Cisco RV042 VPN hub and spokes, connecting spokes question

Hello

I have a few Cisco RV042 routers and VPN links connecting them in a hub and spoke topology.

Each spoke's VPN works; they manage to connect to the hub.

The hub can see each spoke's VPN as active.

A computer under the hub can connect to a computer under any spoke.

A computer under any spoke can connect to a computer under the hub.

That works very well.

Now, what I really need is for computers under one spoke to connect to computers under another spoke.

It doesn't work.

Current configuration of LAN:

HUB IP / mask: 192.168.0.1 / 255.255.255.0

Spoke1 IP / mask: 192.168.1.1 / 255.255.255.0

Spoke2 IP / mask: 192.168.2.1 / 255.255.255.0

I was wondering if the Cisco RV042 can be configured to allow that, and how?

If it cannot be done, what other router should I use as a hub? Should I change the spokes as well?

Thank you and have a nice day

Hope that this document can point you in the right direction.

https://supportforums.Cisco.com/docs/doc-12534

Tags: Cisco Support

Similar Questions

  • VPN Hub and Spoke with NAT

    Hello! I have a VPN network star topology, I need configuration for our customers to access. I have 3 points of endpoint in this example: VPN, Pix 515e and Linksys RV042 hub. The hub is the site of our parent company, the Pix 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our Pix 515e and the hub, and another between our Pix 515e and the RV042 VPN. What I need is for the server on the client (RV042) site to talk to the hub network via our Pix 515e. I also need to be coordinated traffic so it looks like it's from the same subnet on our Pix 515e to the hub.

    Hub (MEAN): 10.1.6.x

    PIX 515e (HUB): 172.16.3.x

    RV042 (SPOKEN): 192.168.71.x

    PIX 515e (HUB):

    Outside - 12.34.56.78

    Interior - 172.16.1.1

    Hub (TALK):

    Outside - 87.65.43.21

    Interior - 10.1.6.1

    RV042 (SPOKEN):

    Outside - 150.150.150.150

    Interior - 192.168.71.1

    The hub allows all traffic to my Pix 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on RV042 network 10.1.6.x the network hub through the Pix 515e and make it look like its 172.16.3.71 entry. So I need NAT traffic in the tunnel to another tunnel. Attached config running under the direction of privacy. Any help is greatly appreciated.

    On the PIX you need a policy static statement:

    NAT list allowed access host ip 192.168.71.5 10.1.6.0 255.255.255.0

    public static 172.16.3.71 (external, outside) 192.168.71.5 nat access list

    And modify the crypto ACL appropriately to include the NATted address.

  • Simple IOS VPN IPsec HUB and Spoke failover HUB

    Hi all

    I have a nd architecture VPN Hub spoke with Asit, IKEv1 and IPsec.

    My hub is connected to a single service provider.

    I wish I had a hardware redundancy for my hub.

    Instead of creating a double tunnel in each Department, I would like to use my router 4000ISR failover protocol.

    Is it possible to simply achieve?

    If I use IOS IPsec failover, do I need to deploy my changes on both routers, or (as on the ASA) can I configure the active router and let the standby receive the changes?

    Thanks to you all.

    Johnny

    If your ISP connection is one that has a routed block and you can connect two routers to it, you can then configure HSRP.

    The source of the tunnel becomes the HSRP address. The spokes may not know that there are two routers.

    Easy failover.

    Alternatively, you can have a single tunnel with hubs double (if you do not use HSRP).  You don't have to borrow the double tunnels.

  • Ask about hub and spoke VPN between several sites

    Hello

    I currently have a 'hub' ASA 5505 that connects to 4 sites running 877 routers.

    Since the network hub, I can connect to all the sites fine but what I would do is almost to compartmentalize the different VPN links in small groups.

    The ASA 5505 hub mainly provides IP telephony via the VPN from a PBX allowing users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would be able to call them internally through the hub. It must obviously be allowed between their different networks of traffic.

    Currently, when you try an internal call it rings, but there is no audio either way. I guess that's due to access list restrictions. I don't know yet if what I'm trying to achieve is possible as I'm a bit of a rookie, but any help would be appreciated. I have attached the hub and 2 spokes below.

    The ideal final result would be interconnectivity between the two spokes through the hub. From what I've read it seems possible, but I can't get my head around it! Would it involve using different subnet masks on the hub?

    Any help would be greatly appreciated!

    Thank you

    Jack

    ASA "hub" VPN config

    object network OAKOW
     subnet 192.168.12.0 255.255.255.0
    object network OAKIV
     subnet 192.168.11.0 255.255.255.0

    access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.5.1 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static OAKOW OAKOW
    nat (inside,outside) source static LAN LAN destination static OAKIV OAKIV

    object network obj_any
     nat (inside,outside) dynamic interface

    Access-group interface incoming outside

    crypto ipsec ikev1 transform-set HOSTEDTS esp-3des esp-sha-hmac
    crypto map HOSTEDMAP 100 match address ACL_OAKOW
    crypto map HOSTEDMAP 100 set pfs
    crypto map HOSTEDMAP 100 set peer 4.3.2.1
    crypto map HOSTEDMAP 100 set ikev1 transform-set HOSTEDTS
    crypto map HOSTEDMAP 101 match address ACL_OAKIV
    crypto map HOSTEDMAP 101 set pfs
    crypto map HOSTEDMAP 101 set peer 5.6.7.8
    crypto map HOSTEDMAP 101 set ikev1 transform-set HOSTEDTS

    crypto map HOSTEDMAP interface outside
    crypto isakmp identity address
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside
    crypto ikev1 am-disable

    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800

    group-policy TBOakOW internal
    group-policy TBOakOW attributes
     vpn-tunnel-protocol ikev1

    group-policy TBOakIV internal
    group-policy TBOakIV attributes
     vpn-tunnel-protocol ikev1

    tunnel-group 4.3.2.1 type ipsec-l2l
    tunnel-group 4.3.2.1 general-attributes
     default-group-policy TBOakOW
    tunnel-group 4.3.2.1 ipsec-attributes
     ikev1 pre-shared-key *

    tunnel-group 5.6.7.8 type ipsec-l2l
    tunnel-group 5.6.7.8 general-attributes
     default-group-policy TBOakIV
    tunnel-group 5.6.7.8 ipsec-attributes
     ikev1 pre-shared-key *

    877 VPN "spoke 1" config

    vpdn enable

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800

    crypto isakmp key * address 1.2.3.4

    crypto ipsec transform-set TB0ak esp-3des esp-sha-hmac

    crypto map OakOW 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set TB0ak
     set pfs group2
     match address VPN

    interface Vlan1
     description - LAN-
     ip address 192.168.12.1 255.255.255.0
     ip nat inside

    interface Dialer0
     crypto map OakOW

    ip nat inside source list NAT interface Dialer0 overload

    ip access-list extended NAT
     deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

    877 VPN "spoke 2" config

    vpdn enable

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800

    crypto isakmp key * address 1.2.3.4

    crypto ipsec transform-set HOSTEDTS esp-3des esp-sha-hmac

    crypto map TBVPNOak 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set HOSTEDTS
     set pfs group2
     match address ACL-VPN-to-ASA

    interface Vlan1
     description internal LAN-
     ip address 192.168.11.1 255.255.255.0
     ip nat inside

    interface Dialer0
     crypto map TBVPNOak

    ip nat inside source list NAT interface Dialer0 overload

    ip access-list extended ACL-VPN-to-ASA
     permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

    ip access-list extended NAT
     deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 any

    You must rewrite the ACLs on spoke 1:

    ip access-list extended NAT
     deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

    and spoke 2:

    ip access-list extended NAT
     deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 any
    ip access-list extended ACL-VPN-to-ASA
     permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

    And the ACLs on the ASA:

    access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKOW extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0

    You must allow intra-interface traffic:

    same-security-traffic permit intra-interface

    Also, you can check the NAT translation with the NAT debug command.


  • Hub and spoke VPN network traffic between two points talked

    Hi, I have a star VPN network topology, and all traffic is remote office to the data center,

    I have a request to build a tunnel between two remote sites to access some servers between two remote sites,

    Can I just change the interesting-traffic ACL to include, say, Office A to Office B in the Office A to data center tunnel and in the Office B to data center tunnel?

    In doing so, I can avoid a tunnel between the two offices (A and B).

    See you soon

    Hello

    You can make the traffic between the two spokes go through the hub, or build a new tunnel between the spokes.

    If the hub is an ASA you must configure same-security-traffic permit intra-interface.

    If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

    Federico.

  • Topology Hub-and-spoke (between vpn´s of the site-to-site connections)?

    Hi all

    I have a friend who has in his company an ASA5505 to the central point and about 5 remote sites connected through site to site Vpn.

    All tunnels are up and reached the central network.

    The only traffic that goes through the tunnels is traffic destined for the ASA's local network.

    My friend asked me what he needs in order to get from one remote VPN site to another remote VPN site, passing through the central site ASA5505.

    The ASA5505 can reach all remote networks through the tunnels.

    Can someone briefly tell me what is needed for the ASA to carry traffic between the VPN tunnels?

    Are static routes needed on the remote sites to announce the other remote sites?

    Best regards

    Hi Tiago,

    you will need to do 3 things primarily:

    On the hub, you need to configure:

    same-security-traffic permit intra-interface

    (this allows traffic to go out of the same interface it came in on; in your case the traffic between the spokes will come in on outside and go back out on outside).

    Then, on the hub as well as on the spokes, you need to add all spoke-to-spoke traffic to the crypto ACL and the NAT exemption ACL.

    Depending on your addressing scheme, you may be able to aggregate to avoid making very large ACLs (for 5 spokes I guess it's still manageable, though).

    No routes should be necessary on the spokes or the hub (unless the VPN tunnels take a different path than your ordinary internet traffic; I assumed that this is not the case).

    Let me know if you need more details.

    HTH

    Herbert
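The rule in the answer above (every spoke-to-spoke pair has to appear in the crypto ACL and the NAT exemption on the hub and on each spoke) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it uses the 192.168.5.0/24 hub and the OAKOW/OAKIV spoke subnets from the ASA 5505 thread earlier on this page as constructed input, and the function names are hypothetical.

```python
from ipaddress import ip_network


def required_selectors(hub_lan, spoke_lans):
    """Return {spoke: {"hub": set, "spoke": set}} of (src, dst) networks.

    For the tunnel to a given spoke, the hub's crypto ACL must cover the
    hub LAN and every *other* spoke LAN as sources. The spoke's crypto ACL
    and NAT exemption must be the exact mirror of those entries.
    """
    hub = ip_network(hub_lan)
    spokes = {name: ip_network(net) for name, net in spoke_lans.items()}
    plan = {}
    for name, lan in spokes.items():
        remotes = [hub] + [net for other, net in spokes.items() if other != name]
        plan[name] = {
            "hub": {(remote, lan) for remote in remotes},
            "spoke": {(lan, remote) for remote in remotes},
        }
    return plan


def audit(plan, configured):
    """List (spoke, side, src, dst) selectors the plan needs but config lacks."""
    missing = []
    for name, sides in plan.items():
        for side, needed in sides.items():
            have = {(ip_network(s), ip_network(d))
                    for s, d in configured.get(name, {}).get(side, [])}
            for src, dst in sorted(needed - have):
                missing.append((name, side, str(src), str(dst)))
    return missing


def asa_line(acl_name, src, dst):
    """Render one ASA crypto ACL entry (subnet-mask notation)."""
    s, d = ip_network(src), ip_network(dst)
    return (f"access-list {acl_name} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}")


def ios_line(action, src, dst):
    """Render one IOS extended ACL entry (wildcard-mask notation)."""
    s, d = ip_network(src), ip_network(dst)
    return (f"{action} ip {s.network_address} {s.hostmask} "
            f"{d.network_address} {d.hostmask}")


# Constructed input: the selectors as first posted (hub <-> spoke only).
HUB_LAN = "192.168.5.0/24"
SPOKES = {"OAKOW": "192.168.12.0/24", "OAKIV": "192.168.11.0/24"}
AS_POSTED = {
    "OAKOW": {"hub": [("192.168.5.0/24", "192.168.12.0/24")],
              "spoke": [("192.168.12.0/24", "192.168.5.0/24")]},
    "OAKIV": {"hub": [("192.168.5.0/24", "192.168.11.0/24")],
              "spoke": [("192.168.11.0/24", "192.168.5.0/24")]},
}


def report():
    """Return the config lines that are missing for spoke-to-spoke traffic."""
    plan = required_selectors(HUB_LAN, SPOKES)
    lines = []
    for name, side, src, dst in audit(plan, AS_POSTED):
        if side == "hub":
            lines.append("hub: " + asa_line("ACL_" + name, src, dst))
        else:
            lines.append(f"{name} crypto ACL: " + ios_line("permit", src, dst))
            lines.append(f"{name} NAT ACL, before the permit-any entry: "
                         + ios_line("deny", src, dst))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With n spokes each tunnel needs n selectors on each side, which is why the answer suggests aggregating subnets where the addressing scheme allows it.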

  • RV042 VPN devices and iOS4.2

    Hello

    I have problems with the VPN between RV042 and iOS4.2 devices (iPhone/iPad).

    First question is 'is it possible at all?'.

    Second question is 'how '.

    --

    I configured the tunnel group and created for the VPN user. In my Windows XP-laptop QuickVPN seems to work very well.

    But when I try to connect with an iPhone or iPad (3G) I get a message like "the server is not responding".

    In the RV042 log, I found the following lines:

    Dec 10 13:09:29 2010 The VPN log Initial message of aggressive Mode [iOS_device_public_IP], but no (wildcard) connection has been configured
    Dec 10 13:09:29 2010 The VPN log [Tunnel negotiation of Info] < responder received aggressive mode 1st packet >
    Dec 10 13:09:29 2010 The VPN log Useful load of Vendor ID received Type = [Dead Peer Detection]
    Dec 10 13:09:29 2010 The VPN log Ignorant Vendor ID payload Type = [Cisco-unit]
    Dec 10 13:09:29 2010 The VPN log Ignorant Vendor ID payload Type = [XAUTH]
    Dec 10 13:09:29 2010 The VPN log Vendor ID payload ignorant Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Dec 10 13:09:29 2010 The VPN log Vendor ID payload ignorant Type = [draft-ietf-ipsec-nat-t-ike-02]
    Dec 10 13:09:29 2010 The VPN log Payload Vendor ID received Type = [draft-ietf-ipsec-nat-t-ike-03]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [9909b64eed937c65...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [80d0bb3def54565e...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [4d1e0e136deafa34...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [439b59f8ba676c4c...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [8f8d83826d246b6f...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [4df37928e9fc4fd1...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [4a131c8107035845...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [4a131c8107035845...]
    Dec 10 13:09:29 2010 The VPN log Regardless of the Vendor ID payload [4a131c8107035845...]

    Any ideas what's happening?

    RV042 does not support the iPhone VPN connection.

    Here is the list of what iPhone supports:

    http://www.Cisco.com/en/us/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iPhone.html

  • Cisco 877 VPN - two routers remote connection to the head office

    Hi all.

    Our headquarters has a 877.

    Our two remote sites also have 877 and they have a permanent tunnel in 877 headquarters which works OK.

    My problem is that the two remote sites cannot talk to each other, but they can talk to the head office fine.

    I guess it's some sort of NAT problem, so I'll post the relevant configs, and if someone could take a look and point me in the right direction, I'd be very happy!

    Head office config is a txt 192.168.16.5 file

    Remote site 'Riversdale' is the 192.168.17.1 text file

    Remote site 'Tynewydd' is the 192.168.18.1 text file

    How have you checked with pings? Is this an internal host to internal host?

    Can you check with pings between the spokes? Please use the inside interfaces of the spokes for both source and destination addresses. And send me 'show crypto session detail' from all the routers, both before and after sending the pings.

    One thing I forgot: in the config files of both your spokes, regarding NAT, please reorder the entries so that both deny entries come first, followed by the permit entry.

    access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255

    access-list 100 permit ip 192.168.17.0 0.0.0.255 any

    access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
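Why the order matters: IOS evaluates an ACL top-down and stops at the first match, so in the three lines quoted above the second deny can never be reached and spoke-to-spoke traffic gets NATed before it can match the crypto ACL. The following added example (not from the thread; function names are hypothetical) parses those lines, reports the shadowed entry, and shows the decision before and after reordering.

```python
from ipaddress import ip_address, ip_network

# The NAT ACL exactly as quoted in the answer above.
NAT_ACL_AS_POSTED = [
    "access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255",
    "access-list 100 permit ip 192.168.17.0 0.0.0.255 any",
    "access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255",
]


def _take(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ip_network("0.0.0.0/0")
    if head == "host":
        return ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a contiguous wildcard (host mask) after the slash.
    return ip_network(f"{head}/{tokens.pop(0)}")


def parse(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if (len(tokens) < 6 or tokens[0] != "access-list"
            or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    rest = tokens[4:]
    return tokens[2], _take(rest), _take(rest)


def shadowed(lines):
    """Return (entry, covering_entry) pairs, 1-based, where an earlier entry
    with the opposite action already matches everything the later one does."""
    rules = [parse(line) for line in lines]
    hits = []
    for i, (action, src, dst) in enumerate(rules):
        for j in range(i):
            prev_action, prev_src, prev_dst = rules[j]
            if src.subnet_of(prev_src) and dst.subnet_of(prev_dst):
                if prev_action != action:
                    hits.append((i + 1, j + 1))
                break  # first covering entry decides; later ones are moot
    return hits


def first_match(lines, src_ip, dst_ip):
    """Action of the first matching entry. In a NAT ACL 'permit' means the
    packet is translated and 'deny' means it is exempt from NAT."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for line in lines:
        action, src_net, dst_net = parse(line)
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ACL


def denies_first(lines):
    """Stable reorder for this NAT-exemption pattern: denies, then permits."""
    return sorted(lines, key=lambda line: parse(line)[0] != "deny")


if __name__ == "__main__":
    print("shadowed entries:", shadowed(NAT_ACL_AS_POSTED))
    print("17.10 -> 18.10 as posted:",
          first_match(NAT_ACL_AS_POSTED, "192.168.17.10", "192.168.18.10"))
    fixed = denies_first(NAT_ACL_AS_POSTED)
    print("17.10 -> 18.10 reordered:",
          first_match(fixed, "192.168.17.10", "192.168.18.10"))
```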

  • BB10 and BBM connected Apps questions

    1 when he invites to the connected app BBM I can fill in the fields and click on invite-nothing happens

    where did - inviting directly from surveys BBM works instantly.

    2. on the page / screen with the bar scanner/updates / apps - connected app is here. What is a clickable link?

    3 NFC - tap to invite to BBM does not connect?

    These issues are related?

    @MSohm

    Alrighty then.

  • VPN high availability: dual VPN3k at the hub and PIX as spokes

    Hi Experts.

    In my scenario, I need routing between the spokes and, above all, high availability (HA).

    On the spokes, I have Pix 501/506E, OS ver 6.3. In the hub, I have a couple of redundant VPN3k.

    Which mechanism is the best:

    1 - hub and spoke topology with EzVPN remote on the spokes - for HA, can I take advantage of the "load balancing" feature of the VPN3k?

    2 - hub and spoke topology with EzVPN remote on the spokes - for HA, can I take advantage of the "backup server" feature of the VPN3k?

    3 - any-to-any topology (an IPSEC tunnel between any pair of sites) - for HA, can I take advantage of the 'LAN-to-LAN backup' feature of the VPN3k?

    Thank you

    Michele

    I'd go with NLB on the backup server. With load balancing your connections will be spread over the two hubs. If a hub dies, then at least it will only affect half of your connections, rather than each of them in case of death of your primary and backup servers using.

    If a hub dies, your PIX connections will be de-energized for a short period, but they will be able to reconnect back automatically without making you no change.

  • Impossible to route traffic through a tunnel "will" in a frame relay Center and spoke environment.

    Hello

    I have a frame relay hub and spoke environment.

    Headquarters (hub) and around seven remote branch offices.

    I'm trying to encrypt all data between the hub and the spokes using point-to-point GRE tunnels from the hub to each spoke.

    I made the necessary setup on all routers using SDM, and all tunnels came up.

    The problem is that when I tried to redirect all traffic for the respective subnets through the assigned tunnels, nothing happened.

    I decided to do a bit of troubleshooting with one spoke and test the connection to the hub.

    Ping from Headquarters to the tunnel endpoint

    Router01 #ping ppp.168.140.14

    Type to abort escape sequence.

    Send 5, echoes ICMP 100 bytes to ppp.168.140.14, wait time is 2 seconds:

    .....

    Success rate is 0% (0/5)

    Ping from the spoke to the tunnel endpoint

    router04 #ping ppp.168.140.4

    Send 5, echoes ICMP 100 bytes to ppp.168.140.4, wait time is 2 seconds:

    .....

    EIGRP neighbors learned by the spoke:

    router04 #sh ip eigrp ne

    IP-EIGRP neighbors for process 10

    H   Address             Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                        (sec)           (ms)        Cnt  Num
    0   10.x.x.1            Se0/0/0.1   14    2d21h     40    2280  0    2493678

    EIGRP neighbors learned by the hub:

    H   Address             Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                        (sec)           (ms)        Cnt  Num
    8   ppp.168.160.16      Tu2         31    00:00:26  1     5000  1    0
    7   ppp.168.150.15      Tu1         13    00:00:47  1     5000  1    0
    3   ppp.168.170.17      Tu3         14    00:00:59  1     5000  1    0
    2   ppp.192.168.190.19  Tu4         13    00:01:05  1     5000  1    0
    0   ppp.168.140.14      Tu0         31    00:01:18  1     5000  1    0
    11  10.x.0.6            Se0/0/0.4   12    02:40:20  53    318   0    399684
    1   10.x.x.9            Se0/0/0.7   11    02:41:20  1380  5000  0    377427
    9   10.x.x.5            Se0/0/0.3   11    02:44:28  47    1426  0    370651
    4   10.x.x.7            Se0/0/0.5   12    1d23h     51    306   0    363006
    5   10.x.x.8            Se0/0/0.1   12    2d06h     77    462   0    1210492
    12  10.x.x.11           Se0/0/0.8   11    2d21h     51    306   0    395295
    6   10.x.x.4            Se0/0/0.2   14    2d21h     53    318   0    284379

    Router01 #

    I have attached the configurations of the hub and one of the spokes (the problem outlined above happens for all the spokes).

    Also, the pre-shared keys and IP addresses were stripped for security reasons.

    Regards

    Jomo

    Sure no problem.

    Have a good holiday.

  • Cisco RV042 cannot create a simple VPN?

    Hello

    I'm confused because I'm trying to set up a simple VPN (client to gateway), but I can't!

    A SSL VPN or an IPSEC VPN, whatever...

    The RV042 firmware is up-to-date, and I try QuickVPN as a customer vpn (also updated...)

    My configuration details:

    I'm at the: 192.168.2.14/24

    My RV042: 192.168.2.250/24

    And the VPN intend to connect to: 192.168.4.x

    I am currently in testing... that's why I use private IP...

    Customer gateway
    Add a new VPN group

    Tunnel ofgroup VPN
    Group No. 1
    Name of the tunnel: VPN TEST
    Interface: WAN1WAN2
    Activate:
    Configuration of local groups

    Type of local security group: Range IPSubnetIP
    IP address: 192.168.4.0
    Subnet mask: 255.255.255.0
    Remote Client installation

    Remote client: Domain Name (FQDN) Email address (USER FQDN) Client Microsoft VPN XP/2000
    Domain name: Microsoft.com
    IPSec configuration

    Input mode: IKE with preshared key
    Group of the phase 1 of DH: Group 1-768 bitGroup bitGroup 2-1024 bit 5-1536
    Encryption of the phase 1: DES3DESAES-128AES-192AES-256
    Authentication of the phase 1: MD5SHA1
    Phase 1 time in HIS life: 28800 seconds
    Perfect Forward Secrecy:
    Group of the phase 2 DH: Group 1-768 bitGroup bitGroup 2-1024 bit 5-1536
    Encryption of the phase 2: DES3DESAES-128AES-192AES-256
    Authentication of the phase 2: MD5SHA1
    Time for phase 2 of HIS life: 3600 seconds
    Pre-shared key: 123456

    so far, nothing fancy... Ok?

    So I create my username for the test:

    VPN Client Access
    User name:
    New password:
    Confirm the new password:
    Allow the change of password: YesNo.
    Active:
    DTSInfo-online Active

    The user is created and activated...

    For the test, I have disabled the firewall (router + windows 7).

    And now, when I launch the QuickVPN client:

    Then, when I launch:

    > Connection...

    > Activation of policy...

    > Verification of network...

    > The remote gateway is not responding. You don't want to wait? [NO]

    > Disconecting from the server...

    This means that, after activation of the policy, I am connected to the router (user status: active). But when it verifies the network... I am offline!

    Here is the log of the RV042:

    dec 18 12:57:50 2012 The VPN log description of the additional connection (qknips1)
    dec 18 12:57:50 2012 The VPN log listen to IKE messages
    dec 18 12:57:50 2012 The VPN log forget the secrets
    dec 18 12:57:50 2012 The VPN log loading of the secrets of ' / etc/ipsec.d/ipsec.secrets'
    18 12:57:57 dec 2012 The VPN log (qknips1): removal of connection

    So I'm connected for 7 seconds... Why?

    Can someone help me?

    When I try with the built-in Windows VPN client, the logs just fill up even more... ^ ^

    Help! hour

    Thanks (and sorry for my bad English ^ ^)

    Hello

    Please use our forum

    Hi Skip, my name is Johnnatan and I'm part of the small business support community. I've seen your post and I see you are using Windows 7 and that you disabled your firewall to test your connection. Some configuration on both the computer and the router is needed to solve your problem.

    Computer

    As you use Windows 7, you must enable the Windows Firewall and create 2 rules, and also make sure that IPsec communication is allowed. You can follow these steps:

    http://www6.nohold.NET/CiscoSB/Loginr.aspx?login=1&PID=2&app=search&VW=1&articleid=2922

    Router:

    Go to Firewall > Basic Settings and

    Disable: Block WAN request

    Enable: Remote Management

    Go to VPN > VPN Passthrough and make sure everything is enabled.

    I hope that you will find this answer useful. If it was satisfactory to you, please mark the question as answered. Please rate the posts you consider useful.

    Greetings,

    Johnnatan Rodriguez Miranda.

    Support of Cisco network engineer.

  • Cisco Anyconnect VPN client cannot establish a connection.

    Hello

    I am trying to connect to my license server at the university. I use 'Cisco Anyconnect VPN', but when it is going to initialize the connection it gives me the error "unable to establish a connection to the VPN client". At this point, the network adapter of my Cisco AnyConnect gets disabled automatically.

    I have no antivirus, and also it happens even when I turn off my firewall.

    Please help me solve this problem that prevents me from my all of the work!

    Thank you in advance.

    In addition to the advice of John I would also look at this document from Cisco for possible help...

    http://www.Cisco.com/image/gif/paws/100597/AnyConnect-VPN-Troubleshooting.PDF

    Cisco help as much as possible...

    http://www.Cisco.com/en/us/products/ps8411/tsd_products_support_series_home.html

    It's also possible you may have to run or reinstall the Cisco client in compatibility mode, if they do not have a version for Windows 7.

    http://Windows.Microsoft.com/en-us/Windows7/help/compatibility

    http://Windows.Microsoft.com/en-us/Windows7/open-the-program-compatibility-Troubleshooter

    http://Windows.Microsoft.com/en-us/Windows7/make-older-programs-run-in-this-version-of-Windows

    Otherwise, contacting your university network administrators may also be a viable option.

    MS - MVP Windows Expert - consumer
    "When all else fails try what the captain suggested before you started...". »

  • Cisco VPN Client and Windows XP VPN Client IPSec to ASA

    I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

    PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

    Config is:

    !

    interface GigabitEthernet0/2.30

    Description remote access

    VLAN 30

    nameif remote access

    security-level 0

    IP 85.*. *. 1 255.255.255.0

    !

    access-list 110 scope ip allow a whole

    NAT list extended access permit tcp any host 10.254.17.10 eq ssh

    NAT list extended access permit tcp any host 10.254.17.26 eq ssh

    access-list extended ip allowed any one sheep

    access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

    sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

    tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

    flow-export destination inside-Bct 192.168.1.27 9996

    IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

    ARP timeout 14400

    global (outside-Baku) 1 interface

    global (outside-Ganja) interface 2

    NAT (inside-Bct) 0 access-list sheep-vpn

    NAT (inside-Bct) 1 access list nat

    NAT (inside-Bct) 2-nat-ganja access list

    Access-group rdp on interface outside-Ganja

    !

    Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

    Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

    Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

    Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

    Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

    Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

    Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

    dynamic-access-policy-registration DfltAccessPolicy

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto ipsec transform-set newset aes - esp esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

    Crypto ipsec transform-set vpnclienttrans transport mode

    Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

    life crypto ipsec security association seconds 214748364

    Crypto ipsec kilobytes of life security-association 214748364

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

    card crypto interface for remote access vpnclientmap

    crypto isakmp identity address

    ISAKMP crypto enable vpntest

    ISAKMP crypto enable outside-Baku

    ISAKMP crypto enable outside-Ganja

    crypto ISAKMP enable remote access

    ISAKMP crypto enable Interior-Bct

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    No vpn-addr-assign aaa

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.192 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside Baku

    SSH 10.254.17.18 255.255.255.255 outside Baku

    SSH 10.254.17.10 255.255.255.255 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside-Ganja

    SSH 10.254.17.18 255.255.255.255 outside-Ganja

    SSH 10.254.17.10 255.255.255.255 outside-Ganja

    SSH 192.168.1.0 255.255.255.192 Interior-Bct

    internal vpn group policy

    attributes of vpn group policy

    value of DNS-server 192.168.1.3

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    BCT.AZ value by default-field

    attributes global-tunnel-group DefaultRAGroup

    raccess address pool

    Group-RADIUS authentication server

    Group Policy - by default-vpn

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    Hello

    For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the tunnel-group section of the ASA config.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This tunnel-group name is used as the group name in the VPN Client.

    So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

    Secondly, because you are behind an ADSL router, I'm sure that's configured for NAT. Can you please enable NAT-T on your ASA:

    crypto isakmp nat-traversal

    Thirdly, change the transform set:

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    Let me know the result.

    Thank you

    Gilbert

  • Cisco 1700 Setup as a hub for Cisco Anyconnect VPN

    The complete configuration for the router is attached. Additional configuration includes forwarding port 443 (the two tcp/udp), udp 4500, udp 500 and udp 50 to 192.168.1.20.

    Objective: Configure Cisco 1700 router as a VPN server, which a Cisco Anyconnect VPN client in. The VPN server is behind a NAT.

    Question 1: The Cisco Anyconnect client pulls its set of configuration of the router? I just need to point to the correct IP address and hit connect and it will do the rest? If not, what additional client side configuration must be done? I noticed, it tries to connect on port 443 to my router, but I don't really know why and I know that my router is not listening on this port, so I know I'm missing something:-D.

    Question 2: What are the features specifically include easy vpn server? I am confused as to exactly what it is. From what I can tell when you configure easy vpn server you simply set up a regular VPN.

    Question 3: Cisco Easy VPN remote has something to do with Cisco Anyconnect or they are completely distinct?

    Sorry for the newbie questions. It's really hard to understand the different systems and features on it and most of the examples I found dealt with the VPN router to router rather than configurations just for computers of end users, but I'll be the first to admit that I am new on this hahaha.

    Thanks for your help.

    PS: Any comment on the misconfigs are welcome. I'm still trying to understand fully exactly what each command does.

    Grant

    Grant,

    AnyConnect can do SSLVPN or IPsec (with IKEv2), ezvpn is all about IKEv1, it won't work.

    There are (3rd party) clients that will be able to connect to ezvpn, as well as the old Cisco VPN client, but AC is not one of them.

    BTW... it's not 50/UDP, this is IP protocol 50 (or sometimes 51) - ESP (or AH).

    You don't have TCP and UDP 443 for IPsec, but you may need them for SSL.

    And seriously... series of 1700? Wow, this is a 'retro' kit :-) Support ended 6 years ago.

    M.
