Cisco Support Community
New Member

HSRP Failover Cellular L2L IPSEC Tunnel to ASA

I have a primary MPLS router doing HSRP with an 1841. The 1841 has an HWIC-3G-CDMA-V that I am using for the internet connection. I really only need to create a tunnel from the 1841 to the ASA at my Hub. The problem is that the cellular call is dropping as the VPN tunnel is establishing. This is due to a (I TERMREQ) termination request from Verizon, as they say I am leaking 2 private IP addresses to them: a 192. that is the loopback of the MPLS router, and a 10.0.0.120 address that doesn't seem to be on my network anywhere. How do I block all other IPs trying to get out? I thought my access list should handle that the way I have it.

chat-script cdma "" "ATDT#777" TIMEOUT 60 CONNECT

crypto isakmp policy 35
encr 3des
authentication pre-share
group 2
crypto isakmp key greif address y.y.y.y no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 35 ipsec-isakmp
set peer y.y.y.y
set transform-set ESP-3DES-SHA
match address 120
!
!
!
!
!
!
interface FastEthernet0/0
description Eth to LAN Switch HSRP standby
ip address 192.1.3.10 255.255.255.0 secondary
ip address 10.104.33.253 255.255.248.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
standby 1 ip 192.1.3.1
standby 1 preempt
standby 2 ip 10.104.33.254
standby 2 preempt
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0/0/0
description Backup Link
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 3000
dialer string cdma
dialer-group 1
async mode interactive
no peer neighbor-route
no peer default ip address
ppp ipcp dns request
crypto map outside_map
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool branch x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat inside source route-map nonat pool branch overload
!
logging history debugging
access-list 120 permit ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 120 deny   ip any any
access-list 130 deny   ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
access-list 130 deny   ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 192.1.3.0 0.0.0.255 any
access-list 130 deny   ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 130 deny   ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 10.104.32.0 0.0.7.255 any
access-list 130 deny   ip any any
!
!
!
!
route-map nonat permit 10
match ip address 130
!

1 REPLY
New Member

Re: HSRP Failover Cellular L2L IPSEC Tunnel to ASA

Router(config)#ip access-list extended outbound_cellular
Router(config-ext-nacl)#permit esp host host
Router(config-ext-nacl)#permit udp host host eq 500
Router(config-ext-nacl)#permit udp host host eq 4500

I am going to try and block everything but VPN traffic leaving the cellular interface.
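As an added illustration (not code from either poster), this Python model runs sample flows through the posted crypto ACL 120 and NAT route-map ACL 130 and then through the egress ACL proposed in the reply, showing which sources would leave Cellular0/0/0 untranslated with an RFC 1918 address and which the egress ACL would drop. It assumes constructed stand-ins for the redacted cellular, NAT pool and ASA addresses, a constructed 192.168.x address for the MPLS router's loopback, and that the egress ACL is evaluated on the packet as it appears on the wire (an output ACL on a crypto-map interface can be checked before encryption on IOS, so confirm the order of operations for the release in use).

```python
import ipaddress
# Copies of ACL 120 (crypto map match) and ACL 130 (route-map nonat) from the posted config.
ACL_120 = """permit ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
permit ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
permit ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255"""
ACL_130 = """deny   ip 192.1.3.0 0.0.0.255 10.110.0.0 0.0.255.255
deny   ip 192.1.3.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.1.3.0 0.0.0.255 any
deny   ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
deny   ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
permit ip 10.104.32.0 0.0.7.255 any"""
# Constructed stand-ins: CELL = the Cellular0/0/0 address (also the NAT pool, x.x.x.x on the
# page), PEER = the ASA (y.y.y.y). EGRESS is the reply's proposed ACL with those hosts filled in.
CELL, PEER = "198.51.100.10", "203.0.113.1"
EGRESS = f"""permit esp host {CELL} host {PEER}
permit udp host {CELL} host {PEER} eq 500
permit udp host {CELL} host {PEER} eq 4500"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _addr(tok):  # pop one IOS address spec: any | host A | A WILDCARD -> (addr, wildcard)
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _match(addr, spec, wild):
    a, s, w = (int(ipaddress.ip_address(x)) for x in (addr, spec, wild))
    return (a & ~w) == (s & ~w)  # IOS wildcard: a 1 bit means "don't care"

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for line in acl.splitlines():
        action, proto, *rest = line.split()
        (sa, sw), (da, dw) = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        if proto in ("ip", pkt["proto"]) and _match(pkt["src"], sa, sw) \
                and _match(pkt["dst"], da, dw) and port in (None, pkt.get("dport")):
            return action
    return "deny"

def egress(pkt):
    """Cellular0/0/0 egress: ESP if crypto ACL 120 matches, else NAT if route-map nonat permits,
    else the packet leaves with its real source. Returns (wire_src, leaks_rfc1918, dropped)."""
    if evaluate(ACL_120, pkt) == "permit":
        wire = {"src": CELL, "dst": PEER, "proto": "esp"}
    else:  # NAT only when route-map nonat permits; anything else goes out untranslated
        wire = dict(pkt, src=CELL if evaluate(ACL_130, pkt) == "permit" else pkt["src"])
    leaks = any(ipaddress.ip_address(wire["src"]) in n for n in RFC1918)
    return wire["src"], leaks, evaluate(EGRESS, wire) == "deny"
```

Sources that match neither ACL 120 nor ACL 130 (the model's 192.168.x loopback and 10.0.0.120) exit untranslated, which is the leak the carrier reported; the VPN-only egress ACL drops them, but it also drops NATed LAN-to-internet traffic, which is what the reply intends.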
