How to configure the vpn using two segments in a tunnel?

Hi guys,

Please help me set up two segments in a VPN tunnel. Our client has two segments, 10.15 and 192.168. We have already established VPN connectivity. We can ping the 10.15 segment, but we cannot ping 192.168. Attached is the sample configuration.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 11.11.11.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel
 set peer 11.11.11.11
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 match address 102
!
access-list 101 deny ip 192.168.202.0 0.0.0.255 host 10.15.0.177
access-list 101 deny ip 192.168.202.0 0.0.0.255 host 192.168.30.174
access-list 101 permit ip 192.168.202.0 0.0.0.255 any
access-list 102 permit ip 192.168.202.0 0.0.0.255 host 10.15.0.178
access-list 102 permit ip 192.168.202.0 0.0.0.255 host 192.168.30.174

Here is the extended ping.

Router#ping
Protocol [ip]:
Target IP address: 10.15.0.177
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.202.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.0.177, timeout is 2 seconds:
Packet sent with a source address of 192.168.202.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 172/172/172 ms

Router#ping
Protocol [ip]:
Target IP address: 192.168.30.174
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.202.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.174, timeout is 2 seconds:
Packet sent with a source address of 192.168.202.3
.....
Success rate is 0 percent (0/5)
And here is the output of show crypto isakmp sa.

Router#show crypto isakmp sa
dst             src             state          conn-id slot status
11.11.11.11     22.22.22.22     QM_IDLE              1    0 ACTIVE
And here is the crypto session.

Router#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 11.11.11.11 port 500
  IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 192.168.30.174
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 10.15.0.177
        Active SAs: 2, origin: crypto map
And here is the crypto session detail.

Router#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 11.11.11.11 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 11.11.11.11
      Desc: (none)
  IKE SA: local 22.22.22.22/500 remote 11.11.11.11/500 Active
          Capabilities:(none) connid:1 lifetime:23:44:02
  IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 192.168.30.174
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4568454/27867
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4568453/27867
  IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 10.15.0.177
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 8 drop 0 life (KB/Sec) 4591368/27842
        Outbound: #pkts enc'ed 8 drop 2 life (KB/Sec) 4591368/27842
 

Hello

Your side has 192.168.202.0/24, and you can ping 10.15 successfully but not 192.168.30.174.

Check that the ASA has a route to 192.168.30.174 pointing to the external interface.

Also check that the customer has defined 192.168.30.174 as part of the VPN traffic correctly.

Federico.
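As an added diagnostic (my own script, not the poster's configuration and not a Cisco tool), the code below takes the crypto ACL and the "show crypto session detail" counters quoted above and answers the two questions Federico raises: does the crypto ACL actually select the source/destination pair, and is the matching IPsec SA carrying traffic in both directions? The ACL lines and session text are constructed from the values in this thread; the function names, the verdict strings and the assumption that wildcard masks are contiguous are mine. Note that the ACL as posted names host 10.15.0.178 while the working ping went to 10.15.0.177, so with the posted lines the script reports the .177 path as outside the crypto ACL.

```python
"""Added diagnostic for the thread above (not the poster's code or an IOS tool):
does the crypto ACL select a src/dst pair, and is the IPsec SA two-way?"""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed from the values quoted in the thread.
ACL_102 = [
    "access-list 102 permit ip 192.168.202.0 0.0.0.255 host 10.15.0.178",
    "access-list 102 permit ip 192.168.202.0 0.0.0.255 host 192.168.30.174",
]
SESSION_DETAIL = """\
  IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 192.168.30.174
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4568454/27867
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4568453/27867
  IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 10.15.0.177
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 8 drop 0 life (KB/Sec) 4591368/27842
        Outbound: #pkts enc'ed 8 drop 2 life (KB/Sec) 4591368/27842
"""


def _wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    # IOS wildcard masks are inverted netmasks; a contiguous mask is assumed.
    mask_int = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF
    return IPv4Network((addr, str(IPv4Address(mask_int))), strict=False)


def _take_spec(tokens, i):
    """Consume one ACE address spec (host X | any | addr wildcard) at tokens[i]."""
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str):
    """'access-list N permit|deny ip SRC DST' -> (action, src_net, dst_net)."""
    t = line.split()
    src, i = _take_spec(t, 4)
    dst, _ = _take_spec(t, i)
    return t[2], src, dst


def acl_matches(acl_lines, src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching ACE decides, as on IOS, with an implicit deny at the end."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action == "permit"
    return False


FLOW_RE = re.compile(r"IPSEC FLOW: permit ip (\S+) (host \S+|\S+)")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)")


def _flow_net(spec: str) -> IPv4Network:
    # Flow lines print 'host X' or 'addr/netmask'.
    if spec.startswith("host "):
        return IPv4Network(spec.split()[1] + "/32")
    return IPv4Network(spec, strict=False)


def parse_flows(text: str):
    """Return one dict per IPSEC FLOW with its inbound/outbound counters."""
    flows, cur = [], None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            cur = {"src": _flow_net(m.group(1)), "dst": _flow_net(m.group(2)),
                   "dec": 0, "enc": 0, "in_drop": 0, "out_drop": 0}
            flows.append(cur)
            continue
        if cur is None:
            continue
        m = IN_RE.search(line)
        if m:
            cur["dec"], cur["in_drop"] = int(m.group(1)), int(m.group(2))
            continue
        m = OUT_RE.search(line)
        if m:
            cur["enc"], cur["out_drop"] = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(acl_lines, session_text: str, src: str, dst: str) -> str:
    """Verdict for one src/dst pair: not-in-crypto-acl, no-sa, one-way or ok."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if not acl_matches(acl_lines, s, d):
        return "not-in-crypto-acl"   # traffic is routed in the clear, never enters the tunnel
    flow = next((f for f in parse_flows(session_text) if s in f["src"] and d in f["dst"]), None)
    if flow is None:
        return "no-sa"               # selected by the ACL but no SA negotiated for it
    if flow["enc"] > 0 and flow["dec"] == 0:
        return "one-way"             # we encrypt and send, nothing comes back through the tunnel
    return "ok"


if __name__ == "__main__":
    for target in ("10.15.0.177", "10.15.0.178", "192.168.30.174"):
        print(target, diagnose(ACL_102, SESSION_DETAIL, "192.168.202.3", target))
```

For 192.168.30.174 the verdict is "one-way": four packets were encrypted and sent but zero were decrypted inbound, so the local router is doing its part and the missing replies point at the far end (the peer's crypto ACL or its route back to 192.168.202.0/24), which is exactly the check suggested in the reply.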

Tags: Cisco Security
