Re: vpn configuration depends on the provided parameters from head office

amralrazzaz · ‎05-05-2020

dears

i need help to check from the below parameters which i were received from H.O ( they are using firewall) to deploy it on my local router ( remote location - using isr 2911 router) - need help to check if my configurations are fine and i didnt miss any . also if i did any mistake please help to correct this

parameters:

KE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AE
Authentication algorithm S
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

thanks

amr alrazzaz

Rob Ingram · ‎05-06-2020

Hi,
You should modify your ACL used to define the interesting traffic, this should be established using ip between the local and remote networks, rather than tcp/udp ports - this will reduce complexity and the number of IPSec SAs.

Once the VPN is established, if you wish to lock down access you can apply an ACL or implement Zone Based Firewall to restrict access over the VPN tunnel.

Also you've got "ip nat outside" defined on the outside interface, if you are using nat make sure you are not natting traffic from your local networks to the remote networks.

HTH

amralrazzaz · ‎05-10-2020

You should modify your ACL used to define the interesting traffic, this should be established using ip between the local and remote networks, rather than tcp/udp ports - this will reduce complexity and the number of IPSec SAs.

Please check below dest. Ip addresses and port numbers on below also the object group network and service and check if my configuration is okay or not :

acl and ports as below :

dest, networks and hosts	PORTS SERVICE
DNS SERVERS 10.20.x.x	53/tcp
10.x.17.3	53/udp

SAP servers 10.102.37.15	3200-3399/tcp
10.102.x1.19	3600-3699/tcp
10.102.41.1x6	8000-8099/tcp
10.102.46.2x	50000-59900/tcp
10.102.46.37
10.1x.18.16
10.1x.18.46
10.x.1x.2
	SERVICE AD services
H.O NETWORKS 10.35.3.0/24	25/tcp
10.x5.x.0/24	53/tcp
10.x5.5.0/24	53/udp
10.x0.1x.0/24	67/udp
x0.8x.1x.0/25	68/udp
	88/udp
	123/udp
	135/tcp
	137/udp
	138/udp
	139/upd
	389/tcp
	389/udp
	445/tcp
	445/udp
	464/tcp
	464/udp
	636/tcp
	3268/tcp
	3269/tcp
	5722/tcp
	9389/tcp
	49152-65535/tcp
	49152-65535/udp

	SERVICE SCCM services
	135/tcp
	137/udp
	138/udp
	1433/tcp
	1779/udp
	2701/tcp
	3268/tcp
	445/tcp
	445/udp
	5080/tcp
	5443/tcp
	80/tcp
	8530/tcp


DC server 10.2x.11.1x	1024-65535/tcp
	123/udp
	135/tcp
	135/udp
	137/udp
	138/udp
	139/tcp
	139/tcp
	1688/tcp
	3268/tcp
	3269/tcp
	389/tcp
	389/udp
	42/tcp
	42/udp
	445/tcp
	445/udp
	464/tcp
	464/tcp
	464/udp
	464/udp
	49152-65535/udp
	53/tcp
	53/udp
	53248/tcp
	5722/tcp
	57344/tcp
	636/tcp
	636/udp
	647/tcp
	67/udp
	88/tcp
	88/udp
	44/tcp
	80/tcp
	9389/tcp

object-group network FC-EGCAI01_local

description FC-NW

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

object-group network EGCAI01_remote

description EGY-LOCAL-NW

192.168.0.0/20

object-group network SAP-Servers

description SAP-SYSTEMS

host 10.1x2.3x.1xx

host 1x.21x.1x2.2x

host 10.220.1x.65

host 10.2x0.1x.80

host 1x.x2x.18x.1x

host 10.2x1.2x9.x

host 10.2x.35.71

host 10.38.0.2x

host 10.3x.1.2x8

host 10.x8.1.x

host 10.x1.x57.10x

host 10.x1.x8.8x

host 10.x.39.1x

host 10.8x.x.1x

object-group network DNS-Servers

description FC-DNS

host 1x.x8.0.1x

host 10.x8.x.21x

object-group network FC-Domain-Controller

description FC-DC

host 1x.x30.1x.x

object-group network Wipro-DC

description DWP-WIPRO-NW

1x.38.x.0/24

1x.x8.x.0/24

1x.3x.2.0/24

1x.x0.1x.0/24

object-group network Other-APPS

description MSTR-HFM-BASWARE-DSP

host 10.1x4.20.1x4

host 10.2x.12.xx

host 10.1x9.8.x

host 1x.x9.8.x

host 10.2x0.2x4.5

host 1x.1x.60.x

host 10.x0.x1.10x

host 1x.18x.8.4x

host 10.189.72.18x

host 1x.2x.1x9.5x

host 1x2.x0.39.x

host 1x.x.0.x

host 10.2x.x2.x

host 10.x.1.x

-------------------

object-group service SERVICE-LDAP

description FC-LDAP

tcp 389

ldap-389

object-group service AD-Services

description wipro-AD

TCP 25

tcp-udp 53

udp 67

udp 68

udp 88

udp 123

tcp 135

udp 137

udp 138

upd 139

tcp 389

udp 389

tcp 445

udp 445

tcp 464

udp 464

tcp 636

tcp 3268

tcp 3269

tcp 5722

tcp 9389

tcp-udp range 49152-65535

object-group service SCCM-Services

description wipro-SCCM

tcp 135

udp 137

udp 138

tcp 1433

udp 1779

tcp 2701

tcp 3268

tcp-udp 445

tcp 5080

tcp 5443

tcp 80

tcp 8530

object-group service FC-DC-SERVICES

description FC-DC-SERVICES

tcp range 1024-65535

udp 123

tcp-udp 135

udp 137

udp 138

tcp 139

tcp 1688

tcp 3268

tcp 3269

tcp-udp 389

tcp-udp 42

tcp-udp 445

tcp-udp 464

udp range 49152-65535

tcp-udp 53

tcp 53248

tcp 5722

tcp 57344

tcp-udp 636

tcp 647

udp 67

tcp-udp 88

tcp 44

tcp 80

tcp 9389

Once the VPN is established, if you wish to lock down access you can apply an ACL or implement Zone Based Firewall to restrict access over the VPN tunnel.

Didn’t get u ?

Also you've got "ip nat outside" defined on the outside interface, if you are using nat make sure you are not natting traffic from your local networks to the remote networks.

I already have more than 1 free public ip address so I specify 1 for nat traffic and the other one is configured on the wan interface for the vpn traffic

actually i have inter vlans but the main n.w id is 192.168.0.0/20 , so shall i add them one by one permit on each or its just give access to the all n.w id same as i did ??

Ihave 5 vlans configured and the network id is 192.168.0.0/24 so my question shall i add each subnet one by one on ACL with different type of ports or same as i did enough with mentioning the network id only and all subnets within this ID will have access to pass the traffic to Head office ?

amr alrazzaz

Rob Ingram · ‎05-10-2020

What I am saying is for the ACL, do not configure a complicated crypto ACL (the ACL used to define the interesting traffic for the VPN) using TCP or UDP ports, it's not recommended by Cisco and no guarantee the peer vendor hardware supports it either.

Your crypto ACL should use IP to define the interesting traffic to be encrypted, e.g.

ip access-list extended VPN_ACL
 permit ip object-group EGCAI01_remote object-group SAP-Servers
 permit ip object-group EGCAI01_remote object-group Wipro-DC
 permit ip object-group EGCAI01_remote object-group FC-EGCAI01_local

When creating the crypto ACL I would use a network object that covers all hosts, rather than multiple smaller networks or host objects. In doing so this improves the overall performance.

Once the VPN is established if you wish to filter the traffic by restricting access to certain ports/protocols (udp/53, tcp/389 etc), then this is when you would use an interface ACL (different ACL used to define interesting traffic for the VPN) or use Zone Based Firewall.

HTH

amralrazzaz · ‎05-10-2020

so no need to configure object-group service ?
and no need to specify th ports to the certain hosts or network to get access on it ? just use access network to network only ?
and the ports which opened on the other site (head office) enough to pass traffic from my side to the head office ?

so the acl easier to use permit ip between hosts and networks only ?

ip access-list extended VPN_ACL
permit ip object-group EGCAI01_remote object-group SAP-Servers
permit ip object-group EGCAI01_remote object-group Wipro-DC
permit ip object-group EGCAI01_remote object-group FC-EGCAI01_local
permit ip object-group EGCAI01_remote object-group DNS-Servers
permit ip object-group EGCAI01_remote object-group Other-APPS

another thing which is the network id of my network is 192.168.0.0/20 and i have 5 vlans so shall i added these subnets
one by one or enough woth network id ?

Once the VPN is established if you wish to filter the traffic by restricting access to certain ports/protocols (udp/53, tcp/389 etc), then this is when you would use an interface ACL (different ACL used to define interesting traffic for the VPN) or use Zone Based Firewall.

and the ports which opened on the other site (head office) enough to pass traffic from my side to the head office ? and no need to configure it also on my ACL ?

last think is my configuration is wrong or its just complicated but it will work ? or cisco router HW not support ?

amr alrazzaz

Rob Ingram · ‎05-10-2020

Correct, don't define the services (object-group service).

You example ACL looks better. However I would suggest perhaps if possible looking at your objects and seeing if you could summarise them.

Whatever you define in your crypto ACL, just ensure that you mirror the same configuration on the peer firewall.....they need to be the same, otherwise you will have issues.

Are those 5 VLANS within the network 192.168.0.0/20? If not then you will need to add additional lines to the crypto ACL.

Your configuration just needs modifying, however a cisco router with complex ACL/firewall rules as you may require, would probably be easier to implement on an ASA or FTD.

HTH

amralrazzaz · ‎05-10-2020

Correct, don't define the services (object-group service).

okay fine ill do same what u said to me :) thanks

You example ACL looks better. However I would suggest perhaps if possible looking at your objects and seeing if you could summarise them.

ill share it with u sir for some help ... thanks in advance :) maybe i can sent to u in massage

Whatever you define in your crypto ACL, just ensure that you mirror the same configuration on the peer firewall.....they need to be the same, otherwise you will have issues.

i will share with u the access list and port number that they should already opened for me ....

Are those 5 VLANS within the network 192.168.0.0/20? If not then you will need to add additional lines to the crypto ACL.

yes it is within the network

Your configuration just needs modifying, however a cisco router with complex ACL/firewall rules as you may require, would probably be easier to implement on an ASA or FTD.

for now i dont have ASA or FTD thats why im using router and need license to configure it :) maybe later ill purchase one

what kind of modifying i need please ... ill just share with u what i did and then if u have sometime for help would be appreciate :)

thanks

amr alrazzaz

Rob Ingram · ‎05-10-2020

Ok, send me the list of objects and I can summarise them for you.

Ok, if those 5 VLANS are within that /20 then no need to modify the crypto ACL.

Sorry, I was referring to modifying the configuration we had been discussing. So as long as you don't over complicate the crypto ACL using ports/protocols then establishing the VPN should be fine.

amralrazzaz · ‎05-10-2020

hello boss im sharing the config file that i prepared and need to paste on router after getting license

please check the proposed acl from head office and my prepared config if need any modify and config are ok with these parameters parameters

check attached please :)

amr alrazzaz

Rob Ingram · ‎05-10-2020

Ok, if that IKEv2.txt file came from Head Office, then it looks like they have already defined the "Phase 2 Selectors"

Phase 2 selectors:

Local subnets:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Remote subnets:
192.168.0.0/20

I assume Local Subnets is the remote end to you, which you are referring to "EGCAI01_local" elsewhere in your configuration?

If correct, create an object-group containing those 3 subnets, use your existing "EGCAI01_remote "object-group and create the ACL using those 2 objects. The source will be your look networks (EGCAI01_remote) with the destination of the Head Office networks (EGCAI01_local).

object-group network EGCAI01_local 
 10.0.0.0/8
 172.16.0.0/12
 192.168.0.0/16

object-group network EGCAI01_remote
 description EGY-LOCAL-NW
 192.168.0.0/20

ip access-list extended VPN_ACL
 permit ip object-group EGCAI01_remote object-group EGCAI01_local

The example above will be used for the crypto ACL.

For testing establish the VPN tunnel, get that working first and then after you have confirmed the VPN is working, look to apply an interface ACL or Zone-Based Firewall to restrict access.

HTH

amralrazzaz · ‎05-10-2020

the proposed excel sheet ACl and the parameters came from head office but the ikve2 file is what i were prepared and need to check if its fine to go ahead and configure it on router :)

i defined remote as my network ( 192.168.0.0/20)

local network is head office

maybe confused but i assume im the remote and the head office is the main

object-group network EGCAI01_remote
description EGY-LOCAL-NW (just to know this is my local network)
192.168.0.0/20

object-group network FC-EGCAI01_local (head office)
description FC-NW ( FC refer to head office my company name )
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

amr alrazzaz

Rob Ingram · ‎05-10-2020

Ok, it's slightly confusing as referring to your local network as remote, but I understood.

If all you've changed is the name of the object group, then you just need to amend the ACL I provided to reflect the correct name.

amralrazzaz · ‎05-10-2020

so ill use only this ACL as it include all the networks and delete other created access list ??

if its like that so ill delete all ACL and keep what u mentioned ? am i correct ?

ip access-list extended VPN_ACL
 permit ip object-group EGCAI01_remote object-group EGCAI01_local

after testing... shall back to add other access lists > ? like below and without putting the object-group service ???

permit ip object-group EGCAI01_remote object-group Other-APPS

permit ip object-group EGCAI01_remote object-group SAP-Servers

permit ip object-group EGCAI01_remote object-group Wipro-DC

amr alrazzaz

Rob Ingram · ‎05-10-2020

No, that VPN_ACL does not change.

I was referring to creating an additional interface ACL or Zone-Based Firewall to restrict access over the VPN tunnel. On that ACL you can define the services (ports/protocols) - you just don't define the services used for the crypto ACL (VPN_ACL), which is merely used to establish the VPN.

amralrazzaz · ‎05-10-2020

thanks for your help :)

can i ask u when u free for sure :) i had sent to u the config file already if u can modify it on the config file and then send to me so ill copy paste it directly to my router

just little bit confused with the port numbers and acl list that i configured specially when u said no need for object-group service :) also creating an additional interface ACL or Zone-Based Firewall to restrict access over the VPN tunnel so if u can help to add too

here u are again the config file just when ever u free modify what use its perfect :) thanks

please do it when u free only .. i do excuse you :) thanks sir

amr alrazzaz