I am trying this on a Cisco 1921 running c1900-universalk9-mz.SPA.157-3.M2.bin and I am unable to set the interface like you do at 9min 52secs in the video
Would it be possible to use a dynamic DNS name for the outside interface rather than an IP address? This would be for offices that don't have a static external address form there ISP's.
I have a cisco zrw100. I was able to get the router working so i can connect to it. How do I set it up so that I can allow users outside of building off site to connect.
i have two 2851. both have the AIM-VPN/EPII-PLUS module. can i do a site to site connection with them? i am trying to configure both of my routers according to this video and for some reasons it doesn't work.
hai soundtraining, i am planning to implement site to site vpn btw my two office by using cisco router 28xx ..but i have a doubt , shall i need to buy any licence
hi, the video is helpful and i need your help, we are setting up a network where one site has CISCO router and the other site has their router not the CISCO route. So how can i provide the connectivity??? Thanks
Awesome video. One question I want to ask regarding VPN IPsec. Is it possible to create site to site vpn IPsec when one site is using adls modem so the cisco router will be behind the modem. If it is can possible can you make a video on that or advice on that issue. Thanks
Hi, Thanks for this video. If I am not wrong, we do need dedicated /static IPs. In this video I can only see 192.168.X.X Can someone elaborate why its like this? Or where to replace IPs with dedicated IPs.
NA Apps The 192.168 addresses are used on the outside interfaces for demonstration purposes only. Presumably, you will get the outside addresses from a service provider. You can use the private addresses (192.168) on the inside interfaces. If you're not familiar with how to configure IP addresses on an interface, watch this video: ruclips.net/video/Y0ZnRmgINgE/видео.html
Hi, Thanks for quick reply. I have two static IPs / dedicated IPs that I will configure on WAN port. Will watch the video you mentioned hopefully will get back with some results. By the way, we DO NOT need to configure default GateWay when configuring the Static IP on WAN port?
NA Apps I have never gotten it to work without configuring the default gateway. That doesn't mean it won't work for you without a gateway. Please post if it works for you without a gateway.
I have configured a wrong interface during the configuration, after the command "set peer XX.XX.XXX.XX" i run "interface gigabitethernet 0/0" but my outside interface is gigabitethernet 0/1. so i tried removing that by "no interface gigabitethernet 0/0" but it's giving me an error. what i want to do is to select gigabitethernet 0/1 as my outside interface. Thanks, Sandy
Hi Don, Need to know that during your configuration you applied route map to interface directly without ACL declaration if we will put like this in production will it lead to outage as ACL 100 will do implicit deny to every packet. Please help me in same thanks regards Suresh Joshi
Great video, this will gives me an idea of what I'm going to connect from my home office and my office in the same city. I am wondering if you can give me your opinion. What is your thoughts about Cisco RV180 VPN Router for vpn. Would I use the same procedure to connect my home and office?
Hi, thanks for the awesome video. I have a question If service provider give us two gateways for two routers so does we need to set static route on both routers.? do we need to configure VPN on second router also.?
+Don R. Crawley Thx for the reply. I have tested VPN in on one router GNS3 but it was not working. when i used to ping host of the second router it says connection timeout.
This was done on actual 870 routers. I wish there was a way to run more modern software in GNS3 and perhaps the new version, due out in late 2014, will provide that support. Still, GNS3 is a great tool.
NA Apps I don't provide technical support or consulting. I recommend that you purchase a Cisco SMARTnet contract from the reseller where you purchased your router. The SMARTnet contract is not very expensive and it provides you with access to Cisco engineers to help with configuration and troubleshooting. Alternatively, there are a variety of forums where you can post questions and get answers from the community including supportforums.cisco.com, serverfault.com, and www.experts-exchange.com. Also, consider participating in a Cisco users group. This link will help you find a Cisco users group in your part of the world: learningnetwork.cisco.com/community/connections/cisco_user_groups_intl/locate?view=overview
The demo doesn't use NAT. If you use NAT on the router along with a site-to-site VPN, you must use an access-list with a NAT statement to specify which traffic you want to NAT and which you don't want to NAT. As to your comment about a user, there is no user in a site-to-site VPN, it's router-to-router. As you can see in the video, it works fine. The video is recorded live and there are no editing tricks.
Thanks for your comment. You should be able to set up a site-to-site VPN using an ADSL modem. Search on the term "site to site vpn over adsl" and there are several articles and discussions about how to do it. Good luck!
The VPN tunnels are from the outside interface on one router to the outside interface on the other router. In a typical site-to-site VPN configuration, you should configure the tunnel-groups and peers with the other router's outside interface IP address. The access-lists should be configured to permit traffic flows from one router's inside network to the other router's inside network. Hope that helps.
Thank you for the tutorial, sadly only our ISP can manage and configure our Cisco routers we only connect our main and branch office thru a configure VPN server but its not that really good =(.
Thanks Mr. Crawley, you have a very user friendly speaking voice - I googled ASA5505 Firewall to DMZ - and I found you. You gave me clarity on how I will design my senior project security setup. Will search your site for more firewall ideas and network segmentation. Thank you again, sir.
Thanks for your comment. Sorry for the delay in replying. I'm not sure how I missed it. It's a matter of configuring separate policies for the site-to-site and remote-access VPNs. Search on the term "site-to-site vpn and remote-access vpn on the same router". You'll find several forum and blog posts covering how to do it and issues others have encountered during the process.
Thanks, very nice 192.168.1.1 Is your default route correct? crypto ipsec transform-set VPNSET crypto map VPNSET do these have to be the same? VPNKEY is your AES key? How big can I make my key? How would I advertise the VPN via OSPF/EIGRP? I assume that the ACL No on R1 does not have to have the same as the ACL No on R2, ie ACL100 and ACL102 Can you do a demo where R1 and R2 also go to an ISP using completely different networks?
I'm not personally familiar with the RV180, but the reviews on Amazon for it are not very complimentary. It looks like it's probably more of a consumer or small business device than a commercial-grade router. I doubt that it's IOS-based, which means the same procedure as shown in the video would not work with it. Sorry I can't be more help.
Thank you so much for this GREAT video , i have some questions: will this configration be the same if the office got a static IP , but the host is using DHCP ? what will i change in this case? and after configuration how to access the vpn from the remote PC ? would it require a user name and password like the case when you make a vpn using the server-client config. ? if yes how to set users?
The dynamic IP address is not an ASA issue. You need a dynamic DNS client running on your inside subnet. The dynamic DNS client will detect when the ASA's outside IP address changes and update your DNS server's A record accordingly. It's been a while since I used that type of service, but just search for "dynamic dns update client" and you'll find something to try. The key is to put it on a computer on your inside subnet. The ASA itself doesn't support it, but your internal client should work.
Just to clarify, you're right to be thinking about a static IP address for the ASA. That's clearly the best solution. If, for whatever reason, that's not possible, the dynamic DNS client may solve your problem. Good luck!
Wow that was great, i got everything working in my home lab and GNS3! my one question is the last command ip route 0.0.0.0 0.0.0.0 192.168.1.1 where in the world do you get 192.168.1.1??? shouldnt it be .11 and .10? Thanks again for your great vid!
Great question. You would only use .10 and .11 as default routes if those were actually the gateways. In the real world, the two routers would not be directly connected, but would probably connect via a service provider. In that case, you would use whatever gateway address was provided by your service provider. In the lab, with the routers directly connected, it doesn't seem to matter what address you use, as long as you provide an address.
![Blox Fruits Dragon Rework Update [Full Stream]](http://i.ytimg.com/vi/EqDAp8udhm0/mqdefault.jpg)
thanks
This guy is a pro
why was no diffie helman group set in the isakmp policy?
Great and Brilliant Training
So no cisco routers, no VPN? if the remote client is on a TPlink will they not be able to connect?
I am trying this on a Cisco 1921 running c1900-universalk9-mz.SPA.157-3.M2.bin and I am unable to set the interface like you do at 9min 52secs in the video
can any one provide a Link to download PDF STEP BY STEP VPN Configurations
what's the difference between a profile and a policy?
Thank you so much i could not had better introduction to VPNs than this video. all the best, Dusan
Would it be possible to use a dynamic DNS name for the outside interface rather than an IP address? This would be for offices that don't have a static external address form there ISP's.
skip to 5:07
Very well explained !! Best :) :)
I have a cisco zrw100. I was able to get the router working so i can connect to it. How do I set it up so that I can allow users outside of building off site to connect.
i have two 2851. both have the AIM-VPN/EPII-PLUS module. can i do a site to site connection with them? i am trying to configure both of my routers according to this video and for some reasons it doesn't work.
Your routers should support a VPN configuration, but I don't have experience with that particular module.
hai soundtraining, i am planning to implement site to site vpn btw my two office by using cisco router 28xx ..but i have a doubt , shall i need to buy any licence
hi,
the video is helpful and i need your help, we are setting up a network where one site has CISCO router and the other site has their router not the CISCO route. So how can i provide the connectivity???
Thanks
how do i know my DIA IP/VPN..?
Awesome video. One question I want to ask regarding VPN IPsec. Is it possible to create site to site vpn IPsec when one site is using adls modem so the cisco router will be behind the modem. If it is can possible can you make a video on that or advice on that issue. Thanks
How do you know what you've done here is even encrypting the traffic and not just routing as normal?
Hi,
Thanks for this video.
If I am not wrong, we do need dedicated /static IPs.
In this video I can only see 192.168.X.X
Can someone elaborate why its like this? Or where to replace IPs with dedicated IPs.
NA Apps The 192.168 addresses are used on the outside interfaces for demonstration purposes only. Presumably, you will get the outside addresses from a service provider. You can use the private addresses (192.168) on the inside interfaces. If you're not familiar with how to configure IP addresses on an interface, watch this video: ruclips.net/video/Y0ZnRmgINgE/видео.html
Hi,
Thanks for quick reply.
I have two static IPs / dedicated IPs that I will configure on WAN port.
Will watch the video you mentioned hopefully will get back with some results.
By the way, we DO NOT need to configure default GateWay when configuring the Static IP on WAN port?
NA Apps I have never gotten it to work without configuring the default gateway. That doesn't mean it won't work for you without a gateway. Please post if it works for you without a gateway.
You can try this in GNS3 with a Cisco 7200 router.
shouldn't the static route be just be set for the remote LAN address and reachable via the other router's outside IP address?
HI,
please can u tell me which cisco router's supports ipsec and vpn??
or is it depends on the ios version??
Will this VPN work with routing protocols using multicast/broadcast packets?
I have configured a wrong interface during the configuration, after the command "set peer XX.XX.XXX.XX" i run "interface gigabitethernet 0/0" but my outside interface is gigabitethernet 0/1. so i tried removing that by "no interface gigabitethernet 0/0" but it's giving me an error.
what i want to do is to select gigabitethernet 0/1 as my outside interface.
Thanks,
Sandy
Please make the same video for Ikev2.
Hi Don,
Need to know that during your configuration you applied route map to interface directly without ACL declaration if we will put like this in production will it lead to outage as ACL 100 will do implicit deny to every packet. Please help me in same
thanks regards
Suresh Joshi
Great video, this will gives me an idea of what I'm going to connect from my home office and my office in the same city. I am wondering if you can give me your opinion. What is your thoughts about Cisco RV180 VPN Router for vpn. Would I use the same procedure to connect my home and office?
Bryan McGann enjoyed this video immensely. It is worth watching.
Just found this awesome video...do you have one for setting up BGP peers?
Hi,
thanks for the awesome video. I have a question
If service provider give us two gateways for two routers so does we need to set static route on both routers.?
do we need to configure VPN on second router also.?
+Don R. Crawley Thx for the reply. I have tested VPN in on one router GNS3 but it was not working. when i used to ping host of the second router it says connection timeout.
Also you running this environment on GNS3? How did you manage to setup c870 on GNS3?
This was done on actual 870 routers. I wish there was a way to run more modern software in GNS3 and perhaps the new version, due out in late 2014, will provide that support. Still, GNS3 is a great tool.
Hi,
Is there email address I can email the configurations I have with modified version of network diagram (dedicated IPs).
Thanks in advance.
NA Apps I don't provide technical support or consulting. I recommend that you purchase a Cisco SMARTnet contract from the reseller where you purchased your router. The SMARTnet contract is not very expensive and it provides you with access to Cisco engineers to help with configuration and troubleshooting.
Alternatively, there are a variety of forums where you can post questions and get answers from the community including supportforums.cisco.com, serverfault.com, and www.experts-exchange.com. Also, consider participating in a Cisco users group. This link will help you find a Cisco users group in your part of the world: learningnetwork.cisco.com/community/connections/cisco_user_groups_intl/locate?view=overview
soundtraining.net Ok, thanks for your message and information.
great thanks sir don
The demo doesn't use NAT. If you use NAT on the router along with a site-to-site VPN, you must use an access-list with a NAT statement to specify which traffic you want to NAT and which you don't want to NAT. As to your comment about a user, there is no user in a site-to-site VPN, it's router-to-router. As you can see in the video, it works fine. The video is recorded live and there are no editing tricks.
thank you
Thanks for this video.
Thanks for your comment. You should be able to set up a site-to-site VPN using an ADSL modem. Search on the term "site to site vpn over adsl" and there are several articles and discussions about how to do it. Good luck!
The VPN tunnels are from the outside interface on one router to the outside interface on the other router. In a typical site-to-site VPN configuration, you should configure the tunnel-groups and peers with the other router's outside interface IP address. The access-lists should be configured to permit traffic flows from one router's inside network to the other router's inside network. Hope that helps.
Cracking video - thank you! Really helpful.
Thank you for the tutorial, sadly only our ISP can manage and configure our Cisco routers we only connect our main and branch office thru a configure VPN server but its not that really good =(.
an amazing video.
Thanks for sharing and hoping to see more educative videos like that from you.
Again, many thanks.
Thanks Mr. Crawley, you have a very user friendly speaking voice - I googled ASA5505 Firewall to DMZ - and I found you. You gave me clarity on how I will design my senior project security setup. Will search your site for more firewall ideas and network segmentation. Thank you again, sir.
Thanks for your comment. Sorry for the delay in replying. I'm not sure how I missed it. It's a matter of configuring separate policies for the site-to-site and remote-access VPNs. Search on the term "site-to-site vpn and remote-access vpn on the same router". You'll find several forum and blog posts covering how to do it and issues others have encountered during the process.
Thanks, very nice
192.168.1.1
Is your default route correct?
crypto ipsec transform-set VPNSET
crypto map VPNSET
do these have to be the same?
VPNKEY is your AES key? How big can I make my key?
How would I advertise the VPN via OSPF/EIGRP?
I assume that the ACL No on R1 does not have to have the same as the ACL No on R2, ie ACL100 and ACL102
Can you do a demo where R1 and R2 also go to an ISP using completely different networks?
I'm not personally familiar with the RV180, but the reviews on Amazon for it are not very complimentary. It looks like it's probably more of a consumer or small business device than a commercial-grade router. I doubt that it's IOS-based, which means the same procedure as shown in the video would not work with it. Sorry I can't be more help.
Thank you so much for this GREAT video ,
i have some questions:
will this configration be the same if the office got a static IP , but the host is using DHCP ? what will i change in this case? and after configuration how to access the vpn from the remote PC ? would it require a user name and password like the case when you make a vpn using the server-client config. ? if yes how to set users?
Thanks. Nice tut'
Mike
Thank you!
The dynamic IP address is not an ASA issue. You need a dynamic DNS client running on your inside subnet. The dynamic DNS client will detect when the ASA's outside IP address changes and update your DNS server's A record accordingly. It's been a while since I used that type of service, but just search for "dynamic dns update client" and you'll find something to try. The key is to put it on a computer on your inside subnet. The ASA itself doesn't support it, but your internal client should work.
I'm glad it was helpful. :)
Just to clarify, you're right to be thinking about a static IP address for the ASA. That's clearly the best solution. If, for whatever reason, that's not possible, the dynamic DNS client may solve your problem. Good luck!
Łukasz Kostecki nie popiera przejęcia
Kosteccy welcome to
thanks it's most helpful
Wow.. thanks
GREAT VIDEO. A++++++++++++
Perfect.
Hello Again,
Is there email address I can email the configurations I have with modified version of network diagram?
Thanks in advance!
Good intro' to VPN IPSEC. Thanks
Gre8 video
Wow that was great, i got everything working in my home lab and GNS3! my one question is the last command ip route 0.0.0.0 0.0.0.0 192.168.1.1 where in the world do you get 192.168.1.1??? shouldnt it be .11 and .10? Thanks again for your great vid!
Great question. You would only use .10 and .11 as default routes if those were actually the gateways. In the real world, the two routers would not be directly connected, but would probably connect via a service provider. In that case, you would use whatever gateway address was provided by your service provider. In the lab, with the routers directly connected, it doesn't seem to matter what address you use, as long as you provide an address.
soundtraining.net
ahhhh yes! The force is strong in you! Thank you again!