Question of VPN & ACS

Similar Questions

• Questions of VPN tunnel

  People,

  You can help me understand how I can fix the following issues I have with a 1721 router (Version 12.3 (8) T5) and client VPN 4.6.01.x please.

  BTW, the server at 192.168.3.2 is a file, DNS, WINS server and proxy for the LAN environment. All the staff of the PC is required to use the proxy but visitors on the 192.168.2.0 network can access the internet directly.

  Back to my questions. I have the obligation to set up a VPN tunnel to connect to a PC that is running Terminal Server services / remote desktop on a PC to 192.168.1.9. When running the VPN software on the laptop I get a login prompt and everything seems fine. I ping the addresses of router and that works.

  But the three things I don't understand:

  1. I can't telnet with great success to the loopback address of the router, as well as other addresses 192.168.x.x. very well, but why is it possible that I can telnet to the 192.168.4.1 loopback address?

  2. I can't DRC to the server on 192.168.3.2. The server can (and) accepts connections on a subnet, I created the network of 192.168.6.x I put up as VLAN6 on SEA4 (the port of spare on the map of ether 4 ports). The only thing I did not in the configuration of the interface was the nat ip within the statement.

  3. I can't do a nslookup through the tunnel VPN (delays all the time) and neither can I http to the IIS server on the same 192.168.3.2 box. What I mean here is that other applications seem to work except telnet!)

  Then...:

  Why the telnet is so special? I thought that if I could telnet to the router, then I should be able to access the server. And before ask you, there is no firewall or whatever it is executed on the server by stopping this stupid connections. Hey, I'm the guy from router, not the jockey of server!

  I've managed to misinterpret the statement "corresponds to the address 105" in the cryptomap? The ACL would reflect the traffic flow both ways?

  I should have a statement of hash in the section of "crypto isakmp policy 5. The client indicates that the connection is OK then why should I need it?

  I appreciate your time to help. I was scratching my head a lot in the last two days.

  Timothy

  Your NAT config, it is what kills you here. You can telnet to the router interface, because then the NAT configuration does not take effect (because NAT doesn't happen for passing traffic THROUGH the router, FOR her). You must refuse the IPSec traffic to be NAT would have, otherwise, it does not match the encryption access list and is not encrypted on the way back.

  Your 100 access list is incorrect, remove it and add in the following:

  access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

  access-list 100 permit ip 192.168.0.0 0.0.255.255 everything

  That said NAT VPN traffic does 192.168.5.0, but NAT do it if he goes anywhere else (Internet).

  Also, you seem to have defined a map static encryption for your customer traffic, it is not used and may cause you problems with the list of access-105. Follow these steps to get rid of it and just use the dynamic encryption card:

  no card crypto clientmap 1

  You just need to have dynamic instance map (number 20) crypto left in your config file.

• vpn ACS 5.8 using AD and external server OTP authentication

  Hello

  is it possible to authenticate a user by using Active Directory, the internal database and server OTP for password?

  what I want to achieve is:

  -If the VPN user belongs to a specific group of our communication... to search for the user in this group and if the user exist that apply to an external server (activeidentity) password OTP

  -If the user belongs to the internal ACS group, authenticate internally.

  until now, I've been able to authenticate users with just the OUTER (active identity) but search AD server is not performed.

  Thank you.

  Yes!

  Go to the access policies > Access default network > identity > select an option button "rule basis of selection of result. Here, you can use more storage of identity based on the State that you have.

  It will be useful. -Jousset

• Question of VPNS and router

  Hello

  I currently have a RV042G in my company.  It works fine, but I was looking for a solution that would allow me to use VPN so that I can tunnel inside and then again connect to the internet via the tunnel.  I want to have a way secure to connect to internet from my laptop while I am travelling and prefer to build my own VPN and do it myself.

  If I understand correctly, the RV042G does not allow this and it only access to the local network via the tunnel. What would be the next router allowing him to fill this purpose?

  Thank you!

  Hi rodman

  These devices work fine, you can also use third-party software not only software from Cisco to use the VPN features. On subscriptions, IAPH supports more special features such link Protect and IP addresses and you can have and buy a subscription in order to add these features to your device, however, if Don t you want what they you don t have to buy.

  Cisco provide one of the best support, it has plenty of support, it is possible via chat, email or telephone, it also provide assistance free of charge for the users of this forum if you don t buy a warranty

  I hope you find this answer useful,

  * Please answer question mark or note the fact other users can benefit from the TI *.

  Greetings,

  Johnnatan Rodriguez Miranda.

  Support of Cisco network engineer.

• Basic question Anyconnect VPN

  Hi I'm new Anyconnect VPN. These are fundamental questions. The first step to set up the vpn is download image. What is this image? I noticed that the configuration of the VPN does not contain some general vpn configuration steps such as crypto isakmp policy and crypto ipsec etc. Maybe the image contains all of this information? If so, how to get the image? Thank you

  IPsec is not a kind of SSL. It's a total different encryption mechanism.

  IPsec uses pre-shared keys (almost always) and is so symmetric cryptography (the two peers have the same "secret"). Until there are 4-5 ears it was predominant VPN technology and is still widely used, particularly in site-to-site VPN connections.

  SSL uses a PKI (PKI) with a private key ('secret') not shared between peers and therefore asymmetric. More new remote access VPN in recent years are based on SSL. SSL does not use lines of configuration of ipsec crypto or crypto isakmp but instead relies on certificates and trustpoints.

  Complicating the landscape there is a new safer type of VPN IPsec is IKEv2. It is not widely adopted in my experience, but is increasingly used by organizations and agencies who need to comply to strict government standards.

• Two questions about the ACS 5.1: password aging and allowing multiple disabled accounts

  Hello

  I test in ACS 5.1 password aging, and I discovered that you can have only one global setting for the password for all the accounts internal life. Is it possible to exclude some internal accounts of this global password aging policy? I would like to have number of accounts, passwords should not be aged at all...

  Second question: when I was testing password aging, I set myself to life of password in 4 days with warning after 2 days. All accounts in my test of the ACS configuration are now disabled, because 4 days has passed when I changed it. Is there a possibility to allow multiple accouns at once, or do I have to activate 500 internal accounts manually, one by one?

  Thanks in advance

  WM

  I'm not aware of any way to score internal as users with passwords as enver expire. This is done for admins ensure there is always an admin who can access the system

  In order to change the multiple/all documents for internal users, the following approach can be taken:

  1. Go to the list of internal users and press "Export" then 'Start export' and 'Save file' export user records to a csv file
  2. Edit the file. In the title 'active' column replace 'FALSE' to 'TRUE' for all records. Save the updated file
  3. To the page that lists internal users, tap "File Options", select "Update", and then click next to access the section "Import a file" Wizard. Select the file saved in step 2) and tap on finish

  Afetr imort is completed, all records of internal user should now display "Enabled".

• New for mapping SSL VPN ACS ASA - ASA groups

  Greetings,

  I am new to ASA, so any help is greatly appreciated.

  I just installed and installed an ASA 5520. I installed an SSL VPN. What I'm trying to achieve is to configure profiles of different groups and different users can access various resources when they access the VPN.

  Current config-

  ASA 5520 v8.3

  ACS 4.0

  Field of Windwos 2003

  I have different installation profiles in the ASA. (i.e. business Dept.) When I choose in the drop down menu, it allows me to open a session and displays the options I've chosen for this group. The problem is that I can connect in this group with any account. GBA, all windows domain users are in the default group. I guess the default group is being processed and which has hosted and user logon.

  Can anyone provide a good article or tips on how to configure the ASA and the ACS for several groups of users. We have several departments that will have to get the parameters when they connect. The ACS groups are mapped to the Windows groups that correspond to each Department

  Any help is greatly appreciated.

  Thank you

  Tim

  Hello

  I think that you need to activate locking group.

  In order to configure Group locking, send group policy name in the attribute class 25 on the Authentication Dial - In User Service (RADIUS Remote) server and choose the group to lock the user in policy.  For example, to lock the user 123 of Cisco in the RemoteGroup group, define the class of attributes 25 Internet Engineering Task Force (IETF) UO = RemotePolicy; for this user on the RADIUS server.

• Question about VPN

  When you set up a private network virtual on the PIX, you use the command of "ip local pool" for many IP addresses to clients on the 'outside '.

  I'm confussed on these addresses. They need to be part of the local subnet on the inside interface of the PIX? i.e. If the inside of the interface subnet was 192.168.1.0 use you a lot a group of address for VPN connections as 192.168.1.10 - 15? Or are they just a distinct group of IPs?

  Probably a basic question, but I'm still confused. L2TP / IPsec is that much harder to work then PPTP?

  Thanks for any clarification.

  In fact if his readers any mapping desired, it can be done - a site and remote access. For remote access, things are much easier, because you can assign dns, wins, etc. through your vpn group settings. Your question is how do you get remote users to access things like files or applications servers. There, I think you're talking to users that VPN to and not from site to site? It is possible to be. But if you are referring to access remote vpn when a user connects, just assign wins and dns on the remote site, and when the VPN user, it's as he sits on this network (if no restrictions are applied to the VPN). For the site to site, it depends on your configuration. You have several Windows domains on each site? To make things easier to use, you would most likely want to replicate the wins databases on the site-site and creating domain trusts. It is a more complex method of implementation as the method for remote access. Let me know if you need help, setting this up. I have several configs saved from the past that I made it work with (for the piece of remote access and the site).

• On the Question of VPN S2S source NAT

  Currently we have a number of implementation of VPN with various clients.  We are NAT'ing range them at a 24 in our network to keep simple routing, but we seek to NAT Source our resources due to security problems.  It is an example of a current virtual private network that we have configured:

  outside_map crypto card 5 corresponds to the address SAMPLE_cryptomap

  outside_map 5 peer set 99.99.99.99 crypto card

  card crypto outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES

  card crypto outside_map 5 the value reverse-road

  SAMPLE_cryptomap list extended access permitted ip object-group APP_CLIENT_Hosts-group of objects CLIENT_Hosts

  NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  the APP_CLIENT_Hosts object-group network

  network-object, object SITE1_APP_JCAPS_Dev_VIP

  network-object, object SITE1_APP_JCAPS_Prod_VIP

  network-object, object SITE2_APP_JCAPS_Dev_Host

  network-object, object SITE2_APP_JCAPS_Prod_VIP

  network-object, object SITE1_APP_PACS_Primary

  network of the SITE1_APP_JCAPS_Dev_VIP object

  Home 10.200.125.32

  network of the SITE1_APP_JCAPS_Prod_VIP object

  Home 10.200.120.32

  network of the SITE2_APP_JCAPS_Dev_Host object

  Home 10.30.15.30

  network of the SITE2_APP_JCAPS_Prod_VIP object

  Home 10.30.10.32

  network of the SITE1_APP_PACS_Primary object

  Home 10.200.10.75

  network of the CLIENT_Host_1 object

  host of the object-Network 192.168.15.100

  network of the CLIENT_Host_2 object

  host of the object-Network 192.168.15.130

  network of the CLIENT_Host_3 object

  host of the object-Network 192.168.15.15

  network of the CLIENT_Host_1_NAT object

  host of the object-Network 10.200.192.31

  network of the CLIENT_Host_2_NAT object

  host of the object-Network 10.200.192.32

  network of the CLIENT_Host_3_NAT object

  host of the object-Network 10.200.192.33

  My question revolves around the Source NAT configuration.  If I understand correctly, I have to configure 3 statements of NAT per NAT Source since there are three different destinations that are NAT' ed.  I think I would need to add this:

  network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

  Home 88.88.88.81

  network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

  Home 88.88.88.82

  network of the SITE2_APP_JCAPS_Dev_Host_NAT object

  Home 88.88.88.83

  network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

  Home 88.88.88.84

  network of the SITE1_APP_PACS_Primary_NAT object

  Home 88.88.88.85

  NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  Is that correct, or is at - it an easier way to do this without having to add all statements of NAT?  Moreover, any change would be to do on the access list?

  Hello

  To my knowledge you should not create several new instructions from NAT. You should be well just create a new Group 'object' for new addresses your source address NAT.

  To better explain, take a look at your current ' object-group ' that defines your source addresses

  the APP_CLIENT_Hosts object-group network

  network-object, object SITE1_APP_JCAPS_Dev_VIP

  network-object, object SITE1_APP_JCAPS_Prod_VIP

  network-object, object SITE2_APP_JCAPS_Dev_Host

  network-object, object SITE2_APP_JCAPS_Prod_VIP

  network-object, object SITE1_APP_PACS_Primary

  Now you can do this sets up a "object-group" that contains a NAT IP address for each of the IP addresses inside the ' object-group ' and 'object' used above. The IMPORTANT thing is that the ' object-group ' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

  I mean, this is the first IP address is in most object - group ' will correspond to the first IP address in the newly created "object-group" for the IP NAT addresses.

  As above, you can simply have the same "nat" configurations 3 as before but you change/add in the newly created "object-group"

  For example, you might do the following

  network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

  Home 88.88.88.81

  network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

  Home 88.88.88.82

  network of the SITE2_APP_JCAPS_Dev_Host_NAT object

  Home 88.88.88.83

  network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

  Home 88.88.88.84

  network of the SITE1_APP_PACS_Primary_NAT object

  Home 88.88.88.85

  the APP_CLIENT_Hosts_NAT object-group network

  network-object, object SITE1_APP_JCAPS_Dev_VIP_NAT

  network-object, object SITE1_APP_JCAPS_Prod_VIP_NAT

  network-object, object SITE2_APP_JCAPS_Dev_Host_NAT

  network-object, object SITE2_APP_JCAPS_Prod_VIP_NAT

  network-object, object SITE1_APP_PACS_Primary_NAT

  Then you add the following configurations of "nat"

  NAT (inside, outside) 1 static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  Static NAT APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT static destination CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of source route 2 (inside, outside)

  NAT 3 (indoor, outdoor) static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  Note line numbers, we added the above commands. This allows them to enter the upper part of the ASAs NAT rules, and therefore, they will become active immediately. Without line numbers that they will only be used after when you remove the old lines.

  Then you can remove the "old"

  no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

  no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

  no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

  This should leave you with 3 configurations "nat" who made the NAT source addresses and destination.

  Naturally while you perform this change you will also have to change the ACL Crypto to match the new source NAT. This is because as all NAT is done before any VPN on the ASA. So the destination addresses are Nations United for before VPN and source addresses are translated before VPN.

  If you do not want to make the changes without affecting the connections too so I suggest

  • Add rules to the ACL Crypto for new addresses (NAT) source. Of course, this must be done on both sides of the VPN L2L. You would still be leaving the original configurations to the Crypto ACL does not not the functioning of the L2L VPN.
  • Add new configurations of "nat" above without the line numbers I mentioned who mean you that they wont be used until you remove the "old".
  • When you are ready to be migrated to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start the corresponding traffic for new "nat" configurations. Provided of course that there is no other "nat" configuration before the nine that could mess things up. This should be verified by the person making the changes.

  Of course if you can afford a small cut when then changing the order in which you do things should not matter that much. In my work, that connections are usually not that critical that you can't make these changes almost at any point as it is a matter of minutes what it takes to make changes.

  Hope this made sense and helped

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary.

  -Jouni

• IOS router + VPN + ACS downloadable IP ACL

  I want to use the function "Downloadable IP ACL" 3825-router VPN (OI 12.4 T) in combination with a CBS.

  In many documents and discussions, I read that it is possible to use the DACLs on "devices Cisco IOS version 12.3 (8) T or higher.

  Authentication and authorization by the AEC works and the device gets some settings of the av-pair-feature.

  I have tried several things to apply the DACL as the use of av pairs or ACS "Downloadable IP ACL" function, but nothing works.

  In the debug log, I see that the av pair is transmitted to the device, but it is not used.

  --> Can you tell me, is it possible to use the DACLs on the IOS routers?

  --> How does it work? What can I change?

  --> Is there a good manual to apply it?

  Thanks for your help!

  Martin

  It would be useful to know the PURPOSE of what you're trying to do...

  AFAIR client config mode requires no ACL for filtering short tunnel split ACL... and I have no way to test right now.

  If you want to allow or not some clients access to certain subnets why not investigate tunneling ACL and vpn-filter in combination with ACS split will rather than for the DACL.

• SA520 and Question IPSec VPN RVS4000

  Hello

  I installed an IPSec VPN for one of my friends for his company. At its principal office, I installed a Cisco SA520 and he uses to connect devices such as the iPhone and iPad via the IPSec VPN. He uses this fact because he travels abroad a lot and he has problems with services such as Skype is blocked in some countries. This configuration works very well.

  It also has a Cisco RVS4000, which he would like to install at his place of business to the Mexico. He would like the RVS4000 VPN configuration to the SA520 in his office. The SA520 in his office has a static IP address. The RVS4000 to the Mexico does not work.

  Is it possible to Setup IPSec VPN between a SA520 with a static IP and RVS4000 address that does not have a static IP address? If so, examples of configuration would be greatly appreciated.

  Thank you!

  Hi William, simply sign up for a dyndns account or similar service, the RVS4000 configuration will be the same, instead of the IP, you'd be using the dyndns name.

  -Tom
  Please mark replied messages useful

• Question of cert ACS 4.1 (2048 bits)?

  I am trying to install a cert .p7b on our ACS, I get "certificate file is invalid or not supported."

  I know 2048-bit CERTS were not supported in 3.3, is this always the case?

  Yes, it's always the case. Watch this doc and do a search for key size-1024 *.

  The doc says:

  Note: Windows 2003 Enterprise certification allows above 1024 key sizes. But the use of a key greater than 1024 does not work with the PEAP Protocol. Authentication may seem pass GBA, but the client blocks just as he attempts authentication.

  http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

• Question of VPN Client

  As far as I know that VPN (anyconnect or ipsec) clients or the firewall is not a restriction that each client that connects and establishes a VPN session must have a single public ip address. Let explain me, if we have 10 people (contractors) works in an office behind a firewall remotely, share one public IP address and we do not want to create a site to site vpn connection, then these 10 people can always use anyconnect VPN in the seat.

  They all share the public IP address same, single address when they VPN in HQ.

  Hello

  Yes, all people in a remote region will be able to connect to the Central Office with the AnyConnect client, even if they have the same public IP address.
  This is the case, because different clients AnyConnect sessions will be different source TCP ports.

  What IPsec and old Cisco VPN Clients? The situation should be the same, the VPN Clients because Cisco are behind NAT. Thus, they will have to use NAT-traversal and UDP 4500 to encapsulate the session of ESP. And UDP there is also used different source port numbers.

• Classic question: SSL VPN Client and Vista 64 - bit OS

  Material: 64-bit software architecture: Windows Vista Home Cisco Hardware (64-bit): 871w router Cisco Software: base of 12.4 T having a challenge with Windows Vista (64) using the SSL VPN. Use of IE, I can navigate to the url, both using the DNS name and IP address. I do not have a signed certificate, so I get the standard warning screen where you will need to click on the red x to continue. At this point, the progress bar moves for a fraction of a second and it's there. For troubleshooting I tried: - clearing cookies, cache, etc. - add url and IP to the Zone of confidence - reset areas rest default - disabled options window popup and phisher IE7 - off all 3rd party Manager BHO - withdrawal of MacAfee software suite - disable User Control that allowed me to make the sign in page, but after the signature - I had a blank white screen. Then, I downloaded Firefox 3.0 (newer) and tried to connect. After a series of guests to accept and download the certificate, I was able to connect and click on the Start button to start the session. The next little screen came as expected and he chose Java. I received a message that it could not install the Cisco AnyConnect Client's and I had to download it manually. Downloaded and installed the client software. Logging out of the browser and its closure - I could not access the page again. It appeared to hang again with a progress bar. I went to empty cache, cookies, passwords etc in Firefox and reloaded the application. Still, I was able to connect. However, I always received the message that the customer could not install and download manually. For fun, I exported the certificate on the desktop and imported into Internet Explorer. I tried the connection with IE, but he had a similar problem. I was told there was no client IPSEC for OS 64 bit (Vista at startup), but most of the new machines are 64 - bit OS systems. I would appreciate any support. Lucky me, the computer to which it is impossible to connect to the VPN is the home of the CEO of the company. The last person that wants to make him miserable.

  Cisco AnyConnect VPN Client is now available for the Windows operating systems, which includes Vista 32 and 64 bit. The Cisco AnyConnect VPN Client, Version 2.2 supports SSL and DTLS. It does not support IPSec at the moment.

  See the url below for more information on troubleshooting anyconnect vpn client:

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00809b4754.shtml

  See the following url for the release notes for the version of the client anyconnect vpn 2.2 for use with windows vista:

  http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect22/release/notes/anyconnect22rn.html#wp815989

• Question of VPN traffic

  Well, this happens to be the strangest thing I've seen. Here is the configuration. I have a Pix 515e firewall. I have setup VPN on my users can connect remotely from across the country.

  I have a set of users who can not connect. Let me be clear. The VPN client connects, we give them an IP address by the firewall, but they cannot send traffic over the tunnel. I tried ping all of the inside interface of the firewall to the servers behind it and nothing. Now, all of the users who do not work all exist in the same location, current running on the same network and behind their firewall. And they worked until a week ago. Their provider said it has not changed anything on his firewall and I know that I have not changed anything on my own. So, any help would be greatly appreciated.

  Pls turn on nat-traversal on your PIX Firewall:

  ISAKMP nat-traversal crypto

  That would incorporate the ESP in UDP/4500. Looks like it fails because that behind the NAT device to that particular place.

  Hope that helps.