Can an 1841 route between a GRE tunnel and an IPSEC tunnel?

Hello everyone!

See the image below.

Main office (10.0.1.0/24 LAN) and branch (10.0.2.0/24 LAN) are connected through a GRE tunnel.

The third office (10.0.3.0/24) is attached to the second branch via IPSEC.

Is there a way to establish a connection between the third office and the main office through the Cisco 1841?

Is it possible to perform routing, perhaps with NAT?

In fact we need a connection to a single server in the main office.

Thank you

Hello

It is possible to build this configuration.

The IPSEC connection between 10.0.3.x and 10.0.2.x should also encapsulate the traffic to the main office.

Steps to follow:

First, at the central office, route the traffic to 10.0.3.x over the GRE tunnel.

Second, add the 10.0.3.x - 10.0.1.x traffic selection to the IPSEC ACL with the third site.

Third, add the 10.0.3.x - 10.0.1.x traffic selection to the IPSEC ACL with the second site.

Please rate if this helped.

Kind regards

Daniel
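The three steps in Daniel's answer above, written out as IOS configuration fragments for the three routers. This is an added example, not configuration from the original thread; the interface and object names (Tunnel0 for the GRE tunnel, FastEthernet0/0 as each branch's WAN interface, crypto map BRANCH-VPN, ACLs VPN-TRAFFIC and NAT-TRAFFIC) and a default route toward the ISP on both branches are assumptions, and only the lines that change are shown.

```ios
! ---- Main office router (10.0.1.0/24 LAN) ----
! Step 1: send traffic for the third office into the existing GRE tunnel.
! No crypto change here; the second branch encrypts it onward.
ip route 10.0.2.0 255.255.255.0 Tunnel0
ip route 10.0.3.0 255.255.255.0 Tunnel0

! ---- Second branch router (10.0.2.0/24 LAN, GRE to main, IPsec to third) ----
! The main-office LAN is reached through the GRE tunnel; the third office is
! reached through the IPsec peer, which the default route already covers.
ip route 10.0.1.0 255.255.255.0 Tunnel0
! Step 2: the crypto ACL now selects main-office traffic as well, so packets
! that arrive decapsulated from Tunnel0 and leave FastEthernet0/0 toward
! 10.0.3.0/24 are encrypted instead of being sent in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
! If the WAN interface also does overload NAT, exempt the VPN flows first:
! IOS translates inside-to-outside traffic before the crypto map sees it,
! so a translated packet would never match VPN-TRAFFIC.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
 deny   ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
 permit ip 10.0.2.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet0/0 overload
!
! Existing crypto map; only the ACL reference is shown.
crypto map BRANCH-VPN 10 ipsec-isakmp
 match address VPN-TRAFFIC
interface FastEthernet0/0
 crypto map BRANCH-VPN

! ---- Third office router (10.0.3.0/24 LAN, IPsec to second branch) ----
! Step 3: the mirror image of the second branch's crypto ACL. The two lists
! must match entry for entry, otherwise phase 2 fails on proxy identities.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
! 10.0.1.0/24 needs no explicit route here: the default route toward the
! ISP sends it out the WAN interface, where the crypto map encrypts it.
```

To restrict the new traffic to the single server the question mentions, replace `10.0.1.0 0.0.0.255` with `host <server address>` in both branches' crypto ACLs (and in the NAT exemption).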

Tags: Cisco Security

Similar Questions

  • GRE and IPSec

    We currently have several sites with ISAKMP/IPSec tunnels between 2800 routers, and we need to migrate some of them to GRE over IPSec tunnels. Are there problems with terminating GRE and IPsec tunnels on the same router and interface?

    I don't know of any problems - apart from the router doing the encryption/decryption and GRE encapsulation/decapsulation, just be mindful of throughput.

    I have seen problems with GRE traffic and MTU. Cisco recommends an MTU of 1440; personally, I would set 1400.

    HTH

  • GRE and IPSEC VPN tunnel over the same interface

    My client is currently connected to a call service provider through a GRE tunnel over IPSEC. They chose to move all connections to a traditional site-to-site VPN behind a firewall here at their corp office. As the question says, is it possible for me to put the site-to-site VPN in place on the same router? Both the Tunnelx and the ethernet interface have the same crypto map assigned to the destination router. I thought that traffic could be divided by identifying the 'interesting' traffic. Thanks for any ideas and suggestions.

    Ray

    Ray

    Thanks for the additional information. It sounds like the existing entries in ACL 101 need to remain so the existing tunnel will still work, and you have to add entries that will allow the new tunnel. Editing an ACL that is actively filtering traffic can get complicated. Here is a technique that I use sometimes.

    - Create a new access list (perhaps ACL 102, assuming that 102 is not already in use).

    - Copy the entries of ACL 101 to 102 and add the additional entries you need in the appropriate places in the ACL.

    - Once the new version of the ACL is complete in the config, then go to the interface and change the ip access-group to point to the new ACL.

    This provides a transition that does not affect traffic. And it makes going back to the original easy - especially if something does not work as expected in the new ACL.

    If the crypto map on the remote router has an entry for GRE and a separate entry for the IPSec, that is a good thing and should work. I assume the crypto map entry for GRE specifies an access list that permits the GRE traffic, and the crypto map entry for IPSec points to a different access list that identifies the IP traffic to be encrypted through the IPSec tunnel.

    HTH

    Rick
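The transition Rick describes, as an added example that is not from the thread. The contents of ACL 101, the interface name Serial0/0 and the documentation-range addresses (this router 203.0.113.1, existing GRE-over-IPSec peer 198.51.100.1, new site-to-site peer 198.51.100.2) are all assumptions.

```ios
! Existing inbound filter on the WAN interface (assumed contents). It admits
! the GRE-over-IPSec peer's ISAKMP, ESP and GRE and logs everything else.
access-list 101 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 101 permit esp host 198.51.100.1 host 203.0.113.1
access-list 101 permit gre host 198.51.100.1 host 203.0.113.1
access-list 101 deny   ip any any log

! Steps 1 and 2: build ACL 102 as a copy of 101, with the new peer's
! ISAKMP and ESP entries placed above the final deny. Nothing references
! 102 yet, so building it has no effect on live traffic.
access-list 102 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 102 permit esp host 198.51.100.1 host 203.0.113.1
access-list 102 permit gre host 198.51.100.1 host 203.0.113.1
access-list 102 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
access-list 102 permit esp host 198.51.100.2 host 203.0.113.1
access-list 102 deny   ip any any log

! Step 3: one command swaps the reference atomically; ACL 101 stays in the
! config untouched, so rollback is "ip access-group 101 in".
interface Serial0/0
 ip access-group 102 in
```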

  • I can work between my Mac and iPad, but cannot get my iPhone to receive transfers?

    I can work on Numbers spreadsheets between my Mac and iPad, but cannot get my iPhone to receive transfers. The Numbers icon is at the bottom left of the screen, but none of my worksheets appear on my iPhone.

    Is Numbers synchronizing correctly via iCloud on your iPhone? You could check that the connection of Numbers to iCloud is turned on in two places:

    Settings > iCloud > iCloud Drive > Numbers

    and,

    Settings > Numbers > Use iCloud

    SG

  • Can you replicate between 5.1 and 5.5?

    Hello

    I have two sites where we will install vSphere Replication and SRM; one is completely 5.5 and the other is 5.1. Is there any problem with replication and using SRM between the two versions?

    Thanks in advance

    Unfortunately you will not be able to replicate in this use case. The problem is that we do not support replication between 5.1 and 5.5, or vice versa.

    You must have identical versions on both sites.

    Kind regards

    -Martin

  • DMVPN/IPSEC, GRE and IPSEC Multi Point

    Hi all

    I have a project to build connectivity from 50 locations to my 2 data centers. Each location has Internet with an 877 router running a security image.

    My DC has a 1900 router. Now I want to know which tunnel type to go with: DMVPN IPSEC or IPSEC GRE.

    The data will flow between the DC and the locations only. No inter-location connections. I want to know the pros and cons as well as any change of equipment required.

    Kind regards

    Satya.M

    Given your criteria, I would say that DMVPN would be best suited.

    Cisco - Configuring Dynamic Multipoint Virtual Private Networks (DMVPN)

    Implementing GDOI in DMVPN

    Pete

  • Can I swap lenses between the Alpha A100 and A77?

    I have an Alpha A100 and want to buy a Sony A77; are the lenses compatible?

    Yes, the DSLR-A100 and SLT-A77 use the same type of mount. You can switch lenses between the two bodies.

    If my post answered your question, please mark it as "Accept as Solution".

  • Can a license float between a Mac and a PC?

    I have a Mac and a PC. Some projects are better done on each. Can a cloud license be used on either? Can a license later be transferred from a PC to a Mac?

    Removing the license on a computer http://forums.adobe.com/thread/1442423?tstart=0 may help

    -http://helpx.adobe.com/x-productkb/policy-pricing/error-maxium-acitvation-exceeded.html

  • HP ENVY dv7 Notebook PC: can the HP ENVY dv7 Notebook PC switch between the Intel and Nvidia graphics processors?

    I have an application that gives the following error when it runs:

    "Display driver stopped responding and has recovered. Intel Graphics Accelerator driver for Windows 7 (R) stopped responding and has successfully recovered."

    Is it possible to assign this application to the Nvidia graphics card instead of the Intel HD 4000 GPU? If yes, how do I do this assignment?

    Thank you

    Here's what I had to do to get graphics performance to a level that would allow the Surfcam Traditional 2015 CAM application to work correctly:

    HP Envy dv7-7373ca required settings for Surfcam Traditional 2015

    Right-click on the desktop;

    Select the Nvidia Control Panel

    1. Adjust image settings: Use the 3D image settings.
    2. Manage 3D settings: NVIDIA High Performance processor
    3. Configure PhysX: GeForce 650M graphics

    Select Graphics Properties (this is the Intel HD 4000 GPU)

    1. Media: Preferred 3D Performance
    2. Power: Max Performance

  • Example configuration for VPIM between Unity and Unity Express

    I need to configure VPIM networking between Unity w/Exchange and a 3rd-party voice messaging system and want to familiarize myself with the functionality. That is analogous to researching Unity and Unity Express. I can understand the part between Unity and Exchange, but do not know how it works between Exchange and Unity Express, especially the domain requirement.

    Can I get a sample configuration for configuring VPIM networking between Unity w/Exchange and Unity Express?

    Thanks in advance,

    VPIM networking can be used for networking between Unity and Unity Express, just as it can be used for networking with a third-party system; however, each has its own implementation. Unity Express does not connect to Exchange. I suggest you re-read the chapter "Using VPIM for Networking with Cisco Unity Express or Other Cisco Unity Systems" at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_feature_guide_chapter09186a0080449a39.html and the Cisco Unity Express Networking guide at http://www.cisco.com/en/US/partner/products/sw/voicesw/ps5520/prod_configuration_basics09186a008035bbdb.html.

    A third-party system would have concepts comparable to the Unity VPIM implementation, but would not be exactly the same - see that system's documentation for details.

  • IPSEC VPN between Pix 515E and 1841 router

    Hi all

    BACKGROUND

    We have implemented an IPSEC site-to-site VPN between a PIX 515E running 8.0(4) and an 1841, using static IP addresses at both ends. We used CCP on the router and ASDM on the PIX to build the initial tunnels. Now the site with the router is moving to a dynamic IP address from the ISP, so we have implemented dynamic DNS to update the dynamic IP address.

    PROBLEM

    The problem is that ASDM will not allow us to set a domain name as the peer address; it will only accept an IP address. We believe that the solution will be to remove the static crypto map and replace it with a dynamic crypto map on the PIX side. Our questions are simply: is this the best solution? Can we change the original static entry, or is it better to delete it and make a new dynamic crypto map? Is there a shortcut to change the config from the command line? This is a live network, so we just want to check before we make any changes on the live kit.

    Any help much appreciated.

    You don't have to change anything when the peer address changes. The dynamic crypto map is designed to accept dynamic peer connections. The only thing to remember is that only the dynamic peer can initiate the connection. And you reduce your security if you use a pre-shared key, since you now have to use a generic PSK.

    As I remember, the PIX/ASA does not support the dynamic use of FQDNs for peer resolution. This feature is supported in IOS.

    For this feature, it would be preferable to have static IP addresses on both sides.

  • What comparison can be made between Time Capsule and SmartRG S505 wireless modem router for wifi?

    Superior...

    After all, the chip is mainly a modem.

    Wireless is there but not designed as the primary connection.

    Wireless 802.11n 300Mbps AP with 2 x 2 MIMO, wireless bridge, WDS, multiple SSID including isolated guest SSID, WiFi QoS (WMM) and PowerSave; wireless security: • Wi-Fi Protected Access (WPA, WPA2) • AES, TKIP, WEP encryption

    It is the Wireless N standard.

    The TC is simultaneous dual-band AC1750... even if in fact Apple never lets anything use 300mbit on 2.4 GHz, so it is more like AC1450... It is also 3 streams on both bands, not 2 x 2.

    Hope that helps.

    The only thing to note is that an Apple router can never join a non-Apple wireless router... so it must always be plugged in by ethernet.

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    We have a strange problem with one of our IPsec tunnels for one of our customers: we can bring the tunnel up from the customer's site, but not from our site. I don't understand what's wrong; if it were a configuration problem we should not be able to bring the tunnel up at all.

    On our side as initiator:

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication = pre-share, encryption = 3DES-CBC, hash = SHA, group = 2, lifetime = 86400s)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), protocol = ESP, transform = esp-3des esp-sha-hmac, lifedur = 28800s and 4608000kb, spi = 0x0(0), conn_id = 0, keysize = 0, flags = 0x4004

    The customer's site as responder:

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication = pre-share, encryption = 3DES-CBC, hash = MD5, group = 1, lifetime = 86400s)

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3des esp-sha-hmac, sa_conn_id = 116

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3des esp-sha-hmac, sa_conn_id = 116

    Kind regards

    Johan

    From my experience, when a tunnel comes up from one side but not from the other, the problem is an inconsistency between the isakmp and ipsec policies, mainly the ipsec transform sets and the matching addresses. On the ASA platform, when a tunnel does not match a statically defined crypto map entry it sometimes uses the dynamic entry to allocate this vpn connection. To check if this is the case, go ahead and do a "show crypto ipsec sa" when the tunnel is active on both sides, and see on the ASA whether the corresponding tunnel is using the static crypto map entry or whether it shows the dynamic crypto map.

    I advise you to go through the settings on both sides and ensure that they mirror each other.

  • GRE over IPsec, ASA and NAT-T

    I want to establish GRE over IPsec tunnels between four branches and headquarters. In the branch offices, I have 1841 routers with the advanced security software. At headquarters, I have an ASA5510 running 7.2 as the front end with a public IP address, and an 1841 router behind it in private address space. Given that the ASA does not support GRE tunnels, can the ASA be the endpoint for GRE over IPsec? If not, can the ASA pass the tunnel through to the 1841 router behind it, so that the 1841 would be the logical tunnel endpoint? What should I watch out for? Must the ASA and each 1841 support NAT-T, or just the ASA?

    The ASA does not support GRE.

    The router would be the GRE tunnel endpoint. The ASA would be the endpoint for the IPSEC VPN. NAT-T should not be a concern if the ASA and the remote routers are directly connected to the internet.

    HTH.

  • GRE over IPSec tunnel cannot pass traffic through it

    I am trying to configure a GRE over IPSec tunnel between sites. We use a Cisco 7613 SUP720 router (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin), and we are facing problems when we use the tunnel because traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it doesn't work anymore when I paste the configuration on the new 7613 router.

    Head office

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
     mode transport
    !
    crypto map PLC-CUM 10 ipsec-isakmp
     set peer 167.134.216.89
     set transform-set IPSec_PLC
     match address 100
    !
    !
    !
    interface Tunnel1
     bandwidth 1984
     ip address 167.134.216.94 255.255.255.252
     ip mtu 1476
     load-interval 30
     tunnel source Serial0/1/0:0
     tunnel destination 167.134.216.89

    interface Serial0/1/0:0
     ip address 167.134.216.90 255.255.255.252
     crypto map PLC-CUM

    access-list 100 permit gre host 167.134.216.90 host 167.134.216.8

    router eigrp 100
     network 167.134.216.92 0.0.0.3

    Directorate-General

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
     mode transport
    !
    crypto map PLC-CUM 10 ipsec-isakmp
     set peer 167.134.216.90
     set transform-set IPSec_PLC
     match address 100

    interface Tunnel1
     bandwidth 1984
     ip address 167.134.216.93 255.255.255.252
     ip mtu 1476
     load-interval 30
     tunnel source Serial1/0/0:1
     tunnel destination 167.134.216.90

    interface Serial1/0/0:1
     bandwidth 1984
     ip address 167.134.216.89 255.255.255.252
     ip access-group 101 in
     load-interval 30
     no fair-queue
     crypto map PLC-CUM

    access-list 100 permit gre host 167.134.216.89 host 167.134.216.90

    ER-7600#sh crypto isakmp sa
    dst             src             state          conn-id slot
    167.134.216.89  167.134.216.90  QM_IDLE              3    0

    ER-3845#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE

    ER-3845#sh crypto engine connections active

      ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
       3 Serial0/1/0:0   167.134.216.90  set    HMAC_SHA+AES_CBC          0        0
    3001 Serial0/1/0:0   167.134.216.90  set    AES+SHA                   0        0
    3002 Serial0/1/0:0   167.134.216.90  set    AES+SHA                  61        0

    ER-7600#sh crypto engine connections active

      ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
       3 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0
    2000 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0       66
    2001 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0

    I had this error on the ER-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, and this one on the ER-7600: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Please help, it's so frustrating...

    Thanks in advance

    Oscar

    Here is a document from Cisco that clearly mentions applying the crypto map on both the physical interface and the tunnel interface.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    It may be useful.

    Manish
