Question of VPNS and router

Hello

I currently have a RV042G in my company. It works fine, but I was looking for a solution that would allow me to use VPN so that I can tunnel inside and then again connect to the internet via the tunnel. I want to have a way secure to connect to internet from my laptop while I am travelling and prefer to build my own VPN and do it myself.

If I understand correctly, the RV042G does not allow this and it only access to the local network via the tunnel. What would be the next router allowing him to fill this purpose?

Thank you!

Hi rodman

These devices work fine, you can also use third-party software not only software from Cisco to use the VPN features. On subscriptions, IAPH supports more special features such link Protect and IP addresses and you can have and buy a subscription in order to add these features to your device, however, if Don t you want what they you don t have to buy.

Cisco provide one of the best support, it has plenty of support, it is possible via chat, email or telephone, it also provide assistance free of charge for the users of this forum if you don t buy a warranty

I hope you find this answer useful,

* Please answer question mark or note the fact other users can benefit from the TI *.

Greetings,

Johnnatan Rodriguez Miranda.

Support of Cisco network engineer.

Tags: Cisco Support

Similar Questions

SSL VPN and routing problem

Hi all

I have a strange architecture including VPN and I have a few problems that I am not able to solve:

-J' use the ssl vpn gateway to allocate internal IP addresses of the local network described in the schema (8.8.2.0 or 8.8.3.0 according to the tunnel-group network.

-The purpose is for vpn clients directly access the internal network.

This works very well if there are strictly internal communications within the network. But recently, we have installed an application that needs to access both networks. No problem, I thought, but I was wrong, there seems to be a problem of routing inherent in the architecture in place.

Let me explain the problem:

-When I access the VPN, for example I will gave the 8.8.3.5 ip address.

-Im running the application that needs to open a page on the web server, located at 8.8.2.120

-l'asa receive my tcp syn datagram and forward it directly to the directly connected interface fa0/1 (based on the routing table)

-the web server returns the response, but he sends on its default gateway which is the cisco 6509.

-6509 it sends its vlan svi 2000

- and finally the ASA it receives on its interface fa0/2 but seems he falls as she opened a tcp on fa0/1 connection and receives the response on fa0/2.

I want it's traffic by tunnel to bypass the connected roads and transmit it to a default gateway of tunnel. This would ensure that the path for the request and the response would be the same.

I would like to know if there are orders of debugging for routing decisions validate my theory?

Do you know of any response to solve this problem?

Thanks a lot for your help.

When you configure the TCP State derivation always think ' which way is the SYN package coming?

Routing failed messages always have source and destination, are of course copied the entire message?

BTW, instead of letting clients SSL addresses attributed to vlan2000? Why not give them a separate subnet and the road back via correct interface?

I would also check your config and the routing :-) table

Marcin

The IPSec VPN and routing

Hello

I was polishing my PSAB on since I am currently in a job where I can't touch a lot of this stuff. By a laboratory set up a site to IPSec VPN between two routers IOS.

For example:

https://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

The routers must specify how to route to the protected network. Although I guess they could just use a default route to 172.17.1.2 as well.

for example IP road 10.10.10.0 255.255.255.0 172.17.1.2

172.17.1.2 won't have the slightest clue as to how to route for 10.10.10.0

Even in an example with a tunnel between the ASA and the router IOS ASA failed to indicate a direct route to the subnet protected from 10.20.10.0, but it must still have a default route configuration. (https://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI)

So it is basically saying, to reach the protected subnet to resolve the next hop on a device that has no idea where this subnet is anyway. Shouldn't all the peer IP-based routing, and not on a subnet that routers between the two should have no idea they exist?

The main hypothesis that I have here is that the protected subnets are not accessible unless the VPN tunnel is up. Most of my experience of the VPN site-to-site is with PIX / ASA, and I've never had to specify a route towards the protected subnet (for example 172.16.228.0). I guess he just used his default gateway that has an Internet IP belonging to the ISP. However the ISP has no idea where is 172.16.228.0.

Edit: I found a thread, do not report with Cisco but IPSec in general, this seems to be the question in case I don't have a lot of sense:

http://comments.Gmane.org/Gmane.OS.OpenBSD.misc/192986

He still does not seem logical to me. If I have a tunnel linking the two class C networks by internet, the only routers having knowledge of these networks are the two counterparts. Why a course should be (static, dynamic, default etc,) which seems to send traffic to a device that do not know where is the class C networks? Although I have to take in my example with the 172.17.228.0 my ASA was not actually sends out packets to my ISP gateway with 172.17.228.0 in them.

The purpose of the trail is * not * to send traffic to your next jump. You are right that the next hop router has no idea what to do with this package. This way is important for the local operation. The router must find the interface of output for the package. 'S done it with the road to the next-hop-router. If you remember that the road to your peer IPSec, your router must do a recursive search routing. After the outging interface is found, traffic is sent to this interface, the card encryption on this interface jumps and protects your traffic that is routed to your IPSec peer.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

VPN and router cisco 887

Hello

I just bought a router from Cisco 887 and I deployed to replace my existing client ADSL router. I configured using Cisco CP, and it does not work properly. I'm trying to configure the router for VPN connectivity, so that users who use laptops can work from outside our office. I went through the wizard to set up an easy VPN client access server and I install the pre-shared key and the range of IP addresses. I tried to download the easy VPN client than the site says that I need some sort of agreement to be added to our account of partnership existing. I was able to find links to download after a few searches on Google, but none of the customers, during the configuration of the connection request a pre-shared key. So I know I'm wrong somewhere.

I'm a newbie at this, any kind of help would be really appreciated.

Thank you

Arun

Arun,

You must have a valid account of EAC with download rights for the VPN client.

If you already have the client, you must set the group name and the password (pre-shared key) to connect.

Federico.

Issue of ASA NAT and routing

Hello

I have a question about NAT and routing on the SAA. I'm relatively new to ASA and don't know if it works or not. I have a pool of public IP (209.x.x.x/28) that routes my ISP to the external interface of my ASA. IP was assigned address for the outside of the ASA is an address of 206.x.x.2/24 with a default GW of 206.x.x.1. I intend using NAT to allow my web/mail servers on the DMZ (192.168.x.x) use 209.x.x.x addresses. However, I do know how to make it work since I'm not arping on any interface for 209.x.x.x addresses as they will be sent to the 206.x.x.2 address by the ISP. Can I just set up a translation NAT (on the external interface?) of the 209.x.x.x on 192.168.x.x address and the ASA will figure it out?

Thanks for the help.

Todd

The ASa will figure it out, he will answer ARP queries for all that he has set up in a "static" command As long as th PSIA routes 209.x.x.x directly to the ASA addresses then it should all work fine.

You just need to add lines like the following:

static (dmz, external) 209.x.x.x netmask 255.255.255.255 192.168.x.x

for each of your internal servers in the DMZ. Then an access-list to allow only HTTP/SMTP/etc through these addresses 209.x.x.x.

list of allowed inbound tcp access any host 209.x.x.x eq smtp

list of allowed inbound tcp access any host 209.y.y.y eq http

Access-group interface incoming outside

Site to Site between ASA VPN connection and router 2800

I'm trying to get a L2L VPN working between a ASA code 8.4 and a 2800 on 12.4.

I first saw the following errors in the debug logs on the side of the ASA:

Error message % PIX | ASA-6-713219: KEY-GAIN message queues to deal with when
ITS P1 is complete.

I see the following on the end of 2800:

ISAKMP: (0): treatment charge useful vendor id
ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
ISAKMP: (0): provider ID is NAT - T v3
ISAKMP: (0): treatment charge useful vendor id
ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
ISAKMP (0): provider ID is NAT - T RFC 3947
ISAKMP: (0): treatment charge useful vendor id
ISAKMP: (0): treatment of frag vendor id IKE payload
ISAKMP: (0): IKE Fragmentation support not enabled
ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

ISAKMP: (0): built NAT - T of the seller-rfc3947 ID
ISAKMP: (0): send package to x.x.x.x my_port 500 peer_po0 (R) MM_SA_SETUP
ISAKMP: (0): sending a packet IPv4 IKE.
ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

ISAKMP (0): packet received from x.x.x.x dport 500 sports global (R)

MM_SA_SETUP
ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

ISAKMP: (0): processing KE payload. Message ID = 0
ISAKMP: (0): processing NONCE payload. Message ID = 0
ISAKMP: (0): found peer pre-shared key x.x.x.x corresponding
ISAKMP: (2345): treatment charge useful vendor id
ISAKMP: (2345): provider ID is the unit
ISAKMP: (2345): treatment charge useful vendor id
ISAKMP: (2345): provider ID seems the unit/DPD but major incompatibility of 54
ISAKMP: (2345): provider ID is XAUTH
ISAKMP: (2345): treatment charge useful vendor id
ISAKMP: (2345): addressing another box of IOS!
ISAKMP: (2345): treatment charge useful vendor id
ISAKMP: (2345): vendor ID seems the unit/DPD but hash mismatch
ISAKMP: receives the payload type 20
ISAKMP (2345): sound not hash no match - this node outside NAT
ISAKMP: receives the payload type 20
ISAKMP (2345): no NAT found for oneself or peer
ISAKMP: (2345): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (2345): former State = new State IKE_R_MM3 = IKE_R_MM3

ISAKMP: (2345): sending package x.x.x.x my_port Exchange 500 500 (R)

MM_KEY_EXCH

----------

This is part of the configuration of the ASA:

network of the ABCD object
10.20.30.0 subnet 255.255.255.0

network of the ABCD-Net object
172.16.10.0 subnet 255.255.255.0

cry-map-77-ip object-group XXXX object abc-site_Network allowed extended access list

access list abc-site extended permitted ip object-group XXXX object abc-site_Network

ip access list of abc-site allowed extended object abc-site_Network object-group XXXX-60

NAT (any, any) static source 20 XXXX XXXX-20 destination static abc-site_Network abc-site_Network

NAT (any, any) static source 20 XXXX XXXX-20 destination static abc-site_Network abc-site_Network

XXXX-20

object-group network XXXX-20
ABCD-Net network object
object-abcd-Int-Net Group

XXXX_127

object-group network XXXX-20
ABCD-Net network object
object-abcd-Int-Net Group

ip access list of abc-site allowed extended object abc-site_Network object-group XXXX-60

Crypto card off-map-44 11 match address cry-map-77
card crypto out-map-44 11 counterpart set 62.73.52.xxx
card crypto out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

cry-map-77-ip object-group XXXX object abc-site_Network allowed extended access list

Crypto card off-map-44 11 match address cry-map-77
card crypto out-map-44 11 counterpart set 62.73.52.xxx
card crypto out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto out-map-44 11 set transform-set ESP-3DES-SHA ikev1

object-group network XXXX
ABCD-Net network object
object-abcd-Int-Net Group

------------------------

Here is a part of the 2800:

!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key r2374923 address 72.15.21.xxx
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
card crypto cry-map-1 1 ipsec-isakmp
the value of 72.15.21.xxx peer
game of transformation-ESP-3DES-SHA
match address VPN
!
type of class-card inspect match class-map-vpn
game group-access 100
type of class-card inspect cm-inspect-1 correspondence
group-access name inside-out game
type of class-card inspect correspondence cm-inspect-2
match the name of group-access outside
!
!
type of policy-card inspect policy-map-inspect
class type inspect cm-inspect-1
inspect
class class by default
drop

type of policy-card inspect policy-map-inspect-2
class type inspect class-map-vpn
inspect
class type inspect cm-inspect-2
class class by default
drop
!

!
interface FastEthernet0
IP address 74.25.89.xxx 255.255.255.252
NAT outside IP
IP virtual-reassembly
security of the outside Member area
automatic duplex
automatic speed
crypto cry-card-1 card
!
interface FastEthernet1
no ip address
Shutdown
automatic duplex
automatic speed
!
IP nat inside source overload map route route-map-1 interface FastEthernet0
!
IP access-list extended inside-out
IP 172.16.10.0 allow 0.0.0.255 any
IP nat - acl extended access list
deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 0.0.255.255 28.20.14.xxx.0.0 172.16.10.0 0.0.0.255
refuse the 10.10.10.0 ip 0.0.0.255 172.16.10.0 0.0.0.255
refuse the 172.16.10.0 ip 0.0.0.255 192.168.0.0 0.0.255.255
refuse the 172.16.10.0 ip 0.0.0.255 10.200.0.0 0.0.255.255
refuse the 172.16.10.0 ip 0.0.0.255 192.168.0.0 0.0.255.255
refuse the 172.16.10.0 ip 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
refuse the 172.16.10.0 ip 0.0.0.255 10.10.10.0 0.0.0.255
allow an ip
outside extended IP access list
allow an ip
list of IP - VPN access scope
IP 172.16.10.0 allow 0.0.0.255 192.168.0.0 0.0.255.255
IP 172.16.10.0 allow 0.0.0.255 10.200.0.0 0.0.255.255
IP 172.16.10.0 allow 0.0.0.255 192.168.0.0 0.0.255.255
IP 172.16.10.0 allow 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
IP 172.16.10.0 allow 0.0.0.255 10.10.10.0 0.0.0.255
IP 192.168.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
IP 10.200.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
IP 192.168.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
28.20.14.xxx.0.0 0.0.255.255 ip permit 172.16.10.0 0.0.0.255
ip licensing 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255

access-list 23 allow 192.168.0.0 0.0.255.255
access-list 23 allow 10.200.0.0 0.0.255.255
access-list 23 allow 172.16.10.0 0.0.0.255
access-list 123 note category class-map-LCA-4 = 0
access-list 123 allow ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 allow ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 allow ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 allow ip 0.0.255.255 28.20.14.xxx.0.0 172.16.10.0 0.0.0.255
access-list 123 allow ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 123 allow ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 allow ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
access-list 123 allow ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 allow ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
access-list 123 allow ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!

!
route-map-1 allowed route map 1
match the IP nat - acl
!

Hello

I quickly browsed your config and I could notice is

your game of transformation (iskamp) on SAA and router are not the same, try to configure the same on both sides.

in the statement of the ASA NAT you gave (any, any) try to give the name of the interface instead of a whole.

LAN to lan vpn between ASA and router 7200

Hi friends,

I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

<7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

I will have the following configuration:

7200 router:

crypto ISAKMP policy 80

the enc

AUTH pre-shared

Group 1

life 3600

ISAKMP crypto key cisco123 address 192.168.12.2

Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

map VPNTunnel 80 ipsec-isakmp crypto

defined by peer 192.168.12.2

game of transformation-VPNtrans

match address 110

int fa0/0

IP add 10.10.5.2 255.255.255.192

IP virtual-reassembly

no ip route cache

Speed 100

full duplex

card crypto VPNTunnel

access-list 110 permit ip any 192.135.5.0 0.0.0.255

ASA:

int e0/0

nameif inside

security-level 100

192.135.5.254 Add IP 255.255.255.0

int e0/1

nameif outside

security-level 0

IP add 192.168.12.2 255.255.255.240

access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

"pre-shared key auth" ISAKMP policy 10

ISAKMP policy 10-enc

ISAKMP policy 10 md5 hash

10 1 ISAKMP policy group

ISAKMP duration strategy of life 10-3600

Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

card crypto VPN 10 matches the ACL address

card crypto VPN 10 set peer 10.10.5.2

card crypto VPN 10 the transform-set VPNtran value

tunnel-group 10.10.5.2 type ipsec-l2l

IPSec-attributes of type tunnel-group 10.10.5.2

cisco123 pre-shared key

card crypto VPN outside interface

ISAKMP allows outside

dhcpd address 192.135.5.1 - 192.135.5.250 inside

dhcpd dns 172.15.4.5 172.15.4.6

dhcpd wins 172.15.76.5 172.15.74.5

dhcpd lease 14400

dhcpd ping_timeout 500

dhcpd allow inside

Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

Please advise...

Thank you very much...

Where it fails at the present time?

Can you share out of after trying to establish the VPN tunnel:

See the isa scream his

See the ipsec scream his

Please also run the following debug to see where it is a failure:

debugging cry isa

debugging ipsec cry

PIX 501 and VPN Linksys router (WRV200)

I inherited a work where we have a Cisco PIX 501 firewall to a single site and Linksys WRV200 Router VPN on two other

sites. Asked me to connect these routers Linksys firewall PIX via the VPN.

According to me, the Linksys vpn routers can only connect via IPSec VPN, I'm looking for help on the configuration of the PIX 501 for the linksys to connect with the following, if possible.

Key exchange method: Auto (IKE)

Encryption: Auto, 3DES, AES128, AES192, AES256

Authentication: MD5

Pre Shared Key: xxx

PFS: Enabled

Life ISAKMP key: 28800

Life of key IPSec: 3600

The pix, I installed MDP and I tried to use the VPN wizard without result.

I chose the following settings when you make the VPN Wizard:

Type of VPN: remote VPN access

Interface: outside

Type of Client VPN device used: Cisco VPN Client

(can choose customer of Cisco VPN 3000, MS Windows Client by using the client MS Windows using L2TP, PPTP)

VPN clients group

Name of Group: RabyEstates

Pre Shared Key: rabytest

Scope of the Client authentication: disabled

Address pool

Name of the cluster: VPN - LAN

Starter course: 192.168.2.200

End of row: 192.168.2.250

Domain DNS/WINS/by default: no

IKE policy

Encryption: 3DES

Authentication: MD5

Diffie-Hellman group: Group 2 (1024 bits)

Transform set

Encryption: 3DES

Authentication: MD5

I have attached the log of the VPN Linksys router VPN.

This is the first time that I have ever worked with PIX so I'm still trying to figure the thing to, but I'm confident with the CCNA level network.

Thanks for your help!

Hello

Everything looks fine for me, try to have a computer in every network and ping between them. Check the newspapers/debug and fix them.

Let me know.

See you soon,.

Daniel

Private of IPSec VPN-private network between ASA and router

Hello community,

This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch

Headquarters ASA summary.

Peer IP: 111.111.111.111

Local network: 10.0.0.0

Branch

Peer IP: 123.123.123.123

LAN: 192.168.1.0/24

Please can someone help me set up the vpn.

Hello

This guide covers exactly what you need:

Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html

Tunnel VPN - ASA to the router configuration:

http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

Kind regards

Jimmy

RVL200 - SSL VPN and firewall rules

Forgive my ignorance, but I have been immersed in the configuration of this device RVL200 to allow Remoting SSL VPN to a customer site, sight unseen. I have the basics of the VPN set up in config, but now move the firewall rules. We want to block all internal devices to access the Internet, but I don't want to cripple the remote clients that will be borrowed by blocking their return via the SSL VPN traffic. This leads to my questions:

(1) a rule of DENIAL of coverage for all traffic OUTBOUND will prevent the primary function of the VPN (to allow the administration away from machines on the local network)?

(2) if the answer to #1 is 'Yes', what ports/services do I need to open the side LAN?

(3) building # 2, configuring authorized outbound rules apply only for VPN clients, rather than all the hosts on LAN?

(4) as the default INCOMING traffic rule is to REFUSE EVERYTHING, do I have to create a rule to allow the VPN tunnel, or guess that in the configuration of the router?

Here are some other details:
- The LAN behind the RVL200 is also isolated LAN in a manufacturing environment
- All hosts on this network have a static IP address on a single subnet.
- The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
- DHCP has been disabled on the RVL200
- Authentication to the device will use a local database.
- There is no such thing as no DNS server on the local network
- The device upstream of the RVL200 is a modem using PPPoE DSL, and the device has been configured for this setting.
- Several database of local users accounts were created to facilitate the SSL VPN access.
I worked with other aspects of it for a long time, but limited experience with VPN and the associated firewall rules and zero with this family of aircraft. Any help will be greatly appreciated.

aponikikay, there is no port forwarding necessary to the function of the RVL200 SSL - VPN.

Topic 1. That is not proven. It shouldn't do. The router should automatically make sure that the SSL - VPN router service is functional and accessible.

Re 2. No transfer necessary. In addition, never before TCP/UDP port 47 or 50 for VPN functions. The TCP 1723 port is used for PPTP. UDP 500 is used for ISAKMP. You usually also to transmit TCP/UDP 4500 port for IPSec encapsulation.

Let's not port 47. ERM is an IP protocol that is used for virtual private networks. It is a TCP or UDP protocol. GRE has 47 IP protocol number. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols of free WILL.

It goes the same for 50: ESP is the payload for IPSec tunnels. ESP is the Protocol IP 50. It has nothing to do with TCP or UDP port 50.

'Transfer' of the GRE is configured with PPTP passthrough option.

'Transfer' of the ESP is configured with IPSec passthrough option.

VPN and MTU issues

Recently, I have set up a 1721 running IOS c1700-k9o3sy7 - mz.122 - 15.T5.bin

This router terminated a VPN with another router, a 1721 with the exact same version of IOS. This router has initially been connected via a WAN link on eth0 wireless. We moved their on a t1 as the main interface with the wireless as a backup. Then we had to

-Configure a loopback - its ip address device would end the vpn

-make the source of the vpn packages come from the loop

-Configure static routes w / higher administrative distance

Do all this we tested VPN - they worked. Unplugged at t1 connection and traffic moves on the wireless. We checked the vpn clients could connect. Everything worked ok...

Except when you move large files between hosts behind fa0 via the vpn to the guests at the bottom. To prove the vpn worked and routing was in place, we could telnet from a host behind fa0 via the vpn to a remote host and you connect... Then, we would try an ftp files more. We could connect to the ftp server BUT once a file transfer started things would hang.

We opened a Cisco tac case and it turned out that the addition of

IP tcp adjust-mss 1300

the interface fa0 fixed all - file transfer worked.

My question why would be reduced aid package size? The vpn add some packages generals cauing more large packages to remove?

A clue was here, BUT it's PPPoE - no VPN...

http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122newft/122tcr/122twr/wftbrda.htm#1064471

I'm looking to explain why this reduced MTU size worked. I would of never figured this out on my own...

Here's the running-config, we used. Don't forget that everything worked (switching between WAN, vpn, NAT connectivity link) except the transfer of files and when large amounts of data was pushed over the line as MS-sharing files/printers, emails with attachments (a few hundred k). The only change is a line at the fa0 interface.

version 12.2

horodateurs service debug uptime

Log service timestamps uptime

encryption password service

!

hostname HPARFD

!

queue logging limit 100

logging buffered debugging 8192

enable secret 5

enable password 7

!

abc username password

clock timezone CST - 6

clock to summer time recurring CDT

AAA new-model

!

!

AAA authentication login userauthen local

AAA authorization groupauthor LAN

AAA - the id of the joint session

IP subnet zero

!

!

no ip domain search

IP domain name blahblah.net

IP-name server

IP-name server

!

audit of IP notify Journal

Max-events of po verification IP 100

property intellectual ssh time 60

!

!

!

!

crypto ISAKMP policy 1

md5 hash

preshared authentication

!

crypto ISAKMP policy 2

md5 hash

preshared authentication

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

test3030 key crypto isakmp address No.-xauth

ISAKMP crypto key address 0.0.0.0 test3131 0.0.0.0

crypto ISAKMP client configuration address pool local ourpool

!

ISAKMP crypto client configuration group whatever

key

pool ourpool

ACL 101

!

!

Crypto ipsec transform-set esp - esp-md5-hmac rptset

Crypto ipsec transform-set esp - esp-md5-hmac trans2

Crypto ipsec transform-set esp-3des esp-md5-hmac v35clientset

!

Crypto-map dynamic dynmap 10

Set transform-set v35clientset

Crypto-map dynamic dynmap 20

Set transform-set trans2

!

!

card crypto rtp-address Loopback0

crypto isakmp authorization list groupauthor rtp map

client configuration address card crypto rtp initiate

client configuration address card crypto rtp answer

RTP 1 ipsec-isakmp crypto map

defined by peers

Set transform-set rptset

match address 115

map rtp 50-isakmp ipsec crypto dynamic dynmap

!

!

!

!

interface Loopback0

Description loopback address is NOT dependent on any physical interface

IP 255.255.255.255

no ip proxy-arp

NAT outside IP

No cutting of the ip horizon

!

interface Ethernet0

secondary description - wireless WAN link

255.255.255.252 IP address

no ip proxy-arp

NAT outside IP

No cutting of the ip horizon

Half duplex

crypto rtp map

!

interface FastEthernet0

Description connected to EthernetLAN

IP 255.255.255.0

no ip proxy-arp

IP tcp adjust-mss 1300

^ ^ ^ Tac added cisco work around

IP nat inside

automatic speed

!

interface Serial0

first link description WAN - t1

255.255.255.252 IP address

no ip proxy-arp

NAT outside IP

random detection

crypto rtp map

!

router RIP

version 2

passive-interface Loopback0

passive-interface Serial0

passive-interface Ethernet0

network

No Auto-resume

!

IP local pool ourpool

IP nat inside source overload map route sheep interface Loopback0

IP classless

IP route 0.0.0.0 0.0.0.0 Serial0

IP route 0.0.0.0 0.0.0.0 Ethernet0

IP route 255.255.255.0 Serial0

IP route 255.255.255.0 Ethernet0 200

IP route 255.255.255.0 Serial0

IP route 255.255.255.0 Ethernet0 200

IP route 255.255.255.0 Serial0

IP route 255.255.255.0 Ethernet0 200

no ip address of the http server

no ip http secure server

!

!

!

remote_access extended IP access list

permit tcp any any eq 22

permit tcp 0.0.0.255 any eq telnet

TCP refuse any any eq telnet

allow an ip

!

access-list 1 permit 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 host

access-list 100 permit ip 192.168.0.0 0.0.0.255 host

access-list 100 permit ip 192.168.0.0 0.0.0.255 host

access-list 101 permit ip 0.0.0.255 10.2.1.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 10.2.1.0 0.0.0.255

access-list 199 permit tcp a whole Workbench

access-list 199 permit udp any one

access-list 199 permit esp a whole

access-list 199 permit ip 192.168.0.0 0.0.0.255 0.0.0.255

!

sheep allowed 10 route map

corresponds to the IP 110

!

Enable SNMP-Server intercepts ATS

RADIUS server authorization allowed missing Type of service

alias exec sv show version

alias exec sr show running-config

alias exec ss show startup-config

alias con exec conf t

top alias show proc exec

alias exec br show ip brief inter

!

Line con 0

exec-timeout 0 0

password 7

line to 0

line vty 0 4

exec-timeout 0 0

password 7

Synchronous recording

transport input telnet ssh rlogin udptn stream

!

NTP-period clock 17180059

NTP server

end

You can check the following site for more explanation:

http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

HTH...

On the Question of VPN S2S source NAT

Currently we have a number of implementation of VPN with various clients. We are NAT'ing range them at a 24 in our network to keep simple routing, but we seek to NAT Source our resources due to security problems. It is an example of a current virtual private network that we have configured:

outside_map crypto card 5 corresponds to the address SAMPLE_cryptomap

outside_map 5 peer set 99.99.99.99 crypto card

card crypto outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES

card crypto outside_map 5 the value reverse-road

SAMPLE_cryptomap list extended access permitted ip object-group APP_CLIENT_Hosts-group of objects CLIENT_Hosts

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

the APP_CLIENT_Hosts object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP

network-object, object SITE1_APP_JCAPS_Prod_VIP

network-object, object SITE2_APP_JCAPS_Dev_Host

network-object, object SITE2_APP_JCAPS_Prod_VIP

network-object, object SITE1_APP_PACS_Primary

network of the SITE1_APP_JCAPS_Dev_VIP object

Home 10.200.125.32

network of the SITE1_APP_JCAPS_Prod_VIP object

Home 10.200.120.32

network of the SITE2_APP_JCAPS_Dev_Host object

Home 10.30.15.30

network of the SITE2_APP_JCAPS_Prod_VIP object

Home 10.30.10.32

network of the SITE1_APP_PACS_Primary object

Home 10.200.10.75

network of the CLIENT_Host_1 object

host of the object-Network 192.168.15.100

network of the CLIENT_Host_2 object

host of the object-Network 192.168.15.130

network of the CLIENT_Host_3 object

host of the object-Network 192.168.15.15

network of the CLIENT_Host_1_NAT object

host of the object-Network 10.200.192.31

network of the CLIENT_Host_2_NAT object

host of the object-Network 10.200.192.32

network of the CLIENT_Host_3_NAT object

host of the object-Network 10.200.192.33

My question revolves around the Source NAT configuration. If I understand correctly, I have to configure 3 statements of NAT per NAT Source since there are three different destinations that are NAT' ed. I think I would need to add this:

network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

Home 88.88.88.81

network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.82

network of the SITE2_APP_JCAPS_Dev_Host_NAT object

Home 88.88.88.83

network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.84

network of the SITE1_APP_PACS_Primary_NAT object

Home 88.88.88.85

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

Is that correct, or is at - it an easier way to do this without having to add all statements of NAT? Moreover, any change would be to do on the access list?

Hello

To my knowledge you should not create several new instructions from NAT. You should be well just create a new Group 'object' for new addresses your source address NAT.

To better explain, take a look at your current ' object-group ' that defines your source addresses

the APP_CLIENT_Hosts object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP

network-object, object SITE1_APP_JCAPS_Prod_VIP

network-object, object SITE2_APP_JCAPS_Dev_Host

network-object, object SITE2_APP_JCAPS_Prod_VIP

network-object, object SITE1_APP_PACS_Primary

Now you can do this sets up a "object-group" that contains a NAT IP address for each of the IP addresses inside the ' object-group ' and 'object' used above. The IMPORTANT thing is that the ' object-group ' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

I mean, this is the first IP address is in most object - group ' will correspond to the first IP address in the newly created "object-group" for the IP NAT addresses.

As above, you can simply have the same "nat" configurations 3 as before but you change/add in the newly created "object-group"

For example, you might do the following

network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

Home 88.88.88.81

network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.82

network of the SITE2_APP_JCAPS_Dev_Host_NAT object

Home 88.88.88.83

network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.84

network of the SITE1_APP_PACS_Primary_NAT object

Home 88.88.88.85

the APP_CLIENT_Hosts_NAT object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP_NAT

network-object, object SITE1_APP_JCAPS_Prod_VIP_NAT

network-object, object SITE2_APP_JCAPS_Dev_Host_NAT

network-object, object SITE2_APP_JCAPS_Prod_VIP_NAT

network-object, object SITE1_APP_PACS_Primary_NAT

Then you add the following configurations of "nat"

NAT (inside, outside) 1 static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

Static NAT APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT static destination CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of source route 2 (inside, outside)

NAT 3 (indoor, outdoor) static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

Note line numbers, we added the above commands. This allows them to enter the upper part of the ASAs NAT rules, and therefore, they will become active immediately. Without line numbers that they will only be used after when you remove the old lines.

Then you can remove the "old"

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

This should leave you with 3 configurations "nat" who made the NAT source addresses and destination.

Naturally while you perform this change you will also have to change the ACL Crypto to match the new source NAT. This is because as all NAT is done before any VPN on the ASA. So the destination addresses are Nations United for before VPN and source addresses are translated before VPN.

If you do not want to make the changes without affecting the connections too so I suggest
- Add rules to the ACL Crypto for new addresses (NAT) source. Of course, this must be done on both sides of the VPN L2L. You would still be leaving the original configurations to the Crypto ACL does not not the functioning of the L2L VPN.
- Add new configurations of "nat" above without the line numbers I mentioned who mean you that they wont be used until you remove the "old".
- When you are ready to be migrated to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start the corresponding traffic for new "nat" configurations. Provided of course that there is no other "nat" configuration before the nine that could mess things up. This should be verified by the person making the changes.
Of course if you can afford a small cut when then changing the order in which you do things should not matter that much. In my work, that connections are usually not that critical that you can't make these changes almost at any point as it is a matter of minutes what it takes to make changes.

Hope this made sense and helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary.

-Jouni

PIX-to-client VPN and how to reach on other interfaces systems

Hi all

I've implemented a Pix-to-Client VPN and it seems works ok.

As you can see, customer gets the same inside the class address (192.168.100.x) so I can reach across systems.

My questions are:

If I give different subnet pool addresses, how can 1 I still reach inside systems?

2 if I have other systems on these interfaces such dmz1 (192.168.10.0) dmz2 (192.168.20.0) how to get to these systems of the

even the client vpn access?

Concerning

Alberto Brivio

IP local pool vpnpool1 192.168.100.70 - 192.168.100.80

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0

NAT (inside) - 0 102 access list

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp - esp-md5-hmac trmset1

Crypto-map dynamic map2 10 set transform-set trmset1

map map1 10 ipsec-isakmp crypto dynamic map2

map1 outside crypto map interface

ISAKMP allows outside

ISAKMP identity address

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup address vpnpool1 pool test

vpngroup split tunnel 102 test

vpngroup test 1800 idle time

test vpngroup password *.

It is generally preferable to use another range of IP addresses. The PIX will know that the VPN Client uses that vary and route it properly whitch is not the case when you are using the same IP range as the inside interface.

To access another interface use the SHEEP (your ACL 102) access list which disables NAT between the VPN and the neworks to which you want to connect.

Example of config:

access-list allowed SHEEP Internalnet ISubnetMask VPN-pool 255.255.255.0 ip

access-list allowed SHEEP DMZnet DMZSubnetMask VPN-pool 255.255.255.0 ip

NAT (inside) 0 SHEEP

AAA-server local LOCAL Protocol

AAA authentication secure-http-client

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS

Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS

card crypto 65535 REMOTE ipsec-isakmp dynamic outside_dyn_map

REMOTE client authentication card crypto LOCAL

interface card crypto remotely outside

ISAKMP allows outside

ISAKMP identity address

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 3des encryption

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

IP pool local VPNPool x.y.z.1 - x.y.z.254

vpngroup VPNGroup address pool VPNPool

vpngroup VPNGroup dns-server dns1 dns2

vpngroup VPNGroup default-domain localdomain

vpngroup idle 1800 VPNGroup-time

vpngroup VPNGroup password grouppassword

username, password vpnclient vpnclient-password

sincerely

Patrick

Connect to VPN and then log on to the domain by using different credentials.

I have a laptop user who will take care of various remote sites.

In XP, you had to first use DUN/VPN and then you can log in the field with different credentials that the VPN end point.

With Vista if I use the method user to switch on the logon screen and the log in the VPN it also attempts to use these credentials for the domain. The VPN device has its own separate authentication of the AD. How to restore the loss of functionality that Vista has?

I have to first connect to the VPN appliance and authenticate to that I do the network connection. Then, I need vista to propose real logon to the computer or to the domain.

I appreciate the help.

Computers in discontinuous bench

Hi StapleBench,

The question you have posted is related to the VPN and domain environment is better suited in the TECHNET forums, and as I see that you already post your query in the TECHNET forum in the following link:

http://social.technet.Microsoft.com/forums/en-us/itprovistanetworking/thread/f8579344-07f1-4855-8599-e55a0430c5f8

I suggest you wait for a response on the TECHNET itself thread.

Halima S - Microsoft technical support.

Visit our Microsoft answers feedback Forum and let us know what you think.

Assistance of Nexus 5 k with VPC and routing

Hello guys,.

We are trying to implement a new solution for one of our customers who have purchased a pair of devices 5596UP nexus.

We have this topology attached in jpeg format. They want to use the pair of 5 k for LAN and WAN connectivity.

Background

Customer wants a VPC configuration between the pair of nexus 5 k beucase at some point they will want to buy modules FEX and VPC servers directly, in which case it will take the VPC (VPC VLAN L3 ends the 5 k using HSRP).

Quesitons

1. can I have the same vlan with SVI built on each link and go through the vlan the link peer in order to build IBGP and EBGP peers according to the diagram. Will this work?

2. is it possible to build a bond of layer 3 of each link to remote device of PE and then configure other IVS on each link, allowing through the link peer? This configuration would work and traffic would pass through the link of peers for IBGP connectivity?

3. where can I I directed by question 1 above and use a separate port channel (non - vpc) between the two Nexus 5 k trunk vlan everywhere?

What is the best design around this kind of solution?

The alternative is to have the layer switch 2 plug to two Nexus 5 k without port-channel and make tree covering to the loop. In this case I have to build another trunk between the 5 k or could simply allow to the vlan through the link Peer VPC.

Thank you very much in advance.

Hello

The 5ks have cards daughter layer-3 installed? The 5K support BGP, but the maximum amount of BGP routes, you can have is 8000.

HTH

Question of VPNS and router

Similar Questions

Maybe you are looking for