VPN traffic routed not when ATM / Dialer interface is up

I have a 1841 router using a serial port for the T1 and a WIC ATM to ADSL. I want all traffic to the data center of my company to go out to the T1 and all other traffic out of the ADSL connection. There is a VPN connection to the data center which works fine until the ATM/Dialer interface is enabled. The VPN tunnel is created, but no traffic is routed over the VPN. I have attached the router config.

Jason,

You can try configurations and make the new test below.

IP route datacenterLAN 255.255.255.0 serial0/0/0

IP route datacenterLAN2 255.255.0.0 serial0/0/0

IP route datacenterLAN3 255.255.255.0 serial0/0/0

IP route datacenterLAN 255.255.255.0 Dialer1 5

IP route datacenterLAN2 255.255.0.0 Dialer1 5

IP route datacenterLAN3 255.255.255.0 Dialer1 5

Kind regards

Arul

* Please note all useful messages *.

Tags: Cisco Security

Similar Questions

Newbie Help Needed: Cisco 1941 router site to site VPN traffic routing issue

Hello

Please I need help with a VPN site-to site, I installed a router Cisco 1941 and a VPN concentrator based on Linux (Sophos UTM).

The VPN is established between them, but I can't say the cisco router to send and receive traffic through the tunnel.

Please, what missing am me?

A few exits:

ISAKMP crypto to show her:

isakmp crypto #show her

IPv4 Crypto ISAKMP Security Association

DST CBC conn-State id

62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE

IPv6 Crypto ISAKMP Security Association

Crypto ipsec to show her:

Interface: GigabitEthernet0/0

Tag crypto map: QRIOSMAP, local addr 62.173.32.122

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)

current_peer 62.173.32.50 port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 52, #pkts decrypt: 52, #pkts check: 52

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

local crypto endpt. : 62.173.32.122, remote Start crypto. : 62.173.32.50

Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0

current outbound SPI: 0x4D7E4817 (1300121623)

PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:

SPI: 0xEACF9A (15388570)

transform: esp-3des esp-md5-hmac.

running parameters = {Tunnel}

Conn ID: 2277, flow_id: VPN:277 on board, sibling_flags 80000046, crypto card: QRIOSMAP

calendar of his: service life remaining (k/s) key: (4491222/1015)

Size IV: 8 bytes

support for replay detection: Y

Status: ACTIVE

Please see my config:

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

encryption... isakmp key address 62.X.X... 50

ISAKMP crypto keepalive 10 periodicals

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac TS-QRIOS

!

QRIOSMAP 10 ipsec-isakmp crypto map

peer 62.X.X set... 50

transformation-TS-QRIOS game

PFS group2 Set

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

Description WAN CONNECTION

62.X.X IP... 124 255.255.255.248 secondary

62.X.X IP... 123 255.255.255.248 secondary

62.X.X IP... 122 255.255.255.248

NAT outside IP

IP virtual-reassembly in

automatic duplex

automatic speed

card crypto QRIOSMAP

!

interface GigabitEthernet0/0.2

!

interface GigabitEthernet0/1

LAN CONNECTION description $ES_LAN$

address 192.168.20.1 255.255.255.0

IP nat inside

IP virtual-reassembly in

automatic duplex

automatic speed

!

IP nat pool mypool 62.X.X... ... Of 122 62.X.X 122 30 prefix length

IP nat inside source list 1 pool mypool overload

overload of IP nat inside source list 100 interface GigabitEthernet0/0

!

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 2 allow 10.2.0.0 0.0.0.255

Note access-list 100 category QRIOSVPNTRAFFIC = 4

Note access-list 100 IPSec rule

access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit esp 62.X.X host... 50 62.X.X host... 122

access list 101 permit udp host 62.X.X... 50 62.X.X... host isakmp EQ. 122

access-list 101 permit ahp host 62.X.X... 50 62.X.X host... 122

access-list 101 deny ip any any newspaper

access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 110 permit ip 192.168.20.0 0.0.0.255 any

!

!

!

!

sheep allowed 10 route map

corresponds to the IP 110

The parts of the configuration you posted seem better than earlier versions of the config. The initial problem was that traffic was not in the VPN tunnel. That works now?

Here are the things I see in your config

I don't understand the relationship of these 2 static routes by default. It identifies completely the next hop and a mask the bytes of Middleweight of the next hop. Sort of, it seems that they might be the same. But if they were the same, I don't understand why they both make their appearance in the config. Can provide you details?

IP route 0.0.0.0 0.0.0.0 62.X.X... 121

IP route 0.0.0.0 0.0.0.0 62.172.32.121

This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it and especially not for this translation. So I wonder how it works?

IP route 10.2.0.0 255.255.255.0 192.168.20.2

In this pair of static routes, the second route is a specific subnet more and would be included in the first and routes for the next of the same break. So I wonder why they are there are. There is not necessarily a problem, but is perhaps something that could be cleaned up.

IP route 172.17.0.0 255.255.0.0 Tunnel20

IP route 172.17.2.0 255.255.255.0 Tunnel20

And these 2 static routes are similar. The second is a more precise indication and would be included in the first. And it is referred to the same next hop. So why have the other?

IP route 172.18.0.0 255.255.0.0 Tunnel20

IP route 172.18.0.0 Tunnel20 255.255.255.252

HTH

Rick

VPN traffice is not going outside network

I can connect to my home virtual private network and access to trade, share network, ect, however, when I open a Web page or anything that needs and outside the intellectual property that I can't get out. As soon as I log out of the excellent work VPN client of web pages. Any suggestions?

Cisco PIX Firewall Version 6.3 (3)

Material: PIX - 515, 32 MB RAM, Pentium 200 MHz processor

Thanks in advance... Mike

I would try using a different acl for your tunnel of split, it is always advisable to separate your ACL.

vpngroup split tunnel 102 touavpn

access-list 102 permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list 102 permit ip 10.10.14.0 255.255.255.0 10.10.15.0 255.255.255.0

I would also get rid of what you don't need...

IP 10.10.15.0 doesn't allow any access list 101 255.255.255.0 10.10.12.0 255.255.255.0

Return VPN traffic flows do not on the tunnel

Hello.

I tried to find something on the internet for this problem, but am fails miserably. I guess I don't really understand how the cisco decides on the road.

In any case, I have a Cisco 837 which I use for internet access and to which I would like to be able to complete a VPN on. When I vpn (using vpnc in a Solaris box as it happens which is connected to the cisco ethernet interface), I can establish a VPN and when I ping a host on the inside, I see this package ping happen, however, the return package, the cisco 837 is trying to send via the public internet facing interface Dialer1 without encryption. I can't work for the life of me why.

(Also note: I can also establish a tunnel to the public internet, but again, I don't can not all traffic through the tunnel.) I guess I'm having the same problem, IE back of packages are not going where it should be, but I do know that for some, on the host being ping well, I can see the ping arriving packets and the host responds with a response to ICMP echo).

Here is the version of cisco:

version ADSL #show
Cisco IOS software, software C850 (C850-ADVSECURITYK9-M), Version 12.4 (15) T5, VERSION of the SOFTWARE (fc4)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Updated Friday 1 May 08 02:07 by prod_rel_team

ROM: System Bootstrap, Version 12.3 (8r) YI4, VERSION of the SOFTWARE

ADSL availability is 1 day, 19 hours, 27 minutes
System to regain the power ROM
System restarted at 17:20:56 CEST Sunday, October 10, 2010
System image file is "flash: c850-advsecurityk9 - mz.124 - 15.T5.bin".

Cisco 857 (MPC8272) processor (revision 0 x 300) with 59392K / 6144K bytes of memory.
Card processor ID FCZ122391F5
MPC8272 CPU Rev: Part Number 0xC, mask number 0 x 10
4 interfaces FastEthernet
1 ATM interface
128 KB of non-volatile configuration memory.
20480 bytes K of on board flash system (Intel Strataflash) processor

Configuration register is 0 x 2102

And here is the cisco configuration (IP address, etc. changed of course):

Current configuration: 7782 bytes
!
! Last configuration change at 11:57:21 CEST Monday, October 11, 2010 by bautsche
! NVRAM config updated at 11:57:22 CEST Monday, October 11, 2010 by bautsche
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime show-timezone msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
sequence numbers service
!
hostname adsl
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5
!
AAA new-model
!
!
AAA authentication login local_authen local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec local local_author
AAA authorization sdm_vpn_group_ml_1 LAN
!
!
AAA - the id of the joint session
clock timezone gmt 0
clock daylight saving time UTC recurring last Sun Mar 01:00 last Sun Oct 01:00
!
!
dot11 syslog
no ip source route
dhcp IP database dhcpinternal
No dhcp use connected vrf ip
DHCP excluded-address IP 10.10.7.1 10.10.7.99
DHCP excluded-address IP 10.10.7.151 10.10.7.255
!
IP dhcp pool dhcpinternal
import all
Network 10.10.7.0 255.255.255.0
router by default - 10.10.7.1
Server DNS 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
!
!
IP cef
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
no ip bootp Server
nfs1 host IP 10.10.140.207
name of the IP-server 212.159.11.150
name of the IP-server 212.159.13.150
!
!
!
username password cable 7
username password bautsche 7
vpnuser password username 7
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 3
BA 3des
Prior authentication group part 2
the local address SDM_POOL_1 pool-crypto isakmp client configuration
!
ISAKMP crypto client configuration group groupname2
key
DNS 10.10.140.201 10.10.140.202
swangage.co.uk field
pool SDM_POOL_1
users of max - 3
netmask 255.255.255.0
!
ISAKMP crypto client configuration group groupname1
key
DNS 10.10.140.201 10.10.140.202
swangage.co.uk field
pool SDM_POOL_1
users of max - 3
netmask 255.255.255.0
ISAKMP crypto sdm-ike-profile-1 profile
groupname2 group identity match
client authentication list sdm_vpn_xauth_ml_1
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
ISAKMP crypto profile sdm-ike-profile-2
groupname1 group identity match
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac ESP_MD5_3DES
Crypto ipsec transform-set ESP-AES-256-SHA aes - esp esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
Set the security association idle time 3600
game of transformation-ESP-AES-256-SHA
market arriere-route
crypto dynamic-map SDM_DYNMAP_1 2
Set the security association idle time 3600
game of transformation-ESP-AES-256-SHA
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
Crypto ctcp port 10000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
!
!
!
Null0 interface
no ip unreachable
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 0/38
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
waiting-224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description $FW_INSIDE$
10.10.7.1 IP address 255.255.255.0
IP access-group 121 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
map SDM_CMAP_1 crypto
Hold-queue 100 on
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP access-group 121 to
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
No cutting of the ip horizon
Dialer pool 1
Dialer idle-timeout 0
persistent Dialer
Dialer-Group 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname
PPP chap password 7
map SDM_CMAP_1 crypto
!
local IP SDM_POOL_1 10.10.148.11 pool 10.10.148.20
IP local pool public_184 123.12.12.184
IP local pool public_186 123.12.12.186
IP local pool public_187 123.12.12.187
IP local pool internal_9 10.10.7.9
IP local pool internal_8 10.10.7.8
IP local pool internal_223 10.10.7.223
IP local pool internal_47 10.10.7.47
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer1
IP route 10.10.140.0 255.255.255.0 10.10.7.2
!
no ip address of the http server
no ip http secure server
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source static 10.10.7.9 123.12.12.184
IP nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 Expandable
IP nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 expandable
IP nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extensible
IP nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extensible
IP nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extensible
IP nat inside source static tcp 10.10.7.8 123.12.12.185 1587 1587 extensible
IP nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extensible
IP nat inside source static 10.10.7.223 123.12.12.186
IP nat inside source static 10.10.7.47 123.12.12.187
!
record 10.10.140.213
access-list 18 allow one
access-list 23 permit 10.10.140.0 0.0.0.255
access-list 23 permit 10.10.7.0 0.0.0.255
Access-list 100 category SDM_ACL = 2 Note
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access ip-list 100 permit a whole
Note access-list 121 SDM_ACL category = 17
access-list 121 deny udp any eq netbios-dgm all
access-list 121 deny udp any eq netbios-ns everything
access-list 121 deny udp any eq netbios-ss all
access-list 121 tcp refuse any eq 137 everything
access-list 121 tcp refuse any eq 138 everything
access-list 121 tcp refuse any eq 139 all
access ip-list 121 allow a whole
access-list 125 permit tcp any any eq www
access-list 125 permit udp any eq isakmp everything
access-list 125 permit udp any any eq isakmp
access-list 194 deny udp any eq isakmp everything
access-list 194 deny udp any any eq isakmp
access-list 194 allow the host ip 123.12.12.184 all
IP access-list 194 allow any host 123.12.12.184
access-list 194 allow the host ip 10.10.7.9 all
IP access-list 194 allow any host 10.10.7.9
access-list 195 deny udp any eq isakmp everything
access-list 195 deny udp any any eq isakmp
access-list 195 allow the host ip 123.12.12.185 all
IP access-list 195 allow any host 123.12.12.185
access-list 195 allow the host ip 10.10.7.8 all
IP access-list 195 allow any host 10.10.7.8
not run cdp
public_185 allowed 10 route map
corresponds to the IP 195
!
public_184 allowed 10 route map
corresponds to the IP 194
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 100
!
!
control plan
!
!
Line con 0
connection of authentication local_authen
no activation of the modem
preferred no transport
telnet output transport
StopBits 1
line to 0
connection of authentication local_authen
telnet output transport
StopBits 1
line vty 0 4
access-class 23 in
privilege level 15
authorization exec local_author
connection of authentication local_authen
length 0
preferred no transport
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
130.88.202.49 SNTP server
130.88.200.98 SNTP server
130.88.200.6 SNTP server
130.88.203.64 SNTP server
end

Any help would be appreciated.

Thank you very much.

Ciao,.

Eric

Hi Eric,.

(Sorry for the late reply - needed some holidays)

So I see that you have a few steps away now. I think that there are 2 things we can try:

1)

I guess you have provided that:

IP nat inside source overload map route SDM_RMAP_1 interface Dialer1

Since the routemap refers to ACL 100 to define the traffic to be translated, we can exclude traffic that initiates the router:

Access-list 100 category SDM_ACL = 2 Note

access-list 100 deny ip 123.12.12.185 host everything
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access ip-list 100 permit a whole

Which should prevent the source udp 4500 to 1029 changing port

OR

2)

If you prefer to use a different ip address for VPN,

Then, you can use a loop like this:

loopback interface 0

123.12.12.187 the IP 255.255.255.255

No tap

map SDM_CMAP_1 crypto local-address loopback 0

I don't think you should apply card encryption to the loopback interface, but it's been a while since I have configured something like that, so if you have problems first try and if still does not get the crypto debugs new (isakmp + ipsec on the vpn, nat router on the router of the client package).

HTH

Herbert

Static route disappears when the interface down

Can someone please help me on this:

I have the static route on a router to a remote network, remote network interface was in a line down to the low State and static entry has disappeared from the routing table, I could see the entrance to the road, static in the config but it possible? It's a router 3745 with a Diginet 128 K link to remote network.

It is perfectly normal behavior. If the static route would remain in the routing table, the router might be transfer traffic to an interface that is not working properly.

An exception is a dialer interface, which connects to the application. The router must be able to transfer the traffic through a dialer, even when there is no call in progress. In this case, the router will be "spoof" the connection as being upward. You can see with ' show the Dialer interface... '

HTH

Configuration of the router to allow VPN traffic through

I would like to ask for assistance with a specific configuration to allow VPN traffic through a router from 1721.

The network configuration is the following:

Internet - Cisco 1721 - Cisco PIX 506th - LAN

Remote clients connect from the internet by using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. Inside of the interface of the router is 192.168.0.1.

The pix was originally configured with a public ip address and has been tested to work well to authenticate VPN connections and passing traffic in the local network. Then, the external ip address was changed to 192.168.0.2 and the router behind.

The 1721 is configured with an ADSL connection, with fall-over automatic for an asynchronous connection. This configuration does not work well, and in the local network, users have normal internet access. I added lists of access for udp, esp and the traffic of the ahp.

Cisco VPN clients receive an error indicating that the remote control is not responding.

I have attached the router for reference, and any help would be greatly apreciated.

Manual.

Brian

For VPN clients reach the PIX to complete their VPN the PIX needs to an address that is accessible from the outside where the customers are. When the PIX was a public address was obviously easy for guests to reach the PIX. When you give the PIX one address private, then he must make a translation. And this becomes a problem if the translation is dynamic.

You have provided a static translation that is what is needed. But you have restricted the TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP and ESP, AHP traffic? How is it to be translated?

If there is not a static translation for ISAKMP traffic, ESP and AHP so clients don't know how to reach the server. Which brings me to the question of what the address is configured in the client to the server?

HTH

Rick

Why not a dialer interface must a 'chain of Dialer?

Hi guys, when linking an ISP using xDSL why does not need a "Dialer string"? The dialer interface is not supposed to make a call or dial or something like that? Thank you.

Hello

DSL technologies do any calls in all of your telephone network. They use just the cables from your home or office to the nearest telephone switch (the so-called local loop) for transmitting data on the frequencies significantly higher than that which would be allowed to go through the switchboard. These DSL signals is forks before the central telephone and diverted to a DSL access Multiplexer (DSLAM), while speech signals continue to be treated by the telephone. On the DSLAM, DSL signals are treated as data and then routed on the provider's data network.

So because DSL signals do not actually lead the telephone exchanges, no calls are made, and therefore, there is no necessary dialer string. DSL is a technology always - on - as soon as you plug your DSL modem or router to the telephone line, he started talking immediately on the line for the closest DSLAM.

Please feel welcome to ask for more!

Best regards

Peter

traffic Windows 7 not out on the interface of traffic as it is assumed

Hi experts

I got this company of Win7. I want to install two network interfaces on it. A network interface will be for the management of the machine itself. and another interface for application traffic. I had an application that I run and which consumes a lot of bandwidth to the point that if I put everything on an interface I could lose the RDP connection.

Also, I have set up my IP of mgmt interface. and it works. I can RDP into it. But when I configure the 2nd interface with its IP address, the auto road which becomes forces added traffic to pass by my mgmt interface/IP, which is not what I want.

These two survey periods are two different subnets and they go to different switches. I did a simple sketch of my installation below to show what I'm trying to accomplish.

Under linux, I would just like to add a static route and who takes care of this, but how do I do that on Windows?

I follow this guide but still have the same problem:

http://Windows.Microsoft.com/en-CA/Windows/configuring-multiple-network-gateways#1TC=Windows-7

Hello

I understand the inconvenience caused.

For assistance, I suggest you to post the question on the link below. The link below is the link of support for TechNet Support forums. They are experts in your field of investigation and would be in a better position to answer your concerns.

https://social.technet.Microsoft.com/forums/en-us/home?category=w7itpro&filter=AllTypes&sort=lastpostdesc

Hope this Information is useful.

RV180W of WLAN traffic is not routed to WAN

My WIFI traffic is not routed to WAN.

I can access LAN and plug to NIR all on the local network. But internet access is not possible. WAN LAN access is allowed.

I have reset the RV180w to factory settings and also reflashed the firmware to make sure.

To configure a static route to wlan to wan?

The routing of the generated RV180 table

Destination	Entry door	Genmask	Metric	REF	Use	Interface	Type	Flags
127.0.0.1	127.0.0.1	255.255.255.255	1	0	0	Lo	Static	Upward, gateway, host
172.16.0.0	0.0.0.0	255.255.254.0	0	0	0	BDG1	Dynamics	UPWARD
85.0.84.0	0.0.0.0	255.255.252.0	0	0	0	eth1	Dynamics	UPWARD
127.0.0.0	0.0.0.0	255.0.0.0	0	0	0	Lo	Dynamics	UPWARD
0.0.0.0	85.0.84.1	0.0.0.0	0	0	0	eth1	Dynamics	Upward, gateway

Hi Pete,.

I read your case, it seems that the problem is not related. What I am referring is an external AP connected to the RV180W when the wireless is enabled on the RV180W. Devices that connect to the AP will not be able to access the internet. If the radio on the RV180W is turned off, the devices that connect to the AP can connect to internet.

-Marty

VPN; list of access on the external interface allowing encrypted traffic

Hi, I have a question about the access list on the external interface of a router 836. We have several routers on our clients site, some are lan2lan, some are client2router vpn.

My question is; Why should I explicitly put the ip addresses of the client vpn or tunnel lan to the access list. Because the encrypted traffic to already allowing ESPs & isakmp.

The access list is set to the outgoing interface with: ip access-group 102 to

Note access-list 102 incoming Internet via ATM0.1

Note access-list 102 permit IP VPN range

access-list 102 permit ip 192.123.32.0 0.0.0.255 192.123.33.0 0.0.0.255

access-list 102 permit ip 14.1.1.0 0.0.0.255 any

access-list 102 permit esp a whole

Note access-list 102 Open VPN Ports and other

access-list 102 permit udp any host x.x.x.x eq isakmp newspaper

I have to explicitly allow 192.123.32.0 (range of lan on the other side) & 14.1.1.0 (range of vpn client) because if I'm not I won't be able to reach the network.

The vpn connection is not the problem, all traffic going through it.

As far as I know, allowing ESPs & isakmp should be sufficient.

Can anyone clarify this for me please?

TNX

Sebastian

This has been previously answered on this forum. See http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.ee9f970/0#selected_message for more details.

VPN tunnel is up, but traffic will not travel

Does not include why it does not work. I perform extended ping but no ping at all when before he did. I made a few changes since a new T1 has been installed. Any who take a quick look at this config...

------------------------------

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

ISAKMP crypto key MYKEY address YYY. YYY. YYY. YYY

!

Crypto ipsec transform-set esp-3des esp-md5-hmac TUNNELSET

!

crypto map ipsec-isakmp TUNNEL 1

defined peer YYY. YYY. YYY. YYY

game of transformation-TUNNELSET

match address BIZ - hq

!

interface Loopback1

address IP XXX.XXX. XXX.9 255.255.255.248

NAT outside IP

IP virtual-reassembly

card crypto TUNNEL

Crypto ipsec df - bit clear

!

interface FastEthernet0/0/3

Description LOCAL_LAN_INTERFACE

!

interface Serial0/1/0

address IP XXX.XXX. XXX.2 255.255.255.252

NAT outside IP

IP virtual-reassembly

encapsulation ppp

!

interface Vlan1

IP 192.168.150.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

IP route 0.0.0.0 0.0.0.0 XXX.XXX. XXX.1

!

nat T1 XXX.XXX IP pool. XXX.9 XXX.XXX. XXX.9 netmask 255.255.255.248

IP nat inside source overload map route sheep pool T1

!

DONOTNAT extended IP access list

deny ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255

deny ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255

IP 192.168.150.0 allow 0.0.0.255 any

BIZ - hq extended IP access list

IP 192.168.150.0 allow 0.0.0.255 192.100.100.0 0.0.0.255

IP 192.168.150.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

!

access-list 20 allow NN. NN.162.160 0.0.0.31

access-list 20 allow NN. NN.197.192 0.0.0.31

access-list 20 permit 192.168.150.0 0.0.0.255

access-list 20 allow 192.168.9.0 0.0.0.255

!

sheep allowed 10 route map

corresponds to the IP DONOTNAT

You must ensure that the peer set x.x.x.x and isakmp crypto key xxxx address x.x.x.x on the other router point effectively to the new ip address of your router...

Yes, you can finish on the loopback interface is the command to do this:

crypto map-name-address-id of interface card

When you the interface id is your loopback interface...

For more information on this command, please see the following link:

http://www.Cisco.com/en/us/products/SW/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7b6.html#wp1018189

Please rate this message if it helps!

Kind regards

"Gateway router not found" error when you try to connect the TiVO DVR with DLink router.

Original title: gateway router not found

try to connect the tivo series 2 to the internet with dlink router that he used to work with previous tivo but not with tivo now, it says gateway router not found
However, my laptop works fine with the router, I tried tivo support nothing helps, too, if I use the phone line works of tivo, but do not store a lot and is running out of room so it will not work fo rme, helllpppppppp thanks

Hello

Where exactly you get this error message?

See the troubleshooting suggested in "Network error message N07 or C107" steps from this link.

If you try to connect the tivo series 2 to the internet with dlink router then check out the link below:

http://support.TiVo.com/app/answers/detail/A_ID/400

Please contact the manufacturer.

SonicWall VPN PIX - does not, could someone help?

Hi all

I'm trying to set up an a 506th PIX VPN tunnel (firmware 6.3 (2)), a firewall SonicWall Pro. It does not at the moment. Phase 1 is ok but the phase 2 is not, the VPN tunnel has not been established, and the security association is removed after a minute or two. I enclose below the PIX config and an attempt to create VPN tunnel debugging output (slightly modified and cut for reasons of confidentiality). The PIX already has other two VPN configured which work perfectly.

I would be very grateful to anyone who could help me answer the following questions about this VPN configuration:

1. to debug output, which means the next?

ISAKMP (0): retransmission of the phase 2 (0/0)... mess_id 0xafc08a94

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

2. in the config, I don't know if the 3 static controls are necessary and how it might interact... What do you think?

3. in what order things happen in the PIX when traffic is from the local network to remote network by VPN? What is NAT then treatment then setting up VPN to access list? or or treatment, then NAT and VPN to access list? or another possibility?

4. How can I get it work?

Thank you very much in advance for any help provided,

A.G.

########### NAMING #################################

vpnpix1 - is the local cisco PIX

remotevpnpeer - is the Sonicwall firewall remote

Intranet - is the local network behind PIX

remotevpnLAN - is the remote network behind the SonicWall

################ CONFIG #############################

6.3 (2) version PIX

interface ethernet0 10full

interface ethernet1 10full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

.../...

hostname vpnpix1

.../...

names of

name A.B.C.D vpnpix1-e1

name X.Y.Z.T vpnpix1-e0

name E.F.G.H defaultgw

intranet name 10.0.0.0

name 192.168.250.0 nat-intranet

name J.K.L.M internetgw

name 10.M.N.P server1

name Server2 10.M.N.Q

name 10.M.N.R server3

name 192.168.252.0 remotevpnLAN

name 10.1.71.0 nat-remotevpnLAN

.../...

object-group network server-group

description servers used by conencted to users remote LAN through a VPN tunnel

network-host server1 object

host Server2 network-object

network-host server3 object

.../...

access allowed INCOMING tcp nat-remotevpnLAN 255.255.255.0 list object-group server-eq - ica citrix

.../...

OUTBOUND ip intranet 255.0.0.0 allowed access list nat-remotevpnLAN 255.255.255.0

access list permits INTRANET-to-remotevpnLAN-VPN ip intranet 255.0.0.0 255.255.255.0 remotevpnLAN

access-list SHEEP, remotevpnLAN permits intranet ip 255.0.0.0 255.255.255.0 nat-remotevpnLAN

.../...

IP address outside the vpnpix1-e0 255.255.255.240

IP address inside the vpnpix1-e1 255.255.252.0

.../...

Global 192.168.250.1 1 (outside)

NAT (inside) 0 access-list SHEEP-to-remotevpnLAN

NAT (inside) 1 intranet 255.0.0.0 0 0

.../...

static (inside, outside) server1 server1 netmask 255.255.255.255 0 0

public static server2 (indoor, outdoor) server2 netmask 255.255.255.255 0 0

public static server3 (indoor, outdoor) server3 netmask 255.255.255.255 0 0

static (exterior, Interior) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0

.../...

Access-group ENTERING into the interface outside

Access-group OUTGOING in the interface inside

Route outside 0.0.0.0 0.0.0.0 internetgw 1

Route inside the intranet 255.0.0.0 defaultgw 1

.../...

Permitted connection ipsec sysopt

.../...

Crypto ipsec transform-set esp-3des esp-md5-hmac VPN - TS1

.../...

map BusinessPartners 30 ipsec-isakmp crypto

card crypto BusinessPartners 30 matches the INTRANET-to-remotevpnLAN-VPN address

card crypto BusinessPartners 30 set peer remotevpnpeer

card crypto BusinessPartners 30 game of transformation-VPN-TS1

BusinessPartners outside crypto map interface

ISAKMP allows outside

.../...

ISAKMP key * address remotevpnpeer netmask 255.255.255.255

ISAKMP identity address

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 3des encryption

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 28800

part of pre authentication ISAKMP policy 20

ISAKMP policy 20 3des encryption

ISAKMP policy 20 chopping sha

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 28800

part of pre authentication ISAKMP policy 30

ISAKMP policy 30 3des encryption

ISAKMP policy 30 md5 hash

30 1 ISAKMP policy group

ISAKMP duration strategy of life 30 28800

.../...

: end

################## DEBUG ############################

vpnpix1 # debug crypto isakmp

vpnpix1 #.

ISAKMP (0): early changes of Main Mode

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

Exchange OAK_MM

ISAKMP (0): treatment ITS payload. Message ID = 0

ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

ISAKMP: 3DES-CBC encryption

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: duration of life (basic) of 28800

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

to return to the State is IKMP_NO_ERROR

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

Exchange OAK_MM

ISAKMP (0): processing KE payload. Message ID = 0

ISAKMP (0): processing NONCE payload. Message ID = 0

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): ID payload

next payload: 8

type: 1

Protocol: 17

Port: 500

Length: 8

ISAKMP (0): the total payload length: 12

to return to the State is IKMP_NO_ERROR

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

Exchange OAK_MM

ISAKMP (0): processing ID payload. Message ID = 0

ISAKMP (0): HASH payload processing. Message ID = 0

ISAKMP (0): SA has been authenticated.

ISAKMP (0): start Quick Mode Exchange, M - ID - 1346336108:afc08a94

to return to the State is IKMP_NO_ERROR

ISAKMP (0): send to notify INITIAL_CONTACT

ISAKMP (0): sending message 24578 NOTIFY 1 protocol

Peer VPN: ISAKMP: approved new addition: ip:remotevpnpeer / 500 Total VPN peer: 3

Peer VPN: ISAKMP: Peer ip:remotevpnpeer / 500 Ref cnt incremented: 1 Total VPN peer: 3

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP (0): processing NOTIFY payload Protocol 14 1

SPI 0, message ID = 476084314

to return to the State is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmission of the phase 2 (0/0)... mess_id 0xafc08a94

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

ISAKMP (0): start Quick Mode Exchange, M - ID 1919346690:7266e802

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

ISAKMP (0): retransmission of the phase 2 (1: 1)... mess_id 0xafc08a94

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

ISAKMP (0): retransmission of the phase 2 (0/2)... mess_id 0x7266e802

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

ISAKMP (0): retransmission of the phase 2 (2/3)... mess_id 0xafc08a94

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

ISAKMP (0): retransmission of the phase 2 (1/4)... mess_id 0x7266e802

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: error msg not encrypted

ISAKMP (0): start Quick Mode Exchange, M - ID - 1475513565:a80d7323

ISAKMP (0): delete SA: CBC vpnpix1-e0, dst remotevpnpeer

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: drop msg deleted his

ISADB: Reaper checking HIS 0x10ff1ac, id_conn = 0 DELETE IT!

Peer VPN: ISAKMP: Peer ip:remotevpnpeer / 500 Ref cnt decremented for: 0 Total of VPN peer: 3

Peer VPN: ISAKMP: deleted peer: ip:remotevpnpeer / 500 Total VPN peers: 2

ISADB: Reaper checking HIS 0 x 1100984, id_conn = 0

ISADB: Reaper checking HIS 0x10fcddc, id_conn = 0

crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1 - dpt:500 e0 spt:500

ISAKMP: its not located for ike msg

#####################################################

Get rid of:

static (exterior, Interior) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0

You don't need it. Change:

OUTBOUND ip intranet 255.0.0.0 allowed access list nat-remotevpnLAN 255.255.255.0

access-list SHEEP, remotevpnLAN permits intranet ip 255.0.0.0 255.255.255.0 nat-remotevpnLAN

TO:

access list permits OUTGOING ip intranet 255.0.0.0 255.255.255.0 remotevpnLAN

access-list SHEEP, remotevpnLAN permits intranet ip 255.0.0.0 255.255.255.0 remotevpnLAN

This indicates the PIX not NAT IPSec traffic. NAT happens BEFORE IPSec in the PIX, so if you the traffic IPSec nat it will never match your crypto access list and will not be encrypted.

This, however, should not stop the tunnel of Phase 2 of the course of construction, they would stop flowing above the tunnel, traffic, so you still have a problem somewhere. What I'm guessing, is that the Sonicwall (SW) has a different encryption-defined list access, it must be the EXACT OPPOSITE of what is configured on the PIX. In other words, the SW should be encrypting the traffic of "remotevpnLAN-24" "intranet/8", make sure that the subnet mask ar ETHE same too. "

To answer your questions:

1. it simply means that the PIX has not received a response and is to retransmit the last ISAKMP packet. The process_block simply means that the PIX has dropped a package that was to be encrypted because the IPSec tunnel has not been built. If you get the tunnel built, these messages will disappear.

2. the 3 first static does not appear to be linked to the tunnel IPSec, if they are simply to access a server inside, then they will not affect this VPN tunnel. The last of them should be deleted, as I already said.

3. for traffic initiated from inside the PIX, the order is incoming ACL, then NAT, IPSec processing. That's why your OUTGOING ACL must allow traffic first, then your NAT 0 statement refuses to be NAT had, then the encryption function is the traffic and the number.

4 do what I said above :-)

If you still have no luck, re - run debugs, but initiate traffic behind the Sonicwall, in this way the Sonicwall will try and debug of build that the tunnel and you will get more information on the PIX. Mainly, we'll see what traffic model the SonicWall is configured to encrypt (you don't see if the PIX initiates the tunnel).

Site to site VPN with router IOS

I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

Thank you in advance.

Pete.

Pete

I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

-you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

-I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

-If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

-I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

-regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

-You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

-There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

-I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

I hope that your application is fine and that my suggestions could be useful.

[edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

HTH

Rick

Site to Site VPN configuration does not

Hello

I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.

My VPN on ASA1 and ASA2 configs are below:

ASA1

Note to outside_cryptomap_1 to access list VPN traffic to encrypt
outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0

Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400

tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
Cisco pre-shared key IKEv1

Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 11.11.11.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outside

ASA2

Note to outside_cryptomap_1 to access list VPN traffic to encrypt
permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0

Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400

tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
Cisco pre-shared key IKEv1

Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 12.12.12.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outside

I can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.

I tried a few commands show and they came out absolutely empty... as I have not configured:

SH in detail its crypto isakmp

There are no SAs IKEv1

There are no SAs IKEv2

SH crypto ipsec his

There is no ipsec security associations

Anyone have any ideas?

Hi martin,

Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
What I mentioned in the previous note follow this.

--------------------

ASA1

ASA1 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA1
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.2 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 11.11.11.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA1 (config) #.
---------------------

ASA2 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA2
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 12.12.12.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA2 (config) #.

-------------------------
OUTPUTS:

*********************

ASA1 (config) # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 11.11.11.2
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

---------------------

ASA1 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2

access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
current_peer: 11.11.11.2

#pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2

------------------------
ASA2 (config) # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 12.12.12.2
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE

------------------------

ASA2 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2

access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 12.12.12.2

#pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
-------------------------

VPN traffic routed not when ATM / Dialer interface is up

Similar Questions

Maybe you are looking for