06-06-2014 09:33 PM - edited 02-21-2020 07:40 PM
Hi Everyone,
Thanks for taking the time to read my post.
Using IOS version 12.4(13r)T11
I have set up an IPsec tunnel between my Cisco 2821 and a UBNT device. The LAN on the 2821 side is 10.0.1.x and the LAN on the UBNT side is 10.0.2.x. The internet is in the middle.
From the UBNT device, they can access everything on the 10.0.1.x network, but 10.0.1.x cannot access anything on the 10.0.2.x network. I'm thinking I missed a no-NAT statement somewhere... but where?
Current configuration : 4951 bytes
!
! Last configuration change at 00:15:28 EDT Sat Jun 7 2014 by a-rogarrett
! NVRAM config last updated at 23:12:54 EDT Fri Jun 6 2014 by a-rogarrett
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home1
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone EDT -4
!
!
!
!
ip cef
!
!
ip domain name <removed>
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 1024
!
!
voice-card 0
no dspfarm
!
!
!
voice service voip
clid substitute name
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
sip
bind control source-interface GigabitEthernet0/1
bind media source-interface GigabitEthernet0/1
asserted-id ppi
e911
transport switch udp tcp
outbound-proxy dns:<removed>
outbound-proxy dns:<removed>
no call service stop
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username <removed> password 0 <removed>
!
crypto keyring orddie
pre-shared-key address <UBNT IP ADDRESS> key <removed>
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <removed> hostname <UBNT dns name> no-xauth
!
!
crypto ipsec transform-set orddie esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map orddie 10 ipsec-isakmp
set peer UBNT Device IP
set transform-set orddie
match address 101
!
archive
log config
hidekeys
!
!
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface GigabitEthernet0/0
description Comcast
ip address dhcp
ip access-group 184 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map orddie
!
interface GigabitEthernet0/1
description Network
ip address 10.0.1.169 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
peer default ip address pool ppp
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
ip local pool ppp 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 100 remark Internal network
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 184 permit ip host UBNT Device IP any
access-list 184 permit ip host <removed> any
access-list 184 permit ip host <removed> any
access-list 184 permit gre any any
access-list 184 permit tcp any any eq 1723
access-list 184 permit udp any any eq 1701
access-list 184 permit icmp any any echo
access-list 184 permit icmp any any echo-reply
access-list 184 permit udp any any eq bootpc
access-list 184 permit udp any any eq bootps
access-list 184 permit udp any any eq isakmp
access-list 184 permit udp host 75.75.75.75 eq domain any
access-list 184 permit udp host 75.75.76.76 eq domain any
access-list 184 permit udp host 8.8.8.8 eq domain any
access-list 184 permit udp any any eq ntp
access-list 184 permit udp any eq ntp any
access-list 184 permit tcp any eq www any
access-list 184 permit tcp any eq 443 any
access-list 184 permit udp any any eq non500-isakmp
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
dial-peer voice <removed> voip
destination-pattern <removed>
session protocol sipv2
session target ipv4:10.0.1.99
session transport udp
codec g711ulaw
!
dial-peer voice 10 voip
destination-pattern 1..........
session protocol sipv2
session target dns:<removed>
session transport udp
!
!
sip-ua
<removed>
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
access-class 100 in
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180192
ntp server 17.151.16.21 prefer
!
end
06-07-2014 01:58 AM
Hi,
You have a problem with your ACLs.
You need to do it this way, because Cisco recommends that the ACL should be mirrored on both sides:
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
no access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
and
no access-list 100 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
When you are using pure IPsec site-to-site, not GRE over IPsec, you need to permit ESP, not GRE:
no access-list 184 permit gre any any
access-list 184 permit esp any any
The last one: Cisco recommends doing no-NAT with a route-map:
ip nat inside source route-map no-nat interface GigabitEthernet0/0 overload
route-map no-nat permit 10
match ip address 100
Regards,
kazim
"please rate me, if post helpful"
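As an added illustration (not code from the thread or from Cisco), the following Python model shows why the deny line in the NAT ACL matters: on IOS, inside-to-outside traffic goes through NAT before the crypto map evaluates it, so without the exemption the source is rewritten to the WAN address and no longer matches crypto ACL 101. The WAN address and the sample packets are constructed placeholders.

```python
# Added example: a small model of IOS inside->outside processing order
# (NAT first, then the crypto-map "interesting traffic" check) using the
# thread's ACL 100 (NAT) and ACL 101 (crypto) entries. Standard library only.
import ipaddress

WAN_IP = "203.0.113.10"  # constructed placeholder for the DHCP address on Gi0/0


def wildcard_match(addr, network, wildcard):
    """Cisco-style match: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# ACL 100 (NAT) with the exemption line, and the same ACL without it.
ACL_100_FIXED = [
    ("deny",   "10.0.1.0", "0.0.0.255", "10.0.2.0", "0.0.0.255"),
    ("permit", "10.0.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # 'any'
]
ACL_100_NO_EXEMPT = ACL_100_FIXED[1:]
# ACL 101 (crypto map match address), mirrored on the UBNT side.
ACL_101 = [("permit", "10.0.1.0", "0.0.0.255", "10.0.2.0", "0.0.0.255")]


def forward(nat_acl, crypto_acl, src, dst):
    """Return (source address on the wire, whether the crypto map encrypts it)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = WAN_IP  # PAT overload rewrites the source before the crypto check
    encrypted = acl_lookup(crypto_acl, src, dst) == "permit"
    return src, encrypted


if __name__ == "__main__":
    # With the deny: LAN-to-LAN traffic keeps its 10.0.1.x source and is encrypted.
    print(forward(ACL_100_FIXED, ACL_101, "10.0.1.5", "10.0.2.7"))
    # Without it: the source becomes the WAN IP, ACL 101 never matches, no tunnel.
    print(forward(ACL_100_NO_EXEMPT, ACL_101, "10.0.1.5", "10.0.2.7"))
```

Internet-bound traffic (for example 10.0.1.5 to 8.8.8.8) is still translated in both variants; only the LAN-to-LAN flow is affected by the exemption.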
06-07-2014 10:30 AM
Thanks for the response!
I tried it as you suggested, and now 10.0.2.x can no longer ping 10.0.1.x, and 10.0.1.x cannot ping 10.0.2.x.
Building configuration...
Current configuration : 4917 bytes
!
! Last configuration change at 13:17:44 EDT Sat Jun 7 2014 by a-rogarrett
! NVRAM config last updated at 13:17:47 EDT Sat Jun 7 2014 by a-rogarrett
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home1
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone EDT -4
!
!
!
!
ip cef
!
!
ip domain name orddie.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 1024
!
!
voice-card 0
no dspfarm
!
!
!
voice service voip
clid substitute name
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
sip
bind control source-interface GigabitEthernet0/1
bind media source-interface GigabitEthernet0/1
asserted-id ppi
e911
transport switch udp tcp
outbound-proxy dns:<removed>
outbound-proxy dns:<removed>
no call service stop
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username <removed> password 0 <removed>
!
crypto keyring orddie
pre-shared-key address <UBNT IP> key <removed>
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <removed> hostname <UBNT HOSTNAME> no-xauth
!
!
crypto ipsec transform-set orddie esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map orddie 10 ipsec-isakmp
set peer <UBNT IP>
set transform-set orddie
match address 101
!
archive
log config
hidekeys
!
!
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface GigabitEthernet0/0
description Comcast
ip address dhcp
ip access-group 184 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map orddie
!
interface GigabitEthernet0/1
description Network
ip address 10.0.1.169 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
peer default ip address pool ppp
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
ip local pool ppp 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map no-nat interface GigabitEthernet0/0 overload
!
access-list 100 remark Internal network
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 184 permit ip host <UBNT Host> any
access-list 184 permit ip host <removed> any
access-list 184 permit ip host <removed> any
access-list 184 permit gre any any
access-list 184 permit esp any any
access-list 184 permit tcp any any eq 1723
access-list 184 permit udp any any eq 1701
access-list 184 permit icmp any any echo
access-list 184 permit icmp any any echo-reply
access-list 184 permit udp any any eq bootpc
access-list 184 permit udp any any eq bootps
access-list 184 permit udp any any eq isakmp
access-list 184 permit udp host 75.75.75.75 eq domain any
access-list 184 permit udp host 75.75.76.76 eq domain any
access-list 184 permit udp host 8.8.8.8 eq domain any
access-list 184 permit udp any any eq ntp
access-list 184 permit udp any eq ntp any
access-list 184 permit tcp any eq www any
access-list 184 permit tcp any eq 443 any
access-list 184 permit udp any any eq non500-isakmp
!
!
!
route-map no-nat permit 10
match ip address 100
!
!
!
!
control-plane
!
!
!
!
!
!
!
dial-peer voice <removed> voip
destination-pattern <removed>
session protocol sipv2
session target ipv4:10.0.1.99
session transport udp
codec g711ulaw
!
dial-peer voice 10 voip
destination-pattern 1..........
session protocol sipv2
session target <removed>
session transport udp
!
!
sip-ua
<removed>
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
access-class 100 in
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180196
ntp server 17.151.16.21 prefer
!
end
home1#
06-07-2014 02:11 PM
Got it working. It was a firewall rule on the UBNT.
Thanks!