HSRP Failover Cellular L2L IPSEC Tunnel to ASA

Unanswered Question
Mar 12th, 2010

I have a primary MPLS router doing HSRP with an 1841. The 1841 has an HWIC-3G-CDMA-V that I am using for the Internet connection. I really only need to create a tunnel from the 1841 to the ASA at my hub. The problem is that the cellular call is dropping as the VPN tunnel is establishing. This is due to a termination request (I TERMREQ) from Verizon, as they say I am leaking two private IP addresses to them: a 192. address that is the loopback of the MPLS router, and a 10.0.0.120 address that doesn't seem to be on my network anywhere. How do I block all other IPs trying to get out? I thought my access list should handle that the way I have it.

chat-script cdma "" "ATDT#777" TIMEOUT 60 CONNECT

crypto isakmp policy 35
encr 3des
authentication pre-share
group 2
crypto isakmp key greif address y.y.y.y no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 35 ipsec-isakmp
set peer y.y.y.y
set transform-set ESP-3DES-SHA
match address 120
!
!
!
!
!
!
interface FastEthernet0/0
description Eth to LAN Switch HSRP standby
ip address 192.1.3.10 255.255.255.0 secondary
ip address 10.104.33.253 255.255.248.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
standby 1 ip 192.1.3.1
standby 1 preempt
standby 2 ip 10.104.33.254
standby 2 preempt
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0/0/0
description Backup Link
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 3000
dialer string cdma
dialer-group 1
async mode interactive
no peer neighbor-route
no peer default ip address
ppp ipcp dns request
crypto map outside_map
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool branch x.x.x.x  x.x.x.x netmask 255.255.255.0
ip nat inside source route-map nonat pool branch overload
!
logging history debugging
access-list 120 permit ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 120 deny   ip any any
access-list 130 deny   ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
access-list 130 deny   ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 192.1.3.0 0.0.0.255 any
access-list 130 deny   ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 130 deny   ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 10.104.32.0 0.0.7.255 any
access-list 130 deny   ip any any
!
!
!
!
route-map nonat permit 10
match ip address 130
!

helka Fri, 03/12/2010 - 08:23

Router(config)#ip access-list extended outbound_cellular
Router(config-ext-nacl)#permit esp host host
Router(config-ext-nacl)#permit udp host host eq 500
Router(config-ext-nacl)#permit udp host host eq 4500

I am going to try and block everything but VPN traffic leaving the cellular interface.
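Added example (not part of the original thread or the poster's configuration): why the private sources escape, and an outbound filter that closes the hole. In the configuration posted above, NAT is driven by route-map nonat, whose ACL 130 only matches sources in 192.1.3.0/24 and 10.104.32.0/21, and the crypto ACL 120 only matches those same sources going to 10.110.0.0/16 and 172.22.0.0/16. A packet from any other source that reaches the 1841 and follows the default route (the MPLS router's loopback transiting via the LAN, or the unidentified 10.0.0.120) matches neither list, so it leaves Cellular0/0/0 untranslated and unencrypted, which is exactly what the carrier's TERMREQ is complaining about. Two caveats apply to an outbound ACL on an IOS crypto-map interface: it is evaluated against the cleartext packet after NAT but before the crypto map encrypts it (Cisco's documented order of operations places "check output access list" ahead of "encryption"), so an outbound ACL that permits only ESP and UDP 500/4500 would drop the LAN traffic the tunnel is meant to carry; and ISAKMP and ESP generated by the router itself are not subject to an outbound interface ACL at all. The filter below therefore permits the same flows ACL 120 selects for encryption, permits Internet traffic once it carries the NAT pool address, and logs and drops every other source. The ACL name OUTBOUND_CELLULAR is my choice; x.x.x.x and y.y.y.y are the placeholders used in the post.

```cisco
! Added example: outbound filter for the cellular link (not from the original thread).
! IOS inside-to-outside order of operations is
!   routing -> NAT inside-to-outside -> crypto map check -> OUTPUT ACL -> encryption
! so this ACL sees post-NAT, pre-encryption packets. Tunnel-bound flows must be
! permitted here in their cleartext form; the ESP and ISAKMP the router itself
! originates are not checked by an outbound interface ACL and need no entry.
ip access-list extended OUTBOUND_CELLULAR
 remark -- flows the crypto map encrypts to the hub ASA (same pairs as ACL 120)
 permit ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
 permit ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
 permit ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
 permit ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
 remark -- Internet traffic that has already been translated to the NAT pool address
 permit ip host x.x.x.x any
 remark -- anything else still carries an internal source: log it, then drop it
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any any log
!
interface Cellular0/0/0
 ip access-group OUTBOUND_CELLULAR out
!
! Optional (assumption: the negotiated cellular address may not equal the pool
! address x.x.x.x). Cellular0/0/0 is "ip address negotiated", so translating to
! the interface address avoids sourcing Internet traffic from an address the
! carrier did not assign:
!   no ip nat inside source route-map nonat pool branch overload
!   ip nat inside source route-map nonat interface Cellular0/0/0 overload
```

To find the two leaking sources, bring the link up with the filter applied and check `show access-lists OUTBOUND_CELLULAR` for hit counts on the deny lines and `show logging` for the %SEC-6-IPACCESSLOG* messages, which name the denied source and destination; that is the quickest way to learn where 10.0.0.120 is coming from. If NAT is moved to `interface Cellular0/0/0 overload` as in the optional block, the `permit ip host x.x.x.x any` line can no longer name a fixed address; in that case invert the tail of the ACL: after the four tunnel permits, deny 192.1.3.0/24, 10.104.32.0/21 and the RFC 1918 ranges with `log`, and end with `permit ip any any`, so only untranslated internal sources are dropped whatever address the carrier hands out.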
