05-27-2013 06:17 AM - edited 02-21-2020 06:55 PM
Hi
I have a c 870 Router and I would like to configure 2 different site-to-site VPNs and a remote access VPN (VPN clients) on it. Is it possible to put the 3 VPNs on the same router? If yes, can you give me the steps or an example configuration?
Regards
05-27-2013 06:59 AM
Surely it's possible. You can do it using regular crypto-maps or in a "new" way using VTIs, which is preferable.
Look through this guide:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/config_library/12-4t/secon-12-4t-library.html
05-27-2013 04:55 PM
Hi,
It really depends on your needs and the type of device the router is connecting to. If you are connecting to an ASA, then VTI is not going to work.
If you are connecting to a third-party device or Cisco ASA, then I would go with the crypto map.
Check this out:
Configuring IPsec Between Two Routers and a Cisco VPN Client 4.x
HTH,
Portu.
05-29-2013 07:01 AM
Hi
Thanks for your help. I have another question: is it possible to authorize traffic coming from the remote access VPN (VPN pool) to pass through the IPsec tunnel and communicate with the remote site?
Regards
Ahmed Zniti
05-29-2013 07:04 AM
Hi Ahmed,
May I know what you mean by "authorize"?
Thanks
05-29-2013 07:09 AM
Means that the vpn pool traffic configured by remote access can pass through vpn site to site tunnel and communicate with LAN Remote Site
Regards
05-29-2013 07:14 AM
I do understand your question correctly, all you need is to include the remote LAN network to the VPN client's SPLIT ACL (in case that you use split-tunneling) and also add the VPN pool to the LAN-to-LAN encryption domain.
Remember to update the NAT rules and encryption domain on the remote end of the tunnel as well.
Let me know,
Portu.
05-29-2013 07:39 AM
Hi
Thanks, yes, this is my question. Can you send me an example configuration for this scenario?
Regards
Ahmed Zniti
05-29-2013 07:47 AM
Just following the document that I sent you earlier.
When you define the crypto ACL for the LAN-to-LAN add the VPN pool network as well.
And when you add the ACL under the client configuration group, make sure you include the remote network(s).
Are you planning to deploy this on Cisco Routers or ASAs?
Thanks,
Please rate any helpful posts
05-29-2013 07:52 AM
I will deploy this configuration on Cisco Routers
Thanks a lot Javier
Best Regards
05-29-2013 08:13 AM
So, on Routers will be:
Cisco 2611:
LAN: 10.10.10.0 /24
! LAN-to-LAN crypto ACL
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
! VPNPOOL
access-list 100 permit ip 14.1.1.0 0.0.0.255 10.10.20.0 0.0.0.255
!
crypto map clientmap 10 ipsec-isakmp
 set peer 172.18.124.199
 match address 100
!
ip local pool ippool 14.1.1.1 14.1.1.254
!
! ACL applied to the client configuration group
access-list 120 permit ip 10.10.10.0 0.0.0.255 14.1.1.0 0.0.0.255
! REMOTE NETWORK
access-list 120 permit ip 10.10.20.0 0.0.0.255 14.1.1.0 0.0.0.255
!
crypto isakmp client configuration group ra-client
 pool ippool
 acl 120
!
Please notice that the configuration is incomplete; I only added the relevant changes you must make to allow the RA clients across the LAN-to-LAN tunnel. Of course, the LAN-to-LAN settings must match on the other side of the tunnel, i.e. ACL mirror, NAT and so on.
HTH,
Portu.
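
Added example, not part of the original thread or of Cisco's documentation: a small Python check for the "ACL mirror" requirement mentioned above. It parses the crypto ACL 100 lines from the post and reports which mirrored entries are missing on the far end. The remote router's ACL shown here is constructed for illustration (a peer that was never updated for the VPN pool), and its ACL number 100 is an assumption.

```python
import ipaddress
import re

# Matches extended ACL entries of the form used in the post:
#   access-list <n> permit ip <src> <wildcard> <dst> <wildcard>
ACE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$")

def net(addr, wildcard):
    """Convert an IOS address/wildcard pair into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def crypto_acl(config, number):
    """Return the set of (source, destination) networks in one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and int(m.group(1)) == number:
            pairs.add((net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
    return pairs

def missing_mirrors(local, remote):
    """Local entries whose swapped (dst, src) form is absent on the remote side."""
    return sorted((s, d) for s, d in local if (d, s) not in remote)

def format_ace(number, src, dst):
    """Render one entry back into IOS access-list syntax."""
    return (f"access-list {number} permit ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")

# Crypto ACL 100 from the post (LAN plus VPN pool towards the remote LAN).
LOCAL = """\
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 100 permit ip 14.1.1.0 0.0.0.255 10.10.20.0 0.0.0.255
"""
# Constructed sample: remote peer still has only the original LAN-to-LAN entry.
REMOTE = "access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255\n"

def remote_fixes():
    """Lines the remote router needs so its crypto ACL mirrors the local one."""
    local = crypto_acl(LOCAL, 100)
    remote = crypto_acl(REMOTE, 100)
    return [format_ace(100, d, s) for s, d in missing_mirrors(local, remote)]

if __name__ == "__main__":
    for line in remote_fixes():
        print("missing on remote:", line)
```

When the list is empty, every local crypto ACL entry has its mirror on the peer; NAT rules still have to be checked separately.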