Cisco Support Community
New Member

Tunnel All IPSEC Traffic

G'Day.

We're setting up a L2L VPN from a 837 to a ASA5510. The tunnel is working fine, however I would like to have all traffic tunnel between the sites. We will have approximately 15 sites when done. I have tried to change the crypto ACL on the router to any any, however the ASA reports that there is no match. Can anyone add some input? The reason for this is that we need to control all routing and connectivity from the central site. Some sites are independent, but passing all traffic through the central site allows us to control security better.

Could this also be achieved by using a route map and just adding all traffic to the ACL? I'd rather just tunnel everything. Router config below.

Thank you in advance

Current configuration : 3537 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname AAA
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret xxx
enable password xxx
!
no aaa new-model
!
resource policy
clock timezone GMT 2
no ip source-route
!
ip cef
no ip domain lookup
ip domain name local
no ip bootp server
!
! IKE phase 1 policy and pre-shared key for the ASA peer
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxx address XXX.XXX.XXX.XXX
crypto isakmp keepalive 60
!
! IPsec phase 2 transform set
crypto ipsec transform-set pix-set esp-3des esp-md5-hmac
!
! crypto map: peer, transform set and crypto (interesting traffic) ACL 101
crypto map pix 10 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set pix-set
 match address 101
!
interface Ethernet0
 ip address 190.99.x.x 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
! WAN interface: inbound filter 102, NAT outside, crypto map applied here
interface Dialer1
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username online509526@xxx.net password xxx
 crypto map pix
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
! PAT everything except what route-map nonat (ACL 110) denies
ip nat inside source route-map nonat interface Dialer1 overload
!
! crypto ACL: LAN-to-LAN interesting traffic
access-list 101 permit ip 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255
! inbound WAN filter: allow decrypted L2L traffic, IKE, NAT-T, ESP; drop bogons
access-list 102 remark WAN
access-list 102 permit ip 192.99.99.0 0.0.0.255 190.99.99.0 0.0.0.255
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 198.18.0.0 0.1.255.255 any
access-list 102 deny ip 224.0.0.0 0.15.255.255 any
access-list 102 deny ip any host 255.255.255.255
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit icmp any any echo-reply
access-list 102 deny ip any any log
access-list 102 remark WAN
! NAT exemption: VPN traffic is not translated, everything else is
access-list 110 deny ip 190.99.99.0 0.0.0.255 192.99.99.0 0.0.0.255
access-list 110 permit ip 190.99.99.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 110
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 length 0
 transport input telnet ssh
 transport output none
!
end

1 REPLY
Cisco Employee

Re: Tunnel All IPSEC Traffic

Richard,

"Any Any" is not good when doing IPSEC Tunnels.

What you need to do is "Specific Network to Any".

For example, if the LAN side on the 837 is 190.99.99.0 255.255.255.0, then you need to configure your IPSEC interesting traffic like:

access-list 101 permit ip 190.99.99.0 0.0.0.255 any

This way, all traffic, including internet traffic, is destined to the ASA. On the ASA, you need to mirror the ACL:

access-list 101 permit ip any 190.99.99.0 0.0.0.255

In the above case, since all traffic from 190.99.99.0/24 is destined to the ASA, you may have to look into your design, routing and NAT so the users can have access to the internet.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **
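As an added check that is not part of the thread: a small Python script that normalises IOS wildcard-mask ACEs and ASA subnet-mask ACEs to the same form and reports which router crypto ACEs have no exact mirror image on the ASA. That missing mirror is the mismatch behind the "no match" in the question and the reason the reply insists on mirroring the ACL. The ACL lines are the ones quoted in the thread; the function names and the `extended` ASA syntax are my assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_prefix(addr, wildcard):
    """IOS ACLs use wildcard masks (0 = must match); invert to a subnet mask."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def parse_ace(line, ios_wildcard):
    """Return (src, dst) networks from a 'permit <proto> SRC DST' ACE.
    SRC/DST may be 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; with ios_wildcard
    the mask is an IOS wildcard, otherwise an ASA-style subnet mask."""
    toks = line.split()
    i = toks.index("permit") + 2          # skip the protocol keyword
    nets = []
    while len(nets) < 2:
        if toks[i] == "any":
            nets.append(ANY)
            i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32"))
            i += 2
        elif ios_wildcard:
            nets.append(wildcard_to_prefix(toks[i], toks[i + 1]))
            i += 2
        else:
            nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False))
            i += 2
    return nets[0], nets[1]


def unmirrored(router_acl, asa_acl):
    """Router ACEs whose (dst, src) swap is not present on the ASA side."""
    asa = {parse_ace(l, ios_wildcard=False) for l in asa_acl}
    return [l for l in router_acl if parse_ace(l, ios_wildcard=True)[::-1] not in asa]


# Constructed sample: the reply's tunnel-all ACL on the 837 and its ASA mirror.
ROUTER_ACL = ["access-list 101 permit ip 190.99.99.0 0.0.0.255 any"]
ASA_ACL = ["access-list 101 extended permit ip any 190.99.99.0 255.255.255.0"]
# The original 'any any' attempt has no mirror, which is what the ASA rejects.
ANY_ANY = ["access-list 101 permit ip any any"]

if __name__ == "__main__":
    print("tunnel-all mirrored:", unmirrored(ROUTER_ACL, ASA_ACL) == [])
    print("flagged:", unmirrored(ANY_ANY, ASA_ACL))
```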
