1813 Views, 0 Helpful, 1 Reply

VPN Clients cannot access remote site

bigboss26
Level 1

Hey there,

I am pretty new to configuring Cisco devices and now I need some help.

I have 2 sites here:

site A

Cisco 891

external IP: 195.xxx.yyy.zzz

VPN Gateway for Remote users

local IP: VLAN10 10.133.10.0 /23

site B

Cisco 891

external IP: 62.xxx.yyy.zzz

local IP: VLAN10 10.133.34.0 /23

Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.

I configured a VPN connection with RADIUS auth. VPN clients can connect to Site A, get an IP address from the VPN pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL, and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for the other VPN tunnels to the ERP system.

What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.

Here is the config of site A

Building configuration...

Current configuration : 24257 bytes

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname Englerstrasse

!

boot-start-marker

boot config usbflash0:CVO-BOOT.CFG

boot-end-marker

!

!

!

aaa new-model

!

!

aaa group server radius Radius-AD

server 10.133.10.5 auth-port 1812 acct-port 1813

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

!

clock timezone Berlin 1 0

clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00

!

crypto pki trustpoint TP-self-signed-27361994

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-27361994

revocation-check none

rsakeypair TP-self-signed-27361994

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-27361994

certificate self-signed 01

  30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32373336 31393934 301E170D 31323038 32373038 30343238

  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53

  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D323733 36313939

  3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B709

  64CE1874 BF812A9F 0B761522 892373B9 10F0BB52 6263DCDB F9877AA3 7BD34E53

  BCFDA45C 2A991777 4DDC7E6B 1FCEE36C B6E35679 C4A18771 9C0F871F 38310234

  2D89A4FF 37B616D8 362B3103 A8A319F2 10A72DC7 490A04AC 7955DF68 32EF9615

  9E1A3B31 2A1AB243 B3ED3E35 F4AAD029 CDB1F941 5E794300 5C5EF8AE 5C890203

  010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304

  18301680 14D0F5E7 D3A9311D 1675AA8F 38F064FC 4D04465E F5301D06 03551D0E

  04160414 D0F5E7D3 A9311D16 75AA8F38 F064FC4D 04465EF5 300D0609 2A864886

  F70D0101 05050003 818100AB 2CD4363A E5ADBFB0 943A38CB AC820801 117B52CC

  20216093 79D1F777 2B3C0062 4301CF73 094B9CA5 805F585E 04CF3301 9B839DEB

  14A334A2 F5A5316F C65EEF21 0B0DF3B5 F4322440 F28B984B E769876D 6EF94895

  C3D5048A A4E2A180 12DF6652 176942F8 58187D7B D37B1F1A 4DDD7AE9 5189F9AF

  AF3EF676 26AD3F31 D368F5

      quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

no ip source-route

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

!

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

ip inspect log drop-pkt

ip inspect name CCP_MEDIUM appfw CCP_MEDIUM

ip inspect name CCP_MEDIUM ftp

ip inspect name CCP_MEDIUM h323

ip inspect name CCP_MEDIUM sip

ip inspect name CCP_MEDIUM https

ip inspect name CCP_MEDIUM icmp

ip inspect name CCP_MEDIUM netshow

ip inspect name CCP_MEDIUM rcmd

ip inspect name CCP_MEDIUM realaudio

ip inspect name CCP_MEDIUM rtsp

ip inspect name CCP_MEDIUM sqlnet

ip inspect name CCP_MEDIUM streamworks

ip inspect name CCP_MEDIUM tftp

ip inspect name CCP_MEDIUM udp

ip inspect name CCP_MEDIUM vdolive

ip inspect name CCP_MEDIUM imap reset

ip inspect name CCP_MEDIUM smtp

ip cef

no ipv6 cef

!

appfw policy-name CCP_MEDIUM

  application im aol

    service default action allow alarm

    service text-chat action allow alarm

    server permit name login.oscar.aol.com

    server permit name toc.oscar.aol.com

    server permit name oam-d09a.blue.aol.com

    audit-trail on

  application im msn

    service default action allow alarm

    service text-chat action allow alarm

    server permit name messenger.hotmail.com

    server permit name gateway.messenger.hotmail.com

    server permit name webmessenger.msn.com

    audit-trail on

  application http

    strict-http action allow alarm

    port-misuse im action reset alarm

    port-misuse p2p action reset alarm

    port-misuse tunneling action allow alarm

  application im yahoo

    service default action allow alarm

    service text-chat action allow alarm

    server permit name scs.msg.yahoo.com

    server permit name scsa.msg.yahoo.com

    server permit name scsb.msg.yahoo.com

    server permit name scsc.msg.yahoo.com

    server permit name scsd.msg.yahoo.com

    server permit name cs16.msg.dcn.yahoo.com

    server permit name cs19.msg.dcn.yahoo.com

    server permit name cs42.msg.dcn.yahoo.com

    server permit name cs53.msg.dcn.yahoo.com

    server permit name cs54.msg.dcn.yahoo.com

    server permit name ads1.vip.scd.yahoo.com

    server permit name radio1.launch.vip.dal.yahoo.com

    server permit name in1.msg.vip.re2.yahoo.com

    server permit name data1.my.vip.sc5.yahoo.com

    server permit name address1.pim.vip.mud.yahoo.com

    server permit name edit.messenger.yahoo.com

    server permit name messenger.yahoo.com

    server permit name http.pager.yahoo.com

    server permit name privacy.yahoo.com

    server permit name csa.yahoo.com

    server permit name csb.yahoo.com

    server permit name csc.yahoo.com

    audit-trail on

!

!

!

!

!

parameter-map type inspect global

log dropped-packets enable

multilink bundle-name authenticated

!

!

!

redundancy

!

!

!

!

!

ip tcp synwait-time 10

!

class-map match-any CCP-Transactional-1

match dscp af21

match dscp af22

match dscp af23

class-map match-any CCP-Voice-1

match dscp ef

class-map match-any sdm_p2p_kazaa

match protocol fasttrack

match protocol kazaa2

class-map match-any CCP-Routing-1

match dscp cs6

class-map match-any sdm_p2p_edonkey

match protocol edonkey

class-map match-any CCP-Signaling-1

match dscp cs3

match dscp af31

class-map match-any sdm_p2p_gnutella

match protocol gnutella

class-map match-any CCP-Management-1

match dscp cs2

class-map match-any sdm_p2p_bittorrent

match protocol bittorrent

!

policy-map sdm-qos-test-123

class class-default

policy-map sdmappfwp2p_CCP_MEDIUM

class sdm_p2p_edonkey

class sdm_p2p_gnutella

class sdm_p2p_kazaa

class sdm_p2p_bittorrent

policy-map CCP-QoS-Policy-1

class sdm_p2p_edonkey

class sdm_p2p_gnutella

class sdm_p2p_kazaa

class sdm_p2p_bittorrent

class CCP-Voice-1

  priority percent 33

class CCP-Signaling-1

  bandwidth percent 5

class CCP-Routing-1

  bandwidth percent 5

class CCP-Management-1

  bandwidth percent 5

class CCP-Transactional-1

  bandwidth percent 5

class class-default

  fair-queue

  random-detect

!

!

crypto ctcp port 10000

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key REMOVED address 62.20.xxx.yyy 

crypto isakmp key REMOVED address 195.243.xxx.yyy

crypto isakmp key REMOVED address 195.243.xxx.yyy

crypto isakmp key REMOVED address 83.140.xxx.yyy  

!

crypto isakmp client configuration group VPN_local

key REMOVED

dns 10.133.10.5 10.133.10.7

wins 10.133.10.7

domain domain.de

pool SDM_POOL_2

acl 115

!

crypto isakmp profile ciscocp-ike-profile-1

   match identity group VPN_local

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA11

set isakmp-profile ciscocp-ike-profile-1

!

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to62.20.xxx.xxx

set peer 62.20.xxx.xxx

set transform-set ESP-3DES-SHA

match address 105

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to195.243.xxx.xxx

set peer 195.243.xxx.xxx

set transform-set ESP-3DES-SHA4

match address 107

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Tunnel to83.140.xxx.xxx

set peer 83.140.xxx.xxx

set transform-set ESP-DES-SHA1

match address 118

!

!

!

!

!

interface Loopback2

ip address 192.168.10.1 255.255.254.0

!

interface Null0

no ip unreachables

!

interface FastEthernet0

switchport mode trunk

no ip address

spanning-tree portfast

!

interface FastEthernet1

no ip address

spanning-tree portfast

!

interface FastEthernet2

no ip address

spanning-tree portfast

!

interface FastEthernet3

no ip address

spanning-tree portfast

!

interface FastEthernet4

description Internal LAN

switchport access vlan 10

switchport trunk native vlan 10

no ip address

spanning-tree portfast

!

interface FastEthernet5

no ip address

spanning-tree portfast

!

interface FastEthernet6

no ip address

spanning-tree portfast

!

interface FastEthernet7

no ip address

spanning-tree portfast

!

interface FastEthernet8

description $FW_OUTSIDE$$ETH-WAN$

ip address 62.153.xxx.xxx 255.255.255.248

ip access-group 113 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect CCP_MEDIUM out

no ip virtual-reassembly in

ip verify unicast reverse-path

duplex auto

speed auto

crypto map SDM_CMAP_1

service-policy input sdmappfwp2p_CCP_MEDIUM

service-policy output CCP-QoS-Policy-1

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet8

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface GigabitEthernet0

no ip address

shutdown

duplex auto

speed auto

!

interface Vlan1

no ip address

!

interface Vlan10

description $FW_INSIDE$

ip address 10.133.10.1 255.255.254.0

ip access-group 112 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200

ip local pool VPN_Pool 192.168.20.2 192.168.20.100

ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip forward-protocol nd

!

!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload

ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx

!

ip access-list extended VPN1

remark VPN_Haberstrasse

remark CCP_ACL Category=4

permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255

!

ip radius source-interface Vlan10

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.7

access-list 23 remark CCP_ACL Category=17

access-list 23 permit 195.243.xxx.xxx

access-list 23 permit 10.133.10.0 0.0.1.255

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 10.133.10.0 0.0.1.255 any

access-list 101 remark CCP_ACL Category=16

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny   ip 10.10.10.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip any any

access-list 102 remark auto generated by CCP firewall configuration

access-list 102 remark CCP_ACL Category=1

access-list 102 deny   ip 10.10.10.0 0.0.0.7 any

access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply

access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded

access-list 102 permit icmp any host 62.153.xxx.xxx unreachable

access-list 102 deny   ip 10.0.0.0 0.255.255.255 any

access-list 102 deny   ip 172.16.0.0 0.15.255.255 any

access-list 102 deny   ip 192.168.0.0 0.0.255.255 any

access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 deny   ip host 255.255.255.255 any

access-list 102 deny   ip host 0.0.0.0 any

access-list 102 deny   ip any any log

access-list 103 remark auto generated by CCP firewall configuration

access-list 103 remark CCP_ACL Category=1

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255

access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp

access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp

access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx

access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255

access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp

access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp

access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx

access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx

access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp

access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp

access-list 103 permit esp any host 62.153.xxx.xxx

access-list 103 permit ahp any host 62.153.xxx.xxx

access-list 103 permit udp host 194.25.0.60 eq domain any

access-list 103 permit udp host 194.25.0.68 eq domain any

access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx

access-list 103 deny   ip 10.10.10.0 0.0.0.7 any

access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply

access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded

access-list 103 permit icmp any host 62.153.xxx.xxx unreachable

access-list 103 deny   ip 10.0.0.0 0.255.255.255 any

access-list 103 deny   ip 172.16.0.0 0.15.255.255 any

access-list 103 deny   ip 192.168.0.0 0.0.255.255 any

access-list 103 deny   ip 127.0.0.0 0.255.255.255 any

access-list 103 deny   ip host 255.255.255.255 any

access-list 103 deny   ip host 0.0.0.0 any

access-list 103 deny   ip any any log

access-list 104 remark CCP_ACL Category=4

access-list 104 permit ip 10.133.10.0 0.0.1.255 any

access-list 105 remark CCP_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255

access-list 106 remark CCP_ACL Category=2

access-list 106 remark IPSec Rule

access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255

access-list 106 remark IPSec Rule

access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255

access-list 106 permit ip 10.10.10.0 0.0.0.7 any

access-list 106 permit ip 10.133.10.0 0.0.1.255 any

access-list 107 remark CCP_ACL Category=4

access-list 107 remark IPSec Rule

access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255

access-list 107 remark IPSec Rule

access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255

access-list 108 remark Auto generated by SDM Management Access feature

access-list 108 remark CCP_ACL Category=1

access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet

access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22

access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www

access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443

access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd

access-list 108 deny   tcp any host 10.133.10.1 eq telnet

access-list 108 deny   tcp any host 10.133.10.1 eq 22

access-list 108 deny   tcp any host 10.133.10.1 eq www

access-list 108 deny   tcp any host 10.133.10.1 eq 443

access-list 108 deny   tcp any host 10.133.10.1 eq cmd

access-list 108 deny   udp any host 10.133.10.1 eq snmp

access-list 108 permit ip any any

access-list 109 remark CCP_ACL Category=1

access-list 109 permit ip 10.133.10.0 0.0.1.255 any

access-list 109 permit ip 10.10.10.0 0.0.0.7 any

access-list 109 permit ip 192.168.10.0 0.0.1.255 any

access-list 110 remark CCP_ACL Category=1

access-list 110 permit ip host 195.243.xxx.xxx any

access-list 110 permit ip host 84.44.xxx.xxx any

access-list 110 permit ip 10.133.10.0 0.0.1.255 any

access-list 110 permit ip 10.10.10.0 0.0.0.7 any

access-list 110 permit ip 192.168.10.0 0.0.1.255 any

access-list 111 remark CCP_ACL Category=4

access-list 111 permit ip 10.133.10.0 0.0.1.255 any

access-list 112 remark CCP_ACL Category=1

access-list 112 permit udp host 10.133.10.5 eq 1812 any

access-list 112 permit udp host 10.133.10.5 eq 1813 any

access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp

access-list 112 permit udp any host 10.133.10.1 eq isakmp

access-list 112 permit esp any host 10.133.10.1

access-list 112 permit ahp any host 10.133.10.1

access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1

access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1

access-list 112 remark auto generated by CCP firewall configuration

access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1

access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1

access-list 112 permit udp host 10.133.10.7 eq domain any

access-list 112 permit udp host 10.133.10.5 eq domain any

access-list 112 deny   ip 62.153.xxx.xxx 0.0.0.7 any

access-list 112 deny   ip 10.10.10.0 0.0.0.7 any

access-list 112 deny   ip host 255.255.255.255 any

access-list 112 deny   ip 127.0.0.0 0.255.255.255 any

access-list 112 permit ip any any

access-list 113 remark CCP_ACL Category=1

access-list 113 remark IPSec Rule

access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255

access-list 113 remark IPSec Rule

access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255

access-list 113 remark IPSec Rule

access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255

access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp

access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp

access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx

access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx

access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx

access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx

access-list 113 remark auto generated by CCP firewall configuration

access-list 113 permit udp host 194.25.0.60 eq domain any

access-list 113 permit udp host 194.25.0.68 eq domain any

access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx

access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx

access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp

access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp

access-list 113 permit esp any host 62.153.xxx.xxx

access-list 113 permit ahp any host 62.153.xxx.xxx

access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx

access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx

access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp

access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp

access-list 113 remark IPSec Rule

access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255

access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx

access-list 113 remark IPSec Rule

access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255

access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx

access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp

access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp

access-list 113 remark IPSec Rule

access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255

access-list 113 remark Pop3

access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx

access-list 113 remark Pop3

access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx

access-list 113 remark SMTP

access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx

access-list 113 remark IMAP

access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx

access-list 113 deny   ip 10.133.10.0 0.0.1.255 any

access-list 113 deny   ip 10.10.10.0 0.0.0.7 any

access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply

access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded

access-list 113 permit icmp any host 62.153.xxx.xxx unreachable

access-list 113 deny   ip 10.0.0.0 0.255.255.255 any

access-list 113 deny   ip 172.16.0.0 0.15.255.255 any

access-list 113 deny   ip 192.168.0.0 0.0.255.255 any

access-list 113 deny   ip 127.0.0.0 0.255.255.255 any

access-list 113 deny   ip host 255.255.255.255 any

access-list 113 deny   ip host 0.0.0.0 any

access-list 113 deny   ip any any log

access-list 114 remark auto generated by CCP firewall configuration

access-list 114 remark CCP_ACL Category=1

access-list 114 deny   ip 10.133.10.0 0.0.1.255 any

access-list 114 deny   ip 10.10.10.0 0.0.0.7 any

access-list 114 permit icmp any any echo-reply

access-list 114 permit icmp any any time-exceeded

access-list 114 permit icmp any any unreachable

access-list 114 deny   ip 10.0.0.0 0.255.255.255 any

access-list 114 deny   ip 172.16.0.0 0.15.255.255 any

access-list 114 deny   ip 192.168.0.0 0.0.255.255 any

access-list 114 deny   ip 127.0.0.0 0.255.255.255 any

access-list 114 deny   ip host 255.255.255.255 any

access-list 114 deny   ip host 0.0.0.0 any

access-list 114 deny   ip any any log

access-list 115 remark VPN_Sub

access-list 115 remark CCP_ACL Category=5

access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255

access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255

access-list 115 permit ip 10.133.20.0 0.0.0.255 any

access-list 116 remark CCP_ACL Category=4

access-list 116 remark IPSec Rule

access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255

access-list 117 remark CCP_ACL Category=4

access-list 117 remark IPSec Rule

access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255

access-list 118 remark CCP_ACL Category=4

access-list 118 remark IPSec Rule

access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255

access-list 118 remark IPSec Rule

access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 106

!

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

!

line con 0

transport output telnet

line 1

modem InOut

speed 115200

flowcontrol hardware

line aux 0

transport output telnet

line vty 0 4

session-timeout 45

access-class 110 in

transport input telnet ssh

line vty 5 15

access-class 109 in

transport input telnet ssh

!

scheduler interval 500

!

end

1 Reply

Jennifer Halim
Cisco Employee

The crypto ACL for the site to site vpn should also include the vpn client pool, otherwise, traffic from the vpn client does not match the interesting traffic for the site to site vpn.

On Site A:

should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"

You should also remove the following line as the pool is incorrect:

access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255

On Site B:

should include: "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"

NAT exemption on site B should also be configured with deny on the above ACL.
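Worked out against the site A configuration posted above, as an added example (this is not part of the original thread and not the poster's or Cisco's configuration): the crypto ACL change on site A, the entry the return traffic needs on the WAN inbound ACL, and the mirror-image changes on site B. The site B configuration is not posted, so its ACL numbers (107, 106, 113) are assumptions chosen to follow the same CCP numbering site A uses; adjust them to the real names on that router.

```cisco
! ===== Site A (Englerstrasse) =====
! 1. Make the remote-access pool interesting traffic for the site-to-site
!    tunnel to site B. Crypto map entry "SDM_CMAP_1 2" matches ACL 107; the
!    pool SDM_POOL_2 is 172.16.100.2-100, so 172.16.100.0/24 covers it.
!    Edit numbered ACLs in named-ACL mode: a plain
!    "no access-list 107 permit ..." deletes the whole list, not one entry.
ip access-list extended 107
 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255
 no permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
!
! 2. Packets decrypted for a crypto-map peer are checked against the inbound
!    ACL of FastEthernet8 (ACL 113); that is what the existing "IPSec Rule"
!    entries in 113 are for. Return traffic from site B to the clients is
!    10.133.34.0/23 -> 172.16.100.0/24 and would otherwise hit
!    "deny ip 10.0.0.0 0.255.255.255 any". Sequence 1 puts it at the top.
ip access-list extended 113
 1 permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255
!
! 3. NAT on site A: client packets are decrypted on the Virtual-Access
!    interface, which has no "ip nat inside", and route-map ACL 106 has no
!    permit covering 172.16.100.0/24, so site A does not translate this
!    traffic. Nothing to change here.
!
! 4. Same pattern for the ERP tunnel whose crypto ACL is 105 (10.133.20.0/24),
!    if clients must reach it as well; that peer needs the mirror entry too.
ip access-list extended 105
 permit ip 172.16.100.0 0.0.0.255 10.133.20.0 0.0.0.255
!
! ===== Site B (config not posted; ACL numbers are assumed) =====
! Crypto ACL for the tunnel to site A (assumed: 107): mirror image of site A.
ip access-list extended 107
 permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255
! NAT exemption: the deny must precede the "permit ip 10.133.34.0 ... any"
! entry in the ACL the NAT route-map matches (assumed: 106).
ip access-list extended 106
 1 deny ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255
! WAN inbound ACL on site B (assumed: 113): admit decrypted client traffic.
ip access-list extended 113
 1 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255
!
! ===== Verification on site A, with a client connected and pinging 10.133.34.x =====
! A new IPsec SA pair must appear with identity 172.16.100.0/24 <-> 10.133.34.0/23,
! and both "#pkts encaps" and "#pkts decaps" must increase:
!   show crypto ipsec sa | include ident|pkts
!   show crypto session detail
! Hit counters on the ACL show whether the new entry is matched at all:
!   show access-lists 107
! encaps grows, decaps stays 0  -> site B crypto ACL or NAT exemption still missing
! neither grows                 -> the client flow is not matching ACL 107
```

The "secured routes" the client reports come from split-tunnel ACL 115 (10.133.34.0/23 -> 172.16.0.0/16); they only tell the client which destinations to send into its own tunnel. Once site A has decrypted a client packet it is an ordinary routed packet leaving FastEthernet8, and it is encrypted toward site B only if it matches a crypto map ACL there. Without the 172.16.100.0/24 entry in ACL 107 it is sent in the clear toward the default route and never answered.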