cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3094
Views
0
Helpful
2
Replies
Highlighted
Beginner

How to allow all traffic between Site-To-Site VPN - Cisco 2911

Hi All,

I have 3x site-to-site vpn connections setup on my Cisco 2911 router which is based at Head Office. They all connect OK but there appears to be some ports blocked.

For example, I'm able to remote desktop to a server on the remote site, users are able to use Outlook whilst the Exchange server is located at Head Office but users are unable to the following resources from Head Office;

Access any applications using HTTPS

Our Proxy Agent uses port 8280 - When the internal address is used, it doesn't work. When the public address is used, it works.

Printers are unable to use scan to email - Port 25.

I'm confident that nothing is being restricted at the remote sites as all of these functions worked on our old Head Office router.

All i want to do is allow ANY traffic to and from Head Office and all the VPN sites.

I'm fairly new to this type of router having made the jump from small business equipment, so please be gentle on my config

================================================================================================================

Building configuration...

Current configuration : 11889 bytes

!

! Last configuration change at 11:58:26 PCTime Tue Apr 30 2013 by jwalkes

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

enable secret 4 bomlT57l.1LxAG0LwBi7j1e.bJXLV76Vsxcg7JlchqQ

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

!

!

!

aaa session-id common

clock timezone PCTime 0 0

!

ip cef

!

!

ip port-map user-protocol--2 port tcp 444

ip port-map user-protocol--1 port tcp 8280

!

!

!

!

ip domain name domain.local

ip name-server 66.28.0.45

ip name-server 66.28.0.61

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-1441621744

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1441621744

revocation-check none

rsakeypair TP-self-signed-1441621744

!

!

crypto pki certificate chain TP-self-signed-1441621744

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31343431 36323137 3434301E 170D3133 30343238 31303432

  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34343136

  32313734 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100E79F FBCE3588 E0999E03 399AE1CA 3F0A9C5B 43E52185 86F04754 AAAC33D1

  EF87B0EA 3DE3CEDD 99327CFA E9007D82 040D896D D7260775 E01C4B59 EBB87D35

  7D8355C1 6EC2E212 6F312212 CCD8A6E4 C7EE9855 84D1D1C0 D29E15F9 072D0725

  8A01E809 996868BB EF428975 4BED02C0 51BEE1EE D3C7A8A1 4A028FB0 49952108

  0DD90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 149F0B86 73025ECC 0EE1B176 DAE35BD1 045FB736 50301D06

  03551D0E 04160414 9F0B8673 025ECC0E E1B176DA E35BD104 5FB73650 300D0609

  2A864886 F70D0101 05050003 8181002A 48DD276B 0854B06E 1FEAB009 0BD3A536

  763E4872 5A04E66E B187695F B6DD1243 35D40883 44154378 302CD7E2 237BF566

  9B691517 9F193CD1 A0B4C1FC B026DDB9 308026EC A153A95E FD94267C 9D2377A4

  7D6B5E46 FAFD642F A9288484 7D9B154C C3A466E2 B1738E6B 1D97A61C 99CC6CB9

  D69CDA16 76697E1F 5E6B22D3 94562B

            quit

license udi pid CISCO2911/K9 sn FCZ17086062

!

!

username USER privilege 15 secret 4 bomlT57l.1LxAG0LwBi7j1e.bJXLV76Vsxcg7JlchqQ

!

redundancy

!

!

!

!

!

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 106

class-map type inspect match-all sdm-nat-user-protocol--2-1

match access-group 110

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 107

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-smtp-1

match access-group 109

match protocol smtp

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 104

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all sdm-nat-https-1

match access-group 109

match protocol https

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect match-any sdm-service-sdm-pol-VPNOutsideToInside-1

match protocol pptp

match class-map SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all SDM_VPN_PT

match access-group 105

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-all sdm-nat-pptp-1

match access-group 108

match class-map sdm-service-sdm-pol-VPNOutsideToInside-1

!

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect CCP_PPTP

  pass

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-pptp-1

  inspect

class type inspect sdm-nat-smtp-1

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-user-protocol--2-1

  inspect

class class-default

  drop log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass

class class-default

  drop

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

csdb tcp synwait-time 30

csdb tcp idle-time 3600

csdb tcp finwait-time 5

csdb tcp reassembly max-memory 1024

csdb tcp reassembly max-queue-length 16

csdb udp idle-time 30

csdb icmp idle-time 10

csdb session max-session 65535

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key XXXXXXXX address 2.254.XXX.XXX

crypto isakmp key XXXXXXXX address 17.34.XXX.XXX

crypto isakmp key XXXXXXXX address 9.105.XXX.XXX

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

mode tunnel

!

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to2.254.XXX.XXX

set peer 2.254.XXX.XXX

set transform-set ESP-3DES-SHA

match address 100

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to17.34.XXX.XXX

set peer 17.34.XXX.XXX

set transform-set ESP-3DES-SHA1

match address 102

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Tunnel to9.105.XXX.XXX

set peer 9.105.XXX.XXX

set transform-set ESP-3DES-SHA2

match address 103

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$FW_INSIDE$

ip address 172.168.4.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

duplex auto

speed auto

!

interface GigabitEthernet0/1

description $ETH-WAN$$FW_OUTSIDE$

ip address 49.7.XXX.XXX 255.255.255.192

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1/0

no ip address

!

interface GigabitEthernet0/1/1

no ip address

!

interface GigabitEthernet0/1/2

no ip address

!

interface GigabitEthernet0/1/3

no ip address

!

interface Vlan1

no ip address

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280

ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723

ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25

ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443

ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 49.7.XXX.XXX

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

ip sla auto discovery

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 172.168.4.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 172.168.4.0 0.0.0.255 172.168.3.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 172.168.4.0 0.0.0.255 172.168.6.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 deny   ip 172.168.4.0 0.0.0.255 172.168.5.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 deny   ip 172.168.4.0 0.0.0.255 172.168.3.0 0.0.0.255

access-list 101 permit ip 172.168.4.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 172.168.4.0 0.0.0.255 172.168.5.0 0.0.0.255

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 172.168.4.0 0.0.0.255 172.168.6.0 0.0.0.255

access-list 104 remark CCP_ACL Category=128

access-list 104 permit ip host 255.255.255.255 any

access-list 104 permit ip 127.0.0.0 0.255.255.255 any

access-list 104 permit ip 49.7.XXX.XX 0.0.0.63 any

access-list 105 remark CCP_ACL Category=128

access-list 105 permit ip host 9.105.XXX.XXX any

access-list 105 permit ip host 2.254.XXX.XXX any

access-list 105 permit ip host 17.34.XXX.XXX any

access-list 106 remark CCP_ACL Category=0

access-list 106 permit ip 172.168.6.0 0.0.0.255 172.168.4.0 0.0.0.255

access-list 106 permit ip 172.168.5.0 0.0.0.255 172.168.4.0 0.0.0.255

access-list 106 permit ip 172.168.3.0 0.0.0.255 172.168.4.0 0.0.0.255

access-list 107 remark CCP_ACL Category=0

access-list 107 permit ip any host 172.168.4.5

access-list 108 remark CCP_ACL Category=0

access-list 108 permit ip any host 172.168.4.10

access-list 109 remark CCP_ACL Category=0

access-list 109 permit ip any host 172.168.4.11

access-list 110 remark CCP_ACL Category=0

access-list 110 permit ip any host 172.168.4.16

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

How to allow all traffic between Site-To-Site VPN - Cisco 2911

Hi

I went through the config.

These Nat rules are not allowing you to access the certian ports across the VPN tunnel as they are taking the precedence over the exempt that is configured.

ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280

ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723

ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25

ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443

ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444

You would  need to configure the static nat rules with the route-map configured

To configure the static nat with the route-map follwo the follwoing doccuments

https://supportforums.cisco.com/docs/DOC-5061

After applying that it should work

Hope this helps you.

Thanks

Raj

View solution in original post

2 REPLIES 2
Highlighted
Beginner

How to allow all traffic between Site-To-Site VPN - Cisco 2911

Hi

I went through the config.

These Nat rules are not allowing you to access the certian ports across the VPN tunnel as they are taking the precedence over the exempt that is configured.

ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280

ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723

ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25

ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443

ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444

You would  need to configure the static nat rules with the route-map configured

To configure the static nat with the route-map follwo the follwoing doccuments

https://supportforums.cisco.com/docs/DOC-5061

After applying that it should work

Hope this helps you.

Thanks

Raj

View solution in original post

Highlighted
Beginner

How to allow all traffic between Site-To-Site VPN - Cisco 2911

Thanks for your help! That's done the trick!

Thanks!!!!!!!!!!!!!!!!!