Problem: site-to-site VPN between a Cisco router and a Checkpoint

Hello

I couldn't establish a site-to-site VPN between a Cisco and a Checkpoint. Can you please check the logs?

Thank you.

*Sep 29 08:17:22.627: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:17:22.631: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 08:17:22.631: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
*Sep 29 08:17:22.631: ISAKMP: New peer created peer = 0x88AD1AB0 peer_handle = 0x80000004
*Sep 29 08:17:22.631: ISAKMP: Locking peer struct 0x88AD1AB0, refcount 1 for isakmp_initiator
*Sep 29 08:17:22.631: ISAKMP: local port 500, remote port 500
*Sep 29 08:17:22.631: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:17:22.631: ISAKMP:(0):insert sa successfully sa = 88AF7D94
*Sep 29 08:17:22.631: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 08:17:22.631: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 08:17:22.631: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 08:17:22.631: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Sep 29 08:17:22.631: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:17:22.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:22.631: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep 29 08:17:32.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:32.631: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:17:32.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep 29 08:17:42.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:42.631: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:17:42.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:17:52.627: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:17:52.627: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:17:52.627: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:17:52.627: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
*Sep 29 08:17:52.627: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 29 08:17:52.627: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 29 08:17:52.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:52.631: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:17:52.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:02.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:02.631: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:18:02.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:12.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:12.631: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Sep 29 08:18:12.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:22.627: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:18:22.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:22.631: ISAKMP:(0):peer does not do paranoid keepalives.

*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP: Unlocking peer struct 0x88AD1AB0 for isadb_mark_sa_deleted(), count 0
*Sep 29 08:18:22.631: ISAKMP: Deleting peer node by peer_reap for X.X.X.X: 88AD1AB0
*Sep 29 08:18:22.631: ISAKMP:(0):deleting node -930113685 error FALSE reason "IKE deleted"
*Sep 29 08:18:22.631: ISAKMP:(0):deleting node 661004686 error FALSE reason "IKE deleted"
*Sep 29 08:18:22.631: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 29 08:18:22.631: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Sep 29 08:18:22.631: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 29 08:18:27.559: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:18:27.559: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 08:18:27.559: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
*Sep 29 08:18:27.559: ISAKMP: New peer created peer = 0x85EDF1F0 peer_handle = 0x80000005
*Sep 29 08:18:27.559: ISAKMP: Locking peer struct 0x85EDF1F0, refcount 1 for isakmp_initiator
*Sep 29 08:18:27.559: ISAKMP: local port 500, remote port 500
*Sep 29 08:18:27.559: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:18:27.559: ISAKMP: Found a dup sa in the tree during isadb_insert sa = 88C1CE60 call BVA
*Sep 29 08:18:27.559: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 08:18:27.559: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 08:18:27.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 08:18:27.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Sep 29 08:18:27.559: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:18:27.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:27.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:37.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:37.559: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:18:37.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:37.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:37.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:47.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:47.559: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:18:47.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:47.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:47.559: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep 29 08:18:57.559: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:18:57.559: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:18:57.559: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:18:57.559: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
*Sep 29 08:18:57.559: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 29 08:18:57.559: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 29 08:18:57.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:57.559: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:18:57.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:57.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:57.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:19:07.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:19:07.559: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:19:07.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:19:07.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:19:07.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
Router#un all
All possible debugging has been disabled

The log shows main mode setup has failed.  See if this helps: http://www.itcertnotes.com/2011/04/ipsec-stuck-in-mmsasetup-and-mmnostat...
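The pattern in the log above is specific: the initiator moves to IKE_I_MM1, sends MM1, retransmits five times with no "received packet from" line in between, and tears the SA down with "Death by retransmission P1" while still in MM_NO_STATE. That is a different failure from a policy or pre-shared-key mismatch, where the peer answers at least once. The script below is an added example, not code from the post or from Cisco: it reads the state-transition, retransmit and deletion lines that IOS prints for `debug crypto isakmp` and classifies where phase 1 died. The two log samples are constructed (the first mirrors the shape of the log above, the second is a contrast case that dies after MM5); the message formats are the ones IOS uses.

```python
"""Classify a failed IKEv1 phase 1 from IOS 'debug crypto isakmp' output.

Added example, not code from the original post. It reads the state-transition,
retransmit and SA-deletion lines that IOS prints and reports whether the
initiator ever heard back from the peer.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, same shape as the log above: MM1 is sent, retransmitted
# five times, nothing is ever received, and the SA dies in MM_NO_STATE.
SAMPLE_NO_REPLY = """\
*Sep 29 08:17:22.631: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:17:22.631: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Sep 29 08:17:22.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:17:42.631: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:17:52.631: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:18:02.631: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:18:12.631: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast case: the peer answers MM2 and MM4, then goes silent after
# MM5 (the message that carries the initiator's ID and the PSK-derived hash).
SAMPLE_DIES_AT_MM5 = """\
*Sep 29 09:00:00.000: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 09:00:00.000: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Sep 29 09:00:00.010: ISAKMP (0): received packet from X.X.X.X dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 29 09:00:00.010: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Sep 29 09:00:00.050: ISAKMP (0): received packet from X.X.X.X dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 29 09:00:00.050: ISAKMP:(0):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Sep 29 09:00:10.050: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 09:00:50.050: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer X.X.X.X)
*Sep 29 09:00:50.050: ISAKMP:(0):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""

RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RE_RECV = re.compile(r"received packet from (\S+)")
RE_PSK = re.compile(r"found peer pre-shared key matching (\S+)")
RE_ATTS_BAD = re.compile(r"atts are not acceptable")
RE_DEATH = re.compile(r"Death by retransmission P1")


@dataclass
class Phase1Report:
    peer: Optional[str] = None
    states: List[str] = field(default_factory=list)   # New State values, in order
    retransmits: int = 0
    received_any: bool = False                        # did anything come back at all?
    policy_rejected: bool = False
    died: bool = False
    diagnosis: str = ""


def diagnose(r: Phase1Report) -> str:
    if "IKE_P1_COMPLETE" in r.states:
        return "phase 1 completed"
    if r.died and not r.received_any:
        return ("no reply from peer: MM1 was retransmitted %d times and nothing came back. "
                "Check that UDP/500 reaches the peer (ACLs, NAT, upstream filtering), that the "
                "peer address is right, and that the peer has this router configured as a peer."
                % r.retransmits)
    if r.policy_rejected:
        return "peer answered but rejected the ISAKMP policy: align encr/hash/DH group/auth/lifetime"
    if r.died and "IKE_I_MM5" in r.states:
        return "peer stopped answering after MM5: commonly a pre-shared key or IKE identity mismatch"
    if r.died:
        return "phase 1 died in %s after %d retransmits" % (r.states[-2] if len(r.states) > 1 else "?", r.retransmits)
    return "phase 1 still in progress"


def analyze(log: str) -> Phase1Report:
    r = Phase1Report()
    for line in log.splitlines():
        if m := RE_PSK.search(line):
            r.peer = m.group(1)
        if m := RE_STATE.search(line):
            new_state = m.group(2)
            if not r.states or r.states[-1] != new_state:
                r.states.append(new_state)
        if m := RE_RETRANS.search(line):
            r.retransmits = max(r.retransmits, int(m.group(1)))
        if RE_RECV.search(line):
            r.received_any = True
        if RE_ATTS_BAD.search(line):
            r.policy_rejected = True
        if RE_DEATH.search(line):
            r.died = True
    r.diagnosis = diagnose(r)
    return r


if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("dies at MM5", SAMPLE_DIES_AT_MM5)):
        print(name, "->", analyze(sample).diagnosis)
```

Run it over the saved output of `debug crypto isakmp` (for example `analyze(open("isakmp.log").read())`). The first verdict is the one that applies to the log in this post: with no received packet at all, nothing about the ISAKMP policy or the key has been tested yet, so the useful next checks are reachability and filtering of UDP/500 toward X.X.X.X and the peer's own configuration, not the transform set.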


Similar Questions

  • Cisco and Checkpoint VPN clients on a single PC

    Hello

    I'm in the following fix:

    I had used the Checkpoint SecuRemote 4.1 SP-5 VPN client in the past.

    Now I have installed Cisco VPN client version 4.0.4 on my PC to access the IPSec VPN to the PIX at our headquarters.

    According to the Cisco VPN client release notes http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel404/404clnt.htm#wp1346340 , it should be possible to have both the Cisco and the Checkpoint VPN client installed on the same machine.

    But I am not able to connect to my PIX; I receive the following error message:

    "Secure VPN Connection terminated locally by the Client.

    Reason 403: Unable to contact the security gateway."

    When I look in Control Panel -> System -> Hardware -> Device Manager -> Network adapters, I can see the Cisco Systems VPN Adapter is disabled.

    After enabling it manually, I still get the same error when I try to connect with the Cisco VPN client.

    After a PC restart the Cisco VPN adapter is disabled again.

    I tried unchecking Check Point SecuRemote on my dial-up connection (to bypass bug CSCea31192, but that bug does not affect the NAT-T connection I use).

    I noticed the same situation on three different computers, one running Windows XP and two running Windows 2000.

    After uninstalling the Checkpoint client completely (including manual Windows registry removal), the Cisco VPN client works very well.

    It seems to me, therefore, that there is a profound incompatibility between the Cisco and Checkpoint VPN clients.

    Does anyone know of a workaround?

    Thank you

    Milan

    We had the same problem with some of our users who need to use both clients to connect to customer sites.

    If I remember, the Cisco client does not start automatically, but the Checkpoint 4.1 client does.

    We bypassed it by deleting the registry entry that starts the Checkpoint client at startup. The entry is fwenc.exe and it is in

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    After that, make a shortcut to the executable, which is stored in the \bin directory of the relevant Checkpoint client (it differs between the NT and 9x clients), and then only start it when it is necessary.

    Hope that's a help

  • Cisco and Checkpoint - no proposal chosen

    Hello

    We had a working IPSEC VPN between an IOS router and a Checkpoint FW cluster. Now, after adding host entries to the ACL, we get "no proposal chosen".

    My question:

    => Can we use more than one entry in an ACL attached to a crypto map?

    Like this, for example:

    access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
    access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
    access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
    access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
    access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
    ...

    Hi Richi,

    Yes, you can use more than one ACL entry, but the ACL must be symmetric across the VPN.

    Thus, for example

    access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5

    should be, on the other side:

    access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31

    Have you checked that you have symmetrical access lists?

    Hope it helps,

    Paulo

  • No ping response on site-to-site connection between a Cisco 876 and a CheckPoint firewall

    Hello!

    We are trying to create a site-to-site IPSec connection between a Cisco 876 (local site) and a Checkpoint firewall (remote site). The Cisco 876 is not directly connected to the internet; it is behind an ADSL router with port forwarding of ports 500 and 4500. The running configuration of the Cisco 876 is attached to this thread. Unfortunately, I get no output when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".

    From the Checkpoint firewall's point of view the connection seems to be established, but there is no response to ping.

    The server at the local site that is to be reached from the network behind the Checkpoint firewall has a routing entry "route add [remote inside ip-net] 255.255.255.0 [local inside IP]" (see the attached running config for the actual IP addresses).

    Establishing a Cisco VPN Client connection to the same Cisco 876 router works very well.

    Any help would be much appreciated!

    Jakob J. Blaette

    Hi Jakob,

    Adding my two cents here.

    You should always verify that the following ports and protocol are open:

    1 - UDP port 500 --> ISAKMP
    2 - UDP port 4500 --> NAT-T
    3 - Protocol 50 --> ESP

    A LAN-to-LAN tunnel will never establish a TCP session, but it could use NAT-T (if behind a NAT). Remember that a port forward is not a one-to-one translation; a LAN-to-LAN tunnel is no good unless you have a one-to-one translation for the NATted device, which in your case I think is the router.

    HTH.

    Portu.

    Please rate all useful posts and mark this post as answered.

  • GRE tunnel / IPSec VPN between a Cisco router and a Fortigate firewall

    Hello

    Can I do a GRE tunnel / IPSec VPN between a Cisco router and a Fortigate firewall?

    Thank you

    Hi zine,

    As long as the Fortigate device supports GRE over IPSec, you will be able to create the tunnel between these two devices.

    Here is the config for the Cisco side:

    https://supportforums.Cisco.com/document/16066/how-configure-GRE-over-IPSec-tunnel-routers

    Happy holidays!

    -Randy-

  • Connection problems with WRT310N and WRT54GS routers on DSL

    Until I can get back to my apartment and post ipconfig output etc., I wanted to see if anyone has had the following problem.

    I had a home wireless network set up with a WRT54GS v5... I think it was.

    A few days ago I tried to get the network key for a new smartphone and my roommate kind of stupidly locked me out and disconnected my phone, then my desktop wireless adapter. Going through the standard power cycles and resets, everything remains disconnected in the apartment as well.

    I have DSL through Verizon, a Toshiba Satellite A135 with Vista installed, all driver updates, and a Westell 6100 DSL modem provided by my phone company.

    Highlights include:

    (1) Two nights now troubleshooting and browsing the forum. I have already exhausted the simple fixes in Linksys's questions and help section.

    (2) New router: I wanted a new one anyway and figured it was the problem. So I bought a WRT310N, hooked it up, and it now has the latest firmware.

    (3) The internet connection is fine when I connect my laptop directly to the DSL modem.

    (4) The router sets up the home wireless network very well, but with no internet connectivity.

    (5) A computer wired to the modem connects to the internet. A computer wired to the router, which is wired to the modem, does not connect to the internet, with either router. If wired doesn't connect, wireless won't do any better.

    I'm getting a little sick and tired, not to mention I haven't had my Xbox Live fix to take the edge off working in a military office all day lol

    Everything seems to work until the router tries to connect to my DSL provider, at least as far as I can tell.

    And I'll be on the phone/forums with my ISP as well to make sure that I'm not messing it up simply by forgetting to fill in an optional field with mandatory info lol.

    So... help?

    Still, when I go home for lunch I'll post the real hardware information and specifications if someone a little more savvy lets me know what to ask for.

    Any ideas on where I'm going wrong?

    Fixed the issue...

    In the end it was a problem between the ISP's modem and the router that they helped me understand.

    My DSL provider had changed their service, so PPPoE was no longer how they did the connections; automatic DHCP was the current form. The online DSL router configuration guides I followed gave inaccurate information. I didn't have time to check with the ISP until yesterday afternoon, when I was finally able to make a phone call and clarify things.

    We put the modem into bridge mode, checked some settings on the router, and everything is back up now.

  • How to solve this ASDM and AnyConnect VPN problem with the same Java version?

    Hi, there are two things I can't get working with the same Java version. I want to launch ASDM and also be able to connect to the web page through a web browser (SSL VPN). Java is a pain. If my PC uses Java 1.6.0_32, ASDM is easily accessible but I cannot open my web page through the browser. If I install Java 7, the web page can be opened but ASDM cannot. Can someone tell me how to solve the problem? Thank you

    Hello

    You can probably try 2 things here:
    Please go to Control Panel > Java > go to the Security tab > lower to medium security.
    You can also use Java 7 update 45.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • 851 and 871 routers: VPN issues still

    Main site

    1 - All connectivity fine - web - database - email - proxy - etc.

    2 - VPN tunnel UP

    Remote sites

    1 - VPN tunnel UP, and tests:

    1 - cannot ping the main location on 192.168.0.X (yes, any IP address)

    2 - cannot get out to the Internet (going through proxy server 192.168.0.3, even though I can ping it)

    3 - can connect to the database but it hangs right after the login screen. Can ping the database address 192.168.0.11 at that location fine, but the connection hangs and does not

    * MAIN CONFIG

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key XXX address X.X.X.X
    crypto isakmp key XXX address X.X.X.X
    crypto isakmp keepalive 5 20
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto map bssn 10 ipsec-isakmp
     description VPN to PARK
     set peer X.X.X.X
     set transform-set RIGHT
     match address 100
    crypto map bssn 20 ipsec-isakmp
     description VPN to Corneilia
     set peer X.X.X.X
     set transform-set RIGHT
     match address 102
    crypto map bssn 30 ipsec-isakmp
     description VPN to OAK
     set peer X.X.X.X
     set transform-set RIGHT
     match address 103
    crypto map bssn 40 ipsec-isakmp
     description VPN to Wells
     set peer X.X.X.X
     set transform-set RIGHT
     match address 104
    !
    interface FastEthernet4
     description WAN
     ip address 216.x.x.x 255.255.255.128 secondary
     ip address 216.x.x.x 255.255.255.128
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map bssn
    !
    interface Vlan1
     description Gateway
     ip address 216.X.X.X 255.255.255.248 secondary
     ip address 192.168.0.11 255.255.255.0
     no ip redirects
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 216.x.x.x
    !
    ip nat inside source route-map SHEEP interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
    access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    no cdp run
    route-map SHEEP permit 10
     match ip address 101

    * REMOTE SITE

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key XXX address X.X.X.X
    crypto isakmp keepalive 5 20
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto map bssn 10 ipsec-isakmp
     description Connect to main BSSN
     set peer X.X.X.X
     set transform-set RIGHT
     match address 100
    !
    interface FastEthernet4
     ip address 216.X.X.X 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map bssn
    !
    interface Vlan1
     description Gateway
     ip address 192.168.1.2 255.255.255.0
     ip directed-broadcast
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map SHEEP interface FastEthernet4 overload
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    route-map SHEEP permit 10
     match ip address 101

    Thank you

    LOL

    On the remote router, access-list 100 should look like:

    access-list 100 permit ip 192.168.1.0 0.0.0.255 any

    On the main router, access-list 100 should look like:

    access-list 100 permit ip any 192.168.1.0 0.0.0.255

    HTH,

    Kind regards

    Kamal
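Two checks come up in the "no proposal chosen" thread and in the 851/871 configs above: that the crypto ACL on each side is the exact mirror of the other, and that the NAT route-map ACL (101 with its `deny` lines here) exempts the tunnel traffic before `ip nat inside source ... overload` can rewrite it. The script below is an added example, not the posters' code or Cisco's. It parses the `access-list N permit|deny ip SRC DST` subset used in these threads, reports local `permit` entries with no mirrored entry on the far side, and reports crypto entries that the NAT ACL would translate (IOS applies inside-to-outside NAT before the crypto-map check, so such traffic never matches the crypto ACL). The ACL texts are constructed from the entries posted above; the far-end ACL for the Checkpoint case is written in IOS syntax purely for illustration.

```python
"""Check IOS crypto ACLs for mirror symmetry and NAT-exemption coverage.

Added example, not the posters' code. It understands only the access-list
subset used in the threads above:
    access-list N permit|deny ip SRC DST
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)
RE_ACE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _addr(tokens: List[str]):
    """Consume one address spec from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.ip_address(tokens[1]))
    mask = str(ipaddress.ip_address((~wild) & 0xFFFFFFFF))   # wildcard -> netmask
    return ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        m = RE_ACE.match(line.strip())
        if not m:
            continue
        num, action, rest = m.groups()
        src, remaining = _addr(rest.split())
        dst, _ = _addr(remaining)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def mirror_check(local: List[Ace], remote: List[Ace]):
    """Local permit entries that have no exact mirror (src/dst swapped) on the remote side."""
    mirrored = {(d, s) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (s, d) not in mirrored]


def nat_exemption_check(crypto: List[Ace], nat: List[Ace]):
    """Crypto permit entries whose traffic the NAT ACL would translate (first match wins,
    as on IOS; no match means the implicit deny, i.e. not translated)."""
    leaks = []
    for action, s, d in crypto:
        if action != "permit":
            continue
        for nat_action, ns, nd in nat:
            if s.subnet_of(ns) and d.subnet_of(nd):
                if nat_action == "permit":
                    leaks.append((s, d))
                break
    return leaks


# Constructed from the main-site / remote-site ACLs posted above.
MAIN_SITE = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
REMOTE_SITE = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
# Constructed asymmetric pair in the spirit of the "no proposal chosen" thread:
# the far end (written in IOS syntax for illustration) lacks the host entry.
ROUTER_SIDE = """
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
"""
FAR_SIDE = """
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.18.0 0.0.0.31
"""
# Constructed NAT mistake: the crypto ACL is also used directly as the NAT list.
NAT_ON_CRYPTO = """
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

if __name__ == "__main__":
    main, remote = parse_acls(MAIN_SITE), parse_acls(REMOTE_SITE)
    print("main<->remote missing mirrors:", mirror_check(main["100"], remote["100"]))
    print("main NAT leaks:", nat_exemption_check(main["100"], main["101"]))
    print("router<->far missing mirrors:", mirror_check(*(parse_acls(t)["125"] for t in (ROUTER_SIDE, FAR_SIDE))))
    bad = parse_acls(NAT_ON_CRYPTO)
    print("crypto ACL used as NAT list:", nat_exemption_check(bad["100"], bad["100"]))
```

The mirror check is deliberately exact: IKEv1 quick mode negotiates the proxy identities, and a far end that offers 4.72.0.0/16 <-> 172.17.18.0/27 will not accept a proposal for host 4.26.13.5 unless it has a matching rule, which is the "no proposal chosen" symptom. Feed each side's `show access-list` output (or the Checkpoint encryption domain rewritten in the same form) to `parse_acls` and compare the relevant numbers.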

  • VPN problem: PC (VPN client) -> router -> (site-to-site VPN) -> local network

    Hello

    Is it possible to set this up?

    I have a PC and I want to connect to the remote LAN.

    PC (using VPN client) --- vpn (internet) ---> ROUTER1 --- vpn (MPLS network) ---> ROUTER2 ---> SERVER site

    How can I connect to the remote server? Is there an easy way?

    I did the VPN client configuration (I can connect to ROUTER1 and access its LAN, 192.168.1.x, via VPN), but I can't connect to the server, even if I put the subnet (192.168.1.x) in the access list of the site-to-site VPN (the access list for traffic that must pass between ROUTER1 and ROUTER2).

    Please advise! Thanks in advance.

    Looks like I did not explain it well.

    On ROUTER1

    ===================

    1. ACL VNC_acl is used for split tunneling, so you should include server_NET in it, NOT the VPN IP pool.

    2. ACL najavorbel is used to define the LAN-to-LAN traffic between ROUTER1 and ROUTER2; you should include

    permit ip 192.168.133.0 0.0.0.255 0.0.0.255

    You must change the crypto ACL on ROUTER2 to be the mirror of the najavorbel ACL.

    The other way is to NAT the VPN client IP to a LAN IP of ROUTER1; in this way you don't need any changes on ROUTER2. But I would have to take a look at your configuration to make that suggestion.

  • Router with dynamic L2L tunnel and VPN clients

    I have a 7200 router currently configured with VPN clients. I'm looking to add a dynamic L2L tunnel. When I do, I am no longer able to connect using the VPN client. I followed the configuration at the following URL.

    http://Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00801dddbb.shtml

    As soon as I add...

    crypto dynamic-map dynmap 5
     set isakmp-profile VPNclient

    the VPN client no longer works. I don't have access to the config right now as I took it out. Has anyone got this working correctly?

    Okay, hmm, I think this is a problem with the configuration. Give it a shot with one of the L2L peers: bind it to the profile and the keyring, and see what the result is.

  • Newbie Help Needed: Cisco 1941 router site to site VPN traffic routing issue

    Hello

    Please I need help with a VPN site-to site, I installed a router Cisco 1941 and a VPN concentrator based on Linux (Sophos UTM).

    The VPN is established between them, but I can't say the cisco router to send and receive traffic through the tunnel.

    Please, what missing am me?

    A few exits:

    ISAKMP crypto to show her:

    isakmp crypto #show her

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    Crypto ipsec to show her:

    Interface: GigabitEthernet0/0

    Tag crypto map: QRIOSMAP, local addr 62.173.32.122

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)

    Remote ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)

    current_peer 62.173.32.50 port 500

    LICENCE, flags is {origin_is_acl},

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

    #pkts decaps: 52, #pkts decrypt: 52, #pkts check: 52

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors #send 0, #recv 0 errors

    local crypto endpt. : 62.173.32.122, remote Start crypto. : 62.173.32.50

    Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0

    current outbound SPI: 0x4D7E4817 (1300121623)

    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:

    SPI: 0xEACF9A (15388570)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 2277, flow_id: VPN:277 on board, sibling_flags 80000046, crypto card: QRIOSMAP

    calendar of his: service life remaining (k/s) key: (4491222/1015)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    Please see my config:

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    encryption... isakmp key address 62.X.X... 50

    ISAKMP crypto keepalive 10 periodicals

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac TS-QRIOS

    !

    QRIOSMAP 10 ipsec-isakmp crypto map

    peer 62.X.X set... 50

    transformation-TS-QRIOS game

    PFS group2 Set

    match address 100

    !

    !

    !

    !

    !

    interface GigabitEthernet0/0

    Description WAN CONNECTION

    62.X.X IP... 124 255.255.255.248 secondary

    62.X.X IP... 123 255.255.255.248 secondary

    62.X.X IP... 122 255.255.255.248

    NAT outside IP

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    card crypto QRIOSMAP

    !

    interface GigabitEthernet0/0.2

    !

    interface GigabitEthernet0/1

    LAN CONNECTION description $ES_LAN$

    address 192.168.20.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    !

    IP nat pool mypool 62.X.X... ... Of 122 62.X.X 122 30 prefix length

    IP nat inside source list 1 pool mypool overload

    overload of IP nat inside source list 100 interface GigabitEthernet0/0

    !

    access-list 1 permit 192.168.20.0 0.0.0.255

    access-list 2 allow 10.2.0.0 0.0.0.255

    Note access-list 100 category QRIOSVPNTRAFFIC = 4

    Note access-list 100 IPSec rule

    access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit esp 62.X.X host... 50 62.X.X host... 122

    access list 101 permit udp host 62.X.X... 50 62.X.X... host isakmp EQ. 122

    access-list 101 permit ahp host 62.X.X... 50 62.X.X host... 122

    access-list 101 deny ip any any newspaper

    access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 110 permit ip 192.168.20.0 0.0.0.255 any

    !

    !

    !

    !

    sheep allowed 10 route map

    corresponds to the IP 110

    The parts of the configuration you posted seem better than earlier versions of the config. The initial problem was that traffic was not in the VPN tunnel. That works now?

    Here are the things I see in your config

    I don't understand the relationship of these 2 static routes by default. It identifies completely the next hop and a mask the bytes of Middleweight of the next hop. Sort of, it seems that they might be the same. But if they were the same, I don't understand why they both make their appearance in the config. Can provide you details?

    IP route 0.0.0.0 0.0.0.0 62.X.X... 121

    IP route 0.0.0.0 0.0.0.0 62.172.32.121

    This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it and especially not for this translation. So I wonder how it works?

    IP route 10.2.0.0 255.255.255.0 192.168.20.2

    In this pair of static routes, the second route is a specific subnet more and would be included in the first and routes for the next of the same break. So I wonder why they are there are. There is not necessarily a problem, but is perhaps something that could be cleaned up.

    ip route 172.17.0.0 255.255.0.0 Tunnel20

    ip route 172.17.2.0 255.255.255.0 Tunnel20

    And these 2 static routes are similar. The second is more specific and would be included in the first, and it points to the same next hop. So why have the other?

    ip route 172.18.0.0 255.255.0.0 Tunnel20

    ip route 172.18.0.0 255.255.255.252 Tunnel20

    HTH

    Rick
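    Rick's point about the overlapping static routes can be checked mechanically. The script below is an added example, not part of the thread and not a Cisco tool: it parses `ip route` lines, normalises the next hop (an address or an interface name), and flags any route whose prefix sits inside a less specific prefix that already points to the same next hop, which is exactly the "more specific, same next hop" pair that could be cleaned up. The sample configuration inside it is constructed from the routes quoted above; the redacted `62.X.X...121` next hop is kept on purpose to show that an unparseable line is reported rather than guessed at.

```python
"""Flag static routes that a less specific route with the same next hop already covers."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample modelled on the static routes quoted in Rick's reply. The
# redacted "62.X.X...121" next hop is kept so the unparseable case is exercised.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 62.X.X...121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
ip route 10.2.0.0 255.255.255.0 192.168.20.2
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
"""

ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)")
INTERFACE_RE = re.compile(r"[A-Za-z][A-Za-z-]*\d[\d/.]*")  # e.g. Tunnel20, GigabitEthernet0/0

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, normalised next hop)


def parse_static_routes(config: str) -> Tuple[List[Route], List[str]]:
    """Return (routes, skipped_lines). A next hop is either an IPv4 address or an
    interface name; anything else (for example a redacted address) is skipped."""
    routes: List[Route] = []
    skipped: List[str] = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net_str, mask_str, hop = m.groups()
        try:
            prefix = ipaddress.ip_network(f"{net_str}/{mask_str}", strict=False)
        except ValueError:
            skipped.append(line.strip())
            continue
        try:
            hop_norm = str(ipaddress.ip_address(hop))
        except ValueError:
            if INTERFACE_RE.fullmatch(hop):
                hop_norm = hop.lower()  # interface next hop; case-insensitive in IOS
            else:
                skipped.append(line.strip())
                continue
        routes.append((prefix, hop_norm))
    return routes, skipped


def find_covered_routes(routes: List[Route]) -> List[Tuple[str, str]]:
    """Pairs (covered, covering): 'covered' is a more specific prefix whose next hop
    equals that of a less specific route, so removing it does not change forwarding.
    Two routes for the same prefix via different next hops are deliberately not
    flagged; those are the ones Rick asks the poster to explain, not to delete."""
    covered: List[Tuple[str, str]] = []
    for prefix, hop in routes:
        for other_prefix, other_hop in routes:
            if (other_prefix.prefixlen < prefix.prefixlen
                    and hop == other_hop
                    and prefix.subnet_of(other_prefix)):
                covered.append((f"{prefix} via {hop}", f"{other_prefix} via {other_hop}"))
                break
    return covered


if __name__ == "__main__":
    parsed, unparsed = parse_static_routes(SAMPLE_CONFIG)
    for more_specific, less_specific in find_covered_routes(parsed):
        print(f"redundant: {more_specific} is already covered by {less_specific}")
    for bad_line in unparsed:
        print(f"skipped (unparseable next hop): {bad_line}")
```

    On the sample it reports the two `Tunnel20` pairs Rick noticed and leaves the 10.2.0.0/24 route alone, because its next hop differs from the default route's.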

  • Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN

    Hi all

    I was looking around and I can't find the command 'crypto isakmp policy' on this Cisco 1941 router.  I wanted to set up just a regular LAN-to-LAN IPSEC tunnel and, to my surprise, the command isn't there.  Do I have the wrong IOS? I thought that a K9 image would do the trick.

    Any suggestions are appreciated

    That's what I get:

    Router(config)#crypto ?
      ca   Certification Authority
      key  Long term key operations
      pki  Public Key components

    sh ver

    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 10-Mar-10 22:27 by prod_rel_team

    ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

    Router uptime is 52 minutes
    System returned to ROM by reload at 02:43:40 UTC Thu Apr 21 2011
    System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M2.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command

    This product contains cryptographic features...

    Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
    Processor board ID FTX142281F4
    2 Gigabit Ethernet interfaces
    2 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    254464K bytes of ATA System CompactFlash 0 (Read/Write)

    License Info:

    License UDI:

    -------------------------------------------------
    Device#   SN              PID
    -------------------------------------------------
    *0        FTX142281F4     CISCO1941/K9

    Technology Package License Information for Module:'c1900'

    ----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          None          None           None

    Configuration register is 0x2102

    You need to get the security feature license to configure the IPSec VPN.

    Currently, you have 'None' for the security feature:

    ----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          None          None           None

    Here is the information about the licenses on router 1900 series:

    http://www.Cisco.com/en/us/partner/docs/routers/access/1900/hardware/installation/guide/Software_Licenses.html

  • Client VPN router IOS, and site to site vpn

    Hello

    I'm trying to configure VPN client access to an IOS router that already has a site-to-site VPN running. I don't see how the two can run on the same router.

    So I guess my question is: is it possible? And if so, has anyone got a config that they can share, or a useful link?

    I'm using an 800 series router with 12.4 IOS

    Thank you very much

    Colin

    ReadersUK wrote:

    Hi

    I'm trying to configure access for a VPN client to an IOS router that already has a site-to-site VPN running. I can't see how both can be running on the same router.

    So I guess my question is: can this be done? And if so, has anyone got a config they can share, or a useful link?

    I'm using an 800 series router with 12.4 IOS

    Many thanks

    Colin

    Colin

    It can be done. Take a look at this config example, which shows a router configured with both a site-to-site VPN and a VPN client connection:

    https://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094685.shtml

    Jon

  • VPN router Cisco 2611XM VPN client

    I have a 2611XM router at a central site with two FastEthernet interfaces (FastEthernet0/0 and FastEthernet0/1). FE0/0 has the private IP address 192.168.1.1/24 and connects to the LAN 192.168.1.0/24. FE0/1 has a public address x.x.x.x/30 and connects to the Internet. There is NAT with overload on this router. This router is to give remote clients access over the Internet to the LAN with the Cisco VPN client and, at the same time, give local users access to the Internet. I did a config that establishes the tunnel between the clients and the router, but I can't ping any devices on the local network. The router must also provide remote access and LAN-to-LAN in site-to-site scenarios.

    I can establish the tunnel between my PC and the router via a dial-up Internet connection. But when the tunnel is established, except for the public IP address of the router, I can't ping any public IP address. I can ping all the other clients that have an IP address from the client pool.

    Adding the sheep route-map should not make you lose the connection to the router.

    These are the commands that you will need to put in:

    access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

    access-list 101 permit ip 192.168.1.0 0.0.0.255 any

    route-map sheep permit 10

     match ip address 101

    You need to clear the NAT translations, or remove the 'ip nat outside' and 'ip nat inside' commands temporarily, while you take the following off:

    no ip nat inside source list 7 pool internet overload

    and add the command:

    ip nat inside source route-map sheep pool internet overload

    Make sure that you reapply the 'ip nat inside' and 'ip nat outside' commands, otherwise your internal users will not be able to get to the Internet.

    You can find this config in the link that Glenn sent:

    http://www.Cisco.com/warp/public/707/ios_D.html

    I pasted the lines from that example that you should look at for your setup below:

    !--- Exempt the private network and VPN Client traffic from the NAT process.

    access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

    access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 110 permit ip 192.168.100.0 0.0.0.255 any

    !--- Exempt the private network and VPN Client traffic from the NAT process.

    route-map sheep permit 10

     match ip address 110

    !--- Exempt the private network and VPN Client traffic from the NAT process.

    ip nat inside source route-map sheep interface FastEthernet0/0 overload

    Thank you

    Ranjana
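    The NAT-exemption pattern in Ranjana's reply fails silently when the deny entries do not cover the crypto ACL exactly: the packet is translated first, no longer matches the crypto ACL, and never enters the tunnel. The script below is an added example, not from this thread or from Cisco's documentation. It parses numbered `access-list ... ip` entries and then checks, in IOS top-down order, that every flow the crypto ACL permits is fully matched by a `deny` in the route-map ACL before any `permit` could translate it. The two ACL 110 variants it contains are constructed: the first is the common mistake (only a `permit ... any`), the second is the corrected form shown in the replies above. Only contiguous wildcard masks are supported, which covers the usual subnet-style entries.

```python
"""Verify that the NAT route-map ACL exempts every flow the crypto ACL sends into IPsec."""
import ipaddress
import re
from typing import List, NamedTuple

ACE_RE = re.compile(r"^\s*access-list (\d+) (permit|deny) ip (.+?)\s*$")

# Constructed samples: the crypto ACL mirrors ACL 100 quoted earlier in the thread,
# ACL 110 "before" is the typical mistake, ACL 110 "after" the corrected form.
CRYPTO_ACL = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
NAT_ACL_BEFORE = """\
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
"""
NAT_ACL_AFTER = """\
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
"""


class Ace(NamedTuple):
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    wildcard = tokens.pop(0)
    if wildcard == "255.255.255.255":  # ipaddress would read this as a /32 netmask
        return ipaddress.ip_network("0.0.0.0/0")
    # A dotted quad whose first octet is 0 is treated by ipaddress as a hostmask,
    # which is exactly the IOS wildcard semantics for contiguous masks.
    return ipaddress.ip_network(f"{first}/{wildcard}", strict=False)


def parse_acl(config: str, number: int) -> List[Ace]:
    """Return the 'ip' entries of numbered ACL `number` in configuration order.
    Remarks and non-IP entries (esp, udp, ...) are ignored for this check."""
    entries: List[Ace] = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or int(m.group(1)) != number:
            continue
        tokens = m.group(3).split()
        src = _take_address(tokens)
        dst = _take_address(tokens)
        entries.append(Ace(m.group(2), src, dst))
    return entries


def check_nat_exemption(crypto_acl: List[Ace], nat_acl: List[Ace]) -> List[str]:
    """One finding per crypto-ACL flow that the NAT ACL would translate (or only partly
    exempt). The first NAT entry overlapping a flow decides, as IOS evaluates top down;
    a flow matched by no entry falls to the implicit deny and is not translated."""
    findings: List[str] = []
    for flow in crypto_acl:
        if flow.action != "permit":
            continue
        for ace in nat_acl:
            if not (flow.src.overlaps(ace.src) and flow.dst.overlaps(ace.dst)):
                continue
            whole = flow.src.subnet_of(ace.src) and flow.dst.subnet_of(ace.dst)
            if whole and ace.action == "deny":
                break  # fully exempted from NAT, as intended
            if whole:
                findings.append(f"{flow.src} -> {flow.dst} is translated by "
                                f"'permit ip {ace.src} {ace.dst}' before IPsec")
            else:
                findings.append(f"{flow.src} -> {flow.dst} is only partly covered by "
                                f"'{ace.action} ip {ace.src} {ace.dst}'; split the entry")
            break
    return findings


if __name__ == "__main__":
    interesting = parse_acl(CRYPTO_ACL, 100)
    for label, text in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        problems = check_nat_exemption(interesting, parse_acl(text, 110))
        print(f"ACL 110 ({label}): {problems or 'all VPN flows exempt from NAT'}")
```

    Run as-is it reports the "before" ACL as translating the 192.168.20.0/24 to 192.168.2.0/24 flow and passes the corrected ACL; the same check applies unchanged to the ACL 101 / route-map pair in Ranjana's reply.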

  • Cisco ASA and dynamic VPN L2L Fortigate configuration

    I recently ran into a problem with an ASA 5510 (7.0) and a bunch of Fortigate 50s (3.0 MR7). The ASA is the hub and the Fortigates are spokes with dynamic public IPs.

    I followed this document on the Cisco website (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA, and passed the parameters to my counterparts to set up their Fortigates.

    However, the ASA log shows that Fortigate connection attempts always try DefaultRAGroup first, then fall back to DefaultL2LGroup, and finally die. Does anyone have experience setting up a dynamic VPN between Cisco and Fortigate? What could be failing at each end? Here's a typical piece of the ASA error log. The ASA currently has a static VPN tunnel and a client-to-site VPN in the two default groups.

    6 | January 10, 2011 20:58:45 | 713905 | Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5 | January 10, 2011 20:58:45 | 713201 | Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6 | January 10, 2011 20:58:45 | 713905 | Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5 | January 10, 2011 20:58:45 | 713201 | Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6 | January 10, 2011 20:58:41 | 713905 | Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5 | January 10, 2011 20:58:41 | 713201 | Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    4 | January 10, 2011 20:58:39 | 713903 | Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
    5 | January 10, 2011 20:58:39 | 713904 | Group = DefaultL2LGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
    6 | January 10, 2011 20:58:39 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.  Switching user to tunnel-group: DefaultL2LGroup
    5 | January 10, 2011 20:58:39 | 713904 | Group = DefaultRAGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
    4 | January 10, 2011 20:58:33 | 713903 | Group = DefaultRAGroup, IP = 116.230.243.205, Error: Unable to remove PeerTblEntry
    3 | January 10, 2011 20:58:33 | 713902 | Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer from peer table failed, no match!
    6 | January 10, 2011 20:58:33 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5 | January 10, 2011 20:58:33 | 713201 | Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6 | January 10, 2011 20:58:25 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5 | January 10, 2011 20:58:25 | 713201 | Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6 | January 10, 2011 20:58:21 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5 | January 10, 2011 20:58:21 | 713201 | Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    5 | January 10, 2011 20:58:19 | 713904 | IP = 116.230.243.205, Received encrypted packet with no matching SA, dropping

    Yes, that sounds about right. It will try to match with the DefaultRAGroup first, and when it works out that this is a dynamic LAN-to-LAN IPSec peer, it then falls back to the DefaultL2LGroup, because it does not know whether it is a VPN Client or an L2L peer when it is first contacted, as both connect from a dynamic peer IP.

    You must ensure that your default L2L tunnel-group has been configured with the corresponding pre-shared key.

    This assumes that you have configured the dynamic map and assigned it to the crypto map.

    Here is an example configuration where the ASA has a static IP address and the peer device has a dynamic IP:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    Hope that helps.
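    To make the fallback sequence in that ASA log easier to spot at scale, the script below is an added example (not from the thread or from Cisco) that parses ASA syslog lines in the standard `%ASA-<severity>-<id>:` form and summarises, per peer, which tunnel-groups were tried, whether the ASA switched tunnel-group, and whether phase 1 was aborted with a pre-shared key mismatch. The sample lines are constructed on the pattern of the log quoted above, with documentation addresses (203.0.113.5, 198.51.100.7) standing in for real peers; the verdict rules (an abort after a switch means the L2L pre-shared key is wrong, retransmits with no switch mean the peer is not answering) are assumptions made for this example, not ASA logic.

```python
"""Per-peer summary of IKEv1 phase 1 failures from ASA syslog lines."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample lines modelled on the log quoted in the thread; peer addresses
# are documentation ranges, not real hosts.
SAMPLE_SYSLOG: List[str] = [
    "%ASA-5-713904: IP = 203.0.113.5, Received encrypted packet with no matching SA, dropping",
    "%ASA-5-713904: Group = DefaultRAGroup, IP = 203.0.113.5, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0",
    "%ASA-6-713905: Group = DefaultRAGroup, IP = 203.0.113.5, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.  Switching user to tunnel-group: DefaultL2LGroup",
    "%ASA-5-713904: Group = DefaultL2LGroup, IP = 203.0.113.5, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0",
    "%ASA-4-713903: Group = DefaultL2LGroup, IP = 203.0.113.5, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting",
    "%ASA-6-713905: Group = DefaultL2LGroup, IP = 203.0.113.5, P1 Retransmit msg dispatched to MM FSM",
    "%ASA-6-713905: Group = DefaultL2LGroup, IP = 198.51.100.7, P1 Retransmit msg dispatched to MM FSM",
    "%ASA-5-713201: Group = DefaultL2LGroup, IP = 198.51.100.7, Duplicate Phase 1 packet detected.  Retransmitting last packet.",
]

LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>[\d.]+), (?P<text>.*)$")


def summarize_ike_failures(lines: Iterable[str]) -> Dict[str, dict]:
    """Group IKE events by peer IP and attach a verdict per peer."""
    peers: Dict[str, dict] = defaultdict(
        lambda: {"groups": [], "switches": 0, "abort_group": None, "retransmits": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IKE line in the expected shape
        peer = peers[m["ip"]]
        group, text = m["group"], m["text"]
        if group and group not in peer["groups"]:
            peer["groups"].append(group)  # order of first appearance = order tried
        if "Switching user to tunnel-group" in text:
            peer["switches"] += 1
        elif "mismatched pre-shared key" in text and "Aborting" in text:
            peer["abort_group"] = group
        elif "Retransmit" in text:  # covers "Retransmit msg" and "Retransmitting"
            peer["retransmits"] += 1
    for peer in peers.values():
        if peer["abort_group"]:
            peer["verdict"] = (f"pre-shared key rejected in {peer['abort_group']} "
                               f"after trying {', '.join(peer['groups'])}")
        elif peer["retransmits"] and not peer["switches"]:
            peer["verdict"] = "peer not answering; retransmits only"
        else:
            peer["verdict"] = "inconclusive"
    return dict(peers)


if __name__ == "__main__":
    for ip, summary in summarize_ike_failures(SAMPLE_SYSLOG).items():
        print(f"{ip}: tried {summary['groups']}, verdict: {summary['verdict']}")
```

    The first peer reproduces the thread's pattern (RA group tried, switch to L2L, abort on the pre-shared key), which points straight at the DefaultL2LGroup key as the reply above suggests; the second peer shows the different, retransmit-only signature of a peer that is simply not replying.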
