VRF Tunneling traffic question?

Similar Questions

• Tunnel traffic to a subnet

  We have a tunnel vpn site-to-site that works well conecting the remote site 192.168.100.x/24 to our 10.27.x.x/16. We have however added a subnet on our end 172.16.100.x/24 with some portions to this topic. We would like the movement of the tunnel from the remote for this subnet. Behind the ASA (which ends the tunnel on our side), we also have a router that has the different subnets and how to route traffic to 172.16.100.x/24 in particular. The router is the default gateway for all devices on our local area network and its "is in turn the inside interface of the ASA gateway.

  ASA <--->router<---> main LAN (10.27.x.x/16)

  |

  |

  172.16.100.x/24

  Basically, my question is how to address the issue and tunnel traffic from the remote site to this new subnet.

  My assumtions are to:

  1. define the traffic from the remote site - 192.168.100.x to 172.16.100.x as 'interesting' on the remote site router, so he gets in the tunnel.

  2. set a static route on the SAA, he says that traffic to 172.16.100.x must go through our router... or

  3. set a 'syringe (for VPN traffic tunnel default gateway)"as our router...

  Would appreciate your comments on this. Thank you!

  You have it. Just define your interesting traffic on both sides and make sure that the ASA main has a road to the new subnet. Depending on your configuration, you also need to add an entry to the No. - NAT rules on the two ASAs to this new traffic.

  HTH,

  Paul

• Tunnel traffic inside IPSEC tunnel

  Hello world

  Site has a Site B through ASA IP Sec Tunnel.

  Now turn on Site a GRE tunnel and the tunnel destination is happening inside the IPSEC tunnel.

  In other words, IPSEC tunnel between 2 sites also leads the GRE Tunnel traffic.

  Who's in charge, I can run on ASA whether IPSEC is transport traffic of the GRE tunnel or

  Which line in config ASA will tell me that this IPSEC also conducts traffic GRE tunnel?

  Thank you

  MAhesh

  Hello

  I think that you will probably see GRE in the ASA connection table when the connection is in use.

  You can try the command

  Show conn | Volition Inc.

  And see if this produceses matter what exit.

  Can you possibly provide "interface Tunnelx" configurations and if its using other interfaces such as 'tunnel source' and 'destination tunnel' then their configurations also.

  -Jouni

• Tunnel traffic through the Access Point

  I "tunnelenabled" in the parameters of Access Points of JSON: true;

  And on the Access Point associated connection servers config guide recommends not allowing the tunneling.

  The end result is that the traffic is going through the Access Point and not crossing does not connect to the server. The client wants to keep the absolute minimum for the ports open between the objects, so I want to tunnel traffic from the Access Points through the connection to the server, and then click the virtual and physical machines internal who installed the agent to view. Even when I check the options of tunnel on the login server it always appears as if traffic is bypassing the broker for the connections and go straight to the agents.

  
  

  What the configuration change that I do have all the traffic goes through the access points and associated connection servers?

  
  

  Thanks in advance for any help or suggestion-

  
  

  J

  After a lot of trial and error reduced us to certificates that we created for Access Points. HTML5 Blast Bridge did not have other names of the object in the cert. Once we gave them a cert that had the URL and not the SAN (subject alternative names) with the real access Point server names that Blast started working again.

• Multicast over GRE tunnel traffic

  Hi guys,.

  I have a connection via ISP connection point to point BGP on a connection of 100 Mbps between the branch and the central office.

  I set up in two cisco routers with ios security advance 2801 a tunnel WILL running the ospf Protocol so I can share the multicast traffic for streaming between the two sites, but I am only able to get 6 Mbps out of the tunnel between the sites. I have configured multicast PIM sparc-mode to transport video traffic above the tunnel.

  Is there a limit on the GRE tunnel, could it be MTU, or perhaps other issues anyone can help me solve this question guys?

  Hello

  There is a lot of discussion about the limitations of bandwidth on the tunnel interface. But most of the discussions flow seems to be linked to the limitation of the software on the device.

  Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If this is not the case, turn it on, as it recommended on the tunnel interface.

  HTH.

  Evaluate the useful ticket.

  Kind regards

  Terence

• Internet through a RA IPSec VPN Tunnel traffic

  Armed with an ASA 5505 Security Plus, I configure IPSec VPN for RA the VPN IP address pool is in the 192.168.2.0/28 network.

  The Lan is 192.168.1.0/24 with inside interface a.254.

  The VPN works great. What I would do is to route all internet through the firewall traffic when users are connected to the VPN. I put this gateway 192.168.1.254 tunnel, but I'm having no luck to get it works.

  Any ideas?

  Thanks in advance!

  You are just going to route internet traffic to the remote vpn client to the ASA and backward on the Internet?

  If the above statement is correct, you need not configure the tunnel default gateway.

  But you need to configure NAT for the ip pool, so they can go to the internet, as well as the 'same-security-movement' command as follows:

  NAT (outside) 1 192.168.2.0 255.255.255.0

  permit same-security-traffic intra-interface

  In addition, assuming that you have not have split configured tunnel.

• VPN, Internet and a Split Tunnels traffic

  Please attached photo because I hope that explains what I really want to do, but here's the break down.

  When a VPN Client connects to remote access to 1-ASA5510 I want all Internet traffic to send to 2 - ASA5510 instead of back to the default route. When it comes out 2-ASA5510, it passes through the content filter. 2 - ASA5510 has Split Tunnel put in place and we are trying to do away with Tunnel from SPlit.

  I hope this is clear enough.

  Any ideas would be helpful

  Dan

  Dan,

  Difficult but doable! First of all, there is a nice feature in the ASA that allows configuration of remote proxy based on VPN profile by: -.

  Group Policy <> attributes

  use a MSIE-proxy-server method

  Internet Explorer-proxy server value x.x.x.x

  activate Internet Explorer-proxy local-bypass

  Well Yes you guessed it - works only on Microsoft Internet Explorer.

  I don't think that any policy based routing would work for you - bad luck.

  But you can try another feature - traffic through the tunnel, which is normally used in the topllogy of EasyVPN: -.

  http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd8060b477.html

  Configuration of the ASA at the bottom, I probably would test this with the IP address of the 2651 router!

  HTH.

• Error of tunneling traffic to 2 networks on the same link?

  Hi all

  Here is my list of current access to bring up my VPN tunnel. Everything works fine with it, but I have several networks from the source router. How to encrypt traffic from the same source router going to the same router by peers. Do I have to create a different ACL or can just add another license to the current ACL statement?

  INT_Traffic extended IP access list
  IP address 172.16.0.0 allow 0.0.255.255 172.17.0.0 0.0.255.255

  Can I change the ACL above to this? Every time I add the second permit States below, I get the error below.

  INT_Traffic extended IP access list
  IP address 172.16.0.0 allow 0.0.255.255 172.17.0.0 0.0.255.255

  ip permit 172.30.3.0 0.0.0.255 172.30.3.0 ip 0.0.255 or permit 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255

  peer networks peer Destination source.

  Mar 1 04:18:29.842: IPSEC (sa_request):,.
  (Eng. msg key.) Local OUTGOING = 192.168.0.1, 192.168.0.2 = distance.
  local_proxy = 172.16.0.0/255.255.0.0/0/0 (type = 4),
  remote_proxy = 172.30.4.0/255.255.255.0/0/0 (type = 4),
  Protocol = ESP, transform = esp - aes 256 esp-sha-hmac (Tunnel),
  lifedur = 3600 s and KB 4608000,
  SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
  * 04:18:29.850 Mar 1: ISAKMP: set new node 0 to QM_IDLE
  * 04:18:29.850 Mar 1: ITS a exceptional applications (102.72.38.92 local port 500, 102.72.38.64 remote port 500)
  * 1 Mar 04:18:29.854: ISAKMP: (1001): sitting IDLE. From QM immediately (QM_IDLE)
  R2(config-ext-NaCl) #.
  * 04:18:29.854 Mar 1: ISAKMP: (1001): start Quick Mode Exchange, M - ID of 623193098
  * 04:18:29.858 Mar 1: ISAKMP: (1001): initiator QM gets spi
  * 1 Mar 04:18:29.862: ISAKMP: (1001): send package to 192.168.0.2 my_port 500 peer_port 500 (I) QM_IDLE
  * 04:18:29.862 Mar 1: ISAKMP: (1001): sending a packet IPv4 IKE.
  * 04:18:29.866 Mar 1: ISAKMP: (1001): entrance, node-623193098 = IKE_MESG_INTERNAL, IKE_INIT_QM
  * 04:18:29.866 Mar 1: ISAKMP: (1001): former State = new State IKE_QM_READY = IKE_QM_I_QM1
  * 04:18:30.422 Mar 1: ISAKMP (0:1001): received packet of 192.168.0.2 dport 500 sport Global 500 (I) QM_IDLE
  * 04:18:30.426 Mar 1: ISAKMP: node set-1733728027 to QM_IDLE
  * 1 Mar 04:18:30.430: ISAKMP: (1001): HASH payload processing. Message ID =-1733728027
  * 1 Mar 04:18:30.430: ISAKMP: (1001): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
  SPI 2018370628, message ID =-1733728027, his 664824F8 =
  * 1 Mar 04:18:30.434: ISAKMP: (1001): delete message spi 2018370628
  R2 (config-ext-nacl) #ID =-623193098
  * 04:18:30.434 Mar 1: ISAKMP: (1001): node-623193098 error suppression REAL reason "remove larval.
  * 04:18:30.434 Mar 1: ISAKMP: (1001): node-1733728027 error suppression FALSE reason 'informational (en) State 1.
  * 04:18:30.438 Mar 1: ISAKMP: (1001): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  * 04:18:30.438 Mar 1: ISAKMP: (1001): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  hostname R2
  !
  boot-start-marker
  boot-end-marker
  !
  !
  No aaa new-model
  memory iomem size 5
  IP cef
  !
  !
  !
  !
  no ip domain search
  property intellectual auth-proxy max-nodata-& 3
  property intellectual admission max-nodata-& 3
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  Archives
  The config log
  hidekeys
  !
  !
  crypto ISAKMP policy 50
  BA aes 256
  preshared authentication
  Group 5
  key cisco address 192.168.0.2 crypto ISAKMP xauth No.
  !
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac Cisco
  !
  VPN_MAP 10 ipsec-isakmp crypto map
  defined peer 192.168.0.2
  game of transformation-Cisco
  match address INT_Traffic
  !
  !
  !
  !
  !
  !
  !
  interface FastEthernet0/0
  IP 172.16.0.2 255.255.255.252
  automatic duplex
  automatic speed
  !
  interface Serial0/0
  the IP 192.168.0.1 255.255.255.252
  clock speed of 128000
  card crypto VPN_MAP
  !
  interface FastEthernet0/1
  no ip address
  Shutdown
  automatic duplex
  automatic speed
  !
  interface Serial0/1
  no ip address
  Shutdown
  2000000 clock frequency
  !
  router RIP
  version 2
  network 172.16.0.0
  network 192.168.0.0
  No Auto-resume
  !
  IP forward-Protocol ND
  !
  !
  IP http server
  no ip http secure server
  !
  INT_Traffic extended IP access list
  IP address 172.16.0.0 allow 0.0.255.255 172.17.0.0 0.0.255.255
  IP address 172.16.0.0 allow 0.0.255.255 172.30.4.0 0.0.0.255
  !
  !
  !
  !
  !
  !
  !
  control plan
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  Line con 0
  exec-timeout 0 0
  Synchronous recording
  line to 0
  line vty 0 4
  opening of session
  !
  !
  end

  R2 #.

  (1) you can not configure the same subnet for the subnet source and destination. Each end of the VPN must be unique. Therefore, you cannot add "ip 172.30.3.0 allow 0.0.0.255 172.30.3.0 0.0.255" to the ACL INT_Traffic.

  (2) If you add another row of ACL under INT_Traffic, you also add the same image mirror ACL on the VPN peer device. You can not simply add the ACL on the router, because the other router wouldn't know the newly created ACL, so this will not work.

  You can add the following line under INT_Traffic ACL:

  IP address 172.16.0.0 allow 0.0.255.255 172.30.4.0 0.0.0.255

  But you must also add the image mirror ACL on the device VPN peer as follows:

  IP 172.30.4.0 allow 0.0.0.255 172.16.0.0 0.0.255.255

  But, Yes, you can add several lines ACL under INT_Traffic if you want to encrypt via the VPN tunnel. Just make sure that the 2 points above.

  Hope that helps.

• VPN Tunnel point question

  I think to put 2 ASA 5505 devices and their use

  a VPN point - point connection to another. What I need to know, is the licensing of the device of the SAA.

  I'm looking for is a device with 10 users, 10 VPN IPSec peers, 2 license SSL and 3DES/AES license. The location I think to put this account 8 workstations and 1 printer. There are other devices that have an IP (about 20), but they are for internal network only, they will be used not for VPN access. This authorisation system will work or will I have different or more license?

  Thank you

  -Jon

  Hello

  The ASA has a matter of license 10 users who account for the number of devices that you have inside the ASA (not more than 10 IP addresses).

  If there is a single tunnel of point-to-point IPsec, there is no problem because the ASA supports up to 10 with the given license.

  If you need traffic from more than 10 IP behind the ASA, you can increase the license for 50 or unlimited.

  Thus with Security Plus can increase VPN peer at 25.

  It will be useful.

  Federico.

• VPN3005 and GRE as interesting traffic (in tunnel)

  Hello

  is it possible to qualify the GRE or interesting traffic IPinIP tunnel traffic

  (in the Tunnel LAN2LAN) on a VPN3005.

  On router or PIX simply define you access-list with gre or IP, how

  can you do that on a hub if possible?

  Thanks in advance,

  Kind regards

  Stefan

  Hello

  Just set the Lists(based on interesting traffic) network and hub crypt GRE traffic as IP or ICMP protocol, so no specific configuration is necessary.

  Thank you

  AFAQ

• ASA 5510 VPN multiple tunnels through different interfaces

  Is it possible to create VPN tunnels on more than one interface to an ASA (specifically 5510 with 8.4), or I'm doing the impossible?

  We have 2 public interfaces on our ASA connected to 2 different suppliers.

  We must work L2L tunnels of the SAA for remote offices through the interface that is our ISP 'primary' and also used as our default gateway for internet traffic.

  We are trying to install a remote office use our secondary connection for its tunnel (office of high traffic we would prefer separate away from the rest of our internet and VPN traffic).

  I can create the tunnel with the ACL appropriate for traffic tunnel, card crypto, etc., put in place a static route to force ASA to use the secondary interface for traffic destined for the public of the remote gateway IP address, and when I finished, traffic initiated by the remote site will cause the tunnel to negotiate and find - I can see the tunnel in Show crypto ikev1 his as L2L answering machine MM_ACTIVE , Show ipsec his with the right destination and correct traffic local or remote identities for interesting, but the ASA local never tries to send traffic through the tunnel.  If I use tracers of package, it never shows a VPN that is involved in the trafficking of the headquarters in the remote desktop, as if the SAA is not seeing this as for the corresponding VPN tunnel traffic.

  If I take the exact same access and crypo card statements list and change them to use the primary ISP connection (and, of course, change the remote desktop IP connects to), then the connection works as expected.

  What Miss me?

  Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)

  permit access list range 192.168.0.0 PUBLIC_B_map 255.255.254.0 192.168.3.0 255.255.255.0

  NAT (Inside, PUBLIC_B) static source MainOffice MainOffice static FieldOffice FieldOffice

  card crypto PUBLIC_B_map 10 corresponds to the address PUBLIC_B_map

  card crypto PUBLIC_B_map 10 set counterpart x.x.x.x

  card crypto PUBLIC_B_map 10 set transform-set ESP-3DES-SHA ikev1

  PUBLIC_B_map PUBLIC_B crypto map interface

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group ipsec-attributes x.x.x.x

  IKEv1 pre-shared-key *.

  Route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1

  If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the instruction PUBLIC_B route and change the desktop to point to the ip address of the PUBLIC, then everything works, so my access list and crypto map statements must be correct.

  What I don't understand is why the ASA Head Office does not seem to recognize interesting for the tunnel traffic when the tunnel is for the second ISP connection, but works when it is intended for the main ISP.  There is no problem of connectivity with the ISP Internet B - as mentioned previously, the tunnel will come and negotiate properly when traffic is started from the desktop, but the traffic of main office is never sent to the bottom of the tunnel - it's as if the ASA does not think that traffic of 192.168.0.x to 192.168.3.x should pass through the VPN.

  Any ideas?

  Hello

  I think your problem is that there is no route for the actual remote network behind the VPN L2L through ISP B connection

  You could try adding add the following configuration

  card crypto PUBLIC_B_map 10 the value reverse-road

  This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.

  If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.

  The route to the remote VPN peer through the ISP B does not to my knowledge.

  I would like to know if it works for you.

  It may be useful

  -Jouni

• ACL by crypto-interesting setting direct tunnel IPSEC-L2L

  Hi all

  I need to put additional hosts on the existing ACL crypto-interesting on a tunnel directly with real-time traffic.

  I have a network-side remote engineer to apply the same to their end.

  My question is it will interrupt existing tunnel/traffic if we put additional hosts on the ACL on both sides at the same time?

  Thank you!

  Each permit in TS in ACL generates its own IPsec security association.

  There should be no impact on existing services - just pay more attention is not to introduce any overlap of the ACL.

  Another topic that is very often updated card crypto DB that sometimes one must remove and re-add the crypto map configuration - which will cause traffic distruption.

  Marcin

• fix Microsoft Teredo Tunneling adapter CD-ROM drive, does not

  I made the trouble taken and updated drivers and I still have the yellow flag.  Also have the yellow flag on my HP Photosmart printer.

  Songs of salvation,

  1. what exactly is the problem with "Teredo Tunneling adapter"?

  2. have you downloaded the drivers of printer from the HP Web site?

  CASES1:

  Teredo Tunneling adapter question:

  In computer networks, Teredo is a tunneling protocol designed for connectivity (Internet Protocol version 6) independent platform provideIPv6 to nodes that are located inIPv4 networks. Compared to other similar protocols its particularity is that it is able to fulfil its function even behind network address translation (NAT) devices.

  If you have uninstalled then it may be a problem in connecting network and network security.

  If you have it turned off I suggest you to activate it.

  To activate it follow the steps below:

  Right-click the Teredo Tunneling Interface > update driver software... > Browse my computer for driver software > let me pick from a list of drivers for devices on my computer.

  Case 2:

  CD Rom drive problem:

  You can run the fixit and let us know the result.

  Case 3:

  Printer problem:

  Refer to solve printer problems

  It will be useful.

• VPN site-to-site UP-ACTIVE but no traffic

  Hi guys,.

  I have to solve this situation please help me!

  I have 2 routers two cisco:

  (A) cisco IOS Software, software C1700 (C1700-ADVIPSERVICESK9-M), Version 12.4 (15) T11, VERSION of the SOFTWARE (fc2)

  (B) cisco IOS Software, 1841 (C1841-ADVSECURITYK9-M), Version 15.1 (4) M8, VERSION of the SOFTWARE (fc2)

  simple VPN IPSEC between

  My VPN tunnel is mounted and I have good matches con access-list 110 but no ping, no traffic between the LANS 2.

  Fix you will find so many site A and B configurations, sh encryption session, sh encryption session detail, sh crypto isakmp sa, sh cryto ipsec his

  I really hope that someone can help me... I m is crazy!

  What are the ip addresses 82.113.192.24 and 82.113.194.113? They are hops in the path of dialer3? I guess no, that you would see the packages that you have launched are natted, and the cause, the reason would be because they will release another way "not via dialer3" or because the "NAT-DATI-ADSL2" route map does not work as it should.

  I still believe the problem is related to the way of road to the REGION of BROKER, I think that dialer3 is not used when the tunnel traffic is being introduced to areaCattolica.

  I would create a small lab today to test the roadmap that you applied on dialer3 nat statement. He will have to start troubleshooting with some debugs, but before that I would like to test the road map then let you know.

  Kind regards

  Aref

• Is this a DMVPN tunnel before directed broadcasts?

  Hi people.

  We had a problem interesting in one of our shelves in our DMVPN network.

  The RADIUS 2811, its process was 98% with the entrance of property intellectual process taking 98%.

  Of netflow, I saw many broadcasts led through tun4 which is a dmvpn tunnel.

  SrcIf SrcIPaddress DstIf DstIPaddress Pr PCDR as Pkts
  FA0/0 169.254.29.148 Tu4 169.254.255.255 11 0089 0089 9136
  FA0/0 169.254.220.230 Tu4           169.254.255.255 11 0089 0089 1935
  FA0/0 169.254.153.196 Tu4           169.254.255.255 0089 0089 11 14 K

  the 169.254.X.X address is free windows configured when a pc is unable to obtain an IP address.

  the configuration of the tunnel is like that and I wonder if, because of the "property intellectual PNDH multicast ' forwards all multicast and broadcast over the tunnel traffic.

  Is this the case?

  interface Tunnel4
  bandwidth 2048
  address IP X.X.X.X 255.255.252.0
  no ip redirection
  IP 1400 MTU
  penetration of the IP stream
  property intellectual PNDH authentication xxxxx
  property intellectual PNDH card A.A.A.A. B.B.B.B
  map of PNDH IP multicast B.B.B.B
  PNDH id network IP-100003
  property intellectual PNDH holdtime 600
  property intellectual PNDH nhs Y.Y.Y.Y
  registration of the PNDH non-unique IP
  property intellectual shortened PNDH
  the PNDH IP forwarding
  load-interval 30
  QoS before filing
  source of Loopback4 tunnel
  multipoint gre tunnel mode
  tunnel key 100003
  backup tunnel ipsec protection profile

  Hi Rick, thanks for the note :)

  Hi George,.

  Another solution is to create the static route for null point 0 for these unwanted traffic.

  Kind regards

  Lei Tian