1721 router + 4ESW WIC + IOS Firewall

Hello

I have a Cisco 1721 router (192.168.157.254) with a 4-port 10/100 WIC (4ESW) installed.

Is it possible to filter with the IOS Firewall if the WIC address and the LAN are the same? I know it is possible when they have different IP addresses, but what if they are in the same LAN?

For example:

A server (192.168.157.10) connected directly to the router's WIC, with filtering between it and the LAN interface.

Is it possible?

Best regards

Yes, the IOS Firewall can filter even if the LAN address and the WIC address are similar. The following link can help you:

http://www.Cisco.com/en/us/docs/iOS/12_4/secure/configuration/guide/schfirwl.html
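As an added example (it is not part of the original answer or the linked guide), one way to filter between a server hanging off a 4ESW port and the hosts on the LAN interface of a 1721. It assumes the server's switch port is placed in its own VLAN with its own subnet (192.168.158.0/24 is an assumed value, and the server becomes 192.168.158.10), because IOS does not accept two routed interfaces with overlapping subnets; keeping the server in 192.168.157.0/24 would need bridging (IRB) instead, which is not shown. Interface, ACL and inspect-rule names are also assumptions.

```cisco
! Added example; VLAN number, the 192.168.158.0/24 subnet and all names are assumptions.
! The 4ESW ports are Layer 2 ports; VLAN 2 must exist (vlan database / vlan 2) before interface Vlan2 comes up.
ip inspect name LAN-TO-SRV tcp
ip inspect name LAN-TO-SRV udp
!
interface FastEthernet0
 description Internal LAN
 ip address 192.168.157.254 255.255.255.0
 ip access-group LAN-IN in
 ip inspect LAN-TO-SRV in
!
interface FastEthernet1
 description 4ESW port facing the server
 switchport access vlan 2
!
interface Vlan2
 description Server segment
 ip address 192.168.158.1 255.255.255.0
 ip access-group SERVER-IN in
!
ip access-list extended LAN-IN
 remark LAN hosts may only reach the server on HTTPS; other LAN traffic is not affected
 permit tcp 192.168.157.0 0.0.0.255 host 192.168.158.10 eq 443
 deny   ip any 192.168.158.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended SERVER-IN
 remark CBAC adds temporary entries ahead of this list for sessions the LAN initiated
 deny   ip any 192.168.157.0 0.0.0.255 log
 permit ip any any
```

LAN hosts can open HTTPS to the server, CBAC opens the return path through SERVER-IN for those sessions only, and the server cannot start anything toward the LAN. Check with show ip inspect sessions and show access-lists (the deny entries carry hit counts).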

Tags: Cisco Security

Similar Questions

  • IOS Firewall

    Hello

On which devices can I find the IOS firewall services, ZBF and URL filtering? Is it only routers, or are there PIX too?

    Thank you

PIX and ASA devices support ZBF, URL filtering and firewall services. However, almost all mid- to high-range routers have the IOS firewall function (e.g. a Cisco 3640 router with IOS firewall version 12.2), and the ISR series routers support ZBF and URL filtering.

  • Deployment IOS firewall feature set

    Hi all

    We are trying to deploy 2811 router firewalls with SDM version 2.5. We chose the basic firewall configuration option. It forced us to choose the trusted and untrusted interfaces, and we did so. It then added an access list to the trusted interface and the ip inspect command on the untrusted interface.

    Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so do we manually add a permit ip any any inside the network block? Is that right?

    We have another question: we will have another interface on the router connecting to a different network, and our preference is not to configure this interface as either trusted or untrusted. In this scenario, will all traffic from the undefined interface be able to access the trusted interface, or also the untrusted interface?

    Any help would be really appreciated

    Thank you

    Regards

    Anantha Subramanian Natarajan

    Hello André,

    "In addition, initially we want to allow all traffic from the untrusted interface" would completely defeat the purpose of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall option is to block all traffic from an untrusted interface by default, and then only allow the return traffic of connections initiated from a trusted interface (inspection). You can also manually allow a portion of the traffic that you trust.

    "We have another question: we will have another interface on the router connecting to a different network and we would prefer not to configure this interface as either trusted or untrusted. In this scenario, will all traffic from the undefined interface be able to access the trusted interface, or also the untrusted interface?"

    If the inspection rule is applied outbound on the untrusted interface, feel free to leave the other interfaces undefined as to whether they are trusted.

    Regards
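    As an added example for the reply above (it is not the poster's SDM output or Cisco's own configuration): a 2811 with an untrusted interface, a trusted LAN and a third network that is classified as neither. The inspect rule is applied outbound on the untrusted interface and the ACL inbound on it, so sessions started from either inside interface get their return traffic opened while nothing unsolicited enters. Addresses, interface and rule names are assumptions.

```cisco
! Added example; addresses and names are assumptions (documentation prefixes used for public addresses).
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended OUTSIDE-IN
 remark Only what CBAC opens dynamically, plus explicitly trusted traffic, gets in
 remark Example of explicitly trusted traffic: SSH from one management host
 permit tcp host 203.0.113.10 any eq 22
 deny   ip any any log
!
interface FastEthernet0/0
 description Untrusted (Internet)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface FastEthernet0/1
 description Trusted LAN
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1.50
 description Third network, neither trusted nor untrusted in SDM terms
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
```

    Nothing here filters between the trusted LAN and the third network; the inspect/ACL pair on the untrusted interface only controls what crosses the Internet edge. If those two networks must be separated, they need their own interface ACLs. show ip inspect sessions lists the sessions CBAC has opened.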

  • Router Cisco 2610 - IOS

    Guys, I need a little help. I am about to update the flash on my 2610 router, but I don't know which IOS to take.
    This is the specification of my router:
    Router#sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(11), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2000 by cisco Systems, Inc.
    Compiled Sun 20-May-00 10:46 by htseng
    Image text-base: 0x80008088, data-base: 0x808F19F4

    ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

    Router uptime is 1 hour, 42 minutes
    System restarted on
    System image file is "flash:c2600-is-mz.120-11.bin"

    cisco 2610 (MPC860) processor (revision 0x203) with 29696K/3072K bytes of memory.
    Processor board ID JAD04200GSE (3945289899)
    M860 processor: part number 0, mask 49
    Bridging software.
    X.25 software, Version 3.0.0.
    Basic Rate ISDN software, Version 1.1.
    1 Ethernet/IEEE 802.3 interface(s)
    1 ISDN Basic Rate interface(s)
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2142 (will be 0x3962 at next reload)

    Thanks in advance! :)

    Hi Tomasz,

    You do not need an exact match on the DRAM and flash. As long as the DRAM or flash installed is greater than the amount indicated on the software download page, then you're OK. From those indicated on the page that you linked to, the only feature sets shown that you will be able to run are those that have a 32MB/8MB DRAM/flash requirement.

    In the IOS 12.3 M train you should be able to run the IP/IPX/AppleTalk, IP or IP/FW/IDS feature sets. In the 12.2 M train, you should be able to run IP/IPX/AppleTalk/DEC, IP/FW/IDS, IP/H323 or IP.

    Good luck with your studies.

    Regards

  • IOS Firewall feature set and slow down access HTTP...

    I recently turned on the firewall feature on a router, and often some web sites are rather slow. I tweaked ip inspect max-incomplete and one-minute, but the problem persists; removing ip inspect and these commands solves the problem.

    Any ideas on how to fix this?

    Sincerely,

    Daniel Melameth

    Are you inspecting http traffic in particular? If yes, I would remove this and just inspect the other protocols, and tcp and udp in general. Inspection of http is really only useful if you want to stop Java applets arriving, which, to be honest, almost nobody does. If you are not doing something like this, remove the http inspection as it slows things down considerably.

    That said, 12.2(8)T had a lot of performance improvements put into it for CBAC specifically, so you could also try upgrading to that or later to see if it solves the problem. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftfirewl.htm
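    As an added illustration of the reply above (not the poster's configuration): an inspect rule with protocol-specific HTTP inspection, and the same rule reduced to generic TCP/UDP inspection. Rule, list and interface names are assumptions.

```cisco
! Added example; names are assumptions.
! Before: application-layer HTTP inspection on every web session, here with a Java "friendly sites" list
access-list 10 permit 192.168.1.0 0.0.0.255
ip inspect name FW http java-list 10
ip inspect name FW tcp
ip inspect name FW udp
!
! After: generic TCP/UDP inspection only. Return web traffic is still opened, since HTTP rides on TCP;
! only the per-packet HTTP/applet parsing goes away.
no ip inspect name FW http
!
interface FastEthernet0/0
 description Outside
 ip inspect FW out
```

    show ip inspect config shows which protocols a rule still carries, and show ip inspect statistics (where the release has it) whether the box is hitting the max-incomplete thresholds.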

  • IOS Firewall between network internal

    Does anyone have an example configuration or a guideline for implementing a standard firewall between internal groups?

    The scenario is a 3640 with only 2 network interfaces, providing a firewall for a small network with only 3 clients on it who need access to the internal business LAN for a single application.

    I have loads of info on all the other types of scenario, but not one like this where no Internet access is required or used and the 2 networks are connected by Frame Relay or ISDN.

    Any help would be greatly appreciated.

    Assuming that only TCP applications are used and a specific web server. In addition, this example assumes that the 3640 is at the remote site. If other access is desired you will need to inspect other protocols. Don't forget that you will need routes on the local and remote router to the appropriate subnets. For security, it would also make sense to limit

    ip inspect name fw tcp
    !
    interface ethernet0/0
     ip access-group customer in
    !
    interface serial0/0
     ip inspect fw in
    !
    ip access-list extended customer
     permit tcp any host 192.168.1.2 eq 80

  • IOS Firewall (CBAC) + Path MTU Discovery

    I was just reading through the 12.2T CBAC documentation and saw the section on ICMP inspection and how it wildcards the outside IP, because any hop along the path could return time-exceeded and destination-unreachable responses.

    Seeing that made me wonder if this was true for TCP as well, especially in situations involving Path MTU Discovery. If an internal system initiates an outgoing TCP connection that is inspected by the IOS FW, and an external host responds with an ICMP "fragmentation needed but DF bit set" message, will the router consider this part of the session and send it to the internal host?

    Thanks in advance.

    -Mason

    Mason,

    ICMP inspection by CBAC does not include 'packet-too-big' packets. Therefore, you must explicitly allow these packets in your ACL for PMTUD to work, as the router would not consider these packets to be part of the TCP session and would drop them.

    See the link below for the types of ICMP packets supported by CBAC.

    http://www.Cisco.com/en/us/products/ps6350/products_configuration_guide_chapter09186a0080455b0d.html

    HTH,

    Sundar
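    As an added example to go with Sundar's reply (not from the original thread or the linked guide): an outside-interface ACL that lets the packet-too-big messages through statically, next to the CBAC rule, so PMTUD keeps working for TCP sessions the inside started. Interface and rule names are assumptions; the ICMP permits use any/any so that they also hold when NAT sits on the same interface.

```cisco
! Added example; names are assumptions.
ip inspect name FW tcp
ip inspect name FW udp
!
ip access-list extended OUTSIDE-IN
 remark CBAC does not treat ICMP type 3 code 4 as part of a TCP session, so permit it statically
 permit icmp any any packet-too-big
 remark Also useful for traceroute and failed connections from the inside
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 remark Everything else waits for CBAC to open it
 deny   ip any any log
!
interface Serial0/0
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

    no ip unreachables on the outside interface only stops the router itself from generating unreachables; it does not affect the transit packet-too-big messages this ACL permits. If a path still blackholes large segments, ip tcp adjust-mss on the inside interface is the usual fallback. show access-lists shows whether the packet-too-big entry is being hit.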

  • Multi-tenant IOS Firewall and security even subinterfaces 9.0

    Hi all

    I'm so used to < 8.3 and am having great difficulty getting an environment working properly, so I'm now going to leverage the Cisco

    We set up a network with clients behind a pair of 5510s. All of these clients will have their own dedicated sub-interface in their own VLAN. Out of the box, I had same-security-traffic permit inter-interface enabled and all networks could communicate with each other. I certainly don't want that, so I disabled this command and now each client network is unable to communicate with the others, as expected.

    The problem now lies in networks where a customer has 2 separate VLANs (say a staging and a prod environment) that need to communicate. Is that feasible if they are at the same security level and same-security-traffic permit inter-interface is disabled? Do I just need to create an ACL for the networks to talk? Is there a better way to do this with same-security-traffic permit inter-interface enabled?

    Pre-8.3, I had same-security-traffic permit inter-interface enabled, but traffic could not get to the other interface unless I created a NAT exemption and ACLs. Do I still need to create a NAT exemption?

    Hello

    The basic problem that you run into with the different software levels is the 'nat-control' parameter, which exists in 8.2 (or earlier) but does not exist in version 8.3 (or later) of the ASA software.

    In 8.2 and earlier software you had, with 'nat-control', the option of requiring a connection to have a NAT configuration in order to pass traffic through the ASA. Of course this, coupled with the 'security-level', gave you more ways to control traffic without resorting to ACLs.

    However, in the new 8.3 and later software the 'nat-control' option no longer exists, and whether a connection has a NAT configuration applied or not, the ASA still allows the connection (provided the other ASA controls allow it), so basically you won't need NAT configurations between your local interfaces. The most common NAT configurations should be between your local interfaces and the 'outside' ASA interface.

    If you try to control traffic between interfaces with the global configuration commands you mention, you will end up constantly 'juggling' with the 'security-level' configurations so that the correct rules are applied to the traffic.

    This question comes up on these forums every now and then, and I almost always suggest the same approach, which is to set up an ACL on EACH interface of the ASA.

    • Remember to leave 'same-security-traffic permit inter-interface' in the ASA configuration. This is because even if you have interface ACLs allowing the traffic, if the interfaces are for some reason left with identical 'security-level' values, the ACLs alone will not be sufficient to allow the traffic.
    • Configure an ACL on each interface
    • Initially, in the ACL configuration, create an 'object-group' that contains EACH network behind your firewall's local interfaces (except the 'outside', of course)
    • Use this 'object-group' at THE start of each interface ACL to BLOCK ALL traffic from behind that interface to these networks
    • After that, allow or block the different outbound/Internet-bound traffic as usual
    • If 2 (or more) networks behind different interfaces need to communicate with each other, set up a statement early in each ACL that allows it. The already existing 'deny' with the 'object-group' will ensure that other traffic between the networks is blocked

    A very simple example you might want to consider is the following

    Networks:

    • LAN1: 10.10.10.0/24
    • LAN2: 10.10.20.0/24
    • DMZ1: 192.168.100.0/24
    • DMZ2: 192.168.200.0/24

    same-security-traffic permit inter-interface
    !
    interface GigabitEthernet0/0
     description Trunk
    !
    interface GigabitEthernet0/0.10
     vlan 10
     nameif LAN1
     security-level 100
     ip address 10.10.10.1 255.255.255.0
    !
    interface GigabitEthernet0/0.20
     vlan 20
     nameif LAN2
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    !
    interface GigabitEthernet0/0.100
     vlan 100
     nameif DMZ1
     security-level 100
     ip address 192.168.100.1 255.255.255.0
    !
    interface GigabitEthernet0/0.200
     vlan 200
     nameif DMZ2
     security-level 100
     ip address 192.168.200.1 255.255.255.0
    !
    object-group network BLOCK-LOCAL-NETWORKS
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 192.168.100.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0
    !
    access-list LAN1-IN remark Allow HTTP/HTTPS to the DMZ1 server
    access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq www
    access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq https
    access-list LAN1-IN remark Block traffic to the other local networks
    access-list LAN1-IN deny ip any object-group BLOCK-LOCAL-NETWORKS
    access-list LAN1-IN remark Allow any outbound
    access-list LAN1-IN permit ip 10.10.10.0 255.255.255.0 any
    !
    access-group LAN1-IN in interface LAN1

    And of course all the other ACLs would follow the same model in one form or another. You would not really have to worry about which traffic is allowed between interfaces; rather, most of the work would probably be adding 'permit' entries at the top of each ACL when required for inter-interface communication. But I guess the amount of these additions would remain at a manageable level for the FW admins.

    Naturally, in the biggest environments you would probably get a high-end ASA, virtualize it and separate each customer environment into its own security context, where you would avoid this situation altogether. Naturally the biggest points against this solution are usually the cost and the fact that virtualizing the ASA in multiple context mode disables some essential operational capabilities of the ASA, of which the most important is probably Client VPN connections (L2L VPN is supported in multiple context mode in the 9.x software).

    Hope this helps

    Don't forget to mark the reply as the answer if it answered your question. And/or useful response rates

    Ask more if needed

    -Jouni
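    As an added example continuing Jouni's pattern (not from the original reply): the ACL for LAN2, where LAN1 and LAN2 are one customer's staging and production VLANs and must talk to each other. The early permit goes before the object-group deny; the DMZ permits and the outbound permit follow the same shape as LAN1-IN. The mirror entry is also needed at the top of LAN1-IN, since each direction's first packet is checked on its own ingress interface. The object-group is the one defined in the example above (BLOCK-LOCAL-NETWORKS); the server addresses are assumptions.

```cisco
! Added example; host addresses are assumptions.
! LAN2 (prod, 10.10.20.0/24) may reach LAN1 (staging, 10.10.10.0/24); the other local networks stay blocked.
access-list LAN2-IN remark Inter-interface: allow the staging/prod pair before the local deny
access-list LAN2-IN permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list LAN2-IN remark Allow HTTPS to the DMZ2 server
access-list LAN2-IN permit tcp 10.10.20.0 255.255.255.0 host 192.168.200.100 eq https
access-list LAN2-IN remark Block everything else to the other local networks
access-list LAN2-IN deny ip any object-group BLOCK-LOCAL-NETWORKS
access-list LAN2-IN remark Allow any outbound
access-list LAN2-IN permit ip 10.10.20.0 255.255.255.0 any
!
access-group LAN2-IN in interface LAN2
!
! Reverse direction: sessions that LAN1 hosts start toward LAN2 need the mirror entry ahead of LAN1-IN's deny
access-list LAN1-IN line 1 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
```

    Check the result with show access-list LAN2-IN (hit counts per line) and packet-tracer input LAN2 tcp 10.10.20.5 1025 10.10.10.5 443, which walks the ACL, NAT and routing phases and says where a packet would be dropped.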

  • Using the Cisco IOS Firewall with the VPN client

    Hello

    I configured RTR1 to support VPN clients. RTR1 has a site-to-site VPN tunnel to RTR2.

    VPN clients connected to RTR1 have IP connectivity to the RTR1 LAN. How can I get the VPN client LAN to access the local network of RTR2?

    I've included the VPN client LAN in the traffic to be encrypted in the VPN tunnel to the RTR2 LAN and vice versa. I also tried a static route configured on RTR2 for the VPN client LAN with the WAN IP of RTR1 as next hop.

    It still doesn't work for me. Any ideas?

    Thank you

    Has the other side added your remote VPN client pool to its configuration? The remote site must know it as interesting traffic as well. Is RTR2 NAT'ing? Cleaned-up configs for the two routers would help a lot.

  • IPSec Site-to-Site VPN: Cisco 837 router to FortiGate 200A firewall

    I have a challenge for a site-to-site VPN scenario that may need some brainstorming from you guys.

    So far, I have a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I have not tested it before with this scenario. I'll be going on this project next week and hopefully get a solution from brainstorming with you guys. Thanks in advance!

    Network diagram:

    http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

    Challenge:

    (1) Configure CISCO R3 IPSec Site-to-Site VPN between 172.20.10.0 and 10.20.20.0 using crypto maps

    (2) IKE Phase I: Main Mode, lifetime 28000, md5, DH Group 1

    IKE Phase II: esp-des, hmac-md5, tunnel mode

    PSK: sitetositevpn

    Here is my setup for review:

    crypto isakmp policy 10
    ! encryption line garbled in the original; DES matches the stated esp-des requirement
     encr des
     authentication pre-share
     group 1
     hash md5
    crypto isakmp key sitetositevpn address 210.x.x.66
    !
    crypto ipsec transform-set ciscoset esp-des esp-md5-hmac
    !
    crypto map infotelmap 10 ipsec-isakmp
     set peer 210.x.x.66
     set transform-set ciscoset
     match address 111
    !
    !
    interface Ethernet0
     description LAN 3
     ip address 10.20.20.1 255.255.255.0
     ip nat inside
    ! QoS policy name garbled in the original
     service-policy output servers
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     atm vc-per-vp 64
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address 210.x.20.x 255.255.255.252
    ! disables ICMP redirects
     no ip redirects
    ! disables ICMP host unreachables
     no ip unreachables
    ! disables proxy ARP
     no ip proxy-arp
     ip nat outside
     pvc 8/35
      encapsulation aal5snap
    !
    !
    ip nat inside source list 102 interface ATM0.1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ! next hop masked in the original
    ip route 0.0.0.0 0.0.0.0 x.x.x.66
    no ip http secure-server
    !
    access-list 102 remark NAT traffic
    access-list 102 permit ip 10.20.20.0 0.0.0.255 any
    !
    access-list 111 remark VPN Site-to-Site LAN 3 to LAN 2 network
    access-list 111 permit ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

    Kind regards

    Junhan

    Hello

    Three changes are required in this configuration.

    (1) Change the NAT access-list 102 as below:

    access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

    access-list 102 permit ip 10.20.20.0 0.0.0.255 any

    (2) Apply the crypto map on the point-to-point ATM interface.

    (3) Remove all but one default route.

    Thank you

    Mustafa
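    As an added example (not from the original thread) that applies Mustafa's three changes to Junhan's configuration as posted; everything not shown stays as it was. The masked peer and next-hop addresses are kept as placeholders.

```cisco
! Added example; the x.x.x.66 next hop is the masked value from the post.
! 1) NAT exemption first: IOS translates inside-to-outside traffic before the crypto map sees it,
!    so without the deny the VPN traffic would leave with the overload address and never match ACL 111
no access-list 102
access-list 102 remark NAT traffic, excluding the site-to-site VPN subnet
access-list 102 deny   ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
!
! 2) The crypto map must sit on the interface through which the peer is reached
interface ATM0.1 point-to-point
 crypto map infotelmap
!
! 3) A single default route; the second one is removed
no ip route 0.0.0.0 0.0.0.0 x.x.x.66
ip route 0.0.0.0 0.0.0.0 ATM0.1
```

    The FortiGate side has to mirror Phase 1 and Phase 2 exactly (main mode, PSK, DES/MD5/DH group 1, ESP-DES with HMAC-MD5, tunnel mode, the same two subnets as proxy IDs) or Phase 2 will fail with a proposal mismatch; show crypto isakmp sa and show crypto ipsec sa on the 837 show how far the negotiation gets. DES, MD5 and DH group 1 are all considered broken today; if the requirement can be changed, use AES, SHA-2 and a larger DH group on both ends.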

  • 2 IOS Firewall interface

    Hello - I have a 3640 that segments 2 internal LANs. There are 2 FastEthernet ports on the box. I can't ping from one network to the other and vice versa, even with all ICMP access allowed in both directions. I can however ping as far as the router from both sides. The router can ping all clients on each side.

    When I do a sh ip route, it shows the two directly connected networks, although it does not show the 2 subnets as subnetted. Also, with different debug commands, I see that the packets are being dropped. The errors are: no way of IP routing, UDP port any source, IP address is our interface; there is even an error saying wrong cable type.

    Here is a copy of the configuration.

    !

    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    no service tcp-small-servers
    no service udp-small-servers
    !
    hostname 3640GW
    !
    enable secret <removed>
    !
    ip source-route
    no ip name-server
    !
    ip subnet-zero
    no ip domain-lookup
    ip routing
    !
    !
    no ip inspect audit-trail
    ip inspect tcp synwait-time 30
    ip inspect tcp finwait-time 5
    ip inspect tcp idle-time 3600
    ip inspect udp idle-time 30
    ip inspect dns-timeout 5
    ip inspect one-minute low 900
    ip inspect one-minute high 1100
    ip inspect max-incomplete low 900
    ip inspect max-incomplete high 1100
    ip inspect tcp max-incomplete host 50 block-time 0
    !
    interface FastEthernet0/0
     no shutdown
     description Connected to wireless
     ip address 192.208.127.199 255.255.255.0
     ip access-group 101 in
     keepalive 10
    !
    interface FastEthernet0/1
     no shutdown
     description Connected to CORP
     ip address 192.208.126.199 255.255.255.0
     ip access-group 100 in
     keepalive 10
    !
    ! Access control list 100
    !
    no access-list 100
    access-list 100 deny ip 192.208.127.0 0.0.0.255 any
    access-list 100 permit udp any eq rip any eq rip
    access-list 100 permit icmp any 192.208.127.0 0.0.0.255
    !
    ! Access control list 101
    !
    no access-list 101
    access-list 101 deny ip 192.208.126.0 0.0.0.255 any
    access-list 101 permit udp any eq rip any eq rip
    access-list 101 permit icmp any 192.208.126.0 0.0.0.255
    !
    router rip
     version 2
     network 192.208.127.0
     network 192.208.126.0
     no auto-summary
    !
    !
    ip classless
    no ip http server
    !

    Any help is appreciated.

    Gavin.

    What exactly are you trying to do here? In an ACL, 'ip' includes 'icmp', so the first line of your ACLs 100 and 101 denies ICMP packets. The following two lines probably don't do anything, since both RIP (UDP) and ICMP, as I said, are included in the 'deny ip' on the first line.

    In fact, the last line in each ACL says to permit packets into the interface with an address on the interface's own network as the destination, which will never happen.

    In fact, the more I look at this, the more it looks like you have the ACLs applied to the wrong interfaces. If you apply ACL 100 to fa0/0 and ACL 101 to fa0/1, then this will probably do what you need.

  • IOS firewall/Internet on DSL (PPPoE)

    I have a Cisco 2651XM lying around and I want to implement NAT (inside), a firewall, and have the external interface dial using PPPoE (it would be connected to a DSL modem). How can I do this?

    Thank you!

    Also, make sure that the username and password that you use for PAP authentication are correct. It won't hurt to delete this statement and configure it again, just to make sure that you did not inadvertently configure an extra space character the first time.

  • Firewall router ios commands

    In order to troubleshoot problems resulting from an issue with a VPN connection, where the router contains an IOS firewall, knowing the correct commands is essential. What are the proper commands that should be used to display information related to VPN problems? For example, on a PIX the commands show conn, show isakmp sa, show ipsec sa, sh xlate etc. help in determining the issues. What are the corresponding commands, and which others can be used on a router with an IOS firewall?

    Take a look at this link to learn more about the Cisco IOS Firewall.

    http://Cisco.com/en/us/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html

    HTH
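    As an added note (not part of the reply above, which only gives a link): the IOS commands a practitioner uses for these questions, grouped next to the PIX commands they correspond to. They are standard IOS show and debug commands; the interface name is an assumption.

```cisco
! IKE and IPsec state (PIX: show isakmp sa / show ipsec sa)
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
show crypto map
!
! Sessions the firewall is tracking and the inspect configuration (closest IOS equivalent of show conn)
show ip inspect sessions detail
show ip inspect config
!
! NAT translations (PIX: show xlate)
show ip nat translations
show ip nat statistics
!
! ACL hit counts, to see what the outside ACL is dropping (interface name assumed)
show access-lists
show ip access-lists interface Serial0/0
!
! Negotiation failures; view with terminal monitor or logging buffered, and switch off afterwards
debug crypto isakmp
debug crypto ipsec
undebug all
```

    A Phase 1 problem shows up as no entry, or a state other than QM_IDLE, in show crypto isakmp sa; a Phase 2 or interesting-traffic problem shows up as an SA in show crypto ipsec sa whose encaps/decaps counters do not move.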

  • VPN between a 1721 router and a Juniper SRX 240

    Hello

    Is it possible to set up a VPN tunnel on a 1721 router that uses the following IOS:

    c1700-y7-mz.124-13b.bin

    I thought I had read somewhere that tunnels were not supported on the 1700s, but wanted to make sure. If they are, I would like to know if they are supported in earlier IOS versions.

    Thank you.

    Yes, the 1721 supports termination of VPN tunnels, and you need the IP/Firewall/IPSec 56 or IP/Firewall/IPSec 3DES IOS feature sets.

    Here is the Cisco 1721 router data sheet for your reference:

    http://www.Cisco.com/en/us/products/HW/routers/ps221/products_data_sheet09186a00800920ec.html

    However, please note that the Cisco 1721 has reached EOL:

    http://www.Cisco.com/en/us/prod/collateral/routers/ps221/prod_end-of-life_notice0900aecd8044473f.html

    In addition, the current IOS you have, c1700-y7-mz.124-13b.bin, does not support IPSec. You need to download an IOS with the IP/Firewall/IPSec 56 or IP/Firewall/IPSec 3DES feature set to support IPSec.

    I hope this helps.

  • Site-to-site VPN with an IOS router

    I want to create a site-to-site VPN over the Internet. At the remote site, apart from the VPN to head office, there should be no traffic allowed inbound from the Internet to the internal network, and there should be no traffic allowed from the internal network to the Internet. The internal network will run a private 192.168.x.x address range.

    I'm going to use a Cisco 2811 Integrated Services Router at the remote site, and this will terminate an IPSec VPN that ends on a concentrator at headquarters. I understand that this router has an IOS firewall and IPS built in.

    Would I be right in thinking that because I don't want to have Internet access (except the VPN), I should not need to configure the IOS firewall features on the router? And there is no point in configuring the IPS features either, is there?

    My thought is that a single access list entry, deny ip any any, applied inbound on the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the deny ip any any ACL (or is that just a PIX command? If yes, then I would have to allow ESP and UDP 500 (ISAKMP) from the public address of the concentrator at headquarters to allow the VPN to form, wouldn't I?).

    I think I'll probably expand the access list slightly to allow ICMP, SSH and HTTPS traffic from the IP address of the headquarters firewall's outside interface, so that I can monitor the remote site and access it securely if the VPN fails.

    And I wouldn't need an access list on the interface connected to the internal network, I would think, because the address range would be non-routable, so the hosts would not be able to initiate connections to the Internet (all the traffic at the remote site is specified as interesting traffic to bring up the VPN).

    Using any of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case, wouldn't it?

    I really just need to know if the deny ip any any ACL on the external interface at the remote site is the best solution (and the simplest), and whether it will be safe.

    We used to use PIX firewalls for site-to-site VPNs, which refuse incoming connections on the external interface by default, but now I have been informed that these 2800 series routers will be used instead, so I would like to get my thoughts straight and be able to build them securely to do the same job all the existing PIXes are doing (they are all installed just for the VPN to headquarters, as in the first paragraph).

    I would welcome any advice or thoughts on the subject. I'm sure there must be a ton of people who have set up routers for the same purpose.

    Thank you in advance.

    Pete.

    Pete

    I have done a lot of site-to-site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

    - You do want an inbound access list on the external interface, but you want more in it than simply deny ip. There is no sysopt connection permit-ipsec in IOS, so you certainly want to permit ISAKMP and IPSec/ESP. I suggest that you also want to permit SSH. I would permit ICMP, but only from the address space of the head-end network. I do not permit HTTPS since I generally do not enable the http server on the router. If you want HTTPS then certainly enable it. To facilitate ping and traceroute from the remote, I frequently permit icmp echo-reply, time-exceeded and port-unreachable from any source.

    - I do want to put an access list on the inside interface. There are certain types of traffic that I don't want sent from the remote LAN. I usually deny any SNMP or SNMP trap from LAN devices and deny ICMP redirects out of the local network. I also often configure RPF checks on the inside interface to catch any device which is misconfigured.

    - If you want to allow SSH when the VPN is not active (and I highly recommend that you do), then you will probably need to configure at least 1 (and maybe more) user ID and password on the router. And you want to configure authentication on the vty to use local authentication if the head-end authentication server is not available.

    - I'm not clear from your description whether you plan to run a dynamic routing protocol via the VPN. I would want a dynamic routing protocol because I want to advertise a default route to the remote via the VPN. I do not configure a default route locally on the remote router. This way, if the VPN tunnel is up there is a default route pointing to the tunnel, and if the VPN tunnel is not up then there is no local default route and users at the remote site cannot access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

    - Regarding the routes defined on the remote router, my approach is that I define a static route for the tunnel endpoint to allow the tunnel to come up, and I set up static routes for the head-end subnet from which I SSH. And I do not configure other static routes on the remote router.

    - You probably want to disable CDP on the external interface and also disable proxy-arp (and I also configure no ip unreachables).

    - There is frequently a problem with fragmentation when using site-to-site VPN. If a device on the local network sends a maximum-size frame, and the router then needs to add additional headers for IPSec, the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control the segment size for TCP traffic and avoid any problems with fragmentation.

    - I don't think you want to set up the firewall or IPS features of IOS on the 2811.

    I hope that your implementation goes well and that my suggestions are useful.

    [edit] After posting my response, I read through your post again and realized that you are connecting to a VPN concentrator. The approach I proposed of running a routing protocol works for me because I usually have an IOS router at the head end. It would not work when connecting to a concentrator.

    HTH

    Rick
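    As an added example (not Rick's or Pete's configuration) that puts the items in Rick's list into one 2811 setup for a concentrator peer: an inbound ACL on the outside permitting only IKE, ESP, SSH and a few ICMP types from the head end; an inside ACL dropping SNMP and redirects; uRPF on the inside; adjust-mss; CDP, proxy-ARP and unreachables off; local users as the fallback login method; and only the two static routes Rick describes, with no default route. The addresses (203.0.113.0/24 for the head end, 203.0.113.1 for the concentrator, 203.0.113.20 for the management host, 198.51.100.2 for the remote, 10.0.0.0/16 for the head-end LANs) and all names are assumptions. The crypto isakmp/ipsec policy and the TACACS+ server definition are left out; the policy must match the concentrator.

```cisco
! Added example; addresses and names are assumptions. ISAKMP/IPsec policy and tacacs-server lines omitted.
ip cef
!
username admin privilege 15 secret ChangeMe
aaa new-model
! head-end TACACS+ first, local users when it is unreachable (tunnel down)
aaa authentication login default group tacacs+ local
!
ip access-list extended OUTSIDE-IN
 remark IKE and ESP only from the concentrator (there is no sysopt connection permit-ipsec in IOS)
 permit udp host 203.0.113.1 host 198.51.100.2 eq isakmp
 remark NAT-T port, only needed if a NAT device sits between the peers
 permit udp host 203.0.113.1 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.2
 remark Management from head-end address space when the tunnel is down
 permit tcp host 203.0.113.20 host 198.51.100.2 eq 22
 permit icmp 203.0.113.0 0.0.0.255 host 198.51.100.2
 remark Replies that make ping and traceroute from the remote work
 permit icmp any host 198.51.100.2 echo-reply
 permit icmp any host 198.51.100.2 time-exceeded
 permit icmp any host 198.51.100.2 port-unreachable
 deny   ip any any log
!
ip access-list extended INSIDE-IN
 remark Things the remote LAN should never send out
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   icmp any any redirect
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip unreachables
 no cdp enable
 crypto map HQ
!
interface FastEthernet0/1
 description Remote LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip verify unicast source reachable-via rx
 ip tcp adjust-mss 1356
!
! Only the tunnel endpoint / management subnet and the head-end LANs; no default route,
! so anything not bound for the head end has nowhere to go
ip route 203.0.113.0 255.255.255.0 198.51.100.1
ip route 10.0.0.0 255.255.0.0 198.51.100.1
!
line vty 0 4
 transport input ssh
```

    With the interesting-traffic ACL in crypto map HQ covering 192.168.10.0/24 to 10.0.0.0/16, the static route for 10.0.0.0/16 is what carries LAN traffic to the outside interface where the crypto map encrypts it; without it the packets are dropped before the tunnel is even consulted. crypto key generate rsa has to be run once before SSH will accept connections. The log keyword on the two final denies is what tells you, via show access-lists and the syslog, what the Internet and the LAN are trying to send.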
