Access-list needed for vpn

Hi,
If we have a LAN-to-LAN VPN between two Cisco firewalls and allowed the service as IP (IPsec tunnel), do we need individual access-list entries in the security policy? (I had a similar case where I had to put an entry in the security policy for port 16000 between the two subnets used on the LAN-to-LAN firewalls.)
I was under the impression the security policy applies only to non-VPN traffic and that for VPN traffic we need to specify it on the IPsec tunnel (under the Service tab).
Thanks

There are two ways you can filter traffic which is moving over a VPN.
1) Filter at source; of course ACLs are required.
  For example, the crypto ACL allows Site A 10.0.0.0/24 to Site B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume we want to deny port 80.
  The ACL would be:
  access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
  access-list XXX extended permit ip any any
  access-group XXX in interface inside
So this will deny port 80 and permit the rest of the traffic.
2) You can configure a VPN filter, which is called under the group policy.
Thanks
Ajay
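Option 2 is only named above, so here is an added ASA configuration example (not from Ajay's post) that enforces the same port-80 restriction with a vpn-filter; the ACL name L2L_FILTER, the group-policy name L2L_POLICY and the peer address 203.0.113.2 are assumed.

```cisco
! Added example (not from the original post): the same port-80 restriction
! as option 1, enforced by a vpn-filter bound to the L2L tunnel's group
! policy. Names L2L_FILTER / L2L_POLICY and peer 203.0.113.2 are assumed.
!
! Caveat: a vpn-filter ACL is written with the REMOTE network (Site B,
! 20.0.0.0/24) as source and the LOCAL network (Site A, 10.0.0.0/24) as
! destination. The ASA checks decrypted inbound packets against it as
! written and outbound packets with source and destination swapped, so one
! list covers both directions. To stop local clients from reaching remote
! web servers, the port therefore goes on the remote (source) side.
access-list L2L_FILTER extended deny tcp 20.0.0.0 255.255.255.0 eq 80 10.0.0.0 255.255.255.0
access-list L2L_FILTER extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! Bind the filter to a group policy and make that policy the default for
! the L2L tunnel-group of the peer.
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value L2L_FILTER
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L_POLICY
!
! Unlike an interface ACL, the vpn-filter still applies to tunnel traffic
! when "sysopt connection permit-vpn" (enabled by default) lets decrypted
! traffic bypass the interface ACLs. Hit counts can be checked with:
! show access-list L2L_FILTER
```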

Similar Messages

  • Different "access-list outside_cryptomap" for every VPN?

    Hi,
    Just for my understanding.
I have one VPN connected to my Cisco ASA 5520; when I tried to add another VPN I had to create a 2nd crypto map. Can I not create a group so there is one crypto map?
    Currently I have:
    access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
    I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
    But wondered if I could use some thing like:
    access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks
    When I do this though I guess it will cause a problem with the peer address?

Is there a certain order I need to add the config into the CLI as well?
    I have this to add:
    access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
    crypto map outside_map 1 match address outside_MYcryptomap_1
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 1.2.3.4
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 86400
    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 general-attributes
    default-group-policy CBSO-L2L
    tunnel-group 1.2.3.4 ipsec-attributes
    pre-shared-key abcdefgh

  • Help needed for VPN IPSEC configuration.

    Hi There,
I'm trying to set up an IPsec VPN connection in my GNS3 lab and all the show commands and debugs do not seem to give me any clues as to what is wrong or missing... can someone please help me troubleshoot my VPN config? Below is the config of router 1.
    R1#sh run
    crypto isakmp policy 1
    authentication pre-share
    group 2
    crypto isakmp key 6 cisco123 address 200.20.1.1
    crypto ipsec transform-set CISCO_SET esp-des esp-sha-hmac
    crypto map VPN_map 10 ipsec-isakmp
    ! Incomplete
    set peer 200.20.1.1
    set security-association lifetime seconds 190
    set transform-set CISCO_SET
    match address INT_TRAFFIC
    interface Loopback1
    ip address 172.16.1.1 255.255.255.255
    interface Loopback2
    ip address 172.16.1.2 255.255.255.255
    interface FastEthernet0/0
    ip address 200.11.1.1 255.255.255.252
    ip ospf 1 area 0
    duplex auto
    speed auto
    crypto map VPN_map
    router ospf 1
    log-adjacency-changes
    network 172.16.0.0 0.0.255.255 area 0
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    network 200.11.1.0 mask 255.255.255.252
    neighbor 200.11.1.2 remote-as 65030
    no auto-summary
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip access-list extended INT_TRAFFFIC
    permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
    end
    R1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    IPv6 Crypto ISAKMP SA
    R1#show crypto ipsec sa
    nill.......
    R1#sh debugging
    Cryptographic Subsystem:
      Crypto ISAKMP debugging is on
      Crypto Engine debugging is on
      Crypto IPSEC debugging is on
    settlement:
      memory tracing is on
    R1#sh ip route
    Gateway of last resort is not set
         200.20.1.0/30 is subnetted, 1 subnets
    B       200.20.1.0 [20/0] via 200.11.1.2, 01:28:21
         200.11.1.0/30 is subnetted, 1 subnets
    C       200.11.1.0 is directly connected, FastEthernet0/0
         172.16.0.0/32 is subnetted, 2 subnets
    C       172.16.1.1 is directly connected, Loopback1
    C       172.16.1.2 is directly connected, Loopback2
    R1#ping 200.20.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.20.1.1, timeout is 2 seconds:
    Cheers,
    Fabio

    Thanks guys for getting back to me.
I found one problem!!!! The ACL spelling. It's been fixed....
    crypto map VPN_map 10 ipsec-isakmp
    ! Incomplete
    set peer 200.20.1.1
    set security-association lifetime seconds 190
    set transform-set CISCO_SET
    match address INT_TRAFFIC
ip access-list extended INT_TRAFFFIC
    permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
Now when I do "sh crypto ipsec sa", sure enough I can see the VPN output:
    interface: FastEthernet0/0
        Crypto map tag: VPN_map, local addr 200.20.1.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
       current_peer 200.11.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 200.20.1.1, remote crypto endpt.: 200.11.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    sh isa    
    and
    R1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    200.20.1.1      200.11.1.1      QM_IDLE           1001    0 ACTIVE
    IPv6 Crypto ISAKMP SA
    and for the last
    R1#ping 192.168.1.1 source 172.16.1.1 repeat 10
    Type escape sequence to abort.
    Sending 10, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.1
    Success rate is 100 percent (10/10), round-trip min/avg/max = 36/62/80 ms
Hey Brian, I put that OSPF in for troubleshooting purposes, but I confess it was very silly....
Thanks guys, all fixed, and it's so good every now and then to brush up your Cisco skills... don't you reckon??
    Cheers,
    Fabio

  • Grocery List Needed for WLAN Guest NAC

Hello - what I want to do is put a solution in place that will control any guest wireless that is out of bounds. What I mean by that is, for locations that have a DSL line alongside the corporate network, to have it controlled through a NAC Guest Server.
    Scope of the enterprise is:
    * 2k8 domain.
* Cisco 1200 and 1240 APs
    * 1 cisco NAC guest server
    * 1 acs
    * sites are all connected via MPLS
What else do I need? Of course I am trying to be mindful regarding budgetary numbers.
From reading the configuration guide for the Clean Access Server I assume I need the Clean Access Manager NAC appliance as well, to have this all tie together?
Please advise on any other things, tips or tricks. :)
Thank you kindly in advance.

    NAC Out-Of-Band (OOB) Wireless Configuration Example
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • AutoSuggest List Needed for  Department Id?

    Hi,
    I am using Jdev 11.1.1.4
I have dropped DepartmentVO onto the form and added <af:autoSuggestBehavior> for Department Id.
    My Use Case:
    User can enter either Department Id / Name in the Department Id InputTextBox( <af:autoSuggestBehavior> )
For this I need to display the related Department Ids in the AutoSuggest list.
    How to achieve this?

    Hi,
    This might help
    <http://www.gebs.ro/blog/oracle/oracle-adf-form-autocomplete-using-autosuggest-behavior-search-view-add-edit/>
    Regards,
    santosh

  • Advice needed for VPN connections

OK, to first describe what I'm looking at. We have a bookmobile that goes to 13 different locations within our county. At each stop we are using the service provider's DSL modem to connect to their network (we have two different providers and staff change the modem at each stop) and a Cisco 831 router to make a VPN connection to our PIX. We are using the router to make the VPN connection so that we can have two staff computers use internal network resources, i.e. library database, network drives, e-mail. We tried using the Cisco VPN client on the local machines, but when we have two clients going on two machines at the same time neither would work. So we let the router make that connection.
    We are going to have two bookmobiles operating and I need to purchase another router to make the connection and I am wondering which router would be a better solution for us.
    So for me the question is
1) Should I keep things as they are, buy an 871 and have staff change modems as needed?
2) Should I get an 877 or 878 router and make configuration changes daily as needed? Staff have not been able to do this in the past. I've enough to do without this!
3) Up for any suggestions. Maybe SDM with a pretty GUI for staff to use? It seems Cisco's CLI was too much for them.
    Thanks to all for any help
    Systems A

    No Nat-traversal is enabled.
When we tried multiple VPN connections it was through a DSL modem/router. This is why we went to a Cisco 831 router and have it make the secure connection to our PIX.
Thanks for your help

  • Regex list need for speed

    Hi,
I'm facing the problem of classifying a continuous stream of long strings using a list of regexes; if a regex matches, the system assigns a class to the string. All the regexes (>200) have to be evaluated, hence many classes could be assigned to the string.
Obviously speed is a crucial requirement.
Any suggestions? Are regexes the best choice?
    Thanks
    n.

To demonstrate what prometheuzz was talking about, here's a much more efficient version of your regex:
    "\\bhttps?+://[-a-zA-Z0-9]++\\.abcdefg\\.com" +   // domain
    "(?>:[0-9]++)?+" +                             // optional port
    "(?>/[-a-zA-Z0-9+&@#/%=~_|!:,.;]*+)?+" +       // optional path
    "(?>\\?[-a-zA-Z0-9+&@#/%=~_|!:,.;]*+)?+"       // optional parameters
All the quantifiers are now possessive, most of the groups are gone, and those that remain are not just non-capturing, they're atomic, for even greater efficiency.
If you need to test several regexes against the same string, you can cycle through them efficiently with Matcher's usePattern() method:
    for (Pattern p : patternList) {
      if (matcher.usePattern(p).matches()) {
        // bingo!
      }
    }
You can even apply the regexes within a larger string (or preferably a CharBuffer, if you're reading the text from a stream) by using the lookingAt() method instead of matches(). That's a bit more involved; I'll elaborate if you're interested.

  • My Windows phone 8.1 can't seem to find any certificates, needed for VPN

    Hello,
    I set up an IKEv2 VPN at home so I could use it on my desktop as well as on my Windows phone.
    Now, I have two options which are supported by the VPN: 1) I can use username/password, but then I have to install the root certificate. 2) Use the client certificate.
Now I've tried both but neither seems to work. When I use username/password I get error 13801, which apparently means that it can't find the root certificate. When I try to set up the VPN using the client certificate, I can't set it up because when I want to
    choose a certificate, it says there aren't any.
I have installed both (several times by now) using the PFX and P12 formats. I've tried regenerating them. None of this helps.
    My phone won't accept any crt or pem files so that's not gonna work either.
    I've tried restarting the phone, that didn't help either.
    Any suggestions?
    Thanks!

    Okay, I didn't get it to work with user/password authentication, but I did manage to use a client certificate.
    What I had to do was regenerate the certificate with Extended Key Usage: ClientAuth.
Now, I'm facing a new issue because the server isn't accepting me for some reason, which apparently has something to do with authentication or encryption. I haven't figured that out yet, so I'll have a look at the server software instead.
    But if anyone knows what kind of thing Windows phone could be asking for that Windows desktop doesn't, that could be useful.

  • Shipping Papers (BOL, Packing List) needed for 3rd Party Sales Order

The process followed is as follows:
Plant "A" enters sales orders for a customer.
Sales orders generate the material requirement on Plant "A".
The material requirement gets turned into a purchase order on an external vendor.
The vendor provides the shipment information and a goods receipt is done on Plant "A".
Once the goods receipt is entered, it closes the sales order and the customer invoice prints.
The goods receipt, however, does NOT produce inventory; it basically passes through directly to the sales order.
Now in case of an export order, I need to find a way to configure it so that export documentation can be triggered in the form of an output type; in short, a delivery needs to be created.

    Hi Kaustubh
    The answer lies in how the sales order is closed and invoice is printed when the GR is done.
Please check if it is possible to update the invoice with the information you want printed on the export doc and packing slip. If this can be achieved then you can print the information out of the invoice without using the delivery.
    Hope this helps.
    Thanks

  • Cleaning up Access Lists

    Here is an access list I want to know if I can "clean up" :
    access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
    access-list outside_access_in extended permit object RDP any any
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in_1 extended permit object RDP any object FileServer
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
    access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
    access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
    access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
    access-list outside_access_in_1 extended permit icmp any object DattoDevice
    access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
    access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
    What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

    Hi,
To my understanding, the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are 2 totally different ACLs.
I would imagine that only one of them is attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
show run access-group
You could add the same lines from the old ACL to the new ACL with the "_1" at the end, but you probably won't need all the statements (if any). The first line of the ACL you seem to have in the new one already.
The second ACL line might be in the new ACL. I am not sure, as it contains "object" configurations which hold the IP addresses that I can't see.
Same goes for the third line of the ACL. It contains an "object" configuration, though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts, but with this information I can not say what's the case.
The last (fourth) line of the ACL seems to be an RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore, as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical, I imagine that also only one of these is in actual use at the moment.
    You can check what is in use with the command
    show run crypto map
    Hope this helps :)
    - Jouni

  • With Timed Access List on, Guest users cannot access Guest network.

I have an ABS with version 7.5. In the Timed Access window I have the default set to "no access". Then, all the computers that are allowed access to the main network are on the list. Then I have the main network hidden. My guest network is broadcasting, but when a user tries to connect to it, they get an "Unable to connect". If I change the default access in Timed Access to "Everyday", users are then able to connect to the Guest network again.
Obviously, this is a bug. I don't want people accessing the main network that aren't on the timed access list. However, I still want guest users to access the Guest Network.
It looks to me like the Timed Access window is controlling the restriction of the Guest and Main networks, when it should only be controlling the Main one.
Hopefully Apple has noted this issue and it will be fixed in the new update. If other people are experiencing this problem, please let me know.
    -Ghost

Apple just updated the AirPort to 7.5.1. But there is still a problem with the guest network not allowing access. If "Unlimited" is set to "No Access" in the access list, it prevents anybody from accessing the guest network. It should only deny your Main wireless network.
In other words, the Access List is controlling the access for both wireless networks (Guest and Main network).
Either Apple needs to create two Access Lists, one for the Main network and one for the Guest network, or just have the option to choose which network you want to restrict, leaving the second one open for all.
    -Ghost

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list, which is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc.?) it is hard to help.
So just a guess:
The "ip nat inside source route-map" statements are processed in lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order, your traffic will end up in the wrong translation, which you should see with "show ip nat translation".
    HTH, Karsten

  • Access list issues

    Hello,
There has been an access list in place where I work since well before I arrived, and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do: block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of PCs.
The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the PCs to go to our server and get the latest patches, but as a part of the baselining process, all machines have a policy pushed to them that maps a share drive. This is where the problem is: with the existing ACL, they can ping and see the share drive but they cannot access it. I've tried changing the permit ip statement to permit tcp, but that just hoses the PC up and they get a "general failure" when trying to ping the share drive.
    Here is access list:
    ip access-list extended Quarantine_IN_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
permit udp any any eq domain
    permit tcp any eq 3389 any
    permit ip any host x.x.x.x (baseline server)
    permit ip any host x.x.x.x (share drive)
    permit ip any host x.x.x.x (domain controller)
    permit ip any host x.x.x.x (domain controller)
    ip access-list extended Quarantine_Out_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
permit udp any any eq domain
    permit tcp any any eq 3389
    permit ip host (baseline server) any
    permit ip host (share drive) any
    permit ip host (domain controller) any
    permit ip host (domain controller) any
As I said, I tried changing the permit ip host (baseline server) any and ip any host (baseline server) to permit tcp statements. That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements. That also didn't work.
    Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
    Thanks,
    Kiley

    Paul,
    When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
    int vlan 500
    description BASELINE VLAN
ip address x.x.x.x x.x.x.x
    ip access-group Quarantine_IN_L1 in
    ip access-group Quarantine_Out_L1 out
    ip helper-address x.x.x.x
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    Thanks,
    Kiley

  • Need help for access list problem

    Cisco 2901 ISR
I need help with my configuration.... Although it is working fine, it is not secure because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Can anybody help?
DENY: 10.25.0.1 – 10.25.0.255
      10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet: 10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
    ( Current configuration  )
    object-group network IP
    description Block_IP
    range 10.25.0.2 10.25.0.255
    range 10.25.1.2 10.25.1.255
    interface GigabitEthernet0/0
    ip address 192.168.2.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 256
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description ### ADSL WAN Interface ###
    no ip address
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    interface Dialer1
    description ### ADSL WAN Dialer ###
    ip address negotiated
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
    ip nat inside source list 101 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.25.0.0 255.255.0.0 192.168.2.1
    access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    access-list 105 deny   ip object-group IP any
    From the 4500 Catalyst switch
    ( Current Configuration )
    interface GigabitEthernet0/48
    no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
    ip route 0.0.0.0 0.0.0.0 192.168.2.3

    Hello,
Hosts can't get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to:
ip access-list extended 101
 5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG Server.

  • Internet access via hairpinning for Spoke to Hub IPSec VPN

    I have a hub and spoke configuration with a number of site-to-site IPsec VPNs from 857's terminating on an 1811 at the hub. Also in the mix is a client-to-site (EZVPN) which also terminates at the hub.
    I need to ensure all traffic destined for the internet goes out through the hub 1811. I've looked at trying to use a form of hairpinning so that "interesting traffic" from remote sites gets NATted at the hub router to the internet.
    I have seen a number of configurations (in these forums) where internet-directed traffic from EZVPN clients is forced via a hairpin out via the hub router. I am trying to emulate that feature with the site-to-site IPSec VPNs - where internet directed traffic from spokes must go through the hub router, and not be permitted to go directly to the internet from the spoke routers.
    Attached are configs for the hub router and one of the spoke routers, and a pdf diagram.
I can get traffic to the internet (in my test lab) from the loopback connector (1.1.1.1) by extended-command pings, and I have connectivity from the spoke1 LAN to the hub LAN (pings again), but not from the spoke1 LAN to the internet via the hub router.
    Thanks in advance for any help
    Phil

    Thanks, guys. Yes, those two access lists did need some attention.
    I've changed the access list on the spoke router from
    access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
    to
    access-list 120 permit ip 192.168.8.0 0.0.0.255 any
    which allows traffic from the spoke lan out to the internet via the hub router. I've also taken NAT off the spoke router.
    But I also need to change the matching access list on the hub router. I changed the old access list from
    access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
    to
    access-list 121 permit ip any 192.168.8.0 0.0.0.255
    but I couldn't pass any traffic over the VPN. If I remove access-list 121 completely, then traffic does pass, but the crypto map on the hub router becomes "incomplete".
    When the tunnel is up, and passing traffic, I can ping an internet address (in my lab), but not all traffic is getting through. Every second ping times out, often there are 3 or 4 pings that time out.
    Any suggestions as to what to do with the access list (121) on the hub router, and what can I do to get more reliable results (i.e. get every ping to work)?
    TIA
    Phil
