08-13-2016 09:17 AM
Hi,
I am trying to establish a site-to-site VPN (IPsec) between a 1941/K9 and a Sophos UTM (SG330) but have had no luck and have come to a dead end.
The Cisco 1941 side consists of subnet 192.168.250.0/24 and the Sophos side is 192.168.0.0/24.
1941 config below:
Building configuration...
Current configuration : 5712 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable password $%^$@&@
!
no aaa new-model
!
!
!
memory-size iomem 10
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.250.1
ip dhcp excluded-address 192.168.250.220 192.168.250.254
ip dhcp excluded-address 192.168.250.2 192.168.250.149
!
ip dhcp pool CUSTOMER_LAN_POOL
network 192.168.250.0 255.255.255.0
dns-server 192.168.250.55
default-router 192.168.250.254
!
!
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-991708583
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-991708583
revocation-check none
rsakeypair TP-self-signed-991708583
!
!
crypto pki certificate chain TP-self-signed-991708583
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FGL154424DE
!
!
username xxxxxxx privilege 15 secret 5 $1$FAud$ixx7yHv7HqJOyZqMhpQt9/
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key password address 43.225.x.x
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set SunriseExchangetrans esp-3des esp-md5-hmac
!
!
crypto map SunriseExchangevpn 10 ipsec-isakmp
set peer 43.225.x.x
set transform-set SunriseExchangetrans
set pfs group2
match address 100
!
!
bridge irb
!
!
!
!
interface Loopback1
no ip address
!
!
interface GigabitEthernet0/0
description Customer LAN
ip address 192.168.250.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
!
interface GigabitEthernet0/1
description Connection to internet
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map SunriseExchangevpn
!
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1436
dialer pool 1
ppp chap hostname xxxxxx@pig.tpg.com.au
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxxxxx@pig.tpg.com.au password 0 xxxxxxxx
ppp ipcp route default
no cdp enable
!
!
ip forward-protocol nd
!
ip pim bidir-enable
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 22 interface Dialer1 overload
ip nat inside source static tcp 192.168.250.55 3389 interface Dialer1 3389
ip nat inside source route-map internetnat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended acl_nat
permit ip 192.168.250.0 0.0.0.255 any
deny ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 22 permit 192.168.250.0 0.0.0.255
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.254 192.168.0.0 0.0.0.255
!
!
!
!
route-map SunriseExchangenat permit 10
match ip address 101
!
route-map internetnat permit 20
match ip address 102
!
route-map nonat permit 10
match ip address 120
!
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
!
control-plane
!
!
!
line con 0
login local
transport output all
line aux 0
transport output all
line vty 0 2
access-class 22 in
exec-timeout 20 0
privilege level 15
password xxxxxxx
login local
transport input telnet
line vty 3 4
access-class 23 in
exec-timeout 20 0
privilege level 15
password xxxxxxxx
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Router#
08-15-2016 11:44 AM
Hi benjamin.molloy,
Take into consideration the ***:
crypto map SunriseExchangevpn 10 ipsec-isakmp
set peer 43.225.x.x
set transform-set SunriseExchangetrans
set pfs group2
match address 100
access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended acl_nat
permit ip 192.168.250.0 0.0.0.255 any
**** The permit should be at the end, since you need to deny the traffic first so it is not going to be NATted, and then permit any.
ip access-list extended acl_nat
deny ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.250.0 0.0.0.255 any
route-map nonat permit 10 *** I found this route map, but I don't see any ACL 120 or this route map applied on the NAT.
match ip address 120
ip nat inside source list acl_nat interface Dialer1 overload *** Considering your configuration, I will add this line so the nonat is going to take effect.
After doing that you can send traffic and run the following commands:
sh cry isa sa
sh cry ipsec sa peer 43.225.x.x
Hope this info helps!!
Rate if it helps you!!
-JP-
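To show why the entry order in acl_nat matters, here is a small first-match ACL simulator (added example, not from the thread or from Cisco). It models IOS wildcard masks, the implicit deny, and the inside-to-outside order of operations where NAT runs before the crypto map is consulted; the Dialer1 public address is a constructed placeholder.

```python
import ipaddress

# ACL entries as (action, src, src_wildcard, dst, dst_wildcard); "any" is 0.0.0.0 255.255.255.255.
# Constructed from the thread: the poster's acl_nat as written, and JP's reordered version.
ORIGINAL_ACL_NAT = [
    ("permit", "192.168.250.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
]
FIXED_ACL_NAT = [
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.250.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
# Crypto ACL 100 from the config: the interesting traffic for the IPsec tunnel.
CRYPTO_ACL_100 = [("permit", "192.168.250.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")]
# Placeholder (constructed, not the poster's real address) for the negotiated PPPoE address.
DIALER1_PUBLIC_IP = "203.0.113.7"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def will_be_natted(acl_nat, src: str, dst: str) -> bool:
    """A 'permit' in the NAT ACL means the packet is translated (overload PAT)."""
    return acl_action(acl_nat, src, dst) == "permit"


def outbound_path(acl_nat, src: str, dst: str) -> str:
    """Inside-to-outside on IOS: NAT is applied before the crypto map is checked,
    so a translated packet no longer carries its LAN source when ACL 100 is evaluated."""
    if will_be_natted(acl_nat, src, dst):
        src = DIALER1_PUBLIC_IP
    return "encrypted" if acl_action(CRYPTO_ACL_100, src, dst) == "permit" else "cleartext"


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_NAT), ("fixed", FIXED_ACL_NAT)):
        print(name, "LAN->Sophos:", outbound_path(acl, "192.168.250.10", "192.168.0.20"),
              "| LAN->Internet natted:", will_be_natted(acl, "192.168.250.10", "8.8.8.8"))
```

With the original order the LAN-to-Sophos packet is translated first and then fails to match ACL 100, so it leaves in the clear towards the internet instead of entering the tunnel; with the deny moved first it is exempted from NAT and encrypted, while ordinary internet traffic is still translated.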