I have a 2901 ISR router at the main site. I want to build a site-to-site VPN to the branch using an SR520W-FE-K9.

I want to know if a 2901 <--VPN--> SR520W site-to-site VPN is possible.

Thank you.

Yes, without a doubt it is possible to establish a site-to-site VPN between 2901 and SR520W routers.

Tags: Cisco Security

Similar Questions

  • 'How to' set up a VPN between a UC540 and a SR520 with remote IP extension

    Hi all

    I need help establishing a link between a head office UC540 and a remote SR520, where I want to use a PC and an IP phone. This remote site is the first of many.

    I found several examples of IPsec site-to-site VPNs, but none with references to voice and data VLANs. Should I worry, or will the phone just work?

    All tips and suggestions gratefully accepted,


    Here is an example configuration of a LAN-to-LAN VPN between 2 IOS routers:

    Assuming that your example:

    VLAN 1 - data -

    VLAN 100 - voice -

    And on the other side:

    VLAN 1 - data -

    VLAN 100 - voice:

    The crypto ACL would be:

    access-list 150 permit ip

    access-list 150 permit ip

    Crypto ACLs on the other side are the following:

    access-list 150 permit ip

    access-list 150 permit ip

  • Impossible to reset the SR520 to default

    I can't get the router to work at all. I want to reset it to default. For some reason, CCA won't let me default the configuration for this router. The reset config box is missing.

    I backed up the configs using tftp and then copied the V9 factory config to the router.

    I did a copy flash start, then the new config, then wr mem.

    When I reload the router, an automatic backup and copy operation runs during start-up.

    So I did the process again and then did a copy start run and had all kinds of errors.

    What exactly is the method to default the router?

    I'm really starting to think that you should go directly to the TAC. Looks like you had 3 separate issues with this SR520.

    From your other posts, it seems that we have:

    (1) SSL VPN connectivity problems

    (2) port forwarding problems

    (3) Config reset problems

    I'm looking at whether there is anything in CCA that could contribute to the problem here, but I haven't nailed down all the answers yet. (And I hate the idea that you're waiting on something useful here and it isn't coming fast enough.)

    I'm still digging.

  • Will there be improvements made to the VPN and firewall configuration features in CCA?

    Will future versions of CCA have the ability to set up site-to-site VPNs on UC520s, UC540s and SR520s without having to use the Multisite Manager or CLI? Non-SBCS Cisco VPN products have a Cisco GUI to configure site-to-site VPNs. The UC520, UC540 and SR520 are the only Cisco products (with the exception of products that have reached end-of-life status) that do not have this capability in some sort of Cisco GUI (apart from the Multisite Manager in CCA 2.1 and later versions).

    Will future versions of CCA allow you to modify the firewall rules on UC520s, UC540s and SR520s without having to resort to the CLI?

    Almost all Cisco products, except for UC520, UC540 and SR520 series products, have a Cisco GUI to configure these features. On the SA520 and SA540, these features can be configured in the web GUI. On Cisco ISRs, these features can be configured through SDM or CCP. CCA has always had the ability to fix UC520 units, but it has not had the ability to fine-tune the firewall and security settings, unlike the SA500 web interface, SDM or CCP.

    Reasons why having these capabilities in CCA is important:

    • These features are listed on the UC520, UC540 and SR520 data sheets
    • The ability to refine and verify access control lists in CCA can accomplish the following:
      • Ability to comply with HIPAA, Sarbanes-Oxley, PCI, etc.
      • Improved troubleshooting
      • Eliminates the need to use CLI to refine or verify the firewall settings
    • Site-to-site VPNs can currently be configured via CLI or the CCA Multisite Manager
    • CCA Multisite Manager can be used for VPNs between UC500 units or SR520s placed in front of UC500 units
    • CCA Multisite Manager cannot be used for VPNs between standalone SR520 units, or between a UC500 unit and a non-UC500 endpoint (with the exception of an SR520 placed in front of a UC500 unit)
    • All IOS images supported by UC520 and UC540 units and SR520 routers have the firewall and VPN capabilities described here

    Hi John,

    CCA is a configuration tool for platforms that are part of the SBCS solutions. Multisite Manager is the approach we take to configure site-to-site VPNs. Enhancements to customization of the firewall and access lists are something we plan to put on the roadmap. We will continue to improve CCA to meet these requirements. We plan to get these features added in calendar year 2010.

    Thank you


  • Routing issue with site-to-site VPN


    I have a site-to-site VPN from an SR520 to an SFsence VPN. The tunnel is up, but I can't ping internal addresses of these two paths of layout of the site terminate my default gateway. Help, please.

    Access list configuration:

    access-list 100 permit ip

    access-list 100 permit ip

    ip nat inside source route-map SHEEP interface Dialer0 overload

    access-list 110 deny ip

    access-list 110 permit ip any

    route-map SHEEP permit 10

    match ip address 110

    Note: remote site (SFsence) of

    local site router Cisco SR520

    Glad to know everything works now.

    Please mark the question as answered so future users can learn from it.

    Kind regards

  • Multiple IPsec VPNs on SR 520


    I am new to Cisco routers and I have problems with the implementation of my VPN connections. I have 4 VPNs set up from the SR 520 to Linksys BEFVP41s, but only the first will connect and allow traffic to traverse. I think it has to do with my access list entries, but I don't know enough about it to understand. I also think that I might need to use ip nat inside source list xxx interface FastEthernet4 overload on my other tunnels, but I'm not sure. If someone could give me some advice it would be greatly appreciated. I've included some of my configuration below. Thank you

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    lifetime 28800


    crypto isakmp policy 2

    encr 3des

    authentication pre-share

    lifetime 3600

    crypto isakmp key 'KEY' address

    crypto isakmp key 'KEY' address

    crypto isakmp key 'KEY' address

    crypto isakmp key 'KEY' address

    crypto isakmp keepalive 3600



    crypto ipsec transform-set esp-sha-3des esp-3des esp-sha-hmac

    mode transport

    crypto ipsec transform-set esp-des-sha esp - esp-sha-hmac


    crypto map BT 1 ipsec-isakmp

    set peer

    set transform-set esp-3des-sha

    set pfs group1

    match address 110

    crypto map BT 2 ipsec-isakmp

    set peer

    set transform-set esp-3des-sha

    set pfs group1

    match address 120

    crypto map BT 3 ipsec-isakmp

    set peer

    set transform-set esp-3des-sha

    set pfs group1

    match address 130

    crypto map BT 4 ipsec-isakmp

    set peer

    set transform-set esp-3des-sha

    set pfs group1

    match address 140




    The config log





    interface FastEthernet0

    switchport access vlan 75


    interface FastEthernet1

    switchport access vlan 75


    interface FastEthernet2

    switchport access vlan 75


    interface FastEthernet3

    switchport access vlan 75


    interface FastEthernet4


    ip nat outside

    ip virtual-reassembly

    duplex auto

    speed auto

    crypto map BT


    interface Vlan1

    no ip address



    interface Vlan75

    ip address

    ip nat inside

    ip virtual-reassembly


    ip forward-protocol nd

    ip route


    ip http server

    ip http authentication local

    ip http secure-server

    ip http timeout-policy idle 60 life 86400 requests 10000

    ip nat inside source static tcp 5060 interface FastEthernet4 5060

    ip nat inside source static tcp 1720 interface FastEthernet4 1720

    ip nat inside source list 115 interface FastEthernet4 overload


    access-list 1 permit

    access-list 110 permit ip

    access-list 115 deny ip

    access-list 115 permit ip any

    access-list 120 permit ip

    access-list 125 deny ip

    access-list 125 permit ip any

    access-list 130 permit ip

    access-list 135 deny ip

    access-list 135 permit ip any

    access-list 140 permit ip

    access-list 145 deny ip

    access-list 145 permit ip any

    SR520#

    Hi Robert

    Try this:

    access-list 115 deny ip

    access-list 115 deny ip

    access-list 115 deny ip

    access-list 115 deny ip

    access-list 115 permit ip any

    and then remove access lists 125, 135 and 145 since they are not used.



  • SR520 DMVPN feature problem

    Hello people,

    I have a serious problem with the SR 520 and the Cisco router features that are written on paper!

    On the Cisco site, I found that the SR 520 supports DMVPN. I ordered the router and it came with IOS (SR520-ADVIPSERVICESK9-M), Version 12.4(20)T6. Later, I found that it does not support the NHRP protocol, which is the basis for the DMVPN feature and spoke-to-spoke VPN tunnels.

    I guess that the problem is in the IOS version that comes with the router.

    Please tell me, if you know, what the problem is and which IOS version I should choose.

    Should I take a later one (12.4.24T6) or some special release?

    Thanks in advance,


    Hi Vladimir

    DMVPN support on the SR520 was indeed only added in 12.4(24)T, so I suggest you go for the latest, which is 12.4(24)T6.



  • VPN works with Sierra?

    I understand that VPN does not work yet with Sierra.

    Is this a bug, or has this capability been removed?

    Can we expect support once again with one of the 10.12.# updates?

    This is a very important feature for my office, so we will not update to Sierra.

    Thank you

    VPNs work very well in Sierra as long as they don't use PPTP. Support for PPTP has been removed because it is not secure. Using a PPTP-based VPN is useless. Your data is not safe.

  • Tips to add a VPN router to my current network configuration

    Dear all

    My apologies if the answer to this question already exists, however, I searched in many situations and none seem to match what I'm after.

    I currently have an ISP modem/router in bridge mode connected to an Apple TC, which is my wireless router. I have 2 AirPort Expresses connected to this acting as range extenders. I have a VPN service through the MyPrivate network, which I activate on the desired device when required, and everything works fine.

    What I want to do now is to be able to use my Apple TV and Amazon Fire via the VPN as well, so I need to add a VPN router to the configuration. I want to end up with 2 wireless networks running side by side, one for the devices that need the VPN and one for those that do not. I don't want to lose the ability to extend the network with the AirPort Expresses, however.

    If someone could explain to me if this is possible and, if so, how I set up the network.

    Thanks in advance


    Basically you would need a device that supports VPN passthrough and VLANs for your networking goals. MyPrivate network seems to be an SSL VPN, which is a user-server configuration. In other words, you install a VPN client on your Mac and you connect to the MyPrivate network VPN server to establish a VPN tunnel.

    Running two or more "separate" networks would require a router that supports VLAN services. Each VLAN segment, in essence, would be a separate network, be it wired, wireless, or a combination of both. This would probably be the 'easiest' part of the setup.

    Now, how to combine the two would be the question, and I don't know what would be the best way, or even if it is possible.

    A few thoughts:

    • Use a router that supports VLANs. Create at least two VLAN segments: one for the Apple TV & Fire, one for Internet access in general. Connect the device hosting the VPN client to the first segment, and configure it for Internet sharing.
    • Get a dedicated VPN network appliance that supports hosting third-party VPN clients, like yours. You would still need a router that supports VLANs to provide separate network segments.
    • Hire a network consultant. Let them know what your networking goals are and ask them to offer potential solutions.
  • VPN settings lost - iOS 10.0.2

    I had VPN settings stored on my iPad. VPN connections worked well until the latest iOS update. Now ALL my VPN connections have disappeared. To make it even worse, I am unable to enter them again, because there are new mandatory fields: VPN type and shared key. I don't have the slightest idea how to fill them in because I never needed them when connecting to the VPN through my iMac - please see the screenshot.

    It drives me crazy. I welcome any suggestion.

    Prepare for removal of PPTP VPN before you upgrade to iOS 10 and macOS Sierra

    System administrators preparing for iOS 10 and macOS Sierra should stop using PPTP VPN connections. Learn about alternatives you can use to protect your data.

    If you have configured a PPTP VPN server, iOS 10 and macOS Sierra users will not be able to connect to it. iOS 10 and macOS Sierra will remove PPTP connections from any VPN profile when a user upgrades their device.

    Even though the PPTP protocol is still available on iOS 9 and earlier or OS X El Capitan and earlier, we do not recommend that you use it for secure, private communication.

    Alternatives for PPTP VPN connections

    Try one of these other VPN protocols for user-based authentication that are more secure:

    • L2TP/IPSec
    • IKEv2/IPSec
    • Cisco IPSec
    • SSL VPN clients on the App Store, such as those of AirWatch, Aruba, Check Point, Cisco, F5 Networks, MobileIron, NetMotion, Open VPN, Palo Alto Networks, Pulse Secure and SonicWall
  • iPhone 6s - how to remove hidden VPN Express app?

    A few days ago, I received a notification that an app named VPN Express wanted access to my location information. I had never ordered or installed such an application and declined. The VPN Express app then retired to the background. I thought that I would just remove it but discovered it was hidden somehow. If I ask Siri to open it, it opens. How can I find and remove hidden apps? Similar experiences? Anyone know what is happening with this app?

    Use Spotlight search; it will show where the app is.

  • a VPN client is necessary?

    Is a customer VPN as necessary Incognito on MacBook?

    I've recently updated to Sierra

    Yes, if you connect to public networks and you don't want your ISP to know what sites you visit.

  • Can't ssh on Mac OS VPN server

    I can connect to my L2TP VPN server with my iPhone running iOS 10 through my carrier's data network and on to my Comcast home network, but not everything works:

    What works:

    Accessing the default website running on macOS Server using its IP address

    Public Web surfing

    I can ping the IP address of any system on my network from my phone

    What does not (what I tried):

    SSH to any macOS system on my network

    Accessing screen sharing on any macOS system on my network

    Resolving a local hostname to an IP address

    More information

    My iPhone is running iOS 10

    My computers are running macOS Sierra

    I use Mac OS as the VPN server host

    I use the iOS 10 L2TP VPN client.

    Firewalls on the systems are disabled.

    With typical VPN connections, you use your iPhone's DNS server and not the DNS server of the network your server is on. In addition, Bonjour services are only available on the LAN. So you have no way to resolve names to IP addresses for the network you are VPNing into.

    The only easy solution from an iPhone is to make a list of IP addresses and use them to connect instead of host names. Using IPs will work as long as your ISP does not also use the same internal (like 192.168 or 10.0) IP addresses as the network that you connect to.

  • macOS Sierra built-in Cisco IPsec VPN does not work anymore (cannot validate the server certificate)


    I just upgraded to macOS Sierra and the built-in Cisco IPsec VPN no longer works. When I try to connect, I get a "cannot validate the certificate of the server. Check your settings and try to reconnect" error message. I use a Cisco ASA with self-signed certificates and everything worked fine with previous versions of OS X.

    Please help me, I need my VPN. Thx a lot.

    I am having the same problem with StrongSwan and a signed cert, with the complete certificate chain included in the pkcs12 file imported into the keychain. It was working properly in El Capitan, but is now broken in Sierra.

  • Cisco VPN does not work in Sierra

    I just upgraded to OS Sierra and the Cisco VPN I had set up does not connect anymore. The setup looks right in Network preferences. When I click it, it looks like it is trying but stops without asking for a password.

    The Cisco VPN client may need to be updated or reinstalled. If it uses the PPTP protocol, it will not work. Support for PPTP was dropped, because it is no longer considered secure.
