Routing multiple subnets on a site to site VPN

What is the recommended solution to deliver several subnets on a site to site vpn? Each subnet requires its own policy or a policy can be used for one or more subnets if the remote site has several subnets? In addition, if the remote router has only two fastethernet interfaces, it'll work if one of the interfaces of subinterface configuration or router on a stick?

If you talk about static routing, you can simply add the routes and change the ACL for encrypted as a result traffic.

If you want to run a dynamic routing. you will then need to IPSEC VTI. Here is the link

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136

and although I did not use of subinterfaces for IPSEC VTI. but according to me, it will work.

Tags: Cisco Security

Similar Questions

Cisco ASA 5505 site for multiple subnet of the site.

Hello. I need help to configure my cisco asa 5505.

I set up a VPN between two ASA 5505 tunnel

Site 1:

Subnet 192.168.77.0

Site 2:

Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

What I need help:

Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

Vlan480 is used for phones. In vlan480, we have a PABX.

Is this possible to do?

Any help would be much appreciated!

Config site 2:

: Saved

:

ASA Version 7.2 (2)

!

ciscoasa hostname

domain default.domain.invalid

activate the password encrypted x

names of

name 192.168.1.250 DomeneServer

name of 192.168.1.10 NotesServer

name 192.168.1.90 Steadyily

name 192.168.1.97 TerminalServer

name 192.168.1.98 eyeshare w8

name 192.168.50.10 w8-print

name 192.168.1.94 w8 - app

name 192.168.1.89 FonnaFlyMedia

!

interface Vlan1

nameif Vlan1

security-level 100

IP 192.168.200.100 255.255.255.0

OSPF cost 10

!

interface Vlan2

nameif outside

security-level 0

IP address 79.x.x.226 255.255.255.224

OSPF cost 10

!

interface Vlan400

nameif vlan400

security-level 100

IP 192.168.1.1 255.255.255.0

OSPF cost 10

!

interface Vlan450

nameif Vlan450

security-level 100

IP 192.168.210.1 255.255.255.0

OSPF cost 10

!

interface Vlan460

nameif Vlan460-SuldalHotell

security-level 100

IP 192.168.2.1 255.255.255.0

OSPF cost 10

!

interface Vlan461

nameif Vlan461-SuldalHotellGjest

security-level 100

address 192.168.3.1 IP 255.255.255.0

OSPF cost 10

!

interface Vlan462

Vlan462-Suldalsposten nameif

security-level 100

192.168.4.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan470

nameif vlan470-Kyrkjekontoret

security-level 100

IP 192.168.202.1 255.255.255.0

OSPF cost 10

!

interface Vlan480

nameif vlan480 Telefoni

security-level 100

address 192.168.20.1 255.255.255.0

OSPF cost 10

!

interface Vlan490

nameif Vlan490-QNapBackup

security-level 100

IP 192.168.10.1 255.255.255.0

OSPF cost 10

!

interface Vlan500

nameif Vlan500-HellandBadlands

security-level 100

192.168.30.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan510

Vlan510-IsTak nameif

security-level 100

192.168.40.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan600

nameif Vlan600-SafeQ

security-level 100

192.168.50.1 IP address 255.255.255.0

OSPF cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 500

switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

switchport mode trunk

!

interface Ethernet0/3

switchport access vlan 490

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd encrypted x

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain default.domain.invalid

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

Lotus_Notes_Utgaaande tcp service object-group

UT og Frim Notes Description til alle

area of port-object eq

port-object eq ftp

port-object eq www

EQ object of the https port

port-object eq lotusnotes

EQ Port pop3 object

EQ pptp Port object

EQ smtp port object

Lotus_Notes_inn tcp service object-group

Description of the inn og alle til Notes

port-object eq www

port-object eq lotusnotes

EQ Port pop3 object

EQ smtp port object

object-group service Reisebyraa tcp - udp

3702 3702 object-port Beach

5500 5500 object-port Beach

range of object-port 9876 9876

object-group service Remote_Desktop tcp - udp

Description Tilgang til Remote Desktop

3389 3389 port-object range

object-group service Sand_Servicenter_50000 tcp - udp

Description program tilgang til sand service AS

object-port range 50000 50000

VNC_Remote_Admin tcp service object-group

Description Fra ¥ oss til alle

5900 5900 port-object range

object-group service Printer_Accept tcp - udp

9100 9100 port-object range

port-object eq echo

ICMP-type of object-group Echo_Ping

echo ICMP-object

response to echo ICMP-object

object-group service Print tcp

9100 9100 port-object range

FTP_NADA tcp service object-group

Suldalsposten NADA tilgang description

port-object eq ftp

port-object eq ftp - data

Telefonsentral tcp service object-group

Hoftun description

port-object eq ftp

port-object eq ftp - data

port-object eq www

EQ object of the https port

port-object eq telnet

Printer_inn_800 tcp service object-group

Fra 800 thought-out og inn til 400 port 7777 description

range of object-port 7777 7777

Suldalsposten tcp service object-group

Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

EQ Port pop3 object

EQ smtp port object

http2 tcp service object-group

Beach of port-object 81 81

object-group service DMZ_FTP_PASSIVE tcp - udp

55536 56559 object-port Beach

object-group service DMZ_FTP tcp - udp

20 21 object-port Beach

object-group service DMZ_HTTPS tcp - udp

Beach of port-object 443 443

object-group service DMZ_HTTP tcp - udp

8080 8080 port-object range

DNS_Query tcp service object-group

of domain object from the beach

object-group service DUETT_SQL_PORT tcp - udp

Description for a mellom andre og duett Server nett

54659 54659 object-port Beach

outside_access_in of access allowed any ip an extended list

outside_access_out of access allowed any ip an extended list

vlan400_access_in list extended access deny ip any host 149.20.56.34

vlan400_access_in list extended access deny ip any host 149.20.56.32

vlan400_access_in of access allowed any ip an extended list

Vlan450_access_in list extended access deny ip any host 149.20.56.34

Vlan450_access_in list extended access deny ip any host 149.20.56.32

Vlan450_access_in of access allowed any ip an extended list

Vlan460_access_in list extended access deny ip any host 149.20.56.34

Vlan460_access_in list extended access deny ip any host 149.20.56.32

Vlan460_access_in of access allowed any ip an extended list

vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

Vlan500_access_in list extended access deny ip any host 149.20.56.34

Vlan500_access_in list extended access deny ip any host 149.20.56.32

Vlan500_access_in of access allowed any ip an extended list

vlan470_access_in list extended access deny ip any host 149.20.56.34

vlan470_access_in list extended access deny ip any host 149.20.56.32

vlan470_access_in of access allowed any ip an extended list

Vlan490_access_in list extended access deny ip any host 149.20.56.34

Vlan490_access_in list extended access deny ip any host 149.20.56.32

Vlan490_access_in of access allowed any ip an extended list

Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan1_access_out of access allowed any ip an extended list

Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

Vlan1_access_out deny ip extended access list a whole

Vlan1_access_out list extended access permit icmp any any echo response

Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

vlan480_access_out of access allowed any ip an extended list

Vlan510_access_in of access allowed any ip an extended list

Vlan600_access_in of access allowed any ip an extended list

Vlan600_access_out list extended access permit icmp any one

Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

Vlan600_access_in_1 of access allowed any ip an extended list

Vlan461_access_in of access allowed any ip an extended list

Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

pager lines 24

Enable logging

asdm of logging of information

MTU 1500 Vlan1

Outside 1500 MTU

vlan400 MTU 1500

MTU 1500 Vlan450

MTU 1500 Vlan460-SuldalHotell

MTU 1500 Vlan461-SuldalHotellGjest

vlan470-Kyrkjekontoret MTU 1500

MTU 1500 vlan480-Telefoni

MTU 1500 Vlan490-QNapBackup

MTU 1500 Vlan500-HellandBadlands

MTU 1500 Vlan510-IsTak

MTU 1500 Vlan600-SafeQ

MTU 1500 Vlan462-Suldalsposten

no failover

Monitor-interface Vlan1

interface of the monitor to the outside

the interface of the monitor vlan400

the interface of the monitor Vlan450

the interface of the Vlan460-SuldalHotell monitor

the interface of the Vlan461-SuldalHotellGjest monitor

the interface of the vlan470-Kyrkjekontoret monitor

Monitor-interface vlan480-Telefoni

the interface of the Vlan490-QNapBackup monitor

the interface of the Vlan500-HellandBadlands monitor

Monitor-interface Vlan510-IsTak

Monitor-interface Vlan600-SafeQ

the interface of the monitor Vlan462-Suldalsposten

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 522.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

vlan400_nat0_outbound (vlan400) NAT 0 access list

NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

(Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

(vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

(vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

Access-group interface Vlan1 Vlan1_access_out

Access-group outside_access_in in interface outside

Access-group outside_access_out outside interface

Access-group vlan400_access_in in the vlan400 interface

vlan400_access_out group access to the interface vlan400

Access-group Vlan450_access_in in the Vlan450 interface

Access-group interface Vlan450 Vlan450_access_out

Access-group interface Vlan460-SuldalHotell Vlan460_access_in

Access-group interface Vlan460-SuldalHotell Vlan460_access_out

Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

access to the interface vlan480-Telefoni, vlan480_access_out group

Access-group interface Vlan490-QNapBackup Vlan490_access_in

Access-group interface Vlan490-QNapBackup Vlan490_access_out

Access-group interface Vlan500-HellandBadlands Vlan500_access_in

Access-group interface Vlan500-HellandBadlands Vlan500_access_out

Access-group interface Vlan510-IsTak Vlan510_access_in

Access-group interface Vlan510-IsTak Vlan510_access_out

Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

Access-group Vlan600_access_out interface Vlan600-SafeQ

Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout, uauth 0:05:00 absolute

x x encrypted privilege 15 password username

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.210.0 255.255.255.0 Vlan450

http 192.168.200.0 255.255.255.0 Vlan1

http 192.168.1.0 255.255.255.0 vlan400

No snmp server location

No snmp Server contact

SNMP-Server Community public

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map 20 match address outside_20_cryptomap_1

card crypto outside_map 20 set pfs

peer set card crypto outside_map 20 62.92.159.137

outside_map crypto 20 card value transform-set ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

ISAKMP crypto enable vlan400

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

tunnel-group 62.92.159.137 type ipsec-l2l

IPSec-attributes tunnel-group 62.92.159.137

pre-shared-key *.

Telnet 192.168.200.0 255.255.255.0 Vlan1

Telnet 192.168.1.0 255.255.255.0 vlan400

Telnet timeout 5

SSH 171.68.225.216 255.255.255.255 outside

SSH timeout 5

Console timeout 0

dhcpd update dns both

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

!

dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

dhcpd option 3 ip 192.168.1.1 interface vlan400

vlan400 enable dhcpd

!

dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

dhcpd ip interface 192.168.210.1 option 3 Vlan450

enable Vlan450 dhcpd

!

dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

dhcpd enable Vlan460-SuldalHotell

!

dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

dhcpd enable Vlan461-SuldalHotellGjest

!

dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

dhcpd enable vlan470-Kyrkjekontoret

!

dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

!

dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

!

dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

dhcpd enable Vlan500-HellandBadlands

!

dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

Vlan510-IsTak enable dhcpd

!

dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

Vlan600-SafeQ enable dhcpd

!

dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

Vlan462-Suldalsposten enable dhcpd

!

!

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

!

context of prompt hostname

Cryptochecksum:x

: end

Site 1 config:

: Saved

:

ASA Version 7.2 (4)

!

ciscoasa hostname

domain default.domain.invalid

activate the password encrypted x

passwd encrypted x

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.77.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

PPPoE Telenor customer vpdn group

IP address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 15

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

DNS server-group DefaultDNS

domain default.domain.invalid

outside_access_in list extended access permit icmp any any disable log echo-reply

access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 524.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Access-group outside_access_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

Enable http server

http 192.168.77.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 79.160.252.226

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.77.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

VPDN group Telenor request dialout pppoe

VPDN group Telenor localname x

VPDN group Telenor ppp authentication chap

VPDN x x local store password username

dhcpd outside auto_config

!

dhcpd address 192.168.77.100 - 192.168.77.130 inside

dhcpd dns 192.168.77.1 on the inside interface

dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

dhcpd allow inside

!

dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

!

tunnel-group 79.160.252.226 type ipsec-l2l

IPSec-attributes tunnel-group 79.160.252.226

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:x

: end

Hello

The addition of a new network to the existing VPN L2L should be a fairly simple process.

Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

Looking at your configurations above it would appear that you need to the following configurations

SITE 1
- We add the new network at the same time the crypto ACL and ACL NAT0
access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

SITE 2
- We add new ACL crypto network
- We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration
outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

Comment by VLAN480-NAT0 NAT0 for VPN access-list

access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

These configurations should pretty much do the trick.

Let me know if it worked

-Jouni

IPSec site to site VPN cisco VPN client routing problem and

Hello

I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

There are on the shelves, there is no material used cisco - routers DLINK.

Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

Can someone help me please?

Thank you

Peter

RAYS - not cisco devices / another provider

Cisco 1841 HSEC HUB:

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key x xx address no.-xauth

!

the group x crypto isakmp client configuration

x key

pool vpnclientpool

ACL 190

include-local-lan

!

86400 seconds, duration of life crypto ipsec security association

Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

!

Crypto-map dynamic dynmap 10

Set transform-set 1cisco

!

card crypto ETH0 client authentication list userauthen

card crypto isakmp authorization list groupauthor ETH0

client configuration address card crypto ETH0 answer

ETH0 1 ipsec-isakmp crypto map

set peer x

Set transform-set 1cisco

PFS group2 Set

match address 180

card ETH0 10-isakmp ipsec crypto dynamic dynmap

!

!

interface FastEthernet0/1

Description $ES_WAN$

card crypto ETH0

!

IP local pool vpnclientpool 192.168.200.100 192.168.200.150

!

!

overload of IP nat inside source list LOCAL interface FastEthernet0/1

!

IP access-list extended LOCAL

deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

IP 192.168.7.0 allow 0.0.0.255 any

!

access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

!

How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

DE:

access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

TO:

access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

Also change the ACL 190 split tunnel:

DE:

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

TO:

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

Hope that helps.

SA520w routing through site-to-site VPN tunnels

I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

A - the site 10.10.0.0/24

Site B - 10.0.0.0/24

Site of the C - 10.25.0.0/24

Any help is greatly appreciated.

So, that's what you have configured correctly?

RTR_A

||

_____________ || ___________

|| ||

RTR_B RTR_C

Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

I hope this helps.

Site to site VPN with router IOS

I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

Thank you in advance.

Pete.

Pete

I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

-you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

-I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

-If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

-I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

-regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

-You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

-There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

-I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

I hope that your application is fine and that my suggestions could be useful.

[edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

HTH

Rick

Several subnets in the site to Site VPN

Hi guys,.
I would like to set up a site of tunnel VPN stie with several subnets. I could not find a configuration which is my problem. I hope you can help me with the solution.
You can find my design network attach to this subject.
This is my setup on the ASA:

(1) NAT excemption for network traffic, go to the Site to site VPN.
NAT (MGMTLAN, INT STSVPN) static source 192.168.10.0 192.168.10.0 static destination 192.168.31.0 192.168.31.0
NAT (inside, INT STSVPN) static source 192.168.15.0 192.168.15.0 static destination 192.168.38.0 192.168.38.0

(2) the Accesslist with traffic to encrypt
object-group network 192.168.10.0
object-network 192.168.10.0 255.255.255.0

object-group network 192.168.15.0
object-network 192.168.15.0 255.255.255.0

the 192.168.38.0 object-group network
object-network 192.168.38.0 255.255.255.0

the 192.168.31.0 object-group network
object-network 192.168.31.0 255.255.255.0

object-group network STSVPN-LOCAL
Group-object 192.168.10.0
purpose of group - 192.168.15.0

object-group network STSVPN-US
purpose of group - 192.168.38.0
purpose of group - 192.168.31.0

ACL_STSVPN-US allowed extended ip access-list object-STSVPN-LOCAL object group STSVPN-American

(3) proposal phase 1
IKEv2 crypto policy 10
aes-256 encryption
sha256 integrity
Group 14
FRP sha256
second life 86400

(4) proposal phase 2
Crypto ipsec ikev2 proposal ipsec IKEV2-IPSEC-ESP-AES-SHA
Protocol esp encryption aes-256
Protocol esp integrity sha-256

(5) group tunnel
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 General attributes
Group Policy - by default-GrpPolicy-STSVPN-US
IPSec-attributes tunnel-group 14.4.4.4
IKEv2 remote-authentication pre-shared key abcd
IKEv2 authentication local pre-shared key abcd

GroupPolicy
Group Policy GrpPolicy-STSVPN-US internal
Group Policy attributes GrpPolicy-STSVPN-US
value of VPN-filter STSVPN-US
Ikev2 VPN-tunnel-Protocol

(5) crypto card
10 CM-STSVPN crypto card matches the address STSVPN-US
10 CM - STSVPN peer set 4.4.4.4 crypto card
card crypto 10 CM-STSVPN set ikev2 proposal ipsec IKEV2-IPSEC-ESP-AES-SHA
interface card crypto INT-STSVPN CM-STSVPN
Crypto ikev2 enable INT-STSVPN

/////////////////////////////////////////////////////////////////////

The router configuration:

(1) part SA

proposal of crypto ikev2 ki2. PROP
encryption aes-cbc-256
sha256 integrity
Group 14
IKEv2 crypto policy ki2. POL
proposal ki2. PROP
ikev2 KR1 encryption keys
peer ASALAB
address 2.2.2.2
pre-shared key local abcd
pre-shared key remote abcd
Profile of crypto ikev2 ki2. TEACHER
match one address remote identity 2.2.2.2 255.255.255.255
address local identity 4.4.4.4
sharing front of remote authentication
sharing of local meadow of authentication
door-key local KR1

(2) Transformset

Crypto ipsec transform-set TS. VPN2, esp esp - aes hmac-sha256-256
tunnel mode

(3) access-list

IP ACL extended access list. VPNIKE2
IP 192.168.31.0 allow 0.0.0.255 192.168.10.0 0.0.0.255
IP 192.168.38.0 allow 0.0.0.255 192.168.15.0 0.0.0.255

(5) crypto card

crypto CM card. 30 VPN ipsec-isakmp
defined peer 2.2.2.2
the transform-set TS value. VPN2
group14 Set pfs
ki2 ikev2-profile value. TEACHER
match address ACL. VPNIKE2

//////////////////////////////////////////////////////////////////////

This configuration is correct to allow both subnets on each side of the VPN tunnel to communicate with each other.

192.168.31.0 subnet cannot communicate with 192.168.10.0
192.168.38.0 subnet cannot communicate with 192.168.15.0

Hello Jay,

I went during the configuration of the two aircraft and noticed a few errors on the configuration of the SAA. Details here:

(1) the access list configured for VPN traffic is named ACL_STSVPN-US, however the address for correspondence configured on the map encryption uses a group of objects name instead:

address for correspondence card crypto 10 CM - STSVPN STSVPN-US

You must change this setting to avoid any problems with the negotiation of traffic:

no matching address card crypto 10 CM-STSVPN STSVPN-US

10 CM-STSVPN crypto card matches the address ACL_STSVPN-US

(2) you also have the same error on the configured vpn filter. However, you could not use the access list ACL_STSVPN-United States for VPN filter since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured for remote network (ROUTER) to local networks (ASA). It will look something like this:

access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN

access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN

Group Policy attributes GrpPolicy-STSVPN-US
VPN-Filter VPN_filter value

Keep in mind that the VPN filter is in the rules that determine whether to allow or deny packets of data tunnelees coming through the device security, based on criteria such as the source, destination, and Protocol address address. If you want to use the IP Protocol, the filter will not make a difference.

(3) group 14 of the PFS is configured on the router crypto map, but not on the SAA. You need to even add it in the card encryption ASA or remove it from the router.

ASA:

card crypto 10 CM-STSVPN set group14 pfs

Router:

crypto CM card. 30 VPN ipsec-isakmp

No group14 set pfs

Hope this help you to raise the tunnel,

Luis.

Routing between sites that use the site to site VPN

I'm running 7.2 (1) two 515 who have a VPN site-to-site set up a bit as follows:

subnets of the main site - router main site - PIX1___Public IP's___PIX2 - remote site

The main site router: CAT6506 with engine SUP1A

Subnets listed in motor SUP:

SUB1 VLAN

IP address 180.x.1.x.255.254.0

VLAN SUB2

IP address 180.x.2.x.255.254.0

VLAN SUB3

IP address 180.x.3.x.255.254.0

VLAN SUB4

IP address 180.x.4.x.255.255.240

PIX1 is the subnet SUB4 (180.20.4.2)

Remote site subnet: 192.168.1.0/24

Route the engine by default Overtime toward another router that reached the internet via another public IP subnet.

Any host on SUB4 can reach any host on the remote site as long as the SUB4 host default gateway is the inside int PIX1 (180.20.4.2).

No matter what SUB4 host that uses the 180.20.4.1 address (router) default gateway cannot communicate with a remote host, but can communicate with any host from any subnet of the main site.

All remote hosts can communicate with any host on SUB4, regardless of the gateway of the SUB4 host address.

All remote hosts can communicate with the router on SUB4 main site, but can not reach one of the other interfaces subnet configured on the router.

I've added a static route on the SUP engine:

router IP 192.168.1.0 255.255.255.0 180.20.4.2

That did not help.

The uses of motor SUP EIGRP to learn other subnets main site reached through routers, so I added the remote subnet to that:

Router eigrp 10

redistribute static

network 180.20.0.0

network 192.168.1.0

No Auto-resume

No log-neighbor-changes to eigrp

No chance, no more.

I can't help thinking that I'm missing something very basic.

Any help is really appreciated

Hello

PLS, find the changes that must be made and checked.

PIX remotely:

1. you only need a default route and that you can route your subnets via inside as they are outside, so remove these statements

2.i see Access-group configured to be applied to the external interface for traffic coming from the outside, make sure that all required subnets are allowed.

3. in the access list for the corresponding traffic to cryptomap, I see that one included subnet, pls have all included traffic that must be encrypted (as sub1, sub2..)

Main PIX:

1. in the access list for the corresponding traffic to cryptomap, I see that one included subnet, pls have all included traffic that must be encrypted (as sub1, sub2..)

2. is there an 'access-group outside_access_in' access list present in the pix the corresponding traffic - check - the pls

3. by nat (inside) 0 access-list inside_nat0_outbound, include all your inside subnets that must have access to the remote subnet

L3 switch:

1.I see a default route pointing to your router 3640, so pls add a static route to your remote subnet pointing to Pix

IP route 192.168.1.0 255.255.255.0 x.x.22.2

2. pls check in your L3 switch, wheter the appropriate subnets sub1, sub2 are learned properly via the conifugred Eigrp VLAN respective

for example .sub2 and sub3 learning with leap following 8.2, sub 5 via 30.3

Pls try to understand the topology and make configuration changes and let us know the results

concerning

k VB

Site to Site VPN of IOS - impossible route after VPN + NAT

Hello

I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.

Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.

I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?

This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)

VPN endpoints: 10.20.1.2 and 10.10.1.2

routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254

From 172.31.0.x to 192.168.1.x

!

version 12.4

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname INSIDEVPN

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxxxxxxxxxxxx

!

No aaa new-model

!

!

dot11 syslog

no ip cef

!

!

!

!

IP domain name xxxx.xxxx

!

Authenticated MultiLink bundle-name Panel

!

!

username root password 7 xxxxxxxxxxxxxx

!

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS

!

CRYPTOMAP 10 ipsec-isakmp crypto map

defined by peer 10.20.1.2

game of transformation-VPN-TRANSFORMATIONS

match address 100

!

Archives

The config log

hidekeys

!

!

LAN controller 0

line-run cpe

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

!

interface FastEthernet0

switchport access vlan 12

No cdp enable

card crypto CRYPTOMAP

!

interface FastEthernet1

switchport access vlan 2

No cdp enable

!

interface FastEthernet2

switchport access vlan 2

No cdp enable

!

interface FastEthernet3

switchport access vlan 2

No cdp enable

!

interface Vlan1

no ip address

!

interface Vlan2

IP 192.168.1.1 255.255.255.248

NAT outside IP

IP virtual-reassembly

!

interface Vlan12

10.10.1.2 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

card crypto CRYPTOMAP

!

IP forward-Protocol ND

IP route 192.168.2.0 255.255.255.0 192.168.1.254

IP route 10.20.0.0 255.255.0.0 10.10.1.254

Route IP 172.31.0.0 255.255.0.0 Vlan12

!

!

no ip address of the http server

no ip http secure server

IP nat inside source static 172.31.0.2 192.168.1.11

IP nat inside source 172.31.0.3 static 192.168.1.12

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

password 7 xxxxxxxxx

opening of session

!

max-task-time 5000 Planner

end

Hi Jürgen,

First of all, when I went through your config, I saw these lines,

!

interface Vlan2

IP 192.168.1.1 255.255.255.248

!

!

IP route 192.168.2.0 255.255.255.0 192.168.1.254

!

With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.

Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)

Once this has been done. We will have to look at routing.

You are 172.31.0.2-> 192.168.1.11 natting

Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.

Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,

!

IP route 192.168.1.8 255.255.255.248 192.168.1.1

!

If return packets will be correctly routed toward our local router.

If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire

I hope I understood your scenario. Pleae make changes and let me know how you went with it.

Also, please don't forget to rate this post so useful.

Shamal

IPsec site to Site VPN on Wi - Fi router

Hello!

Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?

I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

See you soon!

Michael

I suspect that.

Thank you very much for the reply.

See you soon!

Multiple connections to Microsoft sites

I have multiple connections to microsoft sites on how to get online. I got (at the time) and I did not open my browser yet! I'd like to know why, and what function they serve. Thank you

192.88.99.1

207.46.75.254

65.55.37.62

64.4.59.173

213.199.161.77

65.55.53.156

newncsi.glbdns.Microsft.com

Hello

1. what browser do you use to go online?
2. don't you make changes before the show?
3. where exactly do you see these connections?

This can happen if you have set as the web browser home page www.microsoft.com . Whenever the browser is trying to connect to the Microsoft server, you will see a large number of established connections. But in the description of the problem, you mentioned that you see these connections when the web browser is not open. This leads to some confusion. We appreciate if you can provide us with more details on the issue, so that we can better help you.

Kind regards
Syed
Answers from Microsoft supports the engineer.

Client VPN router IOS, and site to site vpn

Hello

Im trying to configure a vpn client access to an ios router that already has a vpn site-to site running. I don't see how the two can run on the same router.

So I guess my question is is it possible? and if anyone has therefore had a config that they can share or a useful link.

IM using a router 800 series with 12.4 ios

Thank you very much

Colin
```
ReadersUK wrote:
Hi
Im trying to configure access for a vpn client to a ios router that already has a site to site vpn running. I cant see how both can be running on the same router.
So i guess my question is can this be done? and if so has anyone got a config they can share or a useful link.
im using a 800 series router with 12.4 ios
Many thanks
Colin
```
Colin

It can be done. Look at this config example that shows a router configured with a site to site VPN and client vpn - connection

https://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094685.shtml

Jon

Site to Site VPN - cannot ping remote subnet

Hi all.

I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

Any suggestions?

I'm also an instant learn the ASAs, so I'm not an expert. I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

Thanks in advance.

5505 lack the command:

management-access inside

Federico.

A Site VPN PIX501 and CISCO router

Hello Experts,

I have an at home test lab, I set up a site to site vpn using a router Cisco PIX501 and CISCO2691, for configurations, I have just a few links on the internet, because my background on VPN configuration is not too good, for the configuration of routers, I followed this link:

www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...

and for configuring pIX I just use the VPN Wizard of pix. All confgurations but ping failed. Hope you can help me with this, don't know what to do here (troubleshooting).

Joint here is the configuration of my router, topology, as well as the pix configuration. Hope you can help me with this. Thanks in advance.

Hi Mark,

I went in the Config of the ASA

I see that the dispensation of Nat is stil missing there

Please add the following

access-list allowed sheep ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0

inside NAT) 0 access-list sheep

Then try it should work

Thank you

REDA

Is site to site VPN with sufficiently secure router?

Hello

I have a question about the site to site VPN with router.

Internet <> router <> LAN

If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?

Thank you

Hi Amanda,.

Assuming your L2L looks like this:

LAN - router - INTERNET - Router_Remote - LAN

|-------------------------------------------------------------------------------|

L2L

Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.

On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.

If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:

Design of the area Guide of Application and firewall policies

If you consider that this is not enough, check the ASA5500 series.

HTH.

Portu.

Please note all useful posts

VPN - PC (vpn client) problem-> router-> (site to site vpn)-> local network

Hello

is it possible to install?

I have a pc and I want to connect to the Remote LAN.

PC (using vpn client) - vpn (internet)---> ROUTER1 - a vpn (MPLS network)---> ROUTER2---> SERVER site

How can I connect to a remote server? Is there an easy way?

I did the configuration of the vpn client (I can connect ROUTER1 and access a LAN via vpn with 192.168.1.x), but I can't connect to the server, even if I set the subnet (192.168.1.x) under the access list of site to site vpn (access list for traffic that must pass between ROUTER1 and ROUTER2).

Please advise! Thanks in advance.

Looks like I've not well explained.

On ROUTER1

===================

1 ACL VNC_acl is used to split tunnel, so you should include IP server_NET it NOT vpn IP pool.

2 ACL najavorbel is used to set the lan lan traffic between ROUTER1 and ROUTER2, 2 you should inlcude

IP 192.168.133.0 allow 0.0.0.255 0.0.0.255

You must change the crypto ROUTER2 ACL of the minor or the najavorbel of the ACL

The other way to is to the client VPN NAT IP to a local area network lan IP ROUTER1, in this way, you don't need any changes on ROUTER2. But I have to take a look at your configuration to make the suggestion.

Routing multiple subnets on a site to site VPN

Similar Questions

Maybe you are looking for