Star VPN topology

Hello

We have a datacenter with an ASA device, a couple of branches with 1841 routers, and a desk with an L3 switch (3650). Is it possible to make VPN (IPsec) connections between the 1841 and the 3650 on one side and the ASA on the other, where the ASA would be the VPN concentrator?

The ASA and 1841 should be fine, but the 3560 will not support VPN.

HTH

MS

Tags: Cisco Security

Similar Questions

  • Star VPN - clients cannot reach spokes from the hub

    I have two remote sites with existing site-to-site VPN connections. I have no problem, if I VPN into a particular site, reaching the services on that site.

    I can't reach services on the other sites.

    My VPN address pool is 192.168.20.X/24 at the hub.

    The spokes are 192.168.30.X/24 and 192.168.40.X/24 respectively.

    My internal IP range is 172.16.X.X/21.

    Each site is on a different subnet in this range.

    So if I VPN into the hub, with a VPN IP in 192.168.20.X/24, I can reach services on 172.16.8.X/21, but cannot reach a spoke at 172.16.56.X/21.

    I am sure that this is a routing problem; I tried adding static routes, but no joy.

    All sites are ASA 5510s.

    The configuration you need is:

    ASA local:

        access-list L2L permit ip 192.168.40.0 255.255.255.0 172.16.8.0 255.255.248.0
        access-list shared permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0
        same-security-traffic permit intra-interface

    ASA remote:

        access-list L2L permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0
        access-list sheep permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0

    The ACL names reflect where to configure them.

    In addition, if a NAT rule is configured on the outside interface of the ASA, you should exempt this traffic from NAT.

    Let me know how it goes.

    Federico.

  • Connecting two LRT224 using VPN

    What is the best way to connect two LRT224 to each other when they are in two different cities?

    OpenVPN or IPsec?

    I think gateway-to-gateway should be the correct mode, but I'm very unsure with the large number of parameters...

    Try the EasyLink VPN of the LRT214/LRT224, which simplifies the site-to-site VPN configuration.

    http://KB.Linksys.com/Linksys/UKP.aspx?VW=1&docid=03cf456383fc4d958cf918110c7fcd42_How_to_configure _...

    Conceptually, EasyLink VPN works in the following way.

    1. On the main site, enable the EasyLink VPN Server (tab on the Web GUI) and create an account (username and password) for each remote site.

    2. At a remote site, enable the EasyLink VPN Client (tab on the Web GUI) and enter the account credentials (username and password).

    3. The remote site will automatically reach the main site to establish an IPsec tunnel.

    Note: the LRT224 can support up to five EasyLink VPN peers in a star VPN topology.

  • Hub-and-spoke VPN network: traffic between two spokes

    Hi, I have a star VPN network topology, and all traffic is from the remote offices to the data center.

    I have a request to build a tunnel between two remote sites so that some servers can be accessed between those two remote sites.

    Can I just change the ACL of interesting traffic to include, say, Office A to Office B in the Office A to Datacenter tunnel rule and in the Office B to Datacenter tunnel?

    In doing so, I can avoid the tunnel between the two offices (A and B).

    See you soon

    Hello

    You can make the traffic between the two spokes go through the hub, or build a new tunnel between the spokes.

    If the hub is an ASA, you must allow it with same-security-traffic permit intra-interface.

    If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

    Federico.

  • Can an ASA5505 bridge remote-access VPN clients into the local network?

    I currently have an ASA 5505 and a 2911 router and I am trying to configure the VPN topology.

    Can the ASA5505 bridge remote-access VPN clients into a LAN operated by another router?

    Are these two cases possible?

    (1) The ASA 5505 and the 2911 router have separate WAN interfaces, each connected directly to the ISP. Can I connect another LAN interface of the ASA 5505 to a switch managed by the 2911 router, so that remote SSL VPN clients are injected into the local network managed by the router?
    (2) The ASA 5505 is behind the 2911 router. Can the 2911 router forward VPN access attempts to its public IP address directly to the ASA 5505 when only a single public IP address is available?
    Long story short, can the ASA 5505 inject its remote-access VPN clients as hosts on the local network managed by the 2911 router?
    Thank you.

    I could help you more if you explain the purpose of this configuration and the connectivity between the router and the ASA.

    You can enable reverse route injection on the dynamic crypto map on the ASA. The ASA will install a static route to the client in its routing table. You can use a routing protocol to redistribute static routes to your switch on the LAN side of the ASA.

  • GRE restrictions

    I want to use GRE + IPsec over an X.25 infrastructure in a site-to-site VPN topology. Is this possible? Can GRE be used with X.25 or not? Are there restrictions?

    Thank you

    I don't see why it wouldn't work.

    All that GRE requires is IP layer connectivity. If the two ends can ping each other, then GRE will work.

    Similarly for IPsec.

  • DMVPN, GETVPN or DVTI

    Hello

    In fact I have the situation described below, and I am confused about which VPN topology to design and implement: should I choose DMVPN, GETVPN or DVTI?

    I have 4 branches and 1 main site; the branches have 2 connections to HQ, one via the Internet and another through MPLS, so I want failover on the links and also a secure two-way tunnel.

    Best regards

    John Mayer

    GETVPN is not supposed to be used on the Internet, so this isn't the solution.

    With this small number of sites I would set up static VTI on MPLS and use DVTIs on the Internet if the branches have dynamic IPs. If the branches also have static IPs, I would also do these links with static VTI.

    DMVPN could also be used in this scenario, but the protocol overhead is not necessary at this small scale.

  • Crypto: small PKI certificate question

    Hey all, just a quick question regarding cryptography certificate keys. I noticed that a large hex key appears on our DMVPN routers.

    For example:

    crypto pki certificate chain TP-self-signed-708137789

     certificate self-signed 01


      quit

    What is the key? Is this related to the star VPN authentication?

    The self-signed certificate can be associated with DMVPN, but it can also be associated with other things. For example, if you configure ip http secure-server, it will cause a self-signed certificate to be generated.

    HTH

    Rick

    Sent from Cisco Technical Support iPad App

  • Star VPN topology, hub using two interfaces

    Hello

    I am facing a problem with a Cisco ASA 5500 running 8.4 software.

    I know, I know, VPN concentrator and spokes has already been discussed many times. But all those discussions are about a hub using only a single interface, the outside/public interface.

    My topology is slightly different.

    LAN-A <--> VPN peer A <--> (Internet) <--> (outside if) ASA-B (inside if) <--> (corporate network) <--> (outside if) ASA-C (inside if) <--> LAN-C

    VPN communication must flow between LAN-A and LAN-C.

    Phase I and Phase II work on both tunnels (A-B, B-C). The crypto maps should be good.

    The IPsec security association for the A-B tunnel is explicitly for LAN-A and LAN-C.

    For the B-C tunnel, the IPsec security association covers LAN-C.

    What I can see on ASA-B is the traffic from LAN-A on tunnel A-B,

    which does not trigger an SA for tunnel B-C!

    Traffic initiated from LAN-C I can see on ASA-B as incoming traffic; the SA for LAN-A to LAN-C is established on tunnel B.

    The traffic seems to enter tunnel A-B; I can see outgoing traffic on ASA-B.

    Of course, NAT exemption is configured for traffic between LAN-A and LAN-C.

    Why does traffic from LAN-A not enter tunnel B-C inside the SA?

    It seems that the traffic from LAN-A is dropped at ASA-B or sent anywhere but in the right direction.

    I admit that I am naive.

    Any help would be appreciated.

    Thank you, people.

    Excellent. Thanks for the update. Please kindly mark your message as answered so that others may learn from it.

  • Topology for an initial RV082 VPN connection

    I have 4 RV082 routers, 1 at HQ and 1 in each of the 3 branches (see the attached Net Diag.pdf). I have set up a VPN from HQ to each of the branches and I can access the HQ subnet. However, I need to access one branch from another.

    Is there a way to define a static route on the HQ router, or do I need to set up a VPN from one branch to another branch, as a mesh topology?

    Thank you

    Hi David, additional VPN tunnels will do, as a mesh. The VPN tunnel configuration is logical; you specify the subnets explicitly when creating each tunnel.

    -Tom
    Please mark answered messages as useful

  • Hub-and-spoke topology (between site-to-site VPNs)?

    Hi all

    I have a friend who has in his company an ASA5505 as the central point and about 5 remote sites connected through site-to-site VPN.

    All tunnels are up and reach the central network.

    The only traffic that goes through the tunnels is traffic destined to the local network of the ASA.

    My friend asked me what he needs in order to get from one remote VPN site to another remote VPN site, passing through the central site ASA5505.

    The ASA5505 can reach all remote networks through the tunnels.

    Can someone briefly tell me what he needs on the ASA to carry traffic between the VPN tunnels?

    Are static routes needed on the remote sites to announce the other remote sites?

    Best regards

    Hi Tiago,

    you will need to do 3 things primarily:

    On the hub, you need to configure:

    same-security-traffic permit intra-interface

    (this allows traffic out of the same interface it came in on; in your case the traffic between the spokes will come in on outside and go back out on outside).

    Then, on the hub as well as on the spokes, you need to add all spoke-to-spoke traffic to the crypto ACL and the NAT exemption ACL.

    Depending on your addressing scheme, you may be able to aggregate to avoid very large ACLs (with 5 spokes I guess it's still manageable).

    No routes should be necessary on the spokes or the hub (unless the VPN tunnels take a different path than your ordinary Internet traffic; I assumed that this is not the case).

    Let me know if you need more details.

    HTH

    Herbert

  • Connectivity from a remote VPN site to adjacent networks

    Star topology with the corporate office acting as hub (192.168.1.x) and remote sites connected by frame relay, except for another network (172.16.x.x) in the building, served by the company 3560 switch.

    From my remote VPN site (10.0.1.x) I can ping the 172.16.x.x network, but not the 192.168.1.x network. What I'm trying to do is allow the remote 10.0.1.x network (which connects directly via VPN to the 172.16.x.x network) to reach the 192.168.1.x network and vice versa.

    I'm sure it's a combination of NAT/routing issues I'm forgetting.

    I'm new to PIX/ASA in general and this is the first L2L VPN I've installed. If someone can point me in the right direction, I would appreciate it.

    Thank you.

    Does it look like this?

    10.0.1.x -> L2L tunnel -> Corp. ASA -> 172.16.x.x -> 3560 -> 192.168.1.x

    and you can currently communicate through the tunnel between 10.0 and 172.16? In order to communicate between 10.0 and 192.168.1, you will need to define this interesting traffic and add it to your crypto and NAT exemption ACLs.

    Corp site

        access-list <crypto-acl-name> extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
        access-list <nonat-acl-name> extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
        nat (inside) 0 access-list <nonat-acl-name>

    Remote site

        access-list <crypto-acl-name> extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
        access-list <nonat-acl-name> extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
        nat (inside) 0 access-list <nonat-acl-name>
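    Federico's answer, Herbert's answer and this thread all require the same thing: every spoke-to-spoke flow has to appear in the crypto ACL on the hub tunnel it enters, on the hub tunnel it leaves and on both spokes, and a single missing entry is enough for the hub to never build the second SA (the symptom in the ASA 8.4 two-interface thread). As an added example, not code from any of these posts, the Python script below parses hub and spoke crypto ACLs and reports each spoke-to-spoke flow that one side permits and the other does not; the ACL names, the constructed sample configs and the check_spoke_to_spoke() function are assumptions of this example.

```python
# Added example, not code from any of the threads above: check that hub and spoke crypto ACLs
# mirror each other for every spoke-to-spoke flow. The sample configs are constructed, with
# hub LAN and spoke ranges borrowed from the first thread; host/any ACL entries are skipped.
import re
from ipaddress import IPv4Network
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    + r"\s+".join([r"(\d+\.\d+\.\d+\.\d+)"] * 4))
HUB_CONFIG = """
access-list VPN-SPOKE30 extended permit ip 172.16.8.0 255.255.248.0 192.168.30.0 255.255.255.0
access-list VPN-SPOKE30 extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list VPN-SPOKE40 extended permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0
"""
SPOKE_CONFIGS = """
access-list SPOKE30-TO-HUB extended permit ip 192.168.30.0 255.255.255.0 172.16.8.0 255.255.248.0
access-list SPOKE30-TO-HUB extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list SPOKE40-TO-HUB extended permit ip 192.168.40.0 255.255.255.0 172.16.8.0 255.255.248.0
"""

def parse_acl(text):
    """Return {acl_name: {(src_net, dst_net), ...}} from ASA/PIX permit-ip lines."""
    acls = {}
    for m in filter(None, map(ACL_RE.match, map(str.strip, text.splitlines()))):
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, set()).add((IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
    return acls

def covers(entries, src, dst):
    """True if one entry contains the flow; an aggregate such as 192.168.0.0/16 counts."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def check_spoke_to_spoke(hub_acls, spoke_acls, spokes):
    """Per spoke name: parsed crypto ACL on the hub / on the spoke, and the spoke's LAN."""
    missing = []
    for a, net_a in spokes.items():
        for b, net_b in spokes.items():
            if a == b:
                continue
            # Flow net_a -> net_b enters the hub on tunnel a; hub ACLs are written hub side first.
            if not covers(spoke_acls[a], net_a, net_b):
                missing.append(f"spoke {a}: permit ip {net_a} -> {net_b}")
            if not covers(hub_acls[a], net_b, net_a):
                missing.append(f"hub ACL for {a}: permit ip {net_b} -> {net_a}")
    return missing

def run_sample():
    hub, spk = parse_acl(HUB_CONFIG), parse_acl(SPOKE_CONFIGS)
    return check_spoke_to_spoke(
        {"spoke30": hub["VPN-SPOKE30"], "spoke40": hub["VPN-SPOKE40"]},
        {"spoke30": spk["SPOKE30-TO-HUB"], "spoke40": spk["SPOKE40-TO-HUB"]},
        {"spoke30": IPv4Network("192.168.30.0/24"), "spoke40": IPv4Network("192.168.40.0/24")})

if __name__ == "__main__":
    for entry in run_sample():
        print("missing:", entry)
```

    The sample only checks the crypto ACLs; the NAT exemption ACLs that Herbert's answer also calls for can be fed through the same parse_acl() and covers() check.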

  • Same subnet on all the VPN endpoints?

    Anyone know if it is possible to have the same subnet on all the endpoints of a star-topology VPN?  I need to create 18 ASA5505 tunnels back to an ASA5510.  Instead of having 18 subnets over there, it seems more efficient for my purposes to just have one.  Sort of a CLOUD (there is that word) inquiry.

    I was wondering.

    Of course, read below

    http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

  • VPN Hub and Spoke with NAT

    Hello! I have a star topology VPN network and I need a configuration for our customers to access it. I have 3 endpoints in this example: the VPN hub, a PIX 515e and a Linksys RV042. The hub is our parent company's site, the PIX 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our PIX 515e and the hub, and another VPN between our PIX 515e and the RV042. What I need is for the server at the client (RV042) site to talk to the hub network via our PIX 515e. I also need the traffic to be NATed so that it looks like it comes from the same subnet as our PIX 515e towards the hub.

    Hub (HUB): 10.1.6.x
    PIX 515e (HUB): 172.16.3.x
    RV042 (SPOKE): 192.168.71.x

    PIX 515e (HUB): outside 12.34.56.78, inside 172.16.1.1
    Hub (SPOKE): outside 87.65.43.21, inside 10.1.6.1
    RV042 (SPOKE): outside 150.150.150.150, inside 192.168.71.1

    The hub allows all traffic to my PIX 515e subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on the RV042 network to the hub network 10.1.6.x through the PIX 515e and make it look like it is coming from 172.16.3.71. So I need to NAT traffic from one tunnel into another tunnel. The running config is attached, redacted for privacy. Any help is greatly appreciated.

    On the PIX you need a static policy NAT statement:

        access-list NAT permit ip host 192.168.71.5 10.1.6.0 255.255.255.0
        static (outside,outside) 172.16.3.71 access-list NAT

    And modify the crypto ACL appropriately to include the NATed address.

  • EtherCAT line topology with fiber converters

    Hello

    I have a request where I will order several NI 9144 slave chassis in a line topology from a cRIO master. The chassis must have 10 kV+ isolation from each other and from the master, so I'll use fiber converters on the Ethernet link between each chassis. The link lengths are relatively short.

    Do the fiber converters need to meet a particular specification, and if so do you have any recommendations?

    Would I be better off using standard Ethernet with the NI 9149? I can cope without the deterministic scheduling.

    Thank you

    Richard.

    Hi Richard,

    The EtherCAT protocol normally runs on 100BASE-TX and can also run on 100BASE-FX (sources here and here). I'm guessing that you have seen the KB that explains that you need different switches/hubs for EtherCAT and are wondering whether the optical converters fall into this same category?

    The need for special switches/hubs is because EtherCAT star junctions work differently than normal Ethernet, as the hubs need to route the packets in a particular way. However, inline optical converters do not affect the direction the packets go. They are just a bit conversion from electrical voltages to light pulses. The main thing to consider would be how much latency the converters introduce into the network, as this will eventually affect your EtherCAT minimum cycle time.

    That said, NI does not test the optical converters, but I've heard of customers who used optical converters before (sorry, no reference link available to the public). As I mentioned above, the EtherCAT protocol specifies both 100BASE-TX and 100BASE-FX, so I'd make sure the converter conforms to these standards.
