Site to Site VPN configured; need remote VPN on same interface

Myghty1
Level 1

~Diagram attached~

Is this possible?  I am just learning this portion of networking and it is a little bit confusing.  

Right now, I have a successful site-to-site VPN from the ASA 5505 LAN (192.x.x.x) to the R1 LAN (10.x.x.x) on my 2901 router. Endpoints of the tunnel are 174.x.x.x (outside of ASA) and 219.x.x.x (outside of R1). Server1 can ping Server2 and vice versa. The 1841 router emulates the internet.

I am now trying to add remote VPN access to the 219.x.x.x on R1 the 2901. From reading, I understand that I can have more than one crypto isakmp policy on a crypto map but only one crypto map assigned to an interface. I have configured and nested a dynamic-map into the static map and gave it a higher priority (999) compared to the static (10).

I am attempting a debug on the 2901 when I attempt to connect to the 219.x.x.x address using Cisco VPN Client 5.0.07.0440. Deciphering a debug is new to me as well but I'm trying. From my understanding, the debug results are telling me that my profile can't be found and encryption algorithm does not match policy and probably more...

1) Is what I want to do possible and if so, a normal practice or ill-advised? Is there an alternate/best practice suggestion to accomplish my objective?

2) Do I need to make changes in options of the VPN Client?

3) Anywhere procedures for this can be found?

4) quick summary of how to proceed

Thank you in advance

3 Replies

Richard Burts
Hall of Fame

The easy part of the question to answer is that yes, what you are trying to do should be possible. It should work to have both site to site VPN and Remote Access VPN terminate on the interface of the router. The not so easy part to answer is why it is not working.

I believe that you are on the right path. It is true that one of the essential parts is that remote access VPN on the router needs to use a dynamic map and that the sequence number of the dynamic entry needs to be higher than the sequence number of the static entries. If the debug output seems to say that there is a mismatch then it is quite likely that there is a mismatch. But we do not have enough information to provide much insight. Perhaps you can post the router config (disguising any sensitive parts such as public IP address and passwords). Also some of the debug messages might be helpful.

HTH

Rick
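As an added illustration (not the poster's configuration, which is not shown in the thread), the IOS fragment below lays out the arrangement Richard describes: one crypto map on the outside interface carrying a static entry for the ASA peer at sequence 10 and a nested dynamic map at sequence 999, plus the ISAKMP client group and ISAKMP profile that the dynamic map depends on for Cisco VPN Client (Easy VPN) users. Every name, address, pool range and key in it is an assumed placeholder chosen for the example; 203.0.113.1 stands in for the ASA's 174.x.x.x outside address and the ACL ranges stand in for the 10.x.x.x and 192.x.x.x LANs.

```cisco
! Added example, not the poster's running config. All names, keys and
! addresses are placeholders.
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-AUTHOR local
username vpnuser secret PLACEHOLDER-PASSWORD
!
! Phase 1: policy 10 mirrors whatever the ASA side is set to;
! policy 20 matches what VPN Client 5.x proposes (pre-shared key with
! Xauth, DH group 2). IOS tries policies in priority order.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Site-to-site PSK, keyed to the ASA's outside address (placeholder)
crypto isakmp key PLACEHOLDER-S2S-PSK address 203.0.113.1
!
! Group the remote clients connect with. The name must equal the
! "Group Authentication" name entered in the VPN Client.
crypto isakmp client configuration group RA-GROUP
 key PLACEHOLDER-GROUP-PSK
 pool RA-POOL
 acl RA-SPLIT
!
! ISAKMP profile that binds the client group to the dynamic map.
crypto isakmp profile RA-PROFILE
 match identity group RA-GROUP
 client authentication list RA-XAUTH
 isakmp authorization list RA-AUTHOR
 client configuration address respond
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Dynamic map: no "set peer" and no "match address", because the
! clients' addresses are not known in advance.
crypto dynamic-map DYN-RA 10
 set transform-set TS-AES
 set isakmp-profile RA-PROFILE
 reverse-route
!
! Static entry first (seq 10) so the ASA tunnel is evaluated before
! the catch-all dynamic entry (seq 999). Only this one map goes on
! the interface.
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address S2S-ACL
crypto map CM 999 ipsec-isakmp dynamic DYN-RA
!
ip local pool RA-POOL 10.250.0.1 10.250.0.50
! Interesting traffic for the site-to-site tunnel (placeholder LANs)
ip access-list extended S2S-ACL
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
! Split-tunnel list pushed to the client: only the R1 LAN via the tunnel
ip access-list extended RA-SPLIT
 permit ip 10.0.0.0 0.255.255.255 any
!
interface GigabitEthernet0/0
 crypto map CM
```

After applying something like this, `show crypto map` should list both the static entry and the dynamic template under one map, and `show crypto isakmp sa` and `show crypto session` show which peer landed on which entry. The two debug symptoms in the question each point at a specific part of this fragment: a message that no profile was found usually means the group name the client sends does not match any `match identity group`, and a policy mismatch usually means no `crypto isakmp policy` combines `authentication pre-share` with `group 2`, which is what the 5.x client proposes.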

Thank you much for your reply, Richard.

I have scrubbed and attached the config...possibly too much scrubbing.

Thank you for posting the config and the debug output. The debug output shows fairly clearly that something is not matching between your router config and what is expected by the VPN client. This link discusses an IOS router running both site to site VPN and Remote Access VPN. I hope you find something in it that is helpful.

https://supportforums.cisco.com/t5/vpn/remote-access-vpn-for-cisco1841/td-p/1450254

HTH

Rick