05-11-2012 05:08 AM
Hi all,
I have an issue with a VPN tunnel which I am trying to solve in order to roll out across all our sites.
We have 70+ sites that are connected by VPN tunnel (all 1801 routers) back to our ASA firewalls. They are all set up in a similar way and allow the PCs at the remote sites to use our proxy for internet access and also access services hosted on our main site. We now have a requirement to link these remote sites, through the VPN tunnel, to a server hosted on the internet (the remote sites do not have direct internet access). I have made the changes on the ASA firewalls to allow this traffic out and, using Packet Tracer, this tests OK. I now need to alter the config of the remote routers (and the ASA end of the VPN) to allow this traffic, but I am not sure how!! I have tried adding a few rules into the ACLs but it did not work, so I thought I would ask the experts (routers are not my forte!!)
I have attached an example Router config below (with passwords hashed out). We need to allow the clients on the other end of the VPN access to 81.20.94.54 on port 5080.
Can anybody help!!!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname #######
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.96.112.1 10.96.112.127
!
ip dhcp pool hangar1
network 10.96.112.0 255.255.255.0
default-router 10.96.112.1
dns-server 128.200.1.101 128.200.1.103
!
!
ip cef
no ip domain lookup
ip domain name ####.####.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ##########################################
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key ########## address ###.###.###.###
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto map flybe 10 ipsec-isakmp
set peer 212.24.93.25
set transform-set ESP-AES-256-SHA
set pfs group5
match address 101
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan1
ip ssh version 2
!
!
!
interface Loopback0
ip address 91.85.220.134 255.255.255.255
!
interface ATM0
bandwidth 448
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
hold-queue 224 in
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
ip address 10.96.112.1 255.255.252.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip unnumbered Loopback0
ip access-group 121 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp chap hostname #######@#######.#####.####
ppp chap password #####################
crypto map #####
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Loopback0 overload
!
access-list 99 remark SSH Inbound
access-list 99 permit 128.200.9.71 log
access-list 99 permit 128.200.9.23 log
access-list 99 permit 128.200.9.239 log
access-list 99 permit 10.205.1.0 0.0.0.255 log
access-list 101 remark VPN tunnel
access-list 101 permit ip 10.96.112.0 0.0.3.255 10.128.0.0 0.0.3.255
access-list 101 permit ip 10.96.112.0 0.0.3.255 10.205.0.0 0.0.255.255
access-list 101 permit ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 remark noNAT
access-list 111 deny ip 10.96.112.0 0.0.3.255 10.128.0.0 0.0.3.255
access-list 111 deny ip 10.96.112.0 0.0.3.255 10.205.0.0 0.0.255.255
access-list 111 deny ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 permit ip 10.96.112.0 0.0.3.255 any
access-list 121 remark Dialer in
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 224.0.0.0 31.255.255.255 any
access-list 121 permit udp host 212.24.93.25 eq isakmp any eq isakmp
access-list 121 permit esp host 212.24.93.25 any
access-list 121 permit icmp any any echo-reply
access-list 121 permit ip 10.128.0.0 0.0.3.255 10.96.112.0 0.0.3.255
access-list 121 permit ip 10.205.0.0 0.0.255.255 10.96.112.0 0.0.3.255
access-list 121 permit ip 128.200.0.0 0.0.255.255 10.96.112.0 0.0.3.255
!
!
!
!
route-map nonat permit 10
match ip address 111
!
!
snmp-server community ###########
!
control-plane
!
!
line con 0
exec-timeout 15 0
login local
stopbits 1
line aux 0
exec-timeout 15 0
login local
stopbits 1
line vty 0 4
access-class 99 in
exec-timeout 5 0
privilege level 15
login local
transport input ssh
!
end
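To see why the new traffic never enters the tunnel with the config above, here is an added example (it is not from the thread, from Cisco, or from the poster) that walks a tcp/5080 flow through the three numbered ACLs the 1801 consults, in the order IOS applies them: the noNAT route-map ACL 111 (NAT happens before the crypto-map check, so a flow that gets translated to Loopback0 can no longer match ACL 101), the crypto-map ACL 101, and the inbound ACL 121 on Dialer1, which is also applied to the decrypted inner packet (that is why 121 already lists the 10.128/22, 10.205/16 and 128.200/16 ranges). The ACL lines are copied from the posted config; the three lines that `with_fix()` adds are an assumed fix, not something the thread confirms, and the client address 10.96.112.50 and the port numbers are constructed. The parser only models `eq` ports; `log`, ICMP types and `established` are ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text copied from the posted 1801 config (remark lines dropped).
POSTED_ACLS = """\
access-list 101 permit ip 10.96.112.0 0.0.3.255 10.128.0.0 0.0.3.255
access-list 101 permit ip 10.96.112.0 0.0.3.255 10.205.0.0 0.0.255.255
access-list 101 permit ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 deny ip 10.96.112.0 0.0.3.255 10.128.0.0 0.0.3.255
access-list 111 deny ip 10.96.112.0 0.0.3.255 10.205.0.0 0.0.255.255
access-list 111 deny ip 10.96.112.0 0.0.3.255 128.200.0.0 0.0.255.255
access-list 111 permit ip 10.96.112.0 0.0.3.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 224.0.0.0 31.255.255.255 any
access-list 121 permit udp host 212.24.93.25 eq isakmp any eq isakmp
access-list 121 permit esp host 212.24.93.25 any
access-list 121 permit icmp any any echo-reply
access-list 121 permit ip 10.128.0.0 0.0.3.255 10.96.112.0 0.0.3.255
access-list 121 permit ip 10.205.0.0 0.0.255.255 10.96.112.0 0.0.3.255
access-list 121 permit ip 128.200.0.0 0.0.255.255 10.96.112.0 0.0.3.255
"""
LOOPBACK0 = "91.85.220.134"   # 'ip nat inside source route-map nonat interface Loopback0 overload'
PORT_NAMES = {"isakmp": 500}

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _addr(t):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' -> (net, wildcard) as ints."""
    w = t.pop(0)
    if w == "any":
        return 0, 0xFFFFFFFF
    if w == "host":
        return int(ipaddress.IPv4Address(t.pop(0))), 0
    return int(ipaddress.IPv4Address(w)), int(ipaddress.IPv4Address(t.pop(0)))

def _port(t):
    """Consume an optional 'eq PORT'; gt/lt/range operators are not modelled here."""
    if t and t[0] == "eq":
        t.pop(0)
        name = t.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acl(number, config):
    """Return the entries of numbered extended ACL <number> in the order IOS evaluates them."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src = _addr(rest); sport = _port(rest)
        dst = _addr(rest); dport = _port(rest)   # trailing log / echo-reply / established ignored
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def _in(addr, net_wild):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wild = net_wild
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def acl_action(entries, flow):
    """First matching entry wins; no match is the implicit deny at the end of every ACL."""
    for action, proto, src, sport, dst, dport in entries:
        if proto not in ("ip", flow.proto) or not (_in(flow.src, src) and _in(flow.dst, dst)):
            continue
        if proto in ("tcp", "udp") and (sport not in (None, flow.sport) or dport not in (None, flow.dport)):
            continue
        return action
    return "deny"

def outbound_path(config, flow):
    """Inside -> Dialer1: IOS does inside-to-outside NAT before the crypto-map check, so a flow
    that route-map nonat lets NAT catch leaves with the Loopback0 address and can no longer
    match crypto ACL 101.  Returns (how it leaves, source address on the wire)."""
    if acl_action(parse_acl(111, config), flow) == "permit":        # ACL 111 permit = translate
        flow = Flow(flow.proto, LOOPBACK0, flow.dst, flow.sport, flow.dport)
    return ("tunnel" if acl_action(parse_acl(101, config), flow) == "permit" else "clear"), flow.src

def return_path(config, flow):
    """The server's reply arrives inside the tunnel; after decryption the inner packet is
    checked against the inbound ACL 121 on Dialer1, like the existing 10.x/128.200 traffic."""
    reply = Flow(flow.proto, flow.dst, flow.src, flow.dport, flow.sport)
    return acl_action(parse_acl(121, config), reply)

def with_fix(config):
    """Assumed fix (not confirmed by the thread): exempt the flow from NAT, add it to the crypto
    ACL and let the replies back in.  The noNAT deny must come before the 'permit ... any'
    line, so on the router ACL 111 has to be removed and re-entered in this order."""
    out = []
    for line in config.splitlines():
        if line.startswith("access-list 111 permit ip 10.96.112.0 0.0.3.255 any"):
            out.append("access-list 111 deny tcp 10.96.112.0 0.0.3.255 host 81.20.94.54 eq 5080")
        out.append(line)
    out.append("access-list 101 permit tcp 10.96.112.0 0.0.3.255 host 81.20.94.54 eq 5080")
    out.append("access-list 121 permit tcp host 81.20.94.54 eq 5080 10.96.112.0 0.0.3.255")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    pc = Flow("tcp", "10.96.112.50", "81.20.94.54", 40000, 5080)   # constructed client flow
    for label, cfg in (("posted", POSTED_ACLS), ("fixed", with_fix(POSTED_ACLS))):
        print(label, outbound_path(cfg, pc), "reply:", return_path(cfg, pc))
```

With the posted ACLs the flow is PAT'd to 91.85.220.134 and sent in the clear, and even if a reply came back through the tunnel ACL 121 would drop it; with the three added lines it is tunnelled with its 10.96.112.x source intact and the reply is permitted. Two caveats: numbered ACLs only append, so the ACL 111 deny has to be put in by removing and re-creating the list (or converting it to a named ACL with sequence numbers); and the ASA end needs the mirror image of the new crypto ACL entry, and, because the traffic re-exits the ASA's outside interface, it typically also needs `same-security-traffic permit intra-interface` and a NAT rule for 10.96.112.0/22 towards the internet, which the Packet Tracer test on the ASA would already have exercised. Using `permit ip ... host 81.20.94.54` instead of `tcp ... eq 5080` in the crypto ACL would carry everything to that host, if that is preferred.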
05-11-2012 06:15 AM
Try removing this
access-list 121 permit udp host 212.24.93.25 eq isakmp any eq isakmp
and add
access-list 121 permit udp host 212.24.93.25 any eq isakmp
access-list 121 permit udp host 212.24.93.25 any eq 4500
Sent from Cisco Technical Support iPhone App
05-11-2012 06:34 AM
I have added those two lines; still no luck, I am afraid!!
Tim
05-15-2012 12:45 AM
Still struggling with this, if anyone has any ideas??