Velocity Reviews - Computer Hardware Reviews

Issue with Cisco router CBAC + VPN + IOS 12.3

Frank
12-06-2003
Hi,

I have a Cisco router with the IOS FW 3DES Feature Set that I had
set up months ago with multiple tunnels to remote sites. It also had
an inbound access-list on the external interface, along with an
outbound CBAC ruleset.

I had everything working fine on IOS 12.2, you could reach the remote
networks from the local one via the VPN tunnels, and vice versa.
Additionally, I had CBAC watching the Internet access originating from
my local network as well, which allowed access out without having to
write a complex inbound acl.

After upgrading to IOS 12.3, now the remote networks cannot access my
local network for services via VPN. ICMP pings work, but tcp and udp
services can't be reached. The local network can still reach the
services at the remote sites via the VPN, and I have Internet still
working here locally as well. After investigating the setup, it seems
that CBAC is blocking the access inbound from the VPN tunnels. If I
take CBAC out of the interface setup, the tunnels pass traffic
bidirectionally with no problem, but I lose Internet access from my
local network. It seems the only way to make it work correctly is to
have CBAC enabled running both in inbound and outbound directions on
the interface at the same time.

What has changed in 12.3 that seems to now cause CBAC to inspect IPSEC
traffic?

Any help is appreciated.
Frank

Rik Bain
12-07-2003
On Sat, 06 Dec 2003 17:15:33 -0600, Frank wrote:

> Hi,
>
> I have a Cisco router with the IOS FW 3DES Feature Set that I had set up
> months ago with multiple tunnels to remote sites. It also had an
> inbound access-list on the external interface, along with an outbound
> CBAC ruleset.
>
> I had everything working fine on IOS 12.2, you could reach the remote
> networks from the local one via the VPN tunnels, and vice versa.
> Additionally, I had CBAC watching the Internet access originating from
> my local network as well, which allowed access out without having to
> write a complex inbound acl.
>
> After upgrading to IOS 12.3, now the remote networks cannot access my
> local network for services via VPN. ICMP pings work, but tcp and udp
> services can't be reached. The local network can still reach the
> services at the remote sites via the VPN, and I have Internet still
> working here locally as well. After investigating the setup, it seems
> that CBAC is blocking the access inbound from the VPN tunnels. If I
> take CBAC out of the interface setup, the tunnels pass traffic
> bidirectionally with no problem, but I lose Internet access from my
> local network. It seems the only way to make it work correctly is to
> have CBAC enabled running both in inbound and outbound directions on the
> interface at the same time.
>
> What has changed in 12.3 that seems to now cause CBAC to inspect IPSEC
> traffic?
>
> Any help is appreciated.
> Frank



It's hard to tell without seeing your config, topology and a specific
example of the failure. CBAC does not care if the traffic is IPSEC or
not.

My first guess is that you are running into the "check twice" nature of
IPSEC and ACLs and previously you were running one of the few versions
of IOS that did not do it. Revert to your previous version and toggle
switching methods and see if it doesn't happen with it as well.
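As an added illustration of the "check twice" behaviour Rik describes (this is not configuration posted by anyone in the thread, and the interface name, ACL name, addresses and subnets are placeholders), here is the shape of an outside-interface setup of the kind being discussed. The inbound ACL has to admit the tunnel's own IKE and ESP packets, and on IOS trains that re-evaluate the decrypted packet against the same inbound ACL it also has to admit the cleartext remote-LAN-to-local-LAN traffic; CBAC is applied outbound so that only locally initiated Internet sessions get return holes opened.

```cisco
! Assumed topology (placeholders, not from the thread):
!   local LAN  10.1.0.0/16 behind this router, outside address 192.0.2.1
!   remote LAN 10.2.0.0/16 behind peer 203.0.113.2
!
! CBAC inspection rule for locally initiated Internet sessions
ip inspect name FW tcp
ip inspect name FW udp
!
ip access-list extended OUTSIDE-IN
 remark -- IPsec control and data plane from the VPN peer
 permit udp host 203.0.113.2 host 192.0.2.1 eq isakmp
 permit esp host 203.0.113.2 host 192.0.2.1
 remark -- decrypted tunnel traffic: on "check twice" IOS trains the
 remark -- cleartext packet is evaluated against this ACL again, so
 remark -- without this entry only what CBAC has opened gets through
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 remark -- everything else is either a CBAC-opened return flow or dropped
 deny ip any any log
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set 3DES-SHA
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map VPN
```

To check which behaviour a given IOS image has, `show access-lists OUTSIDE-IN` after a failed remote-to-local TCP connection shows whether the hit counters move on the `permit ip 10.2.0.0 ...` entry or on the final `deny`; `show ip inspect sessions` shows what CBAC has opened, and `show crypto ipsec sa` confirms the packets are at least being decrypted. Whether the cleartext `permit` is needed at all is exactly what differs between IOS versions and switching paths, which is why Rik suggests comparing the old and new images with the switching method toggled.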

Tosh
12-07-2003
> My first guess is that you are running into the "check twice" nature of
> IPSEC and acl's and previously you were running one of the few versions
> of IOS that did not do it.


I bet my last euro on it.
Bye,
Tosh.