Impossible to route traffic through a tunnel "will" in a frame relay Center and spoke environment.

Similar Questions

• Impossible to pass traffic through the VPN tunnel

  I have an ASA 5505 9.1 running.   I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

  Here is my config

  LN-BLF-ASA5505 > en
  Password: *.
  ASA5505-BLF-LN # sho run
  : Saved
  :
  : Serial number: JMX1216Z0SM
  : Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
  :
  ASA 5,0000 Version 21
  !
  LN-BLF-ASA5505 hostname
  domain lopeznegrete.com
  activate the password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.116.254 255.255.255.0
  OSPF cost 10
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 50.201.218.69 255.255.255.224
  OSPF cost 10
  !
  boot system Disk0: / asa915-21 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  domain lopeznegrete.com
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  the LNC_Local_TX_Nets object-group network
  Description of internal networks Negrete Lopez (Texas)
  object-network 192.168.1.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  object-network 192.168.3.0 255.255.255.0
  object-network 192.168.4.0 255.255.255.0
  object-network 192.168.5.0 255.255.255.0
  object-network 192.168.51.0 255.255.255.0
  object-network 192.168.55.0 255.255.255.0
  object-network 192.168.52.0 255.255.255.0
  object-network 192.168.20.0 255.255.255.0
  object-network 192.168.56.0 255.255.255.0
  object-network 192.168.59.0 255.255.255.0
  object-network 10.111.14.0 255.255.255.0
  object-network 10.111.19.0 255.255.255.0
  the LNC_Blueleaf_Nets object-group network
  object-network 192.168.116.0 255.255.255.0
  access outside the permitted scope icmp any4 any4 list
  extended outdoor access allowed icmp a whole list
  outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 741.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  outside access-group in external interface
  !
  router ospf 1
  255.255.255.255 network 192.168.116.254 area 0
  Journal-adj-changes
  default-information originate always
  !
  Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  AAA authentication enable LOCAL console
  Enable http server
  http 192.168.2.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.201.218.93
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  no use of validation
  Configure CRL
  trustpool crypto ca policy
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
  010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
  30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
  13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
  0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
  20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
  65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
  30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
  496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
  74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
  68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
  302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
  63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
  010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
  1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
  082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
  ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
  45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
  2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
  1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
  03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
  69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
  02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
  6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
  1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
  445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
  1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
  2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
  b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
  99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
  6c2527b9 deb78458 c61f381e a4c4cb66
  quit smoking
  crypto isakmp identity address
  Crypto isakmp nat-traversal 1500
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400
  IKEv1 crypto policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  username
  username
  tunnel-group 50.201.218.93 type ipsec-l2l
  IPSec-attributes tunnel-group 50.201.218.93
  IKEv1 pre-shared-key *.
  NOCHECK Peer-id-validate
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  call-home service
  anonymous reporting remote call
  call-home
  contact-email-addr [email protected] / * /
  Profile of CiscoTAC-1
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e519f212867755f697101394f40d9ed7
  : end
  LN-BLF-ASA5505 #.

  Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:

   packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

  (simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

• Although my laptop (Vostro 3550) can connect to a remote server through VPN server will not recognize my user password and name. She will work to laptop to the network administrator, also under Win7

  I had many problems to connect to remote servers, only set by trial and error. I forgot how I solved the problem last time (a year ago), but because the server was, I can access is more data - I suspect that this is a basic setting preventing laptop computer to interact with the service.

  Hello

  Thanks for posting your query in Microsoft Community.

  The Microsoft Answers community focuses on the context of use. Please reach out to the business community of COMPUTING in the TechNet forum below:

  http://social.technet.Microsoft.com/forums/en/category/w7itpro

• Send all traffic through the vpn tunnel

  Does anyone know how to send all traffic through the tunnel vpn on both sides?  I have a server EZVpn on one side and one EZVpn client on the other.  I'm not natting on each side.  I use the value default 'tunnelall' for the attributes of group policy.  On the client side all traffic, even if not intended for the subnet of the side server, seems to pass through the tunnel.  But if I ping the side server, the same rules don't seem to apply.  Traffic destined for rates aside customer through the tunnel, but the traffic that is not pumped on the external interface in the clear.  That's not cool.

  Hello

  Clinet traffic to server through tunnel, that's right, right?

  Traffic from server to client through tunnel, but the rest of the traffic is not, no?

  This works as expected because in ezvpn, politics of "tunnel all ' is for traffic is coming from the client., do not leave the server.

  Side server, customer traffic will pass through tunnel, the rest used.

  Sian

• WRT 1900 ACS - Impossible to carry web traffic through openvpn

  2.3.11 OpenVPN windows 7 X 86. Router information

  Firmware version:	1.0.0.169041
  Serial number:	18E1060B503339

  By default, OpenVPN only sends traffic over the VPN, which is intended for the VPN. Normal traffic to Web sites, for example, is not sent by the VPN. Which can be modified to send all traffic through the VPN?

  @alexdemon

  Router WRT1900ACS is a SOHO router. It doesn't have a feature of access rule where the web traffic can be managed and regulated. The tool of Parental control of your Linksys Smart Wi - Fi account is designed for local customers only.

  Note:

  OpenVPN can create the tunnel from the remote host to the main network and thus web traffic cannot be routed through the router firewall.

  Ann_18678
  Linksys technical support

• Hub topology and talk: can I traffic Internet road to PC at a radius of the site through the tunnel and NAT outside in the world on the 5520 hub?

  I don't know if it can be made to work or not, or if it's a mutually excluded NAT configuration that is not possible, but I have a 5520 ASA to my site central office with a fiber of 20Mbps Internet streams and two remote offices with ASA 5505 devices connected via DSL or cable modem and have finally got from Site to Site "spoke" VPN upward tunnels and run with the ability to route traffic to through a 'hairpin turn' speak-to-Spoke on the Hub Site 5520.

  I have desktop PC at each remote site speaks A & B that need to communicate directly with them to support a small group of work-style of the software point of sale that is actually hosted on a remote site A PC.

  PC on two remote sites must also be able to communicate with a credit card processing by the public Internet service, and I wish have the ASA 5505 units in each block of remote office as all traffic directly NAT'ed from each respective out on the local LAN PC straight Internet above each site cable modem or DSL modem. I want to force these PCs need to NAT their Internet-destination back through the ASA 5520 traffic located at the Home Office, on the VPN tunnels. In other words, I want the cable modem and DSL connections to route traffic strictly VPN encrypted to the Home Office and also behave like routers NAT for the local PC it.

  I can kill the 5505 prevents NAT for PCS in remote offices simply removing the rule dynamic NAT factory default for 'everything', but then I can't understand how to get my 5520 central to perform NAT which required of the remote PCs to talk to their service of Internet credit card processor without breaking the configs "NAT-free" necessary for VPN traffic to spoke-to-spoke to work. If I'm trying to put an entry static or dynamic NAT for a remote desktop on my 5520 ASA central, it breaks the VPN tunnel so that PC specific.

  Is that what I want to accomplish even possible with the ASA?

  Hi Neal,

  Yes, it's quite possible! below is a loss of things you need to do:

  (1) make sure of course on both the 5505 s of the ASA, you send ALL traffic from the local network through the VPN.

  (2) as Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

  (3) you do not have to have a configured proxy server, but it is also a good solution. But to make it work without her, assuming that the ASA 5505 remote subnets 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

  NAT (outside) 1 192.168.1.0 255.255.255.0

  NAT (outside) 1 192.168.2.0 255.255.255.0

  Global 1 interface (outside)

  Please note that 1 id, and the interface can be replaced according to the configuration you already have in place in the ASA 5520.

  I don't know what kind of NAT exemptions are at the origin of the questions for you, but if you can put a sanitized one of your ASA 5505 and ASA 5520 config, I can make suggestions concerning the exact configuration.

  Let me know if it helps!

  Thank you and best regards,

  Assia

• Problem passing traffic through the VPN tunnel

  With well over 150 VPN lan-to-lan tunnels configured, I can usually get tunnels upward. However, this one is stumping me, unless the ISP is to give false information. Using a router Cisco 871 on-site a Cisco 3005 concentrator in my data center, I have set up my tunnel. The tunnel will go up but won't traffic. I am sure that the configurations on both devices are correct because I use a lot of "cut-and - paste." So, the only question seems to be the modem/router provided by your ISP. Usually, when this happens, the problem is with NAT enabled on their equipment. According to them, that it is not enabled on their NAT router. Where can else I check? Any ideas?

  Check access lists and a static route

  Try these links: >

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1e4.html#wp999593

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml

• Configuration of the router to allow VPN traffic through

  I would like to ask for assistance with a specific configuration to allow VPN traffic through a router from 1721.

  The network configuration is the following:

  Internet - Cisco 1721 - Cisco PIX 506th - LAN

  Remote clients connect from the internet by using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. Inside of the interface of the router is 192.168.0.1.

  The pix was originally configured with a public ip address and has been tested to work well to authenticate VPN connections and passing traffic in the local network. Then, the external ip address was changed to 192.168.0.2 and the router behind.

  The 1721 is configured with an ADSL connection, with fall-over automatic for an asynchronous connection. This configuration does not work well, and in the local network, users have normal internet access. I added lists of access for udp, esp and the traffic of the ahp.

  Cisco VPN clients receive an error indicating that the remote control is not responding.

  I have attached the router for reference, and any help would be greatly apreciated.

  Manual.

  Brian

  For VPN clients reach the PIX to complete their VPN the PIX needs to an address that is accessible from the outside where the customers are. When the PIX was a public address was obviously easy for guests to reach the PIX. When you give the PIX one address private, then he must make a translation. And this becomes a problem if the translation is dynamic.

  You have provided a static translation that is what is needed. But you have restricted the TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP and ESP, AHP traffic? How is it to be translated?

  If there is not a static translation for ISAKMP traffic, ESP and AHP so clients don't know how to reach the server. Which brings me to the question of what the address is configured in the client to the server?

  HTH

  Rick

• problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

  Hi, I worked with Cisco and the seller for 2 weeks on this.II am hoping that what we are witnessing will ring a Bell with someone.

  Some basic information:

  I work at a seller who needs from one site to the other tunnel.  There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system.  I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range.  So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

  My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper.  The seller sees my packages and provider host meets them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

  I'm from the external interface so that my endpoint and the peers are the same IP address.  (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.)  Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)

  I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host.  Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel.   The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel.  The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

  The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

  Here is what we have done so far:

  (1) confirm the config with the help of Cisco 2811.  The tunnel is up.  SH cyrpto ipa wristwatch tunnel upward.
  (2) turn on Nat - T side of the tunnel VPN landscapers
  (3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
  (4) successfully, tunnel and reach a different configuration hosting
  (5) to confirm all the settings of tunnel with the seller
  (6) the seller confirmed that his side host has no way and that it points to the default gateway
  (7) to rebuild the tunnel from scratch
  8) confirm with our ISP that no way divert traffic elsewhere.  My gateway lSP sees my directly connected external address.
  (9) confirm that the ACL matches with the seller
  (10) I can't get the Juniper because he is in production and in constant use

  Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

  Options or ideas are welcome.  I had countless sessions with Cisco webex, but do not have access to the hub of the seller.  I can forward suggestions.

  Here's a code

  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 2
  BA 3des
  preshared authentication
  Group 2

  Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac

  Crypto-map dynamic dynmap 30
  Set transform-set RIGHT

  ISAKMP crypto key address No.-xauth

  interface FastEthernet0/0
  Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
  IP 255.255.255.240
  IP access-group 107 to
  IP access-group out 106
  NAT outside IP
  IP virtual-reassembly
  route IP cache flow
  automatic duplex
  automatic speed
  crypto mymap map

  logging of access lists (applied outside to get an idea of what will happen.  No esp traffic happens, he has never hits)

  allowed access list 106 esp host host newspaper
  106 ip access list allow a whole
  allowed access list 107 esp host host Journal
  access-list 107 permit ip host host Journal

  access-list 107 permit ip host host Journal
  107 ip access list allow a whole

  Crypto isa HS her
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
    QM_IDLE ASSETS 0 1010

  "Mymap" ipsec-isakmp crypto map 1
  Peer =.
  Extend the 116 IP access list
  access - list 116 permit ip host host (which is a public IP address))
  Current counterpart:
  Life safety association: 4608000 kilobytes / 2800 seconds
  PFS (Y/N): N
  Transform sets = {}
  myTrans,
  }

  OK - so I have messed around the lab for 20 minutes and came up with the below (ip are IP test:-)

  (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT

  !
  (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT

  !
  IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function

  !

  (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic

  !

  (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

  (3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT

  (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT

  !

  (5) crypto-nat route-map permit 5 <> condition for the specific required NAT
  corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td

  (7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl

  Then, how the works above, when a package with the what IP 172.16.1.0/24 source wants to leave the router to connect to google, say the source will change to IP interface (1).  When 172.16.1.0/24 wants to talk to172.16.2.0/24, it does not get translated (2).  When the remote end traffic equaled the following clause of NAT - the already NAT'td IP will not be affected again (3) when a host 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a NAT NAT specific pool is required (4).  We must define a method of specific traffic to apply the NAT with a roadmap (5) which applies only when the specific traffic (6), then simply define the interesting traffic to the VPN to initiate and enable comms (7) corresponding

• Force traffic into the tunnel?

  No IPSEC applied anywhere yet.

  If you have 2 routers configured back to back with the physical interfaces tunnel interfaces - which way will be the traffic travels above?

  Answer - It will follow the path of the routing table that I guess. OSPF or static or other routes.

  Series enough.

  Now add one IPSEC.

  OSPF fails as IPSEC does not support multicast.

  Series enough.

  Now, add IPSEC and GRE to the mix. Apply card crypto both physical and tunnel interfaces.

  Included here is the common ACL associated with free WILL. That is: -.

  access-list 100 permit will host [address physical source] [address physical destination]

  It's the ACL that is supposed to define what traffic is 'interesting' and which must be encrypted.

  We will repeat the question: what should be the traffic?

  I guess it's the same answer. Refer to the routing table.

  But that traffic is encrypted? Answer - ONLY traffic destined to the IP tunnel interface.

  If you ping from physics to physics, it will be clear.

  Question - do you need to force ALL traffic to the bottom of the tunnel interface in the order so he could match the ACL and therefore get encrypted?

  How do accomplish us this?

  Discussion and debate would be greatly appreciated.

  He

  Only traffic with the source/destination of the tunnel interfaces - you just encapsulate & encrypt what happens / leaves the tunnel. If you have two sites connected through a VPN IPSEC, 'interesting' traffic for VPN is the source/destination on tunnel interfaces you need to LAN traffic in the tunnel interfaces. If you have either the static routes, or run you a dynamic routing such as OSPF or EIGRP Protocol.

  You may have a default route pointing to the firewall, a routing protocol dynamic running - so that all "internal" traffic will take place on the tunnel = encrypted vpn to a remote site, while all the 'internet' traffic routes to the firewall and leaves normally.

  HTH

• Is it still possible? Customer VPN traffic through a PIX for an another VPN?

  Hi, I just want to know if the following is actually technically possible? I'm starting to think I'm trying to implement a solution that is simply not possible.

  I have the following:

  VPN<->CiscoPix506e<->Cisco3000 Clients

  VPN clients running an IPSEC VPN for the 506th Cisco PIX and can access its "internal network" very well.

  The Cisco pix is running a VPN to another company where all network traffic is nat'ed to a single address IP RFC1918 before coming out of the tunnel (requirement of the other company to avoid the problems of overlap)

  and everyone on the "internal network" can access this great VPN.

  I want that people who use the VPN client to be able to access the other site-to-site VPN. I think that NAT forced to the external company VPN is a problem.

  All of the examples for VPN VPN cross-I see specify NAT should be disabled on the entire path. I can't do it in this situation. Is it possible to make this work?

  I guess with a good statement of ACL that all my problems will be solved.

  If you just get the users connect to the cisco 3000 rather than transversing my network. I don't have for the following reasons. I have no access to the cisco 3000 vpn concentrator and a very limited amount of the tunnels that they can open for my business. I was instructed to implement a solution to facilitate the life of employees (so that they only run a VPN tunnel at a time to do their work). For the moment, they need access to the systems within our corporate network and external society through the site to site VPN (it's actually a web application). They can do this at the office but obviously not home if they attempt to use remote access.

  I have attached a diagram of the network example PDF explaining the situation.

  Networks of each address is the following (change of the actual address of the innocents :))):

  CLIENTS_VPN

  192.168.10.0/24

  Internal network

  192.168.1.0/24

  External VPN end point

  192.168.20.0/24

  Address used for NAT on the VPN

  172.16.1.1/32

  the IOS config

  local IP pool - 192.168.10.1 VPN CLIENTS - 192.168.10.254

  inside ip access list allow a whole

  access-list allowed SHEEP ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

  access list permits EXTERNAL-ACL-VPN ip 172.16.1.1 host 192.168.20.0 255.255.255.0

  EXTERNAL-ACL-NAT of the list of permitted access ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

  IP address outside a.b.c.d 255.255.255.0

  IP address inside 192.168.10.1 255.255.255.0

  Global interface 2 (external)

  Global (outside) 1 172.16.1.1

  NAT (inside) 0 access-list SHEEP

  NAT (inside) - EXTERNAL-ACL-1 NAT access list 0 0

  NAT (inside) 2 0.0.0.0 0.0.0.0 0 0

  outside access-group in external interface

  Route outside 0.0.0.0 0.0.0.0 a.b.c.d 1

  Thank you

  Jason.

  I understand from your description of the scenario, you try to route traffic on the same interface on which it was received on the PIX. This is called pinning hair in traffic and is not currently supported in PIX (6.3).

• RV 320 won't internet traffic through the SMC modems

  We have recently installed a RV320 to use primarily as a gateway for FTP traffic. The router is installed power 2 60/10 circuits of our Internet service provider who provided 2 edge of the MSC devices and which have Wifi capabilities and router. When connect on modems in factory default state the RV320 connects but does not take advantage of the double connections in terms of speed. When disable us the wifi modems and router running the RV 320 connects but do not traffic through to the modems.

  Since the two modems are identical, we get the same news IP and gateway of each. I would prefer not to have the modem in router mode. Is there a setting on the RV that will connect and pass internet traffic with modems in mode 'dumbed down '.

  Graham Saywell

  Wanted to sound and image

  Toronto

  Hi Graham,

  The best scenario is to have both SMC routers on bridge mode and configure both on RV320 WAN interface with (PPPE, static IP, DHCP... He expense of your WAN connection)

  Can you please share with us what kind of WAN connection you use in the SMC routers?

  -Ensure the RV320 you have the latest firmware 1.1.0.09, otherwise you can download it from this link:

  http://software.Cisco.com/download/release.html?mdfid=284005929&softwareid=282465789&release=1.1.0.09&relind=available&rellifecycle=&RelType=latest

  -On RV320 under the management of the system--> Dual WAN and check Load Balance

  -After that, you set up the RV320 with the same type of WAN connection as a router SMC and SMC router mode Bridge and in this case, you should see the two public IP on RV320 of audit system summary

  If you do these steps and still you can not the public IP address RV320 and the SMC router in Bridge mode, please share with us the configuration file RV320 and screenshots of two CMS about the WAN configuration

  If in the case the SMC router does not have the option of working in Bridge mode, in this case, you will need to have the local of the SCM with subnet different e.g. 192.168.1.1/24 and other a 192.168.2.1/24

  on RV320 you can leave the configuration in DHCP on both WAN Ondaaah (if you have the DHCP Server enable SMC router) or you can configure the static IP address on the two wan

  * Please answer question mark or note the fact other users can benefit from the TI *.

  Thank you

  Mehdi

• GRE tunnels will not come on VPN IPsec/GRE

  Hi all

  We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

  Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

  The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

  00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
     
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
  00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

  I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

  Assorted useful details and matching orders of show results:

  Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

  There are 2 connections of IPSEC/GRE tunnel:

  Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
  Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

  Site-382-831 #sho ip int br
  Interface IP-Address OK? Method State Protocol
  FastEthernet1 unassigned YES unset down down
  FastEthernet2 unassigned YES unset upward, upward
  FastEthernet3 unassigned YES unset upward, upward
  FastEthernet4 unassigned YES unset upward, upward
  Ethernet0 10.3.82.10 YES NVRAM up up
  Ethernet1 74.WW. XX.35 YES NVRAM up up
  Ethernet2 172.16.1.10 YES NVRAM up up
  Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
  Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
  NVI0 unassigned don't unset upward upwards

  Site-382-831 #.
  Site-382-831 #sho run int tunnel101
  Building configuration...

  Current configuration: 277 bytes
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  KeepAlive 3 3
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  end

  Site-382-831 #.

  Site-382-831 #show isakmp crypto his
  status of DST CBC State conn-id slot
  208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
  208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show detail of the crypto isakmp
  Code: C - IKE configuration mode, D - Dead Peer Detection
  NAT-traversal - KeepAlive, N - K
  X - IKE extended authentication
  PSK - GIPR pre-shared key - RSA signature
  renc - RSA encryption

  C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
  11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 11:2 (hardware)
  74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 10:2 (hardware)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his

  Interface: Ethernet1
  Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
  current_peer 208.YY. ZZ.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0x45047D1D (1157922077)

  SAS of the esp on arrival:
  SPI: 0x15B97AEA (364477162)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486831/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x45047D1D (1157922077)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486744/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
  current_peer 208.XX. YY.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0xE82A86BC (3895101116)

  SAS of the esp on arrival:
  SPI: 0x539697CA (1402378186)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432595/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xE82A86BC (3895101116)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432508/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto isakmp policy

  World IKE policy
  Priority protection Suite 10
  encryption algorithm: three key triple a
  hash algorithm: Secure Hash Standard
  authentication method: pre-shared Key
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Default protection suite
  encryption algorithm: - Data Encryption STANDARD (56-bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Site-382-831 #.

  Site-382-831 #show crypto card
  "IPVPN_MAP" 101-isakmp ipsec crypto map
  Description: at the 2nd KC BGP 2821 - PRI - B
  Peer = 208.YY. ZZ.11
  Extend the PRI - B IP access list
  access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
  Current counterpart: 208.YY. ZZ.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }

  "IPVPN_MAP" 201-isakmp ipsec crypto map
  Description: 2nd Dallas BGP 2821 - s-B
  Peer = 208.XX. YY.11
  Expand the list of IP SEC-B access
  s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
  Current counterpart: 208.XX. YY.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }
  Interfaces using crypto card IPVPN_MAP:
  Ethernet1
  Site-382-831 #.

  Tunnel between KC & the remote site configuration is:

  Distance c831 - KC

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  !
  PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
  transport mode
  !
  IPVPN_MAP 101 ipsec-isakmp crypto map
  Description of 2nd KC BGP 2821 - PRI - B
  set of peer 208.YY. ZZ.11
  game of transformation-IPVPN
  match address PRI - B
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  !
  interface Ethernet0
  private network Description
  IP 10.3.82.10 255.255.255.0
  IP mtu 1500
  no downtime
  !
  interface Ethernet1
  IP 74.WW. XX.35 255.255.255.248
  IP mtu 1500
  automatic duplex
  IP virtual-reassembly
  card crypto IPVPN_MAP
  no downtime
  !
  PRI - B extended IP access list
  allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
  !

  KC-2821 *.

  PRI-B-382 address 74.WW isakmp encryption key. XX.35
  !
  PRI-B-382 extended IP access list
  allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
  !
  IPVPN_MAP 382 ipsec-isakmp crypto map
  Description % connected to the 2nd KC BGP 2821
  set of peer 74.WW. XX.35
  game of transformation-IPVPN
  match address PRI-B-382
  !
  interface Tunnel382
  Description %.
  IP 1.3.82.45 255.255.255.252
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  IP 1400 MTU
  delay of 40000
  tunnel of 208.YY origin. ZZ.11
  destination of the 74.WW tunnel. XX.35
  !
  end

  Any help would be much appreciated!

  Mark

  Hello

  logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Kind regards

  Averroès.

• Impossible to achieve secondary with VPN tunnel

  Hello

  I configured a Cisco Pix Firewall to my VPN tunnels and which works fine when I connect to the local network where the Pix is connected.

  When I want to communicate with a server on a secondary location over the vpn tunnel I get no response.

  The pix can ping the server, but I can't ping the server via the vpn tunnel rooms

  PIX from IP 10.1.0.254

  Router 10.1.10.254 IP address

  Secondary router IP address 10.2.10.254

  Secondary server IP address 10.2.0.1

  The default gateway on the local network is 10.1.10.254

  This router is a gre tunnel 3 of to 10.2.10.254

  On this router, there is a default route for the pix (for internet).

  Hello...

  Make sure that you send the IP pool configured on the PIX of the secondary router/server. just try to ping the IP address that the VPN client is obtained from the server...

  You must also make sure that you add this subnet secondary access sheep... otherwise list your ip pool will see the natted IP server...

  on sheep access list, allow all traffic from the pool of secondary for the IP pool...

  I hope this helps... all the best...

• Site VPN to IPsec with PAT through the tunnel configuration example

  Hello

  as I read a lot about vpn connections site-2-site
  and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

  now, I got suite facility with two locations A and B.

  192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
  172.16.16.0/24 Site has

  ---------------------------------------------------------------------------

  Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

  Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

  ---------------------------------------------------------------------------

  Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
  witch need to access a server terminal server on the SITE b.

  As I have no influence on where and when guests pop up in my Site.
  I would like to hide them behind a single ip address to SITE B.

  If in the event that a new hosts need access, or old hosts can be deleted,
  its as simple as the ACL or conviniently inlet remove the object from the network.

  so I guess that the acl looks like this:

  ---------------------------------------------------------------------------

  access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
  access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

  ---------------------------------------------------------------------------

  But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
  address for the translation of PAT?

  something like this he will say, it must be treated according to the policy:

  NAT (1-access VPN INVOLVED-HOST internal list)

  Now how do I do that?
  The rest of the config, I guess that will be quite normal as follows:

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set of AA peers. ABM CC. DD
  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
  outside_map card crypto 1 lifetime of security set association, 3600 seconds

  permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

  ---------------------------------------------------------------------------

  On SITE B

  the config is pretty simple:

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set of peer SITE has IP
  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
  outside_map card crypto 1 lifetime of security set association, 3600 seconds

  outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

  inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

  ---------------------------------------------------------------------------

  Thank you for you're extra eyes and precious time!

  Colin

  You want to PAT the traffic that goes through the tunnel?

  list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

  PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (inside) 1 access list PAT

  Global (outside) 1 192.168.0.3 255.255.255.255

  Then, the VPN ACL applied to the card encryption:

  list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

  Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

  The interesting thing is that traffic can only be activated from your end.

  The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

  Is that what you are looking for?

  Federico.