Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
437
Views
0
Helpful
7
Replies

VPN ACL help

Andy White
Level 3
Level 3

‎09-10-2014 12:16 AM

Hello,

I have a VPN set up between a Cisco 887 DSL router and an ASA.  All the traffic from the 877 is encrypted and send to the ASA and it all works.  I've been ask to not encrypt the Internet traffic and send it over the VPN to th ASA which it does at the moment and uses the Internet gateway frojm there, can I use the local DSL Internet?

 

Config:

interface Dialer0
 ip address negotiated
 ip access-group inbound_acl in

ip access-list extended inbound_acl
 permit ahp host 81.170.156.1 any
 permit esp host 81.170.156.1 any
 permit udp host 81.170.156.1 any eq isakmp
 permit udp host 81.170.156.1 any eq non500-isakmp
 deny   icmp any any timestamp-request
 deny   icmp any any timestamp-reply
 permit icmp any any
 permit udp host 158.43.128.33 any eq ntp
 permit tcp host 81.170.156.1 any eq telnet log
 permit tcp host 81.170.156.1 any eq 22 log
 permit tcp host 81.170.156.1 any eq ftp-data log
 permit tcp host 81.170.156.1 any eq ftp log
 permit tcp host 81.170.156.1 any eq www log
 permit tcp host 81.170.156.1 any eq 443 log
 deny   ip any any log

ip route 0.0.0.0 0.0.0.0 Dialer0

Thanks

Labels:
0 Helpful
7 Replies 7

Raja Periyasamy
Level 1
Level 1

‎09-10-2014 12:32 AM

Hi,

  If you want to send only the local lan to remote lan traffic across the site to site tunnel and the internet traffic across the local isp circuit you will have to change the crypto ACL by removing the any from the acl and configure the LAN subnets on it.

By doing this you can make sure that only the local lan to remote lan traffic is encrypted and the rest go through the local ISP. 

Also Dynamic PAT has to be enabled so that the local lan can use the wan interface ip to go to internet.

Hope that helps.

0 Helpful

Andy White
Level 3
Level 3
In response to Raja Periyasamy

‎09-10-2014 01:48 AM

Hi,

 

Something like this:

PAT

 

interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip nat outside
 dialer pool 1
 dialer-group 1

 

ip nat inside source list 101 interface Dialer1 overload

 

access-list 101 permit ip 192.168.200.0 0.0.0.255 any

 

Regarding the any statement in my ACL, which one are you reffering to that I remove?

 

Thanks

0 Helpful

Raja Periyasamy
Level 1
Level 1
In response to Andy White

‎09-10-2014 07:29 AM

Acl 101 is the NAT acl. It will depend on your complete VPN configuration. I could suggest the changes if you can share the entire VPN and NAT configuration.

0 Helpful

Andy White
Level 3
Level 3
In response to Raja Periyasamy

‎09-10-2014 07:38 AM

No problem.

 

!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname f1841
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
enable secret 5 $1$5MBpJoWpP0PTv0
!
no aaa new-model
clock timezone utc 0
clock summer-time bst recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
ip nbar port-map citrix tcp 2598 
no ip dhcp use vrf connected
ip dhcp excluded-address 172.19.10.1 172.19.10.10
!
ip dhcp pool Client
   network 172.19.10.0 255.255.255.0
   dns-server 192.168.21.10 192.168.21.11 
   default-router 172.19.10.1 
   lease 0 2
!
!
ip domain name corpdomain.com
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login on-failure log
login on-success log
!
!
crypto pki trustpoint TP-self-signed-374463676
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-374463676
 revocation-check none
 rsakeypair TP-self-signed-374463676
!
  quit
archive
 log config
  logging enable
  logging size 200
  hidekeys
!
!
ip tftp source-interface FastEthernet0/0
ip ssh version 2

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key -------- address 80.171.156.*
!
!
crypto ipsec transform-set CBSO_T_Set esp-aes 256 esp-sha-hmac 
!
crypto map CBSO_Crypto_Map 10 ipsec-isakmp 
 set peer 80.171.156.*
 set security-association lifetime seconds 86400
 set transform-set CBSO_T_Set 
 set pfs group5
 match address 101
!
!
!
interface FastEthernet0/0
 ip address 172.19.10.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip inspect outbound in
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip unreachables
 ip nbar protocol-discovery
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 128
 atm restart timer 300
 no atm ilmi-keepalive
 dsl operating-mode auto 
 cdp enable
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer1
 ip address negotiated
 ip access-group inbound in
 no ip unreachables
 ip nbar protocol-discovery
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ---
 ppp chap password 7 ----
 ppp pap sent-username --- password 7 ---
 crypto map CBSO_Crypto_Map
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.28.136 9996
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 30000
!
no ip http server
no ip http secure-server
!
ip access-list extended inbound
 permit ahp host 80.171.156.* any
 permit esp host 80.171.156.* any
 permit udp host 80.171.156.* any eq isakmp
 permit udp host 80.171.156.* any eq non500-isakmp
 deny   icmp any any timestamp-request
 deny   icmp any any timestamp-reply
 permit icmp any any
 permit udp host 158.43.128.33 any eq ntp
 permit tcp host 80.171.156.* any eq telnet log
 permit tcp host 80.171.156.* any eq 22 log
 permit tcp host 80.171.156.* any eq ftp-data log
 permit tcp host 80.171.156.* any eq ftp log
 permit tcp host 80.171.156.* any eq www log
 permit tcp host 80.171.156.* any eq 443 log
 deny   ip any any log
!
logging history size 50
logging history informational
logging trap notifications
logging source-interface FastEthernet0/0
logging 192.168.21.19
logging 192.168.28.129
access-list 50 permit 80.171.156.*
access-list 50 permit 192.168.90.11
access-list 50 permit 192.168.60.11
access-list 50 permit 192.168.21.19
access-list 50 permit 172.19.15.9
access-list 50 permit 192.168.28.129
access-list 50 permit 192.168.28.131
access-list 50 deny   any log
access-list 101 permit ip 172.19.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community Nokia101 RO
snmp-server ifindex persist
snmp-server enable traps tty
snmp-server host 192.168.21.19 RO 
snmp-server host 192.168.28.129 RO 
!
!
!
control-plane
!
!
banner login ^C Authorised access only!  Disconnect IMMEDIATELY if you are not an authorised user! ^C
banner motd ^CC

         ################################################
         # Unauthorised access or use of this equipment #
         #   is prohibited and constitutes an offence   #
         #     under the Computer Misuse Act 1990.      #
         #    If you are not authorised to use this     #
         #     system, terminate this session now.      #
         ################################################

^C
!
line con 0
 logging synchronous
 transport output all
line aux 0
 transport output all
line vty 0 4
 access-class 50 in
 exec-timeout 0 0
 logging synchronous
 login local
 length 0
 transport input ssh
 transport output all
!
scheduler allocate 20000 1000
sntp server 158.43.128.33
event manager applet DailyReload 
 event timer cron name _EEMinternalname0 cron-entry "0 4 * * *"
 action 1.0 reload
!
end

0 Helpful

Raja Periyasamy
Level 1
Level 1

‎09-10-2014 08:00 AM

I am assuming that the subnet that you need to access across the tunnel is subnetA

It is not a good practice to use the same ACL for nat and for Crypto map.

so configure two different acls as below.

#access-list 102 deny ip 172.19.10.0 0.0.0.255 subnetA <wildcard mask> ---> Nat Exemption

#access-list 102 permit ip 172.19.10.0 0.0.0.255 any  

Remove the old nat configuration and configure

#ip nat inside source list 102 interface Dialer1 overload

Crypto ACL

#access-list 103 permit ip 172.19.10.0 0.0.0.255 subnetA <wildcard mask>

Remove the crypto ACL 101 from the crypto map and configure as below

#crypto map CBSO_Crypto_Map 10 ipsec-isakmp 

#no match address 101

#match address 103

Make sure that the ASAs crypto acl is also removed and reconfigured something like this.

access-list crypto-acl extended permit ip subnet A <mask> 172.19.10.0 255.255.255.0

If there are multiple subnets on the ASA side to which the routers local subnet needs access to then add those rules as deny statement on ACL 102 and permit statements  on ACL 103. 

Also make sure all the deny statements on ACL 102 are above the permit statement.

You will have to configure vice-versa on the ASA.

Hope that helps

0 Helpful

Andy White
Level 3
Level 3
In response to Raja Periyasamy

‎09-10-2014 11:34 PM

I am going to lab this up, thanks. I was just reading about setting up VPNs and it is more common to have an outbound ACL than an inbound one is that correct? It made me think how does my outbound traffic work as I don't have an outbound ACL?
0 Helpful

Raja Periyasamy
Level 1
Level 1
In response to Andy White

‎09-11-2014 12:19 AM

Which ACL are you referring to? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents