
Odd ACL thing is occurring on my 3640


labgrl76 (IS-IT--Management, US) - Dec 2, 2005
Hi all, I've recently upgraded my 3640 to IOS 12.3(26) IPsec 3DES and realised something strange. If I apply NO ACL at all, I cannot resolve web pages or hit the Internet from IE. If I apply just a standard permit any, I can get out fine. Now I removed all signs of ACLs... I scoured the entire config like 10 times. After removing everything, I wrote, reloaded and still I cannot resolve to the Internet. I've tried a tracert from WinXP and it stops dead in the router at the local Ethernet interface... until I apply something like access-list 1 permit any. Then the page resolves to whatever web site I am trying to hit. I don't even have to apply it to an interface. If I take the standard ACL out, it goes back to not being able to resolve. The funky thing about all this is I can ping a known working IP on the web (4.2.2.2) and get full responses. I've even tried just entering an IP into the browser address bar and nothing... until I apply that standard ACL statement. I've resorted to reverting back to the c3640-io3-mz.124-13a.bin (IOS 12.4 non-IPsec) and the same strange thing is happening. Below is my config... (with IPsec IOS 12.3)

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
no ip dhcp conflict logging
!
no ip bootp server
ip cef
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
async-bootp dns-server 10.0.100.4
async-bootp nbns-server 10.0.100.4
!
!
!
!
username xxxxxxxx password xxxxxxxxxxxxxxxxx
!
!
!
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
!
interface Multilink1
description Multilink bundle to Site_B
ip address 172.16.1.1 255.255.255.252
ip nat inside
no cdp enable
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
description Multilink bundle to Site_B
no ip address
encapsulation ppp
no keepalive
clock rate 4000000
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/1
description Multilink bundle to Site_B
no ip address
encapsulation ppp
no keepalive
clock rate 4000000
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface FastEthernet1/0
description link to ISP
ip address dhcp
ip nat outside
duplex auto
speed auto
no keepalive
no cdp enable
!
interface FastEthernet2/0
description LAN
ip address 10.0.100.1 255.255.255.0
ip helper-address 10.0.100.4
ip nat inside
speed 100
full-duplex
!
interface Ethernet3/0
no ip address
shutdown
half-duplex
!
interface Serial3/0
ip address 172.16.3.1 255.255.255.252
ip nat inside
encapsulation ppp
no keepalive
clock rate 4000000
!
interface Virtual-Template1
ip unnumbered FastEthernet1/0
ip nat inside
peer default ip address pool test
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
router eigrp 210
redistribute rip
network 10.0.0.0
network 68.0.0.0
network 172.16.0.0
network 192.168.1.0
no auto-summary
!
ip local pool test 10.0.0.1 10.0.0.10
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source static tcp 10.0.100.4 3389 interface FastEthernet1/0 3389
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 68.80.112.1
!
!

no cdp run
!
!
!
!
!
!
!
!
banner login ^CC
------------------------------------------------------------------------
This Device is Private Property.
Unauthorized Access is strictly prohibited.
All connections and attempts to connect are monitored and logged.
Violaters will be prosecuted to the fullest extent of the law.
Message #1-712-23-10-680
Please Disconnect Now if you have reached this prompt unintentionally.
------------------------------------------------------------------------^C
banner motd ^CC
^C
!
line con 0
exec-timeout 0 0
password xxxxxxxxxxxxxxxxx
logging synchronous
speed 115200
line aux 0
line vty 0 4
session-timeout 5
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxx
login
!
ntp clock-period 17179988
ntp server 10.0.100.4
ntp server 129.6.15.28
!
end


BTW, 10.0.100.4 is a local box on which I run DHCP and RDP.
 
I found the answer. Apparently when using Cisco IOS with IPsec/FW/3DES, there is an implicit deny even if no ACL is present.
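One check worth running on a config like the one posted above, as an added example written for this thread (not code from the poster or from Cisco): the running-config contains "ip nat inside source list 1 interface FastEthernet1/0 overload" but no "access-list 1" line, so the NAT rule refers to an ACL that is never defined, which is exactly the kind of dangling reference that surfaces as "works only once I add a permit any". The script below scans an IOS-style config text for ACL references with no matching definition; the sample config is constructed here (a cut-down version modelled on the posted one), and the regexes cover only the commands named in them.

```python
import re

# Constructed sample modelled on the posted config (not the poster's full config):
# the NAT rule names access-list 1, but no "access-list 1" line exists anywhere.
SAMPLE_CONFIG = """\
interface FastEthernet1/0
 ip address dhcp
 ip nat outside
interface FastEthernet2/0
 ip address 10.0.100.1 255.255.255.0
 ip access-group LAN_IN in
 ip nat inside
ip nat inside source list 1 interface FastEthernet1/0 overload
ip access-list extended LAN_IN
 permit ip any any
"""

# Commands that consume an ACL; group 1 captures the ACL number or name.
ACL_REFERENCES = [
    re.compile(r"^\s*ip nat (?:inside|outside) source list (\S+)"),
    re.compile(r"^\s*ip access-group (\S+) (?:in|out)"),
    re.compile(r"^\s*access-class (\S+) (?:in|out)"),
]
# Commands that define an ACL (numbered "access-list N ..." or named).
ACL_DEFINITIONS = [
    re.compile(r"^access-list (\S+) "),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
]


def defined_acls(config):
    """Return the set of ACL identifiers the config actually defines."""
    found = set()
    for line in config.splitlines():
        for pat in ACL_DEFINITIONS:
            m = pat.match(line)
            if m:
                found.add(m.group(1))
    return found


def dangling_acl_references(config):
    """Return (line_no, acl, text) for every ACL use with no matching definition."""
    defined = defined_acls(config)
    dangling = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        for pat in ACL_REFERENCES:
            m = pat.match(line)
            if m and m.group(1) not in defined:
                dangling.append((line_no, m.group(1), line.strip()))
    return dangling
```

Run it over "show running-config" output saved to a file; a non-empty result means a NAT, interface or VTY line points at an ACL the box has no definition for.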
 