12-09-2013 09:54 AM
Having issues with a router that I took over management of from another tech who liked to use SDM to make his config files. Here is what I am trying to accomplish:
The VPN parameters are as follows:
Peer IP: 174.XXX.XXX.1
Remote Network: 174.XXX.XXX.16/28
IPSec Phase 1
Hashing: SHA1
Authentication: PSK (I'll relay this over the phone)
Group: DH Group 2
Lifetime: 86,400 seconds
Encryption: AES-256
Mode: Main
IPSec Phase 2
Hashing: SHA1
Encryption: AES-256
Lifetime: 28,800 seconds, 4,608,000 kilobytes
PFS: Group 2
Additional network configuration
Client traffic:
Clients at your site would ideally be NAT'd to your peer IP, but we can work out an alternative if this is not feasible.
SuccessEHS NAS/file share traffic:
The peer IP (or substitute) will need TCP ports 137, 139, and 445, and UDP ports 137 and 138 forwarded to your file share/NAS IP.
Here is the current config:
!
! Last configuration change at 11:44:57 PCTime Fri Nov 15 2013 by mhcnetadmin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname mhc-mccloud-881w
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 4 vT1FrQfvI1nAc7a8EtFNInJZAS.QKGsv5RLzMpaQSUA
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -8 0
clock summer-time PDT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3594840092
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3594840092
revocation-check none
rsakeypair TP-self-signed-3594840092
!
!
crypto pki certificate chain TP-self-signed-3594840092
certificate self-signed 01
{Cert Removed}
quit
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name yrekacpas.local
ip name-server 192.168.10.10
ip name-server 8.8.8.8
ip port-map user-RWW port tcp 987
ip port-map user-RDP port tcp 3389
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX163987LN
!
!
username mhcnetadmin privilege 15 secret 4 vT1FrQfvI1nAc7a8EtFNInJZAS.QKGsv5RLzMpaQSUA
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-ldap-1
match access-group 104
match protocol ldap
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-user-RDP-1
match access-group 105
match protocol user-RDP
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-6
match class-map sdm-mgmt-cls-0
match access-group 116
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-5
match class-map sdm-mgmt-cls-0
match access-group 115
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-4
match class-map sdm-mgmt-cls-0
match access-group 114
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-3
match class-map sdm-mgmt-cls-0
match access-group 113
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-2
match class-map sdm-mgmt-cls-0
match access-group 112
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-1
match class-map sdm-mgmt-cls-0
match access-group 111
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 110
class-map type inspect match-all sdm-nat-user-RWW-1
match access-group 103
match protocol user-RWW
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-RWW-1
inspect
class type inspect sdm-nat-ldap-1
inspect
class type inspect sdm-nat-user-RDP-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-mgmt-cls-ccp-permit-0
inspect
class type inspect sdm-mgmt-cls-ccp-permit-1
inspect
class type inspect sdm-mgmt-cls-ccp-permit-2
inspect
class type inspect sdm-mgmt-cls-ccp-permit-3
inspect
class type inspect sdm-mgmt-cls-ccp-permit-4
inspect
class type inspect sdm-mgmt-cls-ccp-permit-5
inspect
class type inspect sdm-mgmt-cls-ccp-permit-6
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key {Key Removed} address 24.XXX.XXX.47
!
!
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set RTRtran
!
!
!
!
!
!
interface Tunnel10
description Tunnel to Dunsmuir
ip address 10.0.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1100
tunnel source 64.XXX.XXX.99
tunnel mode ipsec ipv4
tunnel destination 24.XXX.XXX.47
tunnel protection ipsec profile VTI
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export version 5
ip flow-export destination 192.168.10.10 2055
!
ip nat inside source static tcp 192.168.10.10 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.10.10 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.10.10 987 interface FastEthernet4 987
ip nat inside source static tcp 192.168.10.10 389 interface FastEthernet4 33389
ip nat inside source static tcp 192.168.10.10 3389 interface FastEthernet4 3389
ip nat inside source list 1 interface FastEthernet4 overload
ip route 192.168.11.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.10.10
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.10.10
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip 216.XXX.XXX.64 0.0.0.15 any
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip host 216.XXX.XXX.226 any
access-list 105 permit ip 216.XXX.XXX.96 0.0.0.15 any
access-list 105 permit ip host 68.XXX.XXX.186 any
access-list 105 permit ip host 216.XXX.XXX.243 any
access-list 105 permit ip host 108.XXX.XXX.20 any
access-list 105 permit ip host 76.XXX.XXX.177 any
access-list 110 remark Auto generated by SDM Management Access feature
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 216.XXX.XXX.50 any
access-list 111 remark Auto generated by SDM Management Access feature
access-list 111 remark CCP_ACL Category=1
access-list 111 permit ip host 12.XXX.XXX.55 any
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark CCP_ACL Category=1
access-list 112 permit ip 216.XXX.XXX.96 0.0.0.15 any
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark CCP_ACL Category=1
access-list 113 permit ip host 216.XXX.XXX.226 any
access-list 114 remark Auto generated by SDM Management Access feature
access-list 114 remark CCP_ACL Category=1
access-list 114 permit ip host 216.XXX.XXX.243 any
access-list 115 remark Auto generated by SDM Management Access feature
access-list 115 remark CCP_ACL Category=1
access-list 115 permit ip host 76.XXX.XXX.177 any
access-list 116 remark Auto generated by SDM Management Access feature
access-list 116 remark CCP_ACL Category=1
access-list 116 permit ip host 108.XXX.XXX.20 any
no cdp run
!
!
!
!
snmp-server community {Removed} RO
snmp-server trap-source Vlan1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps cpu threshold
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler interval 500
ntp server 173.XXX.XXX.10 source FastEthernet4
ntp server 216.XXX.XXX.142 source FastEthernet4
ntp server 131.XXX.XXX.100 prefer source FastEthernet4
ntp server 184.XXX.XXX.247 source FastEthernet4
end
12-11-2013 04:11 PM
Wanted to know if this will do the trick. I marked the lines I will be deleting with an "X" and the ones I am adding with a "-" so that they can be checked for clarity. I removed the zone-based firewall filtering from the tunnel, created a crypto map and applied it to the tunnel interface. Please help.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key k65QqZemD2RXKwZGsHwhmYhwCY address 24.49.206.47
crypto isakmp key ca1528maj2simidk8o5ty address 174.46.127.1
!
!
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
crypto ipsec transform-set SuccessEHSTran esp-aes 256 esp-sha-hmac
!
X crypto ipsec profile VTI
set transform-set RTRtran
!
- crypto map VPNTunnels 1 ipsec-isakmp
description Tunnel to 24.49.206.47
set transform-set SuccessEHSTran
set peer 24.49.206.47
match address 108
- crypto map VPNTunnels 2 ipsec-isakmp
description Tunnel to 174.46.127.1
set transform-set SuccessEHSTran
set peer 174.46.127.1
match address 106
!
!
!
!
!
interface Tunnel10
description Tunnel to Dunsmuir
ip address 10.0.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
X zone-member security in-zone
ip tcp adjust-mss 1100
X tunnel source 64.139.253.99
X tunnel mode ipsec ipv4
X tunnel destination 24.49.206.47
X tunnel protection ipsec profile VTI
- crypto map VPNTunnels
ip route 192.168.11.0 255.255.255.0 10.0.0.2
- ip route 174.46.127.16 255.255.255.240 Tunnel10
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 105 permit ip host 76.246.248.177 any
- access-list 106 permit ip 192.168.10.0 0.0.0.255 174.46.127.16 0.0.0.15
- access-list 106 permit ip 192.168.11.0 0.0.0.255 174.46.127.16 0.0.0.15
- access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 remark Auto generated by SDM Management Access feature
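As an added check (my own example, not code from the post or from Cisco): a small Python audit that fills in IOS defaults for lines that are absent and then compares the ISAKMP policy, the transform-set and the crypto map entry for a given peer against the Phase 1 / Phase 2 sheet in the first post. The sample config and the peer address 198.51.100.1 are constructed placeholders modelled on the proposed config; the defaults used (ISAKMP hash SHA and lifetime 86400, PFS off, IPsec SA lifetime 3600 s / 4608000 KB) are IOS defaults, stated here as my assumption.

```python
# Added example, not from the post: audit an IOS config against the peer's Phase 1 / Phase 2
# sheet. Lines that are absent are filled with IOS defaults (assumed) before comparing.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
ISAKMP_REQUIRED = {"encr": "aes 256", "hash": "sha", "authentication": "pre-share",
                   "group": "2", "lifetime": "86400"}
MAP_DEFAULTS = {"set pfs": None, "set security-association lifetime seconds": "3600",
                "set security-association lifetime kilobytes": "4608000"}
MAP_REQUIRED = {"set pfs": "group2", "set security-association lifetime seconds": "28800",
                "set security-association lifetime kilobytes": "4608000"}
TRANSFORM_REQUIRED = "esp-aes 256 esp-sha-hmac"
# Constructed sample modelled on the proposed config; the peer address is a placeholder.
SAMPLE = """\
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set SuccessEHSTran esp-aes 256 esp-sha-hmac
crypto map VPNTunnels 2 ipsec-isakmp
 set transform-set SuccessEHSTran
 set peer 198.51.100.1
"""

def parse_blocks(config):
    """Return {header: [sub-lines]}; pastes lose indentation, so 'crypto ...' starts a block."""
    blocks, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("crypto "):
            current, blocks[line] = line, []
        elif current is not None and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks

def audit(config, peer):
    """Return a list of mismatches; an empty list means both phases match the sheet."""
    blocks, findings = parse_blocks(config), []
    policies = [dict(ISAKMP_DEFAULTS, **dict(l.split(" ", 1) for l in sub if " " in l))
                for h, sub in blocks.items() if h.startswith("crypto isakmp policy")]
    if not any(all(p[k] == v for k, v in ISAKMP_REQUIRED.items()) for p in policies):
        findings.append("no ISAKMP policy offers AES-256 / SHA1 / PSK / DH group 2 / 86400 s")
    entry = next((h for h, sub in blocks.items()
                  if h.startswith("crypto map") and f"set peer {peer}" in sub), None)
    if entry is None:
        return findings + [f"no crypto map entry with 'set peer {peer}'"]
    got = dict(MAP_DEFAULTS, **{k: l[len(k) + 1:] for l in blocks[entry]
                                for k in MAP_DEFAULTS if l.startswith(k + " ")})
    findings += [f"{entry}: {k} is {got[k]}, want {v}" for k, v in MAP_REQUIRED.items() if got[k] != v]
    ts = next((l.split()[-1] for l in blocks[entry] if l.startswith("set transform-set ")), None)
    if f"crypto ipsec transform-set {ts} {TRANSFORM_REQUIRED}" not in blocks:
        findings.append(f"{entry}: transform-set {ts} is not {TRANSFORM_REQUIRED}")
    return findings
```

Run against the proposed config above, this reports that the map entry for the new peer has no `set pfs group2` and leaves the IPsec SA lifetime at the 3600-second default, both of which the peer's sheet specifies; the 4608000 KB lifetime needs no line because it already equals the default.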