Cisco VPN Site to Site - Interesting traffic required to put in place a VPN or not?

Similar Questions

• After the upgrade yesterday from Vista to Windows 7, now my Cisco VPN does not work and I get an error message titled: grounds 440 driver fault. Any ideas to fix this?

  After the upgrade yesterday from Vista to Windows 7, now my Cisco VPN does not work and I get an error message titled: grounds 440 driver fault.  Any ideas to fix this?

  This was the solution!  The works of vpn as $ 1 million now.  I followed the instructions above to enter the uninstall program and selecting the repair option.  I rebooted the machine, then used the troubleshooting on vpn software compatibility option.  Selected Windows windows xp (service pack 2) as the correct software and cisco vpn client started right up.

  Thanks, Nick!

  Rick

• Cisco VPN does not work in the Sierra

  I just upgraded to OS Sierra and the Cisco VPN, I had the installer does connect more.  The Setup looks right into network preferences. When I click it looks like it is trying but stops without asking for a password.

  Cisco VPN client may need to update or re-installed. If she uses the PPTP Protocol, it will not work. Support for PPTP was ignored, because it is no longer considered as secure.

• Cisco VPN does not ask for the UN or PW

  I took a cleint with a Cisco Pix. When I connect to the VPN with Cisco VP customer and the PCF, they gave semi-bas just connects, no prompt for username or password. The first question is that the configuration? And how to change that? Looks like a security breach delayed.

  Thanks

  Nick

  Hello Nick,

  I think you are missing the following command:

  client authentication card crypto outside_map LOCAL

  Unfortunately, I don't have a PIX right now, but I think he should do the trick.

  HTH.

  Please evaluate the useful messages.

• Using Cisco VPN with desktop remotely

  Hi, I work with many customers that use Cisco VPN for remote access.  Unfortunately the Cisco VPN does not work well with my VPN IBM client so I can't have both running on my computer.  So, I thought that I would like to install the Cisco VPN on an old machine, connect to this computer via desktop to distance and VPN in the network from the customer via the VPN.

  Well, who does not work either.  As soon as I connect to the network via the VPN Remote Desktop client loses the connection.  Can someone tell me if it works as designed (WAD) or if there is a secret of configuration to operate?

  Thanks in advance...

  John,

  When you connect via VPN to the network client on the remote computer, the connection RD proper case?

  I think it's because the VPN connection that you have drawn on the client computer is configured to encrypt all traffic, and that's why the RD connection to your computer of the drops.

  You can do a quick test... on the VPN client computer under statististics (VPN software) verification and check if secure roads is 0.0.0.0 (no split tunneling).

  If Yes... and if having access to the VPN server, which can be changed.

  Federico.

• VPN Site to Site ASA (only happens with interesting traffic)

  Is anyway to get an ASA to VPN site-to-site ASA addition interesting traffic?  I need to keep this tunnel independently of traffic is anyway to do this?

  Unfortunately, no such feature has been developed on the SAA. You need to deceive the ASA with a host located in the "interesting" part of the network to constantly generate interesting traffic. Here are a few suggestions:

  -Use the IP SLA on a Cisco device

  -Perform a host TCP ping

  -Setting up a host of the site has press site B as a NTP source ASA

  Thank you for evaluating useful messages!

• IPSec site to site VPN cisco VPN client routing problem and

  Hello

  I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

  The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

  There are on the shelves, there is no material used cisco - routers DLINK.

  Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

  Can someone help me please?

  Thank you

  Peter

  RAYS - not cisco devices / another provider

  Cisco 1841 HSEC HUB:

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key x xx address no.-xauth

  !

  the group x crypto isakmp client configuration

  x key

  pool vpnclientpool

  ACL 190

  include-local-lan

  !

  86400 seconds, duration of life crypto ipsec security association

  Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

  !

  Crypto-map dynamic dynmap 10

  Set transform-set 1cisco

  !

  card crypto ETH0 client authentication list userauthen

  card crypto isakmp authorization list groupauthor ETH0

  client configuration address card crypto ETH0 answer

  ETH0 1 ipsec-isakmp crypto map

  set peer x

  Set transform-set 1cisco

  PFS group2 Set

  match address 180

  card ETH0 10-isakmp ipsec crypto dynamic dynmap

  !

  !

  interface FastEthernet0/1

  Description $ES_WAN$

  card crypto ETH0

  !

  IP local pool vpnclientpool 192.168.200.100 192.168.200.150

  !

  !

  overload of IP nat inside source list LOCAL interface FastEthernet0/1

  !

  IP access-list extended LOCAL

  deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  IP 192.168.7.0 allow 0.0.0.255 any

  !

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  !

  How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

  Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

  DE:

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

  TO:

  access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

  Also change the ACL 190 split tunnel:

  DE:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

  TO:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

  Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

  Hope that helps.

• Cisco VPN client + VPN site-to-site

  Hi all

  I have two ASA5505 with a site to site VPN.

  One of the ASA is connected to the internal network 192.168.150.0.

  It is connected to 192.168.151.0.

  I also configured IPSec Cisco VPN client that is connected to 192.168.150.0.

  I would like to know if it is possible for a connected with the Cisco VPN client to access the 192.168.151.0 by the site-to-site VPN network.

  Thank you!

  Hello

  If you mean that the IP addresses of the VPN Pool are something like 192.168.150.x then I suggest to use a totally different network than those used on LANs.

  At the software level 9.1 basically causes changes to how are the NAT0 configurations.

  MAIN SITE

  network of the VPN-POOL object

  subnet x.x.x.x y.y.y.y

  being REMOTE-LAN network

  192.168.151.0 subnet 255.255.255.0

  destination of static NAT VPN VPN-POOL POOL (outdoors, outdoor) static REMOTE - LAN LAN

  REMOTE SITE

  network of the VPN-POOL object

  subnet x.x.x.x y.y.y.y

  the object of the LAN network

  192.168.151.0 subnet 255.255.255.0

  NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

  Otherwise, I would imagine that the same kind of configurations above apply. You need the ' same-security-movement ' command to allow the 'outside' to ' outside ' of the movement. You will have to ensure that the ACL from Tunnel Split contains the remote site network. And of course, you should make sure that the ACL crypto sets / include traffic between VPN pool and the network 192.168.151.0/24 on both sides ASAs.

  -Jouni

• Cisco VPN Site to Site with a static and dynamic does not

  Hello

  I have ASA 5510 in Headquarters with static, IP and ASA 5505 in the remote site behind ADSL router trying to establish VPN, but its failure in phase 1

  Config of the headquarters

  interface Ethernet0/0

  Description link to router LeaseLine

  nameif outside

  security-level 0

  IP x.x.x.x 255.255.255.248

  !

  interface Ethernet0/1

  Description link to LAN internal

  nameif inside

  security-level 100

  IP 172.17.1.15 255.255.255.0

  access extensive list ip 172.17.1.0 inside_nat0_outbound_1 allow 255.255.255.0 172.20.1.0 255.255.255.0

  access extensive list ip 172.17.1.0 inside_nat0_outbound_1 allow 255.255.255.0 172.19.1.0 255.255.255.0

  access extensive list ip 172.17.1.0 vpn_to_remote allow 255.255.255.0 172.19.1.0 255.255.255.0

  extended VPN ip 172.17.1.0 access list allow 255.255.255.0 172.20.1.0 255.255.255.0

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound_1

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

  Crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  correspondence address 1 crypto dynamic-map cisco VPN

  Crypto dynamic-map cisco 1 set of transformation-ESP-AES-256-SHA

  card crypto outside_map 10 correspondence address vpn_to_remote

  card crypto outside_map 10 set pfs

  card crypto outside_map 10 peers set y.y.y.y

  card crypto outside_map 10 transform-set esp-aes-256-md5

  outside_map crypto 10 card value reverse-road

  dynamic outside_map 30-isakmp ipsec crypto map Cisco

  outside_map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  aes-256 encryption

  md5 hash

  Group 5

  life 86400

  crypto ISAKMP policy 20

  preshared authentication

  aes encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  Crypto isakmp nat-traversal 20

  tunnel-group y.y.y.y type ipsec-l2l

  tunnel-group ipsec-attributes y.y.y.y

  pre-shared-key *.

  tunnel-group parkplace type ipsec-l2l

  tunnel-group ipsec-attributes parkplace

  pre-shared-key *.

  The Remote Site configuration

  interface Vlan1

  nameif inside

  security-level 100

  address 172.20.1.1 IP 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 192.168.1.2 255.255.255.0

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  ICMP list extended access permit icmp any one

  access-list SHEEP extended ip 172.20.1.0 allow 255.255.255.0 172.17.1.0 255.255.255.0

  extended VPN 172.20.1.0 ip access list allow 255.255.255.0 172.17.1.0 255.255.255.0

  Global 1 interface (outside)

  NAT (inside) 0 access-list SHEEP

  NAT (inside) 1 0.0.0.0 0.0.0.0 outdoors

  Access-group ICMP in interface outside

  Route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  crypto map outside_map 1 is the VPN address

  peer set card crypto outside_map 1 83.111.252.242

  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  Crypto isakmp nat-traversal 20

  tunnel-group fairmount type ipsec-l2l

  tunnel-group fairmount ipsec-attributes

  pre-shared-key *.

  Best regards / Asfar

  Hello

  Have you tried to replace the names of 'tunnel-group' entry with Ip address on both ends... ?

  Thank you

  MS

• T61, Vista Business with Cisco VPN problem since the last update on the Lenovo site.

  Hello

  I use a T61, Vista Business, Cisco VPN Client v.5.0.02.0090.  Since my last update, October 2, 2008 on the Lenovo ThinkVantage Productivity Center site, I can't connect to my VPN Office. It was working perfectly before this software update. The only thing I remember is the update of the driver for Intel 4965AGN card v.12.x. I went to v.11.5 but it's not better.

  When I try to connect, I get the message "secure VPN connection terminated by a peer. "433 reason: (reason unspecified peer). I did a test with 'ping' IP address of the VPN and the response of the address.

  Usually, when the VPN Client is able to make the connection in the network connection window, I see "connection to the network space 2 (the Cisco VPN system map)" enabling / disabling Disable to activate the State. But there in my case, turn it off.

  I can connect with another PC using Windows XP. Thus, the VPN works.

  Any ideas?

  Thank you

  I met a very similar problem with my X61s. I was able to fix this by removing the print reading software for which an update was also installed on 2 Oct. As I barely use the fingerprint reader, it wasn't a problem for me. The Cisco VPN worked never better...

• Client Vpn Cisco vpn remote site inaccessible (one site to another)

  Hello

  I configured two vpn with pix 515 cisco connection. One using a cisco vpn client and another another site to site vpn connectin with other pix.

  I have my local network with 192.168.149.0 network, vpn clinet pool with 192.168.17.0 network and a remote site with 192.168.145.0.

  Client vpn local network accessible and always remote site, but 192.168.17.0 (vpn client) 192.168.145.0 not accessible (remote site).

  Plese help me!

  Thank you

  This scenario is possible with no v6.x, v7.x

  the link below is an example of configuration:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• Cisco 877 site to site VPN routers a DHCP end cannot get the tunnel

  Hello

  I have two 877 cisco routers with the static ip address and other (3 routers more) with ADSL DHCP using the no - IP.com.

  Currently I'm doing tests with only the static IP router and a DHCP router.

  I can't go up the tunnel and running, I can connect using Cisco VPN client, but a site that is the most important of them does not work

  I followed the example of configuration on this document http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

  But I have no session encryption of output as well as no ipsec or isakmp output using this command (it's on the static IP router)

  SH crypto ipsec his

  Crypto isakmp HS her

  SH encryption session

  on the dynamic ip on the router side, I exit that with the sh command its crypto ipsec

  This is the output

  R3 #sh crypto ipsec his

  Interface: Dialer1

  Tag crypto map: mymap, local addr xxx.xxx.xxx.xxx

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

  current_peer xxx.xxx.xxx.xxx (Static ip of the router hub) port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  endpt local crypto. : xxx.xxx.xxx.xxx, remote Start crypto. : xxx.xxx.xxx.xxx

  Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Interface: ATM0

  Tag crypto map: mymap, local addr 0.0.0.0

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

  current_peer xxx.xxx.xxx.xxx port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx

  Path mtu 1500, mtu 1500 ip, ip mtu IDB ATM0

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1

  Tag crypto map: mymap, local addr 0.0.0.0

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

  current_peer xxx.xxx.xxx.xxx port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx

  Path mtu 1492 mtu 1492 ip, ip mtu IDB virtual Network1

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Set the configuration is for both routers

  Thanks in advance

  Kind regards

  Hello

  Try the following changes:

  HUB

  NAT extended IP access list

  deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  ip permit 192.168.1.0 0.0.0.255 any

  !

  TALK

  NAT extended IP access list

  deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

  ip licensing 192.168.5.0 0.0.0.255 any

  the example you mentioned was not using NAT while you are. Check following link:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml?referring_site=smartnavRD

  HTH

  Andy

• multi-site VPN with just the cisco vpn client

  Hello everyone

  Please I need your help.

  We have a headquarters office and up to 60 is BranchOffice, we want to create VPN network between its. so let's deploy 2 router cisco esy vpn server with HA (HSRP) at the Headquarters Office and all branches have Connection ADSL and they will use just the cisco vpn client to connect to the Headquarters Office.

  My question is: is it possible to do it just with the client vpn cisco without purchased for any exercise bracnh a cisco router to create an ipsec tunnel because it is so expensive?

  It depends on if the routers to offices can handle NAT with several internal VPN clients to 1 IP address. Most of the new material should be fine. Keep in mind the maximum limit of the VPN client, with 60 agencies and 5 people each of whom you are above the limit.

  Michael

  Please note all useful posts

• Bring up the tunnel vpn crypto without interesting traffic map

  Is it possible on ASA to bring up the tunnel vpn site to site static crypto map without generating interesting traffic? I want to reverse route injection generate road dynamic until traffic begins to flow.

  Roman,

  Unless something chnaged recently RRI inserts routes without present SAs, meaning that they are static (in contrast to current default behavior on IOS 12.4 (9) T-I_think leave).

  But to answer the question, in more recent versions, you can bring up the tunnel using packet - trace CLI.

  M.

  Edit: request for improvement that will present the same features of IPP on ASA as on IOS:

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCsx67450

• ASA base S2S VPN, Tunnel establishes only when interesting traffic hits to end distance

  Dear all,

  I need your help to solve the problem mentioned below.

  VPN tunnel established between the unit two ASA.   A DEVICE and device B

  (1) if interesting traffic initiates a LAN device. traffic ACL hits. TUNEL is not coming

  (2) if interesting traffic initiates B LAN device. Tunnel will establish all the works of serivces

  (3) after the Tunnel device establishmnet B. We forced to tunnel down at both ends. Interesting again traffic initiates device a surpringly tunnel

  will go up.   After 2 or 3 days (after life expire 86400 seconds) initiated traffic of device A, tunnel will not esatblish.

  (it comes to rescue link: interesting won't be there all the time.)

  checked all parametrs, everthing seems fine. Here are the logs of attached but not more informative debugging on the balls. Please suggest.

  February 2, 2010 13:23:17: % ASA-7-713236: IP = 81.145.x.x, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 496

  February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

  February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

  February 2, 2010 13:23:23: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

  February 2, 2010 13:23:25: % ASA-7-715065: IP = 81.x.x.x, history of mistake IKE MM Initiator WSF (struct & 0x1abb1e10) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY

  February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 ending: flags 0 x 01000022, refcnt 0, tuncnt 0

  February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, sending clear/delete with the message of reason

  February 2, 2010 13:23:25: % ASA-3-713902: IP = 81.x.x.x, counterpart of drop table counterpart, didn't match!

  February 2, 2010 13:23:25: % ASA-4-713903: IP = 81.x.x.x, error: cannot delete PeerTblEntry

  Hi, I have a similar problem a long time ago. You can choose which set up the tunnel in your crypto card:

  card crypto bidirectional IPsec_map 1 set-type of connection

  I hope that it might help to solve your problem. Kind regards.