routing of multiple site-2-site VPN gateways

I have a strange configuration and need help.

We have an ISP with a /29 network. We have connected the Ethernet handoff to a layer-2 device and connected one end to a Calyptix firewall and the other to our Cisco 2811.

The router has a default route that points to the Calyptix firewall.

Currently, the router also has a P2P T1 line at the corp office.

We would like to set up a site-to-site VPN from this router to the corp office and use the P2P as the backup for local traffic, but everything else goes out the ASA.

I feel like I should be able to configure a tunnel between the two (branch and corp) public IP addresses, but I can't ping the corp public IP address from the branch because it goes to the firewall (default route).

What am I missing?

I have attached a PDF file of the configuration of the network.

I tried to configure static routes:

ip route 50.199.17.17 255.255.255.255 72.34.95.209

and

ip route 72.34.95.210 255.255.255.255 50.199.17.22

But this does not work, any ideas or suggestions?

Hi James,

1. Please check where the traffic from 50.199.17.17 to 72.34.95.210 is going. Do a traceroute to 72.34.95.210 and check whether it goes to .210 directly, or to .211 (the firewall) and then to .210.

Note: based on your current configuration, the return traffic may flow 50.199.17.16 --> firewall (72.34.95.211) --> router (maybe the ISP forces it in this direction).

2. Please check that you are not somehow receiving this route (50.199.17.16/29) over the P2P T1, by doing a traceroute from 72.34.95.210 to 50.199.17.17.

3. Check that you don't have any inbound ACL on either router.

Please mark this message as correct if it works.
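The reply asks where traffic to the far-end public address actually goes. The following is an added example (not code from the thread) that replays longest-prefix matching over both routers' static routes to show why the /32 host routes from the question are needed on both sides: the addresses are the thread's, while the corp default gateway and the P2P T1 far end are constructed placeholders.

```python
"""Longest-prefix-match replay for the branch and corp routers in the thread above.
Added example, not code from the post. Addresses are the thread's (branch router
72.34.95.210 behind ISP gateway 72.34.95.209 and Calyptix firewall 72.34.95.211;
corp router 50.199.17.17 behind ISP gateway 50.199.17.22). The corp default
gateway and the P2P T1 far end are constructed placeholders."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

BRANCH_ROUTER, BRANCH_ISP_GW, BRANCH_FW = "72.34.95.210", "72.34.95.209", "72.34.95.211"
CORP_ROUTER, CORP_ISP_GW = "50.199.17.17", "50.199.17.22"
CORP_FW = "192.0.2.1"         # constructed placeholder: corp default gateway
T1_FAR_END = "10.255.255.2"   # constructed placeholder: P2P T1 far end

# Branch 2811 as posted: default route to the firewall. The /29 via the T1 is the
# case the reply asks to rule out (corp's public block learned over the leased line).
BRANCH_BEFORE = f"""
ip route 0.0.0.0 0.0.0.0 {BRANCH_FW}
ip route 50.199.17.16 255.255.255.248 {T1_FAR_END}
"""
CORP_BEFORE = f"ip route 0.0.0.0 0.0.0.0 {CORP_FW}\n"

# The two host routes from the post, one per router.
BRANCH_AFTER = BRANCH_BEFORE + f"ip route {CORP_ROUTER} 255.255.255.255 {BRANCH_ISP_GW}\n"
CORP_AFTER = CORP_BEFORE + f"ip route {BRANCH_ROUTER} 255.255.255.255 {CORP_ISP_GW}\n"


def parse_ip_routes(config: str) -> List[Route]:
    """Turn IOS 'ip route PREFIX MASK NEXT_HOP' lines into (network, next hop) pairs."""
    routes: List[Route] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or [p.lower() for p in parts[:2]] != ["ip", "route"]:
            continue
        prefix, mask, next_hop = parts[2], parts[3], parts[4]
        net = ipaddress.IPv4Network(f"{prefix}/{mask}", strict=False)
        routes.append((net, ipaddress.IPv4Address(next_hop)))
    return routes


def next_hop_for(routes: List[Route], dst: str) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match: the most specific route containing dst wins, so a /32
    host route beats a /29 learned over the T1, which beats the 0/0 default."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def tunnel_next_hops(branch_cfg: str, corp_cfg: str) -> Dict[str, str]:
    """Next hop each router picks for the other tunnel endpoint (IKE/ESP go here)."""
    return {
        "branch->corp": str(next_hop_for(parse_ip_routes(branch_cfg), CORP_ROUTER)),
        "corp->branch": str(next_hop_for(parse_ip_routes(corp_cfg), BRANCH_ROUTER)),
    }


def tunnel_uses_isp_both_ways(branch_cfg: str, corp_cfg: str) -> bool:
    """True only when both directions leave via the ISP gateway, i.e. the tunnel is
    symmetric and bypasses both the firewall and the T1 (what the traceroutes in
    the reply are meant to confirm)."""
    hops = tunnel_next_hops(branch_cfg, corp_cfg)
    return hops["branch->corp"] == BRANCH_ISP_GW and hops["corp->branch"] == CORP_ISP_GW


if __name__ == "__main__":
    print("before host routes:", tunnel_next_hops(BRANCH_BEFORE, CORP_BEFORE))
    print("after host routes: ", tunnel_next_hops(BRANCH_AFTER, CORP_AFTER))
    print("internet-bound 8.8.8.8 still via firewall:",
          next_hop_for(parse_ip_routes(BRANCH_AFTER), "8.8.8.8"))
```

Without the host routes the branch sends IKE towards the T1 (the /29 is more specific than the default) and corp answers via its own default gateway, which is the asymmetric path the reply describes; with both /32 routes in place only the ISP gateways are used and ordinary Internet traffic still follows the default to the firewall.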

Tags: Cisco Network

Similar Questions

  • Routing issue on site-to-site VPN

    Hello

    I have a site-to-site VPN between an SR520 and pfSense. The tunnel is up, but I can't ping the internal addresses of the two sites; the tunnel terminates on my default gateway. Help, please.

    Access list configuration:

    access-list 100 permit ip 10.0.43.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255
    ip nat inside source route-map SHEEP interface Dialer0 overload
    access-list 110 deny ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255
    access-list 110 permit ip 10.10.10.0 0.0.0.255 any
    route-map SHEEP permit 10
     match ip address 110

    Note: remote site (pfSense) is 10.0.43.0/24

    Local site Cisco SR520 router is 10.10.10.0/29

    Glad to know everything works now,

    Please mark the question as answered so future users can learn from it.

    Kind regards

  • Cannot ping sub-interface gateways from my remote VPN site

    I can't ping my sub-interface gateways over my remote VPN connection.

    I can ping 192.6.1.0 network, but can't ping network 192.6.2.0 or 192.6.3.0

    When I remote desktop into 192.6.1.20 I can ping all the networks, including the sub-interface gateways.

    I think something in my ASA is misconfigured or missing.

    ASA NAT rules:

    Exempt NAT Interface: inside

    Source 192.6.0.0/16

    Destination 192.6.10.96/27

    Static NAT interface: inside (it's for the local NAT of E0/0 out)

    Source 192.6.1.1/16

    Interface translated outside the Destination: 172.35.221.200

    Dynamic NAT interface: inside

    Source: no

    Destination: outside

    ASA access rules:

    Permit outside

    Source: no

    Destination: out

    Services: udp, tcp, tcp/http

    Static routes:

    Interface: Outside > network: any, via the outside DSL (no DSL is shown in the diagram)

    Some incorrect configuration:

    On the ASA:

    (1) The routes are incorrect; the default route should point to the next hop, that is, the internet router 172.35.221.x, as follows:

    route outside 0.0.0.0 0.0.0.0 172.35.221.x

    ---> where x is the internet router's IP address.

    The existing routes need to be removed:

    no route outside 0.0.0.0 0.0.0.0 192.298.47.182 255
    no route outside 0.0.0.0 0.0.0.0 172.35.209.81 tunneled

    (2) The following static NAT statement is incorrect too and should be removed:

    static (inside,outside) USSLTA01_External USSLTA01 netmask 255.255.255.255

    --> You cannot NAT the ASA's own interface.

    (3) The subnet mask of the ASA inside interface should be 255.255.255.0, not 255.255.0.0. It should be the same as the router interface subnet mask:

    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.6.1.254 255.255.255.0

    (4) Add routes on the ASA to reach these sub-interface subnets as follows:

    route inside 192.6.2.0 255.255.255.0 192.6.1.235
    route inside 192.6.3.0 255.255.255.0 192.6.1.235
    route inside 192.6.4.0 255.255.255.0 192.6.1.235

    On the router, configure the default route as follows:

    ip route 0.0.0.0 0.0.0.0 192.6.1.254

  • Routing multiple subnets on a site to site VPN

    What is the recommended solution to carry several subnets over a site-to-site VPN? Does each subnet require its own policy, or can one policy be used for one or more subnets if the remote site has several subnets? In addition, if the remote router has only two FastEthernet interfaces, will it work if one of the interfaces is configured with subinterfaces (router on a stick)?

    If you are talking about static routing, you can simply add the routes and change the crypto ACL for the corresponding traffic accordingly.

    If you want to run dynamic routing, you will need IPsec VTI. Here is the link:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136

    And although I have not used subinterfaces with IPsec VTI, I believe it will work.

  • IPsec site-to-site VPN and Cisco VPN client routing problem

    Hello

    I'm really stuck with the configuration of an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN client remote access to this VPN.

    The problem is with remote access (Cisco VPN client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.

    On the spokes there is no Cisco hardware; they are D-Link routers.

    Someone told me that it is possible to use NAT to translate the remote-access client IPs into the hub LAN and thus allow communication, but I'm unable to set it up and make it work.

    Can someone help me please?

    Thank you

    Peter

    SPOKES - not Cisco devices / another vendor

    Cisco 1841 HSEC HUB:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key x address xx no-xauth
    !
    crypto isakmp client configuration group x
     key x
     pool vpnclientpool
     acl 190
     include-local-lan
    !
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set 1cisco
    !
    crypto map ETH0 client authentication list userauthen
    crypto map ETH0 isakmp authorization list groupauthor
    crypto map ETH0 client configuration address respond
    crypto map ETH0 1 ipsec-isakmp
     set peer x
     set transform-set 1cisco
     set pfs group2
     match address 180
    crypto map ETH0 10 ipsec-isakmp dynamic dynmap
    !
    !
    interface FastEthernet0/1
     description $ES_WAN$
     crypto map ETH0
    !
    ip local pool vpnclientpool 192.168.200.100 192.168.200.150
    !
    !
    ip nat inside source list LOCAL interface FastEthernet0/1 overload
    !
    ip access-list extended LOCAL
     deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
     permit ip 192.168.7.0 0.0.0.255 any
    !
    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    !

    How has the D-Link been configured for traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the D-Link? If you can, then you must add the VPN client pool subnet.

    Alternatively, if you cannot add multiple subnets on the D-Link router, you can change the VPN client pool to 192.168.6.0/24, and on the crypto ACL for the site-to-site VPN you must edit the existing ACL 180

    FROM:

    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the split-tunnel ACL 190:

    FROM:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, on the D-Link replace the remote subnet 192.168.7.0/255.255.255.0 with 192.168.6.0/255.255.254.0.

    Hope that helps.

  • IPsec site-to-site VPN on Wi-Fi router

    Hello!

    Can someone tell me if there is a Netgear Wi-Fi router that can form an IPsec site-to-site VPN connection between 2 Wi-Fi routers via the WAN connection?

    I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi-Fi router?

    See you soon!

    Michael

    I suspect that.

    Thank you very much for the reply.

    See you soon!

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels and all of them use the SA520W (firmware 2.1.18). I currently have 3 routers in place; router A has tunnels created to router B and router C. I need assistance with the configuration to allow hosts at router site B to get to router site C. I have attempted to add a static route, but get destination host unreachable when trying to ping. Also, if I connect to router site A via the Cisco VPN client, I'm not able to get to resources on any site, A, B, or C.

    Site A - 10.10.0.0/24
    Site B - 10.0.0.0/24
    Site C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, is this what you have configured?

                 RTR_A
                   ||
    _______________||_______________
    ||                            ||
    RTR_B                      RTR_C

    Since there is no tunnel between B and C there is no way to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPsec tunnel (it is IPsec, right?) from rtr_a ==> rtr_b. You can't just add a route statement because your addresses are not routable, which is why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but it should get you what you need.

    I hope this helps.

  • Client VPN router IOS, and site to site vpn

    Hello

    I'm trying to configure VPN client access to an IOS router that already has a site-to-site VPN running. I can't see how the two can run on the same router.

    So I guess my question is: is it possible? And if so, has anyone got a config they can share or a useful link?

    I'm using an 800 series router with 12.4 IOS.

    Thank you very much

    Colin

    ReadersUK wrote:

    Hi

    I'm trying to configure access for a VPN client to an IOS router that already has a site-to-site VPN running. I can't see how both can be running on the same router.

    So I guess my question is: can this be done? And if so, has anyone got a config they can share or a useful link?

    I'm using an 800 series router with 12.4 IOS.

    Many thanks

    Colin

    Colin

    It can be done. Look at this config example that shows a router configured with a site-to-site VPN and a VPN client connection:

    https://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094685.shtml

    Jon

  • Site to site VPN with router IOS

    I want to create a site-to-site VPN over the Internet. At the remote site, apart from the VPN to the head office, there should be no traffic allowed in from the Internet to the internal network, and no traffic from the internal network to the Internet. The internal network will run a private 192.168.x.x address range.

    I'm going to use a Cisco 2811 Integrated Services Router at the remote site and this will terminate an IPsec VPN that ends on a concentrator at Headquarters. I understand that this router has an IOS firewall and IPS built in.

    Would I be right in thinking that because I don't want Internet access (except the VPN), I don't need to configure the IOS firewall features on the router? And that there is no point in configuring the IPS features either?

    My thought is that a single access list entry of deny ip any any applied inbound on the interface that connects to the Internet would be the best strategy. I think the command "sysopt connection permit-ipsec" should allow the VPN to form even with the deny ip any any ACL (or is that just a PIX command? If so, then I would have to allow ESP and UDP 500 (ISAKMP) from the public address of the concentrator at Headquarters to allow the VPN to form, wouldn't I?).

    I think I'll probably expand the access list slightly to allow ICMP, SSH and HTTPS traffic from the outside IP address of the headquarters firewall so that I can monitor the remote site and access it safely if the VPN fails.

    And I wouldn't need an access list on the interface connected to the internal network, I think, because the address range would not be routable, so the hosts would not be able to initiate connections to the Internet (all traffic to the remote site is specified as interesting traffic to bring up the VPN).

    Using any of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case, wouldn't it?

    I really just need to know if the deny ip any any ACL on the external interface at the remote site is the best solution (and the simplest), and whether it will be safe.

    We used to use PIX firewalls for remote site-to-site VPN, which refuse incoming connections on the external interface by default, but now I have been informed that these 2800 series routers will be used instead, so I would like to get my thoughts straight and be able to build them safely to do the same job all the existing PIXes are doing (they are all installed just for the VPN to Headquarters, as in the first paragraph).

    I would welcome any advice or thoughts on the subject. I'm sure there must be a ton of people who have put in routers for the same purpose.

    Thank you in advance.

    Pete.

    Pete

    I have done a lot of site-to-site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and I hope they will help you:

    - You want an inbound access list on the external interface, but you want more in it than simply deny ip any any. There is no sysopt connection permit-ipsec in IOS, so you certainly want to permit ISAKMP and IPsec/ESP. I suggest that you also want to permit SSH. I would permit ICMP, but only from the head-end network address space. I do not permit HTTPS since I generally do not enable the HTTP server on the router. If you want HTTPS then certainly permit it. To facilitate ping and traceroute from the remote site I frequently permit icmp echo-reply, time-exceeded and port-unreachable from any source.

    - I do want an access list on the inside interface. There are certain types of traffic that I don't want sent from the remote LAN. I usually deny any SNMP or SNMP traps from LAN devices and deny ICMP redirects out of the local network. I also often configure RPF checks on the inside interface to catch any device which is misconfigured.

    - If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) user ID and password on the router. And you want to configure authentication on the vty to use local authentication if the head-end authentication server is not available.

    - I'm not clear from your description whether you plan to run a dynamic routing protocol over the VPN. I like to have a dynamic routing protocol because I want to advertise a default route to the remote over the VPN. I do not locally configure a default route on the remote router. This way, if the VPN tunnel is up there is a default route pointing through the tunnel, and if the VPN tunnel is not up then there is no local default route and users at the remote site cannot access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

    - Regarding the routes defined on the remote router, my approach is that I define a static route for the tunnel endpoint to allow the tunnel to come up, and I set up static routes for the head-end subnet from which I SSH. And I do not configure any other static routes on the remote router.

    - You probably want to disable CDP on the external interface and also disable proxy-arp (and I don't send any ip unreachables).

    - There is frequently a problem with fragmentation when using site-to-site VPN. If a device on the local network sends a maximum-size frame, and the router then needs to add additional headers for IPsec, the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control the segment size for TCP traffic and avoid any problems with fragmentation.

    - I don't think you want to set up the firewall or IPS features of IOS on the 2811.

    I hope that your implementation goes fine and that my suggestions may be useful.

    [edit] After posting my response, I read through your post again and realize that you are connecting to a VPN concentrator. The approach I proposed about running a routing protocol works for me because I usually have an IOS router at the head end. It would not work when connecting to a concentrator.

    HTH

    Rick

  • Site-to-Site VPN breaks after reset of the router

    Hi all

    I have a very difficult problem. I have a CallManager server at one site (Site A) and IP phones at Site B which connect via an IPsec site-to-site VPN tunnel. The WAN link at Site B (cable ISP with static IP) can be a tad unreliable at times. Everything worked perfectly, except when the router at Site B resets or loses connection, which breaks everything. I have option 150 tftp defined on the CUCM server at Site A (192.168.10.250). The tunnel does NOT come back up automatically after a router loses connection, and once this happens, it seems I can't do anything to restore full connectivity. I know I must be missing something, but have no idea what. NBAR protocol-discovery on the external interface of the router at Site B shows TFTP and Skinny packets going out, but nothing coming back in. I can't ping any internal resources at Site A from Site B. I'm doing a "show crypto isakmp sa" on each router and it shows the tunnel as being up. In order to bring the tunnel back up, I need to access the router at Site A with the SDM tool and do a 'test' of the VPN tunnel. It shows it as inactive, and when I have SDM generate traffic, using the source IP address 192.168.10.1 (inside interface of the router at Site A) and destination IP 192.168.11.1 (inside interface of the router at Site B), the tunnel comes back up. Yet, even once the tunnel is restored, nothing works as far as being able to ping or TFTP from Site A to Site B and from Site B to Site A. Any help on this is GREATLY appreciated. Any suggestions on how to configure a reliable site-to-site VPN so that if the connection is lost on one end, the tunnel comes back up and devices at Site B can access resources such as the CallManager server at Site A? Thanks in advance!

    Hello

    One way you can have the tunnel come back up automatically even if it goes down is to configure IP SLA monitoring on one of the site routers so that it sends periodic pings to the inside IP address of the router at the other site. For example, on Site A, configure IP SLA monitoring sourced from its inside address 192.168.10.1 and regularly pinging the inside interface of Site B, 192.168.11.1. For the configuration guide, please see the page below:

    http://www.Cisco.com/en/us/docs/iOS/12_4/ip_sla/configuration/guide/hsicmp.html#wp1027188

    About the traffic not getting through, could you please paste the output of 'show crypto isakmp sa', 'show crypto ipsec sa' and the configuration of the two routers if possible?

    Kind regards

    Assia

  • Site to Site VPN router

    I have been working on establishing a site-to-site VPN; I can get the tunnel configured and I am able to ping across the tunnel. I'm unable to use the DNS server on the remote side of the tunnel. I can ping the server and otherwise access it via TCP/IP, but if I try to use nslookup or ping by name it will not resolve over the IPsec configuration. I tried to add the domain information to the DNS configuration of the PC and then I can ping the server by name, but nslookup is still unusable. I also tried to use the Easy VPN server/client method on the routers. I am able to use the VPN client on a PC and initiate a connection (Internet) and I get the DNS information from the main site and all is fine. But using the client on the router on the other side, I can't resolve DNS via the connection. Here's a brief example of the config.

    Router A - Main Site

    Internal network - 172.16.1.x

    Router B - Site B

    Internal network - 172.16.3.x

    I was able to ping the subnets, but internal DNS resolution does not work for me. I can post if necessary more detailed configs.

    Thank you

    Dwane

    I did not address the question of having both GRE tunnels and Easy VPN server at first because I have not done it myself and cannot say with authority whether the combination works or not. My opinion is that it should work. I don't know of anything which would prevent the combination from working. Perhaps someone with experience with this or someone from Cisco can comment on it.

    HTH

    Rick

  • Site-to-site VPN between a PIX501 and a Cisco router

    Hello Experts,

    I have a test lab at home. I set up a site-to-site VPN using a Cisco PIX501 and a CISCO2691. For the configurations I just followed a few links on the internet, because my background in VPN configuration is not too good. For the router configuration I followed this link:

    www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...

    and for configuring the PIX I just used the PIX VPN Wizard. All configurations are done but ping fails. Hope you can help me with this; I don't know what to do here (troubleshooting).

    Attached here is the configuration of my router, the topology, as well as the PIX configuration. Hope you can help me with this. Thanks in advance.

    Hi Mark,

    I went through the config of the ASA.

    I see that the NAT exemption is still missing there.

    Please add the following:

    access-list sheep permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    nat (inside) 0 access-list sheep

    Then try it; it should work.

    Thank you

    REDA

  • Is a site-to-site VPN with a router sufficiently secure?

    Hello

    I have a question about the site to site VPN with router.

    Internet <> router <> LAN

    If I have a site-to-site VPN configured on the router above with another site, and I configure an access list to block incoming Internet connections with the exception of the VPN, what are the risks of the LAN being exposed to threats from the Internet? Would you recommend putting a firewall between the router and the LAN, or replacing the router with a firewall?

    Thank you

    Hi Amanda,

    Assuming your L2L looks like this:

    LAN - router - INTERNET - Router_Remote - LAN
          |---------------------------------|
                          L2L

    Traffic between the two LANs is protected by the VPN tunnel. It is recommended to use the recommended security settings (strong encryption) to ensure that the encrypted traffic cannot be compromised across the Internet.

    On the other hand, if you are talking about outbound plaintext to the Internet, as when a user accesses google.com, then you just allow traffic out, but never allow any incoming connections.

    If you want to protect your network with advanced security such as firewall features, you can consider ZBF, which is available in the IOS Firewall feature set:

    Zone-Based Policy Firewall Design and Application Guide

    If you consider that this is not enough, check the ASA5500 series.

    HTH.

    Portu.

    Please rate all useful posts

  • Multiple site to site VPN connections

    Hello.

    I've finally set up a site-to-site VPN connection and now wonder how I can configure multiple connections that are accessible from different VLANs.

    So that VLAN1 uses one tunnel and VLAN2 another.

    Best regards Tommy Svensson

    Configuration up to now:

    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 5
     lifetime 3600
    crypto isakmp key vpnkey address ?.206
    !
    !
    crypto ipsec transform-set VPN esp-aes esp-sha-hmac
    !
    crypto map VPNMAP 10 ipsec-isakmp
     description site-2-site
     set peer ?.206
     set security-association lifetime kilobytes 4000
     set transform-set VPN
     set pfs group5
     match address 100

    access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    Hi Tommy

    To complete Marcin's comments, something like this should help (obviously you need to change the IP addresses accordingly).

    crypto map VPNMAP 10 ipsec-isakmp
     description site-2-site
     set peer ?.206
     set security-association lifetime kilobytes 4000
     set transform-set VPN
     set pfs group5
     match address 100
    !
    crypto map VPNMAP 20 ipsec-isakmp
     description site-2-site no. 2
     set peer ?
     set security-association lifetime kilobytes 4000
     set transform-set VPN
     set pfs group5
     match address 101

    access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255

    Barry

  • Site-to-site VPN - ASA 5510 / 851 router - no SAs?

    We have installed an ASA 5510, running software version 1.0000. At a remote site we have a Cisco 851 router with an IPsec VPN tunnel to a PIX 515e. I am trying to open a new backup connection between the 851 and the ASA, and I have a problem. I used ASDM on the ASA side and CCP on the 851 side and created a new site-to-site VPN on both, with PSK, encryption algorithms, etc. I checked the connectivity between the external interfaces of the two devices, and the associated ACLs are simple, because they allow all IP traffic on the internal side of the two devices to talk to each other.

    When I do a "show crypto isakmp sa" on the ASA, I get "There are no isakmp sas". When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the new tunnel does not come up. I turned on various crypto debugs and sent a series of pings, and I don't see any tunnel initiation even being attempted.

    CCP has a VPN test tool built in for the router. Does ASDM have a similar feature? Here are the relevant configs (at least I think so... the ASA is pretty much Greek to me):

    ASA 5510 (inside network 10.20.0.0/16. The perfectly functional PIX is also on this network, with a different public IP address)

    access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0
    !
    nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
    !
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap
    crypto map ATTOutside_map 2 set peer 24.140.152.144
    crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5
    crypto map ATTOutside_map interface ATTOutside
    !
    crypto isakmp enable ATTOutside
    crypto isakmp enable Inside
    crypto isakmp policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 170
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    !
    tunnel-group 24.140.152.144 type ipsec-l2l
    tunnel-group 24.140.152.144 ipsec-attributes
    !
    !
    851 router (inside network 10.192.4.0/24)

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key si9bw1u8woaz address 65.42.15.142
    crypto isakmp key 123 address 12.49.251.3
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to65.42.15.142
     set peer 65.42.15.142
     set transform-set ESP-3DES-SHA1
     match address 102
    crypto map SDM_CMAP_1 2 ipsec-isakmp
     description Tunnel to12.49.251.3
     set peer 12.49.251.3
     set transform-set ESP_3DES_MD5
     match address 102
    !
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255
    access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255

    Michael,

    Since you are using the same ACL and the same subnets on your router for both your VPN tunnel 1 and tunnel 2 configs, your second VPN tunnel will not succeed, because the router already has a tunnel with the PIX for the same traffic.

    If you want to configure the ASA as a backup peer, remove the second crypto map entry and instead add the ASA public IP as a second peer under the original crypto map entry.

    Like this:

    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to65.42.15.142
     set peer 65.42.15.142
     set peer 12.49.251.3
     set transform-set ESP-3DES-SHA1
     match address 102

    The router will attempt to connect to the PIX and if this fails (meaning the PIX never responded) then it will try to connect to the ASA.

    To test it, you could do either of two things: 1. Take the PIX's internet connection down, which will make the router try to connect to the secondary peer. 2. Temporarily change the PIX peer address on the router to a bogus IP that won't respond; when that one fails, the router should try to negotiate with the ASA.

    I hope this helps.

    Raga
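Two of the pitfalls on this page lend themselves to an automated check over a pasted config: the two crypto map entries both matching ACL 102 that Raga points out above (the same rule is why Barry's per-VLAN entries earlier use separate ACLs 100 and 101), and the weak IKE settings Portu warns against in the earlier thread. The following is an added example (not code from any of the posts); SAMPLE_CONFIG is constructed from the 851 and ASA configs above plus one constructed clean policy, and the defaults it assumes for omitted policy lines are IOS defaults, as noted in the code.

```python
"""Lint for two pitfalls on this page: several crypto map entries matching the
same crypto ACL (Raga's point above: only the first entry ever negotiates) and
ISAKMP policies built on weak algorithms (Portu's 'strong settings' advice).
Added example, not code from any post. SAMPLE_CONFIG is constructed from the
851 and ASA configs posted above; policy 5 is a constructed clean policy."""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 3
 encr 3des
 hash md5
 group 2
crypto isakmp policy 5
 encr aes 256
 hash sha256
 group 14
crypto isakmp policy 130
 encryption des
 hash sha
 group 2
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 65.42.15.142
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 12.49.251.3
 match address 102
!
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
"""

# IOS defaults used when a policy omits a line (assumption: IOS, not ASA defaults).
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14  # 2048-bit MODP; smaller groups are flagged


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group each top-level command with the indented sub-commands under it."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def duplicate_crypto_acls(config: str) -> Dict[str, List[str]]:
    """Crypto ACLs referenced by more than one crypto map entry; the router only
    ever negotiates the lowest sequence for that traffic, so the rest are dead.
    Accepts IOS sub-command style and the ASA one-line 'crypto map N S match address'."""
    users: Dict[str, List[str]] = defaultdict(list)
    for header, body in parse_sections(config):
        parts = header.split()
        if parts[:2] != ["crypto", "map"] or len(parts) < 4 or not parts[3].isdigit():
            continue
        for tokens in [parts[4:]] + [sub.split() for sub in body]:
            if tokens[:2] == ["match", "address"] and len(tokens) >= 3:
                users[tokens[2]].append(f"{parts[2]} seq {parts[3]}")
    return {acl: refs for acl, refs in users.items() if len(refs) > 1}


def weak_isakmp_policies(config: str) -> Dict[str, List[str]]:
    """Policy number -> reasons it should not be offered to a peer."""
    findings: Dict[str, List[str]] = {}
    for header, body in parse_sections(config):
        parts = header.split()
        if parts[:3] != ["crypto", "isakmp", "policy"] or len(parts) < 4:
            continue
        settings = dict(DEFAULTS)
        for sub in body:
            tokens = sub.split()
            key = {"encr": "encryption"}.get(tokens[0], tokens[0])  # IOS abbreviation
            if key in settings and len(tokens) > 1:
                settings[key] = tokens[1]
        reasons = []
        if settings["encryption"] in WEAK_ENCRYPTION:
            reasons.append(f"encryption {settings['encryption']}")
        if settings["hash"] in WEAK_HASH:
            reasons.append(f"hash {settings['hash']}")
        if int(settings["group"]) < MIN_DH_GROUP:
            reasons.append(f"DH group {settings['group']} (below 2048-bit)")
        if reasons:
            findings[parts[3]] = reasons
    return findings


if __name__ == "__main__":
    print("duplicate crypto ACLs:", duplicate_crypto_acls(SAMPLE_CONFIG))
    for policy, reasons in weak_isakmp_policies(SAMPLE_CONFIG).items():
        print(f"isakmp policy {policy}: {', '.join(reasons)}")
```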
