Cisco VPN concentrator 3005

FW 4.1.7r

I can't get HTTPS management to work on the device.  The event logs say something about not being able to add the SSL certificate to the private interface.  I tried turning HTTPS on and off without success.  I also restarted the device.

Anything else I can try?

You can check whether the self-signed certificate on the VPN concentrator has expired.

It will be under Administration --> Certificate Management.

Tags: Cisco Security

Similar Questions

  • VPN concentrator 3005 - IP address assignment problem

    I have a strange problem with the VPN concentrator 3005. I have the private interface configured with 192.168.3.3/24 as the IP address. Whenever I assign users an IP address from the same network (for example 192.168.3.105/24) or use an IP address pool (192.168.3.100 - 192.168.3.150), the connection fails and the concentrator reports that it cannot assign an IP address to the client.

    However, if I configure the user or the address pool on a different subnet, it works and the user gets connected. For example, 192.168.2.105/24. It hits a back-end switch and I do not really want to have to add a router to talk between subnets.

    Am I missing something?

    Any help is appreciated!

    Alan,

    It is recommended to assign the VPN clients a pool of IP addresses separate from the internal network.

    Although it is not recommended, you should be able to assign a pool of IP addresses that is part of the same internal network, and it should work. The only thing you must be aware of is that the range of IP addresses assigned to clients must not be in use on the internal network.

    You can post the VPN 3000 logs from when it is not able to assign an IP address to the VPN Client.

    Let me know if it helps.

    Kind regards

    Arul

    * Please rate all useful posts *

  • Help, please! Microsoft Vs Cisco VPN Client VPN

    Could someone please indicate whether the Cisco VPN Client is safer than the VPN built into Microsoft Windows XP? If the Cisco client is more secure, then why? Microsoft does not use IPSec, just PPTP, right?

    Please advise - very urgent!

    I understand that a Cisco client with a Cisco VPN concentrator is safer, but I'm not sure exactly why.

    Carlton,

    Take a deeper look; all your questions will be answered once you look at these links.

    IPSec is an open standard; the Cisco VPN client, or any IPSec-based VPN client, should meet those standards. You'll learn more by reading the few links below, and at the end of the reading you will have a better perspective on the client you would gear towards using as a network professional.

    Personally, I've been moving away from PPTP little by little and substituting the Cisco VPN client. Don't get me wrong, PPTP is still widely used out there, but it is more vulnerable.

    With IPSec VPN you have a wider choice of authentication algorithms and granularity of ciphers, as a way to implement an extremely secure VPN for a remote-access architecture.

    Introduction to IPsec

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a0080094203.shtml

    Introduction to PPTP/L2TP

    http://www.Clavister.com/manuals/ver8.6x/manual/VPN/pptp_basics.htm

    Analysis of vulnerabilities and implementation MS PPTP

    http://www.Schneier.com/paper-PPTP.html

    http://www.Schneier.com/paper-PPTP.PDF

    Alternative workaround to use client MS using L2TP over Ipsec

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

    In addition, you can do a Google search on "hacking PPTP" or "IPSec" to see more vulnerabilities.

    Rgds

    Jorge

  • Traffic flow problem with a tunnel to a network that already has a tunnel to a VPN concentrator

    Hi, I have been working with Cisco and the vendor for 2 weeks on this. I am hoping that what we are seeing will ring a bell with someone.

    Some basic information:

    I work with a vendor who needs a site-to-site tunnel.  There is currently a site-to-site tunnel with the vendor using a Juniper SSG, which works without incident in my system.  I'm transitioning to Cisco 2811 routers and setting up a new tunnel with the vendor; the 2800 uses a different public IP address in my address range.  So my network has 2 tunnels with the provider, who uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

    My Cisco router will create a tunnel, but I cannot get to hosts on the provider's network through the Cisco 2811, whereas I can through the Juniper tunnel.  The vendor sees my packets, the provider host answers them and sends them into the tunnel.  They never reach the external interface on my Cisco router.

    I am sourcing from the external interface, so my endpoint and the peer address are the same IP address.  (Note: I tried doing a static NAT and having a different tunnel address and host address, with the same result.  Cisco has confirmed that I do have 2 different addresses and this configuration was successful in creating another tunnel to a different network.)

    I tested this configuration on a staging network before moving the router to the production network, and my Cisco 2811 managed to create the tunnel and ping the inside host.  Once we moved the router to the site, we can no longer ping the host behind the vendor tunnel.   The vendor assures me that the tunnel settings are exactly the same, and he sees his host sending traffic into the tunnel.  The vendor seems well versed with the VPN concentrator and manages connections for many customers successfully.

    The vendor has a second VPN concentrator on a separate network, and I can connect to that VPN concentrator successfully from the same Cisco 2811 that is having problems with the concentrator which also has a tunnel with the Juniper.

    Here is what we have done so far:

    (1) confirm the config with Cisco's help on the 2811.  The tunnel is up.  sh crypto ipsec sa shows the tunnel up.
    (2) turn on NAT-T on the vendor's side of the VPN tunnel
    (3) confirm that traffic flows properly through a tunnel to another network (which would indicate that the Cisco config is OK)
    (4) successfully tunnel to and reach a host in a different configuration
    (5) confirm all the tunnel settings with the vendor
    (6) the vendor confirmed that his side's host has no route and that it points to the default gateway
    (7) rebuild the tunnel from scratch
    (8) confirm with our ISP that no route diverts traffic elsewhere.  My ISP gateway sees my directly connected external address.
    (9) confirm that the ACL matches the vendor's
    (10) I can't touch the Juniper because it is in production and in constant use

    Is there a known issue with using a VPN concentrator to connect to 2 tunnels on the same /28 network range?

    Options or ideas are welcome.  I have had countless WebEx sessions with Cisco, but do not have access to the vendor's concentrator.  I can forward suggestions.

    Here's the config (addresses and keys removed):

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2

    crypto ipsec transform-set mytrans esp-aes esp-sha-hmac

    crypto dynamic-map dynmap 30
     set transform-set RIGHT

    crypto isakmp key <removed> address <removed> no-xauth

    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
     ip address <removed> 255.255.255.240
     ip access-group 107 in
     ip access-group 106 out
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map mymap

    Logging access lists (applied on the outside interface to get an idea of what is happening.  No ESP traffic shows up; the entry never gets a hit.)

    access-list 106 permit esp host <removed> host <removed> log
    access-list 106 permit ip any any
    access-list 107 permit esp host <removed> host <removed> log
    access-list 107 permit ip host <removed> host <removed> log

    access-list 107 permit ip host <removed> host <removed> log
    access-list 107 permit ip any any

    sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    <removed>       <removed>       QM_IDLE           1010    0 ACTIVE

    Crypto Map "mymap" 1 ipsec-isakmp
            Peer = <removed>
            Extended IP access list 116
                access-list 116 permit ip host <removed> host <removed>   (which is a public IP address)
            Current peer: <removed>
            Security association lifetime: 4608000 kilobytes/2800 seconds
            PFS (Y/N): N
            Transform sets={
                    mytrans,
            }

    OK - so I have messed around in the lab for 20 minutes and came up with the below (the IPs are test IPs :-)

    (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix-length 30   <> this is the new NAT address

    !
    (1) ip nat inside source list 102 interface FastEthernet0/0 overload   <> this is the default interface NAT

    !
    ip nat inside source route-map crypto-nat pool crypto-nat overload   <> this is the policy NAT

    !

    (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255   <> defines the source and destination IP traffic

    !

    (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255   <> does not NAT the normal communication

    (3) access-list 102 deny ip host 10.1.1.1 172.16.2.0 0.0.0.255   <> does not re-NAT the NAT

    (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any   <> allows everyone else to use the interface IP address for NAT

    !

    (5) route-map crypto-nat permit 5   <> condition for the specific NAT required
     match ip address 101   <> matches the traffic whose source and destination IP must be NAT'd

    (7) access-list 103 permit ip host 10.1.1.1 172.16.2.0 0.0.0.255   <> crypto ACL

    So, how the above works: when a packet with a 172.16.1.0/24 source wants to leave the router to connect to, say, Google, the source is changed to the interface IP (1).  When 172.16.1.0/24 wants to talk to 172.16.2.0/24, it does not get translated (2).  When traffic has matched the NAT clause for the remote end, the already NAT'd IP will not be affected again (3).  When a host in 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a specific NAT, so a NAT pool is required (4).  We must define a method to apply the specific NAT to that traffic with a route-map (5), which applies only to the specific traffic (6); then simply define the interesting traffic for the VPN to initiate and enable comms (7).
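To make the policy-NAT walk-through above concrete, here is an added example (not from the thread, and not IOS code) that models the decisions the lab config makes for a single inside-to-outside packet: which `ip nat inside source` rule claims it, what the source becomes, and whether the translated packet then matches the crypto ACL. The ACL numbers and addresses are the ones in the post; the outside interface address 203.0.113.1 is an assumption, since the post does not give one.

```python
import ipaddress

# Added example, not from the thread: a model of how the router in the lab
# config decides, for one outbound packet, which NAT rule claims it and whether
# the translated packet then matches the crypto ACL.  ACL entries are
# (action, source, destination) in CIDR form; the wildcard masks from the post
# (0.0.0.255) are written as /24.
ACL_101 = [("permit", "172.16.1.0/24", "172.16.2.0/24")]        # route-map match (6)
ACL_102 = [("deny",   "172.16.1.0/24", "172.16.2.0/24"),        # no interface PAT for VPN traffic (2)
           ("deny",   "10.1.1.1/32",   "172.16.2.0/24"),        # never re-NAT the pool address (3)
           ("permit", "172.16.1.0/24", "0.0.0.0/0")]            # everything else uses the interface (1)
ACL_103 = [("permit", "10.1.1.1/32",   "172.16.2.0/24")]        # crypto ACL, interesting traffic (7)

POOL_IP = "10.1.1.1"             # ip nat pool crypto-nat (4)
INTERFACE_IP = "203.0.113.1"     # assumed Fa0/0 address; the post does not give one


def acl_action(acl, src, dst):
    """First matching entry wins, with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def nat_source(src, dst):
    """Model the two 'ip nat inside source' rules.  ACL 102 denies exactly what
    ACL 101 permits, so the rules are disjoint and at most one claims a packet;
    evaluation order therefore does not matter here."""
    if acl_action(ACL_101, src, dst) == "permit":
        return POOL_IP, "policy NAT via route-map crypto-nat"
    if acl_action(ACL_102, src, dst) == "permit":
        return INTERFACE_IP, "interface PAT via list 102"
    return src, "no translation"


def forward(src, dst):
    """Inside-to-outside path: NAT happens first, then the crypto map on the
    outside interface evaluates the crypto ACL against the translated source."""
    new_src, how = nat_source(src, dst)
    return {"src": new_src, "nat": how,
            "ipsec": acl_action(ACL_103, new_src, dst) == "permit"}


if __name__ == "__main__":
    for flow in [("172.16.1.5", "198.51.100.10"),   # internet-bound
                 ("172.16.1.5", "172.16.2.20"),     # VPN-bound, needs the pool address
                 ("172.16.3.9", "172.16.2.20")]:    # covered by no rule at all
        print(flow, "->", forward(*flow))
```

The third flow is the useful check: a source outside 172.16.1.0/24 is neither translated nor encrypted, because ACL 102 ends in an implicit deny and ACL 103 only permits the pool address. If the crypto ACL had been written against the inside network instead of the pool address, the VPN-bound flow would never be encrypted after translation.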

  • Failover with VPN concentrator

    Hi all

    We have a single VPN concentrator which is a single point of failure, so I need your help to mitigate this.

    The topology diagram is attached

    Site A and Site B.

    Site B has internet gateways where we have existing VPN.

    The intention is to introduce Internet gateways and a VPN concentrator at Site A as well.

    Our design is as follows:

    Connectivity between the two locations & other office is managed by BGP.

    Default route is pointing at the Internet gateway.

    Info about the Internet segment:

    ·         We have a provider-independent IP range

    ·         Switching between the 2 SPs at Site B is achieved using iBGP and eBGP

    Challenge: the VPN concentrator is a single point of failure (Cisco VPN concentrator 3000)

    Here are the design goals:

    ·         Implement Internet gateways at Site A, which will have gateway-level redundancy at the site

    ·         Place a VPN concentrator at Site A, which will act as a switchover between sites

    o If the Site B VPN concentrator is down, the Site A VPN concentrator must carry all traffic.

    o An active replica of the Site B VPN concentrator

    Is it possible to achieve these design objectives?

    Please help with the VPN concentrator... How can I set up the VPN concentrator in failover mode, just as we do with firewalls?

    Help, please

    Hi yogesh,

    The VPN concentrator supports failover through VRRP. Please find the following document for your reference:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

    As for adding failover to the VPN concentrator, do you happen to have a spare VPN concentrator to run VRRP?

    Not sure if you know, but the VPN concentrator has reached end of life and the last ship date was November 2007; as a result, you will not be able to buy a VPN concentrator anymore.

    Here's the EOL notification for your reference:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

  • Cisco VPN Client behind PIX 515E -> VPN concentrator

    I'm trying to configure a client as follows:

    The user is running Cisco VPN Client 4.0. They are behind a PIX 515E running 6.1(4), and need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow an IPsec tunnel through the firewall, I need to upgrade the PIX to 6.3 and activate "fixup protocol esp-ike".

    Is there another way to do this? I am also curious to know how much easier/better this would work if we were dealing with PPTP.

    You don't necessarily need fixup protocol esp-ike enabled. Does the remote concentrator have NAT-T encapsulation enabled so that clients behind NAT can work?

  • Console Cable - Cisco VPN 3000 Concentrator

    Where can I get a console cable for the Cisco VPN 3000 Concentrator? The place I bought the concentrator from did not send me one with it.

    Thank you

    JP

    JP,

    The console port of the VPN concentrator being RS-232 compliant, you can buy two female DB9-to-RJ45 adapters, one for the concentrator and one for the PC's COM1 port, then use a regular straight-through CAT5 cable; that's the way I do it and it is more convenient than using a straight-through RS-232 serial cable.

    http://www.sealevel.com/product_detail.asp?product_id=787

    As for the regular cable this concentrator comes with, you can use this one:

    http://www.stonewallcable.com/product.asp?Dept%5Fid=35&PF%5Fid=SC%2DS9%2DFF

    Additional information for your initial concentrator setup:

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/3_6/getting/gs2inst.htm#1050260

    Regards

    Please rate useful posts

  • ASA & concentrator 3005 VPN fails

    Hi guys,

    I set up a VPN between an ASA 5510 running OS 7.2 (base) and a concentrator 3005.

    The VPN comes up perfectly if initiated from the ASA, but fails in Phase 2 when initiated from the 3005 (1.1.1.5). On failure, the ASA throws the following errors:

    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, PHASE 1 COMPLETED
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
    Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--172.19.0.0--255.255.0.0
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received remote IP Proxy Subnet data in ID Payload: Address 172.19.0.0, Mask 255.255.0.0, Protocol 0, Port 0
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
    Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing notify payload
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, QM IsRekeyed old sa not found by addr
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, checking map = mymap, seq = 9...
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, map = mymap, seq = 9, ACL does not match proxy IDs src:172.19.0.0 dst:192.168.2.0
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, IKE Remote Peer configured for crypto map: dynmap
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing IPSec SA payload
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, All IPSec SA proposals found unacceptable!
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, sending notify message

    What I gather from the above output is that seq 9 of crypto map mymap does not match the proposal offered by the 3005. And guess what, it doesn't - so no surprise - but seq 12 does match. So I guess the ASA is not checking the 3005 proposal against the whole crypto map. Is that right? And if so, does anyone know why not?

    TIA

    Cheers

    Scott

    Hi Scott,

    We found it.

    The dynamic crypto map must be attached to the static crypto map only after all static entries have been configured.

    The best way is to attach the dynamic map at the last line of the static map, which is line no. 65535.

    So follow these steps and let me know how it goes:


    no crypto map mymap 10 ipsec-isakmp dynamic dynmap


    crypto map mymap 65535 ipsec-isakmp dynamic dynmap

    Please enter the commands above at the ASA configuration prompt.

    Cheers,

    Nash.
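The behaviour Scott saw in the debug and Nash's fix both come down to the order in which the ASA walks the crypto map. The following is an added example, not Cisco's code and not from the thread: a small model of that walk, with the sequence numbers, peer address and proxy IDs taken from the debug above. The transform-set names (TS-3005, TS-RA, TS-OTHER) and the peer and ACL of the seq 9 entry are assumptions, since the thread does not show them.

```python
import ipaddress

# Added example, not Cisco's code: a model of the crypto-map walk the debug
# above shows.  Sequence numbers, peer address and proxy IDs mirror the thread;
# the transform-set names and the seq 9 entry's peer/ACL are assumed.

def static_entry(seq, peer, local, remote, transform_sets):
    """crypto map mymap <seq> ipsec-isakmp with set peer / match address / set transform-set."""
    return {"seq": seq, "dynamic": False, "peer": peer,
            "local": ipaddress.ip_network(local), "remote": ipaddress.ip_network(remote),
            "tsets": set(transform_sets)}


def dynamic_entry(seq, transform_sets):
    """crypto map mymap <seq> ipsec-isakmp dynamic dynmap: no peer, no ACL."""
    return {"seq": seq, "dynamic": True, "tsets": set(transform_sets)}


def select_entry(crypto_map, peer, local_id, remote_id):
    """Walk the map in sequence order and return the first entry that claims the
    peer.  A static entry claims it only if the peer and both proxy IDs match its
    ACL; a dynamic entry claims any peer, so every static entry behind it is
    never examined.  That is exactly what 'configured for crypto map: dynmap'
    after the seq 9 miss means in the debug."""
    local, remote = ipaddress.ip_network(local_id), ipaddress.ip_network(remote_id)
    for entry in sorted(crypto_map, key=lambda e: e["seq"]):
        if entry["dynamic"]:
            return entry
        if entry["peer"] == peer and entry["local"] == local and entry["remote"] == remote:
            return entry
    return None


def phase2(crypto_map, peer, local_id, remote_id, offered_tsets):
    """Outcome of quick mode once an entry has been chosen: the peer's proposal
    must intersect that entry's transform sets, not some other entry's."""
    entry = select_entry(crypto_map, peer, local_id, remote_id)
    if entry is None:
        return "no crypto map entry for peer"
    if entry["tsets"] & set(offered_tsets):
        return f"accepted by seq {entry['seq']}"
    return f"all IPSec SA proposals found unacceptable (seq {entry['seq']})"


def build_map(dynamic_seq):
    """The map from the thread: seq 9 is some other site (assumed), seq 12 is the 3005."""
    return [
        static_entry(9, "1.1.1.20", "192.168.2.0/24", "10.50.0.0/16", ["TS-OTHER"]),   # assumed
        static_entry(12, "1.1.1.15", "192.168.2.0/24", "172.19.0.0/16", ["TS-3005"]),
        dynamic_entry(dynamic_seq, ["TS-RA"]),
    ]


BROKEN_MAP = build_map(10)       # dynmap attached at seq 10, between the static entries
FIXED_MAP = build_map(65535)     # Nash's fix: dynmap attached last


if __name__ == "__main__":
    args = ("1.1.1.15", "192.168.2.0/24", "172.19.0.0/16", ["TS-3005"])
    print("before:", phase2(BROKEN_MAP, *args))
    print("after: ", phase2(FIXED_MAP, *args))
    print("unknown peer:", phase2(FIXED_MAP, "198.51.100.7", "192.168.2.0/24", "10.9.9.0/24", ["TS-RA"]))
```

With the dynamic entry at seq 10 the 3005 is swallowed by dynmap before seq 12 is ever checked, and its proposal is then judged against dynmap's transform set, which is the "unacceptable" failure in the debug. Moving the dynamic entry to 65535 lets every static entry be tested first, while still catching remote-access peers that match no static entry.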

  • SafeNet and Cisco VPN Client Compatible?

    I have been using the Cisco VPN client for quite a while with no problems. Recently we added a WatchGuard Firebox at another site and installed the WatchGuard MUVPN client, otherwise known as the SafeNet client.

    Since the installation, I have not been able to use the Cisco client properly. If I disable the two SafeNet services, I am prompted for my user ID and password, connect to the Cisco concentrator and get an IP, etc. However, I can't ping anything on the network.

    My solution has been to completely uninstall both clients and reinstall the Cisco one by itself. This is not very practical.

    If anyone knows a fix for this I'd appreciate comments.

    Thank you

    Patrick Dunnigan

    Hi Patrick,

    I only had luck with the WatchGuard-branded SafeNet client with the 4.0.x releases of the Cisco client. I think the Cisco 4.6 clients use a newer DNE driver, or something else that doesn't play well with SafeNet.

    In any case, here's how to set up a PC that requires both clients:

    First, install the Cisco VPN client. Reboot, and then stop and disable its Windows service.

    Install the WatchGuard client, rebooting as prompted.

    Then stop and set to manual both SafeNet services, and start and set to automatic the Cisco service.

    Delete the safecfg.exe shortcut in your Start menu Startup group (or the HKLM\...\Windows\CurrentVersion\Run key, wherever it gets set).

    Delete the startup shortcut for the Cisco VPN client as well.

    Whenever you want to use the Cisco client, you can just launch the IPSec Dialer. If you want to run the SafeNet client, stop the Cisco service, start the SafeNet services, then run safecfg.exe. A few batch files make this process easier for users.

    Hope that helps,

    Chris

  • VPN concentrator 3000 configuration backup

    Hello

    Can someone tell me how I can take a backup of my Cisco VPN 3000 series concentrator configuration?

    In GUI and command-line mode?

    I couldn't find any good document describing it.

    Here is the link on how to backup/restore configs and work with the file system.

    http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/Administration/Guide/Fileman.html

  • MS RADIUS and Cisco VPN client

    We currently have a Windows RAS server with IAS authenticating users over PPTP.

    I want to move to a 3005 concentrator (we have two not in use) and use the Cisco VPN client with IPSec, also using RADIUS (IAS) on Windows to authenticate against Active Directory.

    I have a working config for the client and it performs authentication, but I'm afraid you can't configure IAS to work with IPSec unless you configure the policy for "Unencrypted authentication (PAP, SPAP)" on the Authentication tab and "No encryption" on the Encryption tab.

    Are the credentials used to establish the tunnel encrypted with IPSec by the Cisco VPN client?

    For RADIUS PAP authentication, the user name is in the clear and the password is encrypted with the RADIUS shared secret.

    To maximize security, you would use TACACS+ or IPSec transport mode and an isolated VLAN. But for most of us, strong passwords and physical security keep RADIUS PAP from being a significant weakness.
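"Encrypted with the RADIUS shared secret" is the User-Password hiding of RFC 2865 section 5.2, and seeing it written out makes the reply's advice about strong secrets and an isolated VLAN concrete. The block below is an added example, not from the thread and not IAS or concentrator code: it encodes and decodes a User-Password attribute, then shows that anyone holding a captured Access-Request can brute-force a weak shared secret offline, because the Request Authenticator travels in the clear. The password, secret, authenticator and wordlist are constructed for the demo.

```python
import hashlib

# Added example, not from the thread: the RADIUS User-Password obfuscation of
# RFC 2865 section 5.2.  The password, shared secret, Request Authenticator and
# wordlist in the demo at the bottom are constructed for illustration.

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode.  The chaining value is the ciphertext block itself,
    so the whole keystream is recoverable by anyone with the secret and the packet."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")   # strip the NUL padding RFC 2865 adds


def looks_like_password(block: bytes) -> bool:
    """Plausibility test for a decrypted first block: printable ASCII, then only NUL padding."""
    body = block.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= b < 0x7F for b in body)


def recover_secret(encoded: bytes, authenticator: bytes, wordlist):
    """Offline guess of the shared secret from a single captured Access-Request.
    Only the first 16-byte block is needed, and the Request Authenticator is in
    the packet in the clear, so the secret is the only unknown."""
    for guess in wordlist:
        keystream = hashlib.md5(guess + authenticator).digest()
        first = bytes(c ^ k for c, k in zip(encoded[:16], keystream))
        if looks_like_password(first):
            return guess
    return None


if __name__ == "__main__":
    auth = bytes(range(16))          # constructed; a real NAS picks a fresh random one per request
    enc = pap_encode(b"s3cret!", b"radiuskey", auth)
    print("on the wire:", enc.hex())
    print("server-side decode:", pap_decode(enc, b"radiuskey", auth))
    print("guessed secret:", recover_secret(enc, auth, [b"password", b"cisco", b"radiuskey"]))
```

The obfuscation has no integrity and no key stretching: one MD5 per guess, and a single sniffed Access-Request is enough to test a whole wordlist. That is why the reply's alternatives (TACACS+, IPSec transport mode between concentrator and IAS, or keeping the RADIUS leg on an isolated VLAN) matter more than the PAP-versus-CHAP choice on the IAS policy.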

  • Configuration file for the VPN concentrator

    Hello

    I have a text-based VPN concentrator configuration file, and I want to know if there is a VPN concentrator configuration guide I can use as a reference for this file. The configuration guide on cisco.com is currently for the GUI-based configuration.

    Furthermore, if there is a tool/utility that will display the configuration file in the GUI format without physical access to the device, that would also help.

    Thanks in advance for any assistance.

    There is an "XML export screen" in the file management section of the VPN concentrator. You can export the current configuration of the concentrator in XML format, which provides the labels and values for the fields in the configuration file.

    http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/Administration/Guide/Fileman.html#wpxref53361

  • What are the ports used by the Cisco VPN Client?

    Hello

    I need to open outgoing traffic on my firewall to allow two internal (LAN) Cisco VPN Clients to connect to their VPN over the Internet.

    I already opened port 500/UDP, but they are not able to connect. If I open all outgoing ports, they can connect.

    What are the ports used by the Cisco VPN Client?

    Thank you

    You need to open:

    UDP 500

    ESP protocol

    You must also open UDP port 4500 (if using NAT-T).

    In addition, if the clients are connecting to a VPN 3000 Concentrator series and it is configured for any of the other NAT-transparency options, the corresponding ports must be open. By default:

    1. If using IPSec over TCP 10000, then open TCP 10000.

    2. If using IPSec over UDP 10000, open UDP 10000.

  • VPN issues - 3005 to ASA5510

    We are moving from a concentrator 3005 to an ASA5510 and I have a few questions.

    On the 3005, you can disable and enable Easy VPN tunnels. You go into the policy and check or uncheck the box to enable it. What is the method to temporarily disable a tunnel on the ASA? Through the ASDM preferably, for ease of management.

    Also, I want my remote access sessions to time out after 8 hours. The tunnel policy in the ASDM shows a value of 8 hours (28800), but I don't see this value in the config at all. I can only see a value of 86400 for the isakmp policy. If it is set in the ASDM as 8 hours, why doesn't it appear in the config? Which takes priority for the timeout, the tunnel policy or the isakmp policy?

    Thank you!

    Ryan,

    For your remote access VPN users, the maximum session connection time can be specified in the group policy attributes. Go to your tunnel group in ASDM > General, expand more options and uncheck the inherit box for maximum connect time; here you can specify the minutes after which the VPN session will end.

    Example to specify 90 minutes; you can also do this through the CLI. Note it's not an idle timeout: this will drop the session after 90 minutes for all members of the tunnel group.

    group-policy <group-policy-name> attributes

     vpn-session-timeout 90

    You can disable it as:

    group-policy <group-policy-name> attributes

     no vpn-session-timeout

    As for disabling L2L VPN sessions, I don't think there is an option to turn them on/off as in the VPN concentrators. This is a nice feature of the concentrator, but I haven't yet seen a feature like that on the ASA, or I'm not aware of one.

    HTH

    Rgds

    Jorge

  • 3015 VPN concentrator version help

    Doesn't the 3015 come with only non-redundant hardware? If not, how do I know which version I have?

    I don't have the VPN client CD supplied with the appliance; can it be downloaded or bought?

    Thanks for any help.

    Jeff

    The 3015 comes with no hardware encryption cards (SEPs). It is the same chassis as the 3030, 3060 and 3080; the only difference between the models is the memory in the box and how many SEPs and power supplies they include. The 3015 can be upgraded to a more powerful unit by simply adding SEPs, but as is, it's basically empty.

    The client code and the VPN concentrator code are downloadable here from CCO:

    http://www.Cisco.com/Kobayashi/SW-Center/SW-VPN.shtml

    You will need a CCO login that has access to this page.
