Configure IPsec access list for VPN site to site

amralrazzaz
Level 5

Actually, I have destination IP addresses with port numbers, and it needs an ACL to allow the IPsec VPN traffic between the remote location and H.O.

If you can give an example and show how to create this, please.

Configuration on my router, ISR 2911.

Note: my side (remote location) is a router and the HO side is a firewall.

So if they configured all IP addresses and port numbers from their side to allow traffic to my site,

shall I add all these IPs with ports in my router, or just the IP addresses in the ACL?

Please check the attachment with the information.

--------------------------

 

Can you please check the below configuration for the firewall? I have a router at my site (remote site) and the H.O site uses an ASA firewall, and

I need the same configuration but on a router, because what I'm sharing is for a firewall!!

So if I need to make exactly the same config but on a router, how is that done?

Note: is the port only opened from the H.O firewall site, with no need to configure it again on my remote site (router 2911), and just make the ACL??


object network remotesite_LOCAL
subnet 10.245.160.0 255.255.224.0

object network NET-172.16
subnet 172.16.0.0 255.240.0.0

object network NET-192.168
subnet 192.168.0.0 255.255.0.0

object network NET-10
subnet 10.0.0.0 255.0.0.0

object network any-ipv4
subnet 0.0.0.0 0.0.0.0

object network |10.102.44.37
host 10.102.44.37
object network |10.102.40.156
host 10.102.40.156
object network |10.102.40.129
host 10.102.40.129
object network |10.102.44.23
host 10.102.44.23
object network |10.102.36.154
host 10.102.36.154
object network |10.174.168.46
host 10.174.168.46
object network |10.174.168.16
host 10.174.168.16
object network |10.220.189.171
host 10.220.189.171
object network |10.245.35.71
host 10.245.35.71
object network |10.215.12.21
host 10.215.12.21
object network |10.215.12.22
host 10.215.12.22
object network |10.215.12.23
host 10.215.12.23
object network |10.231.229.11
host 10.231.229.11
object network |10.81.157.101
host 10.81.157.101
object network |10.38.0.217
host 10.38.0.217
object network |10.38.0.162
host 10.38.0.162
object network |10.38.0.151
host 10.38.0.151
object network |10.39.0.21
host 10.39.0.21
object network |10.38.1.175
host 10.38.1.175
object network |10.89.31.140
host 10.89.31.140
object network |10.38.1.248
host 10.38.1.248
object network |10.207.224.5
host 10.207.224.5
object network |10.207.96.5
host 10.207.96.5
object network |10.232.199.57
host 10.232.199.57
object network |10.206.160.5
host 10.206.160.5
object network |10.81.28.82
host 10.81.28.82
object network |10.88.39.154
host 10.88.39.154
object network |10.88.39.152
host 10.88.39.152
object network |10.38.1.7
host 10.38.1.7
object network |10.207.111.2
host 10.207.111.2
object network |172.30.105.30
host 172.30.105.30
object network |172.30.108.207
host 172.30.108.207
object network |172.30.39.200
host 172.30.39.200
object network |172.30.197.20
host 172.30.197.20
object network |192.168.235.125
host 192.168.235.125
object network |10.102.0.0
subnet 10.102.0.0 255.255.0.0
----------
object-group network RFC1918-NETS
network-object object NET-10
network-object object NET-192.168
network-object object NET-172.16

object-group network DNS-Servers
network-object object |10.39.0.21
network-object object |10.39.0.11

object-group network SAP-Servers
network-object object |10.102.36.154
network-object object |10.102.40.129
network-object object |10.102.40.156
network-object object |10.102.44.23
network-object object |10.102.44.37
network-object object |10.174.168.16
network-object object |10.174.168.46
network-object object |10.207.111.2
network-object object |10.215.12.21
network-object object |10.220.189.171
network-object object |10.231.229.11
network-object object |10.245.35.71
network-object object |10.38.0.217
network-object object |10.38.1.248
network-object object |10.38.1.7
network-object object |10.81.157.101
network-object object |10.81.28.82
network-object object |10.88.39.152
network-object object |10.88.39.154
network-object object |10.89.31.140
network-object object |172.30.105.30
network-object object |172.30.108.207
network-object object |172.30.197.20
network-object object |172.30.39.200
network-object object |192.168.235.125
network-object object |10.207.224.5
network-object object |10.207.96.5
network-object object |10.215.12.22
network-object object |10.215.12.23
network-object object |10.232.199.57
network-object object |10.38.1.175

object-group network |s2sAclSrcNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
network-object object remotesite_LOCAL
object-group network |s2sAclDestNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
network-object object NET-10
network-object object NET-192.168
network-object object NET-172.16
---------------------------
access-list NGFW_ONBOX_ACL remark rule-id 268435472: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435472: L5 RULE: Allow SAP access

access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 3200 3399 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 8000 8099 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 50000 59900 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 3600 3699 rule-id 268435472

access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Allow DNS Access
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group DNS-Servers eq domain rule-id 268435463
access-list NGFW_ONBOX_ACL advanced permit udp object remotesite_LOCAL ifc outside object-group DNS-Servers eq domain rule-id 268435463

access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Any-Test
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 268435459


access-list |s2sAcl|ffdca9e5-034c-11e9-8ca8-f51c2173f055 extended permit ip object-group |s2sAclSrcNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055 object-group |s2sAclDestNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055

---------------------------------------------------------------------

nat (any,outside) source static remotesite_LOCAL remotesite_LOCAL destination static NET-10 NET-10
nat (any,outside) source static remotesite_LOCAL remotesite_LOCAL destination static NET-172.16 NET-172.16
nat (any,outside) source static remotesite_LOCAL remotesite_LOCAL destination static NET-192.168 NET-192.168
nat (any,outside) source dynamic any-ipv4 interface
access-group NGFW_ONBOX_ACL global

 

amr alrazzaz
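Added example, not part of the post and not Cisco's own code: a small Python script that turns the pasted ASA/FTD objects, object-groups and ACLs into the IOS extended ACLs an ISR 2911 would use. It reads the post as sharing the configuration intended for the remote site, so the translation keeps the same direction. The crypto ACL reproduces the firewall's |s2sAcl| entry and is address-only (permit ip), because both IPsec peers must agree on the protected networks and a crypto ACL that also matches ports on one side will not match the other side's; the port rules in NGFW_ONBOX_ACL become a separate filter ACL, which is where the SAP and DNS port restrictions belong on a router. If the pasted configuration were instead the HO firewall's own, the router's crypto ACL would have to be the mirror image (source and destination swapped), which the mirror=True option produces. The ACL names VPN-TRAFFIC and HO-FILTER are assumed, and the embedded input is a trimmed excerpt of the post's configuration (SAP-Servers reduced to one host, NET-192.168 omitted) so the script runs offline.

```python
"""Translate the ASA/FTD objects, object-groups and ACLs pasted in the post
into IOS extended ACLs.  Added example, not from the post or from Cisco: the
names VPN-TRAFFIC and HO-FILTER are assumed, and ASA_EXCERPT is a trimmed
copy of the posted config (SAP-Servers cut to one host) so it runs offline."""
import ipaddress

ASA_EXCERPT = """
object network remotesite_LOCAL
subnet 10.245.160.0 255.255.224.0
object network NET-172.16
subnet 172.16.0.0 255.240.0.0
object network NET-10
subnet 10.0.0.0 255.0.0.0
object network |10.102.44.37
host 10.102.44.37
object network |10.39.0.21
host 10.39.0.21
object-group network SAP-Servers
network-object object |10.102.44.37
object-group network DNS-Servers
network-object object |10.39.0.21
object-group network |s2sAclSrcNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
network-object object remotesite_LOCAL
object-group network |s2sAclDestNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
network-object object NET-10
network-object object NET-172.16
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 3200 3399 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit udp object remotesite_LOCAL ifc outside object-group DNS-Servers eq domain rule-id 268435463
access-list |s2sAcl|ffdca9e5-034c-11e9-8ca8-f51c2173f055 extended permit ip object-group |s2sAclSrcNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055 object-group |s2sAclDestNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
"""


def parse_asa(text):
    """objects/groups: name -> members; acls: name -> [(proto, src, dst, ports)]."""
    objects, groups, acls, current = {}, {}, {}, None

    def resolve(name):  # flatten a named object or object-group into networks
        if name in objects:
            return objects[name]
        return [n for member in groups[name] for n in resolve(member)]

    def endpoint(tok, i):  # one address specifier; FTD may insert "ifc <name>"
        if tok[i] == "ifc":
            i += 2
        if tok[i] in ("object", "object-group"):
            return resolve(tok[i + 1]), i + 2
        return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # "A MASK"

    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "object" and tok[1] == "network":
            current = objects.setdefault(tok[2], [])
        elif tok[0] == "object-group" and tok[1] == "network":
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "subnet":
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "host":
            current.append(ipaddress.ip_network(f"{tok[1]}/32"))
        elif tok[0] == "network-object" and tok[1] == "object":
            current.append(tok[2])  # stored by name, resolved when an ACL uses it
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")
            proto, ports = tok[i + 1], ""
            src, i = endpoint(tok, i + 2)
            dst, i = endpoint(tok, i)
            if i < len(tok) and tok[i] in ("range", "eq"):  # trailing rule-id ignored
                ports = " ".join(tok[i:i + (3 if tok[i] == "range" else 2)])
            acls.setdefault(tok[1], []).append((proto, src, dst, ports))
    return objects, groups, acls


def ios_addr(net):  # IOS address syntax: "host A" or "network wildcard-mask"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def ios_acl(name, entries, mirror=False):
    """Expand object groups into one ACE per source/destination pair.
    mirror=True swaps the two, which is what the *peer's* crypto ACL must be."""
    lines = [f"ip access-list extended {name}"]
    for proto, src, dst, ports in entries:
        for s in src:
            for d in dst:
                parts = ([proto, ios_addr(d), ports, ios_addr(s)] if mirror
                         else [proto, ios_addr(s), ios_addr(d), ports])
                lines.append(" permit " + " ".join(p for p in parts if p))
    return lines


def build_router_acls(text):
    """Crypto ACL (address-only, from |s2sAcl|) and port filter (from NGFW ACL)."""
    _, _, acls = parse_asa(text)
    crypto = next(n for n in acls if n.startswith("|s2sAcl|"))
    return {"VPN-TRAFFIC": ios_acl("VPN-TRAFFIC", acls[crypto]),
            "HO-FILTER": ios_acl("HO-FILTER", acls["NGFW_ONBOX_ACL"])}


if __name__ == "__main__":
    for acl in build_router_acls(ASA_EXCERPT).values():
        print("\n".join(acl))
```

On the router, VPN-TRAFFIC is what the crypto map references with match address; HO-FILTER is an ordinary interface ACL (ip access-group) and, unlike the global NGFW policy on the firewall, it needs extra permits for whatever non-VPN traffic the site allows, since an IOS ACL ends in an implicit deny. The firewall's identity NAT lines have no place in the ACLs: on IOS the same effect comes from denying the VPN-TRAFFIC flows at the top of the NAT overload ACL so they are not translated before encryption.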