Traffic to the VPN router IOS NAT tunnel

I need to configure a VPN tunnel that NATs traffic above him. I have already established VPN tunnels and NAT traffic. I did this on a concentrator VPN and ASA, but have seen some places where people say is not possible on a router or I saw real hard evidence that it is. For example, I use a Cisco 2801 router with 12.4(8a) and advanced security. This can be quite difficult as the subnet / vlan that we need NAT needs to pass normal traffic on other VPN tunnels and using a NAT on the Internet directly. Y does it have, any restrictions on it as the IOS version, being a router itself, NAT configuration. Any help is greatly appreciated.

Hi James,

NAT VPN traffic, you can like you do with ASAs on IOS routers.

If you do, it is that you create an ACL to set traffic to be coordinated, apply the ACL to a NAT rule and a condition that NAT statement with a roadmap to occur only when the traffic will be sent through the tunnel.

Federico.

Tags: Cisco Security

Similar Questions

Go simple traffic over the VPN tunnel

Hi Pros,

We have a problem with the traffic through the VPN. Specific subnets is not able to reach a specific HOST in the HQ, however, the host in the HQ can reach this subent on the remote database. Interresting to traffic to the vpn are mirrored on the other. Here is the partial config of the remote vpn router.

crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto key mypubkey9 address 210.199x.2xx.xx
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn series
!
tunel_traffic 50 ipsec-isakmp crypto map
the value of 210.199x.2xx.xx peer
Set security-association second life 1440
transform-set vpn - Set
PFS group2 Set
match address remote-int-traffic
!
!
!
!
Null0 interface
no ip unreachable
!
interface FastEthernet0/0
IP 1.1.1.3 255.255.255.248
IP virtual-reassembly
route IP cache flow
Speed 100
full-duplex
No mop enabled
!
interface FastEthernet0/1
IP 10.25.24.2 255.255.255.0
NAT outside IP
inspect the SDM_LOW over IP
IP virtual-reassembly
Speed 100
full-duplex
No mop enabled
tunel_traffic card crypto
!
IP route 0.0.0.0 0.0.0.0 10.25.24.2
IP route 1.0.10.0 255.255.255.0 210.199x.2xx.xx (public IP address of the router vpn HQ)
IP route 4.0.x.0 255.255.255.0 210.199x.2xx.xx
IP route 4.0.15.11 255.255.255.255 210.199x.2xx.xx (cannot reach this hot HQ)
IP route 10.254.0.0 255.255.255.0 210.199x.2xx.xx
IP route 10.254.254.56 255.255.255.255 210.199x.2xx.xx
!

distance-int-traffic extended IP access list
permit ip host 10.254.254.56 10.1x.200.0 0.0.3.255
Licensing ip to 10.1x.200.0 0.0.3.255 host 10.254.254.56
Licensing ip to 10.1x.20.0 0.0.3.255 host 10.254.254.5
permit host ip 4.0.x.11 10.1x.200.0 0.0.3.255
permit ip 10.1x.200.0 0.0.3.255 host 4.0.x.11
!

Thank you

You really set one of the following routes, and it seems wrong that it should really be directed to the jump to next to the router. It should just route through the default route if you have configured listed routes. PLS, delete them if those are all you have configured and left the default route in the configuration.

IP route 1.0.10.0 255.255.255.0 210.199x.2xx.xx (public IP address of the router vpn HQ)

IP route 4.0.x.0 255.255.255.0 210.199x.2xx.xx

IP route 4.0.15.11 255.255.255.255 210.199x.2xx.xx (cannot reach this hot HQ)

IP route 10.254.0.0 255.255.255.0 210.199x.2xx.xx

IP route 10.254.254.56 255.255.255.255 210.199x.2xx.xx

Also, if it works in a way, it is more likely an access-list or a firewall that blocks traffic in one direction.

Tunnel of RV042 V3 that routes all traffic to the VPN

Hi all

I use Cisco Linksys RV-042 with V2 hardware to set up a VPN tunnel that route all traffic to the remote gateway (a Cisco ASA 5510). This configuration works very well, and I can access the local router and other resources to the central site.

I'm doing the same thing with Cisco RV042 with version V3 of the material, but I can't access the local router until the VPN breaks down. I can ' ping, SNMP the local router, or access but I can access the central site. Very strange.

Do you know what can I do to access the router local (for example, hardware V2) with connected VPN?

Thank you

Rafael

Just a hunch, but in the remote network you agree with what the network and subnet?

I've seen this symptom before.

LAN on the RV series.

10.10.2.0 255.255.255.0

Trust remote networks

10.10.1.0 255.255.248.0

It is traffic destined to the router on the 10.10.2.1 ip address is through the tunnel forward. So, for this purpose, you can only access the router LAN interface when the tunnel is out of service. I'm not sure why ping works but it does. I'm looking into this symptom on a different device, but the device has a similar graphical interface.

I would like to know if you have a similar setup.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - security

Split of static traffic between the VPN and NAT

Hi all

We have a VPN from Site to Site that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything - including Internet traffic. However, there is one exception (of course)...

The part that I can't make it work is if traffic comes from the VPN (10.0.0.0/8) of 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic 80 or 443 comes from anywhere else (Internet via X.X.X.X which translates to 10.160.8.5), so there need to be translated réécrirait Internet via Gig2.

I have the following Setup (tried to have just the neccessarry lines)...

interface GigabitEthernet2

address IP Y.Y.Y.Y 255.255.255.0! the X.X.X.X and Y.Y.Y.Y are in the same subnet

address IP X.X.X.X 255.255.255.0 secondary

NAT outside IP

card crypto ipsec-map-S2S

interface GigabitEthernet4.2020

Description 2020

encapsulation dot1Q 2020

IP 10.160.8.1 255.255.255.0

IP nat inside

IP virtual-reassembly

IP nat inside source list interface NAT-output GigabitEthernet2 overload

IP nat inside source static tcp 10.160.8.5 80 80 X.X.X.X map route No. - NAT extensible

IP nat inside source static tcp 10.160.8.5 443 443 X.X.X.X map route No. - NAT extensible

NAT-outgoing extended IP access list

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

permit tcp host 10.160.8.5 all eq www

permit tcp host 10.160.8.5 any eq 443

No. - NAT extended IP access list

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

allow an ip

route No. - NAT allowed 10 map

corresponds to the IP no. - NAT

With the above configuration, we can get to the Internet 10.160.8.5, but cannot cross it over the VPN tunnel (from 10.200.0.0/16). If I remove the two commands «ip nat inside source static...» ', then the opposite that happens - I can get then to 10.160.8.5 it VPN tunnel but I now can't get to it from the Internet.

How can I get both? It seems that when I hit the first NAT instruction (overload Gig2) that 'decline' in the list of ACL-NAT-outgoing punts me out of this statement of NAT. It can process the following statement of NAT (one of the 'ip nat inside source static... ") but does not seem to"deny"it in the NON - NAT ACL me punt out of this statement of NAT. That's my theory anyway (maybe something is happening?)

If this work like that or I understand something correctly? It's on a router Cisco's Cloud Services (CSR 1000v).

Thank you!

Your netmask is bad for your 10.0.0.0/8. I worry not about the port/protocol or since that can screw you up. A better way to do it would be to deny all IP vpn traffic.

NAT-outgoing extended IP access list

deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

...

No. - NAT extended IP access list

deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

allow an ip

Doc:

Router to router IPSec with NAT and Cisco Secure VPN Client overload

Thank you

Brendan

Routing of traffic between two VPN Site-to-Site Tunnels

Hi people,

I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

Thank you very much.

Hello

Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

Site has

access-list NAT0 note NAT0 rule for SiteA SiteC traffic

access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

NAT (inside) 0 access-list NAT0

Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where
- NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB
Site B

access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

NAT (outside) 0-list of access OUTSIDE-NAT0

Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where
- OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.
Site C

access-list NAT0 note NAT0 rule for SiteC SiteA traffic

NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

NAT (inside) 0 access-list NAT0

Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

Where
- NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB
To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

Hope this helps

-Jouni

Impossible to pass traffic through the VPN tunnel

I have an ASA 5505 9.1 running. I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

Here is my config

LN-BLF-ASA5505 > en
Password: *.
ASA5505-BLF-LN # sho run
: Saved
:
: Serial number: JMX1216Z0SM
: Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
:
ASA 5,0000 Version 21
!
LN-BLF-ASA5505 hostname
domain lopeznegrete.com
activate the password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.116.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP 50.201.218.69 255.255.255.224
OSPF cost 10
!
boot system Disk0: / asa915-21 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain lopeznegrete.com
network obj_any object
subnet 0.0.0.0 0.0.0.0
the LNC_Local_TX_Nets object-group network
Description of internal networks Negrete Lopez (Texas)
object-network 192.168.1.0 255.255.255.0
object-network 192.168.2.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
object-network 192.168.4.0 255.255.255.0
object-network 192.168.5.0 255.255.255.0
object-network 192.168.51.0 255.255.255.0
object-network 192.168.55.0 255.255.255.0
object-network 192.168.52.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.56.0 255.255.255.0
object-network 192.168.59.0 255.255.255.0
object-network 10.111.14.0 255.255.255.0
object-network 10.111.19.0 255.255.255.0
the LNC_Blueleaf_Nets object-group network
object-network 192.168.116.0 255.255.255.0
access outside the permitted scope icmp any4 any4 list
extended outdoor access allowed icmp a whole list
outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
outside access-group in external interface
!
router ospf 1
255.255.255.255 network 192.168.116.254 area 0
Journal-adj-changes
default-information originate always
!
Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.2.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 50.201.218.93
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
no use of validation
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
crypto isakmp identity address
Crypto isakmp nat-traversal 1500
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management-access inside

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
username
username
tunnel-group 50.201.218.93 type ipsec-l2l
IPSec-attributes tunnel-group 50.201.218.93
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home service
anonymous reporting remote call
call-home
contact-email-addr [email protected] / * /
Profile of CiscoTAC-1
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e519f212867755f697101394f40d9ed7
: end
LN-BLF-ASA5505 #.

Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:
```
 packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail
```
(simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

Problem passing traffic through the VPN tunnel

With well over 150 VPN lan-to-lan tunnels configured, I can usually get tunnels upward. However, this one is stumping me, unless the ISP is to give false information. Using a router Cisco 871 on-site a Cisco 3005 concentrator in my data center, I have set up my tunnel. The tunnel will go up but won't traffic. I am sure that the configurations on both devices are correct because I use a lot of "cut-and - paste." So, the only question seems to be the modem/router provided by your ISP. Usually, when this happens, the problem is with NAT enabled on their equipment. According to them, that it is not enabled on their NAT router. Where can else I check? Any ideas?

Check access lists and a static route

Try these links: >

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1e4.html#wp999593

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml

No traffic through the VPN tunnel but at the same time

Hey everybody,

Good enough at the end of my VPN configuration but I have a question. The VPN connection is established and the remote computer can set up a VPN with my router (phases 1 and 2 are ok) but I can't ping all devices on both sides. I think it might be something about the acl. I created an acl that I linked with my group of vpn, what should I do something with the card?

Here is the configuration of the router

AAA new-model

!

!

local AuthentVPN AAA authentication login

local AuthorizVPN AAA authorization network

!

AAA - the id of the joint session

clock timezone GMT 1 0

clock summer-time recurring GMT

!

IP cef

!

DHCP excluded-address IP 192.168.0.1 192.168.0.99

!

Authenticated MultiLink bundle-name Panel

!

VPDN enable

!

VPDN-group MyGroup

!

!

model virtual Network1

!

username admin privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

!

redundancy

!

crypto ISAKMP policy 1

BA aes 256

preshared authentication

Group 2

life 3600

!

ISAKMP crypto client configuration group myVPN

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx key

DNS 192.168.0.254

pool IPPoolVPN

ACL 100

!

!

Crypto ipsec transform-set esp - aes esp-sha-hmac T1

tunnel mode

!

!

!

crypto dynamic-map 10 DynMap

game of transformation-T1

market arriere-route

!

!

list of authentication of crypto client myMap AuthentVPN map

card crypto myMap AuthorizVPN isakmp authorization list

client configuration address map myMap crypto answer

card crypto myMap 100-isakmp dynamic ipsec DynMap

!

the Embedded-Service-Engine0/0 interface

no ip address

Shutdown

!

interface GigabitEthernet0/0

no ip address

automatic duplex

automatic speed

PPPoE enable global group

PPPoE-client dial-pool-number 1

No mop enabled

!

interface GigabitEthernet0/1

LAN description

no ip address

automatic duplex

automatic speed

No mop enabled

!

interface GigabitEthernet0/1.1

LAN description

encapsulation dot1Q 1 native

IP 192.168.0.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

IP tcp adjust-mss 1452

!

interface Dialer1

MTU 1492

the negotiated IP address

IP access-group RESTRICT_ENTRY_INTERNET in

NAT outside IP

IP virtual-reassembly in

encapsulation ppp

Dialer pool 1

Dialer-Group 1

PPP authentication pap callin

PPP chap hostname xxxx

PPP chap password 0 xxxx

PPP pap sent-name of user password xxxxx xxxx 0

crypto myMap map

!

IP pool local IPPoolVPN 192.168.10.0 192.168.10.100

IP forward-Protocol ND

!

IP http server

23 class IP http access

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

!

The dns server IP

IP dns primary GVA. SOA INTRA NS. GUAM INTRA [email protected] / * / 21600 900 7776000 86400

IP nat inside source list 10 interface Dialer1 overload

overload of IP nat inside source list 11 interface Dialer1

overload of IP nat inside source list 20 interface Dialer1

overload of IP nat inside source list 30 interface Dialer1

overload of IP nat inside source list 110 interface Dialer1

IP route 0.0.0.0 0.0.0.0 Dialer1

Route IP 192.168.0.0 255.255.255.0 GigabitEthernet0/1.1

IP route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.2

!

RESTRICT_ENTRY_INTERNET extended IP access list

TCP refuse any any eq telnet

TCP refuse any any eq 22

TCP refuse any any eq www

TCP refuse any any eq 443

TCP refuse any any eq field

allow udp any any eq 50

allow an ip

!

Dialer-list 1 ip protocol allow

!

!

SNMP - server RO G community

public RO SNMP-server community

entity-sensor threshold traps SNMP-server enable

access-list 10 permit 192.168.0.0 0.0.0.255

access-list 11 permit 192.168.1.0 0.0.0.255

access-list 20 allow 192.168.2.0 0.0.0.255

access-list 30 allow 192.168.3.0 0.0.0.255

access-list 100 permit ip 0.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access ip-list 110 permit a whole

I don't know if it useful, but here is the view the crypto ipsec command his:

Interface: Dialer1

Tag crypto map: myMap, local addr 213.3.1.13

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.10.12/255.255.255.255/0/0)

current_peer 109.164.161.35 port 49170

LICENCE, flags is {}

#pkts program: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

local crypto endpt. : 213.3.1.13, remote Start crypto. : 109.164.161.35

Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1

current outbound SPI: 0x54631F8B (1415782283)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

SPI: 0x8C432353 (2353210195)

transform: aes - esp esp-sha-hmac.

running parameters = {Tunnel UDP-program}

Conn ID: 2033, flow_id: VPN:33 on board, sibling_flags 80000040, crypto card: myMap

calendar of his: service life remaining (k/s) key: (4212355/1423)

Size IV: 16 bytes

support for replay detection: Y

Status: ACTIVE (ACTIVE)

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

SPI: 0x54631F8B (1415782283)

transform: aes - esp esp-sha-hmac.

running parameters = {Tunnel UDP-program}

Conn ID: 2034, flow_id: VPN:34 on board, sibling_flags 80000040, crypto card: myMap

calendar of his: service life remaining (k/s) key: (4212354/1423)

Size IV: 16 bytes

support for replay detection: Y

Status: ACTIVE (ACTIVE)

outgoing ah sas:

outgoing CFP sas:

And on the side of the customer, when I go to the status of--> statistics, all packages have been circumvented, nobody is encrypted

Thanks for your help!

Sylvain,

Let me explain again:

IP nat inside source list 10 interface Dialer1 overload

overload of IP nat inside source list 110 interface Dialer1

Here you are from two ACL, but they are the same with the difference, that NAT 10 110 also but WITHOUT user VPN and everything inside. Problem is that 10 matches first, if the connection will not work. You can disable entry NAT with 10 110 because that will also:

no nat ip inside the source list 10 interface Dialer1 overload

That should be enough.

Michael

Please note all useful posts

Send all traffic through the vpn tunnel

Does anyone know how to send all traffic through the tunnel vpn on both sides? I have a server EZVpn on one side and one EZVpn client on the other. I'm not natting on each side. I use the value default 'tunnelall' for the attributes of group policy. On the client side all traffic, even if not intended for the subnet of the side server, seems to pass through the tunnel. But if I ping the side server, the same rules don't seem to apply. Traffic destined for rates aside customer through the tunnel, but the traffic that is not pumped on the external interface in the clear. That's not cool.

Hello

Clinet traffic to server through tunnel, that's right, right?

Traffic from server to client through tunnel, but the rest of the traffic is not, no?

This works as expected because in ezvpn, politics of "tunnel all ' is for traffic is coming from the client., do not leave the server.

Side server, customer traffic will pass through tunnel, the rest used.

Sian

the traffic in a vpn site-to-site tunnel restrictions

Hello

I have install a VPN site-to site between an ASA 5550 7.2 (3) and the external network of the contractor. I have set up the VPN using the wizard and it worked fine. The wizard has created the cryptomap acl see below

outside_2_cryptomap list extended access allowed object-group ip 10.0.0.0 LOCAL_IPS 255.255.255.0

where LOCAL_IPS is a group of objects containing our local subnets to be dug and 10.0.0.0/24 is the network of the remote end.

I'm trying to restrict the traffic tunnel at about 6 tcp ports, so I changed the acl (using the GUI as well from the CLI) to the following:-

outside_2_cryptomap list extended access permitted tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 PERMITTED_TRAFFIC object-group

where PERMITTED_TRAFFIC is a group of TCP services containing the ports we'd like to tunnel.

As soon as I apply this acl (applied at the other end also) the tunnel down and or end it can re - open.

My question is - how do you restrict what traffic (tcp ports) that you want to send in the tunnel on the SAA?

Thank you

Andy

You have 2 options.

VPN-filter

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Or something like that...

No sysopt permi-vpn connection

list of access vpn extended permitted tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 PERMITTED_TRAFFIC object-group

list of vpn access deny ip 10.0.0.0 LOCAL_IPS object-group 255.255.255.0

extended vpn allowed any one ip access list

group-access vpn in interface inside

How to send all traffic through the VPN, RV082 material v3

Hello

I found this guide to send all traffic to RV042 branch to the RV082 of central office:

https://supportforums.Cisco.com/servlet/JiveServlet/downloadBody/10261-102-1-22927/Small_Business_router_tunnel_Branch_to_Main.doc

But this guide is for the material of v2. I tried and did not work, so I wonder if there are new modules for hardware v3 (firmware v4.2)

I have a RV042 brach office connected through the VPN Tunnel work to a central office RV082. I want to route all traffic

Office of brach in the RV082 from the central office.

Thank you very much

Oliver

Hi Oliver, this is called esp wildcard forwarding (full tunnel).

Here are a few useful topics

https://supportforums.Cisco.com/message/3766661

https://supportforums.Cisco.com/message/3816181

-Tom
Please mark replied messages useful

L L VPN routing via alternative tunnel... mesh?

Hi all

We have a L - L IPSEC tunnel between our head office and a hosting company, everything works fine, solid as a rock. But we now have a requirement for one of our branches to also run a tunnel to the host, but for cost and control reasons, it was decided that the office will be forwarded via the head office...

We also have an IPSEC tunnel running between the head and branch if all we need to the whole running is to get the branch to move towards the hosting via the headquarters company and have been performed.

It would be like a mesh full, but with one of the deleted links (branch of accommodation), or a hybrid any? BTW both Headquarters and branch run Cisco ASA5550 and 5515 respectively and we have full control over these devices, the hosting company, I'm not sure but maybe an ASA...

Links to documentation or advice would be greatly appreciated...

Hello

Well I don't know how you have configured NAT configuration for traffic between the branch and accommodation.

It appears from the foregoing that you add is the real network of agencies for headquarters accommodation L2L VPN? If this is true, then need you a NAT configuration in the seat which is between "outside" and "outside". In other words a NAT0 configuration for the "outside" interface. (My suggesting original was to PAT dynamic for the branch if you want to avoid changes of configuration on the hosting Site)

It would probably be something first of all, I would like to check.

If it is fine, then I would check the VPN counters

That both of the L2L VPN connections

Show crypto ipsec peer his

This should show you if the L2L VPN has negotiated for networks of branch and hosting on both connections from VPN L2L. It could also tell you if the packets are flowing in both directions.

If the problem is outside your network then headquarters you would see probably décapsulés/decrypted only packets for VPN L2L headquarters - L2L BOVPN and only encapsulated/encrypted packets for the headquarters - hosting Site

-Jouni

Client VPN router IOS does not connect

Hi all

I'm having some trouble of Client VPN connection over the internet to our Cisco IOS router. Some help would be very appreciated!

On the VPN client log I get the following error messages:

---------------------------

...

573 16:32:13.164 21/12/05 Sev = WARNING/2 IKE/0xE3000099

Size invalid SPI (PayloadNotify:116)

574 16:32:13.164 21/12/05 Sev = Info/4 IKE/0xE30000A4

Invalid payload: said length of payload, 568, not enough Notification:(PayloadList:149)

575 16:32:13.164 21/12/05 Sev = WARNING/3 IKE/0xA3000058

Received incorrect message or negotiation is no longer active (message id: 0x00000000)

---------------------------

We get debugging on the router that I'm trying to connect:

---------------------------

router #debug isakmp crypto

...

21 Dec 16:32:16.089 AEDT: ISAKMP (0:0): received 203.153.196.1 packet dport 500 sport 500 SA NEW Global (N)

21 Dec 16:32:16.089 AEDT: ISAKMP: created a struct peer 203.153.196.1, peer port 500

21 Dec 16:32:16.089 AEDT: ISAKMP: new created position = 0x678939E0 peer_handle = 0 x 80000031

21 Dec 16:32:16.089 AEDT: ISAKMP: lock struct 0x678939E0, refcount IKE peer 1 for crypto_isakmp_process_block

21 Dec 16:32:16.089 AEDT: ISAKMP: 500 local port, remote port 500

21 Dec 16:32:16.089 AEDT: insert his with his 67B0AB34 = success

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): treatment ITS payload. Message ID = 0

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): payload ID for treatment. Message ID = 0

21 Dec 16:32:16.089 AEDT: ISAKMP (0:0): payload ID

next payload: 13

type: 11

ID of the Group: eggs

Protocol: 17

Port: 500

Length: 12

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): peer games * no * profiles

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 215

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is XAUTH

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is DPD

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 194

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 123

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is NAT - T v2

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is the unit

21 Dec 16:32:16.089 AEDT: ISAKMP: analysis of the profiles for xauth...

.....

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): atts are not acceptable. Next payload is 3

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): audit ISAKMP transform 12 against the policy of priority 3

21 Dec 16:32:16.093 AEDT: ISAKMP: 3DES-CBC encryption

21 Dec 16:32:16.093 AEDT: ISAKMP: MD5 hash

21 Dec 16:32:16.093 AEDT: ISAKMP: group by default 2

21 Dec 16:32:16.093 AEDT: ISAKMP: pre-shared key auth

21 Dec 16:32:16.093 AEDT: ISAKMP: type of life in seconds

21 Dec 16:32:16.093 AEDT: ISAKMP: life (IPV) 0x0 0 x 20 0xC4 0x9B

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): pre-shared authentication offered but does not match policy.

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): atts are not acceptable. Next payload is 3

---------------------------

You can apply the encryption the WAN interface card and check?

VPN connection OK but not soumana ping on the ROUTER before the VPN ROUTER

Hello

In my test harness, that I am able to connect my CISCO ROUTER with VPN CLIENT and I can ping it also, but when I try to ping something thing on the other router, don't worry, I may be an isue ACL?

Any help is welcome

Here below the script and configuration:

PC (VPN CLIENT)-> C2691 (IPSec VPN)-> C1841(IP 192.168.10.1)

Router ipsec crypto #sh her

Interface: FastEthernet0/0
Tag crypto map: clientmap, local addr 172.18.124.1

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
Remote ident (addr, mask, prot, port): (14.1.1.106/255.255.255.255/0/0)
current_peer 172.18.124.2 port 500
LICENCE, flags is {}
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 59, #pkts decrypt: 59, #pkts check: 59
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 172.18.124.1, remote Start crypto. : 172.18.124.2
Path mtu 1500, ip mtu 1500
current outbound SPI: 0xE9640C2B (3915648043)

SAS of the esp on arrival:
SPI: 0xE23C352 (237224786)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2002, flow_id: SW:2, crypto card: clientmap
calendar of his: service life remaining (k/s) key: (4462659/3582)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xE9640C2B (3915648043)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: SW:3, crypto card: clientmap
calendar of his: service life remaining (k/s) key: (4462669/3579)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:
Router #.

Router #sh card crypto
"Clientmap" ipsec-isakmp crypto map 10
Dynamic map template tag: dynmap

"Clientmap" 65536 ipsec-isakmp crypto map
Peer = 172.18.124.2
Extended IP access list
ip access list allow any host 14.1.1.106
dynamic (created from dynamic dynmap/10 map)
Current counterpart: 172.18.124.2
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
RIGHT,
}
Interfaces using map clientmap crypto:
FastEthernet0/0

Router #.

Router #sh arp
Protocol of age (min) address Addr Type Interface equipment
Internet 192.168.10.1 37 ARPA FastEthernet0/1 0024.c4eb.6600
Internet 192.168.10.20 6 0024.2b4d.0c5a ARPA FastEthernet0/1
Internet 192.168.10.200 36 0025.9c39.57e2 ARPA FastEthernet0/1
Internet 172.18.124.2 1 0022.4135.3f5e ARPA FastEthernet0/0
Internet 172.18.124.1 - 0013.191f.ac00 ARPA FastEthernet0/0
Internet 192.168.10.166 - 0013.191f.ac01 ARPA FastEthernet0/1
Router #.

Current configuration: 2320 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
boot-start-marker
boot system flash: c2691-adventerprisek9 - mz.124 - 5a .bin
boot-end-marker
!
!
AAA new-model
!
!
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
AAA - the id of the joint session
!
resources policy
!
IP cef
!
!
No dhcp use connected vrf ip
DHCP excluded-address IP 172.18.124.1
!
dhcp VPN IP pool
import all
network 172.18.124.0 255.255.255.0
router by default - 172.18.124.1
lease 5
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
Fax fax-mail interface type
0 username cisco password Cisco
!
!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group 3000client
key cisco123
DNS 8.8.8.8
domain cisco.com
pool ippool
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
!
!
!
interface FastEthernet0/0
IP 172.18.124.1 255.255.255.0
automatic speed
Half duplex
clientmap card crypto
!
interface Serial0/0
no ip address
Shutdown
!
interface FastEthernet0/1
IP 192.168.10.166 255.255.255.0
automatic speed
Half duplex
!
interface Serial1/0
no ip address
Shutdown
series 0 restart delay
No terminal-dce-enable-calendar
!
interface Serial1/1
no ip address
Shutdown
series 0 restart delay
No terminal-dce-enable-calendar
!
interface Serial1/2
no ip address
Shutdown
series 0 restart delay
No terminal-dce-enable-calendar
!
interface Serial1/3
no ip address
Shutdown
series 0 restart delay
No terminal-dce-enable-calendar
!
IP local pool ippool 14.1.1.100 14.1.1.200
IP route 0.0.0.0 0.0.0.0 192.168.10.1
!
!
IP http server
no ip http secure server
!
TEST extended IP access list
allow an ip
TEST2 extended IP access list
allow an ip
!
!
!
!
!
control plan
!
!
!
!
!
!
Dial-peer cor custom
!
!
!
!
!
!
Line con 0
transportation out all
Speed 115200
line to 0
transportation out all
line vty 0 4
transport of entry all
transportation out all
!
!
end

Hello

You have this Setup:

PC (VPN CLIENT)-> C2691 (IPSec VPN)-> C1841(IP 192.168.10.1)

When it is connected with the VPN client, can you PING the LAN IP of the C2961?

This communication should go through the tunnel and you should see encrypted packets on the "sh cry ips its"

In order to do a PING of the C1841, the C1841 needs a route back to the C2961 when the traffic is for VPN client (assuming that there is not a default gateway in place).

Federico.

Client VPN router IOS, and site to site vpn

Hello

Im trying to configure a vpn client access to an ios router that already has a vpn site-to site running. I don't see how the two can run on the same router.

So I guess my question is is it possible? and if anyone has therefore had a config that they can share or a useful link.

IM using a router 800 series with 12.4 ios

Thank you very much

Colin
```
ReadersUK wrote:
Hi
Im trying to configure access for a vpn client to a ios router that already has a site to site vpn running. I cant see how both can be running on the same router.
So i guess my question is can this be done? and if so has anyone got a config they can share or a useful link.
im using a 800 series router with 12.4 ios
Many thanks
Colin
```
Colin

It can be done. Look at this config example that shows a router configured with a site to site VPN and client vpn - connection

https://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094685.shtml

Jon

Traffic to the VPN router IOS NAT tunnel

Similar Questions

Maybe you are looking for