skywalker7
VPN how to connect Head office with 10 sites

We have a central Cisco ASA5505 and would like to connect 10 sites that have Linksys RV042s. Can somebody share a config? It's basically to access a database server which is located at the head office; the sites do not need to be able to browse the internet, they just need to do VPN and connect to the database. Can somebody help with the configs, and say if this is really a possible solution?
shubhanshu_jaiswal

For Linksys router VPN configuration, you can go to the link mentioned below:

http://www.equinux.com/cms_components/us/products/vpntracker/media/files/HowTo_Linksys_RV042.pdf
skywalker7 (ASKER)
Thanks for the suggestion, but I am looking for a VPN from a Cisco 5505 at the head office to RV042s at the branch offices.
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan
Hello MrHusty,

Thanks for the link. I had actually found that link before but was not sure if that's the best way. Can you explain these steps to me a little bit? I have 10 Linksys RV042s to connect to the ASA-5505; the RVs do not need to intercommunicate, they just need to access the ASA-5505.

What are the IPs below? I want to test the scenario below locally before we deploy. Can you help me with the IPs below?

Add an IPSec rule
access-list outside_cryptomap_20 line 1 extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 0.0.0.0
crypto map outside_map 20 set transform-set ESP-3DES-MD5

Add access list
access-list inside_nat0_outbound line 4 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
As a matter of fact, EasyVPN is the best-practice solution for implementations with that many endpoints, but as far as I know the RV042 does not support it.
I am now making a drawing for you to understand better. I will post it soon.
SOLUTION
Thanks a lot for the detailed explanation. I am going to try this and come back to you if all works or if something does not work!! Thanks a lot for the time!!
Hello,

I am trying to type the commands but I get the error below. Is there something I am missing?

ciscoasa(config)# crypto map outside_map 10 set transform-set ESP-3DES-MD5
ERROR: transform set with tag "ESP-3DES-MD5" does not exist.


You mentioned Easy VPN; what routers do you suggest that work with Easy VPN?

Thanks.
Sorry! I missed the default configs!
Tried all, but the RV does not connect. Where am I wrong? Can you please help?

aa.aa.aa.aa is the Cisco
bb.bb.bb.bb is the RV042

It just does not connect.

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aa.aa.aa.aa 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HQ_to_station1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 11.22.33.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 match address HQ_to_station1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer bb.bb.bb.bb
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
group-policy RV042 internal
group-policy RV042 attributes
 vpn-tunnel-protocol IPSec
 pfs enable
tunnel-group bb.bb.bb.bb type ipsec-l2l
tunnel-group bb.bb.bb.bb general-attributes
 default-group-policy RV042
tunnel-group bb.bb.bb.bb ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
!
prompt hostname context
: end


skywalker,
   Issue the commands "debug crypto isakmp" and "debug crypto ipsec", try to initiate tunnel traffic, then paste the output here.
I am trying to redo this with 5 RV042 routers, but when I paste the below, it says duplicate names. If I change the names, then what happens to the command at the end?

access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Thanks for the help and time.
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Can't find a valid tunnel group, aborting...!
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Removing peer from peer table failed, no match!
Nov 25 10:14:30 [IKEv1]: Group = 10.100.100.2, IP = 10.100.100.2, Error: Unable to remove PeerTblEntry
Nov 25 10:14:40 [IKEv1]: IP = 10.100.100.2, Header invalid, missing SA payload! (next payload = 4)
Nov 25 10:15:00 [IKEv1]: IP = 10.100.100.2, Header invalid, missing SA payload! (next payload = 4)
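Added example, not part of the thread: a small checker for the three mistakes that surface in this thread, a crypto map pointing at a transform-set that was never defined (the "does not exist" error above), a peer with no tunnel-group (the "Can't find a valid tunnel group" debug line), and a crypto ACL with no matching nat 0 exemption, plus the identical ACEs pasted several times. The sample config is constructed in the shape of the posted one; the checks are text-level heuristics, not an ASA parser.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): a cut-down ASA 7.x config shaped like the
# one posted above, with the transform-set definition deliberately missing and the
# tunnel-group written for a different address than the crypto map peers.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HQ_to_station1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HQ_to_station2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address HQ_to_station1
crypto map outside_map 10 set peer 10.100.100.2
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address HQ_to_station2
crypto map outside_map 20 set peer 10.100.100.3
crypto map outside_map 20 set transform-set ESP-3DES-MD5
tunnel-group 10.100.100.9 type ipsec-l2l
"""

ACE_RE = re.compile(r"access-list (\S+) (?:line \d+ )?(?:extended )?permit ip (.+)")
MAP_RE = re.compile(r"crypto map (\S+ \d+) (match address|set peer|set transform-set) (\S+)")

def lint_asa_vpn(config):
    """Cross-check each crypto map entry against the objects it refers to."""
    transform_sets, tunnel_groups, acls, maps = set(), set(), {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tunnel_groups.add(m.group(1))
        elif m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
        elif m := MAP_RE.match(line):
            maps.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    findings = []
    # The same ACE pasted several times, as in the five-line paste above.
    for name, aces in acls.items():
        findings += [f"access-list {name}: duplicate entry '{a}'" for a, n in Counter(aces).items() if n > 1]
    nat0 = set(acls.get("inside_nat0_outbound", []))
    for entry, f in sorted(maps.items()):
        if f.get("set transform-set") not in transform_sets:
            findings.append(f"{entry}: transform-set {f.get('set transform-set')} does not exist")
        acl = f.get("match address")
        if acl not in acls:
            findings.append(f"{entry}: crypto ACL {acl} is not defined")
        # Interesting traffic that is not NAT-exempted gets translated instead of entering the tunnel.
        findings += [f"{entry}: no nat 0 exemption for '{a}'" for a in acls.get(acl, []) if a not in nat0]
        if f.get("set peer") not in tunnel_groups:
            findings.append(f"{entry}: no tunnel-group for peer {f.get('set peer')} (IKE aborts with 'Can't find a valid tunnel group')")
    return findings
```

Paste a "show running-config" into SAMPLE_CONFIG's place to check a real box; the nat0 ACL name is assumed to be inside_nat0_outbound as in the thread.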
I figured out the problem, a stupid typo!!

One more question: I have 2 sites having the same config,
1 ASA and 5 RV042
1 ASA and 5 RV042

Can the ASA and ASA communicate? Have a secure VPN between each other?
If you want, yes they can communicate.
Can you help me with the config? At some point we will need both head offices to communicate; it's for the master/slave database.

Thanks a lot for the help.
Skywalker,
  The configuration is the same as above. Add the remote site in the ASA as if it were a Linksys. And do the same configuration at the other ASA, only changing the peer ID and writing the interesting-traffic and NAT ACL in reverse.
MrHusty,

Can you help me with writing the interesting traffic and the reverse NAT ACL? I have tried, but the boxes do not talk to each other.
Mr Husty,

Will the above VPN allow all services, like RDP and other database services, or do I need to specify them in the Cisco?

Thanks,
Oh, I thought this question was finalized. No, you don't have to specify them in the Cisco; they are permitted by default.
I am just stuck with the two Ciscos not talking to each other. Can you help with just this one?
I believe this is a separate question from the initial one; you have to open up another question.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.