Cisco 1801 VPN to ASA 5550

Tim Hamblin
Level 1

Hi all,

I have an issue with a VPN tunnel which I am trying to solve in order to rollout across all our sites.

We have 70+ sites that are connected by VPN tunnel (all 1801 routers) back to our ASA firewalls.  They are all set up in a similar way and allow the PCs at the remote sites to use our proxy for internet access and also access services hosted on our main site.  We now have a requirement to link these remote sites, through the VPN tunnel, to a server hosted on the internet (the remote sites do not have direct internet access).  I have made the changes on the ASA firewalls to allow this traffic out and, using Packet Tracer, this tests ok.  I now need to alter the config of the remote routers (and the ASA end of the VPN) to allow this traffic, but I am not sure how!!  I have tried adding a few rules into the ACLs but it did not work, so thought I would ask the experts (routers are not my forte!!)

I have attached an example Router config below (with passwords hashed out).  We need to allow the clients on the other end of the VPN access to 81.20.94.54 on port 5080.

Can anybody help!!!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname #######
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.96.112.1 10.96.112.127
!
ip dhcp pool hangar1
   network 10.96.112.0 255.255.255.0
   default-router 10.96.112.1
   dns-server 128.200.1.101 128.200.1.103
!
!
ip cef
no ip domain lookup
ip domain name ####.####.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ##########################################
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ########## address ###.###.###.###
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto map flybe 10 ipsec-isakmp
 set peer 212.24.93.25
 set transform-set ESP-AES-256-SHA
 set pfs group5
 match address 101
!
archive
 log config
  hidekeys
!
!
ip tftp source-interface Vlan1
ip ssh version 2
!
!
!
interface Loopback0
 ip address 91.85.220.134 255.255.255.255
!
interface ATM0
 bandwidth 448
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 hold-queue 224 in
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
 ip address 10.96.112.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip unnumbered Loopback0
 ip access-group 121 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp chap hostname #######@#######.#####.####
 ppp chap password #####################
 crypto map #####
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Loopback0 overload
!
access-list 99 remark SSH Inbound
access-list 99 permit 128.200.9.71 log
access-list 99 permit 128.200.9.23 log
access-list 99 permit 128.200.9.239 log
access-list 99 permit 10.205.1.0 0.0.0.255 log
access-list 101 remark VPN tunnel
access-list 101 permit ip 10.96.112.0 0.0.3.255 10.128.0.0 0.0.3.255
access-list 101 permit ip 10.96.112.0 0.0.3.255 10.205.0.0 0.0.255.255
access-list 101 permit ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 remark noNAT
access-list 111 deny   ip 10.96.112.0 0.0.3.255 10.128.0.0 0.0.3.255
access-list 111 deny   ip 10.96.112.0 0.0.3.255 10.205.0.0 0.0.255.255
access-list 111 deny   ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 permit ip 10.96.112.0 0.0.3.255 any
access-list 121 remark Dialer in
access-list 121 deny   ip 127.0.0.0 0.255.255.255 any
access-list 121 deny   ip 224.0.0.0 31.255.255.255 any
access-list 121 permit udp host 212.24.93.25 eq isakmp any eq isakmp
access-list 121 permit esp host 212.24.93.25 any
access-list 121 permit icmp any any echo-reply
access-list 121 permit ip 10.128.0.0 0.0.3.255 10.96.112.0 0.0.3.255
access-list 121 permit ip 10.205.0.0 0.0.255.255 10.96.112.0 0.0.3.255
access-list 121 permit ip 128.200.0.0 0.0.255.255 10.96.112.0 0.0.3.255
!
!
!
!
route-map nonat permit 10
 match ip address 111
!
!
snmp-server community ###########
!
control-plane
!
!
line con 0
 exec-timeout 15 0
 login local
 stopbits 1
line aux 0
 exec-timeout 15 0
 login local
 stopbits 1
line vty 0 4
 access-class 99 in
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
!
end
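To see which of the posted lists decides the fate of a packet bound for 81.20.94.54, here is an added walk-through (my own example, not part of Tim's config or any Cisco tool) that replays the router's outbound order of operations in Python: the `nonat` route-map consults ACL 111 first, and only afterwards does the crypto map test ACL 101. The `AFTER` text is a candidate change and an assumption, not a verified fix; the client address 10.96.112.50 is constructed, and only the 128.200.0.0 entries of the two lists are reproduced since the 10.128 and 10.205 entries behave the same way.

```python
import ipaddress

# Constructed model of the 1801's outbound path: route-map nonat (ACL 111) decides
# NAT before the crypto map consults ACL 101, so any destination not denied in 111
# is rewritten to Loopback0 first and can then never match the crypto ACL.
BEFORE = """
access-list 101 permit ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 deny   ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 permit ip 10.96.112.0 0.0.3.255 any
"""
# Candidate change (assumption, not a verified fix): the new deny must precede the catch-all permit.
AFTER = BEFORE.replace("access-list 111 permit",
    "access-list 111 deny   ip 10.96.112.0 0.0.3.255 host 81.20.94.54\naccess-list 111 permit"
) + "access-list 101 permit ip 10.96.112.0 0.0.3.255 host 81.20.94.54\n"
LOOPBACK0 = "91.85.220.134"  # from 'ip nat inside source route-map nonat interface Loopback0 overload'

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _spec(tok):
    """Consume one address spec (any | host A | A WILDCARD) -> (addr, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))
def parse_acls(text):
    """Numbered 'ip' ACEs -> {number: [(action, src, dst), ...]} in listed order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # remarks and the udp/esp/icmp entries of ACL 121 are not modelled
        rest = tok[4:]
        src = _spec(rest)   # consumes the source tokens, leaving the destination
        acls.setdefault(tok[1], []).append((tok[2], src, _spec(rest)))
    return acls
def lookup(acl, s, d):
    """First matching ACE wins; IOS appends an implicit deny. Wildcard 1-bits are don't-care."""
    hit = lambda x, spec: (x & ~spec[1] & 0xFFFFFFFF) == (spec[0] & ~spec[1] & 0xFFFFFFFF)
    return next((act for act, src, dst in acl if hit(s, src) and hit(d, dst)), "deny")
def trace(acls, src, dst):
    """Classify an inside packet: 'tunnel', 'nat-internet' (translated, cleartext) or 'cleartext'."""
    s, d = _ip(src), _ip(dst)
    natted = lookup(acls["111"], s, d) == "permit"  # route-map nonat: permit => translate
    if natted:
        s = _ip(LOOPBACK0)                          # source is now Loopback0, so 101 cannot match
    if lookup(acls["101"], s, d) == "permit":
        return "tunnel"
    return "nat-internet" if natted else "cleartext"
```

Return traffic still has to be admitted by ACL 121 on Dialer1, following the pattern the posted list already uses for the other remote networks, and the ASA's crypto ACL and NAT exemption need the mirror-image entries for 81.20.94.54.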

3 Replies

Punit Jethva
Level 1

Try removing this

access-list 121 permit udp host 212.24.93.25 eq isakmp any eq isakmp

and add

access-list 121 permit udp host 212.24.93.25 any eq isakmp

access-list 121 permit udp host 212.24.93.25 any eq 4500

Sent from Cisco Technical Support iPhone App

Have added those 2 lines, still no luck I am afraid!!

Tim

Tim Hamblin
Level 1

Still struggling with this if anyone has any ideas??
