cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1455
Views
0
Helpful
7
Replies
Highlighted

Site to Site VPN Configuration Issue 2911 to SA540

Good morning. I am attempting to establish a Site To Site VPN between our SA540 and 2911 routers and somewhere I have a misconfiguration that eludes me. I suspect maybe in the 2911 Transform Set? Here is the output from the SA540. Thanks so much for your time as always!

Wed Jun 12 09:50:03 2013 (GMT -0400): [Cisco] [IKE] INFO:  Adding IPSec configuration with identifier "PL-GW1-TPA"

Wed Jun 12 09:50:03 2013 (GMT -0400): [Cisco] [IKE] INFO:  Adding IKE configuration with identifier "PL-GW1-TPA"

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:  accept a request to establish IKE-SA: 97.76.78.218

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:  Configuration found for 97.76.78.218.

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:  Configuration found for 97.76.78.218.

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:  Initiating new phase 1 negotiation: 67.78.146.158[500]<=>97.76.78.218[500]

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:  Beginning Identity Protection mode.

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Wed Jun 12 09:50:32 2013 (GMT -0400): [Cisco] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9

Wed Jun 12 09:51:03 2013 (GMT -0400): [Cisco] [IKE] ERROR:  Invalid SA protocol type: 0

Wed Jun 12 09:51:03 2013 (GMT -0400): [Cisco] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.

7 REPLIES 7
Highlighted

Site to Site VPN Configuration Issue 2911 to SA540

Hi Ross,Can you check if you are using DH group in phase 2. If yes, make sure that you have the same DH group both sites.

DH1 = 512 and DH2 = 1024 bits. So make sure that the DH values are correct and also match the transform set.

Also, make sure that if NATTING is happening on the external part ( UDP 500 and 4500 is open)

If you can share the Router's configuration, we would be sure shot with the policies mismatch occuring at which line.

Regards,
Abhishek Purohit
CCIE-S- 35269

Regards, Abhishek Purohit CCIE-S- 35269
Highlighted

Re: Site to Site VPN Configuration Issue 2911 to SA540

Hello Abhishek,

I'm sorry for the delay in reply, I wasn't (I think) notified of your response. I am fairly new to the 2911 router so please bear with me a bit. I have been able to establish the tunnels from the 2911 to the SA540/520 but the tunnels keep collapsing after @ 10 mins or so, the 2911 in CCP shows the tunnels established but the SA540 shows them disconnected and I cannot ping etc. If I reload the 2911 they come back up for a few minutes and then go down again. I am posting the router config. I need to stablize the tunnels and keep them open. Please let me know what information I can provide. My VPN client which was also working is now down (Peer not responding) so Im kinda at a loss. Thanks very much!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname pl-gw1-tpa

!

boot-start-marker

boot-end-marker

!

!

logging buffered 52000

enable secret 5 $1$PY04$lr7M7hXShNpHY2OFzi8Yj1

enable password 7 153F080F1126272B3D216C71415757

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication enable default enable

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

!

clock timezone NewYork -5 0

clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

ip dhcp excluded-address 10.0.15.1 10.0.15.9

ip dhcp excluded-address 10.0.15.21 10.0.15.30

ip dhcp excluded-address 192.168.10.1

!

ip dhcp pool ccp-pool1

network 10.0.15.0 255.255.255.224

domain-name platautofinance.com

dns-server 208.67.220.220 208.67.222.222

default-router 10.0.15.1

!

ip dhcp pool LAN_POOL

import all

network 192.168.10.0 255.255.255.224

domain-name platuautofinance.com

dns-server 192.168.10.2 208.67.220.220

option 150 ip 192.168.10.29

default-router 192.168.10.1

lease 0 8

!

!

no ip bootp server

ip domain name platautofinance.com

ip name-server 208.67.220.220

ip name-server 208.67.222.222

ip name-server 8.8.4.4

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3265635853

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3265635853

revocation-check none

rsakeypair TP-self-signed-3265635853

!

!

crypto pki certificate chain TP-self-signed-3265635853

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33323635 36333538 3533301E 170D3133 30363137 31363035

  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32363536

  33353835 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100920C 1E8282C0 73A070FD D38CE7FA 9BFB28A9 2DBB650A E2BDBE39 DE6973B6

  E7D3B5B0 1CB17B0C BD1EDF5A 71110AF8 A284BD91 E53F8759 4983DBBD E30F21AA

  FEA356E8 0ECA20AC FA3A7182 8124C4F5 338EA780 24B05B3E EFF044E4 2D32805F

  10E34A2A 92D88F7F BEC18A26 C81F719B 4F40B442 3AA29410 362C2831 579DC2FF

  784B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 1482EF2E AA9A36F0 5E63266D 42493D85 2DC1474A 38301D06

  03551D0E 04160414 82EF2EAA 9A36F05E 63266D42 493D852D C1474A38 300D0609

  2A864886 F70D0101 05050003 81810000 03FA4A1B 645F0399 C5BA4EBD 2CE916F7

  9CE5066E D95E0666 EB3AC88D FDEFEBBC 38207B55 B2803706 2DAA39F4 0635DAF9

  860C3D5F 8CB68A8C D07F9669 260ECCCE 1C6A94B7 6CC6D15F 6B2E35C4 78AF2469

  A138ECA9 72C6BC5E 8C6ADEFF 5896B228 32B19F52 7A938A05 A59B4421 13ADFAE9

  413DC2DF FF0A9CB3 5B9D3E3E B383B5

   quit

license udi pid CISCO2911/K9 sn FGL162410ZE

license boot module c2900 technology-package securityk9

!

!

object-group service Asterisk

description SIP Communication Settings

udp eq 5060

udp range 16384 16482

!

object-group service MSExchange

description Exchange Server Services

tcp eq pop3

tcp eq 143

tcp eq 443

tcp eq smtp

tcp eq www

!

object-group service OpenFire

description Openfire IM Services

tcp eq 7777

tcp range 5222 5223

!

object-group service ReadyDesk

description ReadyDesk Helpdesk Applications

tcp range 7575 7576

tcp eq 8081

!

username cisco privilege 15 password 7 0722224F5B05150A0200525F567A

username blakmoon91 privilege 15 password 7 132814111E0008253E3671606772

!

redundancy

!

!

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key XXXXXXXXXXX address 67.78.146.158

crypto isakmp key XXXXXXXXXXX address 71.40.160.123

crypto isakmp key XXXXXXXXXXX address 98.101.151.234

!

crypto isakmp client configuration group PlatinumVPN

key XXXXXXXXXXXXXX

dns 192.168.10.2 208.67.220.220

domain clearwater.thrifty.com

pool SDM_POOL_1

acl 107

include-local-lan

split-dns clearwater.thrifty.com

pfs

max-users 25

netmask 255.255.255.224

banner ^CYou are connecting to a secure network.

All connections are monitored.

Please contact the MIS IT Department for more information at x1000.       ^C

crypto isakmp profile ciscocp-ike-profile-1

   match identity group PlatinumVPN

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address initiate

   client configuration address respond

   virtual-template 1

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

description Tunnels connecting the branches together.

set security-association lifetime seconds 3600

set transform-set ESP-3DES-SHA

set pfs group2

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to67.78.146.158

set peer 67.78.146.158

set transform-set ESP-3DES-SHA

match address 103

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to71.40.160.123

set peer 71.40.160.123

set transform-set ESP-3DES-SHA

match address 105

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Tunnel to98.101.151.234

set peer 98.101.151.234

set transform-set ESP-3DES-SHA

match address 106

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description INTERNET_UPLINK$ETH-WAN$$FW_OUTSIDE$

ip address 97.76.78.218 255.255.255.248

no ip redirects

ip flow ingress

ip nat outside

ip virtual-reassembly in

load-interval 30

duplex auto

speed auto

no cdp enable

no mop enabled

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/1

description LAN$ETH_LAN$$ETH-LAN$$FW_INSIDE$

ip address 192.168.10.1 255.255.255.224

no ip redirects

ip nbar protocol-discovery

ip flow ingress

ip nat inside

ip virtual-reassembly in

ip verify unicast reverse-path

load-interval 30

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/2

description $ETH-LAN$$FW_INSIDE$

ip address 10.0.15.1 255.255.255.224

no ip redirects

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/0

no ip redirects

ip flow ingress

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

ip local pool SDM_POOL_1 192.168.0.1 192.168.0.25

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip dns server

ip nat inside source route-map SDM_RMAP interface GigabitEthernet0/0 overload

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.13 21 97.76.78.218 21 route-map SDM_RMAP_10 extendable

ip nat inside source static tcp 192.168.10.2 25 97.76.78.218 25 route-map SDM_RMAP_6 extendable

ip nat inside source static udp 192.168.10.29 69 97.76.78.218 69 route-map SDM_RMAP_4 extendable

ip nat inside source static tcp 192.168.10.2 80 97.76.78.218 80 route-map SDM_RMAP_12 extendable

ip nat inside source static tcp 192.168.10.2 110 97.76.78.218 110 route-map SDM_RMAP_15 extendable

ip nat inside source static udp 192.168.10.28 161 97.76.78.218 161 route-map SDM_RMAP_8 extendable

ip nat inside source static tcp 192.168.10.2 443 97.76.78.218 443 route-map SDM_RMAP_9 extendable

ip nat inside source static udp 192.168.10.29 514 97.76.78.218 514 route-map SDM_RMAP_5 extendable

ip nat inside source static tcp 192.168.10.29 3389 97.76.78.218 3389 route-map SDM_RMAP_3 extendable

ip nat inside source static udp 192.168.10.12 5060 97.76.78.218 5060 route-map SDM_RMAP_11 extendable

ip nat inside source static tcp 192.168.10.28 5222 97.76.78.218 5222 route-map SDM_RMAP_14 extendable

ip nat inside source static tcp 192.168.10.28 5223 97.76.78.218 5223 route-map SDM_RMAP_13 extendable

ip nat inside source static tcp 192.168.10.28 8081 97.76.78.218 8081 route-map SDM_RMAP_7 extendable

ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE

!

ip access-list extended NAT_ACL

remark Master NAT_ACL

permit ip any any

!

access-list 100 remark CCP_ACL Category=18

access-list 100 deny   tcp host 192.168.10.13 eq ftp any

access-list 100 deny   tcp host 192.168.10.2 eq smtp any

access-list 100 deny   udp host 192.168.10.29 eq tftp any

access-list 100 deny   tcp host 192.168.10.2 eq www any

access-list 100 deny   tcp host 192.168.10.2 eq pop3 any

access-list 100 deny   udp host 192.168.10.28 eq snmp any

access-list 100 deny   tcp host 192.168.10.2 eq 443 any

access-list 100 deny   udp host 192.168.10.29 eq syslog any

access-list 100 deny   tcp host 192.168.10.29 eq 3389 any

access-list 100 deny   udp host 192.168.10.12 eq 5060 any

access-list 100 deny   tcp host 192.168.10.28 eq 5222 any

access-list 100 deny   tcp host 192.168.10.28 eq 5223 any

access-list 100 deny   tcp host 192.168.10.28 eq 8081 any

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.1

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.2

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.3

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.4

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.5

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.6

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.7

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.8

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.9

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.10

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.11

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.12

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.13

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.14

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.15

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.16

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.17

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.18

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.19

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.20

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.21

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.22

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.23

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.24

access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.25

access-list 100 remark IPSec Rule

access-list 100 deny   ip 192.168.10.0 0.0.0.31 192.168.75.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 deny   ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255

access-list 100 permit ip 192.168.10.0 0.0.0.31 any

access-list 101 remark CCP_ACL Category=16

access-list 101 permit udp any host 97.76.78.218 eq tftp

access-list 101 permit tcp any host 97.76.78.218 eq ftp

access-list 101 permit tcp any host 97.76.78.218 eq 22

access-list 101 permit udp any host 97.76.78.218 eq snmp

access-list 101 permit udp any host 97.76.78.218 eq syslog

access-list 101 permit object-group OpenFire any host 97.76.78.218

access-list 101 permit object-group Asterisk any host 97.76.78.218

access-list 101 permit object-group MSExchange any host 97.76.78.218

access-list 101 permit object-group ReadyDesk any host 97.76.78.218

access-list 102 remark CCP_ACL Category=2

access-list 102 deny   tcp host 192.168.10.13 eq ftp any

access-list 102 deny   tcp host 192.168.10.2 eq smtp any

access-list 102 deny   udp host 192.168.10.29 eq tftp any

access-list 102 deny   tcp host 192.168.10.2 eq www any

access-list 102 deny   tcp host 192.168.10.2 eq pop3 any

access-list 102 deny   udp host 192.168.10.28 eq snmp any

access-list 102 deny   tcp host 192.168.10.2 eq 443 any

access-list 102 deny   udp host 192.168.10.29 eq syslog any

access-list 102 deny   tcp host 192.168.10.29 eq 3389 any

access-list 102 deny   udp host 192.168.10.12 eq 5060 any

access-list 102 deny   tcp host 192.168.10.28 eq 5222 any

access-list 102 deny   tcp host 192.168.10.28 eq 5223 any

access-list 102 deny   tcp host 192.168.10.28 eq 8081 any

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.1

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.2

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.3

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.4

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.5

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.6

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.7

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.8

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.9

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.10

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.11

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.12

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.13

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.14

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.15

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.16

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.17

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.18

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.19

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.20

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.21

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.22

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.23

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.24

access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.25

access-list 102 remark IPSec Rule

access-list 102 deny   ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255

access-list 102 remark IPSec Rule

access-list 102 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255

access-list 102 remark IPSec Rule

access-list 102 deny   ip 192.168.10.0 0.0.0.31 192.168.75.0 0.0.0.255

access-list 102 permit ip 10.0.15.0 0.0.0.31 any

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255

access-list 105 remark CCP_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255

access-list 106 remark CCP_ACL Category=4

access-list 106 remark IPSec Rule

access-list 106 permit ip 192.168.10.0 0.0.0.31 192.168.75.0 0.0.0.255

access-list 107 remark CCP_ACL Category=4

access-list 107 permit ip 192.168.10.0 0.0.0.31 any

access-list 108 remark CCP_ACL Category=2

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.25

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.24

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.23

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.22

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.21

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.20

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.19

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.18

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.17

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.16

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.15

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.14

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.13

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.12

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.11

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.10

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.9

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.8

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.7

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.6

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.5

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.4

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.3

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.2

access-list 108 deny   ip host 192.168.10.29 host 192.168.0.1

access-list 108 permit tcp host 192.168.10.29 eq 3389 any

access-list 109 remark CCP_ACL Category=2

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.25

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.24

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.23

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.22

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.21

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.20

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.19

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.18

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.17

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.16

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.15

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.14

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.13

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.12

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.11

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.10

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.9

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.8

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.7

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.6

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.5

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.4

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.3

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.2

access-list 109 deny   ip host 192.168.10.29 host 192.168.0.1

access-list 109 permit udp host 192.168.10.29 eq tftp any

access-list 110 remark CCP_ACL Category=2

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.25

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.24

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.23

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.22

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.21

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.20

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.19

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.18

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.17

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.16

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.15

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.14

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.13

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.12

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.11

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.10

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.9

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.8

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.7

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.6

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.5

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.4

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.3

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.2

access-list 110 deny   ip host 192.168.10.29 host 192.168.0.1

access-list 110 permit udp host 192.168.10.29 eq syslog any

access-list 111 remark CCP_ACL Category=2

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.25

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.24

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.23

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.22

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.21

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.20

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.19

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.18

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.17

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.16

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.15

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.14

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.13

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.12

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.11

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.10

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.9

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.8

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.7

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.6

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.5

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.4

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.3

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.2

access-list 111 deny   ip host 192.168.10.2 host 192.168.0.1

access-list 111 permit tcp host 192.168.10.2 eq smtp any

access-list 112 remark CCP_ACL Category=2

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.25

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.24

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.23

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.22

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.21

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.20

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.19

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.18

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.17

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.16

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.15

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.14

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.13

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.12

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.11

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.10

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.9

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.8

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.7

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.6

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.5

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.4

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.3

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.2

access-list 112 deny   ip host 192.168.10.28 host 192.168.0.1

access-list 112 permit tcp host 192.168.10.28 eq 8081 any

access-list 113 remark CCP_ACL Category=2

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.25

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.24

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.23

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.22

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.21

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.20

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.19

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.18

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.17

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.16

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.15

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.14

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.13

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.12

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.11

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.10

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.9

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.8

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.7

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.6

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.5

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.4

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.3

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.2

access-list 113 deny   ip host 192.168.10.28 host 192.168.0.1

access-list 113 permit udp host 192.168.10.28 eq snmp any

access-list 114 remark CCP_ACL Category=2

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.25

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.24

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.23

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.22

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.21

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.20

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.19

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.18

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.17

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.16

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.15

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.14

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.13

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.12

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.11

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.10

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.9

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.8

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.7

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.6

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.5

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.4

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.3

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.2

access-list 114 deny   ip host 192.168.10.2 host 192.168.0.1

access-list 114 permit tcp host 192.168.10.2 eq 443 any

access-list 115 remark CCP_ACL Category=2

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.25

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.24

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.23

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.22

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.21

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.20

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.19

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.18

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.17

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.16

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.15

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.14

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.13

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.12

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.11

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.10

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.9

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.8

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.7

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.6

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.5

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.4

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.3

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.2

access-list 115 deny   ip host 192.168.10.13 host 192.168.0.1

access-list 115 permit tcp host 192.168.10.13 eq ftp any

access-list 116 remark CCP_ACL Category=2

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.25

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.24

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.23

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.22

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.21

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.20

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.19

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.18

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.17

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.16

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.15

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.14

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.13

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.12

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.11

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.10

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.9

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.8

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.7

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.6

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.5

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.4

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.3

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.2

access-list 116 deny   ip host 192.168.10.12 host 192.168.0.1

access-list 116 permit udp host 192.168.10.12 eq 5060 any

access-list 117 remark CCP_ACL Category=2

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.25

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.24

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.23

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.22

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.21

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.20

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.19

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.18

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.17

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.16

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.15

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.14

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.13

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.12

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.11

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.10

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.9

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.8

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.7

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.6

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.5

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.4

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.3

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.2

access-list 117 deny   ip host 192.168.10.2 host 192.168.0.1

access-list 117 permit tcp host 192.168.10.2 eq www any

access-list 118 remark CCP_ACL Category=2

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.25

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.24

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.23

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.22

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.21

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.20

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.19

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.18

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.17

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.16

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.15

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.14

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.13

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.12

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.11

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.10

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.9

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.8

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.7

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.6

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.5

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.4

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.3

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.2

access-list 118 deny   ip host 192.168.10.28 host 192.168.0.1

access-list 118 permit tcp host 192.168.10.28 eq 5223 any

access-list 119 remark CCP_ACL Category=2

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.25

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.24

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.23

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.22

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.21

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.20

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.19

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.18

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.17

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.16

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.15

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.14

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.13

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.12

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.11

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.10

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.9

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.8

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.7

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.6

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.5

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.4

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.3

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.2

access-list 119 deny   ip host 192.168.10.28 host 192.168.0.1

access-list 119 permit tcp host 192.168.10.28 eq 5222 any

access-list 120 remark CCP_ACL Category=2

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.25

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.24

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.23

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.22

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.21

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.20

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.19

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.18

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.17

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.16

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.15

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.14

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.13

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.12

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.11

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.10

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.9

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.8

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.7

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.6

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.5

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.4

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.3

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.2

access-list 120 deny   ip host 192.168.10.2 host 192.168.0.1

access-list 120 permit tcp host 192.168.10.2 eq pop3 any

!

no cdp run

!

!

!

route-map SDM_RMAP permit 1

match ip address 100

!

route-map SDM_RMAP_15 permit 1

match ip address 120

!

route-map SDM_RMAP_14 permit 1

match ip address 119

!

route-map SDM_RMAP_11 permit 1

match ip address 116

!

route-map SDM_RMAP_10 permit 1

match ip address 115

!

route-map SDM_RMAP_13 permit 1

match ip address 118

!

route-map SDM_RMAP_12 permit 1

match ip address 117

!

route-map SDM_RMAP_4 permit 1

match ip address 109

!

route-map SDM_RMAP_5 permit 1

match ip address 110

!

route-map SDM_RMAP_6 permit 1

match ip address 111

!

route-map SDM_RMAP_7 permit 1

match ip address 112

!

route-map SDM_RMAP_1 permit 1

match ip address 102

!

route-map SDM_RMAP_3 permit 1

match ip address 108

!

route-map SDM_RMAP_8 permit 1

match ip address 113

!

route-map SDM_RMAP_9 permit 1

match ip address 114

!

route-map RMAP-NAT permit 10

match ip address NAT_ACL

!

!

snmp-server community public RO

snmp-server community ourCommStr RW

snmp-server location Tampa, Florida, USA

snmp-server contact MIS IT Services x1000

snmp-server enable traps snmp linkdown linkup coldstart

snmp-server host 192.168.10.28 version 2c ourCommStr

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 7 02160B5E520F020D494F5D4A

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp server 12.10.191.151 source GigabitEthernet0/0

ntp server 96.226.123.157 source GigabitEthernet0/0

ntp server 129.6.15.30 prefer source GigabitEthernet0/0

end

Highlighted

Re: Site to Site VPN Configuration Issue 2911 to SA540

Hi Ross,

No issues with that.

Please let me know if this is the tunnel with the issue. (Below is the sorted configuration)

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to67.78.146.158

set peer 67.78.146.158

set transform-set ESP-3DES-SHA

match address 103

crypto isakmp key XXXXXXXXXXX address 67.78.146.158

I see two things in the configuration.

1) You have configured ESP-3DES-SHA in the transform-set. You need to confirm this at the other end as well.

2) There is no PFS configured, so this also needs to be checked.

We would need the output of the following debug and we will be using conditional debugging for the specific peer.

  deb crypto condition peer ipv4 67.78.146.158

  deb cry isakmp

  deb cry ipsec

Let me know if this helps.

Regards,
Abhishek Purohit
CCIE-S- 35269

Regards, Abhishek Purohit CCIE-S- 35269
Highlighted

Re: Site to Site VPN Configuration Issue 2911 to SA540

Hello Abhishek,

Thanks very much for the reply. I have done the following to try and help this along:

Yes, the connection in question is 67.78.146.158 but all three routes will be in operation. Once we figure out one I will duplicate to the others, all are 540/520 routers.

I have added the PFS Group 2 to all the connections in the 2911.

I don't know how to add ESP-3DES-SHA to a 540 router, I have it on AutoPolicy but I assume this would be manual policy in VPN connections however I am unsure of the values to put in there as outlined in your #1 above.

I have added the debug commands however nothing in being outputted to the console windows. Perhaps I missed a step to generate the traffic?

I can confirm that both SSH outside access and IPSec VPN clients are not working (they were once before)

SSH is working on the inside.

It almost seems as if traffic is being blocked to the outside interface or NAT rules are in the way? I used to have only 2-3 ACL before CCP generated a huge amount of rules when I tried to add a DMZ for another outside block I own.

Eth2 10.0.15.1  --> 97.76.78.219 for example created huge amount of ACL i didn't have before. I wish to put a couple of webservers there for example.

Thank you so much for your support and help!

      

protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer 67.78.146.158 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 86, #pkts encrypt: 86, #pkts digest: 86
    #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 97.76.78.218, remote crypto endpt.: 67.78.146.158
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x171678B(24209291)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x1CE5CD9D(484822429)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto ma                                                                                                                                                             p: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4504367/86213)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x171678B(24209291)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto ma                                                                                                                                                             p: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4504383/86213)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
     outbound pcp sas:

Highlighted

Re: Site to Site VPN Configuration Issue 2911 to SA540

Hi Ross,

For the SA 540, refer the link (pdf) below.

http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_vpnclient_appnote.pdf

In here you can see the settings and then change the settings accordingly on the router.

Yes, in order to see the debugs, you need to generate the traffic.

For the SSH, I believe you would need to add t lines at the bottom of the 2 route-maps.

I see that it should work as permit is present at the bottom.

access-list 100 permit ip 192.168.10.0 0.0.0.31 any

access-list 102 permit ip 10.0.15.0 0.0.0.31 any

route-map SDM_RMAP permit 1

match ip address 100

Add to ACL 100

access-list 100 permit ip any any

no  access-list 100 permit ip 192.168.10.0 0.0.0.31 any

route-map SDM_RMAP_1 permit 1

match ip address 102

Add to ACL 102

access-list 102 permit ip any any

no access-list 102 permit ip 10.0.15.0 0.0.0.31 any

NOTE: MAKE SURE THAT YOU FIRST ADD PERMIT IP ANY ANY AND THEN REMOVE THE PERMOT IP ANY

Regards,
Abhishek Purohit
CCIE-S- 35269

-- Please rate if post is helpful.

Regards, Abhishek Purohit CCIE-S- 35269
Highlighted

Re: Site to Site VPN Configuration Issue 2911 to SA540

Abhishek,

Thank you again for your continued responses. Yesterday after our discussion I went back and noticed that although I was adding the PFS Group 2 to the interfaces there weren't "taking" to the interface in CCP. After adding them again, telling CCP to write to startup config and rebooting the 2911 all 3 tunnels came up without changing the policies on the 540/520 from auto to manual. So far the tunnels have been lit and stable for almost 24 hours so I will see what happens when the SA lifetime expires if they renew properly. Im hoping based on the current results this problem has been solved and will report back shortly.

Ill adjust the ACL for the config you posted to resolve the SSH problem. After than I have to sort out the VPN issues and call it a day! I'll report my findings shortly. Thank you again for your expert help.

Highlighted

Re: Site to Site VPN Configuration Issue 2911 to SA540

Abhishek,

Good morning. After a week of hunting around I can report that the tunnels are still very buggy. I have found several things I would like to pass along for your input.

I had an issue on the 2911 router with the clock source being off an hour, I have switched to NTP and that issue is resolved now, clock is accurate.

Phase 1 negotiation between all SA routers and the 2911 router keeps failing. If I reboot the SA540 it will not reconnect upon startup. If I reboot the 2911 the tunnels will re-establish on startup until the next time they collapse.

On the 2911 yesterday for instance I got the EasyVPN server working where I could connect at least to the 2911. Today the 2911 isn't responding to peers again. This is very frustrating as you can well understand, the inter-operability between standards based cisco products should be a given. This is identical to the issue posted here https://supportforums.cisco.com/thread/2018746 except we are obviously running much newer firmware than when this article was listed.

I would love some input on how to iron this issue out. These VPN tunnels are connecting DC's together and the resulling loss of sync between them is starting to be a real headache.

SA540 Log1

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.10.0/27

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: 98.101.151.234[500]<=>97.76.78.218[500]

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Beginning Identity Protection mode.

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Mon Jul 08 06:03:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9

Mon Jul 08 06:04:15 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->98.101.151.234

Mon Jul 08 06:05:34 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. 77d5a6ba6ca43d88:0000000000000000

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.10.0/27

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: 98.101.151.234[500]<=>97.76.78.218[500]

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Beginning Identity Protection mode.

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Mon Jul 08 06:15:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9

Mon Jul 08 06:16:15 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->98.101.151.234

Mon Jul 08 06:17:34 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. 782eb7c9cc39c70d:0000000000000000

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.10.0/27

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: 98.101.151.234[500]<=>97.76.78.218[500]

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Beginning Identity Protection mode.

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Mon Jul 08 06:27:44 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9

Mon Jul 08 06:28:15 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->98.101.151.234

Mon Jul 08 06:29:34 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. 4b9e1c67273e8214:0000000000000000

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  accept a request to establish IKE-SA: 97.76.78.218

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Configuration found for 97.76.78.218.

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: 98.101.151.234[500]<=>97.76.78.218[500]

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Beginning Identity Protection mode.

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Mon Jul 08 06:36:48 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9