cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
3163
Views
50
Helpful
19
Replies

vpn configuration depends on the provided parameters from head office

amralrazzaz
Level 5
Level 5

dears 

i need help to check from the below parameters which i were received from H.O ( they are using firewall) to deploy it on my local router ( remote location - using isr 2911 router) - need help to check if my configurations are fine and i didnt miss any . also if i did any mistake please help to correct this 

parameters:

KE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AE
Authentication algorithm S
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled

 

 

 

thanks

 

amr alrazzaz
19 Replies 19

Hi,
You should modify your ACL used to define the interesting traffic, this should be established using ip between the local and remote networks, rather than tcp/udp ports - this will reduce complexity and the number of IPSec SAs.

Once the VPN is established, if you wish to lock down access you can apply an ACL or implement Zone Based Firewall to restrict access over the VPN tunnel.

Also you've got "ip nat outside" defined on the outside interface, if you are using nat make sure you are not natting traffic from your local networks to the remote networks.

HTH

You should modify your ACL used to define the interesting traffic, this should be established using ip between the local and remote networks, rather than tcp/udp ports - this will reduce complexity and the number of IPSec SAs.

 

Please check below dest. Ip addresses and port numbers on below also the object group network and service and check if my configuration is okay or not :

acl and ports as below :

 

dest, networks and hosts

PORTS SERVICE 

DNS SERVERS  10.20.x.x     

53/tcp

                             10.x.17.3                                         

53/udp

 

 

SAP servers  10.102.37.15    

3200-3399/tcp

                       10.102.x1.19             

3600-3699/tcp

                     10.102.41.1x6           

8000-8099/tcp

                       10.102.46.2x                

50000-59900/tcp

                     10.102.46.37

 

                   10.1x.18.16

 

                   10.1x.18.46

 

                  10.x.1x.2

 

 

SERVICE AD services

H.O  NETWORKS   10.35.3.0/24   

25/tcp

                                    10.x5.x.0/24          

53/tcp

                                 10.x5.5.0/24          

53/udp

                           10.x0.1x.0/24        

67/udp

                          x0.8x.1x.0/25        

68/udp

 

88/udp

 

123/udp

 

135/tcp

 

137/udp

 

138/udp

 

139/upd

 

389/tcp

 

389/udp

 

445/tcp

 

445/udp

 

464/tcp

 

464/udp

 

636/tcp

 

3268/tcp

 

3269/tcp

 

5722/tcp

 

9389/tcp

 

49152-65535/tcp

 

49152-65535/udp

 

 

 

SERVICE SCCM services

 

135/tcp

 

137/udp

 

138/udp

 

1433/tcp

 

1779/udp

 

2701/tcp

 

3268/tcp

 

445/tcp

 

445/udp

 

5080/tcp

 

5443/tcp

 

80/tcp

 

8530/tcp

 

 

 

 

DC server    10.2x.11.1x    

1024-65535/tcp

 

123/udp

 

135/tcp

 

135/udp

 

137/udp

 

138/udp

 

139/tcp

 

139/tcp

 

1688/tcp

 

3268/tcp

 

3269/tcp

 

389/tcp

 

389/udp

 

42/tcp

 

42/udp

 

445/tcp

 

445/udp

 

464/tcp

 

464/tcp

 

464/udp

 

464/udp

 

49152-65535/udp

 

53/tcp

 

53/udp

 

53248/tcp

 

5722/tcp

 

57344/tcp

 

636/tcp

 

636/udp

 

647/tcp

 

67/udp

 

88/tcp

 

88/udp

 

44/tcp

 

80/tcp

 

9389/tcp

 

object-group network FC-EGCAI01_local

description FC-NW

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

 

object-group network EGCAI01_remote

description EGY-LOCAL-NW

192.168.0.0/20

 

object-group network SAP-Servers

description SAP-SYSTEMS

host 10.1x2.3x.1xx

host 1x.21x.1x2.2x

host 10.220.1x.65

host 10.2x0.1x.80

host 1x.x2x.18x.1x

host 10.2x1.2x9.x

host 10.2x.35.71

host 10.38.0.2x

host 10.3x.1.2x8

host 10.x8.1.x

host 10.x1.x57.10x

host 10.x1.x8.8x

host 10.x.39.1x

host 10.8x.x.1x

 

 

object-group network DNS-Servers

description FC-DNS

host 1x.x8.0.1x

host 10.x8.x.21x

 

object-group network FC-Domain-Controller

description FC-DC

host 1x.x30.1x.x

 

object-group network Wipro-DC

description DWP-WIPRO-NW

1x.38.x.0/24

1x.x8.x.0/24

1x.3x.2.0/24

1x.x0.1x.0/24

 

object-group network Other-APPS

description MSTR-HFM-BASWARE-DSP

host 10.1x4.20.1x4

host 10.2x.12.xx

host 10.1x9.8.x

host 1x.x9.8.x

host 10.2x0.2x4.5

host 1x.1x.60.x

host 10.x0.x1.10x

host 1x.18x.8.4x

host 10.189.72.18x

host 1x.2x.1x9.5x

host 1x2.x0.39.x

host 1x.x.0.x

host 10.2x.x2.x

host 10.x.1.x

-------------------

object-group service SERVICE-LDAP

description FC-LDAP

tcp 389

ldap-389

 

object-group service AD-Services

description wipro-AD

TCP 25

tcp-udp 53

udp 67

udp 68

udp 88

udp 123

tcp 135

udp 137

udp 138

upd 139

tcp 389

udp 389

tcp 445

udp 445

tcp 464

udp 464

tcp 636

tcp 3268

tcp 3269

tcp 5722

tcp 9389

tcp-udp range 49152-65535

 

object-group service SCCM-Services

description wipro-SCCM

tcp 135

udp 137

udp 138

tcp 1433

udp 1779

tcp 2701

tcp 3268

tcp-udp 445

tcp 5080

tcp 5443

tcp 80

tcp 8530

 

object-group service FC-DC-SERVICES

description FC-DC-SERVICES

tcp range 1024-65535

udp 123

tcp-udp 135

udp 137

udp 138

tcp 139

tcp 1688

tcp 3268

tcp 3269

tcp-udp 389

tcp-udp 42

tcp-udp 445

tcp-udp 464

udp range 49152-65535

tcp-udp 53

tcp 53248

tcp 5722

tcp 57344

tcp-udp 636

tcp 647

udp 67

tcp-udp 88

tcp 44

tcp 80

tcp 9389

 

 

 

 

 

 

 



Once the VPN is established, if you wish to lock down access you can apply an ACL or implement Zone Based Firewall to restrict access over the VPN tunnel.

Didnā€™t get u ?

Also you've got "ip nat outside" defined on the outside interface, if you are using nat make sure you are not natting traffic from your local networks to the remote networks.

 

I already have more than 1 free public ip address so I specify 1 for nat traffic and the other one is configured on the wan interface for the vpn traffic

 

actually i have inter vlans but the main n.w id is 192.168.0.0/20 , so shall i add them one by one permit on each or its just give access to the all n.w id same as i did ??

 

Ihave 5 vlans configured and the network id is 192.168.0.0/24 so my question shall i add each subnet one by one on ACL with different type of ports or same as i did enough with mentioning the network id only and all subnets within this ID will have access to pass the traffic to Head office ?

 

amr alrazzaz

What I am saying is for the ACL, do not configure a complicated crypto ACL (the ACL used to define the interesting traffic for the VPN) using TCP or UDP ports, it's not recommended by Cisco and no guarantee the peer vendor hardware supports it either.

 

Your crypto ACL should use IP to define the interesting traffic to be encrypted, e.g.

 

ip access-list extended VPN_ACL
 permit ip object-group EGCAI01_remote object-group SAP-Servers
 permit ip object-group EGCAI01_remote object-group Wipro-DC
 permit ip object-group EGCAI01_remote object-group FC-EGCAI01_local

When creating the crypto ACL I would use a network object that covers all hosts, rather than multiple smaller networks or host objects. In doing so this improves the overall performance.

 

Once the VPN is established if you wish to filter the traffic by restricting access to certain ports/protocols (udp/53, tcp/389 etc), then this is when you would use an interface ACL (different ACL used to define interesting traffic for the VPN) or use Zone Based Firewall.

 

HTH

 

so no need to configure object-group service ?
and no need to specify th ports to the certain hosts or network to get access on it ? just use access network to network only ?
and the ports which opened on the other site (head office) enough to pass traffic from my side to the head office ?


so the acl easier to use permit ip between hosts and networks only ?

ip access-list extended VPN_ACL
permit ip object-group EGCAI01_remote object-group SAP-Servers
permit ip object-group EGCAI01_remote object-group Wipro-DC
permit ip object-group EGCAI01_remote object-group FC-EGCAI01_local
permit ip object-group EGCAI01_remote object-group DNS-Servers
permit ip object-group EGCAI01_remote object-group Other-APPS

another thing which is the network id of my network is 192.168.0.0/20 and i have 5 vlans so shall i added these subnets
one by one or enough woth network id ?

 

Once the VPN is established if you wish to filter the traffic by restricting access to certain ports/protocols (udp/53, tcp/389 etc), then this is when you would use an interface ACL (different ACL used to define interesting traffic for the VPN) or use Zone Based Firewall.

and the ports which opened on the other site (head office) enough to pass traffic from my side to the head office ? and no need to configure it also on my ACL ? 

 

last think is my configuration is wrong or its just complicated but it will work ? or cisco router HW  not support ?

 

amr alrazzaz

Correct, don't define the services (object-group service).

 

You example ACL looks better. However I would suggest perhaps if possible looking at your objects and seeing if you could summarise them.

 

Whatever you define in your crypto ACL, just ensure that you mirror the same configuration on the peer firewall.....they need to be the same, otherwise you will have issues.

 

Are those 5 VLANS within the network 192.168.0.0/20? If not then you will need to add additional lines to the crypto ACL.

 

Your configuration just needs modifying, however a cisco router with complex ACL/firewall rules as you may require, would probably be easier to implement on an ASA or FTD.

 

HTH

Correct, don't define the services (object-group service).

okay fine ill do same what u said to me :) thanks

 

You example ACL looks better. However I would suggest perhaps if possible looking at your objects and seeing if you could summarise them.

ill share it with u sir for some help ... thanks in advance :) maybe i can sent to u in massage 

 

Whatever you define in your crypto ACL, just ensure that you mirror the same configuration on the peer firewall.....they need to be the same, otherwise you will have issues.

i will share with u the access list and port number that they should already opened for me ....

 

Are those 5 VLANS within the network 192.168.0.0/20? If not then you will need to add additional lines to the crypto ACL.

yes it is within the network 

Your configuration just needs modifying, however a cisco router with complex ACL/firewall rules as you may require, would probably be easier to implement on an ASA or FTD.

for now i dont have ASA or FTD thats why im using router and need license to configure it :) maybe later ill purchase one 

what kind of modifying i need please ... ill just share with u what i did and then if u have sometime for help would be appreciate :)

thanks

 

amr alrazzaz

Ok, send me the list of objects and I can summarise them for you.

Ok, if those 5 VLANS are within that /20 then no need to modify the crypto ACL.

Sorry, I was referring to modifying the configuration we had been discussing. So as long as you don't over complicate the crypto ACL using ports/protocols then establishing the VPN should be fine.

hello boss im sharing the config file that i prepared and need to paste on router after getting license 

please check the proposed acl from head office and my prepared config if need any modify and config are ok with these parameters parameters

 

check attached please :)

 

 

amr alrazzaz

Ok, if that IKEv2.txt file came from Head Office, then it looks like they have already defined the "Phase 2 Selectors"

 

Phase 2 selectors:

Local subnets:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Remote subnets:
192.168.0.0/20

I assume Local Subnets is the remote end to you, which you are referring to "EGCAI01_local" elsewhere in your configuration?

 

If correct, create an object-group containing those 3 subnets, use your existing "EGCAI01_remote "object-group and create the ACL using those 2 objects. The source will be your look networks (EGCAI01_remote) with the destination of the Head Office networks (EGCAI01_local).

 

object-group network EGCAI01_local 
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

object-group network EGCAI01_remote
description EGY-LOCAL-NW
192.168.0.0/20

ip access-list extended VPN_ACL
 permit ip object-group EGCAI01_remote object-group EGCAI01_local

The example above will be used for the crypto ACL.

For testing establish the VPN tunnel, get that working first and then after you have confirmed the VPN is working, look to apply an interface ACL or Zone-Based Firewall to restrict access.

 

HTH

 

the proposed excel sheet ACl and the parameters came from head office but the ikve2 file is what i were prepared and need to check if its fine to go ahead and configure it on router :) 

 

i defined remote as my network ( 192.168.0.0/20)

local network is head office 

maybe confused but i assume  im the remote and the head office is the main 

 

object-group network EGCAI01_remote
description EGY-LOCAL-NW   (just to know this is my local network) 
192.168.0.0/20

 

object-group network FC-EGCAI01_local  (head office)
description FC-NW   ( FC refer to head office my company name )
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

amr alrazzaz

Ok, it's slightly confusing as referring to your local network as remote, but I understood.

If all you've changed is the name of the object group, then you just need to amend the ACL I provided to reflect the correct name.

so ill use only this ACL as it include all the networks and delete other created access list ??

if its like that so ill delete all ACL and keep what u mentioned ?  am i correct ?

 

ip access-list extended VPN_ACL
 permit ip object-group EGCAI01_remote object-group EGCAI01_local

 

after testing... shall back to add other access lists > ? like below and without putting the object-group service ???

permit ip object-group EGCAI01_remote object-group Other-APPS

permit ip object-group EGCAI01_remote object-group SAP-Servers

permit ip object-group EGCAI01_remote object-group Wipro-DC

amr alrazzaz

No, that VPN_ACL does not change.

I was referring to creating an additional interface ACL or Zone-Based Firewall to restrict access over the VPN tunnel. On that ACL you can define the services (ports/protocols) - you just don't define the services used for the crypto ACL (VPN_ACL), which is merely used to establish the VPN.

thanks for your help :)

 

can i ask u when u free for sure :) i had sent to u the config file already if u can modify it on the config file and then send to me so ill copy paste it directly to my router 

 

just little bit confused with the port numbers and acl list that i configured specially when u said no need for object-group service :)  also creating an additional interface ACL or Zone-Based Firewall to restrict access over the VPN tunnel so if u can help to add too 

 

here u are again the config file just when ever u free modify what use its perfect :) thanks  

 

please do it when u free only .. i do excuse you :) thanks sir

amr alrazzaz