VPN Access-list failing to match

I am trying to set up a VPN between a Cisco 1720 and a Cisco 837 to allow remote sites to come in behind the corporate firewall complex to the DMZ using a generic internet connection. The problem I have been facing is that list 150 does not appear to be working correctly. On the C1720 config I have added some secondary addresses for test purposes, and a host connected to the 837 can establish the VPN between the sites and ping the secondary address but not the primary. When I do a deb ip pack det 150 on the 837 I get no output to the console when trying address 172.xx.17.47. The weird part about it is that any address from 172.xx.206.x through to 172.xx.255.255 will establish the VPN, but any address from 172.xx.0.0 through to 172.xx.205.255 will not, nor can you see it match on list 150.

Here are the current configs that are in place.

C837 Config

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 mykey address xxx.22x.25x.x29
!
!
crypto ipsec transform-set vpn_link esp-3des esp-sha-hmac
!
crypto map vpn_link 10 ipsec-isakmp
 set peer xxx.22x.25x.x29
 set transform-set vpn_link
 match address 150
!
interface Ethernet0
 description ** LAN at Branch **
 ip address 172.xx.207.1 255.255.255.224
 ip helper-address 172.xx.20.1
 ip accounting output-packets
 ip accounting access-violations
 no ip route-cache
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer1
 description ** External Link to Internet **
 ip address negotiated
 ip access-group 100 in
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 ppp authentication chap callin
 crypto map vpn_link
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 remark Security Access Trial Branch List Statements
access-list 100 permit ip host xxx.22x.25x.x29 any log
access-list 100 deny ip any any
access-list 150 remark ** VPN Branch Access List Statements **
access-list 150 permit ip 172.xx.0.0 0.0.255.255 172.xx.0.0 0.0.255.255

C1720 Config

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key mykey address xxx.22x.25x.x56
!
!
crypto ipsec transform-set vpn_link esp-3des esp-sha-hmac
!
crypto map vpnlink 10 ipsec-isakmp
 set peer xxx.22x.25x.x56
 set transform-set vpn_link
 match address 150
!
interface FastEthernet0
 ip address 172.xx.222.13 255.255.255.0 secondary
 ip address 172.xx.17.47 255.255.255.0
 speed auto
 no cdp enable
!
interface Dialer1
 description ** External Link to Internet **
 ip address negotiated
 ip access-group 100 in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 crypto map vpn_link
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 remark Security Access Trial Core List Statements
access-list 100 permit ip host xxx.22x.25x.x56 any log
access-list 100 deny ip any any
access-list 150 remark ** VPN Core Access List Statements **
access-list 150 permit ip 172.xx.0.0 0.0.255.255 172.xx.0.0 0.0.255.255

Has anyone got any suggestions on what the cause of this may be? I have replaced both hardware and also done an IOS upgrade on both devices with the same results.

TIA, Andrew
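As an added example (not part of Andrew's post and not Cisco code), here is a small Python model of how an IOS crypto ACL with wildcard masks decides which traffic is "interesting". It parses the `access-list` lines in the style the post uses (`any`, `host A.B.C.D`, and network/wildcard pairs, with `remark` lines skipped) and evaluates source/destination pairs against list 150. The post masks the second octet as `xx` and the peer addresses, so the sample config below substitutes a constructed value of 16 and RFC 5737 documentation addresses; those values are assumptions, not taken from the post.

```python
"""Cisco wildcard-mask ACL evaluation (added example, not from the original post).

The masked 'xx' octet from the post is replaced by a CONSTRUCTED value of 16,
and the masked peer address by a documentation address, so this runs offline.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.

    Returns ((network, wildcard), tokens_consumed). In a wildcard a 1 bit means
    'don't care', so 'any' is 0.0.0.0/255.255.255.255 and 'host X' is X/0.0.0.0.
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), 1
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), 2
    return (_ip(tokens[0]), _ip(tokens[1])), 2


def parse_acl_line(line):
    """Parse 'access-list N permit|deny ip SRC DST [log]'; remark lines return None."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    if parts[2] == "remark":
        return None
    if parts[2] not in ("permit", "deny") or parts[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    (src_net, src_wild), used = _parse_addr(parts[4:])
    (dst_net, dst_wild), _ = _parse_addr(parts[4 + used:])
    return AclEntry(int(parts[1]), parts[2], src_net, src_wild, dst_net, dst_wild)


def load_acl(config_text, number):
    """Return the ordered entries of access-list <number> found in config_text."""
    entries = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue
        entry = parse_acl_line(line)
        if entry is not None and entry.number == number:
            entries.append(entry)
    return entries


def wildcard_match(addr, net, wild):
    """Cisco wildcard semantics: compare only the bits NOT set in the wildcard."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if wildcard_match(s, e.src_net, e.src_wild) and wildcard_match(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


# Constructed sample: the post's ACLs with 'xx' set to 16 and a documentation peer.
SAMPLE_CONFIG = """\
access-list 100 remark Security Access Trial Branch List Statements
access-list 100 permit ip host 203.0.113.29 any log
access-list 100 deny ip any any
access-list 150 remark ** VPN Branch Access List Statements **
access-list 150 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""


def crypto_acl_report(config_text, src, destinations):
    """Map each destination to the list-150 verdict for traffic from src."""
    acl150 = load_acl(config_text, 150)
    return {dst: evaluate(acl150, src, dst) for dst in destinations}


if __name__ == "__main__":
    branch_host = "172.16.207.5"   # a host on the 837's Ethernet0 /27 (constructed)
    probes = ["172.16.17.47", "172.16.222.13", "172.16.205.255", "172.16.206.1", "10.0.0.1"]
    for dst, verdict in crypto_acl_report(SAMPLE_CONFIG, branch_host, probes).items():
        print(f"{branch_host} -> {dst}: {verdict}")
```

Running it shows every 172.16.x.x destination, including the primary address the post cannot reach, returning `permit`, and only the off-net address hitting the implicit deny. The 0-205 versus 206-255 split described in the post therefore cannot come from the wildcard arithmetic of list 150 itself, which narrows the investigation to whether those packets ever reach the point where the crypto map consults the ACL.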
