Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
317
Views
0
Helpful
3
Replies

2911 with S2S VPN - Firewall config

raun.williams
Level 3
Level 3

‎07-16-2013 06:50 AM - edited ‎03-07-2019 02:25 PM

With a 2911 on connected to the net and an S2S VPN going out the public interface, whats the best method to lock down the router from the public interface still but not interfering with the vpn tunnel?

-R

Labels:
0 Helpful
3 Replies 3

cadet alain
VIP Alumni
VIP Alumni

‎07-16-2013 07:23 AM

Hi,

How did you configure the L2L VPN with the crypto-map commands or the VTI ?

Have you already got a firewall config in place ?

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

raun.williams
Level 3
Level 3
In response to cadet alain

‎07-16-2013 08:05 AM

Nothing in place currently...

ip ssh source-interface Virtual-Template1

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key XXXXXXXXX address 64.22.241.98    no-xauth

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

!

!

!

crypto map outside_map 10 ipsec-isakmp

set peer 3xx.3xx.3xx.xx3

set transform-set ESP-3DES-SHA

match address 150

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Public

ip address 3xx.3xx.3xx.xx3 255.255.255.192

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map outside_map

!

interface GigabitEthernet0/1

description Subinterfaces for local vlans

no ip address

ip nat inside

ip virtual-reassembly in

duplex auto ip ssh source-interface Virtual-Template1
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address 64.22.241.98    no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map outside_map 10 ipsec-isakmp
set peer 3xx.3xx.3xx.xx3
set transform-set ESP-3DES-SHA
match address 150
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Public
ip address 3xx.3xx.3xx.xx3 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
description Subinterfaces for local vlans
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto

access-list 150 permit ip 192.168.202.0 0.0.0.255 any

0 Helpful

Kelvin Willacey
Level 4
Level 4
In response to raun.williams

‎07-16-2013 10:47 AM

Hey you can check this out, http://www.packetpros.com/2012/08/public-interface-acl.html

It is a blog by a memeber of the community, it should be helpful.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card