
Site-to-site up but cannot ping through the tunnel

Tommy Svensson
Level 1

Hi.

I have set up a VPN site-to-site and the tunnel is up, but I can't ping through it. Do I need to open up something in my zone-based firewall?

Regards Tommy Svensson

R1#show crypto ipsec sa

inbound esp sas:

spi: 0xC6ADFE40(3333291584)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2141, flow_id: Onboard VPN:141, sibling_flags 80000046, crypto map: tedact_iosoft
sa timing: remaining key lifetime (k/sec): (4545295/2419)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x95A651E(156919070)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2142, flow_id: Onboard VPN:142, sibling_flags 80000046, crypto map: tedact_iosoft
sa timing: remaining key lifetime (k/sec): (4545314/2419)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE


R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
xxxxxxxxxxxxxxxxxxx  QM_IDLE           1141 ACTIVE


R1#show run
class-map match-any VOIP_CLASS

match protocol skype
class-map type inspect match-any PPTP_ALLOW_CLASS
match access-group name PPTP_ALLOW
class-map match-any WEB_MAIL_CLASS
match protocol http
match protocol secure-http
match protocol secure-imap
match protocol secure-pop3
match protocol ssh
match protocol smtp
match protocol imap
match protocol pop3
class-map type inspect match-any STANDARD
match protocol http
match protocol https
match protocol icmp
match protocol echo
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
match protocol dns
match protocol ssh
match protocol directconnect
match protocol ftp
match protocol ftps
match protocol exec
match protocol dnsix
match protocol ddns-v3
match protocol h323
match protocol h323-annexe
match protocol h323-nxg
match protocol icq
match protocol imap3
match protocol ipsec-msft
match protocol irc
match protocol irc-serv
match protocol ircu
match protocol iscsi
match protocol kerberos
match protocol ldap
match protocol microsoft-ds
match protocol lotusmtap
match protocol lotusnote
match protocol ldap-admin
match protocol ldaps
match protocol login
match protocol nfs
match protocol oracle
match protocol tftp
match protocol rtsp
match protocol sip
match protocol pptp
match protocol qmtp
match protocol radius
match protocol tacacs
match protocol realsecure
match protocol realmedia
match protocol rtelnet
match protocol send
match protocol shell
match protocol sshell
class-map type inspect match-all MIXED_ALLOWED_BACK_CLASS
match access-group name MIXED_ALLOW_BACK
class-map type inspect match-any MIXED_ALLOW_CLASS
match access-group name MIXED_ALLOWED
class-map type inspect match-any PPTP_ALLOW_BACK
match access-group name PPTP_BACK
!
!
policy-map QOS_POLICY
class VOIP_CLASS
priority percent 30
set dscp ef
class WEB_MAIL_CLASS
bandwidth remaining percent 75
policy-map type inspect STANDARD
class type inspect STANDARD
inspect
class type inspect PPTP_ALLOW_CLASS
pass
class type inspect MIXED_ALLOW_CLASS
inspect
class class-default
drop
policy-map type inspect PPTP_ALLOW_BACK
class type inspect PPTP_ALLOW_BACK
pass
class type inspect MIXED_ALLOWED_BACK_CLASS
inspect
class class-default
drop
!
zone security VLAN10_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN11_ZONE
zone security VLAN12_ZONE
zone security VLAN13_ZONE
zone security VLAN14_ZONE
zone security VLAN15_ZONE
zone security VLAN50_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN10 source WAN_ZONE destination VLAN10_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN11 source WAN_ZONE destination VLAN11_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN12 source WAN_ZONE destination VLAN12_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN13 source WAN_ZONE destination VLAN13_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN14 source WAN_ZONE destination VLAN14_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN15 source WAN_ZONE destination VLAN15_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security VLAN_11_TO_WAN source VLAN11_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_12_TO_WAN source VLAN12_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_13_TO_WAN source VLAN13_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_14_TO_WAN source VLAN14_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_15_TO_WAN source VLAN15_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_50_TO_WAN source VLAN50_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_50_TO_VLAN1 source VLAN50_ZONE destination VLAN1_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_1_TO_VLAN50 source VLAN1_ZONE destination VLAN50_ZONE
service-policy type inspect STANDARD
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ddassasdasdasdasdadsadsadsasda address xxxxxxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set tedact_iosoft esp-3des esp-sha-hmac
!
crypto map tedact_iosoft 1 ipsec-isakmp
description Tunnel to IOSOFT_xxxxxxxxxxxxxx
set peer xxxxxxxxxxxxxxxx
set transform-set tedact_iosoft
match address 110
!
!
!
!
!
interface GigabitEthernet0/0
description MANAGEMENT
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security VLAN1_ZONE
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.10
description Company10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.11
description Company11
encapsulation dot1Q 11
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 1000000 5000 5000 conform-action continue exceed-action drop
rate-limit output 1000000 5000 5000 conform-action continue exceed-action drop
zone-member security VLAN11_ZONE
no cdp enable
!
interface GigabitEthernet0/0.12
description Company12
encapsulation dot1Q 12
ip address 10.10.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN12_ZONE
no cdp enable
!
interface GigabitEthernet0/0.13
description Company13
encapsulation dot1Q 13
ip address 10.10.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN13_ZONE
no cdp enable
!
interface GigabitEthernet0/0.14
description Company14
encapsulation dot1Q 14
ip address 10.10.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN14_ZONE
no cdp enable
!
interface GigabitEthernet0/0.15
description Company15
encapsulation dot1Q 15
ip address 10.10.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 1000000 5000 5000 conform-action continue exceed-action drop
rate-limit output 1000000 5000 5000 conform-action continue exceed-action drop
zone-member security VLAN15_ZONE
no cdp enable
!
interface GigabitEthernet0/0.50
description WLAN
encapsulation dot1Q 50
ip address 10.10.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN50_ZONE
no cdp enable
permit udp any any eq 902
permit ip 192.168.96.0 0.0.0.255 10.10.1.0 0.0.0.255
permit tcp any any eq www
permit tcp any any eq 8080
permit tcp any any eq domain
permit udp any any eq domain
ip access-list extended PPTP_ALLOW
permit gre any any
permit tcp any any eq 1723
ip access-list extended PPTP_BACK
permit gre any any
permit tcp any eq 1723 any
!
logging trap debugging
logging 10.10.50.5
access-list 9 permit xxxxxxxxxxxxxx
access-list 9 permit xxxxxxxxxxxx
access-list 9 permit xxxxxxxxxxxxxxxx
access-list 9 permit 10.10.1.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.168.97.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.168.96.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 105 permit ip 10.10.12.0 0.0.0.255 any
access-list 105 permit ip 10.10.13.0 0.0.0.255 any
access-list 105 permit ip 10.10.14.0 0.0.0.255 any
access-list 105 permit ip 10.10.15.0 0.0.0.255 any
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.10.1.0 0.0.0.255 192.168.96.0 0.0.0.255
!
no cdp run

!
interface GigabitEthernet0/1
description NOT_USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN
bandwidth 10240
ip address xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
crypto map tedact_iosoft
!
service-policy output QOS_POLICY
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/2
peer default ip address pool test
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
!
ip local pool test 10.10.12.5 10.10.12.25
ip local pool test 10.10.1.200 10.10.1.250
ip forward-protocol nd
!
ip http server
ip http access-class 9
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload2 xxxxxxxxxxxxxxxxxxxxxxx prefix-length 28
ip nat inside source list 105 pool with_overload2 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxx
!
ip access-list extended MIXED_ALLOWED
permit tcp any any eq 465
permit tcp any any eq 587
permit tcp any eq 587 any
permit tcp any eq 465 any
permit esp 10.10.1.0 0.0.0.255 any
permit ip 10.10.1.0 0.0.0.255 10.10.50.0 0.0.0.255
permit tcp any any eq 2082
permit tcp any any eq 2083
permit tcp any any eq 2086
permit tcp any any eq 2087
permit tcp any any eq 2095
permit tcp any any eq 2096
permit tcp any any eq 5900
permit udp any any eq 5900
permit udp any any eq 902
permit udp any any eq 3544
permit tcp any any eq 138
permit udp any any eq netbios-dgm
permit ip 192.168.96.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 192.168.96.0 0.0.0.255
ip access-list extended MIXED_ALLOW_BACK
permit tcp any any eq 587
permit tcp any eq 587 any
permit tcp any eq 465 any
permit tcp any any eq 465
permit esp any 10.10.1.0 0.0.0.255
permit tcp any any eq 902
permit tcp any any eq 903

4 Replies

Jennifer Halim
Cisco Employee

The policy to allow traffic from remote towards local LAN is called PPTP_ALLOW_BACK.

That policy needs to allow traffic to be initiated from 192.168.96.0/24 towards 10.10.1.0/24 as follows:

ip access-list extended MIXED_ALLOW_BACK

     permit ip 192.168.96.0 0.0.0.255 10.10.1.0 0.0.0.255

Hope that helps.
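
Added example (not part of either post, and not Cisco code): a small Python model of first-match class selection in the PPTP_ALLOW_BACK policy, run over a constructed excerpt of the posted config, to see which class a ping from 192.168.96.0/24 to 10.10.1.0/24 lands in with and without the ACE suggested above. The function names are hypothetical, and the model assumes a class matches when its ACL permits the packet; it does not model NAT, the crypto map, or what the inspect engine does after classification.

```python
import ipaddress

# Constructed excerpt of the config posted in the question (WAN-to-LAN policy).
CONFIG = """\
class-map type inspect match-all MIXED_ALLOWED_BACK_CLASS
 match access-group name MIXED_ALLOW_BACK
class-map type inspect match-any PPTP_ALLOW_BACK
 match access-group name PPTP_BACK
policy-map type inspect PPTP_ALLOW_BACK
 class type inspect PPTP_ALLOW_BACK
  pass
 class type inspect MIXED_ALLOWED_BACK_CLASS
  inspect
 class class-default
  drop
ip access-list extended PPTP_BACK
 permit gre any any
 permit tcp any eq 1723 any
ip access-list extended MIXED_ALLOW_BACK
 permit tcp any any eq 587
 permit esp any 10.10.1.0 0.0.0.255
"""
SUGGESTED_ACE = " permit ip 192.168.96.0 0.0.0.255 10.10.1.0 0.0.0.255\n"  # from the reply

def parse(config):
    acls, class_maps, policy_maps, section = {}, {}, {}, None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[:3] == ["ip", "access-list", "extended"]:
            section = acls.setdefault(w[3], [])
        elif w[0] == "class-map":
            section = class_maps.setdefault(w[-1], {"mode": w[-2], "acls": []})["acls"]
        elif w[0] == "policy-map":
            section = policy_maps.setdefault(w[-1], [])
        elif w[0] == "class":
            section.append([w[-1], None])          # [class name, action]
        elif w[0] in ("pass", "inspect", "drop"):
            section[-1][1] = w[0]
        else:  # "match access-group name X" -> X; otherwise a permit/deny ACE
            section.append(w[3] if w[0] == "match" else w)
    return acls, class_maps, policy_maps

def endpoint(tok, addr, pkt_port):
    """Match 'any' | 'address wildcard' [eq <numeric port>]; return (ok, rest)."""
    ok, n = True, 1
    if tok[0] != "any":  # wildcard bits are "don't care", the rest must equal base
        base, wild = (int(ipaddress.ip_address(t)) for t in tok[:2])
        ok, n = not ((int(ipaddress.ip_address(addr)) ^ base) & ~wild & 0xFFFFFFFF), 2
    tok = tok[n:]
    if tok[:1] == ["eq"]:
        ok, tok = ok and int(tok[1]) == pkt_port, tok[2:]
    return ok, tok

def acl_permits(aces, pkt):
    for action, proto, *rest in aces:
        src_ok, rest = endpoint(rest, pkt["src"], pkt.get("sport"))
        dst_ok, _ = endpoint(rest, pkt["dst"], pkt.get("dport"))
        if src_ok and dst_ok and proto in ("ip", pkt["proto"]):
            return action == "permit"
    return False                                   # implicit deny

def zone_pair_action(config, policy, pkt):
    """Return (class, action) of the first class in the policy-map that matches."""
    acls, class_maps, policy_maps = parse(config)
    for cls, action in policy_maps[policy]:
        cm = class_maps.get(cls, {"mode": "match-all", "acls": []})  # class-default
        combine = all if cm["mode"] == "match-all" else any
        if combine(acl_permits(acls[n], pkt) for n in cm["acls"]):
            return cls, action
    return "class-default", "drop"
```
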

I have changed my config a bit and it is still the same problem. I want multiple site-to-site connections on my WAN interface and am unsure how to configure it. And still one tunnel is up and I cannot ping between the local networks.

Regards Tommy Svensson

class-map match-any VOIP_CLASS
match protocol skype
class-map type inspect match-any PPTP_ALLOW_CLASS
match access-group name PPTP_ALLOW
class-map match-any WEB_MAIL_CLASS
match protocol http
match protocol secure-http
match protocol secure-imap
match protocol secure-pop3
match protocol ssh
match protocol smtp
match protocol imap
match protocol pop3
class-map type inspect match-any STANDARD
match protocol http
match protocol https
match protocol icmp
match protocol echo
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
match protocol dns
match protocol ssh
match protocol directconnect
match protocol ftp
match protocol ftps
match protocol exec
match protocol dnsix
match protocol ddns-v3
match protocol h323
match protocol h323-annexe
match protocol h323-nxg
match protocol icq
match protocol imap3
match protocol ipsec-msft
match protocol irc
match protocol irc-serv
match protocol ircu
match protocol iscsi
match protocol kerberos
match protocol ldap
match protocol microsoft-ds
match protocol lotusmtap
match protocol lotusnote
match protocol ldap-admin
match protocol ldaps
match protocol login
match protocol nfs
match protocol oracle
match protocol tftp
match protocol rtsp
match protocol sip
match protocol pptp
match protocol qmtp
match protocol radius
match protocol tacacs
match protocol realsecure
match protocol realmedia
match protocol rtelnet
match protocol send
match protocol shell
match protocol sshell
class-map type inspect match-all MIXED_ALLOWED_BACK_CLASS
match access-group name MIXED_ALLOW_BACK
class-map type inspect match-any MIXED_ALLOW_CLASS
match access-group name MIXED_ALLOWED
class-map type inspect match-any PPTP_ALLOW_BACK
match access-group name PPTP_BACK
!
!
policy-map QOS_POLICY
class VOIP_CLASS
    priority percent 30
  set dscp ef
class WEB_MAIL_CLASS
    bandwidth remaining percent 75
policy-map type inspect STANDARD
class type inspect STANDARD
  inspect
class type inspect PPTP_ALLOW_CLASS
  pass
class type inspect MIXED_ALLOW_CLASS
  inspect
class class-default
  drop
policy-map type inspect PPTP_ALLOW_BACK
class type inspect PPTP_ALLOW_BACK
  pass
class type inspect MIXED_ALLOWED_BACK_CLASS
  inspect
class class-default
  drop
!
zone security VLAN10_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN11_ZONE
zone security VLAN12_ZONE
zone security VLAN13_ZONE
zone security VLAN14_ZONE
zone security VLAN15_ZONE
zone security VLAN50_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN10 source WAN_ZONE destination VLAN10_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN11 source WAN_ZONE destination VLAN11_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN12 source WAN_ZONE destination VLAN12_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN13 source WAN_ZONE destination VLAN13_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN14 source WAN_ZONE destination VLAN14_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security WAN_TO_VLAN15 source WAN_ZONE destination VLAN15_ZONE
service-policy type inspect PPTP_ALLOW_BACK
zone-pair security VLAN_11_TO_WAN source VLAN11_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_12_TO_WAN source VLAN12_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_13_TO_WAN source VLAN13_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_14_TO_WAN source VLAN14_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_15_TO_WAN source VLAN15_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_50_TO_WAN source VLAN50_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_50_TO_VLAN1 source VLAN50_ZONE destination VLAN1_ZONE
service-policy type inspect STANDARD
zone-pair security VLAN_1_TO_VLAN50 source VLAN1_ZONE destination VLAN50_ZONE
service-policy type inspect STANDARD
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address xxxxxxxxxxxxx
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address xxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set tedact esp-3des esp-sha-hmac
!
crypto map tedact 1 ipsec-isakmp
description Multiple tunnels
set peer xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set transform-set tedact
match address 110
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description MANAGEMENT
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security VLAN1_ZONE
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.10
description Company10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.11
description Company11
encapsulation dot1Q 11
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 1000000 5000 5000 conform-action continue exceed-action drop
rate-limit output 1000000 5000 5000 conform-action continue exceed-action drop
zone-member security VLAN11_ZONE
no cdp enable
!
interface GigabitEthernet0/0.12
description Company12
encapsulation dot1Q 12
ip address 10.10.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN12_ZONE
no cdp enable
!
interface GigabitEthernet0/0.13
description Company13
encapsulation dot1Q 13
ip address 10.10.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN13_ZONE
no cdp enable
!
interface GigabitEthernet0/0.14
description Company14
encapsulation dot1Q 14
ip address 10.10.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN14_ZONE
no cdp enable
!
interface GigabitEthernet0/0.15
description Company15
encapsulation dot1Q 15
ip address 10.10.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 1000000 5000 5000 conform-action continue exceed-action drop
rate-limit output 1000000 5000 5000 conform-action continue exceed-action drop
zone-member security VLAN15_ZONE
no cdp enable
!
interface GigabitEthernet0/0.50
description WLAN
encapsulation dot1Q 50
ip address 10.10.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN50_ZONE
no cdp enable
!
interface GigabitEthernet0/1
description NOT_USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN
bandwidth 10240
ip address xxxxxxxxxxxxxx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
crypto map tedact
!
service-policy output QOS_POLICY
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/2
peer default ip address pool test
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
!
ip local pool test 10.10.12.5 10.10.12.25
ip local pool test 10.10.1.200 10.10.1.250
ip forward-protocol nd
!
ip http server
ip http access-class 9
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload2 xxxxxxxxxxxxxxxxxxxxx prefix-length 28
ip nat inside source list 105 pool with_overload2 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
!
ip access-list extended MIXED_ALLOWED
permit tcp any any eq 465
permit tcp any any eq 587
permit tcp any eq 587 any
permit tcp any eq 465 any
permit esp 10.10.1.0 0.0.0.255 any
permit ip 10.10.1.0 0.0.0.255 10.10.50.0 0.0.0.255
permit tcp any any eq 2082
permit tcp any any eq 2083
permit tcp any any eq 2086
permit tcp any any eq 2087
permit tcp any any eq 2095
permit tcp any any eq 2096
permit tcp any any eq 5900
permit udp any any eq 5900
permit udp any any eq 902
permit udp any any eq 3544
permit tcp any any eq 138
permit udp any any eq netbios-dgm
permit udp any any eq snmp
permit udp any any eq snmptrap
permit tcp any any eq 162
permit tcp any any eq 9100
permit udp any any eq 9100
permit tcp any any eq 3366
permit udp any any eq 3366
ip access-list extended MIXED_ALLOW_BACK
permit tcp any any eq 587
permit tcp any eq 587 any
permit tcp any eq 465 any
permit tcp any any eq 465
permit esp any 10.10.1.0 0.0.0.255
permit tcp any any eq 902
permit tcp any any eq 903
permit udp any any eq 902
permit tcp any any eq www
permit tcp any any eq 8080
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq 3
permit udp any any eq 3
permit ip 192.168.96.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 192.168.111.0 0.0.0.255 10.10.1.0 0.0.0.255
ip access-list extended PPTP_ALLOW
permit gre any any
permit tcp any any eq 1723
ip access-list extended PPTP_BACK
permit gre any any
permit tcp any eq 1723 any
permit ip 192.168.96.0 0.0.0.255 10.10.1.0 0.0.0.255
!
logging trap debugging
logging 10.10.50.5
access-list 9 permit xxxxxxxx
access-list 9 permit xxxxxxxxxx
access-list 9 permit xxxxxxxxxx
access-list 9 permit 10.10.1.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.168.97.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.168.96.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 105 permit ip 10.10.12.0 0.0.0.255 any
access-list 105 permit ip 10.10.13.0 0.0.0.255 any
access-list 105 permit ip 10.10.14.0 0.0.0.255 any
access-list 105 permit ip 10.10.15.0 0.0.0.255 any
access-list 110 permit ip 10.10.1.0 0.0.0.255 192.168.96.0 0.0.0.255
access-list 110 permit ip 10.10.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit ip 10.10.1.0 0.0.0.255 192.168.111.0 0.0.0.255


Anyone that has got an idea of how to solve this?

It would be very appreciated.

Regards Tommy Svensson

No one that could solve this matter for me? It's giving me a headache already.

Regards Tommy Svensson