08-03-2006 05:21 AM - edited 02-21-2020 02:33 PM
Hi,
I am setting up an 877W. I have configured an IPSec VPN and the traffic that is meant to go down this does. However, the rest of the traffic, which is supposed to go out to the internet, seems to be dropped. I can't figure out where; I've logged all the ACLs and nothing shows up as being odd, but I just can't understand what is happening to the internet-bound traffic.
I can post the full config if needed. The relevant parts of the config so far are here:
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key isakmpkey address x.x.x.x
!
!
crypto ipsec transform-set dyn-map esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer x.x.x.x
set transform-set dyn-map
match address 120
!
!
!
!
bridge irb
!
!
!
interface ATM0
no ip address
no cdp enable
shutdown
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
.......................
!
interface Vlan1
no ip address
ip inspect firewall in
ip access-group 100 in
bridge-group 1
!
interface Vlan2
no ip address
ip inspect firewall in
ip access-group 101 in
bridge-group 2
!
interface Dialer0
ip address x.x.x.x 255.0.0.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username
ppp chap password password
crypto map nolan
!
!
interface BVI1
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI2
ip address 172.17.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 2 permit 172.17.0.0 0.0.0.255
access-list 3 deny 172.17.0.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 any log
access-list 100 permit ip any any
access-list 101 permit ip 172.17.0.0 0.0.0.255 any log
access-list 101 permit ip any any
access-list 103 permit ip host x.x.x.x host x.x.x.x log
access-list 103 permit ip 172.31.0.0 0.0.255.255 192.168.80.0 0.0.0.255 ------- 172.31.0.0/16 is the subnet at the other end of the tunnel
access-list 103 deny ip any any
access-list 120 permit ip 192.168.80.0 0.0.0.255 172.31.0.0 0.0.255.255 log
access-list 120 deny ip any any
access-list 130 deny ip 192.168.80.0 0.0.0.255 172.31.0.0 0.0.255.255 log
access-list 130 permit ip 192.168.80.0 0.0.0.255 any
access-list 130 permit ip 172.17.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
dialer-list 1 protocol ip permit
!
!
08-04-2006 02:28 AM
Your NAT and VPN config looks but I'm suspicious of the bridging. Can you not remove the bridging and put IPS on the VLAN interfaces?
08-04-2006 03:08 AM
Thanks for the response, I'll give that a try and get back to you.
08-04-2006 07:09 AM
OK, I've removed the bridging from VLAN1 and given VLAN1 interface an IP address. I can now get out to the internet OK on VLAN1. So it does appear to be the bridging that is causing the problem.
However I need the bridging interfaces to set up the wireless interface to work. Have you got any further suggestions?
08-04-2006 07:52 AM
Great! Got it working. I moved the ip inspect firewall in lines to the bridge interface configuration so they were on the same interface as where NAT is configured, and it's now working.
Thanks for pointing me in the right direction.
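As an added illustration of the fix described in the last post, the fragment below reconstructs what the interface configuration looks like after the move. It is not the poster's final config (which was never posted); it is assembled from the original config above and the poster's description. Under IRB the Vlan interfaces carry no IP address, so the routed path is the BVI; placing CBAC (ip inspect) on the BVI alongside ip nat inside lets it inspect the routed packets and insert the temporary return-traffic entries that get past the final deny in access-list 103 on Dialer0. The show commands at the end are standard IOS verification commands, not something from the thread.

```cisco
! Added example, reconstructed from the thread; not the poster's saved config.
! The bridged VLAN interfaces keep their bridge-group and inbound ACL,
! but inspection is removed from them.
interface Vlan1
 no ip address
 no ip inspect firewall in
 ip access-group 100 in
 bridge-group 1
!
interface Vlan2
 no ip address
 no ip inspect firewall in
 ip access-group 101 in
 bridge-group 2
!
! Inspection moves to the routed BVI interfaces, the same place
! "ip nat inside" is already applied.
interface BVI1
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
!
interface BVI2
 ip address 172.17.0.1 255.255.255.0
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
!
! Dialer0 is unchanged: access-list 103 still denies unsolicited inbound
! traffic, and CBAC opens temporary entries only for return traffic of
! sessions it has inspected on the BVIs.
!
! Verification from privileged EXEC:
! show ip inspect sessions    - sessions for hosts on 192.168.80.0/24 and 172.17.0.0/24
! show ip nat translations    - overload translations to the Dialer0 address
! show crypto ipsec sa        - 192.168.80.0/24 <-> 172.31.0.0/16 still goes through the tunnel
! show access-lists 103       - matches on the final deny are traffic CBAC did not open a session for
```

Note that access-list 130 (the NAT route-map) and access-list 120 (the crypto map) do not change: tunnel traffic is still excluded from NAT by the deny in 130 and selected for encryption by 120, so the fix is purely about which interface performs inspection.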