Hello everyone, I usually try not to use this as my personal tech support forum, but since TAC can't get off their butt and provide the solution I thought I'd drop it and see. I have a remote site that connects to our central site via a VPN tunnel. The remote router is a Cisco 1710. We have it set up so remote traffic goes straight to the internet instead of back to us. Because of this we're using inspect and have tried to lock it down. However, we have an application running on all the machines inside that requires an IPSEC tunnel to be built to them. However it doesn't seem to work even though I have natting straight through and open the port with the access list, any suggestions? Attached is the config minus any public IPs etc. The latest thing TAC had me do was remove access list 160 from the E0 interface, and that is reflected in the config below. When the access list was applied, I wasn't getting any hits on the lines in the 160 access list relating to IPSEC. Any suggestions?

Thanks in Advance

version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname bb-mia-rt1
!
logging buffered 12880 debugging
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EST recurring
ip subnet-zero
!
!
ip tcp synwait-time 10
no ip domain-lookup
ip domain-name .com
ip dhcp excluded-address 10.7.2.1 10.7.2.50
ip dhcp excluded-address 10.7.2.150 10.7.2.254
!
ip dhcp pool bb-mia
   network 10.7.2.0 255.255.255.0
   domain-name .com
   dns-server 172.28.1.240
   netbios-name-server 172.28.1.232 172.28.1.234
   netbios-node-type h-node
   default-router 10.7.2.1
   lease 3
!
no ip bootp server
ip inspect name masfw tcp
ip inspect name masfw udp
ip inspect name masfw ftp
ip inspect name masfw realaudio
ip inspect name masfw smtp
ip inspect name masfw streamworks
ip inspect name masfw vdolive
ip inspect name masfw tftp
ip inspect name masfw rcmd
ip inspect name masfw http
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 3
modemcap entry usrmodem:MSC=&FS0=1&C1&D3&H1&R2&B1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key yaright address 12.X.X.30
!
!
crypto ipsec transform-set strong ah-md5-hmac esp-3des
!
crypto map vpn 200 ipsec-isakmp
 set peer 12.X.X.30
 set transform-set strong
 match address 120
!
!
!
!
interface Tunnel0
 description GRE tunnel to the Corporate LAN
 bandwidth 1544
 ip address 10.200.200.66 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no keepalive
 tunnel source 67.X.X.66
 tunnel destination 12.X.X.30
 crypto map vpn
!
interface Ethernet0
 description Ethernet interface to Internet
 ip address 67.X.X.66 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect masfw out
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map vpn
!
interface FastEthernet0
 description Ethernet connection to local LAN
 ip address 10.7.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 speed 10
 half-duplex
!
router eigrp 100
 network 10.0.0.0
 network 172.28.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool bb-mia 67.X.X.67 67.X.X.79 netmask 255.255.255.240
ip nat inside source route-map nonat pool bb-mia
ip classless
ip route 0.0.0.0 0.0.0.0 67.104.169.65
ip route 12.X.X.30 255.255.255.255 67.X.X.65
no ip http server
ip pim bidir-enable
!
!
access-list 10 permit 12.X.X.0 0.0.0.255
access-list 10 permit 172.28.0.0 0.0.255.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 deny any log
access-list 30 permit 172.28.1.0 0.0.0.255
access-list 120 permit gre host 68.X.X.226 host 12.X.X.30
access-list 120 permit gre host 67.X.X.66 host 12.X.X.30
access-list 130 deny ip 10.7.2.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 130 deny ip 10.7.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 10.7.2.0 0.0.0.255 any
access-list 160 deny ip 10.7.2.0 0.0.0.255 any
access-list 160 permit gre host 12.X.X.30 host 67.X.X.66
access-list 160 permit ahp host 12.X.X.30 host 67.X.X.66
access-list 160 permit esp host 12.X.X.30 any
access-list 160 permit udp host 12.X.X.30 eq isakmp any
access-list 160 permit udp any eq isakmp any
access-list 160 permit tcp 12.X.X.0 0.0.0.255 host 67.X.X.66 eq telnet
access-list 160 permit icmp 12.X.X.0 0.0.0.255 any
access-list 160 permit icmp 172.28.0.0 0.0.0.255 any
access-list 160 permit icmp any any echo-reply
access-list 160 permit icmp any 10.7.2.0 0.0.0.255 time-exceeded
access-list 160 permit icmp any 10.7.2.0 0.0.0.255 packet-too-big
access-list 160 permit icmp any 10.7.2.0 0.0.0.255 traceroute
access-list 160 permit icmp any 10.7.2.0 0.0.0.255 unreachable
access-list 160 permit esp any 67.X.X.64 0.0.0.15
access-list 160 permit udp any 67.X.X.64 0.0.0.15 eq isakmp
access-list 160 deny ip any any
!
route-map nonat permit 10
 match ip address 130
end

Robert Fowler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59476&t=59476
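As an added check that is not part of the original post: a small first-match evaluator for the extended-ACL syntax used above, loaded with the IPsec-related entries of ACL 160 so you can see which line an inbound ESP or ISAKMP packet to the NAT pool would hit before ever touching the router. It assumes constructed 0.0 placeholders for the masked X.X octets and does not model ICMP type keywords; if an entry permits the packet here but its hit counter stayed at zero on the box, the packet was not arriving at that interface in that form (protocol, port or address) and the problem is upstream of the ACL.

```python
import ipaddress
_ip = lambda s: int(ipaddress.IPv4Address(s))   # dotted quad -> int
def _parse_addr(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net, wildcard)."""
    t = toks.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(toks.pop(0)), 0
    return _ip(t), _ip(toks.pop(0))

def _parse_port(toks):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if toks[:1] != ["eq"]:
        return None
    p = toks[1]
    del toks[:2]
    return int(p) if p.isdigit() else {"isakmp": 500}[p]   # only keyword in the excerpt

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' (ICMP types not modelled)."""
    toks = line.split()[2:]
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _parse_addr(toks), _parse_port(toks)
    dst, dport = _parse_addr(toks), _parse_port(toks)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def _addr_match(spec, addr):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF          # wildcard bits are don't-care
    return _ip(addr) & mask == net & mask

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match lookup; (None, 'deny') is the implicit deny at the end of every IOS ACL."""
    for i, ace in enumerate(acl):
        if (ace["proto"] in ("ip", proto)
                and _addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return i, ace["action"]
    return None, "deny"

# IPsec-related entries of the posted ACL 160, in order; masked X.X octets replaced by constructed 0.0.
ACL_160 = [parse_ace(l) for l in """
access-list 160 deny ip 10.7.2.0 0.0.0.255 any
access-list 160 permit esp host 12.0.0.30 any
access-list 160 permit udp any eq isakmp any
access-list 160 permit esp any 67.0.0.64 0.0.0.15
access-list 160 permit udp any 67.0.0.64 0.0.0.15 eq isakmp
access-list 160 deny ip any any
""".strip().splitlines()]
```

Running `evaluate(ACL_160, "udp", "198.51.100.7", "67.0.0.70", sport=4500, dport=4500)` falls through to the final deny, because the ACL as posted has no entry for UDP 4500, the port NAT-T-capable IPsec peers switch to when they detect NAT in the path.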