Cisco Support Community
New Member

Cisco 1841 VPN

Hi,

I have an 1841 router in site-A that is connected to site-B (Fortinet FW) via L2L VPN over the internet. If a remote-access user would connect to site-A, via RA VPN over the internet, would he be able to connect to site-B as well? Is this also possible if I have an ASA FW instead of an 1841 router?

Thanks! :)

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cisco 1841 VPN

If it's supported then it would be the same as on the ASA (under the crypto map configuration).

Regards

Farrukh

19 REPLIES

Re: Cisco 1841 VPN

New Member

Re: Cisco 1841 VPN

Neat! Thanks for this. And would really appreciate if you could send a link for a sample config of Cisco1841 for this setup.

Thanks very much! :)

Re: Cisco 1841 VPN

For IOS this is the only link I know of, you will have to modify it based on the ASA Link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Regards

Farrukh

New Member

Re: Cisco 1841 VPN

Hi,

Thanks for this. I'll just have to test it first. Btw, there won't be any issues if the other FW is Fortinet, right?

Thanks again,

Patricia

Re: Cisco 1841 VPN

If you can form a regular L2L VPN with the Fortinet (which can sometimes be tricky) then the spoke-to-spoke should be OK as well. The real intelligence lies in the HUB device in such a setup.

Regards

Farrukh

New Member

Re: Cisco 1841 VPN

Hi,

I have tried to test this setup, unfortunately, to no success. :(

The L2L and remote access connections are OK. But if the VPN client tries to connect to the spoke network, it doesn't work. When I check crypto ipsec sa, there's no SPI for this connection. Would you know the possible reasons for this?

Thanks!

Re: Cisco 1841 VPN

I would have to look at your configuration to comment on that. Make sure that the spoke to client traffic is included in your crypto ACL, nat exemption etc.

Regards

Farrukh

New Member

Re: Cisco 1841 VPN

Hi Farrukh,

See attached config of the hub (Cisco1841) and spoke (ASA5505).

I did some config changes and now my L2L is not up too. :(

Thanks,

Pat

New Member

Re: Cisco 1841 VPN

Hi Farrukh,

I'm also attaching the debug on my L2L VPN connection. From the ASA, it has an error of "Removing peer from correlator table failed, no match!". I've checked all the attributes and ACLs, still I can't find any differences in the config.

Thanks!

New Member

Re: Cisco 1841 VPN

Ooppsss, here is the attachment.

Thanks!

Re: Cisco 1841 VPN

Why have you enabled PFS on one side and not the other?

Regards

Farrukh

New Member

Re: Cisco 1841 VPN

How would I enable PFS on the 1841?

Thanks!

Re: Cisco 1841 VPN

If it's supported then it would be the same as on the ASA (under the crypto map configuration).

Regards

Farrukh

New Member

Re: Cisco 1841 VPN

Ok, have configured it now and will test the connection later as I can't plug the test router into the network yet. Hmm, just wondering if this will solve the issue of VPN client getting into the spoke network? :)

Thanks!

Re: Cisco 1841 VPN

I doubt it. That will require further configuration and (maybe) troubleshooting. I would suggest taking it step by step.

Regards

Farrukh

New Member

Re: Cisco 1841 VPN

Hi Farrukh,

I've added PFS to the router but I'm still getting the same error. :(

Regards,

Patricia

New Member

Re: Cisco 1841 VPN

Hi Farrukh,

Disregard my previous mail, your suggestion worked! Now, for the VPN client to access the spoke? What steps do I need to do? :)

Thanks!

New Member

Re: Cisco 1841 VPN

Hi Farrukh,

Everything is working now! Didn't do other major changes, just the PFS. Thanks for your help. :)

Regards,

Patricia

Re: Cisco 1841 VPN

OK, that's great :) Glad I could help.

Regards

Farrukh
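The fault found in this thread, PFS enabled on one end of the L2L tunnel and not the other, can be checked offline by comparing the crypto map entries of both devices. The script below is an added example, not part of the original thread or the attached configs: the two configs, map names and addresses are constructed, and `pfs_settings` and `compare_pfs` are hypothetical helper names.

```python
import re

# Constructed sample configs (not the attachments from the thread).
IOS_HUB = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 match address 110
"""
ASA_SPOKE = """\
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
"""
# The hub after adding PFS under the same crypto map entry.
IOS_HUB_FIXED = IOS_HUB + " set pfs group2\n"


def pfs_settings(config):
    """Return {(map_name, seq): pfs_group or None} for IOS or ASA syntax."""
    entries, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto map (\S+) (\d+)\b(.*)", line)
        if head:  # IOS entry header, or an ASA one-line sub-command
            current = (head.group(1), int(head.group(2)))
            entries.setdefault(current, None)
            body = head.group(3)
        elif line.startswith(" ") and current:  # IOS indented sub-command
            body = line
        else:  # any other line ends the current IOS entry
            current = None
            continue
        pfs = re.search(r"\bset pfs(?: (\S+))?", body)
        if pfs:  # "set pfs" with no group uses the platform default
            entries[current] = pfs.group(1) or "default"
    return entries


def compare_pfs(hub_cfg, hub_entry, spoke_cfg, spoke_entry):
    """Return (match, hub_group, spoke_group) for the two ends of one tunnel."""
    hub = pfs_settings(hub_cfg)[hub_entry]
    spoke = pfs_settings(spoke_cfg)[spoke_entry]
    return hub == spoke, hub, spoke


if __name__ == "__main__":
    for cfg in (IOS_HUB, IOS_HUB_FIXED):
        print(compare_pfs(cfg, ("VPNMAP", 10), ASA_SPOKE, ("outside_map", 10)))
```

A `None` on one side and a group on the other is the condition pointed out in the thread; both ends must either omit PFS or name the same group.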
