Soon I will have to set up a T1 with 2 1841 routers each with a CSU/DSU module. I have a back-to-back test setup here, and I have that part working. The next step was to establish a VPN tunnel between the 2 routers. That step is also working.
Here is the network diagram:
Host (10.10.20.20)
  |
(LAN IP: 10.10.20.1) Cisco 1841 (WAN IP: 192.168.60.1)
  |
(WAN IP: 192.168.40.1) Cisco 1841 (LAN IP: 10.10.10.1)
  |
Host (10.10.10.10)
Host 10.10.10.10 can ping anybody on the 10.10.20.0/24 network. Great. My problem is that 192.168.40.1 can also ping anybody on the 10.10.20.0/24 network.
I know that I need to set up an ACL, but I want to make sure that I do this right. I only want VPN traffic to be able to pass through, and I want to deny any other traffic coming into each router. I currently have an extended ACL matched to each crypto map, and I'm about 99.99999% sure that it's correct. However, if I add a deny any any ACL to my serial interface, then nobody can ping anybody anymore. This makes sense to me, but I want the extended ACL matched to my crypto maps to take precedence over that ACL and let VPN traffic through.
What's the correct way to do this? Thanks.
-- John
RouterA:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
!
password encryption aes
!
username cisco privilege 15 secret 5 $1$uF6w$fMy7xMIp2BRaJMSi214EM/
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 LQVHTdLaGEbPEb^]bPAiKbISUPXEP^QVZAAB address 192.168.60.1
crypto isakmp keepalive 60 3 periodic
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
 set peer 192.168.60.1
 set security-association level per-host
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set L2LTransform
 set pfs group5
 match address L2LAccess
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.40.1 255.255.255.0
 encapsulation ppp
 service-module t1 timeslots 1-24
 crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
control-plane
!
banner login
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to
-----------------------------------------------------------------------
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
Router B:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
!
password encryption aes
!
username cisco privilege 15 secret 5 $1$nAL8$hheCXtA4rN6.RosXTheFz0
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 FMi^gCO^`\\EGMaeIVfUECJLD_dMWJZCNVAAB address 192.168.40.1
crypto isakmp keepalive 60 3 periodic
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
 set peer 192.168.40.1
 set security-association level per-host
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set L2LTransform
 set pfs group5
 match address L2LAccess
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$
 ip address 10.10.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.60.1 255.255.255.0
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
control-plane
!
banner login
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to
-----------------------------------------------------------------------
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
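As an added example (not part of John's post or his running configs), this is the shape of an inbound ACL on RouterA's Serial0/0/0 that admits only the IPsec peer's IKE and ESP packets plus the tunnelled LAN-to-LAN traffic, and drops everything else arriving on the WAN, including pings to 192.168.40.1. It uses the addresses from the diagram; the ACL name WAN-IN is an assumption. The crypto map's match ACL (L2LAccess) only selects what gets encrypted, so a separate interface ACL is what actually filters inbound packets.

```cisco
! Added example, not from the original configs. Applied on RouterA; RouterB mirrors it
! with the WAN and LAN addresses swapped.
ip access-list extended WAN-IN
 ! IKE/ISAKMP (UDP 500) from the peer's WAN address to ours: tunnel setup,
 ! rekeys and the DPD keepalives configured with "crypto isakmp keepalive"
 permit udp host 192.168.60.1 host 192.168.40.1 eq isakmp
 ! ESP (IP protocol 50): the encrypted tunnel traffic itself
 permit esp host 192.168.60.1 host 192.168.40.1
 ! No NAT sits between the two routers on a back-to-back T1, so NAT-T (UDP 4500)
 ! is not needed here.
 ! Clear-text LAN-to-LAN traffic as it looks after decryption. Some IOS releases
 ! re-check the decrypted packet against the inbound interface ACL; this line
 ! keeps the tunnel working either way and admits nothing the crypto map would
 ! not already have decrypted.
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 ! Everything else from the WAN (including ICMP echo to 192.168.40.1) is dropped
 ! and logged so unexpected traffic shows up in the buffered log.
 deny ip any any log
!
interface Serial0/0/0
 ip access-group WAN-IN in
!
```

After applying it, confirm with `show access-lists WAN-IN` (hit counts on the isakmp/esp lines, and on the deny line when 192.168.40.1's peer pings the far LAN) and `show crypto ipsec sa` (encaps/decaps counters still climbing for 10.10.10.0/24 to 10.10.20.0/24).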