Crypto ipsec securityassociation pmtuaging infinite

crypto ipsec securityassociation pmtuaging

by MitchellG on Jun 8, 2020 at 14:14 UTC

Well what catches my eye are these two traces..

What are you doing here? First of all NONAT you are telling the firewall to drop the choices packets from the choices 10 network. I suppose this is retaining the firewall from running… it is definitely backwards. You need a PERMIT now not DENY. It tells the firewall to not NAT the traffic (sending to net) and allow it over the VPN.

Secondly,teh 2PACL is allowing the FULL CLASS A 24.X.X.X.X to reach the seventy three.X.X.X network.. This seems incorrect. It need to be very specific if something. But I assume this command isn’t right. It lets in ANY company on a 24.X.X.X network to attain and go through your firewall at seventy three.X.X.X It permits way too much.. however actually is not wanted for the choices VPN.

Also this isn’t always wished.. Delete it.. This command is used to NAT and outside deal with into an INSIDE deal with like a webserver… or digicam gadget. I suppose you are the usage of it for the choices VPN.. which wont work.

properly I’m a bit stressed on what desires to be allowed in ACL’s and what does not

so here “get entry to-list 2PACL prolonged permit ip 24.0.zero.0 255.zero.zero.zero 73.zero.0.0 255.0.0.0 log” changed into basically to permit the choices outside interface public IP 24.x.x.x to get to seventy three.x.x.x sure I opened it up to /8 only for comfort

and its sort of complicated due to the fact from what ive seen you want to mark the choices visitors going from web page a to web site b and deny it so it doesn’t get nat-ed

and this “nat (internal,out of doors) supply static GLAN GLAN vacation spot static KLAN KLAN no-proxy-arp direction-lookup” from what I apprehend is wanted as double NAT-ing will prevent it from getting NAT-ed

You do no longer want to allow the encrypted vpn traffic between the two hosts – permitting the choices crypto map on the outdoor will enable this site visitors.so dispose of the acl access ” get entry to-list 2PACL extended allow ip 24.zero.0.0 255.zero.zero.0 seventy three.zero.zero.0 255.zero.0.zero log”Also the choices NONAT ACL isn’t always getting used – this will were used in a pre object nat state of affairs (however as john 3367 stated it’d have wished a permit to fit the choices site visitors)

You item nat statement ” nat (interior,out of doors) source static GLAN GLAN destination static KLAN KLAN no-proxy-arp direction-research” is as you are saying doing the no-nat. It method – while going from interior to outdoor, from GLAN to KLAN, set the supply as GLAN and the dest as KLAN = set it as original (do not change it). I locate the choices cisco manner wierd because it technically says nat to the choices original – i love to think about it as keep as the choices original.

Is KFIREWALL a comparable config? (reversing the subnets and so on) – if now not I suspect it’s miles the KFIREWALL stopping the go back.

Try with that “access-listing 2PACL prolonged allow ip 24.zero.zero.zero 255.0.0.zero seventy three.0.0.zero 255.0.0.0 log” eliminated. replace the far flung give up additionally to in shape.

so right here are my get entry to lists currently and additionally my NAT info

GFIREWALL# display get entry to-listaccess-listing cached ACL log flows: total zero, denied zero (deny-drift-max 4096) alert-c language 300access-listing P2PACL; 2 factors; call hash: 0x2c42e803access-listing P2PACL line 1 prolonged allow ip 192.168.2.zero 255.255.255.0 192.168.10.zero 255.255.255.0 log emergencies c programming language 10 (hitcnt=6) 0x66c3682eaccess-listing P2PACL line 2 extended allow ip 24.X.X.X 255.255.255.252 73.X.X.X 255.255.255.248 log emergencies c language 10 (hitcnt=9) 0x9c2a297aaccess-listing ICMPACL; 1 factors; name hash: 0x631a4e3faccess-list ICMPACL line 1 extended permit icmp any any log informational c program languageperiod three hundred (hitcnt=0) 0x0cee290fGFIREWALL#GFIREWALL#GFIREWALL#GFIREWALL#GFIREWALL#GFIREWALL# display nat deGFIREWALL# display nat detailManual NAT Policies (Section 1)1 (interior) to (out of doors) supply static GLAN GLAN destination static KLAN KLAN no-proxy-arp course-research translate_hits = fifty one, untranslate_hits = fifty one Source – Origin: 192.168.2.0/24, Translated: 192.168.2.0/24 Destination – Origin: 192.168.10.zero/24, Translated: 192.168.10.zero/242 (interior) to (outside) supply dynamic any interface translate_hits = 17819, untranslate_hits = 1513 Source – Origin: zero.0.0.0/zero, Translated: 24.X.X.X/20

I nevertheless cant ping the alternative aspect,,, bizarre things are it seems like while the choices tunnel is negotiating I get hit counts on my get entry to lists however normal pings I do, don’t hit the choices ACL’s

however the 1st Nat declaration does move up in hits after I do ordinary pings

IDK what I’m doing incorrect

right here is jogging config from KFIREWALL (Site B)

dhcpd auto_config outside!dhcpd deal with 192.168.10.2-192.168.10.253 insidedhcpd dns eight.eight.4.4 interface insidedhcpd permit inner!risk-detection simple-threatthreat-detection records get right of entry to-listno chance-detection records tcp-interceptusername admin password Xd4yTLiYyLBfvEdu encrypted privilege 15tunnel-institution 24.X.X.X kind ipsec-l2ltunnel-organization 24.X.X.X ipsec-attributesikev1 pre-shared-key *****!magnificence-map inspection_defaultmatch default-inspection-site visitors!!policy-map kind inspect dns preset_dns_mapparametersmessage-length most patron automessage-period maximum 512policy-map global_policyclass inspection_defaultinspect dns preset_dns_mapinspect ftpinspect h323 h225inspect h323 rasinspect rshinspect rtspinspect esmtpinspect sqlnetinspect skinnyinspect sunrpcinspect xdmcpinspect sipinspect netbiosinspect tftpinspect ip-optionsinspect icmp!service-policy global_policy globalprompt hostname contextno call-domestic reporting anonymousCryptochecksum:0f1724eaa51238bfe6fb0991afc0940c: endKFIREWALL#

WOW ok so I resolved the difficulty essentially…. windows firewall was blocking off ICMP on each facets and I did not problem this command

on each firewalls so it is why I couldn’t ping the firewalls both

To maintain this discussion, please ask a new question.