
Issue with a VPN IPsec tunnel on an SR520

Status
Not open for further replies.

AceSlash (IS-IT--Management), Nov 30, 2009, FR
Hello,

I've been trying for some time now to make a tunnel between a Cisco VPN 3005 concentrator and an SR520.

The tunnel is up when initiated by the 3005, but no data are transmitted by the SR520...

I have tried a lot of different configurations but now I'm lost and don't know what to try: whatever I do, no data are transmitted through the tunnel.

You'll find below the complete configuration.

I think only a little tweak is necessary to force the data to use the tunnel but I have no idea what this tweak is.


Current configuration : 6877 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yyy-IT-SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 SECRET
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-791055175
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-791055175
revocation-check none
rsakeypair TP-self-signed-791055175
!
!
crypto pki certificate chain TP-self-signed-SECRET
certificate self-signed 01
SECRET
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server xyz.xyz.1.19
ip name-server xyz.xyz.1.12
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 SECRET
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key SECRET address xxx.xxx.xxx.xxx
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-xxx-Map 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set 3DES-MD5
match address Crypto-list
!
archive
log config
hidekeys
!
!
ip ftp username cisco
ip ftp password qnfd1fel
ip ssh source-interface FastEthernet4
!
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
pass
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
!
!
!
interface Tunnel1
description Line
no ip address
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address ttt.ttt.240.110 255.255.255.248
ip access-group public-interface-acl in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-xxx-Map
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
zone-member security in-zone
shutdown
!
interface Vlan75
description $FW_INSIDE$
ip address 172.16.15.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ttt.ttt.240.105
ip route xyz.xyz.0.0 255.255.0.0 Tunnel1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Crypto-list
permit ip 172.16.15.0 0.0.0.255 xyz.xyz.0.0 0.0.255.255
ip access-list extended no-nat
deny ip 172.16.15.0 0.0.0.255 xyz.xyz.0.0 0.0.255.255
permit ip 172.16.15.0 0.0.0.255 any
ip access-list extended public-interface-acl
permit udp host xxx.xxx.xxx.xxx any eq isakmp
permit esp host xxx.xxx.xxx.xxx any
permit tcp any any eq 22
permit tcp any eq 22 any
permit icmp any any
permit ip host a.b.c.d any
permit udp host xxx.xxx.xxx.xxx eq isakmp any
permit ip host xxx.xxx.xxx.xxx any
permit ip xyz.xyz.0.0 0.0.255.255 any
!
access-list 1 permit 172.16.15.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 111 permit icmp any any
!
!
!
!
route-map nonat permit 10
match ip address no-nat
!
!
control-plane
!
banner login ^CCCSR520 yyy IT VPN Concentrator - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 5 in
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
end
 
Ok I solved it.

The issue was on the NAT ACL:
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 172.16.15.0 0.0.0.255
This ACL made the router simply try to NAT everything, even the traffic going through the tunnel.

So I replaced those two lines with:
route-map nonat permit 10
match ip address 110
!
access-list 110 deny ip 172.16.15.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 172.16.15.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface FastEthernet4 overload

And it's now working just fine.
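The NAT-before-crypto ordering behind this fix, as an added illustration that is not part of the thread: a small Python model of the SR520's inside-to-outside path, run with the post's two NAT policies and its crypto ACL. It assumes the remote network is 192.168.0.0/16 (the value in the author's ACL 110), uses a constructed outside address 203.0.113.10 in place of ttt.ttt.240.110, and the helper names are mine.

```python
import ipaddress

# Added illustration (not from the thread): why the NAT exemption was needed.
# Cisco wildcard semantics: a 0 bit must match, a 1 bit is "don't care".
def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; IOS ACLs end with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed from the post; remote network assumed to be 192.168.0.0/16 (ACL 110).
CRYPTO_LIST = [("permit", "172.16.15.0", "0.0.0.255", "192.168.0.0", "0.0.255.255")]
# Original: standard access-list 1 matches on source only, so it NATs everything.
NAT_ACL_1 = [("permit", "172.16.15.0", "0.0.0.255", *ANY)]
# Fix: ACL 110 behind route-map nonat; a deny entry means "do not translate".
NAT_ACL_110 = [
    ("deny", "172.16.15.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "172.16.15.0", "0.0.0.255", *ANY),
]
OUTSIDE_IP = "203.0.113.10"  # constructed stand-in for ttt.ttt.240.110

def forward(src, dst, nat_acl, outside_ip=OUTSIDE_IP):
    """Inside-to-outside on IOS: NAT runs before the crypto map is consulted.
    Returns (source address on the wire, whether the crypto ACL matched)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = outside_ip          # overload PAT rewrites the source address
    encrypted = acl_action(CRYPTO_LIST, src, dst) == "permit"
    return src, encrypted

if __name__ == "__main__":
    for name, acl in (("access-list 1", NAT_ACL_1), ("route-map nonat / ACL 110", NAT_ACL_110)):
        print(name, "->", forward("172.16.15.50", "192.168.1.20", acl))
```

With access-list 1 the packet leaves as 203.0.113.10 and never matches Crypto-list, so it is sent in the clear to the default route; with ACL 110 the tunnel-bound packet keeps its 172.16.15.x source and is encrypted, while Internet-bound traffic is still translated.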
 