09-23-2010 09:54 AM - edited 02-21-2020 04:52 PM
Hello,
I have got a Cisco ASA 5540 at Headquarters and a Cisco 857 ADSL router at the Branch Office with internet up. I have created a site to site VPN between the ASA and the branch router and it's working fine.
Please see the attached snap (scenario 1) for referral.
Presently I have assigned public IPs to the remote LAN PCs (Branch Office). Now I am planning to give them a private range (let's say 192.168.4.0/24).
It will be just like lan to lan vpn.
What do I have to add in my configuration on the ASA and the router to make this possible? I am not pretty good in VPN connectivity, so I need the experts' help and advice.
If something is not clear please let me know.
Thanking in Advance.
09-23-2010 10:12 AM
Hi,
This might help you:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml
All you need to do is to change your crypto access-list on the ASA and the router. If you send the current config, we can tell you what exactly needs to be changed.
Thanks and Regards,
Prapanch
09-23-2010 10:33 AM
hi prapanch,
Thanks for quick response
Firstly, please ignore my previous attachment because it has got some IP mistakes.
here is my router config
Current configuration : 3748 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hospital
!
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T14.bin
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 $1$I7fD$hFcavQfsBAttAU3kdsCyo0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-514007288
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-514007288
revocation-check none
rsakeypair TP-self-signed-514007288
!
!
crypto pki certificate chain TP-self-signed-514007288
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35313430 30373238 38301E17 0D303230 35313430 35303431
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 34303037
32383830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
A2EABB56 14D234BE 7889BC4D A55C7A99 0461AB52 AEEB74F9 4240866D CFE99361
093C1C41 5225FD37 41266629 C9758902 F7A17B16 0982CA9A B9FA3AAF 40A0C258
A55E8EEC 183249CF 3E0A4F1A E6C044D5 25735261 5D38C06A 421411A2 4FCD8644
D834C59F A57E9391 A09D8AAB 57C18AEA 804FCB47 0EC6F632 5E0647A6 4C82EA29
02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
11040D30 0B820944 722E4661 6B656568 301F0603 551D2304 18301680 1443A6AE
ABA34B03 84DE5AA5 AA18D747 5899D8BA 3F301D06 03551D0E 04160414 43A6AEAB
A34B0384 DE5AA5AA 18D74758 99D8BA3F 300D0609 2A864886 F70D0101 04050003
8181002F A141EFFE E7E015D4 1BC5D116 EEF1F6FA 2956E23E FE4A8A0D FF3293D9
3E9E9C09 8ABBD4BD 08947278 8276FB24 4D42E45F 877029F1 CEC1423E E38CDBA6
08855E81 41D6281B 3DE69A80 913DC48F DCB05F81 151F4BB2 3F69DD5C 49F7BDF2
0E7E2A02 C10A9906 BF3E2AA3 61D967A2 7A1C4377 9B598D48 4CA26916 FC9D251C 8CE796
quit
dot11 syslog
!
!
ip cef
ip name-server 212.93.x.x
ip name-server 212.93.x.x
!
!
!
username admin privilege 15 password 7 070C2E414B4D0D041C170218
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 11.11.11.14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to11.11.11.14
set peer 11.11.11.14
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 78.32.95.174 255.255.255.248
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXX
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 78.32.94.172 0.0.0.7 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 1306181F0E48102B20212127
login local
!
scheduler max-task-time 5000
end
......................................................................
ASA config
access-list Outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 78.32.94.172 255.255.255.248
access-list inside_nat0_outbound line 6 extended permit ip 192.168.1.0 255.255.255.0 78.32.94.172 255.255.255.248
tunnel-group 65.34.132.167 type ipsec-l2l
tunnel-group 65.34.132.167 ipsec-attributes
pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 65.34.132.167 (Dynamic IP from ISP)
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
09-23-2010 02:18 PM
In your router you have
access-list 100 permit ip 78.32.94.172 0.0.0.7 192.168.1.0 0.0.0.255
change it for
access-list 100 permit ip (new network) 192.168.1.0 0.0.0.255
In the ASA
ASA config
access-list Outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 (new network)
access-list inside_nat0_outbound line 6 extended permit ip 192.168.1.0 255.255.255.0 (new network)
I suppose that you are going to be using NAT for the rest of the traffic, right? Then you will need to do a NO-NAT in the router as well. Do the NAT exception with a route-map.
09-23-2010 02:22 PM
Check the link that Naryanan added. The router is doing a NAT exception with the help of a route-map.
09-23-2010 10:18 AM
Hey Samir,
please follow the link below for the configs ......
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
kindly notify me if you face any issues.
Regards,
Naryanan.
09-24-2010 04:38 AM
Thank you experts for your help and great information.
I will notify if there is any issue faced.
One more thing I have to point out here: do I have to add any route on the ASA?
09-24-2010 05:34 AM
Hi Experts,
I have a default route on the router
ip route 0.0.0.0 0.0.0.0 Dialer1
So do I have to configure any route for this case?
09-24-2010 05:37 AM
No, you do not need any extra route on the router. The default route on the router will suffice.
Hope that helps.
09-24-2010 06:00 AM
So I don't have to put any route on the router pointing to the ASA outside interface.
Please clarify,
Thanks
09-24-2010 06:05 AM
Yes, you are absolutely right. There is no need for any other extra routes on the router.
09-24-2010 11:50 AM
Hi All,
Here, one question arises in my mind
Will the PCs (local network) behind the ASA be able to access the remote network (behind the branch office router)?
09-27-2010 03:38 AM
Hello Experts
Please see the attached configuration of Site to Site VPN between Router and ASA.
But I cannot ping and reach the internal network behind the ASA from the Branch Office, and vice versa.
VPN tunnel is established (fyi)
Experts, please can you help with what's wrong in the config?
09-27-2010 03:59 AM
The router configuration is incorrect.
ACL 100 which is the crypto ACL needs to mirror image the ASA Outside_1_cryptomap ACL.
Router ACL 100 should say:
access-list 100 permit ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255
Router ACL 101 for the NAT statement should say:
access-list 101 deny ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
Hope that helps.
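The two rules given in this thread (the router's crypto ACL must be the mirror image of the ASA's crypto ACL, and the router's NAT ACL must deny the VPN traffic before it permits anything else) are easy to get wrong by hand, so here is a small checker for them. This is an added example written for this page, not code from the thread or from Cisco; the sample configuration inside it is constructed from the ACL lines quoted above, and the ASA line is simply the assumed mirror of router ACL 100. It converts IOS wildcard masks and ASA netmasks to a common form, then compares the two sides and walks the NAT ACL top-down the way the router would.

```python
import ipaddress

# Constructed sample snippets (not a real device dump), modelled on the ACL
# lines quoted in this thread: router crypto ACL 100, router NAT ACL 101,
# and the ASA crypto ACL. The ASA line is the assumed mirror of ACL 100.
ROUTER_CFG = """
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
"""
ASA_CFG = """
access-list Outside_1_cryptomap line 1 extended permit ip 10.1.2.0 255.255.255.0 192.168.5.0 255.255.255.0
"""


def wildcard_to_netmask(wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.7 -> 255.255.255.248."""
    inverted = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def _take_addr(tok, i, wildcard):
    """Consume one address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    mask = wildcard_to_netmask(tok[i + 1]) if wildcard else tok[i + 1]
    # strict=False zeroes host bits, as the devices do when they store the entry
    return ipaddress.IPv4Network((tok[i], mask), strict=False), i + 2


def parse_ios_acl(cfg, number):
    """Return [(action, src, dst)] for 'access-list <number> permit|deny ip ...' lines."""
    entries = []
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or len(tok) < 4 or tok[2] == "remark":
            continue
        if tok[3] != "ip":  # only plain IP entries matter for the crypto/NAT ACLs here
            continue
        src, i = _take_addr(tok, 4, wildcard=True)
        dst, _ = _take_addr(tok, i, wildcard=True)
        entries.append((tok[2], src, dst))
    return entries


def parse_asa_acl(cfg, name):
    """Return [(action, src, dst)] for 'access-list <name> [line N] extended permit|deny ip ...'."""
    entries = []
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name]:
            continue
        if len(tok) > 3 and tok[2] == "line":
            del tok[2:4]  # drop the optional 'line N' position marker
        if len(tok) < 5 or tok[2] != "extended" or tok[4] != "ip":
            continue
        src, i = _take_addr(tok, 5, wildcard=False)
        dst, _ = _take_addr(tok, i, wildcard=False)
        entries.append((tok[3], src, dst))
    return entries


def crypto_acls_mirror(router_entries, asa_entries):
    """True when every permitted (src, dst) on one side appears as (dst, src) on the other."""
    router_pairs = {(s, d) for a, s, d in router_entries if a == "permit"}
    asa_pairs = {(d, s) for a, s, d in asa_entries if a == "permit"}
    return router_pairs == asa_pairs


def nat_exempts_vpn(nat_entries, crypto_entries):
    """True when, for every VPN (src, dst) pair, the first NAT ACL entry covering it is a deny.

    The NAT ACL is evaluated top-down: 'permit' means translate, 'deny' (or no
    match at all) means leave the packet alone. Coverage is tested per whole
    subnet, which is enough for the /24-style networks discussed in the thread.
    """
    for action, csrc, cdst in crypto_entries:
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat_entries:
            if csrc.subnet_of(nsrc) and cdst.subnet_of(ndst):
                if nat_action == "permit":
                    return False  # VPN traffic would be translated before encryption
                break
    return True


def check_site_to_site(router_cfg, asa_cfg, crypto_acl=100, nat_acl=101, asa_acl="Outside_1_cryptomap"):
    """Run both checks and report them as a dict."""
    router_crypto = parse_ios_acl(router_cfg, crypto_acl)
    return {
        "crypto_acls_mirror": crypto_acls_mirror(router_crypto, parse_asa_acl(asa_cfg, asa_acl)),
        "nat_exempts_vpn": nat_exempts_vpn(parse_ios_acl(router_cfg, nat_acl), router_crypto),
    }


if __name__ == "__main__":
    print(check_site_to_site(ROUTER_CFG, ASA_CFG))
```

Run it against the two ACLs from the earlier posts (router `78.32.94.172 0.0.0.7 -> 192.168.1.0 0.0.0.255`, ASA `192.168.1.0/24 -> 78.32.94.172/29`) and the mirror check passes, which is exactly why the tunnel came up in the first place; paste in the router ACL from one side and the ASA ACL from a later revision and it fails, which is the situation the reply above describes.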
09-27-2010 05:05 AM
Thanks for your reply.
I'll try and update