Failover with VPN concentrator

Similar Questions

• problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

  Hi, I worked with Cisco and the seller for 2 weeks on this.II am hoping that what we are witnessing will ring a Bell with someone.

  Some basic information:

  I work at a seller who needs from one site to the other tunnel.  There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system.  I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range.  So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

  My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper.  The seller sees my packages and provider host meets them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

  I'm from the external interface so that my endpoint and the peers are the same IP address.  (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.)  Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)

  I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host.  Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel.   The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel.  The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

  The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

  Here is what we have done so far:

  (1) confirm the config with the help of Cisco 2811.  The tunnel is up.  SH cyrpto ipa wristwatch tunnel upward.
  (2) turn on Nat - T side of the tunnel VPN landscapers
  (3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
  (4) successfully, tunnel and reach a different configuration hosting
  (5) to confirm all the settings of tunnel with the seller
  (6) the seller confirmed that his side host has no way and that it points to the default gateway
  (7) to rebuild the tunnel from scratch
  8) confirm with our ISP that no way divert traffic elsewhere.  My gateway lSP sees my directly connected external address.
  (9) confirm that the ACL matches with the seller
  (10) I can't get the Juniper because he is in production and in constant use

  Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

  Options or ideas are welcome.  I had countless sessions with Cisco webex, but do not have access to the hub of the seller.  I can forward suggestions.

  Here's a code

  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 2
  BA 3des
  preshared authentication
  Group 2

  Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac

  Crypto-map dynamic dynmap 30
  Set transform-set RIGHT

  ISAKMP crypto key address No.-xauth

  interface FastEthernet0/0
  Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
  IP 255.255.255.240
  IP access-group 107 to
  IP access-group out 106
  NAT outside IP
  IP virtual-reassembly
  route IP cache flow
  automatic duplex
  automatic speed
  crypto mymap map

  logging of access lists (applied outside to get an idea of what will happen.  No esp traffic happens, he has never hits)

  allowed access list 106 esp host host newspaper
  106 ip access list allow a whole
  allowed access list 107 esp host host Journal
  access-list 107 permit ip host host Journal

  access-list 107 permit ip host host Journal
  107 ip access list allow a whole

  Crypto isa HS her
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
    QM_IDLE ASSETS 0 1010

  "Mymap" ipsec-isakmp crypto map 1
  Peer =.
  Extend the 116 IP access list
  access - list 116 permit ip host host (which is a public IP address))
  Current counterpart:
  Life safety association: 4608000 kilobytes / 2800 seconds
  PFS (Y/N): N
  Transform sets = {}
  myTrans,
  }

  OK - so I have messed around the lab for 20 minutes and came up with the below (ip are IP test:-)

  (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT

  !
  (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT

  !
  IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function

  !

  (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic

  !

  (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

  (3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT

  (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT

  !

  (5) crypto-nat route-map permit 5 <> condition for the specific required NAT
  corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td

  (7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl

  Then, how the works above, when a package with the what IP 172.16.1.0/24 source wants to leave the router to connect to google, say the source will change to IP interface (1).  When 172.16.1.0/24 wants to talk to172.16.2.0/24, it does not get translated (2).  When the remote end traffic equaled the following clause of NAT - the already NAT'td IP will not be affected again (3) when a host 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a NAT NAT specific pool is required (4).  We must define a method of specific traffic to apply the NAT with a roadmap (5) which applies only when the specific traffic (6), then simply define the interesting traffic to the VPN to initiate and enable comms (7) corresponding

• VPN concentrator + PIX on LAN-&gt; customers can not reach local servers

  Hello

  I have a problem wrt. remote access clients coming via a VPN3000 concentrator and trying to access local servers.

  For the topology:

  The internal network is 10.0.1.0/24. It connects with the outside world, as well as via a PIX DMZ; the PIX has 10.0.1.1 in the internal network.

  On the same LAN (internal), I have the VPN concentrator for the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the

  VPN client-PCs.

  I can sucessfully connect using the VPN client SW to the hub, i.e. remote access clients out addresses

  the 10.0.100.0/24 range.

  The problem: access from VPN clients to internal network is * not * possible; for example, a customer with 10.0.100.1 cannot connect to

  internal to the 10.0.1.28 server.

  To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea on how to reach customers in

  10.0.100.0/24. The only thing that the server is a default static route pointing to the PIX, i.e. 10.0.1.1.

  So I set up a static route on the PIX for 10.0.100.0 pointing to the hub-VPN, that is

  Mylan route 10.0.100.0 255.255.255.0 10.0.1.5 1

  This does not solve my problem though.

  In the PIX logs, I see the entries as follows:

  % 3 PIX-106011: deny entering (no xlate) tcp src trainee: 10.0.1.28 (atlas) / 445 intern dst: 10.0.100.1 (pending) 1064

  The PIX seems to abandon return packages, i.e. traffic from the server back to the client

  To my knowledge, the problem seems to be:

  Short traffic VPN - client-> Concentrator VPN-> Server-> PIX - where it gets moved.

  My reasoning: the PIX only sees the package back, i.e. the package back from the server to the client - and therefore decreasing the

  package because he has not seen the package from the client to the server.

  So here are my questions:

  (o) how do I configure the PIX that I be connectivity between my remote VPN clients (10.0.100.0/24) and

  computers servers on the local network (10.0.1.0/24)?

  (o) someone else you have something like this going?

  PS: Please note that the first obvious idea, installation of static routes on all machines on the local network is not an option here.

  Thank you very much in advance for your help,.

  -ewald

  Hello, PIX the because can not route traffic on the same interface (prior to version 7.0 anyway), I suggest you two places your hub to the outside with the inside of the legs on a zone demilitarized or (if you can not do a makeover of the network) you remove your pool with 10.0.100.0 - addresses and create a pool with 10.0.1.0 - addresses which is a part of the address space. No, NOT all. A little book that it is not used inside.

  Best regards

  Robert Maras

• Replication failover PIX VPN (CEP) certificate

  Hello

  Had a pair of PIX 525 on 6.3 (4) version running in active/failover mode, I recently configured VPN authenticated by certificates, which involved the use of PRACTICE in order to get the certificate to the PIX. Certificates have been imported for the PIX from a snap-in with the software component CEP Protocol Windows CA server by following the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .

  It all works very well, the configuration has been saved, certificates registered cases using "ca save all", everything works well except the certificates that have been imported have not been replicated for the PIX failover - the command 'Show the ca certificate', shows not all certs.

  Private keys show 'sh ca mypubkey rsa' are the same on both devices.

  I'm not able to find any documentation about how certificates must be replicated on the PIX failover, and it is not possible to write certificates again on the PIX failover using the commands they were initially imported by:

  PIX - fw # conf t
  WARNING *.
  Configuration of replication is NOT performed the unit from standby to Active unit.
  Configurations are no longer synchronized.

  PIX - FW (config) auth ca ca
  WARNING *.
  Configuration of replication is NOT performed the unit from standby to Active unit.
  Configurations are no longer synchronized.

  Everyone knows a similar issue or how to get the PIX failover with the new ca certificates?

  Kind regards

  Sarunas

  Hello Sarunas

  PIX 6 indeed do not synchronize keys and certificates automatically.

  However, you should be able to do this first, forcing a failover (i.e. secondary image make it active), then register (now active) high school with the certification authority.

  HTH

  Herbert

• RV042 v3 &amp; RV082 v3: WAN Failover + restore VPN

  We have a v3 RV082 and RV042 v3 with latest firmware.

  They have all two Dual WAN (backup active Smartlink).

  They connect with each other via the VPN (with VPN enabled and configured backup Tunnel).

  When primary internet (WAN1) fails, and it switches to the internet backup (WAN2),

  We have to manually replace the VPN of WAN1 WAN2 interface to restore

  the VPN tunnel.

  We tried to create a second instance of VPN using WAN2, however it will not save

  due to a conflict of network with VPN original (even if we move the destination VPN

  IP and VPN backup tunnel IP).  I imagine that the conflict is the destination network.

  How do we automate the VPN interface change an outage of the internet?

  Or about what work can be done to ensure the VPN is restored after a

  failover of the Internet (WAN interface change).

  To address scenarios, you need the two operating sites in the double-wan load-balancing mode. The main tunnel is formed with two interfaces WAN1 and the backup tunnel is formed with two interfaces to WAN2.

• Cisco VPN Client behind PIX 515E,-&gt; VPN concentrator

  I'm trying to configure a client as follows:

  The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

  Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

  You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

• 3015 VPN concentrator Version help

  The 3015 comes not only as no redundant hw together? If not, how do I know which version I have?

  I don't have the CD of VPN client supplied with the appliance, can it be downloaded or bought?

  Thanks for any help.

  Jeff

  The 3015 comes with no card encryption HW (SEPs). This is the same chassis as the 3030, 3060 and 3080, the only difference between the models is the memoy in the box and how many MS and feeds they included. The 3015 allows you to upgrade to a more powerful area by simple addition of MS, but as is, it's basically empty.

  The client code and the VPN concentrator here are downloadable from EAC:

  http://www.Cisco.com/Kobayashi/SW-Center/SW-VPN.shtml

  You will need a CCO login that has access to this page.

• BW policy on VPN concentrator

  I've got a 3030 VPN concentrator with 4.0.1 B. I OS release have implemented a policy of BW for the VPN site - to many. Is it possible to check/see if the policy is applied (for example, deleted if traffic over the limit)?

  Thank you, Meg

  Monitoring - statistics - bandwidth Mgmt should give you some details.

• Download the firmware from the 3030 VPN concentrator?

  Hello

  I would like to download a newer firmware our vpn concentrator but wish to download a copy of the old firmware. Is this possible and how can I do? It seems that the only option is to download, as well as a fall on a document that indicate how to go back but still doesn't explain not how can I get a copy of the old firmware. Thank you

  I think that Cisco pulls some of the older minor revisions out of the web for major versions when the image becomes a bit old. 3.5 (3), you should be fine with 3.6 (which is available for download). You cannot copy the picture from the hub as far as I know.

• Ports open VPN concentrator

  I'm running the port scan (Angry IP Scanner) against VPN concentrator. Sometimes it shows the port as open 21. I have disabled ftp under "Management protocols" sometimes it shows the port 389 & 1002 as open. What wrong with my VPN concentrator?

  I activated only IPSEC protocol Tunneling.

  When I run the scan of port which ports are should be included amongst them open?

  Thank you

  Hello avilt,

  VCA means Cluster Virtual Agent. This is used mainly when the VPN 3000 pair is configured for load balancing,... when doing so cells communicate with each other on VCA and we must normally allow this on the filters...

  My question is, u have allowed this filter on the public interface? you see the ports via the VPN concentrator or you make a sweep WILL and see these ports (such as FTP) to be opened on the VPN concentrator?

  REDA

• Redundancy of VPN concentrator

  Hello

  I have some doubts on the VRRP process in VPN concentrators.

  (1) the shared address group (private and public) is the same as addresses real Ip of the master, correct?

  For example, if I have it set up like this:

  Master: public (10.10.10.1); private (20.20.20.1)

  Backup: public (10.10.10.2); private (20.20.20.2)

  Shared group address must be: public (10.10.10.1) and private (20.20.20.1), correct?

  (2) if I already have a configured VPN concentrator and I would like to had another one for redundancy, and I maintain the same IP address as before for the master, I don't need to change anything to the neighbors of the VPN concentrator, right?

  (3) if the master goes down, the backup will take over VPN connections, users will always use the same IP address that before to connect by VPN. However if I want to access the administration of backup should I always access the correct 20.20.20.2?

  Thank you.

  Best regards

  Norberto

  Yes, you are absolutely right with your 3 statements.

  With your second question, if you want to add another VPN hub for redundancy, you can actually use the other VPN concentrator configuration and simply change the ip address that you assign to the public and private interfaces is unique. Everything must be the same it is the shared group addresses, as well as the role as a slave instead of master.

  Here is more information about VRRP for your reference:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

  Hope that helps.

• VPN concentrator 3005 - problem of IP attribution

  I have a strange problem with the VPN concentrator 3005. I have the private interface configured with 192.168.3.3/24 as the ip address. For all the users I assign an ip address from the same network (for example) 192.168.3.105/24 or use an IP address pool (192.168.3.100 - 192.168.3.150) the connection fails and the hub will specify that it cannot assign an ip address to the client.

  However, if I configure the user address pool or a client on a subnet different it works and the user GET connected. For example, 192.168.2.105/24. I hit him a back-end switch and do not really want to have to add a router to talk between subnets.

  Am I missing something?

  Any help is appreciated!

  Alan,

  It is recommended to assign another pool of IP addresses for VPN clients to internal network.

  Although it is not recommended, you should be able to assign a Pool of IP addresses that is part of the same internal network and it should work. The only thing that you must be aware of, is that this range of IP addresses assigned to customers should not be used on the internal network

  You can post the VPN3000 logs when its not able to assign an IP address to the VPN Client.

  Let me know if it helps.

  Kind regards

  Arul

  * Please note all useful messages *.

• What has replaced the vpn concentrator?

  Greenhorn here, I was not to sit in this place.  We have three remote sites, sister of institutions, we share an app with.  Host us the app.  A site has a configuration of vpn concentrator, the other two use a leased from point to point line. They each have a router that connects to a single router.  They want to replace the lines leased by using a vpn.  Do the digging, I see that the hubs are EOL.

  So, what is used to replace the hub today?  What is a solution today from leased lines? They are all poor profit. My guess is that they will say look on Ebay for a hub if the solution is too expensive.

  Thanks Jim

  Jim

  The package of security (CISCO2901-SEC/K9 or CISCO2921-SEC/K9) is the convenient way to get the combination of the router, the software and licenses you will need. I don't think that you need something more elaborate than one of these security packages.

  I think one of these would be a good choice for you. It's been a while since I looked at the details of these routers. My recollection is that the 2921 offers more power, more interfaces and a few other benefits and would be attractive to many of us. But I think I understand your needs, I believe that the 2901 router cheaper and quite adequate for you.

  HTH

  Rick

• Problem with VPN

  I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.

  1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.

  2. cannot access other networks except the network associated with the inside interface natively.

  3. I can not ping to the internet from inside, be it on the VPN or not.

  I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.

  Here is the config:

  Output of the command: "sh run".

  : Saved

  :

  ASA Version 8.4 (1)

  !

  hostname BVGW

  domain blueVector.com

  activate qWxO.XjLGf3hYkQ1 encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Ethernet0/0

  nameif outside

  security-level 10

  IP 5.29.79.10 255.255.255.248

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 172.17.1.2 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 172.19.1.1 255.255.255.0

  management only

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain blueVector.com

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  the subject of WiFi network

  172.17.100.0 subnet 255.255.255.0

  WiFi description

  the object to the Interior-net network

  172.17.1.0 subnet 255.255.255.0

  network of the NOSPAM object

  Home 172.17.1.60

  network of the BH2 object

  Home 172.17.1.60

  the EX2 object network

  Home 172.17.1.61

  Description internal Exchange / SMTP outgoing

  the Mail2 object network

  Home 5.29.79.11

  Description Ext EX2

  network of the NETWORK_OBJ_172.17.1.240_28 object

  subnet 172.17.1.240 255.255.255.240

  network of the NETWORK_OBJ_172.17.200.0_24 object

  172.17.200.0 subnet 255.255.255.0

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  the DM_INLINE_NETWORK_1 object-group network

  network-object BH2

  network-object NOSPAM

  Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group

  Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0

  mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, outside) static source EX2 Mail2

  NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination

  NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination

  NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28

  !

  the object to the Interior-net network

  NAT (inside, outside) dynamic interface

  network of the NOSPAM object

  NAT (inside, outside) static 5.29.79.12

  Access-group Outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1

  Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1

  Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1

  Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1

  Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1

  Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1

  Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1

  Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1

  Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA-server blueVec protocol ldap

  blueVec AAA-server (inside) host 172.17.1.41

  LDAP-base-dn DC = adrs1, DC = net

  LDAP-group-base-dn DC = EIM, DC = net

  LDAP-scope subtree

  LDAP-naming-attribute sAMAccountName

  LDAP-login-password *.

  LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net

  microsoft server type

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  http 172.17.1.0 255.255.255.0 inside

  http 24.32.208.223 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  Outside_map interface card crypto outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 30

  authentication crack

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 172.17.1.0 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd address 172.17.1.100 - 172.17.1.200 inside

  dhcpd 4.2.2.2 dns 8.8.8.8 interface inside

  dhcpd lease interface 100000 inside

  dhcpd adrs1.net area inside interface

  !

  a basic threat threat detection

  threat detection statistics

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  WebVPN

  internal blueV group policy

  attributes of the strategy of group blueV

  value of server WINS 172.17.1.41

  value of 172.17.1.41 DNS server 172.17.1.42

  Ikev1 VPN-tunnel-Protocol

  value by default-field ADRS1.NET

  internal blueV_1 group policy

  attributes of the strategy of group blueV_1

  value of server WINS 172.17.1.41

  value of 172.17.1.41 DNS server 172.17.1.42

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  adrs1.NET value by default-field

  username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA

  username gwhitten attributes

  VPN-group-policy blueV

  rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username

  attributes of username rparker

  VPN-group-policy blueV

  username mhale encrypted password privilege 0 2reWKpsLC5em3o1P

  username mhale attributes

  VPN-group-policy blueV

  VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password

  username VpnUser2 attributes

  VPN-group-policy blueV

  Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password

  username Vpnuser3 attributes

  VPN-group-policy blueV

  username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb

  username VpnUser1 attributes

  VPN-group-policy blueV

  username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS

  username dcoletto attributes

  VPN-group-policy blueV

  username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0

  username jmcleod attributes

  VPN-group-policy blueV

  rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username

  rhanna attributes username

  VPN-group-policy blueV

  username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk

  username rheimann attributes

  VPN-group-policy blueV

  username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo

  username jwoosley attributes

  VPN-group-policy blueV

  2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username

  kdavis username attributes

  VPN-group-policy blueV

  username mbell encrypted password privilege 0 adskOOsnVPnw6eJD

  username mbell attributes

  VPN-group-policy blueV

  bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username

  bmiller username attributes

  VPN-group-policy blueV

  type tunnel-group blueV remote access

  tunnel-group blueV General-attributes

  address VPN2 pool

  authentication-server-group blueVec

  Group Policy - by default-blueV_1

  blueV group of tunnel ipsec-attributes

  IKEv1 pre-shablue-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  HPM topN enable

  Cryptochecksum:2491a825fb8a81439a6c80288f33818e

  : end

  Any help is appreciated!

  -Roger

  Hey,.

  Unfortunately, I do not use ASDM myself but will always mention things that could be done.

  You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active

  You have the following line under the "group policy"

  Split-tunnel-policy tunnelspecified

  You will also need this line

  Split-tunnel-network-list value

  Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?

  To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT

  VPN-CLIENT-PAT-SOURCE network object-group

  object-network 172.17.200.0 255.255.255.0

  NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE

  In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work

  I could myself try the following configuration of NAT

  object-group, network LAN-NETWORKS

  object-network 10.2.0.0 255.255.255.0

  object-network 10.3.0.0 255.255.255.128

  object-network 10.10.10.0 255.255.255.0

  object-network 172.17.100.0 255.255.255.0

  object-network 172.18.1.0 255.255.255.0

  object-network 192.168.1.0 255.255.255.0

  object-network 192.168.11.0 255.255.255.0

  object-network 192.168.30.0 255.255.255.0

  object-group, network VPN-POOL

  object-network 172.17.200.0 255.255.255.0

  NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL

  Add ICMP ICMP Inspection

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  or alternatively

  fixup protocol icmp

  This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.

  -Jouni

• VPN concentrator - using several authentication servers

  Hello

  I have a question regarding the use of more than one authentication server to authenticate users connecting to a VPN concentrator.

  Is it possible to add several, different (for example: SDI and RADUIS) servers for authentication in the list and make sure that users authenticate to each other to establish the VPN. It seems just a user to authenticate through one of them to establish a VPN. Can you make the user to authenticate through multiple servers?

  Thank you

  Cam

  Cam

  I have no experience with this issue, so I have an opinion but no facts. I suppose that it is possible to separate the authentication of the user of the NAC/posture validation.

  Perhaps someone with experience with this or the necessary expertise for this can help us with some facts.

  HTH

  Rick