01-28-2020 10:15 AM
I currently have a VPN from site A to site B. Site A has local internet access, but the internet modem was placed in bridge mode, so now all browsing should go out through site B.
That is not what happens: there is no browsing from site A, although the private networks at both ends are reachable. Does anyone know what configuration is going wrong on my router? Config attached.
crypto ipsec security-association lifetime seconds 86400
!
!
!
!
crypto ipsec client ezvpn crws-client
 connect auto
 group VPNBackup key ******
 mode network-extension
 peer 187.141.226.35
 username **** password ******
 xauth userid mode local
!
interface FastEthernet4
 description LINK to WAN
 no ip address
 ip flow ingress
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 172.16.223.1 255.255.255.0
 ip access-group 101 out
 ip helper-address 172.16.21.44
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn crws-client inside
!
interface Dialer0
 ip address negotiated
 ip access-group 102 in
 ip mtu 1452
 ip flow ingress
 ip virtual-reassembly in
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ventaschihuahua
 ppp chap password 0 ******
 ppp pap sent-username ******** password *********
 no cdp enable
 crypto ipsec client ezvpn crws-client
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 103 permit ip 172.16.223.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
snmp-server community alen RO
!
control-plane
!
!
01-28-2020 11:22 AM
Hello,
add the lines marked in bold to your configuration:
crypto ipsec client ezvpn crws-client
 connect auto
 group VPNBackup key ******
 mode network-extension
 peer 187.141.226.35
 acl VPN_TRAFFIC
 username **** password ******
 xauth userid mode local
!
ip access-list extended VPN_TRAFFIC
 permit ip 172.16.223.0 0.0.0.255 any
01-28-2020 12:18 PM
I added the ACL as you requested, but it remains the same, without internet access.
crypto ipsec client ezvpn crws-client
 connect auto
 group VPNBackup key *******
 mode network-extension
 peer 187.141.226.35
 acl VPN_TRAFFIC
 username ******* password ********
 xauth userid mode local
VPN_ofchi# sh access-lists
Extended IP access list 101
10 permit ip any any (105559 matches)
Extended IP access list 102
10 permit ip any any (133441 matches)
Extended IP access list 103
10 permit ip 172.16.223.0 0.0.0.255 any
Extended IP access list VPN_TRAFFIC
10 permit ip 172.16.223.0 0.0.0.255 any
VPN_ofchi#
01-28-2020 01:08 PM
Hello,
is the ASA allowing traffic from 172.16.223.0/24 to be natted towards the Internet ?
Post the configuration of the ASA as well...
01-28-2020 01:20 PM
Yes
MTYVPNASA# sh run | i 172.16.223.0
network-object 172.16.223.0 255.255.255.0
network-object 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_30 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip 172.16.44.0 255.255.252.0 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHIHUAHUA extended permit ip any 172.16.223.0 255.255.255.0
route Outside 172.16.223.0 255.255.255.0 187.141.226.33 1
route Outside 172.16.223.0 255.255.255.0 187.141.226.35 1
Router
VPN_ofchi#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr 189.237.131.214
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.223.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 187.141.226.35 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1702, #pkts encrypt: 1702, #pkts digest: 1702
#pkts decaps: 1143, #pkts decrypt: 1143, #pkts verify: 1143
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 189.237.131.214, remote crypto endpt.: 187.141.226.35
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0xF5EF2FA6(4126093222)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE33CFA5C(3812424284)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4390726/28564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
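The two outputs above (the spoke's "show crypto ipsec sa" and the ASA lines grepped for 172.16.223.0) are what the responder is reading to decide whether the hub can actually forward and translate the spoke's Internet traffic. The script below is an added example, not code from the thread or from Cisco; it parses constructed copies of those outputs and reports the three things a practitioner would check: whether the negotiated remote proxy identity is 0.0.0.0/0 (every packet from the spoke LAN, Internet-bound included, goes into the tunnel), whether encapsulated packets greatly outnumber decapsulated ones (consistent with replies never coming back), and whether the ASA grep shows any "nat (...)" rule for the spoke subnet. The NAT check assumes the pre-8.3 "nat (interface) id network mask" ASA syntax, which matches the nat0 access-list style seen in the grep; the sample "nat (Outside) 1 ..." line used for the positive case is constructed and hypothetical.

```python
import re

# Constructed sample: the spoke router's "show crypto ipsec sa" output, abridged
SHOW_IPSEC_SA = """\
interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr 189.237.131.214
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.223.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 187.141.226.35 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1702, #pkts encrypt: 1702, #pkts digest: 1702
    #pkts decaps: 1143, #pkts decrypt: 1143, #pkts verify: 1143
    #send errors 0, #recv errors 0
"""

# Constructed sample: the ASA lines the poster grepped for the spoke subnet
ASA_GREP = """\
network-object 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_30 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip any 172.16.223.0 255.255.255.0
route Outside 172.16.223.0 255.255.255.0 187.141.226.35 1
"""

# Hypothetical positive case: the same grep if a pre-8.3 dynamic NAT rule existed (assumption)
ASA_GREP_WITH_NAT = ASA_GREP + "nat (Outside) 1 172.16.223.0 255.255.255.0\n"

SPOKE_SUBNET = "172.16.223.0 255.255.255.0"


def parse_ipsec_sa(text):
    """Extract proxy identities and packet counters from one 'show crypto ipsec sa' block."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return cast(m.group(1))

    return {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote_ident": grab(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
    }


def tunnels_all_traffic(sa):
    """A remote ident of 0.0.0.0/0.0.0.0 means the hub pushed 'send everything through the tunnel'."""
    return sa["remote_ident"].startswith("0.0.0.0/0.0.0.0/")


def hub_has_nat_for(asa_text, subnet):
    """Look for a 'nat (ifc) id <subnet>' rule; nat0 exemption ACLs do not count as translation."""
    for line in asa_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nat (") and subnet in stripped:
            return True
    return False


def diagnose(sa_text, asa_text, subnet=SPOKE_SUBNET):
    """Return a list of findings explaining why Internet traffic from the spoke may be black-holed."""
    sa = parse_ipsec_sa(sa_text)
    findings = []
    if tunnels_all_traffic(sa):
        findings.append("remote ident is 0.0.0.0/0: all spoke traffic, Internet included, enters the tunnel")
    if sa["encaps"] > sa["decaps"]:
        findings.append(f"{sa['encaps']} pkts encapsulated vs {sa['decaps']} decapsulated: "
                        "replies for part of the traffic are not returning")
    if not hub_has_nat_for(asa_text, subnet):
        findings.append(f"no 'nat (...)' rule for {subnet} on the ASA: tunnelled Internet-bound "
                        "traffic has no public address to be translated to")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_IPSEC_SA, ASA_GREP):
        print("-", finding)
```

Run as-is it prints three findings for the thread's outputs; against ASA_GREP_WITH_NAT the NAT finding disappears, leaving the two that come from the spoke's SA counters alone. The counter check is a hint, not proof: asymmetric encaps/decaps can also come from one-way protocols, so it is read together with the NAT check rather than on its own.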
01-28-2020 02:28 PM
Hello,
you posted only access lists, post the entire running configuration so I can see the NAT statements...