Site to site VPN with router IOS

I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

Thank you in advance.

Pete.

Pete

I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

-you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

-I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

-If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

-I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

-regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

-You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

-There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

-I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

I hope that your application is fine and that my suggestions could be useful.

[edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

HTH

Rick

Tags: Cisco Security

Similar Questions

  • Site to site VPN (ASA-> router IOS, with two interfaces) help

    Dear,

    I need help to configure VPN from Site to Site of cisco ASA to the IOS router, the router has 2 WAN links, a primary and secondary backup.

    There was only a single week of link there is, now we have installed the second link as a backup, we use OSPF as the routing protocol.

    VPN with simple link worked fine, now, when the main link fails the network is down.

    Waiting for response.

    There is an easy solution.  On the router, you must terminate the VPN on the loopback interface.

    something like this:

    interface lo0

    IP x.x.x.x where x.x.x.x

    card crypto-address lo0

    interface wan_1

    vpn crypto card

    interface wan_2

    vpn crypto card

    One condition is that the loopback interface has accessible by the device of the SAA.

  • Is site to site VPN with sufficiently secure router?

    Hello

    I have a question about the site to site VPN with router.

    Internet <> router <> LAN

    If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?

    Thank you

    Hi Amanda,.

    Assuming your L2L looks like this:

    LAN - router - INTERNET - Router_Remote - LAN

    |-------------------------------------------------------------------------------|

    L2L

    Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.

    On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.

    If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:

    Design of the area Guide of Application and firewall policies

    If you consider that this is not enough, check the ASA5500 series.

    HTH.

    Portu.

    Please note all useful posts

  • question links to site 2 site VPN with authentication cert

    Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?

    Thank you very much!

    Hello

    You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

    Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".

    Please pass a note and mark as he corrected the post helpful!

    David Castro,

    Kind regards

  • Problems with site-to-site vpn with of the asa 2

    I tried different ways so that this works, but failed. After 8 hours, I literally have a bad headache and have to step away for a minute.  I realize I need to ping between the tunnels mentioned, but still can not to. can someone take a look and tell me where I have gone wrong?  Im trying to configure a site to site vpn between:

    ASA_A

    external interface 5.179.17.66

    inside the interface 10.1.1.1

    ASA B

    external interface 5.81.57.19

    inside the 10.1.2.1 interface

    Frist why do you have two DGs on box -

    Route outside 0.0.0.0 0.0.0.0 5.179.121.65 1

    Route outside 0.0.0.0 0.0.0.0 5.179.17.65 1

    Attach the two end then it should work.

    Thank you

    Ajay

  • Newbie Help Needed: Cisco 1941 router site to site VPN traffic routing issue

    Hello

    Please I need help with a VPN site-to site, I installed a router Cisco 1941 and a VPN concentrator based on Linux (Sophos UTM).

    The VPN is established between them, but I can't say the cisco router to send and receive traffic through the tunnel.

    Please, what missing am me?

    A few exits:

    ISAKMP crypto to show her:

    isakmp crypto #show her

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    Crypto ipsec to show her:

    Interface: GigabitEthernet0/0

    Tag crypto map: QRIOSMAP, local addr 62.173.32.122

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)

    Remote ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)

    current_peer 62.173.32.50 port 500

    LICENCE, flags is {origin_is_acl},

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

    #pkts decaps: 52, #pkts decrypt: 52, #pkts check: 52

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors #send 0, #recv 0 errors

    local crypto endpt. : 62.173.32.122, remote Start crypto. : 62.173.32.50

    Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0

    current outbound SPI: 0x4D7E4817 (1300121623)

    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:

    SPI: 0xEACF9A (15388570)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 2277, flow_id: VPN:277 on board, sibling_flags 80000046, crypto card: QRIOSMAP

    calendar of his: service life remaining (k/s) key: (4491222/1015)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    Please see my config:

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    encryption... isakmp key address 62.X.X... 50

    ISAKMP crypto keepalive 10 periodicals

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac TS-QRIOS

    !

    QRIOSMAP 10 ipsec-isakmp crypto map

    peer 62.X.X set... 50

    transformation-TS-QRIOS game

    PFS group2 Set

    match address 100

    !

    !

    !

    !

    !

    interface GigabitEthernet0/0

    Description WAN CONNECTION

    62.X.X IP... 124 255.255.255.248 secondary

    62.X.X IP... 123 255.255.255.248 secondary

    62.X.X IP... 122 255.255.255.248

    NAT outside IP

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    card crypto QRIOSMAP

    !

    interface GigabitEthernet0/0.2

    !

    interface GigabitEthernet0/1

    LAN CONNECTION description $ES_LAN$

    address 192.168.20.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    !

    IP nat pool mypool 62.X.X... ... Of 122 62.X.X 122 30 prefix length

    IP nat inside source list 1 pool mypool overload

    overload of IP nat inside source list 100 interface GigabitEthernet0/0

    !

    access-list 1 permit 192.168.20.0 0.0.0.255

    access-list 2 allow 10.2.0.0 0.0.0.255

    Note access-list 100 category QRIOSVPNTRAFFIC = 4

    Note access-list 100 IPSec rule

    access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit esp 62.X.X host... 50 62.X.X host... 122

    access list 101 permit udp host 62.X.X... 50 62.X.X... host isakmp EQ. 122

    access-list 101 permit ahp host 62.X.X... 50 62.X.X host... 122

    access-list 101 deny ip any any newspaper

    access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 110 permit ip 192.168.20.0 0.0.0.255 any

    !

    !

    !

    !

    sheep allowed 10 route map

    corresponds to the IP 110

    The parts of the configuration you posted seem better than earlier versions of the config. The initial problem was that traffic was not in the VPN tunnel. That works now?

    Here are the things I see in your config

    I don't understand the relationship of these 2 static routes by default. It identifies completely the next hop and a mask the bytes of Middleweight of the next hop. Sort of, it seems that they might be the same. But if they were the same, I don't understand why they both make their appearance in the config. Can provide you details?

    IP route 0.0.0.0 0.0.0.0 62.X.X... 121

    IP route 0.0.0.0 0.0.0.0 62.172.32.121

    This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it and especially not for this translation. So I wonder how it works?

    IP route 10.2.0.0 255.255.255.0 192.168.20.2

    In this pair of static routes, the second route is a specific subnet more and would be included in the first and routes for the next of the same break. So I wonder why they are there are. There is not necessarily a problem, but is perhaps something that could be cleaned up.

    IP route 172.17.0.0 255.255.0.0 Tunnel20

    IP route 172.17.2.0 255.255.255.0 Tunnel20

    And these 2 static routes are similar. The second is a more precise indication and would be included in the first. And it is referred to the same next hop. So why have the other?

    IP route 172.18.0.0 255.255.0.0 Tunnel20

    IP route 172.18.0.0 Tunnel20 255.255.255.252

    HTH

    Rick

  • site to site vpn with pix multiple tunnels

    Hello

    I have a vpn site-to-site between two PIX firewall tunnel.

    Is it possible to build on one side, another tunnel vpn site to site with the third PIX?

    Thank you

    Robert

    Robert

    You can use one card encryption on an interface, but you may have within your crypto card so your config sequence numbers

    The existing tunnel

    mykink1 card crypto ipsec isakmp 1

    correspondence address 1 card crypto mykink1 101

    mykink1 card crypto 1jeu peer 21.21.21.21

    mykink1 card crypto 1 set transform-set aesonly

    Your new tunnel

    mykink1 map ipsec-isakmp crypto 2

    card crypto mykink1 game 2 address "LCD number".

    mykink1 crypto map peer set 2 "new peer address.

    card crypto mykink1 2 the value transform-set "new transform set.

    card crypto mykink1 2 security association second life "number of seconds.

    You must complete the good values in the "" marks.

    Note that the sequence number is incremented by 1 in your first entry for 2 in the second entry.

    You can specify the duration of security association in the crypto map config that overrides the global settings.

    Add this config should not affect your existing tunnel.

    HTH

    Jon

  • site to site vpn with ASA 5500 series SSL?

    We have routers DLink DIR - 130 5505 s ASA and PIXen, all work well with our PIX 515E, we need to replace.

    We also have Internet satellite in two places. High latency makes IPsec VPN to DLinks on these very slow sites.

    We were informed by HughesNet that a SSL VPN will mitigate some of the problems of latency.

    However, we cannot use a VPN client for the biometric timeclocks in these places, the clocks need static IP addresses and are more or less "dumb terminals".

    The machine of series 5000 ASA VPN site to site similar to OpenVPN or only the most comment client-server type SSL VPN connections?

    Thank you, Tom

    Hi Thomas,

    The SSL VPN on ASAs feature is a client/server relationship where the remote computer can connect without client (browser) or clientbased (AnyConnect) to the ASA.

    Federico.

  • Site to site VPN with the VPN Client for both sites access?

    Current situation:

    Scenario is remote to the main office. Site IPSEC tunnel site (netscreen) remote in hand (506th pix). Cisco VPN Client of main office of remote access to users.

    It's that everything works perfectly.

    Problem:

    Now we want remote users who connect to the seat to also be able to access resources in the remote offices.

    This seems like it would be easy to implement, but I can't understand it.

    Thanks in advance.

    Rollo

    ----------

    #10.10.10.0 = Network1

    #10.10.11.0 = Network2

    #172.16.1.0 = vpn pool

    6.3 (4) version PIX

    access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

    access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

    splitTunnel 10.10.10.0 ip access list allow 255.255.255.0 any

    splitTunnel ip 10.10.11.0 access list allow 255.255.255.0 any

    access-list 115 permit ip any 172.16.1.0 255.255.255.0

    access-list 116 allow ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

    IP access-list 116 allow all 10.10.11.0 255.255.255.0

    access-list 116 allow ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0

    ICMP allow all outside

    ICMP allow any inside

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside 209.x.x.x 255.255.255.224

    IP address inside 10.10.10.1 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool 172.16.1.0 vpnpool - 172.16.1.50

    Global 1 interface (outside)

    Global (outside) 10 209.x.x.x 255.255.255.224

    (Inside) NAT 0-list of access 101

    NAT (inside) 10 10.10.10.0 255.255.255.0 0 0

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 209.x.x.x 1

    Timeout xlate 01:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    enable floodguard

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

    crypto dynamic-map Clients_VPN-dynmap 10 transform-set RIGHT

    35 Myset1 ipsec-isakmp crypto map

    correspondence address 35 Myset1 map cryptographic 116

    card crypto Myset1 35 counterpart set x.x.x.x

    card crypto Myset1 35 set transform-set Myset1

    Myset1 card crypto ipsec 90-isakmp dynamic dynmap Clients_VPN

    client configuration address card crypto Myset1 launch

    client configuration address card crypto Myset1 answer

    interface Myset1 card crypto outside

    ISAKMP allows outside

    ISAKMP key * address x.x.x.x 255.255.255.255 netmask No.-xauth-no-config-mode

    ISAKMP identity address

    ISAKMP nat-traversal 20

    part of pre authentication ISAKMP policy 15

    ISAKMP policy 15 3des encryption

    ISAKMP policy 15 sha hash

    15 1 ISAKMP policy group

    ISAKMP duration strategy of life 15 28800

    part of pre authentication ISAKMP policy 20

    ISAKMP policy 20 3des encryption

    ISAKMP policy 20 chopping sha

    20 2 ISAKMP policy group

    ISAKMP duration strategy of life 20 3600

    part of pre authentication ISAKMP policy 25

    encryption of ISAKMP policy 25

    ISAKMP policy 25 md5 hash

    25 2 ISAKMP policy group

    ISAKMP living 25 3600 duration strategy

    part of pre authentication ISAKMP policy 30

    ISAKMP policy 30 aes-256 encryption

    ISAKMP policy 30 sha hash

    30 2 ISAKMP policy group

    ISAKMP duration strategy of life 30 86400

    vpngroup address vpnpool pool mygroup

    vpngroup dns-server dns1 dns2 mygroup

    vpngroup mygroup wins1 wins2 wins server

    vpngroup mygroup by default-domain mydomain

    vpngroup split splitTunnel tunnel mygroup

    vpngroup idle time 64000 mygroup

    mygroup vpngroup password *.

    Telnet timeout 5

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd outside auto_config

    Hi Rollo,

    You can not be implemented for a simple reason, it is not supported on the version 6.x PIX. It relies on the PIX 7.x worm but 7.x is not supported on PIX 506. Thus, in a Word, it can be reached on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or a hub as well, it can be reached.

    HTH,

    Please rate if this helps,

    Kind regards

    Kamal

  • multi-site VPN with just the cisco vpn client

    Hello everyone

    Please I need your help.

    We have a headquarters office and up to 60 is BranchOffice, we want to create VPN network between its. so let's deploy 2 router cisco esy vpn server with HA (HSRP) at the Headquarters Office and all branches have Connection ADSL and they will use just the cisco vpn client to connect to the Headquarters Office.

    My question is: is it possible to do it just with the client vpn cisco without purchased for any exercise bracnh a cisco router to create an ipsec tunnel because it is so expensive?

    It depends on if the routers to offices can handle NAT with several internal VPN clients to 1 IP address. Most of the new material should be fine. Keep in mind the maximum limit of the VPN client, with 60 agencies and 5 people each of whom you are above the limit.

    Michael

    Please note all useful posts

  • 2 one-Site VPN Cisco 2801 and with crossing NAT

    Hi guys,.

    I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

    Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

    Here is a model of physics/IP configuration:

    LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

    Thank you

    Gonçalo

    Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

  • Site to Site VPN number

    Hello

    I am facing a problem in my site to site VPN configuration, router management site gets the address public IP of the DHCP server as I have built a dynamic crypto map on the router HQ

    First phase ISAKMP is operational running, I am trying to ping the LAN 192.168.85.0 for the HQ 172.16.12.0 LAN but it won't go through and when I check the ipsec security associations I can see that packets are encrypted on the side of the branch and decrypted on the side of HQ but the HQ router no PING response at all and he saw not encrypted packets

    I have attached my configurations, I had to hide some information just for safety

    Help, please!

    Mostafa

    Hello Mustafa,

    Havinf a glance at your config, it seems you have not correctly configured on your HQ NAT exemption.

     ip access-list extended NAT deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255 permit ip 172.16.12.0 0.0.0.255 any deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255

    In this interesting ACL traffic is refused in the last. So it is not exempted from NAT, as ACL are processed in top-down, your valuable traffic is already matching permit statement in NAT ACL therefore subject to NAT on HQ. Refuse the declaration of exemption, interesting traffic NAT should precede the statement of license.

    HTH

    "Please note useful posts.

  • Site to Site VPN using an interface to Peer and LAN

    Hello

    I have an ASA 5580 to the site to site VPN with our partner. VPN connection is through my external interface and Local for the VPN network comes from the external interface too. Is it possible to do? Thank you.

    The layout you describe is contrary to the concept of basic firewall of the approved facility and no approved interfaces (upper and lower security level).

    If your LAN is on the external interface, which is to stop remote users simply access it directly?

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

    Just an example:

    N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

    The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so went with the old format of NAT configuration

    It seems to me that you could do the following:

    • Configure the ASA1 with static NAT strategy

      • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
    • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
    • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
    • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
      • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
      • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
      • NAT (inside) 0-list of access to the INTERIOR-SHEEP
    • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
      • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration to work tomorrow but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • Client VPN router IOS, and site to site vpn

    Hello

    Im trying to configure a vpn client access to an ios router that already has a vpn site-to site running. I don't see how the two can run on the same router.

    So I guess my question is is it possible? and if anyone has therefore had a config that they can share or a useful link.

    IM using a router 800 series with 12.4 ios

    Thank you very much

    Colin

    ReadersUK wrote:
    

    Hi
    

    Im trying to configure access for a vpn client to a ios router that already has a site to site vpn running. I cant see how both can be running on the same router.
    

    So i guess my question is can this be done? and if so has anyone got a config they can share or a useful link.
    

    im using a 800 series router with 12.4 ios
    

    Many thanks
    

    Colin

    Colin

    It can be done. Look at this config example that shows a router configured with a site to site VPN and client vpn - connection

    https://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094685.shtml

    Jon

Maybe you are looking for

  • Advice needed on scanning and organization of large amounts of family photos

    I have about 4000 photos, I need to digitize and organize, and would appreciate information on the experiences of people with similar projects - specifically what scanners and software editing/organization work well (or not) and why. I am interested

  • Thank you to our volunteer Mozilla

    I asked for help and got it immediately. The answers have been useful and my problem is solved! Thank you!

  • HP5514 said duplexer installed

    Then... a new 5514 works perfectly, but I find under properties/device settings it appears: Duplex unit installed. Now, I know that this doesn't have a duplexer, so I guess it's just a bug.  Thoughts? Windows 7 Pro SP1.

  • Cannot scan HP Photosmart C4780, Mac OSX 10.9.4

    At the same time, I bought my MacBook Pro about 4 years ago and my HP Photosmart C4780. Recently I replaced my hard drive, so I now have the OS of Mac OSX version 10.9.4. I can always print to my RESUME, but I can scan is no longer. If I try to open

  • the external authentication server configuration

    What is the difference with option 'a' (compared to the 'b' option) what configuration of an external authentication server? a. configuration | System | Servers | Authentication b. configuration | User management | Groups | Authentication servers Is