site to site VPN ISSUE

junaid haroon
Level 1

Hi,

We have a site-to-site VPN configured between a Cisco 2600 router (OS 12.2) and a Fortigate 100D. Everything is working fine, but I am facing a strange issue.

At the branch side we have the Cisco router and devices like a printer, access control (attendance device) and cameras. We cannot access these devices from head office through HTTP, whereas in the local LAN of the branch there is no problem with HTTP.

 

The Fortigate support team told me it is not a Fortigate issue; they have troubleshot and verified that everything is working fine from the Fortigate end, and they told me the issue is with the Cisco device.

 

Below is my Cisco router configuration; please help me out.

 

Building configuration...

Current configuration : 2590 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname wrtre
!
logging queue-limit 100
!
ip subnet-zero
!
!
no ip domain lookup
ip name-server 10.16.6.10
ip name-server 10.16.7.12
ip name-server 8.8.8.8
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.3.200 192.168.3.254
!
ip dhcp pool store
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.254
   dns-server 192.168.0.1 192.168.0.4
   lease 30
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***************** address 124.109.36.242
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto map smap 10 ipsec-isakmp
 set peer 124.109.36.242
 set transform-set tset
 match address 101
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface ATM0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 58.27.222.42 255.255.255.252
 ip nat outside
 speed 100
 full-duplex
 crypto map smap
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description inside interface
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
ip nat inside source list 111 interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 58.27.222.41
!
!
!
access-list 101 permit tcp host 192.168.3.7 any eq www
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nat permit 10
 match ip address 111
!
call rsvp-sync
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
!
dial-peer cor custom
!

!
scheduler allocate 20000 1000
!
end

11 Replies

This line doesn't make any sense:

access-list 101 permit tcp host 192.168.3.7 any eq www

The rest should be functionally correct, although you are using crypto from the 80s. It could be considered cleartext nowadays.

What to check next:

Are the devices in the remote office using the right gateway?

Yeah, I can ping the devices, and telnet from head office to the branch through port 80 is also successful.

 

access-list 101 permit tcp host 192.168.3.7 any eq www? Can you explain why this does not make any sense?

 

Where is the issue?

 

 

> Yeah, I can ping the devices, and telnet from head office to the branch through port 80 is also successful.

Then there could also be access control on the devices themselves.

> Can you explain why this does not make any sense?

This line tells the router that traffic from 192.168.3.7 to any destination/80 is allowed to the tunnel. But if you communicate to a destination that is not 192.168.0/10/50/101, then the NAT will change the 192.168.3.7 to the outside IP and it can't go through the tunnel any more.
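The reply above hinges on the order of operations on the router: the NAT source list (access-list 111) is consulted and the source address translated before the crypto map's ACL (access-list 101) is checked on the outgoing interface. The following is an added example, not code from the thread: a small Python model of the two ACLs transcribed from the posted config, with Cisco wildcard-mask matching, that shows which flows reach the tunnel with their original source and which are translated to the outside address first. The outside address, ACL lines and subnets are taken from the posted config; the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Added example (not from the thread): the posted router config reduced to the
# two ACLs and the outside address that decide NAT and tunnel selection.
OUTSIDE_IP = "58.27.222.42"                         # FastEthernet0/0 in the posted config
ANY = ("0.0.0.0", "255.255.255.255")                # Cisco 'any'
BRANCH = ("192.168.3.0", "0.0.0.255")
REMOTE = [("192.168.0.0", "0.0.0.255"), ("192.168.101.0", "0.0.0.255"),
          ("192.168.50.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255")]

def host(ip: str) -> Tuple[str, str]:
    """Cisco 'host A.B.C.D' is the address with an all-zero wildcard mask."""
    return (ip, "0.0.0.0")

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    src: Tuple[str, str]         # (address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # 'eq <port>' on the destination, if present

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80

# access-list 101 (crypto map 'match address') and access-list 111 (NAT source list),
# transcribed line for line from the config in the original post.
ACL_101 = [Ace("permit", "tcp", host("192.168.3.7"), ANY, 80)] + \
          [Ace("permit", "ip", BRANCH, net) for net in REMOTE]
ACL_111 = [Ace("deny", "ip", BRANCH, net) for net in REMOTE] + \
          [Ace("permit", "ip", BRANCH, ANY)]

def wildcard_match(addr: str, rule: Tuple[str, str]) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(rule[0]))
    care = ~int(ipaddress.IPv4Address(rule[1])) & 0xFFFFFFFF
    return (a & care) == (base & care)

def acl_eval(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

def forward(pkt: Packet) -> dict:
    """Inside-to-outside order of operations on IOS: the NAT source list is
    applied and the source translated before the crypto map ACL on the
    outgoing interface is checked, which is the point the reply makes."""
    if acl_eval(ACL_111, pkt) == "permit":
        pkt = replace(pkt, src=OUTSIDE_IP)          # translated to the outside address
    return {"src_on_wire": pkt.src, "encrypted": acl_eval(ACL_101, pkt) == "permit"}

if __name__ == "__main__":
    # Constructed sample flows from the branch host named in the thread
    for dst in ("192.168.0.31", "8.8.8.8"):
        print(dst, forward(Packet("192.168.3.7", dst)))
```

Running it shows that HTTP from 192.168.3.7 to the head-office subnets is exempted from NAT by the deny lines of list 111 and then matched by list 101, while HTTP from the same host to any other destination is translated to 58.27.222.42 first, after which no line of list 101 can match it; the first line of list 101 therefore never selects traffic that the later lines would not already select.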

 

Hi,

Yes, the devices have access control; I have checked and all IPs are allowed.

What I get is that the router is not processing HTTP traffic through the tunnel. Below is the debug from the Fortigate device:

 

id=20085 trace_id=52 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 192.168.0.31:61788->192.168.3.7:80) from lan. flag [R.], seq 351967354, ack 584979354, win 0" 
id=20085 trace_id=52 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-0016fd08, original direction" 
id=20085 trace_id=52 func=ipsec_tunnel_output4 line=859 msg="enter IPsec tunnel-ISB_TO_Store_VPN_P1" 
id=20085 trace_id=52 func=esp_output4 line=885 msg="encrypting, and send to 58.27.221.42 with source 124.109.46.242" 
id=20085 trace_id=51 func=ipsec_output_finish line=231 msg="send to 124.109.46.241 via intf-wan1" 

> What I get is that the router is not processing HTTP traffic through the tunnel.

How do you tell that?

To see if there is traffic you can put the following config on the router:

ip access-list ext TEST-FA01-in
 permit tcp host 192.168.3.7 host 192.168.0.31 log
 permit ip any any
ip access-list ext TEST-FA01-out
 permit tcp host 192.168.0.31 host 192.168.3.7 log
 permit ip any any
!
int fa0/1
 ip access-group TEST-FA01-in in
 ip access-group TEST-FA01-out out

EDIT: Typo in the ACL-names corrected.

 

I entered the above statements in my router.

Now how will I check the ACL logs through a telnet session?

(Please look at the corrected configs above; you probably spotted that there was a typo in the ACL names.)

You can use "show logging" or "sh ip access-list" to see the hitcounts.

Traffic is matching, so where is the issue? I am really fed up with this issue.

 

Please tell me one thing more: my router version is (C2600-IK9O3S-M), Version 12.2(15)T12. Will it support AES encryption? Send me any link where I can verify its features.

 

I want a solution, please help me out.

> Traffic is matching, so where is the issue? I am really fed up with this issue.

Is it matching both in- and outbound?

Yes, traffic is matching.

 

Store_RTR#sh ip access-lists
Extended IP access list 101
    10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255 (9531900 matches)
    20 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255 (5136 matches)
    30 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255 (121391 matches)
    40 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255 (1 match)
Extended IP access list 111
    10 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255 (4455489 matches)
    20 deny ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255 (2396 matches)
    30 deny ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255 (66047 matches)
    40 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255 (1 match)
    50 permit ip 192.168.3.0 0.0.0.255 any (105377 matches)
Extended IP access list TEST-FA01-in
    10 permit tcp host 192.168.3.7 host 192.168.0.31 log (15 matches)
    20 permit ip any any (968 matches)
Extended IP access list TEST-FA01-out
    10 permit tcp host 192.168.0.31 host 192.168.3.7 log (9 matches)
    20 permit ip any any (1258 matches)
Store_RTR#

 

Please tell me one thing more: my router version is (C2600-IK9O3S-M), Version 12.2(15)T12. Will it support AES encryption? Send me any link where I can verify its features.
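The test ACLs suggested earlier and the "show ip access-lists" output pasted above are the thread's way of checking whether the flow is seen in both directions. As an added example, not code from the thread, here is a Python parser for that output that turns the per-entry hit counters into a dictionary, so the inbound and outbound counters of the logged test entries can be compared programmatically, and a helper that diffs two snapshots of the output so a practitioner can see which entries incremented between two runs of the command. The first sample input is the output pasted above; the second snapshot is constructed from it to exercise the diff.

```python
import re
from typing import Dict, Tuple

# Sample input: the 'sh ip access-lists' output pasted in the thread.
SHOW_OUTPUT = """Store_RTR#sh ip access-lists
Extended IP access list 101
    10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255 (9531900 matches)
    20 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255 (5136 matches)
    30 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255 (121391 matches)
    40 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255 (1 match)
Extended IP access list 111
    10 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255 (4455489 matches)
    20 deny ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255 (2396 matches)
    30 deny ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255 (66047 matches)
    40 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255 (1 match)
    50 permit ip 192.168.3.0 0.0.0.255 any (105377 matches)
Extended IP access list TEST-FA01-in
    10 permit tcp host 192.168.3.7 host 192.168.0.31 log (15 matches)
    20 permit ip any any (968 matches)
Extended IP access list TEST-FA01-out
    10 permit tcp host 192.168.0.31 host 192.168.3.7 log (9 matches)
    20 permit ip any any (1258 matches)
Store_RTR#
"""

# Constructed second snapshot (not from the thread): the inbound test entry has incremented.
SNAPSHOT_2 = SHOW_OUTPUT.replace("(15 matches)", "(23 matches)")

Acls = Dict[str, Dict[int, Tuple[str, int]]]

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
# IOS prints the hit counter only for entries that have matched at least once,
# so the '(N matches)' suffix is optional.
ACE_LINE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_show_access_lists(text: str) -> Acls:
    """Map ACL name -> {sequence number: (entry text, match count)}."""
    acls: Acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = {}
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            acls[current][int(seq)] = (f"{action} {rule}", int(hits or 0))
    return acls

def flow_hits(acls: Acls, in_acl: str, out_acl: str, seq: int = 10) -> Tuple[int, int]:
    """Hit counts of the logged test entries in both directions."""
    return acls[in_acl][seq][1], acls[out_acl][seq][1]

def counter_delta(old: Acls, new: Acls) -> Dict[str, Dict[int, int]]:
    """Entries whose counters changed between two snapshots, as increments."""
    delta: Dict[str, Dict[int, int]] = {}
    for name, entries in new.items():
        for seq, (_, hits) in entries.items():
            before = old.get(name, {}).get(seq, ("", 0))[1]
            if hits != before:
                delta.setdefault(name, {})[seq] = hits - before
    return delta

if __name__ == "__main__":
    first = parse_show_access_lists(SHOW_OUTPUT)
    print("in/out hits:", flow_hits(first, "TEST-FA01-in", "TEST-FA01-out"))
    print("delta:", counter_delta(first, parse_show_access_lists(SNAPSHOT_2)))
```

Taking two snapshots a few seconds apart while reproducing the HTTP request, and diffing them with counter_delta, answers the question "is it matching both in- and outbound?" with numbers rather than a glance at the raw output.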

 

I just saw that you wrote above that ping/telnet to the device is working, so the ACL-test was not really meaningful. Sorry for any confusion.

I think you have to place a PC in the branch that captures the traffic to see what comes back from the device.

For AES: I don't remember exactly, but I think it was one of the many 12.2(8)T changes. Just try to configure it in the transform-set. Without encryption hardware I would stick with AES 128-bit.
