12-13-2001 02:55 PM - edited 02-21-2020 11:32 AM
I've set up a router-to-router VPN between two Cisco 1720 routers. There will be a third router brought online soon.
The routers are set up the same and they have the internal FastEthernet interface and an external WIC Ethernet card.
I was having trouble getting traffic through the IPsec tunnel until the access list I use on the external WIC Ethernet card included permit statements for the traffic coming from the other subnet.
I imagine I have something set up wrong. What seems to be happening is that the VPN tunnel is ending at my external WIC card. The router is decrypting the information and then placing it back on the external interface. I then need to add the statement that allows the traffic from the other subnet through the external interface!?!? This seems like it would open me up to attack from anyone who spoofed my internal IP addresses from the other subnet.
My main question is about the last statement in access-list 103. I would not have thought I needed this statement.
I'm new at this and any help would be appreciated.
Matt J.
The diagram of the networks is like this, but traffic flows in both directions.
internal network 192.168.1.0 -> Router 65.xx.xx.xx -> Internet -> 64.xx.xx.xx router -> internal network 192.168.3.0
Here is the configuration for the router at subnet 192.168.1.0. The router for subnet 192.168.3.0 is set up the same except for the subnet information.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 64.xxx.xxx.xxx
!
!
crypto ipsec transform-set cm-transformset-1 ah-sha-hmac esp-3des
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 64.xxx.xxx.xxx
set transform-set cm-transformset-1
match address 100
!
!
interface Ethernet0
description connected to Internet
ip address 65.xxx.xxx.xxx 255.255.255.0
ip access-group 103 in
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map cm-cryptomap
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect FastEthernet_0 in
speed auto
!
router rip
version 2
passive-interface Ethernet0
network 192.168.1.0
no auto-summary
!
ip nat inside source list 102 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 100 remark Access-List to identify traffic for encryption
access-list 100 remark Match private to private network traffic
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 remark Deny any other traffic from this network
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
no access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no access-list 102
access-list 102 remark NAT Source List
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no access-list 103
access-list 103 remark allow access to ipsec protocols from other subnet
access-list 103 permit udp host 64.xxx.xxx.xxx eq isakmp host 65.xxx.xxx.xxx
access-list 103 permit ahp host 64.xxx.xxx.xxx host 65.xxx.xxx.xxx
access-list 103 permit esp host 64.xxx.xxx.xxx host 65.xxx.xxx.xxx
access-list 103 remark anti-spoofing
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 remark routing protocol
access-list 103 permit udp any eq rip any eq rip
access-list 103 remark domain responses
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any eq domain any eq domain
access-list 103 remark allow icmp protocol
access-list 103 permit icmp any any
access-list 103 remark permit unencrypted data from other subnet
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
!
!
12-14-2001 05:39 AM
I think your problem is with the access-list. Start with only two access-list statements for now, one for the tunnel and the other for the NAT.
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
When you add the third site, just include the access-list permit statement for the tunnel and rearrange the NAT access-list, making sure that the permit statement ends the 102 list. From experience I would advise you to use a route-map statement for your NAT. Example:
ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
match ip address 102
You have to be careful with applying access-lists on the external interface because you use this for your NAT. You have to list the IPs you want to deny, and you cannot use deny any. Always list the deny statements and end with a permit. My advice: try to simplify your configuration. If you are applying static routes, I don't see any need for the RIP.
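To make the two posts above concrete, here is an added Python model of the poster's access-lists 102 and 103. It is example code written for this page, not the poster's configuration and not a Cisco tool. The public addresses 64.1.1.1 and 65.1.1.1 are placeholders for the masked 64.xxx / 65.xxx values, the packets are constructed test inputs, and the second evaluation of the decrypted packet models the behaviour the question describes (decrypted traffic being checked against the inbound ACL of the outside interface again) rather than any particular IOS release. It also runs the NAT list 102 the reply talks about, where the deny lines for tunnel traffic have to come before the closing permit.

```python
"""Model of the poster's access-lists 102 and 103 (added example, not the poster's
config): placeholder public addresses stand in for the masked 64.xxx / 65.xxx, the
packets are constructed, and the second check models what the poster observed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PEER, LOCAL = "64.1.1.1", "65.1.1.1"  # placeholders for the masked public addresses
CONFIG = f"""
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit udp host {PEER} eq isakmp host {LOCAL}
access-list 103 permit ahp host {PEER} host {LOCAL}
access-list 103 permit esp host {PEER} host {LOCAL}
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 permit udp any eq rip any eq rip
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any eq domain any eq domain
access-list 103 permit icmp any any
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
"""
PORT_NAMES = {"isakmp": 500, "rip": 520, "domain": 53}
AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints

@dataclass(frozen=True)
class Packet:
    proto: str  # IOS protocol keyword: ip, tcp, udp, icmp, esp, ahp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    text: str

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(tok: List[str]) -> AddrSpec:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))

def _port(tok: List[str]) -> Optional[int]:
    # Only the 'eq PORT' operator appears in the posted lists.
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acls(text: str) -> Dict[int, List[Rule]]:
    """Parse numbered extended ACL lines; remarks and 'no access-list' lines are skipped."""
    acls: Dict[int, List[Rule]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        rest = t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        acls.setdefault(int(t[1]), []).append(Rule(t[2], t[3], src, sport, dst, dport, line.strip()))
    return acls

def _match_addr(addr: str, spec: AddrSpec) -> bool:
    net, wild = spec  # wildcard bit set = don't care
    return ((_ip(addr) ^ net) & (~wild & 0xFFFFFFFF)) == 0

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins; falling off the end hits the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_match_addr(pkt.src, r.src) and _match_addr(pkt.dst, r.dst)):
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any"

def demo() -> Dict[str, Tuple[str, str]]:
    acls = parse_acls(CONFIG)
    # With ah-sha-hmac in the transform set the outer header on the wire is AH. The inner
    # packet is what the ACL sees on the second pass, and it is byte-for-byte what a
    # spoofed clear-text packet from the Internet would look like to the same ACL.
    inner = Packet("tcp", "192.168.3.20", "192.168.1.10", 40000, 445)
    return {
        "tunnel_on_wire": evaluate(acls[103], Packet("ahp", PEER, LOCAL)),
        "decrypted_second_check": evaluate(acls[103], inner),
        "decrypted_without_last_line": evaluate(acls[103][:-1], inner),
        "spoofed_clear_text": evaluate(acls[103], inner),
        "nat_to_remote_lan": evaluate(acls[102], Packet("tcp", "192.168.1.10", "192.168.3.20", 40000, 80)),
        "nat_to_internet": evaluate(acls[102], Packet("tcp", "192.168.1.10", "198.51.100.7", 40000, 80)),
    }
```

Calling demo() returns the verdict and the matching line for each case. The decrypted packet and the spoofed clear-text packet get the same answer from the same last line of list 103: an interface ACL only sees the IP header, so the line that makes the tunnel work also admits any Internet packet that claims a 192.168.3.x source, which is exactly the concern the question raises. Without that line the decrypted packet falls through to the implicit deny, which is the symptom the poster started with. For list 102, traffic to 192.168.3.0/24 hits a deny (left untranslated so the crypto map can match it) and everything else hits the closing permit, the ordering the reply insists on.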