09-25-2017 01:46 PM - edited 03-12-2019 04:34 AM
~Diagram attached~
Is this possible? I am just learning this portion of networking and it is a little bit confusing.
Right now, I have a successful site-to-site VPN from the ASA 5505 LAN (192.x.x.x) to the R1 LAN (10.x.x.x) on my 2901 router. Endpoints of the tunnel are 174.x.x.x (outside of ASA) and 219.x.x.x. (outside of R1). Server1 can ping Server2 and vice versa. The 1841 router emulates the internet.
I am now trying to add remote VPN access to the 219.x.x.x on R1 (the 2901). From reading, I understand that I can have more than one crypto isakmp policy on a crypto map but only one crypto map assigned to an interface. I have configured and nested a dynamic-map into the static map and gave it a higher priority (999) compared to the static (10).
I am attempting a debug on the 2901 when I attempt to connect to the 219.x.x.x address using Cisco VPN Client 5.0.07.0440. Deciphering a debug is new to me as well but I'm trying. From my understanding, the debug results are telling me that my profile can't be found and encryption algorithm does not match policy and probably more...
1) Is what I want to do possible and, if so, a normal practice or ill-advised? Is there an alternate/best practice suggestion to accomplish my objective?
2) Do I need to make changes in options of the VPN Client?
3) Anywhere procedures for this can be found?
4) A quick summary of how to proceed?
Thank you in advance
09-27-2017 12:25 PM
The easy part of the question to answer is that yes, what you are trying to do should be possible. It should work to have both site-to-site VPN and Remote Access VPN terminate on the interface of the router. The not so easy part to answer is why it is not working.
I believe that you are on the right path. It is true that one of the essential parts is that remote access VPN on the router needs to use a dynamic map and that the sequence number of the dynamic entry needs to be higher than the sequence number of the static entries. If the debug output seems to say that there is a mismatch, then it is quite likely that there is a mismatch. But we do not have enough information to provide much insight. Perhaps you can post the router config (disguising any sensitive parts such as public IP addresses and passwords). Also some of the debug messages might be helpful.
HTH
Rick
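The layout Rick describes (one crypto map on the outside interface, static site-to-site entry at a low sequence number, dynamic entry for the VPN Client at a higher one) looks roughly like the following on IOS. This is an added illustration, not the poster's config or anything from the thread; the peer address, pool, key placeholders and list names are assumptions, and the 198.51.100.1 documentation address stands in for the 174.x.x.x ASA endpoint.

```cisco
! Added example, not the poster's config. Placeholder values are marked.
! AAA lists the remote-access (Easy VPN) side uses for XAUTH and group lookup
aaa new-model
aaa authentication login RA_XAUTH local
aaa authorization network RA_GROUP local
username vpnuser secret PLACEHOLDER_USER_SECRET
!
! Phase 1: policy 10 for the site-to-site peer, policy 20 for what the
! Cisco VPN Client 5.x proposes (pre-share + XAUTH, DH group 2)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for the static peer (placeholder address/key)
crypto isakmp key PLACEHOLDER_S2S_KEY address 198.51.100.1
!
! Group the VPN Client profile must name; its key is the client's group password
crypto isakmp client configuration group RA_GROUP_NAME
 key PLACEHOLDER_GROUP_KEY
 pool RA_POOL
ip local pool RA_POOL 10.0.50.1 10.0.50.50
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS_RA esp-3des esp-sha-hmac
!
! Dynamic map: no peer and no ACL, the client supplies both at negotiation
crypto dynamic-map RA_DYN 10
 set transform-set TS_RA
 reverse-route
!
! Traffic for the static tunnel (placeholder LANs)
ip access-list extended S2S_TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! One crypto map: static entry 10 is evaluated before dynamic entry 999
crypto map VPNMAP client authentication list RA_XAUTH
crypto map VPNMAP isakmp authorization list RA_GROUP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address S2S_TRAFFIC
crypto map VPNMAP 999 ipsec-isakmp dynamic RA_DYN
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

`show crypto map` confirms the static entry sorts before the dynamic one, and `show crypto isakmp sa` plus `debug crypto isakmp` show which policy each peer actually negotiated, which is where a "no proposal chosen"/policy mismatch for the client becomes visible.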
09-28-2017 01:42 PM
10-02-2017 01:36 PM
Thank you for posting the config and the debug output. The debug output shows fairly clearly that something is not matching between your router config and what is expected by the VPN client. This link discusses an IOS router running both site-to-site VPN and Remote Access VPN. I hope you find something in it that is helpful.
https://supportforums.cisco.com/t5/vpn/remote-access-vpn-for-cisco1841/td-p/1450254
HTH
Rick