03-11-2014 08:36 AM
Hi All,
I can't seem to find where I'm going wrong. I have a site-to-site VPN tunnel that works and passes traffic, but as soon as I add another access list to allow internet-bound traffic out, nothing passes through the tunnel. What am I missing?
ip nat pool _Int 217.10.175.100 217.10.175.100 prefix-length 24
ip nat inside source list 101 pool _Int overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 217.10.176.xxx permanent
!
ip access-list extended VPN-TRAFFIC
permit ip 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255
permit ip 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255
permit ip 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255
permit ip 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255
permit ip 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255
permit ip 192.168.224.200 0.0.0.7 any
permit ip 192.168.224.200 0.0.0.7 10.82.128.0 0.0.31.255
permit ip 192.168.224.200 0.0.0.7 10.82.160.0 0.0.7.255
permit ip 192.168.224.200 0.0.0.7 10.82.168.0 0.0.3.255
permit ip 192.168.224.200 0.0.0.7 10.82.172.0 0.0.1.255
permit ip 192.168.224.200 0.0.0.7 10.82.174.0 0.0.0.255
!
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any
Any help is appreciated,
Thanks,
Joel
03-12-2014 06:09 AM
Try to deny tcp/udp/icmp traffic to the remote site in ACL 101 for the NAT. Put the deny rules at the top of ACL 101.
no access-list 101
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq domain
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any
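As an added illustration that is not part of either post, the Python model below applies IOS first-match ACL semantics to the lists above and evaluates NAT before the crypto map, as the router does on the inside-to-outside path. It assumes a crypto ACL containing only the 10.82.175.0/24 entries of VPN-TRAFFIC, and the hosts 10.82.130.5 and 203.0.113.5 are constructed test addresses.

```python
import ipaddress
from dataclasses import dataclass

NAT_IP = "217.10.175.100"  # pool _Int from the question

def wc_match(addr, net, wildcard):
    # Cisco wildcard mask: bits set in the wildcard are "don't care".
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str; src_wc: str
    dst: str; dst_wc: str
    dport: int = None    # None = any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return wc_match(src, self.src, self.src_wc) and wc_match(dst, self.dst, self.dst_wc)

def first_match(acl, proto, src, dst, dport=None):
    # IOS semantics: first matching entry wins, implicit deny at the end.
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"

LAN, ANY = ("10.82.175.0", "0.0.0.255"), ("0.0.0.0", "255.255.255.255")
REMOTE = [("10.82.128.0", "0.0.31.255"), ("10.82.160.0", "0.0.7.255"),
          ("10.82.168.0", "0.0.3.255"), ("10.82.172.0", "0.0.1.255"),
          ("10.82.174.0", "0.0.0.255")]
INTERNET = [("tcp", 443), ("tcp", 80), ("udp", 53), ("icmp", None)]
CRYPTO = [Ace("permit", "ip", *LAN, *r) for r in REMOTE]   # VPN-TRAFFIC, LAN entries
ACL_ORIGINAL = [Ace("permit", p, *LAN, *ANY, port) for p, port in INTERNET]  # question
ACL_REVISED = [Ace("deny", p, *LAN, *r, port) for r in REMOTE               # answer
               for p, port in INTERNET if p != "icmp"] + ACL_ORIGINAL

def gets_natted(acl, proto, src, dst, dport=None):
    return first_match(acl, proto, src, dst, dport) == "permit"

def reaches_tunnel(nat_acl, proto, src, dst, dport=None):
    # Outbound, NAT translates the source before the crypto map is consulted;
    # a translated source no longer matches VPN-TRAFFIC and leaves in the clear.
    src_after_nat = NAT_IP if gets_natted(nat_acl, proto, src, dst, dport) else src
    return first_match(CRYPTO, "ip", src_after_nat, dst) == "permit"
```

Under the revised list, TCP/UDP to the remote subnets skips NAT and matches the crypto ACL, while internet-bound flows are still translated. ICMP to the remote subnets still hits the final permit and is translated, so a ping across the tunnel would need a matching deny entry as well.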