Tunnel traffic to a subnet
We have a site-to-site VPN tunnel that works well, connecting the remote site 192.168.100.x/24 to our 10.27.x.x/16. However, we have added a subnet on our end, 172.16.100.x/24, with some hosts relevant to this topic, and we would like traffic from the remote site to reach this subnet through the tunnel. Behind the ASA (which terminates the tunnel on our side) we also have a router that holds the different subnets and knows how to route traffic to 172.16.100.x/24 in particular. That router is the default gateway for all devices on our LAN, and its own default gateway is in turn the inside interface of the ASA.
ASA <---> router <---> main LAN (10.27.x.x/16)
            |
            |
     172.16.100.x/24
Basically, my question is how to set this up and tunnel traffic from the remote site to this new subnet.
My assumptions are:
1. Define the traffic from the remote site (192.168.100.x) to 172.16.100.x as 'interesting' on the remote site router, so that it goes into the tunnel.
2. Set a static route on the ASA that says traffic to 172.16.100.x must go through our router... or
3. Set a 'tunnel default gateway' (for VPN tunnel traffic) pointing to our router...
Would appreciate your comments on this. Thank you!
You have it. Just define your interesting traffic on both sides and make sure that the main ASA has a route to the new subnet. Depending on your configuration, you may also need to add an entry to the no-NAT (NAT exemption) rules on the two ASAs for this new traffic.
HTH,
Paul
Tags: Cisco Security
Similar Questions
-
VPN tunnel access to several subnets on an ASA 5505
Greetings,
We have spent some time trying to configure our ASA 5505 to tunnel into several different subnets: 192.168.1.0, 192.168.2.0 and 192.168.10.0.
Could someone review the running setup below and indicate where we have gone wrong? When I connect via the VPN Client I can access the 192.168.1.0 network with no problem, but I fail to reach the other two. Thank you very much.
Output from the command 'show running-config':
: Saved
:
ASA Version 8.2(5)
!
hostname BakerLofts
enable password kn7RHw13Elw2W2eU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.204.54.4 255.255.255.248
!
interface Vlan12
 nameif Inside2
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Inside2_access_in extended permit ip any any
access-list Inside2_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Inside2 1500
ip local pool vpn 192.168.3.1-192.168.3.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 192.168.3.0 255.255.255.0 outside
nat (Inside2) 0 access-list Inside2_nat0_outbound
nat (Inside2) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group Inside2_access_in in interface Inside2
route outside 0.0.0.0 0.0.0.0 74.204.54.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    (certificate hex dump, garbled in the post, omitted)
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
username samn password aXJbUl92B77AGcc. encrypted privilege 0
username samn attributes
 vpn-group-policy vpn
username jmulwa password QUe2MihLFbj2.Iw0 encrypted privilege 0
username jmulwa attributes
 vpn-group-policy vpn
username jangus password Uixpk4uuyEDOu9eu encrypted
username jangus attributes
 vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpn
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
I see two problems:
1. Your ASA has no route to the inside networks. You must add:
route inside 192.168.2.0 255.255.255.0
route inside 192.168.10.0 255.255.255.0
...specifying the gateway address for these networks.
2. The statement "access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0" only sends a route for 192.168.1.0/24 to your client. You need to add entries for the other two networks.
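The two checks in this answer, plus the NAT exemption that the posted config carries only for 192.168.1.0 and 192.168.10.0, as an added lint script. This is my example, not code from the post or from Cisco. SAMPLE_CONFIG is a constructed cut-down copy of the posted running-config; the script treats a directly connected interface as a route, so for 192.168.10.0/24 it reports only the missing split-tunnel entry (Vlan12/Inside2 is connected), and for 192.168.2.0/24 all three items. It assumes static 'ip address' lines and ACL entries without 'any', which is all the posted config uses.

```python
"""Remote-access VPN reachability lint for an ASA 8.2 running-config.

Added example, not code from the post or from Cisco. For each inside
network a VPN client should reach, it checks for: a way to get there (a
connected interface or a static route), an entry in the split-tunnel
list, and a NAT-exempt ('nat (x) 0 access-list') flow from that network
to the client pool. Assumes static 'ip address' lines and no 'any' in
the ACL entries it parses.
"""
import ipaddress
import re


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(config: str) -> dict:
    """Collect connected networks, static routes, split-tunnel networks,
    the client pool and the nat 0 flows from an ASA 8.2 config."""
    connected, routes, nat0_acls = [], [], set()
    acl_std, acl_ext, split_acl, pool = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)", line):
            connected.append(_net(m[1], m[2]))
        elif m := re.match(r"route \S+ (\S+) (\S+) \S+", line):
            net = _net(m[1], m[2])
            if net.prefixlen:            # the default route does not count
                routes.append(net)
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acl_std.setdefault(m[1], []).append(_net(m[2], m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acl_ext.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acls.add(m[1])
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pool = _net(m[1], m[2])
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            split_acl = m[1]
    return {
        "reachable": connected + routes,
        "split": acl_std.get(split_acl, []),
        "pool": pool,
        "nat0": [flow for name in nat0_acls for flow in acl_ext.get(name, [])],
    }


def unreachable(config: str, wanted: list) -> dict:
    """Map each wanted network (CIDR string) to what is missing for a VPN
    client to reach it; networks with nothing missing are left out."""
    facts = parse_asa(config)
    problems = {}
    for cidr in wanted:
        net = ipaddress.IPv4Network(cidr)
        missing = []
        if not any(net.subnet_of(r) for r in facts["reachable"]):
            missing.append("no route")
        if not any(net.subnet_of(s) for s in facts["split"]):
            missing.append("not in split-tunnel list")
        if facts["pool"] is None or not any(
                net.subnet_of(src) and facts["pool"].subnet_of(dst)
                for src, dst in facts["nat0"]):
            missing.append("no nat 0 exemption to the pool")
        if missing:
            problems[cidr] = missing
    return problems


# Constructed sample, cut down from the ASA 5505 config in the post above.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.1.254 255.255.255.0
interface Vlan2
 nameif outside
 ip address 74.204.54.4 255.255.255.248
interface Vlan12
 nameif Inside2
 ip address 192.168.10.254 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Inside2_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
ip local pool vpn 192.168.3.1-192.168.3.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (Inside2) 0 access-list Inside2_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.204.54.1 1
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
"""
WANTED = ["192.168.1.0/24", "192.168.2.0/24", "192.168.10.0/24"]

if __name__ == "__main__":
    for net, missing in unreachable(SAMPLE_CONFIG, WANTED).items():
        print(net, ":", ", ".join(missing))
```

Feed it the full running-config and the list of networks clients should see; anything it prints is a line to add (a route on the inside interface, a split-tunnel entry, or a nat 0 ACL entry towards the pool).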
-
Tunnel traffic inside an IPsec tunnel
Hello world
Site A has an IPsec tunnel to Site B through ASAs.
Now Site A also has a GRE tunnel, and the tunnel destination is reached inside the IPsec tunnel.
In other words, the IPsec tunnel between the two sites also carries the GRE tunnel traffic.
Which command can I run on the ASA to see whether the IPsec tunnel is transporting the GRE tunnel traffic, or
which line in the ASA config will tell me that this IPsec tunnel also carries GRE tunnel traffic?
Thank you
Mahesh
Hello
I think that you will probably see GRE in the ASA connection table when the connection is in use.
You can try the command
show conn | include GRE
and see if this produces any output.
Can you possibly provide the "interface Tunnelx" configurations and, if they use other interfaces for 'tunnel source' and 'tunnel destination', those configurations as well?
-Jouni
-
Tunnel traffic through the Access Point
I have "tunnelEnabled": true in the Access Point JSON settings,
and on the Connection Servers associated with the Access Point the configuration guide recommends not enabling tunneling.
The end result is that the traffic is going through the Access Point and is not crossing the Connection Server. The client wants to keep the ports open between the objects to an absolute minimum, so I want to tunnel traffic from the Access Points through the Connection Server and then on to the internal virtual and physical machines that have the View agent installed. Even when I check the tunnel options on the Connection Server it always appears as if the traffic bypasses the connection broker and goes straight to the agents.
What configuration change do I make so that all the traffic goes through the Access Points and the associated Connection Servers?
Thanks in advance for any help or suggestion
J
After a lot of trial and error we narrowed it down to the certificates we had created for the Access Points. The HTML5 Blast bridge did not have the other object names in the cert. Once we gave them a cert that had the URL and the SAN (subject alternative names) with the real Access Point server names, Blast started working again.
-
ASA site-to-site tunnel stops forwarding traffic for some subnets after a while
Hello
We have a really strange site-to-site tunnel issue on several ASAs.
We run VPN tunnels between a small site and three larger ones.
The small site has an ASA 5505; the other three main sites have ASA 5510s.
One of the tunnels has been working for months without problems.
Each tunnel carries several class C networks.
Example, site A:
-192.168.50.0/24 (named A1)
-192.168.51.0/24 (named A2)
Site B:
-192.168.60.0/24 (named B1)
-192.168.61.0/24 (named B2)
On the two faulty tunnels, all is well at the beginning. After a few days (1-14) some networks cease to work. So I can ping the B1 network from both A1 and A2, but B2 only from A2. Pings from A1 to B2 time out. The site A ASA shows tx = 0 traffic for A1<=>B2 but an increasing rx count. ASA B shows rx = 0 for B2<=>A1 and a rising tx count.
This happens unexpectedly after varying periods. Sometimes it hits the ASA at site B, where tx = 0; sometimes it is the ASA at site A.
I tried to fix it with the following commands:
clear crypto isakmp sa
clear crypto ipsec sa
clear xlate
but nothing has worked. The only solution for now is to reboot the ASA where the tx count shows 0. After a reboot, everything works well for a while.
On one of the affected sites we have an ASA failover configuration. A failover to the standby device also solves the problem. But if you fail back to the previous primary without rebooting it, the problem returns immediately.
I think it is not a configuration issue because:
-All tunnels are configured the same way, and one of them has been running for months without any problem
-Tunnels work for all subnet combinations after a reboot
-The problem occurs after varying and long periods of time, so I think the period between failures is too long to be caused by tunnel timeouts and the like.
All ASAs are running 9.1(5)21.
I upgraded the firmware through several releases these past few months and had the same problem with every version I tested.
So I hope that someone else has also had this problem and found a solution.
Christian
Hey!
Did you solve it or find the root cause?
Thank you
-
Error tunneling traffic to 2 networks on the same link?
Hi all
Here is my current access list for bringing up my VPN tunnel. Everything works fine with it, but I have several networks on the source router. How do I encrypt traffic from the same source router going to the same peer router? Do I have to create a different ACL, or can I just add another permit to the current ACL statement?
ip access-list extended INT_Traffic
 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
Can I change the ACL above to this? Every time I add the second permit statement below, I get the error below.
ip access-list extended INT_Traffic
 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 permit ip 172.30.3.0 0.0.0.255 172.30.3.0 0.0.0.255
or
 permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
(source network / destination peer networks)
*Mar  1 04:18:29.842: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.0.1, remote= 192.168.0.2,
    local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.30.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Mar  1 04:18:29.850: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 04:18:29.850: SA has outstanding requests (local 102.72.38.92 port 500, remote 102.72.38.64 port 500)
*Mar  1 04:18:29.854: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE)
R2(config-ext-nacl)#
*Mar  1 04:18:29.854: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 623193098
*Mar  1 04:18:29.858: ISAKMP:(1001):QM Initiator gets spi
*Mar  1 04:18:29.862: ISAKMP:(1001): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 04:18:29.862: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 04:18:29.866: ISAKMP:(1001):Node 623193098, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 04:18:29.866: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 04:18:30.422: ISAKMP (0:1001): received packet from 192.168.0.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 04:18:30.426: ISAKMP: set new node -1733728027 to QM_IDLE
*Mar  1 04:18:30.430: ISAKMP:(1001): processing HASH payload. message ID = -1733728027
*Mar  1 04:18:30.430: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2018370628, message ID = -1733728027, sa = 664824F8
*Mar  1 04:18:30.434: ISAKMP:(1001): deleting spi 2018370628 message ID = -623193098
R2(config-ext-nacl)#
*Mar  1 04:18:30.434: ISAKMP:(1001):deleting node -623193098 error TRUE reason "Delete Larval"
*Mar  1 04:18:30.434: ISAKMP:(1001):deleting node -1733728027 error FALSE reason "Informational (in) state 1"
*Mar  1 04:18:30.438: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 04:18:30.438: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 192.168.0.2 no-xauth
!
crypto ipsec transform-set Cisco esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set Cisco
 match address INT_Traffic
!
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.0.1 255.255.255.252
 clock rate 128000
 crypto map VPN_MAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list extended INT_Traffic
 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
R2#
(1) You cannot configure the same subnet as both source and destination. Each end of the VPN must be unique. Therefore, you cannot add "permit ip 172.30.3.0 0.0.0.255 172.30.3.0 0.0.0.255" to the INT_Traffic ACL.
(2) If you add another line to the INT_Traffic ACL, you must also add the mirror-image ACL line on the VPN peer device. You cannot simply add the ACL line on this router, because the other router would not know about the newly created entry, so it will not work.
You can add the following line under the INT_Traffic ACL:
permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
But you must also add the mirror-image ACL line on the VPN peer device, as follows:
permit ip 172.30.4.0 0.0.0.255 172.16.0.0 0.0.255.255
So yes, you can add several ACL lines under INT_Traffic if you want to encrypt them through the VPN tunnel. Just make sure of the 2 points above.
Hope that helps.
-
IPsec tunnels between duplicate LAN subnets
Hi all
Please help with connecting three sites; our central site has all the resources for users, including internet access.
The three sites will have an ASA 5505 as their WAN device.
We need to know whether it is possible to configure an IPsec tunnel between the three ASAs with duplicate LAN subnets.
Central site: two networks, 192.168.1.x/24 and 192.168.100.x/24
Remote one: a 192.168.1.x/24 subnet
Remote two: a 192.168.100.x/24 subnet
If it is possible, we also need to hairpin remote one and remote two through the central site to access the internet; what the sites need is on the central site, including e-mail, network shares and other resources.
We have no other way to build this network, as all security is on our central site: web filtering, application filtering, all network traffic filtering.
We understand that we could change the two remote sites to a different subnet from the central site, but we have so many host devices that it would take weeks or months, and we would also need to change the MS AD domain for all users and servers.
We really need your expertise to do this in a lab and then in production.
Thank you
Hello Stephen,
You can check the following links for making overlapping subnets talk to each other:
1. LAN-to-LAN IPsec VPN with overlapping networks
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
2. IPsec between two IOS routers with overlapping private networks
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
The important point is that the local network must connect to the remote network via the translated addresses,
i.e. you won't be able to use the real IPs for the communication.
For hairpinning or U-turn:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
Hope that helps.
Kind regards
Dinesh Moudgil
-
Multicast traffic over a GRE tunnel
Hi guys,
I have a point-to-point ISP connection running BGP on a 100 Mbps link between the branch and the central office.
I set up a GRE tunnel between two Cisco 2801 routers with the advanced security IOS, running OSPF, so I can share multicast streaming traffic between the two sites, but I am only able to get 6 Mbps through the tunnel between the sites. I have configured PIM sparse-mode to transport the video traffic over the tunnel.
Is there a limit on the GRE tunnel? Could it be MTU, or perhaps other issues? Can anyone help me solve this, guys?
Hello
There is a lot of discussion about bandwidth limitations on tunnel interfaces, but most of the throughput discussions seem to be linked to software limitations on the device.
The issue could be related to MTU. Have you enabled PMTUD on the tunnel interface? If not, turn it on, as it is recommended on tunnel interfaces.
HTH.
Rate useful posts.
Kind regards
Terence
-
Internet traffic through a RA IPsec VPN tunnel
With an ASA 5505 Security Plus, I have configured an IPsec RA VPN; the VPN IP address pool is in the 192.168.2.0/28 network.
The LAN is 192.168.1.0/24, with the inside interface at .254.
The VPN works great. What I would like to do is route all internet traffic through the firewall when users are connected to the VPN. I set the tunnel default gateway to 192.168.1.254, but I'm having no luck getting it to work.
Any ideas?
Thanks in advance!
Are you just going to route internet traffic from the remote VPN client to the ASA and back out to the Internet?
If the above statement is correct, you do not need to configure the tunnel default gateway.
But you need to configure NAT for the IP pool so it can go to the internet, as well as the 'same-security-traffic' command, as follows:
nat (outside) 1 192.168.2.0 255.255.255.0
same-security-traffic permit intra-interface
This also assumes that you do not have split tunnel configured.
-
VPN, internet and split tunnel traffic
Please see the attached picture, as I hope it explains what I really want to do, but here is the breakdown.
When a remote access VPN client connects to 1-ASA5510 I want all internet traffic to be sent to 2-ASA5510 instead of out the default route. When it goes out 2-ASA5510, it passes through the content filter. 2-ASA5510 has split tunnel in place and we are trying to do away with split tunnel.
I hope this is clear enough.
Any ideas would be helpful
Dan
Dan,
Difficult but doable! First of all, there is a nice feature in the ASA that allows configuration of a remote proxy per VPN profile:
group-policy <name> attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass enable
Well, yes, you guessed it: it works only with Microsoft Internet Explorer.
I don't think any policy-based routing would work for you; bad luck.
But you can try another feature, sending the traffic through the tunnel, which is normally used in an EasyVPN topology:
(ASA configuration at the bottom; I would probably test this with the IP address of the 2651 router!)
HTH.
-
VRF tunneling traffic question?
I have a network of 6500 series switches with SUP720s for my core, and I want to separate the traffic for some users. The links between the core devices are routed links, with IP addresses on each side, not shared resources using VLANs for routing. I can't drop the routed links or add additional links between the 6500s, but I need to set up VRFs on the core.
I thought I could implement GRE tunnels with ip vrf forwarding on the tunnel interfaces and route them through the existing links. Will the links have to be put in the VRF, or can I tunnel through them? Hope it makes sense. Has anyone had to do this? Any other suggestions?
Yes, it is supported, but you must ensure that you have the appropriate OS code.
I found it on one of the threads; take a look - https://supportforums.cisco.com/thread/210125
Please rate useful posts.
Thank you
JD...
-
PIX VPN tunnel to the same subnet
I have a customer who wants to set up a PIX VPN tunnel with a PIX located at each site. For some reason, each side has the same subnet, e.g. 10.10.10.x/32. I'm sure we must use NAT, but is it possible?
This can help
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml
-
Unable to pass traffic over an ASA site-to-site VPN tunnel
Hello
I am having problems passing traffic between two ASA firewalls. The VPN tunnel is up, with a dynamic IP on one side and a static IP on the other. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access lists that are needed.
I've also attached the ASA5505 config and the ASA5510 config.
This is the first time that I've set up a VPN connection; any guidance would be greatly appreciated.
Thank you
Adam
Hello
Regarding your configuration: on the Remote Site ASA you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not pass through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell the ASA which traffic between the subnets should use the L2L VPN connection.
So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.
I would also point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will of course have its internal subnets as the source and the Remote Site LAN as the destination.
The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN has been established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It may also be the case on the Central Site.
-Jouni
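The symmetry rule that runs through this answer, Paul's reply in the first thread (define the interesting traffic on both sides) and the 'Error tunneling traffic to 2 networks' thread (mirror-image ACL on the peer, no entry with the same subnet as source and destination) can be checked mechanically before the tunnel is ever brought up. The script below is an added example, not code from any of the posts or from Cisco. R2_INT_TRAFFIC and PEER_ASA_ACL are constructed from the R2 thread, and the ACL name outside_1_cryptomap is borrowed from the lines above. It reports an entry as missing only when no exact mirror exists; IOS and ASA responders also accept a proposal that falls inside a wider entry of their own ACL, so a report against a hub with summarized entries is a warning rather than a fault.

```python
"""Crypto ACL symmetry check for a site-to-site IPsec tunnel (added example).

Parses the 'permit ip' entries of a crypto ACL in IOS form (wildcard masks)
or ASA form (netmasks), builds the mirror image the peer must carry, and
reports entries with no mirror on the other side (the responder answers
Quick Mode with PROPOSAL_NOT_CHOSEN) and entries whose source and
destination are the same subnet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    """One 'permit ip SRC DST' entry of a crypto ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


def _network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    # IOS ACLs use wildcard masks (0.0.0.255), ASA ACLs use netmasks
    # (255.255.255.0). Convert explicitly: 0.0.0.0 and 255.255.255.255 are
    # valid as either kind, so ipaddress must not be left to guess.
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _term(parts: list, i: int, wildcard: bool):
    """Consume one address term at parts[i]: 'any', 'host A' or 'A MASK'."""
    if parts[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.IPv4Network(f"{parts[i + 1]}/32"), i + 2
    return _network(parts[i], parts[i + 1], wildcard), i + 2


def parse_acl(text: str, wildcard: bool) -> list:
    """Parse 'permit ip SRC DST' lines; a leading 'access-list NAME extended'
    (ASA) is tolerated, comments and non-'permit ip' lines are skipped."""
    flows = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!") or "permit" not in parts:
            continue
        i = parts.index("permit")
        if i + 1 >= len(parts) or parts[i + 1] != "ip":
            continue
        src, i = _term(parts, i + 2, wildcard)
        dst, _ = _term(parts, i, wildcard)
        flows.append(Flow(src, dst))
    return flows


def mirror(flows: list) -> list:
    """The entries the peer must carry: source and destination swapped."""
    return [Flow(f.dst, f.src) for f in flows]


def render(flows: list, style: str, acl_name: str = "") -> list:
    """Emit entries in the peer's syntax: 'ios' (wildcard) or 'asa' (netmask)."""
    lines = []
    for f in flows:
        if style == "ios":
            lines.append(f"permit ip {f.src.network_address} {f.src.hostmask} "
                         f"{f.dst.network_address} {f.dst.hostmask}")
        elif style == "asa":
            lines.append(f"access-list {acl_name} extended permit ip "
                         f"{f.src.network_address} {f.src.netmask} "
                         f"{f.dst.network_address} {f.dst.netmask}")
        else:
            raise ValueError(f"unknown style {style!r}")
    return lines


def check_pair(local: list, remote: list) -> dict:
    """Compare one side's crypto ACL with its peer's (exact mirror check)."""
    same_subnet = [f for f in local + remote if f.src == f.dst]
    local_ok = [f for f in local if f.src != f.dst]
    remote_ok = [f for f in remote if f.src != f.dst]
    return {
        "same_subnet": same_subnet,
        "missing_on_remote": sorted(set(mirror(local_ok)) - set(remote_ok)),
        "missing_on_local": sorted(set(mirror(remote_ok)) - set(local_ok)),
    }


# Constructed sample modelled on the R2 thread: the router's ACL with the two
# extra lines (including the rejected same-subnet one) and a peer ASA that
# was only ever given the first network. Not taken from any post.
R2_INT_TRAFFIC = """
 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 permit ip 172.30.3.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
"""
PEER_ASA_ACL = """
access-list outside_1_cryptomap extended permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
"""


def report() -> dict:
    """Run the check on the sample and add the ASA lines the peer still needs."""
    result = check_pair(parse_acl(R2_INT_TRAFFIC, wildcard=True),
                        parse_acl(PEER_ASA_ACL, wildcard=False))
    result["fix_for_peer"] = render(result["missing_on_remote"], "asa", "outside_1_cryptomap")
    return result


if __name__ == "__main__":
    for key, items in report().items():
        print(f"{key}:", *[f"\n    {item}" for item in items])
```

Run it as a script to print the report; render() produces the peer's lines in either syntax, so the fix can be pasted rather than retyped, which is where the mirror-image mistakes in these threads usually creep in.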
-
How to get a VPN tunnel to a 2nd/3rd subnet
I have not yet tried anything else, but a few years back I was told that with an ASA firewall you cannot route traffic to a second or third subnet (2 or 3 hops away) over the same VPN tunnel, even if you add routes to all LAN subnets in all the required firewalls and tunnels.
I know other manufacturers, such as SonicWall, can do it, so the question is: is it possible in the Cisco ASA firewall with version 7.0.7 and 7.2.4? If not, is it possible in a future release? And if it is not possible, how can I make it work? Can't I make it work with one firewall/router and three LAN-to-LAN tunnels?
Also attached is a network map for visualising all the subnets.
Thanks in advance
Johan Mannerstrom
ICT technician
If the HQ firewall is already connected to LAN2 (as I read it), then you have already connected an interface on the HQ firewall and given it an IP address that belongs to LAN2. As the HQ firewall has a route to 192.168.20.0/24 and 18.0/24 and vice versa, that's enough.
And you're on point with the rest of the steps you have outlined regarding the config.
And of course, you must configure the matching mirror-image crypto ACL and NAT exemption on the remote VPN peer too.
-
VPN 3005 and GRE as interesting traffic (in the tunnel)
Hello
Is it possible to qualify GRE or IPinIP tunnel traffic as interesting traffic
(in a LAN-to-LAN tunnel) on a VPN 3005?
On a router or PIX you simply define an access-list with gre or ip; how
can you do that on a concentrator, if it is possible at all?
Thanks in advance,
Kind regards
Stefan
Hello
Just set up the network lists (for the interesting traffic), and the concentrator will encrypt GRE traffic just like IP or ICMP traffic, so no specific configuration is necessary.
Thank you
AFAQ