I have a site-to-site IPSEC VPN tunnel established to a client for transferring files for our billing services. Within the ACL that I am applying to the crypto map, I do not have HTTP traffic allowed; however, HTTP/HTTPS is allowed on my firewall, obviously. We are unable to access one of the company's sites, and I am thinking this is the problem. We have another external backup ISP connection that is outside our firewall, and I can access the site fine from it. Can anyone shed some light on this and tell me if this could be the issue? Since we have a tunnel connection to them, do I need to specify this allowed traffic to their website? This just doesn't make sense to me.
Please let me know if you need any additional details, etc.
Within the ACL that I am applying to the crypto map, I do not have HTTP traffic allowed; however, HTTP/HTTPS is allowed on my firewall obviously. We are unable to access one of the company's sites, and I am thinking this is the problem.
I'm not sure I follow you here. Your crypto map does not allow HTTP over the tunnel, but HTTP/HTTPS is allowed by the firewall? Are you saying that HTTP/HTTPS is allowed outbound through the firewall (non-tunneled), but you cannot access an external website even though as previously stated you have configured access?
Just want to make sure I understand your issue.
Message was edited by: Antonio Knox
Yes, HTTP/HTTPS is allowed outbound on the firewall, but it is not allowed on the tunnel for this client or any of my other client VPN tunnels, for that matter. I cannot access this particular company's website. When I do a Wireshark capture, I see my SYN packets going out, but I never see a SYN-ACK. I THINK it is being blocked by my firewall, but I am not sure why. Is the fact that we have a VPN tunnel to this client the problem, since I don't have HTTP/HTTPS traffic allowed for their tunnel? I can access their website if I am on my home computer at home, for example, so the problem is definitely not their site.
You may need to implement split tunneling.
For more info