US Army hub sites

Recently we have begun to install the most recent C Series codecs for the U.S. Army. But we have some issues, and we need to know whether they are occurring at other DOD sites.

1. Using the ISDN Link module, we have problems connecting to the DVS-G hub sites, given that Cisco did not include the G.728 audio standard in the Link software. So we cannot auto-negotiate with DVS-G sites that use only G.728. (Yes, hard to believe that the two sides, but true)

2. We also have problems with the fact that you can configure easily fixed series C to an audio or video standards using the remote control or the web interface. I understand that you can do in telnet and using the experimental section, but they do not publish the API for this feature.

Has anyone else had these problems and found a solution?

You can email me directly at [email protected].

Thank you

If you are using a more recent firmware version (i.e. TC6.2) on your C Series terminals, you can set the capset(2) filter through the web interface (in the experimental section) as well as via telnet/ssh. There is some quick info on the use of the filter at https://supportforums.cisco.com/docs/DOC-16106.

Tags: Cisco Support

Similar Questions

  • Media hub site not here

    Since Friday afternoon, I was not able to get to my hub on the internet. Sign on behalf of hub and then more nothing. Does anyone else have this problem. How long can we get this free? a month or so, I got this place and work.

    It says here > https://ciscomediahub.com/faq/faq-en.html you have 1 year free remote access service, and then afterwards, you will have to pay $9.99 a year. Maybe you just need to restart the hub or reboot your router for remote access to work again.

    See you soon.

  • ASA Site, Remote Site cannot access DMZ to the Hub site

    So I've been scratching my head and I just can't visualize what I want and how I want to do it.

    Here is the overview of my network:

    Headquarters: ASA 5505

    Site1: ASA 5505

    Site2: ASA 5505

    Training3: ASA 5505

    All sites are connected L2L to the Headquarters location with site-to-site VPN.

    From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic is also passing correctly.

    Here's my issue: at the HQ site, I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.

    What should I do?

    My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the DMZ question?

    I enclose the show run from my ASA HQ

    See the race HQ ASA

    For the mail/web server that needs to be reachable from the remote sites over the VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for network access. Make sure that both sides have mirrored ACLs. If you're NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.

    For the second question, because you have only three sites, I would recommend creating a tunnel from site to site between two satellite sites.

    HTH

    PS. If you found this post useful, please note it.

  • Star redirect speaks IPSEC traffic on hub site

    I'm sure it can be done. I have Cisco PIX appliances in a few branches as well as a central PIX firewall at the main office. They all talk to each other via IPsec tunnels. I would like to direct all IP traffic from the branches through the IPsec tunnels and out to the Internet from Headquarters. Basically, disable split tunneling at all locations and force traffic into the main office using the IPsec tunnels and route it back out to the Internet. I hope this makes sense; I'm not sure how the routing part will work. Could someone please help me understand this part?

    Thank you.

    This is possible on the v7, not v6.x.

    Take a look on this cisco doc:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml#diag

  • Hub topology and talk: can I traffic Internet road to PC at a radius of the site through the tunnel and NAT outside in the world on the 5520 hub?

    I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that is not possible, but I have an ASA 5520 at my central office site with a 20 Mbps fiber Internet feed and two remote offices with ASA 5505 devices connected via DSL or cable modem, and I have finally got site-to-site "spoke" VPN tunnels up and running, with the ability to route spoke-to-spoke traffic through a 'hairpin turn' on the hub site 5520.

    I have desktop PCs at each of the remote spoke sites A & B that need to communicate directly with each other to support a small workgroup-style point-of-sale software package that is actually hosted on a PC at remote site A.

    PC on two remote sites must also be able to communicate with a credit card processing by the public Internet service, and I wish have the ASA 5505 units in each block of remote office as all traffic directly NAT'ed from each respective out on the local LAN PC straight Internet above each site cable modem or DSL modem. I want to force these PCs need to NAT their Internet-destination back through the ASA 5520 traffic located at the Home Office, on the VPN tunnels. In other words, I want the cable modem and DSL connections to route traffic strictly VPN encrypted to the Home Office and also behave like routers NAT for the local PC it.

    I can kill the 5505 prevents NAT for PCS in remote offices simply removing the rule dynamic NAT factory default for 'everything', but then I can't understand how to get my 5520 central to perform NAT which required of the remote PCs to talk to their service of Internet credit card processor without breaking the configs "NAT-free" necessary for VPN traffic to spoke-to-spoke to work. If I'm trying to put an entry static or dynamic NAT for a remote desktop on my 5520 ASA central, it breaks the VPN tunnel so that PC specific.

    Is that what I want to accomplish even possible with the ASA?

    Hi Neal,

    Yes, it's quite possible! Below is a list of things you need to do:

    (1) Make sure, of course, that on both of the ASA 5505s you send ALL traffic from the local network through the VPN.

    (2) As Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

    (3) You do not have to have a proxy server configured, but it is also a good solution. To make it work without one, assuming that the ASA 5505 remote subnets are 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

    nat (outside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 192.168.2.0 255.255.255.0
    global (outside) 1 interface

    Please note that the ID 1 and the interface can be replaced according to the configuration you already have in place on the ASA 5520.

    I don't know what kind of NAT exemptions are at the origin of the questions for you, but if you can put a sanitized one of your ASA 5505 and ASA 5520 config, I can make suggestions concerning the exact configuration.

    Let me know if it helps!

    Thank you and best regards,

    Assia

  • Site of initiation of tunnel site

    Is there any way to start phase 2 without sending data from a workstation on the inside?

    Once the tunnels are up, they are good to go unless they drop for some unforeseen reason, or if the SA is reset. The problem is that there is not much traffic sourced from the remote site to bring the tunnel back up if it drops; however, the hub site must be able to reach out and touch the remote sites.

    The remote sites are configured with a static crypto map defined as originate-only and have two peers defined. The hub site uses a dynamic crypto map.

    Thanks for the tips.

    A way around this is to have a machine on the remote end, or the remote PIX itself, use a local syslog server, etc. This traffic would bring the tunnel up without user intervention.

  • IPSEC TUNNEL... HUB & SPOKE problem

    Hi all

    I am facing a problem of site to site VPN HUB-and-spoke topology.

    Scenario: Deficit (2811) HUB makes Ipsec tunnel with 100 spokes (851). with a common pre shared key. About 90 tunnels are up but 10 tunnels do not come to the top. Same config there spoke an IOS in each router.  DPD is enabled on the HUB site.

    HUB crypto config is the same for all sites and access lists are reflected in the structure in Star...

    While debugging one of the spokes, I got the following messages:

    *Mar  2 09:37:59.847: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
    *Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Mar  2 09:37:59.847: ISAKMP:(0): constructed NAT-T vendor-02 ID
    !
    !
    *Mar  2 09:37:59.887: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Mar  2 09:37:59.887: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar  2 09:37:59.887: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  2 09:37:59.887: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    !
    *Mar  2 09:38:01.887: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
    *Mar  2 09:38:01.887: ISAKMP:(0): retransmitting due to retransmit phase 1
    *Mar  2 09:38:04.203: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
    *Mar  2 09:38:04.203: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    ! (5 attempts)
    *Mar  2 09:38:04.887: ISAKMP:(0):peer does not do paranoid keepalives.
    *Mar  2 09:38:04.887: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer x.x.x.x)
    *Mar  2 09:38:04.887: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer x.x.x.x)
    *Mar  2 09:38:04.887: ISAKMP: Unlocking peer struct 0x82182080 for isadb_mark_sa_deleted(), count 0
    *Mar  2 09:38:04.887: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 82182080
    *Mar  2 09:38:04.887: ISAKMP:(0):deleting node -653888495 error FALSE reason "IKE deleted"
    *Mar  2 09:38:04.887: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Mar  2 09:38:04.887: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA

    It is showing NAT-T in the debug, but there is no NATing happening between the two... ??

    Please share your thoughts and your conclusions on that.

    Regards

    SAHKI

    Hello

    Yes, it helped to confirm that you are limited to 100 SA IKE. The number of DH is most of the time a construction internal, so you do not have to worry too much about it. I hope this helps.

    Thank you

    Wen

  • VPN from Site to Site subnets overlap

    Hello everyone,

    I have a few ASAs with site-to-site tunnels to 1 hub site.

    All sites tunnel all traffic to the hub ASA (0.0.0.0/0).

    Internet access is provided via the hub ASA.

    Now, I need to create a site-to-site VPN from each location to a different hub ASA, destined for 10.10.0.0/16.

    During the creation of the tunnel, I get the error of overlapping subnets via the previous tunnel (0.0.0.0/0).

    How can I possibly have 2 tunnels?

    A 0.0.0.0/0 - Interesting traffic tunnel-

    B - Interesting traffic - 10.10.0.0/16-tunnel

    Thanks in advance!

    Hello

    I'm not 100% sure about this, as I have not tested or had to do a similar setup before.

    But you can try several things

    • Add an ACL statement at the TOP of the existing VPN L2L as a Deny statement. The ASA will give an error/warning message after that.

      • access-list deny ip 10.10.0.0 255.255.0.0
    • Configure the specific highest order number in the "crypto map" configurations and see if that helps

      • crypto map 10 set peer
      • crypto map 1 set peer

    You can naturally use 'packet-tracer' and other diagnostic commands to confirm that the current L2L VPN does not account for the destination network 10.10.0.0/16

    Hope this helps

    -Jouni

  • How to install the VPN Client and the tunnel from site to site on Cisco 831

    How can I configure a Cisco 831 router (branch office) so that it will accept incoming VPN Client connections and also initiate a site-to-site IPsec tunnel to our hub site, which uses a VPN 3005 concentrator? I could get the tunnel to work by configuring it in a dynamic crypto map, but interesting traffic on the Cisco 831 side would not bring the tunnel up. I could only bring it up from the hub side. If I use a static crypto map and apply it to the external interface of the 831, I can get this working, but then I couldn't get the VPN Client to work.

    Thank you.

    The dynamic map is called clientmap
    The static map is called mymap

    You should have:

    no crypto map outmap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap 10 ipsec-isakmp dynamic clientmap

    interface Ethernet1
     crypto map mymap

    Federico.

  • DMVPN dual-stack hub site

    Hello

    I have a dual-stack DMVPN hub site; VPN for either IPv4 or IPv6 works correctly, but not both at the same time.

    If IPv4 peers connect first, then IPv6 peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP phase 1 is built correctly.

    A "show crypto ipsec sa" on the hub shows the SA for the kind of peer connecting first. A "show crypto ipsec sa" on the spoke that is unable to form a security association with the hub shows a security association, but with none of the proposals, and the send error counters:

    Spoke SA (IPv4)

    interface: Tunnel1
        Crypto map tag: my-profile-v4-head-1, local addr 2.2.2.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 23255, #recv errors 0

         local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
         plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

       protected vrf: (none)

    I'm in IOS Version 15.3 (2) T, is there some kind of known bug or workaround for this?

    Interface configuration

    interface GigabitEthernet0
     description * outside *
     ip address 1.1.1.1 255.255.255.0
     duplex auto
     speed auto
     ipv6 address 2001:1:1:1::1/64

    Crypto configuration

    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 14
    crypto isakmp key cisco address 0.0.0.0 no-xauth
    crypto isakmp key cisco address ipv6 ::/0 no-xauth
    crypto isakmp keepalive 10 periodic

    crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
     mode tunnel

    crypto ipsec profile My-profile-v4
     description * profile fuer IPsec peers IPv4 *
     set transform-set My-Set
     set pfs group2

    crypto ipsec profile My-profile-v6
     description * profile fuer IPsec peers IPv6 *
     set transform-set My-Set
     set pfs group2

    Tunnel configuration

    interface Tunnel1
     description * DMVPN Intranet IPv4 *
     bandwidth 1000
     ip vrf forwarding VPN
     ip address 10.0.10.1 255.255.255.0
     no ip redirects
     ip mtu 1416
     no ip next-hop-self eigrp 65351
     no ip split-horizon eigrp 65351
     ip pim sparse-mode
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 360
     ip nhrp shortcut
     ip nhrp redirect
     ip tcp adjust-mss 1360
     load-interval 30
     shutdown
     keepalive 10 3
     tunnel source GigabitEthernet0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile My-profile-v4 shared
    !
    interface Tunnel2
     description * DMVPN Intranet IPv6 *
     bandwidth 1000
     ip vrf forwarding VPN
     ip address 10.0.12.1 255.255.255.0
     ip mtu 1416
     no ip next-hop-self eigrp 65351
     no ip split-horizon eigrp 65351
     ip pim sparse-mode
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     ip nhrp holdtime 360
     ip nhrp shortcut
     ip nhrp redirect
     ip tcp adjust-mss 1360
     load-interval 30
     keepalive 10 3
     tunnel source GigabitEthernet0
     tunnel mode gre multipoint ipv6
     tunnel key 2
     tunnel protection ipsec profile My-profile-v6 shared

    Kind regards

    Thomas

    Thomas,

    Interesting design. I understand that you are testing this with a dual-stack spoke?

    I would suggest a few things:

    (1) Absolutely remove "keepalive 10 3" from the interfaces (with tunnel protection!)

    It is not supported.

    (2) You say 'shared' on the profiles, but in fact you do NOT share the profile; that is, you use two different profiles.

    That seems strange. Here are my suggestions:

    (a) either use the same profile for both the IPv6 and IPv4 tunnels, OR

    (b) use two separate profiles with different transform sets for the two profiles (i.e. try to use 3des instead of AES, since it is a lab test).

    I can't find the reference at the moment, but I think that option number 2 might be what you're looking for.

    M.

  • Tunnel VPN site to Site with DDNS

    I have a hub site that has a static ip address and a remote site with DDNS.  I am building a Site to Site tunnel between them, I can do this with the static ip address, but when he changes the tunnel breaks down, so I need a way to the ASA to know when this ip address changes.  How can I do this?

    Thank you

    To my knowledge, DDNS for VPN is supported only on IOS routers, not on the ASA.

    If you use an ASA at the headend, you may need to use EasyVPN

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080912cfd.shtml

    EasyVPN VPN must be started from the remote site.

  • The configuration of the coast DMVPN speaks with higher bandwidth for traffic shaping

    Dear all,

    We have the unusual situation that our DMVPN spoke sites have a higher bandwidth (33 Mbps) than our DMVPN hub site.

    Therefore, we must apply traffic shaping to 10 Mbps on the tunnel interface on the spoke.

    The following link describes only how to do shaping at the hub end, but not at the spoke site end:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_per_tunnel_qos.PDF

    How do we proceed with this on the spoke router?

    Will creating a service policy and then applying it to the tunnel interface do the job? Will shaping happen before or after encrypting the traffic?

    And then would we need to increase the replay window size from 1024 to something more?

    Would the following example work? We would apply the outbound policy to the Tunnel interface:

    class-map match-any CLASS_ANY
     match any 
    policy-map POLICY_SHAPE10MEG
     class CLASS_ANY
      shape average 10000000

    interface Tunnel 0
    service-policy output POLICY_SHAPE10MEG

    Thanks for your help,

    Thorsten

    I see on the hub strategy is applied successfully on the tunnel. The political POL_SHAPE10MEG is applied on the tunnel you wanted, this way the rays won't be able to consume even if the bandwidth of the hub it has higher bandwidth.

  • tunnel upward but not ping of the asa inside interface

    Dear all

    I am establishing a tunnel vpn between cisco asa 5510 and a cisco router. The tunnel is up, and I can ping both cryptographic interfaces. Also, from the console of the asa I can ping to the router lan interface but the router I can not ping the lan interface of the asa, this message appears in the log

    %ASA-3-713042: IKE Initiator unable to find policy: Intf liaison_BLR, Src: 128.223.125.232, Dst: 129.223.123.234

    Here is the config of the equipment.

    I was able to successfully establish an ipsec with an another ROUTER 1841 tunnel. I have 1 hub site and 3 remotes sites with asa as a hub.

    Help, please.

    Your crypto ACLs are not matching. They must be exact mirrors of each other.

    In addition, you can consider setting the security levels for the interfaces. They are all at 0. Set the internal/private ones to a higher value.

    Let me know how it goes.

    PS. If you find this article useful, please note it.
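A way to check the "exact mirror" requirement from the answer above (and from the DMZ answer earlier on this page) before the ACLs go onto the devices. This is an added example, not code from the thread; it assumes ASA-style `access-list NAME extended permit ip SRC MASK DST MASK` lines on both peers, and the ACL names and subnets are constructed.

```python
import ipaddress

# Constructed sample configs: the hub protects LAN and DMZ towards site 1,
# but site 1 only lists the hub LAN, so DMZ traffic never matches on site 1.
HQ_CONFIG = """
access-list to-site1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list to-site1 extended permit ip 172.16.5.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
SITE1_CONFIG = """
access-list to-hq extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

def parse_crypto_acl(config, acl_name):
    """Return the set of (source, destination) networks permitted by one ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        # Only the simple network-to-network form is handled here.
        if len(tok) != 9 or tok[:2] != ["access-list", acl_name]:
            continue
        if tok[2:5] != ["extended", "permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
        dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Compare the remote ACL with the mirror image of the local ACL.

    Returns (missing_on_remote, extra_on_remote), each a sorted list of
    (source, destination) pairs as they would appear on the remote peer.
    """
    expected_remote = {(dst, src) for src, dst in local_pairs}
    missing = sorted(expected_remote - remote_pairs, key=str)
    extra = sorted(remote_pairs - expected_remote, key=str)
    return missing, extra

if __name__ == "__main__":
    hq = parse_crypto_acl(HQ_CONFIG, "to-site1")
    site1 = parse_crypto_acl(SITE1_CONFIG, "to-hq")
    missing, extra = mirror_mismatches(hq, site1)
    for src, dst in missing:
        print(f"site1 is missing: permit ip {src} {dst}")
    for src, dst in extra:
        print(f"site1 has no counterpart on HQ for: permit ip {src} {dst}")
```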

  • Spoke-to-spoke VPN without GRE

    Our current VPN is based on IPsec, with several SOHO sites connecting to the company via IPsec tunnels.  The routers at these sites are not GRE-capable.  However, we would still like to have connectivity between the spoke sites, using the company site as a routing hub.

    The only thing I've tried is to use larger subnets in the ACLs that define interesting traffic, but it did not work.  I also tried messing with statics, with no luck.

    Is that going to be possible?

    Thank you
    Diego

    Hi Diego,.

    The spokes should have a route to reach the other spokes (I guess that the hub already has all the routes to reach the spokes). Then, as you say, the crypto ACLs on the spokes and the hub router must match the spoke-to-spoke traffic.

    In this case, it should work, but the hub will decrypt and encrypt the packet again, so be careful with the impact on performance.

    HTH

    Laurent.

  • Crypto ACL question

    Hello

    I have a hub-and-spoke IPsec VPN topology using a Cisco ASA as the hub and PIX 506e units as the spokes.

    Two of the spokes also have an IPsec VPN between them.

    The hub site connects to a WAN.

    The two spoke sites have the following ranges:

    Spoke 1 = 10.154.10.0/24

    Spoke 2 = 10.156.10.0/24

    Hub site = 10.8.0.0/24, but it also connects to all other addresses in the range 10.0.0.0/8 through a back-end WAN connection.

    I was looking for a 'nice' way to configure the crypto ACLs so that the traffic between spokes 1 and 2 would be direct, and everything else in 10 would go through the hub site, rather than trying to spell out all the subnets in 10.0.0.0/8 except 10.156.10.0/24 & 10.154.10.0/24 in an ACL.

    If I order the crypto maps on the spoke so that the most specific is first (for example, the spoke-to-spoke map), and a crypto map to 10.0.0.0/8 for the hub is second, would it work?

    So on spoke 1:

    !
    access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0
    access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0
    !
    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address to-spoke-2
    crypto map outside_map 100 set peer 1.2.3.4
    crypto map outside_map 100 set transform-set standard
    crypto map outside_map 200 ipsec-isakmp
    crypto map outside_map 200 match address to-hub
    crypto map outside_map 200 set peer 8.9.10.11
    crypto map outside_map 200 set transform-set standard
    !

    Any thoughts?

    Yes, reject the order is absolutely supported. Well... I forgot about 'decline' crypto ACL
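The ordering question above, and the overlapping 0.0.0.0/0 and 10.10.0.0/16 tunnels in the earlier thread, both come down to how a crypto map set is walked. The following is an added example, not code from either thread: a small model that assumes entries are tried in ascending sequence number, a `permit` match selects that entry's peer, and a `deny` match skips to the next entry. The spoke 1 subnets, sequence numbers and peers are taken from the post; the overlap map's peers and the test hosts are constructed.

```python
import ipaddress

# Spoke 1 map from the post: specific spoke-to-spoke entry first, hub catch-all second.
SPOKE1_MAP = [
    {"seq": 100, "peer": "1.2.3.4",
     "acl": [("permit", "10.154.10.0/24", "10.156.10.0/24")]},
    {"seq": 200, "peer": "8.9.10.11",
     "acl": [("permit", "10.154.10.0/24", "10.0.0.0/8")]},
]

# Same entries with the hub catch-all given the lower sequence number.
MISORDERED_MAP = [
    {"seq": 50, "peer": "8.9.10.11",
     "acl": [("permit", "10.154.10.0/24", "10.0.0.0/8")]},
    {"seq": 100, "peer": "1.2.3.4",
     "acl": [("permit", "10.154.10.0/24", "10.156.10.0/24")]},
]

# Overlap case: a deny on top of the 0.0.0.0/0 ACL pushes 10.10.0.0/16
# down to the second tunnel. Peer addresses are constructed placeholders.
OVERLAP_MAP = [
    {"seq": 10, "peer": "192.0.2.1",
     "acl": [("deny", "0.0.0.0/0", "10.10.0.0/16"),
             ("permit", "0.0.0.0/0", "0.0.0.0/0")]},
    {"seq": 20, "peer": "198.51.100.1",
     "acl": [("permit", "0.0.0.0/0", "10.10.0.0/16")]},
]

def ace_matches(ace, src, dst):
    """True if the packet's source and destination fall inside the ACE's networks."""
    _, src_net, dst_net = ace
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net))

def select_peer(crypto_map, src, dst):
    """Return (sequence, peer) of the entry that would protect src -> dst, or None."""
    for entry in sorted(crypto_map, key=lambda e: e["seq"]):
        for ace in entry["acl"]:
            if ace_matches(ace, src, dst):
                if ace[0] == "permit":
                    return entry["seq"], entry["peer"]
                break  # deny: stop reading this ACL, fall through to the next entry
    return None  # not interesting traffic for any entry

if __name__ == "__main__":
    print(select_peer(SPOKE1_MAP, "10.154.10.5", "10.156.10.7"))
    print(select_peer(MISORDERED_MAP, "10.154.10.5", "10.156.10.7"))
    print(select_peer(OVERLAP_MAP, "192.168.50.10", "10.10.3.4"))
```

With the hub entry numbered lower than the spoke entry, spoke 2 traffic is captured by the 10.0.0.0/8 ACL and takes the hub tunnel, which is the failure the ordering is meant to avoid.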
