Reverse Route injection

My PIX firewall is the VPN headend device. It is located behind a C1721 router. I configured a remote access VPN with a split tunnel network list. It works OK if I connect from a VPN client located between the PIX and the C1721. If I connect from an external VPN client beyond the C1721, it connects but has no access to internal resources. But it works OK if I use the split tunnel network option. I have also tried the reverse route injection option. Help me locate the error, please. What's wrong?

If you're talking about client access to the internal LAN behind the PIX, there is no way it will NOT work without split tunnel if it works with split tunnel.

Could you please paste a network diagram and the relevant part of the PIX and router configs.

Tags: Cisco Security

Similar Questions

  • Reverse route injection for remote VPN clients

    Hello all,

    Could you confirm whether reverse route injection is used only for site-to-site VPN?

    Also, say we have two sites using site-to-site VPN:

    Site A                      Site B
    Private IP 172.16.x.x       Private IP 172.20.x.x

    Now, as we do site-to-site VPN, we can either enable the NAT-T option, which will allow 172.16 IPs to reach site B as 172.16 only.

    Do not change the IP address.

    Option 2

    If we don't allow NAT-T and we enable reverse route injection, and we use, say, OSPF on the ASAs at sites A and B.

    In this case, we enable RRI so that we can announce the private route 172.16 across the internet to site B, right?

    Regards,

    Mahesh

    Hello Mahesh,

    "Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN clients or LAN-to-LAN sessions."

    Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

    As a result, with RRI enabled the ASA learns routing information for connected peers and advertises it via RIP or OSPF.

    NAT-T is automatically detected and used when the local or the remote peer is behind NAT.

    To answer your question:

    If NAT-T is required and enabled, then it will automatically be used by the VPN peers. Then, with RRI in place, the remote networks will be added to the routing table as static routes, so they can be advertised by OSPF.

    HTH.

    Please rate all useful posts.

  • Circumstances for reverse route injection

    Hello,

    I wonder under what circumstances an ASA installs static routes due to the command 'set reverse-route' in a static crypto map.

    We have several tunnels where the route is not installed, while for others it appears. It seems that the route only shows up if the local side of the tunnel is directly connected.

    So my questions are:

    (a) does the local side have to be directly connected

    (b) is it enough to have the local side in the local routing table

    (c) does the local side not matter at all

    Thanks for your help!

    Cheers,

    Heri

    Hello,

    Thank you for the update.

    I tried to think of all the situations where the behavior you're seeing would normally happen, but couldn't find one (or think of the same).

    -Jouni

  • VPN peers on old ASA, reverse routing as we migrate to the new ASA and new Internet

    Hello,

    I'm migrating my old Internet/VPN connection. How can I ensure that existing VPN peers are still addressed to my old/current ASA

    while my default gateway must go out of my new internet link?

    Very vague question, given the lack of topology ;/

    In general, you redistribute your downstream pool range of IP addresses into the core.

  • Remote access VPN: ping VPN clients from ASA

    I would like to know if it is normal not to be able to traceroute or ping VPN clients from the ASA command line? The VPN client and the connection work well at the moment. I can ping / connect to internal hosts from the VPN and vice versa. However, I can't ping the VPN client IP address itself from the ASA. I do use split tunnel, but that seems to work correctly based on the route determination I ran.

    Can I have both an IKEv1 and an IKEv2 IPsec VPN configuration? I am trying to keep the IKEv1 VPN for the legacy Cisco VPN client while I begin to roll out the AnyConnect IKEv2 client. Or should I just create a new VPN configuration for the AnyConnect VPN (easier)?

    What is the purpose of reverse route injection? It seems counterintuitive. I was hoping it would announce the /32s of the VPN DHCP pool as "come to me", so I would not have to add static routes on my core pointing to the ASA for these ranges. This ASA is reserved as the VPN firewall, so this traffic does not normally head to it. Right now I just have the static route on the core for the /24 I use in the DHCP pool. I of course have the option to redistribute the range in many other ways with EIGRP / OSPF / RIP; it seemed to me that RRI was a nice way to do it, but it doesn't seem to be.

    It probably all comes down to me not understanding exactly how the bits pass through the firewall to the actual VPN client machine. The fact that you don't see a layer 3 interface for the ASA's side of the tunnel is, I think, part of what confuses me.

    Basically, I followed this guide and added split tunnel and AAA via RADIUS, which seem to work well. I can't emphasize enough that, for all intents and purposes, the VPN seems to work as it should now. Except for the time I broke it for a few hours while I was playing with various other commands lol.

    Thank you

    Tim

    Reference:
    ASA 5505 (base license right now, #labgear) running 9.2(4)

    It is normal not to be able to ping remote VPN clients from the ASA.  To be able to, the outside ASA IP address must be included in the crypto domain, which it normally is not.

    Yes, you can use IKEv1 and IKEv2 at the same time.  However, if you change, consider using SSL.  It is better supported and less painful.

    If you choose to ignore this advice, then I would create a new IKEv2 VPN rather than modify the existing one, and then migrate users over to it.

    Reverse route injection does exactly what you describe.  The routes appear as static routes on the ASA; you will then need to redistribute them into whatever routing protocol you like.  I wouldn't normally use it for user traffic, but for site traffic when managing more complex failover scenarios.

    I recommend sticking to the single /24 static route in your core.

  • L2L VPN using dynamic IP - question

    Dear all,

    I have several sites with dynamic IP addresses.

    At HO, I have a Cisco router with a dynamic IP, on which port forwarding is configured and the internet VPN is terminated on the ASA.

    I have 40 branches, all with dynamic IPs. All L2L tunnels are up.

    My problem is that communication from a branch to HO is perfect, but from HO I'm not able to access the branch resources.

    Could someone help me solve this problem... Config is attached.

    AHA!

    I understand the setup a little better.

    It seems that your routers are doing destination NAT, so all the tunnels seem to come from the subnet "172.16.40.0/23".

    And indeed your hypothesis is correct: the problem seems to be related to the lack of correct routes pointing outward (at least it seems so for now).

    However, reverse route injection should take care of it.

    Speaking of which, I noticed your tunnels land on

    crypto dynamic-map alfa and not the system default.

    Please add "crypto dynamic-map alfa 1 set reverse-route" and restart one of the tunnels (not the device; simply clear isakmp and ipsec for this session).

    We'll see from there.

    Marcin

  • Creating crypto sessions via several public interfaces

    Hi guys,

    We have a Cisco 2851 being used as a VPN server router. It is connected to the Internet via a fiber connection on Gi0/1 to ISP1. Our remote sites connect successfully to the router and the crypto sessions are built successfully.

    We now have another fiber connection into the server that we want to use on an ad-hoc basis to connect remote sites to our VPN, mainly because the new fiber is a high speed connection and we can thus get a "high speed" connection for the remote site through it.

    So, when I switch a remote site to the new ISP connection, I change its peer from x.x.x.y to m.m.m.n. Crypto requests come in to the server via the ISP2 connection. However, it seems that the responses to these requests are returned to the remote site through ISP1, and hence the crypto session is never created successfully.

    My static routes are as follows:

    ip route 0.0.0.0 0.0.0.0 x.x.x.x 30 permanent

    ip route x_network 255.255.255.240 x.x.x.x 20 permanent

    ip route m_network 255.255.255.248 m.m.m.m 20 permanent

    Now, if I change the gateway of last resort to "ip route 0.0.0.0 0.0.0.0 m.m.m.m 30", then the crypto session is established, but after a minute or two all the other crypto sessions on x.x.x.x begin to die.

    My question, though, is how to keep both fibers connected to the router at the same time and have some sites connect via ISP1 while others connect via ISP2.

    One solution would be to use two routers, one for each ISP connection. With that you would have true redundancy for your hub. To make sure that traffic reaches the right exit point, you can use reverse-route injection and a dynamic routing protocol.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Bring up the VPN tunnel (crypto map) without interesting traffic

    Is it possible on the ASA to bring up a site-to-site VPN tunnel with a static crypto map without generating interesting traffic? I want reverse route injection to generate the dynamic route before traffic begins to flow.

    Roman,

    Unless something changed recently, RRI inserts routes without SAs being present, meaning that they are static (in contrast to the current default behavior on IOS 12.4(9)T, I think).

    But to answer the question: in more recent versions, you can bring up the tunnel using the packet-tracer CLI.

    M.

    Edit: enhancement request that will bring the same RRI features to the ASA as on IOS:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx67450

  • VPN remote access - no internal network connectivity!

    Hi Experts,

    I understand that this is a very common problem in IPsec remote access VPN implementations using the Cisco VPN Client. But for the last six months I have tried to configure remote access VPN at as many customer sites and get stuck with the same issue!

    - The remote VPN Client connects and authenticates successfully against the local user database (to make things easier, I used local user authentication); the tunnel is set up (I could see the output of "show isakmp sa" as AM_ACTIVE). So I think that the encryption and authentication parameters for Phase 1 / Phase 2 should work, because the tunnel is established successfully.

    - Now comes the issue: no connectivity to the internal network. I tried all the possible solutions that I could find online.

    1. The most common problem is NAT-Traversal not enabled

    - Enabled NAT-T with the default keepalive of 20

    2. No NAT configuration to exempt remote VPN traffic

    - Ensured that NAT exemption is present in the configuration: traffic between the internal network 192.168.1.X and the VPN networks 192.168.5.X / 192.168.10.X is exempted from NAT

    3. Split tunnel configuration

    - Reconfigured the split tunnel access list from a standard access list to an extended access list (although not required, as a standard access list is more than enough, if I'm not mistaken) to permit the selected traffic from 192.168.1.X to 192.168.5.X / 192.168.10.X, which creates routes on the client that allow users to access VPN resources and the Internet simultaneously. The split tunnel network list was added again to the group policy.

    4. Perfect Forward Secrecy (PFS) enabled / disabled

    - It may be extra overhead; it has been disabled / enabled

    5. Reverse Route Injection

    - Ensured that a temporary reverse route is injected into the routing table by enabling Reverse Route Injection to automatically insert temporary static routes to the remote tunnel networks, using the command set reverse-route

    A few more interesting things were noted:

    Encrypted and bypassed packets are seen when a continuous ping is started from the ASA inside interface.

    No decryption happens from the VPN Client, which means that there is no answer back from the network in the traffic statistics.

    Decrypted packets are seen increasing when I try to ping the IP address assigned to the client (192.168.0.10) from the ASA. But on the ASA I don't get any response back; it shows as "?". So that would mean that there is communication from the ASA to the client via the VPN tunnel, while no communication is happening from the internal network to the client.

    The entire configuration is shown below

    ASA Version 8.2(1)
    !
    hostname ciscoasa
    enable password AS3P3A8i0l6.JxwD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    access-list SHEEP extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool testpool 192.168.0.10-192.168.0.15
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto ca server
     smtp from-address [email protected]
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.10-192.168.1.132 inside
    dhcpd dns 8.8.8.8 4.4.4.4 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RAVPN internal
    group-policy RAVPN attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ST1
     address-pools value testpool
    username dk password Z6zukyDvwVjP7o24 encrypted privilege 15
    username sv password i1gRUVsEALixX3ei encrypted
    tunnel-group testgroup type remote-access
    tunnel-group testgroup general-attributes
     address-pool testpool
     default-group-policy RAVPN
    tunnel-group testgroup ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:48f0863a70b8f382c7b71db0b88620fe
    : end

    ----

    Could you please help me identify where I'm going wrong. It's been a long time that I've been trying to figure it out, but nothing seems to work! ;-(

    Help, please!

    Thank you

    ANUP

    (1) Please replace the split tunnel ACL with a standard ACL as follows:

    no access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

    access-list ST1 standard permit 192.168.1.0 255.255.255.0

    (2) Add icmp inspection:

    policy-map global_policy

    class inspection_default

    inspect icmp

    (3) Finally, add the following so that you can test against the ASA inside interface:

    management-access inside
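    The three fixes in this reply, plus the NAT-exemption and reverse-route checks the original poster walked through, can be verified mechanically. The script below is an added example (not from the thread or from Cisco): it audits a constructed ASA 8.2-style config modelled on the one posted above, using pre-8.3 `nat 0 access-list` syntax; the NAT-exemption ACL name NONAT is an assumption, the other names are the poster's.

```python
import ipaddress
import re

# Constructed sample modelled on the ASA 8.2 config posted above (pre-8.3 NAT syntax).
# The NAT-exemption ACL name NONAT is an assumption; the other names are the poster's.
BROKEN_CONFIG = """\
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
ip local pool testpool 192.168.0.10-192.168.0.15
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST1
 address-pools value testpool
"""

# The same config with the three changes from the reply applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "access-list ST1 standard permit 192.168.1.0 255.255.255.0",
) + "policy-map global_policy\n class inspection_default\n  inspect icmp\nmanagement-access inside\n"

ACL_RE = re.compile(r"access-list (\S+) (standard|extended) permit(?: ip)? (\S+) (\S+)(?: (\S+) (\S+))?$")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+?)\s*-\s*(\S+)")


def parse_acls(lines):
    """Return {acl_name: [(kind, src_net, dst_net)]}; dst_net is None for standard ACLs.
    Only network/mask entries are understood; 'any', 'host' and object forms are skipped."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        name, kind, src, smask, dst, dmask = m.groups()
        try:
            src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
            dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False) if dst else None
        except ValueError:
            continue
        acls.setdefault(name, []).append((kind, src_net, dst_net))
    return acls


def audit(config):
    """Return one finding string per pitfall from the thread that the config exhibits."""
    lines = [l.strip() for l in config.splitlines()]
    acls = parse_acls(lines)
    findings = []

    # (1) The split-tunnel network list must be a standard ACL naming the inside networks.
    for line in lines:
        m = re.match(r"split-tunnel-network-list value (\S+)$", line)
        if not m:
            continue
        entries = acls.get(m.group(1), [])
        if not entries:
            findings.append(f"split-tunnel ACL {m.group(1)} is missing or has no parsable entries")
        elif any(kind != "standard" for kind, _, _ in entries):
            findings.append(f"split-tunnel ACL {m.group(1)} is extended; use a standard ACL")

    # (2) 'set reverse-route' only matters on a dynamic map reachable from an interface crypto map.
    iface_maps, dyn_of, rri = set(), {}, set()
    for line in lines:
        if m := re.match(r"crypto map (\S+) interface \S+$", line):
            iface_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line):
            dyn_of.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set reverse-route$", line):
            rri.add(m.group(1))
    active = set().union(*(dyn_of.get(n, set()) for n in iface_maps))
    if not active & rri:
        findings.append("no dynamic crypto map bound to an interface has 'set reverse-route'")

    # (3) The pre-8.3 NAT exemption ('nat 0 access-list') must cover the whole VPN pool.
    pools = [(m.group(2), m.group(3)) for l in lines if (m := POOL_RE.match(l))]
    exempt = [m.group(1) for l in lines if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", l))]
    for first, last in pools:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        covered = any(dst is not None and lo in dst and hi in dst
                      for name in exempt for _, _, dst in acls.get(name, []))
        if not covered:
            findings.append(f"VPN pool {first}-{last} is not covered by a NAT exemption ACL")

    # (4) The two operational additions from the reply.
    if "inspect icmp" not in lines:
        findings.append("'inspect icmp' is not configured under the global policy")
    if "management-access inside" not in lines:
        findings.append("'management-access inside' is not set, so the inside interface can't be used for testing")
    return findings


if __name__ == "__main__":
    for finding in audit(BROKEN_CONFIG):
        print("broken:", finding)
    print("fixed:", audit(FIXED_CONFIG) or "no findings")
```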

  • Site-to-site IOS IPsec VPN and EIGRP

    Hello,

    I have a remote site connected to the core via an IPsec VPN router. I don't want to run EIGRP across the VPN. However, I want to advertise the remote site subnet to the rest of the network from the core router.

    Is the remote VPN subnet treated as a connected route on the core router?

    Will configuring a network statement for the remote site on the core router cause EIGRP to announce the route?

    You are right.

    RRI (Reverse Route Injection) is the correct way to announce remote routes as static routes on the hub, and all you need to do is redistribute static into EIGRP, so it gets redistributed into your EIGRP.

    Here is an example configuration:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00809d07de.shtml

    (It's about OSPF and dynamic IPsec VPN; however, the concept is the same for site-to-site IPsec and redistribution into EIGRP)

    Hope that helps.

  • Cisco ASA 5510: multiple dynamic L2L VPN config needed

    Hello,

    We have a Cisco ASA 5510 with a static IP address. We also have a remote office with a dynamic IP address. We currently have a dynamic-to-static L2L VPN configured. Now we must add a new tunnel to another site with a dynamic IP address. Is this possible? Does anyone have a working example or manual?

    Oleg Kobelev

    The only config you need on the ASA is:

    (1) crypto transform set

    (2) ISAKMP policy

    (3) dynamic crypto map

    (4) default L2L group & PSK

    (5) RRI (Reverse Route Injection) config

    HTH >

  • Why no implicit route for traffic from an IPsec L2L tunnel?

    In a hub-and-spoke IPsec environment, it is not difficult to implement routing from the spoke to the hub.

    But on the hub side of a tunnel, where the hub is the gateway of last resort for traffic from the spoke, it seems almost counterintuitive that the crypto ACL statements don't implicitly create a route for the traffic to the station at the far end of the tunnel (the spoke).  It could always be overridden with a static if necessary.

    There is probably a good reason for this, but I can't think of it.  Or am I the only person who thinks it is strange... or maybe it is a feature opportunity?

    Hello,

    This feature exists and is called reverse route injection. The route is created dynamically (based on the crypto ACL) and is only present when the SA is up.

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gt_rrie.html

    HTH

    Laurent.

  • Bad route injected into OSPF by ASA VPN when using remote access

    Has anyone ever seen the ASA inserting a bad route for a connection that has been set up with it?  I'll explain more below:

    I'm using Reverse Route Injection. When a remote access IPsec (CLIENT) connects to the ASA box, the ASA creates a static route to the remote access client via the router closest to the ASA, so that traffic can reach this remote access client. This route is distributed into OSPF. OK, that may be a normal situation. But the problem is when I ask another participant of this OSPF area which is the route to this remote access client (CLIENT): the answer is the router closest to the ASA, and not the ASA. Does anyone have a solution for this? I tried to create a route-map but that didn't work.

    If I understand your question, my question for you is whether the OSPF route to the remote VPN client is sourced by the ASA or by another device?

    Is the IP address in the space where I wrote ASA_ROUTER_ID the ASA's router ID, or is it the router ID of another device?  What I've listed below is an example of the output of "show ip route".  The value in bold must be the ASA router ID if it is the source of the route to the VPN client.  Other OSPF routers will then forward packets destined to the VPN client to the ASA.

    #sh ip route 1.1.1.0
    Routing entry for 1.1.1.0/24
      Known via "ospf 1", distance 110, metric 310, type intra area
      Last update from 1.2.2.2 on GigabitEthernet0, 2w ago
      Routing Descriptor Blocks:
      * 1.2.2.2, from ASA_ROUTER_ID, 2w ago, via GigabitEthernet0
          Route metric is 310, traffic share count is 1

  • VPN/routing HELP!

    I have an ASA 5505 that I can VPN into; my problem is that I do not have access to my internal network.  Right now, I have my cable modem going into my ASA and my ASA goes to my Cisco 3660 router.  I think my problem is somewhere in the routing area, but I don't really know what I'm doing... Help, please.

    The ASA config:

    : Saved
    :
    ASA Version 8.2(3)
    !
    hostname ciscoasa
    domain-name wood.homeesrv.com
    enable password DQucN59Njn0OjpJL encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
     domain-name wood.homeesrv.com
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    ip local pool HomeVPN 192.168.3.0-192.168.3.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
    route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPN protocol radius
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable inside
     enable outside
    group-policy WoodVPN internal
    group-policy WoodVPN attributes
     dns-server value 192.168.1.14 8.8.8.8
     vpn-tunnel-protocol IPSec webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value WoodVPN_splitTunnelAcl
     default-domain value wood.homeserv.com
    username Jonathan password WsMCHUiqvEuA9Gmb encrypted privilege 15
    tunnel-group WoodVPN type remote-access
    tunnel-group WoodVPN general-attributes
     address-pool HomeVPN
     default-group-policy WoodVPN
    tunnel-group WoodVPN ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:20c3b97b24f2fadeb1154024bd995f03
    : end
    no asdm history enable

    Cisco 3660 Router Config:

    Building configuration...

    Current configuration : 1096 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.19
    !
    ip dhcp pool 192.168.1.0/24
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 8.8.8.8 8.8.4.4 192.168.1.14 192.168.1.13
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username woodjl privilege 15 secret 5 $1$FJyW$Ozgsn9oO0acvYSSeohvzX/
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 192.168.2.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end

    To do this:

    group-policy WoodVPN attributes

    no split-tunnel-network-list value WoodVPN_splitTunnelACL

    split-tunnel-network-list value Split_Tunnel_List

    Also add:

    access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    Let me know if that helps.
    Manish

  • VPN 3000 RRI

    Hi guys,

    I'm working on setting up a VPN between a VPN 3000 and a Check Point; the problem I have on the VPN 3000 is that if I do not select "reverse route injection" it won't establish the VPN.

    I thought this might be because the routes to the local LAN did not exist on the VPN 3000, so I added statics to match the network list, but it still wouldn't come up; as soon as I enable reverse route injection it works very well.

    Any ideas?

    Thank you

    Adam Baxter.

    Adam,

    Take out the static routes and also disable reverse route injection.

    Enable logs on the concentrator at severity 1-13 for IPSEC & IPSECDBG, IKE, AUTH, IKEDBG, AUTHDBG.

    Try sending a ping as the interesting traffic. Capture the logs and post them to this thread; let me take a look and see if there is an issue that jumps out.

    Cheers,

    Gilbert
