1210 Views | 0 Helpful | 5 Replies

SR520 VPN L2L Dynamic to Static Configuration

eugeneg
Level 1

Hi Guys

I have a bit of a head-scratcher I need some help with - here's a picture:

                                    (  ^  )
LOCAL                              (       )                              REMOTE
LAN ---------------- SR520 >>>>>>(         )<<<<<< SR520 ---------------- LAN
IRVINE                             (       )                              INVERNESS
192.168.0.0    .1     DYNAMIC       ( _ )     10.1.1.1     .1     192.168.1.0

IRVINE is the head office of ABC widgets; the WAN address is issued by the ISP on connection (i.e. dynamic). INVERNESS is the branch office which connects to IRVINE via a VPN; INVERNESS' IP address is statically assigned.

Each site has a SR520 running IOS v12.4

I set up the 2 SR520s for internet access and created a dynamic to static VPN where IRVINE connects to INVERNESS - the VPN is up, a show crypto ipsec sa marks the VPN as active

IRVINE_SR520#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 124.148.236.142

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22219, #pkts encrypt: 22219, #pkts digest: 22219
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 51, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

IRVINE_SR520#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1    10.0.0.1       QM_IDLE           2117    0 ACTIVE

IPv6 Crypto ISAKMP SA

INVERNESS_SR520#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.1 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x4D582421(1297622049)

     inbound esp sas:
      spi: 0xA9F4F489(2851402889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 167, flow_id: Motorola SEC 1.0:167, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4498856/3528)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4D582421(1297622049)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 168, flow_id: Motorola SEC 1.0:168, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4498857/3528)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


INVERNESS_SR520#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1     10.0.0.1       QM_IDLE           2029    0 ACTIVE

IPv6 Crypto ISAKMP SA

The problem is when I try to ping from one side to the other I get no response (ping 192.168.1.1 source 192.168.0.1 times out)

Here are the configs:

IRVINE:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname IRVINE_SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging rate-limit
enable secret 5 *******
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone WST 8
!
crypto pki trustpoint TP-self-signed-160999964
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-160999964
revocation-check none
rsakeypair TP-self-signed-160999964
!
!
crypto pki certificate chain TP-self-signed-160999964
certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  ...snip...

dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip name-server aaa.bbb.ccc.ddd
ip inspect log drop-pkt
!
no ipv6 cef
multilink bundle-name authenticated

parameter-map type inspect z1-z2-pmap
audit-trail on
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
!
username admin privilege 15 secret 5 *****
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key secret address <remote host>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Inverness
set peer 10.1.1.1
set transform-set ESP-3DES-SHA
match address 106
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect smtp match-any sdm-app-smtp
match  data-length gt 5000000
class-map type inspect http match-any sdm-app-nonascii
match  req-resp header regex sdm-regex-nonascii
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-h323-1
match access-group 103
match protocol h323
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  request port-misuse tunneling
match  req-resp protocol-violation
class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect http match-any sdm-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method post
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect match-all sdm-nat-sip-2
match access-group 102
match protocol sip
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
class-map type inspect match-all sdm-nat-sip-1
match access-group 101
match protocol sip
class-map type inspect match-all sdm-protocol-imap
match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  reset
class type inspect http sdm-app-httpmethods
  log
  reset
class type inspect http sdm-app-nonascii
  log
  reset
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
  reset
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
  reset
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
  reset
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect z1-z2-pmap
  service-policy http sdm-action-app-http
class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
  drop log
class type inspect sdm-protocol-im
  drop log
class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
  pass
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-nat-sip-1
  inspect
class type inspect sdm-nat-sip-2
  inspect
class type inspect sdm-nat-h323-1
  inspect
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect dhcp_out_self
  pass
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN via ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname user@domain.com
ppp chap password 7 *****
ppp pap sent-username user@domain.com password 7 *****
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list Internet interface Dialer0 overload
ip nat inside source static tcp 192.168.1.11 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.68 80 interface Dialer0 80
!
ip access-list extended Internet
deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
ip access-list extended staticnat
remark SDM_ACL Category=1
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720
permit tcp any any eq smtp
permit tcp any any eq 3389
permit udp any any eq 3389
permit tcp any any eq www
permit udp any any eq 80
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.1
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.1
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.1
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

INVERNESS:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname INVERNESS_SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone WST 8
!
crypto pki trustpoint TP-self-signed-2514221478
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2514221478
revocation-check none
rsakeypair TP-self-signed-2514221478
!
!
crypto pki certificate chain TP-self-signed-2514221478
certificate self-signed 01
  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
....snip....

dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool Inverness
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 203.191.160.68 203.191.160.83
!
!
ip cef
no ip bootp server
ip inspect log drop-pkt
!
no ipv6 cef
multilink bundle-name authenticated

parameter-map type inspect z1-z2-pmap
audit-trail on
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
!
username tfx privilege 15 secret 5 $1$QN3W$r7VYzERQg2y437hyCTnoI0
username kytec privilege 15 secret 5 $1$jFNs$ahZ995R7RXkI6SYYag.tj0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key secret address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 105
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect smtp match-any sdm-app-smtp
match  data-length gt 5000000
class-map type inspect http match-any sdm-app-nonascii
match  req-resp header regex sdm-regex-nonascii
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-h323-1
match access-group 103
match protocol h323
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  request port-misuse tunneling
match  req-resp protocol-violation
class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect http match-any sdm-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method post
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect match-all sdm-nat-sip-2
match access-group 102
match protocol sip
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
class-map type inspect match-all sdm-nat-sip-1
match access-group 101
match protocol sip
class-map type inspect match-all sdm-protocol-imap
match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  reset
class type inspect http sdm-app-httpmethods
  log
  reset
class type inspect http sdm-app-nonascii
  log
  reset
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
  reset
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
  reset
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
  reset
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect z1-z2-pmap
  service-policy http sdm-action-app-http
class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
  drop log
class type inspect sdm-protocol-im
  drop log
class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
  pass
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-nat-sip-1
  inspect
class type inspect sdm-nat-sip-2
  inspect
class type inspect sdm-nat-h323-1
  inspect
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect dhcp_out_self
  pass
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN via ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname host@domain.com
ppp chap password 7 *****
ppp pap sent-username host@domain.com password 7 *****
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static udp 192.168.0.250 4370 interface Dialer0 4370
ip nat inside source static tcp 192.168.0.99 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.99 9013 interface Dialer0 9013
ip nat inside source static udp 192.168.0.99 9013 interface Dialer0 9013
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list extended Internet
deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended capi
ip access-list extended capo
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
ip access-list extended staticnat
remark SDM_ACL Category=1
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.1
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.1
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.1
access-list 104 permit tcp any any range 3001 3999
access-list 104 permit udp any any range 3001 3999
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
route-map nonat permit 10
match ip address Internet
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

That's it apart from a desire to simplify the config and get rid of all the class-map and policy-map and zone-pair commands which clutter things up a tad IMHO.

Any ideas why my L2L traffic is blocked?
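The counters in the show crypto ipsec sa output above already say a lot: the IRVINE side encapsulates packets but never decapsulates any, while INVERNESS decapsulates a handful and never encapsulates anything back. As an added example (not code from this thread), the Python below parses that output format into one record per SA and flags SAs that have no ESP SAs installed or that carry traffic in one direction only. The two sample texts are abridged from the outputs posted above; the field names, the IpsecSa class and the diagnose() wording are my own.

```python
"""Parse IOS 'show crypto ipsec sa' output and flag SAs that are empty or one-way.
Added example; sample text is abridged from the two outputs in this thread, not live."""
import re
from dataclasses import dataclass, field

IRVINE_OUTPUT = """\
interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 124.148.236.142
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
    #pkts encaps: 22219, #pkts encrypt: 22219, #pkts digest: 22219
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 51, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
INVERNESS_OUTPUT = """\
interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
     current outbound spi: 0x4D582421(1297622049)
     inbound esp sas:
      spi: 0xA9F4F489(2851402889)
     outbound esp sas:
      spi: 0x4D582421(1297622049)
"""

@dataclass
class IpsecSa:
    interface: str
    local_addr: str
    local_id: str = ""
    remote_id: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)

def parse_ipsec_sa(text):
    """Return one IpsecSa per 'local ident' block, in output order."""
    sas, cur, section, iface, local_addr = [], None, None, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface:\s+(\S+)", line)):
            iface, cur = m.group(1), None
        elif (m := re.search(r"local addr (\S+)", line)):
            local_addr = m.group(1)
        elif (m := re.match(r"local\s+ident .*: \(([^)]+)\)", line)):
            cur = IpsecSa(iface, local_addr, local_id=m.group(1))
            sas.append(cur)
            section = None
        elif cur is None:
            continue                       # header lines before the first SA block
        elif (m := re.match(r"remote ident .*: \(([^)]+)\)", line)):
            cur.remote_id = m.group(1)
        elif (m := re.match(r"current_peer (\S+)", line)):
            cur.peer = m.group(1)
        elif (m := re.match(r"#pkts encaps: (\d+)", line)):
            cur.encaps = int(m.group(1))
        elif (m := re.match(r"#pkts decaps: (\d+)", line)):
            cur.decaps = int(m.group(1))
        elif (m := re.match(r"#send errors (\d+)", line)):
            cur.send_errors = int(m.group(1))
        elif line.endswith("sas:"):        # only the ESP sections carry SPIs we track
            section = {"inbound esp sas:": "in", "outbound esp sas:": "out"}.get(line)
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            (cur.inbound_spis if section == "in" else cur.outbound_spis).append(m.group(1))
    return sas

def diagnose(sa):
    """Human-readable findings for one SA entry; an empty list means it looks healthy."""
    findings = []
    if not sa.inbound_spis and not sa.outbound_spis:
        findings.append("no ESP SAs installed: phase 2 never completed or has expired")
    if sa.encaps and not sa.decaps:
        findings.append("one-way: this side encrypts but never receives peer traffic")
    if sa.decaps and not sa.encaps:
        findings.append("one-way: peer traffic is decrypted but nothing is encrypted back "
                        "(return traffic is not reaching the crypto map: NAT, routing, crypto ACL)")
    if sa.send_errors:
        findings.append(f"{sa.send_errors} send errors")
    return findings

def report(text):
    """Map 'interface local -> remote' to its findings for every SA in the output."""
    return {f"{sa.interface} {sa.local_id} -> {sa.remote_id}": diagnose(sa)
            for sa in parse_ipsec_sa(text)}

if __name__ == "__main__":
    for name, text in (("IRVINE", IRVINE_OUTPUT), ("INVERNESS", INVERNESS_OUTPUT)):
        for key, findings in report(text).items():
            print(name, key, findings or ["ok"])
```

Run against the full output of both routers (paste it in place of the samples) to get a per-SA summary rather than reading the counters by hand; the Virtual-Access1 entry on the dynamic side is parsed as a separate SA because it has its own local ident block.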

5 Replies

cindy toy
Level 7

Hi Eugene,

Which SR520 do you have?

The only SR520 product ID number that falls under the Small Business umbrella is the SR520-T1-K9.

However, if you have the SR520-FE product, that is supported by Cisco TAC, not SBSC. If you have the SR520-FE, I can move your question into the correct support area so that you don't have to repost.

Regards,

Cindy Toy

Cisco Small Business Community Manager

for Cisco Small Business Products

www.cisco.com/go/smallbizsupport

twitter: CiscoSBsupport

Regards, Cindy If my response answered your question, please mark the response as answered. Thank you!

Hi Cindy

Thanks for your prompt response - the routers are SR520-ADSL which are oddly enough listed under Cisco's Small Business products, but if you don't support them, please re-post to whoever does.

Hi Eugene,

Yes, the SR520-ADSL is also a TAC supported product. It is a bit confusing since it is a Small Business product too. There are certain small business products that TAC can support while the SBSC engineers cannot.

I moved your question into the WAN, Routing, and Switching area.  If you don't get a resolution, I suggest you contact TAC for help.

Regards,

Cindy Toy

Cisco Small Business Community Manager

for Cisco Small Business Products

www.cisco.com/go/smallbizsupport

twitter: CiscoSBsupport


eugeneg
Level 1

Further to my original post, I reconfigured the 520s using an example I found which seemed to fit the criteria.  The link VPN tunnel came up and all seemed okay until an hour or so later when the tunnel collapsed and no inter LAN traffic seems to bring it up again - any ideas?  I'm going to re-post this in the VPN forum since I have received no response here - you did move it didn't you Cindy?

More Info:

The scenario is your typical DYNAMIC TO STATIC router configuration in reverse: in this case the DYNAMIC router is at the Head Office and the STATIC router is at the Branch Office. This should not really affect the VPN, but just in case it does, I set up a DynDNS account for the HO and configured the BO router to use DNS, ran ping tests to the HO name and voila! It resolves the address without an issue.

Now to reconfigure the routers using examples gleaned from all over the web:

HEAD OFFICE SR520

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 2.2.2.2 !BO STATIC address
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set myset
match address 106
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname headoffice
ppp chap password 7 1234567890ABCDEF
ppp pap sent-username headoffice password 7 1234567890ABCDEF
crypto map mymap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 105 remark NAT Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 106 deny ip 192.168.1.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address 105

BRANCH OFFICE SR520

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address host.dyndns.org !HO resolved address
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer host.dyndns.org
 set transform-set myset
 match address 106
!
interface Vlan75
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname branchoffice
 ppp chap password 7 1234567890ABCDEF
 ppp pap sent-username branchoffice password 7 1234567890ABCDEF
 crypto map mymap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 105 remark NAT Rule
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 deny ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
 match ip address 105

Following the reconfiguration the VPN connection established and a show crypto isakmp sa returns:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2         1.1.1.1         QM_IDLE           2887    0 ACTIVE

which is good, right? show crypto ipsec sa returns:

interface: Dialer0
    Crypto map tag: mymap, local addr 124.148.236.142

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3145, #pkts encrypt: 3145, #pkts digest: 3145
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 14, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: mymap, local addr 124.148.236.142

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3145, #pkts encrypt: 3145, #pkts digest: 3145
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 14, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

This is also good, right? So why can't I ping BO from HO?

HEADOFFICE#ping
Protocol [ip]:
Target IP address: 192.168.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan75
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: verbose
Loose, Strict, Record, Timestamp, Verbose[V]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)

Any assistance will be appreciated
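A small triage script for the kind of show crypto ipsec sa output quoted above, added here as an example; it is not code from this thread or from Cisco. It parses each "interface:" section of the command output and flags the signs the post shows: an outbound SPI of 0x0, empty inbound and outbound ESP SA lists, packets encapsulated but none decapsulated, and a non-zero send error count. Together those mean IKE phase 1 (the QM_IDLE entry) is up but no IPsec phase 2 SA exists, so nothing is actually being protected. The two sample outputs embedded in the script are constructed: the broken one is modelled on the post, with the public addresses replaced by the 1.1.1.1 and 2.2.2.2 placeholders the poster already uses, and the healthy one shows what the same section looks like with a negotiated SA in each direction.

```python
"""Triage 'show crypto ipsec sa' output from Cisco IOS.

Added example, not code from this thread or from Cisco. It parses each
"interface:" section of the command output and flags the signs that IKE
phase 1 is up but no IPsec (phase 2) security association exists.
"""
import re

SECTION_RE = re.compile(r"^interface: (\S+)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
OUT_SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
SPI_LINE_RE = re.compile(r"^\s*spi: 0x", re.M)   # one line per listed SA

# Constructed sample modelled on the output quoted in the post (phase 2 missing).
BROKEN_SAMPLE = """\
interface: Dialer0
    Crypto map tag: mymap, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3145, #pkts encrypt: 3145, #pkts digest: 3145
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 14, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
"""

# Constructed sample of the same section with a working tunnel (SPIs are made up).
HEALTHY_SAMPLE = """\
interface: Dialer0
    Crypto map tag: mymap, local addr 1.1.1.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0

     current outbound spi: 0x5A3C1F22(1513889570)

     inbound esp sas:
      spi: 0x1E2F3A4B(506018379)
        transform: esp-3des esp-sha-hmac ,

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5A3C1F22(1513889570)
        transform: esp-3des esp-sha-hmac ,

     outbound ah sas:

     outbound pcp sas:
"""


def parse_sections(text):
    """Return (interface name, section body) pairs from the command output."""
    parts = SECTION_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    return [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]


def count_esp_sas(body, direction):
    """Count the SAs listed under '<direction> esp sas:' (each prints a 'spi:' line)."""
    start = body.find(f"{direction} esp sas:")
    if start < 0:
        return 0
    end = body.find(f"{direction} ah sas:", start)
    block = body[start:end] if end > 0 else body[start:]
    return len(SPI_LINE_RE.findall(block))


def diagnose(text):
    """Summarise each crypto-map section and list the problems its counters show."""
    results = []
    for name, body in parse_sections(text):
        counters = {k: int(v) for k, v in COUNTER_RE.findall(body)}
        encaps, decaps = counters.get("encaps", 0), counters.get("decaps", 0)
        m = ERRORS_RE.search(body)
        send_errors = int(m.group(1)) if m else 0
        m = OUT_SPI_RE.search(body)
        out_spi = int(m.group(1), 16) if m else None
        m = PEER_RE.search(body)
        peer = m.group(1) if m else None
        inbound = count_esp_sas(body, "inbound")
        outbound = count_esp_sas(body, "outbound")

        findings = []
        if out_spi == 0:
            findings.append("outbound SPI is 0x0: no IPsec SA negotiated for this peer")
        if inbound == 0 and outbound == 0:
            findings.append("no inbound or outbound ESP SAs: phase 2 (quick mode) has not completed")
        if encaps > 0 and decaps == 0:
            findings.append("packets encapsulated but none decapsulated: nothing is returning from the peer")
        if send_errors > 0:
            findings.append(f"{send_errors} send errors: traffic matched the crypto ACL while no usable SA existed")

        results.append({
            "interface": name, "peer": peer, "encaps": encaps, "decaps": decaps,
            "send_errors": send_errors, "outbound_spi": out_spi,
            "inbound_esp_sas": inbound, "outbound_esp_sas": outbound,
            "findings": findings, "healthy": not findings,
        })
    return results


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        for r in diagnose(text):
            print(f"[{label}] {r['interface']} -> {r['peer']}: encaps={r['encaps']} "
                  f"decaps={r['decaps']} esp_sas={r['inbound_esp_sas']}/{r['outbound_esp_sas']}")
            for f in r["findings"]:
                print("   -", f)
```

Feed it the saved output from each router. When it reports no ESP SAs while show crypto isakmp sa still shows QM_IDLE, phase 1 succeeded and quick mode did not, so the things to compare across the two routers are the transform set, the crypto ACLs (each side's match address ACL has to be the mirror image of the other's, as the two 106 lists above are), and the NAT exemption: a route-map nonat only takes effect once an ip nat inside source route-map nonat ... statement references it, otherwise LAN-to-LAN traffic is translated before the crypto map evaluates it and no longer matches the ACL. On IOS a DNS name for a peer is normally given with the hostname keyword (crypto isakmp key ... hostname name, set peer name dynamic) rather than address, which expects an IP.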