12-11-2006 09:27 AM - edited 02-21-2020 02:45 PM
Hi,
I have an issue, which I'm having trouble solving:
We have an internet facing webserver, which needs to be accessible to the world. Also hosted on this server (under a different domain name) is another website which carries sensitive data from an upstream provider; we have setup a VPN to tunnel this traffic safely over the internet (https isn't an option, unfortunately). The VPN terminates on the same subnet as the web server.
The tunnel comes up OK, and I can see traffic emerging on it: I have set up netflow on the VPN router, and can see packets destined for the webserver, coming from the encapsulated hosts. However, the packets never make it beyond the VPN endpoint - they just disappear.
I can telnet into the webserver on port 80 directly from the VPN box fine, so connectivity is there. It just doesn't route tunnelled data out.
The guts of it is this:
10.0.0.0/27 (origin servers) --> 10.0.1.1/32 (remote VPN endpoint) <-- INTERNET --> 10.10.1.2/29 (local VPN endpoint)--> 10.10.1.3/29 (destination host)
Does anyone have any ideas as to why my system isn't routing correctly? I have tried a number of things, but haven't had any luck as yet.
Below is a fairly typical version of my config (it's constantly changing while I try to fix the issue, but is always very similar to the below).
I started from scratch, so if there's a line that doesn't make sense, odds are I added it trying to solve this issue (i.e., it isn't the cause!)
I've modified the IPs (10.0 is remote, 10.10 is local) so if I've got inconsistencies or the wrong IP/netmask logic anywhere - that's the only reason.
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname <host>
!
boot-start-marker
boot system flash c2600-ik9s-mz.123-20.bin
boot system flash c2600-ipbase-mz.123-11.T3.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 <hash>
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name <domain>
!
ip accounting-list 0.0.0.0 255.255.255.255
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
!
!
username <secret>
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <PSK> address 10.0.1.1
crypto isakmp nat keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 4000
!
crypto ipsec transform-set xform_esp-3des-sha esp-3des esp-sha-hmac
!
crypto map tunnel local-address FastEthernet0/0
crypto map tunnel 10 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set xform_esp-3des-sha
 match address 100
!
!
interface FastEthernet0/0
 description EXT
 ip address 10.10.1.2 255.255.255.224
 ip broadcast-address 10.10.1.7
 ip access-group 10 in
 ip access-group 20 out
 ip flow ingress
 ip route-cache flow
 duplex auto
 speed 100
 crypto map tmobile
!
no ip http server
no ip http secure-server
ip flow-export destination <host> <port>
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!
!
access-list 10 permit 10.0.0.1
access-list 10 permit 10.10.1.0 0.0.0.31
access-list 20 permit any
access-list 100 permit ip host 10.0.0.20 host 10.10.1.3
access-list 100 permit ip host 10.0.0.21 host 10.10.1.3
access-list 100 permit ip host 10.0.0.27 host 10.10.1.3
access-list 100 permit ip host 10.0.0.28 host 10.10.1.3
access-list 100 permit ip host 10.10.1.3 host 10.0.0.20
access-list 100 permit ip host 10.10.1.3 host 10.0.0.21
access-list 100 permit ip host 10.10.1.3 host 10.0.0.27
access-list 100 permit ip host 10.10.1.3 host 10.0.0.28
!
!
line con 0
line aux 0
line vty 0 4
 password 7 <hex>
 transport input telnet ssh
!
ntp clock-period 17207934
ntp server 158.43.128.66
!
end
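The fragment below is an added example, not the poster's config and not from Cisco. It shows the three places in the configuration above that a practitioner would check first, rewritten as they would need to look for the tunnelled traffic to reach 10.10.1.3: the crypto map name bound to the interface, the inbound interface ACL, and the interface mask. It assumes the /29 addressing shown in the diagram is the correct one, that the IPsec peer really is 10.0.1.1 as in the config (the poster notes the addresses were altered, so the real peer may be the 10.0.0.1 entry in ACL 10), and that the remote origin hosts are the four listed in access-list 100; ACL number 110 is my choice, not something on the page.

```cisco
! Added example: corrected fragment, not the original poster's configuration.
!
! 1. Crypto map name. The map is defined as "tunnel" but the interface applies
!    "tmobile". A crypto map name that matches no definition binds no IPsec
!    policy to the interface, so nothing matching ACL 100 is encrypted on the
!    way out and return traffic has no SA to use. Bind the defined map.
crypto map tunnel local-address FastEthernet0/0
crypto map tunnel 10 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set xform_esp-3des-sha
 match address 100
!
! 2. Inbound ACL. Standard ACL 10 permits only host 10.0.0.1 and 10.10.1.0/27.
!    As written it covers neither the ISAKMP/ESP packets from peer 10.0.1.1
!    nor the inner packets from 10.0.0.20/.21/.27/.28 that appear after
!    decryption. On the 12.3 mainline images named in the boot statements the
!    interface ACL is checked against the decrypted packet as well as the
!    ESP packet, so the inner hosts must be permitted explicitly. An extended
!    ACL is needed to distinguish ISAKMP and ESP from ordinary IP.
access-list 110 remark --- control plane and ESP from the IPsec peer ---
access-list 110 permit udp host 10.0.1.1 host 10.10.1.2 eq isakmp
access-list 110 permit udp host 10.0.1.1 host 10.10.1.2 eq non500-isakmp
access-list 110 permit esp host 10.0.1.1 host 10.10.1.2
access-list 110 remark --- decrypted inner traffic (mirrors crypto ACL 100) ---
access-list 110 permit ip host 10.0.0.20 host 10.10.1.3
access-list 110 permit ip host 10.0.0.21 host 10.10.1.3
access-list 110 permit ip host 10.0.0.27 host 10.10.1.3
access-list 110 permit ip host 10.0.0.28 host 10.10.1.3
access-list 110 remark --- local subnet, as the original ACL 10 allowed ---
access-list 110 permit ip 10.10.1.0 0.0.0.7 any
!
! 3. Interface mask. The diagram and the broadcast address 10.10.1.7 describe
!    a /29, but the interface is configured /27; the two must agree with what
!    the upstream gateway 10.10.1.1 and the web server 10.10.1.3 use.
interface FastEthernet0/0
 description EXT
 ip address 10.10.1.2 255.255.255.248
 ip access-group 110 in
 ip access-group 20 out
 ip flow ingress
 crypto map tunnel
!
```

After applying the change, `show crypto map` should list FastEthernet0/0 under the map named `tunnel`; `show crypto ipsec sa` should show both `#pkts decaps` and `#pkts encaps` rising while a web request is made from one of the 10.0.0.x hosts (decaps only, with no encaps, points at the return path); and `show access-lists 110` should show hit counts on the inner-host lines rather than only on the ESP line.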
12-15-2006 01:22 AM
Does anybody have any ideas about this?
I'm completely stumped - according to all the Cisco documentation I can find, this setup should be working. I just can't figure out why it isn't!
I have established connectivity at all other points in the chain - the only thing stopping this from working is getting the packets off the cisco!
Please help!