Network layer 2 via VPN

It is possible to extend the subnet (same broadcast domain) through a VPN tunnel? For example, we have 10.1.100.X in VLAN 100 to Headquarters can we use the same VLAN and same range of IP addresses on a remote site across the VPN tunnel, if so they can forward broadcast traffic?

Siddhartha

You must look in L2 tunneling (L2TP possibly being the choice includes ipsec L2tp ovet).

Both SSL and IPsec are solutions of L3, you can share the same subnet as a LAN interface, but you may have problems with emissions depending on your configuration and the actual needs.

Tags: Cisco Security

Similar Questions

If a PC with a DHCP server is connected via VPN, with her serve IP addresses on the tunnel?

Situation: we have a few portable computers test Ubuntu running DHCP servers. We need get the updates and other changes in corporate network sometimes. Today, we turn off the DHCP server, set up to get an IP via DHCP (besides) and make our updates.

Problem: we do not want someone accidentally connect the laptop to the corporate network, while its DHCP server is running.

Question: so, if we go via wifi using a Cisco VPN client, the DHCP server IP addresses above the tunnel?

Thanks for reading.

N ° DHCP uses layer 2 broadcasts to disseminate IP addresses. Because your clients are connected via VPN, there is no contiguity of layer 2. The only way he would accidentally do it is if you have configured an address to support IP dhcp as one of your VPN clients on the network, which I imagine you wouldn't.

Customer remote cannot access the server LAN via VPN

Hi friends,

I'm a new palyer in ASA.

My business is small. We need to the LAN via VPN remote client access server.

I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.

Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.

Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.

Who can help me?

Thank you very much.

The following configuration:

ASA Version 7.0(7)
!
hostname VPNhost
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 221.122.96.51 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.42.199 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns domain-lookup inside
access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
access-list allow_PING extended permit icmp any any inactive
access-list Internet extended permit ip host 221.122.96.51 any inactive
access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.43.10-192.168.43.20

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 access-list PAT_acl
route outside 0.0.0.0 0.0.0.0 221.122.96.49 10

username testuser password 123
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3

no sysopt connection permit-ipsec
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 3600
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *
telnet timeout 5

ssh timeout 10
console timeout 0

: end

Topology as follows:

Hello

Configure the split for the VPN tunneling.

Create the access list that defines the network behind the ASA.

ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

Mode of configuration of group policy for the policy you want to change.

ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#

Specify the policy to split tunnel. In this case, the policy is tunnelspecified.
```
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified 
```

Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.

ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

Type this command:

ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes

Associate the group with the tunnel group policy

ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn

Leave the two configuration modes.

ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#

Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.

Kind regards
Abhishek Purohit
CCIE-S-35269

Help blocking smart devices of via VPN

Hello

I am looking for a solution block smart devices to connect to our network via VPN. Our VPN solution today is ASA5520, and we use Cisco ACS to authenticate the user. We use Cisco VPN client only, no anyconnect or SSL VPN.

Managment is looking for a way that we can stop the smart devices of using VPN clients to connect and allow only desktop computers laptops to connect.

Someone at - there a way we can do this through association or another method?

Worring - I block iPhones & iPad around my overall networkwith 100% accuracy with a few simple lines of config: -.

Group Policy <> attributes

client-access-rule 1 deny version of type 'iPhone OS. "

2-client-access rule allow type * version *.

As it actually works on the OS - not the version of the Cisco VPN Client device.

Financial reports - 11.1.2.1 client - connects via VPN only?
Hello

When I'm directly connected to the network or connected via their intranet wireless, I can connect to fin reports customer of Studio. However, if I train via VPN (Juniper), he returns with a message: you are not authorized to access. Please contact your system administrator. It is a mistake to end too many reports? Any ideas why/how this could happen?
It is possible that your VPN is not open ports that you can use EN Studio.

See you soon

John
http://John-Goodwin.blogspot.com/

Cannot connect remotely via VPN since installing the new modem/router

Can anyone help please. Since the acquisition of a new router / modem I can no longer connect via VPN to my work PC remotely. It comes in I receive the error message. Can someone tell me if I need to change the settings for the new modem / router to access?

Hello Joanna,

Here are the steps you need to do first:
1. Off static IP for my server and let the router assign IP address and changed the IP address of the port forward.
2. Check the IP address because obviously, that changed when you plugged into the router again.
3. Updated to the latest firmware for the router and NIC.
For more detailed troubleshooting you can refer to this link: troubleshooting common VPN related errors.

Let us know how it goes.

Programmatic access to remote files via VPN on Playbook

Hello

It is technically possible to download remote files via VPN programmatically?

I can't find any documentation on this topic.

Thank you

Oh, not... I don't think it's possible.

Check sensor SFR with FireSight via VPN - does not work

Hello security experts.

I have an ASA5515-X with SFR installed 5.4.0 and manage with 5.4 FireSight installed on the virtual machine on LAN and I record the sensor without any problem but when I try to register the sensor to FireSight via VPN I can't do. The interface on the ASA management has no intellectual property nor nameif configured and the interface is connected to the switch, SFR has the IP even configured as LAN addressing. I can see traffic being exchanged between the sensor and the FireSight but I can't save the sensor.

Has anyone managed to register the sensor via VPN? Is there something else to be configured in order to save the sensor with the MC via the VPN?

The delay between the Firesight and the sensor (on WAN and VPN) I get between 80 and 100 ms, what could be the problem?

Thank you very much!

Remi

Hello

If you are unable to telnet from DC to the sensor on the port 8305 delivers connectivity then.

Can try you to ping from sensor to DC:
```
ping -M do -c 20 -s 1572 
```
By default, the MTU is 1500 on eth0, if the ping does not work I will suggest to lower the MTU on the interface and see if it works. See also: / var/log/messages | grep sftunnel and see the error messages on DC and sensor and send it to me everywhere. Best regards, Aastha Bhardwaj rate if this is useful!

ASA5505 management via VPN/Anyconnect without group

I have 2 questions about the configuration of the SAA.

The first is related to the SSL VPN configuration. Just one group of users to which you connect to our main office via remote access. Is there a way to configure SSL VPN to not display a group selection?

I have the omission of the list of the groups-tunnel-enable command and configuration group on user accounts locking, but neither work.

Secondly, I am at a loss on how to configure ssh to allow users connected via VPN connections. I guess:

SSH 172.16.1.0 255.255.255.0 inside

with 172.16.1.0 24 is the ip pool assigned to remote access vpn users would do so, however, it's a no go. How can users of remote access (which are for the most part, all technicians) granted the possibility to connect to the device?

Thanks for your help.

To be able to manage the ASA via SSH via a VPN tunnel, you will need to enter the configuration command "in man".

Is VLAN via VPN possible with any of the Small Business routers?

A tagged VLAN (for voice) will be routed through a VPN gateway to gateway on any of the Small Business routers, such as the SA520? This router is equipped

Parameters of VLAN Trunking.

No, it is not possible to send traffic to vlan via VPN on a series of SA500, but you can create a tunnel for each subnet, you need to pass traffic.

hope this helps,

Jasbryan

How to allow access to a local area network behind the cisco vpn client

Hi, my question is about how to allow access to a local area network behind the cisco vpn client

With the help of:
- Cisco 5500 Series Adaptive Security Appliance (ASA) that is running version 8.2 software
- Cisco VPN Client version 5.0 software
Cisco VPN client allows to inject a local routes in the routing table Cisco ASA?

Thank you.

Hi Vladimir,.

Unfortunately this is not a supported feature if you connect through the VPN Client. With VPN Client, that the VPN Client can access the VPN Client LAN host/local machine, not host from the local network to business as customer VPN is not designed for access from the local company network, but to the local corporate network.

If you want to access from your local business to your LAN network, you need to configure LAN-to-LAN tunnel.

Unable to access company LAN via VPN

Hello

I have an ASA 5505 that I used to test run them the IPSec VPN connection after having studied the different configs and crossing the ASDM I get the same question that I can not receive any traffic.

The company LAN is on a 10.8.0.0 255.255.0.0 network, I placed the VPN clients in 192.168.10.0 255.255.255.0 network, 192 clients may not speak on the 10.8 network.

On the Cisco VPN client, I see a lot of packets sent but no receipt.

I think it could be to do with NAT, but the examples I've seen I think it should work.

I have attached the complete running-config, I might well have missed something.

Thanks a lot for all the help on this...

FWBKH (config) # show running-config

: Saved

:

ASA Version 8.2 (2)

!

hostname FWBKH

test.local domain name

activate the encrypted password of XXXXXXXXXXXXXXX

passwd encrypted XXXXXXXXXXXXXXXX

names of

name 9.9.9.9 zscaler-uk-network

name 10.8.50.0 Interior-network-it

Interior-nameservers 10.8.112.0

name 17.7.9.10 fwbkh-output

name 10.8.127.200 fwbkh - in

name 192.168.10.0 bkh-vpn-pool

!

interface Vlan1

nameif inside

security-level 100

IP fwbkh 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

IP fwbkh-out 255.255.255.248

!

interface Vlan3

nameif vpn

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

Shutdown

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

Shutdown

!

banner intruder connection will be shot, survivors will be prosecuted!

Banner motd intruder will be Shot, survivors will be prosecuted!

banner intruder asdm will be Shot, survivors will be prosecuted!

boot system Disk0: / asa822 - k8.bin

passive FTP mode

DNS server-group DefaultDNS

test.local domain name

DM_INLINE_TCP_2 tcp service object-group

port-object eq www

EQ object of the https port

DM_INLINE_UDP_1 udp service object-group

port-object eq 4500

port-object eq isakmp

object-group Protocol DM_INLINE_PROTOCOL_1

ip protocol object

icmp protocol object

object-protocol udp

inside_access_in list extended access permitted tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 journal of inactive warnings

inside_access_in list allowed extended access computer-network-inside ip 255.255.255.0 any idle state

inside_access_in list extended access permitted tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www

inside_access_in list extended access allowed inside-servers ip 255.255.255.0 log warnings

list of access USER-ACL extended permitted tcp 10.8.0.0 255.255.0.0 any eq www

list of access USER-ACL extended permitted tcp 10.8.0.0 255.255.0.0 any https eq

outside_nat0_outbound list allowed extended access bkh-vpn-pool ip 255.255.255.0 10.8.0.0 255.255.0.0

outside_access_in list extended access permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 errors in the inactive log

inside_nat0_outbound list extended access allowed object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any

inside_nat0_outbound_1 to access extended list ip 10.8.0.0 allow 255.255.0.0 255.255.255.0 bkh-vpn-pool

UK-VPN-USERS_splitTunnel of the access list extended ip 10.8.0.0 allow 255.255.0.0 255.255.255.0 bkh-vpn-pool

UK-VPN-USERS_splitTunnel to the list of allowed extensive access inside-servers 255.255.255.0 bkh-vpn-pool ip 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 VPN

mask UK-VPN-POOL 192.168.10.10 - 192.168.10.60 255.255.255.0 IP local pool

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 631.bin

don't allow no asdm history

ARP timeout 14400

NAT-control

Global (inside) 1 interface

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound_1

NAT (inside) 1 10.8.0.0 255.255.0.0 dns

NAT (0 outside_nat0_outbound list of outdoor outdoor access)

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 17.7.9.10 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

Enable http server

http 10.8.0.0 255.255.0.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint BKHFW

registration auto

name of the object CN = FWBKH

Configure CRL

encryption BKHFW ca certificate chain

certificate fc968750

308201dd a0030201 30820146 020204fc 96875030 0d06092a 864886f7 0d 010105

310e300c b 05003033 06035504 03130546 57424, 48 3121301f 06092 has 86 4886f70d

ccc6f3cb 977029d 5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb

7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c 53 f2

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 10.8.0.0 255.255.0.0 inside

SSH timeout 30

SSH version 2

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

strategy of UK-VPN-USERS group internal

UK-VPN-USERS group policy attributes

value of 10.8.112.1 DNS server 10.8.112.2

Protocol-tunnel-VPN IPSec svc

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value UK-VPN-USERS_splitTunnel

test.local value by default-field

the address value UK-VPN-POOL pools

attributes of Group Policy DfltGrpPolicy

VPN-tunnel-Protocol webvpn

username admin encrypted XXXXXXXXXXXXXXXXX privilege 15 password

karl encrypted XXXXXXXXXXXXXXX privilege 15 password username

type tunnel-group UK-VPN-USERS remote access

attributes global-tunnel-group UK-VPN-USERS

Address UK-VPN-POOL-pool

Group Policy - by default-UK-VPN-USERS

tunnel-group USERS of the UK VPN-ipsec-attributes

pre-shared key *.

type tunnel-group IT - VPN remote access

General attributes of IT - VPN Tunnel-group

Address UK-VPN-POOL-pool

Group Policy - by default-UK-VPN-USERS

tunnel-group IT - VPN ipsec-attributes

pre-shared key *.

!

ALLOW-USER-CLASS of the class-map

corresponds to the USER-ACL access list

type of class-card inspect all http ALLOW-URL-CLASS match

match without the regex ZSGATEWAY ALLOW request headers

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

type of policy-card inspect http ALLOW-URL-POLICY

parameters

ALLOW-URL-class

drop connection

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

Review the ip options

Policy-map ALLOW-USER-URL-POLICY

ALLOW-USER-class

inspect the http

!

global service-policy global_policy

USER-URL-POLICY-ALLOW service-policy inside interface

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:00725d3158adc23e6a2664addb24fce1

: end

Hi Karl,

Please, make the following changes:

local IP VPN_POOL_UK_USERS 192.168.254.1 pool - 192.168.254.254

access extensive list 10.8.0.0 ip inside_nat0_outbound_1 255.255.0.0 allow 192.168.254.0 255.255.255.0

!

no nat (0 outside_nat0_outbound list of outdoor outdoor access)

!

UK-VPN-USERS_SPLIT of the allowed access list 10.8.0.0 255.255.0.0

!

UK-VPN-USERS group policy attributes

Split-tunnel-network-list value UK-VPN-USERS_SPLIT

!

No UK-VPN-USERS_splitTunnel scope 10.8.0.0 ip access list do not allow 255.255.0.0 255.255.255.0 bkh-vpn-pool

No list of UK-VPN-USERS_splitTunnel extended access not allowed inside-servers 255.255.255.0 bkh-vpn-pool ip 255.255.255.0

!

inside_access_in to access extended list ip 10.8.0.0 allow 255.255.255.0 192.168.254.0 255.255.255.0

!

management-access inside

******'

As you can see, I have create a new pool, since you already have an interface in the 192.168.10.0/24 network, which affects VPN clients.

Once you have finished, connect the client and try:

Ping 10.8.127.200

It work?

Try to ping so another internal IP.

Let me know how it goes.

Portu.

Please note all useful posts

Post edited by: Javier Portuguez

How to implement a local SOA/BPM project using remote resources via VPN

Hello world
Sorry for the dummy question, but I am a beginner and I'm in trouble with this problem.
This is the scenario: I have to carry a BPM project using JDev 11.1.1.7 on my local environment and then deploy them on remote servers via VPN where a development environment is configured.
All services are on remote servers.
My question is: what I put up in my local environment?
1 DB connection (distance connettion)
2 configuration of MDS to share components?
3 WebLogic server?
3. what else?
Any link o idea to share?
Thank you.
Fairlie

Hello

If you need to deploy and test in your front room to deploy remotely, then you will need to set up all the people in your premises + SOA Suite... If you need to do is put on your local, but can check remotely, you only JDev and connections...

See you soon,.

Vlad

Network layer stops working randomly

Hi all
We have a very strange problem since upgrade to a fromESXi of Fujitsu ground RX300 S5 Server (48 GB of RAM) 5.1 to 6.0.
Almost every morning from 7 to 20:00 the network layer of the machine stops working. That is the whole network of physics
Server is off, no link with possible virtual machine either.
Restarting the console network does not help, but I guess that the virtual machine is always high and online since the clanking of the virtual machine
the hypervisor console works.
Newspapers are not very complete, we are now trying to find out what exactly causes the network layer to stop working.
There is another ESXi Server works perfectly (so far) with 6.0 in our network, material is mostly the same, running the
same network switch.
Here, someone has an idea what might in fact cause this behavior?

So I put the new NETWORK card in the machine on Friday, we'll see what happens.

/ e: Okay, it's now a week since the latest incident and the installation of a new network card. With all caution I'll declare this as resolved, the new map seems to work.

Cannot access remote network via VPN

Hello

I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
There is also a public oriented Web server in the office which must be accessible.

I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

I'm quite puzzled as to why it does not work. Please could someone help.

The results of tests and the router configuration are listed below. Please let me know if you need additional information.

Thank you and best regards,
Simon

1. routing on the router table
Router #sh ip route
Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
C XXX.yyy.zzz.192 is directly connected, Vlan10
GGG.hhh.125.0/32 is divided into subnets, subnets 1
C GGG.HHH.125.34 is directly connected, Dialer0
172.16.0.0/32 is divided into subnets, subnets 1
S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
> ping 172.16.100.1
Ping 172.16.100.1 with 32 bytes of data:
Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
> ping 172.16.100.10
Ping 172.16.100.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

4. ping the router to the successful local server
router #ping 172.16.100.10
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

5 see the version
Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
the availability of router is 1 hour, 9 minutes
System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN basic rate interface
Configuration register is 0 x 2102

6. router Config
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto ASI_Group
key mykey
DNS aaa.bbb.cccc.ddd
domain mydomain.com
pool VPN_Pool
ACL VPN_ACL
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
!
crypto dynamic-map 10 DYNMAP
game of transformation-TS1
market arriere-route
!
!
list of authentication of VPN client VPN crypto card
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
!
!
!
IP cef
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
username admin privilege 15 password mypassword
Archives
The config log
hidekeys
!
!
!
!
!
interface FastEthernet0
WAN description
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
!
interface FastEthernet2
Description Public_LAN_Interface
switchport access vlan 10
full duplex
Speed 100
!
FastEthernet6 interface
Description Private_LAN_Interface
switchport access vlan 100
full duplex
Speed 100
!
interface Vlan1
no ip address
!
interface Vlan10
Public description
IP address xxx.yyy.zzz.193 255.255.255.248
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Vlan100
172.16.100.1 IP address 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Dialer0
IP unnumbered Vlan10
no ip unreachable
IP mtu 1452
IP virtual-reassembly
encapsulation ppp
no ip mroute-cache
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname myhostname
PPP chap password mychappassword
PPP ipcp dns request accept
failure to track PPP ipcp
PPP ipcp address accept
VPN crypto card
!
IP pool local VPN_Pool 172.16.100.50 172.16.100.60
!
!
no ip address of the http server
no ip http secure server
!
VPN_ACL extended IP access list
IP 172.16.100.0 allow 0.0.0.255 any
!
Dialer-list 1 ip protocol allow
not run cdp
!
!

Simon,

Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.

Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like

IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255

Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

I hope this helps.

Luis Raga

Network layer 2 via VPN

Similar Questions

Maybe you are looking for