Problem using Security Manager to deploy VPN at Remote Office

Unanswered Question
Aug 24th, 2007
I am trying to use Security Manager v3.1 to deploy the following configuration.


Corporate Office with IOS Router - network 10.0.0.0/8

Remote Office with IOS Router - network 192.168.1.0/24


I set up the Remote Office with NAT so the users at the Remote Office can access the internet. They have a small pool of routable Internet IP addresses, so I needed to set up a Dynamic Rule in the NAT settings to use Port Translation. Under Traffic Flow I created a simple Access List to permit the inside network 192.168.1.0/24 to any.


At this point the remote office was able to access the internet just fine.


I then created a DMVPN for the Remote Office and Corporate Office; this works fine as well. When the configuration is deployed, the Traffic Flow access list mentioned above has a deny added from 192.168.1.0/24 to 10.0.0.0/8 so that the DMVPN traffic is not NAT'ed.


Again, this works fine: people can access the internet as well as resources at the Corporate Office.


The Access List for the Traffic Flow of the NAT Dynamic Rules looks like the following; this is what is deployed to the router.

deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255

permit ip 192.168.1.0 0.0.0.255 any



The next piece that doesn't work so well is when I wanted to add a Remote Access VPN to the Remote Office router. I created a User Group Policy with an IP Address Pool of 172.16.10.0/24.

When I deploy this to the router, the NAT access list does not get updated to include a deny for the 172.16.10.0/24 network. Based on what I read in the manual, I needed to add this manually to the NAT Dynamic Rules Traffic Flow access list. I added a line to the access list of deny 192.168.1.0/24 to 172.16.10.0/24.


Regardless of moving this up or down, the resulting access list that gets generated looks like the following:


deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255

permit ip 192.168.1.0 0.0.0.255 any

deny ip 192.168.1.0 0.0.0.255 172.16.10.0 0.0.0.255


Like I mentioned, I have tried to change the order in the Access List of the Dynamic Rules Traffic Flow, and the generated access list does not appear to honor my ordering.


Any help on this would be greatly appreciated.

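The ordering problem in the post comes down to how IOS evaluates an access list referenced by `ip nat inside source list`: entries are checked top to bottom, the first match wins, a `permit` means "translate this flow", a `deny` means "pass it untranslated", and anything unmatched hits the implicit deny at the end. A `deny` placed after `permit ip 192.168.1.0 0.0.0.255 any` can therefore never match. The following is an added example, not code from the original post or from Security Manager; it is a small Python model of that first-match evaluation over IOS-style wildcard masks, run against the generated list from the post and a correctly ordered one. The test addresses (a LAN host, a Corporate host, a VPN-pool address, a public address) are constructed for illustration.

```python
import ipaddress

# The access list exactly as the poster says Security Manager generated it.
GENERATED_ACL = """
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.1.0 0.0.0.255 172.16.10.0 0.0.0.255
"""

# The same three entries with every NAT-exemption deny ahead of the catch-all permit.
FIXED_ACL = """
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.1.0 0.0.0.255 172.16.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
"""


def _wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Turn IOS-style ACL lines into (action, proto, src, dst, original_line) tuples."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        entries.append((action, proto, src, dst, line))
    return entries


def acl_lookup(entries, src_ip, dst_ip):
    """First match wins; an unmatched flow hits the implicit deny."""
    for action, _proto, src, dst, line in entries:
        if _wildcard_match(src_ip, *src) and _wildcard_match(dst_ip, *dst):
            return action, line
    return "deny", "(implicit deny)"


def will_be_natted(acl_text, src_ip, dst_ip):
    """For an 'ip nat inside source list' ACL, permit = translate, deny = leave alone."""
    action, _ = acl_lookup(parse_acl(acl_text), src_ip, dst_ip)
    return action == "permit"


def compare_orderings(src_ip="192.168.1.10"):
    """Return {destination: (natted_with_generated_acl, natted_with_fixed_acl)}."""
    # Constructed destinations: Corporate LAN, remote-access VPN pool, public internet.
    destinations = ["10.1.2.3", "172.16.10.5", "198.51.100.7"]
    return {
        dst: (will_be_natted(GENERATED_ACL, src_ip, dst), will_be_natted(FIXED_ACL, src_ip, dst))
        for dst in destinations
    }


if __name__ == "__main__":
    for dst, (gen, fixed) in compare_orderings().items():
        print(f"192.168.1.10 -> {dst}: generated order NATs={gen}, fixed order NATs={fixed}")
```

Running it shows the failure the poster describes: with the generated order, traffic from 192.168.1.0/24 to the 172.16.10.0/24 pool is still translated because the `permit ... any` above it matches first, while the DMVPN exemption for 10.0.0.0/8 works only because its `deny` happens to sit above the permit. Moving the pool `deny` above the permit (the FIXED_ACL ordering) is what the running configuration needs, however the tool chooses to render it.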
bwalchez Thu, 08/30/2007 - 09:39
I think it is very important to know that Security Manager allows you to import the configurations of remote access VPN policies during policy discovery. You can discover configurations on devices that are already deployed in your remote access VPN network, so that Security Manager can manage them. These configurations are imported into Security Manager as remote access VPN policies. For more information, please see the following URL:

http://www.cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00807e86ea.html#wp1156527

