Solved

VPN

Posted on 2009-05-04
8
342 Views
Last Modified: 2012-05-06
i have a router 1841. i have configured it for site to site connection with an ASA 5510, the configuration is working perfectly. Next i configured the router for VPN remote connection and it worked but it stopped the site to site connection.

my problem was that i configured both with the same NAME of crypto map but with different sequences and different encryption too.

I changed the name of the crypto map for the site to site and it worked again but the VPN remote connection is not working.

Is there a solution for my problem, having one internet connection and one router???
0
Comment
Question by:outlaw17
  • 4
  • 4
8 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24294304
You need to use the same crypto map name but the key is the remote access VPN sequence number be higher than the site to site.  Good practice is to use 65535 for the remote access VPN sequence number.
0
 

Author Comment

by:outlaw17
ID: 24294426
here's the following config. The VPN sequence number is higher than the site to site and i used the 65535 for the remote access VPN

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpnkey address xxx.xxx.xxx.xx
!
crypto isakmp client configuration group VPN
 key vpnkey
 dns xxx.xxx.xxx.xx
 pool vpnpool
 acl vpn-split-tunnel
 netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set set-60 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set set-10 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set set-10
!
!
crypto map vpn client authentication list vpn-authentication
crypto map vpn isakmp authorization list vpn-authorization
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xx
 set transform-set set-60
 match address 170
crypto map vpn 65535 ipsec-isakmp dynamic dynmap
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24294523
Looks good.  Can you post access-list 170 and the vpn-split-tunnel access-list.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:outlaw17
ID: 24294732
ip access-list extended vpn-split-tunnel
 permit ip 195.125.1.0 0.0.0.255 195.125.10.0 0.0.0.255
!
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.50.0 0.0.0.255
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.51.0 0.0.0.255
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.52.0 0.0.0.255
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.53.0 0.0.0.255
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.54.0 0.0.0.255
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.55.0 0.0.0.255
access-list 170 permit ip 195.125.1.0 0.0.0.255 195.125.56.0 0.0.0.255

ip local pool vpnpool 195.125.10.1 195.125.10.15

these are not public, just private used inside the network
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24294869
Looks good also.   So with this config, what doesn't work?
0
 

Author Comment

by:outlaw17
ID: 24294901
with this config, the site to site stops from working. Maybe from this access-list???

access-list 180 deny   ip 195.125.1.0 0.0.0.255 195.125.10.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.50.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.51.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.52.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.53.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.54.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.55.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 195.125.56.0 0.0.0.255

ip nat inside source list 180 interface FastEthernet0/1 overload
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24294993
That's the problem, it should be this:

access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.10.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.50.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.51.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.52.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.53.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.54.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.55.0 0.0.0.255
access-list 180 deny ip 195.125.1.0 0.0.0.255 195.125.56.0 0.0.0.255
access-list 180 permit ip 195.125.1.0 0.0.0.255 any
0
 

Author Comment

by:outlaw17
ID: 24298855
hi JFrederick, i did what u told me but still didn't work. the problem was with the username and password. The site-to-site was not working coz of it. i created isakmp profile for site-to-site and vpn client so that the site-to-site wouldn't use the username and password and it worked very well. Thank you anyway.

0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco VPN client v5 migration to Anyconnect VPN? 8 52
VPN issue 2 66
OSPF - Convergence & Downtime 9 37
Windows 2012 R2 Anywhere Access and PCI compliance 5 33
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question