1707 Views | 10 Helpful | 5 Replies

Site-to-site VPN example: how to configure it and how to add all destination IPs and port numbers to get access on it

amralrazzaz
Level 5

I need an example to configure a site-to-site VPN, and after configuring the site-to-site VPN on the 2911 ISR router I need to add all these destination IPs
and ports to the access list (how to configure this on the router, because I don't have a firewall for now) to allow traffic from my location (remote) to the main H.O.


-----------------------------------
Ports:

389/tcp
389/ldap
25/tcp
53/tcp
53/udp
67/udp
68/udp
88/udp
123/udp
135/tcp
137/udp
138/udp
139/udp
389/tcp
389/udp
445/tcp
445/udp
464/tcp
464/udp
636/tcp
3268/tcp
3269/tcp
5722/tcp
9389/tcp
49152-65535/tcp
49152-65535/udp
135/tcp
137/udp
138/udp
1433/tcp
1779/udp
2701/tcp
3268/tcp
445/tcp
445/udp
5080/tcp
5443/tcp
80/tcp
8530/tcp

Also, if from these destination IP addresses I have 4 IPs for one server (for example the SAP server):

10.33.0.217
10.37.1.248
10.34.1.7
10.81.157.101

can I put them in one group and then assign my local network to access this group,

just for more organization and to minimize the command lines? With these ports:

3200-3399/tcp
3600-3699/tcp
8000-8099/tcp
50000-59900/tcp

How to configure the site-to-site VPN and configure all these destination IP addresses (hosts) and network IDs plus port numbers?

amr alrazzaz
5 Replies

balaji.bandi
Hall of Fame

Here is the standard IOS-based router VPN config.

https://www.cisco.com/c/en/us/td/docs/security/vpn_modules/6342/vpn_cg/6342site3.html

You can have an ACL to control what ports to allow in the VPN tunnel by mentioning the Group of Services.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Can you give me an example of how to configure the following inputs, so I can do the rest the same or similar:

How to configure extended ACLs for the destination IPs below, with port numbers, to allow traffic from my remote location to the H.O location to access the SAP server.

My remote location network ID: 19.168.0.0/20

Destination IP addresses for the SAP server, for example, that need to be accessed at HO:

10.102.70.19
10.102.40.156
10.10.94.3
10.102.24.37
10.174.68.16
10.17.18.46
Port numbers:
3200-3399/tcp
3600-3699/tcp
8000-8099/tcp
50000-59900/tcp

I also need to have another line with the same, but with one IP host, which is

10.38.1.75

636/tcp
636/udp
647/tcp

Thanks

amr alrazzaz

Actually I have destination IP addresses with port numbers, and it needs an ACL to allow the IPsec VPN traffic between the remote location and H.O.

If you can give an example and how to create this, please.

Configuration on my router, ISR 2911.

Note: my side (remote location) is a router and the HO side is a firewall.

So if they configured all IP addresses and port numbers from their side to allow traffic to my site,

shall I add all these IPs with ports on my router, or just the IP addresses in the ACL?

Please check the attachment with the information.

amr alrazzaz

We have provided the example config for you to build the ACL; once you build that configuration, if there is any issue please post it so we can look and help further.

Here is another good configuration: VPN Filter

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/15-mt/sec-ipsec-data-plane-15-mt-book/sec-crypto-ac-clrtxt.html

BB


Can you please check the attached file?

I need the same configuration but on a router, because what I'm sharing is for a firewall!!

So if I need to make exactly the same config but on a router, how do I do that?


object network remotesite_LOCAL
subnet 10.245.160.0 255.255.224.0

object network NET-172.16
subnet 172.16.0.0 255.240.0.0

object network NET-192.168
subnet 192.168.0.0 255.255.0.0

object network NET-10
subnet 10.0.0.0 255.0.0.0

object network any-ipv4
subnet 0.0.0.0 0.0.0.0

object network |10.102.44.37
host 10.102.44.37
object network |10.102.40.156
host 10.102.40.156
object network |10.102.40.129
host 10.102.40.129
object network |10.102.44.23
host 10.102.44.23
object network |10.102.36.154
host 10.102.36.154
object network |10.174.168.46
host 10.174.168.46
object network |10.174.168.16
host 10.174.168.16
object network |10.220.189.171
host 10.220.189.171
object network |10.245.35.71
host 10.245.35.71
object network |10.215.12.21
host 10.215.12.21
object network |10.215.12.22
host 10.215.12.22
object network |10.215.12.23
host 10.215.12.23
object network |10.231.229.11
host 10.231.229.11
object network |10.81.157.101
host 10.81.157.101
object network |10.38.0.217
host 10.38.0.217
object network |10.38.0.162
host 10.38.0.162
object network |10.38.0.151
host 10.38.0.151
object network |10.39.0.21
host 10.39.0.21
object network |10.38.1.175
host 10.38.1.175
object network |10.89.31.140
host 10.89.31.140
object network |10.38.1.248
host 10.38.1.248
object network |10.207.224.5
host 10.207.224.5
object network |10.207.96.5
host 10.207.96.5
object network |10.232.199.57
host 10.232.199.57
object network |10.206.160.5
host 10.206.160.5
object network |10.81.28.82
host 10.81.28.82
object network |10.88.39.154
host 10.88.39.154
object network |10.88.39.152
host 10.88.39.152
object network |10.38.1.7
host 10.38.1.7
object network |10.207.111.2
host 10.207.111.2
object network |172.30.105.30
host 172.30.105.30
object network |172.30.108.207
host 172.30.108.207
object network |172.30.39.200
host 172.30.39.200
object network |172.30.197.20
host 172.30.197.20
object network |192.168.235.125
host 192.168.235.125
object network |10.102.0.0
subnet 10.102.0.0 255.255.0.0
----------
object-group network RFC1918-NETS
network-object object NET-10
network-object object NET-192.168
network-object object NET-172.16

object-group network DNS-Servers
network-object object |10.39.0.21
network-object object |10.39.0.11

object-group network SAP-Servers
network-object object |10.102.36.154
network-object object |10.102.40.129
network-object object |10.102.40.156
network-object object |10.102.44.23
network-object object |10.102.44.37
network-object object |10.174.168.16
network-object object |10.174.168.46
network-object object |10.207.111.2
network-object object |10.215.12.21
network-object object |10.220.189.171
network-object object |10.231.229.11
network-object object |10.245.35.71
network-object object |10.38.0.217
network-object object |10.38.1.248
network-object object |10.38.1.7
network-object object |10.81.157.101
network-object object |10.81.28.82
network-object object |10.88.39.152
network-object object |10.88.39.154
network-object object |10.89.31.140
network-object object |172.30.105.30
network-object object |172.30.108.207
network-object object |172.30.197.20
network-object object |172.30.39.200
network-object object |192.168.235.125
network-object object |10.207.224.5
network-object object |10.207.96.5
network-object object |10.215.12.22
network-object object |10.215.12.23
network-object object |10.232.199.57
network-object object |10.38.1.175

object-group network |s2sAclSrcNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
network-object object remotesite_LOCAL
object-group network |s2sAclDestNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055
network-object object NET-10
network-object object NET-192.168
network-object object NET-172.16
---------------------------
access-list NGFW_ONBOX_ACL remark rule-id 268435472: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435472: L5 RULE: Allow SAP access

access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 3200 3399 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 8000 8099 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 50000 59900 rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group SAP-Servers range 3600 3699 rule-id 268435472

access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Allow DNS Access
access-list NGFW_ONBOX_ACL advanced permit tcp object remotesite_LOCAL ifc outside object-group DNS-Servers eq domain rule-id 268435463
access-list NGFW_ONBOX_ACL advanced permit udp object remotesite_LOCAL ifc outside object-group DNS-Servers eq domain rule-id 268435463

access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Any-Test
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 268435459


access-list |s2sAcl|ffdca9e5-034c-11e9-8ca8-f51c2173f055 extended permit ip object-group |s2sAclSrcNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055 object-group |s2sAclDestNwgV4|ffdca9e5-034c-11e9-8ca8-f51c2173f055

---------------------------------------------------------------------

nat (any,outside) source static remotesite_LOCAL remotesite_LOCAL destination static NET-10 NET-10
nat (any,outside) source static remotesite_LOCAL remotesite_LOCAL destination static NET-172.16 NET-172.16
nat (any,outside) source static remotesite_LOCAL remotesite_LOCAL destination static NET-192.168 NET-192.168
nat (any,outside) source dynamic any-ipv4 interface
access-group NGFW_ONBOX_ACL global

amr alrazzaz
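A router-side (IOS) equivalent of the firewall object/object-group/ACL layout above, written as an added example rather than anything posted in the thread: the SAP hosts and the single LDAPS host from the earlier reply go into object-groups, a ports-free crypto ACL defines the tunnel traffic, and the per-port policy lives in a separate filter ACL. It assumes IOS 15.x object-group support on the 2911, takes the remote LAN as the poster's 19.168.0.0/20 exactly as written, and uses placeholders for the HO peer address and the pre-shared key.

```cisco
! Added example (not from the thread): IOS 15.x object-groups + ACLs + IPsec for
! the poster's ISR 2911. Remote LAN 19.168.0.0/20 as posted; <...> = placeholders.
object-group network SAP-SERVERS
 host 10.102.70.19
 host 10.102.40.156
 host 10.10.94.3
 host 10.102.24.37
 host 10.174.68.16
 host 10.17.18.46
object-group service SAP-PORTS
 tcp range 3200 3399
 tcp range 3600 3699
 tcp range 8000 8099
 tcp range 50000 59900
object-group service LDAPS-PORTS
 tcp eq 636
 udp eq 636
 tcp eq 647
! Crypto ACL = interesting traffic: subnets only, no ports. Both ends must agree
! on it (the HO side is the |s2sAcl| line: remote LAN -> NET-10/172.16/192.168).
ip access-list extended VPN-TRAFFIC
 permit ip 19.168.0.0 0.0.15.255 10.0.0.0 0.255.255.255
 permit ip 19.168.0.0 0.0.15.255 172.16.0.0 0.15.255.255
 permit ip 19.168.0.0 0.0.15.255 192.168.0.0 0.0.255.255
! Filter ACL = the per-host/per-port policy, one line per group (router side of
! the NGFW_ONBOX_ACL rules). Other traffic to HO ranges is denied and logged.
ip access-list extended VPN-FILTER
 permit object-group SAP-PORTS 19.168.0.0 0.0.15.255 object-group SAP-SERVERS
 permit object-group LDAPS-PORTS 19.168.0.0 0.0.15.255 host 10.38.1.75
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
! IPsec; the filter is applied to clear-text packets before encryption
! (the crypto access-check / "VPN filter" feature linked above).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address <HO-PEER-IP>
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer <HO-PEER-IP>
 set transform-set TS
 match address VPN-TRAFFIC
 set ip access-group VPN-FILTER out
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

This also answers the "just IPs, or IPs plus ports" question: the crypto ACL carries only subnets and must match what the HO firewall's |s2sAcl| expects, while the ports belong in VPN-FILTER (or, equivalently, in an inbound ACL on the LAN interface).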