


site-to-site VPN

I have this schema:

        CompanyA           CompanyB            CompanyC
inIP:   192.168.2.0        192.168.1.0         192.168.10.0
exIP:   aaa.bbb.107.96     xxx.yyy.97.34/28    aaa.bbb.97.50/29

I need to configure site-to-site VPN. The one between CompanyB and
CompanyC is working fine, but I can't get the site-to-site VPN between
CompanyA and CompanyB working. Every site also has a VPN configured for
remote users, which is working fine.

I spent lots of time researching what's wrong but I can't figure it out.

If someone has some time to review my configs I'll appreciate the help.

I'll also be glad if you give me some advice on how to troubleshoot this.


Thanks,


CompanyB:
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyC permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list out_in permit tcp any host xxx.yyy.97.35 eq smtp
access-list out_in permit tcp any host xxx.yyy.97.35 eq www
access-list out_in permit tcp any host xxx.yyy.97.35 eq https
access-list out_in permit tcp any host xxx.yyy.97.35 eq domain
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.6.210-192.168.6.220
pdm history enable
arp timeout 14400
global (outside) 1 xxx.yyy.97.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.97.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address CompanyC
crypto map newmap 20 set peer xxx.yyy.97.50
crypto map newmap 20 set transform-set myset
crypto map newmap 25 ipsec-isakmp
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 25 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
vpngroup CHerndon address-pool clientpool
vpngroup CHerndon dns-server 192.168.1.10
vpngroup CHerndon wins-server 192.168.1.10
vpngroup CHerndon default-domain CompanyB.com
vpngroup CHerndon split-tunnel bypassingnat
vpngroup CHerndon idle-time 1800
vpngroup CHerndon password ********


CompanyA:
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list out_inside permit tcp any host aaa.bbb.107.99 eq www
access-list out_inside permit tcp any host aaa.bbb.107.99 eq 443
access-list out_inside permit tcp any host aaa.bbb.107.99 eq domain
access-list out_inside permit tcp any host aaa.bbb.107.99 eq smtp
access-list in_out permit tcp host 192.168.2.11 any eq smtp
access-list in_out deny tcp any any eq smtp
access-list in_out permit ip any any
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.1.1.10-10.1.1.36
pdm history enable
arp timeout 14400
global (outside) 1 aaa.bbb.107.103 netmask 255.255.255.0
nat (inside) 0 access-list bypassingnat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group out_inside in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.104.1 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map vpngroup client authentication TACACS+
isakmp enable outside
isakmp key ******** address  xxx.yyy.97.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup svinzant address-pool clientpool
vpngroup svinzant dns-server 192.168.2.10
vpngroup svinzant wins-server 192.168.2.10
vpngroup svinzant default-domain companyA.com
vpngroup svinzant split-tunnel vpnacl
vpngroup svinzant idle-time 1800
vpngroup svinzant password ********


CompanyC:
access-list acl_outside permit icmp any any echo-reply
access-list acl_inside permit ip any any
access-list 101 permit ip 192.168.11.0 255.255.255.0 10.10.8.16 255.255.255.240
access-list 103 permit ip 192.168.10.0 255.255.255.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.16 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CompanyB permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside xxx.yyy.97.50 255.255.255.248
ip address inside 10.10.8.1 255.255.255.0
ip local pool eespool 10.10.8.17-10.10.8.30
ip local pool localpool 10.10.8.33-10.10.8.46
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) xxx.yyy.97.53 192.168.10.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
route inside 192.168.10.0 255.255.255.0 10.10.8.2 1
route inside 192.168.11.0 255.255.255.0 10.10.8.2 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set des
crypto map partner-map 15 ipsec-isakmp
crypto map partner-map 15 match address CompanyB
crypto map partner-map 15 set peer xxx.yyy.97.34
crypto map partner-map 15 set transform-set myset
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup eeshome address-pool eespool
vpngroup eeshome dns-server 12.127.16.68
vpngroup eeshome wins-server 192.168.10.20
vpngroup eeshome default-domain CompanyB.com
vpngroup eeshome split-tunnel 101
vpngroup eeshome idle-time 1800 
vpngroup eeshome password ********

1/12/2007 3:10:10 AM
comp.dcom.sys.cisco

You may wish to investigate the Cisco Site-to-Site VPN Config Wizard:

http://www.ifm.net.nz/cookbooks/501gui/

Sincerely,

Brad Reese
http://www.BradReese.Com

www
1/12/2007 4:00:53 AM
I also tried:

isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255 no-xauth no-config-mode

but it doesn't work either.

Exclusive
1/12/2007 2:56:15 PM
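
A static cross-check of the CompanyB and CompanyA configs posted at the top of the thread, as an added example that is not part of any post: it pairs the two crypto map entries by peer address and compares the pieces that have to agree on both ends. The function names `parse` and `check_tunnel` are hypothetical, NAT-exemption coverage is tested by exact ACL entry match only, and ISAKMP lifetimes are reported without drawing a verdict from them.

```python
# Site-to-site lines copied from the CompanyB and CompanyA configs in the post
# (wrapped lines joined; remote-user VPN and unrelated lines left out).
COMPANY_B = """\
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
nat (inside) 0 access-list bypassingnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 25 set transform-set myset
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
"""

COMPANY_A = """\
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
nat (inside) 0 access-list bypassingnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 10 set transform-set myset
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""


def parse(cfg):
    """Pull the site-to-site pieces out of a PIX 6.x style config (hypothetical helper)."""
    d = {"acl": {}, "tset": {}, "map": {}, "pol": {}, "keys": set(),
         "nat0": None, "outside": None}
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            d["acl"].setdefault(w[1], set()).add(tuple(w[4:8]))  # (src, mask, dst, mask)
        elif w[:3] == ["ip", "address", "outside"]:
            d["outside"] = w[3]
        elif w[:3] == ["nat", "(inside)", "0"]:
            d["nat0"] = w[-1]                                    # NAT-exemption ACL name
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tset"][w[3]] = set(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) == 7 and w[4] in ("match", "set"):
            d["map"].setdefault(w[3], {})[w[5]] = w[6]           # address / peer / transform-set
        elif w[:2] == ["isakmp", "key"]:
            d["keys"].add(w[w.index("address") + 1])
        elif w[:2] == ["isakmp", "policy"]:
            d["pol"].setdefault(w[2], {})[w[3]] = w[4]
    return d


def check_tunnel(local, remote):
    """Compare local's crypto map entry for `remote` with remote's entry for `local`."""
    def entry(a, b):  # crypto map entry on a whose peer is b's outside address
        return next((e for e in a["map"].values() if e.get("peer") == b["outside"]), None)

    def proposal(p):  # the four IKE attributes that must be identical on both peers
        return tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))

    l_e, r_e = entry(local, remote), entry(remote, local)
    if not l_e or not r_e:
        return {"peer_entries": False}
    l_acl, r_acl = local["acl"][l_e["address"]], remote["acl"][r_e["address"]]
    shared = [(lp, rp) for lp in local["pol"].values() for rp in remote["pol"].values()
              if proposal(lp) == proposal(rp)]
    return {
        "peer_entries": True,
        "keys_defined": remote["outside"] in local["keys"] and local["outside"] in remote["keys"],
        "acl_mirrored": {(d, dm, s, sm) for s, sm, d, dm in l_acl} == r_acl,
        # Assumption: the nat 0 ACL must list the crypto ACL entries verbatim.
        "nat0_covers": all(acl <= side["acl"].get(side["nat0"], set())
                           for side, acl in ((local, l_acl), (remote, r_acl))),
        "transforms_match": local["tset"][l_e["transform-set"]] == remote["tset"][r_e["transform-set"]],
        "shared_policies": [proposal(lp) for lp, _ in shared],
        # Lifetimes are reported for review only; no verdict is drawn from them.
        "lifetimes": [(lp.get("lifetime"), rp.get("lifetime")) for lp, rp in shared],
    }
```

Run as `check_tunnel(parse(COMPANY_B), parse(COMPANY_A))`, every boolean check passes on the configs as posted; the one difference it surfaces is the lifetime of the shared ISAKMP policy (14400 on CompanyB, 86400 on CompanyA).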