object group network and service for ext. acl for vpn traffic (need help mainly on ACL)

amralrazzaz
Level 5


Dear all,

I'm going to configure an ISR 2911 router with a site-to-site VPN and I need help with the ACL for the information below.

Please check whether my ACL below is fine or not. Thanks a lot.


crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha256
group 14
lifetime 86400
end
---------------------
crypto isakmp key ++++++++ address 193.249.135.134
----------------------------------
crypto ipsec transform-set ESP-TUNNEL esp-aes 256 esp-sha256-hmac
------------------
crypto map S2S-MAP 10 ipsec-isakmp
match address VPN-ACL
set peer 193.249.135.134
set transform-set ESP-TUNNEL
exit

---------------------------

interface g0/1
description connected-to-wan-isp-interface
crypto map S2S-MAP
ip access-group VPN-ACL in | out (not sure; don't know if needed)
end

-----------------------------------------------
object-group network FC-EGCAI01_H.O
description FC-NW
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0

object-group network EGCAI01_remote
description EGY-LOCAL-NW
192.168.0.0 255.255.240.0

object-group network SAP-Servers
description SAP-SYSTEMS
host 10.22.36.154
host 10.52.40.129
host 10.52.40.156
host 10.22.44.23
host 10.32.44.37
host 10.21.229.11
host 10.24.34.72
host 10.68.0.217
host 10.58.11.24
host 10.38.17.79
host 10.81.157.101
host 10.81.28.82
host 10.88.39.152
host 10.88.39.154
host 10.89.31.140
host 172.37.19.3
host 172.38.18.27
host 172.38.17.20
host 172.38.30.20
host 192.168.25.25
host 10.20.224.50
host 10.27.96.59
host 10.15.12.22
host 10.15.12.23
host 10.22.199.57
host 10.36.1.175
host 10.14.132.60
host 10.20.17.19


object-group network DNS-Servers
description FC-DNS
host 10.39.0.154
host 10.39.0.215

object-group network FC-Domain-Controller
description FC-DC
host 10.210.17.13

object-group network Wipro-DC
description DWP-WIPRO-NW
10.24.0.0 255.255.255.0
10.24.1.0 255.255.255.0
10.24.2.0 255.255.255.0
10.60.165.0 255.255.255.0
10.60.167.0 255.255.255.128

object-group network Other-APPS
description MSTR-HFM-BASWARE-DSP
host 10.14.20.14
host 10.20.12.13 
host 10.18.8.7
host 10.18.8.125
host 10.23.224.5
host 10.167.60.50
host 10.167.61.100
host 10.19.8.42
host 10.19.72.183
host 10.23.199.57
host 172.36.39.200
host 10.39.0.21
host 10.217.112.26
host 10.39.10.70


ip access-list extended VPN-ACL
remark Link to the NLAMS02E-Fortigate3951
permit ip object-group EGCAI01_remote object-group FC-EGCAI01_H.O
permit tcp object-group EGCAI01_remote object-group DNS-Servers eq 53
permit udp object-group EGCAI01_remote object-group DNS-Servers eq 53
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3200 3399
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 8000 8099
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 50000 59900
permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3600 3699
permit object-group AD-Services object-group EGCAI01_remote object-group Wipro-DC
permit object-group SCCM-Services object-group EGCAI01_remote object-group Wipro-DC
permit tcp object-group EGCAI01_remote object-group FC-EGCAI01_H.O eq 389
permit udp object-group EGCAI01_remote object-group FC-EGCAI01_H.O eq 389
permit object-group FC-DC-SERVICES object-group EGCAI01_remote object-group FC-Domain-Controller
permit ip object-group EGCAI01_remote object-group Other-APPS


object-group service AD-Services
description wipro-AD
tcp eq 25
tcp-udp eq 53
udp eq 67
udp eq 68
udp eq 88
udp eq 123
tcp eq 135
udp eq 137
udp eq 138
udp eq 139
tcp eq 389
udp eq 389
tcp eq 445
udp eq 445
tcp eq 464
udp eq 464
tcp eq 636
tcp eq 3268
tcp eq 3269
tcp eq 5722
tcp eq 9389
tcp-udp range 49152 65535

object-group service SCCM-Services
description wipro-SCCM
tcp eq 135
udp eq 137
udp eq 138
tcp eq 1433
udp eq 1779
tcp eq 2701
tcp eq 3268
tcp-udp eq 445
tcp eq 5080
tcp eq 5443
tcp eq 80
tcp eq 8530


object-group service FC-DC-SERVICES
description FC-DC-SERVICES
tcp range 1024 65535
udp eq 123
tcp-udp eq 135
udp eq 137
udp eq 138
tcp eq 139
tcp eq 1688
tcp eq 3268
tcp eq 3269
tcp-udp eq 389
tcp-udp eq 42
tcp-udp eq 445
tcp-udp eq 464
udp range 49152 65535
tcp-udp eq 53
tcp eq 53248
tcp eq 5722
tcp eq 57344
tcp-udp eq 636
tcp eq 647
udp eq 67
tcp-udp eq 88
tcp eq 44
tcp eq 80
tcp eq 9389

amr alrazzaz
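As an added example (not code from the post or from Cisco), here is a small Python lint for the IOS object-group and extended-ACL syntax used above. It catches the kinds of slips that stop a paste from applying on the router: CIDR notation in a network group, a mistyped protocol keyword, a hyphenated port range, a non-protocol keyword in the ACL protocol position, and a group that is referenced but never defined. The SAMPLE_CONFIG text is constructed for illustration and deliberately contains each of those mistakes; the group and ACL names are borrowed from the post only as sample data.

```python
import ipaddress

# Constructed sample (not the poster's config): contains one example of each mistake the lint reports.
SAMPLE_CONFIG = """\
object-group network FC-EGCAI01_H.O
 10.0.0.0/8
object-group network EGCAI01_remote
 192.168.0.0 255.255.240.0
object-group network DNS-Servers
 host 10.39.0.154
 host 10.39.0.215
object-group service AD-Services
 tcp eq 25
 tcp-udp eq 53
 upd eq 139
 tcp-udp range 49152-65535
ip access-list extended VPN-ACL
 remark Link to the NLAMS02E-Fortigate3951
 permit ip object-group EGCAI01_remote object-group FC-EGCAI01_H.O
 permit udp object-group EGCAI01_remote object-group DNS-Servers eq 53
 permit ldap object-group EGCAI01_remote object-group FC-EGCAI01_H.O eq 389
 permit object-group AD-Services object-group EGCAI01_remote object-group Wipro-DC
"""

ACL_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp"}
SVC_PROTOCOLS = {"tcp", "udp", "tcp-udp", "icmp"}


def parse_blocks(text):
    """Split IOS config into (header, entries) pairs: an unindented line opens a new block."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def port_ok(p):
    return p.isdigit() and 1 <= int(p) <= 65535


def lint_service_entry(group, entry):
    """IOS service-group entries are '<proto> eq <port>' or '<proto> range <lo> <hi>'."""
    tok = entry.split()
    if tok[0] not in SVC_PROTOCOLS:
        return f"{group}: unknown protocol '{tok[0]}' in '{entry}'"
    if len(tok) == 3 and tok[1] == "eq" and port_ok(tok[2]):
        return None
    if (len(tok) == 4 and tok[1] == "range" and port_ok(tok[2]) and port_ok(tok[3])
            and int(tok[2]) <= int(tok[3])):
        return None
    return f"{group}: bad service entry '{entry}' (expected '<proto> eq <port>' or '<proto> range <lo> <hi>')"


def lint_network_entry(group, entry):
    """IOS network-group entries are 'host A', 'A MASK' or 'range A B'; CIDR is not accepted."""
    tok = entry.split()
    try:
        if len(tok) == 2 and tok[0] == "host":
            ipaddress.ip_address(tok[1])
            return None
        if len(tok) == 2:                        # address followed by a dotted mask
            ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)
            return None
        if len(tok) == 3 and tok[0] == "range":
            ipaddress.ip_address(tok[1])
            ipaddress.ip_address(tok[2])
            return None
    except ValueError:
        pass
    return f"{group}: bad network entry '{entry}' (use 'host A', 'A MASK' or 'range A B', not CIDR)"


def lint_acl_entry(acl, entry, net_groups, svc_groups):
    """Check the protocol keyword and that every referenced object-group exists with the right type."""
    issues, tok = [], entry.split()
    if tok[0] == "remark":
        return issues
    i = 1
    if tok[i] == "object-group":                 # a service group sits in the protocol position
        if tok[i + 1] not in svc_groups:
            issues.append(f"{acl}: undefined service object-group '{tok[i + 1]}' in '{entry}'")
        i += 2
    else:
        if tok[i] not in ACL_PROTOCOLS:
            issues.append(f"{acl}: '{tok[i]}' is not an ACL protocol keyword in '{entry}'")
        i += 1
    for role in ("source", "destination"):       # each is 'any', 'host A', 'A WILDCARD' or 'object-group G'
        if i >= len(tok):
            break
        if tok[i] == "object-group":
            if tok[i + 1] not in net_groups:
                issues.append(f"{acl}: undefined network object-group '{tok[i + 1]}' ({role}) in '{entry}'")
            i += 2
        else:
            i += 1 if tok[i] == "any" else 2
    return issues


def lint_config(text):
    """Return human-readable findings; an empty list means the config passed the lint."""
    issues, net_groups, svc_groups, acls = [], set(), set(), []
    for header, entries in parse_blocks(text):
        h = header.split()
        if h[:1] == ["object-group"] and h[1] in ("network", "service"):
            kind, name = h[1], h[2]
            (net_groups if kind == "network" else svc_groups).add(name)
            check = lint_network_entry if kind == "network" else lint_service_entry
            for e in entries:
                if not e.startswith("description"):
                    msg = check(name, e)
                    if msg:
                        issues.append(msg)
        elif h[:3] == ["ip", "access-list", "extended"]:
            acls.append((h[3], entries))
    for name, entries in acls:                   # second pass: every group is known by now
        for e in entries:
            issues.extend(lint_acl_entry(name, e, net_groups, svc_groups))
    return issues


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Paste the real object groups and ACL into SAMPLE_CONFIG (one space of indentation under each header, as `show running-config` prints it) and run the file; anything it prints is a line the router would also reject or a reference that would match nothing. The lint only checks syntax and references, not whether the permitted flows are the ones you intend.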
15 Replies

Many thanks for confirming the same :)

Note that the H.O end is using a Fortigate3951 and I'm using a 2911 ISR router.

And these are the interesting destinations that I requested them to open for me, and they said it's done.

So my end should now be configured; I shared what I did and need help checking whether I missed anything, need to add anything, or made any mistake.

Here are also the parameters they shared with me, so from the config I shared above, did I miss any?

IKE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key (test)
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AES256
Authentication algorithm SHA256
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

amr alrazzaz
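As an added example (not part of the thread), the following Python check compares a parameter sheet like the one above against an IOS crypto configuration. PEER_SHEET carries the values listed in the reply; ROUTER_CONFIG is a constructed sample in IOS syntax modelled on the first post, and the dictionary keys and the report wording are this example's own assumptions. The IOS commands it looks for (`crypto ikev2`, `crypto isakmp keepalive`, `set pfs`, `set security-association lifetime seconds`) are the standard ones for those features.

```python
import re

# Values from the peer's sheet in the reply above (keys are this example's own).
PEER_SHEET = {
    "ike_version": 2,
    "phase1": {"encryption": "aes 256", "hash": "sha256", "dh_group": 14,
               "lifetime": 86400, "dpd": True},
    "phase2": {"encryption": "esp-aes 256", "hash": "esp-sha256-hmac",
               "lifetime": 28800, "pfs_group": 5},
}

# Constructed sample in IOS syntax, modelled on the first post (not the poster's exact config).
ROUTER_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto ipsec transform-set ESP-TUNNEL esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 193.249.135.134
 set transform-set ESP-TUNNEL
 match address VPN-ACL
"""


def parse_isakmp_policy(config):
    """Return the indented lines under 'crypto isakmp policy N' as {keyword: value}."""
    policy, inside = {}, False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            inside = True
        elif inside and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policy[key] = value
        else:
            inside = False
    return policy


def compare(sheet, config):
    """List every point where the router config does not match the peer's sheet."""
    findings = []
    if sheet["ike_version"] == 2 and "crypto ikev2" not in config:
        findings.append("IKE version: peer requires IKEv2, config only defines IKEv1 "
                        "(crypto isakmp policy / crypto map ... ipsec-isakmp)")
    p1, pol = sheet["phase1"], parse_isakmp_policy(config)
    # IOS stores the configured 'encryption aes 256' as 'encr aes 256' in running-config
    got = {"encryption": pol.get("encryption", pol.get("encr", "")),
           "hash": pol.get("hash", ""), "dh_group": pol.get("group", ""),
           "lifetime": pol.get("lifetime", "")}
    for key, want in (("encryption", p1["encryption"]), ("hash", p1["hash"]),
                      ("dh_group", str(p1["dh_group"])), ("lifetime", str(p1["lifetime"]))):
        if got[key] != want:
            findings.append(f"Phase 1 {key}: peer {want!r}, config {got[key]!r}")
    has_dpd = "crypto isakmp keepalive" in config or re.search(r"^\s*dpd ", config, re.M)
    if p1["dpd"] and not has_dpd:
        findings.append("Phase 1 DPD: peer has it enabled; config has no 'crypto isakmp keepalive' "
                        "(IKEv1) or 'dpd' under an IKEv2 profile")
    p2 = sheet["phase2"]
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M)
    transforms = ts.group(1) if ts else ""
    if p2["encryption"] not in transforms or p2["hash"] not in transforms:
        findings.append(f"Phase 2 transform: peer {p2['encryption']} / {p2['hash']}, config {transforms!r}")
    life = re.search(r"security-association lifetime seconds (\d+)", config)
    if not life or int(life.group(1)) != p2["lifetime"]:
        findings.append(f"Phase 2 lifetime: peer {p2['lifetime']}, config "
                        f"{life.group(1) if life else 'not set (IOS default is 3600)'}")
    pfs = re.search(r"^\s*set pfs group(\d+)", config, re.M)
    if p2["pfs_group"] and (not pfs or int(pfs.group(1)) != p2["pfs_group"]):
        findings.append(f"Phase 2 PFS: peer requires DH group {p2['pfs_group']}, config "
                        f"{'group ' + pfs.group(1) if pfs else 'has no set pfs'}")
    return findings


if __name__ == "__main__":
    for finding in compare(PEER_SHEET, ROUTER_CONFIG):
        print("-", finding)
```

On the sample it reports four gaps: the sheet asks for IKEv2 while the config is IKEv1, no dead peer detection, no Phase 2 lifetime (so the IOS default of 3600 seconds would apply), and no PFS group under the crypto map. The checker only reports whether both sides agree; it does not judge the values themselves, and a practitioner would note that DH group 5 (1536-bit MODP) is weaker than the group 14 already chosen for Phase 1.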