Customer multicast via vpn traffic

Hi guys,.

Then. I have already created a vpn server on my router 878... while I can connect to this router and the network with ip - sec (cisco vpn client)...

Al works fine... but... when I also want to allow multicast on my vpn connection traffic. should I then a vpn free WILL? or what?

What is only necessary when you use a site to site vpn... ?

And how to activate it?

Thanksssss

There is no way we can send directly via remote access VPN tunnel multicast traffic.

Tags: Cisco Security

Similar Questions

  • IPTV/Multicast via VPN

    Currently have a requirement for our users VPN / wireless, to have the opportunity to view CNN/other via IPTV channels. We are using VPN concentrator 3030 of Cisco for our needs. This box is able to support multicast? What needs to be fact/set up to allow this works? Any help would be most appreciated. Thanks in advance.

    -Matt

    The 3000 series concentrators VPN currently does not support multicast. Concentrators 5000 series more do as well as the PIX and VPN router. There was some talk to the 3000 series support multicast traffic in a next version, but don't hold your breath. Code of the v5 is perhaps what I mean.

    I hope this helps.

  • Customer remote cannot access the server LAN via VPN

    Hi friends,

    I'm a new palyer in ASA.

    My business is small. We need to the LAN via VPN remote client access server.

    I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.

    Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.

    Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.

    Who can help me?

    Thank you very much.

    The following configuration:

    ASA Version 7.0(7)
    
    !
    
    hostname VPNhost
    
    names
    
    dns-guard
    
    !
    
    interface Ethernet0/0
    
    nameif outside
    
    security-level 10
    
    ip address 221.122.96.51 255.255.255.240
    
    !
    
    interface Ethernet0/1
    
    nameif inside
    
    security-level 100
    
    ip address 192.168.42.199 255.255.255.0
    
    !
    
    interface Ethernet0/2
    
    shutdown
    
    no nameif
    
    no security-level
    
    no ip address
    
    !
    
    interface Management0/0
    
    shutdown
    
    no nameif
    
    no security-level
    
    no ip address
    
    management-only
    
    !
    
    ftp mode passive
    
    dns domain-lookup inside
    
    access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
    
    access-list allow_PING extended permit icmp any any inactive
    
    access-list Internet extended permit ip host 221.122.96.51 any inactive
    
    access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
    
    access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
    
    access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
    
    access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
    
    pager lines 24
    
    mtu outside 1500
    
    mtu inside 1500
    
    ip local pool testpool 192.168.43.10-192.168.43.20
    

    arp timeout 14400
    
    global (outside) 1 interface
    
    nat (inside) 0 access-list VPN
    
    nat (inside) 1 access-list PAT_acl
    
    route outside 0.0.0.0 0.0.0.0 221.122.96.49 10
    

    
    
    username testuser password 123
    
    aaa authentication ssh console LOCAL
    
    aaa local authentication attempts max-fail 3
    

    no sysopt connection permit-ipsec
    
    crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
    
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    
    crypto dynamic-map dyn1 1 set reverse-route
    
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    
    crypto map mymap interface outside
    
    isakmp enable outside
    
    isakmp policy 1 authentication pre-share
    
    isakmp policy 1 encryption des
    
    isakmp policy 1 hash md5
    
    isakmp policy 1 group 2
    
    isakmp policy 1 lifetime 86400
    
    isakmp nat-traversal  3600
    
    tunnel-group testgroup type ipsec-ra
    
    tunnel-group testgroup general-attributes
    
    address-pool testpool
    
    tunnel-group testgroup ipsec-attributes
    
    pre-shared-key *
    
    telnet timeout 5
    

    ssh timeout 10
    
    console timeout 0
    

    : end

    Topology as follows:

    Hello

    Configure the split for the VPN tunneling.

    1. Create the access list that defines the network behind the ASA.

      ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

    2. Mode of configuration of group policy for the policy you want to change.

      ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#

    3. Specify the policy to split tunnel. In this case, the policy is tunnelspecified.

      ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

    4. Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.

      ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

    5. Type this command:

      ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes

    6. Associate the group with the tunnel group policy

      ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn

    7. Leave the two configuration modes.

      ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#

    8. Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.

    Kind regards
    Abhishek Purohit
    CCIE-S-35269

  • VPN traffic via a secondary access provider

    Hello world

    I have been asked by a client to implement this topology:

    where:

    ISP 1 is used as primary internet connection.

    2 ISP will be used to connect remote users by IPsec VPN.

    Currently, I'm not looking for the Active/Backup feature, I need to know if I can use both ISP connections (as I've written before) an ISP for the Internet company and the other for the user remote access VPN.

    I read some post where, said, it's possible, but I want to be sure.

    Kind regards

    Jose

    ASA must add the static route in the routing table automatically when the VPN client is connected. So, in general, you don't need to do anything. But if not, you can just manually configure who will forward a VPN client IP packet to ISP2.

    With respect to NAT, in general, VPN traffic must ignore the NAT. You can use "nat (inside_interface_name) 0-list of access ' with an ACL that define the vpn traffic to do so.

  • Check sensor SFR with FireSight via VPN - does not work

    Hello security experts.

    I have an ASA5515-X with SFR installed 5.4.0 and manage with 5.4 FireSight installed on the virtual machine on LAN and I record the sensor without any problem but when I try to register the sensor to FireSight via VPN I can't do. The interface on the ASA management has no intellectual property nor nameif configured and the interface is connected to the switch, SFR has the IP even configured as LAN addressing. I can see traffic being exchanged between the sensor and the FireSight but I can't save the sensor.

    Has anyone managed to register the sensor via VPN? Is there something else to be configured in order to save the sensor with the MC via the VPN?

    The delay between the Firesight and the sensor (on WAN and VPN) I get between 80 and 100 ms, what could be the problem?

    Thank you very much!

    Remi

    Hello

    If you are unable to telnet from DC to the sensor on the port 8305 delivers connectivity then.

    Can try you to ping from sensor to DC:

    ping -M do -c 20 -s 1572
    By default, the MTU is 1500 on eth0, if the ping does not work I will suggest to lower the MTU on the interface and see if it works. See also: / var/log/messages | grep sftunnel and see the error messages on DC and sensor and send it to me everywhere. Best regards, Aastha Bhardwaj rate if this is useful!

  • WSA issue with MS-OUTLOOK and VPN traffic

    Hi all

    I am facing a problem where

    1. my users are able to access their mail from the web page, but ms-outlook is not able to synchronize e-mail.

    2. our internal user to an external site via VPN, the user is able to establish the VPN connection, but the web page user tries to gain access to via VPN is not available. I can see traffic from the user to WSA in the firewall, but the traffic of WSA is not forward traffic after that.

    Please suggest. As it is new, I needmore helps everyone.

    Run the command grep in WSA CLI to get the corresponding access logs to see the behavior of the ASO at demand management.

    Grep, access connects for a starter, SSH to the ASO and run the following command from the CLI:

    1 Grep
    2. Enter the number of the journal you want to grep: 1 (for accesslogs)
    3. Enter the regular expression to grep: . *.
    4. do you want the search to be case insensitive? : Y
    5. do you want to tail the logs? : Y
    6. you want to paginate output? : N

    Please keep in mind WSA is passively receiving the traffic and please ensure those kind of traffic will be sent to ASO before confirm us that it of a WSA question or not.

  • Is VLAN via VPN possible with any of the Small Business routers?

    A tagged VLAN (for voice) will be routed through a VPN gateway to gateway on any of the Small Business routers, such as the SA520? This router is equipped

    Parameters of VLAN Trunking.

    No, it is not possible to send traffic to vlan via VPN on a series of SA500, but you can create a tunnel for each subnet, you need to pass traffic.

    hope this helps,

    Jasbryan

  • VPN needs access to all external internal vpn traffic traffic all in tunnel

    Hello

    Could someone help me find the problem?

    I am ASA configuration as firewall + vpn server, essentially outside of the device's access T1 (there are two VLANS in inside via an iptables, outside of iptables is on the same vlan as insdie of ASA (192.168.5.1 and 192.168.5.2).)  VPN users are authenticated via authentication 2 factors (SDI, ip is 192.168.5.5) and get the ACL by local database.  pool of VPN is 192.168.6.1 - 192.168.6.15. pool of VPN is coordinated to the external IP address

    trying to access a remote host A from the host a is open for the IP and one specific Protocol. all vpn traffic are in the tunnel. the VPN user can connected and ACL vpnuser1_ONLY not working does not as expected.

    Here is the part of configuration:

    ASA Version 8.2 (2)
    ...........

    Route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1

    Route inside companynet1 255.255.255.0 192.168.5.2 1

    Route inside companynet2 255.255.255.0 192.168.5.2 1

    Route inside companynet3 255.255.255.0 192.168.5.2 1

    Route inside companynet4 255.255.255.0 192.168.5.2 1

    ...............

    Route inside companynetn 255.255.255.0 192.168.5.2 1


    NAT (inside) 4 vpnpool 255.255.255.0 outside   <--------- is="" this="">

    Global (outside) 4 xx.10.194.238 netmask 255.255.255.255

    Split-tunnel-policy tunnelall

    .....................

    vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 192.168.1.28 host 255.255.255.255 eq ssh connect

    vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 74.2.23.195 host 255.255.255.255 eq ssh connect

    ............

    enable SVC

    tunnel-group-list activate

    attributes of Group Policy DfltGrpPolicy

    VPN - connections 8

    VPN-idle-timeout 10

    VPN-session-timeout 60

    Protocol-tunnel-VPN l2tp ipsec

    WebVPN

    SVC Dungeon - install any

    time to generate a new key of SVC 8

    SVC generate a new method ssl key

    SVC request no svc default

    internal GroupPolicy1 group strategy

    attributes of Group Policy GroupPolicy1

    VPN - connections 1

    VPN-idle-timeout 9

    VPN-session-timeout 45

    VPN-tunnel-Protocol svc

    Split-tunnel-policy tunnelall

    WebVPN

    SVC Dungeon - install any

    time to generate a new key of SVC 15

    SVC generate a new method ssl key

    client of dpd-interval SVC 30

    dpd-interval SVC 30 bridge

    value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. For more information, contact your COMPUTER administrator.

    disable the SVC routing-filtering-ignore

    username vpnuser1 encrypted password xxxxxxx

    username vpnuser1 attributes

    VPN-group-policy GroupPolicy1

    VPN-idle-timeout 6

    VPN-session-timeout 20

    VPN-filter value vpnuser1_ONLY

    VPN-tunnel-Protocol svc

    value of group-lock COMAVPN

    type of remote access service

    tunnel-group DefaultRAGroup webvpn-attributes

    Disable group companyvpn aliases

    type tunnel-group COMAVPN remote access

    attributes global-tunnel-group COMAVPN

    address (inside) vpnpool pool

    address vpnpool pool

    SDI Group-authentication server

    authentication-server-group (inside) SDI

    LOCAL authority-server-group

    Group Policy - by default-GroupPolicy1

    tunnel-group COMAVPN webvpn-attributes

    activation of the Group companyremote alias

    I did anything wrong / missing?

    Thank you

    Yijun


    First of all, you can set "no nat-control" because once you have relieved of NAT, 'no nat-control' becomes disable anyway. 'No nat-control' is useful if you have no statement of NAT at all on the interface.

    Second, if you can't access the outside inside which is because you must configure the NAT exemption. Not sure if you have configured it.

    Here's the command:

    access-list allowed sheep ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

    NAT (inside) 0 access-list sheep

    You can then add all other subnets that are internal to the ACL sheep if you need VPN access.

    Finally, for the error message deny on access-group "OUTSIDE", you would need check if you have configured "sysopt connection VPN-enabled'. If it is disabled, it will also check the "OUTSIDE" interface for VPN traffic.

  • Financial reports - 11.1.2.1 client - connects via VPN only?

    Hello

    When I'm directly connected to the network or connected via their intranet wireless, I can connect to fin reports customer of Studio. However, if I train via VPN (Juniper), he returns with a message: you are not authorized to access. Please contact your system administrator. It is a mistake to end too many reports? Any ideas why/how this could happen?

    It is possible that your VPN is not open ports that you can use EN Studio.

    See you soon

    John
    http://John-Goodwin.blogspot.com/

  • Cannot connect remotely via VPN since installing the new modem/router

    Can anyone help please. Since the acquisition of a new router / modem I can no longer connect via VPN to my work PC remotely. It comes in I receive the error message. Can someone tell me if I need to change the settings for the new modem / router to access?

    Hello Joanna,

    Here are the steps you need to do first:

    1. Off static IP for my server and let the router assign IP address and changed the IP address of the port forward.
    2. Check the IP address because obviously, that changed when you plugged into the router again.
    3. Updated to the latest firmware for the router and NIC.

    For more detailed troubleshooting you can refer to this link: troubleshooting common VPN related errors.

    Let us know how it goes.

  • Programmatic access to remote files via VPN on Playbook

    Hello

    It is technically possible to download remote files via VPN programmatically?

    I can't find any documentation on this topic.

    Thank you

    Oh, not... I don't think it's possible.

  • 7.2 ASA5520 - filters VPN traffic

    Hi all,

    I would like to know how can I filter out VPN traffic with a list of access, by using the source address and port of destination as filters.

    I tried with "no sysopt permit vpn connection" but it is to filter the traffic through the VPN tunnel and I want to filter the host which can establish the VPN tunnel.

    I did it in a router with this access list:

    Note access-list 101 VPN

    access-list 101 permit ahp host x.x.x.x everything

    access-list 101 permit esp host x.x.x.x any newspaper

    access-list 101 permit host x.x.x.x esp all

    access-list 101 permit udp host x.x.x.x any eq isakmp

    access-list 101 permit udp host x.x.x.x any eq non500-isakmp

    But I tried the same thing in the ASA and does not work, I think it's because the ASA does not apply the access list for VPN traffic.

    Sincerely, Fernando.

    Fernando

    You can disable it with "no crypto isakmp are outside", but then even if you apply an acl to the outside which allows all IP, ESP, AH it still does not allow an IPSEC connection.

    So for the moment I see no way to do this without using an acl on your router upstream.

    I'll do a reading just in case I missed something.

    Jon

  • ASA5505 management via VPN/Anyconnect without group

    I have 2 questions about the configuration of the SAA.

    The first is related to the SSL VPN configuration. Just one group of users to which you connect to our main office via remote access. Is there a way to configure SSL VPN to not display a group selection?

    I have the omission of the list of the groups-tunnel-enable command and configuration group on user accounts locking, but neither work.

    Secondly, I am at a loss on how to configure ssh to allow users connected via VPN connections. I guess:

    SSH 172.16.1.0 255.255.255.0 inside

    with 172.16.1.0 24 is the ip pool assigned to remote access vpn users would do so, however, it's a no go. How can users of remote access (which are for the most part, all technicians) granted the possibility to connect to the device?

    Thanks for your help.

    To be able to manage the ASA via SSH via a VPN tunnel, you will need to enter the configuration command "in man".

  • If a PC with a DHCP server is connected via VPN, with her serve IP addresses on the tunnel?

    Situation: we have a few portable computers test Ubuntu running DHCP servers.  We need get the updates and other changes in corporate network sometimes.  Today, we turn off the DHCP server, set up to get an IP via DHCP (besides) and make our updates.

    Problem: we do not want someone accidentally connect the laptop to the corporate network, while its DHCP server is running.

    Question: so, if we go via wifi using a Cisco VPN client, the DHCP server IP addresses above the tunnel?

    Thanks for reading.

    N ° DHCP uses layer 2 broadcasts to disseminate IP addresses.  Because your clients are connected via VPN, there is no contiguity of layer 2.  The only way he would accidentally do it is if you have configured an address to support IP dhcp as one of your VPN clients on the network, which I imagine you wouldn't.

  • Capture packets for VPN traffic

    Hi team,

    Please help me to set the ACL and capture for remote access VPN traffic.

    To see the amount of traffic flows from this IP Source address.

    Source: Remote VPN IP (syringe) 10.10.10.10 access

    Destination: any

    That's what I've done does not

    extended VPN permit tcp host 10.10.10.10 access list all

    interface captures CAP_VPN VPN access to OUTSIDE gross-list data type

    Hello

    If you have configured capture with this access list, you filter all TCP traffic, so you will not be able to see the UDP or ICMP traffic too, I would recommend using the ACL, although only with intellectual property:

    list of allowed extended VPN ip host 10.10.10.10 access everything

    Capture interface outside access, VPN CAP_VPN-list

    Then with:

    See the capture of CAP_VPN

    You will be able to see the packet capture on the SAA, you can export the capture of a sniffer of packages as follows:

      https:// /capture//pcap capname--> CAP

    For more details of capture you can find it on this link

    Let me know if you could get the information that you were trying to achieve.

    Please Don t forget to rate and score as correct the helpful post!

    David Castro,

    Kind regards

Maybe you are looking for

  • Problems updating to SP3

    I tried updating to SP3 after a clean install of Windows XP Pro SP2, and it is never finished and restarted (there was no window asking me to restart now or later). I tried to return to the Windows Update site after that, and he always tells me that

  • HP ProBook s 4720 keeps reseting on BIOS

    Hello. I have laptop HP ProBook 4720 s. 3 days ago, it began to restart itself after 30 min and then after 15 min and now when I power up is watch on the standard bios screen and then reboots after 2-3 sec. It is not at the system startup screen.  I

  • How to add a new e-mail address on Bell Sympatico Web site

    My homepage is sympatico.ca. When I click on 'Bell mail' need me a page where I can type in one of my email addresses. Which takes me to turn to a page where the emails from this account are saved (I leave emails on the server until I delete them). I

  • Rather than recall

    I downloaded again which was packed inside a previous version of CS6 first through the CC Manager before, but now I still do not see the previous version of first in my creative cloud Manager.I clicked on 'Find additional Apps' and selected 'Previous

  • How can I change the question required in L1 Feedback?

    The Admin settings - feedback page allows me to edit all questions except the required questions. How can I do?Also, is there a global turn to ask your feedback? I took a class and never received a request for feedback. The reminder is set on course