Hi, I'm trying to configure a LAN-to-LAN VPN on a Cisco VPN 3020. I need to configure it so that access between the local and remote networks is restricted to 3389 only when Phase 2 is negotiated, e.g. Source (Local network) 10.1.1.1, Dest (Remote Network) 10.2.2.2, tcp 3389.
I believe this needs to be set up via filters, but I can't find any similar configuration examples. Has anyone configured a similar setup, or can anyone confirm the correct way this should be configured?
That's great, I'll give it a go. Do you know if the filters are used during Phase 2 negotiation? The issue I have is that a third-party firewall, the remote end of the VPN, has the local/remote networks tied down to a port, and Phase 2 is failing because of this, so I need to ensure they're being sent during Phase 2 negotiations.
Honestly, I don't think so. I think the rules and filters as I have described them to you will work as an ACL applied to a proxy ID of 0.0.0.0/0:0.
I've never tried it the way you're suggesting, but there is an option in the rules where instead of 'drop' or 'pass' you can use apply IPSec.
I think that's your best bet.
Have the far end set up logging or debug when you try to connect and they should be able to tell you what proxy ID you are supplying when you try to connect, which will in turn tell you if you're on the right track.
You may even be able to tell from the logging on the 3020 as well, so it's worth looking there too.
I've tried applying the filter and the VPN still won't come up; it still fails at Phase 2. With the port blocking removed at the remote end it works OK. Does anyone know of any Cisco docs which advise whether this is supported or not?
It may not describe exactly what you are doing, but it has a good troubleshooting section and describes how you can turn on debugging for IKE on the concentrator. This *should* help you to isolate exactly what is causing the failure.