Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Hi,

Actually I have to make a VPN between an 5520 ASA and a Cisco 887VA-K9 Router.

Connected to ASA I have the outside interface, the inside-DMZ interface, the PCs interface and the VoIP interface. In the other site I will need to have a new subnet and a VoIP phone which I need to connect to the VoIP subnet in the other side in order to work with our CCM servers.

My question is: do I need two VPN established between ASA and 887 Router?

How should I do it?

Thank you very much.

Kind regards.

15 REPLIES

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Here is a Cisco documentation, will you give complete config steps.

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Thanks

Rizwan Rafeek

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Hi Rizwan,

thank you for your answer, it will be my next step.

I tried to stablished the DSL connected but in the configuration mode, when I enter in atm0 configuration and I write dsl operating-mode auto I get an invalid input detected. Do you know why do I get this?

Thank you very much.

Kind regards.

David Fernandez.

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Delete your current setup you have for DSL and please try this out for DSL connectivity, please use interface-names to match your interfaces on your router and consider "interface dialer 1" as your real interface and corresponding to "Interface FastEthernet0" become nothing but a physical interface not much going on as far as router is concerned....  So your VPN crypto connection goes into "interface dialer 1" as well not into "Interface FastEthernet0".


Interface FastEthernet0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no shut
exit



interface dialer 1
ip address negotiated
encapsulation ppp
ip mtu 1492
ip nat outside
ppp authentication pap callin
ppp pap sent-username your-pppoe-user-name pass KING-OF_THE_Hill
dialer pool 1
no shut
exit

interface FastEthernet1
no shut
ip address
ip adjust-mss 1452
ip nat inside
exit

Hope that helps.

Thanks

Rizwan Rafeek

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Thank yo,

I have just done it, but I am afraid I can't apply that configuration to FastEthernet 1 interface, as long as it is a Layer2 link.

ip address didn't showed me such a message. I couldn't neither bring "ip nat inside" and "ip adjust-mss" commands to such an interface.

Do you mean I will not be able to use all fastethernet ports as part of the VPN? I thought it was posible to connect to router to the internet and use all fastethernet ports to connect devices as if they were working in the network abroad

thank you very much for your answers.

kind regards.

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Please post your config on the forum, please let me see it.

thanks

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

hi,

before posting configuration, I willsay I have speak to our ISP and they gave us this data referring to the configuration:

dinamycal ip

encapsulation LLC

vpi 8

vci 32

and after that the DNS and username and password.

here is the configuration, thank you very much:

Current configuration : 1761 bytes

!

! Last configuration change at 14:54:08 UTC Mon Feb 6 2012

! NVRAM config last updated at 08:27:17 UTC Mon Feb 6 2012

! NVRAM config last updated at 08:27:17 UTC Mon Feb 6 2012

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname RouterBarcelona

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$5u04$xEVGC9HqBE3U23GYKQ1601

enable password 7 096D1F001B25431D0007

!

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!

!

no ip source-route

no ip routing

!

!

!

!

ip dhcp pool mypool

network 192.168.123.0 255.255.255.0

domain-name cione.es

dns-server 194.30.0.1 80.58.61.250

default-router 192.168.123.1

lease 7

!

!

no ip cef

ip name-server 80.58.61.250

ip name-server 80.58.61.254

no ipv6 cef

!

!

license udi pid CISCO887VA-K9 sn FCZ160393ZJ

!

!

!

!

!

!

controller VDSL 0

!

ip ssh version 2

!

!

!

!

!

!

!

interface Ethernet0

no ip address

no ip route-cache

shutdown

!

interface ATM0

no ip address

atm ilmi-keepalive

!

interface FastEthernet0

no ip address

pppoe-client dial-pool-number 1

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

shutdown

!

interface FastEthernet3

no ip address

!

interface Vlan1

ip address 192.168.123.1 255.255.255.0

no ip route-cache

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication pap callin

ppp pap sent-username adslppp@telefonicanetpa password 7 06070B32405E1909

!

ip forward-protocol nd

ip http server

no ip http secure-server

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

password 7 06270135491E034936

login

transport input all

!

end

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Hi David,

Your "interface dialer 1" looks fine, however your routed-port for your Router (i.e. RouterBarcelona) is "interface Ethernet0"

So please copy this over to "interface Ethernet0" not on "Interface FastEthernet0" and remove previous config from "Interface FastEthernet0".  Port "Interface FastEthernet0" must be a switch port.  What is your router model number?

Interface Ethernet0

no ip address

pppoe enable

pppoe-client dial-pool-number 1

no shut

exit

You also need to copy these two lines to your SVI "interface Vlan1" 

interface Vlan1

ip adjust-mss 1452

ip nat inside

At last you need to add a default router as below...

ip route 0.0.0.0 0.0.0.0 dialer 1

----------------------------------------------------------------

For users on vlan1 to access internet, you must have a PAT overload on dialer interface as shown below.

ip access-list extended PAT_ACL

permit ip 192.168.123.0 0.0.0.255 any

ip nat inside source list PAT_ACL interface Dialer1 overload

Thanks

Rizwan Rafeek

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Hi again,

I have config all interfaces as you wrote, but I can not deliver "ip adjust-mss .." comand to the interface Vlan1

Anyway it is not negotiating with provider. CD light is green, but there is no link on data light

thank you very much

kind regards

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Since it is not PPPoE but rather PPP over ATM right?

copy this on your router and your use your ATM0 interface to connect to your ISP modem.

interface atm 0.1 multipoint

pvc 8/32

   pppoe-client dial-pool-number 1

encapsulation llc

protocol ppp virtual-template 1

Remove this config from "Interface Ethernet0" as shown below please.

Interface Ethernet0

no ip address

pppoe enable

pppoe-client dial-pool-number 1

no shut

exit

Let me know, how that coming along.

thanks

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

I think it is PPPoE,

at least that was the configuration in the other router.encapsulation mode (in the other router is configured as LLC/SNAP-Bridging)

thank you

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Remove the previous config you applied on ATM "interface atm 0.1 multipoint"

"aal5snap" is LLC/SNAP in bridging mode.

Can you find out, authentcation is pap or chap ?

If authentication portocol is chap change your dialer1 as shown below.


interface Dialer1

ip address negotiated

ip mtu 1492

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp authentication pap chap callin

ppp chap hostname adslppp@telefonicanetpa

ppp chap password 0 your-password-goes-here

ppp chap sent-username adslppp@telefonicanetpa password 0 your-password-goes-here

Apply this on the atm0 interface.


interface ATM0
dsl operating-mode auto
encapsulation aal5snap ppp dialer
no atm ilmi-keepalive
pvc 8/32
   pppoe-client dial-pool-number 1

Let me know.

Thanks

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

I am sorry, but I cannot  bring "dsl operating-mode auto" to the command line

whenever I tried to  write that down I always found the same %Invalid input detected, I cannot even write dsl and then press tab key, I get nothing, indicating it doesn't recognize the command "dsl"

do you think I am missing something in the hardware configuration?

thank you

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

"do you think I am missing something in the hardware configuration?" no.

"dsl operating-mode auto" is to automate the config, however you still can manually configure it.

Please post your config on the forum.

thanks

Re: 2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

hi

I attached the sh running-config command result.

Thank you,

kind regards.

2 VPNs between Cisco ASA 5520 and Cisco Router 887VA-K9

Please follow Cisco Documentation from the link below.  You also have to know, whether it is Chap or PAP authentication on PPPoE over ATM, so please check your ISP.

http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080126dc0.shtml

thanks

1600
Views
0
Helpful
15
Replies
CreatePlease login to create content