Routing multiple subnets on a site to site VPN
What is the recommended solution to deliver several subnets on a site to site vpn? Each subnet requires its own policy or a policy can be used for one or more subnets if the remote site has several subnets? In addition, if the remote router has only two fastethernet interfaces, it'll work if one of the interfaces of subinterface configuration or router on a stick?
If you talk about static routing, you can simply add the routes and change the ACL for encrypted as a result traffic.
If you want to run a dynamic routing. you will then need to IPSEC VTI. Here is the link
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136
and although I did not use of subinterfaces for IPSEC VTI. but according to me, it will work.
Tags: Cisco Security
Similar Questions
-
Cisco ASA 5505 site for multiple subnet of the site.
Hello. I need help to configure my cisco asa 5505.
I set up a VPN between two ASA 5505 tunnel
Site 1:
Subnet 192.168.77.0
Site 2:
Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0
What I need help:
Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0
And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0
Vlan480 is used for phones. In vlan480, we have a PABX.
Is this possible to do?
Any help would be much appreciated!
Config site 2:
: Saved
:
ASA Version 7.2 (2)
!
ciscoasa hostname
domain default.domain.invalid
activate the password encrypted x
names of
name 192.168.1.250 DomeneServer
name of 192.168.1.10 NotesServer
name 192.168.1.90 Steadyily
name 192.168.1.97 TerminalServer
name 192.168.1.98 eyeshare w8
name 192.168.50.10 w8-print
name 192.168.1.94 w8 - app
name 192.168.1.89 FonnaFlyMedia
!
interface Vlan1
nameif Vlan1
security-level 100
IP 192.168.200.100 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP address 79.x.x.226 255.255.255.224
OSPF cost 10
!
interface Vlan400
nameif vlan400
security-level 100
IP 192.168.1.1 255.255.255.0
OSPF cost 10
!
interface Vlan450
nameif Vlan450
security-level 100
IP 192.168.210.1 255.255.255.0
OSPF cost 10
!
interface Vlan460
nameif Vlan460-SuldalHotell
security-level 100
IP 192.168.2.1 255.255.255.0
OSPF cost 10
!
interface Vlan461
nameif Vlan461-SuldalHotellGjest
security-level 100
address 192.168.3.1 IP 255.255.255.0
OSPF cost 10
!
interface Vlan462
Vlan462-Suldalsposten nameif
security-level 100
192.168.4.1 IP address 255.255.255.0
OSPF cost 10
!
interface Vlan470
nameif vlan470-Kyrkjekontoret
security-level 100
IP 192.168.202.1 255.255.255.0
OSPF cost 10
!
interface Vlan480
nameif vlan480 Telefoni
security-level 100
address 192.168.20.1 255.255.255.0
OSPF cost 10
!
interface Vlan490
nameif Vlan490-QNapBackup
security-level 100
IP 192.168.10.1 255.255.255.0
OSPF cost 10
!
interface Vlan500
nameif Vlan500-HellandBadlands
security-level 100
192.168.30.1 IP address 255.255.255.0
OSPF cost 10
!
interface Vlan510
Vlan510-IsTak nameif
security-level 100
192.168.40.1 IP address 255.255.255.0
OSPF cost 10
!
interface Vlan600
nameif Vlan600-SafeQ
security-level 100
192.168.50.1 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 500
switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 490
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted x
passive FTP mode
clock timezone WAT 1
DNS server-group DefaultDNS
domain default.domain.invalid
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
Lotus_Notes_Utgaaande tcp service object-group
UT og Frim Notes Description til alle
area of port-object eq
port-object eq ftp
port-object eq www
EQ object of the https port
port-object eq lotusnotes
EQ Port pop3 object
EQ pptp Port object
EQ smtp port object
Lotus_Notes_inn tcp service object-group
Description of the inn og alle til Notes
port-object eq www
port-object eq lotusnotes
EQ Port pop3 object
EQ smtp port object
object-group service Reisebyraa tcp - udp
3702 3702 object-port Beach
5500 5500 object-port Beach
range of object-port 9876 9876
object-group service Remote_Desktop tcp - udp
Description Tilgang til Remote Desktop
3389 3389 port-object range
object-group service Sand_Servicenter_50000 tcp - udp
Description program tilgang til sand service AS
object-port range 50000 50000
VNC_Remote_Admin tcp service object-group
Description Fra ¥ oss til alle
5900 5900 port-object range
object-group service Printer_Accept tcp - udp
9100 9100 port-object range
port-object eq echo
ICMP-type of object-group Echo_Ping
echo ICMP-object
response to echo ICMP-object
object-group service Print tcp
9100 9100 port-object range
FTP_NADA tcp service object-group
Suldalsposten NADA tilgang description
port-object eq ftp
port-object eq ftp - data
Telefonsentral tcp service object-group
Hoftun description
port-object eq ftp
port-object eq ftp - data
port-object eq www
EQ object of the https port
port-object eq telnet
Printer_inn_800 tcp service object-group
Fra 800 thought-out og inn til 400 port 7777 description
range of object-port 7777 7777
Suldalsposten tcp service object-group
Description send av mail hav Mac Mail at - Ã ¥ nrep smtp
EQ Port pop3 object
EQ smtp port object
http2 tcp service object-group
Beach of port-object 81 81
object-group service DMZ_FTP_PASSIVE tcp - udp
55536 56559 object-port Beach
object-group service DMZ_FTP tcp - udp
20 21 object-port Beach
object-group service DMZ_HTTPS tcp - udp
Beach of port-object 443 443
object-group service DMZ_HTTP tcp - udp
8080 8080 port-object range
DNS_Query tcp service object-group
of domain object from the beach
object-group service DUETT_SQL_PORT tcp - udp
Description for a mellom andre og duett Server nett
54659 54659 object-port Beach
outside_access_in of access allowed any ip an extended list
outside_access_out of access allowed any ip an extended list
vlan400_access_in list extended access deny ip any host 149.20.56.34
vlan400_access_in list extended access deny ip any host 149.20.56.32
vlan400_access_in of access allowed any ip an extended list
Vlan450_access_in list extended access deny ip any host 149.20.56.34
Vlan450_access_in list extended access deny ip any host 149.20.56.32
Vlan450_access_in of access allowed any ip an extended list
Vlan460_access_in list extended access deny ip any host 149.20.56.34
Vlan460_access_in list extended access deny ip any host 149.20.56.32
Vlan460_access_in of access allowed any ip an extended list
vlan400_access_out list extended access permit icmp any any Echo_Ping object-group
vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop
vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop
vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily
vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn
vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop
vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop
vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop
vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600
vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range
vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer
vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT
Vlan500_access_in list extended access deny ip any host 149.20.56.34
Vlan500_access_in list extended access deny ip any host 149.20.56.32
Vlan500_access_in of access allowed any ip an extended list
vlan470_access_in list extended access deny ip any host 149.20.56.34
vlan470_access_in list extended access deny ip any host 149.20.56.32
vlan470_access_in of access allowed any ip an extended list
Vlan490_access_in list extended access deny ip any host 149.20.56.34
Vlan490_access_in list extended access deny ip any host 149.20.56.32
Vlan490_access_in of access allowed any ip an extended list
Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group
Vlan1_access_out of access allowed any ip an extended list
Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop
Vlan1_access_out deny ip extended access list a whole
Vlan1_access_out list extended access permit icmp any any echo response
Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group
Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group
Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP
Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP
Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group
vlan470_access_out list extended access permit icmp any any Echo_Ping object-group
vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object
Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group
vlan480_access_out of access allowed any ip an extended list
Vlan510_access_in of access allowed any ip an extended list
Vlan600_access_in of access allowed any ip an extended list
Vlan600_access_out list extended access permit icmp any one
Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop
Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www
Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www
Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www
Vlan600_access_in_1 of access allowed any ip an extended list
Vlan461_access_in of access allowed any ip an extended list
Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group
vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0
outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0
outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended ip allowed any one
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response
access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one
pager lines 24
Enable logging
asdm of logging of information
MTU 1500 Vlan1
Outside 1500 MTU
vlan400 MTU 1500
MTU 1500 Vlan450
MTU 1500 Vlan460-SuldalHotell
MTU 1500 Vlan461-SuldalHotellGjest
vlan470-Kyrkjekontoret MTU 1500
MTU 1500 vlan480-Telefoni
MTU 1500 Vlan490-QNapBackup
MTU 1500 Vlan500-HellandBadlands
MTU 1500 Vlan510-IsTak
MTU 1500 Vlan600-SafeQ
MTU 1500 Vlan462-Suldalsposten
no failover
Monitor-interface Vlan1
interface of the monitor to the outside
the interface of the monitor vlan400
the interface of the monitor Vlan450
the interface of the Vlan460-SuldalHotell monitor
the interface of the Vlan461-SuldalHotellGjest monitor
the interface of the vlan470-Kyrkjekontoret monitor
Monitor-interface vlan480-Telefoni
the interface of the Vlan490-QNapBackup monitor
the interface of the Vlan500-HellandBadlands monitor
Monitor-interface Vlan510-IsTak
Monitor-interface Vlan600-SafeQ
the interface of the monitor Vlan462-Suldalsposten
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 522.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
vlan400_nat0_outbound (vlan400) NAT 0 access list
NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns
NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns
NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer
static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255
static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232
static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255
static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236
static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
(Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0
(vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0
(vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
Access-group interface Vlan1 Vlan1_access_out
Access-group outside_access_in in interface outside
Access-group outside_access_out outside interface
Access-group vlan400_access_in in the vlan400 interface
vlan400_access_out group access to the interface vlan400
Access-group Vlan450_access_in in the Vlan450 interface
Access-group interface Vlan450 Vlan450_access_out
Access-group interface Vlan460-SuldalHotell Vlan460_access_in
Access-group interface Vlan460-SuldalHotell Vlan460_access_out
Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in
Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out
Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
vlan470_access_out access to the interface vlan470-Kyrkjekontoret group
access to the interface vlan480-Telefoni, vlan480_access_out group
Access-group interface Vlan490-QNapBackup Vlan490_access_in
Access-group interface Vlan490-QNapBackup Vlan490_access_out
Access-group interface Vlan500-HellandBadlands Vlan500_access_in
Access-group interface Vlan500-HellandBadlands Vlan500_access_out
Access-group interface Vlan510-IsTak Vlan510_access_in
Access-group interface Vlan510-IsTak Vlan510_access_out
Access-group Vlan600_access_in_1 interface Vlan600-SafeQ
Access-group Vlan600_access_out interface Vlan600-SafeQ
Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface
Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface
Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
x x encrypted privilege 15 password username
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
No snmp server location
No snmp Server contact
SNMP-Server Community public
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
card crypto outside_map 20 match address outside_20_cryptomap_1
card crypto outside_map 20 set pfs
peer set card crypto outside_map 20 62.92.159.137
outside_map crypto 20 card value transform-set ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
ISAKMP crypto enable vlan400
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
tunnel-group 62.92.159.137 type ipsec-l2l
IPSec-attributes tunnel-group 62.92.159.137
pre-shared-key *.
Telnet 192.168.200.0 255.255.255.0 Vlan1
Telnet 192.168.1.0 255.255.255.0 vlan400
Telnet timeout 5
SSH 171.68.225.216 255.255.255.255 outside
SSH timeout 5
Console timeout 0
dhcpd update dns both
!
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
!
dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface
!
dhcpd address 192.168.1.100 - 192.168.1.225 vlan400
dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
vlan400 enable dhcpd
!
dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd ip interface 192.168.210.1 option 3 Vlan450
enable Vlan450 dhcpd
!
dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
!
dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
!
dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret
interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
!
dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
!
dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup
!
dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
!
dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface
Vlan510-IsTak enable dhcpd
!
dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
Vlan600-SafeQ enable dhcpd
!
dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten
interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd
interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1
Vlan462-Suldalsposten enable dhcpd
!
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:x
: end
Site 1 config:
: Saved
:
ASA Version 7.2 (4)
!
ciscoasa hostname
domain default.domain.invalid
activate the password encrypted x
passwd encrypted x
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.77.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
PPPoE Telenor customer vpdn group
IP address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 15
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
DNS server-group DefaultDNS
domain default.domain.invalid
outside_access_in list extended access permit icmp any any disable log echo-reply
access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 524.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group outside_access_in in interface outside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
Enable http server
http 192.168.77.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 79.160.252.226
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.168.77.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
VPDN group Telenor request dialout pppoe
VPDN group Telenor localname x
VPDN group Telenor ppp authentication chap
VPDN x x local store password username
dhcpd outside auto_config
!
dhcpd address 192.168.77.100 - 192.168.77.130 inside
dhcpd dns 192.168.77.1 on the inside interface
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside
dhcpd allow inside
!
dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface
!
tunnel-group 79.160.252.226 type ipsec-l2l
IPSec-attributes tunnel-group 79.160.252.226
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:x
: end
Hello
The addition of a new network to the existing VPN L2L should be a fairly simple process.
Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.
Looking at your configurations above it would appear that you need to the following configurations
SITE 1
- We add the new network at the same time the crypto ACL and ACL NAT0
access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0
access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0
SITE 2
- We add new ACL crypto network
- We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration
outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0
Comment by VLAN480-NAT0 NAT0 for VPN access-list
access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0
NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)
These configurations should pretty much do the trick.
Let me know if it worked
-Jouni
-
IPSec site to site VPN cisco VPN client routing problem and
Hello
I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.
The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.
There are on the shelves, there is no material used cisco - routers DLINK.
Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.
Can someone help me please?
Thank you
Peter
RAYS - not cisco devices / another provider
Cisco 1841 HSEC HUB:
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key x xx address no.-xauth
!
the group x crypto isakmp client configuration
x key
pool vpnclientpool
ACL 190
include-local-lan
!
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco
!
Crypto-map dynamic dynmap 10
Set transform-set 1cisco
!
card crypto ETH0 client authentication list userauthen
card crypto isakmp authorization list groupauthor ETH0
client configuration address card crypto ETH0 answer
ETH0 1 ipsec-isakmp crypto map
set peer x
Set transform-set 1cisco
PFS group2 Set
match address 180
card ETH0 10-isakmp ipsec crypto dynamic dynmap
!
!
interface FastEthernet0/1
Description $ES_WAN$
card crypto ETH0
!
IP local pool vpnclientpool 192.168.200.100 192.168.200.150
!
!
overload of IP nat inside source list LOCAL interface FastEthernet0/1
!
IP access-list extended LOCAL
deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
IP 192.168.7.0 allow 0.0.0.255 any
!
access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.
Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL
DE:
access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Also change the ACL 190 split tunnel:
DE:
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.
Hope that helps.
-
SA520w routing through site-to-site VPN tunnels
I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.
A - the site 10.10.0.0/24
Site B - 10.0.0.0/24
Site of the C - 10.25.0.0/24
Any help is greatly appreciated.
So, that's what you have configured correctly?
RTR_A
||
_____________ || ___________
|| ||
RTR_B RTR_C
Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.
Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.
I hope this helps.
-
Site to site VPN with router IOS
I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.
I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.
Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?
My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).
Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.
And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)
Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?
I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.
We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).
I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.
Thank you in advance.
Pete.
Pete
I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:
-you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.
-I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.
-If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.
-I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.
-regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.
-You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).
-There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.
-I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.
I hope that your application is fine and that my suggestions could be useful.
[edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.
HTH
Rick
-
Several subnets in the site to Site VPN
Hi guys,.
I would like to set up a site of tunnel VPN stie with several subnets. I could not find a configuration which is my problem. I hope you can help me with the solution.
You can find my design network attach to this subject.
This is my setup on the ASA:(1) NAT excemption for network traffic, go to the Site to site VPN.
NAT (MGMTLAN, INT STSVPN) static source 192.168.10.0 192.168.10.0 static destination 192.168.31.0 192.168.31.0
NAT (inside, INT STSVPN) static source 192.168.15.0 192.168.15.0 static destination 192.168.38.0 192.168.38.0(2) the Accesslist with traffic to encrypt
object-group network 192.168.10.0
object-network 192.168.10.0 255.255.255.0object-group network 192.168.15.0
object-network 192.168.15.0 255.255.255.0the 192.168.38.0 object-group network
object-network 192.168.38.0 255.255.255.0the 192.168.31.0 object-group network
object-network 192.168.31.0 255.255.255.0object-group network STSVPN-LOCAL
Group-object 192.168.10.0
purpose of group - 192.168.15.0object-group network STSVPN-US
purpose of group - 192.168.38.0
purpose of group - 192.168.31.0ACL_STSVPN-US allowed extended ip access-list object-STSVPN-LOCAL object group STSVPN-American
(3) proposal phase 1
IKEv2 crypto policy 10
aes-256 encryption
sha256 integrity
Group 14
FRP sha256
second life 86400(4) proposal phase 2
Crypto ipsec ikev2 proposal ipsec IKEV2-IPSEC-ESP-AES-SHA
Protocol esp encryption aes-256
Protocol esp integrity sha-256(5) group tunnel
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 General attributes
Group Policy - by default-GrpPolicy-STSVPN-US
IPSec-attributes tunnel-group 14.4.4.4
IKEv2 remote-authentication pre-shared key abcd
IKEv2 authentication local pre-shared key abcdGroupPolicy
Group Policy GrpPolicy-STSVPN-US internal
Group Policy attributes GrpPolicy-STSVPN-US
value of VPN-filter STSVPN-US
Ikev2 VPN-tunnel-Protocol(5) crypto card
10 CM-STSVPN crypto card matches the address STSVPN-US
10 CM - STSVPN peer set 4.4.4.4 crypto card
card crypto 10 CM-STSVPN set ikev2 proposal ipsec IKEV2-IPSEC-ESP-AES-SHA
interface card crypto INT-STSVPN CM-STSVPN
Crypto ikev2 enable INT-STSVPN
/////////////////////////////////////////////////////////////////////The router configuration:
(1) part SA
proposal of crypto ikev2 ki2. PROP
encryption aes-cbc-256
sha256 integrity
Group 14
IKEv2 crypto policy ki2. POL
proposal ki2. PROP
ikev2 KR1 encryption keys
peer ASALAB
address 2.2.2.2
pre-shared key local abcd
pre-shared key remote abcd
Profile of crypto ikev2 ki2. TEACHER
match one address remote identity 2.2.2.2 255.255.255.255
address local identity 4.4.4.4
sharing front of remote authentication
sharing of local meadow of authentication
door-key local KR1
(2) TransformsetCrypto ipsec transform-set TS. VPN2, esp esp - aes hmac-sha256-256
tunnel mode(3) access-list
IP ACL extended access list. VPNIKE2
IP 192.168.31.0 allow 0.0.0.255 192.168.10.0 0.0.0.255
IP 192.168.38.0 allow 0.0.0.255 192.168.15.0 0.0.0.255
(5) crypto cardcrypto CM card. 30 VPN ipsec-isakmp
defined peer 2.2.2.2
the transform-set TS value. VPN2
group14 Set pfs
ki2 ikev2-profile value. TEACHER
match address ACL. VPNIKE2
//////////////////////////////////////////////////////////////////////This configuration is correct to allow both subnets on each side of the VPN tunnel to communicate with each other.
192.168.31.0 subnet cannot communicate with 192.168.10.0
192.168.38.0 subnet cannot communicate with 192.168.15.0Hello Jay,
I went during the configuration of the two aircraft and noticed a few errors on the configuration of the SAA. Details here:
(1) the access list configured for VPN traffic is named ACL_STSVPN-US, however the address for correspondence configured on the map encryption uses a group of objects name instead:
address for correspondence card crypto 10 CM - STSVPN STSVPN-US
You must change this setting to avoid any problems with the negotiation of traffic:
no matching address card crypto 10 CM-STSVPN STSVPN-US
10 CM-STSVPN crypto card matches the address ACL_STSVPN-US
(2) you also have the same error on the configured vpn filter. However, you could not use the access list ACL_STSVPN-United States for VPN filter since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured for remote network (ROUTER) to local networks (ASA). It will look something like this:
access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN
access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN
Group Policy attributes GrpPolicy-STSVPN-US
VPN-Filter VPN_filter valueKeep in mind that the VPN filter is in the rules that determine whether to allow or deny packets of data tunnelees coming through the device security, based on criteria such as the source, destination, and Protocol address address. If you want to use the IP Protocol, the filter will not make a difference.
(3) group 14 of the PFS is configured on the router crypto map, but not on the SAA. You need to even add it in the card encryption ASA or remove it from the router.
ASA:
card crypto 10 CM-STSVPN set group14 pfs
Router:
crypto CM card. 30 VPN ipsec-isakmp
No group14 set pfs
Hope this help you to raise the tunnel,
Luis.
-
Routing between sites that use the site to site VPN
I'm running 7.2 (1) two 515 who have a VPN site-to-site set up a bit as follows:
subnets of the main site - router main site - PIX1___Public IP's___PIX2 - remote site
The main site router: CAT6506 with engine SUP1A
Subnets listed in motor SUP:
SUB1 VLAN
IP address 180.x.1.x.255.254.0
VLAN SUB2
IP address 180.x.2.x.255.254.0
VLAN SUB3
IP address 180.x.3.x.255.254.0
VLAN SUB4
IP address 180.x.4.x.255.255.240
PIX1 is the subnet SUB4 (180.20.4.2)
Remote site subnet: 192.168.1.0/24
Route the engine by default Overtime toward another router that reached the internet via another public IP subnet.
Any host on SUB4 can reach any host on the remote site as long as the SUB4 host default gateway is the inside int PIX1 (180.20.4.2).
No matter what SUB4 host that uses the 180.20.4.1 address (router) default gateway cannot communicate with a remote host, but can communicate with any host from any subnet of the main site.
All remote hosts can communicate with any host on SUB4, regardless of the gateway of the SUB4 host address.
All remote hosts can communicate with the router on SUB4 main site, but can not reach one of the other interfaces subnet configured on the router.
I've added a static route on the SUP engine:
router IP 192.168.1.0 255.255.255.0 180.20.4.2
That did not help.
The uses of motor SUP EIGRP to learn other subnets main site reached through routers, so I added the remote subnet to that:
Router eigrp 10
redistribute static
network 180.20.0.0
network 192.168.1.0
No Auto-resume
No log-neighbor-changes to eigrp
No chance, no more.
I can't help thinking that I'm missing something very basic.
Any help is really appreciated
Hello
PLS, find the changes that must be made and checked.
PIX remotely:
1. you only need a default route and that you can route your subnets via inside as they are outside, so remove these statements
2.i see Access-group configured to be applied to the external interface for traffic coming from the outside, make sure that all required subnets are allowed.
3. in the access list for the corresponding traffic to cryptomap, I see that one included subnet, pls have all included traffic that must be encrypted (as sub1, sub2..)
Main PIX:
1. in the access list for the corresponding traffic to cryptomap, I see that one included subnet, pls have all included traffic that must be encrypted (as sub1, sub2..)
2. is there an 'access-group outside_access_in' access list present in the pix the corresponding traffic - check - the pls
3. by nat (inside) 0 access-list inside_nat0_outbound, include all your inside subnets that must have access to the remote subnet
L3 switch:
1.I see a default route pointing to your router 3640, so pls add a static route to your remote subnet pointing to Pix
IP route 192.168.1.0 255.255.255.0 x.x.22.2
2. pls check in your L3 switch, wheter the appropriate subnets sub1, sub2 are learned properly via the conifugred Eigrp VLAN respective
for example .sub2 and sub3 learning with leap following 8.2, sub 5 via 30.3
Pls try to understand the topology and make configuration changes and let us know the results
concerning
k VB
-
Site to Site VPN of IOS - impossible route after VPN + NAT
Hello
I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.
Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.
I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?
This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)
VPN endpoints: 10.20.1.2 and 10.10.1.2
routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254
From 172.31.0.x to 192.168.1.x
!
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname INSIDEVPN
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxx
!
No aaa new-model
!
!
dot11 syslog
no ip cef
!
!
!
!
IP domain name xxxx.xxxx
!
Authenticated MultiLink bundle-name Panel
!
!
username root password 7 xxxxxxxxxxxxxx
!
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS
!
CRYPTOMAP 10 ipsec-isakmp crypto map
defined by peer 10.20.1.2
game of transformation-VPN-TRANSFORMATIONS
match address 100
!
Archives
The config log
hidekeys
!
!
LAN controller 0
line-run cpe
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
Shutdown
!
interface FastEthernet0
switchport access vlan 12
No cdp enable
card crypto CRYPTOMAP
!
interface FastEthernet1
switchport access vlan 2
No cdp enable
!
interface FastEthernet2
switchport access vlan 2
No cdp enable
!
interface FastEthernet3
switchport access vlan 2
No cdp enable
!
interface Vlan1
no ip address
!
interface Vlan2
IP 192.168.1.1 255.255.255.248
NAT outside IP
IP virtual-reassembly
!
interface Vlan12
10.10.1.2 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
card crypto CRYPTOMAP
!
IP forward-Protocol ND
IP route 192.168.2.0 255.255.255.0 192.168.1.254
IP route 10.20.0.0 255.255.0.0 10.10.1.254
Route IP 172.31.0.0 255.255.0.0 Vlan12
!
!
no ip address of the http server
no ip http secure server
IP nat inside source static 172.31.0.2 192.168.1.11
IP nat inside source 172.31.0.3 static 192.168.1.12
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255
!
!
control plan
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
password 7 xxxxxxxxx
opening of session
!
max-task-time 5000 Planner
end
Hi Jürgen,
First of all, when I went through your config, I saw these lines,
!
interface Vlan2
IP 192.168.1.1 255.255.255.248
!
!
IP route 192.168.2.0 255.255.255.0 192.168.1.254
!
With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.
Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)
Once this has been done. We will have to look at routing.
You are 172.31.0.2-> 192.168.1.11 natting
Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.
Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,
!
IP route 192.168.1.8 255.255.255.248 192.168.1.1
!
If return packets will be correctly routed toward our local router.
If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire
I hope I understood your scenario. Pleae make changes and let me know how you went with it.
Also, please don't forget to rate this post so useful.
Shamal
-
IPsec site to Site VPN on Wi - Fi router
Hello!
Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?
I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?
See you soon!
Michael
I suspect that.
Thank you very much for the reply.
See you soon!
-
Multiple connections to Microsoft sites
I have multiple connections to microsoft sites on how to get online. I got (at the time) and I did not open my browser yet! I'd like to know why, and what function they serve. Thank you
192.88.99.1
207.46.75.254
65.55.37.62
64.4.59.173
213.199.161.77
65.55.53.156
newncsi.glbdns.Microsft.com
Hello1. what browser do you use to go online?
2. don't you make changes before the show?
3. where exactly do you see these connections?This can happen if you have set as the web browser home page www.microsoft.com . Whenever the browser is trying to connect to the Microsoft server, you will see a large number of established connections. But in the description of the problem, you mentioned that you see these connections when the web browser is not open. This leads to some confusion. We appreciate if you can provide us with more details on the issue, so that we can better help you.Kind regards
Syed
Answers from Microsoft supports the engineer. -
Client VPN router IOS, and site to site vpn
Hello
Im trying to configure a vpn client access to an ios router that already has a vpn site-to site running. I don't see how the two can run on the same router.
So I guess my question is is it possible? and if anyone has therefore had a config that they can share or a useful link.
IM using a router 800 series with 12.4 ios
Thank you very much
Colin
ReadersUK wrote:
Hi
Im trying to configure access for a vpn client to a ios router that already has a site to site vpn running. I cant see how both can be running on the same router.
So i guess my question is can this be done? and if so has anyone got a config they can share or a useful link.
im using a 800 series router with 12.4 ios
Many thanks
Colin
Colin
It can be done. Look at this config example that shows a router configured with a site to site VPN and client vpn - connection
Jon
-
Site to Site VPN - cannot ping remote subnet
Hi all.
I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.
Any suggestions?
I'm also an instant learn the ASAs, so I'm not an expert. I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.
Thanks in advance.
5505 lack the command:
management-access inside
Federico.
-
A Site VPN PIX501 and CISCO router
Hello Experts,
I have an at home test lab, I set up a site to site vpn using a router Cisco PIX501 and CISCO2691, for configurations, I have just a few links on the internet, because my background on VPN configuration is not too good, for the configuration of routers, I followed this link:
www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...
and for configuring pIX I just use the VPN Wizard of pix. All confgurations but ping failed. Hope you can help me with this, don't know what to do here (troubleshooting).
Joint here is the configuration of my router, topology, as well as the pix configuration. Hope you can help me with this. Thanks in advance.
Hi Mark,
I went in the Config of the ASA
I see that the dispensation of Nat is stil missing there
Please add the following
access-list allowed sheep ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
inside NAT) 0 access-list sheep
Then try it should work
Thank you
REDA
-
Is site to site VPN with sufficiently secure router?
Hello
I have a question about the site to site VPN with router.
Internet <> router <> LAN
If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?
Thank you
Hi Amanda,.
Assuming your L2L looks like this:
LAN - router - INTERNET - Router_Remote - LAN
|-------------------------------------------------------------------------------|
L2L
Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.
On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.
If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:
Design of the area Guide of Application and firewall policies
If you consider that this is not enough, check the ASA5500 series.
HTH.
Portu.
Please note all useful posts
-
Hello
is it possible to install?
I have a pc and I want to connect to the Remote LAN.
PC (using vpn client) - vpn (internet)---> ROUTER1 - a vpn (MPLS network)---> ROUTER2---> SERVER site
How can I connect to a remote server? Is there an easy way?
I did the configuration of the vpn client (I can connect ROUTER1 and access a LAN via vpn with 192.168.1.x), but I can't connect to the server, even if I set the subnet (192.168.1.x) under the access list of site to site vpn (access list for traffic that must pass between ROUTER1 and ROUTER2).
Please advise! Thanks in advance.
Looks like I've not well explained.
On ROUTER1
===================
1 ACL VNC_acl is used to split tunnel, so you should include IP server_NET it NOT vpn IP pool.
2 ACL najavorbel is used to set the lan lan traffic between ROUTER1 and ROUTER2, 2 you should inlcude
IP 192.168.133.0 allow 0.0.0.255 0.0.0.255
You must change the crypto ROUTER2 ACL of the minor or the najavorbel of the ACL
The other way to is to the client VPN NAT IP to a local area network lan IP ROUTER1, in this way, you don't need any changes on ROUTER2. But I have to take a look at your configuration to make the suggestion.
Maybe you are looking for
-
Pavilion: synaptics touchpad problems.
I currently have problems touchpad and mouse. I used my wireless mouse once and my trachpad has stopped working compltetely. I have seen that it is a common problem but Ive tried everything and nothing works. a hard reset worked once to get my mouse
-
CD/DVD drive does not work
Windows cannot start this hardware device because its information of configuration (in the registry) is incomplete or damaged. (Code 19)
-
Hello, I want to upgrade the CPU on my Satellite A60 celeron P345, what type of processors are supported?Thank you
-
Satellite C670 - Recovery Media Creator launch! Error link
(Google translation)Hello Recovery Media Creator will not start. Missing link, error 'TRMCLcher.exe '.I can't find the software on the Toshiba site!Here's what the file contains Toshiba Recovery Media Creator:http://hpics.Li/6dfd626 Where can I find
-
Primary (internal battery) error on HP Pavillion Sleekbook 15b006e 601
Hello.. Please help with the following. I'll try and give as much detail as possible. Model: HP Pavilion Sleekbook 15-b006ee - link Product number: C6K62EA Windows: 8 I get the main (internal) 601 battery error on my sleekbook. Some other positions,