Cisco Site to Site + Remote Access VPN

There are some small office brunches needing both remote access to the office itself,
The remote access clients, like configured HERE and a permanent connection to another SITE (to the HQ for example).
Here is a quick guide for configuring multiple VPN types on a Cisco Router.

In this case I have configured a tunnel to a Fortinet FW (,
For the authentication I used 3DES and SHA1 for the hashing.
Cisco Lan, Forti Lan

Here is my configuration:

Set a password for the tunnel ( may use a certificate instead )
crypto keyring Site-Key
  pre-shared-key address key 0 Cisco2Forti
Configure VPN Phase 1 Policy
crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
lifetime 28800

crypto isakmp profile Site-PH1
   keyring Site-Key
   match identity address
Configure VPN Phase 2
crypto ipsec transform-set Site_Set esp-3des esp-sha-hmac
Set Split-tunnel - what will be routed through
IP access-list Extended Site_ACL
permit ip
combine all the Settings to a VPN Tunnel :
crypto map clientmap 10 ipsec-isakmp
 set peer
 set transform-set Site_Set
 set isakmp-profile Site-PH1
 match address Site_ACL
Almost same thing for the Client access
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group Client-Access
key Client2Site
pool ippool
acl Client_ACL

crypto isakmp profile Client
   match identity group alicenet
   client authentication list auth
   isakmp authorization list auth
   client configuration address respond

crypto ipsec transform-set Client_Set esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set Client_Set
 set isakmp-profile Client

IP access-list Extended Client_ACL
permit ip

crypto map clientmap 100 ipsec-isakmp dynamic dynmap
Client to site VPN will also require configuring an ip pool - Basically DHCP for VPN
ip local pool ippool
For both of them to work we need to enable the Crypto (VPN) on the external interface,
in my case FastEthernet4
interface FastEthernet4
ip address
crypto map clientmap 
And one last thing, in case there is NAT enabled – make sure to disable the NAT in the VPN
for example:
ip access-list extended NAT
deny ip
deny ip
permit ip any

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

1 comment:

  1. It's late finding this act. At least, it's a thing to be familiar with that there are such events exist. I agree with your Blog and I will be back to inspect it more in the future so please keep up your act. remote control computer