Routing from 877 with Site to Site VPN terminating on it

Mar 30, 2003
I'm sure I have been told the whys and wherefores of why this won't work, here it goes though.

Current scenario: Cisco 877 set up with a site to site VPN that terminates on an ASA firewall. VPN comes up OK and all works fine. There are two VLANs defined: VLAN2 is connected to the ISP router (say 172.32.1.1) and VLAN1 is assigned their local LAN (say 10.13.0.254). I can get traffic over this link and everything works fine.

However, I cannot ping from the router to the other side of the VPN (say 10.1.0.1); this does work from workstations on the 10.13 subnet though. SH IP ROUTE shows me that there is no specific route for the 10.1.0.0 subnet. I'm guessing that my problem lies here, as a trace sees traffic go to the Internet. Anyone have any bright ideas?
 
Does any other protocol work, like RDC from 172 to 10? Does anything work from 10 to 172? Can you ping the inside interface of the router from the ASA? For pings to go through an ASA, you have to specifically let them with an acl or a conduit, like
conduit permit icmp any any eq echo
conduit permit icmp any any eq echo-reply
conduit permit icmp any any eq source-quench
conduit permit icmp any any eq time-exceeded
Maybe a few others...
The conduit statements were famous for the older PIXes, so I don't know if they'll work on an ASA... I'm thinking they should, but some believe that ACLs are a better way to do this.
Post a sh run from the router and the ASA.

Burt
 
It's where the router is generating its ICMP traffic from... because the ping is not coming through the LAN interface it is not being matched as interesting traffic and so does not cause the traffic to create and travel through the VPN.

I believe by default the router uses the default gateway interface for pings. In order to force the pings to work as expected you must specify the source interface using the extended ping command.

-Blue
The significant problems we face cannot be solved at the same level of thinking we were at when we created them
 
Blueshark, that was exactly the problem. Instead of just typing "ping 192.168.1.254" if I use "ping 192.168.1.254 source 192.168.2.254" it works perfectly. Thanks for that.
 
No problem...

ps..stars can be given here...

-Blue
The significant problems we face cannot be solved at the same level of thinking we were at when we created them
 
I have a Cisco 871 router that is being used for a client VPN. At the remote site I have a computer and a Cisco VoIP phone that communicate fine with my network. At the remote site, I want to connect a PS3 because I am having an issue with the PS3 communicating with the Sony servers. I have entered all kinds of access-list commands to open all access to the PS3's static IP address with no success.

Any help will be greatly appreciated. Attached is my config

Building configuration...
Current configuration : 6442 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Chicago
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3933032943
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3933032943
revocation-check none
rsakeypair TP-self-signed-3933032943
!
!
crypto pki certificate chain TP-self-signed-3933032943
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.3.1 192.168.3.5
!
ip dhcp pool
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.254
domain-name (left out)
dns-server 192.168.1.13 192.168.1.14 192.168.3.254
option 150 ip 192.168.1.167
!
!
ip cef
ip name-server 192.168.1.13
ip name-server 192.168.1.14
!
!
!
!
!
crypto logging session
crypto isakmp keepalive 15 15 periodic
!
!
!
!
!
crypto ipsec client ezvpn VPN
connect auto
group VPN
mode client
peer 216.159.x.x
username ---- password ----
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
description $ETH-LAN$$FW_INSIDE$
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn VPN
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.3.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN inside
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.255 192.168.4.0
ip route 192.168.4.0 255.255.255.255 192.168.1.0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
logging source-interface FastEthernet0
logging 192.168.1.13
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.254 eq 22
access-list 100 permit tcp 192.168.3.0 0.0.0.255 host 192.168.3.254 eq 22
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.254 eq 443
access-list 100 permit tcp 192.168.3.0 0.0.0.255 host 192.168.3.254 eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.254 eq cmd
access-list 100 permit tcp 192.168.3.0 0.0.0.255 host 192.168.3.254 eq cmd
access-list 100 permit ip any any
access-list 100 permit tcp any any eq 5001
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) TravisVPN
access-list 101 permit udp host 216.159.x.x any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) TravisVPN
access-list 101 permit udp host 216.159.x.x any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) TravisVPN
access-list 101 permit udp host 216.159.x.x any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) TravisVPN
access-list 101 permit esp host 216.159.x.x any
access-list 101 remark Auto generated by SDM for EzVPN (esp) TravisVPN
access-list 101 permit ahp host 216.159.x.x any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
access-list 102 permit ip any any
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
 
Is FastEth/4 the LAN side that your clients are on?

I don't see a default route there though; traffic to addresses outside of the 1.x and 4.x subnets won't go anywhere, start with adding that.

Looking at your ACLs they look pretty open, I'm guessing 101 is for the WAN side and it looks like it would let the responses from the servers in.

access-list 100 permit ip any any looks like it would permit anything to anywhere and actually lets anything through - making the preceding lines needless.

If you turned off the phone and PC and just had a PS3 plugged in you could see if it's hitting the ACLs by doing

sh ip access-list 101; this will show you which lines are getting hit by what rules. If you changed the last line to be access-list 100 permit ip any any log then you could also do a show log and see what is being let through.
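
As an added example (not code from the thread), a small Python analyzer for the numbered extended ACLs above: it finds entries that an earlier `permit ip any any` makes unreachable, as the reply above points out, and walks a packet through an ACL first-match, which also models Blueshark's point in the 877 thread that a ping sourced from the WAN address never matches an interesting-traffic entry written for the LAN subnet. The port names, the sample lines (a subset of ACL 100/101 plus a constructed ACL 110) and the WAN-side address 172.32.1.2 used below are assumptions.

```python
import ipaddress  # added example (not from the thread): analyzer for Cisco numbered extended ACLs
ANY = (0, 0xFFFFFFFF)  # address spec = (address, wildcard) ints; wildcard 1-bits are "don't care"
PORTS = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500, "cmd": 514}  # IOS names
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' from the token list
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))
def _port(tok):  # consume an optional 'eq PORT' qualifier -> int or None
    if tok[:1] != ["eq"]:
        return None
    _, p = tok.pop(0), tok.pop(0)
    return PORTS.get(p) or int(p)
def parse_acl(text):  # {number: [(action, proto, src, sport, dst, dport), ...]} in config order
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark" or int(tok[1]) < 100:
            continue  # skip remarks and standard (1-99) lists
        num, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport))
    return acls
def _covers(outer, inner):  # every address matched by inner is also matched by outer
    (ao, wo), (ai, wi) = outer, inner
    return (wo & wi) == wi and (ai | wo) == (ao | wo)
def evaluate(entries, src, dst, proto, dport=None):  # first match -> (action, index); else implicit deny
    for i, (action, p, s, _sp, d, dp) in enumerate(entries):
        if (p in ("ip", proto) and _covers(s, (_ip(src), 0))
                and _covers(d, (_ip(dst), 0)) and dp in (None, dport)):
            return action, i
    return "deny", None
def shadowed(entries):  # indexes of entries no packet can ever reach: an earlier entry is a superset
    return [i for i, (_, p, s, sp, d, dp) in enumerate(entries)
            if any(q in ("ip", p) and _covers(qs, s) and _covers(qd, d) and qsp in (None, sp)
                   and qdp in (None, dp) for _, q, qs, qsp, qd, qdp in entries[:i])]

# Constructed sample: a subset of ACL 100 / 101 from the posted config, plus an assumed
# interesting-traffic ACL 110 for the 877 thread (LAN 10.13.0.0/24 to remote 10.1.0.0/24).
SAMPLE_ACL = """\
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.254 eq 22
access-list 100 permit ip any any
access-list 100 permit tcp any any eq 5001
access-list 101 permit udp any any eq bootpc
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip 10.13.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""
```

Run `shadowed(parse_acl(SAMPLE_ACL)["100"])` to see the `eq 5001` entry reported as unreachable, and `evaluate(..., "172.32.1.2", "10.1.0.1", "icmp")` against ACL 110 to see the WAN-sourced ping fall through to the implicit deny.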
