Issue with Cisco router CBAC + VPN + IOS 12.3

Discussion in 'Cisco' started by Frank, Dec 6, 2003.

  1. Frank

    Frank Guest

    Hi,

    I have a Cisco router with the IOS FW 3DES Feature Set that I had
    setup months ago with multiple tunnels to remote sites. It also had
    an inbound access-list on the external interface, along with an
    outbound CBAC ruleset.

    I had everything working fine on IOS 12.2, you could reach the remote
    networks from the local one via the VPN tunnels, and vice versa.
    Additionally, I had CBAC watching the Internet access originating from
    my local network as well, which allowed access out without having to
    write a complex inbound acl.

    After upgrading to IOS 12.3, now the remote networks cannot access my
    local network for services via VPN. ICMP pings work, but tcp and udp
    services can't be reached. The local network can still reach the
    services at the remote sites via the VPN, and I have Internet still
    working here locally as well. After investigating the setup, it seems
    that CBAC is blocking the access inbound from the VPN tunnels. If I
    take CBAC out of the interface setup, the tunnels pass traffic
    bidirectionally with no problem, but I lose Internet access from my
    local network. It seems the only way to make it work correctly is to
    have CBAC enabled running both in inbound and outbound directions on
    the interface at the same time.

    What has changed in 12.3 that seems to now cause CBAC to inspect IPSEC
    traffic?

    Any help is appreciated.
    Frank
    Frank, Dec 6, 2003
    #1

  2. Rik Bain

    Rik Bain Guest

    On Sat, 06 Dec 2003 17:15:33 -0600, Frank wrote:

    > Hi,
    >
    > I have a Cisco router with the IOS FW 3DES Feature Set that I had setup
    > months ago with multiple tunnels to remote sites. It also had an
    > inbound access-list on the external interface, along with an outbound
    > CBAC ruleset.
    >
    > I had everything working fine on IOS 12.2, you could reach the remote
    > networks from the local one via the VPN tunnels, and vice versa.
    > Additionally, I had CBAC watching the Internet access originating from
    > my local network as well, which allowed access out without having to
    > write a complex inbound acl.
    >
    > After upgrading to IOS 12.3, now the remote networks cannot access my
    > local network for services via VPN. ICMP pings work, but tcp and udp
    > services can't be reached. The local network can still reach the
    > services at the remote sites via the VPN, and I have Internet still
    > working here locally as well. After investigating the setup, it seems
    > that CBAC is blocking the access inbound from the VPN tunnels. If I
    > take CBAC out of the interface setup, the tunnels pass traffic
    > bidirectionally with no problem, but I lose Internet access from my
    > local network. It seems the only way to make it work correctly is to
    > have CBAC enabled running both in inbound and outbound directions on the
    > interface at the same time.
    >
    > What has changed in 12.3 that seems to now cause CBAC to inspect IPSEC
    > traffic?
    >
    > Any help is appreciated.
    > Frank
    It's hard to tell without seeing your config, topology and a specific
    example of the failure. CBAC does not care if the traffic is IPSEC or
    not.

    My first guess is that you are running into the "check twice" nature of
    IPSEC and ACLs and previously you were running one of the few versions
    of IOS that did not do it. Revert to your previous version and toggle
    switching methods and see if it doesn't happen with it as well.
    Rik Bain, Dec 7, 2003
    #2
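To make the "check twice" behaviour Rik describes concrete, here is an added configuration sketch; it is not Frank's configuration and not from anyone in this thread, and interface names, addresses, subnets and the crypto map name are assumed placeholders. Because Frank's real config is not shown, it only illustrates Rik's hypothesis rather than confirming it. The inbound ACL on the outside interface is written to survive both passes: the first against the encrypted packet from the peer, and the second against the same packet after decryption, when it carries the remote LAN's private addresses. CBAC inspection stays outbound only, so locally initiated Internet sessions get their return openings without an inbound ACL entry.

```cisco
! Added example, not the original poster's configuration.
! Assumed placeholders: FastEthernet0/0 = outside interface,
! 203.0.113.1 = remote VPN peer, 192.168.10.0/24 = local LAN,
! 192.168.20.0/24 = remote LAN behind the peer, VPN-MAP = crypto map name.

! CBAC inspection rule, applied outbound below: return traffic for
! sessions started from the local LAN is opened dynamically.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp

ip access-list extended OUTSIDE-IN
 ! Pass 1: the encrypted packet as it arrives from the Internet.
 permit udp host 203.0.113.1 any eq isakmp
 permit esp host 203.0.113.1 any
 ! Pass 2: after decryption the clear-text packet is checked against this
 ! same ACL again. Without the next line, TCP/UDP sessions initiated from
 ! the remote site are dropped here even though the tunnel is up.
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! Explicit deny with logging so drops show up in the log rather than
 ! vanishing into the implicit deny.
 deny ip any any log

interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
 crypto map VPN-MAP
```

To check whether the second pass is what is dropping the traffic, start a TCP session from the remote LAN and compare `show crypto ipsec sa` (decapsulation counters rising, so the tunnel is delivering the packets) with `show access-lists OUTSIDE-IN` (hit counts on the deny line) and the log lines that deny produces; `show ip inspect sessions` shows which sessions CBAC has opened, which for remote-initiated traffic should be none.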

  3. Tosh

    Tosh Guest

    > My first guess is that you are running into the "check twice" nature of
    > IPSEC and acl's and previously you were running one of the few versions
    > of IOS that did not do it.


    I bet my last euro on it.
    Bye,
    Tosh.
    Tosh, Dec 7, 2003
    #3
