local policy IP - router head DMVPN

Hey guys,

On my DMVPN hub router (3845 running 15.1(4)M2), I learn a default route from the inner core that I want to advertise to the spokes via EIGRP (Internet access is through the tunnel and then through the head-end firewall). To avoid having a static route for each remote public IP address pointing at the Internet router, I tried to use a local policy to set the next hop for all router-originated VPN traffic toward the Internet router. However, when I delete the static route to the remote site, I lose the remote peer, and it seems the local policy is not being engaged. Any help would be appreciated...

interface Loopback0
 ip address 10.103.255.1 255.255.255.255
!
interface Tunnel10
 bandwidth 10000
 ip address 10.103.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 description Routed link to core
 ip address 10.100.160.105 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description Link to outside segment
 ip address 1.1.1.4 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 1
 network 10.100.160.104 0.0.0.3
 network 10.103.254.0 0.0.0.255
 network 10.103.255.1 0.0.0.0
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface GigabitEthernet0/0
 eigrp router-id 10.103.255.1
!
ip access-list extended vpn-traffic
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map vpn-default permit 10
 description Default route to the Internet for encrypted traffic
 match ip address vpn-traffic
 set ip next-hop 1.1.1.2
!
ip local policy route-map vpn-default

Dave,

I think the reasonable thing to do here is to separate the tunnel termination and the tunneled traffic into VRFs (VRF-lite).

You can put gig0/1 in a VRF and leave everything else in the global table (do not forget to add "tunnel vrf ..." on the tunnel interface).

Result: separation of overlay and transport. You can have two default routes, one for connectivity to the spokes, one for the traffic inside the tunnel.

Marcin
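The front-door VRF (fVRF) layout Marcin describes, written out as an added example; this is not configuration from the original post or from Marcin. It reuses the interface names, addresses and NHRP/tunnel values from the hub config above and assumes a VRF named INET and an Internet next hop of 1.1.1.2 (the address the local policy route-map was already pointing at).

```cisco
! Added example, not from the original post: front-door VRF for the DMVPN hub.
! Assumed: VRF name INET. Everything else is taken from the hub config above.
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Transport interface moves into the fVRF. Note: "vrf forwarding" clears the
! interface IP address, so the address has to be re-entered afterwards.
interface GigabitEthernet0/1
 description Link to outside segment (transport, VRF INET)
 vrf forwarding INET
 ip address 1.1.1.4 255.255.255.0
!
! The transport default route lives only in the INET table. NHRP/ESP packets to
! any spoke public address follow it, so no per-spoke static routes are needed.
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.2
!
! The tunnel keeps its overlay address in the global table; "tunnel vrf" tells
! it to source/resolve the GRE/IPsec outer packets in INET.
interface Tunnel10
 ip address 10.103.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-PROFILE
!
! The global table keeps the EIGRP-learned default from the core and advertises
! it to the spokes as before; the local policy route-map is no longer needed.
no ip local policy route-map vpn-default
```

With the two tables separated, a spoke cannot reach the global routing table through the transport interface, and the hub no longer depends on `ip local policy` to steer its own ESP/ISAKMP traffic. If the hub uses an ISAKMP profile or keyring rather than a plain global pre-shared key, that profile/keyring also has to be bound to the INET VRF. `show ip route vrf INET`, `show dmvpn` and `show crypto session` confirm the transport default, the NHRP registrations and the IKE/IPsec sessions respectively.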

Tags: Cisco Security

Similar Questions

  • How to change Local policy setting programmatically

    I need to change the local policy settings [user rights assignment and security policy] and service settings programmatically for Windows XP; I need to customize the settings for our client workstations. I was looking at Secedit.exe but am looking for other options using the Windows API. Thank you

    Hello

    I suggest you take a look at the following thread and check if it helps.

    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-Group-Policy-objects-programmatically-determining-registry-values-to-enable-disable-set-a-specific-policy.aspx

    Important: this section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs.

  • The local policy of this system does not open an interactive session

    I can't log on using Windows XP (not remotely). Error message: "The local policy of this system does not permit you to log on interactively." But I can't log on using Administrator. Only local users cannot log on. Can someone help me?

    This problem may occur if the policy 'Deny log on locally' is set on your computer.

    Go to Local Security Policy.
    Go to Security Settings
    Local Policies
    User Rights Assignment

    Find 'Deny log on locally'. Remove the users who are unable to log on.
    However, do not add the Everyone group, as then nobody would be able to log on locally.
    You will need to sign out and then sign back in before it takes effect.

    Let us know if that helps.

  • Accidentally deleted the local policy that allows interactive logon and now cannot log on to Windows, help

    I accidentally deleted the local policy that allows all users to log on interactively, so I can't log on. How can I restore this policy, or get to System Restore and restore to an earlier date?

    Here's how to invoke System Restore:
    1. Keep tapping F8 during the first phase of startup.
    2. Select Repair from the menu.
    3. Enter the administrator password when you are prompted. It is often empty.
    4. When you are prompted, select System Restore.
    5. Set Windows back to a point before you painted yourself into a corner.

  • Local policy does not allow you to log on interactively?

    I can only log on to my account, which is not the admin account! So I can't do anything to change the settings so that other people can log on... Does anyone know how to fix this?

    Hello

    1. Have you made any changes on the computer recently?
    2. Is your computer connected to a domain?
    3. Are you trying to use Remote Desktop Connection?

    If you are using Remote Desktop Connection, then click the link below for assistance.
    Remote Desktop Connection: "The local policy of this system does not permit you to log on interactively."
    http://support.Microsoft.com/kb/289289

    I hope this helps.

    Thanks and regards,
    Shekhar S - Microsoft technical support.

    Visit our Microsoft Answers feedback forum and let us know what you think.
    If this post helps solve your problem, please click 'Mark as answer' or 'Helpful' at the top of this message. By marking a post as answered or helpful, you help others find the answer more quickly.

  • Error message "the local policy of this system does not permit you to log on interactively" when trying to access a remote desktop connection.

    Original title: "The local policy of this system does not permit you to log on interactively"

    I get this error message when I try to access a remote desktop connection: The local policy of this system does not permit you to log on interactively.

    Hi CamilleHolt,

    1. Were you able to use Remote Desktop Connection before?

    You can try the following steps and check if it helps.

    a. Click Start, point to Settings, and then click Control Panel.

    b. Double-click System, select Remote settings, and then click the Remote tab.

    c. Click Select Users, and then add the name of the user account.

    d. Click Add, and then click OK.

    Note: Adding users to the Remote Desktop Users group requires that you are logged on with an administrator account.

    Hope this information is useful.

    Jeremy K
    Microsoft Answers Support Engineer.

  • Policy Based Routing configurations for 6500 and 4948 switches

    Hello!

    I'm looking for good examples of policy-based routing configuration for the 6509 and 4948.

    I have the basic PBR set up, but cannot find good IP SLA configurations to pair with it.

    The 4948 has IP SLA, but doesn't seem to have the commands to attach it to the PBR route-map.

    I can't find working IP SLA configurations for the 6500 either.

    My hope is that someone has an IP SLA config I can use, or can point me to a complete configuration example.

    This is for redirection to a WAN accelerator, with monitoring.

    What I have so far for the 4948:

    interface GigabitEthernet1/11
     description to_dis_pri:g2/0/11
     no switchport
     ip address 11.11.11.10 255.255.255.252
     ip policy route-map Silverpeak
     speed 1000
     duplex full

    ip access-list extended SilverpeakACL
     permit ip any 12.12.12.0 0.0.0.255

    ip sla 99
     icmp-echo 14.14.14.14
     timeout 2000
     frequency 10
    ip sla schedule 99 life forever start-time now

    route-map Silverpeak permit 10
     match ip address SilverpeakACL
     set ip next-hop 14.14.14.14

    I don't see how this will stop policy-based routing in the event that the WAN accelerator dies.

    If you know where I can get the config, or give it here, I would be very happy!

    Hi Ganesh, it did take that command, and this is the output:

    #sho track 99
    Track 99
      IP SLA 99 reachability
      Reachability is Up
        1 change, last change 00:00:16
      Latest operation return code: OK
      Latest RTT (millisecs) 1

    Will this tie it all together? Also, will this be the same config for the 6509?

    Hello

    I think you should apply IP SLA on the edge device where you want automatic failover; if that is the case, then on the 6509.

    Once this output is OK, apply the track command together with the route-map as in the first post.

    It could be useful...

    -GI

    Rate if this helps...

  • Cannot log on to the Active Directory domain, because the local policy of this system does not allow you to log on interactively.

    Cannot log on to the Active Directory domain, because the local policy of this system does not allow you to log on interactively.

    You will need to create a new post on the TechNet forum for assistance with domain-related issues:
    http://social.technet.Microsoft.com/forums/en/category/w7itpro/

  • MPLS BGP route push to DMVPN spokes

    I have an MPLS with BGP. I also have sites that are not directly connected to the MPLS, but need a site-to-site VPN to the hub sites that are connected to the MPLS, and in this way access the MPLS resources. I need to communicate the route changes to the MPLS when the DMVPN fails over to another hub.

    Currently, this is my config:

    Datacenter (MPLS only)

    interface GigabitEthernet0/1
     description MPLS
     ip address 192.168.0.34 255.255.255.252
    interface Vlan2
     ip address 192.168.96.2 255.255.255.0
    router bgp 65511
     bgp log-neighbor-changes
     network 192.168.96.0
     neighbor 192.168.0.33 remote-as 65510

    Hub site 1 (MPLS + internet)

    interface Tunnel200
     ip address 10.99.99.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication auth
     ip nhrp map multicast dynamic
     ip nhrp network-id 12345
     ip nhrp holdtime 600
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 200
     tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
     description MPLS
     ip address 192.168.1.2 255.255.255.0 secondary
     ip address 192.168.0.2 255.255.255.252
    router bgp 65001
     bgp log-neighbor-changes
     network 192.168.1.0
     network 192.168.21.0
     !10.99 clients are DMVPN spokes
     neighbor 10.99.99.3 remote-as 99010
     neighbor 10.99.99.3 route-reflector-client
     neighbor 10.99.99.21 remote-as 99001
     neighbor 10.99.99.21 route-reflector-client
     !as 65000 is the MPLS PE
     neighbor 192.168.0.1 remote-as 65000

    Hub site 2 has the same configuration, except for the local IP addresses and the BGP router ID.

    Spoke site:

    interface Tunnel200
     ip address 10.99.99.3 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication auth
     ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
     ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
     ip nhrp network-id 12345
     ip nhrp holdtime 600
     ip nhrp nhs 10.99.99.1 priority 1
     ip nhrp nhs 10.99.99.16 priority 5
     ip nhrp nhs fallback 60
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 200
     tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
     description Internal
     ip address 192.168.3.1 255.255.255.192
    router bgp 99010
     bgp log-neighbor-changes
     network 192.168.3.0
     neighbor 10.99.99.1 remote-as 65001
     neighbor 10.99.99.16 remote-as 65013

    The spoke site shows:

    #sh ip route
    B    192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01

    which is the network of the hubs, but the rest of the MPLS routes are not learned.

    What am I missing?

    Thank you!

    192.168.21.0 is another spoke, sorry for not mentioning that. Same configuration as the 192.168.3.0 spoke. So from the DC it goes to the first hub and not the backup.

    The difference is that your hubs are advertising the subnet 192.168.21.0/24, i.e. you have configured it as a network statement under your BGP configuration on the hubs and not on the spoke where this subnet actually is, which brings me to my next point.

    The hub will switch to backup when I manually shut down the Internet interface, but not the entire router. Could this be a problem?

    Yes, because hub site 1 still has its MPLS connection and is still advertising 192.168.21.0/24 to the DC.

    If this subnet were advertised by the spoke it belongs to and not by the hubs, then it would be advertised only by hub site 2, because hub site 1 would no longer receive it from the spoke.

    So why are you advertising a spoke's route on the hubs instead of receiving it from the spoke and passing it on to the MPLS network?

    Edit - for the hubs to advertise this subnet you must have a route for it in the IP routing table. How are you getting this route into the routing table, is it with a static route, and if yes, what is the exact route you entered?

    Jon

  • Connected to wireless router with 'local only' and cannot get to the Internet

    My Fujitsu laptop (Windows Vista) connected to the home wireless router successfully for a month and suddenly shows 'local only' and cannot access the Internet. The wireless signal is strong and my other laptop with Windows XP connects to the Internet successfully with the same router.

    And my laptop can connect to the Internet using the wifi system at my school without any problems.

    Please help restore my laptop's Internet via my wireless router.

    Thank you!

    Geofg,

    I have a similar problem after the most recent Windows update. My IPv4 network properties are manually configured outside the DHCP range of my router. This is so that I do not get different NATed IP addresses assigned to my computer.

    After the Windows update, the IP address of the gateway is cleared after each restart of the operating system.

    If you use manual IP settings, check to see if this is happening to you.

    HTH!

  • GETVPN with local policy deny

    Hello

    I am deploying GETVPN in an operating company with more than 150 branches. The only way to migrate branch by branch without interrupting the others is to exclude each local branch through a local deny policy at the GM in the DC.

    The local deny ACL is 600 lines long, and when it is applied, CPU usage reaches 97%, which is expected.

    The question is: will this 97% usage crash the router or its EIGRP neighborships at some point? Could it affect the router hardware if left like this for, say, 2 weeks?

    Thanks in advance

    Kind regards

    AMR

    CPU should be at 97% only for a few seconds to a few minutes [the crypto ACL process takes all resources while building the internal classification structure].

    600 lines of local deny policy is HUGE, and I don't know whether we even test that at Cisco.

    You can check with show proc cpu sorted to see which process is responsible. The CRYPTO ACL process and routing [such as EIGRP] have the same priority [normal], and under normal conditions things shouldn't break.

    The way in which you are migrating is a little unusual.

    Generally, customers do the following:

    1 - set up the key servers in receive-only [no encryption] mode

    crypto gdoi group dgvpn1

    .....

     server local

    ......

      sa receive-only

    Of course, there is already an ACL defined here [for example the one from step 3]. It does not matter since we turn off encryption.

    2 - deploy GETVPN on all GMs. Since there is no encryption, there is no need to worry much about the consequences on the data path.

    The objective here is to check that the control plane [aka GDOI] works well [does everyone receive the rekey? are there any drops in the path for the rekeys? QoS parameters if necessary].

    3 - Select a small number of sites to encrypt [of course sa receive-only is removed]

    Datacenter <-> small site

    Datacenter <-> average site

    Datacenter <-> big site

    Create an ACL that includes only the subnets of these sites. Test the data path [applications...]. If all goes well and all your sites are consistent in the network flows they use, then you can be pretty confident for the next step. This should run for a few days to weeks.

    4 - Big bang... Enable encryption for all sites [amending the ACL on the KS accordingly].

    If step 3 was a success, and all the routers are properly sized for the encryption they will handle, then you're set for success.

    A good read:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.PDF

  • Local policy of this system error (the guest account is disabled)

    I tried a search, but I don't know how to phrase the problem.

    Objective: convert a physical PC to be used from an external hard drive with VMware Fusion on a Mac.

    Process so far. Transfer PC to HD with the converter. So far so good.

    Create the new virtual machine.

    When logging in, my password and user name are accepted.

    According to the instructions, say no to Windows activation until VM tools are installed.

    VM stops.

    I need to log in as a guest.

    The guest account was disabled on the physical PC, so the account is not active.

    Issue. Can it be activated after the fact? Or do I need to transfer the PC again?

    Should I delete the VM? (Takes 30GB)

    If the guest account was disabled before you did the P2V, then it is still disabled now. You should activate it on the physical computer, make sure that the local security policies allow you to log on, and then re-P2V it.

    Or, at your own risk, you can try to use this utility to reset the password and activate the account:

    Offline NT Editor

    If you found this helpful, please consider awarding points

  • IP over different WANs, source routing by IP range? [Cisco 891]

    Hi all!

    Here I am again asking for help! :)

    Here's the goal: I want one set of computers to use one WAN and another set to use the other WAN, based on IP address range.

    I use a Cisco 891 router. FastEthernet0 is one WAN, GigabitEthernet8 is the other WAN, and GigabitEthernet0 to 7 are the router's 8 switch ports.

    Right now I have my two Internet connections working very well, each connected to a WAN port on my router. I have no problem having all my computers use one WAN or the other, or even load balancing between them, but what I want is to pin some computers to one Internet connection and the other computers to the other.

    I don't know how to do this. I looked into routing by source IP address, but I don't really know how to do it. I saw something about policy-based routing, but it seems I can only apply these policies to incoming packets on an interface, and I don't seem to be able to apply them to one of the router's switch ports. I would need to use a WAN port to connect my LAN in, but then I would not have enough WAN ports for both of my Internet connections.

    Internet gateway #1 is 172.26.2.254

    Internet gateway #2 is 192.168.1.254

    Here is my current config:
    I understand why I have a bad connection with this config, since it is load balancing between the two default routes and sends out only one of my two WANs depending on the lookup, but I don't know what to do to say precisely: IP range #1 goes here, IP range #2 goes there.

    Cisco891(config)#do sh run
    Building configuration...

    Current configuration : 3833 bytes
    !
    ! Last configuration change at 15:11:43 UTC Tue Oct 20 2015 by ***********
    ! NVRAM config last updated at 14:58:11 UTC Tue Oct 20 2015 by ***************
    ! NVRAM config last updated at 14:58:11 UTC Tue Oct 20 2015 by **************
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Cisco891
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    enable secret 5 ************************/
    enable password ************************
    !
    no aaa new-model
    !
    ip dhcp excluded-address 172.26.1.1 172.26.1.49
    ip dhcp excluded-address 172.26.1.100 172.26.1.254
    ip dhcp excluded-address 10.10.20.1 10.10.20.49
    ip dhcp excluded-address 10.10.20.100 10.10.20.254
    !
    ip dhcp pool vlan1pool
     network 172.26.1.0 255.255.255.0
     default-router 172.26.1.254
     dns-server 208.67.222.222 208.67.220.220
    !
    ip domain name lnc360.fr
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    license udi pid C891F-K9 sn *******************************
    !
    username ******************** privilege 15 secret *************************************
    !
    no ip ftp passive
    ip ssh time-out 60
    ip ssh logging events
    ip ssh version 2
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
     isdn termination multidrop
    !
    interface FastEthernet0
     ip address 192.168.1.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet1
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet2
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet3
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet4
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet5
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet6
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet7
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet8
     ip address 172.26.2.10 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface Vlan1
     ip address 172.26.1.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Vlan2
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Async3
     no ip address
     encapsulation slip
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list LAN_PCs interface GigabitEthernet8 overload
    ip nat inside source list LAN_servers interface FastEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 172.26.2.254
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    !
    ip access-list extended LAN_PCs
     deny   ip 172.26.1.0 0.0.0.31 any
     deny   ip 172.26.1.112 0.0.0.15 any
     deny   ip 172.26.1.240 0.0.0.15 any
     permit ip 172.26.1.0 0.0.0.255 any
    ip access-list extended LAN_servers
     permit ip 10.10.10.0 0.0.0.255 any
     permit ip 172.26.1.0 0.0.0.31 any
     permit ip 172.26.1.112 0.0.0.15 any
     permit ip 172.26.1.240 0.0.0.15 any
    !
    control-plane
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    line con 0
     no modem enable
    line aux 0
    line 3
     modem InOut
     speed 115200
     flowcontrol hardware
    line vty 0 4
     privilege level 15
     password 7 ******************************************
     login local
     transport input ssh
     transport output ssh
    line vty 5 15
     password 7 ***********************************************
     login local
     transport input telnet
     transport output telnet
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 0.europe.pool.ntp.org
    !
    end

    Thank you!

    Hello

    Apply the PBR route-map on the SVIs of the VLANs:

    int vlan 1
     ip policy route-map PBR

    int vlan 2
     ip policy route-map PBR

    Res

    Paul
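The two PBR threads above (the 4948 question about tying an IP SLA track to the route-map, and the 891 question about choosing a WAN by source range) ask for the same missing piece: a route-map whose next hop is only used while a track object says the gateway is reachable. Here is that configuration as an added example, not Paul's or Ganesh's. It uses the 891's existing LAN_PCs and LAN_servers access lists, gateways and interfaces from the posted config; the SLA/track numbers and the route-map name PBR are assumed.

```cisco
! Added example, not from either post: source-based PBR on the 891's SVIs with
! the next hop verified by IP SLA. Assumed: sla/track 10 and 20, route-map PBR.
! Probe each WAN gateway from its own WAN interface so the probe does not
! itself get routed out the other link.
ip sla 10
 icmp-echo 172.26.2.254 source-interface GigabitEthernet8
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
ip sla 20
 icmp-echo 192.168.1.254 source-interface FastEthernet0
 frequency 10
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
!
! Clause 10: the PC ranges (LAN_PCs already denies the server sub-ranges, and a
! deny in a matched ACL means "no match", so those hosts fall through to clause 20).
! If the tracked gateway is down the set clause is skipped and the packet is
! routed normally via the default routes, which is the failover behaviour the
! 4948 question was asking about.
route-map PBR permit 10
 match ip address LAN_PCs
 set ip next-hop verify-availability 172.26.2.254 10 track 10
route-map PBR permit 20
 match ip address LAN_servers
 set ip next-hop verify-availability 192.168.1.254 10 track 20
!
! PBR is applied where the LAN traffic enters the router: the SVIs, not the
! switch ports.
interface Vlan1
 ip policy route-map PBR
interface Vlan2
 ip policy route-map PBR
```

PBR runs before NAT, so the next hop chosen here decides which `ip nat inside source list ... interface ... overload` rule the flow hits; with the ACLs reused as above the two stay consistent. `show track`, `show ip sla statistics` and `show route-map PBR` show the track state, probe results and per-clause match counters. Whether the 4948's software accepts `set ip next-hop verify-availability ... track` is something to confirm on that box; the `show track 99` output quoted in that thread shows the tracking object itself is already in place there.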

  • Cannot access a local network over a site-to-site VPN

    I have a Cisco ASA 5515-X and a Cisco 8818 router.

    I configured a site-to-site VPN. The Cisco ASA is a new device but the router is a device in another location and has several working tunnels. Now the tunnel is up but I can't ping the LAN on the ASA firewall side, and sometimes the tunnel on the ASA end will disappear while it still shows up on the router end.

    Here is the config of the ASA.

    # show running-config
    : Saved
    :
    ASA Version 9.1(2)
    !
    hostname CITGroup
    enable password V9WHcFD3Zaeul5Lr encrypted
    names

    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address A.A.A.A 0.0.0.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address B.B.B.B 0.0.0.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0

    access-list OFFICE extended permit ip (local IP of ASA) (local IP of the router)
    access-list outside extended permit tcp any any eq ssh
    access-list outside extended permit tcp any host (local IP address of ASA) eq ssh
    access-list outside extended permit icmp any any
    access-list outside extended permit tcp host (the router's local IP) host (local IP address of ASA) eq ssh

    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 D.D.D.D 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set TEST esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address OFFICE
    crypto map outside_map 1 set peer k.k.k.k
    crypto map outside_map 1 set ikev1 transform-set TEST
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 2
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password JtdUVwNnMzvEjPfJ encrypted
    username nairtime password Fyp1BJjsayu55viz encrypted
    tunnel-group k.k.k.k type ipsec-l2l
    tunnel-group k.k.k.k ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e658de2652c6702c61a0cc854a47415f
    : end

    You are missing a NAT exemption; follow the example below, replacing the IP subnets in the object-groups depending on your environment.

    object-group network local-ASA-lan
     network-object 10.10.1.0 255.255.255.0

    object-group network remote-router-lan
     network-object 10.200.0.0 255.255.255.0

    nat (inside,outside) source static local-ASA-lan local-ASA-lan destination static remote-router-lan remote-router-lan no-proxy-arp

    Thank you

    Rizwan James

  • Site-to-site VPN with IOS router

    I want to create a site-to-site VPN over the Internet. On the remote site, apart from the VPN to the head office, there should be no traffic allowed in from the Internet to the internal network, and there should be no traffic allowed from the internal network to the Internet. The internal network will use a private 192.168.x.x address range.

    I'm going to use a Cisco 2811 integrated services router on the remote site, and this will run an IPsec VPN that will terminate on a concentrator at headquarters. I understand that this router has the IOS firewall and IPS built in.

    Would I be right in thinking that because I don't want Internet access (except the VPN), I shouldn't need to configure the IOS firewall features on the router? And there would be no point in configuring the IPS features either?

    My thought is that a single access list entry of "deny ip any any" applied inbound on the interface that connects to the Internet would be the best strategy. I think that the "sysopt connection permit-ipsec" command should allow the VPN to form even with the deny ip any any ACL (or is that just a PIX command? If so, then I would have to allow ESP and UDP 500 (ISAKMP) from the public address of the concentrator at headquarters to allow the VPN to form, wouldn't I?).

    I think I'll probably expand the access list slightly to allow ICMP, SSH and HTTPS traffic from the outside IP address of the head-office firewall so that I can monitor the remote site and access it safely if the VPN fails.

    And I wouldn't need an access list on the interface connected to the internal network, I would think, because the address range would not be routable, so they would not be able to initiate connections to the Internet (all the traffic from the remote site is specified as interesting traffic to bring up the VPN).

    Using any of the IOS firewall inspect commands or the IPS would be useless and have no effect in this case, wouldn't it?

    I really just need to know if the deny ip any any ACL on the external interface at the remote site is the best (and simplest) solution, and whether it will be safe.

    We used to use PIX firewalls for the remote site-to-site VPNs, which refuse incoming connections on the external interface by default, but now I have been informed that these 2800 series routers will be used from now on, so I would like to get my thoughts straight and be able to build them securely to do the same job all the existing PIXes are doing (they are all installed for just the VPN to headquarters, as in the first paragraph).

    I would appreciate any advice or thoughts on the subject. I'm sure there must be a ton of people who have set up routers for the same purpose.

    Thank you in advance.

    Pete.

    Pete

    I have done a lot of site-to-site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

    - You do want an inbound access list on the external interface, but you want more in it than simply deny ip any any. There is no sysopt connection permit-ipsec in IOS, so you certainly want to permit ISAKMP and IPsec/ESP. I suggest that you also want to permit SSH. I would permit ICMP but only from the address space of the head-end network. I do not permit HTTPS since I generally do not enable the HTTP server on the router. If you want HTTPS then certainly permit it. To facilitate ping and traceroute from the remote I frequently permit icmp echo-reply, time-exceeded and port-unreachable from any source.

    - I do want an access list on the inside interface. There are certain types of traffic that I don't want sent from the remote LAN. I usually deny any SNMP or SNMP trap from LAN devices and deny ICMP redirects out of the local network. I also often configure RPF checks on the inside interface to catch any device which is misconfigured.

    - If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) user ID and password on the router. And you want to configure authentication on the vty to use local authentication if the head-end authentication server is not available.

    - I'm not clear from your description whether you plan to run a dynamic routing protocol over the VPN. I would want a dynamic routing protocol because I want to advertise a default route to the remote over the VPN. I do not configure a default route locally on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel, and if the VPN tunnel is not up then there is no local default route and users at the remote site cannot access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

    - Regarding the routes defined on the remote router, my approach is that I define a static route for the tunnel endpoint to allow the tunnel to come up, and I set up static routes for the head-end subnet from which I SSH. And I do not configure other static routes on the remote router.

    - You probably want to disable CDP on the external interface and also disable proxy-arp (and I don't send ICMP unreachables).

    - There is frequently a problem with fragmentation when using site-to-site VPN. If a device on the local network sends a maximum-size frame, and then the router needs to add additional headers for IPsec, then the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control the segment size for TCP traffic and avoid any problems with fragmentation.

    - I don't think you want to set up the firewall or IPS features of IOS on the 2811.

    I hope that your implementation goes well and that my suggestions are useful.

    [edit] After posting my response, I read through your post again and realize that you are connecting to a VPN concentrator. The approach I proposed of running a routing protocol works for me because I usually have an IOS router at the head end. It would not work connecting to a concentrator.

    HTH

    Rick
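Rick's list above is a procedure: an outside ACL that admits only IKE, ESP and head-end management, an inside ACL that stops SNMP and ICMP redirects leaving the LAN, uRPF on the LAN side, local credentials with AAA fallback, statics only for the peer and the management subnet, CDP/proxy-ARP/unreachables off on the outside, and adjust-mss. The following is an added example that puts those points into one 2811 configuration; it is not Rick's or Pete's config. HQ_VPN_PEER, HQ_MGMT_NET / HQ_MGMT_WILDCARD / HQ_MGMT_MASK, HQ_AAA_SERVER, ISP_GW and the interface names are placeholders, and the IPsec crypto map itself is not shown.

```cisco
! Added example, not from the thread: remote-site 2811 edge policy built from
! Rick's points. All upper-case names are placeholders to be replaced.
!
! Outside ACL: only the head-end peer may start IKE/IPsec; management only from
! the head-end management subnet; ICMP replies needed for ping/traceroute from
! the router itself. Decrypted tunnel traffic is not re-checked against this ACL
! on IOS 12.3(8)T and later, so only the outer ESP/ISAKMP packets need permits.
ip access-list extended OUTSIDE_IN
 remark IKE and IPsec from the head-end peer only
 permit udp host HQ_VPN_PEER any eq isakmp
 permit udp host HQ_VPN_PEER any eq non500-isakmp
 permit esp host HQ_VPN_PEER any
 remark SSH and ICMP from the head-end management subnet (works when the tunnel is down)
 permit tcp HQ_MGMT_NET HQ_MGMT_WILDCARD any eq 22
 permit icmp HQ_MGMT_NET HQ_MGMT_WILDCARD any
 remark replies to pings/traceroutes sourced from this router
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 deny   ip any any log
!
! Inside ACL: keep SNMP and ICMP redirects from leaving the LAN; everything
! else from the private range is allowed (it is only ever carried by the tunnel,
! because the router has no local default route).
ip access-list extended INSIDE_IN
 deny   udp 192.168.0.0 0.0.255.255 any eq snmp
 deny   udp 192.168.0.0 0.0.255.255 any eq snmptrap
 deny   icmp 192.168.0.0 0.0.255.255 any redirect
 permit ip 192.168.0.0 0.0.255.255 any
!
interface FastEthernet0/0
 description Internet
 ip access-group OUTSIDE_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 ! crypto map for the IPsec tunnel goes here (not shown)
!
interface FastEthernet0/1
 description Inside LAN
 ip access-group INSIDE_IN in
 ! strict uRPF: drop LAN packets whose source is not routed back out this interface
 ip verify unicast source reachable-via rx
 ! clamp TCP MSS so IPsec overhead does not force fragmentation
 ip tcp adjust-mss 1360
!
! Only two statics: the tunnel peer and the head-end management subnet.
! No local default route; the default arrives over the tunnel when it is up.
ip route HQ_VPN_PEER 255.255.255.255 ISP_GW
ip route HQ_MGMT_NET HQ_MGMT_MASK ISP_GW
!
! Local account as fallback when the head-end AAA server is unreachable
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET
aaa new-model
tacacs-server host HQ_AAA_SERVER key REPLACE_WITH_TACACS_KEY
aaa authentication login VTY_AUTH group tacacs+ local
line vty 0 4
 login authentication VTY_AUTH
 transport input ssh
```

The `deny ip any any log` at the end of OUTSIDE_IN is what makes the deny useful operationally: `show access-lists OUTSIDE_IN` and the logged hits show what the Internet side is sending, and `show ip interface FastEthernet0/1 | include verif` confirms the uRPF check and its drop counter. If the head end advertises the default route over the tunnel as Rick suggests, `show ip route 0.0.0.0` disappearing is the expected sign that the VPN is down, not a fault to fix with a local default.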
