Hub-and-spoke topology (between site-to-site VPN tunnels)?

Hi all

I have a friend whose company has an ASA5505 at the central site and about 5 remote sites connected through site-to-site VPNs.

All tunnels are up and reach the central network.

The only traffic that goes through the tunnels is traffic destined for the ASA's local network.

My friend asked me what he needs in order to reach one remote VPN site from another remote VPN site, passing through the central ASA5505.

The ASA5505 can reach all remote networks through the tunnels.

Can someone give me a short summary of what he needs on the ASA to carry traffic between the VPN tunnels?

Are static routes needed on the remote sites to announce the other remote sites?

Best regards

Hi Tiago,

You will need to do 3 things, primarily:

On the hub, you need to configure:

same-security-traffic permit intra-interface

(this allows traffic to leave through the same interface it came in on; in your case the traffic between the spokes will come in on outside and go back out on outside).

Then, on the hub as well as on the spokes, you need to add all spoke-to-spoke traffic to the crypto ACL and to the NAT exemption ACL.

Depending on your addressing scheme, you may be able to aggregate to avoid very large ACLs (with 5 spokes I guess it's still manageable).

No routes should be necessary on the spokes or the hub (unless the VPN tunnels take a different path than your ordinary internet traffic; I assume that this is not the case).

Let me know if you need more details.

HTH

Herbert
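Worked example, added here and not code from this thread or from Cisco: a small Python generator that turns a hub-and-spoke topology into the three pieces of the answer above (the intra-interface hairpin, a crypto ACL per spoke tunnel on the hub and on each spoke, and the NAT exemptions), plus a mirror check, because IKE phase 2 only comes up when the two ends of a tunnel propose mirror-image proxy identities. It assumes an ASA hub on 8.3+ object NAT and IOS spokes with classic crypto maps; the subnets and the object/ACL names (HUB_LAN, SPOKE_*, CRYPTO_*, VPN, NAT) are constructed for illustration. On the hub, spoke-to-spoke traffic enters and leaves on outside, so the (inside,outside) rules never translate it; the (outside,outside) identity rules are emitted to match the answer's advice and only matter if some rule using any as an interface would otherwise catch that flow.

```python
"""Hub-and-spoke IPsec: crypto-ACL / NAT-exemption generator and proxy-ID mirror check.
Added example for the thread above, not code from the original post or from Cisco.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source, destination): one crypto ACL entry / proxy identity


def asa_mask(n: Net) -> str:  # ASA notation: network netmask
    return f"{n.network_address} {n.netmask}"


def ios_wild(n: Net) -> str:  # IOS notation: network wildcard
    return f"{n.network_address} {n.hostmask}"


def hub_crypto_pairs(hub: Net, spokes: Dict[str, Net]) -> Dict[str, List[Pair]]:
    """Entries the hub's crypto ACL for each spoke tunnel must carry: hub LAN -> spoke
    plus every other spoke -> spoke (the flows that enter and leave on outside)."""
    return {name: [(hub, net)] + [(o, net) for on, o in spokes.items() if on != name]
            for name, net in spokes.items()}


def spoke_crypto_pairs(hub: Net, spokes: Dict[str, Net]) -> Dict[str, List[Pair]]:
    """Entries each spoke's own crypto ACL must carry: spoke -> hub LAN, spoke -> other spokes."""
    return {name: [(net, hub)] + [(net, o) for on, o in spokes.items() if on != name]
            for name, net in spokes.items()}


def mirror_gaps(hub_pairs: List[Pair], spoke_pairs: List[Pair]) -> Set[Pair]:
    """Return the hub-side entries whose (dst, src) mirror is missing on the spoke.
    Any such entry means phase 2 for that flow will not negotiate."""
    mirrored = {(d, s) for s, d in spoke_pairs}
    return {p for p in hub_pairs if p not in mirrored}


def render_hub(hub: Net, spokes: Dict[str, Net]) -> List[str]:
    """ASA (8.3+ object NAT) lines for the hub; object/ACL names are hypothetical."""
    lines = ["same-security-traffic permit intra-interface",  # hairpin outside -> outside
             "object network HUB_LAN", f" subnet {asa_mask(hub)}"]
    for name, net in spokes.items():
        lines += [f"object network SPOKE_{name}", f" subnet {asa_mask(net)}"]
    for name, pairs in hub_crypto_pairs(hub, spokes).items():
        lines += [f"access-list CRYPTO_{name} extended permit ip {asa_mask(s)} {asa_mask(d)}"
                  for s, d in pairs]
    for name in spokes:  # hub LAN <-> spoke must not be caught by the inside PAT rule
        lines.append(f"nat (inside,outside) source static HUB_LAN HUB_LAN "
                     f"destination static SPOKE_{name} SPOKE_{name}")
    names = list(spokes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Spoke-to-spoke hairpins outside -> outside; (inside,outside) rules never
            # match it. This identity rule only matters if a rule using 'any' as an
            # interface would otherwise translate the flow. Harmless when not needed.
            lines.append(f"nat (outside,outside) source static SPOKE_{a} SPOKE_{a} "
                         f"destination static SPOKE_{b} SPOKE_{b}")
    return lines


def render_spoke(name: str, hub: Net, spokes: Dict[str, Net]) -> List[str]:
    """IOS lines for one spoke: crypto ACL VPN, and PAT ACL NAT with one deny per
    tunnelled destination so VPN traffic is never PATed to the dialer address."""
    pairs = spoke_crypto_pairs(hub, spokes)[name]
    lines = ["ip access-list extended VPN"]
    lines += [f" permit ip {ios_wild(s)} {ios_wild(d)}" for s, d in pairs]
    lines.append("ip access-list extended NAT")
    lines += [f" deny ip {ios_wild(s)} {ios_wild(d)}" for s, d in pairs]
    lines.append(f" permit ip {ios_wild(spokes[name])} any")
    return lines


if __name__ == "__main__":
    HUB = Net("192.168.5.0/24")  # constructed addressing
    SPOKES = {"A": Net("192.168.11.0/24"), "B": Net("192.168.12.0/24"),
              "C": Net("192.168.13.0/24")}
    print("\n".join(render_hub(HUB, SPOKES)))
    for n in SPOKES:
        print(f"! spoke {n}")
        print("\n".join(render_spoke(n, HUB, SPOKES)))
    # A spoke that still lists only the hub LAN leaves every spoke-to-spoke entry
    # on the hub unmirrored, which is the starting state described in the question.
    print(mirror_gaps(hub_crypto_pairs(HUB, SPOKES)["A"], [(SPOKES["A"], HUB)]))
```

Run it and diff the output against the running configs; the mirror_gaps result is the quickest way to see which spoke still has the old hub-only crypto ACL when a spoke-to-spoke tunnel refuses to come up.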

Tags: Cisco Security

Similar Questions

  • Question about hub and spoke VPN between several sites

    Hello

    I currently have a 'hub' ASA 5505 that connects to 4 sites running 877 routers.

    From the hub network I can connect to all the sites fine, but what I would like to do is to compartmentalize the different VPN links into small groups.

    The ASA 5505 hub mainly provides IP telephony via the VPN from a PBX, allowing users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites should be able to call each other internally through the hub. Obviously traffic must be allowed between their different networks.

    Currently, when I try an internal call it rings, but there is no audio either way. I guess that's due to access-list restrictions. I don't know yet if what I'm trying to achieve is possible, as I'm a bit of a rookie, but any help would be appreciated. I have attached the hub and 2 spoke configs below.

    The ideal end result would be interconnectivity between the two spokes through the hub; from what I read it seems possible, but I can't get my head around it! Would it involve using different subnet masks to the hub?

    Any help would be greatly appreciated!

    Thank you

    Jack

    ASA "hub" VPN config

    object network OAKOW
     subnet 192.168.12.0 255.255.255.0
    object network OAKIV
     subnet 192.168.11.0 255.255.255.0

    access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.5.1 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static OAKOW OAKOW
    nat (inside,outside) source static LAN LAN destination static OAKIV OAKIV

    object network obj_any
     nat (inside,outside) dynamic interface

    access-group [acl-name] in interface outside   (the ACL name was not preserved in the post)

    crypto ipsec ikev1 transform-set HOSTEDTS esp-3des esp-sha-hmac
    crypto map HOSTEDMAP 100 match address ACL_OAKOW
    crypto map HOSTEDMAP 100 set pfs
    crypto map HOSTEDMAP 100 set peer 4.3.2.1
    crypto map HOSTEDMAP 100 set ikev1 transform-set HOSTEDTS
    crypto map HOSTEDMAP 101 match address ACL_OAKIV
    crypto map HOSTEDMAP 101 set pfs
    crypto map HOSTEDMAP 101 set peer 5.6.7.8
    crypto map HOSTEDMAP 101 set ikev1 transform-set HOSTEDTS

    crypto map HOSTEDMAP interface outside
    crypto isakmp identity address
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside
    crypto ikev1 am-disable

    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800

    group-policy TBOakOW internal
    group-policy TBOakOW attributes
     vpn-tunnel-protocol ikev1

    group-policy TBOakIV internal
    group-policy TBOakIV attributes
     vpn-tunnel-protocol ikev1

    tunnel-group 4.3.2.1 type ipsec-l2l
    tunnel-group 4.3.2.1 general-attributes
     default-group-policy TBOakOW

    tunnel-group 4.3.2.1 ipsec-attributes
     ikev1 pre-shared-key *****

    tunnel-group 5.6.7.8 type ipsec-l2l
    tunnel-group 5.6.7.8 general-attributes
     default-group-policy TBOakIV
    tunnel-group 5.6.7.8 ipsec-attributes
     ikev1 pre-shared-key *****

    877 VPN "spoke 1" config

    vpdn enable

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800

    crypto isakmp key ***** address 1.2.3.4

    crypto ipsec transform-set TB0ak esp-3des esp-sha-hmac

    crypto map OakOW 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set TB0ak
     set pfs group2
     match address VPN

    interface Vlan1
     description -LAN-
     ip address 192.168.12.1 255.255.255.0
     ip nat inside

    interface Dialer0
     crypto map OakOW

    ip nat inside source list NAT interface Dialer0 overload

    ip access-list extended NAT
     deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

    877 VPN "spoke 2" config

    vpdn enable

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800

    crypto isakmp key ***** address 1.2.3.4

    crypto ipsec transform-set HOSTEDTS esp-3des esp-sha-hmac

    crypto map TBVPNOak 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set HOSTEDTS
     set pfs group2
     match address ACL-VPN-to-ASA

    interface Vlan1
     description internal LAN
     ip address 192.168.11.1 255.255.255.0
     ip nat inside

    interface Dialer0
     crypto map TBVPNOak

    ip nat inside source list NAT interface Dialer0 overload

    ip access-list extended ACL-VPN-to-ASA
     permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

    ip access-list extended NAT
     deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 any

    You need to rewrite the ACLs on spoke 1:

    ip access-list extended NAT
     deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 any

    ip access-list extended VPN
     permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

    and on spoke 2:

    ip access-list extended NAT
     deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 any

    ip access-list extended ACL-VPN-to-ASA
     permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

    And the ACLs on the ASA:

    access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKOW extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0

    You must allow intra-interface traffic:

    same-security-traffic permit intra-interface

    Also, you can check the NAT translation with the debug nat command.


  • Cisco RV042 VPN hub and spokes, connecting spokes question

    Hello

    I have a few Cisco RV042 routers with VPN links between them in a hub and spoke topology.

    Each spoke VPN works; they manage to connect to the hub.

    The hub can see each spoke VPN as active.

    A computer under the hub can connect to a computer under any spoke.

    A computer under any spoke can connect to a computer under the hub.

    That works very well.

    Now, what I really need is for computers under one spoke to connect to computers under another spoke.

    It doesn't work.

    Current LAN configuration:

    HUB IP / mask: 192.168.0.1 / 255.255.255.0

    Spoke1 IP / mask: 192.168.1.1 / 255.255.255.0

    Spoke2 IP / mask: 192.168.2.1 / 255.255.255.0

    I was wondering if the Cisco RV042 can be configured to allow that, and how?

    If it can't be done, what other router should I use as a hub? Should I change the spokes as well?

    Thank you and have a nice day

    Hope this document can point you in the right direction.

    https://supportforums.Cisco.com/docs/doc-12534

  • VPN Hub and Spoke with NAT

    Hello! I have a hub-and-spoke VPN network, and I need to configure access for our customers. I have 3 endpoints in this example: a VPN hub, a PIX 515e and a Linksys RV042. The hub is at our parent company's site, the PIX 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our PIX 515e and the hub, and another between our PIX 515e and the RV042. What I need is for the server at the client (RV042) site to talk to the hub network via our PIX 515e. I also need the traffic to be NATed so it looks like it comes from the same subnet as our PIX 515e to the hub.

    Hub (SPOKE): 10.1.6.x

    PIX 515e (HUB): 172.16.3.x

    RV042 (SPOKE): 192.168.71.x

    PIX 515e (HUB):

    Outside - 12.34.56.78

    Inside - 172.16.1.1

    Hub (SPOKE):

    Outside - 87.65.43.21

    Inside - 10.1.6.1

    RV042 (SPOKE):

    Outside - 150.150.150.150

    Inside - 192.168.71.1

    The hub allows all traffic from my PIX 515e subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on the RV042 network to the hub network 10.1.6.x through the PIX 515e and make it look like it comes from 172.16.3.71. So I need to NAT traffic from one tunnel into another tunnel. The running config is attached with private details removed. Any help is greatly appreciated.

    On the PIX you need a static policy NAT statement:

    access-list NAT permit ip host 192.168.71.5 10.1.6.0 255.255.255.0

    static (outside,outside) 172.16.3.71 access-list NAT

    And modify the crypto ACL appropriately to include the NATed address.
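    Worked example, added here and not code from this thread or from Cisco: a Python walk-through of why the answer says to put the NATed address in the crypto ACL. On the PIX/ASA an outbound packet is translated first and only then matched against the crypto ACLs, so a flow that hairpins from one tunnel into another is selected for the second tunnel by its post-NAT addresses. The addresses are the poster's; the rule and tunnel names are hypothetical, the PIX is assumed to run 7.x or later with same-security-traffic permit intra-interface (the outside-to-outside hairpin needs it), and the two crypto ACLs are modelled from the poster's description of what each tunnel allows. The third walk, the reply from the hub network, shows that the RV042 tunnel's proxy IDs as described do not cover the untranslated return flow; the thread does not say how that was handled, so the code only reports it.

```python
"""NAT-before-crypto flow walk for the policy NAT answer above.
Added example, not code from the original post or from Cisco.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PolicyNat:
    """static (outside,outside) <mapped> access-list <acl>, where the ACL is
    'permit ip host <real> <when_dst>': translate src real->mapped for that
    destination, and untranslate dst mapped->real on the return flow."""
    real: IP
    mapped: IP
    when_dst: Net


@dataclass
class Tunnel:
    name: str
    acl: List[Tuple[Net, Net]]  # crypto ACL entries as (local, remote)


def apply_nat(src: IP, dst: IP, rules: List[PolicyNat]) -> Tuple[IP, IP, str]:
    """First matching policy rule wins; returns post-NAT src, post-NAT dst and a note."""
    for r in rules:
        if src == r.real and dst in r.when_dst:      # forward: source translation
            return r.mapped, dst, f"src {src} -> {r.mapped}"
        if dst == r.mapped and src in r.when_dst:     # reverse: destination un-translation
            return src, r.real, f"dst {dst} -> {r.real}"
    return src, dst, "no translation"


def select_tunnel(src: IP, dst: IP, tunnels: List[Tunnel]) -> Optional[str]:
    """Crypto map lookup: the first crypto ACL whose (local, remote) covers the flow.
    None means the packet would leave outside in the clear (or be dropped)."""
    for t in tunnels:
        if any(src in local and dst in remote for local, remote in t.acl):
            return t.name
    return None


def walk(src: IP, dst: IP, rules: List[PolicyNat], tunnels: List[Tunnel]):
    """Outbound order on PIX/ASA: NAT first, then the crypto ACL on translated addresses."""
    s, d, note = apply_nat(src, dst, rules)
    return s, d, note, select_tunnel(s, d, tunnels)


if __name__ == "__main__":
    rule = PolicyNat(IP("192.168.71.5"), IP("172.16.3.71"), Net("10.1.6.0/24"))
    tunnels = [Tunnel("to-hub", [(Net("172.16.3.0/24"), Net("10.1.6.0/24"))]),
               Tunnel("to-rv042", [(Net("172.16.3.0/24"), Net("192.168.71.0/24"))])]
    cases = [(IP("192.168.71.5"), IP("10.1.6.20"), []),      # no policy NAT: no tunnel
             (IP("192.168.71.5"), IP("10.1.6.20"), [rule]),  # NATed: lands in to-hub
             (IP("10.1.6.20"), IP("172.16.3.71"), [rule])]   # reply: un-NATed, uncovered
    for src, dst, rules in cases:
        print(src, "->", dst, "|", walk(src, dst, rules, tunnels))
```

Because the mapped address 172.16.3.71 falls inside the 172.16.3.0/24 the hub tunnel already carries, the existing hub-side crypto ACL needs no new line in this particular case; the walk is the check to run whenever the mapped address does not.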

  • Whenever I do a search on the main page and get results, I click on a link and get diverted; I need to go back and re-click the link and then I usually get to the site I wanted. Is it a problem with my computer, or a problem with Firefox or Google?

    Whenever I do a search and click on a website in the search results, I am redirected to some other web site, usually some ad site.
    I then have to click the back button and click the link again, and it usually takes me to the site that I wanted. Is it a virus problem with my computer, or a problem with Firefox or Google?

    Download, install and update as many of the following as possible until your infections are cleaned.

    1. The free versions of these scanners will detect infections and clean your system; no need to buy.
    2. Different malware scanners detect some malware that other scanners do not.
    3. If you are unable to download malware scanners,
      • change the name of the installer before you save the download to your hard drive, and
      • once installed, go to the program's installation folder and change the name of the program's executable file (e.g. for Malwarebytes Anti-Malware, change mbam.exe to xyz-mb.exe), then update the program and run the scan.
      • You may need to download on a non-infected computer, change the name of the setup program, copy the setup to a CD or USB stick and transfer it to your system for installation.
    4. Some stubborn malware must be deleted in Windows Safe Mode with Networking. Warning: download all the tools first, then disconnect your modem before entering Windows Safe Mode, as your firewall and AV/AS probably do not load in Windows Safe Mode. See:

    If they cannot find or cannot remove the infection(s), post in one of these specialized malware removal forums:

    1. Read and follow their posting rules
    2. Follow the instructions to the letter
    3. Be patient; you are put in a queue and you will get a response when they get to your message

    If this answer solved your problem, please click 'Solved It' next to this response when logged in to the forum.

    Not related to your question, but...

    You may need to update some plug-ins. Check your plug-ins and update if necessary:

  • Money for the "Photography" payment plan has been withdrawn from the account, but the Creative Cloud products were not changed on the site and the site does not show my payment as completed (but the money has been withdrawn). Sorry for my English.

    "Photography" payment plan

    Money was withdrawn from the account, but the Creative Cloud products were not changed on the site, and the site does not show my payment as completed (but the money was withdrawn).

    Sorry for my English.

    Hi Vladislav parfyonov,

    I saw the Adobe ID (email address) you used to post here and can see that you have a Creative Cloud Photography plan registered.

    Please make sure you use the same Adobe ID (email address) that you used to purchase the subscription to sign in to the web site.

    Adobe trial and purchased applications are the same; you can download the application, and once the Creative Cloud app is installed it invites you to sign in. Use the following link: Download Adobe Creative Cloud apps | Adobe Creative Cloud free trial

    Once logged in, go to the Apps tab and install Photoshop CC 2015 and Lightroom CC 2015 from there.

    * NOTE: Please make sure that your computer's firewall or your security software's firewall does not block Adobe. If you are not sure, just turn off the firewall for a while, sign out and sign in again in the Creative Cloud application and check.

    Let us know if that helps.

  • How do I access the software I just paid for? I assigned it to a user. The user signs in and the subscription is not found. The site seems to crash randomly and just sends me in circles. How I can get a refund is my next question.

    [Profanity removed... MOD]

    Hello

    I just checked the details of your team, and the license that you have assigned shows up on the same Adobe ID.

    Please see the help documents below:

    Creative Cloud applications go back into trial mode after an update to CC 2015

    Solutions to sign-in, activation and connection errors with Creative Cloud applications and Creative Suite

    Kind regards

    Sheena

  • I'm trying to upgrade a site in Muse and it keeps telling me that the site was created with a different version of Muse. I have updated Muse and still cannot access the site to make changes.

    Hi rgarden95,

    Can you please confirm the exact version of Muse you are opening the file with?

    To check the version of Muse, please click Help > About Adobe Muse CC.

    Kind regards

    Akshay

  • Hub and spoke VPN network traffic between two spokes

    Hi, I have a hub-and-spoke VPN topology, and all traffic is remote office to data center.

    I have a request to build a tunnel between two remote sites so that some servers can be accessed between the two remote sites.

    Can I just change the interesting-traffic ACL to include, say, Office A to Office B in both the Office A to datacenter tunnel and the Office B to datacenter tunnel?

    By doing so, I can avoid a tunnel between the two offices (A and B).

    Cheers

    Hello

    You can make the traffic between the two spokes go through the hub or build a new tunnel between the spokes.

    If the hub is an ASA you must allow it with same-security-traffic permit intra-interface.

    If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

    Federico.

  • How do I go back and forth between e-mail and other web sites from Windows?

    I lost the ability for my internet, e-mail and other files to be "separate" windows so that I can go back and forth between them several times.

    Alt-Tab

  • Site-to-site tunnel - VPN client access to the site on the other side.

    Hello

    How do I make this work?

    I want to enable the VPN client connections on the Cisco ASA to access the 10.50.50.0 network.

    Network information:

    I have a site-to-site IPsec VPN between a Zywall 5 and a USG 100 (148.148.0.0 and 10.50.50.0). Works great both ways.

    I have the Cisco ASA for VPN clients; clients get a 10.210.210.0/24 address and it works fine for accessing the 148.148.0.0/16 network.
    148.148.0.235 is the main firewall/router for the 148.148.0.0 network.
    I created a static route on 148.148.0.235 saying that to reach the 10.210.210.0 network go to 148.148.0.168.
    I created a static route on 148.148.0.168 saying that to reach the 10.50.50.0 network go to 148.148.0.235 (I can ping 10.50.50.1 from the Cisco box).
    I created a second site-to-site tunnel on the Zywall 5 and USG 100 which tunnels 10.50.50.0 and 10.210.210.0.

    In the split tunneling on the Cisco ASA I have allowed access to the 148.148.0.0/16 network and the 10.50.50.0/24 network.

    When I open the VPN client, connect to the network and try to ping the 10.50.50.0 network I get the following error:

    (Here I am trying to ping 10.50.50.1)

    Sep 11 2011 12:36:09: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.210.210.34 dst inside:10.50.50.1 (type 8, code 0) denied due to NAT reverse path failure

    I have tried different NAT rules, but it does not change a thing.

    Help me, what do I do to make it work?

    Thank you.

    Simon

    Hello

    Add this:

    nat (inside,outside) source static Vejle Vejle destination static obj-10.210.210.0 obj-10.210.210.0

    and let me know if it works

    HTH

    Mohammad.

  • How do I cancel a website that Firefox said was untrusted and that I told it to accept?

    I was trying to sign up for an online account at a local medical lab. It came up as untrusted and asked if I wanted to continue to the website and override the protection. I thought it was strange for a medical laboratory. After accepting the override I realized that I had not entered the web site address correctly. I do not want the wrong site to be allowed on my computer. Please help me un-approve it.

    So when you open your home page, you should have a main toolbar above the page that displays the address of the page on the internet, something like something.xfinity.comcast and a bunch of icons. At the right end of the toolbar, locate the menu button, which has 3 horizontal bars. Alternatively, you can press the ALT key to activate the classic menu bar (File, Edit, View, etc.).

    "3-bar" menu button (or Tools) > Options > Advanced

    In the Advanced section of the Options page, click on the Certificates mini-tab, then click the "View Certificates" button. That should open the Certificate Manager dialog box. Click on the Servers mini-tab and you should be able to find the specific server exception that you added.

    I think I just took more than 100 words to say what cor-el said in 10, but hopefully this gives you enough context to find it.

  • Since upgrading to Firefox 10.0.2 my AVG extension had to be disabled, because pressing Enter after typing any web address in the address bar had no effect and I couldn't go to the site without pressing the reload arrow on the right.

    I've recently updated Firefox to the latest version, 10.0.2. After that I could not enter any website address, press the Enter key and get to the site, nor could I select a web site from the drop-down list of previously visited sites. The only way I could get there was by pressing the arrow to the right of the address box (reload current page). Once I disabled the AVG extension, everything worked normally. As soon as I re-enabled the AVG extension, it stopped working again.

    Known issue. See:

    Try what sc123 suggested in the link above. Send an email to [email protected] with your full license key and let them know. I'm sure it's an AVG issue, not related to Firefox. :)

  • How will I know if my AirPort Extreme has the latest firmware? And (not related) how do I change the password used to connect to my network?

    I think I bought the latest version of the AirPort Extreme. It is the rectangular unit, about 6 to 7 w., etc. I have some basic questions that I do not understand:

    1. How will I know if I have the latest firmware for this device? I read a few posts that make it sound as if it just updates automatically. Is this true?

    2. Can someone tell me how to change the password used to connect to my wireless network?

    Thank you very much!

    Chris

    If a firmware update is available, the AirPort Extreme flashes orange.

    The most up-to-date version of the firmware is 7.7.3.

    You can see what version you currently have as follows on your Mac...

    Open Finder > Applications > Utilities > AirPort Utility

    Click on the picture of the AirPort Extreme

    Look for the Version

    If new firmware were available, you would see an Update button here

    To change the wireless network password...

    Click on Edit in the smaller window you just looked at to check the firmware version

    Click on the Wireless tab at the top of the next window

    Delete / change the wireless password and enter a new password

    Do the same in the Verify field

    Click Update at the bottom right of the window and give the AirPort a full minute to restart

  • Had a virus; now when I click on a site to go to it, a Google page appears and I cannot go to the site unless I click on "cached".

    I had a virus on my computer and now when I click on a site to go to it, a Google page appears and I can't go to the website unless I click on "cached". Help. Please, I beg you.

    * original title - frustrated *

    It looks like you still have parts of the virus/malware (or some of the many friends that came along for the ride), or the damage they did is large enough. If you notice symptoms like this now, there are probably other issues you haven't noticed. What I mean is that you're probably not clean, and even if you are, the damage can be so vast that you should probably do a clean install and restore your stuff from backups.

    What "virus" did you have on your computer and how did you clean it?
