Routing of traffic between two VPN Site-to-Site Tunnels

Hi people,

I am trying to establish routing between two VPN site-to-site tunnels that terminate on the same outside interface of my Cisco ASA.

Please find attached a flowchart of the setup. All firewalls used are Cisco ASA 5520.

Two VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have also enabled the same-security-traffic permit intra-interface command.

How can I allow the LAN subnets behind Point A to reach the LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?

Thank you very much.

Hello

Basically, you will need NAT0 and VPN rules on each site to allow this traffic.

I think the configurations should look something like the below. Naturally you will probably already have a NAT0 configuration, and certainly the L2L VPN configuration.

Site A

access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic
access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • NAT0 = the ACL used in the NAT0 rule that exempts SiteA to SiteC traffic from NAT
  • nat (inside) 0 = the NAT0 configuration line itself
  • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteA LAN to SiteC LAN traffic must use the existing L2L VPN to SiteB

Site B

access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic
access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
access-list L2L-VPN-CRYPTO-SITEA remark SiteA to SiteC traffic through the A - B tunnel
access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L-VPN-CRYPTO-SITEC remark SiteA to SiteC traffic through the B - C tunnel
access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where

  • OUTSIDE-NAT0 = the ACL used in the NAT0 rule that exempts SiteA to SiteC traffic from NAT. This time it is tied to the 'outside' interface, as the traffic enters and leaves SiteB through that interface
  • nat (outside) 0 = the NAT0 configuration line itself
  • L2L-VPN-CRYPTO-SITEA (and SITEC) = the ACLs in the L2L VPN configurations that define that SiteA LAN to SiteC LAN traffic should use the existing L2L VPN connections

Site C

access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic
access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Where

  • NAT0 = the ACL used in the NAT0 rule that exempts SiteC to SiteA traffic from NAT
  • nat (inside) 0 = the NAT0 configuration line itself
  • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteC LAN to SiteA LAN traffic must use the existing L2L VPN to SiteB

To my knowledge, the above should handle the NAT0 and the traffic selection for the L2L VPN connections. Naturally, the interface/ACL names may be different depending on your current configuration.

Hope this helps

-Jouni
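A way to check the three configurations above for the hairpin A to B to C, as an added example (Python, not code from the original thread or from Cisco): it parses ASA 8.2-style access-list lines, walks the flow in both directions and reports any site whose NAT exemption ACL, crypto ACL for the relevant tunnel, or same-security-traffic intra-interface setting would leave the flow uncovered. The site names, ACL names and subnets are those from the answer; the Site structure and the treatment of the NAT0 ACL as bidirectional are assumptions of the example.

```python
"""Added example (not from the original thread): check that a SiteA -> SiteB -> SiteC
hairpin has the crypto ACL, NAT0 (NAT exemption) and intra-interface settings it needs."""
import ipaddress
import re
from dataclasses import dataclass

# ASA 8.2-style "access-list NAME [extended] permit ip SRC MASK DST MASK".
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
INTRA = "same-security-traffic permit intra-interface"


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]}; remarks and other lines are skipped."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{src_mask}"),
                 ipaddress.ip_network(f"{dst}/{dst_mask}")))
    return acls


def matches(entries, src, dst):
    """True if some ACE covers the whole src -> dst pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


@dataclass
class Site:
    name: str
    config: str
    nat0_acl: str      # ACL bound with "nat (<iface>) 0 access-list <name>"
    crypto_acl: dict   # peer site -> crypto ACL name of the tunnel to that peer


def check_path(sites, path, src, dst):
    """Walk a src -> dst flow along path (site names) and collect policy gaps."""
    problems = []
    for i, name in enumerate(path):
        site = sites[name]
        acls = parse_acls(site.config)
        prev_hop = path[i - 1] if i > 0 else None
        next_hop = path[i + 1] if i + 1 < len(path) else None
        # Assumption: the NAT exemption ACL is evaluated for both directions of a flow,
        # so a single ACE per site is enough.
        nat0 = acls.get(site.nat0_acl, [])
        if not (matches(nat0, src, dst) or matches(nat0, dst, src)):
            problems.append(f"{name}: NAT0 ACL {site.nat0_acl} does not exempt {src} <-> {dst}")
        if prev_hop:
            # Traffic arriving from a tunnel must match the mirror image of the peer's ACE.
            acl = site.crypto_acl[prev_hop]
            if not matches(acls.get(acl, []), dst, src):
                problems.append(f"{name}: crypto ACL {acl} (tunnel to {prev_hop}) lacks {dst} -> {src}")
        if next_hop:
            acl = site.crypto_acl[next_hop]
            if not matches(acls.get(acl, []), src, dst):
                problems.append(f"{name}: crypto ACL {acl} (tunnel to {next_hop}) lacks {src} -> {dst}")
        if prev_hop and next_hop and INTRA not in site.config:
            # Hub: the packet enters and leaves through the same (outside) interface.
            problems.append(f"{name}: hairpin on one interface needs '{INTRA}'")
    return problems


def check_both_ways(sites, path, net_a, net_c):
    """Check the flow in both directions; an empty list means the hairpin is fully covered."""
    a, c = ipaddress.ip_network(net_a), ipaddress.ip_network(net_c)
    return check_path(sites, path, a, c) + check_path(sites, list(reversed(path)), c, a)


# Constructed site configurations, taken from the answer above (hub adds intra-interface).
SITE_A = """
access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
SITE_B = """
same-security-traffic permit intra-interface
access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
SITE_C = """
access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


def build_sites(site_b_config=SITE_B):
    """Assemble the three sites; the hub config can be swapped to test a broken setup."""
    return {
        "A": Site("A", SITE_A, "NAT0", {"B": "L2L-VPN-CRYPTO-SITEB"}),
        "B": Site("B", site_b_config, "OUTSIDE-NAT0",
                  {"A": "L2L-VPN-CRYPTO-SITEA", "C": "L2L-VPN-CRYPTO-SITEC"}),
        "C": Site("C", SITE_C, "NAT0", {"B": "L2L-VPN-CRYPTO-SITEB"}),
    }


if __name__ == "__main__":
    gaps = check_both_ways(build_sites(), ["A", "B", "C"], "192.168.1.0/24", "192.168.3.0/24")
    print("\n".join(gaps) if gaps else "hairpin A -> B -> C fully covered")
```

Removing a single line from the hub config (the intra-interface command or the SITEC crypto entry) makes the checker name the site and the missing piece for each direction of the flow.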

Tags: Cisco Security

Similar Questions

  • Routing between two remote sites connected over the VPN site to site

    I have a problem pinging between remote sites. Right now the crypto and no-NAT ACLs for the different sites only cover traffic between each remote site and the main site. I tried adding routes and adding the other subnets to the crypto and no-NAT ACLs at the remote sites... nothing worked. Any ideas?

    Main site:

    192.168.100.0 - call manager / phone VLAN

    192.168.1.0/24 - data VLAN

    Site 1:

    192.168.70.0/24 - phone VLAN

    192.168.4.0/24 - data VLAN

    Site 2:

    192.168.80.0/24 - phone VLAN

    192.168.3.0/24 - data VLAN

    Main router

    Extended IP access list ACL5
    10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
    40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
    50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
    Extended IP access list ACL6
    10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    30 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    40 permit ip 192.168.100.0 0.0.0.255 192.168.80.0 0.0.0.255

    Extended IP access list NO-NAT
    10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
    30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
    40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
    320 permit ip 192.168.1.0 0.0.0.255 any
    330 permit ip 192.168.100.0 0.0.0.255 any

    Site 1:

    Extended IP access list ACL5
    permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255

    Extended IP access list NO-NAT
    deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
    permit ip 192.168.70.0 0.0.0.255 any
    permit ip 192.168.4.0 0.0.0.255 any

    Site 2:

    Extended IP access list ACL6
    permit ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255

    Extended IP access list NO-NAT
    deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 any
    permit ip 192.168.3.0 0.0.0.255 any

    What should I do so that these two sites can ping each other? I looked through the forums but can't seem to find someone with a similar problem who has received a definitive answer.

    Thanks in advance!

    Hi, I assume that you need site 1 and site 2 to communicate with each other via the main site, right? If so, then you need to add the following lines to your crypto ACLs:

    Main router

    Extended IP access list ACL5
    permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    Extended IP access list ACL6
    permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

    Make sure you add these lines before the last permit:

    Extended IP access list NO-NAT
    deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Site 1:

    Extended IP access list ACL5
    permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Make sure that these lines are added before the last permit:

    Extended IP access list NO-NAT
    deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Site 2:

    Extended IP access list ACL6
    permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    Again, make sure that these lines are added before the last permit:

    Extended IP access list NO-NAT
    deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    With these definitions you're telling your routers that the remote sites (sites 1 and 2) are reached via the main one.

    Let me know if this is what you need.

  • Hub-and-spoke VPN network traffic between two spokes

    Hi, I have a hub-and-spoke VPN network topology, and all traffic is from the remote offices to the data center.

    I have a request to build a tunnel between two remote sites so they can access some servers at each other's site.

    Can I just change the interesting-traffic ACL to include, say, Office A to Office B in the Office A to Datacenter tunnel rule and in the Office B to Datacenter tunnel rule?

    In doing so, I can avoid the tunnel between the two offices (A and B).

    See you soon

    Hello

    You can make the traffic between the two spokes go through the hub, or build a new tunnel between the spokes.

    If the hub is an ASA you must enable same-security-traffic permit intra-interface.

    If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

    Federico.

  • Cannot ping between remote VPN sites?

    Site A is an L2L VPN and site B is a network-extension VPN; both connect to the same VPN device (an ASA 5510) at the central office and work well. I can ping from the central office to both remote sites, but I cannot ping between the two VPN sites. I tried debug icmp and can see the ICMP from one side reach the central office, but then it disappears and is never sent on to B. Help, please...

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    !
    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    !
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    !
    access-list OUTSIDE extended permit icmp any any
    access-list HOLT-VPN-ACL extended permit ip object CBO-NET object-group SITE-A
    !
    nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
    !
    crypto map VPN-MAP 50 match address HOLT-VPN-ACL
    crypto map VPN-MAP 50 set peer *.*.56.250
    crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
    crypto map VPN-MAP interface outside
    !
    group-policy REMOTE-NETEXTENSION internal
    group-policy REMOTE-NETEXTENSION attributes
     dns-server value *.*.*.*
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value REMOTE-NET2
     default-domain value *.org
     nem enable
    !
    tunnel-group REMOTE-NETEXTENSION type remote-access
    tunnel-group REMOTE-NETEXTENSION general-attributes
     authentication-server-group (inside) LOCAL
     default-group-policy REMOTE-NETEXTENSION
    tunnel-group REMOTE-NETEXTENSION ipsec-attributes
     ikev1 pre-shared-key *.
    tunnel-group *.*.56.250 type ipsec-l2l
    tunnel-group *.*.56.250 ipsec-attributes
     ikev1 pre-shared-key *.
    !

    ASA-5510# show route | include 192.168.42
    S    192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510# show route | include 192.168.46
    S    192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside

    !
    Username     : Laporte-don't          Index        : 10
    Assigned IP  : 192.168.46.0           Public IP    : *.*.65.201
    Protocol     : IKEv1 IPsecOverNatT
    License      : Other VPN
    Encryption   : 3DES                   Hashing      : SHA1
    Bytes Tx     : 11667685               Bytes Rx     : 1604235
    Group Policy : REMOTE-NETEXTENSION    Tunnel Group : REMOTE-NETEXTENSION
    Login Time   : 08:19:12 IS Thursday, February 12, 2015
    Duration     : 6h:53m:29s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    !
    ASA-5510# show vpn-sessiondb l2l

    Session Type: LAN-to-LAN

    Connection   : *.*.56.250
    Index        : 6                      IP Addr      : *.*.56.250
    Protocol     : IKEv1 IPsec
    Encryption   : AES256 3DES            Hashing      : SHA1
    Bytes Tx     : 2931026707             Bytes Rx     : 256715895
    Login Time   : 02:00:41 GMT Thursday, February 12, 2015
    Duration     : 13:00:10:00

    Hi Rico,

    You need a dynamic NAT (using an available IP address) on both sides, one for each remote-access subnet toward the other remote subnet, so that they can access each other's subnet as if the traffic came from your central location.

    Example:

    Say this IP (10.10.10.254) is an unused IP at the central office that is allowed to reach both remote site tunnels, 'A' and 'B'.

    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    !
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    !
    ! HAIRPIN-PAT is a name chosen here for the 10.10.10.254 address; the mapped source of a
    ! "nat ... source dynamic" line has to be a network object rather than a bare IP
    object network HAIRPIN-PAT
     host 10.10.10.254

    nat (outside,outside) source dynamic SITE-A HAIRPIN-PAT destination static SITE-B SITE-B
    nat (outside,outside) source dynamic SITE-B HAIRPIN-PAT destination static SITE-A SITE-A

    Hope this helps

    Thank you

    Rizwan James

  • Allowing traffic between two Ethernet interfaces on a PIX

    I have a PIX with an inside interface, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I'm having difficulty allowing traffic from the 10.198.16.0 network to cross the PIX into 10.12.60.0. Specifically, I'm trying to allow access to a server with the IP address 10.12.60.2.

    I enclose my config. Any help would be greatly appreciated!

    OK, so the inside interface has a security level of 100 and WTS has a security level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a nat/global pair (or a static) between the two interfaces so that the PIX knows how to NAT traffic between them (remember, the PIX must do NAT).

    You have this in your config file:

    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    which says that all traffic on the inside interface with a 10.x.x.x IP address will be NATed, but you must then define a global for the WTS interface so it knows what those IPs will be NATed to.

    Adding:

    global (WTS) 1 interface

    will PAT all inside addresses to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you prefer the inside hosts to appear with their own IP addresses on the WTS network, then you can use a static command that NATs the addresses to themselves, so the PIX is technically doing NAT without actually changing addresses:

    static (inside,WTS) 10.198.16.0 10.198.16.0 netmask 255.255.240.0

    Hope that helps.

  • routing of traffic between vpn tunnels

    Hello

    I have a scenario like this.

    There are two branch office VPN tunnels to the headquarters. I want to load balance the traffic on these two links using EIGRP.

    In the same way, another branch office is also connected to the head office. Now I want to enable communication between the two branch offices through the head office over these VPN tunnels.

    Regards

    skrao

    Hello

    Here is a great link that describes a similar setup to yours:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    Good reading, and come back afterwards if there is anything that is not clear.

    Pls don't forget to rate posts.

    Paresh

  • RV042 V3 tunnel that routes all traffic to the VPN

    Hi all

    I use a Cisco Linksys RV042 with V2 hardware to set up a VPN tunnel that routes all traffic to the remote gateway (a Cisco ASA 5510). This configuration works very well, and I can access the local router and other resources at the central site.

    I'm doing the same thing with a Cisco RV042 with V3 hardware, but I can't access the local router until the VPN goes down. I can't ping, SNMP or otherwise access the local router, but I can access the central site. Very strange.

    Do you know what I can do to access the local router (as with the V2 hardware) with the VPN connected?

    Thank you

    Rafael

    Just a hunch, but what network and subnet do you have configured for the remote network?

    I've seen this symptom before.

    LAN on the RV series:

    10.10.2.0 255.255.255.0

    Trusted remote network:

    10.10.1.0 255.255.248.0

    Here traffic destined to the router's 10.10.2.1 IP address is forwarded through the tunnel. So for that reason you can only access the router's LAN interface when the tunnel is down. I'm not sure why ping works, but it does. I'm looking into this symptom on a different device, but that device has a similar GUI.

    Let me know if you have a similar setup.

    Cisco Small Business Support Center

    Randy Manthey

    CCNA, CCNA - security

  • Traffic restrictions in a site-to-site VPN tunnel

    Hello

    I have installed a site-to-site VPN between an ASA 5550 running 7.2(3) and a contractor's external network. I set up the VPN using the wizard and it worked fine. The wizard created the crypto map ACL below:

    access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0

    where LOCAL_IPS is an object group containing our local subnets to be tunnelled and 10.0.0.0/24 is the network at the remote end.

    I'm trying to restrict the tunnel traffic to about 6 TCP ports, so I changed the ACL (using the GUI as well as the CLI) to the following:

    access-list outside_2_cryptomap extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC

    where PERMITTED_TRAFFIC is a TCP service group containing the ports we'd like to tunnel.

    As soon as I apply this ACL (applied at the other end also) the tunnel goes down and neither end can re-open it.

    My question is: how do you restrict which traffic (TCP ports) is sent into the tunnel on the ASA?

    Thank you

    Andy

    You have 2 options.

    vpn-filter:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

    Or something like this...

    no sysopt connection permit-vpn

    access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
    access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
    access-list vpn extended permit ip any any

    access-group vpn in interface inside

  • Route between two VPNs

    Hi all

    I have searched endlessly online and tried things on the firewall, and can't seem to find an answer to this problem. It's probably something really simple under my nose!

    I use an ASA 5510, which currently has several distinct site-to-site VPN connections configured, linking to other Cisco devices on customer networks.

    I work from home, so I also connect to our network using remote access VPN (AnyConnect) to reach the network in the data center.

    Just to be clear, here's my amazingly stretched network diagram:

    [diagram not preserved]

    The problem I have is that I can't connect directly from my house to the customer networks; I need to RDP to a server in the data center, and from there I can see the customer networks.

    Do routes need to be installed somewhere between the VPNs? I've looked in the routing options on the firewall and can't seem to find anything that works.

    I have searched for this and cannot find answers, with some sources even saying it's impossible. Surely not?

    Put all your remote LAN segments in an object group.

    object-group network REMOTE-LANS
     network-object 10.151.30.0 255.255.255.248
     network-object 212.9.3.72 255.255.255.248
     network-object 10.0.21.0 255.255.255.0
     network-object 212.9.20.240 255.255.255.248

    access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS
    access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0

    same-security-traffic permit intra-interface

    nat (outside) 0 access-list outside_nat0

    Let me know the result.

    Thank you

  • Splitting static traffic between the VPN and NAT

    Hi all

    We have a site-to-site VPN that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything, including Internet traffic. However, there is one exception (of course)...

    The part I can't make work is this: if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic on 80 or 443 comes from anywhere else (the Internet via X.X.X.X, which translates to 10.160.8.5), then it needs to be translated and routed back out to the Internet via Gig2.

    I have the following setup (tried to include just the necessary lines)...

    interface GigabitEthernet2
     ip address Y.Y.Y.Y 255.255.255.0
     ! X.X.X.X and Y.Y.Y.Y are in the same subnet
     ip address X.X.X.X 255.255.255.0 secondary
     ip nat outside
     crypto map ipsec-map-S2S
    !
    interface GigabitEthernet4.2020
     description 2020
     encapsulation dot1Q 2020
     ip address 10.160.8.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload
    ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map NO-NAT extendable
    ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map NO-NAT extendable
    !
    ip access-list extended NAT-outgoing
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit tcp host 10.160.8.5 any eq www
     permit tcp host 10.160.8.5 any eq 443
    !
    ip access-list extended NO-NAT
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit ip any any
    !
    route-map NO-NAT permit 10
     match ip address NO-NAT

    With the above configuration, we can get to 10.160.8.5 from the Internet but cannot reach it over the VPN tunnel (from 10.200.0.0/16). If I remove the two "ip nat inside source static..." commands, then the opposite happens: I can then reach 10.160.8.5 over the VPN tunnel, but I can't get to it from the Internet.

    How can I get both? It seems that when I hit the first NAT statement (overload on Gig2), the "deny" in the NAT-outgoing ACL punts me out of that NAT statement. It then processes the following NAT statement (one of the "ip nat inside source static..." lines), but the "deny" in the NO-NAT ACL does not seem to punt me out of that NAT statement. That's my theory anyway (maybe something else is happening?).

    Does it work like that, or am I misunderstanding something? It's on a Cisco Cloud Services Router (CSR 1000v).

    Thank you!

    Your netmask is wrong for your 10.0.0.0/8. I wouldn't worry about the port/protocol either, since that can trip you up. A better way to do it would be to deny all VPN IP traffic.

    ip access-list extended NAT-outgoing
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     ...

    ip access-list extended NO-NAT
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     permit ip any any

    Doc:

    Router-to-Router IPSec with NAT Overload and Cisco Secure VPN Client

    Thank you

    Brendan

  • Easy VPN between two ASA 9.5 - split tunnel does not work

    Hi guys,

    We have set up a site-to-site VPN using the Easy VPN configuration between two ASAs running version 9.5(1). The tunnels are up and pings succeed between the sites. I also configured split tunneling for Internet traffic under the group policy on the ASA Easy VPN server. But for some unknown reason all of the client's Internet traffic is still sent to the primary site. I have configured NAT exemption on the server side and the client side. Please advise if there is any limitation with this setup.

    Thank you and best regards,

    Arjun T P

    I have the same issue and opened a support case.

    It's a bug in software 9.5.1. See bug CSCuw22886.

  • Command to check the capacity or bandwidth of a site-to-site VPN tunnel

    Hello

    How can we verify the capacity/bandwidth between the two ends of a site-to-site VPN tunnel?

    You can't, very easily. The capacity and bandwidth depend not only on your devices but on a lot of devices and paths between them over which you have no control or visibility.

    You can use "show traffic" or the usual interface-utilisation reports from any performance management tool (Cacti, WhatsUp Gold, SolarWinds NPM, Cisco Prime LMS, etc.). Those usually do not distinguish between overall interface traffic and the part due to VPNs. If you export NetFlow data from the ASA, you can break it down by remote IP address and derive the VPN usage from that. NetFlow records must be exported to a tool like ntop, SolarWinds NTA, or Prime LMS or Prime Infrastructure to be useful.

    Cisco Security Manager will also poll the VPN statistics periodically and let you look at individual VPNs or users, as it gathers this data on an ongoing basis.

  • Why does the Apple Maps app not show routes and directions between two places in India on an iPhone 6s Plus?

    Maps does not show the routes and directions.

    This feature is not yet supported in India.

    http://www.Apple.com/in/iOS/feature-availability/#maps-directions

    In addition, your phone may be overheating for a number of reasons, the most common of which is a low-service area.

    Your battery accounts for the majority of the heat production, so adjusting settings to put less load on it in general will help some.

    http://www.Apple.com/batteries/maximizing-performance/#iOS

  • Traffic between remote sites via Cisco Easy VPN

    We have a Cisco 2921 router at headquarters (Easy VPN server) and deployed Cisco 887VA routers (Easy VPN remote, network extension mode) for the remote offices using Easy VPN. We allow voice and data traffic via the VPN. Everything worked great until this problem was discovered today:

    When a remote user behind a Cisco 887VA calls another remote user also behind a Cisco 887VA, the call connects and the Avaya IP phone rings, but there is no voice in either direction.

    Calls from headquarters and from external mobile/fixed lines are fine. Only calls between two remote sites are affected.

    There is no need for a data connection between the remote offices; our only concern is voice.

    By the looks of it, I think "hairpinning" traffic on the VPN interface is necessary. But I need some advice on the configuration (example configs etc.).

    Thanks in advance.

    Thanks for your quick response.

    I am sorry, I assumed that the clients had been configured in client mode.

    No need to remove SDM_POOL_1, given that the clients already have NEM configured.

    But add:

    crypto isakmp client configuration group CliniEasyVPN
     network extension mode

    Are you able to ping from one spoke to the other?

    Please make this change:

    ip access-list extended 105
     permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

    * Of course, feel free to do the same for the translated traffic on the spokes.

    Let me know if you have any questions.

    Thank you.

    Portu.

  • Unable to pass traffic between ASA site-to-site VPN tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up between a dynamic IP and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies or what to check next. I think I have all the routes and access-list entries that are needed.

    I've also attached the ASA5505 and ASA5510 configs.

    This is the first time I've set up a VPN connection, so any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Looking at the configuration of your Remote Site ASA, you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so that traffic does not pass through the VPN.

    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA which traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these two ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will of course have its internal subnets as the source and the Remote Site LAN as the destination.

    The output of "show crypto ipsec sa" shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It could also be the Central Site.

    -Jouni
