IPSEC VPN to Frame Relay. ACL or Routing error

10 pts.
Tags:
Firewalls
Forensics
Incident response
Intrusion management
Network security
Networking
VPN
Wireless
Scenario: main site with frame relay connections to several small remote offices using Cisco routers. A larger remote office is connected to the main site with a LAN-to-LAN IPsec VPN through PIX firewalls. I can access anything on the main site from any of the remote offices, no problem. However, I cannot access anything on the remote frame relay sites from the VPN site. I am not sure if it is a routing issue or an ACL issue. If I attempt to access (SSH/Telnet) anything from the frame relay side to the VPN side I get a connection refused error. This leads me more toward the ACL idea. Examining the routing statements, it looks like everything is fine. Any ideas?
ASKED: October 28, 2005  2:04 PM
UPDATED: October 31, 2005  10:10 AM

Answer Wiki


Hi,

This issue is related to ACL/IPsec. You need to check the IPsec configuration on both sides so that it has been enabled to receive as well as send the packets, because in IPsec you have an option of restricting the packets one way.

Discuss This Question: 4  Replies

  • Layer9
    Can you PING the remote site hosts? I would really need to see a little more about this. If I had your PIX configuration it would likewise help, of course, but based upon what you said so far, it sounds like it may be a NAT/PAT issue on the remote side. If the remote sites are using PAT, then expected port numbers would not be available for the return traffic, hence the connection would be dropped. Let us know if you can ping the hosts on the remote site. Chris Weber, Layer9corp.com
    0 points
  • Bouncybrit
    From the main site I can ping hosts on the VPN site. From the main site I can ping hosts on the frame relay site. From the VPN site I can ping hosts on the main site. From the VPN site I cannot ping hosts on the frame relay site, and vice versa. I don't have NAT/PAT configured on the IPsec tunnel (at least I don't think so; I will check further). I have turned the logging all the way up and will dig into that a little deeper. I will also take a look at the ACLs to see if I have screwed up somewhere.
    10 points
  • Bobkberg
    When you do a "show access-list", do you get (xxx Matches) after any of the entries? If so, then reset/clear your statistics, and try your tests to see which (if any) of your ACL entries get hits - either permit or deny. If you can do this testing with little other traffic on the net, then this will help to tell you just how far your packets got before falling off the edge of the Earth. Bob
    1,070 points
  • Bouncybrit
    Thanks everyone for your help. The problem was not the ACLs or the routing; the problem was my own idiocy in defining the IPsec tunnel and what subnets were available on each side. Cheers everyone.
    10 points
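The root cause Bouncybrit reports (the tunnel's interesting-traffic definition did not cover the frame relay subnets, so VPN-to-frame-relay packets were never selected for encryption) can be checked mechanically before touching the PIX. The following is an added example, not code from the thread or from Cisco: it parses PIX-style subnet-to-subnet crypto ACL lines, tests whether a given flow would be sent through the tunnel, and reports entries that lack a mirror on the peer. All addresses and ACL names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (an assumption, not taken from the thread):
# main site 10.1.0.0/16, VPN site 10.2.0.0/16, frame relay offices 10.3.0.0/16.
# PIX-style crypto ACL lines: "access-list NAME permit ip SRC MASK DST MASK".
MAIN_PIX_BEFORE = ["access-list vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0"]
VPN_PIX_BEFORE = ["access-list vpn permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0"]
# Corrected definitions: the frame relay subnet is added as a mirrored pair.
MAIN_PIX_AFTER = MAIN_PIX_BEFORE + [
    "access-list vpn permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0"]
VPN_PIX_AFTER = VPN_PIX_BEFORE + [
    "access-list vpn permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0"]


def parse_crypto_acl(lines):
    """Turn permit-ip ACL lines into (src_network, dst_network) pairs."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue  # only the plain subnet-to-subnet form is handled here
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
        entries.append((src, dst))
    return entries


def is_interesting(acl_lines, src_ip, dst_ip):
    """True if a packet leaving this PIX would be selected for the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in parse_crypto_acl(acl_lines))


def mirror_gaps(local_lines, peer_lines):
    """Local entries with no exact (dst, src) mirror on the peer; such flows
    are offered by one side but have no matching definition on the other."""
    peer = set(parse_crypto_acl(peer_lines))
    return [(src, dst) for src, dst in parse_crypto_acl(local_lines)
            if (dst, src) not in peer]


if __name__ == "__main__":
    # VPN office -> frame relay office is not interesting traffic before the fix.
    print(is_interesting(VPN_PIX_BEFORE, "10.2.0.10", "10.3.1.5"))  # False
    print(is_interesting(VPN_PIX_AFTER, "10.2.0.10", "10.3.1.5"))   # True
    print(mirror_gaps(MAIN_PIX_AFTER, VPN_PIX_AFTER))               # []
```

Run it against the real `show access-list` output of both peers; a flow that is not interesting on the sending side is simply routed in the clear or dropped, which matches the symptoms described above.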