Is site to site VPN with sufficiently secure router?

Similar Questions

• question links to site 2 site VPN with authentication cert

  Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?

  Thank you very much!

  Hello

  You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

  Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".

  Please pass a note and mark as he corrected the post helpful!

  David Castro,

  Kind regards

• Site to site VPN with router IOS

  I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

  I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

  Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

  My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

  Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

  And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

  Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

  I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

  We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

  I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

  Thank you in advance.

  Pete.

  Pete

  I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

  -you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

  -I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

  -If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

  -I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

  -regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

  -You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

  -There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

  -I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

  I hope that your application is fine and that my suggestions could be useful.

  [edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

  HTH

  Rick

• Problems with site-to-site vpn with of the asa 2

  I tried different ways so that this works, but failed. After 8 hours, I literally have a bad headache and have to step away for a minute.  I realize I need to ping between the tunnels mentioned, but still can not to. can someone take a look and tell me where I have gone wrong?  Im trying to configure a site to site vpn between:

  ASA_A

  external interface 5.179.17.66

  inside the interface 10.1.1.1

  ASA B

  external interface 5.81.57.19

  inside the 10.1.2.1 interface

  Frist why do you have two DGs on box -

  Route outside 0.0.0.0 0.0.0.0 5.179.121.65 1

  Route outside 0.0.0.0 0.0.0.0 5.179.17.65 1

  Attach the two end then it should work.

  Thank you

  Ajay

• A Site VPN PIX501 and CISCO router

  Hello Experts,

  I have an at home test lab, I set up a site to site vpn using a router Cisco PIX501 and CISCO2691, for configurations, I have just a few links on the internet, because my background on VPN configuration is not too good, for the configuration of routers, I followed this link:

  www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...

  and for configuring pIX I just use the VPN Wizard of pix. All confgurations but ping failed. Hope you can help me with this, don't know what to do here (troubleshooting).

  Joint here is the configuration of my router, topology, as well as the pix configuration. Hope you can help me with this. Thanks in advance.

  Hi Mark,

  I went in the Config of the ASA

  I see that the dispensation of Nat is stil missing there

  Please add the following

  access-list allowed sheep ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0

  inside NAT) 0 access-list sheep

  Then try it should work

  Thank you

  REDA

• IPsec site to Site VPN on Wi - Fi router

  Hello!

  Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?

  I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

  See you soon!

  Michael

  I suspect that.

  Thank you very much for the reply.

  See you soon!

• site to site vpn with pix multiple tunnels

  Hello

  I have a vpn site-to-site between two PIX firewall tunnel.

  Is it possible to build on one side, another tunnel vpn site to site with the third PIX?

  Thank you

  Robert

  Robert

  You can use one card encryption on an interface, but you may have within your crypto card so your config sequence numbers

  The existing tunnel

  mykink1 card crypto ipsec isakmp 1

  correspondence address 1 card crypto mykink1 101

  mykink1 card crypto 1jeu peer 21.21.21.21

  mykink1 card crypto 1 set transform-set aesonly

  Your new tunnel

  mykink1 map ipsec-isakmp crypto 2

  card crypto mykink1 game 2 address "LCD number".

  mykink1 crypto map peer set 2 "new peer address.

  card crypto mykink1 2 the value transform-set "new transform set.

  card crypto mykink1 2 security association second life "number of seconds.

  You must complete the good values in the "" marks.

  Note that the sequence number is incremented by 1 in your first entry for 2 in the second entry.

  You can specify the duration of security association in the crypto map config that overrides the global settings.

  Add this config should not affect your existing tunnel.

  HTH

  Jon

• site to site vpn with ASA 5500 series SSL?

  We have routers DLink DIR - 130 5505 s ASA and PIXen, all work well with our PIX 515E, we need to replace.

  We also have Internet satellite in two places. High latency makes IPsec VPN to DLinks on these very slow sites.

  We were informed by HughesNet that a SSL VPN will mitigate some of the problems of latency.

  However, we cannot use a VPN client for the biometric timeclocks in these places, the clocks need static IP addresses and are more or less "dumb terminals".

  The machine of series 5000 ASA VPN site to site similar to OpenVPN or only the most comment client-server type SSL VPN connections?

  Thank you, Tom

  Hi Thomas,

  The SSL VPN on ASAs feature is a client/server relationship where the remote computer can connect without client (browser) or clientbased (AnyConnect) to the ASA.

  Federico.

• Site to site VPN with the VPN Client for both sites access?

  Current situation:

  Scenario is remote to the main office. Site IPSEC tunnel site (netscreen) remote in hand (506th pix). Cisco VPN Client of main office of remote access to users.

  It's that everything works perfectly.

  Problem:

  Now we want remote users who connect to the seat to also be able to access resources in the remote offices.

  This seems like it would be easy to implement, but I can't understand it.

  Thanks in advance.

  Rollo

  ----------

  #10.10.10.0 = Network1

  #10.10.11.0 = Network2

  #172.16.1.0 = vpn pool

  6.3 (4) version PIX

  access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

  access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

  splitTunnel 10.10.10.0 ip access list allow 255.255.255.0 any

  splitTunnel ip 10.10.11.0 access list allow 255.255.255.0 any

  access-list 115 permit ip any 172.16.1.0 255.255.255.0

  access-list 116 allow ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

  IP access-list 116 allow all 10.10.11.0 255.255.255.0

  access-list 116 allow ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0

  ICMP allow all outside

  ICMP allow any inside

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside 209.x.x.x 255.255.255.224

  IP address inside 10.10.10.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool 172.16.1.0 vpnpool - 172.16.1.50

  Global 1 interface (outside)

  Global (outside) 10 209.x.x.x 255.255.255.224

  (Inside) NAT 0-list of access 101

  NAT (inside) 10 10.10.10.0 255.255.255.0 0 0

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 209.x.x.x 1

  Timeout xlate 01:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  crypto dynamic-map Clients_VPN-dynmap 10 transform-set RIGHT

  35 Myset1 ipsec-isakmp crypto map

  correspondence address 35 Myset1 map cryptographic 116

  card crypto Myset1 35 counterpart set x.x.x.x

  card crypto Myset1 35 set transform-set Myset1

  Myset1 card crypto ipsec 90-isakmp dynamic dynmap Clients_VPN

  client configuration address card crypto Myset1 launch

  client configuration address card crypto Myset1 answer

  interface Myset1 card crypto outside

  ISAKMP allows outside

  ISAKMP key * address x.x.x.x 255.255.255.255 netmask No.-xauth-no-config-mode

  ISAKMP identity address

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 15

  ISAKMP policy 15 3des encryption

  ISAKMP policy 15 sha hash

  15 1 ISAKMP policy group

  ISAKMP duration strategy of life 15 28800

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 chopping sha

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 3600

  part of pre authentication ISAKMP policy 25

  encryption of ISAKMP policy 25

  ISAKMP policy 25 md5 hash

  25 2 ISAKMP policy group

  ISAKMP living 25 3600 duration strategy

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 aes-256 encryption

  ISAKMP policy 30 sha hash

  30 2 ISAKMP policy group

  ISAKMP duration strategy of life 30 86400

  vpngroup address vpnpool pool mygroup

  vpngroup dns-server dns1 dns2 mygroup

  vpngroup mygroup wins1 wins2 wins server

  vpngroup mygroup by default-domain mydomain

  vpngroup split splitTunnel tunnel mygroup

  vpngroup idle time 64000 mygroup

  mygroup vpngroup password *.

  Telnet timeout 5

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  Hi Rollo,

  You can not be implemented for a simple reason, it is not supported on the version 6.x PIX. It relies on the PIX 7.x worm but 7.x is not supported on PIX 506. Thus, in a Word, it can be reached on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or a hub as well, it can be reached.

  HTH,

  Please rate if this helps,

  Kind regards

  Kamal

• multi-site VPN with just the cisco vpn client

  Hello everyone

  Please I need your help.

  We have a headquarters office and up to 60 is BranchOffice, we want to create VPN network between its. so let's deploy 2 router cisco esy vpn server with HA (HSRP) at the Headquarters Office and all branches have Connection ADSL and they will use just the cisco vpn client to connect to the Headquarters Office.

  My question is: is it possible to do it just with the client vpn cisco without purchased for any exercise bracnh a cisco router to create an ipsec tunnel because it is so expensive?

  It depends on if the routers to offices can handle NAT with several internal VPN clients to 1 IP address. Most of the new material should be fine. Keep in mind the maximum limit of the VPN client, with 60 agencies and 5 people each of whom you are above the limit.

  Michael

  Please note all useful posts

• Site to Site VPN of IOS - impossible route after VPN + NAT

  Hello

  I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.

  Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.

  I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?

  This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)

  VPN endpoints: 10.20.1.2 and 10.10.1.2

  routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254

  From 172.31.0.x to 192.168.1.x

  !

  version 12.4

  no service button

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  hostname INSIDEVPN

  !

  boot-start-marker

  boot-end-marker

  !

  enable secret 5 xxxxxxxxxxxxxxx

  !

  No aaa new-model

  !

  !

  dot11 syslog

  no ip cef

  !

  !

  !

  !

  IP domain name xxxx.xxxx

  !

  Authenticated MultiLink bundle-name Panel

  !

  !

  username root password 7 xxxxxxxxxxxxxx

  !

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS

  !

  CRYPTOMAP 10 ipsec-isakmp crypto map

  defined by peer 10.20.1.2

  game of transformation-VPN-TRANSFORMATIONS

  match address 100

  !

  Archives

  The config log

  hidekeys

  !

  !

  LAN controller 0

  line-run cpe

  !

  !

  !

  !

  interface BRI0

  no ip address

  encapsulation hdlc

  Shutdown

  !

  interface FastEthernet0

  switchport access vlan 12

  No cdp enable

  card crypto CRYPTOMAP

  !

  interface FastEthernet1

  switchport access vlan 2

  No cdp enable

  !

  interface FastEthernet2

  switchport access vlan 2

  No cdp enable

  !

  interface FastEthernet3

  switchport access vlan 2

  No cdp enable

  !

  interface Vlan1

  no ip address

  !

  interface Vlan2

  IP 192.168.1.1 255.255.255.248

  NAT outside IP

  IP virtual-reassembly

  !

  interface Vlan12

  10.10.1.2 IP address 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  card crypto CRYPTOMAP

  !

  IP forward-Protocol ND

  IP route 192.168.2.0 255.255.255.0 192.168.1.254

  IP route 10.20.0.0 255.255.0.0 10.10.1.254

  Route IP 172.31.0.0 255.255.0.0 Vlan12

  !

  !

  no ip address of the http server

  no ip http secure server

  IP nat inside source static 172.31.0.2 192.168.1.11

  IP nat inside source 172.31.0.3 static 192.168.1.12

  !

  access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255

  access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255

  !

  !

  control plan

  !

  !

  Line con 0

  no activation of the modem

  line to 0

  line vty 0 4

  password 7 xxxxxxxxx

  opening of session

  !

  max-task-time 5000 Planner

  end

  Hi Jürgen,

  First of all, when I went through your config, I saw these lines,

  !
  

  interface Vlan2
  

  IP 192.168.1.1 255.255.255.248
  

  !

  !

  IP route 192.168.2.0 255.255.255.0 192.168.1.254
  

  !

  With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.

  Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)

  Once this has been done. We will have to look at routing.

  You are 172.31.0.2-> 192.168.1.11 natting

  
  

  Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.

  Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,

  !

  IP route 192.168.1.8 255.255.255.248 192.168.1.1

  !

  If return packets will be correctly routed toward our local router.

  If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire

  I hope I understood your scenario. Pleae make changes and let me know how you went with it.

  Also, please don't forget to rate this post so useful.

  Shamal

• Site to Site VPN - ASA 5510 / 851 router - no Sas?

  We have installed an ASA 5510, version 1.0000 software running.  In a remote area, we have a Cisco router to 851 with tunneling IPSec VPN for a PIX 515e.  I try to open a backup between the 851 and ASA connection new, and I have a problem.  I used ASDM on the side of the ASA and CCP on the side 851 and created a new VPN site to site on both, with PSK encryption algorithms, etc..  I checked the connectivity between the external interfaces of the two devices, and the associated ACLs are simple, because they allow all IP traffic on the internal side of the two devices to talk with each other.

  When I do a "crypto isakmp to show his" on the SAA, I get "there is no its isakmp.  When I do the same on the 851 router, I see only the existing connection to the PIX.  It seems that the tunnel does not run again.  I turned on debug various crypto and sent a series of pings, and I don't see any tunnel initiaion even be attempted.

  CCP has a VPN to test the tool built in to the router.  ASDM has a similar feature?  Here's the relevant configs (at least I think... the SAA is enough Greek to me):

  ASA 5510 (within the network of 10.20.0.0/16.  The perfectly functional PIX is also on this network, with a different public IP address)

   access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0 ! 
  nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16 
  !
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap crypto map ATTOutside_map 2 set peer 24.140.152.144 crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5 crypto map ATTOutside_map interface ATTOutside 
  !
  crypto isakmp enable ATTOutside crypto isakmp enable Inside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 170 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 
  !
  tunnel-group 24.140.152.144 type ipsec-l2l tunnel-group 24.140.152.144 ipsec-attributes 
  !
  
  851 router (within the 10.192.4.0/24 network)
  
  
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  !
  crypto isakmp policy 2
  encr 3des
  authentication pre-share
  group 2
  !
  crypto isakmp policy 3
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key si9bw1u8woaz address 65.42.15.142
  crypto isakmp key 123 address 12.49.251.3
  !
  !
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
  !
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to65.42.15.142
  set peer 65.42.15.142
  set transform-set ESP-3DES-SHA1
  match address 102
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to12.49.251.3
  set peer 12.49.251.3
  set transform-set ESP_3DES_MD5
  match address 102
  !
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255
  access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255
  			 
  Michael,
  Since you are using the same ACL, subnets, even and even while on your router to your VPN 1 tunnels config and 2, your second VPN tunnel will not succeed because the router already has a tunnel with the PIX for the same traffic.
  If you want to configure the ASA as peer backup scratch the second card encryption and instead, add the public IP ASA as a second peer under the original crypto configuration.
  Like this:
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to65.42.15.142
  set peer 65.42.15.142
  set peer 12.49.251.3
  game of transformation-ESP-3DES-SHA1
  
  match address 102
  
  The router will attempt to connect to the PIX and if this fails (which means that the PIX has never responded) then it will try to connect to the ASA.
  To test it, you could do either of two things: 1. taking the internet conection low PIX will make the router try to connect to the secondary host. 2: change (temporarily) on the router address peer of the PIX to a bogus IP that won't respond, when only one omits the router must try to negotiate with the ASA.
  I hope this helps.
  Raga
  		   

• 2 one-Site VPN Cisco 2801 and with crossing NAT

  Hi guys,.

  I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

  Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

  Here is a model of physics/IP configuration:

  LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

  Thank you

  Gonçalo

  Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

• Site to Site VPN using an interface to Peer and LAN

  Hello

  I have an ASA 5580 to the site to site VPN with our partner. VPN connection is through my external interface and Local for the VPN network comes from the external interface too. Is it possible to do? Thank you.

  drawing2.jpg

  

  The layout you describe is contrary to the concept of basic firewall of the approved facility and no approved interfaces (upper and lower security level).

  If your LAN is on the external interface, which is to stop remote users simply access it directly?

• Cisco ASA Site to Site VPN IPSEC and NAT question

  Hi people,

  I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

  ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

  Just an example:

  N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

  The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

  It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

  Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

  Grateful if someone can shed some light on this subject.

  Hello

  OK so went with the old format of NAT configuration

  It seems to me that you could do the following:

  • Configure the ASA1 with static NAT strategy
    • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
  • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
  • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
  • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
    • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
    • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
    • NAT (inside) 0-list of access to the INTERIOR-SHEEP
  • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
    • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

  I could test this configuration to work tomorrow but I would like to know if it works.

  Please rate if this was helpful

  -Jouni