Need some ACL kung fu for Site To Site VPN issue ACL

Ross Mccullough
Level 1

Group,

I have a small issue that I am sure is related back to an ACL. I wanted to have some experts take a look at my config, please. Here is the issue:

I am attempting to create a site-to-site VPN between two offices, but for some reason they cannot ping each other. It's a strange thing.

97.xx.231.22 <--> 71.xx.160.123

I can ping both firewalls from the outside using another computer, but from the internal firewall utilities they cannot ping each other. From both I can ping their respective gateways.

Secondly, I did an inside-to-outside translation, as you can see here, for ports 80 & 443, which is preventing me from browsing HTTP and HTTPS via the VPN from the remote LAN. Can this be modified to allow access? I can get access when I dial in via the VPN client but not via the permanent VPN tunnel. Here is the config.

no ip nat service sip udp port 5060

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 10.41.14.103 80 71.xx.160.123 80 extendable

ip nat inside source static tcp 10.41.14.103 443 71.xx.160.123 443 extendable

ip route 0.0.0.0 0.0.0.0 71.xx.160.121

ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent

ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent

ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent

ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent

ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent

ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent

ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent

ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent

!

ip sla auto discovery

logging trap errors

logging host 192.168.10.29

access-list 2 remark HTTP Access-class list

access-list 2 remark CCP_ACL Category=1

access-list 2 remark Platinum LAN

access-list 2 permit 10.41.14.0 0.0.0.255

access-list 2 deny   any

access-list 101 remark Master Rules

access-list 101 remark CCP_ACL Category=1

access-list 101 remark FaxFinder WWW Traffic

access-list 101 permit tcp any host 71.xx.160.123 eq www

access-list 101 remark FaxFinder HTTPS Traffic

access-list 101 permit tcp any host 71.xx.160.123 eq 443

access-list 101 remark NTP Time Protocol

access-list 101 permit udp any host 71.xx.160.123 eq ntp

access-list 101 remark IPSEC Protocols

access-list 101 permit udp any host 71.xx.160.123 eq non500-isakmp

access-list 101 remark IPSEC Protocols

access-list 101 permit udp any host 71.xx.160.123 eq isakmp

access-list 101 remark ESP Traffic

access-list 101 permit esp any host 71.xx.160.123

access-list 101 remark General Permit

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=2

access-list 102 deny   ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255

access-list 102 remark IPSec Rule

access-list 102 deny   ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255

access-list 102 remark IPSec Rule

access-list 102 deny   ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31

access-list 102 remark Platinum LAN NAT Rule

access-list 102 permit ip 10.41.14.0 0.0.0.255 any

access-list 104 remark CCP_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31

access-list 108 remark CCP_ACL Category=4

access-list 108 permit ip 10.41.14.0 0.0.0.255 any

access-list 109 remark IPSec Rule

access-list 109 remark CCP_ACL Category=4

access-list 109 permit ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255

access-list 110 remark CCP_ACL Category=4

access-list 110 remark IPSec Rule

access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 102

Accepted Solution

There is more than one way you can achieve that.

1) The best way is possible if both VPN peers are IOS routers. Then you can migrate the VPN to virtual tunnel interfaces (VTIs). With that, the outside interface doesn't mix VPN and non-VPN traffic.

2) If VTIs are not possible, you can restrict the translation to non-VPN traffic only by using a route-map:

object-group network RFC1918

  10.0.0.0 255.0.0.0

  172.16.0.0 255.240.0.0

  192.168.0.0 255.255.0.0

route-map NAT-SERVER-10.41.14.103 permit 10

  match ip address TRAFFIC-NAT-SERVER-10.41.14.103

ip access-list extended TRAFFIC-NAT-SERVER-10.41.14.103

  deny   ip host 10.41.14.103 object-group RFC1918

  permit tcp host 10.41.14.103 eq 80 any

  permit tcp host 10.41.14.103 eq 443 any

ip nat inside source static 10.41.14.103 71.xx.... route-map NAT-SERVER-10.41.14.103

What does that do?

When your server communicates with a system with an address in the RFC1918 range, then the route-map doesn't match and the translation is not used. That's your VPN scenario. But if the server communicates with a non-RFC1918 address, then the translation is used and the server can be reached.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
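To see how the route-map gates the static translation, here is an added Python model (not from the post and not Cisco IOS code) of the first-match evaluation of TRAFFIC-NAT-SERVER-10.41.14.103 against the RFC1918 object-group. It covers only the outbound (inside-to-outside) decision the answer describes; the 203.0.113.0/24 destination is a constructed documentation-range address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# object-group network RFC1918 from the accepted solution
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_DST = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise an exact match
    src_host: str               # "host <addr>" on the source side
    src_port: Optional[int]     # "eq <port>" on the source side, None = any port
    dst_nets: List[ipaddress.IPv4Network]  # object-group expansion, or ANY_DST


# ip access-list extended TRAFFIC-NAT-SERVER-10.41.14.103, as written in the answer
TRAFFIC_NAT_SERVER = [
    AclEntry("deny", "ip", "10.41.14.103", None, RFC1918),
    AclEntry("permit", "tcp", "10.41.14.103", 80, ANY_DST),
    AclEntry("permit", "tcp", "10.41.14.103", 443, ANY_DST),
]


def acl_permits(acl, proto, src, sport, dst):
    """First matching entry decides; an extended ACL ends in an implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src_host != src:
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if not any(dst_ip in net for net in e.dst_nets):
            continue
        return e.action == "permit"
    return False


def static_nat_applies(proto, src, sport, dst):
    """route-map NAT-SERVER-10.41.14.103 permit 10 / match ip address <ACL>:
    the translation is used only when the ACL permits the flow. A deny (or no
    match) leaves the packet untranslated, so VPN-bound traffic keeps the
    10.41.14.103 source that the crypto ACLs expect."""
    return acl_permits(TRAFFIC_NAT_SERVER, proto, src, sport, dst)


if __name__ == "__main__":
    # constructed flows: remote VPN LAN from ACL 109 vs. a public (documentation) address
    for flow in [("tcp", "10.41.14.103", 80, "192.168.76.10"),
                 ("tcp", "10.41.14.103", 443, "203.0.113.9"),
                 ("tcp", "10.41.14.103", 22, "203.0.113.9")]:
        print(flow, "translated" if static_nat_applies(*flow) else "not translated")
```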



Karsten,

Thanks for your valuable insight; I can browse via HTTP on our VPN connection now. Beautiful. Looking at my post, do you have any insight into why the two firewalls wouldn't be able to ping one another? Regarding my item 1, is there anything in the ACLs that you see that would prevent this?

I am attempting to create a site-to-site VPN between two offices, but for some reason they cannot ping each other. It's a strange thing.

97.xx.231.22 <--> 71.xx.160.123

I assume ACL 101 is applied on the outside interface in the incoming direction? Then at least it's not an ACL issue on this router, as there is a "permit ip any any" in there.

Please post your complete configs, because with this little extract above it's not clear what the problem is.


Karsten,

Thanks again for your valuable input; the configuration is below. The endpoints are as follows:

71.xx.160.123 --> 2911 IOS Router

97.xx.231.22  --> SA540 SMB Firewall

Please let me know if you have any further questions that I can post up.

<-- 2911 Config 71.xx.160.123-->

Building configuration...

Current configuration : 12196 bytes

!

! Last configuration change at 12:26:53 NewYork Sat Jan 4 2014 by cisco

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname pl-gw1-paf-router1

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 52000

enable secret 5

enable password 7

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

clock timezone NewYork -5 0

clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00

!

no ip source-route

ip cef

!

!

!

!

!

!

no ip bootp server

ip domain name platautofinance.com

ip name-server 208.67.220.220

ip name-server 208.67.222.222

ip name-server 8.8.4.4

ip name-server 8.8.8.8

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-1476751880

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1476751880

revocation-check none

rsakeypair TP-self-signed-1476751880

!

!

crypto pki certificate chain TP-self-signed-1476751880

certificate self-signed 01

            quit

license udi pid CISCO2911/K9 sn FGL172810VH

license boot module c2900 technology-package securityk9

!

!

object-group network RFC1918

10.0.0.0 255.0.0.0

172.16.0.0 255.240.0.0

192.168.0.0 255.255.0.0

!

username cisco privilege 15 secret 4

username blakmoon91 secret 4

!

redundancy

!

!

!

!

!

ip tcp synwait-time 10

no ip ftp passive

!

class-map match-any CCP-Transactional-1

match dscp af21

match dscp af22

match dscp af23

class-map match-any CCP-Voice-1

match dscp ef

class-map match-any CCP-Routing-1

match dscp cs6

class-map match-any CCP-Signaling-1

match dscp cs3

match dscp af31

class-map match-any CCP-Management-1

match dscp cs2

!

policy-map sdm-qos-test-123

class class-default

policy-map CCP-QoS-Policy-1

class CCP-Voice-1

  priority percent 33

class CCP-Signaling-1

  bandwidth percent 5

class CCP-Routing-1

  bandwidth percent 5

class CCP-Management-1

  bandwidth percent 5

class CCP-Transactional-1

  bandwidth percent 5

class class-default

  fair-queue

  random-detect

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes 256

authentication pre-share

group 2

lifetime 28800

crypto isakmp key address 97.xx.78.222    no-xauth

crypto isakmp key address 67.xx.146.158 

crypto isakmp key address 97.xx.231.22  

crypto isakmp key address 98.xx.151.234

!

crypto isakmp client configuration group PlatinumVPNPool

key

dns 10.41.14.10 192.168.10.3

wins 10.41.14.10 192.168.10.3

domain clearwater.thrifty.com

pool SDM_POOL_1

acl 108

include-local-lan

split-dns clearwater.thrifty.com

pfs

max-users 25

max-logins 10

banner ^CYou are now connecting to a secure network. All connections are monitiored. If you have reached this in error please disconnect now. Call the Helpdesk X1000 for more information.^C

crypto isakmp profile ciscocp-ike-profile-1

   match identity group PlatinumVPNPool

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set PlatinumTransform esp-aes 256 esp-sha-hmac

mode tunnel

!

crypto ipsec profile CiscoCP_Profile1

set security-association lifetime seconds 10800

set security-association idle-time 1800

set transform-set ESP-3DES-SHA

set pfs group2

set isakmp-profile ciscocp-ike-profile-1

!

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to97.xx.78.222

set peer 97.xx.78.222

set transform-set ESP-3DES-SHA

match address 104

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to67.xx.146.158

set peer 67.xx.146.158

set transform-set PlatinumTransform

match address 110

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Tunnel to97.xx.231.22

set peer 97.xx.231.22

set transform-set PlatinumTransform

match address 109

crypto map SDM_CMAP_1 4 ipsec-isakmp

description Tunnel to98.xx.151.234

set peer 98.xx.151.234

set transform-set PlatinumTransform

match address 100

!

!

!

!

!

interface Null0

no ip unreachables

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description $ETH_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address 71.xx.160.123 255.255.255.248

no ip redirects

no ip proxy-arp

ip verify unicast reverse-path

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/1

description $FW_INSIDE$$ETH-LAN$$ETH-LAN$

ip address 10.41.14.100 255.255.255.0

no ip redirects

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

service-policy output CCP-QoS-Policy-1

!

interface GigabitEthernet0/2

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

no mop enabled

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

ip local pool SDM_POOL_1 192.168.26.1 192.168.26.50

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 25

sort-by bytes

cache-timeout 3600

!

no ip nat service sip udp port 5060

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 10.41.14.103 80 71.xx.160.123 80 extendable

ip nat inside source static tcp 10.41.14.103 443 71.xx.160.123 443 extendable

ip route 0.0.0.0 0.0.0.0 71.xx.160.121

ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent

ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent

ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent

ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent

ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent

ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent

ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent

ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent

!

ip access-list extended TRAFFIC-NAT-SERVER-10.41.14.103

deny   ip host 10.41.14.103 object-group RFC1918

permit tcp host 10.41.14.103 eq www any

permit tcp host 10.41.14.104 eq 443 any

!

ip sla auto discovery

logging trap errors

logging host 192.168.10.29

access-list 2 remark HTTP Access-class list

access-list 2 remark CCP_ACL Category=1

access-list 2 remark Platinum LAN

access-list 2 permit 10.41.14.0 0.0.0.255

access-list 2 deny   any

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 10.41.14.0 0.0.0.255 192.168.75.0 0.0.0.255

access-list 101 remark Master Rules

access-list 101 remark CCP_ACL Category=1

access-list 101 remark FaxFinder WWW Traffic

access-list 101 permit tcp any host 71.xx.160.123 eq www

access-list 101 remark FaxFinder HTTPS Traffic

access-list 101 permit tcp any host 71.xx.160.123 eq 443

access-list 101 remark NTP Time Protocol

access-list 101 permit udp any host 71.xx.160.123 eq ntp

access-list 101 remark IPSEC Protocols

access-list 101 permit udp any host 71.xx.160.123 eq non500-isakmp

access-list 101 remark IPSEC Protocols

access-list 101 permit udp any host 71.xx.160.123 eq isakmp

access-list 101 remark ESP Traffic

access-list 101 permit esp any host 71.xx.160.123

access-list 101 remark General Permit

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=2

access-list 102 remark IPSec Rule

access-list 102 deny   ip 10.41.14.0 0.0.0.255 192.168.75.0 0.0.0.255

access-list 102 deny   ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255

access-list 102 remark IPSec Rule

access-list 102 deny   ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255

access-list 102 remark IPSec Rule

access-list 102 deny   ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31

access-list 102 remark Platinum LAN NAT Rule

access-list 102 permit ip 10.41.14.0 0.0.0.255 any

access-list 104 remark CCP_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31

access-list 108 remark CCP_ACL Category=4

access-list 108 permit ip 10.41.14.0 0.0.0.255 any

access-list 109 remark IPSec Rule

access-list 109 remark CCP_ACL Category=4

access-list 109 permit ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255

access-list 110 remark CCP_ACL Category=4

access-list 110 remark IPSec Rule

access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255

no cdp run

!

route-map NAT-SERVER-10.41.14.103 permit 10

match ip address TRAFFIC-NAT-SERVER-10.41.14.103

!

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

snmp-server community RW

snmp-server community public RO

snmp-server location Clearwater North

snmp-server contact MIS IT Services x1000

snmp-server enable traps entity-sensor threshold

snmp-server host 192.168.10.29 Mccullour9320

!

!

!

control-plane

!

!

banner login ^CYou have reached a security checkpoint. All connections are monitored. Follow company usage guidelines. Please contact the MIS IT Department for more information at x1000.^C

!

line con 0

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

password 7 02160B5E520F020D494F5D4A

transport input telnet ssh

transport output telnet ssh

line vty 5 15

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server 24.56.178.140 prefer source GigabitEthernet0/0

ntp server 64.239.96.53 source GigabitEthernet0/0

ntp server 96.226.123.157 source GigabitEthernet0/0

ntp server 64.113.32.5 source GigabitEthernet0/0

ntp server 129.6.15.30 prefer source GigabitEthernet0/0

ntp server 12.10.191.151 source GigabitEthernet0/0

!

end
