Traffic not being routed across Cisco VPN 1

jfmays (ISP, US), Oct 2, 2008
I have a vpn link to another network. It's setup using crypto isakmp. The vpn comes up when traffic is directed to it...

gw1.newalb#show crypto isakmp sa
dst src state conn-id slot
24.235.29.17 65.119.118.136 QM_IDLE 1 0

but when I try to route traffic across it from one machine to one on the other network that matches the access list...

ip access-list extended PHL-3845-SS7-VPN
permit ip host 24.235.0.25 host 65.119.118.76

... it doesn't go across the vpn. Rather, traceroutes from 24.235.0.25 to 65.119.118.76 show it going across the internet.

root@ss02:~# traceroute 65.119.118.76
traceroute to 65.119.118.76 (65.119.118.76), 30 hops max, 40 byte packets
1 fa2-0-103.core-gw1.noc.win.net (216.24.23.67) 0.956 ms 1.040 ms 1.205 ms
2 fa0-0.cust-gw1.noc.win.net (216.24.30.68) 1.556 ms 1.997 ms 2.314 ms
3 216-24-2-238.ip.win.net (216.24.2.238) 12.139 ms 12.458 ms 16.217 ms
4 66.73.221.253 (66.73.221.253) 25.385 ms 23.740 ms 20.455 ms
5 bb2-g4-0-2.ipltin.ameritech.net (151.164.42.158) 19.451 ms 19.116 ms 18.783 ms
6 69.220.8.51 (69.220.8.51) 37.946 ms 39.349 ms 40.347 ms
7 Te-3-2.Chicago1.Level3.net (4.68.110.197) 43.450 ms 43.117 ms 42.779 ms
8 ae-2-52.bbr2.Chicago1.Level3.net (4.68.101.33) 35.399 ms 35.309 ms 34.693 ms
9 so-1-0-0.mp2.Philadelphia1.Level3.net (209.247.8.65) 52.065 ms 52.138 ms 96.989 ms
10 so-11-0.hsa1.Philadelphia1.Level3.net (64.159.0.154) 54.060 ms 54.095 ms 53.400 ms
11 SWITCH-AND.hsa1.Philadelphia1.Level3.net (209.246.200.118) 49.841 ms !X 49.747 ms !X *
 
Once a VPN is established, RFC1918 addresses can be seen by each other, not public IP addresses.

Burt
 
I'm not sure I understand your point. If you are saying I should not be able to see the addresses between my VPN device and theirs, I agree. That is the problem -- the intervening addresses are showing up. The question is, why? The vpn is established and the access list is there to tell the VPN device on our end to route traffic from 24.235.0.25 to 65.119.118.76 across the vpn, but when I traceroute 65.119.118.76 from 24.235.0.25 I see all the addresses in between the VPN devices, which indicates to me that the traffic is not traveling across the VPN.

I can include the complete config of the VPN device on our end if that would help.
 
Do a "show crypto ipsec sa". You don't route traffic across a vpn ... you use a crypto map to specify the traffic that is able to traverse a vpn.

Post a scrubbed config
 
gw1.newalb#show crypto isakmp sa
dst src state conn-id slot
24.235.29.17 65.119.118.136 QM_IDLE 1 0

gw1.newalb#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: WinnetToSyniverse, local addr. 24.235.29.17

protected vrf:
local ident (addr/mask/prot/port): (24.235.0.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (65.119.118.76/255.255.255.255/0/0)
current_peer: 65.119.118.136:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 460, #pkts decrypt: 460, #pkts verify 460
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 24.235.29.17, remote crypto endpt.: 65.119.118.136
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 2BBAE492

inbound esp sas:
spi: 0x94D25645(2496812613)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2054, flow_id: 55, crypto map: WinnetToSyniverse
sa timing: remaining key lifetime (k/sec): (4390471/3566)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x2BBAE492(733668498)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2055, flow_id: 56, crypto map: WinnetToSyniverse
sa timing: remaining key lifetime (k/sec): (4390473/3560)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:
gw1.newalb#
 
Here. The relevant vpn is the "WinnetToSyniverse" one...

==

gw1.newalb#show run
Building configuration...

Current configuration : 39271 bytes
!
! Last configuration change at 16:37:25 EDT Thu Sep 18 2008 by admin
! NVRAM config last updated at 11:52:19 EDT Tue Sep 16 2008 by admin
!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
no service dhcp
!
hostname gw1.newalb
!
boot-start-marker
boot system disk0:c7200-ik9su2-mz.123-23.bin
boot system disk0:c7200-ik9su2-mz.123-16a.bin
boot system slot1:c7200-is-mz.123-16.bin
boot-end-marker
!
logging buffered 262144 debugging
no logging console
enable secret 5 xxxxxxxxxxxxxxxxx
!
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
aaa session-mib disconnect
!
!
ip subnet-zero
no ip source-route
!
!
ip cef
ip domain list win.net
ip domain name win.net
ip name-server 216.24.27.3
ip name-server 216.24.27.4
ip name-server 199.120.154.17
!
no ip bootp server
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
vpdn logging tunnel-drop
vpdn history failure table-size 50
!
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-all VoIP-RTP
match access-group name voip-acl
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
crypto isakmp key WinnetKYtoIN address 216.24.30.1 no-xauth
crypto isakmp key Amer_Sof_$$7_vpn address 65.119.118.136
!
!
crypto ipsec transform-set XForm-3Des-Tun esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set XForm-1Des-Tun esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TSI2 esp-3des esp-md5-hmac
!
crypto map INtoKYvpn local-address ATM2/0.4
crypto map INtoKYvpn 10 ipsec-isakmp
set peer 216.24.30.1
set security-association lifetime seconds 86400
set transform-set XForm-1Des-Tun
set pfs group2
match address VPNtoKentucky
!
crypto map WinnetToSyniverse 20 ipsec-isakmp
description PHL-3845-SS7-VPN router
set peer 65.119.118.136
set transform-set TSI2
match address PHL-3845-SS7-VPN
!
!
!
!
interface Loopback100
description gw1.newalb.win.net loopback interface
ip address 24.235.0.21 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Tunnel0
bandwidth 4096
ip address 216.24.28.238 255.255.255.252
ip mtu 1420
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 7 060100234D4C101E0A
ip ospf cost 65000
tunnel source ATM2/0.4
tunnel destination 216.24.30.1
!
interface FastEthernet0/0
description Win.Net New Albany CO LAN
ip address 216.24.28.17 255.255.255.248 secondary
ip address 24.235.29.17 255.255.255.248
ip ospf message-digest-key 1 md5 7 060100234D4C101E0A
duplex full
no cdp enable
crypto map WinnetToSyniverse
!
ip classless
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 ATM2/0.4
ip route 24.235.0.0 255.255.224.0 Null0
ip route 24.235.0.24 255.255.255.248 Serial6/0/8:0
ip route 24.235.1.16 255.255.255.248 Serial6/0/4:0
ip route 24.235.1.68 255.255.255.252 Serial1/7:0
ip route 24.235.1.84 255.255.255.252 Serial1/7:0
ip route 24.235.1.92 255.255.255.252 Serial5/5:0
ip route 24.235.1.136 255.255.255.248 Serial6/0/2:0
ip route 24.235.1.160 255.255.255.240 Serial1/5:0
ip route 24.235.1.176 255.255.255.248 Serial1/4:0
ip route 24.235.1.200 255.255.255.248 Serial6/0/1:0
ip route 24.235.2.0 255.255.255.248 Serial6/0/3:0
ip route 24.235.2.60 255.255.255.252 Serial5/3:0
ip route 24.235.2.96 255.255.255.224 Serial1/3:0
ip route 24.235.2.136 255.255.255.248 Serial6/0/6:0
ip route 24.235.2.160 255.255.255.224 Serial1/2:0
ip route 24.235.13.48 255.255.255.248 Serial1/6:0
ip route 24.235.20.128 255.255.255.192 Serial5/2:0
ip route 72.13.33.200 255.255.255.248 Tunnel0
ip route 72.13.33.200 255.255.255.248 Serial3/0 250
ip route 72.13.33.216 255.255.255.248 Tunnel0
ip route 72.13.33.216 255.255.255.248 Serial3/0 250
ip route 88.191.20.225 255.255.255.255 Null0
ip route 140.126.21.155 255.255.255.255 Null0
ip route 202.102.170.171 255.255.255.255 Null0
ip route 207.210.90.114 255.255.255.255 Null0
ip route 211.176.61.119 255.255.255.255 Null0
ip route 212.180.4.137 255.255.255.255 Null0
ip route 216.24.20.48 255.255.255.248 Serial6/0/4:0
ip route 216.24.20.252 255.255.255.252 Serial5/5:0
ip route 216.24.21.16 255.255.255.248 Serial1/2:0
ip route 216.24.22.224 255.255.255.248 Serial6/0/1:0
ip route 216.24.30.1 255.255.255.255 ATM2/0.4
ip route 216.24.59.176 255.255.255.252 Serial5/3:0
ip route 216.248.0.126 255.255.255.255 ATM2/0.4
ip route 218.27.204.99 255.255.255.255 Null0
ip route 219.166.48.132 255.255.255.255 Null0
ip route 221.1.223.106 255.255.255.255 Null0
ip flow-export source Loopback100
ip flow-export version 5 origin-as
ip flow-export destination 216.24.27.2 2055
no ip http server
no ip http secure-server
!
ip as-path access-list 1 permit .*
ip as-path access-list 12 permit _19094_
ip as-path access-list 13 permit _7132_
!
!
ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 23
!
ip access-list standard allow-our-nets
permit 216.24.0.0 0.0.63.255
permit 24.235.0.0 0.0.31.255
ip access-list standard backbone-links
permit 64.211.206.140 0.0.0.3
permit 216.85.215.180 0.0.0.3
permit 66.73.221.252 0.0.0.3
permit 216.248.0.124 0.0.0.3
ip access-list standard deny-our-nets
deny 216.24.0.0 0.0.63.255
deny 24.235.0.0 0.0.31.255
permit any
!
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended PHL-3845-SS7-VPN
permit ip host 24.235.0.25 host 65.119.118.76
ip access-list extended VPNtoKentucky
permit gre host 66.73.221.254 host 216.24.30.1
ip access-list extended backbone-nospoof-in
permit tcp any any established
deny ip 24.235.0.0 0.0.31.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
remark -- Numerous LSASS-exploiting worms (Sasser, Korgo)
deny tcp any any eq 445 syn
remark -- Korgo worm
deny tcp any any eq 3067 syn log-input
remark -- Bagle worm
deny tcp any any eq 2475 syn log-input
deny tcp any any eq 2745 syn log-input
deny tcp any any eq 2766 syn log-input
deny tcp any any eq 8866 syn log-input
deny tcp any any eq 6777 syn log-input
remark -- Allow everything else
permit ip any any
ip access-list extended backbone-nospoof-out
permit tcp any any established
permit ip 216.24.0.0 0.0.63.255 any
permit ip 24.235.0.0 0.0.31.255 any
permit ip 64.211.206.140 0.0.0.3 any
permit ip 66.73.221.252 0.0.0.3 any
permit ip 216.248.0.124 0.0.0.3 any
deny ip any any log-input
ip access-list extended block-non-l2tp-stuff
permit ip host 10.247.101.5 host 10.247.101.6
permit ip host 10.247.101.9 host 10.247.101.10
permit ip host 10.247.104.5 host 10.247.104.6
permit ip host 10.247.105.5 host 10.247.105.6
permit ip host 10.247.106.5 host 10.247.106.6
deny ip any any log-input
permit ip host 10.247.103.5 host 10.247.103.6
ip access-list extended in-block-nb
remark -- Same as out-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-smtp-nb
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-dangerously-allow-all
permit ip any any
ip access-list extended in-permitlog-smtp
remark -- This one is used to see who we need to not apply blocksmtp to.
remark -- It is functionally identical to in-block-nb.
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp syn log-input
permit tcp any any eq smtp
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended log-all
permit ip any any log-input
ip access-list extended out-block-nb
remark -- Same as in-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-smtp-nb
permit tcp 216.24.27.0 0.0.0.255 eq smtp any
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-dangerously-allow-all
permit ip any any
ip access-list extended out-permitlog-smtp
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended voip-acl
permit ip any any precedence critical tos 12
ip radius source-interface Loopback100
logging trap debugging
logging source-interface Loopback100
logging 216.24.27.219
access-list compiled
access-list 2 permit 216.24.27.0 0.0.0.255
no cdp run
!
route-map att-outbound-prefs permit 30
match as-path 12
set local-preference 110
!
route-map att-outbound-prefs permit 40
match as-path 13
set local-preference 115
!
route-map att-outbound-prefs permit 50
match as-path 1
set local-preference 100
!
route-map ospf-redistrib permit 10
match ip address allow-our-nets
!
route-map ospf-redistrib permit 15
match ip address backbone-links
!
route-map ospf-redistrib deny 20
match interface Null0
!
route-map att-announce permit 10
match ip address allow-our-nets
!
gatekeeper
shutdown
!
banner incoming ^C
Connection established.
^C
banner motd ^C
Win.Net Internet
^C
alias exec srr sho int | i ^[A-Z]|^[a-z]|ts/se.+[1-9] pa|ts/se.+[0-9][0-9] pa
alias exec su enable
!
line con 0
exec-timeout 60 0
transport preferred none
stopbits 1
line aux 0
location Test line
access-class 23 in
exec-timeout 60 0
modem InOut
transport preferred none
transport input telnet
stopbits 1
speed 38400
flowcontrol hardware
line vty 0 4
access-class 23 in
exec-timeout 120 0
logging synchronous
transport preferred none
transport input telnet ssh
!
exception core-file gw1.newalb-core
exception protocol ftp
exception dump 216.24.27.2
exception crashinfo file slot0:crashinfo
ntp clock-period 17179805
ntp update-calendar
ntp server 216.24.27.41 prefer
ntp server 216.24.27.2
!
end

gw1.newalb#
 
According to this post ...

gw1.newalb#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: WinnetToSyniverse, local addr. 24.235.29.17

protected vrf:
local ident (addr/mask/prot/port): (24.235.0.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (65.119.118.76/255.255.255.255/0/0)
current_peer: 65.119.118.136:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 460, #pkts decrypt: 460, #pkts verify 460
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 24.235.29.17, remote crypto endpt.: 65.119.118.136
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 2BBAE492

inbound esp sas:
spi: 0x94D25645(2496812613)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2054, flow_id: 55, crypto map: WinnetToSyniverse
sa timing: remaining key lifetime (k/sec): (4390471/3566)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x2BBAE492(733668498)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2055, flow_id: 56, crypto map: WinnetToSyniverse
sa timing: remaining key lifetime (k/sec): (4390473/3560)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:
gw1.newalb#

This device is decrypting traffic and not encrypting traffic, thus I would check all your routes on your other gear.
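A troubleshooting check for exactly the pattern in this thread, added here as an example (it is not code from the thread or from Cisco): it parses the identity and counter lines of `show crypto ipsec sa` and the crypto-map and static-route lines of the running config, flags a security association that decapsulates but never encapsulates, and reports when the crypto map is not applied on the interface the remote host is actually routed out of (in IOS a crypto map only acts on traffic leaving the interface it is applied to). The sample texts are constructed from the posted output, and the route lookup assumes static routing only; `parse_ipsec_sa`, `parse_config`, `egress_for` and `diagnose` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the identity and counter lines from the posted
# 'show crypto ipsec sa' output (values as posted; other lines omitted).
SAMPLE_IPSEC_SA = """\
interface: FastEthernet0/0
Crypto map tag: WinnetToSyniverse, local addr. 24.235.29.17
local ident (addr/mask/prot/port): (24.235.0.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (65.119.118.76/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 460, #pkts decrypt: 460, #pkts verify 460
"""

# Constructed sample: the parts of the posted running config that decide where
# the crypto map sits and which interface the remote host is routed out of.
SAMPLE_CONFIG = """\
crypto map WinnetToSyniverse 20 ipsec-isakmp
 set peer 65.119.118.136
 match address PHL-3845-SS7-VPN
!
interface FastEthernet0/0
 ip address 24.235.29.17 255.255.255.248
 crypto map WinnetToSyniverse
!
ip route 0.0.0.0 0.0.0.0 ATM2/0.4
ip route 24.235.0.0 255.255.224.0 Null0
"""


def _ident(line):
    # "...: (24.235.0.25/255.255.255.255/0/0)" -> "24.235.0.25/255.255.255.255"
    m = re.search(r":\s*\(([^/]+/[^/]+)/", line)
    return m.group(1) if m else None


def parse_ipsec_sa(text):
    """One dict per protected flow: crypto map name, local/remote idents, counters."""
    flows, cmap, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cmap = line.split(":", 1)[1].split(",", 1)[0].strip()
        elif line.startswith("local ident"):
            cur = {"map": cmap, "local": _ident(line), "remote": None,
                   "encaps": 0, "decaps": 0}
            flows.append(cur)
        elif cur is not None and line.startswith("remote ident"):
            cur["remote"] = _ident(line)
        elif cur is not None:
            m = re.match(r"#pkts (encaps|decaps):\s*(\d+)", line)
            if m:
                cur[m.group(1)] = int(m.group(2))
    return flows


def parse_config(text):
    """Which interfaces each crypto map is applied on, plus the static routes."""
    applied, routes, iface = {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "interface" and len(parts) > 1:
            iface = parts[1]
        elif parts[0] == "!":
            iface = None  # end of the interface stanza
        elif iface and parts[:2] == ["crypto", "map"] and len(parts) > 2:
            applied.setdefault(parts[2], []).append(iface)
        elif parts[:2] == ["ip", "route"] and len(parts) >= 5:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[4]))  # parts[4]: exit interface or next-hop IP
    return {"applied": applied, "routes": routes}


def egress_for(dst, routes):
    """Longest-prefix match over static routes; assumes no dynamic route to dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def diagnose(sa_text, config_text):
    """Findings as strings; an empty list means the checks found nothing."""
    cfg = parse_config(config_text)
    findings = []
    for f in parse_ipsec_sa(sa_text):
        tag = f"{f['map']} {f['local']} -> {f['remote']}"
        if f["encaps"] == 0 and f["decaps"] > 0:
            findings.append(f"{tag}: one-way SA (decaps={f['decaps']}, encaps=0); "
                            "this router never selects the SA for outbound traffic")
        remote_host = f["remote"].split("/")[0]
        via = egress_for(remote_host, cfg["routes"])
        on = cfg["applied"].get(f["map"], [])
        # A 'via' that starts with a digit is a next-hop IP, so the exit interface
        # is unknown here; interface names (ATM2/0.4, Null0, ...) start with a letter.
        if via and not via[0].isdigit() and via not in on:
            findings.append(f"{tag}: crypto map applied on {on or 'no interface'} but "
                            f"{remote_host} is routed out {via}; outbound packets never "
                            "pass through the crypto map")
    return findings
```

Run `diagnose(SAMPLE_IPSEC_SA, SAMPLE_CONFIG)` to get both findings for the posted output; the same two checks applied to the real `show crypto ipsec sa` and `show run` text give the same answer without hand-reading the counters.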
 
I scrubbed the config and took out most of the extraneous info, but removed one important point. This is the only path the data CAN be taking to the net, because it's got the gateway in it. I'll highlight the point where it passes through this device in the traceroute ....


root@ss02:~# traceroute 65.119.118.76
traceroute to 65.119.118.76 (65.119.118.76), 30 hops max, 40 byte packets
1 fa2-0-103.core-gw1.noc.win.net (216.24.23.67) 0.956 ms 1.040 ms 1.205 ms
2 fa0-0.cust-gw1.noc.win.net (216.24.30.68) 1.556 ms 1.997 ms 2.314 ms
3 216-24-2-238.ip.win.net (216.24.2.238) 12.139 ms 12.458 ms 16.217 ms < This is the vpn device with the posted config
4 66.73.221.253 (66.73.221.253) 25.385 ms 23.740 ms 20.455 ms < This is the WAN connection in the vpn device
5 bb2-g4-0-2.ipltin.ameritech.net (151.164.42.158) 19.451 ms 19.116 ms 18.783 ms
6 69.220.8.51 (69.220.8.51) 37.946 ms 39.349 ms 40.347 ms
7 Te-3-2.Chicago1.Level3.net (4.68.110.197) 43.450 ms 43.117 ms 42.779 ms
8 ae-2-52.bbr2.Chicago1.Level3.net (4.68.101.33) 35.399 ms 35.309 ms 34.693 ms
9 so-1-0-0.mp2.Philadelphia1.Level3.net (209.247.8.65) 52.065 ms 52.138 ms 96.989 ms
10 so-11-0.hsa1.Philadelphia1.Level3.net (64.159.0.154) 54.060 ms 54.095 ms 53.400 ms
11 SWITCH-AND.hsa1.Philadelphia1.Level3.net (209.246.200.118) 49.841 ms !X 49.747 ms !X *
 
So that is my problem. I am tracerouting from 24.235.0.25 to 65.119.118.76, through a vpn router that contains the following access list...

ip access-list extended PHL-3845-SS7-VPN
permit ip host 24.235.0.25 host 65.119.118.76

... and yet the traffic does not seem to get encrypted for the vpn.
 
Let's back up for a second. Is that your entire router configuration or just snippets?

ip access-list extended PHL-3845-SS7-VPN
permit ip host 24.235.0.25 host 65.119.118.76

Notice
ip route 24.235.0.0 255.255.224.0 Null0


Secondly, are you obscuring your configuration or are you actually using public IP addresses on your network? Additionally, if you are trying to traceroute to troubleshoot the VPN, the only machine you could do it from is 24.235.0.25.


 
They asked me to "scrub" the config before posting it, so I took out things that seemed to be irrelevant, radius auth, etc. I'll repost the entire config sans passwords.

gw1.newalb#show run
Building configuration...

Current configuration : 39271 bytes
!
! Last configuration change at 16:37:25 EDT Thu Sep 18 2008 by admin
! NVRAM config last updated at 11:52:19 EDT Tue Sep 16 2008 by admin
!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
no service dhcp
!
hostname gw1.newalb
!
boot-start-marker
boot system disk0:c7200-ik9su2-mz.123-23.bin
boot system disk0:c7200-ik9su2-mz.123-16a.bin
boot system slot1:c7200-is-mz.123-16.bin
boot-end-marker
!
logging buffered 262144 debugging
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
aaa session-mib disconnect
!
!
aaa group server radius WinAuthAcct
server 216.24.27.48 auth-port 1812 acct-port 1813
server 216.24.27.49 auth-port 1812 acct-port 1813
server 216.24.27.209 auth-port 1645 acct-port 1646
server 216.24.27.200 auth-port 1645 acct-port 1646
server 216.24.27.201 auth-port 1645 acct-port 1646
server 216.24.27.202 auth-port 1645 acct-port 1646
server 216.24.27.203 auth-port 1645 acct-port 1646
server 216.24.27.204 auth-port 1645 acct-port 1646
server 216.24.27.205 auth-port 1645 acct-port 1646
server 216.24.27.206 auth-port 1645 acct-port 1646
server 216.24.27.207 auth-port 1645 acct-port 1646
server 216.24.27.208 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication ppp default local group WinAuthAcct
aaa authentication ppp PermT1 none
aaa authorization exec default local none
aaa authorization network default local group WinAuthAcct
aaa authorization network PermT1 none
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting network default start-stop broadcast group WinAuthAcct
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip domain list win.net
ip domain name win.net
ip name-server 216.24.27.3
ip name-server 216.24.27.4
ip name-server 199.120.154.17
!
no ip bootp server
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
vpdn logging tunnel-drop
vpdn history failure table-size 50
!
vpdn-group SBC-Nwalin01rr
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname Nwalin01rr.in.AADS
source-ip 10.247.101.5
local name winnetdsl101-a
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxxxxx
!
vpdn-group SBC-nwal0102rr
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname nwal0102rr.in.AADS
source-ip 10.247.102.5
local name winnetdsl102
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxxxxx
!
vpdn-group SBC-nwal0103rr
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname nwal0103rr.in.AADS
source-ip 10.247.103.5
local name winnetdsl103
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxxxxxxx
!
vpdn-group SBC-nwal0104rr
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname nwal0104rr.in.AADS
source-ip 10.247.104.5
local name winnetdsl104
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxxxxxxxx
!
vpdn-group SBC-nwal0105rr
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname nwal0105rr.in.AADS
source-ip 10.247.105.5
local name winnetdsl105
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxxxx
!
vpdn-group SBC-nwal0106rr
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname nwal0106rr.in.AADS
source-ip 10.247.106.5
local name winnetdsl106
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxxxxxxx
!
async-bootp dns-server 216.24.27.3 216.24.27.4 199.120.154.17
frame-relay switching
!
!
virtual-template 1 pre-clone 500
!
!
!
!
!
!
!
!
!
!
memory-size iomem 32
username admin secret 5 xxxxxxxxxxxxxxxx
username mandrews secret 5 xxxxxxxxxxxxxxxx
username mays secret 5 xxxxxxxxxxxxxxxx
username kdavis secret 5 xxxxxxxxxxxxxxxx
username JoshuaHoke secret 5 xxxxxxxxxxxxxxxx
username CodyPate secret 5 xxxxxxxxxxxxxxxx
!
!
controller T1 1/0
framing esf
fdl att
linecode b8zs
channel-group 0 timeslots 1-24
description St. Anthony's Fed CU Clarksville 2 (UNE-DS1-002-020, HCFD.656912..NB, order C2489784009)
!
controller T1 1/1
framing esf
fdl att
linecode b8zs
channel-group 0 timeslots 1-24
description St. Anthony's Fed CU Clarksville 1 (UNE-DS1-002-019, HCFD.656864..NB, order C2489777992)
!
controller T1 1/2
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Better Quality Business Systems (UNE-DS1-002-008, Ameritech DHDU.655256..NB)
!
controller T1 1/3
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Clark County Courthouse, 501 E Court Ave, Jeffersonville IN (UNE-DS1-002-003, Ameritech HCFD.675507..NB)
!
controller T1 1/4
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Kiesler's Police Supply, 3300 Industrial Pkwy, Jeffersonville IN (812-288-5740) (UNE-DS1-002-004, Ameritech HCFD.675506..NB)
!
controller T1 1/5
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Tilton Equipment, 4103 Foundation Blvd, New Albany IN (800-490-4968) (UNE-DS1-002-005, Ameritech DHDU.654464..NB)
!
controller T1 1/6
shutdown
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description UNUSED,WAS--Akin Medical, 2019 State St, New Albany IN (812-945-3557x114) (UNE-DS1-002-006, Ameritech DHDU.654459..NB)
!
controller T1 1/7
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Indco Systems, 4040 Earnings Way, New Albany IN (812-945-4383) (Winnet PON UNE-DS1-002-009, DHDU.655351..NB )
!
controller T1 5/0
shutdown
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description UNUSED -- WAS Eye Associates Jeffersonville (UNE-DS1-002-010, HCFD.655621..NB)
!
controller T1 5/1
shutdown
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description UNUSED -- WAS Eye Associates New Albany (UNE-DS1-002-011, DHDU.655624..NB)
!
controller T1 5/2
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Mac Construction (UNE-DS1-002-012, DHDU.656082..NB)
!
controller T1 5/3
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Retailers Supply (UNE-DS1-002-013, DHDU/656138//NB)
!
controller T1 5/4
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Aircraft Specialists (UNE-DS1-002-014, HCFD/656264//NB)
!
controller T1 5/5
framing esf
fdl att
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description Excellence in Dentistry (UNE-DS1-002-016, DHDU.656795..NB)
!
controller T1 5/6
framing esf
fdl att
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description St. Anthony's Fed CU New Albany 1 (UNE-DS1-002-017, DHDU.656865..NB, order C2489777993)
!
controller T1 5/7
framing esf
fdl att
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24
description St. Anthony's Fed CU New Albany 2 (UNE-DS1-002-018, DHDU.656866..NB, order C2489777996)
!
controller T3 6/0
framing m23
clock source line
t1 1 channel-group 0 timeslots 1-24
t1 2 channel-group 0 timeslots 1-24
t1 3 channel-group 0 timeslots 1-24
t1 4 channel-group 0 timeslots 1-24
t1 5 channel-group 0 timeslots 1-24
t1 6 channel-group 0 timeslots 1-24
t1 7 channel-group 0 timeslots 1-24
t1 8 channel-group 0 timeslots 1-24
t1 9 channel-group 0 timeslots 1-24
t1 10 channel-group 0 timeslots 1-24
t1 11 channel-group 0 timeslots 1-24
t1 12 channel-group 0 timeslots 1-24
t1 13 channel-group 0 timeslots 1-24
t1 14 channel-group 0 timeslots 1-24
t1 15 channel-group 0 timeslots 1-24
t1 16 channel-group 0 timeslots 1-24
t1 17 channel-group 0 timeslots 1-24
t1 18 channel-group 0 timeslots 1-24
t1 19 channel-group 0 timeslots 1-24
t1 20 channel-group 0 timeslots 1-24
t1 21 channel-group 0 timeslots 1-24
t1 22 channel-group 0 timeslots 1-24
t1 23 channel-group 0 timeslots 1-24
t1 24 channel-group 0 timeslots 1-24
t1 25 channel-group 0 timeslots 1-24
t1 26 channel-group 0 timeslots 1-24
t1 27 channel-group 0 timeslots 1-24
t1 28 channel-group 0 timeslots 1-24
description Channelized T3 to SBC (CFA 001 /DSX3 /2 /NWALIN01 /NWALIN01H323)
!
ip rcmd rsh-enable
ip rcmd remote-host diesel 216.24.27.41 root enable
ip rcmd remote-host diesel 216.24.27.2 root enable
ip telnet source-interface Loopback100
ip tftp source-interface Loopback100
ip ftp source-interface Loopback100
ip ftp username cisco
ip ftp password 7 xxxxxxxxxxxxxxxx
ip ssh source-interface Loopback100
!
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-all VoIP-RTP
match access-group name voip-acl
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map QoS-Policy
class VoIP-RTP
priority 384
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxxx address 216.24.30.1 no-xauth
crypto isakmp key xxxxxxxxxxxxxxxx address 65.119.118.136
!
!
crypto ipsec transform-set XForm-3Des-Tun esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set XForm-1Des-Tun esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TSI2 esp-3des esp-md5-hmac
!
crypto map INtoKYvpn local-address ATM2/0.4
crypto map INtoKYvpn 10 ipsec-isakmp
set peer 216.24.30.1
set security-association lifetime seconds 86400
set transform-set XForm-1Des-Tun
set pfs group2
match address VPNtoKentucky
!
crypto map WinnetToSyniverse 20 ipsec-isakmp
description PHL-3845-SS7-VPN router
set peer 65.119.118.136
set transform-set TSI2
match address PHL-3845-SS7-VPN
!
!
!
!
interface Loopback100
description gw1.newalb.win.net loopback interface
ip address 24.235.0.21 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Tunnel0
bandwidth 4096
ip address 216.24.28.238 255.255.255.252
ip mtu 1420
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 7 xxxxxxxxxxxxxxxx
ip ospf cost 65000
tunnel source ATM2/0.4
tunnel destination 216.24.30.1
!
interface FastEthernet0/0
description Win.Net New Albany CO LAN
ip address 216.24.28.17 255.255.255.248 secondary
ip address 24.235.29.17 255.255.255.248
ip ospf message-digest-key 1 md5 7 xxxxxxxxxxxxxxxx
duplex full
no cdp enable
crypto map WinnetToSyniverse
!
interface Serial1/0:0
description CANCEL THIS -- One Vision Fed CU Sherwood Ave Clarksville 2 (UNE-DS1-002-020, HCFD.656912..NB, order C2489784009)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
shutdown
no keepalive
no cdp enable
!
interface Serial1/1:0
description CANCEL THIS -- One Vision Fed CU Sherwood Ave Clarksville 1 (UNE-DS1-002-019, HCFD.656864..NB, order C2489777992)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
shutdown
no keepalive
no cdp enable
!
interface Serial1/2:0
description Better Quality Business Systems (UNE-DS1-002-008, Ameritech DHDU.655256..NB)
bandwidth 1536
ip address 24.235.2.9 255.255.255.248 secondary
ip address 24.235.1.25 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial1/3:0
description Clark County Commissioners, 501 E Court Ave, Jeffersonville IN (UNE-DS1-002-003, Ameritech HCFD.675507..NB)
bandwidth 1536
ip address 24.235.2.37 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
ppp authorization PermT1
!
interface Serial1/4:0
description Kiesler's Police Supply, 3300 Industrial Pkwy, Jeffersonville IN (812-288-5740) (UNE-DS1-002-004, Ameritech HCFD.675506..NB)
bandwidth 1536
ip address 24.235.1.37 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
ppp authorization PermT1
!
interface Serial1/5:0
description Tilton Equipment, 4103 Foundation Blvd, New Albany IN (800-490-4968) (UNE-DS1-002-005, Ameritech DHDU.654464..NB)
bandwidth 1536
ip address 24.235.1.13 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
no cdp enable
!
interface Serial1/6:0
description UNUSED,WAS--Akin Medical, 2019 State St, New Albany IN (812-945-3557x114) (UNE-DS1-002-006, Ameritech DHDU.654459..NB)
bandwidth 1536
no ip address
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
shutdown
no cdp enable
!
interface Serial1/7:0
description Indco Systems, 4040 Earnings Way, New Albany IN (812-945-4383) (Winnet PON UNE-DS1-002-009, DHDU.655351..NB )
bandwidth 1536
ip address 24.235.1.29 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface ATM2/0
description AT&T/SBC backbone(35Mb)/ADSL(10Mb) ATM DS3 (Ameritech 12.HFFJ.000018..SUV [call AT&T NBC for maintenance]) to NWALIN0102W
no ip address
logging event subif-link-status
atm scrambling cell-payload
atm framing cbitplcp
no atm ilmi-keepalive
pvc SBC-ILMI-2 0/16 ilmi
!
!
interface ATM2/0.4 point-to-point
description AT&T/SBC 35Mb DIA backbone tunnel over the ADSL ATM DS3
ip address 66.73.221.254 255.255.255.252
ip access-group backbone-nospoof-in in
ip access-group backbone-nospoof-out out
crypto map INtoKYvpn
pvc attdia 2/65
vbr-nrt 35000 35000
oam-pvc manage
encapsulation aal5mux ip
!
!
interface ATM2/0.101 point-to-point
description PVC to L2TP tunnels to AT&T NWALIN01RR for DSL
ip address 10.247.101.5 255.255.255.252
ip access-group block-non-l2tp-stuff out
ip verify unicast reverse-path
ip route-cache same-interface
pvc nwalin01rr 3/101
oam-pvc manage
encapsulation aal5snap
!
!
interface ATM2/0.102 point-to-point
description PVC to L2TP tunnels to AT&T NWAL0102RR for DSL
ip address 10.247.102.5 255.255.255.252
ip access-group block-non-l2tp-stuff out
ip verify unicast reverse-path
ip route-cache same-interface
pvc nwal0102rr 3/102
oam-pvc manage
encapsulation aal5snap
!
!
interface ATM2/0.103 point-to-point
description PVC to L2TP tunnels to AT&T NWAL0103RR for DSL
ip address 10.247.103.5 255.255.255.252
ip access-group block-non-l2tp-stuff out
ip verify unicast reverse-path
ip route-cache same-interface
pvc nwal0103rr 3/103
oam-pvc manage
encapsulation aal5snap
!
!
interface ATM2/0.104 point-to-point
description PVC to L2TP tunnels to AT&T NWALIN0104RR for DSL
ip address 10.247.104.5 255.255.255.252
ip access-group block-non-l2tp-stuff out
ip verify unicast reverse-path
ip route-cache same-interface
pvc nwal0104rr 3/104
oam-pvc manage
encapsulation aal5snap
!
!
interface ATM2/0.105 point-to-point
description PVC to L2TP tunnels to AT&T NWALIN0105RR for DSL
ip address 10.247.105.5 255.255.255.252
ip access-group block-non-l2tp-stuff out
ip verify unicast reverse-path
ip route-cache same-interface
pvc nwal0105rr 3/105
oam-pvc manage
encapsulation aal5snap
!
!
interface ATM2/0.106 point-to-point
description PVC to L2TP tunnels to AT&T NWALIN0106RR for DSL
ip address 10.247.106.5 255.255.255.252
ip access-group block-non-l2tp-stuff out
ip verify unicast reverse-path
ip route-cache same-interface
pvc nwal0106rr 3/106
oam-pvc manage
encapsulation aal5snap
!
!
interface Serial3/0
description New Albany CO to Heyburn DS3 (KDL KDL.HFGS.306444, 00002/DSX3/04/NWALIN01/NWALIN01H21, KDL's Cisco ONS15454 slot 1 port 4)
ip address 216.24.28.246 255.255.255.252
ip ospf message-digest-key 1 md5 7 xxxxxxxxxxxxxxxx
load-interval 30
auto qos voip
dsu bandwidth 44210
scramble
framing c-bit
cablelength 32
serial restart-delay 0
no cdp enable
service-policy output AutoQoS-Policy-UnTrust
!
interface Serial3/1
description spare DS3 port, jack 20
no ip address
shutdown
dsu bandwidth 44210
framing c-bit
cablelength 175
serial restart-delay 0
no cdp enable
!
interface FastEthernet4/0
description Win.Net New Albany CO LAN 2
ip address 216.24.28.25 255.255.255.248
ip ospf message-digest-key 1 md5 7 xxxxxxxxxxxxxxxx
duplex full
no cdp enable
!
interface Serial5/0:0
description UNUSED -- WAS Eye Associates Jeffersonville (UNE-DS1-002-010, HCFD.655621..NB)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
shutdown
no keepalive
no cdp enable
!
interface Serial5/1:0
description UNUSED -- WAS Eye Associates New Albany (UNE-DS1-002-011, DHDU.655624..NB)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
shutdown
no keepalive
no cdp enable
!
interface Serial5/2:0
description Mac Construction (UNE-DS1-002-012, DHDU.656082..NB)
bandwidth 1536
ip address 24.235.1.77 255.255.255.252 secondary
ip address 216.24.2.13 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial5/3:0
description Retailers Supply (UNE-DS1-002-013, DHDU/656138//NB)
bandwidth 1536
ip address 24.235.2.57 255.255.255.252 secondary
ip address 216.24.2.17 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
no cdp enable
!
interface Serial5/4:0
description Aircraft Specialists (UNE-DS1-002-014, HCFD/656264//NB)
bandwidth 1536
ip address 24.235.1.133 255.255.255.252 secondary
ip address 216.24.2.21 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
no cdp enable
!
interface Serial5/5:0
description Excellence in Dentistry (UNE-DS1-002-016, DHDU.656795..NB)
bandwidth 1536
ip address 24.235.1.89 255.255.255.252 secondary
ip address 216.24.2.33 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial5/6:0
description One Vision FCU, PtP #1 to Jeff (UNE-DS1-002-017, DHDU.656865..NB, order C2489777993)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay
no keepalive
frame-relay intf-type dce
frame-relay route 16 interface Serial6/0/9:0 16
!
interface Serial5/7:0
description One Vision FCU, PtP #2 to State St (UNE-DS1-002-018, DHDU.656866..NB, order C2489777996)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay
no keepalive
frame-relay intf-type dce
frame-relay route 16 interface Serial6/0/5:0 16
!
interface Serial6/0/1:0
description J. R. Aviation (WNA-UNE-DS1-003-001, HCFD.657129..NB)
bandwidth 1536
ip address 24.235.1.197 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial6/0/2:0
description Forms America
bandwidth 1536
ip address 24.235.1.213 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial6/0/3:0
description Genesis One (UNE-DS1-003-005, HCFD.696469..NB)
bandwidth 1536
ip address 24.235.1.129 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial6/0/4:0
description Genesis One (UNE-DS1-003-004, HCFD.687777..NB)
bandwidth 1536
ip address 24.235.2.41 255.255.255.252 secondary
ip address 216.24.2.49 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial6/0/5:0
description One Vision FCU, PtP #2 to Lewis & Clark (PON, HCFD.694848..NB, order C2682392621)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay
no keepalive
frame-relay intf-type dce
frame-relay route 16 interface Serial5/7:0 16
!
interface Serial6/0/6:0
description PC Building Materials (UNE-DS1-003-007, HCFD.699902..NB)
bandwidth 1536
ip address 24.235.2.33 255.255.255.252
ip access-group in-block-nb in
ip access-group out-block-nb out
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp authorization PermT1
!
interface Serial6/0/7:0
description One Vision FCU, PtP #1 to Lewis & Clark (PON, HCFD.700276..NB, order C2682476109)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay
no keepalive
frame-relay intf-type dce
frame-relay route 16 interface Serial6/0/10:0 16
!
interface Serial6/0/8:0
description Win.Net T1 to Heyburn NOC - KDL Circuit ID CC/HCGS/404353//KDL
ip address 216.24.2.238 255.255.255.252
encapsulation ppp
ip ospf message-digest-key 1 md5 7 060100234D4C101E0A
no cdp enable
!
interface Serial6/0/9:0
description One Vision FCU, PtP #1 to Lewis & Clark (PON, HCFD.700276..NB, order C2682476109)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay
no keepalive
frame-relay intf-type dce
frame-relay route 16 interface Serial5/6:0 16
!
interface Serial6/0/10:0
description One Vision FCU, PtP #2 to
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay
no keepalive
frame-relay intf-type dce
frame-relay route 16 interface Serial6/0/7:0 16
!
interface Serial6/0/11:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/12:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/13:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/14:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/15:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/16:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/17:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/18:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/19:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/20:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/21:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/22:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/23:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/24:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/25:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/26:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/27:0
no ip address
shutdown
no cdp enable
!
interface Serial6/0/28:0
no ip address
shutdown
no cdp enable
!
interface Virtual-Template1
description Ameritech ADSL PPPoE template
ip unnumbered Loopback100
ip verify unicast reverse-path
ip route-cache flow
no peer default ip address
ppp max-bad-auth 4
ppp mtu adaptive
ppp authentication pap chap
ppp chap hostname winnet-indsl-1
service-policy output QoS-Policy
!
router ospf 5150
log-adjacency-changes
area 0 authentication message-digest
summary-address 216.24.62.0 255.255.255.0
redistribute connected subnets route-map ospf-redistrib
redistribute static subnets route-map ospf-redistrib
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface Serial1/0:0
no passive-interface Serial3/0
no passive-interface FastEthernet4/0
no passive-interface Serial6/0/8:0
no passive-interface Loopback100
no passive-interface Tunnel0
network 24.235.0.0 0.0.0.255 area 0
network 24.235.0.0 0.0.31.255 area 0
network 216.24.0.0 0.0.63.255 area 0
!
router bgp 7333
no synchronization
bgp router-id 24.235.0.21
bgp cluster-id 3625457473
bgp log-neighbor-changes
bgp bestpath compare-routerid
neighbor 66.73.221.253 remote-as 7132
neighbor 66.73.221.253 description ATT / ameritech.net
neighbor 66.73.221.253 remove-private-AS
neighbor 66.73.221.253 version 4
neighbor 66.73.221.253 distribute-list deny-our-nets in
neighbor 66.73.221.253 distribute-list allow-our-nets out
neighbor 66.73.221.253 route-map att-announce out
neighbor 66.73.221.253 password 7 150502020A2F3F77
neighbor 66.73.221.253 maximum-prefix 250000
neighbor 216.24.30.1 remote-as 7333
neighbor 216.24.30.1 description core-gw1.noc.win.net iBGP
neighbor 216.24.30.1 update-source Loopback100
neighbor 216.24.30.1 version 4
neighbor 216.24.30.1 password 7 08254A59040B11
neighbor 216.24.30.1 maximum-prefix 250000
neighbor 216.24.30.2 remote-as 7333
neighbor 216.24.30.2 description core-gw2.noc.win.net iBGP
neighbor 216.24.30.2 update-source Loopback100
neighbor 216.24.30.2 version 4
neighbor 216.24.30.2 password 7 08254A59040B11
neighbor 216.24.30.2 maximum-prefix 250000
distribute-list prefix max23 in
no auto-summary
!
ip classless
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 ATM2/0.4
ip route 24.235.0.0 255.255.224.0 Null0
ip route 24.235.0.24 255.255.255.248 Serial6/0/8:0
ip route 24.235.1.16 255.255.255.248 Serial6/0/4:0
ip route 24.235.1.68 255.255.255.252 Serial1/7:0
ip route 24.235.1.84 255.255.255.252 Serial1/7:0
ip route 24.235.1.92 255.255.255.252 Serial5/5:0
ip route 24.235.1.136 255.255.255.248 Serial6/0/2:0
ip route 24.235.1.160 255.255.255.240 Serial1/5:0
ip route 24.235.1.176 255.255.255.248 Serial1/4:0
ip route 24.235.1.200 255.255.255.248 Serial6/0/1:0
ip route 24.235.2.0 255.255.255.248 Serial6/0/3:0
ip route 24.235.2.60 255.255.255.252 Serial5/3:0
ip route 24.235.2.96 255.255.255.224 Serial1/3:0
ip route 24.235.2.136 255.255.255.248 Serial6/0/6:0
ip route 24.235.2.160 255.255.255.224 Serial1/2:0
ip route 24.235.13.48 255.255.255.248 Serial1/6:0
ip route 24.235.20.128 255.255.255.192 Serial5/2:0
ip route 72.13.33.200 255.255.255.248 Tunnel0
ip route 72.13.33.200 255.255.255.248 Serial3/0 250
ip route 72.13.33.216 255.255.255.248 Tunnel0
ip route 72.13.33.216 255.255.255.248 Serial3/0 250
ip route 88.191.20.225 255.255.255.255 Null0
ip route 140.126.21.155 255.255.255.255 Null0
ip route 202.102.170.171 255.255.255.255 Null0
ip route 207.210.90.114 255.255.255.255 Null0
ip route 211.176.61.119 255.255.255.255 Null0
ip route 212.180.4.137 255.255.255.255 Null0
ip route 216.24.20.48 255.255.255.248 Serial6/0/4:0
ip route 216.24.20.252 255.255.255.252 Serial5/5:0
ip route 216.24.21.16 255.255.255.248 Serial1/2:0
ip route 216.24.22.224 255.255.255.248 Serial6/0/1:0
ip route 216.24.30.1 255.255.255.255 ATM2/0.4
ip route 216.24.59.176 255.255.255.252 Serial5/3:0
ip route 216.248.0.126 255.255.255.255 ATM2/0.4
ip route 218.27.204.99 255.255.255.255 Null0
ip route 219.166.48.132 255.255.255.255 Null0
ip route 221.1.223.106 255.255.255.255 Null0
ip flow-export source Loopback100
ip flow-export version 5 origin-as
ip flow-export destination 216.24.27.2 2055
no ip http server
no ip http secure-server
!
ip as-path access-list 1 permit .*
ip as-path access-list 12 permit _19094_
ip as-path access-list 13 permit _7132_
!
!
ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 23
!
ip access-list standard allow-our-nets
permit 216.24.0.0 0.0.63.255
permit 24.235.0.0 0.0.31.255
ip access-list standard backbone-links
permit 64.211.206.140 0.0.0.3
permit 216.85.215.180 0.0.0.3
permit 66.73.221.252 0.0.0.3
permit 216.248.0.124 0.0.0.3
ip access-list standard deny-our-nets
deny 216.24.0.0 0.0.63.255
deny 24.235.0.0 0.0.31.255
permit any
!
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended PHL-3845-SS7-VPN
permit ip host 24.235.0.25 host 65.119.118.76
ip access-list extended VPNtoKentucky
permit gre host 66.73.221.254 host 216.24.30.1
ip access-list extended backbone-nospoof-in
permit tcp any any established
deny ip 24.235.0.0 0.0.31.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
remark -- Numerous LSASS-exploiting worms (Sasser, Korgo)
deny tcp any any eq 445 syn
remark -- Korgo worm
deny tcp any any eq 3067 syn log-input
remark -- Bagle worm
deny tcp any any eq 2475 syn log-input
deny tcp any any eq 2745 syn log-input
deny tcp any any eq 2766 syn log-input
deny tcp any any eq 8866 syn log-input
deny tcp any any eq 6777 syn log-input
remark -- Allow everything else
permit ip any any
ip access-list extended backbone-nospoof-out
permit tcp any any established
permit ip 216.24.0.0 0.0.63.255 any
permit ip 24.235.0.0 0.0.31.255 any
permit ip 64.211.206.140 0.0.0.3 any
permit ip 66.73.221.252 0.0.0.3 any
permit ip 216.248.0.124 0.0.0.3 any
deny ip any any log-input
ip access-list extended block-non-l2tp-stuff
permit ip host 10.247.101.5 host 10.247.101.6
permit ip host 10.247.101.9 host 10.247.101.10
permit ip host 10.247.104.5 host 10.247.104.6
permit ip host 10.247.105.5 host 10.247.105.6
permit ip host 10.247.106.5 host 10.247.106.6
deny ip any any log-input
permit ip host 10.247.103.5 host 10.247.103.6
ip access-list extended in-block-nb
remark -- Same as out-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-block-smtp-nb
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
deny tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended in-dangerously-allow-all
permit ip any any
ip access-list extended in-permitlog-smtp
remark -- This one is used to see who we need to not apply blocksmtp to.
remark -- It is functionally identical to in-block-nb.
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp syn log-input
permit tcp any any eq smtp
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended log-all
permit ip any any log-input
ip access-list extended out-block-nb
remark -- Same as in-block-nb
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-block-smtp-nb
permit tcp 216.24.27.0 0.0.0.255 eq smtp any
deny tcp any eq smtp any log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended out-dangerously-allow-all
permit ip any any
ip access-list extended out-permitlog-smtp
permit tcp any 216.24.27.0 0.0.0.255 eq smtp
permit tcp any any eq smtp log-input
deny tcp any any range 135 139 log-input
permit udp any eq netbios-ns host 216.24.27.3 eq domain
permit udp any eq netbios-ns host 216.24.27.4 eq domain
permit udp any eq netbios-ns host 199.120.154.17 eq domain
permit udp host 216.24.27.3 eq domain any eq netbios-ns
permit udp host 216.24.27.4 eq domain any eq netbios-ns
permit udp host 199.120.154.17 eq domain any eq netbios-ns
deny udp any any eq netbios-ns
deny udp any any range 135 netbios-ss log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
permit ip any any
ip access-list extended voip-acl
permit ip any any precedence critical tos 12
ip radius source-interface Loopback100
logging trap debugging
logging source-interface Loopback100
logging 216.24.27.219
access-list compiled
access-list 2 permit 216.24.27.0 0.0.0.255
no cdp run
!
route-map att-outbound-prefs permit 30
match as-path 12
set local-preference 110
!
route-map att-outbound-prefs permit 40
match as-path 13
set local-preference 115
!
route-map att-outbound-prefs permit 50
match as-path 1
set local-preference 100
!
route-map ospf-redistrib permit 10
match ip address allow-our-nets
!
route-map ospf-redistrib permit 15
match ip address backbone-links
!
route-map ospf-redistrib deny 20
match interface Null0
!
route-map att-announce permit 10
match ip address allow-our-nets
!
snmp-server community xxxxxxxxxxxxxxxx RO 2
snmp-server community xxxxxxxxxxxxxxxx RW 2
snmp-server trap-source Loopback100
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps casa
snmp-server enable traps gatekeeper
snmp-server enable traps xgcp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps atm subif
snmp-server enable traps channel
snmp-server enable traps hsrp
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server host 216.24.27.2 version 2c win40trap frame-relay casa gatekeeper isdn xgcp atm entity envmon aaa_server bgp ipmulticast msdp rsvp rtr dlsw dsp voice snmp
snmp-server tftp-server-list 2
!
!
radius-server attribute nas-port format c
radius-server host 216.24.27.209 auth-port 1645 acct-port 1646
radius-server host 216.24.27.200 auth-port 1645 acct-port 1646
radius-server host 216.24.27.201 auth-port 1645 acct-port 1646
radius-server host 216.24.27.202 auth-port 1645 acct-port 1646
radius-server host 216.24.27.203 auth-port 1645 acct-port 1646
radius-server host 216.24.27.204 auth-port 1645 acct-port 1646
radius-server host 216.24.27.205 auth-port 1645 acct-port 1646
radius-server host 216.24.27.206 auth-port 1645 acct-port 1646
radius-server host 216.24.27.207 auth-port 1645 acct-port 1646
radius-server host 216.24.27.208 auth-port 1645 acct-port 1646
radius-server retry method reorder
radius-server transaction max-tries 3
radius-server retransmit 0
radius-server timeout 3
radius-server deadtime 2
radius-server key 7 141542115C
radius-server vsa send accounting
radius-server vsa send authentication
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
banner incoming ^C
Connection established.
^C
banner motd ^C
Win.Net Internet
^C
alias exec srr sho int | i ^[A-Z]|^[a-z]|ts/se.+[1-9] pa|ts/se.+[0-9][0-9] pa
alias exec su enable
!
line con 0
exec-timeout 60 0
transport preferred none
stopbits 1
line aux 0
location Test line
access-class 23 in
exec-timeout 60 0
modem InOut
transport preferred none
transport input telnet
stopbits 1
speed 38400
flowcontrol hardware
line vty 0 4
access-class 23 in
exec-timeout 120 0
logging synchronous
transport preferred none
transport input telnet ssh
!
exception core-file gw1.newalb-core
exception protocol ftp
exception dump 216.24.27.2
exception crashinfo file slot0:crashinfo
ntp clock-period 17179801
ntp update-calendar
ntp server 216.24.27.41 prefer
ntp server 216.24.27.2
!
end

gw1.newalb#
 
Yeah, I know, sorry, he implied that it would be necessary to see the entire config to help figure out the problem, so there it is.

 
Man, my head hurts after that ... haha. Anyway, is the PHL-3845-SS7-VPN access-list showing any hits?
 
Okay, so I checked the matches on the access list with "show access-lists PHL-3845-SS7-VPN"

gw1.newalb#show access-lists PHL-3845-SS7-VPN
Extended IP access list PHL-3845-SS7-VPN (Compiled)
10 permit ip host 24.235.0.25 host 65.119.118.76 (521 matches)

Checked a few more times and the match number was not counting up. I then pinged 65.119.118.76 from 24.235.0.25, and checked again.

gw1.newalb#show access-lists PHL-3845-SS7-VPN
Extended IP access list PHL-3845-SS7-VPN (Compiled)
10 permit ip host 24.235.0.25 host 65.119.118.76 (541 matches)

The number of matches increased while I was doing the ping, then stopped increasing when I stopped the ping. So I guess the answer is yes, the access list is getting hits.
 
At this point I am clueless, as it appears the crypto ACL is taking hits and the egress interface has the crypto map attached. Perhaps it's time for some debugs or a TAC case.
 
Thanks for all your help thus far. I'm at least relieved the answer didn't consist of an immediate, "Here's your problem, dope." I haven't been able to figure this one out either, though I have a strong feeling that when I do it will be a slap-my-forehead "Doh!" moment.

If anyone sees something I've obviously gotten wrong in the config or something, please let me know.
 
Assuming the access list matches, I shouldn't have to do anything to route traffic intended for 65.119.118.76 from 24.235.0.25 across the tunnel, should I? I thought it should just get encrypted automatically when it matches the access list.
 
Well, I actually just noticed a problem. You don't have a route for 65.119.118.76 and thus it takes the default route, which is out ATM2/0.4. You need it to actually go out interface FastEthernet0/0, so you need a route to that interface.

 
"Doh!"

I think that fixed it. I added "ip route 65.119.118.76 255.255.255.255 FastEthernet0/0" and the traceroute from 24.235.0.25 now looks like it goes across the internet.

root@ss02:~# traceroute 65.119.118.76
traceroute to 65.119.118.76 (65.119.118.76), 30 hops max, 40 byte packets
1 fa2-0-103.core-gw1.noc.win.net (216.24.23.67) 0.913 ms 1.047 ms 1.202 ms
2 fa0-0.cust-gw1.noc.win.net (216.24.30.68) 2.012 ms 2.166 ms 2.323 ms
3 216-24-2-238.ip.win.net (216.24.2.238) 12.132 ms 12.913 ms 12.907 ms
4 * * *
5 * * *
6 65.119.118.76 (65.119.118.76) 59.249 ms * *

I thought that when the access list matches a crypto map it automatically used the crypto map -- and thus whatever interface the crypto map is attached to.
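To make the diagnosis above and the question just asked concrete, here is an added Python model (not code from the thread, from Cisco, or from IOS) of the order in which IOS decides: the route lookup picks the egress interface, and only the crypto map bound to that interface is then consulted, so a crypto ACL match never steers a packet by itself. The routes, interface bindings and crypto ACL entries are copied from the posted config; the parsers and the protocol matching are simplified assumptions.

```python
import ipaddress

def parse_ip_route(line):
    """Parse 'ip route A.B.C.D MASK IFACE [distance]' -> (network, iface, distance)."""
    parts = line.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not an 'ip route' line: {line!r}")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    distance = int(parts[5]) if len(parts) > 5 else 1
    return (net, parts[4], distance)

def parse_acl_entry(line):
    """Parse 'permit PROTO host A host B', the only form the crypto ACLs here use."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "permit" or parts[2] != "host" or parts[4] != "host":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    return (parts[1], ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[5]))

def lookup_route(routes, dst):
    """Longest-prefix match over (network, iface, distance) tuples; among
    equal-length prefixes the lower administrative distance wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net, _, dist = route
        if dst not in net:
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and dist < best[2])):
            best = route
    return best

def acl_permits(entries, proto, src, dst):
    """True if any entry covers the flow; 'permit ip' covers every IP protocol."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((p == "ip" or p == proto) and s == src and d == dst for p, s, d in entries)

def crypto_decision(routes, bindings, crypto_acls, proto, src, dst):
    """Simplified IOS order of operations: route lookup chooses the egress
    interface, then only the crypto map on that interface is checked.
    Returns (egress_iface, encrypted, reason)."""
    route = lookup_route(routes, dst)
    if route is None:
        return (None, False, "no route: dropped")
    egress = route[1]
    map_name = bindings.get(egress)
    if map_name is None:
        return (egress, False, f"no crypto map on {egress}: sent in the clear")
    if acl_permits(crypto_acls[map_name], proto, src, dst):
        return (egress, True, f"matches crypto ACL of {map_name} on {egress}: encrypted")
    return (egress, False, f"{map_name} on {egress} has no entry for this flow: sent in the clear")

# Constructed subset of the posted routing table: the routes that could cover 65.119.118.76.
BASE_ROUTES = [parse_ip_route(line) for line in (
    "ip route 0.0.0.0 0.0.0.0 ATM2/0.4",
    "ip route 24.235.0.0 255.255.224.0 Null0",
    "ip route 216.24.30.1 255.255.255.255 ATM2/0.4",
)]
# The static route added as the fix.
FIX_ROUTE = parse_ip_route("ip route 65.119.118.76 255.255.255.255 FastEthernet0/0")
# Interface -> crypto map, from the 'crypto map' line under each interface.
BINDINGS = {"ATM2/0.4": "INtoKYvpn", "FastEthernet0/0": "WinnetToSyniverse"}
# Crypto map -> entries of its 'match address' ACL.
CRYPTO_ACLS = {
    "INtoKYvpn": [parse_acl_entry("permit gre host 66.73.221.254 host 216.24.30.1")],
    "WinnetToSyniverse": [parse_acl_entry("permit ip host 24.235.0.25 host 65.119.118.76")],
}

def before_fix(proto="icmp"):
    """The ping from the thread with only the original routes: default route
    wins, egress is ATM2/0.4, whose crypto map only covers GRE to 216.24.30.1."""
    return crypto_decision(BASE_ROUTES, BINDINGS, CRYPTO_ACLS, proto,
                           "24.235.0.25", "65.119.118.76")

def after_fix(proto="icmp"):
    """The same ping once the /32 route toward FastEthernet0/0 is present."""
    return crypto_decision(BASE_ROUTES + [FIX_ROUTE], BINDINGS, CRYPTO_ACLS, proto,
                           "24.235.0.25", "65.119.118.76")

if __name__ == "__main__":
    for label, result in (("before fix", before_fix()), ("after fix", after_fix())):
        egress, encrypted, reason = result
        print(f"{label}: egress={egress} encrypted={encrypted} ({reason})")
```

The model also shows why the other crypto map did not help: the default route did pass through a crypto-mapped interface (ATM2/0.4), but that map's ACL only covers GRE between the two backbone addresses, so the ping left in the clear.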
 