VPN between 2 offices with VLAN

Hello

We have a remote desktop that is connected to our network with a bridge, this bridge transport several laser VLAN as a trunk.

One of the laser is now out of service and considerede that there really expensive we want to replace this with a virtual private network connection.

In our headquarters we have a cluster of asa cisco in failover and now we have bought a new asa cisco for the branch.

On remote desktop, we have several VLANs which must be connected with the VLANs to Headquarters, and we don't want to change the ip addressing.

To continue, I need to connect 2 offices who, for now, was connected to Layer2 with bridge trunk wireless with a new vpn on cisco ASA, without having to change the address ip addresses to the remote desktop so that a pc in the remote office on vlan10 with address 10.0.0.10 should be able to contact a server at Headquarters to vlan10 with the IP 10.0.0.1.

Is this possible scenario?

Thank you

Advertisement

Who is Ricardo?  ;-)

Remote Desktop:
vlan10 172.10.0.0/24
vlan20 172.20.0.0/24
vlan30 172.30.0.0/24

Branches:
vlan10 172.10.0.0/24
vlan20 172.20.0.0/24
vlan30 172.30.0.0/24

How to solve the problem that overlap, is to configure the NAT through the tunnel.
The idea is to NAT on both sides, so that the other think that the remote VIRTUAL LAN is a different subnet.

That is to say
Remote Desktop:
vlan10 10.10.0.0/24
vlan20 10.20.0.0/24
vlan30 10.30.0.0/24

Branches:
vlan10 10.40.0.0/24
vlan20 10.50.0.0/24
vlan30 10.60.0.0/24

In this way, you can have communication through the tunnel without problems that overlap.

Federico.

Tags: Cisco Security

Similar Questions

  • 'How to' set up a VPN between a UC540 and a SR520 with remote IP extension

    Hi all

    I need help in establishing a link between a head office UC540 and a distance SR520 I want to use a PC and an IP phone in. This remote site is the first of many.

    I found several examples of IPsec VPN site, but none with references to some VLAN voice and data, should I worry or the phone will only work.

    All the tips and suggestions accepted with gratitude,

    Jerry

    Here is an example of configuration LAN-to-LAN VPN between 2 IOS routers:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml

    Assuming that your example:

    VLAN 1 - data - 192.168.19.0/24

    VLAN 100 - voice - 10.1.1.0/24

    And on the other side:

    VLAN 1 - data - 192.168.20.0/24

    VLAN 100 - voice: 10.2.2.0/24

    The crypto ACL would be:

    access-list 150 permit ip 192.168.19.0 0.0.0.255 192.168.20.0 0.0.0.255

    access-list 150 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    Crypto ACLs on the other side are the following:

    access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255

    access-list 150 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

  • Problem with IPsec VPN between ASA and router Cisco - ping is not response

    Hello

    I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

    my network topology data:

    LAN 1 connect ASA - 1 (inside the LAN)

    PC - 10.0.1.3 255.255.255.0 10.0.1.1

    ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

    -----------------------------------------------------------------

    ASA - 1 Connect (LAN outide) R1

    ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

    R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

    ---------------------------------------------------------------------

    R1 R2 to connect

    R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

    R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

    R2 for lan connection 2

    --------------------------------------------------------------------

    R2 to connect LAN2

    R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

    PC - 10.0.2.3 255.255.255.0 10.0.2.1

    ASA configuration:

    1 GigabitEthernet interface
    nameif inside
    security-level 100
    IP 10.0.1.1 255.255.255.0
    no downtime
    interface GigabitEthernet 0
    nameif outside
    security-level 0
    IP 172.30.1.2 255.255.255.252
    no downtime
    Route outside 0.0.0.0 0.0.0.0 172.30.1.1

    ------------------------------------------------------------

    access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
    object obj LAN
    subnet 10.0.1.0 255.255.255.0
    object obj remote network
    10.0.2.0 subnet 255.255.255.0
    NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

    -----------------------------------------------------------
    IKEv1 crypto policy 10
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 3600
    Crypto ikev1 allow outside
    crypto isakmp identity address

    ------------------------------------------------------------
    tunnel-group 172.30.2.2 type ipsec-l2l
    tunnel-group 172.30.2.2 ipsec-attributes
    IKEv1 pre-shared-key cisco123
    Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

    -------------------------------------------------------------
    card crypto ASA1VPN 10 is the LAN1 to LAN2 address
    card crypto ASA1VPN 10 set peer 172.30.2.2
    card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
    card crypto ASA1VPN set 10 security-association life seconds 3600
    ASA1VPN interface card crypto outside

    R2 configuration:

    interface fastEthernet 0/0
    IP 10.0.2.1 255.255.255.0
    no downtime
    interface fastEthernet 0/1
    IP 172.30.2.2 255.255.255.252
    no downtime

    -----------------------------------------------------

    router RIP
    version 2
    Network 10.0.2.0
    network 172.30.2.0

    ------------------------------------------------------
    access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
    access-list 102 permit esp 172.30.1.2 host 172.30.2.2
    access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
    interface fastEthernet 0/1
    IP access-group 102 to

    ------------------------------------------------------
    crypto ISAKMP policy 110
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 42300

    ------------------------------------------------------
    ISAKMP crypto key cisco123 address 172.30.1.2

    -----------------------------------------------------
    Crypto ipsec transform-set esp - aes 128 R2TS

    ------------------------------------------------------

    access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

    ------------------------------------------------------

    R2VPN 10 ipsec-isakmp crypto map
    match address 101
    defined by peer 172.30.1.2
    PFS Group1 Set
    R2TS transformation game
    86400 seconds, life of security association set
    interface fastEthernet 0/1
    card crypto R2VPN

    I don't know what the problem

    Thank you

    If the RIP is not absolutely necessary for you, try adding the default route to R2:

    IP route 0.0.0.0 0.0.0.0 172.16.2.1

    If you want to use RIP much, add permissions ACL 102:

    access-list 102 permit udp any any eq 520

  • L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

    company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

    where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

    ! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
    crypto ISAKMP policy 5
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    lifetime 28800
    isakmp encryption key * address no.-xauth y.y.y.y

    ! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
    crymap extended IP access list
    IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
    card crypto 1 TUNNEL VPN ipsec-isakmp
    defined peer y.y.y.y
    game of transformation-ESP-3DES-SHA
    match the address crymap

    Gi0/2 interface
    card crypto VPN TUNNEL

    Hello

    debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

    What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

    So I suggest:

    no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

    Then try tunnel initiate.

    Kind regards

    Jan

  • VPN between PIX with dynamic IP

    Can I make a VPN over the Internet with PIX or IOS VPN in each IP address dynamic and extreme (DHCP client) in the two extremes?

    Thank you

    If siempre sepas than las direcciones los extremos back there sets in el momento iniciar el tunel in peripheral los.

    Distinto are TR UN extremo tiene IP fija y el otro dinamica (vpn easy for example you can help ahi)

    --

    Alexis Fidalgo

    Systems engineer

    AT & T Argentina

  • L2l VPN between two ASA5505 works not

    Let me start who I know a thing or two about networks.  VPN not so much.

    I am trying to configure a Site-toSite VPN between two ASA 5505.  I am building this in a laboratory of the Office before I deploy it to the end sites.  I are the indications on this very informative forum and think I have it set up correctly.  I can see the tunnel is being built and I see same incrementation of the traffic counters.  But the real user sessions do not seem to work.  For example, ping and telnet does not work.

    An excerpt from the syslog for a ping test on a computer on the remote end.

    (10.1.10.5 is the local computer, 10.1.11.5 is the remote computer.  10.1.11.1 is the interface of the ASA remote interior)

    6. January 20, 2012 | 01:04:12 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0 ICMP
    6. January 20, 2012 | 01:04:10 | 302020 | 10.1.10.5 | 1. 10.1.11.1 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0
    6. January 20, 2012 | 01:04:07 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0 ICMP
    6. January 20, 2012 | 01:04:05 | 302020 | 10.1.10.5 | 1. 10.1.11.1 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0
    6. January 20, 2012 | 01:04:02 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0 ICMP
    6. January 20, 2012 | 01:04:00 | 302020 | 10.1.10.5 | 1. 10.1.11.1 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0
    6. January 20, 2012 | 01:03:57 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0 ICMP
    6. January 20, 2012 | 01:03:55 | 302020 | 10.1.10.5 | 1. 10.1.11.1 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.1/0
    6. January 20, 2012 | 01:03:48 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.5/0 ICMP
    6. January 20, 2012 | 01:03:46 | 302020 | 10.1.10.5 | 1. 10.1.11.5 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.5/0
    6. January 20, 2012 | 01:03:43 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.5/0 ICMP
    6. January 20, 2012 | 01:03:41 | 302020 | 10.1.10.5 | 1. 10.1.11.5 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.5/0
    6. January 20, 2012 | 01:03:38 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1. Connection of disassembly for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.5/0 ICMP
    6. January 20, 2012 | 01:03:36 | 302020 | 10.1.10.5 | 1. 10.1.11.5 | 0 | Built of outbound ICMP connection for faddr gaddr laddr 10.1.10.5/1 10.1.10.5/1 10.1.11.5/0
    5. January 20, 2012 | 01:03:32 | 713041 | IP = 192.168.24.211, initiator of IKE: New Phase 1, Intf inside, IKE Peer 192.168.24.211 address local proxy 10.1.10.0, address remote Proxy 10.1.11.0, Card Crypto (outside_map)

    This is the configuration for one of them.  The other is configured in the same way with the usual across settings.

    ASA Version 8.2 (1)
    !
    hostname ASATWDS
    !

    names of
    name 10.1.11.0 remote control-network
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 10.1.10.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 192.168.24.210 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    access extensive list ip 10.1.10.0 outside_1_cryptomap allow 255.255.255.0 255.255.255.0 network-remote control
    access extensive list ip 10.1.10.0 inside_nat0_outbound allow 255.255.255.0 255.255.255.0 network-remote control
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Route outside 0.0.0.0 0.0.0.0 192.168.24.1 1
    course outside remote control-network 255.255.255.0 192.168.24.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 10.1.10.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 192.168.24.211
    card crypto outside_map 1 set of transformation-ESP-3DES-SHA
    card crypto outside_map 1 phase 1-mode of aggressive setting
    card crypto outside_map 1 the value reverse-road
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    dhcpd outside auto_config
    !
    dhcpd address 10.1.10.5 - 10.1.10.36 inside
    dhcpd dns 209.18.47.61 209.18.47.62 interface inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    tunnel-group 192.168.24.211 type ipsec-l2l
    IPSec-attributes tunnel-group 192.168.24.211
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:b4bea5393489da3aa83f281d3107a32e

    The Configuration looks good to me, but I think that you don't need next: -.

    card crypto outside_map 1 phase 1-mode of aggressive setting

    card crypto outside_map 1 the value reverse-road

    Anyway,.

    1 > can you please check if the computer you are trying to Ping or Telnet isn't the Machine based Firewall or anti-virus or iptables (Linux)?

    2 > dough out of the

    a > sh crypto ipsec his

    b > sh crypto isakmp his

    Manish

  • Routing over VPN between ISA550W and RV215W

    Hello all I have a problem with the VPN between my two office

    I have an ISA550W at the head office (chcnorth)

    I have a RV215W to the remote desktop (chcsouth)

    the VPN is up and running, I can connect from Headquarters to remote control (chcsouth-RV215W)

    and vice versa however when client computers on the remote end are trying to connect to the

    Main office to access the database, they can't.

    the problem started last week I received a call from the remote desktop that they can connect to our database

    on the main office, I tried to connect remotely to see what was going on, it turns out that the router has completely put back

    at the plant, including the firmware

    I reinstalled the latest firmware for the RV215W of installation all connections as they were, I could

    get VPN to connect, I can ping to the interface of the RV215W from my seat and I ping the ISA550W

    the remote desktop, however my remote clients still cannot access my server at the main office

    I realized after I have everything set up, I had a backup of my original installation and thinking I had

    just missed something I restored it to the firmware to factory upgraded to power and restored the backup of the

    RV215W I've had. still no dice

    So I am now at a loss, there were no other changes to the network on both ends, I've been on this som my eyes several times

    are blurred,

    any ideas, workarounds for solutions would be greatly appreciated

    Thanks in advance

    John G

    John,

    It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.

    If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

    http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

    In your case, it might look more at:

    192.168.1.200 sqlsvr

    Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.

    Answer please if you have any questions.

    -Marty

  • VPN between RV120W and ISA550W

    Hi guys,.

    Wonder if you can shed some light on my problem until I loose all my hair!

    I'm trying to create a VPN between a RV120W at a remote site and our ISA500W in our offices... I can't it connect!

    I'll put up an IPsec tunnel between the sites, but it does not want to connect.

    Remote site - RV120W

    The IKE policy table

    Management / time type

    Main mode Exchange

    3DES encryption

    AUTH - SHA-1

    DH group 2

    Pre-Shared Key AUTH

    HIS life 28800

    Xauth no

    VPN

    Type Auto policy

    IP of remote endpoint address

    Local IP subnet

    Remote IP subnet

    Auto policy settings

    Life 3600 seconds

    Encryption algorithm 3DES

    SHA-1 integrity algorithm

    Key Enable PFS group

    DH-group 2 (1024 bits)

    Headquarters - ISA550W

    IPsec policy

    Static IP address of remote Type

    AUTH Type pre-shared Key

    Local ID (empty)

    Remote ID (empty)

    IKE

    SHA1 hash

    Pre-shared Key

    D0H group group 2 (1024 bits)

    Lifetime 8 hours

    Transform

    integrity ESP_MD5_HMAC

    Encryption ESP_3DES

    Errors, I'm getting in the newspapers

    Remote RV120W (note! I changed the external IP to protect the innocent!)

    2013-10-29 14:39:20: [rv120w] [IKE] INFO: respond to the negotiation of the new phase 2: 69.193.0.0 [0]<=>80.4.0.0 [0]

    2013-10-29 14:39:20: [rv120w] [IKE] INFO: configuration using IPsec SA: 192.168.3.0/24<->192.168.1.0/24

    2013-10-29 14:39:20: [rv120w] [IKE] INFO: setting encmode 3 (3)-> Tunnel peer (1)

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: proposal of the peer:

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id = spisize ESP = 4 spi = spi_p 8846693d = encmode = 00000000 Tunnel reqid = 0:0)

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id = 3DES encklen = 0 authtype = hmac-md5)

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: Local proposal:

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id = spisize ESP = 4 spi = 00000000 spi_p 00000000 encmode = Tunnel reqid = 5:5 =)

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id = 3DES encklen = 0 authtype = hmac-sha)

    2013-10-29 14:39:20: [rv120w] [IKE] WARNING: proposal for Phase 2 of 80.4.0.0 [0] does not.

    2013-10-29 14:39:20: [rv120w] [IKE] ERROR: no adequate policy not found for 80.4.0.0 [0]

    2013-10-29 14:39:20: [rv120w] [IKE] INFO: sending of information Exchange: Notify payload [NON-PROPOSITION-SELECTED]

    2013-10-29 14:39:20: [rv120w] [IKE] INFO: purged-with proto_id = ISAKMP and spi = c8d68f74af9dfa9a:b4137fd6e0666914 ISAKMP Security Association.

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: accept a request to establish IKE - SA: 80.4.0.0

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: Configuration found for 80.4.0.0

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: opening new phase 1 negotiation: 69.193.0.0 [500]<=>80.4.0.0 [500]

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: Start Identity Protection mode.

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 4

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 8

    2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 9

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: received unknown Vendor ID

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: received Vendor ID: DPD

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: received Vendor ID: RFC 3947

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: for 80.4.0.0 [500], version selected NAT - T: RFC 3947

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: payload NAT - D corresponds to 69.193.0.0 [500]

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT - D payload does not match for 80.4.0.0 [500]

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT detected: PEER

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: for debugging: change ports2013-10-29 14:39:30: [rv120w] [IKE] INFO: change port!

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: received unknown Vendor ID

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: ISAKMP Security Association established for 69.193.0.0 [4500] - 80.4.0.0 [4500] with spi: 740e6a59f02eca3a:820460c448a5b74b

    2013-10-29 14:39:30: [rv120w] [IKE] INFO: sending of information Exchange: prevent the load [INITIAL CONTACT]

    2013-10-29 14:39:31: [rv120w] [IKE] INFO: new phase 2 negotiation: 69.193.0.0 [500]<=>80.4.0.0 [0]

    2013-10-29 14:39:31: [rv120w] [IKE] INFO: setting encryption mode to use UDP encapsulation

    2013-10-29 14:39:31: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

    2013-10-29 14:39:41: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

    2013-10-29 14:39:51: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

    2013-10-29 14:40:01: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

    2013-10-29 14:40:02: [rv120w] [IKE] ERROR: Phase 2 negotiation failed due to upward. c8d68f74af9dfa9a:b4137fd6e0666914:f6cdeead

    2013-10-29 14:40:02: [rv120w] [IKE] INFO: a calendar of undead has been removed: "quick_i1prep".

    Head Office ISA550

    2013-10-29 15:25:29 - WARNING - IPsec VPN: msg = "PixelNY" #4765: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)

    2013-10-29 15:25:29 - WARNING - IPsec VPN: msg = "PixelNY" #4765: max number of retransmissions (2) reached STATE_MAIN_I1.  No answer (or no acceptable answer) to our first post IKE. (pluto)

    2013-10-29 15:22:38 - WARNING - IPsec VPN: msg = "PixelNY" #4763: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)

    2013-10-29 15:22:38 - WARNING - IPsec VPN: msg = "PixelNY" #4763: max number of retransmissions (2) reached STATE_MAIN_I1.  No answer (or no acceptable answer) to our first post IKE. (pluto)

    2013-10-29 15:20:28 - WARNING - IPsec VPN: msg = "PixelNY" #4761: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)

    2013-10-29 15:20:28 - WARNING - IPsec VPN: msg = "PixelNY" #4761: max number of retransmissions (2) reached STATE_MAIN_I1.  No answer (or no acceptable answer) to our first post IKE. (pluto)

    2013-10-29 15:20:12 - WARNING - Firewall: type = ACL

    If someone could shed some light it would be fantastic!

    Configuration items you listed, it's what I see.  Transformations do not match between the AIS and the change integrity RV RV MD5 or change the game to transform ISA SHA1.  I would recommend changing the ISA in well SHA1As, you don't mention what is IKE ISA policy encryption, but there's 3DES in the RV, so you'll need to ensure its 3DES in ISA.  Also note that you are life spans SA do not match.  Technically, this should be ok, but it's really best to match as well.  The ISA is 8 hours and the RV is 1 hour (3600 seconds)

    Shawn Eftink
    CCNA/CCDA

    Please note all useful messages and mark the correct answers to help others looking for solutions in the community.

  • ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

    Hello

    I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

    1 Configure ASA-1 (host name, vlan 1 and vlan 2).

    2. configure a static route

    3. create object network (local and remote)

    4. create the access list

    5. create ikev1 crypto

    6. create tunnel-group

    7 Configure nat

    and I repeat the steps above with the ASA but another change IP.

    Are to correct the above steps?

    Why can I not create an IPSEC VPN between devices?.

    No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

  • Setting up a VPN between a WRVS4400N and ASA device

    I'm a newbie when it comes to Cisco devices and I have a problem setting a VPN between a local and a seat some distance away.

    Here, our local office, we have a device Cisco WRVS4400N Small Business.

    At Headquarters, they have a feature of Cisco ASA.

    We must set up a point to point VPN and I have no idea how to proceed with these devices.

    To compound things, resources, I'm at the other end in an unknown entity that also does not seem to have a lot of experience with this.

    Is there any type of step by step guide for such a configuration?

    If not, can someone please help with this?

    Hello William,.

    I would call 1866-606-1866 Support Center for assistance on the side the tunnel then the entire side of the ASA WRVS has to do is match the settings. If the side ASA needs support with which we can transfer more TAC.

    Cisco Small Business Support Center

    Randy Manthey

    CCNA, CCNA - security

  • VPN between 2 routers Cisco 1841 (LAN to LAN)

    Hello

    I need to connect two offices (two different LAN) using routers cisco 1841 at both ends.

    Currently the two cisco router are in working condition and refer the internet LAN clients. (making the NAT).

    Can someone please tell us what is the easiest way to set up a VPN between two sites, so that LAN users to an office to access mail servers electronic/request to the office LAN.

    I understand that I need IPSec Site to Site VPN (I think).

    Anyonce can you please advise.

    Kind regards.

    s.nasheet wrote:

    Hi ,

    I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.

    Currently both cisco router are in working order and  acting as a internet gateway to the LAN clients. ( doing NAT).

    Can anybody please advise what is the easiest method to configure VPN between two sites so that  LAN users at one office be able to access  the  email/application servers at the other LAN office.

    I understand I need IPSec Site to Site VPN  ( i think).

    Can anyonce please advise.

    Regards.

    Yes, you need a VPN site-to site. Start with this link which gives a number of examples to set up a VPN S2S between 2 routers Cisco.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16

    Jon

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

    I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

    I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

    It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

    On the ASA:

    Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

    address of the peers: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

    access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
    local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
    current_peer: 217.xx.yy.zz

    #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: 39135054
    current inbound SPI: B2E9E500

    SAS of the esp on arrival:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4374000/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001
    outgoing esp sas:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4373976/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Output of the command: "sh crypto isakmp his."

    HIS active: 4
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 4

    IKE Peer: 217.xx.yy.zz
    Type: L2L role: initiator
    Generate a new key: no State: MM_ACTIVE

    On the 1841

    1841 crypto isakmp #sh its
    IPv4 Crypto ISAKMP Security Association
    DST CBC conn-State id
    217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

    1841 crypto ipsec #sh its

    Interface: Dialer1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Interface: virtual Network1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

    Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

    I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

    It's the running of the 1841 configuration

    !
    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    host name 1841
    !
    boot-start-marker
    start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    !
    AAA - the id of the joint session
    !
    iomem 20 memory size
    clock timezone PCTime 1
    PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
    dot11 syslog
    IP source-route
    !
    No dhcp use connected vrf ip
    !
    IP cef
    no ip bootp Server
    IP domain name test
    name of the IP-server 194.25.2.129
    name of the IP-server 194.25.2.130
    name of the IP-server 194.25.2.131
    name of the IP-server 194.25.2.132
    name of the IP-server 194.25.2.133
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    object-group network phone
    VoIP phone description
    Home 172.20.2.50
    Home 172.20.2.51
    !
    redundancy
    !
    !
    controller LAN 0/0/0
    atm mode
    Annex symmetrical shdsl DSL-mode B
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    isakmp encryption key * address 62.aa.bb.cc
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel to62.aa.bb.cc
    the value of 62.aa.bb.cc peer
    game of transformation-ESP-3DES-SHA
    PFS group2 Set
    match address 100
    !
    !
    !
    interface FastEthernet0/0
    DMZ description $ FW_OUTSIDE$
    10.10.10.254 IP address 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    Description $ETH - LAN$ $FW_INSIDE$
    IP 172.20.2.254 255.255.255.0
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly
    IP tcp adjust-mss 1412
    automatic duplex
    automatic speed
    !
    ATM0/0/0 interface
    no ip address
    No atm ilmi-keepalive
    !
    point-to-point interface ATM0/0/0.1
    PVC 1/32
    PPPoE-client dial-pool-number 1
    !
    !
    interface Dialer1
    Description $FW_OUTSIDE$
    the negotiated IP address
    IP mtu 1452
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    Dialer pool 1
    Dialer-Group 2
    PPP authentication chap callin pap
    PPP chap hostname xxxxxxx
    PPP chap password 7 xxxxxxx8
    PPP pap sent-name of user password xxxxxxx xxxxxxx 7
    map SDM_CMAP_1 crypto
    !
    IP forward-Protocol ND
    IP http server
    local IP http authentication
    IP http secure server
    !
    !
    The dns server IP
    IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
    IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
    IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
    IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    Note category of access list 1 = 2 CCP_ACL
    access-list 1 permit 172.20.2.0 0.0.0.255
    Note access-list category 2 CCP_ACL = 2
    access-list 2 allow 10.10.10.0 0.0.0.255
    Note access-list 100 category CCP_ACL = 4
    Note access-list 100 IPSec rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    Note CCP_ACL the access list 101 = 2 category
    Note access-list 101 IPSec rule
    access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    Note access-list 102 CCP_ACL category = 2
    Note access-list 102 IPSec rule
    access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 101
    !
    allowed SDM_RMAP_2 1 route map
    corresponds to the IP 102
    !
    !
    control plan
    !
    !
    Line con 0
    line to 0
    line vty 0 4
    length 0
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    NTP-Calendar Update
    NTP 172.20.2.250 Server prefer
    end

    As I mentioned previously: suspicion is much appreciated!

    Best regards

    Joerg

    Joerg,

    ASA receives not all VPN packages because IOS does not send anything.

    Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

    The problem seems so on the side of the router.

    I think that is a routing problem, but you only have one default gateway (no other channels on the router).

    The ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that the ACL 101 is also bypassing NAT for VPN traffic.

    Follow these steps:

    Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

    I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

    Federico.

  • VPN site to Site with a side PAT

    Hi all

    I created a VPN site-to site between two ASA 5505 s, with one side having a static public IP address and one side behind a device with PAT. UDP 500 is sent to the ASA.

    The tunnel works very well if the launched of the side behind the PAT, but may not be brought after on the other side.

    Here's what I see in the system log during initialization of the 'wrong' side:

    Is it still a problem with PAT?

    Best regards

    Tobias

    Hello

    To be honest, these are sometimes a little hard the problems especially when you do not have access to actual devices.

    For me the newspapers you shared seem to indicate a problem with the negotiation of Phase 1 where this local line sends proposals of Phase 1 to the remote device until he returned their enough responsible for negotiating to complete.

    So, I would try to confirm the device to remote site that this traffic is indeed allowed. For example, you can check the remote via a management connection VPN device when the VPN is NOT upward and see if there is no sign of VPN negotiating taking place when you start the other site traffic. That said if he still sees the initial messages in the direction that has problems with the opening of the tunnel.

    When you launch the negotiation this site VPN, what you see with the release of

    ISAKMP crypto to show his

    or with the latest software

    See ikev1 crypto his

    Try to take out several times while you generate the traffic to the VPN

    If the remote device does not respond at all you would see probably something like MM_WAIT_MSG2, which means that the local VPN device awaits the first response (second message to trading) of the remote VPN device.

    Maybe this will help you narrow down the problem a bit.

    -Jouni

  • VPN router to router with overlapping of internal networks

    Hello Experts,

    A small question. How to configure a VPN router to router with overlap in internal networks?

    Two of my internal networks have ip address 192.168.10.0 and 192.168.10.0

    No link or config will be appreciated. I searched but no luck.

    Thank you

    Randall

    Randall,

    Please see the below URL for the configuration details:

    Configure an IPSec Tunnel between routers with duplicate LAN subnets

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

    Let me know if it helps.

    Kind regards

    Arul

    * Please note all useful messages *.

  • Dynamic VPN for a SAA with IP tunnel

    Hi community.

    Can someone please send a simple configuration for a SAA with dynamic IP connected to an ASA with a static IP address. I read some manuals and how to. But neither works with my ASA. All the how to are older versions of software, I use softwareversion 9.0.

    Do you need a config tunnel and political group for the ASA for dynamic IP and static IP ASA.

    Thanks in advance and greetings patrick

    Hello

    Maybe that this document could help or have you already had a look?

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    It gives simple examples of HUB with a static public IP address and 2 sites of TALKING with dynamic public IP address. Cisco ASA and Cisco router:

    In my work I rarely run in the situation where I have to configure VPNS between sites, while the other site has a dynamic IP address. Although the situations that I met were conducted using an ASA5505 as a hardware network Extension Mode client.

    I should really lab installation documents a day before me also.

    -Jouni

Maybe you are looking for

  • How can I leave toolbars 2 (or more) share the same line?

    I would like to have 2 or more toolbars that do not have an entire line share the same line (such as MS Word or Acrobat Reader).Is this possible?

  • Cannot open several tabs. Help me

    in the window of the firefox + close to tab this section press shows.but he work.means not the button isn't open a new tab to pick up a new web page.

  • Adapter USB from Cisco at the HUB of Virgin?

    I think the upgrade on a faster fiber-optic broadband offered by Virgin Media. This new installation will include a combined modem and router known as the HUB of the Virgin. However, I currently have a separate Virgin modem connected to a Cisco route

  • MI computador no zip

    Tengo amigos is a problema don't con mi PC, al end todas las labores en INICIO - APAGAR mi PC of apago y "APAGANDO EQUIPO" is is pensando y no zip, el Círculo Québec is mueve cuando zip girar already y no zip.Tengo wont WINDOWS 7 HOME PREMIUM.Gracias

  • I need help to cancel my subscription

    I need help to cancel my subscription