Console Cable - Cisco VPN 3000 Concentrator

Similar Questions

• VPN 3000 Concentrator logging

  Our company uses a 3000 VPN concentrator for our VPN access.

  Is there a way to view a log history of what the user connected to the VPN and what IP address they were assigned?  This would be 2 days ago, which was over the weekend.

  Thank you.

  To obtain this type of information, you must configure an external management server, syslog server and send this info to this server.

  You can for example download any freeware like http://www.kiwisyslog.com kiwi syslog server, then configure the hub to send the logs on the server.

  Here's how to use the VPN 3 k and syslogs etc...

  http://www.Cisco.com/en/us/partner/docs/security/vpn3000/vpn3000_47/configuration/guide/events.html

  For information more fancy graphical reporting you can also use Cisco Security Manager http://www.cisco.com/en/US/partner/products/ps6498/index.html

  There are also 3rd party sofwware out there who can collect this type of information such as the engine firewall monitor of manage - may also collect newspapers of concentrators Cisco VPN - connections vpn etc...
  http://www.ManageEngine.com/products/firewall/distributed-monitoring/index.html

  Concerning

• Cisco VPN 3000 at work and at home

  I have a Cisco VPN to my desk that I can use to get to my home office network using my VPN client. Unfortunately I can't print on my personal printer (which is on a switch) then I am connected to the VPN. After I disconnect the VPN, I am able to print again at my home printers. What can I do to set this up, so I can see my printers on my way home when I am connected to the VPN to work.

  Thank you for your help.

  Kind regards

  Diane

  Diane,

  It is very likely that you use at home the same subnet exists at your office. For example, if you use 192.168.1.X and the VPN is configured to send all traffic through the tunnel 192.168.1.X because it's your office network, you would see this symptom. A simple solution would be to change your home network 192.168.0.X

  I hope this helps. If so, please indicate the position.

  Brandon

• Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator

  Hi guys,.

  I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.

  The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address.  We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that.  Here is a screenshot of what I tried:

  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  nameif ethernet2 dmz1 security50

  name 172.16.1.48 Cust_DVR1

  permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 255.255.255.255 Cust_DVR1

  permit 192.168.1.0 ip access list outside_cryptomap_30 255.255.255.0 255.255.255.255 Cust_DVR1

  IP outside X.Y.Z.227 255.255.255.224
  IP address inside 192.168.1.1 255.255.255.0

  location of PDM Cust_DVR1 255.255.255.255 outside

  Global 1 X.Y.Z.230 (outside)
  Global (dmz1) 1 interface
  NAT (inside) 0-list of access inside_outbound_nat0_acl
  NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  outside_map 30 ipsec-isakmp crypto map

  outside_map 30 peer A.B.C.D crypto card game<--- (public="" ip="" of="" customer="">

  card crypto outside_map 30 match address centura_map_30

  card crypto outside_map 30 the transform-set ESP-3DES-MD5 value

  outside_map interface card crypto outside

  ISAKMP key * A.B.C.D netmask 255.255.255.255 No.-xauth No. config-mode

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 3des encryption

  ISAKMP policy 30 md5 hash

  30 2 ISAKMP policy group

  ISAKMP duration strategy of life 30 86400

  My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network.  I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).

  THANKS MUCH FOR ANY HELP!

  -Mario

  Hello

  For example, you can NAT your internal via the tunnel network traffic when you go to this customer.

  In this way, they will see your unique internal network as an IP address.

  Let's say, rather than them seeing your internal 192.168.1.0/24, eelle will see your traffic like X.Y.Z.227

  Is this what you need?

  Federico.

• How to configure VPN 3000 Concentrator for remote access

  I have inherited a VPN concentrator and want to configure it to provide remote access to my internal laboratory network when I'm traveling.  Private interface is configured as 192.168.1.240/24.  Public interface is configured as one of my public IP addresses.  I have a public IP pool on the back side of a cable modem Roadrunner.  I created a pool of addresses for clients such as 192.168.1.200 by 192.168.1.205.  I created all group configurations, group and user base.

  In the IP Routing tab, I see a default route pointing to my IP address of public gateway - the IP address of my box of roadrunner cable modem gateway.

  Since my VPN client, I am able to connect to the VPN concentrator.  I get an address from the pool and check the details of the tunnel under the statistics section shows IP address correct pool for the customer and the correct public IP address of my VPN reorga

  Jeff,

  According to statistics, it seems that the client sends traffic to the hub, but his answer not get back.

  We need check the hub settings itself.

  I need check the hub settings and that it is a GUI based device so I can't even ask to see the technology and the only option available is to WebEx.

  You're ok with webex, pls lemme session comfortable time id and e-mail to send the invitation, it takes no more time and we will carry it out

  Thank you

  Ankur

• NAT via LAN-to-LAN configuration between router IOS and Cisco VPN 3000

  Hello

  I have the following document on the creation of a virtual LAN2LAN including NAT private network.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

  It? s easily do this with the hub. Now, I have to set it up on the IOS router, and for this purpose, I can? t find any information. NAT, I have my private network to a single IP address that must be by tunnel as my local network official.

  Anyone have documentation on this szenario? I can? t is not on the OCC.

  Thanks for the support

  Hello.

  Concentrators are very friendly units (IMHO) to VPN with NAT and VPN.

  You build an acl defined traffic over the vpn (110) based on the nat wouldn't

  You create an acl to set what is NAT had (111) and create a NAT statement accordingly

  Here is an example configuration.

  !

  crypto ISAKMP policy 10

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  vpnsrock crypto isakmp key! address x.x.x.x

  !

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  !

  10 VPN ipsec-isakmp crypto map

  defined peer x.x.x.x

  game of transformation-ESP-3DES-SHA

  match address 110

  !

  interface Fa0

  NAT outside IP

  VPN crypto card

  !

  !

  interface fa1

  IP nat inside

  !

  IP nat inside source list 111 interface fa0 overload

  IP route 0.0.0.0 0.0.0.0 y.y.y.y

  access-list 110 permit ip fa0 - ip network-remote control-generic generic-mask

  access-list 111 allow local-network ip network-remote control-generic generic-mask

  !

• Failures of intermittent connection to the VPN 3000 Concentrator

  Hello

  I managed a VPN 300 hub that works with happiness for several years with no problems. All users are part of the same group and authenticate on a server RSA. We recently moved from Authentication Manager RSA RSA 7.1 Authentication Manager 6.1. Continuous everthing works well for several weeks, then at the beginning of this week we started having users intermittently failing to connect to the VPN. I don't know if this problem is related to our new server RSA, but we have other devices on the network that authenticate on it without any problem, so I guess the problem is with the Concentrator VPN itself.

  When users fail they just get a generic error message 'Reason 427 completed peer connection'. Live event log shows "group = vpn, status = is not off duty" when their connection fails. Other times they connect normally and no error messages appear. There seems to be no real reason, sometimes your connection fails, but if you keep trying you will get eventually in [However it may take several attempts in the course of an hour or two until you succeed, or you can get immediately without a problem].

  I don't think that it's a network problem, because I ran continuous for the hub and the RSA server pings while users are experiencing these problems and there are no drops.

  Authentication RSA server monitor always shows that the user is authenticated successfully, the connection of users actually succeed or not. I'm tempted to reboot just the hub, but we have tunnels VPN site-to-site connected on it and I'm a little worried if it is faulty you can not come back at all.

  Has anyone encountered this problem before?

  Thanks in advance

  Hi Graham,

  My guess is that the new RSA server is slower to react, causing the Timeout vpn3000 sometimes - this would explain all the symptoms (nature intermitten's not in service, the success of logs on the server).

  I don't have a vpn3k at hand to check, but I think that in the config server aaa where you set the ip address etc. of the RSA server, you can also set a time-out value - see if increasing this value help.

  HTH

  Herbert

• VPN 3000 Concentrator authentication failure.

  Hi team,

  I am facing the error of authentication in the hub.

  Scenario: -.

  Hub is integrated with AD.

  Error: -.

  ---

  2451 11/22/2009 13:20:35.550 SEV = 3 RPT AUTH/5 = 19132 86.62.198.251
  Authentication was rejected: reason = Unspecified
  manage 396, server = 172.27.1.13 =, user = 23733, area =

  Hi subashmbi,

  I have more questions for you: -.

  1. which authentication protocol is used with AD?

  2. by chance "23733" user which you see the authentication error, part of several groups defined in AD?

  As a quick test, try to switch the VPN group to NT domain authentication and let me know how it goes...

  If NT does not work then try LOCAL authentication.

  Waiting for your answer, the answers to the questions posed above and the results of the test with NT and LOCAL...

  Concerning

  M

• What are the ports used by the Cisco VPN Client?

  Hello

  I need to open my outgoing traffic on my firewall to allow two interns (LAN) Cisco VPN Client to connect to their Internet virtual private network.

  I already opened the port 500/UDP, but they are not able to connect. If I open all outgoing ports, they can connect.

  What are the ports used by the Cisco VPN Client?

  Thank you

  You need to open:

  UDP 500

  ESP protocol

  You must also open the UDP 4500 port (if using NAT - T).

  In addition, if the clients are connecting to a VPN 3000 Concentrator series and it is configured for all other options of NAT-transparency, corresponding ports must be open. By default:

  1. If using IPSec over TCP 10000, then open TCP 10000.

  2. If using IPSec over UDP 10000, open UDP 1000.

• Public interface on VPN 3000

  Hello

  It is as sure to fix the public interface on a VPN 3000 Concentrator on the internet? Or should there be a firewall in front.

  I understand that the public interface is "hardcoded" and only open ports you'd pass firewall anyway, but I just wanted to check with experts to ensure that :-)

  Peter

  Hi Peter,.

  I don't think there are major problems involving the public interface of VPN 3030 Internet. It is means in reality for public access... it is a little hardened to allow only specific protocols... If you have an ID, you can monitor the traffic on this interface and shun unnecessary connections if necessary... you also have filters on the public interface, which allows you to restrict the traffic...

  set the vpn behind a firewall increases the complexity of your network. You may as well have this behind, but it will be a little complicated.

  I hope this helps... all the best

  REDA

• Network VPN 3000 list

  I keep to err msge "mask/area bad ip address/subnet mask/generic id" when you attempt to add a class C network to the list a VPN 3000 Concentrator using the CLI. Here's my entry 192.168.51.0/0.0.0.255. The number and the wildcard mask seem ok. Isn't the right syntax?

  Vincent, you're very welcome and thank you for the update... happy all worked... Please rate as solved post.

  Rgds BST

  Jorge

• VPN 3060 concentrator error

  I have a Cisco VPN 3060 concentrator and sometimes I get the following message from syslog. What does this error mean?

  Local7.warning, SEV 2 RPT EVENT/42 = 30 = save to FTP server failed (9)

  It seems that you configure the VPN concentrator to send the log saved on an FTP file.

  You can check the following for parameters:

  Configuration | System | Events | FTP backup

  These are the 2 FTP options which can be configured on the VPN concentrator.

• Cisco VPN 3060 - Cisco ASA conversion

  We are about to embark on the passage of all extensions L2L and network (Cisco ASA 5505 s) of the Cisco VPN 3060 concentrator to a Cisco ASA 5520.

  We bsemblable woul to see if there is a simple method to do this as a converter?  Also, there are lessons learned?  We run 8.4.3 so that we know that the NAT configuration has differed.  The 3060 configuration can be changed in anyway for help in configuring the ASA?

  Thank you

  Dwane

  Thank you for your understanding Dwane.

  Please mark this message as answered.

  Good day.

• Cisco ACS 5.4 and VPN 3000

  Hello

  I'm trying to use CIsco ACS 5.4 for RADIUS authentication for VPN by using VPN concentrator 3000 users.

  I added the VPN 3000 on ACS and added GBA on VPN group with a shared secret authentication server. When I do a test on the authentication server using the local account that I created on ACS it happens as no response was received from the server so that I can see the RAIDUS AAuth in green.

  Any help would be much appreciated.

  Concerning

  AR

  Hey,.

  What is the report on GBA?

  "RAIDUS AAuth in green"

  If so, a pcap help between the two.

  Concerning

  Ed

• LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

  Hello

  I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

  When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

  However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

  Encryption = null esp (in 1721) and to "null" in VPN-3000.

  Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

  % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

  Has anyone seen this behavior?

  All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

  Thanx------Naman

  Naman,

  Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

  Kurtis Durrett