Ask about hub and spoke VPN between several sites

Similar Questions

• Hub and spoke VPN network traffic between two points talked

  Hi, I have a star VPN network topology, and all traffic is remote office to the data center,

  I have a request to build a tunnel between two remote sites to access some servers between two remote sites,

  Can I just change the ACL of valuable traffic to to include say a Cabinet to Office B in rule Cabinet a Datacenter and Office B tunnel to tunnel data center.

  In doing so, I can avoide the tunnel between two offices (and B)

  See you soon

  Hello

  You can make the traffic between the two rays go through the hub or build a new tunnel between the rays.

  If the hub is an ASA you must authorize same-security-traffic intra-interface permits

  If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

  Federico.

• Cisco RV042 VPN hub and spokes, connecting spokes question

  Hello

  I have a few Cisco RV042 router and VPN links them with a hub and spoke topology.

  Each speaks VPN works, they manage to connect to the platform.

  The hub can see each VPN active rays.

  A computer under the hub can connect to a computer in any talks.

  A computer under any talks can connect to a computer running the hub.

  Which works very well.

  Now, what I really need, is to connect computers under a RADIUS to connect to computers under another spoke.

  It don't work.

  Current configuration of LAN:

  HUB IP / mask: 192.168.0.1 / 255.255.255.0

  Spoke1 IP / mask: 192.168.1.1 / 255.255.255.0

  Spoke2 IP / mask: 192.168.2.1 / 255.255.255.0

  I was wondering if the Cisco RV042 can be configured to allow that and HOW?

  If we can not do, should what other router I use as a hub? Should I change the rays as well?

  Thank you and have a nice day

  Hope that this document can point you the right direction.

  https://supportforums.Cisco.com/docs/doc-12534

• Topology Hub-and-spoke (between vpn´s of the site-to-site connections)?

  Hi all

  I have a friend who has in his company an ASA5505 to the central point and about 5 remote sites connected through site to site Vpn.

  All tunnels are up and reached the central network.

  The only traffic that goes throw that the tunnel's traffic with the destination of local network of ASA.

  My friend asked me what he should get from a remote Vpn site to another remote site Vpn, passing throw the central site ASA5505.

  The ASA5505 can reach all remote networks throw tunnels.

  Can someone give me a bit short what suits him for the SAA to carry traffic between the tunnels of VPN´s?

  Need static routes on remote sites to announce other remote sites?

  Best regards

  Hi Tiago,

  you will need to do 3 things primarily:

  On the hub, you need to configure:

  permit same-security-traffic intra-interface

  (this allows the traffic out of the same interface it came in the - in the traffic between the spokes of your case will come outside and return outside).

  Then, on the hub as well as on the rays, you need to add all traffic a spoke-to-spoke to the crypto ACL and ACL nat exemption.

  Depending on how your addressing scheme, you may be able to aggregate to avoid making very large ACL (to 5 rays I guess it's still manageable if).

  No way should be necessary on the rays or the hub (unless the vpn tunnels take a path different than your ordinary internet traffic, I assumed that this is not the case).

  Let me know if you need more details.

  HTH

  Herbert

• VPN Hub and Spoke with NAT

  Hello! I have a VPN network star topology, I need configuration for our customers to access. I have 3 points of endpoint in this example: VPN, Pix 515e and Linksys RV042 hub. The hub is the site of our parent company, the Pix 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our Pix 515e and the hub, and another between our Pix 515e and the RV042 VPN. What I need is for the server on the client (RV042) site to talk to the hub network via our Pix 515e. I also need to be coordinated traffic so it looks like it's from the same subnet on our Pix 515e to the hub.

  Hub (MEAN): 10.1.6.x

  PIX 515e (HUB): 172.16.3.x

  RV042 (SPOKEN): 192.168.71.x

  PIX 515e (HUB):

  Outside - 12.34.56.78

  Interior - 172.16.1.1

  Hub (TALK):

  Outside - 87.65.43.21

  Interior - 10.1.6.1

  RV042 (SPOKEN):

  Outside - 150.150.150.150

  Interior - 192.168.71.1

  The hub allows all traffic to my Pix 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on RV042 network 10.1.6.x the network hub through the Pix 515e and make it look like its 172.16.3.71 entry. So I need NAT traffic in the tunnel to another tunnel. Attached config running under the direction of privacy. Any help is greatly appreciated.

  On PIX you need a static policy statement,

  NAT list allowed access host ip 192.168.71.5 10.1.6.0 255.255.255.0

  public static 172.16.3.71 (external, outside) 192.168.71.5 nat access list

  And modify the ACL of appropriately crypto to include natted address.

• I downloaded 'shopping assistant' addon and I went to several sites to see if it works. But I can't tell if its working or not. What I would see.

  I downloaded the addon "assistant purchases" and I shopped several sites. I can't tell if the addon works. Everything looks like before I got to the bottom of the wizard for your responsible shopping. What should I see?
  Thank you

  There is a link of test on this page, as well as instructions of the image.
  
  https://addons.Mozilla.org/en-us/Firefox/addon/shopping-Assistant/

  Test link:
  
  http://www.Newegg.com/product/ProductList.aspx?submit=Ene & Description = TomTom

  Note: The module developers are responsible for supporting their add-on. This forum is for the support of Firefox, but we do not help with the most common Add-ons Firefox users, if we happen to use the extension in question. Not so in this case, at least for me.

• Simple IOS VPN IPsec HUB and Spoke failover HUB

  Hi all

  I have a nd architecture VPN Hub spoke with Asit, IKEv1 and IPsec.

  My hub is connected to a single service provider.

  I wish I had a hardware redundancy for my hub.

  Instead of creating a double tunnel in each Department, I would like to use my router 4000ISR failover protocol.

  Is it possible to simply achieve?

  If I use IOS IPsec failover that I need to deploy my changes on the two router or (such as ASA) I can set the active router and allow the watch to receive the chenges?

  Thanks to you all.

  Johnny

  If your ISP connection is one that has a routed block and you can connect two routers same in it, you can then configure HSRP.

  The source of the Tunnel becomes the HSRP address.  Rays may not know that there are two routers.

  Easy failover.

  Alternatively, you can have a single tunnel with hubs double (if you do not use HSRP).  You don't have to borrow the double tunnels.

• 2 one-Site VPN between HQ, Site A and Site B

  Dear brothers,

  Really I need your kindly help on Site 2 Site VPN.

  We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.

  HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21

  Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22

  Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23

  So my questions are:

  1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?

  2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?

  Thank you

  Hello

  I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...

  Kind regards

  Averroès.

• Copy and paste into a Word document loses its format (chips, colored tex, etc.) where Firefox is open. When I close Firefox it's fine again. I'm not talking about copying and pasting text between MS Word and Firefox. It is in MS Word itself.

  Firefox 11.0
  MS Word 2003 Basic Edition SP3

  Can be caused by the click of Skype to the extension of the appeal.

  • [923158/questions/923158]
  • https://support.Mozilla.org/KB/troubleshooting+extensions+and+themes

  Start Firefox in Firefox to solve the issues in Safe Mode to check if one of the extensions or if hardware acceleration is the cause of the problem (switch to the DEFAULT theme: Firefox/tools > Modules > appearance/themes).

  • Makes no changes on the start safe mode window.
  • https://support.Mozilla.org/KB/safe+mode

• VPN high availability: double 3 k in the hub and the PIX as rays

  Hi Experts.

  In my scenario, I need routing between the rays and, above all, high availability (HA).

  On the shelves, I have Pix 501/506E, OS ver 6.3. In the hub, I have a couple of redundant VPN3k.

  What mechanism is the best:

  1 - hub and spoke topology with remote EzVPN in rays - to HA, I can take advantage of the "load balancing" feature of the VPN3k?

  2 - hub and spoke topology with remote EzVPN in rays - to HA, I can take advantage of the "backup server" feature of the VPN3k?

  3 any-to-any topology (an IPSEC tunnel between any pair of sites) - for HA, I can take advantage of the 'LAN-to-LAN backup' feature of the VPN3k?

  Thank you

  Michele

  I'd go with NLB on the backup server. With load balancing your connections will be spread over the two hubs. If a hub dies, then at least it will only affect half of your connections, rather than each of them in case of death of your primary and backup servers using.

  If a hub dies, your PIX connections will be de-energized for a short period, but they will be able to reconnect back automatically without making you no change.

• Impossible to route traffic through a tunnel "will" in a frame relay Center and spoke environment.

  Hello

  I have a network star frames environment.

  Headquarters (hub) and around seven remote branch offices.

  I'm trying to encrypt all data between the hub-and-spoke is borrowing point gre tunnels to point of the hub-spoke.

  I made the necessary set up on all routers and using SDM and all tunnels appeared.

  The problem when I tried to redirect all traffic to the respective subnet through the tunnel s assigned

  nothing is happen.

  I decided to do a bit of troubleshooting with a radius of one and test the connection to the hub.

  Ping from Headquarters to the tunnel endpoint

  Router01 #ping ppp.168.140.14

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to ppp.168.140.14, wait time is 2 seconds:

  .....

  Success rate is 0% (0/5)

  Ping of speaks to the tunnel endpoint

  router04 #ping ppp.168.140.4

  Send 5, echoes ICMP 100 bytes to ppp.168.140.4, wait time is 2 seconds:

  .....

  See nearby networking is learned by talking about following the eigrp process

  router04 #sh ip eigrp not

  Neighbors of the EIGRP intellectual property to process 10

  H address Interface Hold Uptime SRTT RTO Q Seq

  (s) (ms) NTC Num

  14 40 2280 0 2493678 2d21h Se0/0/0.1 0 10.x.x.1

  See nearby networking learned by Hub following the eigrp process

  H address Interface Hold Uptime SRTT RTO Q Seq

  (s) (ms) NTC Num

  8 ppp.168.160.16 Tu2 31 00:00:26 1 5000 1 0

  7 ppp.168.150.15 Tu1 13 00:00:47 1 5000 1 0

  3 ppp.168.170.17 Tu3 14 00:00:59 1 5000 1 0

  2 ppp.192.168.190.19 Tu4 13 00:01:05 1 5000 1 0

  0 ppp.168.140.14 Tu0 31 00:01:18 1 5000 1 0

  11 10.x.0.6 Se0/0/0.4 12 02:40:20 53 318 0 399684

  1 10.x.x.9 Se0/0/0.7 11 02:41:20 1380 5000 0 377427

  9 10.x.x.5 Se0/0/0.3 11 02:44:28 47 1426 0 370651

  4 10.x.x.7 Se0/0/0.5 12 51 306 0 363006 1d23h

  5 10.x.x.8 Se0/0/0.1 12 77 462 0 1210492 2d06h

  12 11 51 306 0 395295 2d21h Se0/0/0.8 10.x.x.11

  6 10.x.x.4 Se0/0/0.2 14 53 318 0 284379 2d21h

  Router01 #.

  I have a closed configurations of the hub and one of the RADIUS (the problem as outline above that happens for all the rays).

  There is also the pre-shared keys were Strip and IP set up for security reasons.

  Concerning

  Jomo

  Sure no problem.

  Have a good holiday.

• PIX - PIX VPN and Client VPN - cannot access core network

  I hub and spoke PIX and a VPN Client that connects to speak it PIX, much the same as the example configuration here: -.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

  This example shows the client VPN access to the network behind PIX RADIUS. I want the client to also be able to access the central network, i.e. the client connects to the pix speaks via vpn, and traffic is routed through the vpn to PIX - PIX to the central site.

  How this would change the configuration contained in the example?

  See you soon,.

  Jon

  You can not do this, the PIX cannot route a package back on the same interface, it is entered in the. The only way to do that is to have the client connect to the hub PIX, but then they would not be able to get to the network behind PIX distance either.

  Or that the customer would connect on a different interface in the PIX of distance, but this would mean another connection ISP on this PIX. Example of config is here: http://www.cisco.com/warp/public/110/client-pixhub.html

• VPN between 2 routers Cisco 1841 (LAN to LAN)

  Hello

  I need to connect two offices (two different LAN) using routers cisco 1841 at both ends.

  Currently the two cisco router are in working condition and refer the internet LAN clients. (making the NAT).

  Can someone please tell us what is the easiest way to set up a VPN between two sites, so that LAN users to an office to access mail servers electronic/request to the office LAN.

  I understand that I need IPSec Site to Site VPN (I think).

  Anyonce can you please advise.

  Kind regards.

  s.nasheet wrote:
  Hi ,
  I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.
  Currently both cisco router are in working order and  acting as a internet gateway to the LAN clients. ( doing NAT).
  Can anybody please advise what is the easiest method to configure VPN between two sites so that  LAN users at one office be able to access  the  email/application servers at the other LAN office.
  I understand I need IPSec Site to Site VPN  ( i think).
  Can anyonce please advise.
  Regards.
  

  Yes, you need a VPN site-to site. Start with this link which gives a number of examples to set up a VPN S2S between 2 routers Cisco.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16

  Jon

• Routing over VPN between ISA550W and RV215W

  Hello all I have a problem with the VPN between my two office

  I have an ISA550W at the head office (chcnorth)

  I have a RV215W to the remote desktop (chcsouth)

  the VPN is up and running, I can connect from Headquarters to remote control (chcsouth-RV215W)

  and vice versa however when client computers on the remote end are trying to connect to the

  Main office to access the database, they can't.

  the problem started last week I received a call from the remote desktop that they can connect to our database

  on the main office, I tried to connect remotely to see what was going on, it turns out that the router has completely put back

  at the plant, including the firmware

  I reinstalled the latest firmware for the RV215W of installation all connections as they were, I could

  get VPN to connect, I can ping to the interface of the RV215W from my seat and I ping the ISA550W

  the remote desktop, however my remote clients still cannot access my server at the main office

  I realized after I have everything set up, I had a backup of my original installation and thinking I had

  just missed something I restored it to the firmware to factory upgraded to power and restored the backup of the

  RV215W I've had. still no dice

  So I am now at a loss, there were no other changes to the network on both ends, I've been on this som my eyes several times

  are blurred,

  any ideas, workarounds for solutions would be greatly appreciated

  Thanks in advance

  John G

  John,

  It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.

  If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

  http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

  In your case, it might look more at:

  192.168.1.200 sqlsvr

  Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.

  Answer please if you have any questions.

  -Marty

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.