getXML('Security8018 alsayed@litani.gov.lbNov 10, 2009, 11:02am PSTHello<br /><br />I m imlementing a scenario like the attached diagram by connection the LAN behind ASA-1 toward network behind ASA-2 and ASA-3 using vpn<br />L2L,the tunnel is in up State between ASA-1 and ASA-2 while it didn't come up between ASA-1 and ASA-3<br /><br />I attached the the config + THE TOpology of each ASA's,so plz guid me for a working and ideal config<br /><br />10xs and Appreciate<br /><br /><br /><b>Attachment Keywords : </b> <br />1) L2L.jpg<br />2) ASA's-CONFIGs.txt<br /> L2L.jpg123438image/pjpegimage4744411/10/2014noASA's-CONFIGs.txt123439text/plaintext963511/10/2014no30 acomiskeyNov 10, 2009, 11:10am PSTThis should help. You don't want to use the same match acl for each of your tunnels. You want to split them up, 1 for each tunnel. You also don't need the icmp lines in your match acl, they won't do anything. You were also missing the nonat for the 2nd tunnel to asa 3.<br /><br />ASA - 1<br />access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 <br />access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 <br />access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 <br />access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 <br />crypto map MAP 10 match address inf<br />crypto map MAP 20 match address inf2<br /><br />ASA - 3<br />access-list inf extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 <br />access-list nonat extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 <br />crypto map MAP 10 match address inf<br />alsayed@litani.gov.lbNov 10, 2009, 11:28am PSThello<br /><br />Thanks man,u sure like this will work?<br />thanksalsayed@litani.gov.lbNov 13, 2009, 4:01am PSThello <br /> <br /> <br />okay the tunnel came up Just With Command"""sysopt connection permit-vpn""": |<br /> |<br />ciscoasa(config)# sh crypto isakmp sa <br /><br /> Active SA: 2<br /> Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)<br />Total IKE SA: 2<br /><br />1 IKE Peer: 192.1.1.10<br /> Type : L2L Role : initiator <br /> Rekey : no State : MM_ACTIVE <br />2 IKE Peer: 192.168.1.10<br /> Type : L2L Role : initiator <br /> Rekey : no State : MM_ACTIVE <br />ciscoasa(config)# <br /><br /><br /> BUT I COULDN'T ABLE TO PING FROM HOSTS BEHIND ASA-3 toward Hosts behind ASAS-1<br /><br />Pinging 10.11.11.100 with 32 bytes of data:<br /><br />Request timed out.<br />Request timed out.<br />Request timed out.<br />Request timed out.<br /><br /><br />ASA-3 access-list<br />--------------------<br />ciscoasa(config)# sh access-list <br />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<br /> alert-interval 300<br />access-list inf; 1 elements<br />access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=1) 0x83edf381 <br />access-list nonat; 1 elements<br />access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58 <br />ciscoasa(config)# <br /><br /><br />ASA-1 access-list<br />---------------------<br /><br />ciscoasa(config)# sh access-list <br />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<br /> alert-interval 300<br />access-list inf; 1 elements<br />access-list inf line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=72) 0x3e362915 <br />access-list nonat; 2 elements<br />access-list nonat line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0x1ad3390 <br />access-list nonat line 2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=0) 0x4fe97626 <br />access-list inf2; 1 elements<br />access-list inf2 line 1 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=18) 0x32f7b868 <br />ciscoasa(config)# <br /><br />Ping statistics for 10.11.11.100:<br /> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),<br /><br />Now how can i fix that Please?<br /><br />Thanks and Appreciate acomiskeyNov 13, 2009, 5:43am PSTCan you post the whole configs?alsayed@litani.gov.lbNov 17, 2009, 9:15am PSThello<br />freind,already attached along this post,just added ur suggestion<br /> sicard.jcNov 17, 2009, 8:37am PSTHi, <br /><br />We're deploying webvpn (with secure desktop) on 5520's. The bulk of it is working but I have a few questions:<br /><br />(This is on 8.2.1, CSD 3.4.2048)<br /><br />1- When I connect to the webvpn with a specific browser (IE or firefox), once secure desktop loads, it doesn't always open the login page with the same browser that was used initially. It seems like CSD may be using the default browser instead of the browser used to connect to the webvpn. Is this the designed behavior? <br /><br />2- We have an issue where when users start a RDP session with the RDP activex: the activex starts but sometimes stays in the "loading..." status. If you do a simple page reload, it goes through. Anyone seen this?<br /><br />3- Again, with the RDP ActiveX: is the activex downloaded from the ASA or is invoked from the local machine? If it is downloaded, can it be updated somewhere in the ASA?<br /><br /><br />Thanks,<br /><br />JC<br /> sfanayeiNov 17, 2009, 5:29am PSTHi<br />Is it possible to connect win7 integrated vpn client to connect to Cisco Concentrator using L2TP, PP2P, ipsec or L2TP over ipsec? Many tanks in advance!<br />Sfanayei 30 mopaulNov 17, 2009, 7:03am PSTHi ,<br /><br />To the best of my knowledge you should be able to connect , L2tp , l2tp/ipsec and PPTP client from Win 7 to the Concentrator.<br /><br />You can use PPTP on the Concentrator , with CHAP, MSCHAPV1 AND VERSION 2 authentication protocols.<br /><br />In the base group , under General tab,you can select which tunnel protocols are allowed.<br /><br /><br />Tunneling Protocols <br />PPTP<br />L2TP<br />IPSec<br />L2TP over IPSec<br />WebVPN<br /><br />Hope this helps.<br /><br /><br />Regards<br />M<br /> mopaulNov 17, 2009, 8:01am PSTHi ,<br /><br />To the best of my knowledge you should be able to connect , L2tp , l2tp/ipsec and PPTP client from Win 7 to the Concentrator.<br /><br />You can use PPTP on the Concentrator , with CHAP, MSCHAPV1 AND VERSION 2 authentication protocols.<br /><br />In the base group , under General tab,you can select which tunnel protocols are allowed.<br /><br /><br />Tunneling Protocols <br />PPTP<br />L2TP<br />IPSec<br />L2TP over IPSec<br />WebVPN<br /><br />Hope this helps.<br /><br /><br />Regards<br />M<br /> sfanayeiNov 17, 2009, 5:35am PSTCan I use Cisco AnyConnect VPN to connect to Cisco's vpn Concentrator?<br /><br />Tanks a lot!<br /><br />Sfanayei 30 topulaNov 17, 2009, 7:40am PSTAnyConnect is only supported on the ASA and IOS platforms. There is a legacy SSL VPN client available for the 3k but it does not support 64-bit operating systems.htcesh@htc.netOct 30, 2009, 9:04am PSTHello all,<br /><br />I have successfully setup my ASA 5510 to accept L2TP connections from the built in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA. (Ex. username@tunnelgroup) My tunnelgroups are setup using pre-shared keys and so far I have had no luck in accomplishing this. When I do a debug on the connection is always defaults to the DefaultRAGroup even though I specify a group using the username@tunnelgroup format on the client.<br /><br />Can what I am trying to do even be done and if so how? Any suggestions are more than welcomed!<br /><br /> 30 vpanciscoNov 17, 2009, 2:03am PSThello<br /><br />i'm fighting against the same probleme<br />did you resolve it ??htcesh@htc.netNov 17, 2009, 6:37am PSTUnfortunately, I have not. I have went to relying more on the Cisco VPN Client and traditional IPSEC methods. I would love to find a solution though. vpanciscoNov 17, 2009, 7:07am PSTall right thanks ! ribin.jonesNov 12, 2009, 7:18pm PSTHi,<br /><br />Could someone explain me the steps in configuring remote VPN in Cisco C870 router? I already have two site to site VPN's configured in the same router.<br /><br />Thanks for any help,<br /><br />Ribin 30 ribin.jonesNov 12, 2009, 7:39pm PSTInfact, it is 871 router. ribin.jonesNov 17, 2009, 5:11am PSTAny help, please....linyuxingNov 17, 2009, 7:02am PSTConfiguring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml')">http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml</A><br /><br />HTH.craig.juhasNov 17, 2009, 6:06am PSTHi All,<br /><br />I have a user who is responsible for our security software in the US office. He connects to the Pelco security cameras in the office using the DVR5100 Remote Client. He has asked if it is possible to connect while he is at home when he's using the Cisco VPN Client as at the moment it doesn't work. <br /><br />From what I've read up on it so far it appears to have its own virtual adaptor on the Windows machine when it's installed. My opinion is it won't work as the Cisco VPN Client will not tunnel traffic for it. Has anyone had any experience with this in the past and got it to work? ribin.jonesNov 17, 2009, 5:14am PSTCould some one explain me the basic concept of PFS (Perfect Forward Secrecy)?<br /><br />I do have some VPN's configured in my router with no PFS. What is the extra security feature that PFS provide?<br /><br />Thanks in advance,<br /><br />Ribin 30 andrew.prince@monster.comNov 17, 2009, 5:17am PSTRead the below link:-<br /><br /><A HREF="javascript:newWin('http://en.wikipedia.org/wiki/Perfect_forward_secrecy')">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</A><br /><br />HTH> ribin.jonesNov 17, 2009, 5:20am PSTI did read that link. Any simple/easily understanding explanation is appreciated.<br /><br />Regards,<br /><br />Ribin andrew.prince@monster.comNov 17, 2009, 5:26am PSTDo you know what the Diffie-Hellman key exchange is? ribin.jonesNov 17, 2009, 5:35am PSTYea, I got some basic idea from <A HREF="javascript:newWin('http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange')">http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange</A>.<br /><br />- Ribin andrew.prince@monster.comNov 17, 2009, 5:38am PSTOK - so PFS does NOT use any of the information from the previously negotiated key. <br /><br />They negotiate and generate a completly new key for the session when the previous key expires. ribin.jonesNov 17, 2009, 5:45am PSTOK. So, during the configuration, we need to specify a key once (which will be used for the first negotiation only) and thereafter both the peers will use another key generated using Diffie-Helman? andrew.prince@monster.comNov 17, 2009, 5:55am PSTNo - You need to read the wikipedia on Diffie-Hellman again.<br /><br /><A HREF="javascript:newWin('http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange')">http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange</A><br /><br />Once you understand that - you will understand PFS. karamalomariNov 17, 2009, 1:41am PSTI have setup a Remote VPN connection and its working fine but after establishing the VPN connection i cant access any of the internal server and folders so any help will be appreciated. 30 mopaulNov 17, 2009, 5:09am PSTHi,<br /><br />Client connects fine but can't access the internal resources behind the ASA.<br /><br /><br />$$ Assuming clients are terminating on ASA/PIX $$<br /><br />Try this :-<br />crypto isakmp nat-t 20<br /><br />Also , check if you have a NAT 0 statement for the interesting VPN traffic.<br /><br /><br />Regards<br />M zealandcareNov 17, 2009, 3:57am PSTHi There<br /><br />We have a strange problem with our L2L connection.<br /><br />The tunnel is up and I can ping fine though the tunnel, but if I make a simple telnet to a port I get one or two timeouts in my ping every time there is made a connection.<br />In the VPN consentrator log i can see that Received Packets Dropped increase for every ping timeout I have.<br /><br />Users on this tunnel often get disconnected in their applications.<br /><br />Its only though the tunnel we have the problem, if I use a software vpn client to connect to the pix or to the vpn 3005 we dont have the problem.<br /><br />Anyone who have seen this error before?<br /><br />Regards<br />Martin<br /> ronshusterNov 11, 2009, 7:06am PSTWe need to establish a site to site ipsec vpn tunnel between sites. However there is a major overlap of internal private segments, ie. we both have 192.168.x.x, 10.1.1.0 etc.<br /><br />how can this be resolved? 30 collin_clarkNov 11, 2009, 7:25am PSTYou'll have to NAT one side. Check the Information paragraph for some important restrictions.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml</A><br /><br />Hope that helps. cisco24x7Nov 14, 2009, 8:26am PSTThat is NOT correct. You need to NAT on both sides. NAT just on one side will NOT work. Let me give you an example:<br /><br />LAN_A=192.168.1.0/24 <br />LAN_B=192.168.1.0/24 <br /><br />requirements: establish IPSec VPN between LAN_A and LAN_B<br /><br />As you can see, in this scenario, you need to NAT on both sides, assuming you want bi-directional traffics between LAN_A and LAN_B. Here is how the traffics flow look like:<br /><br />LAN_A ---> LAN_B: In this scenario, when traffics leaving LAN_A going to LAN_B, you want to NAT the source of LAN_A from 192.168.1.0/24 to 10.1.0.0/24 but you also want to say that the destination to 10.1.1.0/24. Traffics will flow from LAN_A to LAN_B.<br /><br />When traffics get to LAN_B, LAN_B will see the source of 10.1.0.0/24 for destination of 10.1.1.0/24. At this point, you want to keep the source address of 10.1.0.0/24 but you want to translate the destination of 10.1.1.0/24 back to 192.168.1.0/24. Traffics get to the destination of 192.168.1.0/24 without any issues.<br /><br />LAN_B ---> LAN_A:<br />In this scenario, when traffics leaving LAN_B going to LAN_A, you want to NAT the source of LAN_A from 192.168.1.0/24 to 10.1.1.0/24 but you also want to specifiy the destination to 10.1.0.0/24. Traffics will flow from LAN_B to LAN_A.<br /><br />When traffics get to LAN_A, LAN_A will see the source of 10.1.1.0/24 for destination of 10.1.0.0/24. At this point, you want to keep the source address of 10.1.1.0/24 but you want to translate the destination of 10.1.0.0/24 back to 192.168.1.0/24. Traffics get to the destination of 192.168.1.0/24 without any issues.<br /><br />On LAN_B, it will see the source traffics of 10.1.0.0/24 and on LAN_A, it will see the source traffics as 10.1.1.0/24. That's how you get around overlapping network, by NAT'ing<br />on both sides.<br /><br />NAT on Cisco ASA is quite confusing due to the security level on the interface and you have to be extremely careful about this or you will cause an outtage. <br />Working with NAT like this on Checkpoint firewall, IMHO, is a bit more intuitive because of the UI and object-based firewall.<br /><br />Hope this will help you resolve your issue. Good luck !!! collin_clarkNov 16, 2009, 6:26am PSTPerhaps you should focus on the Checkpoint and Linux forums instead of bashing this one. mopaulNov 16, 2009, 7:28pm PSTHi,<br /><br />Just to add what Collin and cisco24x7 had said, To achieve this we need to do DUAL NAT on ASA(assuming you have ASA/PIX) rather doing just source NAT. Either of the VPN terminating end device can handle NAT which will take care of both Source and Destination NAT for VPN traffic , i.e NAT for the originating traffic and NAT for the decrypted packet resp.<br /><br />For ASA/PIX on either end of the tunnel , please refer the document below:-<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml')">http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml</A><br /><br />If you have Cisco routers this might help<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml')">http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml</A><br /><br />Hope this helps.<br /><br />Regards<br />M sarat1317Nov 16, 2009, 2:10pm PSTHello<br />I am trying to configure active/standby stateful failover setup. Here are my sh ver outputs on the pix units<br /><br />Active PIX (PIX1)<br /><br />sh ver<br />Cisco PIX Security Appliance Software Version 8.0(4) <br />Compiled on Thu 07-Aug-08 19:42 by builders<br />System image file is "flash:/image.bin"<br />Config file at boot was "startup-config"<br />pixfirewall up 5 mins 44 secs<br />Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz<br />Flash E28F128J3 @ 0xfff00000, 16MB<br />BIOS Flash AM29F400B @ 0xfffd8000, 32KB<br />Encryption hardware device : VAC+ (Crypto5823 revision 0x1)<br /> 0: Ext: Ethernet0 : address is 000d.ede9.97a7, irq 10<br /> 1: Ext: Ethernet1 : address is 000d.ede9.97a8, irq 11<br />Licensed features for this platform:<br />Maximum Physical Interfaces : 6 <br />Maximum VLANs : 25 <br />Inside Hosts : Unlimited <br />Failover : Active/Active<br />VPN-DES : Enabled <br />VPN-3DES-AES : Disabled <br />Cut-through Proxy : Enabled <br />Guards : Enabled <br />URL Filtering : Enabled <br />Security Contexts : 2 <br />GTP/GPRS : Disabled <br />VPN Peers : Unlimited <br />This platform has an Unrestricted (UR) license.<br />Serial Number: 807421244<br />Running Activation Key: yyyyyyyyyyyyyyyyyyyyyyy<br />Configuration has not been modified since last system restart.<br /><br />----------------------------------------------------------------------------<br />Failover PIX (PIX2)<br /><br />sh ver<br />Cisco PIX Firewall Version 6.3(1)<br />Cisco PIX Device Manager Version 3.0(1)<br />Compiled on Wed 19-Mar-03 11:49 by morlee<br />pixfirewall up 33 secs<br />Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz<br />Flash E28F128J3 @ 0x300, 16MB<br />BIOS Flash AM29F400B @ 0xfffd8000, 32KB<br />Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5<br />0: ethernet0: address is 000c.30f8.be67, irq 10<br />1: ethernet1: address is 000c.30f8.be68, irq 11<br />2: ethernet2: address is 0002.b3b3.d806, irq 5<br />Licensed Features:<br />Failover: Enabled<br />VPN-DES: Enabled<br />VPN-3DES-AES: Enabled<br />Maximum Interfaces: 6<br />Cut-through Proxy: Enabled<br />Guards: Enabled<br />URL-filtering: Enabled<br />Inside Hosts: Unlimited<br />Throughput: Unlimited<br />IKE peers: Unlimited<br />This PIX has a Failover Only (FO) license.<br />Serial Number: 807101050 (0x301b627a)<br />Running Activation Key: xxxxxxxxxxxxxxxxxxxxxx<br />Configuration last modified by enable_15 at 18:54:58.390 UTC Mon Nov 9 2009<br /><br /><br />I see that I need to take care of the below before the upgrade<br /><br />Upgrade PIX2 to 8.0(4) version to match PIX1 (6.3 -> 7.2 -> 8.0(4)<br />Upgrade ASDM to 6.1 (5) on PIX and PIX2<br />Upgrade to 128 MB RAM on both PIX1 and PIX2 (I believe I have to remove 64MB and add to 128MB stick). Please confirm<br />Add additional interface on PIX1 for LAN based failover PIX-515-MEM-128= and also use the same interface for stateful failover - Can I use this way with v8.0. I read that I cannot use the same interface in v7.0<br />Get 3DES key from Cisco website on PIX1<br /><br />Please advise if I am missing any. <br /><br />I tried to upgrade the PIX2 from 6.3 to 7.2 using copy tftp command. I configured a static IP on eth0 int and on my laptop but I am not able to ping these. Is there any other way on failover firewall to upgarde the firmware?<br /><br /><br /><br /><br /><br /> rsalomon@microstrat.comNov 16, 2009, 12:20pm PSTI need to know if the Cisco 3000 VPN client works with Red Hat Linux 5.3 or SLES 10<br /><br /> 30 hdashnauNov 16, 2009, 12:57pm PSTThe cisco vpn client version 5.x supports RedHat Version 6.2 or later Linux (Intel), or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later<br /><br />Note The VPN Client does not support SMP (multiprocessor) or 64-bit processor kernels. <br /><br />From:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1024664')">http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1024664</A>harthartster09Nov 6, 2009, 11:24am PSTHi,<br />Is Cisco going to discontinue support for IPSec vpn client and support only Annyconect VPN client? <br />What client is best for remote access?<br />Headend device is ASA 5510.<br /> 30 hdashnauNov 6, 2009, 12:01pm PSTWe haven't End of Life (EOL) the 4.8.x and 5.X IPSec VPN Clients yet. <br /><br />Both IPSec and AnyConnect can be used for remote access on an ASA 5510. From a network administrator perspective, I would take into consideration the following: <br />"Q. Does Cisco provide a VPN Client for Windows Vista?<br /><br />A. Cisco VPN Client Version 5 is available for 32-bit Windows Vista. There are no current plans to provide 64-bit support for the Cisco VPN Client but 64-bit support is available for the Cisco AnyConnect VPN Client."<br /><br />From:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_qanda_item09186a00801c2dbe.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_qanda_item09186a00801c2dbe.shtml</A><br /><br />Which is better in terms of security depends on who you ask. Googling for "ipsec vs. ssl" turns up a lot of interesting hits.<br />harthartster09Nov 6, 2009, 2:02pm PSTThanks for the reply. Do you know any means of massive deployment of IPSec client on workstations (XP, Vista, Windows 7 - all 32-bit)?<br />MS Active Directory?vpnhaus_SFNov 16, 2009, 11:58am PSTHartharster09, <br /><br />Have you looked in NCP Secure Enterprise Solution? User data can be imported from existing directory services, including MS Active Directory. It is also compatible with all the operating systems you've listed (and 64 bit). Here is additional information: <A HREF="javascript:newWin('http://www.ncp-e.com/en/solutions/vpn-products/secure-enterprise-solution/secure-enterprise-management.html')">http://www.ncp-e.com/en/solutions/vpn-products/secure-enterprise-solution/secure-enterprise-management.html</A> <br /><br />If you want additional information leave me your contact details and I can have NCP contact you. <br /><br />Hope this helps! <br />linyuxingNov 13, 2009, 1:05pm PSTHi,<br />I am having a problem on VPN routing.<br />The VPN client is connected to ASA5510 properly but can't access the inside network of ASA and Internet either. What I want to reach is,<br />PC@Internet -> ASA5520(Public IP's) -> Inside(172.16.1.0)<br /><br />The VPN address pool is using 172.168.10.0 (I also tried 172.16.1.100-120 with same network of inside).<br /><br /><br /><br />interface GigabitEthernet0/0<br /> nameif outside<br /> security-level 0<br /> ip address a.a.a.a 255.255.255.0<br />!<br />interface GigabitEthernet0/1<br /> nameif inside<br /> security-level 100<br /> ip address 172.16.1.1 255.255.255.0 <br /><br /><br />ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0<br /><br />access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0<br /><br /><br />nat (inside) 0 access-list inside_nat0_outbound<br />nat (inside) 1 0.0.0.0 0.0.0.0<br /><br />crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <br />crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac <br />crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac <br />crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac <br />crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac <br />crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac <br />crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac <br />crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac <br />crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac <br />crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac <br />crypto ipsec security-association lifetime seconds 28800<br />crypto ipsec security-association lifetime kilobytes 4608000<br />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1<br />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<br />crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<br />crypto map outside_map interface outside<br />crypto isakmp enable outside<br />crypto isakmp policy 10<br /> authentication pre-share<br /> encryption 3des<br /> hash sha<br /> group 2<br /> lifetime 86400<br /><br />group-policy VPNstaff internal<br />group-policy VPNstaff attributes<br /> dns-server value 4.2.2.2<br /> vpn-tunnel-protocol IPSec <br /><br />tunnel-group VPNstaff type remote-access<br />tunnel-group VPNstaff general-attributes<br /> address-pool vpnpool<br /> default-group-policy VPNstaff<br />tunnel-group VPNstaff ipsec-attributes<br /> pre-shared-key *<br /> 30 hdashnauNov 13, 2009, 1:46pm PSTYour VPN pool in this config is 192.168.10.1-192.168.10.254 mask 255.255.255.0 <br />-Make sure your internal routers (behind the ASA) route the traffic for 192.168.10.x/24 back towards the ASA.<br />-Do "show run access-group" on the ASA and make sure you aren't blocking the traffic in an access-list<br /><br />To reach the Internet while connected you need to configure split tunneling or outside nat...<br /><br />Split:<br /><br />access-list split permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0<br /><br />group-policy VPNstaff attributes<br /> split-tunnel-policy tunnelspecified<br /> split-tunnel-network split<br /><br />*Also consider enabling an internal dns server and split-dns<br /> dns-server value x.x.x.x<br /> split-dns value internaldomain.com<br /><br />(and confirm if you have trouble reaching by ip and hostname)<br /><br />or <br /><br />Outside nat:<br /><br />nat (outside) 1 192.168.10.0 255.255.255.0<br /><br />same-security-traffic permit intra-interface<br /><br /><br />-heather<br />linyuxingNov 13, 2009, 8:56pm PST<br />ciscoasa# sh run access-group <br />access-group Outside in interface outside<br />access-group Inside in interface inside<br /><br />I even added permit ip any any in my earlier test.<br /><br />when I show the route in the VPN client PC, the gateway is 192.168.10.2 if i use 192.168.10.0/24 as VPN pool.<br />While I used the IP's of 172.16.1.0, the gateway IP's is the inside interface of ASA but I can't reach any other hosts.<br /><br />I don't have other route behind this ASA now. All the hosts i want to reach from VPN client are connected to inside network. Do I need to add a route for 192.168.10.0/24? or I can use the spare iP's from inside network?<br />Thank you.<br /> mopaulNov 14, 2009, 8:28pm PSTHi ,<br /><br />As a quick test , try this .<br /><br />-Turn ON nat-t (if its disable)<br />Command : crypto isakmp nat-traversal 20<br /><br />see if it helps.<br /><br />If not,<br />-Run a continous ping from the client to the ASA inside interface, Make sure you execute the command " management-access inside" before you start with ping .<br /><br />-Time our or ICMP REPLY from inside interface ..?<br /><br />If Time out , then,<br />-Check the number of decrypts using the command " show crypto ipsec sa "<br /><br />If ICMP reply from inside interface is recieved by VPN client.<br /><br />-Run a ping to an internal host behind the ASA.<br />-"Show crypto ipsec sa "<br />IF you have received replies if first test then here you should see decrypts growing in number.<br />-Apply captures on inside interface<br />You can refer the document below<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml')">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml</A><br /><br />-If you see packet with source as VPN client interface reaching the inside interface for the destination of host behind the ASA, then its an issue with your internal routing.<br /><br />In case you have a L3 device connected to the ASA inside interface , make sure you have a route for 192.168.1.x subnet pointing GW as ASA inside interface i.e 172.16.1.1<br />If its L2 or a dumb device , then as a quic test , put the follwoing route statement using the windows command line on the host behind the asa taking part in this test.<br /><br />route add 192.168.1.0 mask 255.255.255.0 172.16.1.1<br /><br />Please do let me know if this helps.<br /><br />Regards<br />MlinyuxingNov 16, 2009, 9:20am PSTIt works. Thanks a lot.<br />Another qustion I don't understand is how does ASA create the routing for VPN clients?<br />I show the route on ASA, only get<br />S 192.168.10.1 255.255.255.255 [1/0] via x.x.x.x, outside<br /><br /> mopaulNov 16, 2009, 10:47am PST<br />Glad i could help...<br /><br />To be honest with you, i may not be able to give you a right answer on this. The answer resides more in coding of IOS on Cisco devices. <br /><br />All i can say is by design ASA, learns a static route for the dynamic VPN connection when established. <br /><br />Hope this answers your question.<br /><br />Regards<br />MlinyuxingNov 16, 2009, 11:53am PSTThanks, Mohit.<br />I will try to learn it from IOS. thomas.green@cmworks.comNov 14, 2009, 6:00pm PSTWe have an new ASA 5510 configured for IPSEC remote VPN connections. Everything is working well except that telnet sessions to a business system at headquarters timeout while idle. It appears that they time out after about 2 hours. Our idle timeout is set to 4 hours in the group policy for IPSEC users. I don't see any other idle timeout setting that could possibly apply to this issue. Anyone have any ideas on what could be causing this? 30 hebaerteNov 15, 2009, 2:49am PSTThe idle timeout configured in the group-policy is for the tunnel as a whole, i.e. it will bring down the tunnel if there is no traffic for that amount of time.<br /><br />If I understand your description correctly, the problem is not that the VPN tunnel goes down, nut just a single TCP connection times out.<br /><br />ASA will normally time out TCP connection after 1 hour, so 2 hours seems strange (unless you meant that the user works for 1 hour and then is idle for 1 hour - or unless you configured the TCP timeout to be 2hrs).<br /><br />Can you do a telnet and then check "show conn long | inc x.x.x.x" where x.x.x.x is either your client (tunnel) address or the server address.<br />And/or<br />Check the syslogs, there should be a message giving a reason for the connection teardown (not at the time when the user tries to re-active the session, but somewhere before).<br /><br />hth<br />Herbert thomas.green@cmworks.comNov 16, 2009, 5:55am PSTHerbert, <br /><br />The TCP timeout is set to 2 hours and you are correct, the tunnel stays up but the telnet session is unresponsive after it has been idle for the 2 hours. I will look at the logs the next time this occurs. Anyone else? hebaerteNov 16, 2009, 6:03am PSTWell, if the TCP timeout is set to 2 hours, then that means that the ASA will time out a TCP connection that is idle for 2 hours, so this is normal behavior.<br /><br />Check this for a solution:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml')">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml</A><br /><br />hth<br />Herbert thomas.green@cmworks.comNov 16, 2009, 6:16am PSTHerbert,<br /><br />In your suggested solution in the intro, it states that "This feature is not applicable in an IPsec VPN environment." hebaerteNov 16, 2009, 7:31am PSTSorry, I hadn't looked into the doc in detail. I think it says this because in the example, a separate policy named "telnet" is created and this is applied to the outside interface. This will indeed not work for traffic entering over a VPN tunnel.<br /><br />For tunneled traffic, the global policy should be used, so something like this:<br /><br />access-list telnet extended permit tcp any any eq telnet<br /><br />class-map telnet<br /> description telnet<br /> match access-list telnet<br /><br />policy-map global_policy<br /> class telnet<br /> set connection timeout tcp 10:00:00 reset<br /><br />service-policy global_policy global jgadboisNov 15, 2009, 10:07am PSTWell, here goes...I have two T1s going to two different sites coming back to my central site. I also have two firewall devices at these sites for Internet access.<br /><br />I would like to set up two VPNs and sue the T1s as failover. It was suggested that I use OSPF as the failover routing protocol. I setup one connection using DOC ID: 63882 which describes VPN/IPSEC with OSPF and it works great. I've has several instances where the Internet went down and and the T1 kicked in and maintained connectivity with the central site. The problem seems to be it won't scale past one site to site connection.<br /><br />I then though I would try a GRE tunnel to pass OSPF to the other site but without traffic to pass the tunnel will not come up since the T1 is passing all of the traffic in its direction.<br /><br />I am using a ASA5510 at the central site and ASA5505s at the remotes. It almost looks like routers may have been a better choice.<br /><br />Can anyone help me with this? 30 collin_clarkNov 16, 2009, 6:53am PSTRouter would have been easier (IMO), you could have used DMVPN. Anyways, there are multiple configuration example for multiple tunnels. They don't all cover OSPF, but it sounds like you've got that part covered. <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml</A><br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html</A><br /><br />Hope it helps. jgadboisNov 16, 2009, 7:01am PSTI'm getting that impression that I should have gone router but my experience is mostly with firewalls and PIX/ASA. Thanks for your help. Sure wish there was something easier for ASA/PIX. But, after all, they are not routers.lukasz.tarkaNov 12, 2009, 10:08am PSTTopology<br />Branch Office:<br />Pix501 - ass hardware client<br />Lan 192.168.10.0 255.255.255.0<br /><br />HQ<br />ASA5510 - VPN Server<br />Lan 192.168.0.0 255.255.252.0<br /><br />Remote Users<br />VPN CLient 5<br />Address Pool 192.168.95.0 255.255.255.0<br /><br />Hello, i have problem with VPN tunnel for Remote Users<br /><br />I configure VPN1 and VPN2 tunnel using asdm ipsec wizzard<br /><br />First tunnel for Branch called VPN1 (tunel i sup, communication bidirectional is ok, ping, smb,rdp all working).<br /><br />Second tunnel VPN2 for remote users.<br />When user connecting to HQ using VPN Client 5, tunnel is on but client can't ping, smb, rdp local network in HQ.<br /><br />But when i ping or rdp from local computer to remote user i can.<br /><br />i attach asa config please help <br /><br /><b>Attachment Keywords : </b> <br />1) asa5510.txt<br /> asa5510.txt123532text/plaintext672311/12/2014no30 mopaulNov 14, 2009, 7:27pm PSTHi,<br />If i understood it correct , then VPN clients connect fine on ASA. but they are neither able to ping nor able to do RDP/access internal resources.<br />I have reviewed the configuration, <br />RTP- Routing , Translation and Permissions seems to be OK.<br />Can you please make sure nat-t is turned ON ?<br />If you do not see it in " sh run all | in nat-t " , then please configure <br />crypto isakmp nat-traversal 20<br />and let me know if this helps.<br /><br />If above does not help , then as a next step troubleshooting:-<br /><br />Assuming that inside interface is a part of interesting traffic for VPN client.<br />-Turn on management-access inside<br />-Apply captures on inside interface of ASA.<br />-Run a continous ping from client to ASA's inside interface.<br />-Check the output for "show crypto ipsec sa", let me know if you see decrypts there.<br />-Also, reply with capture output taken on inside interface.<br />-output for show vpn-sessiondb remote.<br /><br />You can refer the following document link to apply captures,<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml')">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml</A><br /><br />Regards<br />Moh<br /><br />lukasz.tarkaNov 16, 2009, 12:38am PSTTHX for your help, ASA configuration is OK, fortigate drop all packets mopaulNov 16, 2009, 4:59am PSTOK. gwidloecherNov 13, 2009, 5:16am PSTHello,<br /><br />We are running WebVPN on a VPN 3005 version 4.1.7.R. Every thing was correct until the installation of the last release of JAVA 6 Standard Edition on the client side (Windows XP).<br /><br />This last version of JAVA is 1.6.0-17<br />and when we try to activate the port forwarding (Start Application Access), it fails and the JAVA log displays the following error message :<br /><br />algorithm check failed: MD2withRSA is disabled<br /><br />In the release notes of JAVA 1.6.0.-17, we found that they "disable MD2 in certificate chain validation" (certainly to follow CVE-2009-2049).<br /><br />Has anyone found a solution to circumvent this issue (except to go back to a previous version like 1.6.0-16)<br /><br />Best regards,<br />Guy Widloecher 30 hebaerteNov 15, 2009, 2:59am PSTHello Guy,<br /><br />I've never seen this problem before, but from what you're telling us it seems that the VPN3k is using a certificate that uses MD2 (a hashing algorithm that is not secure, which is why the newest Java disables certificate checking when MD2 is used).<br /><br />So the solution would be to install a new SSL server certificate that does not use MD2 but uses MD5 or SHA.<br /><br />It's also possible that MD2 also used in the CA cert (or in any of the intermediary CA certs if you have a hierarchical PKI infrastructure). In that case you'll need to get a new CA certificate (chain) as well.<br /><br />hth<br />Herbert gwidloecherNov 16, 2009, 4:29am PSTHello Herbert,<br /><br />Thank you for your help but I don't think it's the right way : I checked the SSL certificate and the CA certificate (there is no intermediary CA certificate), they don't use MD2 (they use MD5).<br /><br />Best regards,<br />Guy WidloecherDenverkenNov 14, 2009, 9:00am PSTWork install VPN Client 5.0.03.0560 in my laptop and it worked once and now it is coming back with Failure to enable Virtual Adapter. Any suggestions of why and how to fix it? 30 mopaulNov 14, 2009, 9:04pm PSTHi ,<br /><br /> "Reason 442: failed to enable virtual adapter" error.<br />Is it the complete error message you are seeing there while making a connection ?<br /><br />Are you on Vista ?<br />If you just said YES , then this may be you are running into...<br /><br /> The Reason 442: failed to enable virtual adapter error appears after Vista reports that a duplicate IP address is detected. Subsequent connections fail with the same message, but Vista does not report that a duplicate IP address is detected.<br /><br />To work around error 442, do the following steps:<br /><br />Step 1 Open "Network and Sharing Center".<br /><br />Step 2 Select "Manage Network Connections".<br /><br />Step 3 Enable the Virtual Adapter ("VA"—Cisco VPN Adapter).<br /><br />Step 4 Right-click on Cisco VPN Adapter and select "Diagnose" from the context menu.<br /><br />Step 5 Select "Reset the network adapter Local Area Connection X".<br /><br />Step 6 Windows will again prompt you saying the IP configuration is still invalid, ignore this and just press Cancel.<br /><br />Step 7 Go back to the Network Connections, right-click your VPN Virtual Adapter and Disable.<br /><br />Step 8 Now open Cisco VPN, and you should be able to connect without any issues. <br /><br />The problem will reoccur every time the connection is not cleanly closed - i.e. suspend / hibernate / loss of signal. <br /><br />---------------<br /><br />If this procedure does not work, run the following command from cmd:<br /><br />reg add HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters /v ArpRetryCount /t REG_DWORD /d 0 /f<br /><br />Then reboot.<br /><br />This resolves the issue until Vista reports a duplicate IP address again. Follow the preceding steps to resolve it again.<br /><br />If that doesn't work, you might have UAC enabled. <br />If so, you must run cmd as administrator and repeat the previous registry workaround (CSCsi26106, CSCsl57566). <br /><br />Though these caveats are fixed in the version you are running i.e 5.0.03 but still we may suspect.<br /><br />Vista introduces a new feature called "Receive Window Auto-Tuning". What it does is to adjust the receive windows size continually based upon the changing network conditions.<br /><br />Some people reported that auto-tuning cause network time-out problems with some applications and routers. You can turn it off if you have experienced such problems.<br /><br />Open up an elevated command prompt.<br />Enter the following command to disable auto-tuning netsh interface tcp set global autotuninglevel=disabled If you found that this doesn't fix your problem, you can turn it back on.<br /><br />Open up an elevated command prompt.<br />Enter the following command to enable auto-tuning netsh interface tcp set global autotuninglevel=normal You can use this command to view the states of the TCP global paremeters.<br /><br />netsh interface tcp show global<br /><br />--- Additional Note: Uninstalling the Microsoft Network Monitor has proven to fix the issue in one instance <br /><br />As a last test , i would suggest to upgrade your Ipsec VPN client to latest version 5.0.06.0110 .<br /><br />Or download the client from the link below using your CCO id.<br /><br /><A HREF="javascript:newWin('http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162')">http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162</A><br /><br />Hope this helps.<br /><br />P.S: I would like to have your feedback on the above mentioned troubleshooting steps for my future troubleshooting references.<br /><br />Regards<br />MDenverkenNov 15, 2009, 9:04pm PSTThank you very much. I'm going to have to contact our IT department because my Cisco VPN connection is not there any more. I will let you know once I get them to install that connection back in my computer.skibumatbuNov 15, 2009, 9:21am PSTI obtained an 1811 router for home use. I set up 2 VPN's on it (VLAN 2 as a DMZ for my servers and VLAN 1 for everything else). I'd like to no add a IPSEC VPN server so that I can connect my Mac laptop and iphone remotely. I'd like to do it via command line since the GUI isn't reliable for me. I'm attaching my running config. Can someone help me add the necessary bits to get it to work? There is going to be a lot for me to add aaa, crypto and such. So pointers to documentation would be most helpful as well.<br /><br />Thanks,<br />Scott <br /><br /><b>Attachment Keywords : </b> <br />1) Cleaned config.rtf - running config <br /> Cleaned config.rtf123593text/rtfunknown1277511/15/2014no30jon.marshallNov 15, 2009, 2:14pm PSTScott<br /><br />Start here - <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor15')">http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor15</A><br /><br />there are quite a few example specfic to routers and Cisco VPN client.<br /><br />Jonaz.obioraSep 25, 2009, 9:25pm PSTHi there experts,<br /><br />I am having an issue with the ez vpn that i configured on the 2811 we just newly bought. Actually the thing is that i fully configured it ie ezvpn. It does work, i mean i do have my IKE phase 1 and 2 fully negotiated and it gets to the secure channels and all that it does when ever i connect with my cisco vpn client software. But the issue is that i can't access anything in my LAN i can only ping through to my LAN interface but anything beyond my lan interface i just can't. Please find below the config.<br /><br />version 12.4 <br />no service pad <br />! <br />hostname wisertr <br />! <br />boot-start-marker <br />boot system flash:c2800nm-advsecurityk9-mz.124-3g.bin <br />boot-end-marker <br />! <br />aaa new-model <br />! <br />aaa authentication login wisegroup_DB local <br />aaa authentication login wisegroupvpnclient local <br />aaa authorization exec wisegroup_DB local <br />aaa authorization network wisegroup local <br />! <br />aaa session-id common <br />! <br />resource policy <br />! <br />ip subnet-zero <br />! <br />ip cef <br />! <br />no ip bootp server <br />ip domain name wise.com<br />ip name-server 198.6.1.2 <br />ip name-server 172.16.1.252 <br />! <br />! <br />crypto isakmp policy 100 <br />encr aes <br />authentication pre-share <br />group 2 <br />crypto isakmp keepalive 20 3 <br />! <br />crypto isakmp client configuration group WISE_REM_VPN <br />key sup3rs3cr3t <br />dns 198.6.1.2 172.16.1.252 <br />wins 172.16.1.252 <br />domain wisegroupng.com <br />pool wisepool <br />save-password <br />include-local-lan <br />max-logins 5 <br />acl SPLITREMOTE<br /><br />! <br />! <br />crypto ipsec transform-set WISEREM_VPN esp-aes esp-sha-hmac <br />! <br />crypto dynamic-map WISEVPN_dynmap 10 <br />set transform-set WISEREM_VPN <br />! <br />! <br />crypto map wisemap client authentication list mrsvpnclient <br />crypto map wisemap isakmp authorization list mrsgroups <br />crypto map wisemap client configuration address respond <br />crypto map wisemap 1000 ipsec-isakmp dynamic wisevpn_dynmap <br />! <br />! <br />! <br />interface FastEthernet0/0 <br />description LAN_INT<br />ip address 172.16.1.7 255.255.255.0 <br />ip nat inside <br />duplex half <br />speed 100 <br />! <br />interface FastEthernet0/1 <br />description WAN_INT <br />ip address 217.xx.xx.xx 255.255.255.248 <br />ip nat outside <br />duplex full <br />crypto map wisemap <br />! <br />ip local pool wisepool 10.10.11.20 10.10.11.30 <br />ip classless <br />ip route 0.0.0.0 0.0.0.0 217.xx.xx.xx<br />! <br />ip nat inside source list NAT_ADDRESS interface FastEthernet0/1 overload <br />! <br />ip access-list extended NAT_ADDRESS <br /> deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255<br /> permit ip 172.16.0 0.0.0.255 any<br /><br />ip access-list ext SPLITREMOTE<br /> permit ip 172.16.1.0 0.0.0.255 any<br /><br />end <br /><br />Please i need to know what is the wrong thing i am doing that i can't reach my lan only the LAN interface of my router that i could ping from the remote system. I am having the feeling that it's a routing issue but then i can't say. I Also intend configuring a s2s vpn to with same router and interface. Please advise! 30 jorgemcseSep 26, 2009, 6:56am PSTmodify the SPLITREMOTE tunnel acl and try again, it should be as: <br /><br /><br />deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255 <br />permit ip 172.16.1.0 0.0.0.255 any az.obioraSep 27, 2009, 4:19am PSTHi Jorgemcse,<br /><br />Thank you for your response i would try it and sure do get back to you! I appreciate!<br /><br />Thanx <br />Teddyaz.obioraSep 27, 2009, 5:29pm PSTHi Jorgemcse!<br /><br />Just to let you know that i added the acl as you said still wasn't able to reach my lan. Please any other suggestions. Like i said i am able to ping across my router Lan interface but to ping beyond the router LAN interface is where the problem lies! I do appreciate you suggestion earlier and do look out for more!<br /><br />Thanx <br />Teddy hansyinNov 12, 2009, 9:48pm PSTHi, I think you should to make sure if traffic went through vpn tunnel firstly when you ping beyond the router lan interface. you can check by "show crypto ipsec sa", or even "debug ip packet acl".<br /><br />If packet already reach router through vpn tunnel and did go out, then you should check gw of pc in your lan. if not reaching router at all, you should sniffer on your vpn client, or check its route table, to see why traffic cannot go into vpn tunnel. mopaulNov 14, 2009, 8:09pm PSTHi, <br /><br />Well i am not sure why were you suggested to modify the SPLITREMOTE tunnel acl to make it as:<br />deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255 <br />permit ip 172.16.1.0 0.0.0.255 any <br /><br />With the above suggested acl you are in a way denying the tunnel traffic from client to the router.<br /><br />I have reviewed the configuration , it appears to be good. As a quick troubleshooting i would suggest this:<br /><br />ip access-list ext SPLITREMOTE <br />permit ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255 <br /><br />## By taking destination as ANY in the SPLITREMOTE you are no way splitting the tunnel traffic ##<br /><br />Assuming that client talks to the LAN interface of router through the tunnel.<br /><br />As a quick test , you can connect host to router and add a route using the Windows command prompt<br /><br />## route ADD 10.10.11.0 mask 255.255.255.0 172.16.1.7 ##<br /><br />Please do let me know how it goes...<br /><br />Regards<br />Mbennygao2009Nov 15, 2009, 1:15am PSTHi,<br /><br />I think the Splitremote Tunnel ACL should be:<br />ip access-list ext SPLITREMOTE<br />permit ip 10.10.11.0 0.0.0.255 172.16.1.0 0.0.0.255 mopaulNov 15, 2009, 6:44am PSTNo, the access-list would be with a source of 172.16.1.x and destination 10.10.11.x<br />I know why you might be thinking it the other way because it is used under the client configuration. But its<br />not that way.<br /><br />When you configure a s2s VPN tunnel, you configure ACLs for crypto on both VPN terminating end devices, which<br />are mirror image of each other.<br />For example:<br />local subnet on Site A is 10.10.11.x<br />Local Subnet on Site B is 172.16.1.x<br /><br />On Site A<br />you will specify acl as <br />10.10.11.x >>> 172.16.1.x<br /><br />On Site B , <br />172.16.1.x >>> 10.10.11.x<br /><br />Now,when you create a Dynamic Ipsec VPN .<br /><br />You create crypto ACL , ONLY on the site with Dynamic IP address for the remote site with Static ip on it.<br /><br />So, if Site B has a static public ip address of aa.aa.aa.bb and remote Site A is on dynamic ip...<br />Then a dynamic acl on site B will be created on its own when tunnel is negotiated from Site A .<br /><br />Same is the case with Remote VPNs, they are dynamic Peers, when you make a VPN connection , all attributes under<br />the client configuration are pushed to the clients, a mirror image of the ACL (i.e configured under client <br />configuration) would be learnt by the client on its end, which in turn will take the LAN subnet behind router<br />as the tunnel destination and hence you will add a route in the client's routing table.<br /><br />As a quick recreate you can configure dynamic Ipsec between 2 VPN devices and on the static end , once the VPN is up execute the command <br /><br />show crypto ipsec sa and <br /><br />you will find that your VPN device (on static ip) had learnt a VPN acl i.e reverse of what is defined on the dynamic site.<br /><br />Hope this helps.<br /><br />Regards<br />M jayhowerterNov 12, 2009, 4:36pm PSTHas anyone gotten the 871 SSL VPN to work with the AnyConnect 2.4 Client? I am using Cisco Configuration Professional to configure the SSL CPN but when I try to install the anyconnect-win-2.4.0202-k9.pkg package on the router, I get an error: "Installing or Uninstalling SSL VPN packages on USBFlash is not supported" I am trying to install this on the routers onboard flash, so I don't understand the error message. The Anyconnect client is really my only option since I am using 64-bit and the regular SSL client only supports Windows XP. Please help. Thanks 30 hebaerteNov 15, 2009, 3:04am PSTSounds like a bug, so if you are entitled to TAC access, please open a case.<br /><br />Now, sometimes the error messages are simply not correct, so it could for example mean that you do not have enough space on the flash (a common cause of anyconnect installation issues on IOS).<br /><br />Note that when you install the image, IOS will copy it to another location on the flash (flash:/webvpn/svc_1.pkg), so even though you may already have it on there, you still need enough free space to make a copy.<br />If that turns out to be the problem, then you can either: delete the image and install it directly from another location, or move/rename the pkg file to flash:/webvpn/svc_1.pkg and then install it using "webvpn install svc flash:/webvpn/svc_1.pkg"<br /><br />hth hebaerteNov 15, 2009, 5:13am PSTPlease ignore my "install directly from another location" suggestion - this won't work. So if space is the problem, use the latter suggestion.<br /><br />BTW what IOS version are you using?siddiqui.atifNov 12, 2009, 1:46pm PSTI am trying to create an IPSec tunnel between two 7606 PE routers.. getting this error, when i ping across, and also if I start using the path LDP drops down. <br /><br />Nov 12 16:32:22.801 EST: IPSEC(key_engine): request timer fired: count = 1,<br /> (identity) local= 10.10.135.1, remote= 10.10.135.2, <br /> local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4), <br /> remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)<br />Nov 12 16:32:22.801 EST: IPSEC(sa_request): ,<br /> (key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2, <br /> local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4), <br /> remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),<br /> protocol= ESP, transform= NONE (Tunnel), <br /> lifedur= 190s and 4608000kb, <br /> spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0<br />Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test<br />Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500<br />Nov 12 16:32:22.801 EST: ISAKMP: New peer created peer = 0x5326A08C peer_handle = 0x8000001A<br />Nov 12 16:32:22.801 EST: ISAKMP: Locking peer struct 0x5326A08C, refcount 1 for isakmp_initiator<br />Nov 12 16:32:22.801 EST: ISAKMP: local port 500, remote port 500<br />Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA <br />Nov 12 16:32:22.801 EST: ISAKMP: Unlocking peer struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0<br />Nov 12 16:32:22.801 EST: ISAKMP: Deleting peer node by peer_reap for 10.10.135.2: 5326A08C<br />Nov 12 16:32:22.801 EST: ISAKMP:(0):purging SA., sa=0, delme=532E8364<br />PE2#<br />Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA<br />Nov 12 16:32:22.801 EST: ISAKMP: Error while processing KMI message 0, error 2.<br />Nov 12 16:32:22.801 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)<br />PE2#<br />Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,<br /> (identity) local= 10.10.135.1, remote= 10.10.135.2, <br /> local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4), <br /> remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)<br /><br /><b>Attachment Keywords : </b> <br />1) crypt 10net.txt<br /> crypt 10net.txt123535text/plaintext176211/12/2014no30 hebaerteNov 12, 2009, 11:40pm PSTIPsec is not supported on the 6500 and 7600 series without an IPsec module (VPNSM or IPsec-SPA), sorry.siddiqui.atifNov 13, 2009, 3:16am PSTI see. what about on GSR with SIP-601 any Gige SPA will support or it? or need IPSEC SPA as well?<br /><br />Thanks, hebaerteNov 15, 2009, 2:22am PSTTo be honest I don't know (I never work with GSR) but I found this in a security advisory:<br /><br />"GSR (c12000) and CRS-1 routers running IOS-XR software support software-based IPSec for locally sourced and terminated traffic only (used mostly for routing protocols)."<br /><br />src:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html')">http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html</A><br /><br />I suppose this answers the question...<br />Herbert thomas.green@cmworks.comOct 24, 2009, 8:11am PSTWe are moving from a 3005 vpn concentrator to an ASA5510 VPN appliance. On the 3005 concentrator we are able to map drives to Microsoft server's without a problem. After logging in successfully on the ASA we attempt to map to the server's BUT we are prompted to login to get the mapped drive. Once we input the AD account and password, we get the mapped drive. We authenticate via Microsoft's IAS radius service. What am I missing?<br /><br />Thanks 30 cmcbride@perimetercenter.comOct 26, 2009, 8:51am PSTI'm not an expert on the 3005... But it should have worked the same way as the ASA VPN does regarding Windows server authentication. Meaning that it's not involved for the most part. The ASA will authenticate the connection, but won't authenticate the connecting machine to any windows server. That's the job of the windows workstation and the windows server. <br /><br />Normally if the machine is a domain machine, has cached user credentials, then it will authenticate to the destination server without prompting for credentials.... thomas.green@cmworks.comOct 26, 2009, 9:05am PSTI would have thought it would work the same way as the 3005 as well but it is not. The PC's that we have tested are part of the domain. I have tried secondary authentication via Kerbero's but I still get prompted for a login and password after radius authentication occurs.<br /> b-mcdonaldOct 28, 2009, 6:41am PSTYou need to setup Auto Sign On. Open your Group Policy, More Options, and ensure your inherit flags are off.<br /><br />Add the subnets where your authentication servers reside (eg. 10.10.10.0) and it should work.<br /><br />Cheers,<br />Brian thomas.green@cmworks.comOct 28, 2009, 7:22am PSTB-Mcdonald,<br /><br />Isn't auto sign on for Clientless SSL VPN? This problem is occurring with the Cisco IPSEC clients. thomas.green@cmworks.comNov 14, 2009, 5:52pm PSTSolution was to upgrade the ASA to version 8.0(4)32 and to add the AD DNS name to the split tunneling DNS name field. francisco_1Nov 13, 2009, 8:16am PSTI am planning to change VTP mode from server to transparent on 2 switches linked via L3. The switches also have indirect layer 2 link via trunking between 2 other switches! (sorry no diagram). VTP advertisment is via that vlan 2. Both switches exchanging vtp advertisement via vlan 2. <br /><br />Both switches also have trunking with DTP enable to other switches. My concern is chanding vtp to transparent and that affecting DTP on trunk ports to other directly connected switches!!!. i know trunking is needed for VTP but not sure if changing vtp will affect DTP!! I'm not it doesnt but the switches are in production! 30 andrew.prince@monster.comNov 14, 2009, 2:10am PSTDTP is used for the dynamic creating of trunks.<br /><br />VTP runs OVER trunks.<br /><br />Changing the VTP from server to transparent will change how the switches interact in the VTP domain.<br /><br />HTH> robert-hoNov 12, 2009, 7:13pm PSThey all, have a simple question.<br /><br />the page below indicates that it can handle up to 10 vpn connections with a base license. does it mean that we can only configure 10 vpn user/pass credentials? or, we can create, say 50 user/pass accounts, but only 10 can remote in at the same time.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html')">http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html</A><br /><br />thanks for the help.<br />-robert 30 jorgemcseNov 12, 2009, 8:22pm PSTRobert, <br /><br />That is correct.. 10 VPN connections means is the maximun concurrent vpn connections with base license.. you may create as many users in local asa database but only 10 RA VPN client sessions can be stablished, that said, this also includes L2L VPNs, say if you have 1 site to site vpn and 9 RA vpn that counts towards to total of 10 VPN sessions.<br /><br />Regards<br /> robert-hoNov 13, 2009, 10:32am PSThey jorge, thanks for the response. it is exactly what we are looking for! jorgemcseNov 13, 2009, 3:15pm PSTGlad to help.. - thanks for rating .<br /><br />Rgds<br />reginaldjohnsonNov 13, 2009, 9:32am PSTI would like to configure a VPN connection to Cisco 2811 Security IOS to a PIX 515e in a lab enviroment. I would lie to use a crossoer cable between the interfaces. i do have 2 extra router and 2 switch if there needed. I'm trying to get a bette understanding of the VPN security. 30 topulaNov 13, 2009, 11:41am PSTThere are different ways that this can be configured. Below are a few examples for your reference from CCO.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml</A><br /><br /><A HREF="javascript:newWin('https://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ab518.shtml')">https://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ab518.shtml</A><br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml</A>reginaldjohnsonNov 13, 2009, 12:15pm PSTDo suggest using a crossover cable or using a router as the cloud between the pix & router?jon.marshallNov 13, 2009, 12:18pm PSTReginald<br /><br />Personally i would use at least one of the spare routers to represent the cloud. This will actually simulate a more real world environment that just using a crossover cable and there will always be routing involved in this type of scenario in the real world.<br /><br />Joncraig.juhasNov 12, 2009, 7:10am PSTHi All,<br /><br />I've been asked to configure a Cisco router to one of our partners using a method I'm unfamiliar with. Hence I'm hoping someone from here can guide me in the right direction. Essentially the set up needs to be like this:<br /><br />At one end there is a firewall with an IP address of 123.123.123.1 (all fake IP's). This is to be the VPN termination point. Behind this firewall is a server with a private IP address of 172.16.1.1. This private IP is NAT'd to 123.123.123.2. <br /><br />Now at the other end is a VPN router with an IP address of 234.234.234.1. This is the other VPN termination point. There is another internal server with IP address of 10.0.0.1. I don't really want to create an external NAT for this internal IP address if possible. <br /><br />Essentially I need to get 172.16.1.1 and 10.0.0.1 to communicate with each other over a VPN but NOT use their IP addresses in the VPN tunnel. <br /><br />What is the best way to achieve this? Any help would be much appreciated!<br /><br />Craig 30 topulaNov 12, 2009, 2:43pm PSTYou can use NAT to hide the source IP using an Internet routable address. You will then build the crypto ACL for the tunnel based on the post-NAT IP address. I had uploaded an example using PAT at the link below but you can also use static NAT in your case.<br /><br /><A HREF="javascript:newWin('http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Network%20Management&topicID=.ee6b2ba&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40')">http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Network%20Management&topicID=.ee6b2ba&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40</A>^1%40%40.2cd3f992/2#selected_message craig.juhasNov 13, 2009, 3:04am PSTThanks for that! I'll give it a try and let you know. <br /><br />Craigcraig.juhasNov 13, 2009, 3:49am PSTI have made a variation of the attachment from the other thread. What I'm looking to achieve with this is a VPN tunnel only using a publicly NAT'd IP address. Let me know if this makes sense and more importantly if it will work!<br /><br /><b>Attachment Keywords : </b> <br />1) Sample L2L Config w NAT v2.txt<br />Sample L2L Config w NAT v2.txt123521text/plaintext183711/13/2014no topulaNov 13, 2009, 7:42am PSTThis config should do the trick for you... hansyinNov 12, 2009, 10:33pm PSTI cannot fully understand this. vpn client already know its lan subnet, although it took default network from server side by mode-cfg, it can still exclude its local lan subnet by itself for encryption. Why does it need server side to configure "include-local-lan" to enable client local lan access? <br /><br />for security? if server side don't have include-local-lan, then all traffic from client must go through vpn tunnel? I think client can still change its routing table to workaround this very easily after tunnel established.<br />Anybody can give me an idea about this? ')