How to add another VPN tunnel to supplement existing VPN

I have a main site and a remote site.

Currently the main site has a 3825 configured to provide internet service for the main site, and the remote site connects to the main site. ALL traffic from the remote site is routed through the main site; even the remote site's public internet access goes through the main site (so it goes through the separate hardware firewall at the main site before reaching the internet).
I want to hook up a second line at the remote site, with an ASA5505, to a VPN tunnel to the main site 3825 through the same 'route' as the original link is now.

(remote site: 'Copperas Cove', with subnets 192.168.2.x; main site: subnet 192.168.1.x)
Username: admin
Password:
Main3825#sh run
Building configuration...

Current configuration : 7681 bytes
!
! Last configuration change at 10:41:15 CDT Wed Jun 18 2014 by admin
! NVRAM config last updated at 11:44:46 cdt Thu Mar 6 2014 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Main3825
!
boot-start-marker
boot system flash flash:c3825-advipservicesk9-mz.124-9.T7.bin
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
clock timezone cdt -6
clock summer-time CDT recurring
!
!
no ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 4.2.2.2
!
!
voice-card 0
 no dspfarm
!
!
username admin *******************************
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 192.168.250.2 no-xauth
crypto isakmp key ******** address 192.168.250.3 no-xauth
!
crypto isakmp client configuration group KILLEEN
 key qei2dix
 dns 208.33.159.39 63.162.197.69
 pool ippool
 acl 150
 save-password
 max-logins 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map Outside_map 1 ipsec-isakmp
 description Connection to Copperas Cove
 set peer 192.168.250.2
 set transform-set ESP-3DES-SHA
 match address 101
crypto map Outside_map 2 ipsec-isakmp
 description Connection to Harker Heights Texas
 set peer 192.168.250.3
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
 ip address 192.168.37.250 255.255.255.0 secondary
 ip address 192.168.41.250 255.255.255.0 secondary
 ip address 192.168.8.250 255.255.255.0 secondary
 ip address 192.168.1.250 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description OUTSIDE INTERNET
 ip address 64.45.239.242 255.255.255.252
 ip nat outside
 no ip virtual-reassembly
 ip policy route-map TEST
 duplex full
 speed 100
 media-type rj45
 crypto map clientmap
!         
interface FastEthernet0/3/0
 description Copperas Cove  Harker Heights
 duplex full
 speed 10
!
interface FastEthernet0/3/1
 description HP WIFI
 switchport access vlan 22
!
interface FastEthernet0/3/2
 duplex full
 speed 100
!
interface FastEthernet0/3/3
 switchport access vlan 5
!
interface Vlan1
 description VPN CopperasCove
 ip address 192.168.3.199 255.255.255.0 secondary
 ip address 192.168.2.197 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map FIREWALL
!
interface Vlan5
 description ASA251 Port1
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan22
 description HP WIFI VLAN 22
 ip address 172.22.1.250 255.255.255.0
 ip access-group 109 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 192.168.200.100 192.168.200.200
ip route 0.0.0.0 0.0.0.0 64.45.239.241
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map INTERNET interface GigabitEthernet0/1 overload
!
logging 192.168.1.84
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.200.0 0.0.0.255
access-list 101 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip any 192.168.3.0 0.0.0.255
access-list 109 deny   ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 permit ip any any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.250.0 0.0.0.255 any
access-list 150 permit ip 192.168.5.0 0.0.0.255 any
access-list 180 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 180 permit ip 192.168.1.0 0.0.0.255 any
access-list 180 permit ip 192.168.2.0 0.0.0.255 any
access-list 180 permit ip 192.168.3.0 0.0.0.255 any
access-list 180 permit ip 192.168.37.0 0.0.0.255 any
access-list 180 permit ip 192.168.41.0 0.0.0.255 any
access-list 180 permit ip 172.22.1.0 0.0.0.255 any
access-list 180 permit ip 192.168.8.0 0.0.0.255 any
access-list 189 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 189 permit ip 192.168.2.0 0.0.0.255 any
access-list 189 permit ip 192.168.3.0 0.0.0.255 any
access-list 189 permit ip 192.168.37.0 0.0.0.255 any
access-list 189 permit ip 192.168.41.0 0.0.0.255 any
access-list 189 permit ip 172.22.1.0 0.0.0.255 any
access-list 189 permit ip 192.168.8.0 0.0.0.255 any
access-list 190 permit ip any 192.168.2.0 0.0.0.255
access-list 190 permit ip any 192.168.3.0 0.0.0.255
access-list 198 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 deny   ip any 192.168.3.0 0.0.0.255
access-list 198 deny   ip any 192.168.2.0 0.0.0.255
access-list 198 remark inside_nat0_out
access-list 198 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
route-map FIREWALL permit 10
 match ip address 189
 set ip next-hop 192.168.5.2
!
route-map TEST permit 10
 match ip address 190
 set ip next-hop 192.168.1.251
!
route-map INTERNET permit 10
 match ip address 180
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179674
ntp master
ntp server 192.5.41.41 prefer
ntp server 192.5.41.40
!
end

Main3825#exit
Any assistance would be greatly appreciated.
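Before a second site-to-site tunnel is added, it is worth checking how the existing crypto maps are actually bound: in the posted config only clientmap is applied (to GigabitEthernet0/1), while Outside_map, which carries the Copperas Cove and Harker Heights peers, is not applied to any interface and so cannot negotiate a tunnel. The Python script below is an added example, not the poster's code or a Cisco tool; it parses a constructed excerpt of the Main3825 config shown above and flags crypto maps that are never applied to an interface and match ACLs that reference a non-existent access-list.

```python
import re
# Constructed excerpt of the Main3825 config posted above (added example, not the poster's code).
CONFIG = """\
crypto map Outside_map 1 ipsec-isakmp
 set peer 192.168.250.2
 match address 101
crypto map Outside_map 2 ipsec-isakmp
 set peer 192.168.250.3
 match address 102
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface GigabitEthernet0/1
 crypto map clientmap
access-list 101 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip any 192.168.3.0 0.0.0.255
"""

def parse(config):
    """One pass over an IOS config: crypto map entries, interface bindings and ACL names."""
    maps, applied, acls = {}, {}, set()
    stanza = entry = iface = None  # which indented block the current line belongs to
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?", line)
        if m:
            name, seq, dyn = m.groups()
            entry = {"peer": None, "acl": None, "dynamic": dyn}
            maps.setdefault(name, {})[int(seq)] = entry
            stanza = "map"
        elif line.startswith("interface "):
            stanza, iface = "iface", line.split()[1]
        elif not line.startswith(" "):  # any other top-level command ends the stanza
            stanza = None
            if line.startswith("access-list "):
                acls.add(line.split()[1])
        elif stanza == "map" and line.startswith((" set peer ", " match address ")):
            entry["peer" if line.split()[1] == "peer" else "acl"] = line.split()[-1]
        elif stanza == "iface" and line.startswith(" crypto map "):
            applied[line.split()[-1]] = iface  # map bound to this interface
    return maps, applied, acls

def audit(config):
    """Flag maps never bound to an interface and match ACLs that do not exist."""
    maps, applied, acls = parse(config)
    findings = []
    for name, entries in maps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is defined but not applied to any interface")
        for seq, e in sorted(entries.items()):
            if e["acl"] and e["acl"] not in acls:
                findings.append(f"{name} {seq}: match address {e['acl']} has no access-list")
    return findings
```

Run `audit()` against a full `show running-config` capture to get the same checks over every crypto map on the box; a map that is not bound to an interface is the first thing to verify before adding the ASA5505 peer to it.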