10-24-2012 05:11 PM
Hello group,
I have an EasyVPN server setup on my personal router (1861) so that I can access my home network when I am on the road. Apparently the Cisco VPN client and Windows 7 do not play nicely together, but I finally got my computer to nail up a tunnel and send encrypted traffic towards my router.
However, I am not able to reach anything on my local LAN (192.168.0.0/24) from my laptop over a VPN connection. I have tried ping, http, RDP, with no success. The internet is still browsable on the laptop because of the split tunneling. When I look at the status of the VPN connection from my laptop, I see sent/encrypted packets incrementing, but nothing received. I am using ZBFW and VTI with my VPN server. I did try disabling the ZBFW, with the same results; in fact, I don't see anything in the log stating packets are dropped to/from the ezvpn zone.
I have been really racking my brains trying to get this working, so hopefully someone here can spot where I went wrong.
Here is a copy of my (messy) config file:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MyRouter
!
boot-start-marker
boot system flash flash:c1861-advipservicesk9-mz.124-24.T7.bin
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/2
logging message-counter syslog
logging buffered 16384
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Chicago -6
clock summer-time CDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1445602082
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1445602082
revocation-check none
rsakeypair TP-self-signed-1445602082
!
!
crypto pki certificate chain TP-self-signed-1445602082
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343435 36303230 3832301E 170D3132 30353239 31353039
30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34343536
30323038 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D465 136AB645 8BC3B71C ED37D188 C5379D34 11AC19A6 4E4CF964 E49FE347
B5A81DED 59B4D5DA BF604557 2A4738A4 115AF64F 97BE7172 757D3EB1 26470703
5E0A7BBD 86DF2ED0 4C828B08 C41C59BA FD7D967D 65433707 5A11A031 392138B8
74638F73 D9169F6D 91F44800 B0766582 D5A765FA 9C480B41 9B8AC8DE 254151C3
85670203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18504F4C 4B2D4757 312E616A 73636872 6F656465 722E6E65
74301F06 03551D23 04183016 80148FC0 A44BB98F 0CAC193F 68AD46BE 7B6E8BC9
1FD3301D 0603551D 0E041604 148FC0A4 4BB98F0C AC193F68 AD46BE7B 6E8BC91F
D3300D06 092A8648 86F70D01 01040500 03818100 0D300973 50FDB092 6AA75D95
4DEE853D 6E19925B 0FECC24C D44ACCCC 73F30B84 665C8D76 E52409C7 6F219ECE
38B583B1 0D0562E3 8336DB68 7FD4FF0A 2C0F00C6 57BBD31B 9830A8FE 95D92CDC
9CBE3EA1 B703DA12 47676BCF 877373A1 07916A5A A7F6675B 2620EF9C 62D6C141
21AB2701 7B17E18C E9582CB5 BD6D4952 277ED6D8
quit
dot11 syslog
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.254
ip dhcp excluded-address 192.168.248.251 192.168.248.254
ip dhcp excluded-address 192.168.208.254
ip dhcp excluded-address 192.168.0.251 192.168.1.254
!
ip dhcp pool Workstations
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
domain-name example.com
lease 3
!
ip dhcp pool Guest_DMZ
network 172.16.0.0 255.255.255.0
default-router 172.16.0.254
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VoIP
network 192.168.248.0 255.255.255.0
default-router 192.168.248.254
option 150 ip 192.168.248.254
!
!
no ip bootp server
ip domain name example.com
ip port-map user-xbl-ctrl-udp port udp 3074 description XBOX Live control protocol over UDP
ip port-map user-xbl-ctrl-tcp port tcp 3074 description XBOX Live control protocol over TCP
ip port-map user-xbl-auth port udp 88 description XBOX Live Authentication
ip ddns update method DynDNS
HTTP
add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
parameter-map type inspect audit
audit-trail on
!
!
!
voice service voip
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol cisco
sip
registrar server expires max 3600 min 3600
outbound-proxy dns:pbxes.org
!
!
!
voice class codec 1
codec preference 3 g726r16
codec preference 4 g726r24
codec preference 5 g726r32
codec preference 6 g711alaw
codec preference 7 g711ulaw
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
dsp services dspfarm
!
!
!
object-group network VoIP-Phones
192.168.248.0 255.255.255.0
!
!
spanning-tree vlan 2 priority 24576
spanning-tree vlan 3 priority 24576
spanning-tree vlan 4 priority 24576
vtp mode transparent
username XXXXXXXXXX privilege 15 password XXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EasyVPN-Group
key XXXXXXXXXXXXXX
pool SDM_POOL_1
acl ACL-Split-Tunnel
crypto isakmp profile ciscocp-ike-profile-1
match identity group EasyVPN-Group
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
archive
log config
hidekeys
!
!
vlan 2
name LAN
!
vlan 3
name Guest_DMZ
!
vlan 4
name VoIP
!
ip tcp synwait-time 10
ip ftp username XXXXXXXXXXXXX
ip ftp password XXXXXXXXXXXXXXXX
ip ssh time-out 30
ip scp server enable
!
class-map type inspect sip match-any Disable-Strict-SIP-cmap
match request method invite
match protocol-violation
class-map type inspect match-any Traceroute-cmap
match access-group name Traceroute
class-map type inspect match-all Allow-NTP-cmap
match access-group name Allow-NTP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any Allow-TFTP-out-cmap
match access-group name Allow-TFTP-out
class-map type inspect match-all RouterManagement
match access-group name RouterManagement
class-map type inspect match-any SIP-Traffic-cmap
match protocol sip
class-map type inspect match-any CME-Traffic-cmap
match protocol skinny
class-map type inspect match-any Protocol-P2P-cmap
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any Allow-DNS-cmap
match access-group name Allow-DNS
class-map type inspect match-all Allow-VPN-Outbound-cmap
match access-group name ACL-Allow-VPN-Outbound
class-map type inspect match-any Guest_DMZtoOutside-cmap
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol http
match protocol tcp
match protocol udp
class-map type inspect match-any ICMPecho-cmap
match access-group name ICMPecho
class-map type inspect match-any Protocol-IM-cmap
match protocol ymsgr Yahoo-Servers
match protocol msnmsgr MSN-Servers
match protocol aol AOL-Servers
class-map type inspect match-all RouterDataTransfer
match access-group name RouterDataTransfer
class-map type inspect match-all DDNS-Update-cmap
match access-group name ACL-DDNS-Update
class-map type inspect match-any XBOX-class
match protocol user-xbl-ctrl-udp
match protocol user-xbl-ctrl-tcp
match protocol user-xbl-auth
class-map type inspect match-all InsideToOutside-HTTP-cmap
match protocol http
class-map type inspect match-any ICMPreply-cmap
match access-group name ICMPreply
class-map type inspect match-any Allow-DHCP-cmap
match access-group name Allow-DHCP
class-map type inspect match-any InsideToOutside-cmap
match protocol dns
match protocol https
match protocol ftp
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-any Allow-TFTP-in-cmap
match access-group name Allow-TFTP-in
!
!
policy-map type inspect InsideToRouter-pmap
class type inspect ICMPecho-cmap
inspect
class type inspect ICMPreply-cmap
pass
class type inspect Allow-DHCP-cmap
pass
class type inspect Allow-DNS-cmap
inspect
class type inspect RouterManagement
inspect
class type inspect Allow-NTP-cmap
inspect
class class-default
drop
policy-map type inspect RouterToInside-pmap
class type inspect ICMPecho-cmap
inspect
class type inspect Traceroute-cmap
inspect
class type inspect Allow-DHCP-cmap
pass
class type inspect RouterDataTransfer
inspect
class class-default
drop
policy-map type inspect sip Disable-Strict-SIP-pmap
class type inspect sip Disable-Strict-SIP-cmap
allow
policy-map type inspect Guest_DMZtoOutside-pmap
class type inspect Guest_DMZtoOutside-cmap
inspect
class class-default
drop
policy-map type inspect Guest_DMZtoRouter-pmap
class type inspect ICMPecho-cmap
inspect
class type inspect ICMPreply-cmap
pass
class type inspect Allow-DHCP-cmap
pass
class class-default
drop
policy-map type inspect OutsideToRouter-pmap
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect ICMPecho-cmap
inspect
class type inspect ICMPreply-cmap
pass
class type inspect Allow-DHCP-cmap
pass
class type inspect Allow-DNS-cmap
inspect
class class-default
drop log
policy-map type inspect RouterToOutside-pmap
class type inspect ICMPecho-cmap
inspect
class type inspect Traceroute-cmap
inspect
class type inspect Allow-DHCP-cmap
pass
class type inspect Allow-NTP-cmap
inspect
class type inspect SIP-Traffic-cmap
inspect
service-policy sip Disable-Strict-SIP-pmap
class type inspect Allow-DNS-cmap
inspect
class type inspect DDNS-Update-cmap
pass
class type inspect Allow-VPN-Outbound-cmap
pass
class class-default
drop log
policy-map type inspect VoiceToRouter-pmap
class type inspect Allow-DHCP-cmap
pass
class type inspect Allow-TFTP-in-cmap
pass
class type inspect CME-Traffic-cmap
inspect
class class-default
drop log
policy-map type inspect RouterToVoice-pmap
class type inspect Allow-DHCP-cmap
pass
class type inspect Allow-TFTP-out-cmap
pass
class class-default
drop log
policy-map type inspect RouterToGuest_DMZ-pmap
class type inspect ICMPecho-cmap
inspect
class type inspect Traceroute-cmap
inspect
class type inspect Allow-DHCP-cmap
pass
class class-default
drop
policy-map type inspect InsideToOutside-pmap
class type inspect XBOX-class
inspect
class type inspect Protocol-IM-cmap
inspect
class type inspect Protocol-P2P-cmap
inspect
class type inspect InsideToOutside-cmap
inspect
class class-default
drop
policy-map type inspect OutsideToInside-pmap
class type inspect XBOX-class
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security Inside
zone security Outside
zone security Guest_DMZ
zone security Voice
zone security ezvpn-zone
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect InsideToOutside-pmap
zone-pair security OutsideToInside source Outside destination Inside
service-policy type inspect OutsideToInside-pmap
zone-pair security OutsideToRouter source Outside destination self
service-policy type inspect OutsideToRouter-pmap
zone-pair security Guest_DMZtoOutside source Guest_DMZ destination Outside
service-policy type inspect Guest_DMZtoOutside-pmap
zone-pair security Guest_DMZtoRouter source Guest_DMZ destination self
service-policy type inspect Guest_DMZtoRouter-pmap
zone-pair security RouterToGuest_DMZ source self destination Guest_DMZ
service-policy type inspect RouterToGuest_DMZ-pmap
zone-pair security InsideToRouter source Inside destination self
service-policy type inspect InsideToRouter-pmap
zone-pair security RouterToInside source self destination Inside
service-policy type inspect RouterToInside-pmap
zone-pair security VoiceToRouter source Voice destination self
service-policy type inspect VoiceToRouter-pmap
zone-pair security RouterToVoice source self destination Voice
service-policy type inspect RouterToVoice-pmap
zone-pair security sdm-zp-in-ezvpn1 source Inside destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source Outside destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination Outside
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination Inside
service-policy type inspect sdm-permit-ip
zone-pair security RouterToOutside source self destination Outside
service-policy type inspect RouterToOutside-pmap
bridge irb
!
!
!
!
interface FastEthernet0/0
description Internet
ip ddns update hostname example.com
ip ddns update DynDNS host example.com
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security Outside
duplex auto
speed auto
auto discovery qos
!
interface FastEthernet0/1/0
switchport access vlan 2
!
interface FastEthernet0/1/1
switchport access vlan 2
!
interface FastEthernet0/1/2
switchport access vlan 2
switchport voice vlan 2590
!
interface FastEthernet0/1/3
switchport access vlan 2
switchport voice vlan 2590
!
interface FastEthernet0/1/4
switchport access vlan 2
switchport voice vlan 4
!
interface FastEthernet0/1/5
description AP2
switchport access vlan 2
!
interface FastEthernet0/1/6
switchport access vlan 2
switchport voice vlan 2590
!
interface FastEthernet0/1/7
description AP1
switchport trunk native vlan 2
switchport trunk allowed vlan 1-3,1002-1005
switchport mode trunk
!
interface FastEthernet0/1/8
switchport access vlan 2
switchport voice vlan 2590
!
interface Dot11Radio0/5/0
no ip address
shutdown
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan2
ip nat inside
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan2
description $FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security Inside
!
interface Vlan3
description Guest DMZ LAN
ip address 172.16.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security Guest_DMZ
!
interface Vlan4
ip address 192.168.248.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security Voice
!
ip local pool SDM_POOL_1 172.31.1.1 172.31.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool NAS-NAT-POOL 192.168.0.250 192.168.0.250 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.0.242 3074 interface FastEthernet0/0 3074
ip nat inside source static udp 192.168.0.242 3074 interface FastEthernet0/0 3074
ip nat inside source static udp 192.168.0.242 88 interface FastEthernet0/0 88
ip nat inside source route-map NAT interface FastEthernet0/0 overload
ip nat inside destination list NAS-NAT pool NAS-NAT-POOL
!
ip access-list extended ACL-Allow-VPN-Outbound
permit udp any any eq isakmp
permit udp any eq isakmp any
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
ip access-list extended ACL-DDNS-Update
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended ACL-Split-Tunnel
permit ip 192.168.0.0 0.0.0.255 any
permit icmp 192.168.0.0 0.0.0.255 any
permit tcp 192.168.0.0 0.0.0.255 any
permit udp 192.168.0.0 0.0.0.255 any
ip access-list extended NAS-NAT
permit tcp any any range 6881 6889
permit udp any any eq 6881
ip access-list extended Allow-DHCP
permit udp any eq bootps any eq bootpc
permit udp any eq bootpc any eq bootps
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended Allow-DNS
permit udp any any eq domain
permit udp any eq domain any
permit udp any gt 1023 any eq domain
ip access-list extended Allow-NTP
permit udp any any eq ntp
ip access-list extended Allow-TFTP-in
remark CCP_ACL Category=16
permit udp object-group VoIP-Phones host 192.168.248.254
ip access-list extended Allow-TFTP-out
remark CCP_ACL Category=16
permit udp host 192.168.248.254 object-group VoIP-Phones
ip access-list extended ICMPecho
permit icmp any any echo
ip access-list extended ICMPreply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
ip access-list extended Internal-Subnets
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended RouterDataTransfer
permit tcp host 192.168.0.254 host 192.168.0.250 eq 22
permit tcp host 192.168.0.254 host 192.168.0.250 eq www
permit tcp host 192.168.0.254 host 192.168.0.250 eq 443
permit tcp host 192.168.0.254 host 192.168.0.250 eq ftp
permit tcp host 192.168.0.254 host 192.168.0.250 gt 1024
ip access-list extended RouterManagement
permit tcp any any eq 22
permit tcp any any eq 443
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit icmp any any
permit udp any any
permit tcp any any
permit ip any any
ip access-list extended Traceroute
permit udp any range 32768 65535 any range 33434 33523
!
!
!
!
!
route-map NAT permit 10
match ip address Internal-Subnets
!
!
tftp-server flash:APPS-1.2.1.SBN alias APPS-1.2.1.SBN
tftp-server flash:/phone/7941-7961/apps41.9-1-1TH1-16.sbn alias apps41.9-1-1TH1-16.sbn
tftp-server flash:/phone/7941-7961/cnu41.9-1-1TH1-16.sbn alias cnu41.9-1-1TH1-16.sbn
tftp-server flash:/phone/7941-7961/cvm41sccp.9-1-1TH1-16.sbn alias cvm41sccp.9-1-1TH1-16.sbn
tftp-server flash:/phone/7941-7961/dsp41.9-1-1TH1-16.sbn alias dsp41.9-1-1TH1-16.sbn
tftp-server flash:/phone/7941-7961/jar41sccp.9-1-1TH1-16.sbn alias jar41sccp.9-1-1TH1-16.sbn
tftp-server flash:/phone/7941-7961/SCCP41.9-1-1SR1S.loads alias SCCP41.9-1-1SR1S.loads
tftp-server flash:/phone/7941-7961/term41.default.loads alias term41.default.loads
tftp-server flash:/phone/7941-7961/term61.default.loads alias term61.default.loads
!
control-plane
!
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
call threshold global cpu-avg low 68 high 75
call threshold global total-mem low 75 high 85
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control
description Music On Hold Port
!
!
mgcp fax t38 ecm
!
!
!
dial-peer voice 2 voip
description **Outgoing Call to SIP Trunk**
destination-pattern [2-9].........
voice-class codec 1
session protocol sipv2
session target sip-server
session transport udp
dtmf-relay rtp-nte
no vad
!
dial-peer voice 1 voip
description *** Incoming call to - -- Generic -- - SIP Trunk ***
session protocol sipv2
session target sip-server
incoming called-number .T
!
dial-peer voice 3 voip
destination-pattern 1[2-9].........
session protocol sipv2
session target sip-server
!
!
sip-ua
credentials username XXXXXXXXXXX password XXXXXXXXXX realm pbxes.org
authentication username XXXXXXXXXXXXX password XXXXXXXXXXXX
timers connect 100
registrar dns:pbxes.org expires 3600
sip-server dns:pbxes.org
!
!
!
telephony-service
max-ephones 12
max-dn 48
ip source-address 192.168.248.254 port 2000
max-redirect 5
auto assign 1 to 10
load 7961 SCCP41.9-1-1SR1S
time-zone 8
time-format 24
date-format dd-mm-yy
max-conferences 4 gain -6
moh music-on-hold.au
transfer-system full-consult
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-dn 2
number 1001 no-reg both
name Joe User
!
!
ephone 1
device-security-mode none
mac-address 001D.A266.C871
type 7961
button 1:2
!
!
!
ephone 2
device-security-mode none
mac-address 0025.8417.68CB
type 7961
button 1:2
!
!
!
line con 0
exec-timeout 30 0
privilege level 15
logging synchronous
no modem enable
line aux 0
exec-timeout 30 0
line vty 0 4
exec-timeout 30 0
transport input ssh
!
ntp source FastEthernet0/0
ntp update-calendar
end
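An added example (mine, not the poster's configuration and not a Cisco tool): a small Python audit that pulls the zone-member, zone-pair/service-policy and policy-map class-default lines out of an IOS running-config and reports, for a given ingress/egress interface pair, which zone-based-firewall rule decides the traffic. It encodes the documented ZBFW defaults: interfaces in the same zone talk freely; a zoned interface and an unzoned one cannot; two unzoned interfaces can; a configured zone-pair hands the decision to its policy-map; with no zone-pair, traffic to or from the router itself (the self zone) passes, and everything else is dropped. The embedded config is a constructed cut-down of the one above, with IOS's one-space indentation (which the forum stripped from the pasted copy), the self-zone pairs omitted so that default shows, and Vlan4 deliberately left out of any zone. For this thread the check it makes mechanical is that Virtual-Template1 (ezvpn-zone) to Vlan2 (Inside) is covered in both directions by sdm-permit-ip, whose only non-default class passes everything, which is consistent with the poster's observation that disabling the ZBFW changed nothing.

```python
"""Static zone-pair audit for a Cisco IOS zone-based firewall (ZBFW) config.
ZBFW defaults encoded here: same zone = flows; one side zoned, other not = drop;
neither zoned = flows; zone-pair present = its policy-map decides; no zone-pair
to/from the router itself (self) = pass; no zone-pair otherwise = drop."""
import re

SELF = "self"  # pseudo-interface standing for the router's own control plane

# Constructed sample, cut down from the config posted above. The self-zone pairs
# are omitted so the self default shows, and Vlan4 is deliberately left out of
# any zone (the real config puts it in the Voice zone).
SAMPLE_CONFIG = """\
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
zone-pair security sdm-zp-in-ezvpn1 source Inside destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination Inside
 service-policy type inspect sdm-permit-ip
interface FastEthernet0/0
 zone-member security Outside
interface Virtual-Template1 type tunnel
 zone-member security ezvpn-zone
interface Vlan2
 zone-member security Inside
interface Vlan3
 zone-member security Guest_DMZ
interface Vlan4
"""


def parse_zbfw(config):
    # Returns (zone_of_interface, zone_pairs, class_default_action) dicts.
    ifaces, pairs, defaults = {}, {}, {}
    current, in_default = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level statement: decide what block follows
            current, in_default = None, False
            parts = line.split()
            pair = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line)
            if parts[0] == "interface":
                current = ("interface", parts[1])
                ifaces.setdefault(parts[1], None)  # stays None if no zone-member follows
            elif pair:
                current = ("pair", pair.groups())
            elif line.startswith("policy-map type inspect"):
                current = ("pmap", parts[-1])  # last token is the name (also for L7 maps)
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "interface" and line.startswith("zone-member security "):
            ifaces[key] = line.split()[-1]
        elif kind == "pair" and line.startswith("service-policy type inspect "):
            pairs[key] = line.split()[-1]
        elif kind == "pmap":
            if line.startswith("class "):
                in_default = line == "class class-default"
            elif in_default:
                defaults[key] = line.split()[0]  # drop / pass / inspect
    return ifaces, pairs, defaults


def decide(ifaces, pairs, defaults, ingress, egress):
    """Verdict for traffic entering `ingress` and leaving `egress` (SELF for the
    router). Returns (verdict, reason) with verdict 'pass', 'drop' or 'policy'
    (a zone-pair policy-map decides; its class-default action is reported)."""
    def zone(name):
        if name == SELF:
            return SELF
        if name not in ifaces:
            raise KeyError(f"interface {name} not in config")
        return ifaces[name]
    src, dst = zone(ingress), zone(egress)
    if src is None and dst is None:
        return "pass", "neither interface is in a zone"
    if src is None or dst is None:
        return "drop", "one interface is zoned and the other is not"
    if src == dst:
        return "pass", f"intra-zone traffic in {src} is not inspected"
    pmap = pairs.get((src, dst))
    if pmap:
        return "policy", f"{src}->{dst}: {pmap} (class-default {defaults.get(pmap, 'drop')})"
    if SELF in (src, dst):
        return "pass", f"no zone-pair {src}->{dst}; self zone passes by default"
    return "drop", f"no zone-pair {src}->{dst}; inter-zone default is drop"


if __name__ == "__main__":
    cfg = parse_zbfw(SAMPLE_CONFIG)
    for flow in [("Virtual-Template1", "Vlan2"), ("Vlan2", "Virtual-Template1"),
                 ("Vlan3", "Vlan2"), ("Vlan4", "Vlan2"), ("FastEthernet0/0", SELF)]:
        print(f"{flow[0]:>18} -> {flow[1]:<18}", *decide(*cfg, *flow))
```

Run as a script it prints the verdict for each flow of interest; point `parse_zbfw` at a real `show running-config` capture (with its indentation intact) to audit a live box. On the router itself, the live counterpart is `show policy-map type inspect zone-pair sdm-zp-ezvpn-in1`, which gives per-class packet counters for that pair; those counters are the thing to watch, because IOS refuses the `log` keyword on ACLs referenced by inspect class-maps, as the later reply in this thread shows.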
10-24-2012 05:40 PM
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit icmp any any
permit udp any any
permit tcp any any
permit ip any any
Could you log all the above and check again? Let's see if it is hitting the ACL at all.
10-25-2012 07:04 AM
The router did not seem to like it when I tried to log the ACL:
MyRouter(config)#ip access-list extended SDM_IP
MyRouter(config-ext-nacl)# remark CCP_ACL Category=1
MyRouter(config-ext-nacl)# permit icmp any any log
class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
MyRouter(config-ext-nacl)# permit udp any any log
class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
MyRouter(config-ext-nacl)# permit tcp any any log
class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
MyRouter(config-ext-nacl)# permit ip any any log
class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
So I let it go through and it did not appear to hit the ACL either:
MyRouter#sho ip access-list | b SDM_IP
Extended IP access list SDM_IP
10 permit icmp any any log
20 permit udp any any log
30 permit tcp any any log
40 permit ip any any log
I have since taken the logging part off since it didn't seem to have an effect.