Cisco IOS Firewall = Headache

SKiTLz

Ok my frustration with the IOS firewall is definitely kicking in. It is I'm sure due to my green nature but still.

In the following config, the tunnel comes up, and users on the 192.168.5.0/24 end can connect to everything they need on the 192.168.0.0/24 end. I cannot however access 192.168.5.0/24 from the 192.168.0.0/24 side.

192.168.0.0/24 - FortiGate 60B
192.168.5.0/24 - Cisco 881

I can see in the logs that traffic is passing from the FortiGate, so the problem is definitely an inbound ACL on the Cisco.

I would like to allow ALL traffic from 192.168.0.0/24 to 192.168.5.0/24. Any ideas? I've been fighting with this for weeks.

BTW: The new Cisco CP (GUI) is an absolute piece.

Code:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname #########
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 ###############
!
no aaa new-model
!
no ip source-route
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool internal-dhcp
   import all
   network 192.168.5.0 255.255.255.0
   dns-server 75.154.132.68 75.154.132.100 4.2.2.2 
   default-router 192.168.5.1
   option 176 ascii "TFTPSRVR=192.168.0.202,MCIPADD=192.168.0.207,MCPORT=1719" 
!
!
ip cef
no ip bootp server
ip domain name #################
ip name-server 75.154.132.68
ip name-server 75.154.132.100
ip name-server 4.2.2.2
!
!
!
!
username admin privilege 15 secret 5 ##############################
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ############ address ########### no-xauth
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime kilobytes 5120000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to Head-Office
 set peer ############
 set transform-set ESP-3DES-SHA 
 match address 100
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 103
class-map type inspect match-any dhcp-self-to-out
 match protocol bootps
 match protocol bootpc
class-map type inspect match-any dhcp-out-to-self
 match protocol bootpc
 match protocol bootps
class-map type inspect match-all ccp-invalid-src
 match access-group 102
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class type inspect dhcp-self-to-out
  pass
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect 
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect CCP-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect dhcp-out-to-self
  pass
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-access
  inspect 
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 permit ahp any any
ip access-list extended SDM_ESP
 permit esp any any
ip access-list extended SDM_HTTPS
 permit tcp host #####WAN IP #1###### any eq 443
 permit tcp host #####WAN IP #2###### any eq 443
ip access-list extended SDM_SHELL
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 permit tcp host #####WAN IP #1###### any eq 22
 permit tcp host #####WAN IP #2###### any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 permit ip host #####WAN IP #1###### any
access-list 104 permit ip host #####WAN IP #2###### any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run

!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login # Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user! #
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
C'mon guys. I've been staring at this for weeks now. Maybe a fresh set of eyes will see it? Could really use some help.
 
The issue is that you are NAT'ing the traffic from the hosts on the 192.168.5.0/24 network via the overload statement prior to the traffic being checked against the crypto map.

Do the following:

Code:
ip access-list ext 101
9 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
end
clear ip nat trans *
clear crypto sa
wri me
 
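To see why that sequence-9 deny matters, here is an added Python model (not from the thread or from Cisco) of the inside-to-outside order the reply describes: the route-map NAT decision against ACL 101 is taken before the crypto map consults ACL 100. The WAN address is a constructed placeholder, since the post masks the real one.

```python
import ipaddress

# Constructed placeholder for the DHCP-assigned address on FastEthernet4 (the post masks real WAN IPs).
WAN_IP = "203.0.113.10"
ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any" expressed as network/wildcard

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(network)) & mask)

def acl_action(acl, src, dst):
    """First-match evaluation in sequence-number order, with the implicit deny at the end."""
    for _seq, action, s_net, s_wc, d_net, d_wc in sorted(acl):
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# Crypto ACL 100 from the posted config: the traffic crypto map SDM_CMAP_1 protects.
CRYPTO_ACL_100 = [(10, "permit", "192.168.5.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")]

# NAT ACL 101 as posted: everything from the LAN is eligible for PAT overload...
NAT_ACL_101_ORIGINAL = [(10, "permit", "192.168.5.0", "0.0.0.255", *ANY)]
# ...and with the reply's sequence-9 deny inserted ahead of it to exempt the VPN subnet pair.
NAT_ACL_101_FIXED = [(9, "deny", "192.168.5.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")] + NAT_ACL_101_ORIGINAL

def egress(src, dst, nat_acl):
    """Inside-to-outside processing as the reply describes it: NAT first, then the crypto map.
    Returns (source address on the wire, whether the packet matched the crypto ACL)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_IP                      # PAT overload rewrites the source to the outside address
    encrypted = acl_action(CRYPTO_ACL_100, src, dst) == "permit"
    return src, encrypted

if __name__ == "__main__":
    for name, acl in (("original", NAT_ACL_101_ORIGINAL), ("fixed", NAT_ACL_101_FIXED)):
        print(name, "to head office:", egress("192.168.5.50", "192.168.0.202", acl))
        print(name, "to internet:   ", egress("192.168.5.50", "198.51.100.7", acl))
```

With the original ACL 101 the source is rewritten before the crypto check, so the packet no longer matches ACL 100; with the deny in place only the VPN subnet pair skips NAT, and ordinary internet-bound traffic is still overloaded.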
Yeah, you need to exempt your local subnets from being nat'd when they go over the site to site VPN.
 