Rv110w IPSec Site-to-Site

Similar Questions

• IPsec site to Site VPN on Wi - Fi router

  Hello!

  Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?

  I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

  See you soon!

  Michael

  I suspect that.

  Thank you very much for the reply.

  See you soon!

• IPSec Site to Site VPN Solution needed?

  Hi all

  I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.

  Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.

  Could you please give me the solution how is that possible?

  Concerning

  Uzair Hussain

  Hi uzair.infotech,

  Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:

  INFO - RITA - NIDA

  You can check this guide that explains step by step how to configure grouping:

  https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

  Hope this info helps!

  Note If you help!

  -JP-

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• IPSec site to site VPN cisco VPN client routing problem and

  Hello

  I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

  The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

  There are on the shelves, there is no material used cisco - routers DLINK.

  Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

  Can someone help me please?

  Thank you

  Peter

  RAYS - not cisco devices / another provider

  Cisco 1841 HSEC HUB:

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key x xx address no.-xauth

  !

  the group x crypto isakmp client configuration

  x key

  pool vpnclientpool

  ACL 190

  include-local-lan

  !

  86400 seconds, duration of life crypto ipsec security association

  Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

  !

  Crypto-map dynamic dynmap 10

  Set transform-set 1cisco

  !

  card crypto ETH0 client authentication list userauthen

  card crypto isakmp authorization list groupauthor ETH0

  client configuration address card crypto ETH0 answer

  ETH0 1 ipsec-isakmp crypto map

  set peer x

  Set transform-set 1cisco

  PFS group2 Set

  match address 180

  card ETH0 10-isakmp ipsec crypto dynamic dynmap

  !

  !

  interface FastEthernet0/1

  Description $ES_WAN$

  card crypto ETH0

  !

  IP local pool vpnclientpool 192.168.200.100 192.168.200.150

  !

  !

  overload of IP nat inside source list LOCAL interface FastEthernet0/1

  !

  IP access-list extended LOCAL

  deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  IP 192.168.7.0 allow 0.0.0.255 any

  !

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  !

  How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

  Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

  DE:

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

  TO:

  access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

  Also change the ACL 190 split tunnel:

  DE:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

  TO:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

  Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

  Hope that helps.

• Failed to configure two AnyConnect & IPSEC site to site VPN

  I have established a VPN IPSEC site-to-site

  When I configure the AnyConnect (make it work) and I lose the tunnel from site to site and vice versa.

  I think that my NAT syatements are incorrect.

  Here is the config NAT when AnyConnect works properly...

  Overall (101 outside interface)
  NAT (inside) 0-list of access sslnonat
  NAT (inside) 101 0.0.0.0 0.0.0.0

  access extensive list ip 192.168.65.0 sslnonat allow 255.255.255.0 192.168.66.0 255.255.255.0

  When the IPSEC tunnel site-to-site work properly, here's the NAT config...

  Overall (101 outside interface)
  NAT (inside) 0-list of access Inside_nat0_outbound
  NAT (inside) 101 0.0.0.0 0.0.0.0

  Access extensive list ip 192.168.65.0 Inside_nat0_outbound allow 255.255.255.0 ServerGroup object-group

  How do I get to the AnyConnect and the IPSEC Site to site both to work properly? I need not reach on the other.

  Network within 192.168.65.0/24

  AnyCOnnect address pool 192.168.66.0/24

  Any help would be appreciated.

  Hello

  Try this:

  Overall (101 outside interface)
  NAT (inside) 0-list of access Inside_nat0_outbound
  NAT (inside) 101 0.0.0.0 0.0.0.0

  Access extensive list ip 192.168.65.0 Inside_nat0_outbound allow 255.255.255.0 ServerGroup object-group
  Access extensive list ip 192.168.65.0 Inside_nat0_outbound allow 255.255.255.0 192.168.66.0 255.255.255.0

  The problem is that when you apply the IPsec NAT configuration, you remove the entry for the AnyConnect pool.
  Try the above and we will see if it works.

  Federico.

• IPsec Site to Site VPN multisession?

  Hi people.

  I recently faced a problem at work. Customers want to dismiss ipsec site to site vpn. I have 2 asa 5520 working in a stack. Is it possible to configure the vpn site to site in a redundant mode, as the first ip address is x.x.x.x and secondary is y.y.y.y (backup)?

  Thank you much in advance.

  Hello

  You can define several counterparts in the card encryption, see:

  http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c5_72.html#wp2066090

  You can define several tunnels and leave the routing protocol to choose the best route.

  Hope this helps,

  Bastien.

• Impossible to get to the beach for additional IP addresses on IPSec Site to Site VPN

  Hello
  I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2 (3)) to the AC and a Cisco 877 (12.4 (24) T3) to a branch.

  At the end of the branch, I have the 192.168.244.0/24 subnet.
  At the end of HQ, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets
  The inside interface of the ASA at Headquarters is 172.16.0.15/22

  When installing VPN Wizard I ticked the box NAT - T, and I included the additional subnet in the list of protected LANs.

  I can sucessfully all the subnets 172.16.0.0/22 but not access anything in the 10.0.0.0/8 subnets.
  The Packet Trace ASA tool shows the traffic inside the interface of 172.16.0.0/22 in the direction of 192.168.244.0/24 through the outside interface properly spend, but the 10.0.0.0/8 does not work. He gives no precise information why the 10.0.0.0/8 traffic is dropped.

  [HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

  I suspect it might have something to do with NAT?

  Help, please.

  Hello

  Peer VPN you do not accept the LAN between these two peers of vpn segment.

  On your ASA

  inside_outbound_nat0_acl list of allowed ip extended access all <> 255.255.255.0

  and

  Router:

  access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

  access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

  Please make the same statement subnet explicitly between two vpn peers and finally please add this route on SAA.

  Same question on this ACL so, statement of not identical subnet between two peers of vpn, please make sure it identical at both ends.

  outside_cryptomap_2 list extended access allowed object-group ip <> <> 255.255.255.0

  Route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

  Let me know the result.

  Thank you

  Rizwan James

• 887VDSL2 IPSec site to site vpn does NOT use the easy vpn

  Much of community support.

  as I'm looking through the config Guide about 870 router series, only to find information about the config with eazy vpn.

  is there a classic way, about 870 Series site 2 site without eazy vpn IPSec configuration?

  Have a classic way if a tunnel? Have the 870 is not as a vpn client?

  Thank you

  Of course, here's example of Site to Site VPN configuration for your reference:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml

  http://www.Cisco.com/en/us/products/HW/routers/ps221/products_configuration_example09186a008073e078.shtml

  Hope that helps.

• ATM E3 modules &amp; IPSEC site-to-site on 2811-sec/k9?

  Hi people,

  I plan for a pair of IOS Firewall of 2811 on data only links 34mbits/s and may also need to protect the IPSec connection.

  Is it achievable using this platform?

  If so, I am concerned about the performance... perhaps ASA5500 would be better?

  Scenario: LAN_a - 2811-a - E3_line - 2811b - LANB.

  As always, any suggestions gratefully received!

  Kind regards

  Andy.

  You can run VPN site to site in two 2811 and ASA 5500 but the Cisco ASA 5500 Series is richer in features of Cisco for SSL and IPsec for remote access, robust site to site connectivity support. The series offers greater scalability and a greater flow capacity than the widely deployed Cisco VPN 3000 series concentrators and can be easily integrated into any cluster load balancing Cisco VPN 3000 Series.

• EIGRP via IPSec site to site VPN

  having trouble getting to work through an IOS EIGRP (2ea. 2811 s) connection of the site to site VPN IPSec peer.  IPSec VPN works with route directions static tunnel.  By using the IPSec policy basis and VTI interface:

  crypto ISAKMP policy 1

  preshared authentication

  Group 2

  ISAKMP crypto key "" address 192.168.x.66

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac vpn

  Crypto ipsec df - game

  !

  static-crypt 6 map ipsec-isakmp crypto

  the value of 192.168.x.66 peer

  Set transform-set vpn

  match address 101

  !

  tunnel1 interface

  IP address 1xx.33.20.226 255.255.255.252

  no ip redirection

  IP 1400 MTU

  IP tcp adjust-mss 1360

  QoS before filing

  source of tunnel FastEthernet 0/0

  destination 192.168.x.66 tunnel

  crypto static crypto map

  !

  interface FastEthernet 0/0

  Add an IP...

  crypto static crypto map

  !

  Router eigrp 10

  passive-interface default

  no passive-interface FastEthernet 0/1

  no passive-interface Tunnel1

  network...

  network...

  No Auto-resume

  !

  IP route 0.0.0.0 0.0.0.0 Tunnel1

  IP route 0.0.0.0 0.0.0.0 146.33.20.225<-- peer's="" default-gateway="" is="" vpn="" peer="" router="" on="" other="" side="" of="" satelite="">

  must be something simple, but I can't.

  Thank you, kevin

  Unfamiliar with the VTI, but I think you are missing:

  ipv4 ipsec tunnel mode

  Profile of tunnel ipsec protection

  Also don't think that you need crypto card in the tunnel because it is already on fa0/0.  What looks like the access-list 101? Take a look at this doc:

  http://www.ciscosystems.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html

• IPsec Site to Site and the question of the IPsec remote access

  Our remote access IPsec 3DES 168 bit encrption has the value

  If we want to allow a remote user to get out of a tunnel to another site must be so 3DES encryption for the Tunnel?

  This tunnel is currently defined by AES.

  If I understand your question the answer is this:

  The VPN client will connect to the ASA with any encryption method, he chose.

  If the VPN client then runs through a tunnel from Site to Site to another location, it uses the encryption method specified in the tunnel from Site to Site.

  This is because as the settings for the client VPN applies only when he puts an end VPN on the ASA.

  When the customer traffic, passes through a different tunnel, the settings for this tunnel applies.

  Hope I answered your question, if not please let me know.

  Federico.

• IPSEC site to site VPN

  Dear all,

  Can I use Cisco router address LAN IP as a website address to site IPSEC tunnel peer? because my ISP cannot route WAN IP address interface between two counterparts, only the LAN interface IP address can communiate between two counterparts. How to configure it and what I need to care?

  Best regards

  Jackson Ku

  You can use the command "crypto card address-local NAME. As long as the tunnel ends on the external interface, you should be OK. I would also look into IPSec over GRE for this configuration. You can configure static routes on each local peer for the remote peer.

  Enter configuration commands, one per line. End with CNTL/Z.

  XXXXX-rtr (config) #crypto map mymap?

  <1-65535>Sequence to be inserted into a crypto map

  Specify customer configuration settings

  ISAKMP specify configuration isakmp settings

  Interface local-address to use for local addresses for this encryption card

  XXXXX-rtr (config) #crypto map mymap local-address?

  Async Async interface

  BVI bridge-group virtual interface

  CTunnel CTunnel interface

  Dialer Dialer interface

  FastEthernet FastEthernet IEEE 802.3

  Interface Lex Lex

  Loopback-Loopback interface

  Multilink-group interface MultiLink Panel

  Null null interface

  Tunnel tunnel interface

  Bright multicast PGM host interface

  Virtual virtual-template interface

  Token Ring virtual Virtual Token-Ring

  XXXXX-rtr (config) #crypto map mymap-address

• Question of phase 2 in IPSEC site-to-site

  Hi all

  I had a problem when creating a VPN site-to site IPSEC between cisco2901 - 15.2 (4) M3---> cisco861 - 12.4

  The phase #1 is correctly updated, but when I am trying to order #show crypto ipsec his I can't see encry & decry packages.

  Here is the race-conifgs and see the output encryption for both sides

  cisco2901: -.

  Current configuration: 5668 bytes

  !

  ! Last configuration change to 17:08:59 PCTime on Monday, February 3, 2014 by ciscodxb

  version 15.2

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  DXB - CIT hostname

  !

  boot-start-marker

  boot-end-marker

  !

  !

  logging buffered 52000

  !

  AAA new-model

  !

  !

  AAA authentication login default local

  AAA authentication login ciscocp_vpn_xauth_ml_1 local

  AAA authorization exec default local

  AAA authorization ciscocp_vpn_group_ml_1 LAN

  !

  !

  !

  !

  !

  AAA - the id of the joint session

  clock timezone PCTime 4 0

  !

  IP cef

  !

  !

  !

  DHCP excluded-address IP 10.10.10.1

  DHCP excluded-address IP 192.168.10.1 192.168.10.9

  DHCP excluded-address IP 192.168.10.101 192.168.10.254

  !

  Dxb-IP dhcp pool pool

  network 192.168.10.0 255.255.255.0

  default router 192.168.10.1

  Server DNS 80.xxx.xx.xx 213.xxx.xxx.xx

  !

  !

  !

  IP domain name channelit

  name of the server IP 80.XX.XX.XX

  name of the server IP 213.XX.XX.XX

  No ipv6 cef

  !

  Authenticated MultiLink bundle-name Panel

  !

  !

  !

  !

  !

  !

  Crypto pki trustpoint TP-self-signed-1231038404

  enrollment selfsigned

  name of the object cn = IOS - Self - signed - certificate - 1231038404

  revocation checking no

  rsakeypair TP-self-signed-1231038404

  !

  !

  TP-self-signed-1231038404 crypto pki certificate chain

  certificate self-signed 01

  3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201

  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

  69666963 31323331 30333834 6174652D 3034301E 170 3134 30313331 31333230

  30375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32333130 65642D

  33383430 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

  8100ECF1 71B270A3 EFBC3609 C136BC9B 7D54A077 33286BF1 45558928 6DF96244

  2DAF0A50 E5DA03C6 E87AD7AE 4544C6B0 2649AE20 83C5F9F1 FA73B5BF 5CC421DE

  1FA66C70 FD39938F 8E46AA22 2996FBF9 6C739C35 13F1A287 651A 1904 57898B3F

  F076A50E F4955677 6D0BD4B3 57FB590D 851500DC D789A175 FA0F18BD 1 HAS 982438

  63730203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355

  551 2304 18301680 14546BDB F740F993 E0A596EF 93D4991E C 751 7F301D06 4240

  03551D0E 04160414 546BDBF7 40F993E0 A596EF93 D4991E75 1C42407F 300 D 0609

  2A 864886 8181000E F70D0101 05050003 1FDDF0E2 8D04EFD3 850F2417 B49E1B6B

  04CFFED3 D89C032E FEB03641 B5BC830B D60E8F8A 8EB28EA4 1242ECB5 01E91511

  08A 59585 27260A9F C8470C48 0E5797F8 3C04DE38 3213CF77 ADCACC53 D6771D55

  6E6C0027 F11BE11E 06F9BC8A 1C7C3874 9C4B937D 35D0DB0F 0328 38 DE9916AC CF

  FE4AD16D 316146 5 A960DB 1EA2CF64

  quit smoking

  voice-card 0

  !

  !

  !

  !

  !

  !

  !

  !

  license udi pid CISCO2901/K9 sn FCZ1716C4QT

  HW-module pvdm 0/0

  !

  !

  !

  username cisco

  0 username ciscodxb privilege 15 password Cisco

  username secret privilege 15 compumate 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2

  !

  redundancy

  !

  !

  !

  !

  !

  !

  Crypto ctcp

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  ISAKMP crypto key address 41.xxx.xx.xx xxxxxxxxx

  !

  Configuration group customer isakmp crypto CITDXB

  key xxxxxx

  pool SDM_POOL_1

  ISAKMP crypto ciscocp-ike-profile-1 profile

  correspond to identity group xxxxx

  client authentication list ciscocp_vpn_xauth_ml_1

  ISAKMP authorization list ciscocp_vpn_group_ml_1

  client configuration address respond

  virtual-model 1

  !

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  tunnel mode

  Crypto ipsec transform-set-Dxb-Nigeria-esp-3des esp-md5-hmac

  tunnel mode

  !

  Profile of crypto ipsec CiscoCP_Profile1

  game of transformation-ESP-3DES-SHA

  set of isakmp - profile ciscocp-ike-profile-1

  !

  !

  !

  dynamic-map crypto hq - vpn 11

  86400 seconds, life of security association set

  game of transformation-CHANNEL-DUBAI

  !

  !

  card crypto ipsec Dxb-to-Nigeria 1 - isakmp

  defined by peer 41.xxx.xxx.xxx

  transformation-Dxb-to-Nigeria game

  match address 110

  !

  !

  !

  crypto map 1 VPN ipsec-isakmp dynamic hq - vpn

  !

  !

  !

  !

  !

  !

  the Embedded-Service-Engine0/0 interface

  no ip address

  Shutdown

  !

  interface GigabitEthernet0/0

  Description $ETH - SW - LAUNCH$ $INTF - INFO - GE $0/0 $ES_LAN$ $$ of ETH - WAN

  IP 192.168.10.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  automatic duplex

  automatic speed

  !

  interface GigabitEthernet0/1

  Description $ES_WAN$

  IP address 80.xxx.xxx.xxx 255.255.255.252

  penetration of the IP stream

  stream IP output

  NAT outside IP

  IP virtual-reassembly in

  automatic duplex

  automatic speed

  card crypto Dxb-to-Nigeria

  !

  type of interface virtual-Template1 tunnel

  IP unnumbered GigabitEthernet0/1

  ipv4 ipsec tunnel mode

  Tunnel CiscoCP_Profile1 ipsec protection profile

  !

  local IP SDM_POOL_1 192.168.20.20 pool 192.168.20.50

  IP forward-Protocol ND

  !

  IP http server

  local IP http authentication

  IP http secure server

  !

  IP nat source list 100 interface GigabitEthernet0/1 overload

  IP nat inside source map route SDM_RMAP_1 interface GigabitEthernet0/1 overload

  IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

  !

  auto discovering IP sla

  Note category of access list 1 = 2 CCP_ACL

  access-list 1 permit 192.168.10.0 0.0.0.255

  access-list 101 deny ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7

  access-list 101 permit ip 192.168.10.0 0.0.0.255 any

  access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7

  !

  allowed SDM_RMAP_1 1 route map

  corresponds to the IP 101

  !

  !

  !

  !

  !

  control plan

  !

  !

  !

  !

  !

  !

  !

  profile MGCP default

  !

  !

  !

  !

  !

  access controller

  Shutdown

  !

  !

  !

  Line con 0

  Synchronous recording

  line to 0

  line 2

  no activation-character

  No exec

  preferred no transport

  transport of entry all

  transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

  StopBits 1

  line vty 0 4

  transport input telnet ssh

  line vty 5 15

  access-class 23 in

  transport input telnet ssh

  !

  Scheduler allocate 20000 1000

  !

  end

  DXB - CIT #show cry

  DXB - CIT #show crypto isa

  DXB - CIT isakmp crypto #show her

  IPv4 Crypto ISAKMP Security Association

  DST CBC conn-State id

  41.xxx.xxx.XX 80.xxx.xx.xx QM_IDLE 1011 ACTIVE

  IPv6 Crypto ISAKMP Security Association

  DXB - CIT #show cry

  DXB - CIT #show crypto ips

  DXB - CIT #show crypto ipsec his

  Interface: GigabitEthernet0/1

  Tag crypto map: addr Dxb to Nigeria, local 80.xxx.xx.xx

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (41.xxx.xx.xx/255.255.255.248/0/0)

  current_peer 41.xxx.xx.xxx port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 1467, #recv errors 0

  local crypto endpt. : 80.xxx.xxx.xx, remote Start crypto. : 41.xxx.xx.xx

  Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/1

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  cisco861: -.

  Crypto pki trustpoint TP-self-signed-2499926077

  enrollment selfsigned

  name of the object cn = IOS - Self - signed - certificate - 2499926077

  revocation checking no

  rsakeypair TP-self-signed-2499926077

  !

  Crypto pki trustpoint test_trustpoint_config_created_for_sdm

  name of the object [email protected] / * /

  crl revocation checking

  !

  !

  TP-self-signed-2499926077 crypto pki certificate chain

  certificate self-signed 01

  308201B 5 A0030201 02020101 3082024C 300 D 0609 2A 864886 F70D0101 04050030

  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

  69666963 32343939 39323630 6174652D 3737301E 170 3032 30333031 30303036

  32315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 34393939 65642D

  32363037 3730819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

  8100C1D0 0C45FD24 19ECECA0 9F7686A4 42B81E39 F6485ED8 66EBFBF3 4F3DCD64

  25D4C2C7 5B56E7EF 7BF1963F F0406CBB 9B782A92 7925BA63 C761D92A 9E97CA4A

  4D83CDD3 4B9811B9 734D84AB EFD85F9D 4C2B580F E3302B67 97F93286 82541A 09

  6D908B49 D936A0D1 78AB3829 9008E8EC 56896990 0333B1F1 8AACD0B2 4BCE81E3

  010001A 3 74307230 1 130101 FF040530 030101FF 301F0603 0F060355 A4A10203

  551 1104 18301682 14434954 5F322E79 6F757264 6F6D6169 6E2E636F 6D301F06

  23 04183016 8014E7CE C4274196 DE068815 09907466 C9987EDF 4712301 D 03551D

  0603551D 0E041604 14E7CEC4 27419609 907466DE 068815C 9 12300 06 987EDF47

  092A 8648 86F70D01 01040500 03818100 B546F76E B5A79129 95 HAS 37822 132F6685

  E5541CD5 0818A4FE 83AD17AC 9C18AAC2 C137AF00 43FB787C 30534B0C 7D494FA8

  ACC28C3E 7CBC3BB5 92FAFD2C 5D1766FF 2C8CACE0 E523C53E 7617A9AF 7AD8FDF3

  35CD 6184 8BB076E4 FBDF86B3 92EA9488 B173ABBD F42B1CA1 ECCB586B 882CC097

  DEE688A7 E04797CB 7ED73ED3 E9FFC8D0

  quit smoking

  for the crypto pki certificate chain test_trustpoint_config_created_for_sdm

  IP source-route

  DHCP excluded-address IP 10.10.10.1

  !

  !

  IP cef

  "yourdomain.com" of the IP domain name

  !

  !

  !

  !

  emma privilege 15 password username 0 PasemmaY

  username admin privilege 15 secret 5 GHAV $1$ $ CuyCKFpaEVCRcTX4jTNzp.

  !

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 3

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 5

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 7

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key & dtej4$ 41.xxx.xx.xxx address

  ISAKMP crypto key [email protected] / * /#l! t address 41.xx.xx.xx

  ISAKMP crypto key [email protected]/ * / & mtn address 196.xx.xx.xx

  ISAKMP crypto key CITDENjan2014 address 80.xxx.xx.xx

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac MTN-TCWA

  Crypto ipsec transform-set esp-3des esp-md5-hmac channelit

  Crypto ipsec transform-set esp-3des esp-md5-hmac MTNG-TCWA

  Crypto ipsec transform-set esp-3des esp-md5-hmac CHANNEL-DUBAI

  !

  map CHANNEL-DUBAI 14 ipsec-isakmp crypto

  the value of 80.xxx.xx.xxx peer

  game of transformation-CHANNEL-DUBAI

  match address 160

  !

  card crypto MTNVPN address FastEthernet4

  MTNVPN 10 ipsec-isakmp crypto map

  the value of 41.xxx.xx.xx peer

  transformation-MTN-TCWA play

  match address 101

  MTNVPN 11 ipsec-isakmp crypto map

  the value of 41.xxx.xx.x peer

  Set transform-set channelit

  match address 150

  MTNVPN 12 ipsec-isakmp crypto map

  the value of 196.xxx.xx.xx peer

  transformation-MTNG-TCWA play

  match address MTNG

  !

  Archives

  The config log

  hidekeys

  !

  !

  synwait-time of tcp IP 5

  !

  !

  !

  interface FastEthernet0

  !

  interface FastEthernet1

  !

  interface FastEthernet2

  !

  interface FastEthernet3

  !

  interface FastEthernet4

  Description this connect MTN fiber interface

  IP address 41.206.xx.xxx 255.255.255.252

  automatic duplex

  automatic speed

  card crypto MTNVPN

  !

  interface Vlan1

  Description this interface connects to the local network of CIT

  IP address 41.xxx.xx.xxx 255.255.255.248

  IP tcp adjust-mss 1452

  !

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0 41.xxx.xx.xx

  IP route 10.93.128.128 255.255.255.224 41.xxx.xx.x

  IP route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx

  IP route 10.135.45.0 255.255.255.224 196.xxx.xx.xx

  IP route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx

  Route IP 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx

  IP http server

  23 class IP http access

  local IP http authentication

  IP http secure server

  IP http timeout policy slowed down 60 life 86400 request 10000

  !

  !

  MTNG extended IP access list

  permit ip 41.xxx.xx.xxx0.0.0.7 10.135.45.0 0.0.0.31

  !

  access-list 23 allow 10.10.10.0 0.0.0.7

  access-list 23 allow one

  access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75

  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15

  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7

  access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225

  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31

  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31

  access list 150 permit ip 41.206.13.193 host 10.197.212.224 0.0.0.31

  access list 150 permit ip 41.206.13.194 host 10.197.212.224 0.0.0.31

  access list 150 permit ip 41.206.13.195 host 10.197.212.224 0.0.0.31

  access list 150 permit ip 41.206.13.196 host 10.197.212.224 0.0.0.31

  access list 150 permit ip 41.206.13.197 host 10.197.212.224 0.0.0.31

  access list 150 permit ip 41.206.13.198 host 10.197.212.224 0.0.0.31

  access-list 160 allow 41.206.xx.xxx 0.0.0.7 ip 192.168.10.0 0.0.0.255

  not run cdp

  !

  control plan

  !

  exec banner ^ C

  % Warning of password expiration.

  -----------------------------------------------------------------------

  Professional configuration Cisco (Cisco CP) is installed on this device

  and it provides the default username "cisco" single use. If you have

  already used the username "cisco" to connect to the router and your IOS image

  supports the option "unique" user, that user name is already expired.

  You will not be able to connect to the router with the username when you leave

  This session.

  It is strongly recommended that you create a new user name with a privilege level

  15 using the following command.

  username secret privilege 15 0

  Replace and with the username and password you

  you want to use.

  -----------------------------------------------------------------------

  ^ C

  connection of the banner ^ C

  -----------------------------------------------------------------------

  Professional configuration Cisco (Cisco CP) is installed on this device.

  This feature requires the unique use of the user name "cisco" with the

  password "cisco". These default credentials have a privilege level of 15.

  YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE

  IDENTIFICATION INFORMATION PUBLICLY KNOWN

  Here are the Cisco IOS commands.

  username secret privilege 15 0

  No username cisco

  Replace and with the username and password

  to use.

  IF YOU DO NOT CHANGE THE IDENTIFICATION INFORMATION PUBLICLY KNOWN, YOU WILL HAVE

  NOT BE ABLE TO CONNECT TO THE DEVICE AGAIN ONCE YOU HAVE DISCONNECTED.

  For more information about Cisco CP, you follow the instructions of the

  Of your router's QUICK START GUIDE or go to http://www.cisco.com/go/ciscocp

  -----------------------------------------------------------------------

  ^ C

  !

  Line con 0

  local connection

  no activation of the modem

  line to 0

  line vty 0 4

  access-class 23 in

  privilege level 15

  local connection

  transport input telnet ssh

  !

  max-task-time 5000 Planner

  end

  CIT_2 cry #show

  CIT_2 #show crypto isa

  CIT_2 #show crypto isakmp his

  IPv4 Crypto ISAKMP Security Association

  status of DST CBC State conn-id slot

  41.xxx.XX.xxx 80.xxx.xx.xxx QM_IDLE 2003 0 ACTIVE

  IPv6 Crypto ISAKMP Security Association

  CIT_2 cry #show

  CIT_2 #show crypto ips

  CIT_2 #show crypto ipsec his

  Interface: FastEthernet4

  Tag crypto map: MTNVPN, local addr 41.xxx.xx.xx

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (41.xxx.xx.xxx/255.255.255.248/0/0)

  Remote ident (addr, mask, prot, port): (41.xxx.x.xx/255.255.255.255/0/0)

  current_peer 41.xxx.xx.xxxport 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  local crypto endpt. : 41.xxx.xx.xx, remote Start crypto. : 41.xxx.xx.xxx

  Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet4

  current outbound SPI: 0x0 (0)

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (41.xxx.xx.xxx/255.255.255.248/0/0)

  Remote ident (addr, mask, prot, port): (10.109.95.120/255.255.255.248/0/0)

  current_peer 41.xxx.xx.xxx port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  local crypto endpt. : 41.xxx.xx.xx, remote Start crypto. : 41.xxx.xx.xx

  Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet4

  current outbound SPI: 0x0 (0)

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  CHANNEL-DUBAI map crypto is not applied to any interface.

  How about you just to add a new entry to MTNVPN that is already applied to the F4.

• Tunnel of IPSec site to Site - port-based ACL

  I saw crypto that ACLs will be created but still allowing all (IP).

  What happens if I want to allow hosts on siteA to only access servers in siteB web. In this scenario, I only want to allow port 80 to reach hosts on the siteA. Is this possible? is based on the port ACL allow site to site tunnels?

  Hello.

  Seems to work for me very well:

  Opened up just port 80 - expecting encapsulation.
  R0#telnet 192.2.0.2 80
  
      Trying 192.2.0.2, 80 ... Open
  
      GET /
  
      HTTP/1.1 400 Bad Request
  
      Date: Fri, 01 Mar 2002 00:05:31 GMT
  
      Server: cisco-IOS
  
      Connection: close
  
      Accept-Ranges: none
  400 Bad Request
  [Connection to 192.2.0.2 closed by foreign host]
  
      R0#sh cry
  
      R0#sh crypto ipsec sa | i caps|ident
  
         local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
  
         remote ident (addr/mask/prot/port): (192.2.0.2/255.255.255.255/6/80)
  
          #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
  
          #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
  
      R0#
  Ping should not go over tunnel.
  R0#ping 192.2.0.2
  Type escape sequence to abort.
  
      Sending 5, 100-byte ICMP Echos to 192.2.0.2, timeout is 2 seconds:
  
      !!!!!
  
      Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
  
      R0#sh crypto ipsec sa | i caps|ident
  
         local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
  
         remote ident (addr/mask/prot/port): (192.2.0.2/255.255.255.255/6/80)
  
          #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
  
          #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
  

  Config:

  R0#sh run | s crypto
  
      crypto isakmp policy 10
  
      authentication pre-share
  
      crypto isakmp key cisco address 0.0.0.0 0.0.0.0
  
      crypto ipsec transform-set TRA esp-aes esp-sha-hmac
  
      crypto map MAP 10 ipsec-isakmp
  
      set peer 1.1.1.3
  
      set transform-set TRA
  
      match address PACL
  
      crypto map MAP
  
      R0#sh ip access-l PACL
  
      Extended IP access list PACL
  
          10 permit tcp any host 192.2.0.2 eq www (19 matches)
  

  Distance:

  R1#sh run | s crypto 
  
      crypto isakmp policy 10
  
      authentication pre-share
  
      crypto isakmp key cisco address 0.0.0.0 0.0.0.0
  
      crypto ipsec transform-set TRA esp-aes esp-sha-hmac
  
      crypto map MAP 10 ipsec-isakmp
  
      set peer 1.1.1.2
  
      set transform-set TRA
  
      match address PACL
  
      crypto map MAP
  
      R1#sh ip access-l PACL
  
      Extended IP access list PACL
  
          10 permit tcp host 192.2.0.2 eq www any (18 matches)
  

  This has been tested on the main road to 12.4.25.

  Note the ID of remote proxy:

     remote ident (addr/mask/prot/port): (192.2.0.2/255.255.255.255/6/80)

  192.2.0.2 is the IP address

  255.255.255.255 is the subnet mask

  6 is the number of IP - TCP protocol (ref: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml )

  80 is the destination port number.

  Marcin