VPN Client and Access lists

pdorian · ‎01-30-2003

I am trying to use the new IPSec Transparency VPN. I have a Cisco 3620 router using this bin file c3620-ik9o3s3-mz.122-13.T1.bin. What happens is anytime I apply an access list to the serial interface even if it says permit ip any any, the vpn will connect and authenticate but it can not ping anything on the LAN for example 10.1.0.1. If I removed the access-list from the serial interface everything works. Does anyone know if this is a bug or if I am doing something wrong?

I have included my config file with all of the public addresses taken out.

-Paul

version 12.2

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

!

hostname calprov

!

clock timezone PST -8

clock summer-time zone recurring

aaa new-model

!

aaa authentication login userauthen group radius

aaa authentication login vtymethod group radius enable

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

no ip source-route

!

ip inspect name inspect1 rtsp timeout 3600

ip inspect name inspect1 cuseeme timeout 3600

ip inspect name inspect1 http java-list 15 timeout 3600

ip inspect name inspect1 ftp timeout 3600

ip inspect name inspect1 h323 timeout 3600

ip inspect name inspect1 rcmd timeout 3600

ip inspect name inspect1 realaudio timeout 3600

ip inspect name inspect1 sqlnet timeout 3600

ip inspect name inspect1 streamworks timeout 3600

ip inspect name inspect1 tftp timeout 30

ip inspect name inspect1 vdolive timeout 3600

ip inspect name inspect1 smtp timeout 3600

ip inspect name inspect1 udp timeout 3600

ip inspect name inspect1 tcp timeout 3600

ip audit notify log

ip audit po max-events 100

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group calprov

key cisco123

dns 10.1.0.10

domain calprov.org

pool ippool

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

mta receive maximum-recipients 0

!

interface Loopback0

ip address 1.1.1.1 255.255.255.0

!

interface Ethernet0/0

ip address removed

no ip route-cache

no ip mroute-cache

half-duplex

!

interface Serial0/0

ip address removed

ip access-group 120 in

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect inspect1 out

crypto map clientmap

!

interface Ethernet0/1

ip address 10.1.0.1 255.0.0.0

ip nat inside

no ip route-cache

no ip mroute-cache

half-duplex

!

ip local pool ippool 192.168.200.100 192.168.200.200

ip nat pool calprov removed netmask 255.255.255.128

ip nat inside source list 101 pool calprov overload

ip nat inside source static 10.1.0.22 removed

ip nat inside source static 10.1.0.20 removed

ip nat inside source static 10.1.0.10 removed

ip nat inside source static 10.1.0.11 removed

ip nat inside source static 10.1.0.12 removed

ip nat inside source static 10.1.0.13 removed

ip classless

ip route 0.0.0.0 0.0.0.0 removed

no ip http server

ip pim bidir-enable

!

ip access-list extended wins-servers

!

logging 10.1.0.54

access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.200.0 0.0.0.255

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 120 permit ip any any log

access-list 123 permit ip host 10.1.0.10 192.168.200.0 0.0.0.255

access-list 123 permit ip host 10.1.0.22 192.168.200.0 0.0.0.255

access-list 123 permit ip host 10.1.0.20 192.168.200.0 0.0.0.255

dialer-list 1 protocol ip permit

!

route-map nonat permit 10

match ip address 123

set ip next-hop 1.1.1.2

!

snmp-server community public RO

snmp-server enable traps tty

radius-server host 10.1.0.10 auth-port 1645 acct-port 1646 key

radius-server authorization permit missing Service-Type

call rsvp-sync

!

mgcp profile default

!

dial-peer cor custom

!

line con 0

line aux 0

line vty 0 4

login authentication vtymethod

!

ntp clock-period 17179882

ntp server 128.138.140.44

ntp server 192.43.244.18

ntp server 131.107.1.10

ajagadee · ‎01-30-2003

Hi,

Looks like you are running into Bug ID CSCdz46552.

In Cisco IOS Release 12.2T, if you have a dynamic crypto map without

an ACL, if the user configures an access-list on the router, the

existing remote-access VPN that is connected via that dynamic

crypto map stops working.

The workaround is to add an ACL to the dynamic crypto map.

Regards,

Arul

pdorian · ‎01-30-2003

Do you know where I am suppose to add the access list? I try to add it to match address and that gives a bunch more errors.

-Paul

p.mafara · ‎02-04-2003

Hi,

i've got the same two question .

1)can you tell exactly wath bug CSCdz46552 is ?

2)cannot find any document where to add the acces list

Regards,

Patrizio

pdorian · ‎02-04-2003

Hi,

I don't know exactly what bug CSCdz46552 is and I also can not find any document where to add the access list either.

-Paul

pdorian · ‎03-13-2003

Does anybody know when the new software release is coming 12.2(14.2)T? Or know how to fix this problem? I have tried everything with no luck.

-Paul