Velocity Reviews - Computer Hardware Reviews

Lan-to-LAN tunnel (IOS - VPN 3000) ICMP problem

 
 
stretch
01-21-2004
Hi

I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL
router. The tunnel works fine for tcp/udp applications but I cannot ping
between the remote site and the central office (initiating from either end).
The icmp echo packet is denied by the access list on the public interface of
the 837. I don't know why this is as it comes through the encrypted tunnel.
Ping works fine IF I remove the "ip nat outside" statement from the
interface dialer0 (as below)??

Any pointers?

Config as follows:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cj-192.168.150.1
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable secret 5 xxx
!
username xxxx password 7 xxxx
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no aaa new-model
ip subnet-zero
no ip source-route
no ip icmp rate-limit unreachable
ip tcp path-mtu-discovery
no ip domain lookup
ip domain name xxx
ip host helsinki xxx
ip host vpn3005 xxx
ip host publicip xxx
!
!
no ip bootp server
ip inspect name fwout cuseeme
ip inspect name fwout ftp
ip inspect name fwout http
ip inspect name fwout skinny
ip inspect name fwout tcp
ip inspect name fwout udp
ip inspect name fwout vdolive
ip inspect name fwout fragment maximum 256 timeout 1
ip inspect name fwout h323
ip inspect name fwout netshow
ip inspect name fwout icmp
ip inspect name fwout realaudio
ip inspect name fwout smtp
ip inspect name fwout sqlnet
ip inspect name fwout streamworks
ip inspect name fwout rcmd
ip inspect name fwout rtsp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address xxxx
!
!
crypto ipsec transform-set office-set esp-3des esp-sha-hmac
!
crypto map office-map 10 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 10000
set security-association lifetime seconds 28800
set transform-set office-set
set pfs group2
match address TO-OFFICE
!
!
!
!
interface Ethernet0
ip address 192.168.150.1 255.255.255.252
ip access-group OUTBOUND in
no ip redirects
no ip proxy-arp
ip nat inside
ip inspect fwout in
no ip route-cache
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 256
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip address negotiated
ip access-group INBOUND in
no ip redirects
no ip proxy-arp
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer string 37
ppp chap hostname xxxxxxxx
ppp chap password 7 xxxxxxx
crypto map office-map
!
ip nat inside source list NONAT interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip access-list extended INBOUND
permit esp host xxxx host xxxx
permit udp host xxxx eq isakmp host xxxx eq isakmp
permit tcp host xxxx host xxxx eq 22 log
permit tcp host xxxx host xxxx eq telnet log
permit icmp any host xxxx echo-reply
permit icmp any host xxxx unreachable
permit icmp any host xxxx ttl-exceeded
permit icmp any host xxxx source-quench
permit udp host xxxx eq ntp host xxxx eq ntp
permit udp host xxxx eq ntp host xxxx eq ntp
deny ip any any log
ip access-list extended NONAT
deny ip 192.168.150.0 0.0.1.255 10.0.0.0 0.0.0.255
permit ip 192.168.150.0 0.0.1.255 any
deny ip any any
ip access-list extended OUTBOUND
permit ip 192.168.150.0 0.0.1.255 any
deny ip any any
ip access-list extended TO-OFFICE
permit ip 192.168.150.0 0.0.0.3 10.0.0.0 0.0.0.255
access-list 1 permit xxxx
access-list 2 permit 137.33.0.0 0.0.255.255
no cdp run
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
access-class 1 in
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
sntp server xxxx
sntp server xxxx
!
end

Thanks in advance.


 
stretch
01-21-2004

"stretch" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi
>
> I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL
> router. The tunnel works fine for tcp/udp applications but I cannot ping
> between the remote site and the central office (initiating from either end).
> The icmp echo packet is denied by the access list on the public interface of
> the 837. I don't know why this is as it comes through the encrypted tunnel.
> Ping works fine IF I remove the "ip nat outside" statement from the
> interface dialer0 (as below)??
>
> Any pointers?
>
> Config as follows:
>
> ..snip...
>

I have done some more testing and having removed NAT completely I still get
the same problem. Packets are decrypted but are denied by the INBOUND acl.
I have since added statements for the LAN to LAN private traffic to the
INBOUND acl and it works ok now.

ip access-list extended INBOUND
permit ip <head office network> <remote network>

Is this correct? Why isn't traffic that comes through the tunnel allowed to
bypass the acl?


 
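As an added illustration (not code from the thread), a small Python model of the first-match ACL evaluation the post above describes: the INBOUND list is applied to the ESP packet from the peer and then again to the decrypted inner packet, so an inner ICMP echo addressed to the 192.168.150.0/30 LAN is denied until an entry for the head office network is added ahead of the final deny. The public addresses are constructed stand-ins for the post's xxxx placeholders, and the parser covers only the address and ICMP-type syntax the thread's list uses.

```python
import ipaddress

# Constructed stand-ins for the post's "xxxx" placeholders (837 Dialer0 and VPN 3005 peer).
PUBLIC_837, PUBLIC_3005 = "203.0.113.2", "198.51.100.1"

def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'NET WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used in the thread's INBOUND list."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        rest = rest[2:] if rest[:1] == ["eq"] else rest   # drop a source port qualifier
        dst, rest = parse_addr(rest)
        rest = rest[2:] if rest[:1] == ["eq"] else rest   # drop a destination port qualifier
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
        rules.append((action, proto, src, dst, icmp_type))
    return rules

def evaluate(rules, proto, src, dst, icmp_type=None):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, t in rules:
        if p in ("ip", proto) and s in snet and d in dnet and t in (None, icmp_type):
            return action == "permit"
    return False

def tunnel_packet_allowed(rules, proto, inner_src, inner_dst, icmp_type=None):
    """Thread's behaviour: the ACL sees the ESP packet from the peer, then the decrypted inner packet."""
    esp_ok = evaluate(rules, "esp", PUBLIC_3005, PUBLIC_837)
    return esp_ok and evaluate(rules, proto, inner_src, inner_dst, icmp_type)

INBOUND = f"""
permit esp host {PUBLIC_3005} host {PUBLIC_837}
permit udp host {PUBLIC_3005} eq isakmp host {PUBLIC_837} eq isakmp
permit icmp any host {PUBLIC_837} echo-reply
deny ip any any log
"""
# The entry the second post added, head office /24 -> remote /30, placed ahead of the final deny.
FIXED = INBOUND.replace("deny ip any any log",
                        "permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.3\ndeny ip any any log")
```

The existing echo-reply entry only covers replies addressed to the router's public address, which is why it never matches a decrypted packet whose destination is the inner LAN.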
stretch
01-21-2004

"stretch" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "stretch" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi
> >
> > I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL
> > router. The tunnel works fine for tcp/udp applications but I cannot ping
> > between the remote site and the central office (initiating from either end).
> > The icmp echo packet is denied by the access list on the public interface of
> > the 837. I don't know why this is as it comes through the encrypted tunnel.
> > Ping works fine IF I remove the "ip nat outside" statement from the
> > interface dialer0 (as below)??
> >
> > Any pointers?
> >
> > Config as follows:
> >
> > ..snip...
> >
>
> I have done some more testing and having removed NAT completely I still get
> the same problem. Packets are decrypted but are denied by the INBOUND acl.
> I have since added statements for the LAN to LAN private traffic to the
> INBOUND acl and it works ok now.
>
> access-list INBOUND permit ip <head office network> <remote network>
>
> Is this correct? Why isn't traffic that comes through the tunnel allowed to
> bypass the acl?
>
>
This is correct, it's listed as a Cisco bug.

woot


 