
access list mis-match for vpn setup

(OP)
Hi guys,

I have setup 2 remote sites to ipsec site-to-site vpn back to the UK central hub.

Remote site 1 - PIX515E 10.32.0.0/24
Remote site 2 - C1801/k9 10.32.4.0/24
UK            - Cisco ASA5510 10.20.0.0/16 - 10.25.0.0/16 and 10.250.0.0/16

Both work fine but now I need to set up a VPN between the 2 remote sites. The VPN is showing as up but I don't know where to add access-lists to let the traffic know which tunnel to go out of or straight onto the internet. With regards to the 1800 series I thought I need to add an access-group to FE0, which is the connection to the internet, and create a new ACL?

config for 1801 is attached.

Changes on Cisco 1801 I've made:

1. Created new crypto policy sequence number

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp key xxxx address 213.42.89.2

2. Created new transform set

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

3. Created new crypto map

crypto map Dubtower 2 ipsec-isakmp
 description Tunnel to Dafza site
 set peer 213.42.89.2
 set transform-set ESP-AES128-SHA
 match address 150

4. Denied it from NAT

ip access-list extended 140
100 deny ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255

5. Created new ACL for new crypto map

access-list 150 remark Dafza Office to Arenco Tower
access-list 150 remark IPSec Rule
access-list 150 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255

6. From here do I create a new ACL for traffic to know which VPN tunnel to go down? i.e.

access-list 160 remark IPSec Rule
access-list 160 remark Interesting VPN Traffic
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
access-list 160 permit udp host 212.140.247.20 any eq non500-isakmp
access-list 160 permit udp host 212.140.247.20 any eq isakmp
access-list 160 permit esp host 212.140.247.20 any
access-list 160 permit ahp host 212.140.247.20 any
access-list 160 remark IPSec Rule
access-list 160 permit ip 10.32.2.0 0.0.0.255 10.32.4.0 0.0.0.255
access-list 160 permit udp host 213.42.89.2 any eq non500-isakmp
access-list 160 permit udp host 213.42.89.2 any eq isakmp
access-list 160 permit esp host 213.42.89.2  any
access-list 160 permit ahp host 213.42.89.2  any

Then add access-group to FE0? To permit ACL 160 or use an existing ACL?

Can anyone assist? I'm totally stuck. I applied the above but it didn't work and stopped internet access, so I removed the ACL from the interface to start again.

I've also attached the config for PIX end which used to use just the implicit outbound any any rule.
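The steps above involve three lists that do three different jobs on an IOS router: each crypto map entry's `match address` ACL decides which peer (if any) claims a flow, the NAT ACL decides whether the source gets translated before the crypto map is consulted, and an interface access-group filters what arrives on FE0. The model below is an added illustration written for this thread, not Cisco code and not the OP's configuration: it evaluates Cisco wildcard masks, walks crypto map entries in sequence order to pick the tunnel, and reports every flow a crypto ACL would encrypt that the NAT ACL would still translate, which is the kind of mismatch this thread is about. Assumptions: 212.140.247.20 is treated as the UK hub (it sits beside the UK subnets in the OP's ACL 160), the UK entry's crypto ACL and the remaining lines of ACL 140 are constructed from the subnets the OP listed, and ACL semantics are simplified (first match wins, implicit deny, no port or ICMP-type matching).

```python
"""Model of an IOS router's outbound decisions for the OP's set-up: which
crypto map entry (and so which peer) claims a flow, and whether NAT would
translate the flow before encryption.  Added illustration, not Cisco code."""
import ipaddress

# Peer addresses as they appear in the OP's ACLs.  Treating 212.140.247.20 as
# the UK hub is an assumption (it sits beside the UK subnets in ACL 160).
DAFZA_PEER = "213.42.89.2"
UK_PEER = "212.140.247.20"


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def _take_addr(tokens):
    """Consume one address specifier: 'any', 'host X', or 'network wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse numbered ('access-list N ...') or named ('NN permit ...') entries
    into (action, protocol, (src, wildcard), (dst, wildcard)) tuples."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]          # drop 'access-list 150'
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]          # drop a sequence number
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, _ports = _take_addr(rest)   # trailing 'eq isakmp' etc. ignored
        entries.append((action, proto, src, dst))
    return entries


def acl_action(entries, proto, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, p, (sn, sw), (dn, dw) in entries:
        if p in ("ip", proto) and wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def select_tunnel(crypto_map, src, dst):
    """Crypto map entries are tried in sequence order; the first whose crypto
    ACL permits the flow supplies the peer.  None means no tunnel (plain Internet)."""
    for _seq, peer, acl in crypto_map:
        if acl_action(acl, "ip", src, dst) == "permit":
            return peer
    return None


def _probe_host(network, wildcard):
    """A representative host inside a wildcard range (network address + 1)."""
    return str(ipaddress.IPv4Address(_ip(network) + 1))


def nat_exemption_gaps(crypto_map, nat_acl):
    """Flows a crypto ACL would encrypt but the NAT ACL still permits (translates).
    IOS translates inside-to-outside before the crypto map is consulted, so a
    translated source no longer matches the crypto ACL and the packet leaves
    unencrypted: every crypto 'permit' needs a matching NAT 'deny'."""
    gaps = []
    for _seq, peer, acl in crypto_map:
        for action, _proto, (sn, sw), (dn, dw) in acl:
            probe = (_probe_host(sn, sw), _probe_host(dn, dw))
            if action == "permit" and acl_action(nat_acl, "ip", *probe) == "permit":
                gaps.append((peer, f"{sn} {sw} -> {dn} {dw}"))
    return gaps


# Crypto ACL 150 exactly as the OP wrote it (Dafza tunnel, crypto map seq 2).
DAFZA_CRYPTO_ACL = parse_acl("""
access-list 150 remark Dafza Office to Arenco Tower
access-list 150 remark IPSec Rule
access-list 150 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255
""")

# The UK entry's crypto ACL is not shown in the thread; constructed here from
# the hub ranges the OP listed (10.20.0.0/16, 10.25.0.0/16, 10.250.0.0/16).
UK_CRYPTO_ACL = parse_acl("""
permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255
permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255
permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255
""")

CRYPTO_MAP = [(1, UK_PEER, UK_CRYPTO_ACL), (2, DAFZA_PEER, DAFZA_CRYPTO_ACL)]

# NAT ACL 140: the OP's deny line plus constructed denies for the UK ranges and
# the catch-all permit that lets ordinary Internet traffic be translated.
NAT_ACL = parse_acl("""
deny ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255
deny ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255
deny ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255
100 deny ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255
permit ip 10.32.4.0 0.0.0.255 any
""")

if __name__ == "__main__":
    for dst in ("10.32.0.20", "10.20.1.5", "8.8.8.8"):
        print(dst, "->", select_tunnel(CRYPTO_MAP, "10.32.4.10", dst))
    print("NAT exemption gaps:", nat_exemption_gaps(CRYPTO_MAP, NAT_ACL))
```

Running it classifies a flow to 10.32.0.0/24 as belonging to the Dafza peer, a flow to the hub ranges as belonging to the UK peer, and Internet traffic as no tunnel, and reports an empty gap list; deleting one of the `deny` lines from `NAT_ACL` makes the corresponding subnet pair appear in the gap list. The `isakmp`, `non500-isakmp`, `esp` and `ahp` permits from the OP's ACL 160 are not modelled because they describe what the router must accept inbound on FE0 from each peer, which is the job of an interface access-group rather than of a crypto ACL; a crypto ACL should only name the private-to-private flows that are to be encrypted.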

RE: access list mis-match for vpn setup

Why not look into DMVPN, where all the spokes can talk to each other?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

RE: access list mis-match for vpn setup

(OP)
Hi,

Thanks for the reply.

Unfortunately we have to make do with the resources that we have and it's a live issue.

We are soon to be changing ISP with a view to having an MPLS network, but it may not happen, and we've got people waiting to move into the office but need the VPN between sites in order to access the file shares there.

Regards,

RE: access list mis-match for vpn setup

You would add all the other traffic to the same crypto acl (just one), so all to 150.

Also, what does the default route or any static routes look like?

Myself, I prefer GRE tunnels protected with IPSEC, and forcing the encrypted traffic through the tunnel with static routes.


RE: access list mis-match for vpn setup

(OP)
As far as I'm aware the IPsec is IPSec/GRE as well.

So in my config I'd have both crypto maps using the same ACL and have FE0 using it?

Then just have an ACL for NAT exemption?

Thanks

RE: access list mis-match for vpn setup

Yup.


RE: access list mis-match for vpn setup

(OP)
Thanks for that. My next question is do I need to specify both the remote site's end point addresses in the ACL?

I changed both crypto maps to use ACL 130 and added the internal subnets in:

Extended IP access list 130
    10 permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255 (1681 matches)
    20 permit ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255 (75226 matches)
    30 permit ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255 (1099961 matches)
    40 permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255 (41333 matches)
    50 permit ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255 (6572 matches)
    60 permit ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
    70 permit ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
    80 permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255 (114 matches)
    90 permit ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
    100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255 (97921 matches)
    110 permit icmp any any echo-reply
    120 permit icmp any any time-exceeded
    130 permit icmp any any unreachable (1 match)
    140 deny ip any any log

Not worked, so I'm assuming I need to do more to the ACL but not sure what? I was thinking something like this:

permit udp host 212.140.247.20 any eq non500-isakmp
permit udp host 212.140.247.20 any eq isakmp
permit esp host 212.140.247.20 any
permit ahp host 212.140.247.20 any
permit ip 10.32.0.0 0.0.0.255 10.32.4.0 0.0.0.255
permit udp host 213.42.89.2 any eq non500-isakmp
permit udp host 213.42.89.2 any eq isakmp
permit esp host 213.42.89.2 any
permit ahp host 213.42.89.2 any

Any help is gratefully received.

RE: access list mis-match for vpn setup

Let's see the config for both the PIX and the router, at least the router. I want to see something in front of me. I am very tired and can look tomorrow. Can you post a scrubbed config?

BTW, DMVPN is very doable in your situation---have you looked into it? Both the remote sites would talk to each other by way of NHRP (Next Hop Resolution Protocol), getting bounced off the hub. Think of it as frame relay, but it's all just VPN tunnels.


RE: access list mis-match for vpn setup

(OP)
Sorry, thought I'd attached them already.

Can you try this URL:

http://www.mediafire.com/2020mobile

In terms of DMVPN, I only read an article on it after you suggested it, and as my knowledge is limited I wanted not to go off track yet.

When I have more time I would look into it more as it does sound good.

Thanks again for all the help.
