Hazem Badr
asked on
Cisco 887VA and Cisco RV042
Dear Experts
Can anyone please confirm that we can configure Cisco 887VA with Cisco RV042 VPN site to site?
The configuration will look like this on the 887VA:
! Phase 1 (IKE) policy
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key {preshared key} address {ip address remote device}
! Phase 2 (IPsec) transform set
crypto ipsec transform-set Site2site esp-3des esp-sha-hmac
crypto map Site2site-map 10 ipsec-isakmp
 description Site2Site
 set peer {ip address remote device}
 set security-association lifetime seconds 28800
 set transform-set Site2site
 match address TRAFFIC-TO-VPN
! The interface / dialer which is bound to your outside interface
interface {outside interface}
 crypto map Site2site-map
!
ip nat inside source route-map ALLOW-NAT interface {outside interface} overload
! Exclude VPN traffic from NAT, translate everything else
ip access-list extended NAT-POOL
 deny ip {local subnet} 0.0.0.255 {remote subnet} 0.0.0.255
 permit ip {local subnet} 0.0.0.255 any
! Traffic to be encrypted
ip access-list extended TRAFFIC-TO-VPN
 permit ip {local subnet} 0.0.0.255 {remote subnet} 0.0.0.255
!
dialer-list 1 protocol ip permit
!
route-map ALLOW-NAT permit 10
 match ip address NAT-POOL
!
Set up Site to Site in the RV042 in the VPN tab by selecting Site to Site setup (not Client to Gateway).
Provide a tunnel number and name.
Local Gateway type: IP Only
  Local external IP
Local Security Group: Subnet
  IP Address
  Subnet Mask
Remote Gateway type: IP Only
  Remote external IP
Remote Security Group: Subnet
  IP Address
  Subnet Mask
IP SETUP
  Keying Type: IKE Pre Share
  Phase 1 DH Group 2
  Phase 1 3DES or higher (preferably higher)
  Phase 1 Authentication SHA1
  PFS: No
  Phase 2 same as phase 1
  Pre share key - provide one
Advanced+
  Use main mode, not aggressive
  Keep alive ON
  Dead Peer Detect 10 seconds
  NAT Traversal: May need to be on or off.
Now set up IPsec in the other router the same way and it should work.
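A tunnel like this only comes up when both ends agree on the proposals and the protected subnets mirror each other. The following check is an added example, not code from the thread: it parses the 887VA snippet with constructed 192.168.x.0 subnets and compares it with a hypothetical record of the RV042 settings (the dictionary keys are this example's own names).

```python
import ipaddress
import re
# Constructed sample: the 887VA snippet above with made-up subnets filled in.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 group 2
crypto ipsec transform-set Site2site esp-3des esp-sha-hmac
ip access-list extended NAT-POOL
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended TRAFFIC-TO-VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Hypothetical record of the RV042 GUI settings; key names are this example's own.
RV042 = {"p1_enc": "3des", "p1_auth": "sha", "p1_group": "2", "p2_enc": "3des",
         "p2_auth": "sha", "local_net": "192.168.2.0/24", "remote_net": "192.168.1.0/24"}

def net(addr, wildcard):
    """Turn an IOS address and wildcard mask into an ip_network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def acl(config, name):
    """Return [(action, source, destination)] for a named extended ACL."""
    body = re.search(rf"ip access-list extended {re.escape(name)}\n((?: .*\n?)*)", config)
    rows = []
    for f in (line.split() for line in body.group(1).splitlines()):
        rows.append((f[0], net(f[2], f[3]), "any" if f[4] == "any" else net(f[4], f[5])))
    return rows

def check(config, rv):
    """List the mismatches between the IOS config and the RV042 settings."""
    problems = []
    for key, want in (("encr", rv["p1_enc"]), ("hash", rv["p1_auth"]), ("group", rv["p1_group"])):
        m = re.search(rf"^ {key} (\S+)", config, re.M)
        if not m or m.group(1) != want:
            problems.append(f"phase 1 {key} mismatch")
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", config)
    if not ts or ts.groups() != (rv["p2_enc"], rv["p2_auth"]):
        problems.append("phase 2 transform mismatch")
    # The 887VA's local subnet is the RV042's remote group, and vice versa.
    local, remote = ipaddress.ip_network(rv["remote_net"]), ipaddress.ip_network(rv["local_net"])
    if ("permit", local, remote) not in acl(config, "TRAFFIC-TO-VPN"):
        problems.append("crypto ACL does not mirror the RV042 security groups")
    if acl(config, "NAT-POOL")[:1] != [("deny", local, remote)]:
        problems.append("NAT-POOL does not exempt VPN traffic first")
    return problems
```

An empty list from `check(IOS_CONFIG, RV042)` means the two ends agree on the checked settings; the NAT-POOL test catches the case where the `permit ... any` entry is placed ahead of the `deny`, which would translate tunnel traffic before it can match the crypto ACL.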