Cisco 2600 <-> Checkpoint ipsec vpn tunnel ACL port based

Unanswered Question
May 1st, 2007

Dear All,

In this post I have two questions related to my VPN config.


* ipsec VPN1 to third party with pki/rsa

** Tunnel over Loopback and use of NAT

* ipsec VPN2 to third party with sharedkey

** No tunnel direct routing / no nat


my questions are based on the config below:


* for VPN2, is the direct ipsec routing properly configured? I do see it working, but in most example configs I see the nonat section also applied. For me it also works without. Do I need it?


* for VPN2 I have this ACL section:

ip access-list extended vpn2add1
 permit ip internalsource mask destination mask


This works. But when I try to do this

ip access-list extended vpn2add1
 permit tcp internalsource mask destination mask eq www


then I don't get a VPN tunnel built up...!


Thus I am trying to enable only one protocol (www) over the VPN tunnel. But when I do this, the tunnel is not made. It only works when I do a permit IP; any attempt at filtering results in no VPN tunnel.


Is this normal? Is there a way around it? I tried searching many forums but didn't really see anyone with this problem, and they also use only permit IP.

This VPN tunnel is with a third party and I would like to block traffic from them and/or only enable traffic from us over a certain port.


Any help on this is greatly appreciated. I have been pulling my hair out for a couple of days now.


Thanks



cisco config:
-------------
crypto isakmp policy 1
 authentication rsa-encr
 lifetime 900
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key (***REMOVED***) address (***REMOVED***)
crypto isakmp key (***REMOVED***) address (***REMOVED***)
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set vpn1set1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2set esp-3des esp-sha-hmac
!
crypto map cryptomap1 local-address FastEthernet0/0
crypto map cryptomap1 1 ipsec-isakmp
 set peer (***REMOVED***)
 set security-association lifetime seconds 900
 set transform-set vpn1set1
 match address cryptomap1
crypto map cryptomap1 10 ipsec-isakmp
 set peer (***REMOVED***)
 set transform-set vpn2set
 set pfs group2
 match address vpn2add1
crypto map cryptomap1 11 ipsec-isakmp
 set peer (***REMOVED***)
 set transform-set vpn2set
 set pfs group2
 match address vpn2add2
!
interface Loopback1
 ip address (***TUNNELLOCALADDRESS***) 255.255.255.255
!
interface FastEthernet0/0
 ip address (***OUTSIDEIP***) 255.255.255.248
 no ip redirects
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map cryptomap1
!
interface FastEthernet0/1
 ip address (***LOCALROUTERIP***) 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
 no keepalive
!
ip nat inside source static (***LOCALADRESSOFSOURCESERVER***) (***DESTINATIONTUNNELNETWORK***)
ip classless
ip route 0.0.0.0 0.0.0.0 (***DEFAULTGW***)
ip route x.0.0.0 255.0.0.0 (***INSIDESUBNETGATEWAY***)
!
no ip http server
no ip http secure-server
!
ip access-list extended cryptomap1
 permit ip (***DESTINATIONTUNNELNETWORK***) 0.0.0.255 (***INSIDEVPNNETWORK***) 0.0.0.255
ip access-list extended vpn2add1
 permit ip (***INSIDENET1***) 0.0.0.255 (***remoteVPN2destinationet1***) 0.0.0.31
 permit ip (***INSIDENET2***) 0.0.0.255 (***remoteVPN2destinationet1***) 0.0.0.31
 permit ip host (***HOSTINSIDENET1***) (***remoteVPN2destinationet1***) 0.0.0.31
 permit ip host (***HOSTINSIDENET2***) (***remoteVPN2destinationet1***) 0.0.0.31
ip access-list extended vpn2add2
 permit ip (***INSIDENET1***) 0.0.0.255 (***remoteVPN2destinationet2***) 0.0.0.15
 permit ip (***INSIDENET2***) 0.0.0.255 (***remoteVPN2destinationet2***) 0.0.0.15
 permit ip host (***HOSTINSIDENET1***) (***remoteVPN2destinationet2***) 0.0.0.15
 permit ip host (***HOSTINSIDENET2***) (***remoteVPN2destinationet2***) 0.0.0.15
!




soulshepard.wazzaap Wed, 05/02/2007 - 01:48

I found my solution yesterday after all in a previous post.


Forum Topics > Conversations > outline >

VPN Service Architectures: alternative to permit-ipsec, not using PIX


http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af2.html


These documents refer to IOS 12.4.x; this version supports these commands on a crypto map. In the past I think you needed to open the ports on the outside interface. On 12.4.x this is not needed anymore.


crypto map (name) 1 ipsec-isakmp
 set ip access-group (address1-in) in
 set ip access-group (address1-out) out


Normally you would have:

ip access-list extended (address1)
 permit ip local/mask remote/mask


And now you can add filtering before the IPsec tunnel with the above-named access-group commands on the crypto map for your VPN:


ip access-list extended (address1-in)
 permit tcp remote/mask eq www local/mask
 permit icmp remote/mask local/mask echo-reply
 deny ip any any

ip access-list extended (address1-out)
 permit tcp local/mask remote/mask eq www
 permit icmp local/mask remote/mask echo
deny ip any any
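The pattern the thread arrives at (crypto ACL kept as plain "permit ip" so the phase 2 proxy identities match what the third-party peer proposes, with port filtering moved to "set ip access-group" on the crypto map entry) is easy to get wrong again on the next change, so here is an added example, not code from this thread or from Cisco: a small Python lint that parses the relevant parts of an IOS configuration and reports a crypto ACL that selects on anything other than ip, and crypto map entries that carry no inbound or outbound access-group filter. The two sample configs (BEFORE, the question's failing attempt; AFTER, the reply's layout) are constructed with documentation addresses and assumed ACL names, not the poster's real values.

```python
import re


def parse_ios(config):
    """Pull named extended ACLs and crypto map entries out of an IOS config.

    Returns (acls, cmaps):
      acls  - {acl_name: [entry lines such as 'permit ip ...']}
      cmaps - {(map_name, seq): {'match': acl, 'in': acl, 'out': acl}}
    Only the commands this check needs are understood; everything else is skipped.
    """
    acls = {}
    cmaps = {}
    current = None  # ('acl', name) or ('cmap', (name, seq)) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith('!'):
            current = None
            continue
        m = re.match(r'ip access-list extended (\S+)$', line)
        if m:
            acls.setdefault(m.group(1), [])
            current = ('acl', m.group(1))
            continue
        m = re.match(r'crypto map (\S+) (\d+) ipsec-isakmp$', line)
        if m:
            key = (m.group(1), int(m.group(2)))
            cmaps[key] = {'match': None, 'in': None, 'out': None}
            current = ('cmap', key)
            continue
        if current is None:
            continue
        kind, key = current
        word = line.split()[0]
        if kind == 'acl' and word in ('permit', 'deny', 'remark'):
            acls[key].append(line)
        elif kind == 'cmap' and word in ('set', 'match'):
            m = re.match(r'match address (\S+)$', line)
            if m:
                cmaps[key]['match'] = m.group(1)
            m = re.match(r'set ip access-group (\S+) (in|out)$', line)
            if m:
                cmaps[key][m.group(2)] = m.group(1)
        else:
            current = None  # any other top-level command ends the block
    return acls, cmaps


def lint(config):
    """Return a list of findings (strings); an empty list means the layout is clean."""
    acls, cmaps = parse_ios(config)
    findings = []
    for (name, seq), ent in sorted(cmaps.items()):
        tag = 'crypto map %s %d' % (name, seq)
        match_acl = ent['match']
        if match_acl is None:
            findings.append(tag + ': no "match address" ACL')
            continue
        # The crypto ACL is the proxy identity offered in phase 2: a port- or
        # protocol-specific entry only works if the peer proposes the same selector.
        for entry in acls.get(match_acl, []):
            parts = entry.split()
            if parts[0] == 'permit' and parts[1] != 'ip':
                findings.append('%s: crypto ACL %s selects on %s (%r); a peer that '
                                'proposes a plain subnet pair will reject phase 2'
                                % (tag, match_acl, parts[1], entry))
        # Per-tunnel filtering belongs in the access-group ACLs, one per direction.
        for direction in ('in', 'out'):
            acl = ent[direction]
            if acl is None:
                findings.append('%s: no "set ip access-group ... %s", so everything '
                                'the crypto ACL selects passes %sbound unfiltered'
                                % (tag, direction, direction))
            elif acl not in acls:
                findings.append('%s: access-group ACL %s is referenced but never defined'
                                % (tag, acl))
    return findings


# Constructed sample: the question's failing attempt, port filter inside the crypto ACL.
BEFORE = """
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set vpn2set
 match address vpn2add1
!
ip access-list extended vpn2add1
 permit tcp 10.1.1.0 0.0.0.255 198.51.100.0 0.0.0.31 eq www
!
"""

# Constructed sample: the reply's layout, plain-ip crypto ACL plus per-direction filters.
AFTER = """
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set vpn2set
 match address vpn2add1
 set ip access-group vpn2add1-in in
 set ip access-group vpn2add1-out out
!
ip access-list extended vpn2add1
 permit ip 10.1.1.0 0.0.0.255 198.51.100.0 0.0.0.31
ip access-list extended vpn2add1-in
 permit tcp 198.51.100.0 0.0.0.31 eq www 10.1.1.0 0.0.0.255
 permit icmp 198.51.100.0 0.0.0.31 10.1.1.0 0.0.0.255 echo-reply
 deny ip any any
ip access-list extended vpn2add1-out
 permit tcp 10.1.1.0 0.0.0.255 198.51.100.0 0.0.0.31 eq www
 permit icmp 10.1.1.0 0.0.0.255 198.51.100.0 0.0.0.31 echo
 deny ip any any
!
"""

if __name__ == '__main__':
    for label, cfg in (('before', BEFORE), ('after', AFTER)):
        print(label + ':')
        for finding in lint(cfg) or ['clean']:
            print('  ' + finding)
```

Run it against a saved "show running-config" and the BEFORE config produces three findings (the tcp selector in the crypto ACL and the missing in/out filters) while AFTER produces none. The inbound ACL matches on source port www because the remote side answers from that port; the crypto ACL itself stays a plain subnet pair.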




