3925, IPsec LAN - LAN VPN tunnel command unavailable

Similar Questions

• Conflict of IPSec between IPSec and business VPN tunnels

  I crushed a 2821 current c2800nm-adventerprisek9 - mz.124 - 22.YB8 at home with 2 gre IPSec tunnels for personal use, and my office will be held that a customer based IPSec VPN to connect to the corporate VPN.  My problem is that when I want to connect to the corporate VPN, I see packages being encrypted and sent, but I would have never received the return packets.  It seems that the IPSec VPN tunnels with IPSec from my office and router packages conflict trying to decrypt and gives this error.  (I removed the public addresses for anonymity)

  CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec would be package IPSEC a bad spi to destaddr = "myaddress", prot = 50, spi = 0xDB32344E (3677500494), port = "corpvpn".

  When I remove the card encryption off-side WAN router, my Office VPN works immediately.  I can change the configuration, either on the side of the IPSec GRE tunnels, but has no way for me to change any configuration on the corporate VPN.  Does anyone know of a workaround on the cisco router?  I can provide the running configs or view orders.

  The 2821 also performs NAT overload for internet access.

  Hello, Reed.

  1. try to remove the interface crypto map and add "protection... profile ipsec tunnel." "to your VTI:

  Crypto ipsec IPSEC profile

  solid Set trans

  int g0/0

  No crypto map card

  int tu1

  Ipsec IPSEC protection tunnel profile

  int tu2

  Ipsec IPSEC protection tunnel profile

  2. try to force your corpVPN to use encapsulation UDP instead of ESP.

• VPN IPSec in LAN-2LAN tunnel configuration

  Hi all!!

  I'll put up a tunnel between a cisco 1841 router and a VPN 3000 Concentrator LAN LAN 2 ipsec.

  Here is running for the router configuration and basically what I want to know is to ensure that I put everything in place to do this work. So can you please take a look and see if you find something a little odd and if so let me know!

  *****************************************

  NOTE:

  1 internal addressing behind the VPN concentrator: 172.4.4.0/24

  2 internal addressing behind the router CISCO 1841 172.16.20.0/24

  *****************************************

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  hostname UACA-VPN

  !

  boot-start-marker

  boot-end-marker

  !

  !

  No aaa new-model

  !

  resources policy

  !

  no ip source route

  IP cef

  no ip bootp Server

  no ip domain search

  !

  !

  ! IKE policies

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  disable ISAKMP aggressive mode crypto

  !

  !

  ! IPSec policies

  Crypto ipsec transform-set ENLACE UACA BNCR esp-3des esp-sha-hmac

  !

  ENLACE-UACA-BNCR 10 ipsec-isakmp crypto map

  defined by peer 200.91.79.6

  defined by peer 200.122.146.38

  game of transformation-ENLACE-UACA-BNCR

  address of xxxxxxxxxxxx key cryptographic ipsec 200.91.79.6

  ! Traffic to encrypt according to ACL 101

  match address 101

  interface FastEthernet0/0

  WAN Interface Description VPN tunnel

  IP 201.196.33.30 255.255.255.248

  NAT outside IP

  IP virtual-reassembly

  automatic duplex

  automatic speed

  card crypto ENLACE UACA BNCR

  !

  interface FastEthernet0/1

  LAN Interface Description

  IP 172.16.20.22 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  !

  no ip address of the http server

  no ip http secure server

  ! Pool VPN

  !

  nat pool IP VPN-pool 201.196.33.30 201.196.33.30 netmask 255.255.255.248

  IP nat inside source overload map route No. - NAT VPN-pool pool

  IP route 0.0.0.0 0.0.0.0 201.196.33.25

  ! Traffic is encrypted

  !

  access-list 101 permit ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255

  access-list 101 permit tcp 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255 eq 1000

  access-list 101 permit udp 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255 eq 1000

  ! Traffic from the NAT process

  !

  access-list 102 deny ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255

  !

  route No. - NAT allowed 10 map

  corresponds to the IP 102

  !

  !

  !

  !

  control plan

  !

  Line con 0

  Synchronous recording

  line to 0

  line vty 0 4

  opening of session

  !

  Scheduler allocate 20000 1000

  ****************END**********************

  Thank you very much in advance for your help

  Glenn

  Thanks for the configuration.

  So you're natting and then to encrypt traffic natted. Which is totally fine. The reason, your ping does not work after the application of cryptography is due to the ACL entries below:

  access-list 101 permit icmp any any echo

  access-list 101 permit icmp any any echo response

  The acl entries above are part of the traffic interesting Crypto. So once you apply the card encryption the router is supposed to encrypt all ICMP Echo and Echo-Reply, including traffic that is presented with the ip address of your 201.x.x.x. If you remove these two entries of the ACL 101 and apply only the below entries, then the ICMP should work with the applied crypto map.

  access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7

  access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000

  access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000

  After making the changes, make sure that crypto acl is images mirror on VPN3000 and router, or otherwise you will have problems in the implementation of the tunnel.

  I would like to know how the test goes without the ACL 101 ICMP entries.

  Kind regards

  Arul

• Use the client VPN tunnel to cross the LAN-to-LAN tunnel

  I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.

  The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.

  When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.

  Thank you for your help.

  try adding...

  permit same-security-traffic intra-interface

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00806370f2.html#wp1042114

• An easy - how bounce a VPN tunnel from the command line?

  I think I know the answer, but must ensure. Is - what the command to bounce a VPN?

  his clear crypto ipsec peer

  Just to check - this command does not delete the config, but simply bounces, right?

  For customers of IOS VPN...

  your order will only cause me to generate a new key when I send more traffic... just tried...

  For the ASA VPN Clients we have

  ASA - fw # vpn - sessiondb logoff?

  all the all sessions

  proxy email Email-Proxy sessions

  specific session to Index the index

  specific sessions address IP IPAddress

  IPsec LAN-to-LAN l2l sessions

  name user name specific sessions

  sessions specific Protocol

  remote access remote IPsec sessions

  sessions of customer VPN SSL SVC

  Group-Tunnel tunnel-group sessions

  Mgmt of VPN VPN - lb load balancing sessions

  WebVPN WebVPN sessions

• IPSEC VPN tunnel on issue of Zonebased Firewall

  Help, please!

  I'm trying to configure a router lab ISR1921 to build the VPN tunnel with vmware vshield edge. The configuration of the 1921 is pasted below. There is not a lot of adjustment on the side of vshield really and I'm sure both sides are adapting to phase 1 & 2.

  The question I have: the tunnel can be built correctly and I also see from show crypto ipsec release encap and decap counters. However the devices on each side can communicate. That said, I can ping from 1921 to the IP of the internal interface of the vshield with IP source specified. But just no communication part and other...

  I did debugs and only "error" messages are:

  01:58:03.193 20 February: ISAKMP: (1001): error suppression node 1656104565 FALSE reason 'informational (in) State d1.

  ...

  01:58:03.193 20 February: ISAKMP: (1001): purge the node-1657220080

  I hope that I did a stupid thing to configure error, but I spent too much time on it. It is supposed to be a really simple installation... Please help!

  !

  version 15.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  Lab-1900 host name

  !

  boot-start-marker

  boot system flash: c1900-universalk9-mz. Spa. 154 - 1.T1.bin

  boot system flash: c1900-universalk9-mz. Spa. 151 - 4.M7.bin

  boot system flash: c1900-universalk9-mz. Spa. 150 - 1.M4.bin

  boot-end-marker

  !

  AAA new-model

  !

  AAA authentication login default local

  authorization AAA console

  AAA authorization exec default local

  !

  AAA - the id of the joint session

  clock timezone AST - 4 0

  clock to summer time recurring ADT 3 Sun Mar 2 Sun Nov 02:00 02:00

  !

  DHCP excluded-address IP 192.168.100.1 192.168.100.40

  !

  dhcp DHCPPOOL IP pool

  import all

  network 192.168.100.0 255.255.255.0

  LAB domain name

  DNS 8.8.8.8 Server 4.2.2.2

  default router 192.168.100.1

  4 rental

  !

  Laboratory of IP domain name

  8.8.8.8 IP name-server

  IP-server names 4.2.2.2

  inspect the IP log drop-pkt

  IP cef

  No ipv6 cef

  !

  type of parameter-card inspect global

  Select a dropped packet newspapers

  Max-incomplete 18000 low

  20000 high Max-incomplete

  Authenticated MultiLink bundle-name Panel

  !

  redundancy

  !

  property intellectual ssh version 2

  !

  type of class-card inspect entire game ESP_CMAP

  match the name of group-access ESP_ACL

  type of class-card inspect the correspondence SDM_GRE_CMAP

  match the name of group-access GRE_ACL

  type of class-card inspect entire game PAC-cls-icmp-access

  match icmp Protocol

  tcp protocol match

  udp Protocol game

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-13

  game group-access 154

  class-card type check ALLOW-VPN-TRAFFIC-OUT match-all

  match the ALLOW-VPN-TRAFFIC-OUT access group name

  type of class-card inspect entire game PAC-cls-insp-traffic

  match Protocol pptp

  dns protocol game

  ftp protocol game

  https protocol game

  match icmp Protocol

  match the imap Protocol

  pop3 Protocol game

  netshow Protocol game

  Protocol shell game

  match Protocol realmedia

  match rtsp Protocol

  smtp Protocol game

  sql-net Protocol game

  streamworks Protocol game

  tftp Protocol game

  vdolive Protocol game

  tcp protocol match

  udp Protocol game

  http protocol game

  type of class-card inspect entire game AH_CMAP

  match the name of group-access AH_ACL

  inspect the class-map match ALLOW VPN TRAFFIC type

  match the ALLOW-VPN-TRAFFIC-OUT access group name

  type of class-card inspect correspondence ccp-invalid-src

  game group-access 126

  type of class-card inspect entire game PAC-insp-traffic

  corresponds to the class-map PAC-cls-insp-traffic

  type of class-card inspect entire game SDM_VPN_TRAFFIC

  match Protocol isakmp

  match Protocol ipsec-msft

  corresponds to the AH_CMAP class-map

  corresponds to the ESP_CMAP class-map

  type of class-card inspect correspondence ccp-icmp-access

  corresponds to the class-ccp-cls-icmp-access card

  type of class-card inspect the correspondence SDM_VPN_PT

  game group-access 137

  corresponds to the SDM_VPN_TRAFFIC class-map

  !

  type of policy-card inspect self-out-pmap

  class type inspect PCB-icmp-access

  inspect

  class class by default

  Pass

  policy-card type check out-self-pmap

  class type inspect SDM_VPN_PT

  Pass

  class class by default

  Drop newspaper

  policy-card type check out-pmap

  class type inspect PCB-invalid-src

  Drop newspaper

  class type inspect ALLOW VPN TRAFFIC OUT

  inspect

  class type inspect PCB-insp-traffic

  inspect

  class class by default

  Drop newspaper

  policy-card type check out in pmap

  class type inspect sdm-cls-VPNOutsideToInside-13

  inspect

  class class by default

  Drop newspaper

  !

  security of the area outside the area

  safety zone-to-zone

  safety zone-pair zp-self-out source destination outside zone auto

  type of service-strategy inspect self-out-pmap

  safety zone-pair zp-out-to source out-area destination in the area

  type of service-strategy check out in pmap

  safety zone-pair zp-in-out source in the area of destination outside the area

  type of service-strategy inspect outside-pmap

  source of zp-out-auto security area outside zone destination auto pair

  type of service-strategy check out-self-pmap

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key iL9rY483fF address 172.24.92.103

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  tunnel mode

  !

  IPSEC_MAP 1 ipsec-isakmp crypto map

  Tunnel Sandbox2 description

  defined by peer 172.24.92.103

  Set security-association second life 28800

  game of transformation-ESP-3DES-SHA

  PFS group2 Set

  match address 150

  !

  the Embedded-Service-Engine0/0 interface

  no ip address

  Shutdown

  !

  interface GigabitEthernet0/0

  WAN description

  IP 172.24.92.18 255.255.255.0

  NAT outside IP

  No virtual-reassembly in ip

  outside the area of security of Member's area

  automatic duplex

  automatic speed

  No mop enabled

  card crypto IPSEC_MAP

  Crypto ipsec df - bit clear

  !

  interface GigabitEthernet0/1

  LAN description

  IP 192.168.100.1 address 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  Security members in the box area

  automatic duplex

  automatic speed

  !

  IP forward-Protocol ND

  !

  IP http server

  access-class 2 IP http

  local IP http authentication

  IP http secure server

  !

  IP nat inside source map route RMAP_4_PAT interface GigabitEthernet0/0 overload

  IP route 0.0.0.0 0.0.0.0 172.24.92.254

  !

  AH_ACL extended IP access list

  allow a whole ahp

  ALLOW-VPN-TRAFFIC-OUT extended IP access list

  IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

  ESP_ACL extended IP access list

  allow an esp

  TELNET_ACL extended IP access list

  permit tcp any any eq telnet

  !

  allowed RMAP_4_PAT 1 route map

  corresponds to the IP 108

  !

  1snmp2use RO SNMP-server community

  access-list 108 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 108 allow ip 192.168.100.0 0.0.0.255 any

  access-list 126 allow the ip 255.255.255.255 host everything

  access-list 126 allow ip 127.0.0.0 0.255.255.255 everything

  access-list 137 allow ip 172.24.92.0 0.0.0.255 any

  access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 154 allow ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

  !

  control plan

  !

  Line con 0

  exec-timeout 0 0

  Synchronous recording

  line to 0

  line 2

  no activation-character

  No exec

  preferred no transport

  transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

  StopBits 1

  line vty 0 4

  access-class TELNET_ACL in

  exec-timeout 0 0

  Synchronous recording

  transport of entry all

  line vty 5 15

  access-class TELNET_ACL in

  exec-timeout 0 0

  Synchronous recording

  transport of entry all

  !

  Scheduler allocate 20000 1000

  0.ca.pool.ntp.org server NTP prefer

  1.ca.pool.ntp.org NTP server

  !

  end

  NAT looks fine.

  Please create an ACL with bidirecctional ACEs and add it as a group of access to the interface of penetration:

  IP access-list extended 180

  IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255 connect

  ip permit 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 connect

  allow an ip

  interface GigabitEthernet0/1

  IP access-group 180 to

  IP access-group out 180

  Generer generate traffic, then run the command display 180 access lists .

  Also, if possible activate debug ip icmp at the same time.

  Share the results.

  Thank you

• Using configuration for the 2nd link of lan to lan vpn

  Hello

  Successfully, I configured a connection of lan to lan vpn between two offices. I try to add another link to a 3rd office to my office at home, but have some difficulty. I have attached my setup and hope someone can help me solve my problem. Right now I have a working vpn to the 172.16.0.0/24 network and putting in place the link to 172.16.3.0/24 so. For the new vpn connection, I can ping the external interfaces, but can't ping anything in-house.

  Thanks for your time and help,

  Jason

  Jason

  There is a major mistake that's easy to fix. You have successfully created a second instance of the encryption card to create a VPN tunnel for the second site. But as currently configured two instances of the encryption card use the same access list:

  1 ipsec-isakmp crypto map clientmap

  match address 100

  5 ipsec-isakmp crypto map clientmap

  match address 100

  But each session/tunnel VPN needs its own access list. So, I suggest that you make the following changes:

  5 ipsec-isakmp crypto map clientmap

  match address 101

  no access list 100

  access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255

  access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255

  This provides a list of separate for each session/tunnel access and should solve this problem. Try it and tell us the result.

  HTH

  Rick

• LAN to lan vpn between ASA and router 7200

  Hi friends,

  I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

  <7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

  I will have the following configuration:

  7200 router:

  crypto ISAKMP policy 80

  the enc

  AUTH pre-shared

  Group 1

  life 3600

  ISAKMP crypto key cisco123 address 192.168.12.2

  Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

  map VPNTunnel 80 ipsec-isakmp crypto

  defined by peer 192.168.12.2

  game of transformation-VPNtrans

  match address 110

  int fa0/0

  IP add 10.10.5.2 255.255.255.192

  IP virtual-reassembly

  no ip route cache

  Speed 100

  full duplex

  card crypto VPNTunnel

  access-list 110 permit ip any 192.135.5.0 0.0.0.255

  ASA:

  int e0/0

  nameif inside

  security-level 100

  192.135.5.254 Add IP 255.255.255.0

  int e0/1

  nameif outside

  security-level 0

  IP add 192.168.12.2 255.255.255.240

  access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

  Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

  "pre-shared key auth" ISAKMP policy 10

  ISAKMP policy 10-enc

  ISAKMP policy 10 md5 hash

  10 1 ISAKMP policy group

  ISAKMP duration strategy of life 10-3600

  Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

  card crypto VPN 10 matches the ACL address

  card crypto VPN 10 set peer 10.10.5.2

  card crypto VPN 10 the transform-set VPNtran value

  tunnel-group 10.10.5.2 type ipsec-l2l

  IPSec-attributes of type tunnel-group 10.10.5.2

  cisco123 pre-shared key

  card crypto VPN outside interface

  ISAKMP allows outside

  dhcpd address 192.135.5.1 - 192.135.5.250 inside

  dhcpd dns 172.15.4.5 172.15.4.6

  dhcpd wins 172.15.76.5 172.15.74.5

  dhcpd lease 14400

  dhcpd ping_timeout 500

  dhcpd allow inside

  Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

  Please advise...

  Thank you very much...

  Where it fails at the present time?

  Can you share out of after trying to establish the VPN tunnel:

  See the isa scream his

  See the ipsec scream his

  Please also run the following debug to see where it is a failure:

  debugging cry isa

  debugging ipsec cry

• LAN to Lan VPN on ASA - than a single public address...

  Hello, I need to find a way to work around this problem.

  We have an ASA 5510 8.3, we need to use to terminate a VPN IPSEC in LAN to LAN running.

  Problem is that we have only a single public address available for having set up the link between the ASA and the Internet router on private addresses.

  Is it possible to NAT the public facing the inside or to the outside interface of the ASA and terminate the VPN on this interface?

  If this isn't the case, I have other options?

  Thanks in advance!

  Rob

  No, you can't NAT, the IP address of the ASA on the SAA itself, which is not supported.

  You can also terminate the VPN tunnel through the interface on the ASA.

  How and where you currently do NAT for internet access? You cannot configure NAT on the same device where you are currently configuring your NAT?

• LAN-to-LAN VPN

  Hello

  I currently have a configuration of the PIX to the SiteA and SiteB 1720 router. There is a LAN-to-LAN tunnel between the 2 sites. I had to install a second tunnel to SiteB ending on the 1720 router, so it will be possible to configure tunnels SiteA has also access to the client VPN tunnel?

  I would also like to have VPN tunnels that end at the PIX (SiteA) are also accessible from SiteB.

  It would be just a case of the crypto ACL configuration s for traffic?

  Thank you

  Take a look at the following link will be very useful

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml

  Good luck

  If useful rates

• VPN to access LAN VPN clinet.

  We use a PIX 515 as the hub of a LAN to LAN VPN as well as to access VPN Clinet. Using a multipoint configuration sites speaks (all PIX 501) are able to communicate with each other. However, the VPN to access the 515 client are not able to access the VPN sites has talked about. I think that it is due to the fact that put an end to all tunnels on the same interface of the PIX 515. Is there a way to allow the VPN CLient to communicate with the LAN VPN spoke?

  Concerning

  PD

  Currently, it is not a good way to meet the requirements above. However, add us a new item (or rather, a restriction of relax) for the PIX 7.0 code (to be released in December/January) to allow clients VPN packets 'u-turn' on a Hub PIX to PIX spoke connected via Lan-to-Lan tunnels. The program 7.0 beta is about to begin (may have just begun) so if interested, please contact your local account engineer Cisco. Sorry for the news but help is on the way.

  Scott

• LAN to LAN VPN by MPLS

  

  We have 2 sites HQ and remote connected with MPLS as pictured above. There are applications in the DMZ s who need to talk to each other, but the communication goes through the remote local network (DMZ - LAN HQ - HQ DMZ) but we do not want the DMZ to communicate with each other via the local network. We want to configure a VPN tunnel between Headquarters and remote Firewalls so that all communications between the DMZ through a VPN MPLS tunnel via the LAN. Is this considered a Layer2 VPN or Layer 3 VPN model and also is there a special setup that needs to be done other than config normal site-to-site VPN Firewall.

  Thank you

  This is the layer 3 VPN and no special configuration required on the firewall other than the normal site-to-site VPN. Just activate the isakmp and apply crypto map to the LAN interface.

• VPN Remote LAN to LAN VPN issues

  The issue I'm having is that I have an ASA that provides Lan to Lan VPN and remote access VPN.  Lan to Lan VPN connects to another network where a remote server, and the remote vpn connects remote users to the LAN.  The two virtual private networks are currently working, however users remote connection via the remote access vpn can not connect to the server over the lan to lan vpn.  Here's our Installer.

  ASA - LAN to LAN VPN - ASA - LAN Local - Server

  |

  |

  Remote VPN access

  |

  |

  Remote users

  In this configuration remote users can access the local network, the server can access the local network, and the local network can access the server and remote users.  However, the server cannot access the remote users and remote users cannot access the server.  Any ideas on how to get this to work would be much appreciated.  I created the NAT rules I think were needed and added the necessary address so that the user remote vpn' client application lists the network on the otherside of the vpn as routable network LAN to LAN.  Also, I believe that all the rules of access are correct as tracers of package on both sides are successful.  However when you try to ping across the remote client on the server at the other end of the L2L it fails as other attempts to access the server like rdp.  Does anyone have a step by step on how to set up this type of vpn configuration remote and l2l configured on asa while leaving the two virtual private networks talk to each other.  By the way are two ASA 5505 that with two virtual private networks in this configuration is one on the other end of the l2l 7.2 and 8.2.  Any help would be appreciated, especially a tuturail or a list of commands needed to implement, because I think that I'm probably missing just a little extra configuration, I just can not understand.

  Use your favorite search engine "permit same-security-traffic intra-interface"

  Sent by Cisco Support technique iPad App

• Lan to lan VPN and VPNclient support at the same time?

  Hello I have a 2811 router.

  I put up as a VPN with Clients_vpn hub connect to it, and I used an IPSec on a stick configuration.

  At the same time, I would need to use the same Lan - to - Lan IPSec router to other different sites 2.

  I can't figure out how do it since I use already my 2811 as Concentrator VPN for Clients_vpn.

  Y at - it a trick?

  Thank you very much

  Riccardo

  Of course, here is an example of configuration of a router to be configured to stop static VPN LAN-to-LAN as customer VPN at the same time:

  http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a00809c7171.shtml

  And another one for the router be configured to terminate dynamic LAN - to - LAN VPN as VPN Client:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00801dddbb.shtml

  Another example of setting right on the LAN-to-LAN VPN between 2 routers:

  http://www.Cisco.com/en/us/products/HW/routers/ps221/products_configuration_example09186a008073e078.shtml

  Hope that helps.

• Tunnels of router that support s multiple VPN IPsec AND SSL VPN

  I have a main office and an office, each with a RVL200 connected via the IPSec VPN tunnel. We grow faster than we thought and add 2 more branches. Is there a router that is similar to the RVL200 can I put in my main office in support of multiple IPSec tunnels connected to RVL200 in branches, but also keep the SSL VPN?

  It seems that the Cisco ASA 5505 will do.