How to configure VPN 3000 Concentrator for remote access
I have inherited a VPN concentrator and want to configure it to provide remote access to my internal laboratory network when I'm traveling. The private interface is configured as 192.168.1.240/24. The public interface is configured as one of my public IP addresses. I have a public IP pool on the back side of a Roadrunner cable modem. I created a pool of addresses for clients, 192.168.1.200 through 192.168.1.205. I created all group configurations, group and user base.
In the IP Routing tab, I see a default route pointing to my public gateway IP address - the IP address of my Roadrunner cable modem gateway box.
From my VPN client, I am able to connect to the VPN concentrator. I get an address from the pool, and the tunnel details under the statistics section show the correct pool IP address for the client and the correct public IP address of my VPN reorga
Jeff,
According to the statistics, it seems that the client sends traffic to the concentrator, but the replies do not get back.
We need to check the concentrator settings themselves.
I need to check the concentrator settings, and since it is a GUI-based device I can't even ask to see the technology, so the only option available is a WebEx.
If you're OK with WebEx, please let me know a convenient time and an e-mail ID to send the invitation to; it won't take much time and we will carry it out.
Thank you
Ankur
Similar Questions
-
How to use ACS 5.2 to create a static ip address user for remote access VPN
Hi all
I have the problem. Please help me.
Initially, I used ACS 4.2 to create the static IP address for a VPN remote access user. It's easy: simply go to User Setup > Client IP Address Assignment > assign the static IP address. But with ACS 5.2 I don't know how to do it.
I tried to add the IPv4 address attribute to the user by following "how to use ACS 5.2", which says this:
Step 1 Add a static IP address attribute to the internal user attribute dictionary:
Step 2 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3 Click Create.
Step 4 Add the static IP attribute.
Step 5 Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6 Click Create.
Step 7 Edit the static IP attribute of the user.
I did just that, but it doesn't work. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up in internal users, so the tunnel setup fails. When I configure an IP pool on the ASA so that ACS users get an IP from it, the EasyVPN client connects to the ASA and everything is OK; the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.
So, what should I do? If anybody knows how to use ACS 5.2 to create a user with a static IP address for remote access VPN, please tell me.
Waiting for your answer; whether right or not, please answer. Thank you.
There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two slides attached
-
Console Cable - Cisco VPN 3000 Concentrator
Where can I get a console cable for the Cisco VPN 3000 Concentrator? The place I bought the concentrator from did not send me one with it.
Thank you
JP
JP,
The console port on the VPN concentrator is RS-232 compliant, so you can buy two female DB9-to-RJ45 adapters, one for the concentrator and one for the PC's COM1 port, then use a regular straight-through CAT5 cable. That's the way I do it, and it is convenient as opposed to using the straight-through serial RS-232 cable.
http://www.sealevel.com/product_detail.asp?product_id=787
With regard to the regular cable this hub comes with you can use it.
http://www.stonewallcable.com/product.asp?Dept%5Fid=35&PF%5Fid=SC%2DS9%2DFF
Additional information for your initial concentrator setup:
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/3_6/getting/gs2inst.htm#1050260
Regards
PLS rate useful posts
-
AnyConnect 3.0 supports IPSec VPN for remote access?
Hello world
I've read about Cisco AnyConnect 3.0 issues that it supports IPSec VPN for remote access:
I downloaded and installed the Client AnyConnect Secure Mobility Client 3.0.0629, but I'm not able to get the IPSec VPN works. Also, it has no option to use the previous of Cisco IPSec VPN client PCF files.
Can someone point me in the right direction to get IPSec VPN AnyConnect 3.0 work?
Thank you in advance!
Hello
AnyConnect supports IPsec from version 3.0, but only in combination with IKEv2.
There is no option to use a PCF file with it, and the config should be pushed through an AnyConnect profile.
More information on this:
You should also change the ASA config so that it accepts negotiations IKE v2:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_ike.html#wp1144572
Kind regards
Nicolas
-
ASA 5510 VPN for remote access clients are asked to authenticate on box
Don't know what's the matter, but my remote access users are asked to authenticate to the ASA before connecting to the tunnel. How can I disable this? Config is attached. Thank you all -
For remote access connections, you can turn off the prompt xauth (user/pass) with the following:
tunnel-group <tunnel-group-name> ipsec-attributes
 isakmp ikev1-user-authentication none
-heather
-
How to configure the SMTP server for the osb 10.3.1
Hi all
Anyone can share information on how to configure the SMTP server for the osb 10.3.1
and then how to send an email to OSB 10.3.1
Thanks in advance!
See this url:
https://blogs.Oracle.com/christomkins/entry/sending_an_email_from_oracle_s
-
How to configure VPN remote access to use a specific interface and route
I add a second external connection to an existing system on a 5510 ASA ASA V8.2 with 6.4 AMPS
I added the new WAN using another interface (newwan).
The intention is to bring more internet traffic on the new road/interface (newwan), but keep our existing VPN using the old interface (outside).
I used the ASDM GUI to make changes and most of it works.
That is to say. The default route goes via (newwan)
Outgoing site-to-site VPNs use the previous path (outside), as they now have static routes to achieve this.
The only problem is that incoming remote access AnyConnect VPN does not work.
I set the default static route to use the new interface (newwan) and the default tunneled route to be (outside), but that's the point is will not...
I can either ping external IP address from an external location.
It seems that the external interface doesn't send traffic to the - external interface (or at least that's where I think the problem lies). How can I force responses to remote VPN entering IPS unknown traffic to go back on the external interface?
The only change I have to do to make it work again on the external interface is to make the default static route to use external interface. Calling all internet traffic to the (external connection) original
Pointers appreciated.
William
William,
As it is right now that you will not use the same interface you have road to terminate remote access unless you know their IP addresses by default.
In one of the designs that I saw that we did something like that.
(ISP cloud) - edge router - ASA.
The edge router, you can make PAT within the interface for incoming traffic on port udp/500 and UDP/4500 (you may need to add exceptions to your L2L static) of the router. It's dirty, I would not say, it is recommended, but apparently it worked.
On routers, this kind of situation is easily solved using VRF-lite with crypto.
M.
-
How can I assign the static fixed IP for remote access VPN users
Hi team,
I have a requirement to assign a fixed static IP to remote access VPN users on the ASA. Please help with how I can achieve this.
Thanks in advance
Mikael
username user1 attributes
 vpn-framed-ip-address 10.200.115.78 255.255.0.0
-
How many groups are supported by ASA 5520 VPN for remote access
Hello
How many VPN groups are supported on an ASA 5520 with a remote access VPN configuration?
Regards
1. If nat-control is disabled and you do not have any other NAT command in your config file, you do not have it. Try to remove the existing "NAT 0" command and run "clear xlate."
2. You must ensure that your inside network knows it can go via the ASA to reach the remote VPN client IPs. Do you have any layer 3 device behind the ASA that does the routing? If so, please verify its routing table.
-
Our company uses a 3000 VPN concentrator for our VPN access.
Is there a way to view a log history of what the user connected to the VPN and what IP address they were assigned? This would be 2 days ago, which was over the weekend.
Thank you.
To obtain this type of information, you must configure an external management server, syslog server and send this info to this server.
You can, for example, download any freeware such as Kiwi Syslog Server (http://www.kiwisyslog.com), then configure the concentrator to send its logs to that server.
Here's how to use the VPN 3k with syslogs, etc.:
http://www.Cisco.com/en/us/partner/docs/security/vpn3000/vpn3000_47/configuration/guide/events.html
For information more fancy graphical reporting you can also use Cisco Security Manager http://www.cisco.com/en/US/partner/products/ps6498/index.html
There is also 3rd-party software out there that can collect this type of information, such as the ManageEngine firewall monitor, which can also collect logs from Cisco VPN concentrators (VPN connections, etc.).
http://www.ManageEngine.com/products/firewall/distributed-monitoring/index.html
Regards
-
802.1x authentication on Cisco VPN for remote access
I'm on dial-up VPN (mobile VPN) on a Cisco ASA5510. Now I want to authenticate remote users via the Microsoft IAS (standard RADIUS) service. However, I couldn't get through the authentication process via the PEAP protocol, and it seems that it only supports PAP, which isn't safe.
Any suggestion on how to implement PEAP over VPN remote access?
Thank you
Hello
It may be useful.
Best regards.
Massimiliano.
-
Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator
Hi guys,
I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.
The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address. We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that. Here is a screenshot of what I tried:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
name 172.16.1.48 Cust_DVR1
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Cust_DVR1 255.255.255.255
access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 Cust_DVR1 255.255.255.255
ip address outside X.Y.Z.227 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
pdm location Cust_DVR1 255.255.255.255 outside
global (outside) 1 X.Y.Z.230
global (dmz1) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 set peer A.B.C.D <--- (public IP of customer)
crypto map outside_map 30 match address centura_map_30
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key * address A.B.C.D netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network. I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).
THANKS MUCH FOR ANY HELP!
-Mario
Hello
For example, you can NAT your internal via the tunnel network traffic when you go to this customer.
In this way, they will see your unique internal network as an IP address.
Let's say, rather than them seeing your internal 192.168.1.0/24, they will see your traffic as X.Y.Z.227
Is this what you need?
Federico.
-
How to configure the partition table for SSD?
Drive: 32 GB SSD
I accidentally delete without backup partition table information and would like to know how to put the partition table, I can access the tools of partition table, but do not know how to define.
Does anyone have any suggestions?
Thanks in advance for your suggestions
Hello
Thanks for posting your query in Microsoft Community.
The SSD could be seen in the disk management window, and you could name and set up as another hard drive internal. To create a partition or volume on a hard disk, you must be logged in as an administrator, and there must be unallocated disk space or free space in an extended hard disk partition. To repartition your hard drive, please consult the following link and check if it helps.
I can I repartition my hard disk?
Additional information:
Create a new Partition on a hard disk in Windows 7
Hope this information is useful. Let us know if you need more help, we will be happy to help you.
-
How to configure an email account for BC?
The site is transferred from MUSE to BC Web + free hosting of images. When I add a new email address an error message is displayed. "I have to put in place in the site" how to create an email account for BC?
Thanks Gaurav.S, I could get assistance via chat. The problem was fixed immediately. It works just as expected. I appreciate your follow-up. You can always check if you wish:
www.jackhillart.com
Thanks again,
Jack
-
NAR restriction for remote access clients
Hello
just a question how to limit access to users for some NAS servers remotely.
We have an AAA ACS2.6 servers and several 3640 based NAS server for remote user access. Users are gathered in a group to the ACS.
We have another group, called ISP. The users in this group can use the internet anywhere in the world; they must dial the local number of the given ISP NAS, and all the NAS pass the authentication request to our ACS. So we can centrally manage direct RAS users and Internet users.
The problem is that a user in a certain group can use the other dial-in facility, since all dial-in attempts are authenticated on the same server.
How can I ensure that the ISP group cannot use the NAS outside the company and cannot dial in to our dedicated RAS server? And RAS regulars cannot use the internet (which is given to the users of the ISP)
I applied filters in the ACS on the group settings, but could find no documents on how to configure it exactly. Any help appreciated,
Kind regards
Balázs
Balázs,
Thanks for sharing your experience. I'm sure that it would be useful for others. Yes, browser is a problem for any management software ;-)
Thanks again,
Renault