Solved

VPN how to connect Head office with 10 sites

Posted on 2010-11-20
984 Views
Last Modified: 2012-05-10
We have a central Cisco ASA 5505 and would like to connect 10 sites that have Linksys RV042s. Can somebody share a config? It's basically to access a database server located at the head office; the sites do not need to be able to browse the internet, they just need to do VPN and connect to the database. Can somebody help with configs, and is this a real possible solution?
Question by:skywalker7
24 Comments
 
Expert Comment

by:shubhanshu_jaiswal
ID: 34180682
For Linksys router VPN configuration you can go to the link below:

http://www.equinux.com/cms_components/us/products/vpntracker/media/files/HowTo_Linksys_RV042.pdf
 
Author Comment

by:skywalker7
ID: 34182156
Thanks for the suggestion, but I am looking for a VPN from a Cisco 5505 at the head office to RV042s at the branch offices.
 
Accepted Solution

by: Alan Huseyin Kayahan (earned 500 total points)
ID: 34188710
The following is a good source:
http://www.mattiasholm.com/node/15

You can ask about any step that you need help with.
 
Author Comment

by:skywalker7
ID: 34189036
Hello MrHusty,

Thanks for the link. I had actually found that link before but was not sure if that's the best way. Can you explain these steps to me a little bit? I have 10 Linksys RV042s to connect to the ASA 5505; the RVs do not need to intercommunicate, they just need to access the ASA 5505.

What are the IPs below? I want to test the scenario below locally before we deploy. Can you help me with the IPs below?

Add an IPSec rule
access-list outside_cryptomap_20 line 1 extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 0.0.0.0
crypto map outside_map 20 set transform-set ESP-3DES-MD5

Add access list
access-list inside_nat0_outbound line 4 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0
 
Expert Comment

by:Alan Huseyin Kayahan
ID: 34189219
As a matter of fact, EasyVPN is the best-practice solution for implementations with that many endpoints, but as far as I know the RV042 does not support it.
I am now making a drawing for you to understand better. I will post it soon.
 
Assisted Solution

by: Alan Huseyin Kayahan (earned 500 total points)
ID: 34190026
Here is a sample:
[attachment: sample.jpg]
 
Author Comment

by:skywalker7
ID: 34190287
Thanks a lot for the detailed explanation. I am going to try this and come back to you if all works or if something does not work! Thanks a lot for the time!
 
Author Comment

by:skywalker7
ID: 34200071
Hello,

I am trying to type the commands but I get the error below. Is there something I am missing?

ciscoasa(config)# crypto map outside_map 10 set transform-set ESP-3DES-MD5
ERROR: transform set with tag "ESP-3DES-MD5" does not exist.

You mentioned Easy VPN; what routers do you suggest that work with Easy VPN?

Thanks.
 
Author Comment

by:skywalker7
ID: 34200314
Sorry! I missed the default configs!
 
Author Comment

by:skywalker7
ID: 34200652
Tried all, but the RV does not connect. Where am I wrong? Can you please help?

aa.aa.aa.aa is the Cisco
bb.bb.bb.bb is the RV042

It just does not connect.

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aa.aa.aa.aa 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!            
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HQ_to_station1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 11.22.33.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 match address HQ_to_station1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer bb.bb.bb.bb
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
             
group-policy RV042 internal
group-policy RV042 attributes
 vpn-tunnel-protocol IPSec
 pfs enable
tunnel-group bb.bb.bb.bb type ipsec-l2l
tunnel-group bb.bb.bb.bb general-attributes
 default-group-policy RV042
tunnel-group bb.bb.bb.bb ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
!
prompt hostname context
: end
 
Expert Comment

by:Alan Huseyin Kayahan
ID: 34213705
skywalker,
   Issue the commands "debug crypto isakmp" and "debug crypto ipsec", try to initiate tunnel traffic, then paste the output here.
 
Author Comment

by:skywalker7
ID: 34213787
I am trying to redo this with 5 RV042 routers, but when I paste the below, it says duplicate names. If I change the names, then what happens to the command at the end?

access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Thanks for the help and time.
 
Author Comment

by:skywalker7
ID: 34213840
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Can't find a valid tunnel group, aborting...!
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Removing peer from peer table failed, no match!
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Error: Unable to remove PeerTblEntry
Nov 25 10:14:40 [IKEv1]: IP = 10.100.100.2, Header invalid, missing SA payload! (next payload = 4)
Nov 25 10:15:00 [IKEv1]: IP = 10.100.100.2, Header invalid, missing SA payload! (next payload = 4)
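An added example, not from this thread or from Cisco: a small Python triage script that reads "debug crypto isakmp" lines of the shape posted above and cross-checks the initiating peer's IP against the tunnel-group and crypto map peer names in the running config. For an IKEv1 site-to-site peer the ASA looks up the tunnel-group by the peer's IP address, so "Can't find a valid tunnel group" means no tunnel-group carries that exact name (and nothing usable was found in DefaultL2LGroup). The script reports the offending peer and the closest configured name, which is how a typo in a tunnel-group or peer address surfaces. The debug lines are the ones from the post above; the config fragment naming 10.100.100.20 is constructed for illustration only.

```python
"""Triage IKEv1 'Can't find a valid tunnel group' failures against ASA config.

Added example for this thread; not code from the thread or from Cisco.
The debug lines are the ones posted above; the config fragment is constructed.
"""
import difflib
import re

# Debug output as posted in the thread
SAMPLE_DEBUG = """\
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Can't find a valid tunnel group, aborting...!
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Removing peer from peer table failed, no match!
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Error: Unable to remove PeerTblEntry
Nov 25 10:14:40 [IKEv1]: IP = 10.100.100.2, Header invalid, missing SA payload! (next payload = 4)
"""

# Constructed running-config fragment: the operator typed 10.100.100.20
# where the RV042 actually sits at 10.100.100.2 (assumption for the demo)
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address HQ_to_station1
crypto map outside_map 10 set peer 10.100.100.20
tunnel-group 10.100.100.20 type ipsec-l2l
tunnel-group 10.100.100.20 ipsec-attributes
 pre-shared-key *
"""

# "[IKEv1]: Group = <g>, IP = <ip>, <message>"; the Group part is optional
IKE_RE = re.compile(
    r"\[IKEv1\]: (?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)"
)
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l", re.M)
CRYPTO_PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)", re.M)


def parse_debug(text):
    """Return one dict (group, ip, msg) per IKEv1 debug line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IKE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def parse_config(text):
    """Collect the L2L tunnel-group names and crypto map peer addresses."""
    return {
        "tunnel_groups": set(TUNNEL_GROUP_RE.findall(text)),
        "peers": set(CRYPTO_PEER_RE.findall(text)),
    }


def diagnose(debug_text, config_text):
    """Map tunnel-group lookup failures to the config lines that should match them."""
    events = parse_debug(debug_text)
    cfg = parse_config(config_text)
    known = sorted(cfg["tunnel_groups"] | cfg["peers"])
    findings = []
    failed = {e["ip"] for e in events if "Can't find a valid tunnel group" in e["msg"]}
    for ip in sorted(failed):
        if ip in cfg["tunnel_groups"]:
            continue  # name exists; the failure is elsewhere (e.g. PSK, policy)
        close = difflib.get_close_matches(ip, known, n=1, cutoff=0.6)
        findings.append({
            "peer": ip,
            "problem": "no tunnel-group named after this peer IP",
            "closest": close[0] if close else None,
        })
    # A peer referenced by a crypto map entry but lacking a tunnel-group fails the same way
    for peer in sorted(cfg["peers"] - cfg["tunnel_groups"]):
        findings.append({"peer": peer,
                         "problem": "crypto map peer has no matching tunnel-group",
                         "closest": None})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(f"peer {f['peer']}: {f['problem']}; closest configured name: {f['closest']}")
```

Run it after "debug crypto isakmp" has captured a failed attempt and paste the relevant part of "show running-config" into SAMPLE_CONFIG (or read both from files); a finding whose closest name differs from the peer by a digit or two is almost always a typo in the tunnel-group or set peer line.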
 
Author Comment

by:skywalker7
ID: 34214003
I figured out the problem, a stupid typo!

One more question: I have 2 sites having the same config,
1 ASA and 5 RV042
1 ASA and 5 RV042

Can the ASA and ASA communicate? Have a secure VPN between each other?
 
Expert Comment

by:Alan Huseyin Kayahan
ID: 34214800
If you want, yes, they can communicate.
 
Author Comment

by:skywalker7
ID: 34215318
Can you help me with the config? At some point we will need both head offices to communicate; it's for the master/slave database.

Thanks a lot for the help.
 
Expert Comment

by:Alan Huseyin Kayahan
ID: 34227545
Skywalker,
  The configuration is the same as above. Add the remote site in the ASA as if it were a Linksys. And do the same configuration at the other ASA, only changing the peer ID and writing the interesting-traffic and NAT ACLs in reverse.
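An added example, not from this thread or from Cisco, that turns the pattern of the ASA 7.2 config posted above into a generator for any number of peers: one NAT-exemption ACL with one entry per remote LAN, a separate interesting-traffic ACL and crypto map sequence number per peer, and a tunnel-group named after each peer's IP. Running the same function from the second ASA's point of view, with its own LAN as local and the first ASA as the single remote site, produces the mirrored ("reverse") interesting-traffic and NAT-exempt ACLs asked about above. It also covers the "duplicate" error from the five identical ACL lines pasted earlier: five spokes that all claim 192.168.100.0/24 cannot be told apart, so the generator refuses a remote LAN or peer that appears twice. Site names, addresses and the PSK placeholders are assumptions; the ESP-3DES-MD5 transform set is kept from the thread, and AES/SHA should be used where both ends support it.

```python
"""Hub-side ASA (7.2-style crypto map) config generator for many IPsec L2L spokes.

Added example for this thread; not code from the thread or from Cisco.
Site names, addresses and the PSK placeholders are assumptions: replace them.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Site:
    name: str      # label used only to build ACL names
    peer_ip: str   # public IP of the remote endpoint (RV042 WAN or other ASA outside)
    lan: str       # remote LAN network address
    mask: str      # remote LAN subnet mask


# Transform set used in the thread; prefer AES/SHA where both ends support it
TRANSFORM_SET = "ESP-3DES-MD5"


def acl(name, src, src_mask, dst, dst_mask):
    return f"access-list {name} extended permit ip {src} {src_mask} {dst} {dst_mask}"


def validate(sites: List[Site], local_lan: str) -> None:
    """Reject site lists the ASA would see as duplicates or could not route.

    Each spoke needs its own peer IP and its own remote subnet; identical
    ACL entries for different sites are exactly the 'duplicate' error above.
    """
    peers, lans = set(), set()
    for s in sites:
        if s.peer_ip in peers:
            raise ValueError(f"peer {s.peer_ip} listed twice")
        if s.lan == local_lan or s.lan in lans:
            raise ValueError(f"remote LAN {s.lan} reused; each site needs a unique subnet")
        peers.add(s.peer_ip)
        lans.add(s.lan)


def hub_config(sites: List[Site], local_lan="192.168.1.0", local_mask="255.255.255.0",
               crypto_map="outside_map", nat0_acl="inside_nat0_outbound",
               first_seq=10, seq_step=10) -> List[str]:
    """Return the ASA config lines that bring up an L2L tunnel to every site.

    Call it from the other ASA's point of view (its LAN as local_lan, the first
    ASA as the one Site) to get the mirrored interesting-traffic and NAT ACLs.
    """
    validate(sites, local_lan)
    lines = []
    # NAT exemption: a single ACL, one entry per remote LAN, applied once with nat 0
    for s in sites:
        lines.append(acl(nat0_acl, local_lan, local_mask, s.lan, s.mask))
    lines.append(f"nat (inside) 0 access-list {nat0_acl}")
    # One crypto map entry per peer: unique sequence number, its own match ACL
    for i, s in enumerate(sites):
        seq = first_seq + i * seq_step
        match_acl = f"HQ_to_{s.name}"
        lines.append(acl(match_acl, local_lan, local_mask, s.lan, s.mask))
        lines += [
            f"crypto map {crypto_map} {seq} match address {match_acl}",
            f"crypto map {crypto_map} {seq} set pfs",
            f"crypto map {crypto_map} {seq} set peer {s.peer_ip}",
            f"crypto map {crypto_map} {seq} set transform-set {TRANSFORM_SET}",
        ]
    lines.append(f"crypto map {crypto_map} interface outside")
    # IKEv1 L2L: the tunnel-group name must be the peer's IP, one per peer
    for s in sites:
        lines += [
            f"tunnel-group {s.peer_ip} type ipsec-l2l",
            f"tunnel-group {s.peer_ip} ipsec-attributes",
            f" pre-shared-key <{s.name}-psk>",  # placeholder: a unique strong key per site
        ]
    return lines


if __name__ == "__main__":
    # Constructed sample: two RV042 spokes plus the second head-office ASA
    spokes = [
        Site("station1", "198.51.100.11", "192.168.2.0", "255.255.255.0"),
        Site("station2", "198.51.100.12", "192.168.3.0", "255.255.255.0"),
        Site("HQ2", "203.0.113.2", "192.168.10.0", "255.255.255.0"),
    ]
    print("\n".join(hub_config(spokes)))
    print("! --- mirrored config to paste on HQ2 ---")
    hq1 = Site("HQ1", "203.0.113.1", "192.168.1.0", "255.255.255.0")
    print("\n".join(hub_config([hq1], local_lan="192.168.10.0")))
```

The generated lines assume the transform set, isakmp policy and the `crypto map outside_map interface outside` binding already exist as in the config posted earlier in the thread (re-issuing the binding is harmless). Each tunnel-group gets its own pre-shared key so that one compromised branch router cannot impersonate another site to the hub.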
 
Author Comment

by:skywalker7
ID: 34246068
MrHusty,

Can you help me with writing the interesting traffic and the reverse NAT ACL? I have tried but the boxes do not talk to each other.
 
Author Comment

by:skywalker7
ID: 34383879
Mr Husty,

Will the above VPN allow all services, like RDP and other database services, or do I need to specify them in the Cisco?

Thanks,
 
Expert Comment

by:Alan Huseyin Kayahan
ID: 34385316
Oh, I thought this question was finalized. No, you don't have to specify them in the Cisco; they are permitted by default.
 
Author Comment

by:skywalker7
ID: 34403116
I am just stuck with the two Ciscos not talking to each other. Can you help with just this one?
 
Expert Comment

by:Alan Huseyin Kayahan
ID: 34426580
I believe this is a separate question from the initial one; you have to open up another question.
 
Expert Comment

by:Qlemo
ID: 34869532
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.