GRE tunnels and no gre

Similar Questions

• L2TP max number of tunnels and sessions

  Hello

  hope this is relevant for this forum...

  There is some information about max L2TP tunnels and sessions here: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6549/ps6587/prod_white_paper0900aecd8066d3f5.html

  But there is a note in table 1: "figures in the table are based on a session by L2TP tunnel.

  This means that with 1 tunnel we have 1199 sessions kai with for example 10 119 sessions by tunnel tunnels (assuming an even distribution)?

  What other models like 7200 and 7300 are you aware of any specs? (couldn't find them in the cisco site)...

  Thanks in advance,

  -Efthimios.

  In the URL you just sent this: -.

  "Session - a single tunnel PPP session. Also known as a call.

  "Tunnel - the virtual pipe between the LAKE and the LNS that can carry multiple PPP sessions".

  So, I think so.

• NAT VPN tunnel and still access Internet traffic

  Hello

  Thank you in advance for any help you can provide.

  I have a server with the IP 192.168.1.9 that needs to access a subnet remote from 192.168.50.0/24, through the Internet.  However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1 because the VPN gateway remote (which is not under my control) allows access to other customers who have the same subnet address that we do on our local network.

  We have a 2801 Cisco (running c2801-advsecurityk9 - mz.124 - 15.T9.bin) set up to make the NAT.  It is the only gateway on our network.

  I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:

  access-list 106 allow host ip 192.168.1.9 192.168.50.0 0.0.0.255

  NAT extended IP access list
  refuse the host ip 192.168.1.9 192.168.50.0 0.0.0.255
  deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  ip permit 192.168.1.0 0.0.0.255 any

  route allowed ISP 10 map
  corresponds to the IP NAT

  IP nat EMDVPN 10.1.0.1 pool 10.1.0.1 netmask 255.255.255.0
  IP nat inside source list 106 pool EMDVPN
  IP nat inside source map route ISP interface FastEthernet0/1 overload

  When the server (192.168.1.9) attempts to ping on the subnet of 192.168.50.0/24 devices, the VPN tunnel is established successfully.  However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed since the external IP address of the router (FastEthernet0/1) at 10.1.0.1.

  The documentation I've seen on the site of Cisco says that this type of Setup allows only host subnet communication.  Internet access is not possible.  However, maybe I missed something, or one of you experts can help me.  Is it possible to configure the NAT router traffic destined to the VPN tunnel and still access the Internet by using the dynamic NAT on FastEthernet0/1?

  Once again, thank you for any help you can give.

  Alex

  Hello

  Rather than use a pool for NAT

  192.168.1.9 - 10.1.0.1 > 192.168.50.x

  ACL 102 permit ip 192.168.1.9 host 192.168.50.0 0.0.0.255

  RM-STATIC-NAT route map permit 10
  corresponds to the IP 102

  IP nat inside source static 192.168.1.9 10.1.0.1 card expandable RM-STATIC-NAT route

  ACL 101 deny host ip 192.168.1.9 192.168.50.0 0.0.0.255
  ACL 101 by ip 192.168.1.0 0.0.0.255 any
  overload of IP nat inside source list 101 interface FastEthernet0/1

  VPN access list will use the source as 10.1.0.1... *.

  Let me know if it works.

  Concerning

  M

• The phase 2 ends, but unusable tunnel and remains in place.

  I have two routers, an ASA 5505 and a 1921 Cisco.

  Here are the configs:
  ASA http://pastebin.com/raw.php?i=sNXw45Ci
  1921 http://pastebin.com/raw.php?i=mrPfdbnK

  SAA within the subnet is 10.45.0.0/16
  1921 within the subnet is 10.70.0.0/16

  Here's the debug output on the SAA, which lies immediately after I ping the ASA inside the subnet of the 1921 within the subnet: http://pastebin.com/raw.php?i=zpzN781b

  Note that "PHASE 1 is COMPLETED.

  My understanding of the rest of the production is only the phase 2 completed also.

  Now the weird part is that the output of Show crypto ipsec peer his on the 1921 shows the following: http://pastebin.com/raw.php?i=2zSxkmyT

  Notice how there are program 0-0 decaps for the tunnel.

  Also, if I don't isakmp crypto to show his on each router, I do not see the tunnel here.

  Why is the tunnel does not appear in the above command?

  Why the program show 0 tunnel and 0 decaps?

  Edit 1:

  squibby in the IRC channel #cisco (on freenode) seems to think that this may be a problem of "NAT Exemption". However, I see nothing wrong with the exemption of NAT here...

  Look at the debug output, I see that phase 1 is complete, but you fail to phase 2. That's why you see not all inbound/outbound sas on see the crypto ipsec his.

  Try to change the sequence of card crypto numbering for the dynamic encryption on your 1921 map or delete it if you don't need. The sequence for dynamic map number must be greater than your static maps.

• Hub topology and talk: can I traffic Internet road to PC at a radius of the site through the tunnel and NAT outside in the world on the 5520 hub?

  I don't know if it can be made to work or not, or if it's a mutually excluded NAT configuration that is not possible, but I have a 5520 ASA to my site central office with a fiber of 20Mbps Internet streams and two remote offices with ASA 5505 devices connected via DSL or cable modem and have finally got from Site to Site "spoke" VPN upward tunnels and run with the ability to route traffic to through a 'hairpin turn' speak-to-Spoke on the Hub Site 5520.

  I have desktop PC at each remote site speaks A & B that need to communicate directly with them to support a small group of work-style of the software point of sale that is actually hosted on a remote site A PC.

  PC on two remote sites must also be able to communicate with a credit card processing by the public Internet service, and I wish have the ASA 5505 units in each block of remote office as all traffic directly NAT'ed from each respective out on the local LAN PC straight Internet above each site cable modem or DSL modem. I want to force these PCs need to NAT their Internet-destination back through the ASA 5520 traffic located at the Home Office, on the VPN tunnels. In other words, I want the cable modem and DSL connections to route traffic strictly VPN encrypted to the Home Office and also behave like routers NAT for the local PC it.

  I can kill the 5505 prevents NAT for PCS in remote offices simply removing the rule dynamic NAT factory default for 'everything', but then I can't understand how to get my 5520 central to perform NAT which required of the remote PCs to talk to their service of Internet credit card processor without breaking the configs "NAT-free" necessary for VPN traffic to spoke-to-spoke to work. If I'm trying to put an entry static or dynamic NAT for a remote desktop on my 5520 ASA central, it breaks the VPN tunnel so that PC specific.

  Is that what I want to accomplish even possible with the ASA?

  Hi Neal,

  Yes, it's quite possible! below is a loss of things you need to do:

  (1) make sure of course on both the 5505 s of the ASA, you send ALL traffic from the local network through the VPN.

  (2) as Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

  (3) you do not have to have a configured proxy server, but it is also a good solution. But to make it work without her, assuming that the ASA 5505 remote subnets 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

  NAT (outside) 1 192.168.1.0 255.255.255.0

  NAT (outside) 1 192.168.2.0 255.255.255.0

  Global 1 interface (outside)

  Please note that 1 id, and the interface can be replaced according to the configuration you already have in place in the ASA 5520.

  I don't know what kind of NAT exemptions are at the origin of the questions for you, but if you can put a sanitized one of your ASA 5505 and ASA 5520 config, I can make suggestions concerning the exact configuration.

  Let me know if it helps!

  Thank you and best regards,

  Assia

• DMVPN Tunnel and EIGRP routing problem

  I have redundant paths to a remote 2811 router on my network of sites.  The first links is a T1 frame relay connection that has been in place for years, and the new link is on a 54 Mbps fixed wireless that was recently created.

  I'm under EIGRP to my process of routing protocol 100 for the two links.

  I installed a DMVPN Tunnel between the remote 2811 and no. 2851 router on my host site.  The tunnel interface shows to the top and to the top of both sides and I can ping the IP remote tunnel of my networks side host.

  However my eigrp routes are not spread over this new tunnel link and if I run a command show ip eigrp neighbor on each router I show only the neighbor for the frame relay link and not the new wireless link.

  What I'm missing here?

  A tunnel0 to see the shows the following:

  Tunnel0 is up, line protocol is up
  Material is Tunnel
  The Internet address is 10.x.x.x/24
  MTU 1514 bytes, BW 54000 Kbps, DLY 10000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  KeepAlive not set
  Tunnel source (FastEthernet0/1), destination 172.x.x.x 10.x.x.x
  Tunnel/GRE/IP transport protocol
  Key 0x186A0, sequencing of the people with reduced mobility
  Disabled packages parity check
  TTL 255 tunnel
  Quick tunneling enabled
  Tunnel of transmission bandwidth 8000 (Kbps)
  Tunnel to receive 8000 (Kbps) bandwidth
  Tunnel of protection through IPSec (profile "CiscoCP_Profile1")
  Last entry of 00:00:01, exit ever, blocking of output never
  Final cleaning of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 947
  Strategy of queues: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bps, 0 packets/s
  5 minute output rate 0 bps, 0 packets/s
  packages of 880, 63000 bytes, 0 no buffer entry
  Received 0 broadcasts, 0 Runts, 0 Giants 0 shifters
  errors entry 0, 0 CRC, overgrown plot of 0, 0, 0 ignored, 0 abort
  output of 910 packages, 81315 bytes, 0 underruns
  0 output errors, 0 collisions, 0 resets interface
  unknown protocol 0 drops
  output buffer, the output buffers 0 permuted 0 failures

  Please go ahead and add a static route on the hub, so it goes through the wireless link and let me know if everything works correctly.

  Federico.

• Register to offset or solid square tunnel and DAQ support

  Hello

  There is little doubt, but I want to clarify here.

  I have a Subvi and I use it in my main VI.  Subvi is written with state machines and have up to 6 different States. In one State, I have a comparison function that must value a value to a terminal for the purposes of comparison. This value is constant and I always change. Currently, I pass these values to the Subvi my main VI. Moreover, I do not use any kind of change to go through the tunnel square rather just solid. The Subvi is continuous on its States when it runs. My doubt is the value which I send VI is still exist at the Terminal comparison Subvi or better using shift registers. I have 6 situations even like that.

  In addition, by using the DAQ Assistant is really forbidden due to bad results. May be, OR use them to show the clients easy programming. I have a finite acquisition loop for 12 times. Too long, I don't have any problem with the help of data acquisition. But I got a problem when it is in continuous mode (especially when my mode of Highlighted code execution). I changed it to finished now. Is it possible to keep to herself as write like that for an application usable 10 years or better write with DAQmx functions.

  Thank you people.

  shjukheter wrote:

  I have to wait until the 1VI running and I need to pass the output to 2Vi.

  None of the screw that you set call 1. VI or 2.vi. If 2. VI requires a power of 1(vi), it will automatically wait up to 1. VI ended until he could start. It is dependent on the data. No required sequence.

  DBL values will be read without having changed the tunnel entrance of the while loop and then go to the tunnel entrance to the structure of the case. The value of the tunnel will not change for the duration of the subVIs. You only need a registry change if one instance changes the value and you want the changed value in the subsequence of the while loop iterations.

• L2l tunnel and show connection addess

  Hello world

  ASA 5505 L2L 5520 tunnel a.

  The tunnel is running.

  5505 # sh crypto isakmp his

  IKEv1 SAs:

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 IKE Peer: 10.31.2.30
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  There are no SAs IKEv2

  SH crypto ipsec his
  Interface: Visitor_Edge
  Tag crypto map: D_Traffic_Crypto, seq num: 1, local addr: 10.31.2.20

  When I sh conn address 10.31.2.20 all the
  5 in use, most used 9316
  ESP visitor identity Ifc 10.31.2.20 NP 10.31.2.30, idle 0:00:00, 9912 bytes, flags - 1
  UDP 10.31.2.30:500 NP identity Ifc 10.31.2.20:500 visitor, slowed down to 0:00:09, 3365216, flags - 2 bytes
  ESP visitor identity Ifc 10.31.2.20 NP 10.31.2.30, idle 0:00:00, 3816 bytes, flags - 3

  Must understand the connections 1 and 3 are used for what purpose and why they have no port information?

  As 2 is tunnel connection using port 500. but the connections 1 and 3 have no port number, why?

  Concerning

  Mahesh

  Connection 1 and 3 represent the traffic going in and out, ESP that sit directly on the IP header, so there is no port information.

  Connection 2 represent IKE messages that are exchanging messages on port UDP 500.

• IPSec tunnel and NetFlow packets

  I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?

  Thank you.

  Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.

• Protection of IPSEC Tunnel and tunnel QOS shaping does no formatting.

  I have an implosion of the little brain as to why it won't work.

  I tried the QOS policy on tunnel interfaces and the ATM interface. No formatting occurs. Interfaces to transmit at their leisure.

  Please can someone have a better day me to tell me what I am doing wrong?

  Here is the config relevant (and standard). without the political order applied anywhere. Any help appreciated.

  ---------------------------------------------------------------------------------

  class-map correspondence-everything APPSERVEURS
  match the name of group-access TERMINALSERVERS
  class-map correspondence-any VOICE
  sip protocol game
  match Protocol rtp
  match dscp ef
  !
  !
  Policy-map QOSPOLICY
  class VOICE
  priority 100
  class APPSERVEURS
  33% of bandwidth
  class class by default
  Fair/salon-tail 16
  Policy-map of TUNNEL
  class class by default
  form average 350000
  QOSPOLICY service-policy
  !
  !
  interface Tunnel0
  bandwidth 350
  IP 172.20.58.2 255.255.255.0
  IP mtu 1420
  load-interval 30
  QoS before filing
  source of Dialer0 tunnel
  destination tunnel X.X.X.X
  ipv4 ipsec tunnel mode
  tunnel path-mtu-discovery
  Tunnel IPSECPROFILE ipsec protection profile
  !
  Tunnel1 interface
  bandwidth 350
  IP 172.21.58.2 255.255.255.0
  IP mtu 1420
  load-interval 30
  delay 58000
  QoS before filing
  source of Dialer0 tunnel
  destination tunnel Y.Y.Y.Y
  ipv4 ipsec tunnel mode
  tunnel path-mtu-discovery
  Tunnel IPSECPROFILE ipsec protection profile
  !
  !
  ATM0/0/0 interface
  no ip address
  load-interval 30
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 0/38
  aal5mux encapsulation ppp Dialer
  Dialer pool-member 1
  !
  !
  interface Dialer0
  bandwidth 400
  the negotiated IP address

  ---------------------------------------------------------------------------------------------------------

  Thank you

  Paul

  Paul,

  One of the reasons could be because of the VTI overload.

  That being said I don't know which is the way to go with your QoS:

  https://Tools.Cisco.com/bugsearch/bug/CSCsz63683/?reffering_site=dumpcr

  My suggestion: give it a try with 15.2 M/T and prosecute TAC with discount people rather than VPN QoS ;-)

  M.

• IPSec tunnel and join a LAN router

  I have to tunnel MikroTik IPSec Cisco ASA.

  Cisco WAN: xxx.xxx.xxx.xxx

  Cisco LAN: 172.27.0.0/20

  MikroTik WAN: .yyy

  MikroTik LAN: 172.27.128.0/20

  This acts to Cisco configuration:

  access extensive list ip 172.27.0.0 acl_encrypt allow 255.255.240.0 172.27.128.0 255.255.240.0

  access extensive list ip 172.27.0.0 acl_no_nat_inside allow 255.255.240.0 172.27.128.0 255.255.240.0

  NAT-control
  Global 1 interface (outside)
  NAT (inside) 0-list of access acl_no_nat_inside
  NAT (inside) 1 0.0.0.0 0.0.0.0

  Crypto ipsec transform-set esp-aes-256 ts_esp_aes_256_sha, esp-sha-hmac

  card crypto cm_outside 10 correspondence address acl_encrypt
  card crypto cm_outside pfs set 10 group5
  card crypto cm_outside 10 peers set.yyy
  card crypto cm_outside 10 transform-set ts_esp_aes_256_sha
  3600 seconds, duration of life card crypto cm_outside 10 set - the security association
  card crypto cm_outside 10 set security-association life 1048576 kilobytes

  cm_outside interface card crypto outside

  crypto ISAKMP policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 3600

  tunnel - group.yyy type ipsec-l2l
  tunnel - group.yyy ipsec-attributes
  pre-shared-key *.

  Tunnel works fine, when I try to ping from a PC behind Cisco to another PC behind MikroTik.

  (e.g. 172.27.1.1 to 172.27.129.1), it works fine (except the first two lost packages which is OK
  due to the delay of its ISAKMP/IPsec negotiation).

  But I need to be able to access a PC behind Cisco's MikroTik.

  If I try for example

  ping 172.27.129.1

  Cisco, all packets are lost.

  I guess that Cisco does not use its LAN interface but the WAN interface.

  What can I do to make it work?

  Not sure why you want to do.

  Yes, ASA use the IP address on the outgoing interface as source IP address. So when you ping the remote of the SAA, it will WAN IP.

  You can add the following entry in your ACL to see if it works

  access-list allowed acl_encrypt ip xxx.xxx.xxx.xxx host 172.27.129.1

  Make the changes to the ACL on the remote site as well.

  You may or may not add a NAT 0 as well. I don't know because this traffic is started from ASA itself. You can check the log to see what's happening and then make the decision.

• IPSEC tunnel and Routing Support protocols

  Hello world

  I read that IPSEC does not support routing with VPN's Site to the other protocols because both are Layer4.

  This means that if Site A must reach the B Site over a WAN link, we use static IP on the Site A and Site B router?

  In my lab at home I config Site to Site VPN systems and they work correctly using OSPF does that mean that IPSEC supports the routing protocol?

  IF someone can explain this please?

  OSPF config one side

  router ospf 1

  3.4.4.4 router ID

  Log-adjacency-changes

  area 10-link virtual 10.4.4.1

  passive-interface Vlan10

  passive-interface Vlan20

  3.4.4.4 to network 0.0.0.0 area 0

  network 192.168.4.0 0.0.0.255 area 10

  network 192.168.5.0 0.0.0.255 area 0

  network 192.168.10.0 0.0.0.255 area 0

  network 192.168.20.0 0.0.0.255 area 0

  network 192.168.30.0 0.0.0.255 area 0

  network 192.168.98.0 0.0.0.255 area 0

  network 192.168.99.0 0.0.0.255 area 0

  3550SMIA #sh ip route

  Code: C - connected, S - static, mobile R - RIP, M-, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2

  i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2

  -IS inter area, * - candidate failure, U - static route by user

  o - ODR, P - periodic downloaded route static

  Gateway of last resort is 192.168.5.3 to network 0.0.0.0

  192.168.12.0/24 [13/110] through 192.168.5.3, 3d17h, FastEthernet0/11

  100.0.0.0/32 is divided into subnets, subnets 1

  O 100.100.100.100 [110/3] through 192.168.5.3, 3d17h, FastEthernet0/11

  3.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks

  O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

  C 3.4.4.0/24 is directly connected, Loopback0

  C 192.168.30.0/24 is directly connected, Vlan30

  64.0.0.0/32 is divided into subnets, subnets 1

  O E2 64.59.135.150 [110/300] through 192.168.5.3, 1d09h, FastEthernet0/11

  4.0.0.0/32 is divided into subnets, subnets 1

  O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

  C 192.168.10.0/24 is directly connected, Vlan10

  172.31.0.0/24 is divided into subnets, 4 subnets

  O E2 172.31.3.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O E2 172.31.2.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O E2 172.31.1.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O E2 172.31.0.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O 192.168.11.0/24 [110/3] through 192.168.5.3, 3d17h, FastEthernet0/11

  O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8

  C 192.168.99.0/24 is directly connected, FastEthernet0/8

  192.168.20.0/24 C is directly connected, Vlan20

  192.168.5.0/31 is divided into subnets, subnets 1

  C 192.168.5.2 is directly connected, FastEthernet0/11

  C 10.0.0.0/8 is directly connected, Tunnel0

  192.168.6.0/31 is divided into subnets, subnets 1

  O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

  192.168.1.0/24 [13/110] through 192.168.5.3, 3d17h, FastEthernet0/11

  O * E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11

  B side Config

  Side A

  router ospf 1

  Log-adjacency-changes

  network 192.168.97.0 0.0.0.255 area 0

  network 192.168.98.0 0.0.0.255 area 0

  network 192.168.99.0 0.0.0.255 area 0

  1811w # sh ip route

  Code: C - connected, S - static, mobile R - RIP, M-, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2

  i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2

  -IS inter area, * - candidate failure, U - static route by user

  o - ODR, P - periodic downloaded route static

  Gateway of last resort is 192.168.99.2 to network 0.0.0.0

  192.168.12.0/24 [110/14] through 192.168.99.2, 3d17h, FastEthernet0

  100.0.0.0/32 is divided into subnets, subnets 1

  O 100.100.100.100 [110/4] through 192.168.99.2, 3d17h, FastEthernet0

  3.0.0.0/32 is divided into subnets, 2 subnets

  O 3.3.3.3 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

  O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  64.0.0.0/32 is divided into subnets, subnets 1

  O E2 64.59.135.150 [110/300] through 192.168.99.2, 1d09h, FastEthernet0

  4.0.0.0/32 is divided into subnets, subnets 1

  O 4.4.4.4 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

  O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  172.31.0.0/24 is divided into subnets, 4 subnets

  O E2 172.31.3.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O E2 172.31.2.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O E2 172.31.1.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O E2 172.31.0.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O 192.168.11.0/24 [110/4] through 192.168.99.2, 3d17h, FastEthernet0

  C 192.168.98.0/24 is directly connected, BVI98

  C 192.168.99.0/24 is directly connected, FastEthernet0

  O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  192.168.5.0/31 is divided into subnets, subnets 1

  O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  192.168.6.0/31 is divided into subnets, subnets 1

  O 192.168.6.2 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

  192.168.1.0/24 [110/14] through 192.168.99.2, 3d17h, FastEthernet0

  O * E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0

  Thank you

  Mahesh

  Mahesh.

  Indeed, solution based purely crypto-card are not compatible with a routing protocol.  Crypto card however is the legacy config we support on IOS. The best practice is to use the protection of tunnel. Any routing protocol would work then.

  for example

  https://learningnetwork.Cisco.com/docs/doc-2457

  It's the best solution we currenty have

• Default gateway of ASA 5520 8.4 (3) tunnel and different subnets

  Hello

  I fight on a problem for more than 2 weeks despite various searches.

  We have a Cisco router, then a 8.4 (3) ASA 5520.

  The ASA's private interface is connected to a switch and now connected to an interface of the router.

  The private interface is as follows: 129.88.63.253 255.255.248.0 (/ 21) =>

  It's in the 129.88.56.0/21 subnet

  Here is the part of the router configuration, that we are interested in:

  !

  interface Vlan32

  address IP 129.88.63.254 255.255.248.0 (it's the tunnel default gateway configured on the SAA - 129.88.56.0/21 subnet)

  IP 129.88.71.254 255.255.255.0 secondary

  IP 129.88.75.254 255.255.252.0 secondary

  IP access-group CVPN-since - 129.88.56 in

  IP access-group CVPN-to - out 129.88.56

  Check IP unicast accessible source - via rx allow - by default

  no ip redirection

  MLS-rp ip

  !

  On the SAA, there is a default route for traffic in tunnel mode:

  private road 0.0.0.0 0.0.0.0 129.88.63.254 in tunnel

  As you can see, it is on the same subnet as the main Vlan32 of interface IP address on the router.

  The scenario is as follows:

  -We can connect to the VPN with the appropriate alias (LDAP connection), then we get an IP address in the range (this is a local pool ASA)

  -the pool is: 129.88.71.0/24

  - but, once we are connected, we cannot do anything, because it looks like we have no access to the network

  My thoughts:

  For the moment, we give (for the alias/connection profile above based on the LDAP authentication)

  an IP address from a local pool of ASA (129.88.71.1 to 129.88.71.253). But this IP address is not on the same subnet as the

  tunnel default gateway (129.88.63.254).

  For example, if we give an IP address in the subnet 129.88.56.0/21 everything works perfectly.

  However, this IP address is still on the same subnet as one of the secondary IP address of the Vlan32 interface on the router:

  IP 129.88.71.254 255.255.255.0 secondary

  The strange problem is that this configuration has worked for a few days until we reboot the ASA, and now it's over.

  Currently, the configuration on the SAA is the same before the reboot.

  You have any ideas to make this type of configuration really works (multiple subnets but default gateway a single tunnel, which is the only way)

  'access' resources on the network)?

  Given the following...

  -We can only set one and only one tunnel gateway

  -We are unable to extend the 129.88.63.254 ' 255.255.248.0 "subnet

  -the problem is not the ACL (tested with and without and they are OK, they let the traffic of the pools above)

  Thank you!

  Here's an idea. If the secondary IP address is configured on the router just to be on the same subnet as the clients, it is not necessary. It is best to simply set a route in the score of the router

  129.88.71.0/24 to the private firewall interface (route ip 129.88.71.0 255.255.255.0 129.88.63.253). It's basically the difference between data is sent right to the firewall (good) versus the firewall with proxy-arp answer an arp broadcast (not as good).

  May or may not solve the problem, but it's a cleaner configuration.

• transmission tunnel (and receive) statements of bandwidth

  This command should be used on a multipoint DMVPN (3845 router) interface, where more than 100 rays generally have completed tunnels?  Because the default is 8 MB.  All our report tracking tools that tunnel mulitpoint interface is over used each day of work.

  I looked for information on this command and pasted what I found below (which supports my question).  But I found nothing about it in any documentation of DMPVN I've seen.

  bandwidth of tunnel

  {get |} pass} bandwidth

  receive

  Specifies the bandwidth to be used to receive packets through the tunnel.

  transmit

  Specifies the bandwidth to use to send packets through the tunnel.

  bandwidth

  Bandwidth, in Kbps. range is from 0 to 2147483647. Default value is 8000.

  http://www.Cisco.com/en/us/docs/iOS/interface/command/reference/ir_t2.PDF

  Chris,

  (1) bandwidth tunnel is used only with RBSCP - see the indications for use in documents that you send messages and you will see the word "satellite", which indicates that it is for RBSCP.  I'll see if I can get the fixed order reference documents.  Put the commands to change screen output, but in fact will not change the transmit/receive rate unless you use RBSCP.

  (2) the second part of my message about the 'band', was an effort o find a way to stop your reporting of your tunnel tool (which is a virtual interface that has no * real * bandwidth when using no rbscp restrictions) as being oversubscribed.

  You will need to work with your provider to follow tool to see where they draw the number of bandwidth/throughput band and how they determine that it is oversubscribed.  My best guess is they are looking at the width of band/command on the tunnel interface parameter, but as it is a tunnel interface, this number should not be used to determine if a tunnel is "places".

  -Jason

• IGP and GRE Tunnel

  GRE.png

  

  Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.

  Case 1:

  We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:

  • Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
  • This will make the redundant paths between two routers
  • This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
  • Or we can tunnel just for the exchange of traffic between two routers.

  My Question:

  1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
  2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?

  Case 2:

  If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.

  My Question:

  • I just want to know there is a valid case and also do we get this case in a review?

  What comments can you do on both cases freely, I just create these two cases to clear my mind.

  Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.

  In the tunnel you can run any routing protocol ospf, eigrp, BGP route smiler or Sttic as interface point-to-point between two routers.

  Answer to your question on my opinion are as below

  case 1

  1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
  2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).

  Case 2

  • I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.

  Please always evaluate the useful post!

  Kind regards

  Pawan (CCIE # 52104)