Traffic goes down VPN but not out to internet

richardwhit
Level 1

Hi,

I am setting up an 877W. I have configured an IPSec VPN and the traffic that is meant to go down this does. However the rest of the traffic, which is supposed to go out to the internet, seems to be dropped. I can't figure out where; I've logged all the ACLs and nothing shows up as being odd, but I just can't understand what is happening to the internet-bound traffic.

I can post the full config if needed. The relevant parts of the config so far are here:

ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key isakmpkey address x.x.x.x
!
crypto ipsec transform-set dyn-map esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer x.x.x.x
 set transform-set dyn-map
 match address 120
!
bridge irb
!
interface ATM0
 no ip address
 no cdp enable
 shutdown
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
.......................
!
interface Vlan1
 no ip address
 ip inspect firewall in
 ip access-group 100 in
 bridge-group 1
!
interface Vlan2
 no ip address
 ip inspect firewall in
 ip access-group 101 in
 bridge-group 2
!
interface Dialer0
 ip address x.x.x.x 255.0.0.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
 crypto map nolan
!
interface BVI1
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI2
 ip address 172.17.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 2 permit 172.17.0.0 0.0.0.255
access-list 3 deny 172.17.0.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 any log
access-list 100 permit ip any any
access-list 101 permit ip 172.17.0.0 0.0.0.255 any log
access-list 101 permit ip any any
access-list 103 permit ip host x.x.x.x host x.x.x.x log
access-list 103 permit ip 172.31.0.0 0.0.255.255 192.168.80.0 0.0.0.255 ------- 172.31.0.0/16 is the subnet at the other end of the tunnel
access-list 103 deny ip any any
access-list 120 permit ip 192.168.80.0 0.0.0.255 172.31.0.0 0.0.255.255 log
access-list 120 deny ip any any
access-list 130 deny ip 192.168.80.0 0.0.0.255 172.31.0.0 0.0.255.255 log
access-list 130 permit ip 192.168.80.0 0.0.0.255 any
access-list 130 permit ip 172.17.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
dialer-list 1 protocol ip permit
!

4 Replies

grant.maynard
Level 4

Your NAT and VPN config looks fine, but I'm suspicious of the bridging. Can you not remove the bridging and put IPs on the VLAN interfaces?

Thanks for the response, I'll give that a try and get back to you.

OK, I've removed the bridging from VLAN1 and given the VLAN1 interface an IP address. I can now get out to the internet OK on VLAN1. So it does appear to be the bridging that is causing the problem.

However I need the bridging interfaces to set up the wireless interface to work. Have you got any further suggestions?

Great! Got it working. I moved the ip inspect firewall in lines to the bridge interface configuration so they were on the same interface as where NAT is configured, and it's now working.

Thanks for pointing me in the right direction
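As an added example (not from the thread or from the original poster's own tooling), a small Python audit that parses IOS interface stanzas and flags the misplacement resolved above: CBAC inspection (ip inspect ... in) applied on a bridge-group member VLAN while the BVI for that group carries the IP address and ip nat inside. The embedded sample config is a constructed, trimmed copy of the one posted in the question.

```python
"""Audit an IOS config for 'ip inspect' applied on a bridged L2 interface while
the routed BVI for that bridge group carries the NAT (this thread's misplacement)."""
import re

# Constructed sample, trimmed from the configuration posted in the question.
SAMPLE_CONFIG = """\
interface Vlan1
 no ip address
 ip inspect firewall in
 bridge-group 1
!
interface BVI1
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
!
"""

def parse_interfaces(config):
    """Return {name: [sub-commands]} for every 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith("!") or not line.strip():
            current = None                      # '!' closes the stanza
        elif current is not None:
            current.append(line.strip())
    return stanzas

def find_misplaced_inspect(config):
    """Return [(member, bvi)]: inspection on a bridge-group member whose BVI
    does 'ip nat inside' but has no inspection of its own."""
    ifaces = parse_interfaces(config)
    has_inspect = lambda cmds: any(c.startswith("ip inspect ") for c in cmds)
    findings = []
    for name, cmds in ifaces.items():
        group = next((c.split()[1] for c in cmds if c.startswith("bridge-group ")), None)
        if group is None or not has_inspect(cmds):
            continue                            # not a bridged member, or no inspection here
        bvi = f"BVI{group}"
        bvi_cmds = ifaces.get(bvi, [])
        if "ip nat inside" in bvi_cmds and not has_inspect(bvi_cmds):
            findings.append((name, bvi))
    return findings

if __name__ == "__main__":
    for member, bvi in find_misplaced_inspect(SAMPLE_CONFIG):
        print(f"{member}: move 'ip inspect firewall in' to {bvi}, where NAT is applied")
```

Once the inspect line is moved onto the BVI, as in the final reply, the audit returns no findings for that bridge group.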