Tunnel of sIte establishing btn two routers cisco 1721

Hello

I need to establish IPSec site to site tunnel between cisco 1721 (version supports for IPSec). U can help me to set up the basic configuration.

The network diagram is standard. The objective of the implementation is to establsih a communication between two end counterparts.

IE LAN---> router---> Internet--->---> LAN router

Thanks in advance

Concerning

RAMU

Of course, here is an example configuration for VPN Site to Site tunnel between 2 IOS routers:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml

Hope that helps.

Tags: Cisco Security

Similar Questions

  • Public static IPsec tunnel between two routers cisco [VRF aware]

    Hi all

    I am trying to configure static IPsec tunnel between two routers. Router R1 has [no VRF] only global routing table.

    Router R2 has two routing tables:

    * vrf INET - used for internet connectivity

    * global routing table - used for VPN connections

    Here are the basic configs:

    R1

    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    ISAKMP crypto key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
    invalid-spi-recovery crypto ISAKMP
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
    transport mode
    !
    Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
    game of transformation-TRSET_AES-256_SHA
    !
    interface Loopback0
    10.0.1.1 IP address 255.255.255.255
    IP ospf 1 zone 0
    !
    interface Tunnel0
    IP 192.168.255.34 255.255.255.252
    IP ospf 1 zone 0
    source of tunnel FastEthernet0/0
    tunnel destination 203.0.0.3
    ipv4 ipsec tunnel mode
    Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
    !
    interface FastEthernet0/0
    IP 102.0.0.1 255.255.255.0

    !

    IP route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

    #######################################################

    R2

    IP vrf INET
    RD 1:1
    !
    Keyring cryptographic test vrf INET
    address of pre-shared-key 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
    !
    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    invalid-spi-recovery crypto ISAKMP
    crypto isakmp profile test
    door-key test
    function identity address 102.0.0.1 255.255.255.255
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
    transport mode
    !
    Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
    game of transformation-TRSET_AES-256_SHA
    Test Set isakmp-profile
    !
    interface Loopback0
    IP 10.0.2.2 255.255.255.255
    IP ospf 1 zone 0
    !
    interface Tunnel0
    IP 192.168.255.33 255.255.255.252
    IP ospf 1 zone 0
    source of tunnel FastEthernet0/0
    tunnel destination 102.0.0.1
    ipv4 ipsec tunnel mode
    tunnel vrf INET
    Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
    !
    interface FastEthernet0/0
    IP vrf forwarding INET
    IP 203.0.0.3 255.255.255.0

    !

    IP route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    #######################################################

    There is a router between R1 and R2, it is used only for connectivity:

    interface FastEthernet0/0
    IP 102.0.0.2 255.255.255.0
    !
    interface FastEthernet0/1
    IP 203.0.0.2 255.255.255.0

    The problem that the tunnel is not coming, I can't pass through phase I.

    The IPsec VPN are not my strength. So if someone could show me what mistake I make, I'd appreciate it really.

    I joined ouptup #debug R2 crypto isakmp

    Source and destination Tunnel0 is belong to VRF INET, the static route need to be updated.

    IP route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    crypto isakmp profile test

    VRF INET

    door-key test
    function identity address 102.0.0.1 255.255.255.255

  • Question about encryption for a VPN established between two of our sites

    We have two routers Cisco 2951, one at our main location and one at a branch.  An engineer for a local company came and worked all the parameters, including the VPN between the two men.

    For an upcoming exam, the firm wanted to know what kind of security/encryption has been implemented between the two routers.  The engineer is no longer available, so I've went over our configuration files for each of the routers and will have questions about what to tell them (I'll be the first to admit that some of this stuff is over my head).

    I enclose the portions of the configs with "crypto" information he put in place.  If you see something wrong, or need something extra, let me know.

    Thanks in advance!

    That's what you use:

    Phase 1: 3DES, SHA1, PSK, Group2 DH (1024 bits), life time 86400 s

    Phase2: 3DES, SHA1

    Which is today considered legacy crypto, but probably nothing to worry. The crypto-config has always considered that there is "room for improvement"...

  • Tunnel VPN site to Site with 2 routers Cisco 1921

    Hi all

    So OK, I'm stumped. I create much s2s vpn tunnels before, but this one I just can't go there. It's just a tunnel VPN Site to Site simple using pre-shared keys. I would appreciate it if someone could take a look at our configs for both routers running and provide a comment. This is the configuration for both routers running. Thank you!

    Router 1

    =======

    Current configuration: 4009 bytes

    !

    ! Last configuration change at 19:01:31 UTC Wednesday, February 22, 2012 by asiuser

    !

    version 15.0

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    no password encryption service

    !

    SJWHS-RTRSJ host name

    !

    boot-start-marker

    boot-end-marker

    !

    !

    No aaa new-model

    !

    !

    !

    !

    No ipv6 cef

    IP source-route

    IP cef

    !

    !

    DHCP excluded-address 192.168.200.1 IP 192.168.200.110

    DHCP excluded-address IP 192.168.200.200 192.168.200.255

    !

    IP dhcp POOL SJWHS pool

    network 192.168.200.0 255.255.255.0

    default router 192.168.200.1

    10.10.2.1 DNS server 10.10.2.2

    !

    !

    no ip domain search

    IP-name 10.10.2.1 Server

    IP-name 10.10.2.2 Server

    !

    Authenticated MultiLink bundle-name Panel

    !

    !

    Crypto pki trustpoint TP-self-signed-236038042

    enrollment selfsigned

    name of the object cn = IOS - Self - signed - certificate - 236038042

    revocation checking no

    rsakeypair TP-self-signed-236038042

    !

    !

    TP-self-signed-236038042 crypto pki certificate chain

    certificate self-signed 01

    30820241 308201AA A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

    8B1E638A EC

    quit smoking

    license udi pid xxxxxxxxxx sn CISCO1921/K9

    !

    !

    !

    redundancy

    !

    !

    !

    !

    crypto ISAKMP policy 10

    md5 hash

    preshared authentication

    ISAKMP crypto key presharedkey address 112.221.44.18

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

    !

    map CryptoMap1 10 ipsec-isakmp crypto

    defined by peer 112.221.44.18

    game of transformation-IPSecTransformSet1

    match address 100

    !

    !

    !

    !

    !

    interface GigabitEthernet0/0

    192.168.200.1 IP address 255.255.255.0

    automatic duplex

    automatic speed

    !

    !

    interface GigabitEthernet0/1

    Description wireless bridge

    IP 172.17.1.2 255.255.255.0

    automatic duplex

    automatic speed

    !

    !

    interface FastEthernet0/0/0

    Verizon DSL description for failover of VPN

    IP 171.108.63.159 255.255.255.0

    automatic duplex

    automatic speed

    card crypto CryptoMap1

    !

    !

    !

    Router eigrp 88

    network 172.17.1.0 0.0.0.255

    network 192.168.200.0

    redistribute static

    passive-interface GigabitEthernet0/0

    passive-interface FastEthernet0/0/0

    !

    IP forward-Protocol ND

    !

    no ip address of the http server

    local IP http authentication

    IP http secure server

    !

    IP route 0.0.0.0 0.0.0.0 172.17.1.1

    IP route 112.221.44.18 255.255.255.255 171.108.63.1

    !

    access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255

    !

    !

    !

    !

    !

    !

    control plan

    !

    !

    !

    Line con 0

    Synchronous recording

    local connection

    line to 0

    line vty 0 4

    exec-timeout 30 0

    Synchronous recording

    local connection

    transport input telnet ssh

    !

    Scheduler allocate 20000 1000

    end

    =======

    Router 2

    =======

    Current configuration: 3719 bytes

    !

    ! Last configuration change at 18:52:54 UTC Wednesday, February 22, 2012 by asiuser

    !

    version 15.0

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    no password encryption service

    !

    SJWHS-RTRHQ host name

    !

    boot-start-marker

    boot-end-marker

    !

    logging buffered 1000000

    !

    No aaa new-model

    !

    !

    !

    !

    No ipv6 cef

    IP source-route

    IP cef

    !

    !

    !

    !

    no ip domain search

    !

    Authenticated MultiLink bundle-name Panel

    !

    !

    Crypto pki trustpoint TP-self-signed-3490164941

    enrollment selfsigned

    name of the object cn = IOS - Self - signed - certificate - 3490164941

    revocation checking no

    rsakeypair TP-self-signed-3490164941

    !

    !

    TP-self-signed-3490164941 crypto pki certificate chain

    certificate self-signed 01

    30820243 308201AC A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

    EA1455E2 F061AA

    quit smoking

    license udi pid xxxxxxxxxx sn CISCO1921/K9

    !

    !

    !

    redundancy

    !

    !

    !

    !

    crypto ISAKMP policy 10

    md5 hash

    preshared authentication

    ISAKMP crypto key presharedkey address 171.108.63.159

    !

    86400 seconds, duration of life crypto ipsec security association

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

    !

    map CryptoMap1 10 ipsec-isakmp crypto

    defined by peer 171.108.63.159

    game of transformation-IPSecTransformSet1

    match address 100

    !

    !

    !

    !

    !

    interface GigabitEthernet0/0

    no ip address

    automatic duplex

    automatic speed

    !

    !

    interface GigabitEthernet0/0.1

    encapsulation dot1Q 1 native

    IP 10.10.1.6 255.255.0.0

    !

    interface GigabitEthernet0/1

    IP 172.17.1.1 255.255.255.0

    automatic duplex

    automatic speed

    !

    !

    interface FastEthernet0/0/0

    IP 112.221.44.18 255.255.255.248

    automatic duplex

    automatic speed

    card crypto CryptoMap1

    !

    !

    !

    Router eigrp 88

    Network 10.10.0.0 0.0.255.255

    network 172.17.1.0 0.0.0.255

    redistribute static

    passive-interface GigabitEthernet0/0

    passive-interface GigabitEthernet0/0.1

    !

    IP forward-Protocol ND

    !

    no ip address of the http server

    local IP http authentication

    IP http secure server

    !

    IP route 0.0.0.0 0.0.0.0 112.221.44.17

    !

    access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255

    !

    !

    !

    !

    !

    !

    control plan

    !

    !

    !

    Line con 0

    Synchronous recording

    local connection

    line to 0

    line vty 0 4

    exec-timeout 30 0

    Synchronous recording

    local connection

    transport input telnet ssh

    !

    Scheduler allocate 20000 1000

    end

    When the GRE tunnel carries your traffic to private ip range, your ACL must contain address of the host of point to point the IPSec tunnel.

    Since then, both routers are running EIGRP in the corporate network, let the EIGRP Exchange routes via GRE tunnel, which is a good practice, rather than push the ip ranges private individual through the IPSec tunnel.

    Let me know, if that's what you want.

    Thank you

  • ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

    Hi all experts

    We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

    I got error syslog 713902 and 713903, how to fix?

    I got the following, when I type "sh crypto isakmp his."

    Type: user role: initiator

    Generate a new key: no State: MM_WAIT_MSG2

    Hugo

    Hello

    This State is reached when the policies of the phase 1 do not correspond to the two ends.

    Please confirm that you have the same settings of phase 1 on both sides with the following commands:

    See the isakmp crypto race

    See the race ikev1 crypto

    Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a route suitable for the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • How to install the VPN Client and the tunnel from site to site on Cisco 831

    How can I configure a Cisco 831 router (Branch Office) so that it will accept incoming VPN Client connections and initiate tunneling IPSec site to site on our hub site that uses a VPN 3005 concentrator?  I could get the tunnel to work by configuring it in a dynamic encryption card, but interesting traffic side Cisco 831 would not bring the tunnel upward.  I could only put on the side of the hub.  If I use a static encryption card and apply it to the external interface of the 831 I can get this working but then I couldn't get the VPN Client to work.

    Thank you.

    The dynamic map is called clientmap
    The static map is called mymap

    You should have:

    no card crypto not outmap 10-isakmp ipsec dynamic dynmap
    map mymap 10-isakmp ipsec crypto dynamic clientmap

    interface Ethernet1
    crypto mymap map

    Federico.

  • No Ping response from Site to Site connection between 876 of Cisco and CheckPoint Firewall

    Hello!

    We try to create a Site-to-Site - connection IPSec between a Cisco 876 (local site) and a control-firewall station (remote site). Cisco 876 is not directly connected to the internet, but it is behind a router ADSL with port-forwarding, redirection of ports 500 and 4500. The configuration of the Cisco 876 running is attached to this thread. Unfortunately, I get no results when debugging the connection with the command "debug crypto isakmp" and "debug crypto ipsec".

    From the point of view of Checkpoint firewall the connection seems to be implemented, but there is no response from ping.

    The server in the local site to be achieved since the network behind the firewall Checkpoint has a routing entry "PEI route add [inside the ip-net Remote] 255.255.255.0 [inside the premises of intellectual property]" (see also annex current config name ip addresses).

    Establishing a VPN Cisco Client connection to the same router Cisco 876 works very well.

    Any help would be much appreciated!

    Jakob J. Blaette

    Hi Jakob,

    Add my two cents here.

    You should always verify that the following ports and Protocol are open:

    1 - UDP port 500--> ISAKMP

    2 - UDP port 4500--> NAT - T

    3-protocol 50---> ESP

    A LAN-to-LAN tunnel will never establish a TCP session, but it could use NAT - T (if behind a NAT). Remember that a single translation isn't a port forwarding, a LAN-to-LAN tunnel is not good unless you have a one-to-one translation of the NATted device, which I think, in your case the router is working.

    HTH.

    Portu.

    Please note all useful messages and mark this message as a response.

  • VPN between 2 routers Cisco 1841 (LAN to LAN)

    Hello

    I need to connect two offices (two different LAN) using routers cisco 1841 at both ends.

    Currently the two cisco router are in working condition and refer the internet LAN clients. (making the NAT).

    Can someone please tell us what is the easiest way to set up a VPN between two sites, so that LAN users to an office to access mail servers electronic/request to the office LAN.

    I understand that I need IPSec Site to Site VPN (I think).

    Anyonce can you please advise.

    Kind regards.

    s.nasheet wrote:
    

    Hi ,
    

    I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.
    

    Currently both cisco router are in working order and  acting as a internet gateway to the LAN clients. ( doing NAT).
    

    Can anybody please advise what is the easiest method to configure VPN between two sites so that  LAN users at one office be able to access  the  email/application servers at the other LAN office.
    

    I understand I need IPSec Site to Site VPN  ( i think).
    

    Can anyonce please advise.
    

    Regards.

    Yes, you need a VPN site-to site. Start with this link which gives a number of examples to set up a VPN S2S between 2 routers Cisco.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16

    Jon

  • VoIP QoS for Tunnel from Site to Site

    Hi all

    I need help to configure QoS for VoIP between two Cisco ASA 5505 with VPN Site to Site.

    There is no need for bandwidth reservation, only 46 (EF) DSCP should be higher and DSCP 26 second queue higher and rules apply only to a site to site VPN.

    Usually, I try to configure the ASAs via ASDM and discovered in the documentation Cisco how configure QoS DSCP bits with a Service policy and how to configure QoS for a VPN from Site to Site (rule Service-> Match traffic strategy). But how to configure QoS for a bit DSCP applies to Tunnel from Site to Site? And how configure different priorities for both DSCP bits, this is defined by the order of political Service?

    The quality of service must be activated on the two ASAs to inside interface?

    Thanks in advance

    Tobias

    Like most-

    class-map voice_traffic
    match dscp ef
    match dscp 26

  • Difficult to complete phase 1 of the tunnel from site to site.

    I have a 1921 Cisco (config) and between an ASA 5505 (config) that I am trying to establish a tunnel from site to site.

    I think I should be able to see the tunnel when I type isakmp crypto to show its, but it is not at all.

    Cisco 1921 outside intellectual property:
    ASA 5505 outside intellectual property:

    I tried to ping from the inside network to the ASA, inside network on 1921. It is not bring up the tunnel.

    How is the tunnel is not complete the phase 1?

    Can you please send the information about the configuration?  Crypto maps, ACL, etc.

  • Problem setting up Port Forwarding with two routers.

    I can't set up by Linksys RT31P2 and routers port forwarding WRT160Nv3.

    My setup is Webstar Modem = RT31P2 = WRT160N = Mac OS 10.6.5. (No configurable modem and ISP do not prevent port forwarding. It comes with two Linksys routers).

    I had a Monty Python-going around with the support of Cisco cat; and follow up with telephone assistance in which the agent knew nothing about port forwarding and his supervisor expressed the view that it was not possible with two routers. Sigh.

    If anyone can help me with step by step specific and simple instructions to configure routers. I know that the basic procedures. I'm not clear, what exactly changes on routers.

    I read that portforward.com has to say and it does not work so I must be misunderstanding something.

    The ip address of my computer is 192.168.1.103.  Are the last three digits of this speech concluded the two routers in the area on the port forwarding page? What other changes should be done what router?

    I know the port numbers that I use are OK because I can implement successfully if I connect to one or other of the routers (but not both), and my software of p2p shows port are open.

    Any help and suggestions most welcome.

    If you set up as I have suggested that you have only a single LAN that will be using in your addresses * 192.168.15 case. So in your case:

    1. change the address LAN IP of 192.168.1.1 to 192.168.15.2 WRT.
    2 disable the DHCP server.
    3. connect the LAN of the WRT port to port LAN of the RT.

    That's all. Disable the DHCP server will not affect whatever it is that you're connected LAN - LAN and DHCP server on the RT is still operational.

    After the change, previously the WRT computers may require a reboot to get a new address 192.168.15. *.

    Your computer to which you are transferring must have an IP static and not dynamic (or variable). Check the current IP information on this computer. It must have an IP address like 192.168.15.103, mask 255.255.255.0, gateway 192.168.15.1 subnet and DNS 192.168.15.1 server or maybe two other IP addresses instead. Note DNS servers if you do not 192.168.15.1.

    Then configure a static IP address on the computer. Use something like 192.168.15.10, 255.255.255.0 gateway 192.168.15.1 and the DNS servers you found before.

    After this implement 192.168.15.10 port forwarding.

  • SRI-WAAS with two routers

    Hello!

    Is it possible to have two routers (including one with RSR-WAAS and the other without) on a remote site router without ISR-WAAS to use the ISR-WAAS of the other router? (I have only finddual router with dual WAAS SRI in the CVD).

    Concerning

    Michael

    Hi Michael,

    Yes it is possible.

    However, the Redirect method depends on what type of router without ISR-WAAS is:

    another report of research international-4000:

    You can use AppNav (the two routers in the same groups of Application Controller & the SRI-WAAS as the sole member af of the AV/Waas node group).

    almost any other router:

    You can use WCCP on both routers redirecting to the SRI-WAAS.

    Best regards

    Finn

  • VLAN between two routers

    Hello. I am trying to solve a practical problem and I can't seem to deliver the VLAN. The presentation is as follows:

    You have two two routers connected to each other. Each router has a switch and each switch has four related generic PC. Each PC on this switch belongs on its own VIRTUAL local network. Thus,.

    Switch 1 Switch 2
    • PC A - VLAN 10
    • PC E - VLAN 10
    • PC B - VLAN 20
    • PC F - VLAN 20
    • PC C - VLAN 30
    • PC G - VLAN 30
    • PC D - VLAN 40
    • PC H - VLAN 40

    So A PC on the router/switch 1 1 can ping ROUTER2/switch 2 E PC and it cannot ping all the others. So on and so forth.

    So I tried to adjust the C VLAN 10 PC to check if the configuration of my work, and it does. But then I tie my router and sub interfaces, set the fa0/1 interface on my switch such as trunk and permit VLAN 10, 20, 30 and 40. Now, all PC on the router can ping each other! That should not happen. Now I don't know what the problem is. Can someone help me?

    I have attached the docx and the tracer file package.

    Sorry that I just realized you don't want connectivity between all computers.

    Which is a relief, because watching your Setup, I didn't see why they wouldn't be able to :-)

    You must use the ACLs on your subinterfaces to allow only the traffic you want.

    If you want to allow any PC from any other PC on the same site to ping but only the PC in the same vlan on the other site, then use an outbound acl on the router serial interfaces.

    If you only want to allow ping between the PC in the same vlan ACL use traffic entering on the subinterfaces.

    Jon

  • ASA balancing to two routers

    Hi all

    Is there anyway that I can balance workloads on both routers.

    I have an ASA with two attached routers each router has two instances of HSRP runs on each with its own IP address, each router is the main for one of the instances of HSRP. If there was no ASA in the way that I would set DHCP to browse through all of the functions of server through another hey presto (of sort) load balancing. However, I can't do what the ASA has only a single internal IP address. Routers treat natting because they are on different IP ranges on different Internet service providers.

    I can't use GLBP as the external IP evolution would break VPN RDP and SMTP connections.

    Is it possible that I can make the road ASA based on the source IP address, or any other means to separate the traffic between two routers?

    Thanks in advance,

    Scott

    You cannot route based on ip source with only firewall with router possiable by ACB

    You can give each of them point to router deffrent with metric deffrent from the static routes

    in this case, it will make the topology as active standby, which is not good in your case

    but you can use sub interfaces on your case make the ASA NRTIs each subinterface in deffrent subnet and deffrent security level

    and let each subinterface use deffrent hsrp instance

    or there is another way

    IF you are not using VPN on your ASA you can reach in the context of multiple

    in the context of several you're going to separate your firewall virtually

    so if you have two VLAN in your network (two subnets deffrent)

    then each subnet use almost deffrent firewall

    goona u divide the internal interface to two subinterfaces

    and you can use a shred of interface between the context outside or separate for two subinterfaces

    and assign these interface for each context

    If you go to each context as firewall deffrent

    and you can use the HSRP deffrent on each context instance

    but the multiple context, you can use VPN on the firewall

    Use the following method *.

    The OTHER WAY THAT ALSO I have SUGIST YOU to TRY, this IS THE Transparent firewall

    in the case your firewall works in L2 mode

    so you can use routers in HSRP IPS AS there is no firewall in the path

    which i thnk useful for you case also

    in transperant mode the way to defaultgate for your customer will be the hsrp IP because the firewall will not have everything except IPs management

    the useres will also be in the same IP subnet as the gateway in your case HSRP VIP

    and also, you can control the security of the network through the firewall normally

    try this way and let me know

    See the following link for the configuration

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

    Please, note useful

  • Remote VPN users cannot access tunnel from site to site

    Cisco ASA5505.

    I have a tunnel of site-to-site set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent way too much time just to get to this point.

    It works very well since within the office, but users remote VPN can not access the tunnel from site to site.  All other remote access looks very good.

    The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

    Any help or advice would be greatly appreciated.  It is probably super simple for someone who knows what they're doing to see the question.

    Hi Paul.

    Looking at your configuration:

    Remote access:

    internal RA_GROUP group policy
    RA_GROUP group policy attributes
    value of server DNS 8.8.8.8 8.8.4.4
    Protocol-tunnel-VPN IPSec
    value of Split-tunnel-network-list Split_Tunnel_List

    permit same-security-traffic intra-interface
     
    type tunnel-group RA_GROUP remote access
    attributes global-tunnel-group RA_GROUP
    address RA_VPN_POOL pool
    Group Policy - by default-RA_GROUP
    IPSec-attributes tunnel-group RA_GROUP
    pre-shared key *.
     
    local pool RA_VPN_POOL 10.0.0.10 - 255.255.255.0 IP 10.0.0.50 mask

    Site to site:

      

    card crypto outside_map 1 match address acl-amzn
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
    card crypto outside_map 1 set of transformation transformation-amzn
     
     
    I recommend you to use a local IP address pool with a different IP address that deals with the inside interface uses, now you are missing NAT are removed from the IP local pool to the destination of the site to site:
     
    NAT_EXEMPT list of ip 10.0.0.0 access allow 255.255.255.0 172.17.0.0 255.255.0.0
     
    NAT (outside) 0-list of access NAT_EXEMPT
     
    Now, there's a dynamically a NAT exempt allowing traffic to go out and are not translated.
     
    I would like to know how it works!
     
    Please don't forget to rate and score as correct the helpful post!
     
    Kind regards
     
    David Castro,
     
     

Maybe you are looking for

  • lost the recent history button

    How to recover recent history button located next to the right arrow or the back button?

  • XD - bit (CPU function) disabled/not available for Satellite A100-PSAA9

    Last week, I bought the laptop Toshiba Satellite A100-847 (Satellite A100-SPAA9) which has an Intel Core 2 Duo, model T7200. Specifications Intel, this processor (as all Core and Core 2 processors) has the particularity of XD - bit, known in Windows

  • Stock browser and Chrome issues

    I have two problems with browsers in my A1000-F. 1. in the stock browser, sites like MSN.com do not make completely and lead to rinsed text and photos. 2. Chrome, all sites are fragile when scrolling. I know these are problems of fragmentation are at

  • Windows 7 full screen mouse Bug?

    Hello. I got Windows Media Center to open full screen mode and the mouse is invisible no matter what I do. Same Minecraft, so this may be a problem for Windows. Do you know how to fix this? Everything I do in windowed mode.

  • SMART virtual TabletPC shows the duplicate entries in the Device Manager on Windows 7

    I realize, this is an old thread, but I hope someone is still reading.  We have the same problems since everyone upgrade to Windows 7.  However, when we disable or uninstall SMART virtual TabletPC and restart the computer, the device returns.  Not on