Router to Router Dialer VPN

One of my routers is configured with site-to-site VPN. I want this router to accept a dialer VPN from a remote router.
The remote router will be configured as dialer VPN as there is no live IP available at the remote site. I don't want to configure it as site-to-site VPN.
Please refer me to some document to achieve this goal.

Hi Karsten -
I'm afraid I cannot use the EasyVPN feature at all.
The vendor informs me that there is another IPSec VPN tunnel which connects back to their office to provide other capabilities.
So I have to use L2L IPSec -- and do it with a dynamic IP from the router side, to a fixed IP on the ASA side.
Is it possible to build the tunnel-group on the ASA side so that it doesn't require a known IP for the remote side of the tunnel?
I'm using DefaultL2L tunnel group (on the ASA) at the moment to terminate the VPN when the router is using the satellite connection via FA0/1, with a fixed IP address.
But the DefaultL2L group doesn't have the IP of the router -- yet it works...
The same VPN config, used from the FA0/0 interface of the router with the same crypto map
just gives the traditional "No match, deleting SA" message..
I can see the router trying to establish the VPN, but it's just not able to negotiate, and the only reason I could think of was that the FA0/0 interface had a DHCP address instead of a static IP.
Strange that it works OK with the ASA's DefaultL2L tunnel group, with no mention of the router's FA0/1 static IP, yet the FA0/0 with a dynamic IP won't work.
We did just hook up the satellite and used FA0/1 to test it -- vpn came up instantly...

Similar Messages

  • Overwrite dynamic (eigrp) route when external dials into router

    Hi
    I would like to find a way to overwrite a dynamic (eigrp) route with a routing entry pointing to a dialer interface, when someone has dialed into this dialer interface.
    Does any of you know a way this can be done?
    Thanks in advance and kind regards
    Mark

    Thanks for your reply.
    Until now I have heard of reverse route injection only in conjunction with setting up VPN connections. And a quick search doesn't show much. But I keep on searching.
    Maybe I should tell something more about my setup. There are 2 routers (both 2612). On the LAN side they do HSRP. And on the WAN side each of them has 2 BRI interfaces connected to a multi-line-hunting-group for dialin and dialout. On the LAN I do EIGRP and so overwrite a static route pointing to the dialer on the second router because of an administrative distance of 200 at the static route.
    When dialing out everything works fine. But when someone dials in to the second router (which is the HSRP standby one) the routing table of this router isn't changed/updated. I had expected something like a "directly connected" event to put a new entry in the routing table pointing to the now connected dialer interface. But this does not happen.
    What I'm looking for is a way this can be done, so that there is a backward pointing route on the HSRP standby router for the dialed-in sites.
    Is there a way to do this?
    Regards
    Mark

  • Dynamic Routing for Failover L2L VPN

    Hi,
    Can someone offer me some guidance with this issue please?
    I've attached a simple diagram of our WAN for reference.
    Overview
    Firewall is ASA 5510 running 8.4(9)
    Core network at Head Office uses OSPF
    Static routes on ASA are redistributed into OSPF
    Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
    Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
    Branch Office WAN uses BGP - Routes are redistributed into OSPF
    The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
    Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
    Backup BO router (.253) only contains a default route to internet
    Under normal operation, traffic to/from BO uses Local Branch Office WAN
    If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
    I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
    I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into it's routing table as a Static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.
    I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
    I suppose what I need to know is; Is this design feasible, and if so where am I going wrong?
    Thanks,
    Paul

    Hi Paul,
    your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP-SLA on the ASA to push network traffic "10.10.10.0/24" based on the echo-reply.
    Please look at the example below; it shows the traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.
    This config will go on ASA,
    route inside 10.10.10.0 255.255.255.0 10.0.0.2 track 10
    (assuming 10.0.0.2 is the peering IP of the inside IP address of the router at HO)
    route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
    (value 254 is the higher cost of the route to go via the IPSec tunnel and x = the default gateway of the ISP)
    sla monitor 99
    type echo protocol ipIcmpEcho 10.10.10.254 interface inside
    num-packets 3
    frequency 10
    sla monitor schedule 99 life forever start-time now
    track 10 rtr 99 reachability
    Let me know, if this helps.
    thanks
    Rizwan Rafeek

  • Router to Router VPN with Overlapping internal networks

    Hello Experts,
    One quick question. How do I configure a Router to Router VPN with overlapping internal networks???
    Both of my internal networks have ip address of 192.168.10.0 and 192.168.10.0
    Any link or config will be appreciated. I've been looking but no luck.
    Thanks,
    Randall

    Randall,
    Please refer the below URL for configuration details:
    Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
    Let me know if it helps.
    Regards,
    Arul
    ** Please rate all helpful posts **

  • Router-to-Router VPN Security

    Hi there,
    Should we worry about the security of router-to-router VPN over the Internet (IPSec)?
    We have two offices.
    Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
    Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
    Office B has private subnets that extend to 7 hops away. (running RIP)
    If we want to set up a site-to-site VPN between these two offices, should we set it up on ASA's or routers?
    If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
    How do we defend our routers then?
    Thanks in advance!
    -Andrew

    Hi,
    when it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
    The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
    Rgds, MiKa

  • 887 router issue - data via VPN

    Hi
    I am having an issue I just can't get my head around, probably simple but I can't see the answer.
    We have a 887VAW router that connects via VPN to our HQ. From a site/user perspective everything works fine.
    Wireless and hard wire works for internet and data to HQ.
    The issue I am having is if I telnet to the router, I can't ping HQ from the CLI, but if I use ping and specify the router's IP as the source, the ping is successful.
    Router#ping 172.16.1.67 source 172.16.109.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.67, timeout is 2 seconds:
    Packet sent with a source address of 172.16.109.1
    Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/64 ms
    Router#ping 172.16.1.67
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.67, timeout is 2 seconds:
    Success rate is 0 percent (0/5)

    Hi,
    By default, if you do not mention the source ip, the traffic goes with source ip of the outside interface.
    This outside ip address is not encrypted by the vpn (interesting traffic acl).
    Regards,
    Pedro Lereno
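
Pedro's explanation can be checked offline by evaluating each ping against the crypto (interesting-traffic) ACL with IOS wildcard-mask matching. This is an added example, not part of the original thread; the ACL line and the outside interface address 203.0.113.10 are assumed values, because the poster's configuration is not shown.

```python
import ipaddress

# Constructed crypto ACL (assumption: the thread never shows the real one).
# It protects the branch LAN 172.16.109.0/24 towards HQ 172.16.0.0/16.
CRYPTO_ACL = """
access-list 110 permit ip 172.16.109.0 0.0.0.255 172.16.0.0 0.0.255.255
"""

# Assumed address of the router's outside (WAN) interface; not from the thread.
OUTSIDE_IP = "203.0.113.10"


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_endpoint(tokens):
    """Consume one source or destination spec; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # this sketch only handles plain 'ip' entries
        src, rest = _parse_endpoint(tokens[4:])
        dst, _ = _parse_endpoint(rest)
        rules.append((tokens[2], src, dst))
    return rules


def _matches(addr, spec):
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(addr) & care) == (base & care)


def is_interesting(rules, src, dst):
    """First matching entry wins; no match is an implicit deny (not encrypted)."""
    for action, src_spec, dst_spec in rules:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action == "permit"
    return False


def ping_result(rules, dst, source=None):
    """Model a router-originated ping: without 'source', the egress
    (outside) interface address is used, as described in the reply above."""
    src = source or OUTSIDE_IP
    return src, is_interesting(rules, src, dst)


if __name__ == "__main__":
    rules = parse_acl(CRYPTO_ACL)
    for source in ("172.16.109.1", None):
        src, encrypted = ping_result(rules, "172.16.1.67", source)
        state = "matches crypto ACL" if encrypted else "no crypto ACL match"
        print(f"ping 172.16.1.67 from {src}: {state}")
```
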

  • Injecting Global default Routes into a MPLS VPN

    Hi,
    I have a PE router running MPBGP which receives two default routes to the internet through an IPV4 BGP session. I need to import these routes in to a VRF and export them to different customer VRFs so that these VRFs are able to access Internet.
    I have used the feature called "BGP Support for IP Prefix Import from Global Table into a VRF Table" (URL:http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803b8db9.html#wp1063870)
    and imported these routes into a VRF.
    The issue is these routes are not propagated to any of the other PE routers which have customer VRFs configured.
    Has anybody tried this or a similar method to inject a dynamic default route into a MPLS VPN.
    Any suggestions would be highly appreciated.
    Thanks
    Subhash

    Hi Subhash,
    is there anything preventing you from terminating your internet BGP sessions in a VRF? Then everything should go smoothly, i.e. standard VRF import/export.
    So possibility A) create a VRF Internet, move bgp neighbor commands there and use filters preventing anything but the default route, then use route targets to distribute the default route into other VRFs.
    Possibility B) use static routing with packet leaking. Could look like this:
    ip route vrf Internet 0.0.0.0 0.0.0.0 global
    ip route vrf Internet 0.0.0.0 0.0.0.0 global 250
    ip route Serial0/0 !assuming this is where the customer router connects.
    Note: the BGP peer IP does not have to be directly connected! There has to be an LDP label for it though. So include your BGP peer's network in your IGP and the backup will work when you lose the link to the peer.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Routes and Routes Determination

    Hello All,
    I'm basically a technical person and I'm doing recording for routes and routes determination.
    I am facing one problem.
    While executing transaction 0vtc in one system, while saving data it's asking for a transport request.
    And when I execute the same transaction in the IDES system, and when I save data, it does not ask for the transport request.
    Is there any config for that?
    Please help me out...its required asap..
    thanks,
    jigs
    Helpful ans will be rewarded.

    Hi
    not sure if this would help. but going through some of the older posts here, here's something I gathered:-
    ++++++++++++++++++++++
    It also depends on the client settings, which is done by the BASIS guys. If the client settings are done in such a way that system should not generate requests then it will not generate a request.
    If the system is created as a Sandbox then also system will not ask for a request.
    using the T codes SE01 where all the list can be viewed, then select the task or transport request and click on the truck button.
    +++++++++++++++++++++
    hope it's a start

  • Difference between Routing & Rate Routing

    Hi All,
    can anyone tell me difference between Routing & Rate Routing? can we use routing for REM? if no, then what will be the effect?
    Thanks,
    Rinky

    Hi Rinky ,
    Routing and rate routing are task lists in a broad manner.
    standard task list: Describes the worksteps necessary to produce a material or perform an activity without reference to an order.( that means they are created without reference to order )
    Essential objects of a task list are header, operations, material component allocations, production resources/tools and inspection characteristics.
    Together with specific dates and quantities, task list data forms an important part of the order.
    The following task list types exist in the R/3 System:
    routing
    reference operation set
    rate routing
    reference rate routing
    inspection plan
    maintenance task list
    standard network
    master recipe
    Routing is created with ca01 and rate routing by ca21.
    Routing is used in discrete manufacturing and rate routing in repetitive.
    Rate routing generally has only one operation and prod line instead of work centers and operations in routings.
    Both routings can be used for scheduling, costing and capacity planning.
    Hope this was helpful answer !
    Neal
    Edited by: Neal Gibson on Jun 30, 2008 11:46 AM

  • Routing & rate routing

    hello everyone,
    Myself Rekha Bamgude, I want to know the difference between routing & rate routing?

    Hi rekha to get a quick (or any) response, create your new discussion in a space related to your query.  This way it will be visible to topic experts who will then see and reply to it.   
    Please move this thread to the relevant forum Enterprise Resource Planning (SAP ERP)
    as you mention
    i want to know difference between routing & rate routing?
    Many times we told this word (Search before you post ).
    please see this thread for more details.
    Difference between routing and rate routing
    poorna

  • Routes and route groups expanded

    Is there any way to force the routes and route groups to show un-expanded when I click on the Routes/Groups tab in switch executive? I have many and it is difficult to navigate when they are all expanded.
    kph

    Hi kphite,
    At this time, there is no method to force the collapse of the routes and route groups.  However, thank you for this product suggestion.  Just so you know, we have previously considered the implementation of such a feature and agree that this functionality would be beneficial.  We do have it in our plans for future revisions of NI Switch Executive. 
    Thanks again!
    Chad Erickson
    Switch Product Support Engineer
    NI - USA

  • ISR router EIGRP Route Tag

    Hi,
    Wondering any one has successfully set route tag for EIGRP routes?
    What I am trying to achieve here is to set route tag for the summary routes of the connected interfaces and subnets of some other connected interfaces.
    Let's say an ISR router R1 with IOS 15.1(4)M3 has three interfaces running with EIGRP.  
    Interface Gi0/0 
    ip add 172.16.0.1/24
    summary-add 172.16.0.0/16
    Interface Gi0/1 
    ip add 172.16.1.1/24
    summary-add 172.16.0.0/16
    Interface Gi0/2 
    ip add 192.168.2.1/24
    I am having difficulty to set route tag for summary add 172.16.0.0/16 and 192.168.2.0/24 before they get advertised to another router.
    Any idea please?
    Thanks
    Cedar

    Duplicate posts.  
    Go here:  https://supportforums.cisco.com/discussion/12256521/isr-router-eigrp-route-tag

  • How to verify the routes from router when Polycom device Initiates traffic

    Hi,
    Could anyone please assist me in finding out the routes when Polycom device initiated traffic towards the BCS global.
    1) Polycom equipment is connected to the internal LAN of the customer and it's traversing through the router,
    I checked though Ip accounting when the user initiates the traffic. (polycom device ip is x.x.x.10 and BCS global network is aa.aa.aa.0). When i checked IP accounting i found the destination ip is x.x.x.10 and source ip is aa.aa.aa.205 when user initiates traffic from Polycom device.
    2) I also found the static route in router for BCS global network (aa.aa.aa.0) but when I tried to trace route to IP address (aa.aa.aa.205) the output shows:
    1. * * *
    2. * * *
    10) * * *
    Could anyone please assist me: is there any other way to find out the routes?

    Thanks, this did it for me. The verification from rommon was ok and I guess I can trust the rom even when not comparing the information with cisco webpage.

  • Help with Remote access VPN on Cisco router 3925 via Dialer Interface

    Hi Everybody,
    I need help for my work now, I would appreciate it if someone can fix my problem. I have a Cisco router 3925 and access the Internet via a PPPoE link. I want to configure VPN Remote Access using the Cisco VPN client software. But it doesn't work. Here is my router config:
    HUNRE#show running-config
    Building configuration...
    Current configuration : 5515 bytes
    ! No configuration change since last restart
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname HUNRE
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
    enable password cisco
    aaa new-model
    aaa session-id common
    crypto pki trustpoint TP-self-signed-1050416327
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1050416327
     revocation-check none
     rsakeypair TP-self-signed-1050416327
    crypto pki certificate chain TP-self-signed-1050416327
     certificate self-signed 01
            quit
    ip name-server 210.245.1.253
    ip name-server 210.245.1.254
    ip cef    
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
    vpdn-group 2
    license udi pid C3900-SPE100/K9 sn FOC1823839B
    license boot module c3900 technology-package securityk9
    username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
    username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
    redundancy
    track 1 ip sla 1 reachability
    track 2 ip sla 2 reachability
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group VPN-HUNRE
     key hunre
     dns 8.8.8.8
     domain hunre
     pool IP-VPN
     acl 199
     max-users 100
    crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
     mode tunnel
    crypto dynamic-map DYNMAP 1
     set transform-set encrypt-method-1
    crypto map VPN client configuration address respond
    crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip mtu 1492
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description FPT
     no ip address
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface GigabitEthernet0/2
     description Connect to CMC
     no ip address
     ip mtu 1442
     ip nat outside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 2
     no cdp enable
    interface Dialer1
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname [USERNAME]
     ppp chap password 0 [PASSWORD]
     ppp pap sent-username [USERNAME] password 0 [PASSWORD]
     ppp ipcp dns request
     crypto map VPN
    interface Dialer2
     description Logical ADSL Interface 2
     ip address negotiated
     ip mtu 1442
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1344
     dialer pool 2
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname [USERNAME]
     ppp chap password 0 [PASSWORD]
     ppp pap sent-username [USERNAME] password 0 [PASSWORD]
     ppp ipcp address accept
     no cdp enable
    ip local pool IP-VPN 10.252.252.2 10.252.252.245
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 10 interface Dialer1 overload
    ip nat inside source list 11 interface Dialer2 overload
    ip nat inside source static 10.159.217.10 interface Dialer1
    ip nat inside source list 199 interface Dialer1 overload
    ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
    ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.159.217.0 255.255.255.0 192.168.1.8
    ip sla auto discovery
    ip sla responder
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    access-list 10 permit any
    access-list 11 permit any
    access-list 101 permit icmp any any
    access-list 199 permit ip any any
    control-plane
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     password cisco
     transport input all
    line vty 5 15
     password cisco
     transport input all
    scheduler allocate 20000 1000
    ntp master
    end
    However, I cannot ping interface Dialer 1. I am using Cisco VPN client software ver 5.0.07.0290.
    Hoping for your answers!
    Thanks

    Hi David Castro,
    Thanks for your answer,
    I configured it following your guide, but it has not worked yet. I saw that I cannot ping the Internet gateway IP. I am using ADSL Internet with PPPoE configured, and my router receives its IP from the ISP. Here is show ip int brief:
    GigabitEthernet0/0         192.168.1.1     YES NVRAM  up                    up      
    GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
    GigabitEthernet0/2         unassigned      YES NVRAM  up                    up      
    Dialer1                    210.245.54.49   YES IPCP   up                    up      
    Dialer2                    101.99.7.73     YES IPCP   up                    up      
    NVI0                       192.168.1.1     YES unset  up                    up      
    Virtual-Access1            unassigned      YES unset  up                    up      
    Virtual-Access2            unassigned      YES unset  up                    up      
    Virtual-Access3            unassigned      YES unset  up                    up 
    But I cannot ping interface Dialer 1, so maybe the VPN does not work. Do you have any idea?
    Thanks very much !

  • One router, multiple separate dial-in VPN configs... can it be done?

    I have one WAN edge (Internet) router shared by two, closely related, companies; one WAN port, two LAN ports. The companies have a different WAN public IP address then NAT into different LAN internal addresses.
    Is there any way to configure dialin PPTP VPN with different parameters depending on the IP address the request comes in on?
    (eg: If I want to VPN to company1, I go to a certain IP address, and If I want to VPN to company2, I go to a certain different IP address.)
    Basically, both companies want people to VPN in (using the standard Microsoft VPN client), but authentication will be done with different RADIUS (IAS) servers and the VPN clients will need to get their IP addresses from different pools.
    Is this possible?
    Is it possible if I use a different VPN client (eg: Cisco VPN client?)

    You can use the IOS feature reliable static route using object tracking to detect the Metro trunk failure and force the ISDN backup to takeover the routing using a floating static route.
    Check out this link for more information and configuration steps.
    http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
    HTH
    Sundar
