Duplicate private networks over VPN!

A customer has the same private network as my company does, but I have to build a VPN between those two networks.
Our site has an ASA 5510 and the customer has a PIX 515e. How should I do this?
Many thanks for helping me.
Gerard Schurink

You could take inspiration from this document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
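
The standard way to tunnel between two sites that use the same subnet is for each side to translate its real LAN 1:1 to a unique "shadow" subnet before encryption and to define the interesting traffic purely in shadow addresses, so the crypto ACLs on the two peers mirror each other without either side ever seeing the overlapping prefix on the wire. The planner below is an added example (not the reply's or Cisco's code): the subnets 192.168.1.0/24, 10.10.10.0/24 and 10.20.20.0/24, the interface names inside/outside and the ACL names OVERLAP-NAT and CRYPTO are constructed, and the emitted lines use the pre-8.3 ASA/PIX policy static NAT syntax (`static ... access-list`). It refuses shadow subnets that overlap each other or the real subnet, or that are too small to hold every real host.

```python
"""
Plan a LAN-to-LAN IPsec tunnel between two sites that use the same private
subnet.  Added example; not code from the reply above or from the linked Cisco
document.  Each side translates its real LAN 1:1 to a unique "shadow" subnet
before encryption, and the interesting traffic is defined in shadow addresses
only.  The subnets and ACL names are constructed; the emitted lines use the
pre-8.3 ASA/PIX policy static NAT syntax (static ... access-list).
"""
from ipaddress import IPv4Address, ip_network
from typing import Dict, List


def shadows_are_unique(overlap: str, local_shadow: str, remote_shadow: str) -> bool:
    """The two shadow subnets must be disjoint from each other and from the real
    subnet, and the same size so every real host maps 1:1."""
    nets = [ip_network(n) for n in (overlap, local_shadow, remote_shadow)]
    same_size = all(n.prefixlen == nets[0].prefixlen for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return same_size and disjoint


def translate(addr: str, real: str, shadow: str) -> IPv4Address:
    """Map a host in `real` to the same host offset in `shadow` (what the 1:1 static
    does on the wire).  Swap the subnet arguments to undo the translation."""
    real_net, shadow_net = ip_network(real), ip_network(shadow)
    host = IPv4Address(addr)
    if host not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    offset = int(host) - int(real_net.network_address)
    return IPv4Address(int(shadow_net.network_address) + offset)


def plan_overlap_nat(overlap: str, local_shadow: str, remote_shadow: str) -> Dict[str, List[str]]:
    """Lines each side needs: a policy-NAT ACL, the static translating the real LAN
    to that side's shadow subnet when talking to the peer's shadow subnet, and the
    crypto ACL written purely in shadow address space (so it mirrors the peer's)."""
    if not shadows_are_unique(overlap, local_shadow, remote_shadow):
        raise ValueError("shadow subnets must be disjoint and the same size as the real subnet")
    real = ip_network(overlap)

    def side(mine: str, peer: str) -> List[str]:
        my_net, peer_net = ip_network(mine), ip_network(peer)
        return [
            # real hosts talking to the peer's shadow subnet are the only ones translated
            f"access-list OVERLAP-NAT extended permit ip {real.network_address} {real.netmask} "
            f"{peer_net.network_address} {peer_net.netmask}",
            # 1:1 static to this side's shadow subnet; the mask comes from the ACL
            f"static (inside,outside) {my_net.network_address} access-list OVERLAP-NAT",
            # interesting traffic never mentions the overlapping prefix
            f"access-list CRYPTO extended permit ip {my_net.network_address} {my_net.netmask} "
            f"{peer_net.network_address} {peer_net.netmask}",
        ]

    return {"local": side(local_shadow, remote_shadow), "remote": side(remote_shadow, local_shadow)}


def crypto_acls_mirror(plan: Dict[str, List[str]]) -> bool:
    """Sanity check: the peer's crypto entry is the local one with src/dst swapped."""
    def src_dst(line: str):
        words = line.split()
        return tuple(words[-4:-2]), tuple(words[-2:])
    ls, ld = src_dst(plan["local"][2])
    rs, rd = src_dst(plan["remote"][2])
    return (ls, ld) == (rd, rs)


if __name__ == "__main__":
    for site, lines in plan_overlap_nat("192.168.1.0/24", "10.10.10.0/24", "10.20.20.0/24").items():
        print(f"! {site}")
        print("\n".join(lines))
```

With this layout a user at one site reaches the other site's hosts at their shadow addresses (192.168.1.9 on the far side is 10.20.20.9 from here), so name resolution has to hand out shadow addresses for the remote site or the statics have to rewrite DNS answers; the script only plans the address translation and the mirrored crypto ACLs.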

Similar Messages

  • Problem accessing an adjacent remote network over VPN (2 asa5505)

    Hello all,
    I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains two subnets, 192.168.1.0/24 and 192.168.0.0/24 (the latter for remote VPN users). The corp site has 192.168.2.0/24 directly connected to the ASA5505 and an adjacent network connected via another device, namely the 172.16.0.0/16 network.
    I am able to ping site-to-site from 192.168.0 to 192.168.2 and from 192.168.1 to 192.168.2.
    I am unable to ping from the remote site to the 172.16 network, however.
    I added permit ACLs to both my NAT and crypto ACLs, and when I try to ping the remote 172.16 network I get the following message on my CORP ASA:
    4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
    The reply is timing out, though.
    Any tips would be appreciated!
    My ACLs:
    REMOTE SITE:
    #NONAT
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    #CRYPTO ACL
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    CORP SITE:
    #CORP
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 200
    nat (inside) 1 0.0.0.0 0.0.0.0
    #CRYPTO ACL
    access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    Thanks in advance!

    The config looks ok.
    If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
    "4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
    Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?
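
Two mechanical checks catch most "phase 1 and 2 are up but traffic dies" cases on pre-8.3 ASA pairs: every crypto ACL entry must have an exact (destination, source) twin on the peer, because phase 2 proxy identities are negotiated pairwise, and every crypto ACL entry must be fully covered by a `nat 0` exemption entry, otherwise `nat (inside) 1` rewrites the source before the crypto check and the packet no longer matches. The audit below is an added example (not the poster's or Cisco's code) that parses the ACL lines exactly as posted above and applies both checks. On those lines it reports the two remote-side entries between 192.168.1.0/24 and 192.168.0.0/24 as having no mirror on CORP (both subnets sit at the remote site, so they are not LAN-to-LAN traffic), and the two CORP entries sourced from 192.168.3.0/24 as having no NAT exemption; the 172.16.0.0/16 entries pass both checks, which is consistent with the reply's question about routing.

```python
"""
Audit two ASA site-to-site peers for the mistakes that most often produce
"tunnel up, traffic dead": crypto ACL entries the peer does not mirror, and
crypto ACL entries not covered by the NAT-exemption (nat 0) ACL.
Added example, not from the thread; the sample ACL lines are the posted ones.
"""
import re
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

Pair = Tuple[IPv4Network, IPv4Network]
QUAD = r"(\d+(?:\.\d+){3})"
ACL_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+" + r"\s+".join([QUAD] * 4))


def parse_acl(config: str, name: str) -> List[Pair]:
    """(source, destination) networks of each 'permit ip' line of the named ACL."""
    pairs: List[Pair] = []
    for line in config.splitlines():
        m = ACL_RE.search(line)
        if m and m.group(1) == name:
            pairs.append((ip_network(f"{m.group(2)}/{m.group(3)}", strict=False),
                          ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)))
    return pairs


def unmirrored(local: List[Pair], peer: List[Pair]) -> List[Pair]:
    """Local crypto entries with no (dst, src) twin on the peer.  Phase 2 proxy
    identities must match exactly, so a one-sided entry never gets an SA."""
    twins = {(d, s) for s, d in peer}
    return [p for p in local if p not in twins]


def not_exempt(crypto: List[Pair], nat0: List[Pair]) -> List[Pair]:
    """Crypto entries no nat 0 entry fully covers.  That traffic is PATed by
    'nat (inside) 1' before encryption and then no longer matches the crypto ACL."""
    def covered(s: IPv4Network, d: IPv4Network) -> bool:
        return any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
    return [(s, d) for s, d in crypto if not covered(s, d)]


# Sample input: the ACLs exactly as posted (remote ASA, then CORP ASA).
REMOTE = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CORP = """
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


def audit() -> Dict[str, List[Pair]]:
    """Run both checks in both directions on the posted ACLs."""
    r_crypto, r_nat0 = parse_acl(REMOTE, "100"), parse_acl(REMOTE, "inside_nat0_outbound")
    c_crypto, c_nat0 = parse_acl(CORP, "105"), parse_acl(CORP, "200")
    return {
        "remote_unmirrored": unmirrored(r_crypto, c_crypto),
        "corp_unmirrored": unmirrored(c_crypto, r_crypto),
        "remote_not_exempt": not_exempt(r_crypto, r_nat0),
        "corp_not_exempt": not_exempt(c_crypto, c_nat0),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, [(str(s), str(d)) for s, d in findings])
```

The coverage test is containment, not equality: a `nat 0` entry with a wider mask (the posted 192.168.1.0/24 to 192.168.0.0/16 line) legitimately covers the narrower crypto entry. Neither check says anything about the path beyond the ASA, so a clean audit still leaves the reply's question open: the device in front of 172.16.0.0/16 needs routes for 192.168.0.0/24 and 192.168.1.0/24 pointing back at the CORP ASA.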

  • Layer 2 network over VPN

    Is it possible to extend a subnet (same broadcast domain) across a VPN tunnel? For example, we have 10.1.100.x in VLAN 100 at HQ. Can we use the same VLAN and the same IP range at a remote site on the other side of the VPN tunnel, and if so, can they forward broadcast traffic?
    Siddhartha

    You need to look into L2 tunnelling (L2TP possibly being the choice; this includes L2TP over IPsec).
    Both SSL and IPsec are L3 solutions. You can share the same subnet as a LAN interface, but you might have problems with broadcasts depending on your configuration and actual needs.

  • DNS over VPN

    Hi community,
    I am having some trouble with DNS over VPN. On the server side of the VPN, DNS works 100%, i.e. servername.domain.com resolves to the local IP address correctly from within the network. However, when I connect into the network over VPN, DNS does not work correctly: it resolves servername correctly but not servername.domain.com. I can overcome this by setting the VPN above my Ethernet adapter in the service order, but then all my traffic gets routed over the VPN connection (which I don't want), even if I try adding a network routing definition on the VPN server. I probably need to do something on the VPN client (Snow Leopard 10.6.1)?
    Please help!

    Rather than dnsmasq and OpenWrt, I'd look at the DNS server here.
    My guess here would be that the DNS configuration is invalid, or the domain name incorrect, or such.
    For a simple split-brain setup, you'll have one forward zone with your local Mac OS X Server box as the DNS server, and one (created for you) reverse DNS zone. And you'll be using a unique domain name or (far better) a publicly registered DNS domain. But this smells like a DNS error.
    Post the output of dig -x for the IP address on your LAN, and of dig host and dig host.example.com for the domain name on your LAN. And given this DNS information is either public or is behind a firewall and thus accessible only via VPN, please post the real data rather than masked data.

  • ASA 5505 VPN - how to access Two private networks

    Hello
    I have a Cisco 5505 and I configured remote VPN clients. Here is my scenario:
    Cisco switch 2950 === holds two private networks, 192.168.8.x and 192.168.4.x
    VLAN 2, outside interface - Eth0/0 - 155.155.155.x
    VLAN 1, inside interface - Eth0/1 - 192.168.8.180
    VPN pool IP addresses = 192.168.8.100-110
    I ran a cable from my Cisco switch into Eth0/1, and I want to access these two private networks, 192.168.4.x and 192.168.8.x.
    Now I can access 192.168.8.x, but I can't access 192.168.4.x. Please, can anyone help me with that?
    Regards
    Thomas

    Configure a split-tunnel list that contains the networks you want the client to access.
    Sent from Cisco Technical Support iPad App

  • Migration over private network - Non-Cluster

    Hello everyone...
    I have a Hyper-V cluster (3 nodes) and a second stand-alone Hyper-V host, all of which is managed by SCVMM 2012 R2. The VMM server and all Hyper-V hosts are connected to a 10 Gb/s private network.
    When doing a live migration between nodes in the cluster, everything is transferred over the 10 Gb/s network.
    When doing a live migration between one of the cluster nodes and the stand-alone host, it uses the public LAN.
    All machines can ping each other on the 10 Gb/s network, so it isn't a connectivity issue. (I am using that network to do backups as well.)
    On the stand-alone host, I have "use the following IP subnets" set to the subnet of the private network.
    All machines are running Windows Server 2012 R2.
    Any suggestions on how I can do the migration using the 10 Gb/s network?
    Thanks!

    Hi Sir,
    >>I have a Hyper-V cluster (3 nodes) and a second stand-alone Hyper-V host, all of which is managed by SCVMM 2012 R2. The VMM server and all Hyper-V hosts are connected to a 10 Gb/s private network.
    >>When doing a live migration between one of the cluster nodes and the stand-alone host, it uses the public LAN.
    If I understand correctly, you may need to check the link layer between the cluster node's live migration IP and the stand-alone host's LM IP.
    I want to know the details of the network topology between the cluster and the stand-alone host, because you mentioned "it uses the public LAN".
    Best Regards,
    Elton Ji
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

  • Metadata over private network?

    How can I tell if the metadata traffic is going over the private network I have set up and not over the public one that lets my machines reach the internet? I set the machines up on the private network and they always showed up in Xsan Admin with their private addresses, until I plugged the second network cables into my metadata controllers and two of my clients. Now they show up with the addresses assigned by my DHCP server on my local network.
    My few clients that are not on my local internet network still seem to be communicating with my metadata controllers on the private side. I just want to make sure I am getting the best performance and metadata isn't flying across my local network.
    Thanks!

    I think you can do several things to check this:
    x listen on the wires with an ethernettool
    x check /Library/Filesystems/Xsan/config/fsnameservers
    x check /Library/Filesystems/Xsan/data/<volumename>/log/cvlog
    x check /Library/Filesystems/Xsan/debug/nssdbg.out

  • Duplicate remote networks and PAT - IOS VPN

    This question pertains to an IOS router running c3900e-universalk9-mz.SPA.152-4.M5.
    We are deploying a new VPN termination router that will support multiple IPSec tunnels to multiple unrelated external organizations. We have many of these VPN routers in other regions hosting dozens of IPsec tunnels to dozens of unrelated external organizations. In the past, to allow for IPv4 uniqueness, we have suggested (required) these external organizations to PAT their source addresses to unique public addresses owned by the external organization. In some cases, my company has provided a public range of addresses to the external organization which the external organization uses to PAT their sources before presenting the traffic to our side of the VPN tunnel.
    This has served us well and scales quite well.
    However, we are now faced with an external organization (the very first organization on this new VPN termination router) that wants to present my company with non-unique addresses in the 10.0.0.0/8 range. This external organization has requested that we PAT their sources for them, which I understand that technically we can do.
    My first question is, if my company decides to go into the business of PATing the 10/8 sources of other external organizations, how will this impact the IP network used at the remote end of the tunnel and could these remote networks be overlapping between two or more external organizations without using some flavor of VRF? I developed a scenario below that I'd like help in understanding:
    interface Port-channel20.2900
     description Internet Bound (Outside)
     crypto map JIM
     ip address 130.96.10.243 255.255.255.248
     ip nat inside
    interface Port-channel20.2901
     description *** Transit DMZ or LAN Bound (Inside)
     ip nat outside
     ip address 130.96.10.251 255.255.255.248
    If we had two crypto external organizations:
    External Organization #1
    crypto map JIM 100 ipsec-isakmp
     description ***
     set peer 1.1.1.1
     set transform-set esp-3des-sha
     set security-association lifetime seconds 28800
     match address SCA
    crypto isakmp key blah address 1.1.1.1
    ip access-list extended SCA
     permit ip host 130.96.10.92 host 130.96.10.223
    access-list 7 remark *** SCA NAT List - SCA *** JMM
    access-list 7 permit 10.254.0.0 0.0.255.255
    ip nat pool SCA 130.96.10.223 130.96.10.223 prefix 30
    ip nat inside source list 7 pool SCA overload
    ip route 1.1.1.1 255.255.255.255 130.96.10.241
    ip route 10.254.0.0 255.255.0.0 130.96.10.241
    External Organization #2
    crypto map JIM 200 ipsec-isakmp
     description ***
     set peer 2.2.2.2
     set transform-set esp-3des-sha
     set security-association lifetime seconds 28800
     match address SCB
    crypto isakmp key blah address 2.2.2.2
    ip access-list extended SCB
     permit ip host 130.96.11.14 host 130.96.11.223
    access-list 8 remark *** SCB NAT List - SCB *** JMM
    access-list 8 permit 10.254.0.0 0.0.255.255
    ip nat pool SCB 130.96.11.223 130.96.11.223 prefix 30
    ip nat inside source list 8 pool SCB overload
    ip route 2.2.2.2 255.255.255.255 130.96.10.241
    Imagine these flows are present:
    Flow #   External Organization   Source         NAT Destination   Real Destination
    1        1                       130.96.10.92   130.96.10.223     10.254.10.10
    2        2                       130.96.11.14   130.96.11.223     10.254.10.10
    Since our interesting traffic access-lists are based on PAT addresses, theoretically the flow could be positively associated with the crypto-map clause before PAT. Is it true that in the forward direction we have PAT, followed by routing, followed by encryption? If so, this would mean that after PAT and routing the egress interface would be the same for both flows (Port-channel20.2900) and the IP destination address would also be the same (10.254.10.10). However, the source IP address would be distinct for each flow. Since routing has already happened, isn’t the router smart enough to associate the post-PAT packet(s) with the correct crypto-map clause on the crypto-enabled interface which would be based on the access-list in the “match address” clause within the crypto-map:
    ip access-list extended SCA
    permit ip host 130.96.10.92 host 130.96.10.223
    ip access-list extended SCB
    permit ip host 130.96.11.14 host 130.96.11.223
    In theory it seems this would allow duplicate IP networks at remote sites. Am I correct? If I'm wrong, where and how exactly does this fail?
    Thanks,
    Jim

    Hey Nathan...
    My VPN is down at the moment, but I think you're going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses: one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
    So, if you can find a way to set up your shared clients the same way, it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office: 192.168... for one and 10.0.0 for the other. (Whether traffic will pass through your "sharing server" is a different matter altogether.)
    Now, and I'm really guessing here, if this works at all, you may only be able to access stuff from the office on your "shared clients" (i.e. no internet). The way around that is to set up your VPN to allow VPN clients to pull stuff from the internet from the office through the VPN, and for the life of me I don't remember how that is done. But it will most likely be a bit slow.
    I'd start with the basics: set up one client with a manual IP address/router/DNS servers, and try to ping a computer at the office. If this works, at least part of your problem is solved.
    With all that said, it may not work at all. Good luck!

  • Rman backup over private network

    How can I force an rman backup to use a private network instead of public network.

    Hi scottnoswa,
    create a net service name in tnsnames.ora that uses the private IP, and use this to connect to the target.
    Regards,
    Lutz

  • Mail, iCal Server and iChat server will not work over VPN

    I have an Airport Extreme Base Station at the office running the network. Behind it sits a Mac Mini Snow Leopard server running 10.6.3. The ports necessary for Mail, iCal Server and iChat work fine through that external connection. I can also connect with VPN from my 10.6.3 clients.
    HOWEVER, when I connect with the VPN clients, I am suddenly unable to access the Mail, iCal Server, Wiki server and iChat server. All connections time out. I can ping the server and I can do other things that do NOT work on the public Airport like ssh or VNC. ssh and VNC are closed at the airport extreme.
    So it's pretty odd. When I'm connected via the VPN, all ports that are forwarded to the Snow Leopard server time out over the VPN.
    I've tried various and sundry configurations with the VPN client. This includes trying to send all traffic over the VPN, moving it up in the service order, etc. etc. Nothing fixes it. DNS resolution is working fine, however when I do a wireshark capture of ppp0 traffic, I notice that SSL and TLSv1 handshakes appear to occur on the public IP address instead of the private network IP address... and they're all resets.
    Has anyone gotten this to work successfully? Like I said, all ports that are NOT forwarded through the Airport work fine over the VPN, but will not work when connected to the VPN. It's really bizarre.

    New data: any ports that are normally forwarded on the Airport Extreme to the Mac Mini server will not work when connected to the VPN.
    For instance, if I have imaps/993 forwarded from the Airport Extreme to the Mac Mini, it works fine over the Internet. If I connect to the VPN, I can connect to all OTHER services on the Mac Mini, but Mail, for instance, will not work.

  • Virtual Private Networking

    I've tried to research this subject before I posted, but I really haven't found any good explanation - I've had an icon at the top right of my screen since I've had my computer - it's for "VPN" - which I've basically ignored until today - I'm curious as to its function. Like I said - I tried to find out more about it, but every explanation is unclear to me. Can anyone tell me, very simply, what exactly is VPN?

    The name kind of says it all, but a practical example often helps.
    First, think of a private network as any local area network such as that used in an office, your home, etc. Everything on that local area network (LAN) is private, and protected from the internet by firewalls, NAT devices, etc.
    That's all well and good for people inside the office. However there are many cases where people outside the office would also benefit from access to the internal/private machines. For example, sales people might benefit from accessing the corporate database on product availability, client profile, etc., or maybe want access to a corporate file server or email server.
    One option is to open those services to the outside world, but you then run into issues with protecting the data from unwanted users - e.g. hackers trying to crack into the corporate database, download financial information, etc.
    It's possible to do using various authentication systems, encryption systems, etc., but you have to apply the same rules over and over again to every service that you want to be able to access remotely, and missing just one leaves your entire network vulnerable.
    Enter the VPN.
    The VPN extends the concept of the private LAN to specific remote systems. Remote users connected to the VPN (e.g. that sales guy on the road, the IT guy working from home, etc.) authenticate once to a VPN server and then appear to be in the LAN, just as if they were at a desk in the office.
    As far as all the internal servers are concerned, the user is local. He can do anything he'd be able to do in the office, including printing on office printers, accessing file servers, etc., without the need to specially configure each service, and without the need to open lots of holes in the corporate firewall.
    So the user on the VPN appears to be on the local network, but isn't - hence the 'Virtual' part of the equation.
    VPNs can be scaled to support anywhere from one or two users to thousands of users across multiple continents - it's not uncommon, for example, for multi-national corporations to have VPN connections between offices. That way anyone in any office can connect, securely and easily, with anyone else, without having to worry (too much) about where that resource is, or whether it's available outside of the office.
    Does that help?

  • Proper routing for lan through verizon private network (GRE) to airlink gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated, spending many more hours than allotted trying to learn some of the finer details). Time for some advice. My usual trade is controls engineering, which generally requires only basic knowledge of networking principles. However, I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system. I decided to use cellular technology to connect these remote sites back to the main SCADA system. Well, the infrastructure is now in and it's time to get these things talking.
    Basic topology description is as follows: each remote site has an Airlink LS300 gateway. Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system. The Airlinks are provisioned by Verizon utilizing a private network with static IPs. This private network's address is 192.168.1.0/24. Back at the central office the SCADA computer is sitting behind a Cisco 2911. The LAN address of the central office is 192.168.11.0/24. The 2911 is utilizing GRE tunnels that terminate with Verizon.
    The original turn-up was done by another contractor who did a basic config of the router, which you will find below. As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet mask to 255.255.0.0 I can, surprisingly, reach the Airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks. I think I understand just about every part of the config below and think it is just missing a few items to be complete. I would greatly appreciate anyone's help in getting this set up correctly. I also have a few questions about the setup that still don't make sense to me; you will find them below the config. Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret 
    redundancy
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99
    crypto isakmp key AbCdEf01294 address 99.100.14.88
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac
     mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
     description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
     duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
    Now for a couple of questions for those who are still actually hanging around.
    #1 What is the purpose of the Ethernet address assigned to each tunnel? I only see them being used in the BGP section, where they are receiving routing tables from the Verizon side (is that correct?). Why wouldn't or couldn't you just use the physical Ethernet interface address in its place (in the BGP section)?
    #2 Is the config above correct in pointing the default route to the physical Ethernet address? Does that force the packets into the tunnel, or shouldn't you be pointing it towards the tunnel IPs (172.16.200.2)? If the config above is correct then I should not need to add the route I described above, as if I ping out to 192.168.1.x that should catch it and force it into the tunnel, where Verizon would pick it up and know how to get it to its destination??
    #3 Will I need to add another permit to VZW_VPN for TCP, as in the end I need to be able to poll via Modbus, which uses TCP port 502? Or is TCP implicit in some way with the GRE permit?
    I actually have a lot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this. Also please feel free to point anything else out that I may have missed or that can be improved. Have a great day!

    My first comment is that you have two posts in this forum and as far as I can tell they are exact duplicates, other than changing the title of the posts. It is better to figure out what you want to ask and then to ask once.
    My second comment is that you have given us information about your central site. At some point we may also need some information about what is at the remote end and how that is set up. But for now we will deal with what we know about your site.
    Before I deal with your specific questions I will comment that if you are able to access the remote Airlinks, that is a pretty good indicator that the tunnels are probably working. But to understand the significance of this it would help if you clarify for us what address is on the local computer when you change the subnet mask to 255.255.0.0.
    Also, what you have shown us allows us to see that BGP is configured but provides no insight into whether BGP is working or not. It would provide helpful information if you would post the output of show ip bgp sum.
    So to address your specific questions:
    You suggest that adding a static route for 192.168.1.0 might be part of the solution. But we have no information about what that network is or its significance. So we have no way to know whether the static route would help or not. But my guess (based on very scant information and therefore based mostly on assumptions) is that if BGP is working correctly then the static route is not needed.
    1) asks about an Ethernet address on the tunnel. I assume that you really meant to ask about the IP address assigned to the tunnel. The reason that the tunnel needs its own IP address is that we want a unique subnet assigned to the tunnel. If we used the address from the physical interface as you suggest then both tunnels would have the same address, and that implies that they both connect to the same place, and that assumption is not correct.
    2) Yes, it is correct to point the default route to the IP address that is the next hop from the Ethernet interface. You might want to have a route pointing at the tunnel address for remote subnets reached via the tunnel. But in looking at the config and trying to understand what was intended, it is pretty obvious that running BGP over the tunnel is intended to learn the remote addresses over the tunnel, and therefore there is no need for static routes for the remote resources.
    3) You should not need an additional permit for TCP 502. The TCP packet will be carried through the tunnel, and the access list you are referring to will see the packet with Modbus polling as GRE traffic and not as TCP traffic.
    HTH
    Rick

  • VOIP over VPN need clarification

    Hi,
    Recently I have implemented a site-to-site VPN between an ASA and a SonicWall firewall.
    Problem: I am able to make a call from an ASA-side (inside) IP phone to a SonicWall-side (inside) IP phone and vice versa, and it rings, but I am not able to hear voice. So I created a VoIP-over-VPN configuration and applied the appropriate service policy to the outside interface. But I was still not able to hear voice.
    Tried the troubleshooting steps below:
    From the ASA side we had two subnets (10.20.1.x/24 – data and 10.20.2.x/24 – voice) and one subnet (192.168.x.x/24) from the SonicWall side as interesting traffic (LAN to LAN). When I configured the site-to-site configuration on both ends, my phase 1 and phase 2 came up and they were able to communicate with each other. (In the interesting traffic I created two objects and bound those objects into one object-group as the source, i.e. the ASA-side LAN subnets, and one object for the remote LAN as the destination.)
    My call manager sits behind the ASA, and IP phones need to communicate from the SonicWall side to inside the ASA.
    So, I supernetted the data subnet and the voice subnet into a single network, i.e. 10.20.x.x/16, at the ASA side and applied the configuration changes (changed the ACL, the no-NAT rule and the voice QoS ACL accordingly), and now I am able to hear voice at both ends and can communicate properly from the ASA inside IP phone to the SonicWall inside IP phone and vice versa.
    My question: I do not understand the logic of how this supernetting resolved the dead-voice issue.
    Please clarify; I am a bit confused on this.

    It's not recommended. Although VPNs guarantee a secure pipe end-to-end, they don't guarantee latency and variations in latency (Jitter).

  • CUPC Over VPN

    We resolved a VPN issue that was preventing us to be able to log in to CUPC over VPN. I am now able to log in, I can see my buddy list and their status, however the CUPC status in the bottom of the window is listed as "Offline (No Network)".
    Server Health:
    Logon Server: Not Connected - Disconnected
    Phone Config: Downloaded
    Presence: Connected
    Desk Phone: Not Connected
    Softphone: Not Active
    Voicemail: Connected
    Secure Messaging: Not Connected - Server Unreachable
    LDAP: Not Available - Server Unreachable
    What could be causing some of the servers to be connected while others are disconnected? We are running Microsoft ISA VPN.

    This is likely an ISA VPN configuration issue. CUPC creates separate connections to each system. For example, voicemail is an IMAP or secure IMAP connection, presence is a SIP connection, desk phone is CTI, etc. Not all traffic is tunneled through CUPS.
    You will need to troubleshoot the individual protocols to understand why Microsoft's VPN product is not properly transporting them. A good place to start would be attempting telnet connections from the VPN-connected machine to the locations specified in the relevant profile on CUPS. Example: can you telnet to your LDAP server's port as defined in CUPS?

  • Voice over vpn-call not completing

    Hi folks,
    I have got a problem with voice over VPN. So far my VoIP calls were running purely over shared IP internet. Today we tried to make a site-to-site VPN tunnel between the two sides and send the traffic through it. The VPN is working (MD5, DES).
    The problem we faced is that when I dial a number, the other side's phone rings for 6-8 seconds and then the call gets disconnected. Whether or not the called party answers, the call gets disconnected after 6-8 secs. I am not getting any ringback, while the other side's phone actually rings. No voice is going through.
    My network is: normal PBX -- to -- Cisco 3800 -- to -- PIX -- to -- Quintum gateway
    ISDN debug shows cause code 18, no user responding.
    Help me on this...

    Hi,
    can you provide the configurations of the voice gateway and the PIX?
    Anyway, my best guess is the PIX :)
    Check timers, check security policies.
