configure site to site vpn and vpn acl

amralrazzaz
Level 5

I need help with configuring a site-to-site VPN plus a VPN ACL on an ISR 2911 router, based on the parameters below.

I have a group of destination servers and networks with port numbers and need to know how to do this, because there are many ports, networks and hosts. Do I have to add each one and repeat it for every port number, or should I make a group or something?

The parameters below are already configured on the H.O. firewall; my remote site is a 2911 ISR router and I need to configure the same inputs.

My local network ID (remote site): 192.168.0.0/20 (source)

Public IP address: 196.220.40.177

IKE Phase 1
  IKE version:               2
  Diffie-Hellman group:      14
  Encryption algorithm:      AES256
  Authentication algorithm:  SHA256
  Authentication method:     Pre-shared key
  Pre-shared key:            ...........
  Key lifetime:              86400
  Dead peer detection:       Enabled

IKE Phase 2
  IPsec protocol:            ESP (Tunnel mode)
  Encryption algorithm:      AES256
  Authentication algorithm:  SHA256
  Key lifetime:              28800
  Perfect Forward Secrecy:   Enabled, Diffie-Hellman group 5
  Replay protection:         Enabled
  Keep alive:                Disabled

ACL and ports as below:

Destination (networks and hosts)     Ports / service
------------------------------------------------------------------------------
DNS servers                          53/tcp
  10.20.17.2                         53/udp
  10.30.17.3

SAP servers                          3200-3399/tcp
  10.102.37.15                       3600-3699/tcp
  10.102.41.19                       8000-8099/tcp
  10.102.41.156                      50000-59900/tcp
  10.102.46.23
  10.102.46.37
  10.174.18.16
  10.174.18.46
  10.27.111.2

H.O. networks                        Service: AD services
  10.35.3.0/24                       25/tcp, 53/tcp, 53/udp, 67/udp, 68/udp,
  10.35.4.0/24                       88/udp, 123/udp, 135/tcp, 137/udp, 138/udp,
  10.35.5.0/24                       139/udp, 389/tcp, 389/udp, 445/tcp, 445/udp,
  10.80.100.0/24                     464/tcp, 464/udp, 636/tcp, 3268/tcp, 3269/tcp,
  10.80.151.0/25                     5722/tcp, 9389/tcp, 49152-65535/tcp,
                                     49152-65535/udp

                                     Service: SCCM services
                                     135/tcp, 137/udp, 138/udp, 1433/tcp, 1779/udp,
                                     2701/tcp, 3268/tcp, 445/tcp, 445/udp, 5080/tcp,
                                     5443/tcp, 80/tcp, 8530/tcp

DC server                            1024-65535/tcp, 123/udp, 135/tcp, 135/udp,
  10.230.11.108                      137/udp, 138/udp, 139/tcp, 1688/tcp, 3268/tcp,
                                     3269/tcp, 389/tcp, 389/udp, 42/tcp, 42/udp,
                                     445/tcp, 445/udp, 464/tcp, 464/udp,
                                     49152-65535/udp, 53/tcp, 53/udp, 53248/tcp,
                                     5722/tcp, 57344/tcp, 636/tcp, 636/udp, 647/tcp,
                                     67/udp, 88/tcp, 88/udp, 44/tcp, 80/tcp, 9389/tcp

 

amr alrazzaz
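A Cisco IOS configuration that implements the phase 1 and phase 2 parameters listed in the post, added here as an example; it is not from the thread, the poster or Cisco. It assumes that 196.220.40.177 is the public address of the head-office firewall (the post lists only one public IP), that GigabitEthernet0/0 is the 2911's WAN interface, that the head-office address space summarises to 10.0.0.0/8, and all object names are invented. The crypto ACL is deliberately network-to-network only: on IOS every crypto ACL entry negotiates its own SA pair and must be mirrored exactly by the peer's crypto domain, so per-port filtering belongs in a separate interface ACL, not in the crypto ACL. Note also that DH group 5 (1536-bit), which the head office mandates for PFS, is weaker than the group 14 used in phase 1; if the firewall side can be changed, group 14 or higher is the better choice.

```cisco
! Added example (not from the thread): IKEv2 site-to-site on the ISR 2911.
! Assumptions: 196.220.40.177 is the H.O. firewall's public IP,
! GigabitEthernet0/0 is the WAN interface, H.O. networks fall in 10.0.0.0/8,
! and every name below is invented.
!
! --- IKE phase 1: IKEv2, AES-256, SHA-256, DH group 14, PSK, 86400 s, DPD ---
crypto ikev2 proposal HO-IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy HO-IKEV2-POLICY
 proposal HO-IKEV2-PROPOSAL
!
crypto ikev2 keyring HO-KEYRING
 peer HO-FIREWALL
  address 196.220.40.177
  ! same key as entered on the H.O. firewall (placeholder here)
  pre-shared-key <pre-shared-key>
!
crypto ikev2 profile HO-IKEV2-PROFILE
 match identity remote address 196.220.40.177 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HO-KEYRING
 lifetime 86400
 ! dead peer detection: probe every 10 s, retry every 3 s
 dpd 10 3 periodic
!
! --- IKE phase 2: ESP tunnel mode, AES-256/SHA-256, 28800 s, PFS group 5 ---
crypto ipsec transform-set HO-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL = proxy IDs. Keep it network-to-network: each entry becomes its
! own SA pair and must match the H.O. firewall's crypto domain exactly.
! If the firewall lists individual H.O. subnets, list the same ones here.
ip access-list extended VPN-CRYPTO-ACL
 permit ip 192.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
!
crypto map HO-MAP 10 ipsec-isakmp
 description Site-to-site to head office
 set peer 196.220.40.177
 set transform-set HO-TS
 set pfs group5
 set ikev2-profile HO-IKEV2-PROFILE
 set security-association lifetime seconds 28800
 match address VPN-CRYPTO-ACL
!
interface GigabitEthernet0/0
 description WAN
 crypto map HO-MAP
```

Anti-replay is on by default for IOS IPsec SAs and NAT keepalive is off by default, so the "Replay Protection Enabled" and "Keep Alive Disabled" items need no extra lines. Once the peer is configured, `show crypto ikev2 sa` and `show crypto ipsec sa peer 196.220.40.177` confirm that phase 1 and phase 2 came up and show the packet counters per SA.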
2 Replies

Thanks.

 

But my main concern is how to create the ACL list for all these servers and networks with port numbers.

It is too much. Do I have to type every one and repeat it for each different port number?

Is there any option on the router similar to the object-group network and object-group service that we use on the ASA?

Just to make it easier, save command lines in the ACL lists and keep it organised too!

Let's take this as an example (how do I create the VPN access-list for this?):

Can I collect all the SAP servers in one group and then repeat the command for each range of ports, or how can it be done?

Destination                          Ports                Source
------------------------------------------------------------------------------
SAP servers                          3200-3399/tcp        my local network (192.168.0.0/20)
  10.102.37.15                       3600-3699/tcp
  10.102.41.19                       8000-8099/tcp
  10.102.41.156                      50000-59900/tcp
  10.102.46.23
  10.102.46.37
  10.174.18.16
  10.174.18.46
  10.27.111.2
amr alrazzaz
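IOS does have an equivalent of the ASA's object-group network / object-group service: object-group ACLs (OGACLs), available since IOS 12.4(20)T and in 15.x. The following is an added example, not from the thread or from Cisco, that builds the SAP group from the post above. It assumes every SAP host is reachable on all four port ranges (the post does not say which range belongs to which host), that GigabitEthernet0/1 is the 2911's LAN interface, that the rest of the head office lives in 10.0.0.0/8, and the group names are invented. This filtering ACL is applied on the LAN interface; the crypto map's `match address` ACL stays a plain network-to-network ACL, because proxy IDs have to mirror the firewall's crypto domain and per-port entries there would multiply the SA pairs.

```cisco
! Added example (not from the thread): IOS object-group ACL for the SAP servers.
! Assumptions: all SAP hosts accept all four port ranges, GigabitEthernet0/1 is
! the LAN interface, other H.O. networks are inside 10.0.0.0/8, names invented.
!
object-group network LOCAL-LAN
 192.168.0.0 255.255.240.0
!
object-group network SAP-SERVERS
 host 10.102.37.15
 host 10.102.41.19
 host 10.102.41.156
 host 10.102.46.23
 host 10.102.46.37
 host 10.174.18.16
 host 10.174.18.46
 host 10.27.111.2
!
object-group service SAP-PORTS
 tcp range 3200 3399
 tcp range 3600 3699
 tcp range 8000 8099
 tcp range 50000 59900
!
! The other rows of the table follow the same pattern, e.g. the DNS servers:
object-group network DNS-SERVERS
 host 10.20.17.2
 host 10.30.17.3
!
object-group service DNS-PORTS
 tcp-udp 53
!
! One ACE per (service group, source group, destination group) triple instead
! of one line per host and port. The explicit deny stops anything else from
! the LAN reaching head office; the final permit keeps Internet traffic working.
ip access-list extended LAN-TO-HO
 permit object-group SAP-PORTS object-group LOCAL-LAN object-group SAP-SERVERS
 permit object-group DNS-PORTS object-group LOCAL-LAN object-group DNS-SERVERS
 deny   ip object-group LOCAL-LAN 10.0.0.0 0.255.255.255
 permit ip any any
!
interface GigabitEthernet0/1
 description LAN
 ip access-group LAN-TO-HO in
```

`show object-group` lists the groups and `show ip access-lists LAN-TO-HO` shows the hit counters per ACE, which is the quickest way to confirm that SAP traffic is being matched by the permit line rather than falling through to the deny. Adding a new SAP host or port range is then one line in the relevant group rather than a new ACE for every combination.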