04-17-2017 12:16 AM - edited 03-08-2019 10:13 AM
Dears,
I would like to discuss something regarding site-to-site VPN.
'N' number of showrooms are connected to the main office through site-to-site VPN.
On the showroom side a Cisco 887VA router is configured.
At the main office there is a Cisco 2900 series router and an ASA 5520 firewall (all showroom VPNs are configured on the ASA).
ASA configuration:-
conf t
access-list VPN-ACL-3 extended permit ip 192.168.0.0 255.255.0.0 (172.16.XX.0 255.255.255.0)
crypto map FJ_CM 3 match address VPN-ACL-3
crypto map FJ_CM 3 set peer (public ip address of showroom)
crypto map FJ_CM 3 set ikev1 transform-set FJ_TRSMF_SET
tunnel-group (public ip address of showroom) type ipsec-l2l
tunnel-group (public ip address of showroom) ipsec-attributes
 ikev1 pre-shared-key F@yendra2012
*****************************************************************************
From the showroom side I can't ping another showroom.
Kindly give me a suggestion or the configuration I have to apply.
Thanks for your cooperation.
04-17-2017 12:44 AM
Hi!
Can you please show us the full configuration from both sides?
04-17-2017 08:24 AM
What would the configuration be from one showroom to another showroom,
so that they can see each other and also ping each other's devices?
04-17-2017 11:33 AM
There are several options that you can consider, each of which could provide the showroom to showroom communication that you want. Bear in mind that what you have now is a point-to-point hub and spoke VPN where multiple spokes communicate with the hub. This is very good when spokes need to communicate with the hub but does have scaling issues when spokes need to communicate with other spokes.
1) Implement DMVPN. This will be the most scalable of the solutions but also represents a large change in your existing network. DMVPN uses multipoint tunnels and easily handles spoke to spoke communication.
2) Keep your existing site to site (point-to-point) VPN. For each of the spoke VPNs you would add to the access list identifying traffic for encryption (the one used in the crypto map) the IP addresses of each of the other spokes. This will make the access list more complex but it is the way to have the showroom to showroom traffic be sent through the VPN. Note that as you change the access list at the spoke, you need to make corresponding changes to the access list at the main office for that showroom.
3) Set up a full mesh of site to site VPN so that each showroom is a peer not only with main site but is also a peer with each of the other showrooms.
I am guessing that you may choose 2) since it is the closest to what you currently do and it keeps the hub and spoke architecture. But you could choose any of the options and if correctly implemented any of the options could produce the results that you want.
HTH
Rick
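Rick's option 2 and its mirror-image caveat, as an added example that is not part of the thread: a small Python helper that generates the extended crypto ACL for one spoke (IOS wildcard syntax) and the matching ASA ACL for the same crypto map entry, then checks that the two are exact mirror images. The showroom names and subnets are constructed, since the thread redacts the XX octets.

```python
import ipaddress

# Constructed topology (the thread redacts the XX octets, so these subnets are assumptions).
HUB_NET = ipaddress.ip_network("192.168.0.0/16")
SPOKES = {
    "showroom1": ipaddress.ip_network("172.16.1.0/24"),
    "showroom2": ipaddress.ip_network("172.16.2.0/24"),
    "showroom3": ipaddress.ip_network("172.16.3.0/24"),
}

def wildcard(net):
    """IOS ACL syntax: network followed by its wildcard (inverse) mask."""
    return f"{net.network_address} {net.hostmask}"

def netmask(net):
    """ASA ACL syntax: network followed by its ordinary subnet mask."""
    return f"{net.network_address} {net.netmask}"

def spoke_crypto_acl(name):
    """Option 2 on the spoke router: local LAN to the hub LAN plus to every other spoke LAN."""
    local = SPOKES[name]
    lines = ["ip access-list extended VPN-ACL", f" permit ip {wildcard(local)} {wildcard(HUB_NET)}"]
    lines += [f" permit ip {wildcard(local)} {wildcard(net)}" for other, net in sorted(SPOKES.items()) if other != name]
    return lines

def hub_crypto_acl(name, seq):
    """Option 2 on the ASA: the mirror image of that spoke's ACL, for crypto map entry 'seq'."""
    remote, acl = SPOKES[name], f"VPN-ACL-{seq}"
    lines = [f"access-list {acl} extended permit ip {netmask(HUB_NET)} {netmask(remote)}"]
    lines += [f"access-list {acl} extended permit ip {netmask(net)} {netmask(remote)}" for other, net in sorted(SPOKES.items()) if other != name]
    return lines

def acl_flows(lines):
    """Parse 'permit ip SRC MASK DST MASK' into (src, dst) networks; ipaddress accepts wildcard and subnet masks alike."""
    flows = set()
    for line in lines:
        tok = line.split()
        if "permit" in tok:
            i = tok.index("permit") + 2  # skip 'permit ip'
            flows.add((ipaddress.ip_network(f"{tok[i]}/{tok[i+1]}"), ipaddress.ip_network(f"{tok[i+2]}/{tok[i+3]}")))
    return flows

def acls_are_mirrored(spoke_lines, hub_lines):
    """Rick's caveat as a check: every spoke flow must appear reversed on the hub, and nothing else."""
    return acl_flows(spoke_lines) == {(dst, src) for src, dst in acl_flows(hub_lines)}

if __name__ == "__main__":
    spoke, hub = spoke_crypto_acl("showroom1"), hub_crypto_acl("showroom1", 3)
    print("\n".join(spoke + hub))
    print("mirrored:", acls_are_mirrored(spoke, hub), "| thread's one-line ASA ACL mirrored:", acls_are_mirrored(spoke, hub[:1]))
```

The thread's original single-line ASA ACL fails the check because it covers only hub-to-spoke traffic. Spoke-to-spoke traffic also enters and leaves the ASA on the same outside interface, which additionally requires `same-security-traffic permit intra-interface` on the ASA.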
04-17-2017 08:07 AM
Configuration for each showroom router:-
conf t
service password-encryption
hostname (Al-R)
enable secret XXXX
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XYZ address XXXX(Public ip address)
crypto isakmp key XYZ address XXXX(Public ip address)
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set FJ-TRSFRM-SET esp-3des esp-md5-hmac
crypto map FJ-CM 10 ipsec-isakmp
 set peer XXXX(Public ip address) default
 set peer XXXX(Public ip address)
 set transform-set FJ-TRSFRM-SET
 match address VPN-ACL
interface ATM0
 no shut
 pvc 0/35
  pppoe-client dial-pool-number 1
interface vlan1
 ip address (172.16.XX.1 255.255.255.0)
 ip nat inside
 ip virtual-reassembly
interface Dialer1
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1350
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname (XXXX.com.sa)
 ppp chap password (1234)
 ppp pap sent-username (XXXX.com.sa) password (1234)
 crypto map FJ-CM
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source route-map LAN-To-Internet interface Dialer1 overload
ip access-list extended LAN-To-INT-ACL
 deny ip 172.16.XX.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.XX.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip (172.16.XX.0 0.0.0.255) 192.168.0.0 0.0.255.255
route-map LAN-To-Internet permit 10
 match ip address LAN-To-INT-ACL
line con 0
 password #####
 login
line vty 0 4
 password #####
 login
end
wr mem
*********************************************************************
HQ MAIN OFFICE SIDE FOR EACH BRANCH
ASA configuration:-
access-list VPN-ACL-3 extended permit ip 192.168.0.0 255.255.0.0 (172.16.XX.0 255.255.255.0)
crypto map FJ_CM 3 match address VPN-ACL-3
crypto map FJ_CM 3 set peer (public ip address of showroom)
crypto map FJ_CM 3 set ikev1 transform-set FJ_TRSMF_SET
tunnel-group (public ip address of showroom) type ipsec-l2l
tunnel-group (public ip address of showroom) ipsec-attributes
 ikev1 pre-shared-key XYZ
Note:- I want showroom-to-showroom communication.
04-17-2017 09:02 PM
Hi
Which public IP address do you use on the showroom side? Is it a dynamic IP address which changes every time?