More than one crypto map on an interface

    Hi,

    Could someone please explain how we can merge the two crypto maps onto one interface, so the tunnel continues to work and users can VPN in?

    EXT_MAP is to allow remote VPN users to connect. We need to add this one.
    The map CMAP (currently on f0/1) is the site-to-site tunnel.

    Confidential items have been replaced with xxxxxxxxxxxx


    Thank you!

    Current config

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Reading
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login VPN_CLIENT_LOGIN local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network VPN_CLIENT_GROUP local
    !
    !
    aaa session-id common
    clock timezone EST -5
    clock summer-time EDT recurring
    dot11 syslog
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.88.53.1
    ip dhcp excluded-address 10.88.53.2 10.88.53.49
    ip dhcp excluded-address 10.88.53.68
    ip dhcp excluded-address 10.88.53.102
    ip dhcp excluded-address 10.88.53.105
    ip dhcp excluded-address 10.88.53.53
    ip dhcp excluded-address 10.88.53.108
    !
    ip dhcp pool UK_LAN
    network 10.88.53.0 255.255.255.0
    domain-name xxxxxxxxxxxxx
    default-router 10.88.53.1
    dns-server 192.168.51.20 192.168.51.10
    lease 8
    !
    !
    no ip domain lookup
    ip domain name xxxxxxxxxxxx
    ip name-server 10.88.53.102
    login on-failure log
    login on-success log
    !
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-825856865
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-825856865
    revocation-check none
    rsakeypair TP-self-signed-825856865
    !
    !
    crypto pki certificate chain TP-self-signed-825856865
    certificate self-signed 01
    30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 38323538 35363836 35301E17 0D313230 39313431 33303932
    375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3832 35383536
    38363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    EA35B7D7 EFCE74AB F6676DAB CEFD2B59 FFCF9B21 F0107DAE 980D2329 0A952FF1
    69280D14 428F4CE3 9725AEC0 47311182 D624F3BD 509E7B68 E91213EE FD270EF2
    F4CC18F1 A7FAAF8F 4264AD6A 30C730E6 8E98CAC0 00EA3ECF 6987C5D7 EF445143
    FF5202C6 31AA6FCD EB094D7F 23A35790 A417EACE 7123E102 4E5103B1 51E426D9
    02030100 01A37B30 79300F06 03551D13 0101FF04 05300301 01FF3026 0603551D
    11041F30 1D821B52 65616469 6E672E61 6C706861 2E6B6170 6C616E69 6E632E63
    6F6D301F 0603551D 23041830 16801451 06564B1E 50CA1B30 74642ED0 A7D87862
    AC758B30 1D060355 1D0E0416 04145106 564B1E50 CA1B3074 642ED0A7 D87862AC
    758B300D 06092A86 4886F70D 01010405 00038181 000628AC 03E78361 778B82BC
    70A6DB5E 13ECAEEC 6F662F87 B8B51777 D85FC43F 7C57DC80 50003A41 F3CBAC34
    52F5A5E3 7354731A 6EB27001 7D50B8C6 C8E7CCEF 26E07B22 CD5E7445 3480B43E
    396971FE 6AF1C7C1 FF20E760 C7364B0A 24FBA385 658D66C7 D4BDEDD5 17BB4D53
    547A5C7E 564AB96B 4439DC71 40FEC885 8F46BF4B 12
    quit
    !
    !
    username xxxxxxxxxxx
    username xxxxxxxxxx
    username xxxxxxxxx
    username xxxxxxxxxxxx
    username xxxxxxxxxxx
    username xxxxxxxxxxxxxx
    archive
    log config
    hidekeys
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key xxxxxxxxxxxx address xx(remote site VPN IP)
    !
    crypto isakmp client configuration group VPN_CLIENTS
    key xxxxxxxxx
    dns 10.88.53.102
    pool VPN_CLIENT_POOL
    acl 110
    !
    !
    crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
    !
    crypto dynamic-map EXT_DYNAMIC_MAP 10
    set transform-set TRANS_3DES_SHA
    !
    !
    crypto map CMAP 10 ipsec-isakmp
    set peer xxx remote peer address
    set transform-set TS
    set pfs group2
    match address VPN-TUNNEL
    !
    crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
    crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map EXT_MAP client configuration address respond
    crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
    !
    !
    !
    !
    ip ftp username xxxxxxxxxxxxxxxxxx
    ip ftp password xxxxxxxxxxxxxxxxxx
    ip ssh source-interface FastEthernet0/1
    ip ssh logging events
    ip ssh version 2
    !
    !
    !
    interface FastEthernet0/0
    ip address 10.88.53.1 255.255.255.0
    ip access-group OUTBOUND_FILTER in
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description To Internet
    ip address xxxxxxxxxx xxxxxxxxxxxxxxx
    ip access-group INBOUND_FILTER in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map CMAP
    !
    ip local pool VPN_CLIENT_POOL 192.168.240.20 192.168.240.50
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
    !
    !
    no ip http server
    ip http secure-server
    ip nat inside source list 101 interface FastEthernet0/1 overload
    !
    ip access-list standard SNMP-ACL
    permit 10.75.139.90
    deny any log
    ip access-list standard SSH-ACL
    permit xxxxxxxxxxxx
    !
    ip access-list extended INBOUND_FILTER
    permit udp any eq domain any
    permit tcp any eq domain any
    permit tcp any eq www any
    permit tcp any eq 563 any
    permit udp any eq 563 any
    permit tcp any eq 443 any
    permit udp any eq 443 any
    permit tcp any any eq 1723
    permit tcp any eq ftp any
    permit gre any any
    permit tcp any eq 3389 any
    permit tcp any eq ftp-data any
    permit tcp any any range 1023 65535
    permit icmp any any
    permit tcp any eq 1723 any
    permit tcp any eq smtp any
    permit tcp any eq pop3 any
    permit tcp any host xxxxxxxx
    permit tcp host xxxx host xxxxxx eq 22
    permit udp any host xxx.xxx.xxx.xxx eq isakmp
    permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
    permit esp any host xxxxxxxx
    permit ahp any host xxxxxxxxxx
    permit tcp host xxxxx host xxx.xxx.xxx.xxx eq 22
    permit tcp host xxxxxx host xxx.xxx.xxx.xxx eq 22
    permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
    permit tcp host xxxxxx host xxx.xxx.xxx.xxx eq 22
    ip access-list extended OUTBOUND_FILTER
    deny tcp 10.88.53.0 0.0.0.255 any eq smtp
    permit ip any any
    permit icmp any any
    ip access-list extended VPN-TUNNEL
    permit ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
    ip access-list extended ssh-acl
    permit ip host 24.197.168.10 any
    !
    access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
    access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
    access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
    access-list 101 permit ip 10.88.53.0 0.0.0.255 any
    access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    banner login
    ******************************************************************
    * WARNING *

    IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY

    Unauthorised users are subject to criminal and civil penalties
    as well as company initiated disciplinary proceedings.
    By entry into this system you acknowledge that you are
    authorised to access it and have the level of privilege at which
    you subsequently operate on this system. You consent by entry
    into this system to the monitoring of your activities.
    ******************************************************************

    !
    line con 0
    exec-timeout 30 0
    logging synchronous
    line aux 0
    line vty 0 4
    exec-timeout 30 0
    logging synchronous
    transport input ssh
    !
    scheduler allocate 20000 1000
    ntp clock-period 17178065
    ntp server xxxx
    ntp server xxxxx
    ntp server xxxxxxx
    end

  • #2
    Re: More than one crypto map on an interface

    You can only have one crypto map assigned per interface, so you need to make some changes:


    crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
    crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map EXT_MAP client configuration address respond
    crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP

    Change to :

    crypto map CMAP client authentication list VPN_CLIENT_LOGIN
    crypto map CMAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map CMAP client configuration address respond
    crypto map CMAP 65535 ipsec-isakmp dynamic EXT_DYNAMIC_MAP


    You could also use ISAKMP profiles to make the config a little easier:


    Remove this:

    crypto map CMAP client authentication list VPN_CLIENT_LOGIN
    crypto map CMAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map CMAP client configuration address respond


    Replace with this:

    crypto isakmp profile VPNclient
     match identity group VPN_CLIENTS
     client authentication list VPN_CLIENT_LOGIN
     isakmp authorization list VPN_CLIENT_GROUP
     client configuration address respond

    crypto dynamic-map EXT_DYNAMIC_MAP 10
     set transform-set TRANS_3DES_SHA
     reverse-route
     set isakmp-profile VPNclient
    Last edited by auglan; 19th September 2012, 18:48.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: More than one crypto map on an interface

      Hi,

      Thank you! That worked, but there is one issue: the VPN client that connects cannot ping anything.


      Extended IP access list 110
      10 permit ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
      20 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255

      or is this now using

      Extended IP access list VPN-TUNNEL
      10 permit ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255

      Thanks again for all your help!



      • #4
        Re: More than one crypto map on an interface

        crypto isakmp client configuration group VPN_CLIENTS
        key xxxxxxxxx
        dns 10.88.53.102
        pool VPN_CLIENT_POOL
        acl 110


        Your isakmp client config is using acl 110 for split tunneling. So anything from:

        10.88.53.0 0.0.0.255 to 192.168.240.0 0.0.0.255 is encrypted and sent over the tunnel.

        If you're using the Cisco VPN client, check the routing tab on the client. This will show what networks you are encrypting traffic for. It should say 10.88.53.0/24, meaning any traffic destined for a host in 10.88.53.0/24 should be encrypted and sent over the tunnel.


        Make sure your router has a route back to the client as well. There should be a /32 host route in the terminating router's routing table for the connecting host.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

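The two things the thread turns on (post #2: IOS binds one crypto map per interface, so the remote-access dynamic entry has to live in the same map as the site-to-site entry, with the highest sequence number; post #4: the split-tunnel ACL on the client group has to describe the right networks) are easy to check mechanically. As an added example, not code from the original posts, here is a small Python lint that parses the relevant parts of an IOS running-config and reports: more than one crypto map applied to an interface, a map defined but never applied, a dynamic entry that does not sort last, and a client group whose split-tunnel ACL does not cover its address pool. Both configs embedded below are constructed, trimmed versions of the poster's config; 203.0.113.10 stands in for the redacted peer, and in the "before" config acl 110 is deliberately pointed at the site-to-site subnet (the mix-up post #3 asks about) so that check has something to find.

```python
"""Lint an IOS running-config for the crypto-map pitfalls in this thread.
Added example, not code from the original posts."""
import ipaddress
import re
from collections import defaultdict

# Constructed, trimmed version of post #1's config. 203.0.113.10 stands in for
# the redacted peer; acl 110 deliberately points at the site-to-site subnet.
BEFORE = """\
crypto isakmp client configuration group VPN_CLIENTS
 pool VPN_CLIENT_POOL
 acl 110
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
interface FastEthernet0/1
 crypto map CMAP
ip local pool VPN_CLIENT_POOL 192.168.240.20 192.168.240.50
access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
"""

# Constructed version of the merge from post #2: one map on the interface, the
# dynamic entry at the highest sequence number, acl 110 covering the client pool.
AFTER = """\
crypto isakmp client configuration group VPN_CLIENTS
 pool VPN_CLIENT_POOL
 acl 110
crypto map CMAP client authentication list VPN_CLIENT_LOGIN
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
crypto map CMAP 65535 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
interface FastEthernet0/1
 crypto map CMAP
ip local pool VPN_CLIENT_POOL 192.168.240.20 192.168.240.50
access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
IFACE = re.compile(r"^interface (\S+)$")
GROUP = re.compile(r"^crypto isakmp client configuration group (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$")
ACL = re.compile(r"^access-list (\d+) permit ip (?:any|\S+ \S+) (any|\S+ \S+)$")
ANY = ("0.0.0.0", "255.255.255.255")  # wildcard form of the keyword "any"


def parse(config):
    """Collect map entries, interface bindings, client groups, pools and ACL destinations."""
    cfg = {"maps": defaultdict(list), "ifaces": {}, "groups": {},
           "pools": {}, "acls": defaultdict(list)}
    section = None  # ("iface", name) or ("group", name) while inside a block
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and section:
            kind, name = section
            words = line.split()
            if kind == "iface" and words[:2] == ["crypto", "map"]:
                cfg["ifaces"][name].append(words[2])
            elif kind == "group" and words[0] in ("pool", "acl"):
                cfg["groups"][name][words[0]] = words[1]
            continue
        section = None  # any unindented line closes the current block
        if m := MAP_ENTRY.match(line):
            cfg["maps"][m[1]].append((int(m[2]), m[3]))
        elif m := IFACE.match(line):
            section, cfg["ifaces"][m[1]] = ("iface", m[1]), []
        elif m := GROUP.match(line):
            section, cfg["groups"][m[1]] = ("group", m[1]), {}
        elif m := POOL.match(line):
            cfg["pools"][m[1]] = (m[2], m[3])
        elif m := ACL.match(line):
            cfg["acls"][m[1]].append(ANY if m[2] == "any" else tuple(m[2].split()))
    return cfg


def covered(ip, net, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are don't-care bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def lint(config):
    """Return a list of findings; an empty list means the config passed."""
    cfg = parse(config)
    findings = []
    for iface, names in cfg["ifaces"].items():
        if len(names) > 1:  # IOS takes exactly one crypto map per interface
            findings.append(f"{iface}: {len(names)} crypto maps applied, IOS allows one")
    applied = {n for names in cfg["ifaces"].values() for n in names}
    for name, entries in cfg["maps"].items():
        if name not in applied:
            findings.append(f"crypto map {name} is defined but not applied to any interface")
        static = [s for s, d in entries if d is None]
        dynamic = [s for s, d in entries if d]
        if static and dynamic and max(static) > min(dynamic):
            findings.append(f"crypto map {name}: dynamic entry {min(dynamic)} sorts before "
                            f"static entry {max(static)}; give the dynamic entry the highest sequence")
    for group, g in cfg["groups"].items():
        pool = cfg["pools"].get(g.get("pool"))
        rules = cfg["acls"].get(g.get("acl"), [])
        if pool and not all(any(covered(ip, *r) for r in rules) for ip in pool):
            findings.append(f"group {group}: split-tunnel acl {g.get('acl')} does not "
                            f"cover pool {g.get('pool')}; check which subnet it describes")
    return findings
```

Run `lint(BEFORE)` and it reports the orphaned EXT_MAP and the mismatched acl 110; `lint(AFTER)` comes back empty. The parser relies on IOS indentation to tell an interface-level `crypto map CMAP` from the global `crypto map CMAP ...` entries, so feed it `show running-config` output rather than a forum paste that has lost its leading spaces.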


        • #5
          Re: More than one crypto map on an interface

          hi,

          Thanks that worked.

          Appreciate the quick response again! Thank you very much.
          Last edited by ITLondon; 21st September 2012, 13:48.



          • #6
            Re: More than one crypto map on an interface

            Hi,

            Just a follow-on to this (hopefully you can still help).

            The site-to-site link was down this morning. After checking configs, error logs, etc., the only way we could get this back up was by removing the commands we added for the client VPN:

            crypto map CMAP client authentication list VPN_CLIENT_LOGIN
            crypto map CMAP isakmp authorization list VPN_CLIENT_GROUP
            crypto map CMAP client configuration address respond
            crypto map CMAP 65535 ipsec-isakmp dynamic EXT_DYNAMIC_MAP

            Once the above were removed, the site-to-site started working again?

            Any idea? Since we still send client VPN as well

            Thanks for all help!!



            • #7
              Re: More than one crypto map on an interface

              Both configurations should work fine on the router. Hard to say why it wouldn't work. Why did the site-to-site tunnel go down? Also, what device is on the other end of the tunnel?
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)



              • #8
                Re: More than one crypto map on an interface

                Used your second suggested method of config, the crypto isakmp profile VPNclient one.

                Both the VPN and the tunnel are now working!!

                Thanks!! Most helpful!!



                • #9
                  Re: More than one crypto map on an interface

                  Excellent. Yeah, using the profiles makes the config much easier. Depending on the platform you are running, you may also be able to use VTI-based VPNs.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)
