IPSEC s2s ACLs
#1  27th January 2012, 18:47
angelusofkl (Posts: 2, Join Date: Jan 2012)
IPSEC s2s ACLs

I have two sites that I need to create an s2s between; the problem is:

Site A is the HQ, which has MPLS connections and routes OSPF over to other branches, so its encryption domain is the whole 192.168.x.x/16 network.
Site B is the branch that will need to access HQ and other branch resources by S2S with the HQ, and its local networks are 192.168.20.0/24 through 192.168.24.0/24, meaning they fall under the general ACL for the HQ. The HQ has no 192.168.20-24/24 subnets on its side, as those are reserved for site B.
My question is:
can I use the general ACL for site A to include 192.168.x.x/16 and 192.168.20-24.0/24 on site B to build a properly working tunnel that will allow site B to reach all other branches connected to site A (HQ)? (See the example below.)


Topology:

siteB(192.168.20.0/22)=====IPSEC s2s=====siteA(192.168.10.0/24) -------OSPF-------siteC(192.168.11.0/24)
--------OSPF------.......
--------OSPF------siteZ(192.168.45.0/24)
VPN ACL on site B:

#
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.252.0 192.168.0.0 255.255.0.0
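Added example, not from the thread: a small Python check of the crypto ACLs implied by the topology above. It verifies that site A's ACL is the mirror image of site B's (site A's side is assumed here, since the post only shows site B's), flags that site B's local range sits inside the remote encryption domain, and reports which of the listed branch /24s the 192.168.20.0/22 summary in the ACL does not actually cover.

```python
import ipaddress

# Constructed from the thread: (source, destination) pairs as written in ASA
# 'access-list ... permit ip <addr> <mask> <addr> <mask>' syntax.
SITE_B_ACL = [("192.168.20.0 255.255.252.0", "192.168.0.0 255.255.0.0")]
# Assumed mirror image on site A (HQ); the post does not show this side.
SITE_A_ACL = [("192.168.0.0 255.255.0.0", "192.168.20.0 255.255.252.0")]
# Branch subnets the poster lists for site B (192.168.20.0/24 .. 192.168.24.0/24).
SITE_B_SUBNETS = [f"192.168.{n}.0/24" for n in range(20, 25)]


def to_net(spec):
    """Parse 'addr mask' (ASA syntax) into an IPv4Network."""
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def is_mirror(acl_a, acl_b):
    """Phase 2 proxy identities must match exactly: every (src, dst) entry on one
    peer has to appear as (dst, src) on the other, or the IPsec SA will not come up."""
    a = {(to_net(s), to_net(d)) for s, d in acl_a}
    b = {(to_net(d), to_net(s)) for s, d in acl_b}
    return a == b


def self_overlapping(acl):
    """Entries whose local network is contained in the remote network. Any
    local-to-local traffic that does reach the ASA would then match the crypto
    map and be pushed into the tunnel, so such overlap should be deliberate."""
    return [(s, d) for s, d in acl if to_net(s).subnet_of(to_net(d))]


def uncovered(subnets, local_spec):
    """Branch subnets that fall outside the local encryption domain; traffic from
    them never matches the crypto ACL and is routed in the clear, not tunnelled."""
    dom = to_net(local_spec)
    return [n for n in subnets if not ipaddress.IPv4Network(n).subnet_of(dom)]


if __name__ == "__main__":
    print("mirror ACLs:", is_mirror(SITE_A_ACL, SITE_B_ACL))
    print("local inside remote:", self_overlapping(SITE_B_ACL))
    print("not covered by /22:", uncovered(SITE_B_SUBNETS, SITE_B_ACL[0][0]))
```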
#2  28th January 2012, 04:41
auglan, Moderator (Posts: 1,214, Join Date: Apr 2010, Location: Raleigh, NC)
Re: IPSEC s2s ACLs

You could create s2s ipsec tunnels to HQ and then to each branch, but that would be a ton of configuration. Why not create a DMVPN? You could use Phase 1, which will give you reachability to HQ and the branches but any branch-to-branch traffic goes through the "hub", or use Phase 2 DMVPN, which creates dynamic tunnels from branch to branch. The configuration requires GRE and ipsec tunnels. Using DMVPN you can exchange routes with the hub as well as with the spokes using EIGRP, OSPF etc. The benefit of using DMVPN is that once the "hub" is configured you don't need any other configuration on the hub for other branch offices that come online. There will be some configuration on the branches though.

I have never set this up in the field but I have configured it in my lab and with GNS3 and the config isn't that bad.
#3  28th January 2012, 05:13
angelusofkl (Posts: 2, Join Date: Jan 2012)
Re: IPSEC s2s ACLs

Yup, I keep dreading I might need to do it...
Thanks
#4  28th January 2012, 17:24
auglan, Moderator (Posts: 1,214, Join Date: Apr 2010, Location: Raleigh, NC)
Re: IPSEC s2s ACLs

Here is a link that explains it very well for Phase 1. The only difference really between Phase 1 and Phase 2 is that Phase 1 uses p2p GRE tunnels on the branches and Phase 2 is mGRE all the way around.

http://blog.ine.com/2008/08/02/dmvpn-explained/
All times are GMT +3.