LAN-to-LAN tunnel (IOS - VPN 3000) ICMP problem

Discussion in 'Cisco' started by stretch, Jan 21, 2004.

  1. stretch

    stretch Guest

    Hi

    I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL
    router. The tunnel works fine for tcp/udp applications but I cannot ping
    between the remote site and the central office (initiating from either end).
    The icmp echo packet is denied by the access list on the public interface of
    the 837. I don't know why this is as it comes through the encrypted tunnel.
    Ping works fine IF I remove the "ip nat outside" statement from the
    interface dialer0 (as below)??

    Any pointers?

    Config as follows:

    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname cj-192.168.150.1
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 16384 debugging
    no logging console
    enable secret 5 xxx
    !
    username xxxx password 7 xxxx
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    no aaa new-model
    ip subnet-zero
    no ip source-route
    no ip icmp rate-limit unreachable
    ip tcp path-mtu-discovery
    no ip domain lookup
    ip domain name xxx
    ip host helsinki xxx
    ip host vpn3005 xxx
    ip host publicip xxx
    !
    !
    no ip bootp server
    ip inspect name fwout cuseeme
    ip inspect name fwout ftp
    ip inspect name fwout http
    ip inspect name fwout skinny
    ip inspect name fwout tcp
    ip inspect name fwout udp
    ip inspect name fwout vdolive
    ip inspect name fwout fragment maximum 256 timeout 1
    ip inspect name fwout h323
    ip inspect name fwout netshow
    ip inspect name fwout icmp
    ip inspect name fwout realaudio
    ip inspect name fwout smtp
    ip inspect name fwout sqlnet
    ip inspect name fwout streamworks
    ip inspect name fwout rcmd
    ip inspect name fwout rtsp
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key xxxx address xxxx
    !
    !
    crypto ipsec transform-set office-set esp-3des esp-sha-hmac
    !
    crypto map office-map 10 ipsec-isakmp
    set peer xxxx
    set security-association lifetime kilobytes 10000
    set security-association lifetime seconds 28800
    set transform-set office-set
    set pfs group2
    match address TO-OFFICE
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.150.1 255.255.255.252
    ip access-group OUTBOUND in
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ! CBAC: sessions initiated from the LAN get temporary openings in the
    ! INBOUND list on Dialer0 for their return traffic
    ip inspect fwout in
    no ip route-cache
    no ip mroute-cache
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    atm vc-per-vp 256
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer0
    ip address negotiated
    ip access-group INBOUND in
    no ip redirects
    no ip proxy-arp
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    dialer pool 1
    dialer string 37
    ppp chap hostname xxxxxxxx
    ppp chap password 7 xxxxxxx
    ! the crypto map and the INBOUND list share this interface: a packet
    ! decrypted here is evaluated against INBOUND a second time, as clear text
    crypto map office-map
    !
    ip nat inside source list NONAT interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ! INBOUND sees the outer ESP/ISAKMP packet and then the decrypted inner
    ! packet; nothing below matches 10.0.0.0/24 -> 192.168.150.0/23, so the
    ! decrypted echo falls through to the final deny (which logs it)
    ip access-list extended INBOUND
    permit esp host xxxx host xxxx
    permit udp host xxxx eq isakmp host xxxx eq isakmp
    permit tcp host xxxx host xxxx eq 22 log
    permit tcp host xxxx host xxxx eq telnet log
    permit icmp any host xxxx echo-reply
    permit icmp any host xxxx unreachable
    permit icmp any host xxxx ttl-exceeded
    permit icmp any host xxxx source-quench
    permit udp host xxxx eq ntp host xxxx eq ntp
    permit udp host xxxx eq ntp host xxxx eq ntp
    deny ip any any log
    ! NAT exemption: traffic for the head office is not translated
    ip access-list extended NONAT
    deny ip 192.168.150.0 0.0.1.255 10.0.0.0 0.0.0.255
    permit ip 192.168.150.0 0.0.1.255 any
    deny ip any any
    ip access-list extended OUTBOUND
    permit ip 192.168.150.0 0.0.1.255 any
    deny ip any any
    ! crypto ACL: note it covers only 192.168.150.0/30 (wildcard 0.0.0.3),
    ! whereas NONAT exempts 192.168.150.0/23 (wildcard 0.0.1.255)
    ip access-list extended TO-OFFICE
    permit ip 192.168.150.0 0.0.0.3 10.0.0.0 0.0.0.255
    access-list 1 permit xxxx
    access-list 2 permit 137.33.0.0 0.0.255.255
    no cdp run
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    access-class 1 in
    login local
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    sntp server xxxx
    sntp server xxxx
    !
    end

    Thanks in advance.
    stretch, Jan 21, 2004
    #1

  2. stretch

    stretch Guest

    "stretch" <> wrote in message
    news:...
    > Hi
    >
    > I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL
    > router. The tunnel works fine for tcp/udp applications but I cannot ping
    > between the remote site and the central office (initiating from either
    > end).
    > The icmp echo packet is denied by the access list on the public interface
    > of the 837. I don't know why this is as it comes through the encrypted
    > tunnel.
    > Ping works fine IF I remove the "ip nat outside" statement from the
    > interface dialer0 (as below)??
    >
    > Any pointers?
    >
    > Config as follows:
    >
    > ..snip...
    >

    I have done some more testing and having removed NAT completely I still get
    the same problem. Packets are decrypted but are denied by the INBOUND acl.
    I have since added statements for the LAN to LAN private traffic to the
    INBOUND acl and it works ok now.

    access-list INBOUND permit ip <head office network> <remote network>

    Is this correct? Why isn't traffic that comes through the tunnel allowed to
    bypass the acl?
    stretch, Jan 21, 2004
    #2

  3. stretch

    stretch Guest

    "stretch" <> wrote in message
    news:...
    >
    > "stretch" <> wrote in message
    > news:...
    > > Hi
    > >
    > > I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL
    > > router. The tunnel works fine for tcp/udp applications but I cannot ping
    > > between the remote site and the central office (initiating from either
    > > end).
    > > The icmp echo packet is denied by the access list on the public
    > > interface of the 837. I don't know why this is as it comes through the
    > > encrypted tunnel.
    > > Ping works fine IF I remove the "ip nat outside" statement from the
    > > interface dialer0 (as below)??
    > >
    > > Any pointers?
    > >
    > > Config as follows:
    > >
    > > ..snip...
    > >
    >
    > I have done some more testing and having removed NAT completely I still get
    > the same problem. Packets are decrypted but are denied by the INBOUND
    > acl.
    > I have since added statements for the LAN to LAN private traffic to the
    > INBOUND acl and it works ok now.
    >
    > access-list INBOUND permit ip <head office network> <remote network>
    >
    > Is this correct? Why isn't traffic that comes through the tunnel allowed
    > to bypass the acl?
    >
    >

    This is correct, it's listed as a Cisco bug.

    woot
    stretch, Jan 21, 2004
    #3
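
    The fix in post #2 is the right one for the IOS release shown, and it helps
    to see what the full INBOUND list then has to cover. On an IOS router of
    this vintage the inbound ACL on the interface carrying the crypto map is
    evaluated twice for tunnelled traffic: once against the outer ESP packet
    from the peer, and again against the decrypted inner packet, which carries
    the head-office and remote-LAN private addresses. The list therefore needs
    the ESP/ISAKMP lines and a line for the inner addresses; NAT plays no part,
    as post #2 found. The configuration below is an added example, not the
    poster's config and not Cisco documentation. The public addresses
    203.0.113.10 (the 837's Dialer0) and 198.51.100.5 (the VPN 3005) are
    assumed placeholders; the private ranges are taken from the NONAT and
    TO-OFFICE lists in the posted config.

```text
! Added example (not from the original post). Assumed addresses:
!   remote LAN    192.168.150.0/23  (as in NONAT / OUTBOUND)
!   head office   10.0.0.0/24       (as in TO-OFFICE)
!   203.0.113.10  assumed public address of the 837 (Dialer0)
!   198.51.100.5  assumed public address of the VPN 3005
!
! 1. Inbound list on Dialer0. Two kinds of lines are needed because the
!    router evaluates this list twice for tunnelled traffic: once on the
!    outer ISAKMP/ESP packet, and again on the decrypted inner packet.
ip access-list extended INBOUND
 remark --- outer packets: IKE and ESP from the 3005 only
 permit udp host 198.51.100.5 eq isakmp host 203.0.113.10 eq isakmp
 permit esp host 198.51.100.5 host 203.0.113.10
 remark --- inner (decrypted) packets: head office to remote LAN
 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.1.255
 remark --- replies to traffic the router itself sends out
 permit icmp any host 203.0.113.10 echo-reply
 permit icmp any host 203.0.113.10 unreachable
 permit icmp any host 203.0.113.10 ttl-exceeded
 permit icmp any host 203.0.113.10 source-quench
 remark --- keep the original ssh/telnet/ntp lines here, unchanged
 deny ip any any log
!
! 2. Keep the crypto ACL and the NAT-exemption ACL as mirror images.
!    The posted TO-OFFICE matches only 192.168.150.0/30 while NONAT
!    exempts 192.168.150.0/23: a host outside the /30 would be left
!    untranslated but not encrypted, and would be routed out Dialer0
!    in the clear with its private source address.
ip access-list extended TO-OFFICE
 permit ip 192.168.150.0 0.0.1.255 10.0.0.0 0.0.0.255
ip access-list extended NONAT
 deny   ip 192.168.150.0 0.0.1.255 10.0.0.0 0.0.0.255
 permit ip 192.168.150.0 0.0.1.255 any
!
! 3. With the exemption in place, "ip nat outside" can go back on
!    Dialer0; the overload rule never touches tunnel traffic.
interface Dialer0
 ip nat outside
!
! 4. Verify: the inner permit line's hit count climbs with each ping
!    and the final deny stops logging.
! show access-lists INBOUND
! show crypto ipsec sa peer 198.51.100.5
```

    Why TCP/UDP appeared to work while ICMP did not also follows from the
    posted config: the `ip inspect fwout in` rule on Ethernet0 (CBAC) adds
    temporary openings to INBOUND for sessions the remote LAN initiates, so
    their return packets pass without a static permit; a packet with no
    matching inspection entry falls through to `deny ip any any log`, which
    is where the logged denies came from. Whether the inner-address line is
    needed at all is release-dependent: later 12.3T images stop re-checking
    decrypted packets against the interface ACL, but on the 12.3 mainline
    image in the posted config the check applies.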
