05-11-2018 06:25 AM - edited 03-05-2019 10:26 AM
Hello,
I have two Cisco ISRs that I am trying to set up with a site-to-site VPN. I want the ISR at point A to only push traffic through the VPN to point B if it is destined for certain ports (VoIP, 1935). All other traffic from point A should not use the VPN. At the moment, I believe I have the VPN set up OK (though I'm doing this from watching a YouTube video), but when looking at the show crypto output I am not seeing any packets being encrypted. I did not get the terminal message saying ISAKMP is on when applying the crypto map to the interface, though I may have had terminal turned off.
My second issue is that I am not seeing port 1935 open on the ISR at point A, even though my ACL says to allow port 1935 on both the inbound and outbound interfaces.
Is my problem here to do with my NAT configuration? Or the ACL? I suspect both, but would appreciate some pointers. I'm pretty new to this and have been thrown in at the deep end!
I am currently just testing this by trying to send all traffic through the VPN rather than port-based.
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
!
aaa session-id common
!
!
!
ip domain name rtr.xxx.com
ip dhcp excluded-address 10.0.22.1 10.0.22.60
!
ip dhcp pool internal-lan
import all
network 10.0.22.0 255.255.255.0
default-router 10.0.22.1
dns-server 8.8.8.8
domain-name space-dubai.com
!
!
!
!
license udi pid ISR4451-X/K9 sn FOC21075LLP
license boot level securityk9
!
spanning-tree extend system-id
!
username xxx password 0 xxx
username xxx privilege 15 password 0 xxx
username xxx privilege 15 password 0 xxx
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any inside-outside-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
match protocol http
match protocol https
match access-group name RTMP
class-map type inspect match-any outside-inside-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol http
match protocol https
match protocol dns
match access-group name RTMP
!
policy-map type inspect outside-inside-policy
class type inspect outside-inside-class
inspect
class class-default
drop log
policy-map type inspect inside-outside-policy
class type inspect inside-outside-class
inspect
class class-default
drop log
!
zone security inside
description LAN
zone security outside
description Internet
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-policy
zone-pair security outside-inside source outside destination inside
service-policy type inspect outside-inside-policy
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxx! address 84.x.x.x
!
crypto ipsec transform-set dublon esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map dublon 1 ipsec-isakmp
set peer 84.x.x.x
set transform-set dublon
match address 120
!
!
interface GigabitEthernet0/0/0
ip address 10.0.22.1 255.255.255.0
ip nat inside
zone-member security inside
negotiation auto
interface GigabitEthernet0/1/0
ip address 94.x.x.x 255.255.255.248
ip nat outside
zone-member security outside
negotiation auto
crypto map dublon
!
ip nat inside source list 75 interface GigabitEthernet0/1/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 94.x.x.x
ip scp server enable
!
!
ip access-list extended RTMP
permit udp 10.0.22.0 0.0.0.255 eq 1935 any
permit tcp 10.0.22.0 0.0.0.255 eq 1935 any
!
access-list 75 permit 10.0.22.0 0.0.0.255
access-list 120 permit ip 10.0.22.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password xxxxx
transport input ssh
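An added check, not part of the original post: a small Python linter over the posted NAT and crypto-map lines that flags the classic cause of "no packets encrypted" on IOS, interesting traffic that is also matched by the NAT overload ACL and so gets translated before the crypto map sees it. It assumes numbered ACLs written with `any` or network/wildcard addresses; the remote LAN 192.0.2.0/24 used when checking an exemption is a placeholder, not a value from the post.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed excerpt of the posted config: the lines that decide NAT-vs-crypto order.
CONFIG = """
crypto map dublon 1 ipsec-isakmp
 match address 120
ip nat inside source list 75 interface GigabitEthernet0/1/0 overload
access-list 75 permit 10.0.22.0 0.0.0.255
access-list 120 permit ip 10.0.22.0 0.0.0.255 any
"""
ANY = IPv4Network("0.0.0.0/0")

def parse_addr(t, i):
    """Parse an IOS ACL address at t[i] ('any' or 'network wildcard')."""
    if t[i] == "any":
        return ANY, i + 1
    mask = ~int(IPv4Address(t[i + 1])) & 0xFFFFFFFF      # wildcard -> netmask
    return IPv4Network(f"{t[i]}/{IPv4Address(mask)}", strict=False), i + 2

def parse_acls(config):
    """Numbered ACL -> ordered [(action, src, dst)]; standard ACLs get dst any."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num = int(t[1])
        if num < 100:                                 # standard: source only
            src, dst = parse_addr(t, 3)[0], ANY
        else:                                         # extended: proto src [eq port] dst
            src, i = parse_addr(t, 4)
            i += 2 if t[i] in ("eq", "gt", "lt", "neq") else 0
            dst, _ = parse_addr(t, i)
        acls.setdefault(num, []).append((t[2], src, dst))
    return acls

def nat_before_crypto_findings(config):
    """Crypto-ACL permits whose flows the NAT ACL would translate first: IOS NATs
    inside->outside traffic before evaluating the crypto map, so such a flow leaves
    with the outside address and never matches; a NAT 'deny' matched first exempts it."""
    acls, findings = parse_acls(config), []
    nat_id = int(re.search(r"ip nat inside source list (\d+)", config).group(1))
    crypto_id = int(re.search(r"match address (\d+)", config).group(1))
    for action, src, dst in acls.get(crypto_id, []):
        for nat_action, nat_src, nat_dst in acls.get(nat_id, []):
            if action == "permit" and nat_src.overlaps(src) and nat_dst.overlaps(dst):
                if nat_action == "permit":
                    findings.append(f"{src} -> {dst}: NATed by ACL {nat_id} before crypto ACL {crypto_id}")
                break                                 # first matching NAT entry decides
    return findings
```

An empty result means every crypto-ACL flow is exempted from NAT before the crypto map runs; the posted config produces one finding because ACL 75 permits the same 10.0.22.0/24 source that ACL 120 is supposed to tunnel.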