09-21-2005 08:23 AM - edited 03-09-2019 12:29 PM
I'm going to be setting up a site-to-site between 2 remote offices and my main site.
main site will have a 2821 and the remotes will be 837 and 831.
main site - internal ip is 172.18.1.1, external is 216.3.1.1
remote1 - internal = 172.31.2.33/27; external = 216.1.1.1/30
remote2 - internal = 172.31.2.65/27; external = 216.2.1.1/30
I'm having difficulties coming up with the crypto maps and the access lists that I will need. Will I need more than 1 crypto map (1 per site)? and will each map need a seperate access list?
09-21-2005 08:48 AM
Hi,
Setting up multiple site-to-site links isn't much harder than setting up one.
You will need a crypto map for each link and an ACL to identify interesting traffic.
crypto isakmp key secret-key address 216.1.1.1
crypto isakmp key another-secret-key address 216.2.1.1
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
crypto map to_remote1 10 ipsec-isakmp
set peer 216.1.1.1
set transform-set to_vpn
match address 101
crypto map to_remote2 11 ipsec-isakmp
set peer 216.2.1.1
set transform-set to_vpn
match address 102
HTH
Kind Regards
Cathy
09-21-2005 10:15 AM
Does the "match address 101" and "match address 102" refer to the crypto map sequence number, or the access-list number? edit: I see that you have the seq #s as 10 and 11.
My reference book uses "100" as both the acl number and the c-map seq number, so I'm getting a little confused.
Also, we will not allow split-tunneling, so all traffic between the sites will be "interesting." I'm getting confused on the ACL - since all remote sites are 172.31.2.x, do I need to use just one ACL?
perhaps something like:
Access-list 101 permit ip 172.31.2.0 0.0.0.255 172.18.101.0 0.0.0.255
Access-list 101 permit ip 172.18.101.0 0.0.0.255 172.31.2.0 0.0.0.255
Or, will I need a different ACL for each remote site?
09-21-2005 07:22 PM
Matt
While I am sure that it made it easier to create the example I am sorry that your reference used 100 as both the ACL number and the crypto map sequence number, since it makes it more difficult to see clearly the relationship. The crypto map needs a sequence number which it uses to order the instances within the crypto map (if the map has more than one instance). The crypto sequence number has no other significance and does not NEED to match anything else. Any matching would be a matter of convenience.
I will suggest an approach slightly different from the one suggested by Cathy. She suggested two crypto maps. Since you need to assign the crypto map to the outbound interface and I am not sure that you have more than one outbound interface I will suggest that you create one crypto map with two instances:
crypto map to_remote 10 ipsec-isakmp
set peer 216.1.1.1
set transform-set to_vpn
match address 101
crypto map to_remote 20 ipsec-isakmp
set peer 216.2.1.1
set transform-set to_vpn
match address 102
In this case it should be a bit more obvious that the match address 101 and match address 102 are matching access lists which you will create. In access list 101 you will be permitting traffic with source of your local lan and destination of the remote lan at the first remote site (with an access list mask that will uniquely identify the remote lan). To facilitate site to site traffic you would also need to permit traffic with source of site 2 and destinatin of site 1. In access list 102 you will be permitting traffic with source of your local lan and destination of the remote lan at the second site (wit an access list mask that will uniquely identify the remote lan). To facilitate site to site traffic you would also need to permit traffic with source of site 1 and destination of site 2. (Since both remote LANs are /27 the mask you need in the access list is 0.0.0.15 which will match a /27 subnet and allow you to uniquely identify each remote.)
The crypto maps at the remote site will need only a single instance of their crypto map. Their access list should be the inverse of the corresponding access list at the central site.
HTH
Rick
09-23-2005 01:23 PM
Rick-
Thank you very much for that info. You answered my next question about using a single crypto map for the remotes!
I do have a question about using the 0.0.0.15 in the access list - I'm not very experienced with access lists and am only familiar with 0's and 255's. I did find this info: http://www.networkclue.com/routing/Cisco/access-lists/advanced.php
but I'm not sure I understand why it would be 0.0.0.15.
My remote sites will also be using dhcp, so:
remote 1: router= 172.31.2.33, dhcp pool= 31.2.44-62
remote 2: router= 172.31.2.65, dhcp pool= 31.2.76-94
If the network for remote 1 is 172.31.2.32, wouldn't I need something like 0.0.0.31, or maybe even 0.0.0.63?
Sorry if the question is stupid, but I've always struggled with access lists.
Thanks in advance.
09-23-2005 03:22 PM
Matt
Very good catch on your part !
My answer of 0.0.0.15 was not correct. I am not sure whether I incorrectly remembered the mask you are using or if I just made a mental mistake. the mask of 0.0.0.15 would have been correct if you were using a /28. For a /27 the correct mask for the access list would be 0.0.0.31.
The logic explained in the link you posted is exactly right. You take the subnet mask and invert the 1s and 0s. So your subnet mask of 224 becomes a filter mask of 31.
You may not be very experienced about access lists but this time you very correctly identified my mistake.
Good for you :)
HTH
Rick
09-26-2005 12:19 PM
I've been talking this over with some other people and here is what we were wondering:
Since all traffic is going to be encrypted between the remote sites and the main site - internet and all other traffic will be routed and filtered at the main site - can't we get by with a very simple ACL?
Maybe something like:
access-list 101 permit ip 172.31.2.32 0.0.0.31 any, and then the inverse going back out to the remote site?
Since the vpn router will be sitting between our border router and also getting filtered through a PIX (before touching the rest of the internal network), can we rely on those to provide our protection?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide