Failover with VPN concentrator
Hi all
We have unique VPN concentrator which is the single point of failure, so need your help to mitigate the same
The topology diagram is attached
Site A and Site B.
Site B has internet gateways where we have existing VPN.
The intention to introduce the site A & Concentrator VPN gateway VPN is set as well
Our design is provided for in
Connectivity between the two locations & other office is managed by BGP.
Default route is pointing at the Internet gateway.
Info by the Internet Segment.
· We have the SP independent IP range
· Switching between 2 SP to site B is obtained by using the iBGP and eBGP
Challenge: VPN concentrator single Point of failure (the Cisco VPN concentrator 3000)
Here are the design goals
· Implement internet gateways to the Site - A which will have redundancy level of Portal Site
· Place on the VPN concentrator, which will act as a switch between site
o If the concentrator vpn site B is out of box A VPN site must support all traffic.
Concentrator VPN active o replica of Site B
Is it possible to achieve the objectives of design.
Please help about the VPN concentrator... How I can set VPN concentrator in failover mode... Just as we do firewalls?
Help, please
Hi yogesh,
Concentrator VPN supports failover through VRRP. Please find the following for your reference document:
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml
As for the addition of failover for VPN concentrator, you happen to have a spare hub VPN to run VRRP?
Don't know if you know, however, VPN concentrator comes end of life and the last delivery date was November 2007, as a result, you will not be able to buy VPN concentrator more.
Here's the EOL notificatin for your reference:
Tags: Cisco Security
Similar Questions
-
problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator
Hi, I worked with Cisco and the seller for 2 weeks on this.II am hoping that what we are witnessing will ring a Bell with someone.
Some basic information:
I work at a seller who needs from one site to the other tunnel. There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system. I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range. So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator. The hosts behind the tunnel use 20x.x.x.x public IP addresses.
My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper. The seller sees my packages and provider host meets them and sends them to the tunnel. They never reach the external interface on my Cisco router.
I'm from the external interface so that my endpoint and the peers are the same IP address. (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.) Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)
I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host. Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel. The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel. The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.
The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.
Here is what we have done so far:
(1) confirm the config with the help of Cisco 2811. The tunnel is up. SH cyrpto ipa wristwatch tunnel upward.
(2) turn on Nat - T side of the tunnel VPN landscapers
(3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
(4) successfully, tunnel and reach a different configuration hosting
(5) to confirm all the settings of tunnel with the seller
(6) the seller confirmed that his side host has no way and that it points to the default gateway
(7) to rebuild the tunnel from scratch
8) confirm with our ISP that no way divert traffic elsewhere. My gateway lSP sees my directly connected external address.
(9) confirm that the ACL matches with the seller
(10) I can't get the Juniper because he is in production and in constant useIs there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?
Options or ideas are welcome. I had countless sessions with Cisco webex, but do not have access to the hub of the seller. I can forward suggestions.
Here's a code
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac
Crypto-map dynamic dynmap 30
Set transform-set RIGHTISAKMP crypto key
address No.-xauth interface FastEthernet0/0
Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
IP255.255.255.240
IP access-group 107 to
IP access-group out 106
NAT outside IP
IP virtual-reassembly
route IP cache flow
automatic duplex
automatic speed
crypto mymap maplogging of access lists (applied outside to get an idea of what will happen. No esp traffic happens, he has never hits)
allowed access list 106 esp host
host newspaper
106 ip access list allow a whole
allowed access list 107 esp hosthost Journal
access-list 107 permit ip hosthost Journal access-list 107 permit ip host
host Journal
107 ip access list allow a wholeCrypto isa HS her
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
QM_IDLE ASSETS 0 1010 "Mymap" ipsec-isakmp crypto map 1
Peer =.
Extend the 116 IP access list
access - list 116 permit ip hosthost (which is a public IP address))
Current counterpart:
Life safety association: 4608000 kilobytes / 2800 seconds
PFS (Y/N): N
Transform sets = {}
myTrans,
}OK - so I have messed around the lab for 20 minutes and came up with the below (ip are IP test:-)
(4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT
!
(1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT!
IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function!
(6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic
!
(2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication
(3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT
(1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT
!
(5) crypto-nat route-map permit 5 <> condition for the specific required NAT
corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td(7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl
Then, how the works above, when a package with the what IP 172.16.1.0/24 source wants to leave the router to connect to google, say the source will change to IP interface (1). When 172.16.1.0/24 wants to talk to172.16.2.0/24, it does not get translated (2). When the remote end traffic equaled the following clause of NAT - the already NAT'td IP will not be affected again (3) when a host 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a NAT NAT specific pool is required (4). We must define a method of specific traffic to apply the NAT with a roadmap (5) which applies only when the specific traffic (6), then simply define the interesting traffic to the VPN to initiate and enable comms (7) corresponding
-
VPN concentrator + PIX on LAN->; customers can not reach local servers
Hello
I have a problem wrt. remote access clients coming via a VPN3000 concentrator and trying to access local servers.
For the topology:
The internal network is 10.0.1.0/24. It connects with the outside world, as well as via a PIX DMZ; the PIX has 10.0.1.1 in the internal network.
On the same LAN (internal), I have the VPN concentrator for the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the
VPN client-PCs.
I can sucessfully connect using the VPN client SW to the hub, i.e. remote access clients out addresses
the 10.0.100.0/24 range.
The problem: access from VPN clients to internal network is * not * possible; for example, a customer with 10.0.100.1 cannot connect to
internal to the 10.0.1.28 server.
To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea on how to reach customers in
10.0.100.0/24. The only thing that the server is a default static route pointing to the PIX, i.e. 10.0.1.1.
So I set up a static route on the PIX for 10.0.100.0 pointing to the hub-VPN, that is
Mylan route 10.0.100.0 255.255.255.0 10.0.1.5 1
This does not solve my problem though.
In the PIX logs, I see the entries as follows:
% 3 PIX-106011: deny entering (no xlate) tcp src trainee: 10.0.1.28 (atlas) / 445 intern dst: 10.0.100.1 (pending) 1064
The PIX seems to abandon return packages, i.e. traffic from the server back to the client
To my knowledge, the problem seems to be:
Short traffic VPN - client-> Concentrator VPN-> Server-> PIX - where it gets moved.
My reasoning: the PIX only sees the package back, i.e. the package back from the server to the client - and therefore decreasing the
package because he has not seen the package from the client to the server.
So here are my questions:
(o) how do I configure the PIX that I be connectivity between my remote VPN clients (10.0.100.0/24) and
computers servers on the local network (10.0.1.0/24)?
(o) someone else you have something like this going?
PS: Please note that the first obvious idea, installation of static routes on all machines on the local network is not an option here.
Thank you very much in advance for your help,.
-ewald
Hello, PIX the because can not route traffic on the same interface (prior to version 7.0 anyway), I suggest you two places your hub to the outside with the inside of the legs on a zone demilitarized or (if you can not do a makeover of the network) you remove your pool with 10.0.100.0 - addresses and create a pool with 10.0.1.0 - addresses which is a part of the address space. No, NOT all. A little book that it is not used inside.
Best regards
Robert Maras
-
Replication failover PIX VPN (CEP) certificate
Hello
Had a pair of PIX 525 on 6.3 (4) version running in active/failover mode, I recently configured VPN authenticated by certificates, which involved the use of PRACTICE in order to get the certificate to the PIX. Certificates have been imported for the PIX from a snap-in with the software component CEP Protocol Windows CA server by following the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .
It all works very well, the configuration has been saved, certificates registered cases using "ca save all", everything works well except the certificates that have been imported have not been replicated for the PIX failover - the command 'Show the ca certificate', shows not all certs.
Private keys show 'sh ca mypubkey rsa' are the same on both devices.
I'm not able to find any documentation about how certificates must be replicated on the PIX failover, and it is not possible to write certificates again on the PIX failover using the commands they were initially imported by:
PIX - fw # conf t
WARNING *.
Configuration of replication is NOT performed the unit from standby to Active unit.
Configurations are no longer synchronized.PIX - FW (config) auth ca ca
WARNING *.
Configuration of replication is NOT performed the unit from standby to Active unit.
Configurations are no longer synchronized.Everyone knows a similar issue or how to get the PIX failover with the new ca certificates?
Kind regards
Sarunas
Hello Sarunas
PIX 6 indeed do not synchronize keys and certificates automatically.
However, you should be able to do this first, forcing a failover (i.e. secondary image make it active), then register (now active) high school with the certification authority.
HTH
Herbert
-
RV042 v3 &; RV082 v3: WAN Failover + restore VPN
We have a v3 RV082 and RV042 v3 with latest firmware.
They have all two Dual WAN (backup active Smartlink).
They connect with each other via the VPN (with VPN enabled and configured backup Tunnel).
When primary internet (WAN1) fails, and it switches to the internet backup (WAN2),
We have to manually replace the VPN of WAN1 WAN2 interface to restore
the VPN tunnel.
We tried to create a second instance of VPN using WAN2, however it will not save
due to a conflict of network with VPN original (even if we move the destination VPN
IP and VPN backup tunnel IP). I imagine that the conflict is the destination network.
How do we automate the VPN interface change an outage of the internet?
Or about what work can be done to ensure the VPN is restored after a
failover of the Internet (WAN interface change).
To address scenarios, you need the two operating sites in the double-wan load-balancing mode. The main tunnel is formed with two interfaces WAN1 and the backup tunnel is formed with two interfaces to WAN2.
-
Cisco VPN Client behind PIX 515E,->; VPN concentrator
I'm trying to configure a client as follows:
The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.
Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.
You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?
-
3015 VPN concentrator Version help
The 3015 comes not only as no redundant hw together? If not, how do I know which version I have?
I don't have the CD of VPN client supplied with the appliance, can it be downloaded or bought?
Thanks for any help.
Jeff
The 3015 comes with no card encryption HW (SEPs). This is the same chassis as the 3030, 3060 and 3080, the only difference between the models is the memoy in the box and how many MS and feeds they included. The 3015 allows you to upgrade to a more powerful area by simple addition of MS, but as is, it's basically empty.
The client code and the VPN concentrator here are downloadable from EAC:
http://www.Cisco.com/Kobayashi/SW-Center/SW-VPN.shtml
You will need a CCO login that has access to this page.
-
I've got a 3030 VPN concentrator with 4.0.1 B. I OS release have implemented a policy of BW for the VPN site - to many. Is it possible to check/see if the policy is applied (for example, deleted if traffic over the limit)?
Thank you, Meg
Monitoring - statistics - bandwidth Mgmt should give you some details.
-
Download the firmware from the 3030 VPN concentrator?
Hello
I would like to download a newer firmware our vpn concentrator but wish to download a copy of the old firmware. Is this possible and how can I do? It seems that the only option is to download, as well as a fall on a document that indicate how to go back but still doesn't explain not how can I get a copy of the old firmware. Thank you
I think that Cisco pulls some of the older minor revisions out of the web for major versions when the image becomes a bit old. 3.5 (3), you should be fine with 3.6 (which is available for download). You cannot copy the picture from the hub as far as I know.
-
I'm running the port scan (Angry IP Scanner) against VPN concentrator. Sometimes it shows the port as open 21. I have disabled ftp under "Management protocols" sometimes it shows the port 389 & 1002 as open. What wrong with my VPN concentrator?
I activated only IPSEC protocol Tunneling.
When I run the scan of port which ports are should be included amongst them open?
Thank you
Hello avilt,
VCA means Cluster Virtual Agent. This is used mainly when the VPN 3000 pair is configured for load balancing,... when doing so cells communicate with each other on VCA and we must normally allow this on the filters...
My question is, u have allowed this filter on the public interface? you see the ports via the VPN concentrator or you make a sweep WILL and see these ports (such as FTP) to be opened on the VPN concentrator?
REDA
-
Redundancy of VPN concentrator
Hello
I have some doubts on the VRRP process in VPN concentrators.
(1) the shared address group (private and public) is the same as addresses real Ip of the master, correct?
For example, if I have it set up like this:
Master: public (10.10.10.1); private (20.20.20.1)
Backup: public (10.10.10.2); private (20.20.20.2)
Shared group address must be: public (10.10.10.1) and private (20.20.20.1), correct?
(2) if I already have a configured VPN concentrator and I would like to had another one for redundancy, and I maintain the same IP address as before for the master, I don't need to change anything to the neighbors of the VPN concentrator, right?
(3) if the master goes down, the backup will take over VPN connections, users will always use the same IP address that before to connect by VPN. However if I want to access the administration of backup should I always access the correct 20.20.20.2?
Thank you.
Best regards
Norberto
Yes, you are absolutely right with your 3 statements.
With your second question, if you want to add another VPN hub for redundancy, you can actually use the other VPN concentrator configuration and simply change the ip address that you assign to the public and private interfaces is unique. Everything must be the same it is the shared group addresses, as well as the role as a slave instead of master.
Here is more information about VRRP for your reference:
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml
Hope that helps.
-
VPN concentrator 3005 - problem of IP attribution
I have a strange problem with the VPN concentrator 3005. I have the private interface configured with 192.168.3.3/24 as the ip address. For all the users I assign an ip address from the same network (for example) 192.168.3.105/24 or use an IP address pool (192.168.3.100 - 192.168.3.150) the connection fails and the hub will specify that it cannot assign an ip address to the client.
However, if I configure the user address pool or a client on a subnet different it works and the user GET connected. For example, 192.168.2.105/24. I hit him a back-end switch and do not really want to have to add a router to talk between subnets.
Am I missing something?
Any help is appreciated!
Alan,
It is recommended to assign another pool of IP addresses for VPN clients to internal network.
Although it is not recommended, you should be able to assign a Pool of IP addresses that is part of the same internal network and it should work. The only thing that you must be aware of, is that this range of IP addresses assigned to customers should not be used on the internal network
You can post the VPN3000 logs when its not able to assign an IP address to the VPN Client.
Let me know if it helps.
Kind regards
Arul
* Please note all useful messages *.
-
What has replaced the vpn concentrator?
Greenhorn here, I was not to sit in this place. We have three remote sites, sister of institutions, we share an app with. Host us the app. A site has a configuration of vpn concentrator, the other two use a leased from point to point line. They each have a router that connects to a single router. They want to replace the lines leased by using a vpn. Do the digging, I see that the hubs are EOL.
So, what is used to replace the hub today? What is a solution today from leased lines? They are all poor profit. My guess is that they will say look on Ebay for a hub if the solution is too expensive.
Thanks Jim
Jim
The package of security (CISCO2901-SEC/K9 or CISCO2921-SEC/K9) is the convenient way to get the combination of the router, the software and licenses you will need. I don't think that you need something more elaborate than one of these security packages.
I think one of these would be a good choice for you. It's been a while since I looked at the details of these routers. My recollection is that the 2921 offers more power, more interfaces and a few other benefits and would be attractive to many of us. But I think I understand your needs, I believe that the 2901 router cheaper and quite adequate for you.
HTH
Rick
-
I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.
1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.
2. cannot access other networks except the network associated with the inside interface natively.
3. I can not ping to the internet from inside, be it on the VPN or not.
I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.
Here is the config:
Output of the command: "sh run".
: Saved
:
ASA Version 8.4 (1)
!
hostname BVGW
domain blueVector.com
activate qWxO.XjLGf3hYkQ1 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 10
IP 5.29.79.10 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.17.1.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 172.19.1.1 255.255.255.0
management only
!
passive FTP mode
DNS server-group DefaultDNS
domain blueVector.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
the subject of WiFi network
172.17.100.0 subnet 255.255.255.0
WiFi description
the object to the Interior-net network
172.17.1.0 subnet 255.255.255.0
network of the NOSPAM object
Home 172.17.1.60
network of the BH2 object
Home 172.17.1.60
the EX2 object network
Home 172.17.1.61
Description internal Exchange / SMTP outgoing
the Mail2 object network
Home 5.29.79.11
Description Ext EX2
network of the NETWORK_OBJ_172.17.1.240_28 object
subnet 172.17.1.240 255.255.255.240
network of the NETWORK_OBJ_172.17.200.0_24 object
172.17.200.0 subnet 255.255.255.0
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
the DM_INLINE_NETWORK_1 object-group network
network-object BH2
network-object NOSPAM
Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group
Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0
mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source EX2 Mail2
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination
NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
!
the object to the Interior-net network
NAT (inside, outside) dynamic interface
network of the NOSPAM object
NAT (inside, outside) static 5.29.79.12
Access-group Outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1
Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1
Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1
Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1
Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1
Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server blueVec protocol ldap
blueVec AAA-server (inside) host 172.17.1.41
LDAP-base-dn DC = adrs1, DC = net
LDAP-group-base-dn DC = EIM, DC = net
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net
microsoft server type
Enable http server
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 inside
http 24.32.208.223 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
authentication crack
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 172.17.1.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 172.17.1.100 - 172.17.1.200 inside
dhcpd 4.2.2.2 dns 8.8.8.8 interface inside
dhcpd lease interface 100000 inside
dhcpd adrs1.net area inside interface
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
WebVPN
internal blueV group policy
attributes of the strategy of group blueV
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
value by default-field ADRS1.NET
internal blueV_1 group policy
attributes of the strategy of group blueV_1
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
adrs1.NET value by default-field
username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA
username gwhitten attributes
VPN-group-policy blueV
rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username
attributes of username rparker
VPN-group-policy blueV
username mhale encrypted password privilege 0 2reWKpsLC5em3o1P
username mhale attributes
VPN-group-policy blueV
VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password
username VpnUser2 attributes
VPN-group-policy blueV
Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password
username Vpnuser3 attributes
VPN-group-policy blueV
username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb
username VpnUser1 attributes
VPN-group-policy blueV
username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS
username dcoletto attributes
VPN-group-policy blueV
username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0
username jmcleod attributes
VPN-group-policy blueV
rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username
rhanna attributes username
VPN-group-policy blueV
username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk
username rheimann attributes
VPN-group-policy blueV
username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo
username jwoosley attributes
VPN-group-policy blueV
2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username
kdavis username attributes
VPN-group-policy blueV
username mbell encrypted password privilege 0 adskOOsnVPnw6eJD
username mbell attributes
VPN-group-policy blueV
bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username
bmiller username attributes
VPN-group-policy blueV
type tunnel-group blueV remote access
tunnel-group blueV General-attributes
address VPN2 pool
authentication-server-group blueVec
Group Policy - by default-blueV_1
blueV group of tunnel ipsec-attributes
IKEv1 pre-shablue-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:2491a825fb8a81439a6c80288f33818e
: end
Any help is appreciated!
-Roger
Hey,.
Unfortunately, I do not use ASDM myself but will always mention things that could be done.
You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active
You have the following line under the "group policy"
Split-tunnel-policy tunnelspecified
You will also need this line
Split-tunnel-network-list value
Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?
To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT
VPN-CLIENT-PAT-SOURCE network object-group
object-network 172.17.200.0 255.255.255.0
NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE
In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work
I could myself try the following configuration of NAT
object-group, network LAN-NETWORKS
object-network 10.2.0.0 255.255.255.0
object-network 10.3.0.0 255.255.255.128
object-network 10.10.10.0 255.255.255.0
object-network 172.17.100.0 255.255.255.0
object-network 172.18.1.0 255.255.255.0
object-network 192.168.1.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.30.0 255.255.255.0
object-group, network VPN-POOL
object-network 172.17.200.0 255.255.255.0
NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL
Add ICMP ICMP Inspection
Policy-map global_policy
class inspection_default
inspect the icmp
or alternatively
fixup protocol icmp
This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.
-Jouni
-
VPN concentrator - using several authentication servers
Hello
I have a question regarding the use of more than one authentication server to authenticate users connecting to a VPN concentrator.
Is it possible to add several, different (for example: SDI and RADUIS) servers for authentication in the list and make sure that users authenticate to each other to establish the VPN. It seems just a user to authenticate through one of them to establish a VPN. Can you make the user to authenticate through multiple servers?
Thank you
Cam
Cam
I have no experience with this issue, so I have an opinion but no facts. I suppose that it is possible to separate the authentication of the user of the NAC/posture validation.
Perhaps someone with experience with this or the necessary expertise for this can help us with some facts.
HTH
Rick
Maybe you are looking for
-
Upgrade to IOS 10.02 since then stop it WiFi on iphone 7. No idea how to fix? no idea how to report to apple?
-
My computer will not download iTunes or Skype error APPDATA and ASL.ll
My computer will not download iTunes or Skype because he "cannot find"APPDATA"and ASL.ll. Can anyone help?
-
My hotmail screen comes up and when I go in the box it opens the first page but the hourglass will not go away, nor, it let me open mail or send an e-mail. ???
-
Pavilion w2007: windows vist stop working
Missing Windows of the screen. a message in the lower right corner says "this copy of windows vista is not genuine. It came with the computer which i purched new sams club. He directs me to a window that gives me a choice of entering a code that c
-
I was wondering if there was a way to disable the mode "standby", only when the computer is idle? Like say I want to play music on my laptop as I do in bed. If I close the lid, it stops the music and goes to sleep. I don't want to leave the lid op