PIX: Dial-in routing through a different VPN

Here's the scenario: I have 2 PIX firewalls on different sites, each connected to the internet with public IP addresses (PIX A and PIX B).

There is a permanent site-to-site VPN between the two, and there is a clear separation of subnets between the two sites (the internal network behind PIX A is 10.10.4.0/24 and the internal network behind PIX B is 192.168.0.0/16).

I created dial-in VPDN access on PIX A for laptops to dial in via VPN; it currently allows access to the subnet 10.10.4.0/24 without problem.

Now I need these laptop users, when connected via the VPN to PIX A, to be able to access the other remote site as well, i.e. the subnet 192.168.0.0/16, by routing through the site-to-site VPN to PIX B.

Is this possible? I would be grateful to anyone who helps with that. Thank you...

This is currently not possible on the PIX, as the PIX will not route traffic back out the same interface it came in on.

This feature will be available in the upcoming v7.0 release, which is currently in beta, so look out for it and you'll be ready to go.
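As an added illustration that is not part of this thread, the configuration below shows what the hairpin ("U-turn") setup looks like once a PIX/ASA release with the same-security-traffic feature (7.0 and later) is in place. The pool range 10.10.5.0/24 and the names RA_POOL, L2L_TO_B, L2L_TO_A, OUTSIDE_NONAT, RA_SPLIT and RA_POLICY are assumed, and the site-to-site crypto ACLs are assumed to be the existing ones from the tunnel between the two PIXes.

```cisco
! --- PIX A (dial-in side, 10.10.4.0/24 behind it) ---
! Let traffic that arrives on "outside" (dial-in clients) leave again on
! "outside" (site-to-site tunnel to PIX B). Without this the PIX drops it.
same-security-traffic permit intra-interface

! Assumed address pool for the dial-in clients (not stated in the thread).
ip local pool RA_POOL 10.10.5.1-10.10.5.50 mask 255.255.255.0

! Crypto ACL of the existing site-to-site tunnel to PIX B (assumed name):
! the client pool must be "interesting" traffic in addition to the LAN.
access-list L2L_TO_B extended permit ip 10.10.4.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list L2L_TO_B extended permit ip 10.10.5.0 255.255.255.0 192.168.0.0 255.255.0.0

! Hairpinned client traffic enters and leaves on "outside", so its NAT
! exemption is bound to that interface, not to "inside".
access-list OUTSIDE_NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (outside) 0 access-list OUTSIDE_NONAT

! The split-tunnel list pushed to the clients must include site B, or the
! client sends 192.168.0.0/16 traffic in the clear via its own gateway.
access-list RA_SPLIT standard permit 10.10.4.0 255.255.255.0
access-list RA_SPLIT standard permit 192.168.0.0 255.255.0.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! --- PIX B (192.168.0.0/16 behind it) ---
! Mirror image of the crypto ACL: the client pool must be a permitted
! destination here too, otherwise phase 2 will not come up for it.
access-list L2L_TO_A extended permit ip 192.168.0.0 255.255.0.0 10.10.4.0 255.255.255.0
access-list L2L_TO_A extended permit ip 192.168.0.0 255.255.0.0 10.10.5.0 255.255.255.0
! And the pool must be NAT-exempt on PIX B's inside as well.
access-list INSIDE_NONAT extended permit ip 192.168.0.0 255.255.0.0 10.10.5.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
```

With a tunnelall policy the RA_SPLIT list is unnecessary, but the crypto ACL and NAT exemption changes still apply on both sides.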

Tags: Cisco Security

Similar Questions

  • Routing Internet access through an IPsec VPN tunnel

    Hello

    I installed an IPsec VPN tunnel for a friend's business. At his home office I installed a Cisco SA520 and at the remote site I have a Cisco RVS4000. The IPsec VPN tunnel works very well. From the remote site it can reach all of the workstations and peripherals. I configured the RVS4000 in router mode as opposed to bridge mode. The home office subnet is 192.168.1.0/24 while the remote site subnet is 192.168.2.0/24. The SA520 is configured as the Internet gateway for the headquarters at 192.168.1.1. The remote site has a gateway of 192.168.2.1.

    I need to configure the remote site so that all Internet traffic is routed via the home office. I have to make sure that whatever is plugged into the Ethernet port on the RVS4000 will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device at headquarters from the remote site, but I can't ping anything beyond the gateway (192.168.1.1) at the home office.

    Any help would be greatly appreciated.

    Thank you.

    Hi William, the RVS4000 does not support wild-card tunnel or ESP forwarding.

  • PPTP VPN through a Cisco IOS router

    Hi all

    I was wondering if there is a trick to get PPTP to work through a Cisco router. It did in fact work at some point, but I don't remember what has changed over time... However, it no longer works.

    Current configuration includes:

    * CBAC applied inbound and outbound on the Internet interface (I needed to add inbound to fix a problem with passive-mode FTP not working on an FTP server hosted behind this router)

    * CBAC inspects, among other things, PPTP

    * ACL applied inbound on the Internet interface; GRE and TCP 1723 permitted from any IP

    * No other ACL on the router

    * IOS 15.0(1)

    * Inbound NAT configuration for TCP 1723 (currently using the WAN IP address)

    One thing I saw while troubleshooting was "IKE Dispatcher: IKEv2 version 2 detected, dropping packet!" - but I think that is a misleading log message (the router is set up as in the Cisco VPN configuration example).

    The server is definitely okay - we are able to connect over the PPTP VPN from the local network to the server. So I think it's some sort of NAT problem, because I don't see anything dropped by the firewall.

    Anyone able to point me in the right direction?

    Thank you

    Hello

    Thanks for the "sh run". Could you change the following:

    ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 route-map sheep reversible

    to this:

    ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 extendable

    It would be prudent to make this change (removing the route-map) at a time when no one is connected to the server via the PPTP VPN.

    Let me know.

    Kind regards

    ANU

    P.S. Please mark this question as answered if it was resolved. Rate helpful posts. Thank you!

  • Routing through a VPN.

    I was wondering if anyone knew a good article explaining how routing via a VPN works.

    If you have an SSL VPN and these are the lines in the routing table:

    ----------------------------------------------------------------------------------------

    route outside 0.0.0.0 0.0.0.0 204.90.21.1 1

    route inside xxxx 255.255.255.255 172.18.0.1 1

    route inside 204.110.220.0 255.255.240.0 172.18.0.1 1

    route inside 204.110.250.0 255.255.255.0 172.18.0.1 1

    The VPN works great, but I'm just wondering how it is possible to connect to the VPN and then successfully ping 192.168.1.1 or 204.110.210.0 when there is no route in the routing table of the ASA.

    Maybe I just don't understand how routing via the VPN through the ASA works, so to speak.

    Well, basically once the VPN client establishes a connection to the VPN server, if traffic matches the networks pushed by the server, the traffic gets encrypted and sent to the VPN peer using the client's default gateway.

    The VPN server or peer receives the packet, decrypts it and then sends it on to the printer.

    The routing part works the same; the only difference is that the packet traverses the Internet encrypted.

  • Routing issue after establishing VPN

    Hello

    I have configured VPDN on a Cisco router and it works well; I can dial in fine from an external Windows VPN client. But I cannot access all the servers behind my router. I can ping only the internal IP address of the router (10.2.1.1).

    I have two subnets, 10.1.1.0 and 10.2.1.0, that I need to access via VPN.

    Current configuration: 6253 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime show-timezone msec
    service timestamps log datetime localtime show-timezone msec
    service password-encryption
    service sequence-numbers
    !
    hostname wrmelgw
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    enable secret 5 *
    !
    no aaa new-model
    clock timezone PCTime 10
    clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-860329787
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-860329787
     revocation-check none
     rsakeypair TP-self-signed-860329787
    !
    !
    crypto pki certificate chain TP-self-signed-860329787
     certificate self-signed 01
      quit
    dot11 syslog
    no ip source-route
    ip cef
    ip dhcp excluded-address 10.2.1.1 10.2.1.99
    !
    !
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    !
    !
    username * privilege 15 secret *
    username vpn password *
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key QnrpzdFI address *
    crypto isakmp keepalive 30 5
    !
    !
    crypto ipsec transform-set vpn-ts esp-3des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
     set peer *
     set transform-set vpn-ts
     match address sydLAN
    !
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     description $FW_OUTSIDE$$ES_WAN$
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
     description Inside
     switchport access vlan 100
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
     ip unnumbered Vlan1
     peer default ip address pool vpn
     no keepalive
     ppp encrypt mppe auto required
     ppp authentication ms-chap ms-chap-v2
    !
    interface Vlan1
     description Data VLAN
     ip address 10.2.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
    !
    interface Vlan100
     description VoIP VLAN
     no ip address
    !
    interface Dialer0
     ip address 203.*.*.* 255.255.255.0
     ip access-group dry in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname *
     ppp chap password 7 *
     crypto map rtp
    !
    ip local pool vpn 10.2.1.70 10.2.1.85
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 203.45.89.1
    ip route 10.1.0.0 255.255.0.0 10.2.1.254
    !
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.2.2.201 80 interface Dialer0 8001
    ip nat inside source static tcp 10.2.2.200 80 interface Dialer0 8008
    ip nat inside source route-map VPN-sheep interface Dialer0 overload
    ip nat inside source static tcp 10.2.2.200 8000 203.45.89.182 8000 extendable
    !
    ip access-list extended SHEEP
     deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
     permit ip 10.2.1.0 0.0.0.255 any
     permit ip 10.2.2.0 0.0.0.255 any
    ip access-list extended dry
     permit tcp any any eq 1723
     permit icmp any any
     permit tcp any any established
     permit icmp any any echo-reply
     permit icmp any any echo
     permit icmp any any time-exceeded
     permit icmp any any ttl-exceeded
     permit icmp any any unreachable
     permit tcp any any eq 22
     permit esp any any
     permit udp any any eq non500-isakmp
     permit udp any any eq isakmp
     permit gre any any
     permit ahp any any
     permit tcp any host 203.45.89.182 eq 8000
     permit tcp any host 203.45.89.182 eq 8001
     permit tcp any host 203.45.89.182 eq 8008
     deny   ip any any log
    ip access-list extended sydLAN
     permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
    !
    logging trap debugging
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    route-map VPN-sheep permit 1
     match ip address SHEEP
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user.^C
    !
    line con 0
     login local
     no modem enable
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    You want to reach 10.1.1.0 and 10.2.1.0.

    The router has this route:
    ip route 10.1.0.0 255.255.0.0 10.2.1.254
    and this interface:
    interface Vlan1
     ip address 10.2.1.1 255.255.255.0

    This means that for the VPN client to reach 10.1.0.0/24, you need a route to the VPN pool on the device 10.2.1.254 (I guess another router).

    Also, please make sure that you have made the ACL changes from my first post.

    I'm not sure I understand this: "just to let you know that 10.2.1.0 is the directly connected network and there is an IPsec tunnel between 10.2.1.0 and 10.1.1.0 (perhaps that helps)"

    So far I see that 10.1.1.0 is reachable through 10.2.1.254, so you need a route on that router to reach the VPN pool.

    Example of a route on 10.2.1.254:

    ip route 10.2.1.x MASK 10.2.1.1 --> route to reach the VPN pool via the router's inside IP

    Federico.

  • Remote monitoring of PIX over IPsec site-to-site VPN

    I have a few PIX 501s that connect through site-to-site VPN. We use Orion NPM and I can't add them for monitoring. I was able to add remote routers that connect through site-to-site VPNs. I guess that the PIX security/NAT rules prevent that. The configuration of the remote PIX is attached.

    You need this on the 2800...

    access-list 131 permit ip host 172.16.30.19 host 24.172.234.126

  • Routing problem between the VPN client and the router's Ethernet interface

    Hello

    I have a Cisco 1721 in a test environment.

    A network 172.16.0.0/19 simulates the Internet and a network 192.168.1.0/24 simulates the network the VPN tunnel must go to (intranet).

    The 172.16.0.0 network hangs off the router's FastEthernet 0; the intranet (VPN) hangs off Ethernet 0.

    The configuration was inspired by the sample configuration "Configuring the Cisco VPN Client 3.x for Windows to IOS using Local Extended Authentication" and the output of the ConfigMaker configuration.

    Authentication and logon work. The client receives an IP address from the pool. But there's a routing problem on the router side. Pinging from the client side does not work (the VPN client statistics count encrypted packets, but no decrypted ones).

    Pinging the router works, though, and both the encrypt and decrypt counters in the VPN client statistics increase (the client has a correct route and the router returns the ICMP packets).

    The question now is: how do I route packets between the tunnel and an Ethernet interface (Ethernet 0)?

    The router conf is attached - hope that's not too much...

    Thanks & regards

    Thomas Schmidt

    -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    !
    hostname *moderator edit*
    !
    enable secret 5 *moderator edit*
    !
    !
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    ! only for the test...
    !
    username cisco password 0 *moderator edit*
    !
    ip subnet-zero
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group 3000client
     key cisco123
     pool ippool
    !
    ! We do not want split tunneling
    ! ACL 108
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Ethernet0
     no shutdown
     description connected to VPN
     ip address 192.168.1.1 255.255.255.0
     full-duplex
     ip access-group 101 in
     ip access-group 101 out
     keepalive 10
     no cdp enable
    !
    interface Ethernet1
     no shutdown
     ip address 192.168.3.1 255.255.255.0
     ip access-group 101 in
     ip access-group 101 out
     full-duplex
     keepalive 10
     no cdp enable
    !
    interface FastEthernet0
     no shutdown
     description connected to the Internet
     ip address 172.16.12.20 255.255.224.0
     speed auto
     keepalive 10
     no cdp enable
    !
    ! This access group is also only for test cases!
    !
    no access-list 101
    access-list 101 permit ip any any
    !
    ip local pool ippool 192.168.10.1 192.168.10.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.12.20
    ip pim bidir-enable
    !
    line con 0
     exec-timeout 0 0
     password 7 *moderator edit*
    line aux 0
    line vty 0 4
    !
    end
    ^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-

    Thomas,

    I hesitate to point out something that might be there but that I don't see here: you do not have the crypto map applied to any of the interfaces; perhaps it was not copied. Judging by your description you do have it, or should have it, applied to fa0, and you are connected. How are you trying to ping? From the router or from a device on E0? If you ping from the router, you will need to do an extended ping sourced from E0 to the IP address the client was assigned. If you just ping from the router without the extended options, you will get the encrypts and decrypts that you report on the client. Have you tried to ping interface E0 from the client? Is your default route on the router pointing to fa0? Do you have a next hop to use? Do you have several NICs on the client PC? If you have more than one, turn off your other network cards to check that you don't have a routing problem on the client.

    Kurtis Durrett

  • AAA authentication for an external router through PIX 515

    I have been trying in vain to get AAA authentication to work for my external router, through the PIX.

    When I connect the router directly to the inside network (bypassing the PIX), AAA works fine, so I know the AAA configuration works between the router and the ACS server.

    Initially, I had the PIX configured with a static mapping between a global external address 192.x.x.12 and the ACS server's local address 10.200.1.187, but that didn't work either. So currently I am using NAT exemption for the ACS server, but that does not work either.

    If I enable packet debugging on the PIX, I see the ACS authentication request and response between the router and the ACS when I try to log in to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ack, and then the ACS sends an RST.

    The attached diagram shows the simple connection that I'm trying to create.

    The configuration of the PIX is also attached (the message was too large):

    Thanks in advance for your help. I have tried for two days and have not found solutions that look like this.

    Ron Buchalski

    What to do is:

    1. PIX:

    - statically map the ACS/TACACS+ server to a public IP address:

    static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255

    - otherwise, if you do not have enough public IPs, use port forwarding to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, on the specific port TCP 49:

    static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255

    * allows the ACS to talk to the external router via the public IP

    Create/add an entry in the ACL applied to the outside interface to allow the TACACS+ protocol from the external router to the ACS:

    access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49 (TACACS+ uses TCP 49)

    access-group outside in interface outside

    * x.x.x.1 = the outside router

    2. ACS

    - Add the outside router's IP (the FastEthernet interface facing the PIX outside interface) as an AAA client

    - Make sure the secret key is identical on the ACS and the router

    3. The outside router

    - Add the ACS as radius-server using its public IP, as mapped in the PIX, which is x.x.x.10.

    - Check that the AAA key statement is accurate.

    Test on the outside router without saving the config. Save once confirmed OK.

    I have done a similar setup before, and it worked very well.

    Pls rate all useful post(s)

    AK

  • Need to create a different S2S VPN on the same ASA5505

    Hi Experts,

    I need to create a second VPN on the same ASA5505; it already has a VPN to one of our customers. So it already has a transform set, a crypto map and a policy.

    Now I need to create a new one. I would like to create a separate transform set and crypto map for this 2nd VPN with a new name, to troubleshoot issues very easily.

    But I have doubts, as it may affect the current VPN? Because it has a different VPN with another transform set and crypto map...

    So, I have the following questions...

    (1) Will it affect the current VPN?

    (2) Do I need to create a separate transform set and crypto map? Or use the same transform set and crypto map with a different number...

    If it is possible to create several crypto maps, then I would like to know how to create them...

    regards

    Vipin

    (1) You must use the same crypto map name with a different sequence number. You cannot use a new name for the crypto map. However, if you want to easily identify the new VPN, just name your transform set and crypto ACL with the new VPN name.

    (2) You can use the same transform set if the second VPN has the same policy as the first VPN. You definitely have to use the same crypto map name with a different sequence number, since you cannot create a new crypto map name.

    Hope that answers your question.

  • Cannot access my router's configuration page through Internet Explorer

    I need to set up port forwarding on my router. My internet connection works (even if it drops occasionally) and I can also connect to other computers on my network. However, I cannot access my router's page through IE (I get a message saying: page not found). When I go to see the map in the Vista network options, the router is not displayed, and when I click on "See the whole map", I get a message saying that Windows cannot detect any computers or devices.

    My connection to the router is up, and it is a Linksys WRT54G. Any ideas how I can see my router or get to its configuration page? Another thing: I went to CMD and the ping command returns a default gateway of 192.168.1.1, which is the address I am using for the web page.

    Thanks for any help.

    Hi JBHPUser,

    (a) Other than the router configuration page, are you able to access other websites?

    (b) What operating system and Internet Explorer version do you use?
     
    This article can be very useful.
     
    You receive an error message in Internet Explorer: "Internet Explorer cannot display the webpage".
    http://support.Microsoft.com/kb/956196
     
    You can also access these links, which are primarily for Windows Vista but also apply to Windows 7.

    Aziz Nadeem - Microsoft Support

  • What happens if I am connected to the internet through two different sources or more?

    What happens if I am connected to the internet through two different sources or more?

    You get Internet from two sources. What did you expect to happen?

    It does not double the speed or anything...

  • PIX routing with two routers

    My scenario: my PIX has five interfaces. Interface E0 connects to the "Main router", interface E1 connects to the "Partner router", interface E3 connects to the 'Server Zone' and interface E4 connects to the 'Client area'.

    My problem is that the 'Partner router' takes care of network 172.16.1.0/24 and they use the 10.0.1.0/24 service behind the "Main router", and I configured the default route of the 'Partner router' to the PIX, the same as the "Main router".

    I have configured routes on the PIX:

    route main 10.0.1.0 255.255.255.0 "main router"

    route partner 172.16.1.0 255.255.255.0 "partner router"

    Can I do this? Can the PIX route it?

    What you have listed above should be fine. The PIX can route packets. However, the usual rules still apply to allow packets to pass between 2 interfaces on the PIX. You still have to create the xlates and access control so that the packets can pass. I hope this helps.

    Scott

  • Router through Comcast: when my laptop detects all networks, they are all set to connect automatically. It is causing me to drop off my own network?

    I have a router through Comcast. When my laptop detects all networks, they are all set to connect automatically. It is causing me to drop off my own network. When I try to uncheck the other networks they just stay checked. I'm not sure how to fix it.

    You may want to contact Comcast or your wireless router manufacturer's support.

  • Reaching a second router through VPN

    Hello

    Here's the deal:

    RV042G <--------VPN-------> ROUTER1 <---lan1---> ROUTER2 <---lan2--->

    I have an RV042G connected to a router '1' (LAN1) via a VPN. I have another router ('2' for LAN2) behind the local router '1', with another network (no bridge, a different IP range).

    For now, I can PING the WAN IP of router '2' from the RV042G, but from the remote RV042G I can't access the devices behind router '2' on LAN2. The opposite works: from LAN2 I can ping all devices on any LAN, including those behind the VPN.

    On the RV042G, I put a static route to indicate that the IP range of LAN '2' was reachable via the WAN IP of router '2', but a traceroute always shows that I don't use the VPN and go to my provider's gateway instead. The static route list does not show the route that I put in.

    At this point, I'm a little lost. What can I do to tell the RV that the route to ROUTER2 is via the VPN and not my provider's gateway?

    Thanks for any help (and sorry for my bad English)

    After reading this guide:

    http://www.Cisco.com/c/dam/en/us/TD/docs/routers/CSBR/rv0xx/administrati...

    ... take a look at page 110. The "remote" group is where you would list the subnets that are accessible through the VPN. Currently this group must contain "LAN1", so you'll need to add "LAN2".

    Cheers,

    SEB.

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels and all use the SA520W (firmware 2.1.18). I currently have 3 routers in place, with tunnels created from router A to router B and to router C. I need assistance with the configuration to allow the hosts at router site B to get to router site C. I have attempted to add a static route, but get "destination host unreachable" when trying to ping. Also, if I connect to router site A via the Cisco VPN client, I'm not able to get to resources on any site, A, B, or C.

    Site A - 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, is this what you currently have configured?

            RTR_A
              ||
       _______||_______
      ||              ||
    RTR_B           RTR_C

    Since there is no tunnel between B and C there is no way for us to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPsec tunnel (it is IPsec, right?) of rtr_a ==> rtr_b. You can't just add a route statement because your addresses are not routable, which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but it should get you what you need.

    I hope this helps.
