Cisco 2811
The VPN Client cannot get out, but PPTP can successfully connect to the outside.
1. So first we check out the policies that both routers use.
Policy Map type inspect A_OUTBOUND_INTERNET
  Class 0_INVALID_CLASS
    Drop log
  Class 1_INTERNET_CLASS
    Inspect
  Class 2_TORRENT_CLASS
    Drop
  Class 4_IPSEC_CLASS
    Pass
  Class 5_ICMP_OUT
    Inspect
  Class class-default
    Pass
Policy Map type inspect A_OUTBOUND_POLICY
  Class 1_INVALID_TRAFFIC
    Drop log
  Class 2_TORRENT_TRAFFIC
    Drop
  Class 3_ICMP_TRAFFIC
    Inspect
  Class 6_VUE_TRAFFIC
    Inspect
  Class 7_GRE_TRAFFIC
    Pass
  Class 8_VPN_TRAFFIC
    Pass
  Class 9_INTERNET_TRAFFIC
    Inspect
  Class class-default
    Pass
Policy Map type inspect B_INBOUND_INTERNET
  Class 7_CISCO_EZVPN
    Pass
  Class 4_IPSEC_CLASS
    Pass
  Class class-default
    Drop log
Policy Map type inspect B_INBOUND_POLICY
  Class 38_VPN_TRAFFIC
    Pass
  Class 37_IPSEC_TRAFFIC
    Pass
  Class 33_ICMP_TRAFFIC
    Pass
  Class 32_WEB_TRAFFIC
    Inspect
  Class class-default
    Drop
2. So let's look at the OUTGOING VPN traffic using the class-map type inspect statements.
Inspect
  Class-map: 7_GRE_TRAFFIC (match-any)
    Match: class-map match-any CLASS_GRE
      291537 packets, 46450924 bytes
      30 second rate 4000 bps
      Match: access-group name ACL_GRE
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name ACL_L2TP
        0 packets, 0 bytes
        30 second rate 0 bps
    Pass
      291537 packets, 46450924 bytes
class-map type inspect match-any 7_GRE_TRAFFIC
 match class-map CLASS_GRE
 match class-map CLASS_ESP (added, but still no go, so maybe the issue is inbound)
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE
 match access-group name ACL_L2TP
class-map type inspect match-any CLASS_ESP
 match access-group name ACL_ESP
ip access-list extended ACL_GRE
 permit gre any any
ip access-list extended ACL_L2TP
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
(1841)
class-map type inspect match-any 4_IPSEC_CLASS
 match class-map CLASS_ESP (missing statement)
 match class-map CLASS_GRE
class-map type inspect match-any CLASS_ESP
 match access-group name ACL_ESP
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE
ip access-list extended ACL_ESP
 permit esp any any
ip access-list extended ACL_GRE
 permit gre any any
3. Now let's view the VPN RETURNING TRAFFIC
Service-policy inspect : B_INBOUND_POLICY
  Class-map: 38_VPN_TRAFFIC (match-all)
    Match: access-group name CISCO_EZVPN_LIST (not necessary?)
    Pass
      0 packets, 0 bytes
  Class-map: 37_IPSEC_TRAFFIC (match-all)
    Match: class-map match-any CLASS_ANY_VPN
      Match: class-map match-any CLASS_AH
        0 packets, 0 bytes
        30 second rate 0 bps
        Match: access-group name ACL_AH
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: class-map match-any CLASS_ESP
        0 packets, 0 bytes
        30 second rate 0 bps
        Match: access-group name ACL_ESP
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: access-group name ACL_L2TP
          0 packets, 0 bytes
          30 second rate 0 bps
    Match: class-map match-all CLASS_L2TP
      Match: access-group name ACL_L2TP
    Match: class-map match-any CLASS_GRE
      Match: access-group name ACL_GRE
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name ACL_L2TP
        0 packets, 0 bytes
        30 second rate 0 bps
    Pass
      15282 packets, 20003124 bytes
class-map type inspect match-any 37_IPSEC_TRAFFIC
 match class-map CLASS_ANY_VPN
 match class-map CLASS_L2TP
 match class-map CLASS_GRE
class-map type inspect match-any CLASS_ANY_VPN
 match class-map CLASS_AH
 match class-map CLASS_ESP
class-map type inspect match-any CLASS_AH
 match access-group name ACL_AH
class-map type inspect match-any CLASS_ESP
 match access-group name ACL_ESP
class-map type inspect match-all CLASS_L2TP
 match access-group name ACL_L2TP
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE
 match access-group name ACL_L2TP
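An added example, not from the post: a small Python parser for the counters in the "show policy-map type inspect zone-pair" output quoted in steps 2 and 3. It attributes each "N packets" line to the Match/action line directly above it and then lists the Pass/Drop classes that never counted a packet, which is the question those two steps are putting to the counters. The sample output is constructed in the same layout with made-up counter values.

```python
import re
# Constructed sample in the layout of the post's "show policy-map type inspect zone-pair" output; counters are made up.
SAMPLE = """\
Service-policy inspect : A_OUTBOUND_POLICY
  Class-map: 7_GRE_TRAFFIC (match-any)
    Match: class-map match-any CLASS_GRE
      291537 packets, 46450924 bytes
      30 second rate 4000 bps
      Match: access-group name ACL_GRE
        0 packets, 0 bytes
    Pass
      291537 packets, 46450924 bytes
  Class-map: 8_VPN_TRAFFIC (match-all)
    Match: access-group name ACL_ESP
      0 packets, 0 bytes
    Pass
      0 packets, 0 bytes
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
ACTION_RE = re.compile(r"^\s*(Inspect|Pass|Drop)(?:\s+log)?\s*$")
PKTS_RE = re.compile(r"^\s*(\d+) packets,")

def parse_zone_pair(text):
    """Map class name -> {action, packets, matches: [[criterion, packets], ...]}.
    A counter line belongs to the Match:/action line directly above it; '30 second rate' lines are skipped."""
    classes, pending, cur = {}, None, {"matches": []}  # cur: bucket for lines before the first Class-map
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m[1], {"action": None, "packets": 0, "matches": []})
            pending = None
        elif m := ACTION_RE.match(line):
            cur["action"], pending = m[1], "action"
        elif m := MATCH_RE.match(line):
            cur["matches"].append([m[1], 0])
            pending = len(cur["matches"]) - 1
        elif (m := PKTS_RE.match(line)) and pending is not None:
            if pending == "action":
                cur["packets"] = int(m[1])
            else:
                cur["matches"][pending][1] = int(m[1])
            pending = None
    return classes

def idle_classes(classes):
    """Pass/Drop classes whose counter never moved: the traffic expected there is either claimed by an
    earlier class or never reaches this zone pair. Inspect classes print per-protocol stats, so they are skipped."""
    return [n for n, c in classes.items() if c["action"] in ("Pass", "Drop") and c["packets"] == 0]
```

Paste the real output of the zone pair in question into SAMPLE (or read it from a file) and compare the idle list for the outbound and inbound zone pairs to see on which side the VPN traffic stops being counted.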
4. Now we reuse the same class-map for the inbound traffic.
policy-map type inspect B_INBOUND_POLICY
 class type inspect 4_IPSEC_CLASS
  pass
 class type inspect 38_VPN_TRAFFIC
  pass
 class type inspect 37_IPSEC_TRAFFIC
  pass
 class type inspect 33_ICMP_TRAFFIC
  pass
 class type inspect 32_WEB_TRAFFIC
  inspect
 class class-default
  drop
Still cannot pass through.