Cisco WAN :: 2851 - VPN Traffic Not Captured By IPSec Access List
Aug 29, 2012
we have two 2851's. One in Australia, one in NZ, IPsec VPN between the two.
We have multiple subnets behind the tunnels. From all the sunbets in Aus we can reach all the subnets in NZ, except for one. From NZ we can reach all the subnets in Aus. The traceroute and pings from the subnet in question in Aus goes out the internet interface of the router instead of going into the tunnel.
The subnets in question are 10.110.220/24 (Aus), 10.110.250/24 (NZ)
The access lists at both ends cover the traffic required but for some reason when leaving Australia the traffic is not captured by:
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
I'm configuring Control Plane Police in a Catalyst 6509. This equipment is using IS-IS like its IGP routing protocol, and iBGP. In order to make CoPP work Im classifying the traffic entering the control plane like CRITICAL, IMPORTANT, NORMAL, UNDESIRABLE and DEFAULT. Obviously routing protocol traffic must be classified like CRITICAL. Doing so is easy to BGP because it runs over TCP/IP and I can configure the following access list to classify BGP:
ip access-list extended CP-CRITICAL-IN remark #### CONTROL PLANE CRITICAL TRAFFIC INBOUND #### remark #### ROUTING TRAFFIC - BGP #### permit tcp host [BGP neighbor addr] eq bgp host [local BGP addr] permit tcp host [BGP neighbor addr] host [local BGP addr] eq bgp deny ip any any
But IS-IS is also a CRITICAL traffic, but IS-IS doesn't run over TCP/IP, rather it exchange its own PDUs. So, how do I classify IS-IS traffic with an access list?
I have been trying to figure out a NAT issue on my 2811 and the inspect engine.I have 'ip inspect FW out' on my outside interface. If I turn it off, I also have to remove the access-list applying to inbound traffic on that same interface. Why is that? This whole thing centered around SIP registrations from devices on my LAN to my provider. The provieder is showing that I am registering from a high end port (1024 or something crazy). He said that it sounds like some type of SIP ALG or something on my router. For the life of me, I can't figure out what would be causing it. I am just using a standard route-map that points to the outside interface using 'overload'.
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did
mac access-list extended BLAH permit #host 0000.XXXX.YYYY any interface range fa 2/5 - 20 mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices.
I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the Tunnels. My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block Port 3389 at all. What am I missing? Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels?
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
I am having a setup with a 2851 router & websense url filtering server where I need to forward the traffic to websense server for all the internet requests. The http traffic is getting filtered properly, but the https traffic is not getting filtered. The two commands I ahev given for http & http are as follows: ip inspect name test http urlfilter ip inspect name test https.
I have an 871 setup at home with a fairly basic configuration (NAT, Firewall, EasyVPN, Wireless). What I've noticed is that for traffic going from the WAN interface (FastEthernet4), it seems to be hitting the ACL in place for NAT. My config: [Code] .......
Where 184.108.40.206 is the dynamic IP address from the cable provider. If the traffic isn't passing through the router, why is it trying to NAT it?
Ive just downloaded wireshark just to mess around and ive noticed that even when ive got nothing open its still capturing packets. It gives me a choice of interfaces i want to choose to monitor and i would of thought it be "Realtek PCIe Family Controller" as this is normally the default one (im using wireless) but its saying no packets are being captured from this interface its the "Microsoft" Interface thats capturing the packets. Ive attached a screenshot, i know this isnt nothing bad but was just wondering 1) why isnt my Realtek PCIe interface capturing anything?
i'm planning to use wireshark in my final year project (packet sniffing in wireless networks)and i alraedy installed it and captured some packets, but i don't know how to analyze those packets.I have basic information about networking from CCNA1. I want to learn how to anaylze the captured packets and what the hexadecimal values i got with each packet represent and how to read them.
In my environment we have 3750x switches running ios 15.0 (1) SE2. We have port security mac address sticky configured on all our switch ports. I noticed that we have several interfaces (on different switches) that are up but have not captured the MAC address from the workstation. Here is one example:
why my VPN setup is not working correctly. The device is an ASA 5505 running IOS version 8.2. It has a license for 2 SSL VPNS, and 25 IPSec VPNs. The previous Admin had set up both but only the SSL VPN apparently works. I attempted to set up my own IPSec VPN using the ASDM wizard, with an IP range of 192.168.40.10-50. I am connecting from a Mac, 10.6. My local network (home) is a standard 192.168.1.0/24; the remote networks are 192.168.2.0 and 192.168.3.0. I tried connecting using the built-in Snow Leopard client, and although it said I was connected I couldn't actually contact anything on the corporate LAN.\
We have a business need that we have to set up a IPsec L2L tunnel (from multiple locations) to a business partner, we require that the connection can only be initiated from our side, not business partner side. I searched the web, one option is configure our side ASA to initate IKE only, this does not seem to meet our requirement, because once IPsec SA is up, IP layer traffic will flow freely in either direction; the other option people suggested is to use VPN filter in tunnel group policy, but the documention of how to use this vpn-filter to enforce one way traffic policy is not crystal clear to me; I actually configured reflexive ACL on core L3 switch before the traffic hits ASA to reflect/evalulate specific traffic to businness partner's LAN network, that worked well. However one of our branch office's core L3 switch is Cat4K which does not support reflexive ACL with the image it is currently running, so I am stuck again .
I have configured the IPsec vpn between Cisco 877 and ISA server which is working fine and ok. But the issue is I have multiple subnet on the TMG "Treat Managmenet Gateway" side and only one subnet on the Cisco 877 side. I can only sending some subnet's traffics from Cisco 877 through the vpn tunnel to the other side which is TMG server and I have recieved teh timeout request for the rest of teh subnets.
However, if I initiated the ping from inside the ISA with different sources , I can reached the Cisco 877 and from then I can be able to send traffic.
So, the tunnel is up and active but it should be initated from ISA server to have a full connectivity.
I have C1841 as EZVPN server and remote C1841 as EZVPN client. Connection between them is providers L3 VPN, so it is not over the internet. IPSec tunnels go up with no problem. Client is NEM. Problem is that traffic won't go via IPSec. No packets are encapsulated. I want all trafiic to go via tunnel, no split tunneling here. On client side Dialer0 is outside interface, since L3 VPN is over ADSL. On server's side I have only one interface connected to corporate network. Peer address is server's loopback address.
After IPSec is up, server gets remote subnets as static routes and redistribute them to OSPF. That part works fine, but remote site's traffic doesn't flow over IPSec to the coorporate LAN. Could be TCP MSS or something like that?
I am trying to pass Traffic thru the IPSEC tunnel but it does not work ([Cisco Router 892] <---> [Cisco ASA 5510] <---> [Cisco Router 892]) The Cisco ASA 5510 doesn't pass traffic UDP=500 & UDP=4500 ports...
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505 Peer A: x.x.x.x Lan A: 192.168.0.0 255.255.255.0 Fortinet FortiGate-50b Peer B: y.y.y.y Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
"show isakmp sa" seems ok (says "State : MM_ACTIVE") "show ipsec sa" seems ok but all #pkts are zero
try ftp, telnet from LAN B to LAN A systems but no one work. "show ipsec sa" all #pkts are zero As soon as I generate traffic from LAN A to LAN B these works (with tunnel already up) also traffic from LAN B to LAN A works.Obviously if I end VPN and start tunnel making traffic from LAN A all work fine bidirectionally, LAN A reach LAN B and LAN B reach LAN A.No msg logged in either two appliance.
Seems a very strange problem because seems not related to Phase1 or Phase2 already established.Traffic (routing ?) start works only after at least one packet goes from LAN A to LAN B.No msg logged in either two appliance.Problems begun in ASA version 8.0(4) ASDM version 6.1(3) and remain/continue after upgrade to ASA Version 8.4(1) ASDM version 6.4(1).
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to acomplish this? I have tried utilizing the crypto map policy to do this, but was unable to acomplish this.
Each of our office locationss utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS An IPSEC site to site tunnel has been built between the two sites on different networks. PIX 515E - MAIN SITE Network 172.16.0.0/24 CISCO 1841 - REMOTE SITE Network 172.16.99.0/24
ISSUE All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network as we can not get a wire shark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network. 2. Have tried various NAT entries. 3. Have removed and then recreated the VPN tunnel from a fresh start. 4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
The tunnel is fully up at all times and as we say can ping in both directions.
I am trying to allow telnet to port 551 but i couldn't get it to work.I am using a cisco 1720 router running on IOS 12.2.I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.hostname R1!interface ethernet0ip access-group 102 in!access-list 102 permit tcp any any eq 551.After i enter the above command the router will disconnect me and i will not be able to connect to it for awhile. Once the router is up i am still unable to telnet to port 551.
All of my remote sites use various routers to route all of their traffic via IPsec. However, I have one WRVS4400N w/firmware 220.127.116.11 configured with a working tunnel. My issue is I need to set the Remote Group to 0.0.0.0 0.0.0.0 so all traffic is forced via IPsec tunnel and not out the local gateway. When I do the error, Remote Security Group and Local Security Group cannot be in the same network. However, it works with Cisco/Linksys RV042.
We have multiple vpn tunnels coming to our cisco asa 5520 , the problem is that when we create another tunnel with the same network as another network on the firewall , it does not know how to route the traffic to which interface or sub interface.
I am trying to set up a LAN-to-LAN VPN tunnel between two sites. One site has a 5505, and the other site has a 5510. It looks like the tunnel is being established fine (both ISAKMP and IPSEC SAs look OK), but traffic doesn't appear to be routing across the internet between the devices. [code]
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.