access list mi-match for vpn setup

[2020mobile]

Hi guys,

I have setup 2 remote sites to ipsec site-to-site vpn back to the UK central hub.

Remote site 1 - PIX515E 10.32.0.0/24
Remote site 2 - C1801/k9 10.32.4.0/24
UK - Cisco ASA5510 10.20.0.0/16 - 10.25.0.0/16 and 10.250.0.0/16

Both work fine but now I need to setup a vpn between the 2 remote sites. The VPN is showing as up but I dont know where to add access-lists to let the traffic know which tunnel to go out of or straight onto the internet. With regards to the 1800 series I thought i need to add an access-group to FE0 which is the connection to the internet and create a new ACL?

config for 1801 is attached.

Changes on Cisco 1801 i've made:

1. Created new crypto policy sequence number

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5

crypto isakmp key xxxx address 213.42.89.2

2. Created new transform set

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

3. Created new crypto map

crypto map Dubtower 2 ipsec-isakmp
description Tunnel to Dafza site
set peer 213.42.89.2
set transform-set ESP-AES128-SHA
match address 150

4. Denied it from Nat

ip access-list extended 140
100 deny ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255

5. created new ACL for new crypto map

access-list 150 remark Dafza Office to Arenco Tower
access-list 150 remark IPSec Rule
access-list 150 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255

6. from here do I create a new ACL for traffic to know which vpn tunnel to go down? i.e.

access-list 160 remark IPSec Rule
access-list 160 remark Interesting VPN Traffic
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255
access-list 160 permit ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
access-list 160 permit udp host 212.140.247.20 any eq non500-isakmp
access-list 160 permit udp host 212.140.247.20 any eq isakmp
access-list 160 permit esp host 212.140.247.20 any
access-list 160 permit ahp host 212.140.247.20 any
access-list 160 remark IPSec Rule
access-list 160 permit ip 10.32.2.0 0.0.0.255 10.32.4.0 0.0.0.255
access-list 160 permit udp host 213.42.89.2 any eq non500-isakmp
access-list 160 permit udp host 213.42.89.2 any eq isakmp
access-list 160 permit esp host 213.42.89.2 any
access-list 160 permit ahp host 213.42.89.2 any

Then add access-group to FE 0? To permit ACL 160 or use an existing ACL?

Can anyone assist i'm totally stuck. I applied the above but didnt work and stopped internet access so removed acl from interface to start again.

I've also attached the config for PIX end which used to use just the implicit outbound any any rule.

 

[burtsbees]

Why not look into DMVPN, where all the spokes can tak to each other?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[2020mobile]

Hi,

Thanks for the reply.

unfortunately we have to make do with the resources that we have and its a live issue.

we are soon to be changing ISP with a view to having an MPLS network but it may not happen and we've got people waiting to move into the office but need the vpn between sites in order to access the file shares there.

Regards,

 

[burtsbees]

You would add all the other traffic to the same crypto acl (just one), so all to 150.

Also, what does the default route or any static routes look like?

Myself, I prefer GRE tunnels protected with IPSEC, and forcing the encrypted traffic through the tunnel with static routes.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[2020mobile]

As far as i'm aware the ipsec is IPSec/GRE as well.

so in my config i'd have both crypto maps using the same acl and have FE0 using it?

Then just have an ACL for NAT exemption?

Thanks

 

[burtsbees]

Yup.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[2020mobile]

Thanks for that. My next question is do I need to specify both the remote site's end point addresses in the ACL?

I changed both crypto maps to use ACL 130 and added the internal subnets in:

Extended IP access list 130
10 permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255 (1681 matches)
20 permit ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255 (75226 matches)
30 permit ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255 (1099961 matches)
40 permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255 (41333 matches)
50 permit ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255 (6572 matches)
60 permit ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
70 permit ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
80 permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255 (114 matches)
90 permit ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255 (97921 matches)
110 permit icmp any any echo-reply
120 permit icmp any any time-exceeded
130 permit icmp any any unreachable (1 match)
140 deny ip any any log

Not worked so assuming i need to do more to the ACL but not sure what? I was thinking something like this:

permit udp host 212.140.247.20 any eq non500-isakmp
permit udp host 212.140.247.20 any eq isakmp
permit esp host 212.140.247.20 any
permit ahp host 212.140.247.20 any
permit ip 10.32.0.0 0.0.0.255 10.32.4.0 0.0.0.255
permit udp host 213.42.89.2 any eq non500-isakmp
permit udp host 213.42.89.2 any eq isakmp
permit esp host 213.42.89.2 any
permit ahp host 213.42.89.2 any

any help is gratefully received.

 

[burtsbees]

Let's see the config for both the PIX and the router, at least the router. I want to see something in front of me. I am very tired and can look tomorrow. Can you post a scrubbed config?

BTW, DMVPN is very doable in your situation---have you looked into it? Both the remote sites would talk to eachother by way of NHRP (Next Hop Routing Protocol), getting bounced off the hub. Think of it as frame relay, but it's all just vpn tunnels.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[2020mobile]

sorry thought i'd attached them already.

can you try this URL:

http://www.mediafire.com/2020mobile

in terms of DMVPN I only read an article on it after you suggested it and as my knowledge is limited I wanted to not go off track yet.

When I have more time I would look into it more as it does sound good.

Thanks again for all the help.