Clustering for VPN site-to-site VPN concentrator?

Hi all

I think the grouping of the Concentrator VPN configuration guide is only good for the VPN site-to-customer, that is to say that the grouping option cannot be deployed in VPN site-to-site of HA and load balancing?

Thank you and best regards,

MAK

OK, the function was only ever for clients of SW and HW, not the L2L tunnels.

For L2L tunnels, you can configure the tunnel settings on two of the hubs of the cluster and then just define two "set peer" statements under the crypto map of the remote device; these statements point to each of the hubs' specific IP addresses (not the cluster address).

This does not give you true load balancing as the SW clients get, but it gives you redundancy.

Tags: Cisco Security

Similar Questions

  • MIB for VPN concentrator

    I'm trying to locate the MIBs for a concentrator VPN 3030, specifically maximum connections.

    Thank you

    Hello:

    All 3K MIBs are located at:

    FTP://FTP.Cisco.com/pub/MIBs/supportlists/vpn3000/vpn3000-supportlist.html

    Hope that helps

    Jean Marc

  • Failover with VPN concentrator

    Hi all

    We have unique VPN concentrator which is the single point of failure, so need your help to mitigate the same

    The topology diagram is attached

    Site A and Site B.

    Site B has internet gateways where we have existing VPN.

    The intention to introduce the site A & Concentrator VPN gateway VPN is set as well

    Our design is provided for in

    Connectivity between the two locations & other office is managed by BGP.

    Default route is pointing at the Internet gateway.

    Info by the Internet Segment.

    ·         We have the SP independent IP range

    ·         Switching between 2 SP to site B is obtained by using the iBGP and eBGP

    Challenge: VPN concentrator single Point of failure (the Cisco VPN concentrator 3000)

    Here are the design goals

    ·         Implement internet gateways to the Site - A which will have redundancy level of Portal Site

    ·         Place on the VPN concentrator, which will act as a switch between site

    o If the concentrator vpn site B is out of box A VPN site must support all traffic.

    Concentrator VPN active o replica of Site B

    Is it possible to achieve the objectives of design.

    Please help about the VPN concentrator... How I can set VPN concentrator in failover mode... Just as we do firewalls?

    Help, please

    Hi yogesh,

    Concentrator VPN supports failover through VRRP. Please find the following for your reference document:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

    As for adding failover for the VPN concentrator, do you happen to have a spare VPN concentrator to run VRRP?

    I don't know if you are aware, however, that the VPN concentrator has reached end of life and the last delivery date was November 2007; as a result, you will not be able to buy a VPN concentrator any more.

    Here's the EOL notification for your reference:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

  • Two links one for VPN Site to Site and another for internet on the same router configuration

    Hi all

    I have 2 internet links an ADSL and lease terminated on the same router. I need to configure ADSL for VPN site-to-site of HO and internet leased line dedicated for all users.

    my site IP subnet is 10.10.100.0/24 and HO subnet is 10.1.0.0/24.   Please find attached Config and advice it will be OK and works fine

    Thanks in advance...

    Mikael

    Hello

    To me, it looks like you have configured the routes correctly:

    ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to the internet.

    ip route 10.1.0.0 255.255.255.0 Dialer1 -> for vpn traffic to HO.

    The public_IP_HO must be defined under the crypto map using the set peer command.

    What I want to add is on the isakmp policy hash attribute: you can choose between sha/md5 or whatever is available on your device. Make sure that the isakmp policy matches the isakmp policy of your HO.

    The other thing is the ACL for the internet. You may want to consider replacing the deny statement if you want to deny traffic only to your HO; currently it is set to deny all traffic from 10.10.100.0 to the 10.0.0.0 network, not to the 10.1.0.0 (HO) network.

    HTH,
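The advice above to make the branch ISAKMP policy match the HO policy can be checked offline before a change window. The following is an added example, not part of the original thread: both configurations are constructed samples, the function names are hypothetical, and the fallback values are the classic IOS 12.x defaults (DES, SHA, RSA signatures, group 1) applied when a policy omits a line. It compares encryption, hash, authentication and DH group only; lifetime is not compared.

```python
import re

# Values classic IOS 12.x applies when a policy omits the line (assumption).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Constructed sample configurations, not taken from the thread.
BRANCH = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
"""
HO = """
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
"""
HO_AES = HO.replace("encr 3des", "encr aes")


def parse_isakmp_policies(config):
    """Return {priority: attributes} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line, re.I)
        if header:
            current = dict(DEFAULTS)
            policies[int(header.group(1))] = current
            continue
        if current is None or not line:
            continue
        parts = line.lower().split()
        if parts[0] in ("encr", "encryption") and len(parts) >= 2:
            current["encr"] = " ".join(parts[1:])      # e.g. "aes 256"
        elif parts[0] in ("hash", "authentication", "group") and len(parts) == 2:
            current[parts[0]] = parts[1]
        elif not raw.startswith((" ", "\t")):
            current = None                             # left the policy block
    return policies


def first_match(initiator, responder):
    """The responder walks its own policies in priority order and accepts the
    first initiator proposal with identical attributes."""
    for r_num in sorted(responder):
        for i_num in sorted(initiator):
            if initiator[i_num] == responder[r_num]:
                return i_num, r_num
    return None


def closest_mismatch(initiator, responder):
    """Pair with the fewest differing attributes, to show what to fix."""
    best = None
    for i_num, i_pol in sorted(initiator.items()):
        for r_num, r_pol in sorted(responder.items()):
            diff = sorted(k for k in DEFAULTS if i_pol[k] != r_pol[k])
            if best is None or len(diff) < len(best[2]):
                best = (i_num, r_num, diff)
    return best


if __name__ == "__main__":
    branch = parse_isakmp_policies(BRANCH)
    print("match:", first_match(branch, parse_isakmp_policies(HO)))
    print("closest:", closest_mismatch(branch, parse_isakmp_policies(HO_AES)))
```

Branch policy 2 has no hash line, so it negotiates with the default hash, which is why it pairs with HO policy 10 while policy 1 (md5) does not.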

  • What is the function of the IOS minimum set required for VPN site-to-site software?

    Hi guys,.

    I have a Cisco 1841 router to do a VPN site-to site. I would like to know what is the function of the IOS minimum set required for VPN site-to-site software?

    Thanks in advance.

    Hi Ja,

    Advanced security or more should do it. The version of the IOS, you can try later 12.4 T which is c1841-advsecurityk9-mz.124-24.T5.bin, in which case you don't want to go to 15.1 still.

    I hope this helps.

    Raga

  • aid required for the image backup vpn concentrator

    Hi, I am unable to download the vpn concentrator ios image to the tftp server. is someone can pls tell me what is the procedure for that. I can't find good documentation on it. pls help someone.

    concerning

    Assane

    Assane,

    You try to save the image of the hub to the VPN concentrator. Like the 4.7.2.D or the version E or F of the code. If this is the case, it is not possible to copy the image file from the hub to the tftp server.

    You must download the CEC file.

    He had an answer to your question earlier, but it pointed you on how to make a backup of your CONFIGURATION file.

    If this answers your question, feel free to write it down.

  • Configuration file for the VPN concentrator

    Hello

    I have a text-based VPN concentrator configuration file, and I want to know if there is a configuration guide of Concentrator VPN that I can use to refer to this file. The configuration on cisco.com guide is currently for the GUI based configuration.

    Furthermore, if there is a tool/utility that will read the configuration file in the format GUI without physical access to the device, which will also help.

    Thanks in advance for any assistance.

    There is a "XML export screen" in the management section of the files on the VPN concentrator. You can export the current configuration of the concentrator in a XML format, which provides the labels and values for the fields in the configuration file.

    http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/Administration/Guide/Fileman.html#wpxref53361

  • problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

    Hi, I worked with Cisco and the seller for 2 weeks on this. I am hoping that what we are witnessing will ring a bell with someone.

    Some basic information:

    I work at a seller who needs from one site to the other tunnel.  There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system.  I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range.  So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

    My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper.  The seller sees my packages and provider host meets them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

    I'm from the external interface so that my endpoint and the peers are the same IP address.  (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.)  Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels to a different network.

    I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host.  Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel.   The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel.  The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

    The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

    Here is what we have done so far:

    (1) confirm the config with the help of Cisco 2811.  The tunnel is up.  sh crypto ipa shows the tunnel up.
    (2) turn on Nat - T side of the tunnel VPN landscapers
    (3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
    (4) successfully, tunnel and reach a different configuration hosting
    (5) to confirm all the settings of tunnel with the seller
    (6) the seller confirmed that his side host has no way and that it points to the default gateway
    (7) to rebuild the tunnel from scratch
    (8) confirm with our ISP that no way divert traffic elsewhere.  My gateway ISP sees my directly connected external address.
    (9) confirm that the ACL matches with the seller
    (10) I can't get the Juniper because he is in production and in constant use

    Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

    Options or ideas are welcome.  I had countless sessions with Cisco webex, but do not have access to the hub of the seller.  I can forward suggestions.

    Here's a code

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2

    crypto ipsec transform-set mytrans esp-aes esp-sha-hmac

    crypto dynamic-map dynmap 30
     set transform-set RIGHT

    crypto isakmp key address no-xauth

    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
     ip address 255.255.255.240
     ip access-group 107 in
     ip access-group 106 out
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map mymap

    Access-list logging (applied outside to get an idea of what happens.  No ESP traffic arrives; it never gets hits)

    access-list 106 permit esp host host log
    access-list 106 permit ip any any
    access-list 107 permit esp host host log
    access-list 107 permit ip host host log

    access-list 107 permit ip host host log
    access-list 107 permit ip any any

    sh crypto isa sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id slot status
      QM_IDLE 1010 0 ACTIVE

    Crypto Map "mymap" 1 ipsec-isakmp
    Peer =
    Extended IP access list 116
    access-list 116 permit ip host host (which is a public IP address)
    Current peer:
    Security association lifetime: 4608000 kilobytes/2800 seconds
    PFS (Y/N): N
    Transform sets={
    mytrans,
    }

    OK - so I have messed around in the lab for 20 minutes and came up with the below (IPs are test IPs :-)

    (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix-length 30 <-- this is the new NAT address

    !
    (1) ip nat inside source list 102 interface FastEthernet0/0 overload <-- this is the default interface NAT

    !
    ip nat inside source route-map crypto-nat pool crypto-nat overload <-- this is the policy NAT function

    !

    (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <-- defines the source and destination IP traffic

    !

    (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <-- does not NAT the normal communication

    (3) access-list 102 deny ip host 10.1.1.1 172.16.2.0 0.0.0.255 <-- does not re-NAT the NAT

    (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <-- allows everyone else to use the IP address of the interface for NAT

    !

    (5) route-map crypto-nat permit 5 <-- condition for the specific required NAT
     match ip address 101 <-- the source and destination IP traffic that must be NAT'd

    (7) access-list 103 permit ip host 10.1.1.1 172.16.2.0 0.0.0.255 <-- crypto ACL

    So, how the above works: when a packet with a source IP in 172.16.1.0/24 wants to leave the router to connect to, say, Google, the source will change to the interface IP (1).  When 172.16.1.0/24 wants to talk to 172.16.2.0/24, it does not get translated (2).  When the traffic for the remote end matches the following NAT clause, the already NAT'd IP will not be translated again (3).  When a host in 172.16.1.0/24 wants to communicate with 172.16.2.20/24, a specific NAT pool is required (4).  We must define a way to apply the NAT to specific traffic with a route-map (5), which applies only to the specific traffic (6); then simply define the interesting traffic for the VPN to initiate and enable comms (7).
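The rule set in the reply above can be checked by evaluating its ACLs against sample packets. The following is an added example, not part of the original post: it models ACLs 101, 102 and 103 as first-match lists and shows which translation a packet receives and whether the crypto ACL then selects it. The interface address 203.0.113.10 and the function names are assumptions; the model relies on the IOS inside-to-outside order of operations, where NAT runs before the crypto map check.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("172.16.1.0/24")
REMOTE = ip_network("172.16.2.0/24")
ANY = ip_network("0.0.0.0/0")
POOL = ip_network("10.1.1.1/32")        # (4) pool crypto-nat
IFACE_IP = ip_address("203.0.113.10")   # constructed stand-in for FastEthernet0/0

# (action, source, destination); first match wins, implicit deny at the end.
ACLS = {
    101: [("permit", LAN, REMOTE)],                       # (6) route-map match
    102: [("deny", LAN, REMOTE),                          # (2)
          ("deny", POOL, REMOTE),                         # (3)
          ("permit", LAN, ANY)],                          # (1)
    103: [("permit", POOL, REMOTE)],                      # (7) crypto ACL
}


def acl_permits(acl, src, dst):
    """First-match evaluation of one extended ACL."""
    for action, src_net, dst_net in ACLS[acl]:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def translate(src, dst):
    """Return (post-NAT source, rule) for a packet leaving inside -> outside."""
    src, dst = ip_address(src), ip_address(dst)
    pool_hit = acl_permits(101, src, dst)        # route-map crypto-nat (5)
    overload_hit = acl_permits(102, src, dst)    # interface overload (1)
    # The deny in (2) keeps the two NAT rules from ever matching the same flow.
    assert not (pool_hit and overload_hit), "NAT rules overlap"
    if pool_hit:
        return POOL.network_address, "pool crypto-nat"
    if overload_hit:
        return IFACE_IP, "interface overload"
    return src, "no NAT"


def crypto_acl_match(src, dst, policy_nat=True):
    """Does crypto ACL 103 select the packet after NAT has been applied?"""
    nat_src = translate(src, dst)[0] if policy_nat else ip_address(src)
    return acl_permits(103, nat_src, ip_address(dst))


if __name__ == "__main__":
    for dst in ("172.16.2.20", "198.51.100.7"):
        new_src, rule = translate("172.16.1.50", dst)
        print(f"172.16.1.50 -> {dst}: source {new_src} via {rule}, "
              f"tunnel={crypto_acl_match('172.16.1.50', dst)}")
```

Calling `crypto_acl_match` with `policy_nat=False` shows the failure the policy NAT prevents: the untranslated source never matches ACL 103, so the packet would leave unencrypted or be dropped.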

  • BW policy on VPN concentrator

    I've got a 3030 VPN concentrator with 4.0.1 B. I OS release have implemented a policy of BW for the VPN site - to many. Is it possible to check/see if the policy is applied (for example, deleted if traffic over the limit)?

    Thank you, Meg

    Monitoring - statistics - bandwidth Mgmt should give you some details.

  • What has replaced the vpn concentrator?

    Greenhorn here, I was not to sit in this place.  We have three remote sites, sister of institutions, we share an app with.  Host us the app.  A site has a configuration of vpn concentrator, the other two use a leased from point to point line. They each have a router that connects to a single router.  They want to replace the lines leased by using a vpn.  Do the digging, I see that the hubs are EOL.

    So, what is used to replace the hub today?  What is a solution today from leased lines? They are all poor profit. My guess is that they will say look on Ebay for a hub if the solution is too expensive.

    Thanks Jim

    Jim

    The package of security (CISCO2901-SEC/K9 or CISCO2921-SEC/K9) is the convenient way to get the combination of the router, the software and licenses you will need. I don't think that you need something more elaborate than one of these security packages.

    I think one of these would be a good choice for you. It's been a while since I looked at the details of these routers. My recollection is that the 2921 offers more power, more interfaces and a few other benefits and would be attractive to many of us. But I think I understand your needs, I believe that the 2901 router cheaper and quite adequate for you.

    HTH

    Rick

  • 501 to 3000 PIX VPN concentrator

    I know that a lot of these configs have been covered here and have read a few today. Here's my dilemma.

    We have a VPN concentrator in our GOING to Florida. We set up a remote site of contract in another State. The customer is what allows us to place our PIX 501 on their (private) network and out to the internet to return to our VPN concentrator. According to the staff of the company, you have to cross a their corporate firewall. We have assigned a private to our internal ethernet IP address and has assigned a private one for us to use on our external interface on the PIX. The two private investigation periods are in the 192.168.129.x/24 (our inside) and 192.168.96.x/26 (on the outside provided by customer)

    Initially, they were to provide a public IP address peer with against our public IP hub. Now, they are unable to do so.

    They provided a possible PAT range of public IP addresses to go against, but there is no way of knowing what particular IP peer against. Is it possible to be able to point the VPN concentrator for a range of public IP addresses and hope a peers. I can ping from the PIX coming out to our public address of VPN concentrators. Any help would be appreciated.

    We configure ezvpn, however, the problem is that the vpn tunnel can only be activated from the pix not starting from the hub.

  • ASA - several IPs for VPN

    I'll put up Anyconnect to replace our customers of Cisco IPsec VPN, since it is end of life. A part of the process is to get an SSL certificate and a FULL domain name to use for this. I've got that and it is applied to the ASA very well. Now we don't get these warnings to the subject it is not not sure and such.

    The problem is that we use a non-standard port for the SSL VPN from 443 is already sent to an internal device. I have unused public addresses to the external interface of the ASA, but I don't know how I could use them. I would like to have a different IP address for SSL VPN, so I don't have to mess with the port forward that is currently in place. I read on proxy arp, but that looks like it could be a problem. I could have someone connect another cable to a different interface on the ASA (5512-X) and assign this static interface I want for the VPN, but I'm not sure it will work well. We have connections VPN site to site in place as well. Can I have the ASA listening on two different interfaces at the same time?

    Recap:

    IP 1 - address primary NAT, Site at tunnels put end here, some Cisco IPsec VPN terminate customer

    IP 2 - want to have all customers of Anyconnect connect here, to migrate all legacy Cisco IPsec clients until they are all over Anyconnect.

    Key is that I can not stop listening on IP 1 for site-to-site connections.

    Thoughts?

    Thank you!

    On the ASA, you cannot use additional IPs for VPN.

    If tcp/443 is already used for an external server, then I would reconfigure the DNS entry for it to use the second IP address that must be sent to the internal server. You can then use the IP interface of the ASA for AnyConnect.

  • Dynamic routing for VPN Failover L2L

    Hello

    Can someone offer me some advice on this please?

    I have attached a simple diagram of our EXTENSIVE referral network.

    Overview

    • The firewall is ASA 5510 running 8.4 (9)
    • Basic to the Headquarters network uses OSPF
    • On ASA static routes are redistributed into OSPF
    • On ASA for VPN static routes are redistributed into OSPF with 130 metric so redistributed BGP routes are preferred
    • Basic network has a static route to 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
    • Branch Office WAN uses BGP - routes are redistributed into OSPF
    • The branch routers using VRRP for redundancy of the IP for the default gateway of local customers.
    • Branch router main past off VRRP IP to router backup when the WAN interface is down
    • BO backup router (. 253) contains only a default route to the internet
    • In normal operation, the traffic to and from BO uses Local Branch Office WAN
    • If local BO WAN link fails, traffic to and from the BO uses IPSec VPN via public Internet

    I try to configure dynamic routing on our network for when a branch switches to the IPsec VPN. What I want to happen (not sure if it is possible) is for the ASA announce the subnet to the remote end of the VPN in OSPF to Headquarters.

    I managed to get this working using IPP, but for some reason any VPN stay up all the time when we are not in a failover scenario. This causes the ASA added the table as a static route is the remote subnet in it and do not use the announced route of OSPF from the core network. This prevents the BO customers access to the Internet. If I remove the IPP on the VPN setting, ASA learns the route to the subnet via the WAN BO - resumes normal operation.

    I have configured the metric of the static routes that get redistributed into OSPF by ASA superior to 110. This is so that the routes redistributed by the WAN BO OSPF BGP, are preferred. The idea being that when the WAN link is again available, the routing changes automatically and the site fails to WAN BO.

    I guess what I need to know is; This design is feasible, and if so where I'm going wrong?

    Thank you

    Paul

    Hi Paul,.

    Your ASA keeps the tunnel alive only because this path exists on the ASA.  This is why you must use IP SLA on the ASA to push the "10.10.10.0/24" network traffic based on the echo response, using IP SLA.

    Please look at the example below; it shows that the traffic flows through the tunnel only if the ASA cannot reach the 10.10.10.0/24 network via the internal network of HQ.

    This configuration illuminate ASA.

    route inside 10.10.10.0 255.255.255.0 10.0.0.2 track 10

    (assuming 10.0.0.2 is the inside peering IP address of the router at HO)

    route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254

    (the value 254 makes this a more expensive route via the IPsec tunnel, and x = the ISP default gateway)

    sla monitor 99

     type echo protocol ipIcmpEcho 10.10.10.254 interface inside

     num-packets 3

     frequency 10

    sla monitor schedule 99 life forever start-time now

    track 10 rtr 99 reachability

    Let me know, if this can help.

    Thank you

    Rizwan James

  • VPN concentrator + PIX on LAN -> customers can not reach local servers

    Hello

    I have a problem wrt. remote access clients coming via a VPN3000 concentrator and trying to access local servers.

    For the topology:

    The internal network is 10.0.1.0/24. It connects with the outside world, as well as via a PIX DMZ; the PIX has 10.0.1.1 in the internal network.

    On the same LAN (internal), I have the VPN concentrator for the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the

    VPN client-PCs.

    I can sucessfully connect using the VPN client SW to the hub, i.e. remote access clients out addresses

    the 10.0.100.0/24 range.

    The problem: access from VPN clients to internal network is * not * possible; for example, a customer with 10.0.100.1 cannot connect to

    internal to the 10.0.1.28 server.

    To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea on how to reach customers in

    10.0.100.0/24. The only thing that the server is a default static route pointing to the PIX, i.e. 10.0.1.1.

    So I set up a static route on the PIX for 10.0.100.0 pointing to the hub-VPN, that is

    Mylan route 10.0.100.0 255.255.255.0 10.0.1.5 1

    This does not solve my problem though.

    In the PIX logs, I see the entries as follows:

    %PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28(atlas)/445 dst intern:10.0.100.1(pending)/1064

    The PIX seems to abandon return packages, i.e. traffic from the server back to the client

    To my knowledge, the problem seems to be:

    Short traffic VPN - client-> Concentrator VPN-> Server-> PIX - where it gets moved.

    My reasoning: the PIX only sees the package back, i.e. the package back from the server to the client - and therefore decreasing the

    package because he has not seen the package from the client to the server.

    So here are my questions:

    (o) how do I configure the PIX that I be connectivity between my remote VPN clients (10.0.100.0/24) and

    computers servers on the local network (10.0.1.0/24)?

    (o) someone else you have something like this going?

    PS: Please note that the first obvious idea, installation of static routes on all machines on the local network is not an option here.

    Thank you very much in advance for your help,.

    -ewald

    Hello, because the PIX cannot route traffic on the same interface (prior to version 7.0 anyway), I suggest you either place your hub outside with its inside leg on a DMZ or (if you cannot redesign the network) remove your pool with 10.0.100.0 addresses and create a pool with 10.0.1.0 addresses, which is part of the inside address space. No, NOT all of it. A small range that is not used inside.

    Best regards

    Robert Maras

  • Cisco VPN Client behind PIX 515E -> VPN concentrator

    I'm trying to configure a client as follows:

    The user is running Cisco VPN Client 4.0. They are behind a PIX 515E 6.1(4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike".

    Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

    You don't necessarily need fixup protocol esp-ike active. Does the remote hub have NAT-T encapsulation enabled so that clients behind NAT can work?
