10-24-2012 10:01 AM
Hi All,
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the PIX, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings, most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the PIX to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network, as we cannot get a Wireshark capture on a PC on the 172.16.99.0 network other than the ICMP traces. Usually this is an access list problem, but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the PIX and the 1841.
The tunnel is fully up at all times and, as we said, we can ping in both directions.
Any help would be great.
Regards,
10-24-2012 10:37 AM
Can you please post the configuration of both sites, or at least the remote site.
10-24-2012 03:23 PM
Hi,
Here goes with the config for the 1841 at remote site. We have edited to simplify a little and to protect the identity of our Client. Please note that fa0/0 is not being used so all traffic is running out of fa0/1 for the VPN.
Any help appreciated.
Thanks.
Current configuration : 8203 bytes
!
! Last configuration change at 13:30:48 summer Wed Oct 24 2012 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret 5 ******************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock summer-time summer recurring last Sun Mar 2:00 last Sun Oct 2:00
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 172.16.99.0 172.16.99.9
!
ip dhcp pool LAN99
network 172.16.99.0 255.255.255.0
dns-server 8.8.8.8 208.67.220.220
default-router 172.16.99.1
domain-name *******
!
!
ip cef
ip domain name *******
ip name-server 208.67.222.222
ip name-server 8.8.8.8
ip name-server 208.67.220.220
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sip
ip inspect name myfw icmp
ip inspect name myfw tcp timeout 3600
ip inspect name myfw http timeout 3600
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
!
!
username ******* privilege 15 secret 5 **************
username ******* privilege 15 secret 5 **************
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ************ address
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to
set peer
set transform-set ESP-3DES-SHA1
set pfs group2
match address 100
!
!
!
!
!
!
interface FastEthernet0/0
description Fibre (Primary)
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description Cable (Secondary)
ip address dhcp
ip access-group Internet-In in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
switchport access vlan 10
!
interface FastEthernet0/0/1
switchport access vlan 10
!
interface FastEthernet0/0/2
switchport access vlan 10
!
interface FastEthernet0/0/3
switchport access vlan 10
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
!
interface Dialer0
description Fibre Virtual-pppoe
ip address negotiated
ip access-group Internet-In in
ip mtu 1492
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
shutdown
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***********
ppp chap password 0 ***********
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 172.16.99.254 9004 interface FastEthernet0/1 9004
ip nat inside source static tcp 172.16.99.254 443 interface FastEthernet0/1 600
ip nat inside source static udp 172.16.99.254 5060 interface FastEthernet0/1 5060
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list extended Internet-In
remark CCP_ACL Category=17
remark IPSec Rule
permit ip 172.16.0.0 0.0.0.255 172.16.99.0 0.0.0.255
permit udp host <
permit udp host <
permit esp host <
permit ahp host <
permit ip host <
permit icmp any any echo-reply
permit tcp any any established
permit udp any any eq bootps
permit udp any any eq bootpc
permit esp any any
permit udp any any eq isakmp
permit gre any any
permit tcp any any eq 2221 log
permit udp host 192.53.103.104 eq ntp any eq ntp
permit tcp any any eq 22
permit udp any any eq domain
permit udp any eq domain any
!
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 172.16.99.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password *************
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.53.103.104 prefer
end
10-24-2012 04:53 PM
interface FastEthernet0/1
description Cable (Secondary)
ip address dhcp
ip access-group Internet-In in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
ip access-list extended Internet-In
remark CCP_ACL Category=17
remark IPSec Rule
permit tcp any any established
permit tcp any any eq 22
The established keyword means that only traffic originating from the 172.16.99.0/24 to the 172.16.0.0/24 would be allowed. The SYN packet is from the spoke to the hub and the SYN-ACK is back the same way.
If there is a SYN packet from the HUB to the spoke, it would be dropped as there is no session established yet.
Your telnet sessions from 172.16.0.0/24 to 172.16.99.0/24 should work.
You could add
permit tcp any any eq 3389 and see that RDP would go through.
HTH.
10-24-2012 07:15 PM
Try to remove the config
"permit tcp any any established"
and try to do RDP and use other things through the VPN, and we can come to the conclusion.
Potha
10-24-2012 07:16 PM
But I don't think it matters, because they have
'permit ip 172.16.0.0 0.0.0.255 172.16.99.0 0.0.0.255' in the 'Internet-In' ACL.
I would debug crypto ipsec and isa on both sides, then launch a test from the .0.x side, to check if encrypted packets can reach the .99.x side, to narrow down which side has the issue.
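The two replies above differ on whether the "permit tcp any any established" entry matters, and the earlier config post is where the crypto ACL (access-list 100) and the NAT exemption (route-map SDM_RMAP_1 with access-list 101) live. The Python below is an added illustration, not code from this thread or from Cisco: it parses the relevant IOS/PIX access-list entries, evaluates a constructed packet against the Internet-In ACL in first-match order (which is how IOS applies an ACL), checks that the spoke's crypto ACL is the mirror image of a hub-side crypto ACL, and checks that ACL 101 keeps the protected flow out of PAT. The hub-side ACL line (HUB_CRYPTO), the test packet (HUB_RDP_SYN) and all function names are assumptions or constructed values; the PIX config itself is not in the thread, and the redacted "host <" entries of Internet-In are left out.

```python
import ipaddress

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "isakmp": 500, "domain": 53, "ntp": 123}
ICMP_TYPES = {"echo-reply": 0, "echo": 8}

def _mask_to_prefixlen(mask, style):
    """Dotted mask -> prefix length. 'wildcard' is the IOS ACL form (0.0.0.255),
    'netmask' the PIX form (255.255.255.0). Non-contiguous masks are rejected."""
    val = int(ipaddress.IPv4Address(mask))
    wild = val if style == "wildcard" else (~val & 0xFFFFFFFF)
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous mask {mask}")
    return 32 - wild.bit_length()

def _parse_addr(t, i, style):
    """Parse 'any', 'host A' or 'A MASK' at token index i; returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    plen = _mask_to_prefixlen(t[i + 1], style)
    return ipaddress.ip_network(f"{t[i]}/{plen}", strict=False), i + 2

def _parse_port(t, i):
    """Optional 'eq PORT' qualifier; returns (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i

def parse_ace(line, style="wildcard"):
    """Parse one entry, numbered ('access-list N permit ...') or named ('permit ...') form."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    ace = {"action": t[0], "proto": t[1], "established": False, "icmp_type": None}
    ace["src"], i = _parse_addr(t, 2, style)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], i = _parse_addr(t, i, style)
    ace["dport"], i = _parse_port(t, i)
    if i < len(t) and t[i] == "established":
        ace["established"] = True
    elif i < len(t) and ace["proto"] == "icmp":
        ace["icmp_type"] = ICMP_TYPES[t[i]]
    return ace

def _matches(ace, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if ace["proto"] not in ("ip", pkt["proto"]) or src not in ace["src"] or dst not in ace["dst"]:
        return False
    if ace["sport"] not in (None, pkt.get("sport")) or ace["dport"] not in (None, pkt.get("dport")):
        return False
    if ace["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False  # 'established' needs ACK or RST set; a fresh SYN never matches it
    return ace["icmp_type"] in (None, pkt.get("icmp_type"))

def evaluate(acl_lines, pkt, style="wildcard"):
    """First-match evaluation as IOS does it: (action, matching line), else the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line, style)
        if _matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"

def is_mirror(spoke_ace, hub_ace):
    """IPsec peers' crypto ACLs must be exact mirror images (source and destination swapped)."""
    return (spoke_ace["proto"] == hub_ace["proto"]
            and spoke_ace["src"] == hub_ace["dst"] and spoke_ace["dst"] == hub_ace["src"])

def nat_exempts(crypto_ace, nat_acl):
    """True if the NAT route-map ACL keeps the protected flow out of PAT: the first entry
    covering the flow is a deny, or nothing covers it (implicit deny = not translated)."""
    for line in nat_acl:
        ace = parse_ace(line)
        if crypto_ace["src"].subnet_of(ace["src"]) and crypto_ace["dst"].subnet_of(ace["dst"]):
            return ace["action"] == "deny"
    return True

# Constructed inputs, copied from the 1841 config in the thread (redacted "host <" lines omitted)
INTERNET_IN = [
    "permit ip 172.16.0.0 0.0.0.255 172.16.99.0 0.0.0.255",
    "permit icmp any any echo-reply",
    "permit tcp any any established",
    "permit esp any any",
    "permit udp any any eq isakmp",
    "permit tcp any any eq 22",
]
SPOKE_CRYPTO = "access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255"
SPOKE_NAT_ACL = ["access-list 101 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255",
                 "access-list 101 permit ip 172.16.99.0 0.0.0.255 any"]
# ASSUMED hub-side crypto ACL (the PIX config is not in the thread); PIX syntax uses netmasks
HUB_CRYPTO = "access-list outside_cryptomap permit ip 172.16.0.0 255.255.255.0 172.16.99.0 255.255.255.0"
# Constructed packet: an RDP SYN from the PIX side to a host behind the 1841
HUB_RDP_SYN = {"proto": "tcp", "src": "172.16.0.10", "dst": "172.16.99.20",
               "sport": 50000, "dport": 3389, "ack": False}
```

Calling evaluate(INTERNET_IN, HUB_RDP_SYN) returns a permit on the first "IPSec Rule" line, while evaluate(INTERNET_IN[1:], HUB_RDP_SYN) falls through to the implicit deny because a bare SYN never satisfies "established" and no port 3389 entry exists; with the ACK bit set the same packet is permitted by the established entry. is_mirror(parse_ace(SPOKE_CRYPTO), parse_ace(HUB_CRYPTO, "netmask")) and nat_exempts(parse_ace(SPOKE_CRYPTO), SPOKE_NAT_ACL) both come back True for the posted config, so on paper the crypto ACL and NAT exemption look right. Which entries actually receive hits on the live router, and whether the PIX-side traffic is being decrypted at all, is something the model cannot tell you; that comes from the hit counters in "show ip access-lists Internet-In" and the encaps/decaps counters in "show crypto ipsec sa" on the 1841.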
10-24-2012 07:25 PM
Do you have any other device connected to this router towards your LAN side?
10-25-2012 03:56 AM
Hi All,
Thank you all for your input so far. We reply collectively to your comments.
We removed the permit tcp any any established, added 3389 to the ACL and ran the debug again. Unfortunately still no luck. We have a SIP server sitting on the inside LAN behind the 1841 which we can ping and also browse to the GUI, both over the VPN, but that's about all we can do. No remote SIP registrations over the tunnel are possible, nor is the RDP session, or SSH. We can test other traffic once we get these working, as it will no doubt be the same issue with all traffic.
Any more thoughts?
Regards,