689 Views, 0 Helpful, 1 Reply

routing between two VPNs on same interface

MikeCaditz
Level 1

I have both an Easy VPN server and a site-to-site VPN on the same outside interface of a 2911 router.

Currently, an Easy VPN client has no route into the router and then out the site-to-site VPN to the remote site.

How can I create this route?

Building configuration...

Current configuration : 18830 bytes

!

! Last configuration change at 19:01:55 PCTime Tue Nov 29 2011 by admin

! NVRAM config last updated at 19:02:42 PCTime Tue Nov 29 2011 by admin

! NVRAM config last updated at 19:02:42 PCTime Tue Nov 29 2011 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SFGallery

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

!

clock timezone PCTime -7 0

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

ip domain name gpgallery.com

ip name-server 10.10.10.10

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip name-server 10.10.10.80

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

crypto pki trustpoint SFGallery_Certificate

enrollment selfsigned

serial-number none

ip-address none

revocation-check crl

rsakeypair SFGallery_Certificate_RSAKey 512

!

!

crypto pki certificate chain test_trustpoint_config_created_for_sdm

crypto pki certificate chain SFGallery_Certificate

certificate self-signed 01

  xxxx

            quit

license udi pid CISCO2911/K9 sn xxxxxx

license boot module c2900 technology-package securityk9

license boot module c2900 technology-package datak9

!

!

object-group network Corp

172.16.4.0 255.255.252.0

10.10.10.128 255.255.255.224

!

object-group network SFGallery

172.16.0.0 255.255.252.0

10.10.10.0 255.255.255.128

!

object-group network NY

10.10.10.160 255.255.255.224

!

object-group network GPAll

group-object SFGallery

group-object NY

group-object Corp

!

username xxx privilege 15 secret 5 xxxx

username  xxx privilege 15 secret 5 $xxx

username xxxx privilege 15 secret 5 $xxxxx

!

redundancy

!

!

!

!

no ip ftp passive

ip ssh version 1

!

class-map type inspect match-all CCP_SSLVPN

match access-group name CCP_IP

!

!

policy-map type inspect ccp-sslvpn-pol

class type inspect CCP_SSLVPN

  pass

!

zone security sslvpn-zone

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxx address 209.101.19.226

!

crypto isakmp client configuration group SFGallery

key xxxxxx

dns 10.10.10.10 10.10.10.80

wins 10.10.10.10 10.10.10.80

domain gpgallery.com

pool SDM_POOL_1

acl 111

save-password

split-dns gpgallery.com

max-users 25

max-logins 2

netmask 255.255.252.0

banner ^CWelcome to GP Gallery . . . ^C

crypto isakmp profile ciscocp-ike-profile-1

   match identity group SFGallery

   client authentication list ciscocp_vpn_xauth_ml_3

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 3

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 43200

set transform-set ESP-3DES-SHA3

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to209.101.19.226

set peer 209.101.19.226

set transform-set ESP-3DES-SHA1

match address 107

!

!

!

!

!

interface Loopback1

ip address 192.168.5.1 255.255.255.0

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description T1 Cybermesa$ETH-WAN$

ip address 65.19.62.60 255.255.255.240

ip access-group 105 in

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/1

description LANOverloadNet$ETH-WAN$

ip address 172.16.0.1 255.255.252.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/2

description LAN$ETH-LAN$

ip address 10.10.10.2 255.255.255.128

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback1

!

interface Virtual-Template2

ip unnumbered Loopback1

zone-member security sslvpn-zone

!

interface Virtual-Template3 type tunnel

ip unnumbered GigabitEthernet0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

!

ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254

ip forward-protocol nd

!

ip http server

ip http access-class 1

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 10

sort-by bytes

cache-timeout 60000

!

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload

ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent

ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent

ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent

ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent

!

ip access-list extended CCP_IP

remark CCP_ACL Category=128

permit ip any any

!

no logging trap

logging 10.10.10.107

access-list 1 permit 192.168.1.2

access-list 1 remark CCP_ACL Category=1

access-list 1 permit 72.216.51.56 0.0.0.7

access-list 1 permit 172.16.0.0 0.0.3.255

access-list 1 permit 172.16.4.0 0.0.3.255

access-list 1 permit 10.10.10.128 0.0.0.31

access-list 1 remark Auto generated by SDM Management Access feature

access-list 1 permit 65.19.62.48 0.0.0.15

access-list 1 permit 10.10.10.0 0.0.0.127

access-list 100 remark Auto generated by SDM Management Access feature

access-list 100 remark CCP_ACL Category=1

access-list 100 permit ip any host 10.10.10.2

access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet

access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet

access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet

access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet

access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22

access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22

access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22

access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22

access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www

access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www

access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www

access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www

access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443

access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443

access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443

access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443

access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd

access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd

access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd

access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd

access-list 100 deny   tcp any host 10.10.10.2 eq telnet

access-list 100 deny   tcp any host 10.10.10.2 eq 22

access-list 100 deny   tcp any host 10.10.10.2 eq www

access-list 100 deny   tcp any host 10.10.10.2 eq 443

access-list 100 deny   tcp any host 10.10.10.2 eq cmd

access-list 100 deny   udp any host 10.10.10.2 eq snmp

access-list 100 permit udp any eq domain host 10.10.10.2

access-list 100 permit udp host 10.10.10.80 eq domain any

access-list 100 permit udp host 10.10.10.10 eq domain any

access-list 100 permit ip any any

access-list 101 remark Auto generated by SDM Management Access feature

access-list 101 remark CCP_ACL Category=1

access-list 101 permit ip 72.216.51.56 0.0.0.7 any

access-list 101 permit ip 172.16.0.0 0.0.3.255 any

access-list 101 permit ip 172.16.4.0 0.0.3.255 any

access-list 101 permit ip 10.10.10.128 0.0.0.31 any

access-list 101 permit ip 65.19.62.48 0.0.0.15 any

access-list 101 permit ip host 192.168.1.2 any

access-list 101 permit ip 10.10.10.0 0.0.0.127 any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark CCP_ACL Category=1

access-list 102 permit ip 72.216.51.56 0.0.0.7 any

access-list 102 permit ip 172.16.0.0 0.0.3.255 any

access-list 102 permit ip 172.16.4.0 0.0.3.255 any

access-list 102 permit ip 10.10.10.128 0.0.0.31 any

access-list 102 permit ip 65.19.62.48 0.0.0.15 any

access-list 102 permit ip host 192.168.1.2 any

access-list 102 permit ip 10.10.10.0 0.0.0.127 any

access-list 103 remark Auto generated by SDM Management Access feature

access-list 103 remark CCP_ACL Category=1

access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet

access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22

access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www

access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443

access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd

access-list 103 deny   tcp any host 172.16.0.1 eq telnet

access-list 103 deny   tcp any host 172.16.0.1 eq 22

access-list 103 deny   tcp any host 172.16.0.1 eq www

access-list 103 deny   tcp any host 172.16.0.1 eq 443

access-list 103 deny   tcp any host 172.16.0.1 eq cmd

access-list 103 deny   udp any host 172.16.0.1 eq snmp

access-list 103 permit ip any any

access-list 104 remark CCP_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31

access-list 105 remark Auto generated by SDM Management Access feature

access-list 105 remark CCP_ACL Category=1

access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq telnet

access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq telnet

access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet

access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq 22

access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq 22

access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22

access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq www

access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq www

access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www

access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq 443

access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq 443

access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443

access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq cmd

access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq cmd

access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd

access-list 105 deny   tcp any host 65.19.62.60 eq telnet

access-list 105 deny   tcp any host 65.19.62.60 eq 22

access-list 105 deny   tcp any host 65.19.62.60 eq www

access-list 105 deny   tcp any host 65.19.62.60 eq 443

access-list 105 deny   tcp any host 65.19.62.60 eq cmd

access-list 105 deny   udp any host 65.19.62.60 eq snmp

access-list 105 permit tcp any host 65.19.62.61 eq 443

access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127

access-list 105 remark IPSec Rule

access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255

access-list 105 permit udp any eq domain host 65.19.62.60

access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60

access-list 105 permit esp host 209.101.19.226 host 65.19.62.60

access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp

access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp

access-list 105 remark IPSec Rule

access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127

access-list 105 permit ip any any

access-list 106 remark CCP_ACL Category=2

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31

access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127

access-list 106 permit ip 10.10.10.0 0.0.0.255 any

access-list 107 remark CCP_ACL Category=4

access-list 107 remark IPSec Rule

access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31

access-list 108 remark CCP_ACL Category=2

access-list 108 remark IPSec Rule

access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31

access-list 108 permit ip 70.56.215.0 0.0.0.255 any

access-list 109 remark CCP_ACL Category=2

access-list 109 remark IPSec Rule

access-list 109 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31

access-list 109 permit ip 172.16.0.0 0.0.255.255 any

access-list 111 remark CCP_ACL Category=4

access-list 111 permit ip 10.10.10.0 0.0.0.127 any

access-list 111 permit ip 10.10.10.128 0.0.0.31 any

access-list 111 permit ip 172.16.0.0 0.0.3.255 any

access-list 111 permit ip 172.16.4.0 0.0.3.255 any

access-list 111 permit ip 10.10.10.160 0.0.0.31 any

!

!

!

!

route-map SDM_RMAP_4 permit 1

match ip address 109

!

route-map SDM_RMAP_1 permit 1

match ip address 106

!

route-map SDM_RMAP_2 permit 1

match ip address 108

!

!

snmp-server community public RO

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps vrrp

snmp-server enable traps transceiver all

snmp-server enable traps ds1

snmp-server enable traps call-home message-send-fail server-fail

snmp-server enable traps tty

snmp-server enable traps eigrp

snmp-server enable traps ospf state-change

snmp-server enable traps ospf errors

snmp-server enable traps ospf retransmit

snmp-server enable traps ospf lsa

snmp-server enable traps ospf cisco-specific state-change nssa-trans-change

snmp-server enable traps ospf cisco-specific state-change shamlink interface

snmp-server enable traps ospf cisco-specific state-change shamlink neighbor

snmp-server enable traps ospf cisco-specific errors

snmp-server enable traps ospf cisco-specific retransmit

snmp-server enable traps ospf cisco-specific lsa

snmp-server enable traps license

snmp-server enable traps envmon

snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config

snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up

snmp-server enable traps flash insertion removal

snmp-server enable traps c3g

snmp-server enable traps ds3

snmp-server enable traps adslline

snmp-server enable traps vdsl2line

snmp-server enable traps icsudsu

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps isdn chan-not-avail

snmp-server enable traps isdn ietf

snmp-server enable traps ds0-busyout

snmp-server enable traps ds1-loopback

snmp-server enable traps energywise

snmp-server enable traps vstack

snmp-server enable traps mac-notification

snmp-server enable traps bgp

snmp-server enable traps isis

snmp-server enable traps rf

snmp-server enable traps aaa_server

snmp-server enable traps atm subif

snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency

snmp-server enable traps memory bufferpeak

snmp-server enable traps cnpd

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps fru-ctrl

snmp-server enable traps resource-policy

snmp-server enable traps event-manager

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps frame-relay

snmp-server enable traps frame-relay subif

snmp-server enable traps hsrp

snmp-server enable traps ipmulticast

snmp-server enable traps msdp

snmp-server enable traps mvpn

snmp-server enable traps nhrp nhs

snmp-server enable traps nhrp nhc

snmp-server enable traps nhrp nhp

snmp-server enable traps nhrp quota-exceeded

snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message

snmp-server enable traps pppoe

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps l2tun session

snmp-server enable traps l2tun pseudowire status

snmp-server enable traps vtp

snmp-server enable traps ipsla

snmp-server enable traps bfd

snmp-server enable traps firewall serverstatus

snmp-server enable traps isakmp policy add

snmp-server enable traps isakmp policy delete

snmp-server enable traps isakmp tunnel start

snmp-server enable traps isakmp tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down

snmp-server host 10.10.10.107 public

!

!

!

control-plane

!

!

banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 102 in

transport input telnet

line vty 5 15

access-class 101 in

transport input telnet

!

scheduler allocate 20000 1000

end

1 Reply

Sam Smiley
Level 3

Hi Michael,

The answer is in the crypto map configuration...

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to209.101.19.226

set peer 209.101.19.226

set transform-set ESP-3DES-SHA1

match address 107

reverse-route

This will allow your remote clients to access either site.

Cheers,

Sam
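Putting the reply's reverse-route together with the other pieces the posted configuration needs, as an added example (this is not configuration from either post). Two facts from the config above drive it: the split-tunnel ACL 111 already includes 10.10.10.160/27, so a client does send NY-bound traffic into the Easy VPN tunnel; but the site-to-site crypto map SDM_CMAP_1 matches ACL 107, whose only entry permits 10.10.10.0/24 as the source, so a packet sourced from the Easy VPN pool (172.16.3.200-254) that leaves GigabitEthernet0/0 never matches the crypto ACL, is not encrypted, and simply follows the default route to 65.19.62.49 in the clear. The example summarises the pool as 172.16.3.192/26 (an assumption; a narrower range works as long as the peer uses the same one), and the peer-side lines are an assumption too, since the remote router's configuration is not on this page.

```cisco
! Added example, not configuration from the original thread.
! Assumes: Easy VPN pool SDM_POOL_1 (172.16.3.200-254) summarised as 172.16.3.192/26,
! and that the administrator of 209.101.19.226 mirrors the change on the peer.
!
! 1. Site-to-site crypto ACL. The existing entry only matches source 10.10.10.0/24,
!    so pool-sourced traffic leaving Gi0/0 is not encrypted today.
access-list 107 remark IPSec Rule - Easy VPN pool to NY
access-list 107 permit ip 172.16.3.192 0.0.0.63 10.10.10.160 0.0.0.31
!
! 2. Reverse Route Injection, as in the reply: installs a static route for
!    10.10.10.160/27 towards the peer while the map is attached to Gi0/0.
!    The default route already points that way, so this mainly matters if the
!    default route changes or static routes are redistributed later.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 reverse-route
!
! 3. On the remote peer (not shown on this page; assumption): the mirror-image
!    crypto ACL entry plus a route for the pool towards its own crypto-map interface.
!    access-list <peer-crypto-acl> permit ip 10.10.10.160 0.0.0.31 172.16.3.192 0.0.0.63
!
! 4. Checks, run on SFGallery after a connected client (e.g. 172.16.3.201) pings a NY host:
!    show ip route 172.16.3.201                 ! /32 via Virtual-AccessN, the DVTI host route
!    show crypto ipsec sa peer 209.101.19.226   ! expect local ident 172.16.3.192/26, remote 10.10.10.160/27
!    show ip route static                       ! 10.10.10.160/27 present once RRI is active
```

Because Virtual-Template3 carries no `ip nat inside`, client traffic is not translated by SDM_RMAP_4 / ACL 109 on its way out; if that interface is ever marked nat inside, ACL 109 would also need a deny for 172.16.3.192/26 to 10.10.10.160/27 placed before its permit, otherwise the source would be rewritten to 65.19.62.60 and again miss ACL 107. ACL 105 on GigabitEthernet0/0 ends with `permit ip any any`, so nothing there needs to change for the new proxy identity. The first client packet to NY triggers a fresh IPsec SA negotiation for the 172.16.3.192/26 to 10.10.10.160/27 pair, which only completes once the peer's crypto ACL mirrors it.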
