Ok my frustration with the IOS firewall is definitiley kicking in. It is I'm sure due to my green nature but still.
In the following config, the tunnel comes up, and users on the 192.168.5.0/24 end can connect to everything they need on the 192.168.0.0/24 end. I cannot however access 192.168.5.0/24 from the 192.168.0.0/24 side.
192.168.0.0/24 - FortiGate 60B
192.168.5.0/24 - Cisco 881
I can see in the logs that traffic is passing from the FortiGate, so the problem is definitely an inbound ACL on the Cisco.
I would like to allow ALL traffic from 192.168.0.0/24 to 192.168.5.0/24. Any ideas? I've been fighting with this for weeks.
BTW: The new Cisco CP (GUI) is an absolute piece.
In the following config, the tunnel comes up, and users on the 192.168.5.0/24 end can connect to everything they need on the 192.168.0.0/24 end. I cannot however access 192.168.5.0/24 from the 192.168.0.0/24 side.
192.168.0.0/24 - FortiGate 60B
192.168.5.0/24 - Cisco 881
I can see in the logs that traffic is passing from the FortiGate, so the problem is definitely an inbound ACL on the Cisco.
I would like to allow ALL traffic from 192.168.0.0/24 to 192.168.5.0/24. Any ideas? I've been fighting with this for weeks.
BTW: The new Cisco CP (GUI) is an absolute piece.
Code:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname #########
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 ###############
!
no aaa new-model
!
no ip source-route
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool internal-dhcp
import all
network 192.168.5.0 255.255.255.0
dns-server 75.154.132.68 75.154.132.100 4.2.2.2
default-router 192.168.5.1
option 176 ascii "TFTPSRVR=192.168.0.202,MCIPADD=192.168.0.207,MCPORT=1719"
!
!
ip cef
no ip bootp server
ip domain name #################
ip name-server 75.154.132.68
ip name-server 75.154.132.100
ip name-server 4.2.2.2
!
!
!
!
username admin privilege 15 secret 5 ##############################
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############ address ########### no-xauth
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime kilobytes 5120000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Head-Office
set peer ############
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 103
class-map type inspect match-any dhcp-self-to-out
match protocol bootps
match protocol bootpc
class-map type inspect match-any dhcp-out-to-self
match protocol bootpc
match protocol bootps
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class type inspect dhcp-self-to-out
pass
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect ccp-permit
class type inspect dhcp-out-to-self
pass
class type inspect SDM_VPN_PT
pass
class type inspect sdm-access
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
permit ahp any any
ip access-list extended SDM_ESP
permit esp any any
ip access-list extended SDM_HTTPS
permit tcp host #####WAN IP #1###### any eq 443
permit tcp host #####WAN IP #2###### any eq 443
ip access-list extended SDM_SHELL
permit tcp any any eq cmd
ip access-list extended SDM_SSH
permit tcp host #####WAN IP #1###### any eq 22
permit tcp host #####WAN IP #2###### any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 permit ip host #####WAN IP #1###### any
access-list 104 permit ip host #####WAN IP #2###### any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login # Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user! #
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Last edited: