Easy traffic between remote sites via Cisco VPN

We have a Cisco 2921 router at Headquarters (Easy VPN Server) and deployed Cisco 887VA (EasyVPN - Extension of remote network) for remote offices using EasyVPN. We allow voice traffic and data via VPN.  Everything has been great to work until this problem has been discovered today:

When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in both feel.

Calls from Headquarters and external mobile/fixed are very good. Only calls between two remote sites are affected.

There is no need for DATA connection between the remote desktop, our only concern is the voice.

By the looks of it, I think that "hair - pinning" traffic on the interface VPN is necessary. But need some advice on the configuration. (Examples configs etc.).

Thanks in advance.

Thanks for your quick response.

I am sorry, I assumed that the clients have been configured in client mode.

No need to remove the SDM_POOL_1, given that customers already have configured NEM.

But add:

Configuration group customer isakmp crypto CliniEasyVPN

network extension mode

You are able to ping to talked to the other?

Please make this change:

105 extended IP access list

Licensing ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

* Of course free to do trafficking of translated on the shelves.

Let me know if you have any questions.

Thank you.

Portu.

Tags: Cisco Security

Similar Questions

  • Windows 2003 cannot access remote network via Cisco VPN

    I have two computers at home, an XP Pro SP2 and another is Windows 2003 server SP1. If I set Cisco VPN XP (version 4.6) the Office (ASA 5510), I can access the office network resources. However, if I set the Cisco VPN on 2003, can I? t do the same thing. After studying the two routing tables, I think XP has this road: 192.168.0.0 255.255.0.0 192.168.101.5 192.168.101.5 1, but the 2003 doesn't? t. If I add this route manually (rou? add 192.168.0.0 mask 255.255.255.0 192.168.101.3) 2003, then I can access resources. Why?

    tale of 2003 routing.

    Active routes:

    Network Destination gateway metric Interface subnet mask

    0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.3 40

    x.x.x.37 255.255.255.255 192.168.10.1 192.168.10.3 1

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

    192.168.10.0 255.255.255.0 192.168.10.3 192.168.10.3 40

    192.168.10.3 255.255.255.255 127.0.0.1 127.0.0.1 40

    192.168.10.255 255.255.255.255 192.168.10.3 192.168.10.3 40

    192.168.101.0 255.255.255.0 192.168.101.3 192.168.101.3 10

    192.168.101.3 255.255.255.255 127.0.0.1 127.0.0.1 10

    192.168.101.255 255.255.255.255 192.168.101.3 192.168.101.3 10

    224.0.0.0 240.0.0.0 192.168.10.3 192.168.10.3 40

    224.0.0.0 240.0.0.0 192.168.101.3 192.168.101.3 10

    255.255.255.255 255.255.255.255 192.168.10.3 192.168.10.3 1

    255.255.255.255 255.255.255.255 192.168.101.3 192.168.101.3 1

    Default gateway: 192.168.10.1

    ===========================================================================

    Persistent routes:

    None

    VPN client has not been tested on Win2003. Customer requirements are described here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/4_6/relnt/4604cln.htm#wp1024664

    and the show to competition of WinXP is supported.

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

    I've also attached the ASA5505 config and the ASA5510.

    This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

    So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

    I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

    THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

    -Jouni

  • Access to the DMZ to remote sites via VPN S2S

    We have an ASA 5520 and two remote site ASA 5505 that connect to each other through tunnels VPN S2S. They are doing tunneling split, while local traffic passes over the tunnel. We are local LAN (10.0.0.0/16) and our network to the DMZ (10.3.0.0/24) on the main site. The DMZ hosts our external sharepoint, but we access it internally

    The problem is site A (10.1.0.0/24) and B (10.2.0.0/24) have no idea of it, and when you try to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you're an intern.

    That I'm stuck on is even when we had all sent traffic from Site A to our Senior Center, would find it yet. I do a separate vpn purely tunnel that traffic to DMZ?

    Yes. So if you do this in ASDM under Edit Site profile connection Site, it will look like this.

    Local network: 10.0.0/16, 10.3.0.0/24

    Distance: 10.1.0.0/24

  • PIX-Sonicwall Site-to-Site and Cisco VPN Client

    I have a firewall 506th PIX with a VPN site-to site for a firewall Sonicwall 330 Pro which works perfectly. I would like to add the functionality of remote users connecting to the network using the client VPN from Cisco PIX. I'm under the question of having only a single card encryption applied to the external interface. I need the feature to have the tunnel between the site to site VPN can be undertaken on other, so I can't use a dynamic encryption card. Does anyone have suggestions or knowledge on how to achieve this?

    Thank you.

    You don't need to add another card encryption to the external interface. You simply add customer information to your existing card for example:

    Crypto ipsec transform-set esp-3des esp-sha-hmac YOURSET

    YOURMAP 10 ipsec-isakmp crypto map

    card crypto YOURMAP 10 corresponds to 100 address

    card crypto YOURMAP 10 set counterpart x.x.x.x

    crypto YOURMAP 10 the transform-set YOURSET value card

    set of 10 CUSTOMERS crypto dynamic-map transform-set YOURSET

    card crypto YOURMAP 90-isakmp dynamic ipsec CLIENTS

  • Routing between remote sites

    My question is on remote sites and routing for vSphere. I have two geographically separated sites connected by a fiber 80Mbit connection. Each site has it of own SAN, SAN switches dedicated and will have its own guests. I use vSphere 5 Standard.

    I created my first site and everything works fine. At the beginning I put in place all hosts that I have on the first site to make sure everything was working correctly. Now, I'm ready to spend half of the guests at my second site.

    I want to manage two sites from my server from vSphere existing on the first site.

    What is the best way to set up my second site? Inbetween the websites traffic *is* routed, so I know that limits my options. I went into this project knowing that the link between my sites 80Mbit was not good enough for vMotion.

    I used to Paul Kelly (thanks!) suggestions to set up my sites, they look like:

    http://3.BP.blogspot.com/-3z1mWR6wSkc/TopCRUzgSsI/AAAAAAAAAEU/gnLZoExAWRc/S1600/vSphere+5+-+6+NIC+IsolatedStorage+and+NoFT+design+v1.0.jpg

    What is my best option here? My original CD thought I want to road traffic for network management only (VLAN 10 on the diagram) between my sites. Is that all that is needed for the server vCenter on my first site to see my second site? With this configuration I would be able to vMotion between hosts located on my second site? is there no other angle miss me here?

    On a separate note - this time I have a Datacenter with a group inside (for my first site). My second site is a second group, or a whole new data center? I've read some threads on the forum and some people say to keep a data center, unless you have naming problems. Of course, the fact that you can cluster inbetween vMotion and not data centers isn't really make a difference in my scenario.


    Welcome to the community - as long as your vCenter server is able to reach the management port on the ESXi hosts in the second, you'll be able to manage hosts with the single instance. I agree that you should route traffic in all of the privatelkink between the sites - management

    In doing so the single instance of vCenetr that you can manage ESSXi host computers at each site and be able to trigger vmotion on each site.

  • two links to remote sites (an eigrp, vpn)

    I have an eigrp existing link to the remote site, now I'm going to set up a tunnel using ASA vpn to ASA. Website allows full access to site B, Site B allows access to site a. If my link down EIGRP, can take the VPN link?

    How to start the VPN connection?

    Paul

    I am attaching a schema for you please take a look. That's what I would have done it. Don't know if it reflects what your management. Keep things simple and not very complicated. If a site has multiple internet connection uses one. First step get up the network and stable using a connection once your sites are converted burn in during a few weeks before you do add vpn double gre tunnels

    I can't really say what would be best in your case, as I don't know your business is or how things effect users. Everything so I can give a suggestion that you may have to change as a result of your needs and objectives

    Thank you

    NH

  • Remote access via NAT VPN client

    I currently have a PIX506e configured to provide access to the Cisco VPN Clients remote vpn. A single client can connect successfully and have access to the planned network. However, as soon as I connect an additional client to the firewall from the same place (the two addresses are translated under the same address) the two tunnels will stop working or could not connect.

    Is the problem that I face, because two customers have the same address public after NAT, or is - it something else? Is there a way to get around this?

    Hello

    A lot of THAT NAT will not work if you use ESP.

    The solution for this is to allow NAT - t on PIX and VPN client.

    PIX:

    The following command active NAT - T (for codes plus late 6.3)

    ISAKMP nat-traversal

    The VPN Client:

    On the Transport tab, under the tab "Enable Transport Tunneling" & select "IPSec over UDP (NAT/PAT).

    HTH

    Kind regards

    GE.

  • SSLVPN via Cisco VPN Client (simultaneous use)

    Hi, I'm working on a new show: 1) connect to the first network with Cisco VPN client. (2) to leave this connection, road to another Cisco SSLVPN device and perform a SSL - VPN connection. Has anyone tried this before? Are there problems, workarounds? Thanks in advance!

    I do it all the time without any problems.

    HTH >

  • NAT via LAN-to-LAN configuration between router IOS and Cisco VPN 3000

    Hello

    I have the following document on the creation of a virtual LAN2LAN including NAT private network.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

    It? s easily do this with the hub. Now, I have to set it up on the IOS router, and for this purpose, I can? t find any information. NAT, I have my private network to a single IP address that must be by tunnel as my local network official.

    Anyone have documentation on this szenario? I can? t is not on the OCC.

    Thanks for the support

    Hello.

    Concentrators are very friendly units (IMHO) to VPN with NAT and VPN.

    You build an acl defined traffic over the vpn (110) based on the nat wouldn't

    You create an acl to set what is NAT had (111) and create a NAT statement accordingly

    Here is an example configuration.

    !

    crypto ISAKMP policy 10

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    vpnsrock crypto isakmp key! address x.x.x.x

    !

    !

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    !

    10 VPN ipsec-isakmp crypto map

    defined peer x.x.x.x

    game of transformation-ESP-3DES-SHA

    match address 110

    !

    interface Fa0

    NAT outside IP

    VPN crypto card

    !

    !

    interface fa1

    IP nat inside

    !

    IP nat inside source list 111 interface fa0 overload

    IP route 0.0.0.0 0.0.0.0 y.y.y.y

    access-list 110 permit ip fa0 - ip network-remote control-generic generic-mask

    access-list 111 allow local-network ip network-remote control-generic generic-mask

    !

  • Redirect a part of the vrf traffic between 2 sites over a redundant link

    Hey guys,.

    We have one customer (in the vrf) with 2 sites in different States and the execution of our soul of mpls... Our main link in our heart is affected by the degradation of service and want to route the client on our redundant link while retaining all other clients going on our primary link - is it possible?

    The customer in question has its own vrf (L3VPN) on both sites and running on mpls between sites. We would like to re - route this particular customer to take our backup path, while keeping everyone between sites through the primary. We do not use, rather LDP to build the SPLM.

    I don't think it's possible to only re - route a customer, but I thought I would ask the question.

    We cannot failover to secondary link for everyone between sites because the link doesn't have the capability.

    Thanks in advance.

    Hello

    Using MPLS YOU would certainly be an option. You must configure MPLS TE LS during the backup. You must also set up a separate look-back on each PE interface and use this address of the loopback interface as the next hop for the specific VRF

    IP vrf X

    BGP jump next loopback 999

    Route IP 255.255.255.255 Tu1

    In this way make you sure that only the traffic for this specific VRF would be above the tunnel of TE.

    Concerning

  • Routing between two remote sites connected over the VPN site to site

    I have a problem ping between remote sites.  Now the Cryptography and no nat ACL's for different sites just to affect traffic between the remote site and main site. I tried to add roads, adding other subnets to the crypto and no. ACL Nat at the remote sites... nothing worked.  Any ideas?

    Main site:

    192.168.100.0 - call manager / phone VLAN

    192.168.1.0/24 - data VLAN

    Site 1:

    192.168.70.0/24 - phone VLAN

    192.168.4.0/24 - data VLAN

    Site 2:

    192.168.80.0/24 - phone VLAN

    192.168.3.0/24 - data VLAN

    Main router

    Expand the IP ACL5 access list
    10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 ip 192.168.1.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
    30 permits ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
    IP 192.168.100.0 allow 40 0.0.0.255 192.168.70.0 0.0.0.255)
    50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
    Expand the IP ACL6 access list
    10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    20 ip 192.168.1.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
    30 permits ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    IP 192.168.100.0 allow 40 0.0.0.255 192.168.80.0 0.0.0.255

    Expand the No. - NAT IP access list
    10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
    30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
    40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
    320 ip 192.168.1.0 allow 0.0.0.255 any
    IP 192.168.100.0 allow 330 0.0.0.255 any

    Site 1:

    ACL5 extended IP access list

    IP 192.168.70.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

    ip licensing 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255

    IP 192.168.70.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

    ip licensing 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

    IP 192.168.70.0 allow 0.0.0.255 10.255.255.0 0.0.0.255

    No. - NAT extended IP access list

    deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255

    refuse the 192.168.4.0 ip 0.0.0.255 192.168.100.0 0.0.0.255

    deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255

    refuse the 192.168.4.0 ip 0.0.0.255 192.168.1.0 0.0.0.255

    deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255

    IP 192.168.70.0 allow 0.0.0.255 any

    ip licensing 192.168.4.0 0.0.0.255 any

    Site 2:

    ACL6 extended IP access list
    IP 192.168.80.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
    ip licensing 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    IP 192.168.80.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
    ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    IP 192.168.80.0 allow 0.0.0.255 10.255.255.0 0.0.0.255
    No. - NAT extended IP access list
    deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
    IP 192.168.80.0 allow 0.0.0.255 any
    ip licensing 192.168.3.0 0.0.0.255 any

    What should I do for these two sites can ping each other?  I looked through the forums but can't seem to find someone with a similar problem, which has received a definitive answer.

    Thanks in advance!

    Hi, I assume that you need site 1 and 2 to communicate with each other via the main site right? If this is the case, then you need to set add the following lines to your ACL crypto:

    Main router

    Expand the IP ACL5 access list

    IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

    IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

    ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

    ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    Expand the IP ACL6 access list

    IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

    IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

    ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

    Make sure you add these lines before the last permit

    Expand the No. - NAT IP access list

    deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

    deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

    deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

    deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

    refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

    deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

    refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

    Site 1:

    ACL5 extended IP access list

    IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

    ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

    IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

    ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Make sure that these lines are added before the last permit

    No. - NAT extended IP access list

    deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

    refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

    deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

    refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

    Site 2:

    ACL6 extended IP access list

    IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

    ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

    IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

    ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    So make sure that these lines are added before the last permit

    No. - NAT extended IP access list

    deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

    deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

    deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

    deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    So you're saying good enough your routers with these definitions which will be reached via one main remote sites (sites 1 and 2).

    I would like to know if this is what you need.

  • Use the remote website via VPN site-to-site

    Hi all

    We have two sites, the site has and B. At site A, we have a Web site we want to share with all of site B. Currently, site B can access the site via the VPN site-to site on X 0, which is their LAN. Nothing outside X 0 cannot access or ping to the address.

    We added access rules to allow access from the DMZ to this interface, but again, no ping and no communication at all. The other strange thing is that we see that no trip package for these access rules either.

    Any help is appreciated. Thank you.

    It seems that the demilitarized zone is not part of the VPN tunnel.

    Can you confirm that the DMZ subnet is part of local destinations on the site B and a part of the local destinations on site?

    Kevin

  • IPSec site to site VPN cisco VPN client routing problem and

    Hello

    I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

    The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

    There are on the shelves, there is no material used cisco - routers DLINK.

    Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

    Can someone help me please?

    Thank you

    Peter

    RAYS - not cisco devices / another provider

    Cisco 1841 HSEC HUB:

    crypto ISAKMP policy 1

    BA 3des

    preshared authentication

    Group 2

    ISAKMP crypto key x xx address no.-xauth

    !

    the group x crypto isakmp client configuration

    x key

    pool vpnclientpool

    ACL 190

    include-local-lan

    !

    86400 seconds, duration of life crypto ipsec security association

    Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

    !

    Crypto-map dynamic dynmap 10

    Set transform-set 1cisco

    !

    card crypto ETH0 client authentication list userauthen

    card crypto isakmp authorization list groupauthor ETH0

    client configuration address card crypto ETH0 answer

    ETH0 1 ipsec-isakmp crypto map

    set peer x

    Set transform-set 1cisco

    PFS group2 Set

    match address 180

    card ETH0 10-isakmp ipsec crypto dynamic dynmap

    !

    !

    interface FastEthernet0/1

    Description $ES_WAN$

    card crypto ETH0

    !

    IP local pool vpnclientpool 192.168.200.100 192.168.200.150

    !

    !

    overload of IP nat inside source list LOCAL interface FastEthernet0/1

    !

    IP access-list extended LOCAL

    deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    IP 192.168.7.0 allow 0.0.0.255 any

    !

    access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    !

    How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

    Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

    DE:

    access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the ACL 190 split tunnel:

    DE:

    access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

    Hope that helps.

  • How to copy tftp on remote site VPN

    I know that by the definition of ASA management interface can ping or telnet/SSH to the inside interface of the ASA remote VPN. But it does not work for TFTP. Is it possible to copy config TFP server in a remote site via VPN and using the source as a local within the interface interface?

    Your home, remember messages useful rate.

    Concerning

Maybe you are looking for