Relay DHCP over VPN

Hi guys,
I have a problem with the implementation of DHCP relay mode on my VPN.
The VPN works fine and I can access the remote router, printers, etc. via their internal IP (192.168.0.xxx) with no problem. My setup is as follows.

An SRX5308 based in the United Kingdom with DHCP enabled, using the IP/subnet range 192.168.0.50 - 192.168.0.100/255.255.255.0. The router has the IP address 192.168.0.1 and a reserved/static range of 192.168.0.2 to 192.168.0.40.

An SRXN3205 based in France with initial settings of DHCP enabled, using the IP/subnet range 192.168.10.2 - 192.168.10.20/255.255.255.0. The router has the IP address 192.168.10.1.

The VPN is set up between 2 fully qualified domain name addresses, using the VPN wizard at both ends to define the policies, and works fine without errors or drop-outs.

The problem is on the French side. When I enable DHCP relay mode on the SRXN3205 it starts OK but does not relay the IP addresses from the United Kingdom.

Any ideas?

Just be aware that it is not really a good idea to run DHCP over a VPN: if for some reason the VPN breaks down, computers on the remote site will not be able to get an IP address and the entire network could go into crisis...

Personally, I use DHCP on the site with the server and I use static addresses at remote sites. I could probably use a local DHCP server on each site, but for the number of computers involved, using static has been easier.

Tags: Netgear

Similar Questions

  • Using to relay DHCP on LAN remote IPSec VPN WRVS4400N

    Hello

    I have a WRVS4400N. I want to know if it is possible to configure the remote relay DHCP WRVS4400N to find a DHCP server on the local network. The local network is 192.168.2.0/24, and the Remote LAN is 192.168.1.0/24. I am entered the field of relay DHCP server 192.168.1.100 but my local PC does not get an IP address. So, I would like to than the local PC to get an IP from DHCP address 192.168.2.x server remote (LAN) through the IPSec VPN tunnel. Is this possible?

    The IPSec tunnel works. I ping the 192.168.1.100 remote DHCP server, if the local PC, a static IP address 192.168.2.x I have the configuration of the DHCP server with an IP of 192.168.2.x/24 range.

    The remote VPN router is a Netgear FVS114.

    Thank you

    NIC

    On the WRVS4400N, you cannot do DHCP relay through the VPN tunnel.  You may need to get a business for which solution or a connection point to point for both networks on the same local network configuration.

  • SIP over VPN tunnel

    We have VPN tunnel in our firewall with the other partner peer. We use ASA 5520 with IOS "asa825-k8" and ASDM version 6.4.

    our partner has several services running in this tunnel VPN, including the SIP.

    other services work very well only SIP connections cannot come.

    the question is we allowed any IP service on the inside and outside interfaces, but this topic could not come to the top.

    is - there any SIP over VPN option must be configured on ASA?

    Hello

    As you can see in the logs, it is denied on the inside interface.

    You just need to allow this by opening an ACL for this traffic on port 5060.

    I would like to know if it works.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • SGE2000 relay DHCP problem

    I'm looking for more help with DHCP relay on a switch SGE2000.

    I have configured two VLANs on the switch, VLAN2 (192.168.10.x/24) and VLAN3 (192.168.9.x/24). I have the switch in Layer 3 mode. I configured 192.168.10.4 as the DHCP relay server and VLAN3 as the DHCP relay interface. All static IP routes have been generated by the switch.

    If I put a client computer on a port that is untagged in VLAN 3 and try to get a DHCP address from the server on a port that is untagged in VLAN 2, I never get a response.

    I made a few packet captures and here is what I found:

    1. I see the DHCP on the client computer
    2. I see the DHCP Request to the DHCP server from the IP shown in the switch for VLAN 3 (192.168.9.254)
    3. I see the DHCP server respond with a DHCP offer
    4. The DHCP offer never gets to the client computer

    I can't get a DHCP address to any system not on the same VLAN as the DHCP server. Option 82 is disabled; I also tried it, and that made no difference.

    Any help would be great.

    Thank you

    Phil

    Hi Phil,

    Have you created a static route on the DHCP server that points to the network 192.168.9.0/24?

    The gateway for this network, from the DHCP server's perspective, is the VLAN2 IP address of the SGE2000 switch.

    I think that if you tried to ping the VLAN3 IP address of the switch from the DHCP server now, you would not get a response.

    When you create a persistent static route on the DHCP server, you should then be able to ping the VLAN3 IP address of the switch.

    Best regards, Dave

  • SIP over VPN and 1.0.2.6 Firmware RV120W

    Updated 1.0.2.6 and all of a sudden devices SIP works via the VPN no longer work. Downgrade from version 1.0.1.3 and they work again. Any ideas? My guess is that some ports are blocked on the VPN in 1.0.2.6

    I thought the whole idea was that firmware upgrades fixed bugs rather than introduce them.

    Suggestion for Cisco:-Zip downloads of image of the firmware, or have an upgrade process which includes a CRC check, as it at least the poor punter will have an indication if they have been damaged. I had a subtle memory problem that corrupts certain files. Download of the firmware seems to fill in correctly and you can log on OK but some menu choices resulted in a deadlock with the "Please wait... the page is loading" message. Thorough check of the file sizes revealed that the file I'm downloading in the router is different in size to those on the site, a few hundred bytes must have been corrupted during the download. But the download was normal with no indication of any errors. It's a pretty basic protection measure that should be there as a no-brainer with the router was conducting a CRC check and showing an error if it fails.

    Hello Michael,

    Maybe you have the SIP Application Layer Gateway active. Please try to disable it; SIP over VPN then works great.

    Firewall --> Advanced --> remove the checkbox of the SIP ALG.

    Thank you

    Nero - UNITED Arab Emirates

  • Relay DHCP VPN site-to-site

    I am trying to configure DHCP relay by VPN, I've read various articles, but I can't understand it:

    The configuration is the following:

    Site1:

    DHCP server: 192.168.200.21

    ADSL Cisco 877 router
    Internal IP address: 192.168.200.12
    External IP address: 194.99.99.194

    Site2:

    Cisco ASA 5505 (behind a router ADSL 192.168.1.1, forwarded ports 500 and 4500 vpn to ASA)
    Internal IP address: 192.168.2.1
    External IP address: 192.168.1.2

    There is a working ipsec site to site vpn between site1 and 2.

    I want clients in site2 to get an IP address from the DHCP server in site1.

    On the Cisco ASA:
    dhcprelay server 192.168.200.21 outside
    dhcprelay enable inside
    Should setroute be on or off?

    Crypto maps:
    permit 192.168.2.0 192.168.200.0 (original crypto)
    permit 192.168.1.2 192.168.200.21 (added)
    permit 192.168.2.1 192.168.200.21 (added)

    Site1:

    On the Cisco 877:

    Crypto maps:
    permit 192.168.200.0 192.168.2.0 (original crypto)
    permit 192.168.200.21 192.168.1.2 (added)
    permit 192.168.200.21 192.168.2.1 (added)

    What NAT entries should I use on the ASA and 877?

    Will this configuration work?

    Greetings Henk

    Hello Henk,

    First of all, yes, it should work. I have seen it work before configured this way.

    Looks like you managed to solve the trickiest part, which is the definition of interesting traffic. It must include the ASA outside IP address and the address of the DHCP server as one SA (Security Association) at both ends, and from the description you provided it seems that interesting traffic is already set up like that.

    On the router side, you will need to add a NAT exemption rule from the DHCP server address to the ASA external IP address. It should be something like this:

    deny ip host 192.168.200.21 host 192.168.1.2

    Finally, the 'setroute' command is used to change the default gateway sent from the DHCP server. Basically, if you set 'setroute', the ASA will override the default gateway sent by the DHCP server with the IP address of its inside interface. If you want that to happen then turn it on.

    Let me know if you have any doubts.

    Daniel Moreno

    Please note all messages that will be useful
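
The point made in the answer above, that the relayed DHCP packets are sourced from the ASA outside address and so need their own mirrored interesting-traffic entries, can be checked as follows. This is an added example, not code from the thread; the /24 and /32 masks are assumptions, because the post lists its crypto ACL entries without masks.

```python
import ipaddress

# Addresses from the post. Masks are assumed (/24 for the LANs, /32 for hosts).
ASA_OUTSIDE = "192.168.1.2"      # source of relayed packets ("dhcprelay server ... outside")
DHCP_SERVER = "192.168.200.21"

# Interesting traffic as (source, destination) pairs, before and after the additions.
ASA_ORIGINAL = [("192.168.2.0/24", "192.168.200.0/24")]
R877_ORIGINAL = [("192.168.200.0/24", "192.168.2.0/24")]
ASA_ADDED = ASA_ORIGINAL + [("192.168.1.2/32", "192.168.200.21/32"),
                            ("192.168.2.1/32", "192.168.200.21/32")]
R877_ADDED = R877_ORIGINAL + [("192.168.200.21/32", "192.168.1.2/32"),
                              ("192.168.200.21/32", "192.168.2.1/32")]


def _nets(acl):
    """Normalise an ACL to a set of (source network, destination network)."""
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl}


def flow_protected(acl, src, dst):
    """True if some entry matches src -> dst, i.e. the packet is sent into the tunnel."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in s and dst_ip in d for s, d in _nets(acl))


def mirrored(acl_a, acl_b):
    """Both peers must describe the same traffic with source and destination swapped."""
    return _nets(acl_a) == {(d, s) for s, d in _nets(acl_b)}


def check_relay(relay_acl, server_acl, relay_src=ASA_OUTSIDE, server=DHCP_SERVER):
    """Check both directions of the relay <-> server exchange against the two ACLs."""
    return {
        "request_matched": flow_protected(relay_acl, relay_src, server),
        "reply_matched": flow_protected(server_acl, server, relay_src),
        "mirrored": mirrored(relay_acl, server_acl),
    }


if __name__ == "__main__":
    # LAN-to-LAN entry only: the relay source 192.168.1.2 is outside 192.168.2.0/24,
    # so the relayed request is not matched and would not be protected by the tunnel.
    print("original:", check_relay(ASA_ORIGINAL, R877_ORIGINAL))
    # With the host entries added on both peers, both directions match.
    print("added:   ", check_relay(ASA_ADDED, R877_ADDED))
    # Adding the entries on one peer only leaves the ACLs unmirrored.
    print("one side:", check_relay(ASA_ADDED, R877_ORIGINAL))
```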

  • VPN 3020 - relay DHCP and reservations

    Hi all

    I have a VPN concentrator 3020 in my structure and I am setting up allocation of an IP address by an external DHCP server.

    There is no problem in that: the client authenticates and then receives its IP address...

    The problem is that I need to configure a reservation on the DHCP server... the question is: which MAC address do I use for the reservation?

    I saw on the server the mac address of the dhcp request is something like this 0003a08a5308020e7f28f4e9a82000, which is the mac address of the external interface of the vpn concentrator, as well as many other characters, which does not seem to be related to the client or any other part of the network and change each time we connect...

    I think that I can not assign the static IP address on the hub, or GBA, because users authenticate to the VPN through MS Active Directory hub, so that they do not really exist on these devices...

    Anyone know how I can do this job?

    Thank you very much

    Marco

    You can do that with the ip address of the DHCP server.

    You can configure the LDAP server to assign the individual ip address depending on whether the user authenticates to the access customer vpn.

    You must configure the LDAP server for permission in the VPN concentrator, but also to enable 'Use authentication server address' for the assignment of an ip address.

  • DHCP with VPN

    I work with an ASA 5505.  I configured an IPsec remote access connection profile.  This profile is set to give clients a virtual IP address via DHCP as shown in this example configuration:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

    When the DHCP request is sent from the ASA to the DHCP server, the hostname in the request is set to the name of the IPsec connection profile and a number.  Is it possible to have the host name set to the host name of the client that initiated the connection?

    Does the ASA support receiving a host name in an IKE Mode Config request?

    Thank you

    Mark

    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for IPV4 address!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for IPV4 net mask!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for DNS server address!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for WINS server address!
    Aug 11 07:06:27 [IKEv1]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Received unsupported transaction mode attribute: 5
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Banner!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Save PW setting!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Default Domain Name!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Split Tunnel List!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Split DNS!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for PFS setting!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Client Browser Proxy Setting!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for backup ip-sec peer list!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for Application Version!
    Aug 11 07:06:27 [IKEv1]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Client Type: WinNT  Client Application Version: 5.0.05.0290
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for FWTYPE!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, MODE_CFG: Received request for DHCP hostname for DDNS is: PD1-STATIC-WXP!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Obtained IP addr (192.168.1.4) prior to initiating Mode Cfg (XAuth enabled)
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Sending subnet mask (255.255.255.0) to remote client
    Aug 11 07:06:27 [IKEv1]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Assigned private IP address 192.168.1.4 to remote user
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, constructing blank hash payload
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Send Client Browser Proxy Attributes!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, Send Cisco Smartcard Removal Disconnect enable!!
    Aug 11 07:06:27 [IKEv1 DEBUG]: Group = IPSEC-Test, Username = cisco, IP = 20.20.20.1, constructing qm hash payload
    Aug 11 07:06:27 [IKEv1]: IP = 20.20.20.1, IKE_DECODE SENDING Message (msgid=fa774da7) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 206

    Version above. The Tunnel-Group and the host name. Also make sure you have "Register this connection in DNS" setting checked under Advanced properties of WILL. It comes default Cisco VPN client. If StrongSwan has one GOES then it must follow the rules in the Windows API, this parameter expected to be here than if she one WILL, in the case where it is a sort of driver setup miniport (shim), she has no one will

    Here is the packet:

    Frame 9 (590 bytes on wire, 590 bytes captured)
    Ethernet II, Src: Cisco_d7:74:dd (00:25:45:d7:74:dd), Dst: Vmware_ad:75:1b (00:50:56:ad:75:1b)
    Internet Protocol, Src: 11.12.12.5 (11.12.12.5), Dst: 11.12.12.25 (11.12.12.25)
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
    Bootstrap Protocol
        Message type: Boot Request (1)
        Hardware type: Ethernet
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x011b5678
        Seconds elapsed: 7
        Bootp flags: 0x0000 (Unicast)
            0... .... .... .... = Broadcast flag: Unicast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0 (0.0.0.0)
        Your (client) IP address: 0.0.0.0 (0.0.0.0)
        Next server IP address: 0.0.0.0 (0.0.0.0)
        Relay agent IP address: 11.12.12.5 (11.12.12.5)
        Client MAC address: Cisco_d7:74:dd (00:25:45:d7:74:dd)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: (OK)
        Option: (t=53,l=1) DHCP Message Type = DHCP Discover
            Option: (53) DHCP Message Type
            Length: 1
            Value: 01
        Option: (t=57,l=2) Maximum DHCP Message Size = 1152
            Option: (57) Maximum DHCP Message Size
            Length: 2
            Value: 0480
        Option: (t=61,l=45) Client identifier
            Option: (61) Client identifier
            Length: 45
            Value: 00636973636F2D303032352E343564372E373464642D5044...
        Option: (t=12,l=15) Host Name = "PD1-STATIC-WXP"
            Option: (12) Host Name
            Length: 15
            Value: 5044312D5354415449432D57585000
        Option: (t=55,l=6) Parameter Request List
            Option: (55) Parameter Request List
            Length: 6
            Value: 01060F2C0321
            1 = Subnet Mask
            6 = Domain Name Server
            15 = Domain Name
            44 = NetBIOS over TCP/IP Name Server
            3 = Router
            33 = Static Route
        End Option
        Padding

    The only thing that is new is the 'register this connection in DNS' thing you can find in the Advanced AV. properties
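
The fields shown in the dissection above (relay agent address, client hardware address, options 12 and 61) can be pulled out of a raw DHCP message as follows. This is an added example, not code from the thread; the sample packet is constructed from the values visible in the capture, and option 61 carries only the part of the value that the capture shows before it is cut off.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_relayed_discover(xid, relay_mac, giaddr, options):
    """Build a constructed sample: a BOOTREQUEST carrying DHCP options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 7, 0,               # transaction id, seconds elapsed, flags (unicast)
        bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
        relay_mac, b"", b"")     # chaddr, sname, file (struct pads with NULs)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(pkt):
    """Parse the fixed BOOTP header and the option list, rejecting malformed input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short packet or bad magic cookie)")
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    msg = {"op": op, "hops": hops, "xid": xid,
           "giaddr": socket.inet_ntoa(pkt[24:28]),
           "chaddr": pkt[28:28 + min(hlen, 16)].hex(":"),
           "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the packet" % code)
        # A repeated option code is concatenated (RFC 3396).
        msg["options"][code] = msg["options"].get(code, b"") + value
        i += 2 + length
    return msg


def summarize(pkt):
    """Report what a DHCP server can key a lease or reservation on."""
    msg = parse_dhcp(pkt)
    opts = msg["options"]
    cid = opts.get(61)
    if cid and cid[0] == 0:      # type 0: opaque identifier, here printable text
        client_id = cid[1:].decode("ascii", "replace")
    else:
        client_id = cid[1:].hex(":") if cid else None
    relayed = msg["giaddr"] != "0.0.0.0"
    return {
        "xid": msg["xid"],
        "message_type": opts[53][0] if 53 in opts else None,
        "relayed": relayed,
        "reply_to": msg["giaddr"] if relayed else None,  # server answers the relay here
        "chaddr": msg["chaddr"],                         # the relay's MAC in this capture
        "hostname": opts[12].rstrip(b"\0").decode("ascii", "replace") if 12 in opts else None,
        "client_id": client_id,
    }


# Constructed sample modelled on the capture in the thread.
SAMPLE = build_relayed_discover(
    0x011B5678, bytes.fromhex("002545d774dd"), "11.12.12.5",
    [(53, b"\x01"), (57, b"\x04\x80"),
     (61, b"\x00cisco-0025.45d7.74dd-PD"),   # visible prefix only
     (12, b"PD1-STATIC-WXP\x00"),
     (55, bytes.fromhex("01060f2c0321"))])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:13} {value}")
```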

  • Try to send all traffic over VPN

    Hello

    I have a Cisco 871 router on my home cable modem connection. I am trying to set up a VPN, and I want to send all traffic over the VPN from connected clients (no split tunnel).

    I can connect to the VPN and I can ping/access resources on my home LAN when I'm remote but access to the internet channels.

    If its possible I would have 2 Configuration of profiles according to connection 1 connection sends all traffic to the vpn and the connection on the other split tunneling but for now, I'd be happy with everything just all traffic go via the VPN.

    Here is my config.

    10.10.10.xxx is my home network inside LAN

    10.10.20.xxx is the IP range assigned when connecting to the VPN

    FastEthernet4 is my WAN interface.

    Core#show run
    Building configuration...

    Current configuration : 4981 bytes
    !
    version 12.4
    service config
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Core
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    no logging buffered
    enable secret 5 XXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint Core_Certificate
     enrollment selfsigned
     serial-number none
     ip-address none
     revocation-check crl
     rsakeypair Core_Certificate_RSAKey 512
    !
    !
    crypto pki certificate chain Core_Certificate
     certificate self-signed 01
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      quit
    dot11 syslog
    no ip source-route
    !
    !
    !
    !
    ip cef
    no ip bootp server
    ip name-server 75.75.75.75
    ip name-server 75.75.76.76
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username XXXXXXXXXXXXX privilege 15 password 7 XXXXXXXX
    username XXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXX
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group main
     key XXXXXXX
     dns 75.75.75.75 75.75.76.76
     pool SDM_POOL_3
     max-users 5
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
     match identity group main
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address respond
     virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile ciscocp-ike-profile-1
    !
    !
    crypto ctcp port 64444
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 1
    !
    !
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     description $ETH-WAN$$FW_OUTSIDE$
     ip address dhcp client-id FastEthernet4
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Virtual-Template1 type tunnel
     description $FW_INSIDE$
     ip unnumbered FastEthernet4
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 10.10.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    !
    ip local pool SDM_POOL_1 10.10.30.10 10.10.30.15
    ip local pool SDM_POOL_2 10.10.10.80 10.10.10.85
    ip local pool SDM_POOL_3 10.10.20.10 10.10.20.15
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
    ip http server
    ip http access-class 2
    ip http authentication local
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.5.0 0.0.0.255
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark HTTP access class
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 2 deny any
    no cdp run

    !
    !
    !
    !
    !
    control-plane
    !
    banner login ^CThis is a private router and all access is controlled and connected.^C
    !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     access-class 2 in
     transport input ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Core#

    Thanks for your help!

    Hi Joseph,

    You need a configuration like this:

    client pool: 10.10.20.0

    local network behind router: 10.10.10.0

    R(config)#ip access-list extended 101
    R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any

    interface Virtual-Template1 type tunnel
     description $FW_INSIDE$
     ip policy route-map VPN

    R(config)#ip access-list extended 103
    R(config-ext-nacl)#permit ip any 10.10.20.0 0.0.0.255

    R(config)#route-map VPN permit 10
    R(config-route-map)#match ip address 101
    R(config-route-map)#set interface loopback1
    R(config)#route-map VPN permit 20
    R(config-route-map)#match ip address 103
    R(config-route-map)#set interface loopback1

    You must now exempt the VPN traffic from NAT:

    ===================================

    R(config)#ip access-list extended 102
    R(config-ext-nacl)#deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
    R(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
    R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any

    ip nat inside source list 102 interface FastEthernet4 overload

    Let me know if this can help,

    See you soon,

    Christian V

  • Relay DHCP WAG325N

    Hello

    What I have;

    2601 ZyXEL router connected to the DSL line, wireless with DHCP activated

    Linksys router connected to the Zyxel router through the LAN 1 port and 1. LAN port configured as WAN

    Linksys router is able to get the IP address and the DNS server of the Zyxel router Info

    Connect to the Linksys router with IP and static DNS = server works Internet access, LAN access is not

    Connection to the router Linksys with Dynamic IP and DNS = no. IP/DNS addresses are assigned and so not Internet / LAN access.

    So it seems the DHCP relay does not work?

    Can someone help me with this? What I really want to do, is extend my Zyxel network with the Linksys router.

    Thank you

    If you configure the port 1 WAN port and connect port 1 to the Zyxel you use the WAG as a router. This means that there must be a separate LAN IP subnet on his side LAN.

    You can configure the WAG with 192.168.2.1/255.255.255.0 as its LAN IP address. LAN clients connected to the WAG need 192.168.2.* IP addresses to work.

    The DHCP server on the Zyxel can do that. You can only use the relay function in the WAG if you have an advanced DHCP server that knows which IP addresses to assign according to the source.

    You must enable the DHCP server in your configuration.

    It is probably best to put in place the WAG as a simple access point instead:

    1. do not configure port 1 port WAN.
    2. set the address LAN IP of the WAG on 192.168.1.2.
    3. turn off the DHCP server on the WAG.
    4. connect one of the WAG LAN ports to your Zyxel.

    Now you have a local network and the WAG as access point.

  • Jabber/MOVI routing over VPN on VCS-E calls

    Hi all

    I have a problem with the situation to follow.

    - 2 Movi clients connected via VPN tunnel to the VCS Expressway

    - both VPN tunnels are on the same subnet.

    - ICE is NOT set up!

    Now the problem is that the traffic is passing through the VCS-E but goes multimedia traffic, which is in this situation via VPN would not be allowed.

    Is it possible to configure something that all signaling and media traffic is going through the VCS-E if the two MOVI Client on the same subnet?

    Best regards

    Georg

    The call between the Jabber bot and video customers have the same contact address of sip and IP source address, then VCS will treat as non-traversal call (client is not behind the firewall).

    That's why VCS won't stay in media routing.

    You are able to configure the VPN client DHCP range for the different subnet IP address?

  • Pool of dhcp NAT VPN to the LAN on router 2911

    I need nat the ips assigned by dhcp vpn to my LAN pool. My problem is that I do not know which interface to set my nat statement on since there is no interface that is in the same subnet as my dhcp pool. Any help would be appreciated.

    For remote IPsec clients, you must have DVTI, following the configuration described here:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm...

    Use 'ip nat inside' on the virtual template and 'ip nat outside' on the inside interface.

    HTH

    Averroès.

  • NetBios Over VPN

    Hi all

    I have configured a site-to-site VPN between an ASA 5510 and an ASA 5505. It works fine; I am able to ping hosts on both sides.

    But I have the following problem:

    1. I can access the shared folder of the peer host using its IP address, but I am not able to access it with the name of the computer, e.g. \\akl13

    I think that maybe that's the problem with the NetBios/WINS by VPN service

    My question is how can I enable NETBIOS via VPN (site to site)

    I enclose the configuration

    ASA Version 7.0(8)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.2.6 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    access-list inside_pnat_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_cryptomap_20 extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    static (inside,outside) 192.168.3.0 access-list inside_pnat_outbound
    route outside 0.0.0.0 0.0.0.0 192.168.2.6 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username dileep password STkzljfDxlzWJX9D encrypted privilege 15
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 192.168.2.7
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 28800
    crypto map outside_map 20 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group 192.168.2.7 type ipsec-l2l
    tunnel-group 192.168.2.7 ipsec-attributes
     pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global

    Waiting for your valuable response

    In order to achieve a workstation through WINS name resolution, there must be a WINS server shared on two workgroups networks if you want. NetBIOS over TCP is a feature that is enabled in the settings of real network on the PC and not on the firewall.

  • Routing over VPN between ISA550W and RV215W

    Hello all, I have a problem with the VPN between my two offices.

    I have an ISA550W at the head office (chcnorth).

    I have an RV215W at the remote office (chcsouth).

    The VPN is up and running; I can connect from the head office to the remote end (chcsouth-RV215W) and vice versa. However, when client computers on the remote end try to connect to the main office to access the database, they can't.

    The problem started last week. I received a call from the remote office that they can connect to our database on the main office. I tried to connect remotely to see what was going on, and it turns out that the router had completely reset to factory defaults, including the firmware.

    I reinstalled the latest firmware for the RV215W and set up all the connections as they were. I could get the VPN to connect, I can ping the interface of the RV215W from the head office and I can ping the ISA550W from the remote office; however, my remote clients still cannot access my server at the main office.

    I realized after I had everything set up that I had a backup of my original installation, and thinking I had just missed something, I restored the router to factory defaults, upgraded the firmware and restored the backup of the RV215W I had. Still no dice.

    So I am now at a loss. There were no other changes to the network on either end, and I've been over this so many times my eyes are blurred.

    Any ideas, workarounds or solutions would be greatly appreciated.

    Thanks in advance

    John G

    John,

    It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.

    If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

    http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

    In your case, it might look more like:

    192.168.1.200 sqlsvr

    Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.

    Please reply if you have any questions.

    -Marty

  • NAT over VPN IP Pool

    Hello

    I just want to ask if it is possible to NAT the remote access VPN users' IP pool to the router's outside IP address? The router is a Cisco 1841.

    Thank you!

    Patricia,

    Are you referring to NATing your RA IP pool using your external interface, just as you do with your LAN subnets in ip nat overload? If so, this link illustrates a similar example using a route map. Please let us know if this isn't what you're looking for, and perhaps elaborate on what you are trying to accomplish.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

    Regards
