Site to Site & Dialer Dual Wan VPN

Hello!

I have some problems with a Cisco 1941 running 15.2...

I have two ADSL WAN interfaces (PPPoE dialers). I want normal Internet traffic to go through DSL-1 and the VPN through DSL-2, so I put the default route through Dialer1 and the route to the IP of the branch site (R.R.R.R) through Dialer2.

On R1: ping R.R.R.R -> works fine
A2: ping Y.Y.Y.Y -> works fine
R2: ssh Y.Y.Y.Y -> works fine

So I guess that routing should work?

But the VPN cannot be established:

router-wi#show cry sess
Crypto session current status

Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: B.B.B.B port 500
  IKEv1 SA: local X.X.X.X/500 remote B.B.B.B/500 Idle
  IPSEC FLOW: permit ip 172.20.100.0/255.255.255.0 172.20.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.40.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Dialer2
Session status: DOWN
Peer: B.B.B.B port 500
  IPSEC FLOW: permit ip 172.20.100.0/255.255.255.0 172.20.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.40.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Even when I remove crypto map VPN-D1, no VPN can be established. Only when I shut down the Dialer1 interface, so that the default route also goes through Dialer2, is the VPN set up properly.

R1 config:

.....

track 1 ip sla 1
 delay down 5 up 2
!
track 2 ip sla 2
 delay down 5 up 2
!
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
!
crypto isakmp key xxxxx address R.R.R.R
crypto isakmp xauth timeout 10
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha512-hmac
!
crypto map VPN-D1 10 ipsec-isakmp
 set peer R.R.R.R
 set transform-set VPN_TS
 match address VPN_1
crypto map VPN-D1 20 ipsec-isakmp
 set peer R.R.R.R
 set transform-set VPN_TS
 match address VPN_2
!
crypto map VPN-D2 10 ipsec-isakmp
 set peer R.R.R.R
 set transform-set VPN_TS
 match address VPN_1
crypto map VPN-D2 20 ipsec-isakmp
 set peer R.R.R.R
 set transform-set VPN_TS
 match address VPN_2
!
interface GigabitEthernet0/0
 description Green
 no ip address
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description Wlan (VPN_1 network)
 encapsulation dot1Q 2 native
 ip address 192.168.100.2 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description Orange
 no ip address
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description VPN_2 network
 encapsulation dot1Q 1 native
 ip address 172.20.100.2 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
!
interface FastEthernet0/0/0
 description -= DSL-1 =-
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/1
 description -= DSL-2 =-
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer1
 description -= DSL-1 (Vdsl) =-
 ip address negotiated
 ip mtu 1452
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [email protected] / * /
 ppp chap password 0 xxx
 ppp pap sent-username [email protected] / * / password 0 xxx
 crypto map VPN-D1
!
interface Dialer2
 description -= DSL-2 (T-DSL) =-
 ip address negotiated
 ip mtu 1452
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname [email protected] / * /
 ppp chap password 0 xxx
 ppp pap sent-username [email protected] / * / password 0 xxx
 crypto map VPN-D2
!
.......
!
ip dns server
ip nat inside source route-map DSL-1 interface Dialer1 overload
ip nat inside source route-map DSL-2 interface Dialer2 overload
ip route B.B.B.B 255.255.255.255 Dialer2 10 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 30 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 50 track 2
!
ip access-list extended VPN_2
 permit ip 172.20.100.0 0.0.0.255 172.20.110.0 0.0.0.255
ip access-list extended VPN_1
 permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
!
ip radius source-interface GigabitEthernet0/0.1
ip sla 1
 icmp-echo X.X.X.X
 tag Check DSL-1
 threshold 300
 timeout 500
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo Y.Y.Y.Y
 tag Check DSL-2
 threshold 300
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
access-list 100 remark -= NAT Route-Map DSL-1 ACL =-
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark -= NAT Route-Map DSL-2 ABI =-
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map DSL-2 permit 10
 match ip address 101
 match interface Dialer2
route-map DSL-1 permit 10
 match ip address 100
 match interface Dialer1

R2 config:

....

crypto map VPN 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set peer X.X.X.X
 set transform-set VPN_TS
 match address VPN_1
crypto map VPN 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 set peer X.X.X.X
 set transform-set VPN_TS
 match address VPN_2

...

Yes, you can also add the routes below on track 2; however, if track 2 fails you must have a failover route to DSL1, which should have the higher cost of 100.

ip route 192.168.40.0 255.255.255.0 Dialer2 track 2 name VPN-1_to_R2_via_DSL-2
ip route 172.20.110.0 255.255.255.0 Dialer2 track 2 name VPN-2_to_R2_via_DSL-2

Hope that helps.

Thank you

Rizwan James

Post edited by: Mohamed Rizwan
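An added example (not code from the thread or from Cisco) that models the routing decision behind the symptom above: which interface a LAN-to-LAN packet leaves, which crypto map therefore sees it, and whether the peer is reached through that same interface. It assumes the prefixes, administrative distances, track numbers and ACL names of the R1 config; the peer address 203.0.113.1 and the host addresses are constructed stand-ins for the post's placeholders.

```python
"""Added example (not from the thread): a model of how IOS picks the egress
interface, and therefore the crypto map, for a LAN-to-LAN packet.

Static routes with administrative distance and track objects are resolved by
longest-prefix match; a crypto map acts only on traffic leaving the interface
it is bound to, and IKE to the peer must leave that same interface. Prefixes,
distances, track numbers and ACL names are taken from the R1 config in the
post; the peer address 203.0.113.1 and the host addresses are constructed
stand-ins (the post writes R.R.R.R / B.B.B.B)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination network
    interface: str               # egress interface
    distance: int = 1            # administrative distance (IOS static default is 1)
    track: Optional[int] = None  # track object the route depends on


def lookup(routes: List[Route], dst: str, tracks: Dict[int, bool]) -> Optional[str]:
    """Longest prefix wins; among equal prefixes the lowest distance wins.
    A route whose track object is down is withdrawn from the table."""
    usable = [r for r in routes
              if (r.track is None or tracks.get(r.track, False))
              and ip_address(dst) in ip_network(r.prefix)]
    if not usable:
        return None
    best = max(usable, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))
    return best.interface


# crypto ACLs (match address) and which map / interface carries them, as on R1
CRYPTO_ACLS = {
    "VPN_1": ("192.168.100.0/24", "192.168.40.0/24"),
    "VPN_2": ("172.20.100.0/24", "172.20.110.0/24"),
}
CRYPTO_MAP_ON = {"Dialer1": "VPN-D1", "Dialer2": "VPN-D2"}
CRYPTO_MAP_ACLS = {"VPN-D1": ["VPN_1", "VPN_2"], "VPN-D2": ["VPN_1", "VPN_2"]}

PEER = "203.0.113.1"  # constructed stand-in for the branch peer address

# R1 static routes as posted
R1_ROUTES = [
    Route(PEER + "/32", "Dialer2", 10, track=2),
    Route("0.0.0.0/0", "Dialer1", 30, track=1),
    Route("0.0.0.0/0", "Dialer2", 50, track=2),
]
# the two remote-LAN routes proposed in the answer (default distance, tracked on DSL-2)
ANSWER_ROUTES = [
    Route("192.168.40.0/24", "Dialer2", track=2),
    Route("172.20.110.0/24", "Dialer2", track=2),
]


def interesting(acl: str, src: str, dst: str) -> bool:
    """Does the crypto ACL select this src/dst pair for encryption?"""
    s, d = CRYPTO_ACLS[acl]
    return ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)


def evaluate(routes, tracks, src, dst, peer=PEER) -> Tuple[Optional[str], Optional[str]]:
    """Return (data_egress, ike_egress) for one packet.

    data_egress: interface the packet is routed out of (its crypto map applies)
    ike_egress:  interface IKE to the peer is routed out of, or None when the
                 crypto map on data_egress has no ACL matching the packet."""
    data_egress = lookup(routes, dst, tracks)
    cmap = CRYPTO_MAP_ON.get(data_egress)
    if cmap is None or not any(interesting(a, src, dst) for a in CRYPTO_MAP_ACLS[cmap]):
        return data_egress, None
    return data_egress, lookup(routes, peer, tracks)


def tunnel_can_form(routes, tracks, src, dst, peer=PEER) -> bool:
    """The crypto map that catches the packet must sit on the interface the peer
    is reached through; otherwise IKE is sourced from one WAN while the route to
    the peer points out the other, which is the DOWN-NEGOTIATING state in the
    post's show crypto session output."""
    data_egress, ike_egress = evaluate(routes, tracks, src, dst, peer)
    return ike_egress is not None and ike_egress == data_egress


if __name__ == "__main__":
    up = {1: True, 2: True}
    flow = ("192.168.100.10", "192.168.40.10")  # constructed hosts in VPN_1
    print("as posted:           ", evaluate(R1_ROUTES, up, *flow),
          tunnel_can_form(R1_ROUTES, up, *flow))
    print("with answer's routes:", evaluate(R1_ROUTES + ANSWER_ROUTES, up, *flow),
          tunnel_can_form(R1_ROUTES + ANSWER_ROUTES, up, *flow))
    print("Dialer1 shut down:   ", tunnel_can_form(R1_ROUTES, {1: False, 2: True}, *flow))
    print("DSL-2 track down:    ", tunnel_can_form(R1_ROUTES + ANSWER_ROUTES, {1: True, 2: False}, *flow))
```

With the routes as posted the LAN-to-LAN packet follows the default route out Dialer1 while the peer is reached through Dialer2; the answer's two routes move the packet to Dialer2, and when track 2 fails both fall back to Dialer1 together.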

Tags: Cisco Security

Similar Questions

  • RV082, Dual Wan, VPN + protocol bindings

    Hi all

    I have this kind of setup and I can't figure out how to set up this router.

    My installation uses dual WAN load-balancing mode. I only need one VPN tunnel. High availability is my concern.

    Site 1 has fiber and Cable

    Site 2A cable and FTTN

    Each ISP provides a static IP

    VPN failover works very well. I am only disappointed that it works when a single primary WAN fails, but not when the primary WAN at Site 1 goes down at the same time as the secondary WAN at Site 2. It is very rare but can happen.

    In any case, my problem is that I need protocol binding to secure web sessions (HTTPS, banking, provider portal).

    I bind, at the least, port 443 to my primary WAN. This way I can access the websites and stay logged in.

    So, if I browse to an HTTPS server across the VPN, protocol binding always tries to send port 443 over WAN1. It will not even consider the VPN as a valid route first.

    Can I (maybe) solve the problem by reducing the hop count for Site 2 to less than 35? P.S. I replaced the addresses; I don't think they are relevant.

    Destination IP      Subnet mask      Default gateway       Hop count  Interface
    WAN2 network addr   255.255.255.252  *                     0          eth2
    WAN1 network addr   255.255.255.248  *                     0          eth1
    Site 2              255.255.255.0    Site 1 fiber gateway  35         eth1
    Site 1              255.255.255.0    *                     0          eth0
    default             0.0.0.0          Site 1 fiber WAN1     15         eth1
    default             0.0.0.0          Site 1 cable WAN2     40         eth2
    default             0.0.0.0          Site 1 fiber WAN1     40         eth1

    Thank you all,

    Bruno

    I would conclude this is a bug and requires further investigation. I wouldn't call it a limitation if it were my decision (not that I have that much say in this regard).

    -Tom
    Please mark replied messages useful

  • RV042 dual wan vpn

    Hi all

    I have the Cisco RV042 VPN router. I have a 1 Mb leased line in my office and around 15 to 20 users. Can I use this RV042 VPN router to share Internet in my office? I don't need to create a VPN at all; I only want Internet sharing in my office. Will only desktops be supported?

    Hi chandrakant,.

    Thanks for posting your question. You want to share Internet with your employees? If so, yes, it is supported. You can plug the switch into the router and plug your PCs into the switch. All users will have access to the Internet.

  • Tunnel VPN RV-042 for Dual WAN Failover backup function

    We have customers with dual WAN failover scenarios with site-to-site VPN tunnels.

    In the past, the VPN tunnel backup feature has been available in the RV-082.

    Do any of the new RV-042 firmware versions have the VPN tunnel backup function available?

    The feature is supported on the RV042 V3 hardware.

  • IPSEC VPN on the dual WAN links

    Here's my situation. I have two identical sites with an ASA 5505 each; each has a dual WAN/ISP connection and is set up to fail over using SLA monitor tracking. I would like to create a VPN between these two sites that stays active regardless of which ISP link is online. Do I just make two crypto map statements, 10 and 20, inside each ASA, pointing to each of the other ASA's static public IPs? Would it work or cause problems?

    Configuration of SITE B

    crypto map Cox_Primary_map 10 match address Cox_Primary_cryptomap_10
    crypto map Cox_Primary_map 10 set peer 72.X.X.X     <== primary static ISP at site>
    crypto map Cox_Primary_map 10 set transform-set ESP-3DES-SHA
    crypto map Qwest_Backup_map 20 match address Qwest_Backup_cryptomap_20
    crypto map Qwest_Backup_map 20 set peer 98.X.X.X    <== backup static ISP at site>
    crypto map Qwest_Backup_map 20 set transform-set ESP-3DES-SHA

    tunnel-group 72.X.X.X type ipsec-l2l
    tunnel-group 72.X.X.X ipsec-attributes
     pre-shared-key adadsfasdf

    tunnel-group 98.X.X.X type ipsec-l2l
    tunnel-group 98.X.X.X ipsec-attributes
     pre-shared-key adadsfasdf

    Thank you

    Jesse,

    One solution to your problem is to apply the same crypto map to both interfaces and have both peers listed under one crypto map entry.

    Since you're using track/IP SLA to activate a single link, only one IP address at a time will be answering.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2278871

    Having several crypto map entries with the same match statement will cause problems.

    Hope that makes sense.

    Marcin

  • 2 VPN SITE to SITE with ACCESS REMOTE VPN

    Hello

    I have an 870 series router and I would like to set up 2 different site-to-site VPNs and a remote access VPN (VPN clients). Is it possible to put 3 VPNs on the router? If yes, can you give me the steps or a sample configuration?

    Concerning

    So, on the routers it will be:

    Cisco 2611:

    LAN: 10.10.10.0/24

    access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
    access-list 100 permit ip 14.1.1.0 0.0.0.255 10.10.20.0 0.0.0.255   --> VPNPOOL
    !
    crypto map clientmap 10 ipsec-isakmp
     set peer 172.18.124.199
     match address 100
    !
    ip local pool ippool 14.1.1.1 14.1.1.254
    !
    access-list 120 permit ip 10.10.10.0 0.0.0.255 14.1.1.0 0.0.0.255
    access-list 120 permit ip 10.10.20.0 0.0.0.255 14.1.1.0 0.0.0.255   --> REMOTE NETWORK
    !
    crypto isakmp client configuration group ra-customer
     pool ippool
     acl 120

    !

    Please note that the configuration is incomplete; I only added the relevant changes you should make to allow the RA clients through the LAN-to-LAN tunnel. Of course, the LAN-to-LAN settings should match on the other side of the tunnel, that is, mirrored ACL, NAT and so on.

    HTH,

    Portu.

  • Dual WAN router and protocol binding

    Hello! I'm trying to find a dual WAN router with VPN support that allows me to redirect part of the traffic to a specific WAN port and to load-balance this specific traffic in case that WAN fails (the latter is preferred but not strictly necessary).

    Could the RV042/G help me with this? In that case, does it allow protocol-based redirection only? What about port/IP forwarding? Or some sort of packet filtering to redirect to specific WAN ports?

    Maybe I need another router for this line of business?

    Thanks in advance!

    Hi Jose, the RV0XX(G) models support protocol binding from a LAN source to a WAN destination. The source can be a range of LAN hosts or a single LAN host, and the service can be a single service or all services. In case of a WAN failure, all protocol bindings are "ignored" and traffic switches to the active WAN until normal operation is restored.

    -Tom
    Please mark replied messages useful

  • INTERNET EXPLORER IS SHOWING MY CONNECTION SUCH AS DIAL-UP OR VPN, I CONNECT DSL


    Hello

    • Are you able to connect to the internet?

    I suggest you follow the steps below to configure a connection.

    a. open Internet Explorer and then click Tools.

    b. click Internet Options, and then click the connection tab.

    c. click on Setup and follow the instructions on the screen.

    Apart from that, I suggest you refer to the article mentioned below.

    How to troubleshoot possible causes of Internet connection problems in Windows XP

    http://support.Microsoft.com/kb/314095

    Thanks and regards.

    Thahaseena M
    Microsoft Answers Support Engineer.
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • lrt224 dual wan router

    Hi, I'm new to dual WAN configuration. Help, please.
    Here is my problem:

    WAN 1: dynamic, Globe Telecom (primary)
    WAN 2: static, PLDT Telecom
    Link failover mode

    1 router is connected to the LRT224 to serve Wi-Fi, and my switch is also plugged in for wireless.
    1 CCTV DVR connected on port 9000, web port 9100, with the LRT224 on auto-detect settings.

    Now:
    Sometimes the CCTV camera is reachable on the public IP address when it switches to WAN2, but sometimes it cannot be shown either.
    Everything works with WAN 1 (dynamic) as primary.

    Hi @engkanto.net,

    I agree with the suggestions. It is best to connect the IP camera to one of the LRT224 router's Ethernet ports. Then you must configure the Port Forwarding or Port Address Translation If you have more than one camera using the same internal port.

    Thank you.

  • Problem on site to site and between router vpn client series 2,800

    Hello

    I need a little help.

    I have 2 offices connected with a site-to-site VPN.

    Each site has an 800 series sec-k9 router.

    Each router currently has the IPsec VPN client configured and active, and all users can connect using the VPN client with no problems.

    I added the lines for the site-to-site VPN, but the tunnel is still down.

    Here are the sh run and sh crypto session of the 2 routers:

    OFFICE A

    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname OFFICE-A-DG
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login xauthlist local
    aaa authorization exec default local
    aaa authorization exec vty group xauthlocal
    aaa authorization exec defaultlocal group bdbusers
    aaa authorization network groupauthor local
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-220561722
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-220561722
     revocation-check none
     rsakeypair TP-self-signed-220561722
    !
    crypto pki certificate chain TP-self-signed-220561722
     certificate self-signed 01
      quit
    !
    ip dhcp pool WIRED
     network 10.0.0.0 255.255.255.0
     default-router 10.0.0.254
     dns-server 10.0.0.100
    !
    ip name-server 8.8.8.8
    no ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    controller VDSL 0
    !
    ip ssh rsa keypair-name ssh
    ip ssh version 2
    ip ssh pubkey-chain
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     hash md5
     authentication pre-share
    crypto isakmp key XXXXX address OFFICE-B-IP
    !
    crypto isakmp client configuration group remoteusers
     key XXXX
     dns 10.0.0.100
     wins 10.0.0.100
     domain domain.ofc
     pool ippool
     acl 101
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
     mode tunnel
    crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
     mode tunnel
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    crypto dynamic-map dynmap 20
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userathen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    crypto map clientmap 20 ipsec-isakmp
     set peer OFFICE-B-IP
     set transform-set RIGHT
     match address 115
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface FastEthernet0
     description INTERNAL
     switchport access vlan 10
     no ip address
    !
    interface FastEthernet1
     no ip address
     shutdown
    !
    interface FastEthernet2
     switchport access vlan 10
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 10
     no ip address
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     ip address 10.0.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp pap sent-username xxx password 0 xxx
     crypto map clientmap
    !
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
    !
    ip local pool ippool 10.16.20.1 10.16.20.200
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source list 101 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    access-list 22 permit 10.16.20.0
    access-list 22 permit 10.16.20.0 0.0.0.255
    access-list 101 remark * ACL SHEEP *
    access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     transport preferred ssh
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    OFFICE B

    hostname OFFICE-B-DG
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login xauthlist local
    aaa authorization exec default local
    aaa authorization exec vty group xauthlocal
    aaa authorization exec defaultlocal group bdbusers
    aaa authorization network groupauthor local
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-1514396900
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1514396900
     revocation-check none
     rsakeypair TP-self-signed-1514396900
    !
    crypto pki certificate chain TP-self-signed-1514396900
     certificate self-signed 01
      quit
    !
    ip name-server 8.8.8.8
    no ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    license udi pid C887VAM-K9 sn FCZ191362Q7
    !
    controller VDSL 0
    !
    ip ssh rsa keypair-name SSH
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     hash md5
     authentication pre-share
    crypto isakmp key XXXX address IP-OFFICE-A
    !
    crypto isakmp client configuration group remoteusers
     key xxxx
     dns 192.168.1.10
     wins 192.168.1.10
     domain rete.loc
     pool ippool
     acl 101
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
     mode tunnel
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    crypto dynamic-map dynmap 20
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userathen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    crypto map clientmap 20 ipsec-isakmp
     set peer IP-OFFICE-A
     set transform-set RIGHT
     match address 115
    !
    interface Loopback1
     no ip address
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface FastEthernet0
     switchport access vlan 30
     no ip address
    !
    interface FastEthernet1
     switchport access vlan 30
     no ip address
    !
    interface FastEthernet2
     switchport access vlan 20
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 10
     no ip address
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan30
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp pap sent-username
     crypto map clientmap
    !
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
    !
    ip local pool ippool 10.16.20.201 10.16.20.250
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
    ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
    ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
    ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
    ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
    ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
    ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
    ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
    ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
    ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
    ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
    ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    route-map sheep permit 10
     match ip address 150 101
    !
    access-list 22 permit 10.16.20.0
    access-list 22 permit 10.16.20.0 0.0.0.255
    access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    !
    control-plane
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password Password02
     transport preferred ssh
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    Thanks in advance for any help :)

    The site-to-site tunnel is up, but it does not pass traffic. What are the source and destination IP addresses on the router that you are trying to ping from?

    Whenever you try to send traffic from router A to router B, you must source the traffic.

    For example:

    Router A --> 10.1.1.1 -- fa0/0

    Router B -- 172.168.1.100

    router# ping 172.168.1.100 source 10.1.1.1

    After doing the pings, send the output of show crypto ipsec sa from both ends.

  • A Site to remote access VPN behind the same public IP address

    Got a rather stupid problem. We have a site-to-site VPN configured to a new data center, which will handle general traffic. In addition, some users need to use a VPN client to access certain areas. The firewall at the office has only one public IP address, so both the site-to-site VPN and the remote access VPN will come from the same source.

    This seems to be a problem with legacy Cisco VPN clients, because the crypto map matches the site-to-site VPN entry even when they use the VPN client. Is there a good/simple solution to this problem?

    Some logs (198.18.85.23 is the public IP address of the office and tom.jones is the user; 192.168.1.0/24 is the VPN client pool):

    Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713130: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Received unsupported transaction mode attribute: 5
    Jan 07 2014 19:12:52 ASA5515 : %ASA-5-737003: IPAA: DHCP not configured, no viable servers found for tunnel-group 'Corp-VPN'
    Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713119: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED
    Jan 07 2014 19:12:52 ASA5515 : %ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.4/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    Jan 07 2014 19:12:52 ASA5515 : %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, QM FSM error (P2 struct &0x00007fff28dab560, mess id 0x37575f3c)!
    Jan 07 2014 19:12:52 ASA5515 : %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Removing peer from correlator table failed, no match!
    Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713259: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is being torn down. Reason: crypto map policy not found
    Jan 07 2014 19:12:52 ASA5515 : %ASA-4-113019: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
    Jan 07 2014 19:12:53 ASA5515 : %ASA-5-713904: IP = 198.18.85.23, Received encrypted packet with no matching SA, dropping

    Hello

    Don't know if this will work, but you can try the following configuration (in addition to the rest of the VPN configuration):

    access-list VPN-CLIENT permit ip any 192.168.1.0 255.255.255.0

    crypto map OUTSIDE_map 4 match address VPN-CLIENT
    crypto map OUTSIDE_map 4 set peer 198.18.85.23
    crypto map OUTSIDE_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA

    The idea would be to have the ACL match the full-tunnel VPN that the client attempts to establish (destination "any" from the client's point of view, source from the ASA's view).

    I tested this briefly on my own ASA by connecting from an IP address to which the ASA also offers an L2L VPN. But as I don't have that L2L VPN operational, I can't really verify the L2L VPN side at the moment. So some risk may be involved, if you can afford it.

    -Jouni
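An added example (not code from the thread or from Cisco) that parses ASA IKEv1 syslog lines of the kind quoted in this question, groups them per peer IP and reports why the session was torn down. The sample lines are constructed to mirror the post (same message IDs, peer 198.18.85.23, tunnel-group Corp-VPN); the field layout assumed is the ASA's "%ASA-severity-id: Group = ..., Username = ..., IP = ..., text" form.

```python
"""Added example (not from the thread): a small parser for ASA IKEv1 syslog
lines, grouping them per peer IP and extracting the crypto-map rejection and
teardown reason. Sample lines are constructed to mirror the post."""
import re
from typing import Dict, Optional

# "<timestamp> <host> : %ASA-<severity>-<id>: <body>"
LINE_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# optional "Group = .., Username = .., IP = .., " prefix used by the VPN subsystem
CTX_RE = re.compile(r"^(?:Group = (?P<group>[^,]+), )?(?:Username = (?P<user>[^,]+), )?"
                    r"(?:IP = (?P<ip>[^,]+), )?(?P<text>.*)$")
PROXY_RE = re.compile(r"remote proxy (?P<remote>\S+) local proxy (?P<local>\S+)")
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)\.?$")

# constructed sample, modelled on the lines quoted in the question above
SAMPLE_LOG = """\
Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713119: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED
Jan 07 2014 19:12:52 ASA5515 : %ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.4/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Jan 07 2014 19:12:52 ASA5515 : %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, QM FSM error (P2 struct &0x00007fff28dab560, mess id 0x37575f3c)!
Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713259: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is being torn down. Reason: crypto map policy not found
Jan 07 2014 19:12:53 ASA5515 : %ASA-5-713904: IP = 198.18.85.23, Received encrypted packet with no matching SA, dropping
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into message id, severity, VPN context and text."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ctx = CTX_RE.match(m.group("body"))
    return {"msgid": m.group("msgid"), "severity": int(m.group("sev")), **ctx.groupdict()}


def summarize(log: str) -> Dict[str, dict]:
    """Per peer IP: tunnel-group, user, whether phase 1 completed, the proxy
    identities the ASA refused, and the teardown reason it logged."""
    peers: Dict[str, dict] = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] is None:
            continue
        p = peers.setdefault(rec["ip"], {"group": None, "user": None, "phase1": False,
                                         "rejections": [], "teardown_reason": None})
        p["group"] = p["group"] or rec["group"]
        p["user"] = p["user"] or rec["user"]
        if rec["msgid"] == "713119":
            p["phase1"] = True
        elif rec["msgid"] == "713061":
            pm = PROXY_RE.search(rec["text"])
            if pm:
                p["rejections"].append((pm.group("remote"), pm.group("local")))
        elif rec["msgid"] == "713259":
            rm = REASON_RE.search(rec["text"])
            if rm:
                p["teardown_reason"] = rm.group("reason")
    return peers


def diagnose(entry: dict) -> str:
    """Turn one peer's summary into the check an operator should make next."""
    if entry["phase1"] and entry["rejections"]:
        remote, local = entry["rejections"][0]
        return (f"IKE phase 1 succeeded but quick mode was refused: no crypto map entry "
                f"covers remote proxy {remote} / local proxy {local}; compare these proxy "
                f"identities with the crypto ACLs (static and dynamic) on that interface")
    if not entry["phase1"]:
        return "phase 1 never completed: check IKE policy, pre-shared key and peer address"
    return "phase 1 and phase 2 negotiated; look elsewhere (ACLs, NAT exemption, routing)"


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["group"], entry["user"], "->", diagnose(entry))
```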

  • VPN site to Site with client access VPN

    I have a PIX 500 series configured with VPN client access. When I set up a site-to-site VPN to a remote location, client access no longer works. If I remove the site-to-site VPN, the VPN client works again. I tried the MDP and the CLI. Could someone look at my config and let me know what I'm missing? See the two configs attached.

    Thank you

    Lost in VPN

    Ah, I missed that. You can change the crypto map statements for the VPNs so that they are on the same crypto map, like this...

    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address ipsecvpn
    crypto map mymap 20 set peer xxx.xxx.100.180
    crypto map mymap 20 set transform-set sha
    crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap client authentication RADIUS
    crypto map mymap interface outside

    or

    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address ipsecvpn
    crypto map outside_map 20 set peer xxx.xxx.100.180
    crypto map outside_map 20 set transform-set sha
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside

  • VPN site to site ASA and SSL VPN

    Hello

    I have already configured a site-to-site VPN between both sites. Now I am trying to configure remote access VPN on one site.

    But as soon as I start to configure some commands like the ones below for the remote access VPN, the existing site-to-site VPN disconnects automatically.

    no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    Please, help me to check.

    Thank you

    Ko Htwe

    Hello

    You can have only one crypto map per interface, so you must configure both tunnels (site-to-site and remote access) in a single crypto map with different sequence numbers. Please make sure that the sequence number for the remote access entry is higher than the one for the site-to-site.

    You can also put this command back into the config; why did you remove it?

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    If you still have a problem, please let us know the configuration.

    Kind regards

    Mohammad

  • VPN site to site access via a VPN client

    Hi all

    From our headquarters we use a site-to-site VPN to connect to another site, and it works great.

    We have just configured the VPN client on our headquarters; remote VPN users can access the LAN at headquarters.

    We need the remote users to also be able to access the LAN on the other site, but it does not work.

    The site-to-site VPN and the VPN client are configured on the same device, using the same outside interface.

    The VPN client address pool is already included in the addresses that are allowed to go through the site-to-site VPN.

    We would like to know whether it is possible to reach the site-to-site VPN when connecting through the VPN client with the architecture described above.

    If we used different devices and different Internet connections for the client VPN and the site-to-site VPN, could the remote VPN user access the other site's LAN?

    Kind regards

    Since you already have 10.13.0.0/16 in your site-to-site crypto ACL, which already includes the VPN pool, you do not need to configure it specifically.

    You are missing the following command:

    same-security-traffic permit intra-interface

    The split tunnel ACL should be a standard ACL, as follows:

    access-list ACL-CL-VPN standard permit 10.13.0.0 255.255.0.0
    access-list ACL-CL-VPN standard permit 10.14.0.0 255.255.248.0

  • A Site at IOS IPSEC VPN and EIGRP

    Hello

    I have a remote site connected to the core via an IPsec VPN router. I don't want to run EIGRP across the VPN. However, I want to advertise the remote site's subnet to the rest of the network from the core router.

    Is the remote VPN subnet handled as a connected route on the core router?

    Would configuring a network statement for the remote site on the core router cause EIGRP to announce the route?

    You are right.

    RRI (Reverse Route Injection) is the correct way to announce remote routes as static routes on the hub, and all you need to do is redistribute static into EIGRP so that they are redistributed into your EIGRP domain.

    Here is an example configuration:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00809d07de.shtml

    (It's about OSPF and dynamic IPsec VPN; however, the concept is the same for site-to-site IPsec and redistribution into EIGRP.)

    Hope that helps.
