Newbie help. Site to Site VPN between cisco 1941 and Sophos UTM

benjamin.molloy
Level 1

Hi,

I am trying to establish a site-to-site VPN (IPsec) between a 1941/K9 and a Sophos UTM (SG330) but have had no luck and have come to a dead end.

The Cisco 1941 side consists of subnet 192.168.250.0/24 and the Sophos side is 192.168.0.0/24.

1941 config below

Building configuration...

Current configuration : 5712 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable password $%^$@&@
!
no aaa new-model
!
!
!
memory-size iomem 10
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.250.1
ip dhcp excluded-address 192.168.250.220 192.168.250.254
ip dhcp excluded-address 192.168.250.2 192.168.250.149
!
ip dhcp pool CUSTOMER_LAN_POOL
   network 192.168.250.0 255.255.255.0
   dns-server 192.168.250.55
   default-router 192.168.250.254
!
!
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-991708583
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-991708583
 revocation-check none
 rsakeypair TP-self-signed-991708583
!
!
crypto pki certificate chain TP-self-signed-991708583
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn FGL154424DE
!
!
username xxxxxxx privilege 15 secret 5 $1$FAud$ixx7yHv7HqJOyZqMhpQt9/
!
redundancy
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password address 43.225.x.x
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set SunriseExchangetrans esp-3des esp-md5-hmac
!
!
crypto map SunriseExchangevpn 10 ipsec-isakmp
 set peer 43.225.x.x
 set transform-set SunriseExchangetrans
 set pfs group2
 match address 100
!
!
bridge irb
!
!
!
!
interface Loopback1
 no ip address
 !
!
interface GigabitEthernet0/0
 description Customer LAN
 ip address 192.168.250.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
!
interface GigabitEthernet0/1
 description Connection to internet
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map SunriseExchangevpn
 !
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1436
 dialer pool 1
 ppp chap hostname xxxxxx@pig.tpg.com.au
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxxxxx@pig.tpg.com.au password 0 xxxxxxxx
 ppp ipcp route default
 no cdp enable
 !
!
ip forward-protocol nd
!
ip pim bidir-enable
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 22 interface Dialer1 overload
ip nat inside source static tcp 192.168.250.55 3389 interface Dialer1 3389
ip nat inside source route-map internetnat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended acl_nat
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 22 permit 192.168.250.0 0.0.0.255
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.254 192.168.0.0 0.0.0.255
!
!
!
!
route-map SunriseExchangenat permit 10
 match ip address 101
!
route-map internetnat permit 20
 match ip address 102
!
route-map nonat permit 10
 match ip address 120
!
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
!
control-plane
 !
!
!
line con 0
 login local
 transport output all
line aux 0
 transport output all
line vty 0 2
 access-class 22 in
 exec-timeout 20 0
 privilege level 15
 password xxxxxxx
 login local
 transport input telnet
line vty 3 4
 access-class 23 in
 exec-timeout 20 0
 privilege level 15
 password xxxxxxxx
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Router#

1 Reply

JP Miranda Z
Cisco Employee

Hi benjamin.molloy,

Take into consideration the ***:

crypto map SunriseExchangevpn 10 ipsec-isakmp
 set peer 43.225.x.x
 set transform-set SunriseExchangetrans
 set pfs group2
 match address 100

access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255

ip access-list extended acl_nat
 permit ip 192.168.250.0 0.0.0.255 any   *** The permit should be at the end, since you need to deny the traffic so it is not going to be NATted and then permit any:

ip access-list extended acl_nat
 deny ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.250.0 0.0.0.255 any

route-map nonat permit 10   *** I found this route map but I don't see any ACL 120 or this one applied on the NAT.
 match ip address 120

ip nat inside source list acl_nat interface Dialer1 overload   *** Considering your configuration I will add this line so the nonat is going to take effect.

After doing that you can send traffic and run the following commands:

sh cry isa sa 

sh cry ipsec sa peer 43.225.x.x

Hope this info helps!!

Rate if helps you!! 

-JP-
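The ordering point in the reply, as an added example that is not part of the thread: a small Python simulation of the top-down, first-match evaluation IOS applies to a NAT ACL, run over acl_nat as posted and as reordered, to show that with permit-first the LAN-to-Sophos traffic is translated (and so never matches crypto ACL 100), while deny-first exempts it and still translates internet traffic. The function names and the two sample flows (192.168.250.10 to 192.168.0.20 and to 8.8.8.8) are my own constructions; only the ACL lines come from the page.

```python
from ipaddress import IPv4Address

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: only bits that are 0 in the wildcard must match."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def _operand(tok, i):
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_acl(text: str) -> list:
    """Parse the permit/deny lines of an 'ip access-list extended' block into
    (action, src, src_wildcard, dst, dst_wildcard) tuples; protocol 'ip' only."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header and blanks
        src, src_w, i = _operand(tok, 2)
        dst, dst_w, _ = _operand(tok, i)
        aces.append((tok[0], src, src_w, dst, dst_w))
    return aces

def will_be_natted(acl: list, src: str, dst: str) -> bool:
    """Top-down, first match wins; the implicit deny at the end means 'not translated'."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

# acl_nat exactly as posted in the running config, and as reordered in the reply.
ORIGINAL_ACL_NAT = """ip access-list extended acl_nat
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255"""
CORRECTED_ACL_NAT = """ip access-list extended acl_nat
 deny   ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.250.0 0.0.0.255 any"""

def nat_decisions(acl_text: str) -> dict:
    """Constructed sample flows: one host to the Sophos LAN (should ride the tunnel,
    so must NOT be translated), one to the internet (should be translated)."""
    acl = parse_acl(acl_text)
    return {"vpn": will_be_natted(acl, "192.168.250.10", "192.168.0.20"),
            "internet": will_be_natted(acl, "192.168.250.10", "8.8.8.8")}
```

Note that the posted running config also still has `ip nat inside source list 22 interface Dialer1 overload`, and standard ACL 22 permits all of 192.168.250.0/24 with no deny, so that statement would keep translating the VPN traffic regardless of how acl_nat is ordered.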