Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

sameer.savla
Level 1

Hi All,

I need help configuring the site-to-site VPN from a Cisco 2811 to Websense Cloud for web traffic redirect.

The 2811 is running C2800NM-ADVIPSERVICESK9-M.

The 2811 router connects to the Internet SW, which then connects to the Internet router.

Note: For authentication I am using the Device ID and pre-shared key. I am worried because all user traffic goes out with PAT and is not bringing up my tunnel for port 80 traffic. Can you please suggest what the issue could be?

Below is the router config for VPN and NAT:

----------------------------------------------------------

crypto keyring ISR_Keyring
  pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
   keyring ISR_Keyring
   self-identity user-fqdn psk.hosted.00~16~9d~fb~8c~01@websense.com
   match identity user vpn-proxy.websense.net
!        
!
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
!
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
 set peer vpn.websense.net dynamic
 set transform-set ESP-NULL-SHA
 set isakmp-profile isa-profile
 match address 101
!

interface FastEthernet0/1
 description connected to Internet
 ip address 216.222.208.101 255.255.255.128
 ip access-group HVAC_Public in
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 no cdp enable
 crypto map GUEST_WEB_FILTER

access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www

access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any

ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload

2 Replies

sameer.savla
Level 1

Can somebody please help me with this?

How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101?

Check

show crypto isakmp sa

show crypto ipsec sa

show crypto session

You'd better remove the preshared key from your post.
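
An added example, not part of the thread: a Python model of the source-address question raised in the reply, evaluating the posted ACL 101 (crypto map) and ACL 103 (PAT) against a packet. It assumes the documented IOS inside-to-outside order, in which NAT is applied before the crypto map ACL is checked; the destination 203.0.113.10 is a constructed sample, and the `route-map nonat` NAT line is left out because the post does not show that route-map.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

INSIDE = ("192.168.8.0", "0.0.3.255")   # source network used by both ACLs
PAT_ADDR = "216.222.208.101"            # FastEthernet0/1 address from the post

# access-list 103 from the post, as (action, destination, wildcard)
ACL103 = [
    ("deny", "85.115.41.187", "0.0.0.0"),
    ("deny", "85.115.41.181", "0.0.0.0"),
    ("deny", "85.115.41.182", "0.0.0.0"),
    ("deny", "86.111.216.0", "0.0.1.255"),
    ("deny", "116.50.56.0", "0.0.7.255"),
    ("deny", "86.111.220.0", "0.0.3.255"),
    ("deny", "103.1.196.0", "0.0.3.255"),
    ("deny", "177.39.96.0", "0.0.3.255"),
    ("deny", "196.216.238.0", "0.0.1.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def acl103_action(src, dst):
    """First-match evaluation of ACL 103; anything unmatched hits the implicit deny."""
    if wc_match(src, *INSIDE):
        for action, base, wildcard in ACL103:
            if wc_match(dst, base, wildcard):
                return action
    return "deny"

def acl101_permits(src, proto, dport):
    """access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www"""
    return proto == "tcp" and dport == 80 and wc_match(src, *INSIDE)

def source_seen_by_crypto_acl(src, dst):
    """Assumption: PAT (ACL 103 permit) rewrites the source before the crypto check."""
    return PAT_ADDR if acl103_action(src, dst) == "permit" else src

def selected_for_tunnel(src, dst, proto="tcp", dport=80):
    return acl101_permits(source_seen_by_crypto_acl(src, dst), proto, dport)

if __name__ == "__main__":
    for dst in ("203.0.113.10", "85.115.41.187"):   # constructed sample, ACL 103 deny host
        print(dst, source_seen_by_crypto_acl("192.168.8.10", dst),
              selected_for_tunnel("192.168.8.10", dst))
```

Under that assumption, the output of `show crypto ipsec sa` suggested in the reply is where to confirm which source addresses the router actually uses as tunnel selectors.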