Cisco Support Community
New Member

Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

Hi All,

I need help configuring the site-to-site VPN from a Cisco 2811 to the Websense Cloud for web traffic redirection.

The 2811 is running C2800NM-ADVIPSERVICESK9-M.

The 2811 router connects to the Internet SW, which then connects to the Internet router.

Note: For authentication I am using the Device ID and pre-shared key. I am worried, as all user traffic goes out with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue could be?

Below is router config for VPN & NAT

----------------------------------------------------------

crypto keyring ISR_Keyring
  pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
   keyring ISR_Keyring
   self-identity user-fqdn psk.hosted.00~16~9d~fb~8c~01@websense.com
   match identity user vpn-proxy.websense.net
!        
!
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
!
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
!

interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER

access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www

access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any

ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload

2 REPLIES
New Member

Can somebody please help me with this?

Silver

How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101?

Check

show crypto isakmp sa

show crypto ipsec sa

show crypto session

You'd better remove the preshared key from your post.
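
Added example, not part of the thread or of any poster's configuration: a small Python model of the source-address question raised in the reply above, evaluating the posted access-lists 103 (NAT) and 101 (crypto map) in the order IOS applies them on the inside-to-outside path, NAT first and the crypto map check second. Assumptions: the sample flows are constructed, and `route-map nonat` is not modelled because it is not shown in the post.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

SRC = ("192.168.8.0", "0.0.3.255")      # inside range used by ACL 101 and ACL 103
ANY = ("0.0.0.0", "255.255.255.255")
PAT_ADDR = "216.222.208.101"            # FastEthernet0/1 address used for overload

# (action, protocol, source, destination, destination port), copied from the post
ACL_101 = [("permit", "tcp", SRC, ANY, 80)]
ACL_103 = [("deny", "ip", SRC, (h, "0.0.0.0"), None)
           for h in ("85.115.41.187", "85.115.41.181", "85.115.41.182")]
ACL_103 += [("deny", "ip", SRC, d, None) for d in [
    ("86.111.216.0", "0.0.1.255"), ("116.50.56.0", "0.0.7.255"),
    ("86.111.220.0", "0.0.3.255"), ("103.1.196.0", "0.0.3.255"),
    ("177.39.96.0", "0.0.3.255"), ("196.216.238.0", "0.0.1.255")]]
ACL_103 += [("permit", "ip", SRC, ANY, None)]

def acl_permits(acl, proto, src, dst, dport):
    """First matching entry wins; no match means implicit deny."""
    for action, p, s, d, port in acl:
        if (p in ("ip", proto) and wild_match(src, *s)
                and wild_match(dst, *d) and port in (None, dport)):
            return action == "permit"
    return False

def trace(src, dst, dport, proto="tcp"):
    """Follow one inside-to-outside packet: NAT (ACL 103), then crypto ACL 101."""
    # Only "ip nat inside source list 103 ... overload" is modelled here;
    # the route-map nonat rule is not shown in the post.
    translated = acl_permits(ACL_103, proto, src, dst, dport)
    post_nat_src = PAT_ADDR if translated else src
    encrypted = acl_permits(ACL_101, proto, post_nat_src, dst, dport)
    return {"source_after_nat": post_nat_src, "matches_crypto_acl": encrypted}

if __name__ == "__main__":
    # Constructed sample flows: an arbitrary web server, then a host denied in ACL 103.
    for flow in [("192.168.9.20", "93.184.216.34", 80),
                 ("192.168.9.20", "85.115.41.187", 80)]:
        print(flow, trace(*flow))
```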
