DPLC or Local Loop vpn connection

Dear all,

Please help me with this. I have a Cisco ASA 5510 with a basic license and I want to configure this product as below:

1 interface e0/0 (outside)

2 interface e0/1 (inside)

3 interface e0/2 (connect to branch with DPLC or vpn local loop connection)

The question is: can I configure a point-to-point VPN connection from HQ to the branch over the DPLC or local loop connection?

Please check the diagram in the attached file.

Help, please!

Thanks and best regards,

Marlene

There is some limitation in 5505 and you must correct the licenses to operate. Please refer to this document for more information:

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/gu...

Vishnu

Tags: Cisco Security

Similar Questions

  • Customer Cisco PIX 501 VPN connects but no connection to the local network

    Hi all:

    I am able to make a VPN connection to a PIX 501. The remote client is assigned an IP (192.168.2.1) also, but not able to access all the machines in the local network connected to the PIX.

    I have attached the PIX configuration.

    Advice will be greatly appreciated.

    ********************

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx
    passwd xxxxx
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.2.1-192.168.2.5
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set RIGHT
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool ippool
    vpngroup vpn3000 dns-server 68.87.72.130
    vpngroup vpn3000 wins-server 192.168.1.100
    vpngroup vpn3000 split-tunnel 101
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:xxxx

    ****************

    The DNS server is the one assigned to me by my ISP.

    My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

    "isakmp nat-traversal 20" can do the trick.

  • Cisco ipsec Vpn connects but cannot communicate with lan

    I have a Cisco 1921 running version 15.2(4)M3. I set up IPsec VPN and clients can connect, but they cannot ping anything inside. Any insight into what could be wrong with my config would be greatly appreciated. I have posted the configuration as well as a few IPsec show outputs. I also tried with multiple operating systems using Cisco VPN Client and Shrew Soft. I am able to connect to the other 1921 running IPsec VPN from both of these computers by using a client.

    Thanks for any assistance

    sh run

    !
    aaa new-model
    !
    !
    aaa authentication login radius_auth local group radius
    aaa authentication login VPN_AUTHEN group radius local
    aaa authorization network network_vpn_author local
    !
    !
    aaa session-id common
    clock timezone PST -8 0
    clock summer-time PST recurring
    !
    no ip source-route
    ip options drop
    ip cef
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name XXX.local
    ip inspect max-incomplete high 3000
    ip inspect max-incomplete low 2800
    ip inspect one-minute low 2800
    ip inspect one-minute high 3000
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW ssh
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-2909270577
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2909270577
     revocation-check none
     rsakeypair TP-self-signed-2909270577
    !
    !
    crypto pki certificate chain TP-self-signed-2909270577
     certificate self-signed 01
    license udi pid CISCO1921/K9 sn FTX1715818R
    !
    !
    archive
     log config
      logging enable
      logging size 1000
      notify syslog contenttype plaintext
    object-group network ADMIN_HOSTS
     range 71.X.X.X 71.X.X.X
    !
    username name1 privilege 15 secret 4 XXXXXXX
    !
    redundancy
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh logging events
    ip ssh version 2
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group roaming_vpn
     key XXXXX
     dns 192.168.10.10 10.1.1.1
     domain XXX.local
     pool VPN_POOL_1
     acl client_vpn_traffic
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    !
    !
    crypto dynamic-map VPN_DYNMAP_1 1
     set security-association idle-time 1800
     set transform-set ESP-3DES-SHA
     reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list VPN_AUTHEN
    crypto map SDM_CMAP_1 isakmp authorization list network_vpn_author
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic VPN_DYNMAP_1
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 76.W.E.R 255.255.255.248
     ip access-group ATT_Outside_In in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly in
     load-interval 30
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
     crypto map SDM_CMAP_1
    !
    interface GigabitEthernet0/1
     no ip address
     load-interval 30
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1.10
     encapsulation dot1Q 1 native
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting access-violations
     ip nat inside
     ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.100
     encapsulation dot1Q 100
     ip address 10.1.1.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.200
     encapsulation dot1Q 200
     ip address 10.1.2.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    ip local pool VPN_POOL_1 192.168.168.193 192.168.168.254
    ip forward-protocol nd
    !
    ip http server
    ip http authentication aaa login-authentication ADMIN_AUTHEN
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source route-map ATT_NAT_LIST interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.10.10 25 76.W.E.R 25 extendable
    ip nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extendable
    ip nat inside source static tcp 192.168.10.10 443 76.W.E.R 443 extendable
    ip nat inside source static tcp 192.168.10.10 987 76.W.E.R 987 extendable
    ip route 0.0.0.0 0.0.0.0 76.W.E.F
    !
    ip access-list extended ATT_Outside_In
     permit tcp object-group ADMIN_HOSTS any eq 22
     permit tcp any host 76.W.E.R eq www
     permit tcp any host 76.W.E.R eq 443
     permit tcp any host 76.W.E.R eq 987
     permit tcp any host 76.W.E.R eq smtp
     permit icmp any any echo-reply
     permit icmp any any
     permit udp any any eq isakmp
     permit esp any any
     permit ahp any any
     permit udp any any eq non500-isakmp
     deny   ip 10.0.0.0 0.255.255.255 any
     deny   ip 172.16.0.0 0.15.255.255 any
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 127.0.0.0 0.255.255.255 any
     deny   ip host 255.255.255.255 any
     deny   ip host 0.0.0.0 any
    ip access-list extended NAT_LIST
     permit ip 10.1.0.0 0.0.255.255 any
     permit ip 192.168.10.0 0.0.0.255 any
     deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
     deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
     deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
    ip access-list extended client_vpn_traffic
     permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
     permit ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
     permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    ip radius source-interface GigabitEthernet0/1.10
    logging trap errors
    logging origin-id hostname
    logging source-interface GigabitEthernet0/1.10
    !
    route-map ATT_NAT_LIST permit 20
     match ip address NAT_LIST
     match interface GigabitEthernet0/0
    !
    !
    SNMP-server community [email protected] / * /! s RO
    Server enable SNMP traps snmp authentication linkdown, linkup warmstart cold start
    Server enable SNMP traps vrrp
    Server SNMP enable transceiver traps all the
    Server enable SNMP traps ds1
    Enable SNMP-Server intercepts the message-send-call failed remote server failure
    Enable SNMP-Server intercepts ATS
    Server enable SNMP traps eigrp
    Server enable SNMP traps ospf-change of State
    Enable SNMP-Server intercepts ospf errors
    SNMP Server enable ospf retransmit traps
    Server enable SNMP traps ospf lsa
    Server enable SNMP traps ospf nssa-trans-changes state cisco-change specific
    SNMP server activate interface specific cisco-ospf traps shamlink state change
    SNMP Server enable neighbor traps cisco-specific ospf to the State shamlink change
    Enable SNMP-Server intercepts specific to cisco ospf errors
    SNMP server activate specific cisco ospf retransmit traps
    Server enable SNMP traps ospf cisco specific lsa
    SNMP server activate license traps
    Server enable SNMP traps envmon
    traps to enable SNMP-Server ethernet cfm cc mep-top low-mep Dispatcher loop config
    Enable SNMP-Server intercepts ethernet cfm overlap missing mep mep-unknown service-up
    Server enable SNMP traps auth framework sec-violation
    Server enable SNMP traps c3g
    entity-sensor threshold traps SNMP-server enable
    Server enable SNMP traps adslline
    Server enable SNMP traps vdsl2line
    Server enable SNMP traps icsudsu
    Server enable SNMP traps ISDN call-information
    Server enable SNMP traps ISDN layer2
    Server enable SNMP traps ISDN chan-not-available
    Server enable SNMP traps ISDN ietf
    Server enable SNMP traps ds0-busyout
    Server enable SNMP traps ds1-loopback
    SNMP-Server enable traps energywise
    Server enable SNMP traps vstack
    SNMP traps enable mac-notification server
    Server enable SNMP traps bgp cbgp2
    Enable SNMP-Server intercepts isis
    Server enable SNMP traps ospfv3-change of State
    Enable SNMP-Server intercepts ospfv3 errors
    Server enable SNMP traps aaa_server
    Server enable SNMP traps atm subif
    Server enable SNMP traps cef resources-failure-change of State peer peer-fib-state-change inconsistency
    Server enable SNMP traps memory bufferpeak
    Server enable SNMP traps cnpd
    Server enable SNMP traps config-copy
    config SNMP-server enable traps
    Server enable SNMP traps config-ctid
    entity of traps activate SNMP Server
    Server enable SNMP traps fru-ctrl
    SNMP traps-policy resources enable server
    Server SNMP enable traps-Manager of event
    Server enable SNMP traps frames multi-links bundle-incompatibility
    SNMP traps-frame relay enable server
    Server enable SNMP traps subif frame relay
    Server enable SNMP traps hsrp
    Server enable SNMP traps ipmulticast
    Server enable SNMP traps msdp
    Server enable SNMP traps mvpn
    Server enable SNMP traps PNDH nhs
    Server enable SNMP traps PNDH nhc
    Server enable SNMP traps PNDH PSN
    Server enable SNMP traps PNDH exceeded quota
    Server enable SNMP traps pim neighbor-rp-mapping-change invalid-pim-message of change
    Server enable SNMP traps pppoe
    Enable SNMP-server holds the CPU threshold
    SNMP Server enable rsvp traps
    Server enable SNMP traps syslog
    Server enable SNMP traps l2tun session
    Server enable SNMP traps l2tun pseudowire status
    Server enable SNMP traps vtp
    Enable SNMP-Server intercepts waas
    Server enable SNMP traps ipsla
    Server enable SNMP traps bfd
    Server enable SNMP traps gdoi gm-early-registration
    Server enable SNMP traps gdoi full-save-gm
    Server enable SNMP traps gdoi gm-re-register
    Server enable SNMP traps gdoi gm - generate a new key-rcvd
    Server enable SNMP traps gdoi gm - generate a new key-fail
    Server enable SNMP traps gdoi ks - generate a new key-pushed
    Enable SNMP traps gdoi gm-incomplete-cfg Server
    Enable SNMP-Server intercepts gdoi ks-No.-rsa-keys
    Server enable SNMP traps gdoi ks-new-registration
    Server enable SNMP traps gdoi ks-reg-complete
    Enable SNMP-Server Firewall state of traps
    SNMP-Server enable traps ike policy add
    Enable SNMP-Server intercepts removal of ike policy
    Enable SNMP-Server intercepts start ike tunnel
    Enable SNMP-Server intercepts stop ike tunnel
    SNMP server activate ipsec cryptomap add traps
    SNMP server activate ipsec cryptomap remove traps
    SNMP server activate ipsec cryptomap attach traps
    SNMP server activate ipsec cryptomap detach traps
    Server SNMP traps enable ipsec tunnel beginning
    SNMP-Server enable traps stop ipsec tunnel
    Enable SNMP-server holds too many associations of ipsec security
    Enable SNMP-Server intercepts alarm ethernet cfm
    Enable SNMP-Server intercepts rf
    Server enable SNMP traps vrfmib vrf - up low-vrf vnet-trunk-up low-trunk-vnet
    Server RADIUS dead-criteria life 2
    radius-server host 192.168.10.10
    radius-server timeout 2
    radius-server key XXXXXXX
    !
    !
    control-plane
    !
    !
    line con 0
     privilege level 15
     login authentication radius_auth
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     privilege level 15
     login authentication radius_auth
     transport input ssh
    line vty 5 15
     privilege level 15
     login authentication radius_auth
     transport input ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 192.168.10.10
    ntp server 64.250.229.100
    !
    end

    Router#sh crypto ipsec sa

    interface: GigabitEthernet0/0
        Crypto map tag: SDM_CMAP_1, local addr 76.W.E.R

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.168.213/255.255.255.255/0/0)
       current_peer 75.X.X.X port 2642
         PERMIT, flags={}
        #pkts encaps: 1953, #pkts encrypt: 1953, #pkts digest: 1953
        #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 76.W.E.R, remote crypto endpt.: 75.X.X.X
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x5D423270(1564619376)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x2A5177DD(709982173)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2115, flow_id: Onboard VPN:115, sibling_flags 80000040, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4301748/2809)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x5D423270(1564619376)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2116, flow_id: Onboard VPN:116, sibling_flags 80000040, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4301637/2809)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         outbound ah sas:

         outbound pcp sas:

    Router#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    76.W.E.R        75.X.X.X        QM_IDLE           1055 ACTIVE

    IPv6 Crypto ISAKMP SA

    In your NAT ACL, you need to deny your VPN traffic before you permit the whole subnet. Just put all the deny statements before the permit statements.

    Sent by Cisco Support technique iPhone App
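The ordering problem named in the reply above, as an added example that is not part of the original thread: a first-match evaluator for the poster's NAT_LIST (written here in standard IOS syntax) that reports entries shadowed by an earlier entry with the opposite action. The helper names and the 198.51.100.7 test destination are constructed for illustration; "permit" is treated as "translate" because the ACL feeds the `ATT_NAT_LIST` route-map used by the overload NAT rule.

```python
"""First-match evaluation and shadow detection for an IOS extended ACL.

Added example, not code from the thread. Helper names are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

# NAT_LIST in the order posted: permits first, VPN-pool denies last.
PAGE_ORDER = """
ip access-list extended NAT_LIST
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
""".splitlines()

# Same entries reordered as the reply advises: denies before permits.
DENY_FIRST = PAGE_ORDER[:2] + PAGE_ORDER[4:7] + PAGE_ORDER[2:4]


@dataclass(frozen=True)
class Net:
    base: int
    care: int  # bits that must match (inverse of the Cisco wildcard mask)

    def matches(self, addr: int) -> bool:
        return (addr ^ self.base) & self.care == 0

    def covers(self, other: "Net") -> bool:
        # True when every address matched by `other` is also matched by self.
        return (self.care & ~other.care & MASK32) == 0 and \
               (self.base ^ other.base) & self.care == 0


@dataclass(frozen=True)
class Entry:
    action: str
    src: Net
    dst: Net


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_net(tokens: list) -> Net:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return Net(0, 0)
    if head == "host":
        return Net(_ip(tokens.pop(0)), MASK32)
    wildcard = _ip(tokens.pop(0))
    return Net(_ip(head), ~wildcard & MASK32)


def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST' entries; other lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        rest = tokens[2:]
        src = _take_net(rest)
        dst = _take_net(rest)
        entries.append(Entry(tokens[0], src, dst))
    return entries


def find_shadowed(entries):
    """Return (later, earlier) index pairs where an earlier entry with the
    opposite action already matches everything the later entry matches."""
    hits = []
    for j, later in enumerate(entries):
        for i in range(j):
            e = entries[i]
            if e.action != later.action and e.src.covers(later.src) \
                    and e.dst.covers(later.dst):
                hits.append((j, i))
                break
    return hits


def nat_decision(entries, src: str, dst: str) -> str:
    """First match wins; no match is the implicit deny (not translated)."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.src.matches(s) and e.dst.matches(d):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


if __name__ == "__main__":
    for name, acl in (("as posted", PAGE_ORDER), ("deny first", DENY_FIRST)):
        entries = parse_acl(acl)
        print(name, "shadowed:", find_shadowed(entries),
              "LAN->VPN client:",
              nat_decision(entries, "192.168.10.10", "192.168.168.213"))
```

With the posted order, all three deny lines are unreachable, so replies from the LAN to the VPN pool are translated before they reach the crypto map; with the denies first, that traffic is exempt while Internet-bound traffic is still translated.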

  • Internet VPN connection disconnects

    Good afternoon

    I have the Cisco VPN Client and several established connections. When I connect to them I have connected either to the VPN, I can access the network and their teams. But I have a problem on one of the connections and is well connected to the VPN, connect you to servers and other things, but I block internet access to the computer. It is the only link that happens to me.

    The thing is that the internet really works, otherwise it would remain active VPN connection doesn't let me server.

    I noticed in the log and when I try to access that the internet does not connect and the journal starts a loop that reads:

    728 12:59:59.978 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from xxx.xxx.xxx.xxx, seq# received = 2818950532, seq# expected = 2818950532

    729 13:00:09.963 25/04/13 Sev=Info/6 IKE/0x63000055
    Sent a keepalive on the IPSec SA

    730 13:00:10.463 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx

    731 13:00:10.463 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to xxx.xxx.xxx.xxx, our seq# = 2818950533

    732 13:00:10.503 25/04/13 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

    733 13:00:10.503 25/04/13 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xxx.xxx.xxx.xxx

    734 13:00:10.503 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from xxx.xxx.xxx.xxx, seq# received = 2818950533, seq# expected = 2818950533

    735 13:00:19.977 25/04/13 Sev=Info/6 IKE/0x63000055
    Sent a keepalive on the IPSec SA

    736 13:00:20.978 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx

    737 13:00:20.978 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to xxx.xxx.xxx.xxx, our seq# = 2818950534

    738 13:00:25.986 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx

    739 13:00:25.986 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to xxx.xxx.xxx.xxx, our seq# = 2818950535

    740 13:00:29.991 25/04/13 Sev=Info/6 IKE/0x63000055
    Sent a keepalive on the IPSec SA

    ..............

    2422 14:20:31.267 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to yyy.yyy.yyy.yyy, our seq# = 2261259166

    2423 14:20:31.297 25/04/13 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = yyy.yyy.yyy.yyy

    2424 14:20:31.297 25/04/13 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from yyy.yyy.yyy.yyy

    2425 14:20:31.297 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from yyy.yyy.yyy.yyy, seq# received = 2261259166, seq# expected = 2261259166

    2426 14:20:41.782 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to yyy.yyy.yyy.yyy

    2427 14:20:41.782 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to yyy.yyy.yyy.yyy, our seq# = 2261259167

    2428 14:20:41.812 25/04/13 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = yyy.yyy.yyy.yyy

    2429 14:20:41.812 25/04/13 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from yyy.yyy.yyy.yyy

    2430 14:20:41.812 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from yyy.yyy.yyy.yyy, seq# received = 2261259167, seq# expected = 2261259167

    2431 14:20:52.299 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to yyy.yyy.yyy.yyy

    2432 14:20:52.299 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to yyy.yyy.yyy.yyy, our seq# = 2261259168

    2433 14:20:52.329 25/04/13 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = yyy.yyy.yyy.yyy

    2434 14:20:52.329 25/04/13 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from yyy.yyy.yyy.yyy

    2435 14:20:52.329 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from yyy.yyy.yyy.yyy, seq# received = 2261259168, seq# expected = 2261259168

    2436 14:21:02.811 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to yyy.yyy.yyy.yyy

    2437 14:21:02.814 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to yyy.yyy.yyy.yyy, our seq# = 2261259169

    ..............

    4807 16:03:35.041 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to yyy.yyy.yyy.yyy, our seq# = 2261259640

    4808 16:03:35.071 25/04/13 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = yyy.yyy.yyy.yyy

    4809 16:03:35.071 25/04/13 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from yyy.yyy.yyy.yyy

    4810 16:03:35.071 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from yyy.yyy.yyy.yyy, seq# received = 2261259640, seq# expected = 2261259640

    4811 16:03:45.537 25/04/13 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to yyy.yyy.yyy.yyy

    4812 16:03:45.537 25/04/13 Sev=Info/6 IKE/0x6300003D
    Sending DPD request to yyy.yyy.yyy.yyy, our seq# = 2261259641

    4813 16:03:45.567 25/04/13 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = yyy.yyy.yyy.yyy

    4814 16:03:45.567 25/04/13 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from yyy.yyy.yyy.yyy

    4815 16:03:45.567 25/04/13 Sev=Info/5 IKE/0x63000040
    Received DPD ACK from yyy.yyy.yyy.yyy, seq# received = 2261259641, seq# expected = 2261259641

    And so on forever... I tried to contact the technicians who run the VPN server, but they say that everything is correct and that it's something on my network.

    I have on my network I have no firewall between the two, or the router.

    When I log in, I get an Ip address, for example:

    IP: 192.168.118.105

    Mask: 255.255.252.0

    Default gateway: 192.168.116.1.

    But I can't even ping the gateway! Also gives me a DNS set:

    -192.168.24.170

    -192.168.24.171

    But I get the DNS either!

    It also gives me as a primary WINS server

    -10.6.1.92

    And as secondary:

    -10.168.100.92

    Anyway, the idea is to connect to the internet through the computer on which the VPN, the VPN, then remote desktop connection to connect through a test server. But then, when I connect to the cuts VPN had my office remotely via internet!

    I spoke with them several times since my network I see NOTHING unusual, indeed, none of the other connections gives me problems, just that.

    Another thing I noticed is that under Status -> Statistics -> Route Details, the Secured Routes give me the IP 0.0.0.0, while other VPN connections give me some IP address...

    I also checked the possibility of IPSec over UDP (NAT / PAT)...

    Any idea which could be at fault?

    Thanks in advance, Bye!

    Hi David,

    You mentioned: "Another thing I noticed is that under Status -> Statistics -> Route Details, the Secured Routes give me the IP 0.0.0.0 and other VPN connections give me an IP...". This means that there is no split tunneling configured on the VPN server. The "Route Details" section defines the destinations that you will be able to access over the VPN, and it is pushed by the VPN server.

    So, if you see 0.0.0.0 in the section above, all the traffic from your computer, including internet traffic, is tunneled to the VPN server. Two possibilities:

    - This is the expected flow; it should work if the VPN server has the required config to route internet traffic.

    - If not, and you use the VPN only to access certain resources while the internet should still work locally, then the config on the VPN server end must be changed to a split-tunnel configuration, so that instead of pushing the "0.0.0.0" route it sends a route such as "x.x.x.x", where "x.x.x.x" is the resource behind the VPN tunnel. In this way, the internet works locally.

    Either way, it's a matter of the config on the VPN server end.

    Simple explanation of split tunneling:

    http://en.wikipedia.org/wiki/Split_tunneling

    HTH.

    -

    Sourav

  • VPN connection question

    In my workplace, there are two networks: the local LAN that connects other computers to the internet, and the wireless network which my computer connects to and which goes directly to the internet. My question is: is it possible to connect to the LAN over the internet using a VPN connection? If yes, how? Please help me, because whenever I want to read my emails I have to plug in the UTP cable, which is sometimes annoying.
    Please indicate all the steps that are needed to establish the VPN connection.

    Ask the IT professionals at your place of work.  They know what is possible and what is not.

    Where I work, there is an available VPN that allows connections to the LAN from outside work.  If I use a laptop computer provided by the company, access the LAN just as if I'm at work.  If I use my PC, I get a link that allows me to access a limited number of resources, such as the email of the company.  I can, however, DRC to my desktop at work PC and can get access to the local network.

  • Trying to create a new VPN connection but "Create new network connection" is grayed out

    Hello world

    Thank you for your help in advance.

    I would like to ask why I could not create a new VPN connection as the "Create new network connection" is grayed out. I'm also sure that remote access connection manager, and another car once are started.

    I can create an account with my domain administrator account. But once I passed the ordinary user, the shortcut to the connection could not be accessed. I also tried to add the user to the local Administrators group, and the result is the same.

    Hope that you can help.

    Thank you.

    Windows XP Service Pack 3?

    Do you have any software security 3rd party running on this computer?  Or maybe something in group policy that limits access to create a new network connection?

    -B-
    http://www.officeforlawyers.com | http://www.OneNote-tips.com
    Author: Guide to counsel for Microsoft Outlook

  • RV180 VPN connects and allows you to browse the files, but falls when opening a file.

    Last week, we received our 300Mbps fiber connection. We bought the RV180 due to its high performance, and he manages the speed perfectly.

    However, when you set up VPN, I encountered a strange problem.

    Establishing a QuickVpn or PPTP is simple and connection is no problem. But I'll be fine. I can communicate with QuickVpn or PPTP and find a NAS or PC directory structure, but when I try to open a file the VPC connection drops.

    I activate the remote management.
    I can ping google.com -f -l 1472 without fragmentation, so a WAN MTU of 1500 should be OK.
    I have tried disabling attack prevention firewall.

    I have install the following experience: the firmware update (1.0.2.6), restore the default settings.

    Set up the RV180 as follows:

    IPv4 WAN (Internet)

    ------------------------------------------------------------------

    Internet connection type: Automatic Configuration - DHCP

    DNS Server Source: Get dynamically for ISP

    MAC address of the router: use the default address

    IPv4 LAN (local area network)

    ------------------------------------------------------------------

    Host name: RV180

    IP address: 192.168.75.1

    Subnet mask: 255.255.255.0

    Mode DHCP: DHCP Server

    Domain name: LCDVT

    From the IP address: 192.168.75.100

    End IP address: 192.168.75.254

    Lease time: 24

    DNS Proxy: enable

    Preventing attacks

    ------------------------------------------------------------------

    WAN (Internet) security controls

    Respond to Ping on WAN (Internet): disabled

    Stealth mode: disabled

    Floods: disabled

    LAN (local area network) security controls

    Block UDP Flood: disabled

    Parameters of the ICSA

    Block the anonymous ICMP Messages: disabled

    Block fragmented packets: disabled

    Block multicast packets: disabled

    VPN users

    ------------------------------------------------------------------

    PPTP server: enabled

    From the IP address: 192.168.75.50

    End IP address: 192.168.75.99

    Table setting VPN Client:

    ---------------------------

    No: 1

    Enabled: enabled

    Username: lcdvt

    Password: *.

    Allow the user to change the password: NA

    Protocol: PPTP

    Web access

    ------------------------------------------------------------------

    Access on the LAN of HTTPS Web Interface: enabled

    Remote management: enabled

    Type of access: IP range

    Start of range: 192.168.75.1

    End of series: 192.168.75.254

    Port number: 443

    Remote SNMP: disabled

    The rest of the menu options are, except for logging policies where I have everything turned on by default.

    In this experiment, I connect from a remote location, start navigating among directories of the drive without any problems and then open a file, after which the VPN connection falls (or some process breaks down). After the transfer of a few 100 KB blocks the VPN connection.

    Error logs

    ------------------------------------------------------------------

    Thu Mar 20 00:39:18 2013(GMT+0100) [rv180] nimfNetIfaceTblHandler [System] [NIMF]: could not get LedPinId

    Thu Mar 20 00:39:25 2013(GMT+0100) [rv180] [System] [PROGRAM] IP: 62.45.238.236

    Thu Mar 20 00:39:25 2013(GMT+0100) [rv180] [System] [PROGRAM] BCAST: 62.45.239.255

    Thu Mar 20 00:39:25 2013(GMT+0100) [rv180] [System] [PROGRAM] subnet: 255.255.254.0

    Thu Mar 20 00:39:25 2013(GMT+0100) [rv180] [System] [PROGRAM] GW: 62.45.238.1

    Thu Mar 20 00:39:25 2013(GMT+0100) [rv180] [System] [PROGRAM] DNS1: 62.45.45.45

    Thu Mar 20 00:39:25 2013(GMT+0100) [rv180] [System] [PROGRAM] DNS2: 62.45.46.46

    Thu Mar 20 00:39:25 2013 (GMT + 0100) [rv180] [System] [PROGRAM] Interface: eth1

    Thu Mar 20 00:39:32 2013(GMT+0100) [rv180] nimfNetIfaceTblHandler [System] [NIMF]: could not get LedPinId

    Thu Mar 20 00:40:58 2013(GMT+0100) [rv180] nimfNetIfaceTblHandler [System] [NIMF]: could not get LedPinId

    Thu Mar 20 00:41:10 2013(GMT+0100) [rv180] [System] [PROGRAM] IP: 62.45.238.236

    Thu Mar 20 00:41:10 2013(GMT+0100) [rv180] [System] [PROGRAM] BCAST: 62.45.239.255

    Thu Mar 20 00:41:10 2013(GMT+0100) [rv180] [System] [PROGRAM] subnet: 255.255.254.0

    Thu Mar 20 00:41:10 2013(GMT+0100) [rv180] [System] [PROGRAM] GW: 62.45.238.1

    Thu Mar 20 00:41:10 2013(GMT+0100) [rv180] [System] [PROGRAM] DNS1: 62.45.45.45

    Thu Mar 20 00:41:10 2013(GMT+0100) [rv180] [System] [PROGRAM] DNS2: 62.45.46.46

    Thu Mar 20 00:41:10 2013 (GMT + 0100) [rv180] [System] [PROGRAM] Interface: eth1

    Thu Mar 20 00:41:19 2013(GMT+0100) [rv180] nimfNetIfaceTblHandler [System] [NIMF]: could not get LedPinId

    Warning logs

    ------------------------------------------------------------------

    Thu Mar 20 00:39:13 2013(GMT+0100) [rv180] [System] [DHCPC] dhcpcDisable: removed dhclient.leases

    Thu Mar 20 00:40:54 2013(GMT+0100) [rv180] [System] [DHCPC] dhcpcDisable: removed dhclient.leases

    Sat 1 Jan 01:02:43 2011 (GMT + 0100) [rv180] [Kernel] [KERNEL] [23.090000] /home/aruns/rv180w/updated_dec19_final/beta-v1/rv180w-common/comps/gpl/ipset/src/ipset/kernel/ip_set.c: ip_set_create: no type set 'nethash', 'setPublicNet' has not created value

    What am I doing wrong? Or is it the device?

    I am interested in the solution to these problems. I am researching getting an RV180...


  • ASA5505 - remove VPN connections

    Hey all, have a simple question.

    The following page indicates it can handle up to 10 VPN connections with a base license. Does this mean that we can configure only 10 VPN user/pass credentials? Or can we create, for example, 50 user/pass accounts, but only 10 can remote in at the same time?

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    Thanks for the help.

    -robert

    Robert,

    That's right: 10 VPN connections is the maximum number of simultaneous VPN connections with the base license. You can create as many users in the ASA local database as you want, but only 10 RA VPN client sessions can be established. Note, however, that this column also includes L2L VPNs: say you have 1 site-to-site VPN and 9 RA VPNs, that is a total of 10 VPN sessions.

    Regards

  • ASA 5505 ASDM VPN connection problem

    Hello

    We are running an ASA 5505 firewall, version 8.4(4)1. The ASDM version is 6.4(9).

    The problem is that after creating the remote access VPN connection, it works fine for about 2-3 days.

    After that, the VPN client cannot connect any more and gives error code 789.

    In this case, the VPN clients are Windows 7 clients from different remote networks with the same problem scenario.

    Windows 8.1 clients cannot connect at all and show the same error code...

    All connections go through the DefaultRAGroup, and the pre-shared keys match on both sides.

    When the user attempts to connect, I receive the following text in the ASDM log:

    6 April 10, 2015 10:52:39 Group = DefaultL2LGroup, IP = 5.240.31.116, P1 Retransmit msg dispatched to MM FSM

    5 April 10, 2015 10:52:39 Group = DefaultL2LGroup, IP = 5.240.31.116, Duplicate Phase 1 packet detected.  Retransmitting last packet.

    5 April 10, 2015 10:53:03 IP = 5.240.31.116, Received encrypted packet with no matching SA, dropping
     
    When I implemented the remote login through ASDM I followed the instructions according to the following link:
     
    The steps were a little different, but almost the same, given that these instructions show an old version
     
    I'm interested in trying the steps according to this link but not sure this will help me solve the problem id:
     
    Any help would be appreciated!
    Thank you

    Hello

    If you use local authentication (user name and password on the ASA), then why would you need this threshold?

    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
     authentication ms-chap-v2
    !

    Remove it and try.

  • WRVS4400N with AG300 and VPN connections

    I bought a WRVS4400N router hoping to add wireless and VPN capability at a remote office LAN. I want to be able to establish a VPN connection from my PC to the central office to the WRVS4400N to remote desktop, access and administer systems at the remote office. Remote desktop systems is unnecessary access to systems to the central office.

    Before you deploy the WRVS4400N to remote desktop, I'm stable and by configuring it to our central office.

    Our central office is a router Linksys AG300 and ADSL service for Internet connection. It works well and I don't want to change it.

    I have connected the WRVS4400N to our central office LAN and it has an IP address on its WAN port assigned by the DHCP server on the AG300.

    What I do not understand is how to establish a VPN connection from a system on the Internet to the WRVS4400N on the local network. I have a laptop with the QuickVPN software installed. If I connect my laptop to the AG300 (i.e. the same switch as the WAN port on the WRVS4400N) I can establish a VPN connection to the WRVS4400N, but if I connect my laptop to the Internet (via my ADSL service at home), I am unable to set up the VPN. I don't know how to configure the AG300 so that the VPN from my laptop reaches the WRVS4400N.

    I transfer ipsec enabled on the AG300, but this does not seem to run the VPN with the WRVS4400N.

    Can someone tell me what I need to do?

    Is there some other DSL modem I could use that facilitates the connection? There is another DSL modem (I don't know make/model until I visit the site) used in remote desktop, but I could replace it if I knew that the replacement work.

    Update: I got it to work. See https://supportforums.cisco.com/thread/2108785 for the advice that has been most useful.

    The essential steps were to forward the ports indicated in this article (and UDP 500) to the WRVS4400N, and I dropped the MTU a bit (I do not know if this was really necessary). Now I can establish a QuickVPN connection, except when the Windows Firewall interferes.

    Hello

    Thank you for posting. In the AG300, forward the following ports to the IP address of the WRVS4400N WAN port: 443, 500, 4500, 60443. This allows you to establish a QuickVPN connection to the WRVS4400N using the WAN IP of the AG300.

  • 3 RVS 4000 with VPN connection

    Hello

    I want to connect 3 RVS 4000 routers in a triangle with VPN.

    I configured 3 routers, which can connect to the Internet. Each of them is configured as a gateway.

    I created 2 tunnels on each router, but the VPN connection cannot be established.

    Here is the configuration of ROUTER1; the others are configured in the same way, only the remote group configuration is different.

    Do I also have to open some ports for VPN? If yes, which and where?

    Thanks for your help and your response

    HP. Meyer

    Hi hanspetermeyer,

    Thank you for posting. You don't need to open all the ports for VPN. I noticed that your screenshot shows two routers have a common LAN subnet of 192.168.100.x. You will need a different local subnet for each router:

    1. Router 1: 192.168.1.1
    2. Router 2: 192.168.2.1
    3. Router 3: 192.168.3.1

    I think that you will find the tunnels only connect once you change the LAN IP of the routers so that they are on different subnets. Please let us know if it works.
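The subnet check behind that advice, as an added Python example that is not part of the original thread. The /24 masks, the 192.168.100.1 router addresses, router3's LAN in the "before" case and the host addresses are assumptions, since the screenshot is not on the page.

```python
import ipaddress
from itertools import combinations

# Constructed sample data. BEFORE models the reported state (two routers on
# 192.168.100.x; exact addresses and router3's LAN are assumptions).
# AFTER uses the three LAN addresses proposed in the answer. /24 is assumed.
BEFORE = {"router1": "192.168.100.1", "router2": "192.168.100.1",
          "router3": "192.168.3.1"}
AFTER = {"router1": "192.168.1.1", "router2": "192.168.2.1",
         "router3": "192.168.3.1"}


def lan_network(router_ip, mask="255.255.255.0"):
    """Network that a router's LAN interface address belongs to."""
    return ipaddress.ip_interface(f"{router_ip}/{mask}").network


def find_conflicts(sites):
    """Return (site_a, site_b, net_a, net_b) for every pair of sites whose
    LAN networks overlap, including one network containing the other."""
    nets = {name: lan_network(ip) for name, ip in sites.items()}
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def first_hop(local_router_ip, dst_ip):
    """Decision a host on the local LAN makes for dst_ip.

    'on-link' means the host ARPs for the destination on its own segment,
    so the packet never reaches the VPN router and never enters a tunnel.
    'gateway' means the packet is handed to the router, which can match it
    against a tunnel's local/remote group.
    """
    local = lan_network(local_router_ip)
    return "on-link" if ipaddress.ip_address(dst_ip) in local else "gateway"


if __name__ == "__main__":
    for label, sites in (("before", BEFORE), ("after", AFTER)):
        print(label, find_conflicts(sites) or "no overlapping LANs")
    # A host behind router1 addressing a host behind router2:
    print("before:", first_hop(BEFORE["router1"], "192.168.100.50"))
    print("after: ", first_hop(AFTER["router1"], "192.168.2.50"))
```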

  • VPN connection with external modem

    Cisco 2651XM router

    Using a WIC ADSL card I was able to establish a VPN connection from a computer to my Cisco 2651XM router with the Cisco VPN client successfully, but I can't get a connection using an external modem.

    My local network at the VPN server end is on 172.16.1.xx and goes into the router on f0/0, which is set to 172.16.1.30.

    Port f0/1 is 192.168.1.100 and goes to an external modem set as default gateway 192.169.1.254. With this configuration I can surf the internet on the computers in the LAN at the server end.

    The problem is that I can't get a VPN connection from a remote machine. It worked when I used the WIC ADSL connection, but then I used only the f0/0 port that was connected to my local network. But now that I'm including the f0/1 port to connect to an external modem, the VPN client cannot connect. The Cisco VPN client tries to connect by using TCP on port 10000 and I have to configure it in the modem, but I do not know if I did it correctly. I tried to forward the port to both 192.168.1.100 (f0/1) and 172.16.1.30 (f0/0), but neither will work. My running config is attached. Thanks for the pointers.

    ----------------------

    router#show running-config
    Building configuration...

    Current configuration : 2757 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname vpn
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    no logging console
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    enable password xxxxxxxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    !
    aaa session-id common
    !
    resource policy
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    ip name-server 192.168.1.254
    ip name-server 192.168.1.255
    ip ddns update method sdm_ddns1
     DDNS both
    !
    !
    !
    !
    !
    username xxxxxxxxxxx secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group workgroup
     key vpnkey
     pool SDM_POOL_2
    crypto isakmp profile sdm-ike-profile-1
     match identity group workgroup
     client authentication list sdm_vpn_xauth_ml_2
     isakmp authorization list sdm_vpn_group_ml_2
     client configuration address respond
     virtual-template 2
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA1
     set isakmp-profile sdm-ike-profile-1
    !
    !
    !
    !
    !
    interface ATM0/0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface FastEthernet0/0
     ip address 172.16.1.30 255.255.0.0
     ip nat inside
     ip virtual-reassembly
     speed auto
     half-duplex
     no mop enabled
    !
    interface FastEthernet0/1
     description $ETH-WAN$
     ip dhcp client update dns server none
     ip ddns update hostname vpn.vpn
     ip ddns update sdm_ddns1
     ip address dhcp client-id FastEthernet0/1
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Virtual-Template2 type tunnel
     ip unnumbered FastEthernet0/1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    !
    router rip
     version 2
     network 172.16.0.0
     network 192.168.1.0
     no auto-summary
    !
    ip local pool SDM_POOL_1 192.168.1.110 192.168.1.120
    ip local pool SDM_POOL_2 172.16.1.21 172.16.1.29
    !
    !
    ip http server
    no ip http secure-server
    ip nat inside source list 3 interface FastEthernet0/1 overload
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 172.16.0.0 0.0.255.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 3 remark SDM_ACL Category=2
    access-list 3 permit 172.16.0.0 0.0.255.255
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxxxxxxx
    !
    !
    end

    Hello

    On the ADSL modem, you must forward 500, port 4500 UDP and 10000 to the IP address of the router.

    Basically, you tell the modem to forward to 192.168.1.100 any packet received on 192.169.1.254.

    On the VPN client, choose UDP NAT encapsulation to make use of standard NAT-T.

    Please rate if this helped.

    Kind regards

    Daniel

  • VPN connected but no visible network

    So I have a Windows 7 desktop computer (VPN server) and a Windows 7 laptop (VPN client), and I have set up the incoming VPN connection on my desktop and a client VPN connection on my laptop. When I go and establish a VPN connection, it says that I'm connected on my laptop and my desktop, but I can't access my network resources. I've been cracking at this for a few weeks now and have gotten nowhere with it; any help would be greatly appreciated. Thank you!

    I can't access something like \\ServerName\ShareName, and I can't ping them either. The address ranges are not the same on the server and client networks. The funny thing is that it says I am connected at both ends. The client says that IPv4 has no internet access on the VPN, which is fine because all I want is access to the network, and it shows that I have an IP address assigned on the VPN adapter. On the server side it says that IPv4 and IPv6 are not connected, but if I do "ipconfig /all" it shows me its IP address on the VPN.

    On the client side, I've disabled 'Use default gateway on remote network' so that I can still have access to the internet on the client while I'm connected to the VPN. On the server side, I tried selecting "Assign addresses automatically using DHCP" as well as "Specify IP addresses" (with a range which is on the client and the server IP address range). I also have "Allow the calling computer to specify its own IP address" selected on the server.

    When I finally fell a VPN server on a Vista box I got the address assigned to the configuration of clients like that.

    http://theillustratednetwork.MVPs.org/Vista/PPTP/VPNSetup06.jpg

    The address range was the same as the server's LAN address range; in this case, I used 192.168.10.X on the local network.

    http://theillustratednetwork.MVPs.org/Vista/PPTP/ExampleVistaVPNNetwork.PDF

    The client would receive .31 or .32...

    Of course, this assumed that the client was not, or would not be, on a 192.168.10.X LAN to start. If it was, I could have problems connecting to shares on my server LAN.

    MS - MVP Windows Desktop Experience
    "When all else fails try what the captain suggested before you started..."

  • VPN connection before user logon in the domain environment

    I took a huge project, but managed to set up a comprehensive network for an organization not-for-profit.  Is only a single obstacle, but the answer is completely referring me.
    I installed a Windows 7 Ultimate in a test environment.  The server is standard 2012 and are located off site.  I have configured VPN and can connect, but remains one of the limitations...
    THE SITUATION
    ... the computer, I am preparing in aura production environment users and will be on the field.  They have shut down the computer during the night and on weekends.  During my tests, I found that VPN will NOT connect automatically.  I don't want a users to this remote location with access to the local office any longer.  Everyone must sign their credentials of domain only, and I'll be locking the local office with identifying information has changed.
    With the help of Google, I found several ways to automate the VPN connection, but every article I've read so far says that it happens as a script at Windows logon, which defeats the purpose here.  I want the VPN to be connected at startup, BEFORE the opening of the session, so that users can sign on to the domain immediately after powering on the computer.  I had considered just giving a directive to leave the PC on 24/7, but in case of a crash or regular Windows updates, that would put us back at the start.
    DEMAND
    Can I do so that the VPN connects automatically TO a user on a desktop computer log?
    THE SPECS
    The clients are on Windows 7 Ultimate Edition
    Connection VPN set up in windows (no third party software)
    Windows Server 2012 with Active Directory server-side
    Before someone says, yes I know that Server 2012 has called DirectAccess, however even if it is installed, it is not an option with my setup because I won't drag desktop through the city to connect to the domain when I can use VPN just as easily without the risk of damaging the material.
    I appreciate the answers and eager to solve this.  It must be possible, as I hear from companies doing this all the time for satellite facilities.  Have a good night :)

    Hello Christopher,

    The question you have posted is linked to the virtual private network (VPN), and the right place for you to contact would be TechNet support.

    I suggest you to check with TechNet support for more information.

    http://social.technet.Microsoft.com/forums/en-us/newThread?category=WindowsServer&Forum

  • PIX 515E - VPN connections

    Hello

    I have pix 515E and I configured a VPN on it. My users connect to my network from the internet via the Cisco VPN client.

    I have a problem: only one machine on their LAN can VPN from the Cisco VPN client to my network at once.

    Users are connected to the internet via an ADSL router and the LAN switch.

    --------------------------------------------------

    PIX Config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxx encrypted
    hostname ABCDEFGH
    domain-name ABCD.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list inside_out-nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list shared permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.2.1-192.168.2.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_out-nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host ABCDE timeout 10
    aaa-server LOCAL protocol local
    aaa-server radius protocol radius
    aaa-server radius max-failed-attempts 3
    aaa-server radius deadtime 10
    aaa-server partnerauth protocol radius
    aaa-server partnerauth max-failed-attempts 3
    aaa-server partnerauth deadtime 10
    aaa-server partnerauth (inside) host ABCDEFG myvpn1 timeout 10
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication partnerauth
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash md5
    isakmp policy 8 group 2
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup myvpn address-pool vpnpool
    vpngroup myvpn dns-server ABCDE
    vpngroup myvpn default-domain ABCD.com
    vpngroup myvpn split-tunnel splitting
    vpngroup myvpn idle-time 1800
    vpngroup myvpn password *
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.200-192.168.1.254 inside
    dhcpd dns ABCDE
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain ABCD.com
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    --------------------------------------------------

    Thanks in advance.

    -Amit

    Try to add the "isakmp nat-traversal" command to your PIX. I suspect what happens is that the remote LAN users are translated to a single IP address as they pass through the DSL connection. I also assume that the machine doing the translation has an IPSec passthrough capability. Linksys routers would be a good example of this type of NAT device that allows IPSec passthrough.

    If that's the case, only a single VPN connection will be able to operate at once. The above command will make the PIX detect clients that are located behind a NAT device, and then try to set up the VPN sessions in UDP packets and so work around the limitation of the NAT and IPSec passthrough device.
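A simplified model of the behaviour this answer describes, as an added Python example that is not part of the original thread: two clients behind one NAT device send either raw ESP or, as with `isakmp nat-traversal`, ESP wrapped in UDP port 4500. The `PassthroughNat` class, all addresses, and the assumption that the passthrough device tracks one ESP flow per remote peer are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "esp" (IP protocol 50, no ports) or "udp"
    sport: int = 0
    dport: int = 0


class PassthroughNat:
    """Port-translating NAT with IPsec passthrough (assumed behaviour:
    one ESP flow per remote peer, because ESP carries no port numbers)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_out = {}     # (inside ip, inside port) -> public port
        self.udp_in = {}      # public port -> (inside ip, inside port)
        self.esp_owner = {}   # remote peer -> the one inside host bound to it
        self.next_port = 40000

    def outbound(self, pkt):
        """Translate a LAN packet; return None if the NAT cannot map it."""
        if pkt.proto == "esp":
            owner = self.esp_owner.setdefault(pkt.dst, pkt.src)
            if owner != pkt.src:
                return None                   # peer already bound to another host
            return Packet(self.public_ip, pkt.dst, "esp")
        key = (pkt.src, pkt.sport)
        if key not in self.udp_out:
            port = pkt.sport
            while port in self.udp_in:        # source port taken: pick another
                port, self.next_port = self.next_port, self.next_port + 1
            self.udp_out[key] = port
            self.udp_in[port] = key
        return Packet(self.public_ip, pkt.dst, "udp", self.udp_out[key], pkt.dport)

    def inbound(self, pkt):
        """Inside host that a packet from the Internet is delivered to."""
        if pkt.proto == "esp":
            return self.esp_owner.get(pkt.src)
        inside = self.udp_in.get(pkt.dport)
        return inside[0] if inside else None


# Constructed addresses (documentation ranges for the public side).
PIX_OUTSIDE = "203.0.113.1"
CLIENTS = ["192.168.0.10", "192.168.0.11"]


def clients_with_two_way_traffic(nat_traversal):
    """Clients whose tunnel traffic reaches the PIX and whose replies
    are delivered back to them through the NAT device."""
    nat = PassthroughNat("198.51.100.7")
    working = []
    for client in CLIENTS:
        if nat_traversal:                     # ESP inside UDP 4500 (NAT-T)
            sent = Packet(client, PIX_OUTSIDE, "udp", 4500, 4500)
        else:                                 # raw ESP through passthrough
            sent = Packet(client, PIX_OUTSIDE, "esp")
        seen_by_pix = nat.outbound(sent)
        if seen_by_pix is None:
            continue
        reply = Packet(PIX_OUTSIDE, seen_by_pix.src, seen_by_pix.proto,
                       seen_by_pix.dport, seen_by_pix.sport)
        if nat.inbound(reply) == client:
            working.append(client)
    return working


if __name__ == "__main__":
    print("raw ESP:", clients_with_two_way_traffic(nat_traversal=False))
    print("NAT-T:  ", clients_with_two_way_traffic(nat_traversal=True))
```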
