VPN SITE to SITE (RV520-FE-K9 TO RV042)

Hello everybody,
I've got some issues here, so I hope you can help me out.
What I'm trying to do is set up a VPN between these two routers; I've checked the configuration many times but I didn't find the problem.
PS: Sorry for hiding the public addresses and info; it's just that my company does not want to share them.
Here's the debug from the SR520:
*Mar  3 16:06:12.359: ISAKMP (0:0): received packet from xxxx.xxxx.xxxx.xxxx dport 500 sport 500 Global (N) NEW SA
*Mar  3 16:06:12.359: ISAKMP: Created a peer struct for 1xxxx.xxxx.xxxx.xxxx, peer port 500
*Mar  3 16:06:12.359: ISAKMP: New peer created peer = 0x83B94084 peer_handle = 0x8000000B
*Mar  3 16:06:12.359: ISAKMP: Locking peer struct 0x83B94084, refcount 1 for crypto_isakmp_process_block
*Mar  3 16:06:12.359: ISAKMP: local port 500, remote port 500
*Mar  3 16:06:12.359: insert sa successfully sa = 847E3DB8
*Mar  3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 16:06:12.363: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  3 16:06:12.363: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  3 16:06:12.363: ISAKMP:(0):No pre-shared key with xxxx.xxxx.xxxx.xxxx!
*Mar  3 16:06:12.363: ISAKMP : Scanning profiles for xauth ...
*Mar  3 16:06:12.363: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar  3 16:06:12.363: ISAKMP:      life type in seconds
*Mar  3 16:06:12.363: ISAKMP:      life duration (basic) of 28800
*Mar  3 16:06:12.363: ISAKMP:      encryption DES-CBC
*Mar  3 16:06:12.363: ISAKMP:      hash MD5
*Mar  3 16:06:12.363: ISAKMP:      auth pre-share
*Mar  3 16:06:12.363: ISAKMP:      default group 1
*Mar  3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Mar  3 16:06:12.363: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  3 16:06:12.363: ISAKMP:(0):no offers accepted!
*Mar  3 16:06:12.363: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx.xxxx.xxxx.xxxx remote 1xxxx.xxxx.xxxx.xxxx)
*Mar  3 16:06:12.363: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  3 16:06:12.363: ISAKMP:(0): sending packet to xxxx.xxxx.xxxx.xxxx my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar  3 16:06:12.363: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  3 16:06:12.363: ISAKMP:(0):peer does not do paranoid keepalives.
ot accepted" state (R) MM_NO_STATE (peer 1xxxx.xxxx.xxxx.xxxx)
*Mar  3 16:06:12.363: ISAKMP (0:0): FSM action returned error: 2
*Mar  3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 16:06:12.363: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  3 16:06:12.367: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer xxxx.xxxx.xxxx.xxxx)
*Mar  3 16:06:12.367: ISAKMP: Unlocking peer struct 0x83B94084 for isadb_mark_sa_deleted(), count 0
*Mar  3 16:06:12.367: ISAKMP: Deleting peer node by peer_reap for xxxx.xxxx.xxxx.xxxx: 83B94084
*Mar  3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  3 16:06:12.367: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
*Mar  3 16:06:12.367: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  3 16:06:12.367: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 190.75.132.212)
*Mar  3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar  3 16:06:12.367: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
HERE'S THE CONFIGURATION SR520:
Current configuration : 5091 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SR520_LEBRUN
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 $1$UuTx$Y.koYevk4/LPbBf64zkuS0
aaa new-model
aaa authentication login default local
aaa authentication login tango_authen_login line local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
aaa session-id common
crypto pki trustpoint TP-self-signed-3291959072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3291959072
revocation-check none
rsakeypair TP-self-signed-3291959072
crypto pki certificate chain TP-self-signed-3291959072
certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323931 39353930 3732301E 170D3032 30333032 32313534
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32393139
  35393037 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BBD5 6B0E11F1 D03D650E 22115792 E4CBC7A1 F2B744E6 AE965A32 36220A4B
  42BC3422 2291666D D013575C E56640E5 59327E55 F9DE394E 4AC4F9EF 6C25D0ED
  15F402F3 E2CDFEC5 B4E5CC55 CEC08A98 98EAEDCD 3A6C6D97 329FBC31 21502310
  DF5E553A F158389E 555BE050 81E888C0 261E0E86 BE3498D7 71991DBF 68250D68
  BCAF0203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
  551D1104 1F301D82 1B535235 32305F4C 45425255 4E2E6C65 6272756E 5F6E6370
  2E636F6D 301F0603 551D2304 18301680 14E61EB4 559D8ACF 0A51400E E47A2A17
  1D85DAF7 A6301D06 03551D0E 04160414 E61EB455 9D8ACF0A 51400EE4 7A2A171D
  85DAF7A6 300D0609 2A864886 F70D0101 04050003 81810031 A3CB3462 64797A5B
  81BBC615 0044A2A4 4E392911 FB79B865 63E51183 A4DDC805 DBD9C8AD 3199C6FE
  8791B246 E94D2CE5 59D7288B 6D72A231 FB9E4EFE 67167CF2 822145EB 372E666E
  8289DE17 3187B72E 620BE58E C864F8B3 D84308A0 29995603 A19A9F94 79955C6F
  666491F6 226F2546 02DDE1D8 112DCF7A 1DC9F003 635972
        quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp pool 1
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   domain-name labrun_ncp.com
   dns-server 200.44.32.12 200.11.248.12
ip cef
ip domain name lebrun_ncp.com
ip ddns update method sdm_ddns1
HTTP
  add http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
no vlan accounting input
no ipv6 cef
multilink bundle-name authenticated
username Admin privilege 15 secret 5 $1$cixn$hZS19piuPlZSX9vDLPCbK1
crypto isakmp policy 1
encryp des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key xxxxxxx address 192.168.4.0 255.255.255.0
crypto ipsec security-association idle-time 300
crypto ipsec transform-set VPN_LEBRUN_TIMON esp-des esp-md5-hmac
crypto map LEBRU_TIMON 1 ipsec-isakmp
set peer xxxx.xxxx.dyndns.org
set transform-set VPN_LEBRUN_TIMON
match address 110
archive
log config
  hidekeys
interface FastEthernet0
description INTERFACE DIRECTLY CONNECTED TO IPPX KX-NCP1000
switchport access vlan 2
interface FastEthernet1
description INTERFACE DIRECTLY CONNECTED TO RECORDING SERVER POLTYS POLTYS_NCP
switchport access vlan 2
interface FastEthernet2
description FREE
switchport access vlan 2
interface FastEthernet3
description FREE
switchport access vlan 2
interface FastEthernet4
description INTERFACE DIRECTLY CONNECTED TO MODEM ADLS NETOPIA 2246n-XG
ip dhcp client update dns server none
ip ddns update hostname xxxx.xxxx.dyndns.org
ip ddns update sdm_ddns1
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map LEBRU_TIMON
interface Vlan1
no ip address
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip default-gateway 192.168.2.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip http server
ip http secure-server
ip http client username Admin
ip http client password 0 xxxx.xxxx
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 115 interface FastEthernet4 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny   ip 0.0.2.0 192.168.4.0 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
control-plane
banner login ^COUTE^C
banner motd ^COUTE^C
line con 0
password telguer001
no modem enable
line aux 0
line vty 0 4
authorization exec tango_author_exec
login authentication tango_authen_login
scheduler max-task-time 5000
end
RV042 CONFIG:
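Added note and worked example (not part of the thread, and not the poster's own code): the line that explains the failure is `No pre-shared key with <peer>!`, logged while the SA payload is being processed. In IKEv1 main mode with pre-shared keys, IOS selects the key by the peer's source IP address before any identity payload has been seen; when no `crypto isakmp key ... address` entry covers that address, the pre-share proposal is rejected and reported as `Preshared authentication offered but does not match policy!`, even though policy 1 (DES, MD5, pre-share, group 1, 28800 s) is exactly what the RV042 offered. In the SR520 config the only key is bound to `192.168.4.0 255.255.255.0`, which is the remote LAN, not the address the RV042 connects from. The key has to be bound to that public address, or to `0.0.0.0 0.0.0.0` for a DynDNS peer whose address changes, with the caveat that a wildcard key accepts any peer that knows the secret, so it needs a strong one (DES/MD5/group 1 are also long deprecated, but that is a separate matter). A second thing in the same config worth checking is `access-list 115 deny ip 0.0.2.0 192.168.4.0 any`: IOS stores an ACL address with the wildcard's don't-care bits cleared, and `0.0.2.0 192.168.4.0` is what IOS makes of `192.168.2.0 192.168.4.0`, i.e. a subnet address typed in the wildcard position. That deny entry only matches hosts whose last octet is 0, and `ip nat inside source list 1` has no deny at all, so once Phase 1 is fixed IOS (which translates before it encrypts) will still NAT the 192.168.2.0/24 to 192.168.4.0/24 traffic and it will never match crypto ACL 110. The Python below reads both facts out of the posted text. It uses 203.0.113.10 as a stand-in for the masked peer address and SECRET as a placeholder key; the sample debug and config strings are constructed from the post.

```python
"""Triage helpers for the IOS IKEv1 main-mode failure in the post above.

Added example, not code from the thread. The sample debug and config text
below is constructed from the posted output, with the masked peer address
replaced by the documentation address 203.0.113.10 and the pre-shared key
replaced by the placeholder SECRET (both assumptions).
"""
import ipaddress
import re

SAMPLE_DEBUG = """\
*Mar  3 16:06:12.363: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  3 16:06:12.363: ISAKMP:(0):No pre-shared key with 203.0.113.10!
*Mar  3 16:06:12.363: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar  3 16:06:12.363: ISAKMP:      life type in seconds
*Mar  3 16:06:12.363: ISAKMP:      life duration (basic) of 28800
*Mar  3 16:06:12.363: ISAKMP:      encryption DES-CBC
*Mar  3 16:06:12.363: ISAKMP:      hash MD5
*Mar  3 16:06:12.363: ISAKMP:      auth pre-share
*Mar  3 16:06:12.363: ISAKMP:      default group 1
*Mar  3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Mar  3 16:06:12.363: ISAKMP:(0):atts are not acceptable. Next payload is 0
"""

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SECRET address 192.168.4.0 255.255.255.0
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny   ip 0.0.2.0 192.168.4.0 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
"""

# Attribute lines in the debug are indented with several spaces after "ISAKMP:".
ATTR_RE = re.compile(r"ISAKMP:\s{2,}(encryption|hash|auth|default group)\s+(\S+)")
# "crypto isakmp key <key> address <addr> [<mask>]"; the mask defaults to /32.
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)(?: (\S+))?", re.M)


def phase1_failures(debug: str) -> dict:
    """Extract what 'debug crypto isakmp' says about a failed main-mode
    exchange: the peer IOS found no key for, the Phase 1 attributes the peer
    offered, and whether the pre-share proposal was rejected."""
    m = re.search(r"No pre-shared key with ([\d.]+)!", debug)
    return {
        "peer_without_key": m.group(1) if m else None,
        "offered": dict(ATTR_RE.findall(debug)),
        "pre_share_rejected": "Preshared authentication offered but does not match policy" in debug,
    }


def keys_for_peer(config: str, peer: str) -> list:
    """Return the 'crypto isakmp key ... address A [M]' entries whose A/M range
    contains the peer. Main mode with PSK selects the key by the peer's source
    IP, so a key bound to the remote LAN (as in the post) never matches."""
    peer_ip = ipaddress.ip_address(peer)
    hits = []
    for addr, mask in KEY_RE.findall(config):
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        if peer_ip in net:
            hits.append(f"{addr} {mask}".strip())
    return hits


def ios_acl_normalize(addr: str, wildcard: str) -> str:
    """IOS stores an ACL address with every don't-care wildcard bit cleared
    (addr AND NOT wildcard), so a subnet typed in the wildcard position shows
    up in the running config as a mangled address such as 0.0.2.0."""
    a = int(ipaddress.ip_address(addr))
    w = int(ipaddress.ip_address(wildcard))
    return str(ipaddress.ip_address(a & ~w & 0xFFFFFFFF))


def acl_entry_matches(addr: str, wildcard: str, ip: str) -> bool:
    """True if the ACL entry 'addr wildcard' matches ip: only the bits the
    wildcard leaves as 0 are compared."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(addr)) & care)


if __name__ == "__main__":
    facts = phase1_failures(SAMPLE_DEBUG)
    print("peer without key:", facts["peer_without_key"], "offered:", facts["offered"])
    print("keys covering peer:", keys_for_peer(SAMPLE_CONFIG, "203.0.113.10"))
    print("typed '192.168.2.0 192.168.4.0' is stored as", ios_acl_normalize("192.168.2.0", "192.168.4.0"))
    print("ACL 115 deny matches 192.168.2.10?", acl_entry_matches("0.0.2.0", "192.168.4.0", "192.168.2.10"))
```

Run as a script it prints the four findings; the same functions take the real debug capture and running-config text, and `keys_for_peer` is the quick way to confirm a proposed key line (fixed address or `0.0.0.0 0.0.0.0`) actually covers the peer before re-testing the tunnel.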

Sorry for butting in....
Have you tried to create the VPN tunnel using the "local" and "remote" security groups as RANGE rather than SUBNET? Really, that should do exactly what you are describing.
When that is configured, the IPSec tunnel does two things:
1. Only allows traffic from IPs defined in the tunnel (both WAN and LAN source and destination) -- this is the ACL
2. Creates a route statement for all allowed devices through the tunnel.
Try this first and let us know, if you already did this please post a log.

Similar Messages

  • VPN Site-to-Site or VPN Client Server with Cisco IP Phone 8941 and 8945

    Hi everyone,
    I decided to deploy a CUCM (BE6K platform), SX20, and IP Phone 8941/8945 at the head office and Cisco SX10 and IP Phone 8941/8945 for the branch offices (actually 9 branch offices).
    The connection will use an internet connection for the HO and each branch office.
    And the IT guy wants to use some kind of VPN client/server or VPN site-to-site for the connection through the internet,
    so what kind of VPN client/server or VPN site-to-site is recommended for this deployment?
    And what type of Cisco router supports that kind of VPN (the cheapest one would be great)?
    So the SX10 and IP Phone 8941/8945 in the branch offices can work properly through the internet connection?
    Please advise.
    Regards,
    Ovindo

    Hi Leo,
    technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.
    However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones,  but not 250 ipsec users and 10 phones.
    If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.
    Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if you do have AnyConnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium licenses cannot co-exist. So for example with 240 AnyConnect users and no phones, you can use Essentials. For 240 AnyConnect users and 10 phones, you need a 250-seat Premium license (and a VPN phone license).
    hth
    Herbert

  • VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042

    Hello guys, does anyone have an example of connecting a Cisco ASA-5505 to an RV-042 by site-to-site VPN? I need to establish a link to connect my UC560 with CUE on a Cisco 2800 router for site-to-site VoIP calls.
    Thanks

    On the ASA running 8.4.3, B side, I believe object "email" is defined incorrectly.
    Existing configuration
    object network email
    host 172.16.0.0
    description 255.255.0.0
    Correct configuration
    object network email
    subnet 172.16.0.0 255.255.0.0

  • How do I configure a VPN Site and Subnets in Lync when clients have /32 Addresses?

    Hello,
    I've found a few people asking this question out on the "interwebs" but no one seems to quite answer their question (those poor souls).
    In most cases that I've seen, my customers have configured their VPN networks with a /24 (255.255.255.0) address. However, when those clients connect to the VPN they are actually getting a /32 (255.255.255.255) address.
    This seems to pose an issue for Lync reporting when it comes to configuring a VPN site and VPN subnets.
    (NOTE:You might ask why these customers are not going about best practice and using split-tunneling?  In this case, they absolutely CANNOT institute split-tunneling so all traffic MUST flow through the VPN tunnel.)
    For example sake, here is how I would imagine to setup a VPN site with subnets in Lync Network Configuration:
    VPN (Site)
        -172.16.33.0  /24 (Subnet)
        -172.16.34.0  /24 (Subnet)
        -172.16.35.0  /24 (Subnet)
    The problem is that when I run a Location Report in Lync to look at call data to/from the VPN site, it's not there. Reason being, the VPN client was given a /32 address which doesn't match up to the /24 I configured in Lync. 
    So, in my mind my options are:
    Create a /32 subnet for each single address corresponding to a VPN client and attach them to the VPN site (What a mess).
    Change the subnet mask for the 3 subnets I've defined to /32 instead of /24 and see what happens even though putting an IP address of 172.16.33.0 /32 doesn't make much sense.
    Remove the subnets and site from Lync because CAC and Bandwidth control are actually useless over VPN.
    Any thoughts on this?
    John K. Boslooper | Lync Technical Specialist | Project Leadership Associates
    Phone: 312.448.2269 | www.projectleadership.net

    Jin,
    /32 is a valid subnet mask; however, that means that a host with an IP address of 192.168.23.4 and a subnet mask of 255.255.255.255 (/32) is the ONLY host on that subnet.
    The VPN configuration is correct.  The /32 mask is common with a Juniper VPN  (which is what they are using) and the DHCP server that is handing out the addresses is the Juniper VPN appliance. 
    They have already started working out a plan to use a different internal DHCP relay which should hand out the addresses correctly. 
    There has to be someone else out there with this issue, or who can point out that I'm overlooking one key principle with VPN subnets.
    Anyone? 
    John K. Boslooper | Lync Technical Specialist | Project Leadership Associates Phone: 312.448.2269 | www.projectleadership.net

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a GRE tunnel

    I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know when I have to use a GRE tunnel over IPsec.

    Hi josedilone19
    GRE is used when you need to pass Broadcast or multicast traffic.  That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
    However, there are some other important aspects to consider:
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a GRE tunnel

    I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know when I have to use a GRE tunnel over IPsec.

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • Please give a sample configuration for VPN site to site on ASA 5512-X v9.1!

    Dear All,
    Could you give a sample config for ASA 5512-X v9.1 for site-to-site VPN? I used to configure it on ASA 5510 v8.2, but on v9.1 I have never configured it.
    My issue is that I don't know how to configure NONAT.
    I saw some configurations, as in the attached file; they just show how to configure the VPN but we did not see the NONAT command.
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_site2site.html
    Best Regards,
    HK

    Hi,
    The new configuration format for NAT0 / NAT Exemption / Identity NAT is the following
    object network SOURCE-NETWORK
    subnet
    object network DESTINATION-NETWORK
    subnet
    nat (inside,outside) source static SOURCE-NETWORK SOURCE-NETWORK destination static DESTINATION-NETWORK DESTINATION-NETWORK
    In the above
    SOURCE-NETWORK contains the network on your side of the network
    DESTINATION-NETWORK contains the network on the remote side of the L2L VPN
    The NAT configuration presumes that you are using interfaces with the name of "inside" and "outside"
    The reason you see each "object" twice in the NAT configuration is that no NAT is performed for them. You would have the option to do NAT for both source and destination, but in this case we don't want that.
    Depending how many source and destination networks we are talking about, this might need some modifying.
    Hopefully this helps
    - Jouni

  • Ipsec VPN site to site, best settings for optimal data transfer

    I have an ISA570 at work and have set up an IPsec site-to-site VPN connection with my router at home, which is an RV180. I'm trying to do large backups from my office to my home storage. Can you tell me what the most efficient settings are, as far as the VPN connection is concerned, to optimize the transfer rate? Also any settings that I may make on my Windows 7 workstation at work. I'm transferring from a workstation to the TeraStation that I have at my home.

    Hi Daniel,
    I noticed that your post was located in the VPN Site to Site area instead of the Small Business Security area. I have moved your post to the correct area so that you will get some help. As a Cisco customer with a service contract, you can call the Small Business Support Center to speak with an engineer. The phone numbers are located here:
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • Cannot ping between remote VPN sites???

    Site A is an L2L VPN, site B is a network-extension VPN; both connect to the same VPN device (a 5510) at the central office and work well. I can ping from the central office to both remote sites, but I cannot ping between these two VPN sites. I tried debug icmp: I can see the ICMP from site A does reach the central office but then disappears, not being sent to site B. Please help...
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    access-list OUTSIDE extended permit icmp any any 
    access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A 
    nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
    crypto map VPN-MAP 50 match address HOLT-VPN-ACL
    crypto map VPN-MAP 50 set peer *.*.56.250 
    crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
    crypto map VPN-MAP interface outside
    group-policy REMOTE-NETEXTENSION internal
    group-policy REMOTE-NETEXTENSION attributes
     dns-server value *.*.*.*
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value REMOTE-NET2
     default-domain value *.org
     nem enable
    tunnel-group REMOTE-NETEXTENSION type remote-access
    tunnel-group REMOTE-NETEXTENSION general-attributes
     authentication-server-group (inside) LOCAL
     default-group-policy REMOTE-NETEXTENSION
    tunnel-group REMOTE-NETEXTENSION ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group *.*.56.250 type ipsec-l2l
    tunnel-group *.*.56.250 ipsec-attributes
     ikev1 pre-shared-key *****
    ASA-5510# show route | include 192.168.42 
    S    192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510# show route | include 192.168.46
    S    192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510# 
    Username     : layson-ne           Index        : 10
    Assigned IP  : 192.168.46.0           Public IP    : *.*.65.201
    Protocol     : IKEv1 IPsecOverNatT
    License      : Other VPN
    Encryption   : 3DES                   Hashing      : SHA1
    Bytes Tx     : 11667685               Bytes Rx     : 1604235
    Group Policy : REMOTE-NETEXTENSION    Tunnel Group : REMOTE-NETEXTENSION
    Login Time   : 08:19:12 EST Thu Feb 12 2015
    Duration     : 6h:53m:29s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    ASA-5510# show vpn-sessiondb l2l
    Session Type: LAN-to-LAN
    Connection   : *.*.56.250
    Index        : 6                      IP Addr      : *.*.56.250
    Protocol     : IKEv1 IPsec
    Encryption   : 3DES AES256            Hashing      : SHA1
    Bytes Tx     : 2931026707             Bytes Rx     : 256715895
    Login Time   : 02:02:41 EST Thu Feb 12 2015
    Duration     : 13h:10m:03s

    Hi Rico,
    You need to dynamic-NAT (to an available IP address) on both sides, for each remote subnet to access the other remote subnet, so they can access each other's subnet as if both were originating the traffic from your central location.
    Example:
    Let's say this IP (10.10.10.254) is an unused IP at the central office, permitted to access remote tunnel "A" and site "B".
    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination
    static SITE-B SITE-B
    nat (outside,outside) source dynamic SITE-B  10.10.10.254 destination
    static SITE-A SITE-A
    Hope this helps
    Thanks
    Rizwan Rafeek

  • SSH VPN Site to Site ?

    Is there any such thing as a SSH VPN Site to Site ?
    Also, if using IPSec 3Des, is there a way to tune the packet size for a Site to Site VPN? If there is, what are the recommendations?

    Calling it an SSH tunnel would be incorrect. However, if the requirement is that you should be able to ssh into the PIX firewalls from behind each other then all you need is allow the ssh from the outside interface of the other PIX. E.g. :
    PIX 1 outside IP : 1.1.1.1
    PIX 2 outside IP : 2.2.2.2
    On PIX1 : ssh 2.2.2.2 255.255.255.255 outside
    On PIX2 : ssh 1.1.1.1 255.255.255.255 outside
    I've given the commands assuming the name of the interface that connects to the internet is 'outside'. If I've not understood the requirement correctly, please explain it in detail.
    HTH,
    Please rate if it helps,
    Regards,
    Kamal

  • Poor Network Performance from VPN sites

    We are experiencing poor network performance when connecting from hardware VPN sites. VPN sites have the Cisco Hardware VPN Client 3002 which terminates on a Cisco 3005 VPN Concentrator. Getting upload/download speeds of 355/484 kbps from VPN to surewest.com. If I remove the VPN and connect the laptop directly to the DSL modem, speeds are 3 Mb up and 1 Mb down. Any ideas what could be causing this?

    Try this:
    Adjust the MTU and MSS size on the concentrator and client.
    Try these link for more info:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

  • IOS 2811 VPN Site-toSite

    Hi Netpro
    I need to find an IOS image with support for site-to-site VPN for 2800 series routers.
    Which feature do I have to look for in Feature Navigator?
    Regards

    You can go to Feature Navigator and look for IPSEC Network Security.
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    Regards,
    Arul
    ** Please rate all helpful posts **

  • VPN Site-To-Site

    I have 6 company sites that I would like to interconnect by VPN; two tunnels would be created, one for data and another for voice.
    I have some doubts regarding configuration, security, quality and availability.
    The infrastructure I have in mind is the following:
    The 6 sites are in different parts of the city, most with DSL connections; I thought of using DynDNS to identify them on the Internet. Each site will have a sequential IP range, the main network equipment will be standardized, and the cabling infrastructure is being redone.
    1 - RV042 centralizing the tunnels.
    5 - WRV210 connecting to the VPN concentrator.
    As this is the first time I am doing a project of this type, I ask for your guidance on how to proceed; any and all tips will be welcome.
    Thank you all for your attention.

    Hello Farnell,
    This is possible, no problem at all
    What you will need to do:
    Include the traffic in the No_Nat rules on all of the sites for this traffic
    Configure routes pointing to the other subnet via the Azure device.
    Include in the crypto map to the azure site the traffic from both subnets
    Afterwards my friend, you should be up and running!
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN... all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.

  • Vpn site to site isa 570 to asa 5505 multiple local lan

    Hello, I have configured a site-to-site VPN with an ASA 5505.
    Through the tunnel will pass the networks 172.x.x.x/16 and 192.168.x.x/24 from the local ISA to a single LAN 192.168.x.x/24 on the remote ASA.
    I have created a network address group and put the default_lan and the other LAN in it.
    In the tunnel configuration I have used this group address as the local LAN parameter.
    When the tunnel was up, in the routing table I saw the remote LAN on interface ipsec0, but I also saw the local LAN on interface ipsec0.
    Is this configuration not supported?
    Thanks, best regards

    Hello, thanks for the answer.
    The problem is that the second LAN is a statically routed LAN.
    The IP address of the ISA is 172.16.10.254/16 and the default_lan is 172.16.0.0/16.
    The second LAN is 202.1.1.0/24 and it is a static LAN on another gateway.
    When the site-to-site IPsec comes up, in the routing table I see three routes on interface ipsec0:
    the remote LAN, the default-lan (which is also on the default interface. Behaviour?) and a subnet LAN 172.16.10.0/24.
    If I ping from a LAN PC an IP in subnet 172.16.10.0/24, I see that the ARP reply is the MAC address of the ISA and I have a problem on the LAN. Is this normal?
    Best regards
