12-09-2004 11:31 PM - edited 02-21-2020 01:29 PM
Hi, I'm checking on what else I could do to ensure supplier VPN traffic is kept isolated. Also I want to ensure VPNs are only instigated from my head-end site and that a particular supplier on my site can only start a VPN to their site. I've taken out the security association stuff etc. from the config below. PDF drawing also attached.
Many thanks
Mick
! Security 0 lowest to 100 highest
nameif ethernet0 outside security0
nameif vlan625 supplier1 security10
nameif vlan626 supplier2 security20
! inside is the mgmt VLAN
nameif ethernet1 inside security100
! Create One access list to define the networks at either end of each VPN from a vendor
! These are used by crypto map VPN-supplier ##, where ## is the No pertaining to the Vendor
! i.e. supplier1 remote end network is 192.168.150.0 255.255.255.0
access-list supplier1 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0
access-list supplier1 deny ip any any
!
! i.e. supplier2 remote end network is 172.25.100.0 255.255.255.0
access-list supplier2 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0
access-list supplier2 deny ip any any
!
access-list no-outbound remark Deny any non-VPN outbound initiated access from within supplier mgmt network
access-list no-outbound remark -add permits for each Vendor VPN, deny any other outbound traffic
access-list no-outbound permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0
access-list no-outbound permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0
access-list no-outbound deny ip any any
!
ip address outside 131.x.x.x.255.255.0
ip address inside 172.25.48.33 255.255.255.248
ip address supplier1 172.25.48.41 255.255.255.248
ip address supplier2 172.25.48.49 255.255.255.240
!
! NAT exemption for the VPN
nat (inside) 0 access-list no-outbound
! stop any outbound access to native Internet services, only VPNs
access-group no-outbound in interface inside
!
route outside 141.141.x.y 255.255.255.0 131.x.x.130 1
route outside 142.142.x.y 255.255.255.0 131.x.x.130 1
!
! permit IPSEC incoming by bypassing any access-list checks
sysopt connection permit-ipsec
!
! crypto map vpn-supplier ## for each IPSEC VPN peer
crypto map vpn-supplier 20 match address supplier1
crypto map vpn-supplier 20 set peer 141.141.x.y
! crypto map vpn-supplier ## for each IPSEC VPN peer
crypto map vpn-supplier 30 match address supplier2
crypto map vpn-supplier 30 set peer 142.142.x.y
!
! apply crypto map to the outside interface
crypto map vpn-supplier interface outside
!
! define security association parameters for IPSEC VPN
isakmp enable outside
isakmp key <secret1> address 141.141.x.y netmask 255.255.255.255
isakmp key <secret2> address 142.142.x.y netmask 255.255.255.255
12-15-2004 02:35 PM
Check the following link...
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:IPSec
12-16-2004 01:50 AM
I've had a look through the IPSec Technologies pages but its not obvious to me exactly what I can change to the config. Any more specific help would be appreciated.
Thanks
Mick
12-16-2004 03:21 AM
Your posted config is really fuzzy, and the description of what you're trying to do made it worse for me. But let's see how close I am to what you want to do:
- Isolate vlan625 from 626
- Isolate supplier1 from 2
- Give inside (mgmt) access to vlan625 and 626 (not supplier1 and supplier2)
If so, see if this makes sense to you:
Assume:
acl_out = outside
acl_vlan625 = vlan625
acl_vlan626 = vlan626
acl_in = inside
no sysopt conn permit-ipsec.
By removing the permit-ipsec, you'll need the next two ACLs to allow VPN traffic terminating outside, into your higher interfaces, in this case vlan625 and vlan626.
access-list acl_out permit ip 192.168.150.0 255.255.255.0 172.25.48.40 255.255.255.248
access-list acl_out permit ip 172.25.100.0 255.255.255.0 172.25.48.48 255.255.255.240
access-group acl_out in interface outside
- Permit traffic from SUPPLIERx into VLANx, and Block everything else (no need for deny after assigning access-group)
access-list acl_vlan625 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0
access-group acl_vlan625 in interface vlan625
access-list acl_vlan626 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0
access-group acl_vlan626 in interface vlan626
- Permit VLANx into Inside
access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.48 255.255.255.240
access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.40 255.255.255.248
access-group acl_in in interface inside
Now, all you need to do is to get your NAT settings set up to allow access from Inside->VLAN62x.
I guess you wouldn't need any other NAT translations from VLANx to Outside.
Don't forget to do nat (vlan62x) 0 access-list acl_nat0
acl_nat0 =
access-list acl_nat0 permit ip
You need two of them of course.
I hope this helps.
Double-check IP address and mask.
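The answer above ends with "double-check IP address and mask", and that is the part of this design that fails silently: an inbound ACL whose source network is not actually the subnet behind its interface never matches, and the implicit deny then drops everything. The following is an added example, not code from the thread or from Cisco; it models the PIX first-match/implicit-deny evaluation for plain `access-list NAME permit|deny ip SRC MASK DST MASK` entries, binds them to interfaces the way `access-group ... in interface` does, and checks the isolation properties the answer is after (supplier1 cannot reach supplier2 or inside, inside can reach both supplier VLANs). The interface subnets are taken from the original post's `ip address` lines; the ACL text and the `dead_entries` check (which flags an entry whose source cannot appear on the interface it is bound to, such as `172.25.48.0` typed for the `172.25.48.32/29` inside network) are constructed for this example and are not PIX features.

```python
import ipaddress
from dataclasses import dataclass

# Interface subnets, constructed from the "ip address" lines in the original post.
INTERFACES = {
    "inside": ipaddress.ip_network("172.25.48.32/29"),   # mgmt VLAN, 172.25.48.33 /29
    "vlan625": ipaddress.ip_network("172.25.48.40/29"),  # supplier1
    "vlan626": ipaddress.ip_network("172.25.48.48/28"),  # supplier2
}

# Constructed ACL text in the shape of the answer's acl_vlan625 / acl_vlan626 / acl_in.
# acl_in uses 172.25.48.32, the network address of the inside subnet.
PIX_ACLS = """\
access-list acl_vlan625 remark supplier1 may only talk to its own remote network
access-list acl_vlan625 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0
access-list acl_vlan626 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0
access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.48 255.255.255.240
access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.40 255.255.255.248
"""

# "access-group NAME in interface IFACE" bindings from the answer (constructed).
ACCESS_GROUPS = {"vlan625": "acl_vlan625", "vlan626": "acl_vlan626", "inside": "acl_in"}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of the token list."""
    if tokens[0] == "any":
        del tokens[0]
        return ANY
    addr, mask = tokens[0], tokens[1]
    del tokens[:2]
    # Default strict parsing: a misaligned address such as 172.25.48.41 /29 raises ValueError,
    # which is exactly the "double-check IP address and mask" error we want surfaced.
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_acls(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into {name: [Ace, ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        name, action, rest = tokens[1], tokens[2], tokens[4:]
        src = _network(rest)
        dst = _network(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line}")
        acls.setdefault(name, []).append(Ace(action, src, dst))
    return acls


def permitted(acls, groups, ingress, src_ip, dst_ip):
    """First-match evaluation of the inbound ACL on `ingress`, implicit deny at the end.
    An interface with no access-group gets the implicit deny too (the answer's point that
    no trailing 'deny ip any any' is needed once an access-group is applied)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls.get(groups.get(ingress, ""), []):
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def dead_entries(acls, groups, interfaces):
    """Return (acl, source, interface) for entries whose source network cannot
    appear inbound on the interface they are bound to. They never match, so a
    typo like 172.25.48.0 for the 172.25.48.32/29 inside network blocks everything."""
    dead = []
    for iface, name in groups.items():
        for ace in acls.get(name, []):
            if ace.src != ANY and not ace.src.overlaps(interfaces[iface]):
                dead.append((name, str(ace.src), iface))
    return dead


if __name__ == "__main__":
    acls = parse_acls(PIX_ACLS)
    print("supplier1 -> its remote net:", permitted(acls, ACCESS_GROUPS, "vlan625", "172.25.48.42", "192.168.150.10"))
    print("supplier1 -> supplier2     :", permitted(acls, ACCESS_GROUPS, "vlan625", "172.25.48.42", "172.25.48.50"))
    print("supplier1 -> inside        :", permitted(acls, ACCESS_GROUPS, "vlan625", "172.25.48.42", "172.25.48.34"))
    print("inside    -> supplier1     :", permitted(acls, ACCESS_GROUPS, "inside", "172.25.48.34", "172.25.48.42"))
    print("dead entries:", dead_entries(acls, ACCESS_GROUPS, INTERFACES))
```

Run it once against the ACLs you intend to deploy and once more after every change to an interface address; the `dead_entries` check is the cheap way to catch the mismatch the answer warns about before the mgmt VLAN loses access.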