cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
686
Views
0
Helpful
2
Replies
Highlighted
Contributor

configure site to site vpn and vpn acl

i need help depending on below parameters to configure vpn site to site + vpn acl on ISR 2911 router

i have group of destination servers and network with port numbers and need
to know how to make this coz many ports and networks and hosts so i have to add each one repeat for each port number or shall make like group or something 

these below parameters already configured on H.O firewall and my remote site is router 2911 isr and need to configure same inputs

my local network id (remote site) 192.168.0.0/20  source 

Public IP addresses 196.220.40.177

IKE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ...........
Key lifetime 86400
Dead peer detection Enabled

 

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AES256
Authentication algorithm SHA256
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

 

acl and ports as below :

 

dest, networks and hostsPORTS SERVICE 
DNS SERVERS  10.20.17.2      53/tcp
                             10.30.17.3                                         53/udp
  
SAP servers  10.102.37.15    3200-3399/tcp
                       10.102.41.19             3600-3699/tcp
                     10.102.41.156           8000-8099/tcp
                       10.102.46.23                 50000-59900/tcp
                     10.102.46.37 
                   10.174.18.16 
                   10.174.18.46 
                  10.27.111.2 
 SERVICE AD services
H.O  NETWORKS   10.35.3.0/24   25/tcp
                                    10.35.4.0/24          53/tcp
                                 10.35.5.0/24          53/udp
                           10.80.100.0/24        67/udp
                          10.80.151.0/25        68/udp
 88/udp
 123/udp
 135/tcp
 137/udp
 138/udp
 139/upd
 389/tcp
 389/udp
 445/tcp
 445/udp
 464/tcp
 464/udp
 636/tcp
 3268/tcp
 3269/tcp
 5722/tcp
 9389/tcp
 49152-65535/tcp
 49152-65535/udp
  
 SERVICE SCCM services
 135/tcp
 137/udp
 138/udp
 1433/tcp
 1779/udp
 2701/tcp
 3268/tcp
 445/tcp
 445/udp
 5080/tcp
 5443/tcp
 80/tcp
 8530/tcp
  
  
DC server    10.230.11.108     1024-65535/tcp
 123/udp
 135/tcp
 135/udp
 137/udp
 138/udp
 139/tcp
 139/tcp
 1688/tcp
 3268/tcp
 3269/tcp
 389/tcp
 389/udp
 42/tcp
 42/udp
 445/tcp
 445/udp
 464/tcp
 464/tcp
 464/udp
 464/udp
 49152-65535/udp
 53/tcp
 53/udp
 53248/tcp
 5722/tcp
 57344/tcp
 636/tcp
 636/udp
 647/tcp
 67/udp
 88/tcp
 88/udp
 44/tcp
 80/tcp
 9389/tcp

 

amr alrazzaz
2 REPLIES 2
Highlighted
VIP Advisor

Highlighted

thanks 

 

but my main concern is how to create acl list for all these servers and networks with ports number

its too much ,, shall i type every one and repeat with different type of port number 

 

is there any option on router similar to object group network and object group service  which using on ASA ?

just to be more easy and save more command lines on acl lists with organization too !! 

 

lets take this an example : (how to create vpn access-list for this)

can i collect all sap servers on one group and then repeat the command with each range of ports or how can it be 

 

destination                                                   ports                             my local network (192.168.0.0/20)

SAP servers  10.102.37.15    3200-3399/tcp
                       10.102.41.19             3600-3699/tcp
                     10.102.41.156           8000-8099/tcp
                       10.102.46.23                 50000-59900/tcp
                     10.102.46.37 
                   10.174.18.16 
                   10.174.18.46 
                  10.27.111.2 
amr alrazzaz