Sunday, June 30, 2013

Need VPN HELP!!! UP-IDLE only.


Question:

I am trying to connect my office 2801 router, which has a static IP, to my home 2851 router, which has a dynamic IP address, via a VPN.

Currently I seem to have a VPN connection but no data crosses it.  When I issue the command SHOW CRYPTO SESSION, here is what I get:

OFFICE 2801
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 70.193.201.242 port 10327
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.211.19/10327 Active

HOME 2851
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
  IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active

Any idea why I am not able to get the IPSec part to work?

CONFIG FILES:
2801 OFFICE
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key VPNpassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-1 esp-3des esp-md5-hmac
!
crypto dynamic-map NCL-vpn 10
set security-association lifetime seconds 86400
set transform-set TS-1
match address VPN1-FLA-TRAFFIC
!  
crypto map VPN-FLA-MAP 10 ipsec-isakmp dynamic NCL-vpn
!
interface FastEthernet0/0
ip address 40.197.68.9 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-FLA-MAP
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip forward-protocol nd
!   
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 40.197.68.10
ip route 192.168.2.0 255.255.255.0 192.168.10.5
!
ip access-list extended VPN1-FLA-TRAFFIC
permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3

2851 HOME
! ---------- This is used for local SSH only ----------
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2516279958
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2516279958
revocation-check none
rsakeypair TP-self-signed-2516279958
!
!
crypto pki certificate chain TP-self-signed-2516279958
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
! ------------------ END LOCAL USE PKI --------------------------
! ------------------ For VPN use ------------------------
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key VPNpassword address 40.197.68.9
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 40.197.68.9
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
description Router - C3524 Port Fa0/23 192.168.70.1
ip address 192.168.70.2 255.255.255.252
duplex auto
speed auto
crypto map vpn-to-hq
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248

Answer:

2801 OFFICE
permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3

2851 HOME
permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248

You should replace the highlighted IP addresses with your LAN subnet IPs, as an IPsec tunnel is for LAN-to-LAN communication.
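To make the answer concrete, here is an added example (not from the original thread) of the two crypto ACLs rewritten for LAN-to-LAN traffic. The office LAN 192.168.10.0/24 comes from the 2801 config above; the home LAN is not shown in the post, so 192.168.50.0/24 is an assumed placeholder. The original entries also use 0.0.0.248 as the wildcard for a /29, which is not a valid wildcard mask (a /29 is 0.0.0.7), but once the entries match LAN subnets that question goes away.

```cisco
! Added example, not from the original post. 192.168.10.0/24 is the office
! LAN from the 2801 config; 192.168.50.0/24 is an ASSUMED placeholder for
! the home LAN, which the post does not show. Replace it with the real subnet.
!
! 2801 OFFICE: replace the WAN-subnet entry with the LAN-to-LAN entry
ip access-list extended VPN1-FLA-TRAFFIC
 no permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3
 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! 2851 HOME: exact mirror image of the office entry
ip access-list extended VPN-TRAFFIC
 no permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! Verify on either side that the IPSEC FLOW now shows the LAN subnets and
! that the session reaches UP-ACTIVE once a host on one LAN pings the other:
! show crypto session detail
! show crypto ipsec sa
```

The two entries have to be exact mirror images of each other, otherwise phase 2 fails with a proxy-identity mismatch. On the office router, NAT (`ip nat inside source list 1 ...`) is applied to inside-to-outside traffic before the crypto map examines it, so access-list 1 (not shown in the post) must not match the 192.168.10.0/24 to 192.168.50.0/24 traffic, or that traffic is translated instead of encrypted.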

Thursday, June 27, 2013

simple question


Question:

Kindly, I need to ask: what does "subnet zero" mean in this phrase: "The ip subnet zero command is not configured on a router"?

Answer:

A clear explanation with an example.
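Since the answer above gives no detail, here is an added example (not from the original thread) of what the phrase refers to. "Subnet zero" is the first subnet carved out of a classful network, the one whose subnet bits are all zero. Early IOS refused to assign an address inside it unless `ip subnet-zero` was configured; since IOS 12.0 the command is enabled by default. The addressing below is assumed.

```cisco
! Added example, not from the original post. Assumed addressing:
! 172.16.0.0/16 subnetted into /24s, so 172.16.0.0/24 is "subnet zero".
!
! If the router has it disabled, the running config shows the negated form
! (the default, enabled, form is not displayed at all):
! show running-config | include subnet-zero
!   no ip subnet-zero
!
! Enable it so that the zero subnet can be assigned to an interface:
ip subnet-zero
!
interface GigabitEthernet0/1
 description first /24 of 172.16.0.0/16 (subnet zero)
 ip address 172.16.0.1 255.255.255.0
```

With `no ip subnet-zero` in place the `ip address 172.16.0.1 255.255.255.0` line is rejected by the parser, which is the situation the quoted phrase describes.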

Wednesday, June 26, 2013

Change the VLAN-to-MSTI mapping effect


Question:

We are about to migrate a large network from Rapid Spanning-Tree to MST. There is one question which, at the moment, is not clear. Assume that we have an MST region with 500 switches (all in the same region). We now wish to add one new VLAN. What is the procedure and effect of this change?
My question relates to the process of the change. From my understanding, the moment I add one VLAN to one switch, that switch will no longer be in the same region as the original region because the VLAN-to-MSTI mapping has changed. What effect will this have? Where does one start to make this change? In the root bridge of the region, where the moment the change is committed, the old region won't see the former switches in its region?
If you start the change at the bottom, then as you make the change in more and more switches, they too will drop out of the original region. If all this is true, then it seems that until all 500 switches have the changed MST configuration, there won't be a stable spanning-tree topology. This could create a maintenance issue where every such change may take a long time, and while the change is being applied to all 500 switches the spanning-tree, and hence the network, will not be stable or production-enabled.


Answer:

Check out these threads:

https://supportforums.cisco.com/message/3501257#3501257
https://supportforums.cisco.com/thread/2107908#3458041

In short, creating or deleting a VLAN will not cause a topology change or an MST region separation, because VLANs are pre-mapped into MST instances before they even exist. Changing this VLAN-to-instance mapping would indeed cause the MST region to become split until all switches were identically configured, but creating or deleting the VLAN alone has no impact on the MST region.
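As an added illustration (not from the original thread) of why adding a VLAN is safe, here is an MST region block in IOS syntax; the region name, revision and VLAN ranges are assumed. Because every VLAN number from 1 to 4094 is already assigned to an instance in this table, the region's configuration digest does not change when a VLAN is later created or deleted. It changes only if this mapping itself is edited, which is the case the answer says would split the region until every switch carries the same table.

```cisco
! Added example, not from the original post. Region name, revision and
! VLAN ranges are ASSUMED. Every VLAN 1-4094 is mapped in advance; VLANs
! not listed here would fall into instance 0 (the CIST) anyway.
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 1-2047
 instance 2 vlan 2048-4094
!
! Creating a VLAN afterwards touches neither the table nor the digest:
vlan 250
 name NEW-SEGMENT
!
! Check that all 500 switches still report the same name, revision and
! digest; any switch with a different digest has left the region.
! show spanning-tree mst configuration
! show spanning-tree mst configuration digest
```

A rollout that does need to change the mapping should be staged with the new table in the pending config and committed switch by switch; the `digest` output is the quickest way to confirm which switches have converged on the new region definition.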

Tuesday, June 25, 2013

Connect three routers to two networks?


Question:

The image of my current setup is below. I am trying to connect the Central router to the ISP router through a switch, and the same with the South router. However, I want the Central and South routers to not be on the same network. Central will be 222.222.222.0/30 and South will be 222.222.222.4/30. Packets between Central and South will be routed through the ISP router, including a VPN connection between the two. The problem I am having is that I can't get the crypto map setting to work on subinterfaces, so how can I keep this setup without needing to connect the two routers to the ISP router directly?

The ISP and that switch are meant to represent an Internet connection. This is why I can't have them on the same network. I am still pretty new to this, so forgive my ignorance if I haven't posted all the required information.

Answer:

Add 2 VLANs to the 2960: 1 VLAN for South and 1 VLAN for Central. Create a trunk between the 2960 and the 2811 ISP router.

Then configure the sub-interfaces on the 2811 that represent each VLAN to be in 222.222.222.0/30 and 222.222.222.4/30 respectively.

So let's say your fa0/1 on your ISP router is connected to the 2960:

interface fa0/1.100
 description central
 encapsulation dot1q 100
 ip address 222.222.222.1 255.255.255.252

interface fa0/1.200
 description south
 encapsulation dot1q 200
 ! first usable host of 222.222.222.4/30 (.4 itself is the network address)
 ip address 222.222.222.5 255.255.255.252

(syntax off the top of my head)


Monday, June 24, 2013

BGP Multihoming design topology


Question:

There are a few design considerations I was hoping to get some insight from the community on. Before I start, the ultimate goal for us is to use BOTH Internet connections in an active/active configuration, utilizing both pipes.

Disclaimer: I have gathered this design from a lot of other posts that have a somewhat similar topology with ASA-->3750-->router pair-->CPE-->internet. Please keep an open mind if you think I'm on the wrong track.

Please see the attached design topology.

Questions related to design:

What kind of routes should I get from each carrier? I have been told that partial/partial routes plus a default route from each carrier is the way to go. Also, I've heard mention that full routes from both carriers are preferred. My ASR1001's can support ~500k routes. I know the global table is approximately ~337k routes. My goal is to use both pipes and use the best outbound path per carrier.

We will be leasing our /24 space from SONIC. I plan on running OSPF on the DC-Edge-SW1 in conjunction with iBGP - so I can default originate two equal cost routes back to my ASA. My confusion is when the traffic hits DC-Edge-SW1, there will be default equal-cost iBGP routes to both ASR1001's (DC-Edge-RT1 & DC-Edge-RT2). If the switch does not have the BGP table, it will just load-share across both ASR's. When the traffic hits the ASR's, will they know which carrier has the best path and route accordingly?

Should the iBGP connection between both routers be directly connected? Or will it suffice through the L3 3750 connection? Also, with the limitations on the routes for the ASR1001 at ~500k, if we end up getting full routes from carriers and create an iBGP neighbourship between both routers, will this exceed the route limitations on this platform?

On both routers, I will have the network statement 'network 12.231.69.0 mask 255.255.255.0'. This is a leased network from SONIC, and we NAT everything on our ASA to 12.231.69.10. My question is, will this be a problem broadcasting this network from our AS to both carriers' AS?

Refer to bgp-design.jpg - is it a requirement that I use our leased public subnet 12.231.69.0/24 for the interfaces from ASA5510 -> 3750 -> ASR1001?


Thanks in advance for any assistance/insight you can provide, as this is the most advanced topology I have worked with.

Answer:

There is one problem with using 2 x /30's between your edge routers and the 3750 -> ASA, when your iBGP session advertises routes to the other peer they will be blackholed / unreachable.

For example, say DC-Edge-RT1 (12.231.69.2) advertises a route for 208.67.0.0/16 to DC-Edge-RT2 via iBGP; DC-Edge-RT2 will know that 208.67.0.0/16 is via 12.231.69.2. To forward a packet to 208.67.0.0, DC-Edge-RT2 will look up the route to 12.231.69.2 and will find a route via OSPF, which is via the 3750.

DC-Edge-RT2 will then spit out a packet destined for 208.67.0.0/16 out the interface to the downstream 3750, this is where the problem occurs, the 3750 doesn't have a clue how to get to 208.67.0.0/16 because unlike the BGP routers it doesn't have the full table. Well it would use the default routes but you have two of those so that's undesirable.

A solution could be (same one I used):

Set up an HSRP group between your two edge routers so they share a virtual address, say 12.231.69.2/29; give RT1 12.231.69.3 for its physical address and RT2 12.231.69.4 for its physical address. Then create a VLAN on your 3750 with a Layer 3 SVI with an IP of 12.231.69.5.

Just need one default route then: 0.0.0.0 0.0.0.0 12.231.69.2

iBGP will still do some amount of load-sharing depending on the information in the various BGP tables...

If and when you get this up and running you can view the BGP path (and thus your AS Number) from the following LG:

http://lg.he.net/

Do a BGP route query for your prefix; it will show the AS number and AS-PATH.

Any questions, holla!

Oh, just a thought: if there's no requirement for your 3750 to be Layer 3, then you could just create the same HSRP group but put both your edge routers and your ASA in the same Layer 2 VLAN with no SVI and then set your HSRP group as the default gateway for your ASA's WAN interface.
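Here is the HSRP design from the answer written out as IOS configuration, as an added example that is not from the original thread. The addresses (12.231.69.2 virtual, .3 and .4 physical, .5 on the 3750 SVI, all in a /29) are the ones the answer gives; the interface names, HSRP group number, VLAN number and the authentication key are assumed. The point of the shared /29 is that when RT1 advertises a route with its own address as the iBGP next hop, RT2's recursive lookup for that next hop resolves to a directly connected segment and the packet goes straight to RT1, never to the 3750 that lacks the BGP table.

```cisco
! Added example, not from the original post. Interface names, HSRP group,
! VLAN number and key are ASSUMED; the addresses come from the answer.
!
! DC-Edge-RT1 (ASR1001)
interface GigabitEthernet0/0/1
 description to DC-Edge-SW1
 ip address 12.231.69.3 255.255.255.248
 standby 1 ip 12.231.69.2
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! DC-Edge-RT2 (ASR1001)
interface GigabitEthernet0/0/1
 description to DC-Edge-SW1
 ip address 12.231.69.4 255.255.255.248
 standby 1 ip 12.231.69.2
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! DC-Edge-SW1 (3750, Layer 3 SVI facing both edge routers)
vlan 100
 name EDGE-TRANSIT
interface Vlan100
 ip address 12.231.69.5 255.255.255.248
!
! The single default route the answer mentions, pointing at the HSRP VIP
ip route 0.0.0.0 0.0.0.0 12.231.69.2
!
! Verify which router is active and that the VIP answers:
! show standby brief
```

The MD5 authentication line is not part of the answer but is the usual hardening for HSRP on a segment that also carries transit traffic: without it any host on VLAN 100 that sends a higher-priority hello can take over the virtual address. For the design to work as the answer describes, the iBGP session between the two routers should use `neighbor ... next-hop-self` (or be sourced from these interfaces) so that the advertised next hop is the peer's .3 or .4 address on this /29.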

Sunday, June 23, 2013

VPN IPsec over Dialer interface not working


Question:

I am completely out of ideas and I rely on the community's help to make a Cisco 881 router finally work.
I have the following configuration:

Current configuration : 2964 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 4 Nq2Qa3VgUxOFKhtuNYSfTjmG8tcryP67rejoLPHyZ4Q
enable password PASSWORD
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no process cpu autoprofile hog
memory-size iomem 10
clock timezone EST -5 0
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3171263040
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3171263040
revocation-check none
rsakeypair TP-self-signed-3171263040
!
!
ip source-route
!
!
!
!
!
no ip cef
ip name-server x.x.x.151
ip name-server x.x.x.152
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn SERIALNO
!
!
username UNAME privilege 15 secret 4 crXTpaYLDkjN6CD9fmkh71./aAHmBSTDMR/AkifA20U
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key SECRET address x.x.x.202
crypto isakmp keepalive 10 5 periodic
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-01 10 ipsec-isakmp
set peer x.x.x.202
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list-01
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description DSL Interface
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Vlan1
description Internal LAN
ip address 192.168.110.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password 0 PASSWORD
no cdp enable
crypto map VPN-Map-01
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip nat inside source route-map RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended Crypto-list-01
permit ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended DSL_ACCESSLIST
permit ip 192.168.110.0 0.0.0.255 any
!
access-list 101 deny   ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.110.0 0.0.0.255 any
!
!
!
!
route-map RMAP_1 permit 10
match ip address 101
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
end

The following is the result of SHOW CRYPTO SESSION:

Interface: Dialer1
Session status: UP-ACTIVE
Peer: x.x.x.202 port 500
  IKEv1 SA: local x.x.x.161/500 remote x.x.x.202/500 Active
  IPSEC FLOW: permit ip 192.168.110.0/255.255.255.0 192.168.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map


Interface: Virtual-Access1
Session status: DOWN
Peer: 216.223.131.202 port 500
  IPSEC FLOW: permit ip 192.168.110.0/255.255.255.0 192.168.10.0/255.255.255.0
        Active SAs: 0, origin: crypto map

As much as I understand, the VPN tunnel is active.
I can access the Internet, but I cannot access anything through the VPN tunnel.
Can you help me, please, with this problem?


Answer:

At the least, you have a mistake in the NAT config that can interfere with the traffic that should be sent through the tunnel. Remove the following line and try again:

ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
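For reference, here is the NAT section of the 881 after the answer's change, as an added example that is not from the original thread; all names and addresses are the ones in the question's config. With both NAT statements present, the list-based one matched the 192.168.110.0/24 to 192.168.10.0/24 flows and translated them before the crypto map on Dialer1 could match them against Crypto-list-01, so they left the router as ordinary NATed Internet traffic. With only the route-map form left, ACL 101 denies the VPN-interesting traffic, which excludes it from translation.

```cisco
! Added example, not from the original post: the 881 NAT config with the
! overlapping list-based statement removed, leaving the route-map form
! that already excludes the VPN traffic.
!
no ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
!
! ACL 101: deny the VPN-interesting traffic first (no translation),
! then allow everything else from the LAN to be translated.
access-list 101 deny   ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.110.0 0.0.0.255 any
!
route-map RMAP_1 permit 10
 match ip address 101
!
ip nat inside source route-map RMAP_1 interface Dialer1 overload
!
! Drop translations created under the old rule, then confirm that VPN
! traffic no longer appears in the NAT table and that ESP counters move:
! clear ip nat translation *
! show ip nat translations
! show crypto ipsec sa | include pkts
```

The verification step matters: existing NAT entries for LAN-to-192.168.10.0/24 flows survive a config change until they age out or are cleared, so a ping started before the change can keep failing even though the configuration is now correct.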


Thursday, June 20, 2013

MPLS for my Company - ISP offers managed router - yay or nay?


Question:

I wanted to get some opinions on the topic above. We are purchasing MPLS services from a large ISP and they offer a managed router option. I will also have a Cisco ISR 2900 at each site running SRST for my voice system. I have some experience with BGP and am not scared at all to support it if need be. That said, I am currently looking at the pros and cons of going with a managed router from this company vs. managing my own. Actually, I will manage my own regardless and would just plug it into the managed router. My router is perfectly capable of handling the BGP protocol, but I am hoping that I can get some opinions from all of you. Thanks in advance!


Pros/Cons of Managed and Unmanaged MPLS router.


Answer:

There are some operational advantages:
If the router fails, the provider has to fix/replace it within a time given by the contract SLA.
It is also the provider's responsibility to configure the CE router correctly to comply with the PE router configuration and the provider's standards.
There is a clear demarcation line of responsibility: the provider is responsible for any trouble up to the CE router LAN port.

On the other hand, it's important for the customer to get efficient read-only access to the routers; some providers don't like to let the customers see the running config, e.g., and provide only a restricted set of CLI commands to the customer.

And last but not least:
The contract should cover how much the customer would pay for configuration changes on the CE routers managed by the provider. Some providers do the changes for free; some require payment per config change.
But it's more about the contract conditions than technical aspects.

Remove a neighbour from BGP Route Propagation


Question:

First-time poster, so I hope I have located this in the correct thread, etc.

I am very new to BGP routing and am in need of help with the following:

BGP has been set up between our Nexus 5k core and the ISP router for our private IP network, which is managed by them. There is 1 BGP router from what I understand, and 1 AS number has been used, which has 2 neighbours set on the Nexus 5k.

Is it possible to remove 1 of the neighbours from this without blowing away the config and starting again with BGP? Reason for this is we don't require BGP to send routes to this neighbour anymore.


Answer:

To disable the neighbour, as mentioned previously, use the shutdown keyword.

switch(config)# router bgp xxxx
switch(config-router)# neighbor 172.18.30.14 remote-as xxxx
switch(config-router-neighbor)#
switch(config-router-neighbor)# shutdown

(Optional) Administratively shuts down this BGP neighbor. This command triggers an automatic notification and session reset for the BGP neighbor sessions.

This will leave the existing config intact apart from the neighbour being shutdown which is the goal here if I understood correctly.

If you want to remove the configuration for this particular neighbour

switch(config)# router bgp xxxx
switch(config-router)# no neighbor 172.18.30.14 remote-as xxxx

This will remove all commands for this neighbour I believe, but still leave the rest of your BGP configuration intact.

___________________________

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/unicast/5_0_3_N1_1/l3_bgp.html#wp1078063

Tuesday, June 18, 2013

ip tracking... not tracking


Question:

I have this config,

When I remove the DSL cable from the router, tracking shows all 3 objects as down and then it goes to Dialer1.
The problem I have is that when I plug the DSL cable back in, all the objects stay DOWN; even after 5 minutes they never go back to the UP state, so it never goes back to my Dialer0.
I was under the impression that when DSL comes up, tracking will go up and things will move over to the main DSL line.

I'm running this on an 891 router with IOS version 15.2(4)M3.

          
track 1 list boolean or
object 12
object 13
object 14
delay up 60
!
track 12 ip sla 12 reachability
!
track 13 ip sla 13 reachability
!
track 14 ip sla 14 reachability


ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2

ip sla 12
icmp-echo <IP ON THE INTERNET> source-interface Dialer0
frequency 30
ip sla schedule 12 life forever start-time now
ip sla 13
icmp-echo <IP ON THE INTERNET> source-interface Dialer0
frequency 30
ip sla schedule 13 life forever start-time now
ip sla 14
icmp-echo <IP ON THE INTERNET> source-interface Dialer0
frequency 30
ip sla schedule 14 life forever start-time now


Answer:

Can you add 3 specific static routes for the IP ON THE INTERNET? I hope Track 1 will then come UP.

For example: ip route 4.2.2.2 255.255.255.255 Dialer0
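The answer's suggestion written out for all three probes, as an added example that is not from the original thread; the three target addresses are assumed placeholders from the 203.0.113.0/24 documentation range, to be replaced by the real probe targets. The reason the host routes are needed: `source-interface` only sets the source address of the probe, the packet itself follows the routing table. While track 1 is down the only default route is the floating one via Dialer1, so every probe leaves on Dialer1 carrying Dialer0's address and the result says nothing about whether the DSL path has recovered. A host route per target forces the probe out Dialer0 regardless of which default route is installed.

```cisco
! Added example, not from the original post. Target addresses are ASSUMED
! placeholders; use the same addresses configured under "ip sla 12/13/14".
! Host routes are more specific than either default, so the probes always
! leave via Dialer0 even while track 1 is down and the default is Dialer1.
ip route 203.0.113.10 255.255.255.255 Dialer0
ip route 203.0.113.20 255.255.255.255 Dialer0
ip route 203.0.113.30 255.255.255.255 Dialer0
!
! After reconnecting the DSL cable, watch the probes recover and the
! boolean-or list flip back to Up after the 60 s "delay up" timer:
! show ip sla statistics
! show track 1
! show ip route 0.0.0.0
```

A side effect to keep in mind is that these three addresses are now unreachable from the LAN while Dialer0 is down, since the host routes point at a dead interface; choosing targets that are only used for probing avoids surprising anyone.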

Monday, June 17, 2013

Connection problem


Question:

I have a 2611XM router that I'm trying to connect to the internet. Basically it's set up as below.

*Cable Modem plugs into my router F0/0 port.
*Router F0/1 plugs into my switch(2950G) port one and then port 2 is then plugged into my computer.

But I am not getting it to work; what am I missing? Does the configuration need to be set up properly? Should I be checking the switch or the router? What commands do I need to type in to give you more information?

Answer:

You either need to add DNS manually if you are keeping the static IP on your workstation, or change your workstation back to DHCP so you can acquire IP settings from the DHCP pool in the router.


Sunday, June 16, 2013

Connecting 2 routers with only FastEthernet


Question:

I have a home lab and I am trying to connect a 1710 to a 2610 using just the Fast Ethernet ports. I understand that serial connections and T1 CSU/DSU connections use clocking, etc. How can I configure FA ports to do the same AND be routable?

Answer:

You do not need to set clocking on FastEthernet interfaces. If you want this particular link to be routable, all you have to do is ensure that both ends are within the same IP range, e.g.

Router 1

interface fa0/0
 ip address 10.0.0.1 255.255.255.252
 speed auto
 duplex auto
 no shut

Router 2

interface fa0/0
 ip address 10.0.0.2 255.255.255.252
 speed auto
 duplex auto
 no shut

This should allow you to ping the other side; if you are able to, then there is connectivity.
If you want to achieve routing for different subnets you can use static routing or a dynamic routing protocol.

Thursday, June 13, 2013

MPLS L2VPN Route Distinguisher Question


Question:

I have something I really don't understand about L2VPN in comparison to L3VPN connections.

With L3VPN we have 2 MPLS labels: the top label for communicating between PE and PE (most likely the loopback IPs of these routers), and the MPLS VPN (inner) label, which consists of the IP prefix plus the route distinguisher so MPLS knows how to differentiate the same routes from multiple customers.

Unfortunately now my confusion starts: with L2VPN connections you also have route distinguishers, but why do we have them there? For instance, with Juniper you have a remote site ID 1 which is communicating with remote site ID 2, and we do nothing with prefixes at all. So if I say this RD is used for making every L2VPN connection in the cloud unique, is this a correct way of saying it?


Answer:

First of all, the inner label in L3VPN is not related to the route distinguisher.

The VPNv4 prefix is formed by prepending the RD to the original 32-bit IPv4 prefix.

The route distinguisher makes the prefix unique in the signalling plane, allowing the receiver to discriminate between overlapping prefixes in different VRFs/VPNs.

The inner label is an attribute of the VPNv4 NLRI and is part of the forwarding plane: the sending PE node tells all the potential peers what inner label it expects to receive when traffic is sent to this specific NLRI.

In Juniper, L2VPN signalling is done with MP-BGP using a different address family, the l2vpn address family.
This is called Kompella L2VPN, from the name of its inventor.

As you have guessed, in this case too the RD assumes the role of identifying the site. If you look at the l2vpn MP-BGP route you will see the site-id at the end of the composite prefix.

We could say that in L2VPN the prefix is indeed the site id prepended by some other information, including the RD.

Wednesday, June 12, 2013

Two ISPs, 1 network and 4 remote networks (MPLS)


I have a Cisco 2911 router and I need to split the traffic from my LAN (Gi0/0) via ISP1 (fa0/0) and that of my servers (Gi/0/0) via ISP2 (fa0/1). This was achieved with the following config:

interface fa 0/0/0
 description Inter
 ip nat outside

interface fa 0/0/1
 description CANTV
 ip nat outside

interface gi 0/0
 description Lan
 ip nat inside
 ip policy route-map PBR

! out CANTV
ip access-list standard 10
 permit host 192.168.0.99
 permit host 192.168.0.94

! exit Inter
ip access-list standard 20
 permit 192.168.0.0 0.0.1.255

ip nat inside source list 10 interface fa 0/0/1 overload
ip nat inside source list 20 interface fa 0/0/0 overload

route-map PBR permit 10
 match ip address CANTV
 set ip next-hop fa 0/0/1

route-map PBR permit 20
 match ip address INTERCABLE
 set ip next-hop fa 0/0/0

ip access-list extended CANTV
 permit ip any host 192.168.0.99
 permit ip any host 192.168.0.94

ip access-list extended INTERCABLE
 permit ip 192.168.0.0 0.0.1.255 any

My problem comes when I want to communicate with my remote networks, which are reached via int Gi0/1, because when my network matches the policy route it sends everything out to the internet.

Can you give a solution to this, or another configuration?


Thanks for your help.

Monday, June 10, 2013

NAT - VPN - routing


Hello experts,

I have a connection to the remote site over VPN.

and I need to allow any traffic from my inside network to the address 172.16.1.1. All other traffic needs to go over the VPN (the other side of the VPN is 192.160.20.0).


interface GigabitEthernet0/0
ip address A.B.C.D 255.255.255.252
duplex auto
ip nat outside
speed auto
crypto map VPN_site
!
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip nat pool IzlazTerminali interface GigabitEthernet 0/0
ip nat inside source list out_1 pool EXIT overload


!
ip route 0.0.0.0 0.0.0.0 A.B.C.D1

!
ip access-list extended VPN_site
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.20.255
 permit ip 192.168.1.0 0.0.0.255 host x.x.x.x
!
ip access-list extended out_1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.1


But now there is no access to the internet via the VPN!!!


Thanks for your help.
Answer:

No it won't.  You need to use, a minimum of, 12.4(4)T.  Pay attention to the "T" train.

Go here.  Look at the left-hand column.

Click 12.4 > 12.4T and choose the IOS of your choice.


I suppose the latest and greatest firmware would be the most appropriate, in the 12.4 range, e.g. 12.4.24T8(ED), would you agree?

I can't make that decision for you. For me, I would. Read the Release Notes so you'll know what open caveats are still available.

When I speak to my supplier, they tell me that support for this device is discontinued and that it is no longer available for a new contract.

1841 is already End-of-Sale since 01 November 2010; however, you can try to get your vendor to download the IOS for you.