04-30-2020 09:16 PM - edited 04-30-2020 09:20 PM
I need help with the parameters below to configure a site-to-site VPN plus the VPN ACL on an ISR 2911 router.
I have a group of destination servers and networks with port numbers and need
to know how to do this, because there are many ports, networks and hosts. Do I have to add each one and repeat it for every port number, or can I make a group or something similar?
These parameters are already configured on the H.O firewall; my remote site is a 2911 ISR router and I need to configure the same inputs.
My local network (remote site), source: 192.168.0.0/20
Public IP address: 196.220.40.177

IKE Phase 1
  IKE version: 2
  Diffie-Hellman group: 14
  Encryption algorithm: AES256
  Authentication algorithm: SHA256
  Authentication method: Pre-shared key
  Pre-shared key: ...........
  Key lifetime: 86400
  Dead peer detection: Enabled

IKE Phase 2
  IPsec protocol: ESP (Tunnel mode)
  Encryption algorithm: AES256
  Authentication algorithm: SHA256
  Key lifetime: 28800
  Perfect Forward Secrecy: Enabled, Diffie-Hellman group 5
  Replay Protection: Enabled
  Keep Alive: Disabled
ACL and ports as below:

Destination networks and hosts | Ports / service

DNS servers: 10.20.17.2, 10.30.17.3
  Ports: 53/tcp, 53/udp

SAP servers: 10.102.37.15, 10.102.41.19, 10.102.41.156, 10.102.46.23, 10.102.46.37, 10.174.18.16, 10.174.18.46, 10.27.111.2
  Ports: 3200-3399/tcp, 3600-3699/tcp, 8000-8099/tcp, 50000-59900/tcp

SERVICE AD services
H.O networks: 10.35.3.0/24, 10.35.4.0/24, 10.35.5.0/24, 10.80.100.0/24, 10.80.151.0/25
  Ports: 25/tcp, 53/tcp, 53/udp, 67/udp, 68/udp, 88/udp, 123/udp, 135/tcp, 137/udp, 138/udp, 139/udp, 389/tcp, 389/udp, 445/tcp, 445/udp, 464/tcp, 464/udp, 636/tcp, 3268/tcp, 3269/tcp, 5722/tcp, 9389/tcp, 49152-65535/tcp, 49152-65535/udp

SERVICE SCCM services
  Ports: 135/tcp, 137/udp, 138/udp, 1433/tcp, 1779/udp, 2701/tcp, 3268/tcp, 445/tcp, 445/udp, 5080/tcp, 5443/tcp, 80/tcp, 8530/tcp

DC server: 10.230.11.108
  Ports: 1024-65535/tcp, 123/udp, 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 1688/tcp, 3268/tcp, 3269/tcp, 389/tcp, 389/udp, 42/tcp, 42/udp, 445/tcp, 445/udp, 464/tcp, 464/udp, 49152-65535/udp, 53/tcp, 53/udp, 53248/tcp, 5722/tcp, 57344/tcp, 636/tcp, 636/udp, 647/tcp, 67/udp, 88/tcp, 88/udp, 44/tcp, 80/tcp, 9389/tcp
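The Phase 1 and Phase 2 parameters from the sheet above, written out as IOS IKEv2 crypto-map configuration for the 2911. This is an added example, not configuration from the post or from Cisco: the object names (HO-PROPOSAL, HO-POLICY, HO-KEYRING, HO-PROFILE, HO-TS, HO-MAP, VPN-CRYPTO-ACL), the WAN interface GigabitEthernet0/0, the DPD timers and the PSK_PLACEHOLDER value are assumptions, and 196.220.40.177 is assumed to be the H.O firewall's peer address (if it is the router's own WAN address, put the firewall's address in its place). The crypto ACL is shown with only the two DNS entries so the block is complete; the rest of the host/port list goes in the same ACL.

```cisco
! IKEv2 Phase 1: AES256 / SHA256 / DH group 14 (values from the H.O sheet)
crypto ikev2 proposal HO-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy HO-POLICY
 proposal HO-PROPOSAL
!
! Pre-shared key for the H.O peer (PSK_PLACEHOLDER stands in for the real key)
crypto ikev2 keyring HO-KEYRING
 peer HO-FW
  address 196.220.40.177
  pre-shared-key PSK_PLACEHOLDER
!
! IKE SA lifetime 86400 s and DPD enabled; the 10 s / 3 retries are assumed,
! the sheet only says "Enabled"
crypto ikev2 profile HO-PROFILE
 match identity remote address 196.220.40.177 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HO-KEYRING
 lifetime 86400
 dpd 10 3 periodic
!
! IKEv2 Phase 2: ESP in tunnel mode, AES256 / SHA256
crypto ipsec transform-set HO-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local LAN 192.168.0.0/20 to the two DNS servers on port 53
! (only these two entries here so the example stays complete)
ip access-list extended VPN-CRYPTO-ACL
 permit tcp 192.168.0.0 0.0.15.255 host 10.20.17.2 eq 53
 permit udp 192.168.0.0 0.0.15.255 host 10.30.17.3 eq 53
!
! Crypto map: IPsec SA lifetime 28800 s, PFS group 5; IOS anti-replay is on by default,
! which matches "Replay Protection Enabled"
crypto map HO-MAP 10 ipsec-isakmp
 set peer 196.220.40.177
 set transform-set HO-TS
 set pfs group5
 set security-association lifetime seconds 28800
 set ikev2-profile HO-PROFILE
 match address VPN-CRYPTO-ACL
!
! Apply the map to the WAN interface (GigabitEthernet0/0 is an assumption)
interface GigabitEthernet0/0
 crypto map HO-MAP
```

After sending traffic that matches the ACL, `show crypto ikev2 sa` should list the IKE SA with the peer and `show crypto ipsec sa` should show one IPsec SA per ACL entry with the negotiated AES256/SHA256 transform; an IKE SA that comes up while the IPsec SA does not usually means the crypto ACL is not the mirror image of the firewall's traffic selectors.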
04-30-2020 11:57 PM
05-01-2020 07:58 AM - edited 05-01-2020 08:02 AM
Thanks,
but my main concern is how to create the ACL for all these servers and networks with their port numbers.
It's too much; shall I type every one and repeat it for each different port number?
Is there any option on the router similar to the object-group network and object-group service that we use on the ASA?
Just to make it easier and save command lines in the ACLs, with some organization too!!
Let's take this as an example (how do I create the VPN access-list for this?):
Can I collect all the SAP servers in one group and then repeat the command for each range of ports, or how can it be done?
Source: my local network (192.168.0.0/20). Destinations and ports:
SAP servers: 10.102.37.15, 10.102.41.19, 10.102.41.156, 10.102.46.23, 10.102.46.37, 10.174.18.16, 10.174.18.46, 10.27.111.2
  Ports: 3200-3399/tcp, 3600-3699/tcp, 8000-8099/tcp, 50000-59900/tcp
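IOS does have the same idea as the ASA object groups: `object-group network` and `object-group service`, usable in a named extended ACL. The SAP example from the post, built that way, as an added example (not configuration from the post or from Cisco); the group and ACL names REMOTE-LAN, SAP-SERVERS, SAP-PORTS and VPN-CRYPTO-ACL are assumptions.

```cisco
! Source side: the remote-site LAN 192.168.0.0/20
object-group network REMOTE-LAN
 192.168.0.0 255.255.240.0
!
! All eight SAP servers from the list in one network group
object-group network SAP-SERVERS
 host 10.102.37.15
 host 10.102.41.19
 host 10.102.41.156
 host 10.102.46.23
 host 10.102.46.37
 host 10.174.18.16
 host 10.174.18.46
 host 10.27.111.2
!
! The four SAP port ranges in one service group. "tcp range" matches destination
! ports; "tcp source range" would match source ports instead.
object-group service SAP-PORTS
 tcp range 3200 3399
 tcp range 3600 3699
 tcp range 8000 8099
 tcp range 50000 59900
!
! One entry covers 8 hosts x 4 ranges; the classic form needs 32 lines like
!   permit tcp 192.168.0.0 0.0.15.255 host 10.102.37.15 range 3200 3399
ip access-list extended VPN-CRYPTO-ACL
 permit object-group SAP-PORTS object-group REMOTE-LAN object-group SAP-SERVERS
```

`show object-group` and `show ip access-lists VPN-CRYPTO-ACL` confirm what the router expanded the groups to. Two things to check before relying on it as the crypto-map `match address` ACL: object-group ACLs need a 15.x image on the ISR G2 and whether a crypto map accepts an object-group ACL varies by release, so test on the running image and fall back to expanded lines if the SA never forms; and whatever form is used, each entry has to be the mirror image of the corresponding entry on the H.O firewall, ports included, or IKEv2 traffic-selector negotiation for that flow will fail.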