object group network and service for ext. acl for vpn traffic (need help mainly on ACL)

amralrazzaz
Level 5


Dear all,

I'm going to configure a router ISR 2911 with a site-to-site VPN and I need help on the ACL for the information below.

Please check if my ACL below is fine or not? Thanks a lot.


crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 86400
end
---------------------
crypto isakmp key ++++++++ address 193.249.135.134
----------------------------------
crypto ipsec transform-set ESP-TUNNEL esp-aes 256 esp-sha256-hmac
------------------
crypto map S2S-MAP 10 ipsec-isakmp
match address VPN-ACL
set peer 193.249.135.134
set transform-set ESP-TUNNEL
exit

---------------------------

interface g0/1
description Connected-to-wan-isp-interface
crypto map S2S-MAP
ip access-group VPN-ACL in | out   (not sure, don't know if this is needed)
end

-----------------------------------------------
! IOS "object-group network" takes network/mask pairs (or "host"), not /prefix notation
object-group network FC-EGCAI01_H.O
description FC-NW
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0

object-group network EGCAI01_remote
description EGY-LOCAL-NW
192.168.0.0 255.255.240.0

object-group network SAP-Servers
description SAP-SYSTEMS
host 10.22.36.154
host 10.52.40.129
host 10.52.40.156
host 10.22.44.23
host 10.32.44.37
host 10.21.229.11
host 10.24.34.72
host 10.68.0.217
host 10.58.11.24
host 10.38.17.79
host 10.81.157.101
host 10.81.28.82
host 10.88.39.152
host 10.88.39.154
host 10.89.31.140
host 172.37.19.3
host 172.38.18.27
host 172.38.17.20
host 172.38.30.20
host 192.168.25.25
host 10.20.224.50
host 10.27.96.59
host 10.15.12.22
host 10.15.12.23
host 10.22.199.57
host 10.36.1.175
host 10.14.132.60
host 10.20.17.19


object-group network DNS-Servers
description FC-DNS
host 10.39.0.154
host 10.39.0.215

object-group network FC-Domain-Controller
description FC-DC
host 10.210.17.13

object-group network Wipro-DC
description DWP-WIPRO-NW
10.24.0.0 255.255.255.0
10.24.1.0 255.255.255.0
10.24.2.0 255.255.255.0
10.60.165.0 255.255.255.0
10.60.167.0 255.255.255.128

object-group network Other-APPS
description MSTR-HFM-BASWARE-DSP
host 10.14.20.14
host 10.20.12.13 
host 10.18.8.7
host 10.18.8.125
host 10.23.224.5
host 10.167.60.50
host 10.167.61.100
host 10.19.8.42
host 10.19.72.183
host 10.23.199.57
host 172.36.39.200
host 10.39.0.21
host 10.217.112.26
host 10.39.10.70


! The service object-groups referenced below (AD-Services, SCCM-Services,
! FC-DC-SERVICES) must already exist when this ACL is entered, so define
! them before the ACL.
ip access-list extended VPN-ACL
remark Link to the NLAMS02E-Fortigate3951
permit ip object-group EGCAI01_remote object-group FC-EGCAI01_H.O
! The entry above already matches every 10/8, 172.16/12 and 192.168/16
! destination. A crypto ACL is evaluated top-down, so the port-specific
! entries below only ever select traffic to addresses outside those ranges
! (for example the 172.36.x - 172.38.x hosts in SAP-Servers and Other-APPS).
permit tcp object-group EGCAI01_remote object-group DNS-Servers eq 53
permit udp object-group EGCAI01_remote object-group DNS-Servers eq 53
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3200 3399
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 8000 8099
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 50000 59900
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3600 3699
permit object-group AD-Services object-group EGCAI01_remote object-group Wipro-DC
permit object-group SCCM-Services object-group EGCAI01_remote object-group Wipro-DC
permit tcp object-group EGCAI01_remote object-group FC-EGCAI01_H.O eq 389
! "ldap" is not an IOS protocol keyword; TCP 389 is already permitted on the line above.
permit object-group FC-DC-SERVICES object-group EGCAI01_remote object-group FC-Domain-Controller
permit ip object-group EGCAI01_remote object-group Other-APPS


object-group service AD-Services
description wipro-AD
tcp 25
tcp-udp 53
udp 67
udp 68
udp 88
udp 123
tcp 135
udp 137
udp 138
udp 139
tcp 389
udp 389
tcp 445
udp 445
tcp 464
udp 464
tcp 636
tcp 3268
tcp 3269
tcp 5722
tcp 9389
tcp-udp range 49152 65535

object-group service SCCM-Services
description wipro-SCCM
tcp 135
udp 137
udp 138
tcp 1433
udp 1779
tcp 2701
tcp 3268
tcp-udp 445
tcp 5080
tcp 5443
tcp 80
tcp 8530


object-group service FC-DC-SERVICES
description FC-DC-SERVICES
tcp range 1024 65535
udp 123
tcp-udp 135
udp 137
udp 138
tcp 139
tcp 1688
tcp 3268
tcp 3269
tcp-udp 389
tcp-udp 42
tcp-udp 445
tcp-udp 464
udp range 49152 65535
tcp-udp 53
tcp 53248
tcp 5722
tcp 57344
tcp-udp 636
tcp 647
udp 67
tcp-udp 88
tcp 44
tcp 80
tcp 9389

amr alrazzaz
15 Replies

Deepak Kumar
VIP Alumni

Hi,

We don't need the ACL under the interface in your case.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

Do you mean this:

interface g0/1
description Connected-to-wan-isp-interface
crypto map S2S-MAP
ip access-group VPN-ACL in | out   (not sure, don't know if this is needed)   should this be removed?
end

And what about the rest of the ACL and the configuration in general? Is there anything that needs to be added, or is it fine and should I go and paste it on the router directly?

Thanks

amr alrazzaz

Hi,

Yes, it should be removed.

The other configuration looks fine, but make sure that Phase 1, Phase 2, the ACL and the pre-shared key match at both ends. Matching the ACL does not mean that you copy the same ACL; the interesting traffic at both ends must match.

Regards,
Deepak Kumar,

Many thanks for your help.

Please, if you don't mind, here are the parameters for the site-to-site VPN which I received from HO, so I can configure the same on my router.

Note: HO is using a FW and I'm using a router 2911 ISR.

IKE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AES256
Authentication algorithm SHA256
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

 

Did I miss anything to add from the above parameters?

 

 

amr alrazzaz

Hi,

If you received the mentioned information, then it is completely wrong. Your HQ is configured with IKEv2 and you are using IKEv1. It will not work.

Check the mentioned URL for IKEv2:

https://www.omnisecu.com/ccna-security/how-to-configure-site-to-site-ikev2-ipsec-vpn-using-pre-shared-key-authentication.php

Regards,
Deepak Kumar,

Oops!!

So please, can you help me to configure it correctly, if you don't mind :) Many thanks, sir.

amr alrazzaz

So all I need is to follow the steps you shared to configure IKEv2? And the ACL, I'll keep it the same with no changes?

Am I correct, sir?

amr alrazzaz

Yes, you are correct.
Regards,
Deepak Kumar,

Sorry for asking again.

Can you please check, based on my parameters, if I am correct with this config?

LOCAL#configure terminal
LOCAL(config)#crypto ikev2 keyring KR-1
LOCAL(config-ikev2-keyring)#peer SITE2
LOCAL(config-ikev2-keyring-peer)#address x.x.x.x
LOCAL(config-ikev2-keyring-peer)#pre-shared-key ++++++++++++++++++++++++
LOCAL(config-ikev2-keyring-peer)#exit
LOCAL(config-ikev2-keyring)#exit
LOCAL(config)#exit
-----------------
LOCAL#configure terminal
LOCAL(config)#crypto ikev2 proposal PROP-SITE2
LOCAL(config-ikev2-proposal)#encryption aes-cbc-256
LOCAL(config-ikev2-proposal)#integrity sha256
LOCAL(config-ikev2-proposal)#group 14
LOCAL(config-ikev2-proposal)#exit
LOCAL(config)#exit
LOCAL#exit
-------------------------------
LOCAL#configure terminal
LOCAL(config)#crypto ikev2 policy POL-SITE2
LOCAL(config-ikev2-policy)#proposal PROP-SITE2
LOCAL(config-ikev2-policy)#exit
LOCAL(config)#exit

-----------------
LOCAL#configure terminal
LOCAL(config)#crypto ipsec transform-set SITE2-TS esp-aes 256 esp-sha256-hmac
LOCAL(cfg-crypto-trans)#exit
LOCAL(config)#exit
---------------------
LOCAL#configure terminal
LOCAL(config)#crypto ikev2 profile SITE2-PROFILE
LOCAL(config-ikev2-profile)#match identity remote address X.X.X.X
LOCAL(config-ikev2-profile)#authentication local pre-share
LOCAL(config-ikev2-profile)#authentication remote pre-share
LOCAL(config-ikev2-profile)#keyring local KR-1
LOCAL(config-ikev2-profile)#lifetime 86400
LOCAL(config-ikev2-profile)#exit
LOCAL(config)#exit
LOCAL#
-------------------------------
LOCAL#configure terminal
LOCAL(config)#crypto map CMAP-SITE2 10 ipsec-isakmp
LOCAL(config-crypto-map)#set peer X.X.X.X
LOCAL(config-crypto-map)#set pfs group5
LOCAL(config-crypto-map)#set security-association lifetime seconds 28800
LOCAL(config-crypto-map)#set transform-set SITE2-TS
LOCAL(config-crypto-map)#set ikev2-profile SITE2-PROFILE
LOCAL(config-crypto-map)#match address VPN-ACL
LOCAL(config-crypto-map)#exit
LOCAL(config)#exit
--------------------------
LOCAL#configure terminal
LOCAL(config)#interface gi0/0
LOCAL(config-if)#crypto map CMAP-SITE2
LOCAL(config-if)#exit
LOCAL(config)#exit
LOCAL#

 

amr alrazzaz

Hi,
Seems like it will work for you.
Regards,
Deepak Kumar,

Hi Deepak,

I just need to ask you about the below:

CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 profile NLAMS02E-PROFILE
CISCO2911-EGCAI01(config-ikev2-profile)#match identity remote address X.x.x.x   (specify mask??) Shall I add the mask of the peer IP, which is 255.255.255.255, or is there no need?
CISCO2911-EGCAI01(config-ikev2-profile)#authentication local pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#authentication remote pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#keyring local KR-1
CISCO2911-EGCAI01(config-ikev2-profile)#lifetime 86400
CISCO2911-EGCAI01(config-ikev2-profile)#exit
CISCO2911-EGCAI01(config)#exit

Shall I add this also, or is there no need? ( CISCO2911-EGCAI01(config-ikev2-profile)#match address local X.X.X.X )

Also here:

CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 policy POL-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-policy)#proposal PROP-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-policy)#exit

Shall I add this also, or is there no need? ( CISCO2911-EGCAI01(config-ikev2-policy)#match address local X.X.X.X )

amr alrazzaz

Hi,

CISCO2911-EGCAI01(config-ikev2-profile)#match identity remote address X.x.x.x (specify mask??) Shall I add the mask of the peer IP, which is 255.255.255.255, or is there no need?

It will be: CISCO2911-EGCAI01(config-ikev2-profile)#match identity remote address X.x.x.x 255.255.255.255

Shall I add this also, or is there no need? ( CISCO2911-EGCAI01(config-ikev2-profile)#match address local X.X.X.X )

No need.

Shall I add this also, or is there no need? ( CISCO2911-EGCAI01(config-ikev2-policy)#match address local X.X.X.X )

No need.

Regards,
Deepak Kumar,

Hello Eng. Deepak,

I need to know about the ACL below (this is for the firewall of one of our locations). I need to know how to type it on my router 2911 ISR:

Actually I have inter-VLANs, but the main network ID is 192.168.0.0/20, so shall I add them one by one with a permit for each, or is it enough to give access to the whole network ID as I did?

I have 5 VLANs configured and the network ID is 192.168.0.0/24, so my question is: shall I add each subnet one by one in the ACL with the different types of ports, or is it enough to mention the network ID only, as I did, so that all subnets within this ID will be allowed to pass traffic to the Head Office?

access-list NGFW_ONBOX_ACL remark rule-id 268435465: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435465: L5 RULE: Client-INTERWAN
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq www rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq https rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq smtp rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq 465 rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq domain rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq www rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq https rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq smtp rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq 465 rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq domain rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq domain rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 eq ntp rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq domain rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 eq ntp rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit icmp ifc it-client-ap object any-ipv4 ifc outside object any-ipv4 rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL advanced permit icmp ifc it-client-lan object any-ipv4 ifc outside object any-ipv4 rule-id 268435465 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: Guest-INTERWAN
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq smtp rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq 465 rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq www rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq https rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq domain rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq domain rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc it-guest object any-ipv4 ifc outside object any-ipv4 eq ntp rule-id 268435466 event-log both

amr alrazzaz

Hi Amr,

Yes, you do not need the ACL under the interface, as Deepak mentioned. Your interface configuration should be as follows:

interface g0/1
description Connected-to-wan-isp-interface
crypto map S2S-MAP
end

The interesting traffic to be processed through the IPsec tunnel is defined in VPN-ACL, which is referenced by crypto map S2S-MAP; as a result, you do not need to configure an additional ACL under the interface. Note that you will need to configure a mirror-image ACL on the remote peer.

HTH,

Meheretab

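An added example, not part of the thread or of anyone's posted config: a small Python checker for the two points that come up above, namely that a crypto ACL is evaluated top-down (so the port-specific entries after the first `permit ip` line only matter for destinations that line does not already cover) and that the remote peer needs the mirror image of the ACL. It parses IOS-style network object-groups and an extended ACL into address sets, reports which entries are dead, and renders the mirrored ACL. The embedded config is a constructed, trimmed copy of the object-groups and VPN-ACL from the original post (masks in dotted form); the parser handles only `object-group`, `host` and `any` operands with numeric ports, which is all the posted ACL uses.

```python
"""Expand an IOS extended ACL that uses network object-groups, find entries
shadowed by earlier ones, and render the mirror-image ACL for the far end.
Added example for this thread; SAMPLE_CONFIG is a constructed, trimmed copy
of the object-groups and VPN-ACL posted above, not a live device config."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
object-group network EGCAI01_remote
 description EGY-LOCAL-NW
 192.168.0.0 255.255.240.0
object-group network FC-EGCAI01_H.O
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
object-group network DNS-Servers
 host 10.39.0.154
 host 10.39.0.215
object-group network SAP-Servers
 host 10.22.36.154
 host 172.37.19.3
ip access-list extended VPN-ACL
 permit ip object-group EGCAI01_remote object-group FC-EGCAI01_H.O
 permit udp object-group EGCAI01_remote object-group DNS-Servers eq 53
 permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3200 3399
"""


@dataclass
class Ace:
    proto: str
    src: str                          # operand text as written, reused when mirroring
    dst: str
    src_nets: List[ipaddress.IPv4Network]
    dst_nets: List[ipaddress.IPv4Network]
    ports: Optional[Tuple[int, int]]  # (lo, hi) on the destination, None = any port


def _operand(tok, i, groups):
    """Consume one src/dst operand starting at tok[i]: object-group, host or any."""
    if tok[i] == "object-group":
        return f"object-group {tok[i + 1]}", list(groups[tok[i + 1]]), i + 2
    if tok[i] == "host":
        return f"host {tok[i + 1]}", [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "any":
        return "any", [ipaddress.ip_network("0.0.0.0/0")], i + 1
    raise ValueError(f"unsupported operand: {' '.join(tok[i:])}")


def _parse_ace(tok, groups):
    src, src_nets, i = _operand(tok, 2, groups)
    dst, dst_nets, i = _operand(tok, i, groups)
    ports = None                      # numeric ports only ("eq domain" is not handled)
    if i < len(tok) and tok[i] == "eq":
        ports = (int(tok[i + 1]), int(tok[i + 1]))
    elif i < len(tok) and tok[i] == "range":
        ports = (int(tok[i + 1]), int(tok[i + 2]))
    return Ace(tok[1], src, dst, src_nets, dst_nets, ports)


def parse_config(text):
    """Return ({group name: [networks]}, [Ace, ...]) from IOS-style config text."""
    groups, aces, current, in_acl = {}, [], None, False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":          # only network groups are expanded
            current = tok[2] if tok[1] == "network" else None
            in_acl = False
            if current:
                groups[current] = []
        elif tok[:2] == ["ip", "access-list"]:
            current, in_acl = None, True
        elif current is not None and tok[0] != "description":
            net = tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"
            groups[current].append(ipaddress.ip_network(net))
        elif in_acl and tok[0] == "permit":
            aces.append(_parse_ace(tok, groups))
    return groups, aces


def _covers(earlier, later, dst):
    """True if `earlier` already matches every flow of `later` headed for `dst`."""
    proto_ok = earlier.proto in ("ip", later.proto)
    ports_ok = earlier.ports is None or (
        later.ports is not None
        and earlier.ports[0] <= later.ports[0] <= later.ports[1] <= earlier.ports[1])
    src_ok = all(any(s.subnet_of(b) for b in earlier.src_nets) for s in later.src_nets)
    return proto_ok and ports_ok and src_ok and any(dst.subnet_of(b) for b in earlier.dst_nets)


def unshadowed_destinations(aces, j):
    """Destinations of aces[j] that no earlier entry matches.  A crypto ACL is
    evaluated top-down, so aces[j] only ever builds an SA for what is returned here."""
    later = aces[j]
    return [d for d in later.dst_nets if not any(_covers(e, later, d) for e in aces[:j])]


def fully_shadowed(aces):
    """Indexes of entries that can never be the first match and are therefore dead."""
    return [j for j in range(1, len(aces)) if not unshadowed_destinations(aces, j)]


def mirror_image(aces, name="VPN-ACL"):
    """Render the mirror-image ACL the remote peer needs: src and dst swapped, and a
    port qualifier that sat on the destination now follows the new source operand."""
    lines = [f"ip access-list extended {name}"]
    for a in aces:
        port = ""
        if a.ports:
            lo, hi = a.ports
            port = f" eq {lo}" if lo == hi else f" range {lo} {hi}"
        lines.append(f" permit {a.proto} {a.dst}{port} {a.src}")
    return lines


if __name__ == "__main__":
    _, acl = parse_config(SAMPLE_CONFIG)
    for j in range(1, len(acl)):
        left = unshadowed_destinations(acl, j)
        print(f"entry {j}: " + ("DEAD (fully shadowed)" if not left
                                else "live only for " + ", ".join(map(str, left))))
    print("\n".join(mirror_image(acl)))
```

On the sample, the DNS entry is reported dead because the first `permit ip` line already matches 192.168.0.0/20 to 10.0.0.0/8, while the SAP entry stays live only for 172.37.19.3, which sits outside 172.16.0.0/12. The mirrored output is what the far end's interesting-traffic ACL has to look like; the same address sets with source and destination swapped, with any port operator moved to follow the new source.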