Access list problem with VPN

mjackson
Level 1

I've set up a router-to-router VPN between two Cisco 1720 routers. There will be a third router brought online soon.

The routers are set up the same, and each has an internal FastEthernet interface and an external WIC Ethernet card.

I was having trouble getting traffic through the IPsec tunnel until the access list I use on the external WIC Ethernet card included permit statements for the traffic coming from the other subnet.

I imagine I have something set up wrong. What seems to be happening is that the VPN tunnel ends at my external WIC card. The router decrypts the information and then places it back on the external interface. I then need to add the statement that allows the traffic from the other subnet through the external interface!?!? This seems like it would open me up to attack from anyone who spoofed my internal IP addresses from the other subnet.

My main question is about the last statement on access-list 103. I would not have thought I needed this statement.

I'm new at this and any help would be appreciated.

Matt J.

The diagram of the networks is like this but flows in both directions.

internal network 192.168.1.0 -> Router 65.xx.xx.xx -> Internet -> 64.xx.xx.xx router -> internal network 192.168.3.0

Here is the configuration for the router at subnet 192.168.1.0. The router for subnet 192.168.3.0 is set up the same except for the subnet information.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 64.xxx.xxx.xxx
!
!
crypto ipsec transform-set cm-transformset-1 ah-sha-hmac esp-3des
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 64.xxx.xxx.xxx
 set transform-set cm-transformset-1
 match address 100
!
!
interface Ethernet0
 description connected to Internet
 ip address 65.xxx.xxx.xxx 255.255.255.0
 ip access-group 103 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect FastEthernet_0 in
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 192.168.1.0
 no auto-summary
!
ip nat inside source list 102 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 100 remark Access-List to identify traffic for encryption
access-list 100 remark Match private to private network traffic
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 remark Deny any other traffic from this network
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
no access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no access-list 102
access-list 102 remark NAT Source List
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no access-list 103
access-list 103 remark allow access to ipsec protocols from other subnet
access-list 103 permit udp host 64.xxx.xxx.xxx eq isakmp host 65.xxx.xxx.xxx
access-list 103 permit ahp host 64.xxx.xxx.xxx host 65.xxx.xxx.xxx
access-list 103 permit esp host 64.xxx.xxx.xxx host 65.xxx.xxx.xxx
access-list 103 remark anti-spoofing
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 remark routing protocol
access-list 103 permit udp any eq rip any eq rip
access-list 103 remark domain responses
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any eq domain any eq domain
access-list 103 remark allow icmp protocol
access-list 103 permit icmp any any
access-list 103 remark permit unencrypted data from other subnet
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
!
!
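Added example, not part of the original post or of any Cisco tooling: a small Python model of how a numbered IOS ACL is evaluated (first match wins, implicit deny at the end), run over the posted access-list 103. It shows that the final entry is the only one that admits the decrypted 192.168.3.0/24 traffic, and that the same entry admits an unencrypted packet that merely claims such a source, which is the exposure the poster is worried about. The peer addresses 64.0.0.2 and 65.0.0.2 are placeholders for the masked ones in the post, and the sample packets are constructed.

```python
import ipaddress
PORTS = {"isakmp": 500, "rip": 520, "domain": 53}  # port names that appear in the post's ACL

def endpoint(t):
    # consume 'any' | 'host A' | 'A wildcard' plus an optional 'eq port'; return (net, port, rest)
    if t[0] == "any":
        net, t = ipaddress.ip_network("0.0.0.0/0"), t[1:]
    elif t[0] == "host":
        net, t = ipaddress.ip_network(t[1]), t[2:]
    else:  # an IOS wildcard is a hostmask, which ipaddress accepts as the mask part
        net, t = ipaddress.ip_network((t[0], t[1]), strict=False), t[2:]
    port, t = (PORTS.get(t[1]) or int(t[1]), t[2:]) if t[:1] == ["eq"] else (None, t)
    return net, port, t

def parse_acl(text, number):
    # keep the permit/deny entries of one numbered ACL in order; remark lines are skipped
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["access-list", str(number)] and t[2] != "remark":
            src, sport, rest = endpoint(t[4:])
            dst, dport, _ = endpoint(rest)
            rules.append((t[2], t[3], src, sport, dst, dport, line.strip()))
    return rules

def evaluate(rules, pkt):
    # first matching entry wins; an IOS ACL always ends with an implicit deny
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, proto, src, sport, dst, dport, line in rules:
        if (proto in ("ip", pkt["proto"]) and s in src and d in dst
                and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport"))):
            return action, line
    return "deny", "implicit deny"

# access-list 103 as posted; 64.0.0.2 / 65.0.0.2 are placeholders for the masked peer addresses
ACL_103 = """access-list 103 permit udp host 64.0.0.2 eq isakmp host 65.0.0.2
access-list 103 permit ahp host 64.0.0.2 host 65.0.0.2
access-list 103 permit esp host 64.0.0.2 host 65.0.0.2
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 permit udp any eq rip any eq rip
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any eq domain any eq domain
access-list 103 permit icmp any any
access-list 103 permit ip 192.168.3.0 0.0.0.255 any"""
RULES = parse_acl(ACL_103, 103)

if __name__ == "__main__":  # constructed packets: the tunnel itself, then a plain TCP packet claiming a 192.168.3.x source
    for p in ({"proto": "esp", "src": "64.0.0.2", "dst": "65.0.0.2"},
              {"proto": "tcp", "src": "192.168.3.7", "dst": "192.168.1.9", "dport": 445}):
        print(p["src"], "->", p["dst"], evaluate(RULES, p))
```

The model cannot tell whether a packet arrived inside the tunnel or in the clear, and neither can the ACL: both the decrypted LAN-to-LAN packet and a forged one from the Internet hit the same last entry.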

1 Reply

abdul.kokumo
Level 1

I think your problem is with the access-list. Start with only two access-list statements for now, one for the tunnel and the other for the NAT.

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

When you add the third site, just include the access-list permit statement for the tunnel and rearrange the NAT access-list, making sure that the permit statement ends the 102 list. From experience, I would advise you to use a route-map statement for your NAT. Example:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
 match ip address 102

You have to be careful when applying an access-list on the external interface because you use this for your NAT. You have to list the IP you want to deny, and you cannot use deny any. Always list the deny statements and end with a permit. My advice: try to simplify your configuration. If you are using a static route, I don't see any need for RIP.