Vpn tunnels and Nat on Cisco soho 91 routers ??

Is it possible to create the following, using the soho 91 routers:
Router A (192.168.1.0) network
E0 192.168.1.250
E1 external ip (world ip)
Router B (192.168.99.0) network
E0 192.168.99.1
E1 external ip (world ip)
Router C (192.168.103.0) network
E0 192.168.103.1
E1 external ip (world ip)
tunnel1 = from Router A to Router B
tunnel2 = from Router A to Router C
on Router A
ip route 192.168.2.0 255.255.255.0 192.168.1.2
ip route 192.168.3.0 255.255.255.0 192.168.1.3
ip route 192.168.4.0 255.255.255.0 192.168.1.4
ip route 192.168.99.0 255.255.255.0 to-tunnel1
ip route 192.168.103.0 255.255.255.0 to-tunnel2
ip route nat (everything thing else)
on Router B
ip route 192.168.1.0 255.255.255.0 to-tunnel1
ip route 192.168.103.0 255.255.255.0 to-tunnel1
ip route nat (everything else)
on Router C
ip route 192.168.1.0 255.255.255.0 to-tunnel2
ip route 192.168.103.0 255.255.255.0 to-tunnel2
ip route nat (everything else)
Thanks.
Wayne

I assume you are using GRE tunnel and not IPSec. If GRE tunnel, the configuration looks OK except for Router C. The "ip route 192.168.103.0 255.255.255.0 to-tunnel2" should be "ip route 192.168.99.0 255.255.255.0 tunnel2 " pointing to the network connected to Router B. Also the correct command should not have "to-tunnel1", it is simply "tunnel1"

Similar Messages

ASA 5505 site-to-site VPN tunnel and client VPN sessions

Hello all
I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z). His satellite office will have a single PC sitting behind the ASA. In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
The first question I have is about the ASA 5505 and the various licensing options. I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A. Would someone please confirm or deny that for me?
Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules? Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
Thanks in advance for any assistance provided!

First question:
Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
Second question:
Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
Last question:
This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
Here is what needs to be configured:
1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
2) On site A configures: same-security-traffic permit intra-interface
3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
On Site Z:
access-list permit ip
On Site A:
access-list permit ip
4) NAT exemption on site Z needs to include vpn client pool subnet as well.
Hope that helps.
Message was edited by: Jennifer Halim

SSL VPN Tunnel and Windows 7

Hi
I have a SA520W with firmware 2.1.18 and are having huge trouble getting windows 7 clients to connect using the SSL VPN Tunnel in Split mode. I've tested the registered users using an XP machine, and they are able to log in just fine and I can ping servers on the inside of the network. On windows 7, however, the VPN tunnel is created, but no IP trafic flows over the virtual network adapter and I'm not able to ping resources on the inside of the network. For the XP clients, the SSL VPN tunnel works like a charm, but not not 7.
Are there any consideration to be taken on windows 7 to enable trafic over the SSL VPN virtual network adapter?
Windows firewall?
SSL service?

Hi skcisco11,
You can alternatively use Cisco VPN Client if your SA520 has firmware version 2.1.18 and above. Here is a document how to set it up:
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_vpnclient_appnote.pdf
Alternatively, please use the following document on how to setup SSL VPN. If you are using a local database on the SA520 to authenticate users,, then ignore the references to Active Directory.
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/active_directory.pdf
Hope this helps,
Julio

Configuring New Interface and NAT on Cisco 1900 Series Router.

Hello Cisco Team,
am asking for advise on how to how setup NAT rules and overload on my 2nd interface on my cisco 1900 series router,am not sure where am getting it wrong.
my router has 2 interface, interface one has IP address 10.5.5.5X and plugs into my ASA firwall and into my switch and works just fine.
i have just configured my second Interface with a new IP 172.16.0.X- i want to NAT my new IP address to our public IP address which is 41.77.X.X
my configuration so far are as follows.
GigabitEthernet0/0 172.16.0.X YES manual up up - Not working
GigabitEthernet0/1 10.5.5.X YES NVRAM up up- this works fine
GigabitEthernet0/0/0 41.77.X.X YES NVRAM up up

Hello Jon,
Thanks for your feedback, my router configuration are as follows.
interface GigabitEthernet0/0
description WL2504
ip address 172.16.0.2 255.255.254.0
duplex auto
speed auto
interface GigabitEthernet0/1
description WAN
ip address 10.55.55.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/0/0
description LINK TO CLT INTERNET
ip address 41.X.X.130 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type sfp
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 41.X.X.129
ip route 41.X.X.136 255.255.255.248 10.55.55.1
ip route 192.168.0.0 255.255.255.0 10.55.55.1
access-list 1 permit 10.55.55.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
from the router interface  interface GigabitEthernet0/0- I will connect it to my wireless Controller WL 2504

How to copy configuration files to and from the cisco ios routers that use SNMP

Hello,
I went on the page : https://supportforums.cisco.com/docs/DOC-1860
You explain how to get a config file and send it to a tftp server or oppositely.
I face this problem:
id090365:~> snmpset -v2c -c communitystring hostipaddress .1.3.6.1.4.1.9.9.96.1.1.1.1.2.98 i 1
Error in packet.
Reason: noCreation (That table does not support row creation or that object can not ever be created)
Failed object: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.98
Do you have any idea?
Thanks,
Olivier

I hadn't seen any snmp guides using snmpv3 and scp as transport protocol. For those looking to implement, here is what worked for me.
As with the other snmp config copy guides you will need to download the respective MIBS and load them in the snmp.conf file.
This post will specifically cover the snmpset commands for a v3 setup.
SNMP Environment:
Name        : net-snmp
Version     : 5.7.2
Release     : 17.fc20
snmp conf file in ~/.snmp/snmp.conf
   contains
defSecurityName XXX <- replace with v3 username
defContext ""
defAuthType SHA
defPrivType AES
defSecurityLevel authPriv
defAuthPassphrase ***** <-replace with authentication pass
defPrivPassphrase ***** <-replace with encryption pass
defVersion 3
showMibErrors no
mibs ALL
I would verify basic snmpv3 functionality with a snmpwalk of something simple like sysUpTime. When that's good proceed to the CONFIG-COPY snmp commands.
This is my bash script that does the entire copy asking only for a single argument of IP/Hostname of the device being backed up. The 2>/dev/null shown in the script or at the cli below redirects STDERR to null to avoid the MIB modules parsing errors.
#!/usr/bin/bash
DEVICE=$1
RANNUM=42
USER=******
PASS=******
SERVER=X.X.X.X
DATE=$(date +"%m_%d_%y")
snmpset $DEVICE ccCopyProtocol.$RANNUM i 4 ccCopySourceFileType.$RANNUM i 4 ccCopyDestFileType.$RANNUM i 1 ccCopyServerAddress.$RANNUM a "$SERVER" ccCopyFileName.$RANNUM s "$DEVICE.$DATE" ccCopyUserName.$RANNUM s $USER ccCopyUserPassword.$RANNUM s $PASS ccCopyEntryRowStatus.$RANNUM i 4 2>/dev/null
Once run you can check the status of the copy with the following command.
[root@localhost hlsb]# snmpwalk sbs-tech-switch ciscoConfigCopyMIB 2>/dev/null
CISCO-CONFIG-COPY-MIB::ccCopyProtocol.42 = INTEGER: scp(4)
CISCO-CONFIG-COPY-MIB::ccCopySourceFileType.42 = INTEGER: runningConfig(4)
CISCO-CONFIG-COPY-MIB::ccCopyDestFileType.42 = INTEGER: networkFile(1)
CISCO-CONFIG-COPY-MIB::ccCopyServerAddress.42 = IpAddress: 10.10.10.193
CISCO-CONFIG-COPY-MIB::ccCopyFileName.42 = STRING: sbs-tech-switch.07_09_14
CISCO-CONFIG-COPY-MIB::ccCopyUserName.42 = STRING: XXXX
CISCO-CONFIG-COPY-MIB::ccCopyUserPassword.42 = STRING: XXXX
CISCO-CONFIG-COPY-MIB::ccCopyNotificationOnCompletion.42 = INTEGER: false(2)
CISCO-CONFIG-COPY-MIB::ccCopyState.42 = INTEGER: successful(3)
CISCO-CONFIG-COPY-MIB::ccCopyTimeStarted.42 = Timeticks: (52270199) 6 days, 1:11:41.99
CISCO-CONFIG-COPY-MIB::ccCopyTimeCompleted.42 = Timeticks: (52270339) 6 days, 1:11:43.39
CISCO-CONFIG-COPY-MIB::ccCopyEntryRowStatus.42 = INTEGER: active(1)
CISCO-CONFIG-COPY-MIB::ccCopyServerAddressType.42 = INTEGER: ipv4(1)
CISCO-CONFIG-COPY-MIB::ccCopyServerAddressRev1.42 = STRING: "10.10.10.193"
After the successful copy completes the entry will exist for five minutes allowing for no further requests to be made with that particular random number. To send another request prior to the five minute clearing of the table send a "destroy" snmpset to clear the entry.
[root@localhost hlse]# snmpset sbs-tech-switch CISCO-CONFIG-COPY-MIB::ccCopyEntryRowStatus.42 i 6 2>/dev/null
CISCO-CONFIG-COPY-MIB::ccCopyEntryRowStatus.42 = INTEGER: destroy(6)
Hope this will save some time for those looking to implement a more secure snmp config copy setup.
V/R
Cody Hartley

Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

Hi,
i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
it happens when there is no TRAFIC on, i suspect.
in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
Any idea?
Thanks,
Daniel

What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

SNMP Monitor PIX throught VPN tunnel

I have two Cisco PIX 515e firewalls configured in fail-over. The primary PIX has private address 192.168.1.5 and the secondary PIX (standby) has a private address 192.168.1.6. The PIX firewalls are running IOS 6.3.3. I'm connecting to the PIX firewalls through a VPN tunnel (PIXes terminate VPN tunnel) and my monitoring system uses SNMP to monitor devices behind the PIX firewalls and the primary PIX private IP address. I would also like to monitor the standby IP address 192.168.1.6 from the tunnel and have been unsuccessful thus far. I can do this from behind the PIX, but not through the tunnel (only the primary PIX).
Is there a way I can SNMP monitor (and PING) the IP address of the standby PIX through the VPN tunnel?
Please send email to [email protected]
Thank you,
frank

Paul,
Thank you for your email. Yes, we currently use this command to monitor the active private IP of the active PIX firewall through the VPN tunnel. What I would like to be able to monitor is the private IP address of the standby PIX firewall (has a different IP address while in standby mode) would like to make sure that it too is up and running (I can do this today for other PIX firewalls from the inside, but not through the tunnel.
Best regards,
Frank Pikelner
Hi Frank,
Dont think you are going to get that to work due to the routing issues. Sending syslog messages to the snmp server is the only way Ive done it in the past. Have you given this a try?
http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1052111
http://cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide09186a00800896ac.html
I hope this is of some help.
Cheers,
Paul.

Which packets go through the VPN tunnel

Guys,
I've just added a external server ip address to go through our vpn tunnel and then out the remote site internet connection.
How can I check that this is the path the packet is taking?
If I do a tracert then I can't see the path?
Thanks

Well, you could either monitor your logs on your VPN device (whatever that may be - not specified), as long as you have the appropriate logging level.
For a traceroute, assuming there's a routing device on the other end of the tunnel you would traverse, you should be able to see the last hop on your end being your VPN device, and then the router or the destination host, as the next hop (and that would indicate you're 'in' the tunnel).
A third option, and more challenging, is having a packet sniffer that knows the PSK, or has the ability to decrypt the session, and analyze the traffic from Wireshark or another packet analysis tool.
HTH!
-Chris

VPN s2s tunnel after PAT and NAT on non-cisco

hello!
I have cisco 1711. on LAN there is ZYXEL firewall. I have tried to establish s2s tunnel betwenn this LAN zyxel and other Zyxel on the other side with WAN.
cisco:
interface Serial0
description Polaczenie do Internetu$FW_OUTSIDE$
bandwidth 2048
ip address 80.50.92.xxx 255.255.255.252
ip nat pool PAT 213.77.105.248 213.77.105.252 prefix-length 29
ip nat inside source static 192.168.0.199 213.77.105.xxx extendable
ZYXEL is LAN 192.168.0.199 and NATed to 213.77.105.xxx
my qestion is:
is there posibility to establish s2s tunnel with host that in LAN has NATed to WAN address as above?

So you're saying that your configuration is :
Zyxel (LAN ) -> 1711 -> Zyxel (WAN ) and you want to establish a l2l VPN tunnel between the LAN and WAN Zyxel firewalls and you're NATting the LAN Zyxel firewall to a WAN address?
If yes, then your answer is : Yes you can do a VPN but using NAT-Traversal. It's a technology where the IKE ports of the initiator and the responder are changed from their default value of 500 to 4500 in order to support NAT devices working in-between the VPN. If your Zyxel firewall supports NAT-T then there's a good chance this will work

Cisco ASA Site to Site IPSEC VPN and NAT question

Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.

Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni

HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

we are connecting Cisco 887VA router with various other Non-Cisco routers.
VPN tunnels are up and we can ping devices on the remote network through the VPN.
However, we have a few devices (on the Cisco lan) that provide a web interface (NAS etc) and these are not accessible over the VPN, the connection seems to just hang like its waiting for a response but it never gets one and eventually the browser times out.
Strangely, if I request a page that does not exist from the NAS (eg. http://192.168.3.x/test) I will receive a 404 error so it is kind of working.
Similar problems with SMB, if I access \\192.168.3.x I can list the content (4 items) but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
I have tried adjusting MTU and MSS with no change.
Any ideas cause I'm running out of hair
My config is attached, it is most likely a mess as this is my first Cisco device so please go easy

Hi,
i can get you a example VPN config (Cisco 1841) that works:
//192.168.49.0 INSIDE IP | 192.168.0.0/16 and 172.20.0.0/24 RemoteSite IP
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
crypto map B2B 10 ipsec-isakmp
description b2b-fw
set peer PEERWANIP
set security-association lifetime seconds 86400
set transform-set SETNAME
match address 102
interface FastEthernet0/0
description wan_primary
crypto map B2B
ip nat outside
interface FastEthernet0/1
ip nat inside
route-map nonat permit 10
match ip address 150
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Regards
Markus

Site-Site VPN PIX501 and CISCO Router

Hello Experts,
I'm having a test lab at home, I configure a site-to-site vpn using Cisco PIX501 and CISCO2691 router, for the configurations i just some links on the internet because my background on VPN configuration is not too well, for the routers configuration i follow this link:
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
and for the pIX configuration I just use the VPN wizard of pix. Done all the confgurations but ping is unsuccessful. Hope you can help me with this, don't know what needs to be done here (Troubleshooting).
Attached here is my router's configuration, topology as well as the pix configuration. Hope you can help me w/ this. Thanks in advance.

YES! IT FINALLY WORKS NOW! Here's the updated running-config
: Saved
PIX Version 7.2(2)
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R9
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa session-id common
resource policy
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name aida.com
ip ssh version 2
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
end

Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

Hi Community.
I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
What do you think?

Hi,
Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
- Jouni

How to configure full tunnel with VPN client and router?

I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

I think it is possible. Following links may help you
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Configure a VPN client and Site to Site VPN tunnel

Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
SiteA config with working VPN tunnel to SiteB:
SITE A
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.x.x.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#
Lines I add for Cisco VPN clients is attached
I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
Anyone any ideas what this can be?
Thanks

Heres my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.255.255.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
ip local pool pix_inside 200.x.x.100-200.220.200.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.x.x.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 match address 80
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup Remote address-pool pix_inside
vpngroup Remote dns-server 200.200.200.20
vpngroup Remote wins-server 200.200.200.20
vpngroup Remote default-domain mycorp.co.uk
vpngroup Remote idle-time 1800
vpngroup Remote password password
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
I will attach debug output later today.
Thanks

Vpn tunnels and Nat on Cisco soho 91 routers ??

Similar Messages

Maybe you are looking for