IPSec with two Cisco RV220W's

I have two Cisco RV220W's. FTP over my VPN is so slow that I have to slow down the FTP transfer to about 10kbps in order to keep the transfer steady. Trying to move TB's of information at that speed is not reasonable. What will resolve this issue?


Similar Messages

  • Bridge with two Cisco AP's

    Hello Everyone,
    So I have a scenario here and I’m wondering if this plan I have will work flawlessly or is there anything I have to lookout for?
    So I'm going to bridge two Cisco AP's 1260 and 3500, which have an 880 router on each side.
    (Currently I have a VPN set-up through the internet for the two locations to communicate)
    (Naturally they are currently in different subnets)
    Will absolutely change this and set up as one subnet.
    There is VLANs setup on each router (same VLANs)
    VLAN 1
    And
    VLAN 10
    Everything is configured on the Routers and AP's for these VLANs (works flawlessly over the VPN).
    So now since I’m going to get rid of the VPN and set-up a bridge with two AP's, will having same VLANs across both routers be a problem?
    Will VLANs work OK through the bridge?
    Besides using (IP helper address DHCP-IP) command on the non-root bridge side router to forward DHCP requests to the root bridge side router,
    Is there anything else I have to consider?
    Also I want to be able to route internet traffic on the non-root bridge side through the WAN port, and only route LAN traffic through the bridge...
    Will I have to use Access list for this?
    Sorry everyone...
    I know this is a lot I'm throwing out there...
    Thanks in Advance
    Regards,
    Ed

    Also, if the IP Helper command is used to relay DHCP request to the root bridge side router.....
    will the VLAN settings (trunks) on non-root bridge side router work ok since I will need to remove the DHCP pools configured there...... Or is it a better idea to keep it there and just exclude addresses that are available to the other side, and vice versa???
    I say this because the non-root bridge is also going to serve for wireless clients as well, and has VLANs setup on it so I'm guessing the non-root bridge side router needs the DHCP pools for both VLANs intact, for VLANs to operate correctly.
    Please give me your insight on this....

  • Etherchannel trunk with two cisco switch

    Hi, my company using only one Cisco 3750 switch with VLAN1,2,3,4,5. 
    Now my company bought another Cisco switch and we would like to etherchannel trunk between both and create new VLANs in the new switch.  We asked our partners; some of them suggested we use LACP, and some of them suggested we use PAgP.  We are so confused about which will be better in our environment.
    Previous: Router <> 3750 switch A (VLAN 1,2,3,4,5)
    Now we bought another Cisco Switch B:  Router <>3750 switch A <> switch B (add more VLAN 6,7,8,9,10)
    Which of below command is the best choice to suit our company ? suppose we use 2 port of gigabitethernet 1/0/1 and 1/0/2 trunk?  All VLAN 1-10 need to communicate with each other.
    interface GigabitEthernet1/0/1
     channel-group 1 mode active  <<< (use "active" or "desirable" is the best choice)
     switchport mode trunk
    interface GigabitEthernet1/0/2
     channel-group 1 mode active
     switchport mode trunk
    interface Port-channel 1
     switchport trunk encapsulation dot1q << (do we need put this? as we think this is by default after trunk?)
     switchport mode trunk
     switchport nonegotiate <<< (do we need "nonegotiate" if both switch setup same configure?)

    Hello
    My understanding is that PAgP and LACP basically provide the same features; however, PAgP is Cisco proprietary, while LACP is an IEEE standard which can be used between different route/switch vendor platforms.
    As for disabling DTP (switchport nonegotiate) - I would agree with this suggestion, so as not to have trunks being dynamically created.
    Lastly, I would manually prune unused VLANs across trunk interfaces, to save on CPU and memory usage because of the STP instances that could be used (however, such a small VLAN database like yours would not be an issue).
    So to summarise:
    Cisco to Cisco etherchannels = PAGP
    Cisco to other vendors = LACP
    L2 etherchannel
    ================
    1) default physical interfaces (if possible)
    2) configure port-channel in physical interfaces
    -- port-channel will be created automatically
    3)create trunking encapsulation or access port mode directly in port-channel interface
    4)enable physical interfaces "no shut"
    conf t
    default int ran fa0/1 -3 ( if applicable)
    int ran fa0/1 -3
    shut ( if applicable)
    channel-group 1 mode xxx
    int port-channel 1
    switchport trunk encap dot1q
    switchport mode trunk
    switchport nonegotiate
    switchport trunk allowed vlan 1-10
    res
    Paul

  • File Sharing over IPsec with RV220W

    Hello all,
    Ultimately, the issue is that I have two RV220Ws with an IPsec VPN tunnel between them that appears to be up but that I can't seem to get folder sharing going over. Here's the background.
    I originally had two Netgear FVS318s set up with a VPN tunnel and everything worked as expected. I could connect to the server at the office from a machine at home and browse the files and more importantly do nightly backups of files that had changed at the office over the VPN to the house. The problem with the FVS318s was that for wireless I had to have another device and that the WAN to LAN throughput was something like 7Mbps. Kind of limiting when you consistently get 22Mbps from the ISP.
    So, I bought two Cisco RV220Ws to replace them with. I started by replacing the one at home and was able to get it going with the FVS318 at the office. The VPN was stable and I had no problem browsing the files on the server as I had already been doing. A couple weeks later I replaced the FVS318 at the office with the other RV220W and the VPN came up fine but I lost all ability to file share between the two sites. I've watched the phase 1 and 2 negotiations and they look good from both ends. Looking at the IPsec Connection Status shows IPsec SA Established. I know that the tunnel is there because I can ping various machines at the other site from either end. I've tried just about everything I can think of but I just can not get file sharing going. The other issue is that while I can ping each of the RV220Ws from either end, when I try to hit the distant end's management console through a web browser, I get the initial SSL certificate warning that I click proceed on and then it just sits there spinning trying to load the management console on the distant RV220W. With the FVS318s I could hit the distant end management consoles via browser. So, here's more detail.
    Site: Home
    Subnet: 192.168.1.x
    Comcast Business Class Internet with a static IP
    Site: Office
    Subnet: 10.2.10.x
    Comcast Business Class Internet with a static IP
    I know the difference between my static (inbound IP) and my gateway (outbound IP)
    I tried creating firewall access rules by defining services as follows:
    FS-TCP: 135 - 139 TCP
    FS-UDP: 135 - 139 UDP
    SMB-TCP: 445 TCP
    SMB-UDP: 445 UDP
    Then the firewall access rules as follows (I'll just give a couple examples so you'll get the gist)
    Connection type: Inbound (WAN(Internet) > LAN (local network))
    Action: Always allow
    Service: SMB-TCP
    Source IP: Single IP
    Start: xxx.xxx.xxx.xxx (this is the gateway IP of the distant end at home)
    Send to Local Server (DNAT IP): 10.2.10.x (the static IP of the server)
    When that wasn't working, I created another set of rules for the internal IPs of the distant end as follows:
    Connection type: Inbound (WAN(Internet) > LAN (local network))
    Action: Always allow
    Service: SMB-TCP
    Source IP: Address Range
    Start: 192.168.1.1
    Finish: 192.168.1.254
    Send to Local Server (DNAT IP): 10.2.10.x (the static IP of the server)
    I also enabled Remote Management of the RV220W as:
    Access Type: Single IP address
    IP Address: xxx.xxx.xxx.xxx (gateway IP of the distant end at home)
    Port 443
    When that didn't work, I created two additional firewall rules for port 443 for the home gateway IP and the internal 192.168.1.x IPs. Still no go.
    So this is where I'm stuck. In the FVS318s I did not have to create any firewall rules for the VPN traffic. I started off with no rules for the RV220W because I didn't expect it'd need them and then I began adding the firewall rules in order to troubleshoot. Here's the funny thing. If I drop the FVS318 back into place at the office site, it all works as expected.
    So where do I go from here guys? About the only thing I haven't done is burn down the VPN tunnel in the RV220Ws and I haven't done that because I can ping hosts on either end and if I drop the FVS318 back into place it works fine. I'm totally stumped and would sincerely appreciate any assistance anyone could provide. If you need additional configuration information, I can provide that.
    Thanks.

    Thanks for answering, I was beginning to worry nobody had any idea how to help.
    The IP subnets did not change on either end.
    I am using the IP address to map. Critical machines are either static IP or reserved in DHCP and are all in the IP range of the VPN Policy.
    I can ping distant end machines in both directions by IP through the tunnel but I can not ping by hostname. I do not have NETBIOS enabled on the VPN policy. I'm using OpenDNS on both sides, so when I try to ping the hostname of the server I get the opendns.com IP back because it couldn't resolve the IP of the hostname during the lookup.
    Sorry for the delay in replying. Unfortunately, one end is at home, the other at my wife's business. During the day, I'm at work on the other side of town from both.

  • Openswan client/Cisco RV220W not connecting

    I am attempting to connect a laptop with an openswan client (Openswan IPsec U2.6.28/K3.0.0-12-generic) with my Cisco RV220W. My connection fails, and the VPN status log shows the following:
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Configuration found for 108.58.YY.YY[500].
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received request for new phase 1 negotiation: 108.58.XX.XX[500]<=>108.58.YY.YY[500]
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received unknown Vendor ID
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received Vendor ID: DPD
    2011-12-06 15:04:59: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:09: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:11: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. c2e6f14d16bef607:02dbd105dcc0b299
    2011-12-06 15:05:19: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:29: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:39: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:49: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:59: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. 5646ff766f579fb0:b221f323a56ba913
    My configuration on the RV220W is as follows:
    VPN Policy:
    Auto Policy
    Remote endpoint is an IP address with 108.58.YY.YY
    Local traffic is a subnet
    Remote traffic is a single IP (same as above)
    Encryption/hash settings are: 3DES, SHA1, no PFS key group, SA lifetime of 3600
    IKE Policy:
    Responder
    Main mode
    Local and Remote use explicit IP addresses
    3des,sha1,pre-shared key,DH group 2,lifetime of 28800,no dead peer detection,no xauth
    On the client, I have the following openswan configuration:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    # Manual:     ipsec.conf.5
    version    2.0    # conforms to second version of ipsec.conf specification
    # basic configuration
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
         # eg:
        # plutodebug="control parsing"
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        interfaces=%defaultroute
        plutodebug=all
        protostack=netkey
    # Add connections here
    conn L2TP-PSK
         # Use a pre-shared key.
          # Connection type _must_ be transport mode
         authby=secret
         keyingtries=3
         type=transport
         # "left" is the local linux machine
         left=%defaultroute
         leftprotoport=17/1701
          # "right" is the remote server
         right=108.58.XX.XX
         rightprotoport=17/1701
         # Do not install on startup
         auto=add
         # SA settings
          ike=3des-sha1-modp1024
         esp=3des-sha1
         keyexchange=ike
         pfs=no
    I would appreciate any insights into what might be going wrong here.

    Were you able to find a solution to your issue? I am having a similar issue connecting to an ASA 5510.
    Thanks!

  • Problem with fax relay between two Cisco 5350

    I have two cisco 5350 with the following setting:
    Originating cisco :
    voice service voip
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    dial-peer voice 1 voip
    huntstop
    destination-pattern 111
    session target ipv4:xxx.xxx.xxx.xxx
    tech-prefix 011
    fax rate 4800
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    no vad
    Terminating cisco :
    dial-peer voice 71 voip
    huntstop
    incoming called-number 111
    fax rate 4800
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    no vad
    voice service voip
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    So using such settings i can not send faxes.
    How can i find the problem ?

    Hi,
    I tried to use ls-redundancy 0 but - no result. When the faxes are trying to connect to each other - I can hear the tones, but it looks like a short tone and then silence.
    Also I used the following commands to solve the problem:
    -fax nfs 000000 at voip peer, fax interface-type and fax interface-type fax-mail. But no result also.

  • Creating a 20MB bandwidth using two cisco asa 5515x with a hub (10/100/1000)

    hi all,
    I would like to simulate a bandwidth of 20MB for my DR project testing on my two cisco asa 5515x and with a cisco hub (10/100/1000).  I was thinking to make two connections on my "outside" vlan with both speed of 10 and etherchannel it and do it again on the other asa.
    Do you think it will simulate 20MB bandwidth?  Or any other suggestion?  Please add any comment, thanks to all.

    Hi Nicholas,
    You have the HSRP running between your core devices. You can have your core A - ASA1 & Core-B - ASA2.
    In your core switch you need to have a separate VLAN to connect the uplink to the firewall, and as usual in the ASA you can have the primary and standby address configured, and in the core you can also have the VLAN with the HSRP IP configured.
    But make sure that in your firewall you mention the static routes for each subnet pointing to the core device HSRP.
    The other scenario is to make your ASAs standalone firewalls; in one firewall you need to have a route to core A as primary and core B as secondary, and in the other firewall vice versa, so that your traffic will get load balanced.
    Please do rate if the given information helps.
    By
    Karthik

  • Cisco 4510E with two supervisor 8 problem

    dear all
    today we received a new 4510R+E switch with two redundant supervisors.
    My problem is that when I start the switch it works fine for 10 minutes, and after that it stops forwarding data.
    I tried to force a switchover to the standby supervisor; it goes back to working for 10 minutes and after that stops again.
    any ideas

    This is the only thing we found. we are trying it out tonight
    https://supportforums.cisco.com/discussion/12162221/catalyst-4506-e-sup-8e-arp-issues-any-vlan?referring_site=bss&channel=bdp

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I´ve just bought as the old dlink has broken). This RV220W is connected to a cisco router (managed by provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field, Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don´t know how to do it.
    8. As you see, the problem is that I don´t know how to set up a rule to allow specific traffic coming from the WAN (traffic from remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that I can do the same here. I mean, do you always have to point to a server IP inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice, that would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom
    Please mark answered for helpful posts

  • IPSEC issue in Cisco IAD 2431

    Hello all,
    I came across something when I was troubleshooting IPSEC VPN connections between two Cisco IAD 2431s. Here is a snapshot of the config on one of the routers:
    crypto map vpnmap 6 ipsec-isakmp
    description To_Grovecity
    set peer X.X.X.X
    set transform-set vpnset
    match address To_Grovecity
    crypto map vpnmap 10 ipsec-isakmp
    description To_Datacenter
    set peer Y.Y.Y.Y
    set transform-set vpnset
    match address To_Datacenter
    qos pre-classify
    ip access-list extended To_Grovecity
    permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
    ip access-list extended To_Datacenter
    permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
    From this router's LAN interface (10.24.96.1), I couldn't ping the router's LAN interface corresponding to the Grovecity peer, which is x.x.x.x. The LAN interface at Grovecity is 10.80.103.3
    As soon as I removed the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" which was unnecessarily present in the To_Datacenter ACL, things started working.
    What confuses me is that, since the crypto map vpnmap for Grovecity is at sequence 6 and is before the vpnmap for Datacenter, the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" under the To_Datacenter ACL would never be considered, and it doesn't matter if that statement is present in the ACL or not, but apparently it does. Has anyone faced this before, or am I missing something?
    Thanks
    Mukundh

    Hi,
    In order to successfully build a SA, the L2L peers need to exchange the same exact ACE (mirror of each other) along with other parameters like the transform-set, PFS group (if configured)...
    Otherwise Phase II does not come up.
    Thanks.
    Portu.
    Please rate any helpful posts.
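
A check for the situation in this thread, as an added example (not code from the posters or from Cisco): it parses the crypto map and ACL lines quoted in the question, reports any traffic selector matched by more than one crypto map sequence, and tests the mirrored-ACE requirement described in the reply. The remote-side ACLs and the name `To_Office` are constructed for illustration, and only contiguous wildcard masks are handled.

```python
"""Audit IOS crypto-map ACLs for overlapping and non-mirrored selectors (added example)."""
import ipaddress
import re
from itertools import combinations

# Lines taken from the configuration quoted in the post; peers are masked as in the post.
LOCAL_CONFIG = """\
crypto map vpnmap 6 ipsec-isakmp
 set peer X.X.X.X
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 match address To_Datacenter
ip access-list extended To_Grovecity
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
 permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
"""

# Constructed remote-side ACLs (not from the post); "To_Office" is a hypothetical name.
REMOTE_MIRRORED = """\
ip access-list extended To_Office
 permit ip 10.80.103.0 0.0.0.255 10.24.96.0 0.0.0.255
"""
REMOTE_ANY = """\
ip access-list extended To_Office
 permit ip any any
"""


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Assumption: contiguous wildcard masks only; ipaddress reads them as host masks.
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse_config(text):
    """Return ({seq: {"peer", "acl"}}, {acl_name: [(src_net, dst_net), ...]})."""
    maps, acls = {}, {}
    cur_map = cur_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            cur_map, cur_acl = int(m.group(1)), None
            maps[cur_map] = {"peer": None, "acl": None}
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur_acl, cur_map = m.group(1), None
            acls[cur_acl] = []
        elif cur_map is not None and (m := re.match(r"set peer (\S+)", line)):
            maps[cur_map]["peer"] = m.group(1)
        elif cur_map is not None and (m := re.match(r"match address (\S+)", line)):
            maps[cur_map]["acl"] = m.group(1)
        elif cur_acl is not None and line.startswith("permit ip "):
            tokens = line.split()[2:]
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            acls[cur_acl].append((src, dst))
    return maps, acls


def find_overlaps(maps, acls):
    """List selectors claimed by two crypto map sequences: (low_seq, high_seq, src, dst)."""
    hits = []
    # Crypto map entries are evaluated in ascending sequence order.
    for lo, hi in combinations(sorted(maps), 2):
        for s1, d1 in acls.get(maps[lo]["acl"], []):
            for s2, d2 in acls.get(maps[hi]["acl"], []):
                if s1.overlaps(s2) and d1.overlaps(d2):
                    hits.append((lo, hi, str(s2), str(d2)))
    return hits


def missing_mirrors(local_aces, remote_aces):
    """Return local ACEs with no exact mirror (source and destination swapped) on the peer."""
    remote = set(remote_aces)
    return [(s, d) for s, d in local_aces if (d, s) not in remote]


if __name__ == "__main__":
    maps, acls = parse_config(LOCAL_CONFIG)
    for lo, hi, src, dst in find_overlaps(maps, acls):
        print(f"seq {hi} ({maps[hi]['acl']}) repeats {src} -> {dst}, "
              f"already matched by seq {lo} ({maps[lo]['acl']})")
    for label, text in (("mirrored", REMOTE_MIRRORED), ("any/any", REMOTE_ANY)):
        _, remote = parse_config(text)
        gaps = missing_mirrors(acls["To_Grovecity"], remote["To_Office"])
        print(f"remote ACL {label}: {len(gaps)} local ACE(s) without a mirror")
```
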

  • Using SVTI with non Cisco peers

    Hello Community,
    I have a particular setup in mind, but can't get it to work in a GNS3 environment to have it tested before trying it in our production setup.
    We have a setup using two VPN routers (3845) with HSRP, BGP and VRF (with rri), using a classical setup with crypto maps, connecting other parties to our DC. We do not manage the peer hardware in these cases.
    I have been looking into the possibilities to move from this setup to a setup using SVTI with IPSEC. This change must be transparent to our peers; no config changes should be needed on their component(s).
    So I've built our setup in GNS3 (apart from the BGP and VRF) to test this. I have the current IPSEC VPN with crypto maps working in GNS3, with both sides using the same (Cisco) setup in terms of ISAKMP and IPSEC with an ACL.
    I've made the changes on "our" HSRP VPN setup according to the "IPsec Virtual Tunnel Interface" guide from the Cisco site in GNS3 (can't seem to find the link to the online doc).
    It looks like the tunnel is being built, but phase two is not completing, because of, I think, the mismatch between both peers on the encryption domain. The VTI side uses routing through the Tunnel interface, sending "IP any any" to the peer, whereas the peer uses an ACL expecting a specific source and destination.
    Here's a debug snippet (ignore the date/time) seen from the peer (using an ACL):
    *Mar  1 02:02:45.199: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address xx.xx.xx.xx
    *Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): IPSec policy invalidated proposal
    *Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): phase 2 SA policy not acceptable! (local xx.xx.xx.xx remote yy.yy.yy.yy)
    *Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    In this post, https://supportforums.cisco.com/message/3052235#3052235, it is suggested that when using a setup with VTI's, both sides/peers should use the same kind of setup i.e. VTI. I can imagine this to be realistic when you manage both peers.
    All Cisco docs assume both peers use (S|D)VTI.
    My questions:
    1. Is it possible to have a setup where PeerA (Cisco hardware) uses SVTI with IPSEC and PeerB is unknown (can be any vendor) or uses some kind of ACL, given that all other encryption settings match?
    2. Does anyone have experience with such a setup? If so, can you provide me with an example configuration?
    3. Is there another similar solution using virtual interfaces or a loopback interface?
    Thank you kindly for your input.
    Avinash
    I hope you can help me

    Hi there,
    Here is the related info for BE3000;
    Q. Does Cisco Business Edition 3000 support third-party SIP phones and shared-port-adapter (SPA) phones?
    A. No.
    From;
    http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps11370/qa_c67-697016.html
    Cheers!
    Rob
    "Talk about a dream
    Try to make it real" 
    - Springsteen

  • Connect ShrewSoft vpn client to Cisco RV220W

    Hi ,
    I can't get QuickVPN work with Cisco RV220W router, so configured ShrewSoft vpn client
    to connect to router with xauth advanced vpn configuration. It established tunnel , but no any ping is working from client to office computers or even
    to router IP (gateway) . What is wrong with my setup ?
    "Basic VPN Setup" doesn't allow me to save new "VPN client" : it throws strange error "IPsec VPN configuration
    has failed as the remote end point is already in use" .
    I attached example of xauth advanced vpn configuration
    Thanks
    Alex

    Hi Luis ,
    I did many checks on different Windows XP/7 through different ISP's of QuickVPN , according a lot of Cisco and community documents with same negative result , that it can't ping remote gateway .
    QuickVPN requires so many things to configure and check , that turns it to be impossible for use in company.
    I wanted to configure client-to-gateway VPN with IPsec xauth , that is supported by Cisco Small Business routers.
    Finally i configured client-to-gateway IPsec remote connection using both ShrewSoft and TheGreenBow 3d party VPN application. It was just matter to turn local host (VPN client) adapter mode to virtual with static IP address in subnet , different from remote (gateway) subnet.
    Thanks
    Alexey

  • Two Cisco Routers in one class-c network

    Hello,
    i have two cisco routers, which are connected to one switch. On this switch, there are several servers connected as well.
    When i connected the second cisco router, i got messages on the first router, that there is an ip address conflict. After a few minutes it seems as if the vpn tunnel on the first router breaks down because of this conflict. I'm not sure about this, but when i disconnected the second router again, the vpn tunnel could be established again. The vpn tunnel goes to another router via WAN and ends in the local class-c network, where both routers are in.
    Router1
    LAN 192.168.105.254 (255.255.255.0)
    WAN 212.xxx.xxx.xxx
    ||
    ||
    Cisco Switch
    ||
    ||
    Router2
    LAN IP 192.168.105.253 (255.255.255.0)
    WAN IP 217.xxx.xxx.xxx
    Router1
    int fa 0/1
    ip address 192.168.105.254 255.255.255.0
    Router2
    int fa 0/1
    ip address 192.168.105.253 255.255.255.0
    Could the /24 mask on the interfaces cause the conflicts?
    From the servers, none has the ip 192.168.105.253 or 192.168.105.254 and if i disconnect Router2, the IP 192.168.105.253 is not reachable from any system on the switch.
    So how does this ip address conflict occur?

    hello,
    can you check the router 1 log. with error message you should have a mac address
    May 10 05:32:20.489: %IP-4-DUPADDR: Duplicate address 10.10.10.1 on GigabitEthernet0/1.1, sourced by 0003.oc12.a2c3
    This should help you to identify host already with 192.168.105.253.
    Before connecting Router 2, from Router 1 ping 192.168.105.253 and do a sh arp ?
    HTH,
    regards,
    cisand

  • Making a VoIP call with the Cisco 837 ADSL router

    I would greatly appreciate if could please provide some technical assistance to my questions below:
    Is it possible to make a VoIP call between two 837 ADSL Cisco routers over a 1Mbps ADSL broadband connection?
    If so, can I configure this VoIP connection using either a PPPoE or ATM WAN link?
    Is it possible to make a VoIP call using a Cisco 837 Router while simultaneously surfing the Internet? In other words, do I need two public IP addresses, i.e. one for accessing the internet and one for making the VoIP call, or is one static IP address obtained from my ISP sufficient?
    Is it possible to configure QoS parameters (e.g. RSVP, Voice precedence, Voice codec selection) on this 837 router using PPPoE or can it only be done using an ATM WAN interface?
    Does the Cisco 837 router support both the H.323 and SIP communication protocols? Do I need to purchase a certain IOS operating system version for VoIP calling?
    Do the VoIP dial peers need to be configured with both POTS and VoIP phone numbers or is only one number required?
    Do I need to obtain a special VoIP number from my VoIP service provider? or can I use existing POTS numbers or made up numbers within the dial peers as this situation involves making a private VoIP call between two branch offices using 837 ADSL routers and not via a VoIP service provider.
    Finally, can I use POTS ordinary telephones with the Cisco 837 for making VoIP calls or do I strictly need to purchase VoIP phones?
    My apologies for the number of questions asked here but I currently need to know the technical ability of the Cisco ADSL 837 as I am thinking of employing these routers in my company organisation.
    I await your feedback in due course.
    Thanks,
    Martin Healy

    Hi,
    I give you a sample config of my router.
    class-map voice
    match access-group 101
    policy-map mypolicy
    class voice
    priority 128
    class class-default
    fair-queue 16
    ip subnet-zero
    gateway
    interface Ethernet0
    ip address 20.20.20.20 255.255.255.0
    no ip directed-broadcast (default)
    ip route-cache policy
    ip policy route-map data
    interface ATM0
    ip address 10.10.10.20 255.255.255.0
    no ip directed-broadcast (default)
    no atm ilmi-keepalive (default)
    pvc 1/40
    service-policy output mypolicy
    protocol ip 10.10.10.36 broadcast
    vbr-nrt 640 600 4
    ! 640 is the maximum upstream rate of ADSL
    encapsulation aal5snap
    bundle-enable
    h323-gateway voip interface
    h323-gateway voip id gk-twister ipaddr 172.17.1.1 1719
    h323-gateway voip h323-id gw-820
    h323-gateway voip tech-prefix 1#
    router eigrp 100
    network 10.0.0.0
    network 20.0.0.0
    ip classless (default)
    no ip http server
    access-list 101 permit ip any any precedence critical
    route-map data permit 10
    set ip precedence routine
    line con 0
    exec-timeout 0 0
    transport input none
    stopbits 1
    line vty 0 4
    login
    voice-port 1
    local-alerting
    timeouts call-disconnect 0
    voice-port 2
    local-alerting
    timeouts call-disconnect 0
    voice-port 3
    local-alerting
    timeouts call-disconnect 0
    voice-port 4
    local-alerting
    timeouts call-disconnect 0
    dial-peer voice 10 voip
    destination-pattern ........
    ip precedence 5
    session target ras
    dial-peer voice 1 pots
    destination-pattern 5258111
    port 1
    dial-peer voice 2 pots
    destination-pattern 5258222
    port 2
    dial-peer voice 3 pots
    destination-pattern 5258333
    port 3
    dial-peer voice 4 pots
    destination-pattern 5258444
    port 4
    end

  • Etherchannel two cisco 3750 stacks for iscsi?

    I have two sites connected by 96 strands of fibre. At each site I have an IBMv7000 replicating to the other one. For iSCSI traffic I have two Cisco 3750 switches, each in a 2-switch stack.
    SAN A                         Fibre Link                          SAN B
            |                                                                        |
    Cisco Stack A =========================Cisco Stack B
            |                                                                        |
            |                                                                        |
    iSCSI Clients                                                       iSCSI Clients
    My question: Is it ok to connect the two stacks with etherchannel using the fibre links? Will it provide the necessary redundancy if one of the interfaces goes down?

    What model numbers of 3750 are you using?
    What is the distance between the stacks as this will dictate your fiber run modules.
