getXML('Remote Access3077 marioderosa2008Nov 16, 2009, 6:51am PSTHi Guys,<br /><br />I am trying to set up my ASA 500 to authenticate remote users against our internal Domain Controllers.<br /><br />I have found a guide on the net which has advised me how to create an AAA Server group which tests out to query the servers fine.<br /><br />I have then created a Connection profile which uses the new AAA group for authentication.<br /><br />However, I am a bit confused as the details that need to be entered in to the Cisco VPN client.<br /><br />I enter the group name and password but get an error in the syslog saying that the tunnel group nae is unknown.<br /><br />Can any one point me in the right direction?<br /><br />Thanks again<br /><br />Mario De Rosa 30 hdashnauNov 16, 2009, 7:08am PSTIt sounds like you created a new tunnel-group in order to apply the authentication server. <br /><br />If you are using the IPSec client, you need to click on your profile and hit "modify" and change the group authentication section. The group-name would be the name of the tunnel-group/connection profile on the ASA (show run tunnel) and the group-password would be the pre-shared-key key that you defined in the tunnel-group/connection profile ipsec-attributes section.<br /><br />If you are using AnyConnect, you need to enable the group-drop-down list or a group-url in order to get the client to connect using the new tunnel group:<br />conf t<br />webvpn<br />tunnel-group-list enable<br /><br />tunnel-group <newgroup> webvpn<br /> group-alias mynewgroup enable<br /><br /><br />-heathermarioderosa2008Nov 16, 2009, 7:21am PSTThanks for the reply heather.<br /><br />I have double checked that I am typing in the group name and pre shared key correctly. But i am still missing something.<br /><br />Is there anything you think that I may be missing?<br /><br />Do you know of any other guides out there that may help me?<br /><br />Mario hdashnauNov 16, 2009, 8:45am PSTCollect the debugs on the ASA:<br />debug cry isa 127<br />debug cry ipsec 127<br /><br />Collect the VPN client logs (set to 3-high for all)<br /><br />If you see anything about invalid hash theres still a problem with the password you have configured.<br /><br />Even if you dont see a problem with the hash the above logs should give you an idea why its failing. Not everything will make sense to someone who doesnt read these all day, but just try to glance them over and see if you see anything that jumps out or compare them to a working set of logs and you should be able to find the problem.<br /><br />-heathermarioderosa2008Nov 16, 2009, 8:06am PSTsorted that out now heather thanks.<br /><br />I am now having a slight issue with the firewall not being able to forward a DHCP request to my dhcp server inside my internal LAN.<br /><br />On the connection profile I have entered the IP address of my internal DHCP server.<br /><br />I have also set a global DHCP relay server and set the Outside interface to act as a DHCP relay.<br /><br />Is that right?<br /><br />WHen i monitor an incomming VPN connection it advises that there are "no viable DHCP servers found for tunnel group"<br /><br />ANy Ideas? I cannot actually tell whether the dhcp relay is working.<br /><br />Would I have to confgure any firewall rules to allow DHCP requests/replies to and from the internal LAN???<br /><br />Mario hdashnauNov 16, 2009, 8:43am PSTPlease rate the authentication post answer if it resolved the issue.<br /><br />This DHCP question shouldve been posted in a new topic thread so others are able to easily find it if they also need help on the same thing. <br /><br />About "I have also set a global DHCP relay server and set the Outside interface to act as a DHCP relay. Is that right?"<br /><br />You should not configure a DHCP relay server for the VPN (please remove it if possible).<br /><br />The only things needed to get dhcp working for the VPN are <br />1) Defining the DHCP server in the group and <br />2) Making sure that "vpn-addr-assign dhcp" is enabled (show run all | i vpn-addr-assign dhcp) <br />and 3) (optional) set up a network-scope in the group-policy on the ASA if you want to assign an address from a particular range on the dhcp server.<br /><br />Here is more information about DHCP for vpn laid out in a pretty format:<br /><A HREF="javascript:newWin('http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K12412196')">http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K12412196</A><br /><A HREF="javascript:newWin('https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml')">https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml</A><br /><br />-heathermarioderosa2008Nov 16, 2009, 8:50am PSTHi Heather,<br /><br />so,<br /><br />I have to remove the DHCP Relay agent on the outside interface AND the global setting?<br /><br />I have already defined the internal IP of the DHCP server in the Connection profile, so thats OK.<br /><br />is there a way of making the vpn-addr-assign dhcp setting enabled in the ASDM?? I do not have telnet access at the moment.<br /><br />do i have to set up the network scope on the ASA as well as my internal DHCP server.<br /><br />COnfused or what!!<br /><br />Sorry.marioderosa2008Nov 17, 2009, 8:38am PSTremoving the DHCP relay agent on both the outside interface AND as a global setting has resolved this issue with DHCP address not being assigned.<br /><br />No i have a problem with the VPN throughput, but thats in another post.<br /><br />Thanks Heather!marioderosa2008Nov 17, 2009, 2:03am PSTHi all,<br /><br />I have a cisco ASA 5505 which has 2 different connection profiles configured. 1 of them is an old connection profile which used a local user database for authentication and a local DHCP IP pool for giving out IP addresses.<br /><br />I have created a new profile which now authenticates remote access clients to our internal LDAP server and hands out DHCP addresses from our internal DHCP server.<br /><br />The problem now is that there is no throughput. I.e. I cannot ping anything on the LAN. The only IP i can ping is the internal IP of the ASA.<br /><br />A point to note is that I want to fade out the old connection profile once I have the new one working sweetly. At the moment, both are handing out IPs from the same subnet, would that confuse the firewall in any way? Or is it just a case of ACLs need to be configured to allow the traffic from the VPN clients to the rest of the network?<br /><br />Mario 30 andrew.prince@monster.comNov 17, 2009, 5:34am PSTCheck to see what IP address subnets are configured to be "protected"<br /><br />HTH>marioderosa2008Nov 17, 2009, 5:52am PSTHi ANdrew,<br /><br />the old connection profile uses a local DHCP pool of 192.168.10.100 - 192.168.10.200. this profile is working absolutely fine.<br /><br />Now, because the LAN on the inside interface is using the same subnet 192.168.10.0/24 I have to configure a second profile so that DHCP leases for remote access clients come from our internal DHCP server, also giving out addresses on the same subnet causing problems until I eliminate the old connection profile.<br /><br />I have been reading a couple of guides that Heather posted in my post yesterday and they take me through setting up crypto maps and nat 0 policies which seems a bit beyond me.<br /><br />Out internal LAN is 192.168.10.0/24<br />DMZ is 192.168.20.0/24<br /><br />What do you mean by checking to see what IP subnets are protected?<br /><br />Mario andrew.prince@monster.comNov 17, 2009, 6:00am PSTMario,<br /><br />The fact that a device other than the PIX/ASA is allocating DHCP addresses is the issue. When the PIX/ASA issues the addresses - it then knows what needs to be encrypted etc.<br /><br />When you have another device doing that job - you need to tell the PIX/ASA what needs to be encrypted and what does not.<br /><br />Read the below config example - pay attention to "Split Tunneling"<br /><br />HTH>marioderosa2008Nov 17, 2009, 6:09am PSTthanks Andrew,<br /><br />I do not think you posted the sample config.<br /><br />Thanks for your help so far!! andrew.prince@monster.comNov 17, 2009, 6:13am PSTSorry!<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml')">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml</A><br /><br />marioderosa2008Nov 17, 2009, 6:44am PSTThanks Andrew,<br /><br />I will try that. Will this work in conjunction with the existing local DHCP pool configured on the old connection profile?<br /><br />The problem I have is that I cannot disable the old profile until I am sure the new one is working.<br /><br />Thanks again! andrew.prince@monster.comNov 17, 2009, 7:13am PSTyes - you can have multiple profiles that will work seemlessly side by side.marioderosa2008Nov 17, 2009, 7:57am PSTHi Andrew,<br /><br />given the security concerns in enabling split-tunneling. Are there ways to achieve the same thing without comprimising security?<br /><br />Mario andrew.prince@monster.comNov 17, 2009, 8:01am PSTMario,<br /><br />I posted "Read the below config example - pay attention to "Split Tunneling""<br /><br />That does not read - you must configure split tunneling.<br /><br />I said to use it as an example to what you need to check.marioderosa2008Nov 17, 2009, 8:19am PSTHi Andrew, sorry about that.<br /><br />I dont quite understand how the config code on that page relates to my original query but I am going to read a couple of the referal documents listed on that page about restricting access to local LAN only and the PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for IPSec.<br /><br />I'll let you know how it goes!!<br /><br />Mario campbell.thompson@etonbridge.comNov 16, 2009, 1:21pm PSTAfter much dabbling, I have my Cisco 871W working perfectly with ezvpn to a central ASA5505. Wireless is all good and the tunnel to the main office is reliable. Sorted!!<br /><br />I have one last thing that I can't figure out. I want to manage the router from the main site through SSH or HTTPS and have tried all sorts on the firewall to get this sorted. The subnet that I will manage from will be 10.1.10.0/23 if that helps...<br /><br />I've attached the config for reference.<br /><br />Any pointers would be much appreciated so I can draw a line under the config and ship it out to the customer.<br /><br />Thanks in advance...<br /><br />Campbell Thompson<br /><br /><b>Attachment Keywords : </b> <br />1) rtr11-confg<br /> rtr11-confg123655text/plaintext804011/16/2014no30 p.bevilacquaNov 16, 2009, 1:49pm PSTI would begin with:<br /><br />interface FastEthernet4<br /> no zone-member security out-zone<br /><br />interface Vlan1<br /> no ip tcp adjust-mss 1452<br /><br />interface BVI1<br /> no zone-member security in-zone<br /> no ip tcp adjust-mss 1412<br /><br />no ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp<br /><br /><br />You could remove more commands, I've indicated what jumps to the eye. campbell.thompson@etonbridge.comNov 16, 2009, 2:04pm PSTOkay, that works, but ideally, I'd like to make use of the zone based firewall. Which zone would I need to change and how? p.bevilacquaNov 16, 2009, 2:10pm PSTNot sure, I've seen ZBFW only cause problems but never do any good.<br /><br />You have NAT, nobody can attack you from outside. At least that is my experience in 12 years on installing routers with NAT.<br /><br />Please remember to rate useful posts with the scrollbox below. campbell.thompson@etonbridge.comNov 16, 2009, 4:16pm PSTI really appreciate he help. I agree that I'm more than secure, especially as the 871 is sitting in the client's own firewalled network, so there's limited risk.<br /><br />I know that Cisco claim that the ZBF is supposed to make things more logical an simpler! I'm not sure that I agree!!!<br /><br />Thanks again for the help...<br /><br />Campbell Thompson<br /><A HREF="javascript:newWin('http://www.etonbridge.com/')">http://www.etonbridge.com/</A> p.bevilacquaNov 17, 2009, 5:30am PSTNo problem, thank you for the nice rating and good luck!pemasiridOct 4, 2009, 6:49am PSTHi,<br /><br />I have 1841 router with following specs;<br />IOS: ipbasek9-mz.124-24.T1<br />HWIC-8A/S-RS232 in slot0<br />WIC-1AM-V2 in Slot 1<br /><br />Console cables are connected from 0-3 on 1st port of 8A/S-RS232 to 04 devices starting Cable 0 to Switch and cable 1 to ASR router etc.<br /><br />WIC-1AM-V2 modem is configured as Asyn in order to dial the server to access via analog line.<br /><br />The issue I'm having is that I can connect only to 1st port (which is port 0 connected to switch) by giving host name with port 2002.<br /><br />When I try connecting other devices such as asr router (with port 2003) I can see the port is open but I cant log-in to the devices.<br /><br />Attached is the running configuration and connection/session/lines informaitons. <br /><br />Can someone advise me why I cant log-in to the other ports (except port 2002).<br /><br />Thanks in advance.<br /><br /><br /><br /><b>Attachment Keywords : </b> <br />1) gn-qdc-pw1xxx-con1.txt<br /> gn-qdc-pw1xxx-con1.txt121811text/plaintext2908010/04/2014no30 p.bevilacquaOct 4, 2009, 1:04pm PSTRemove flowcontrol hardware from 0/0/x lines. There, you will want also modem out, transport input none, no exec. baiba@latnet.lvNov 12, 2009, 11:16pm PSTHello, i have similar, not to say exact (same router/card), problem, i have tried almost everything, googled for week, but no solution jet, please tell if you have found solution for this.pemasiridNov 13, 2009, 4:10am PSTHi,<br /><br />I made it working after giving no-exec and exec-timeout 0 0 under line command.<br /><br />Pls share your configuration so that I can figure out.<br /> baiba@latnet.lvNov 13, 2009, 6:32am PSTMy config<br /><br /><b>Attachment Keywords : </b> <br />1) 1841-config.txt<br />1841-config.txt123546text/plaintext641611/13/2014no baiba@latnet.lvNov 16, 2009, 11:52pm PSTas I found out, configuration with interface card: HWIC-8A/S-232 (with two physical interfaces for cable) with cable CAB-HD8-ASYNC works as follows:<br />on both interface slots only first 4 even console cables (starting with 0) works thus making for first slot (labeled 0-3) P0,P2,P4 and P6 working. accordingly serial nubers are Sx/x/0(1,2,3). and for second slot (labeled 4-7) same P0,P2,P4 and P6 working, and serial numbers are Sx/x/4(5,6,7)<br />in conclusion for full 8 console cables you need two cables (CAB-HD8-ASYNC) and you can use only half of 16 cable ends (as described above) prachaya_kNov 16, 2009, 9:01am PSTHi there, Can anyone help me with CEF load balance. I have 2 ADSL connections on the router 2811 and I am trying to load balance over these 2 links. Please see the attachment for my current configuration. The problem is I tried to browse the internet some website is not accessible and if it can access it take a long time to change from page to page. What is the problem here? I understand that the router see the 2 default route with the same cost and CEF will load balance the traffic using per-destination by default.. But the problem is exists.. Anyone has any idea what I did wrong.. <br /><br />Thanks in advance.. <br /><br /><b>Attachment Keywords : </b> <br />1) LB CEF ADSL.txt<br /> LB CEF ADSL.txt123654text/plaintext177511/16/2014no30 p.bevilacquaNov 16, 2009, 12:52pm PSTUnder both dialer interfaces:<br />ip mtu 1492<br /><br />Under FastEthernet0/0:<br />ip tcp adjust-mss 1452<br /><br />Optionally:<br />sub-interface are not needed with PPPoE<br /> aroehlichNov 12, 2009, 3:17am PSTHi,<br /><br />as a default, Cisco IOS expects exactly the same passwords on both Devices that are doing PPP CHAP authentications between them.<br /><br />What i need is a mutual authentication of both sides using a different password for each authentication. Assuming two routers,R1 and R2, R1 should authenticate R2 using password 1 and R2 should authenticate R1 using password 2.<br /><br />Is there any way in IOS to do this?<br /><br />Thank's for your Help in Advance! 30 andrew.prince@monster.comNov 14, 2009, 9:45am PSTAre you running ISDN or point-to-point links? aroehlichNov 16, 2009, 1:36am PSTHi,<br /><br />i am running point-to-point links over async serial lines. Does that make a diffenrence? Thank's for your Help! andrew.prince@monster.comNov 16, 2009, 2:16am PSTYes - over isdn you can use the host name of the devices, or specific passwords in dialer map statements!<br /><br />over pt-pt links, I'm not sure if you can have anything other than a static password - but I'm not 100%.<br /><br />You should test it out.<br /><br />zillah2004Nov 15, 2009, 5:01pm PSTHi<br /><br />I would like to use a Cisco VPN client with a Netgear FVS318 V3 ,,,,,I know how to configure Netgear FVS318 V3 for IPsec,,,because I am using TheGreenbow client now with it.<br /><br />But I do not know how to configure Cisco VPN (some client does not have TheGeenBow VPN utility)<br /><br />I just want to find out how to do that ? specially with the option "Group Authentication" which it asks about username and password.<br /><br />Thanks 30 hdashnauNov 15, 2009, 6:48pm PSTQuick Breakdown -- There are of course variations, but for a basic config, there are 3 things minimum when making a connection entry on the VPN client:<br /><br />1. Connection Entry -- This is just a name. It is only locally significant so you can identify the connection. Doesnt need to match anything on the headend<br /><br />2. Host -- This is the public ip address of the headend (in your case the netgear ip)<br /><br />3. Group Authentication -- This needs to match the headend configuration. On the headend there should be a group name defined for the VPN connections. The group contains the parameters for the VPN to connect such as which authentication servers to use, which policies, and which pre-shared-key. The pre-shared-key that you define in the group on the headend is what you use for the "password" for group authentication.<br /><br />The rest of the stuff can usually be left at its defaults on the client side.<br /><br />For more information also check our vpn client admin guide:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vAc.html')">http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vAc.html</A><br /><br />-heatherzillah2004Nov 15, 2009, 9:28pm PST>>3. Group Authentication -- This needs to match the headend configuration. On the headend there should be a group name defined for the VPN connections. The group contains the parameters for the VPN to connect such as which authentication servers to use, which policies, and which pre-shared-key. The pre-shared-key that you define in the group on the headend is what you use for the "password" for group authentication. <br /><<<br />Thanks heater,,,,I do not have within netgear router what is called "Group Authentication" (to bundle policies, pre-shared-key, etc )please see the link below to have an idea what options I have got with FVS318 V3 <br /><br /><A HREF="javascript:newWin('http://www.scribd.com/doc/3800516/Netgear-FVS318-GreenBow-IPsec-VPN-Configuration')">http://www.scribd.com/doc/3800516/Netgear-FVS318-GreenBow-IPsec-VPN-Configuration</A><br /><br />for instance within Cisco VPN client under "Authentication Group" I have got username ,,,,,,,what would the cisco VPN's username match on the netgear router (compare to the link that I have posted) ?<br /><br />under "Authentication Group" I have got a password ,,,,,,,what would the cisco VPN's password match on the netgear router (compare to the link that I have posted)?<br /><br /><br /> hdashnauNov 15, 2009, 6:52pm PSTJust want to add one more thing for extra clarification...<br /><br />Group authentication is not the same thing as user authentication (xauth). There is a group name and password (pre-shared-key)that should be configured on the headend and in addition to this there is a username and password. You configure the group name and password (pre-shared-key) when youre setting up the connection profile. You won't be prompted to enter the username and password until you actually initiate the connection. urfankhaliq@hotmail.comSep 26, 2009, 2:41pm PSTHi All,<br /><br />I have an 837 and also an 877 set up in two different locations and seem to have the same issue with both...the issue is that I cannot launch the wizard even tho the button is available...<br /><br />I press the button and nothing happens at all...<br /><br />Can anyone give me an idea why?<br /><br />Regards<br /><br />Urfan 30 tprendergastSep 28, 2009, 2:24pm PSTWhat IOS are you running on your routers (show version)? Make sure both IOS images support easy vpn (I'm pretty sure all available 12.4 for those models has this support).<br /><br />Also -- make sure Java is properly installed on your system and that you aren't popup-blocking the configuration window for EasyVPN. <br /><br />Latest SDM requires your client to support:<br />•Firefox 1.0.6 and later versions <br />•Internet Explorer 5.5 and later versions <br />•Netscape 7.1 and 7.2 <br />Cisco SDM 2.4.1 requires Sun Java Runtime Environment (JRE). The following versions are supported: <br />•JRE 1.5_09 <br />•JRE1.4.2_08 <br />•JRE 1.5.0_06 <br />•JRE 1.5.0_07 <br /><br />Hope that helps...<br /><br />Thanks,<br />Tim urfankhaliq@hotmail.comSep 29, 2009, 11:38am PSTHi Tim, Thanks for that,details as follows...<br /><br />The 837 is running c837-k9o3sy6-mz.124-21.bin with Java 6 and IE8...<br /><br />The 877 is running <br />c870-advsecurityk9-mz.124-4.T7.bin, with Java 7 and IE 6 on windows server 2003...<br /><br />Just cant figure out why the button does nothing! Please help<br /><br />Urfan urfankhaliq@hotmail.comOct 4, 2009, 1:54pm PSTAnyone got any ideas??<br /><br />Urfan urfankhaliq@hotmail.comOct 13, 2009, 1:16pm PSTbump...im surprised no one can help??<br /><br />Please kabeck@compro.netOct 14, 2009, 6:30pm PSTSorry I can not help but will add that I am seeing the same issue. So this is to keep it at the top BUMP...<br /><br />SDM 2.5<br />Cisco 3745<br />IOS 12.4<br /><br />Java Ver 6 update 7 (build 1.6.0_07-b06)ryan.anthonyOct 28, 2009, 8:32am PSTI'm having the same issue here. I have IOS Version 12.4(22)T and SDM version 2.5 on a Cisco 871. <br /><br />Java 6 Update 15 (build 1.6.0_15-b03).<br /><br />It's becoming quite frustrating having the SDM be unresponsive to simple button clicks. Does anyone have any idea why this is? I assume it's because there's some state where the SDM doesn't know what to do with the existing config. But I don't really want to go rebuilding my whole config just because this button can't handle it. joowens@gstboces.orgOct 29, 2009, 6:59am PSTI ran into the same issue recently. I was able to configure easy VPN by connecting my laptop (not running version 6 of JRE). The workstation that I was trying to connect with had SDM install locally and was updated to the newest JRE. Hope this helps you a bit. I can't narrow down the exact issue just yet, but it is a combination of JRE and whether SDM is install locally.zspencer@mpe.caNov 6, 2009, 7:35am PSTI had the exact same issue. To resolve, I uninstalled Java 6 Update 15 and 7. The only Java that remained was Java 5 update 16, wizard now properly launches in SDM. urfankhaliq@hotmail.comNov 15, 2009, 2:41pm PSTI managed to sort this also by uninstalling java completely and downloading an older version <br /><br />Version 1.5.0 (build 1.5.0_21-b01)<br /><br />UrfanBlindsideOct 15, 2009, 8:26am PSTI'm usin the VPN client 4.9.01 on Mac OX 10.6 and I can not activate the advanced mode in order to set up or configure connections. The software starts in simple mode, CMD+M does not doe anything and if I click on 'Options' the Advanced Mode is greyed out. I already tried uninstall and reinstall but the situation doesn't change. It's unbelievable frustrating, how can I resolve this? 30eline_arnoldyNov 15, 2009, 6:10am PSTI have exactly the same problem and also tried uninstall and reinstall but nothing works. How to solve this? bsingaraNov 15, 2009, 12:32am PSTCould please light me what is best option for SHDSL point to point connectivity.<br /><br />Alos please comapre the WAN interface card below which should I choose for SHDSL connection:<br /><br />Cisco 1-Port G.SHDSL WAN Interface Card (part number WIC-1SHDSL-V3)<br />Cisco 2-Pair G.SHDSL HWIC (HWIC-2SHDSL)<br />Cisco 4-Pair G.SHDSL HWIC (HWIC-4SHDSL)<br /><br /><br /><br /><br /><br /> 30 p.bevilacquaNov 15, 2009, 6:02am PSTAlready replied in another thread, please do not open duplicates. bsingaraNov 15, 2009, 1:00am PSTPlease give me best solution and cost effective solution for SHDSL routers for Point to Point Connectivity. 30 p.bevilacquaNov 15, 2009, 6:02am PSTAlready replied in another thread, please do not open duplicates. campbell.thompson@etonbridge.comNov 12, 2009, 5:14am PSTI'm having some issues with configuring DHCP on the WAN port (Fa4) on a Cisco 871W. Basically, I want to configure this unit locally, so I can ship it to an existing broadband user to just plug in to their Broadband modem and hey presto, it will work!!!<br /><br />I've configured the WAN port for DHCP, and had some minor success getting an IP and default route etc for the next hop to the existing DSL router, but now I'm getting no IP address assigned, whatever I try.<br /><br />The DSL router is a Netgear and it's happily chugging out IP's to other DHCP clients...<br /><br />Am I doing something really, really stupid?!<br /><br />Thanks in advance <br /><br />Campbell Thompson 30 p.bevilacquaNov 13, 2009, 7:13am PSTSometime IOS DHCP client just don't work.<br />Try upgrading IOS. campbell.thompson@etonbridge.comNov 13, 2009, 7:51am PSTI'm up to the latest IOS on this router.<br /><br />I've managed to make some progress... I think...<br /><br />I removed the:<br /><br />zone-member security out-zone <br /><br />from the fastethernet4 config and can then get DHCP traffic...<br /><br />So, leads me to the question, can I leave that on and add an exception to all DHCP traffic to the zone? p.bevilacquaNov 13, 2009, 8:01am PSTTo be honest, I think you can do without ZBFW in 99.9% of the cases. campbell.thompson@etonbridge.comNov 13, 2009, 8:03am PSTThat's what I was hoping you would say!!<br /><br />Right, I'm going to reset to default and get my EzVPN up and running and then apply the DHCP.<br /><br />I'll let you know how I go...<br /><br />Campbell<br /><A HREF="javascript:newWin('http://www.etonbridge.com/')">http://www.etonbridge.com/</A> luisrolocqNov 11, 2009, 4:54pm PSTI'm using the latest version of VPN client in windows 7 for several users and all of them are having problems, they get connected apparently but when trying to access the internal network to browse no connection is established, any one experiencing the same issue, nothing has been released in microsoft site regrading this issue they claim it should work just fine but aparently is not.<br /><br />Any help will be greatly appreciated 30 rburtsNov 13, 2009, 7:34am PSTLuis<br /><br />You say you are using the latest version of VPN client. Perhaps you could post the exact version that you are using?<br /><br />Have you enabled logging in the VPN client for one of the Windows 7 PCs? Perhaps there are some log messages that would shed light on the problem.<br /><br />HTH<br /><br />RickRoundfordNov 10, 2009, 9:31am PSTcan anyone give me clear and simple instructions on how to allow a client PC on our lan authenticate with a remote PPTP server on a public IP address. 30locus2007Nov 11, 2009, 12:21pm PSTSame here, till 12.4.15T6 it goes that you give out to in zone and add source IP addres of pptp server and add service gre... now on IOS 15 it doesnt work or I got groped in server site, now investigating that. hasmurizalNov 11, 2009, 7:37am PSThi guys,<br /><br />need your advice on this one, as i search on cisco.com and netpro but unable to find the exact info that i required.<br /><br />First, can anyone confirm the following calculation to find out MSS size.<br />Mss size = MTU size - encapsulation size - tcp header size<br /><br />So for normal case;<br />MSS = 1500 - 48 (48 is the tcp/ip header)<br />so MSS = 1452<br /><br />Thus in my case GRE tunnel over DSL connection;<br />MSS = 1492 - 24 - 48 (24 is the GRE encap; 48 is the tcp/ip header)<br />MSS = 1420<br /><br />is this correct? <br /><br />Secondly, where should the ip tcp mss-adjust to be implemented. Is it at the Dialer(DSL) interface or at Tunnel interface? 30 collin_clarkNov 11, 2009, 8:33am PSTI don't use the math (it doesn't work for me probably b/c I miss something). Here's how I do it-<br /><br />C:\\>ping 10.125.0.250 -f -l 1600<br /><br />Pinging 10.125.0.250 with 1600 bytes of data:<br /><br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br /><br />Ping statistics for 10.125.0.250:<br /> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),<br /><br />C:\\>ping 10.125.0.250 -f -l 1500<br /><br />Pinging 10.125.0.250 with 1500 bytes of data:<br /><br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br /><br />Ping statistics for 10.125.0.250:<br /> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),<br /><br />C:\\>ping 10.125.0.250 -f -l 1400<br /><br />Pinging 10.125.0.250 with 1400 bytes of data:<br /><br />Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251<br />Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251<br />Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251<br />Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251<br /><br />Ping statistics for 10.125.0.250:<br /> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />Approximate round trip times in milli-seconds:<br /> Minimum = 19ms, Maximum = 19ms, Average = 19ms<br /><br />C:\\>ping 10.125.0.250 -f -l 1450<br /><br />Pinging 10.125.0.250 with 1450 bytes of data:<br /><br />Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251<br />Reply from 10.125.0.250: bytes=1450 time=20ms TTL=251<br />Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251<br />Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251<br /><br />Ping statistics for 10.125.0.250:<br /> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />Approximate round trip times in milli-seconds:<br /> Minimum = 19ms, Maximum = 20ms, Average = 19ms<br /><br />C:\\>ping 10.125.0.250 -f -l 1475<br /><br />Pinging 10.125.0.250 with 1475 bytes of data:<br /><br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br />Packet needs to be fragmented but DF set.<br /><br />Ping statistics for 10.125.0.250:<br /> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),<br /><br />C:\\>ping 10.125.0.250 -f -l 1470<br /><br />Pinging 10.125.0.250 with 1470 bytes of data:<br /><br />Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251<br />Reply from 10.125.0.250: bytes=1470 time=22ms TTL=251<br />Reply from 10.125.0.250: bytes=1470 time=20ms TTL=251<br />Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251<br /><br />Ping statistics for 10.125.0.250:<br /> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />Approximate round trip times in milli-seconds:<br /> Minimum = 19ms, Maximum = 22ms, Average = 20ms<br /><br />C:\\><br /><br />1470 works and has a little bit of extra room. The tcp mss-adjust should be done on the LAN interface.<br /><br />Hope it helps. hasmurizalNov 11, 2009, 9:13am PSTHi collin,<br /><br />thank you for your response. perhaps i did not explain a little bit more on this. since i'm on the provider side, that is why i cannot test this from the user/LAN side via ping test.<br /><br />Our customer bring up this matter as one of their application unable to work. This only happens if the router using the backup line (primary serial down). If we were to apply into the LAN interface that it would interfere with other apps. (LAN interface = MTU of 1500)<br /><br />So that is why i wanted to know on the calculative part rather than trial-and-error type guessing mss size. anybody have ideas on this? collin_clarkNov 11, 2009, 9:21am PSTYou should not change the MTU on your side, it will be on their side only. They can decrease the MTU, but you should not. They can test using my example above. I understand you're trying to help your customer, but by decreasing the MTU in your network you may break other customers. Your one customer should reduce their MTU to fit inside your network MTU. If you reduce your MTU, the customer would have to reduce theirs even more or experience more fragmentation. Their packets with the additional header(s) need to fit in your MTU so you can transfer them without fragmenting them. hasmurizalNov 11, 2009, 9:39am PSTwell, i dont think that changing the MTU size at customer part is doable, since this happen at a particular application (site to HQ via GRE tunnel) and on our MPLS cloud. So we can only see the change to be done on CE router and only to MSS size, not to MTU.If CE main link (leased line/metro-e)is in working state, there are no problem, but only when link is on DSL, only then customer can see the problem. <br /><br />Any chance you have several test routers to test? From my side i cant since it is a live network. hasmurizalNov 11, 2009, 10:05am PSTjust remember one of the links with respect to tcp mass-adjust<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml')">http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml</A><br /><br />if taken example of the given link above; i could conclude that:<br /><br />if tunnel MTU is 1400 then<br />MSS = 1400 - 40 -24 (40 is tcp/ip header;24 GRE encap)<br />MSS = 1336<br />and this to be place on Tunnel interface (DSL CE router) campbell.thompson@etonbridge.comNov 10, 2009, 3:51pm PSTHi,<br /><br />I'm currently setting up a remote user with a Cisco 871W connecting using ezvpn to a ASA 5505 at the main site. I've basically got this working fine, the VPN connects automatically when it's switched on and I can ping all networks.<br /><br />The trouble that I'm having is that laptops and PC's on the remote side aren't able to authenticate against the DC's, located in the main site. If I try to add a laptop to the domain from the remote site I get the message: An Active Directory Domain Controller (AD DC) for the domain could not be contacted.<br /><br />Should I be doing anything on either side to resolve this? 30 collin_clarkNov 11, 2009, 7:34am PSTSounds like a DNS issue. Can you ping the DC by name and by FQDN?coletempleNov 10, 2009, 10:44am PSTHi all,<br /><br />I am trying to work out how NAS allocate IPs to customers in a PPPoe environment.<br /><br />Lets say that I have a pool named pooltest with different ranges:<br /><br />peer default ip address pool pooltest<br /><br />ip local pool pooltest 10.0.0.10 10.0.0.50<br />ip local pool pooltest 20.0.0.10 20.0.0.50<br />ip local pool pooltest 30.0.0.10 30.0.0.50<br /><br />I am trying to work out how the NAS will operate here...randomly or using the addresses in the range 10 and when addresses are all used there jump to the range of 20..and then 30...?<br /><br />I need help understanding that.<br /><br />Would be great if someone can come up with some links or docs.<br /><br />Thanks NSG_POLARISOct 29, 2009, 6:22pm PSTAll,<br />I have configured the router and modem as per the config given in the below link but it is not working. I am able to dial and successfully connect the modem but there is no display on the hypertrm.Is there anything I need to check. I am using cisco 2821 router and modem USRobotics(USR5686E).Tried with two modems and two router with all the combination but the result is same. All pls put in your inputs to resolve my problem. <br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00800941c9.shtml')">http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00800941c9.shtml</A> 30 lgijsselOct 30, 2009, 12:30am PSTHave you used a rolled cable as described?<br />This is required to connect the RX and TX leads properly. <br />From your description, it looks as if you have a straight cable. <br />Best is to test first with a terminal or datatester to check the V24 interface.<br /><br />regards,<br />Leo NSG_POLARISOct 30, 2009, 3:15am PSTLeo, I am using rolled cable only.I am not Suspecting the problem with the Router configuration.Expecting some modem configuration.If any one using USRobotics modem pls share the modem init string which is working. collin_clarkNov 2, 2009, 12:42pm PSTYou should not need the initialization string. Make sure you have the correct cable (usually marked 'modem' on the DB25 end). Also make sure you dial and connect to the modem at baud rate 9600 with 8/None/1.remakerNov 9, 2009, 8:23pm PSTHello! Are you on the AUX or the Console port with the modem? What speed is the port to which the modem is attached? <br /><br />A few quirks to be aware of:<br /><br />- The speed of the modem interface has to match the speed of the serial interface of the router. If you send AT commands to the modem from a PC, the modem will lock to the speed of the interface of the PC - so when you move it, it may not re-adapt. The best way to configure the modem is by reverse telnet (if it is on AUX) because that assures that the speed is matched.<br /><br />- The flowcontrol has to match the port. The console port does may assert "ready" signals, best to check with a breakout box - but if you can disable flowcontrol that is a good check.<br /><br />Are there any lights on the modem? Does the DTR light up when you plug in the cable to the console port? matthew@jpci.netNov 9, 2009, 7:43am PSTHi,<br /><br />Im looking at switching providers for DSL in the UK. However the login will change on the dialer interface, I still need to gain remote access to the 877 but if the line drops and is live on the new DSL provider this wont be possible. Is there anyway to configure two dialer interfaces with different logins so when the line gets switched the dialer with the correct login will get authenticated. Is this possible? It will have a single ATM interface.<br /><br />thanks 30 lgijsselNov 9, 2009, 7:58am PSTThe dialer is mapped to the atm vc. <br />When this is a different one, you may have some routing problems but otherwise you can have both dialers active. ;-)<br />When the atm vc is the same, trying this will cause unpredictable behavior.<br /><br />Best is then to write the new config to startup-config and reboot. You will obviously have little margin for error when taking this road.<br /><br />regards,<br />Leo<br /> matthew@jpci.netNov 9, 2009, 8:02am PSTWhen I did a bit of testing I couldnt get both dialers to work, it would always take the first dialer and not bother with the rest, i.e. dialer 0 was fine and dialer 1 wasnt.<br /><br />I could do the reboot thing but most of the customers dont know what a router is, or where it is (usually hidden in a dark corner) :)<br /><br />I was trying to see if there was a way of doing it so it would just connect with new credentials when the line dropped and came back on the new provider, then I could get back in and remove the old details.<br /><br />cheers<br />matt<br /> p.bevilacquaNov 9, 2009, 8:38am PSTThat is not possible ASAIK.<br /><br />What you can do is prepare a config file with the new settings, save in startup-config, schedule a reload on the day it is supposed to take place.<br /><br /> matthew@jpci.netNov 9, 2009, 8:44am PSTYup seems that is my only option and cross fingers :)<br /><br />thanks p.bevilacquaNov 9, 2009, 10:50am PSTYou are welcome.<br /><br />A side note, please review your use of the rating system, because the information given to you was 100% complete and correct, and even if it doesn't meet your hopes, is not fairly rated with "3". rrfieldNov 6, 2009, 7:39am PSTI'm having a conceptual problem with ASA Group Policies, specifically relating to SSL VPN. <br /><br />From what I can tell, all group policies inherit attributes from the Default Group Policy (DfltGrpPolicy). When creating a new Policy lets call this NewPolicy1, I can override the inherited properties. Fine, no problem. I am cool with assigning users to NewPolicy1 via RADIUS attribute 25. <br /><br />Lets say DfltGrpPolicy has two bookmarks assigned to it, <A HREF="javascript:newWin('http://site1')">http://site1</A> and <A HREF="javascript:newWin('http://site2')">http://site2</A>.<br /><br />NewPolicy1 has two more bookmarks, <A HREF="javascript:newWin('http://newsite1')">http://newsite1</A> and <A HREF="javascript:newWin('http://newsite2')">http://newsite2</A>.<br /><br />Lets say User1 is assigned to NewPolicy1.<br /><br />Is it possible for User1 to be presented links to all 4 bookmarks WITHOUT creating a bookmark list that is applied to NewPolicy1 that contains all 4 links? <br /><br />Moving on, can I create a policy called NewPolicy1CHILD and have it inherit properties from NewPolicy1? Or are we stuck with two levels of policies, Default and an infinite number of child policies?<br /><br />Thanks... 30 hdashnauNov 6, 2009, 9:23am PST<br />Group-policy priority inheritance goes in this order:<br />1. USER level: Values passed from authentication (ie your assigning group-pol from radius) or if you were using a local username on the ASA and had a group-pol assigned in the user-attributes<br />2. TUNNEL level: Value that is defined on the tunnel-group using the "default-group-policy" command<br />3. DEFAULT level: If an attribute is not assigned on the user level, nor the tunnel level, the values that are defined in the DfltGrpPolicy will be used<br /><br />With group-policies alone, you can only have one value per attribute (ie only one bookmark list will ever be applied).<br /><br />If you want to assign multiple bookmarks (from one or more "policies"), you should use Dynamic Access Policies (DAP) to accomplish this instead or in addition to your group-policy assignment. DAP concatinates attributes. So if you match two DAPs each with their own bookmark list, DAP would add them together and display one bookmark list with both sets or URLS combined. DAP can also work together with your group-policies. If you have a value set in DAP and the group-policy that cannot be concatenated then DAP will take precedence. For more information about DAP and how it add things together check this link:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml')">http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml</A><br /><br />-heather rrfieldNov 6, 2009, 10:32am PSTGreat, that's what I want...I just wasn't looking in the right place. <br /><br />Question, I don't see a place within DAP for Smart Tunnels, which I was hoping to utilize. Does anyone have an idea of when Smart Tunnels can be assigned with DAP? hdashnauNov 7, 2009, 5:49am PSTYou can configure a bookmark list which has URLS setup to be smart tunneled, but the smart tunnel option to tunnel a process is not available in DAP yet.<br /><br />There is an enhancement feature request to allow DAP to configure everything that you can configure on a group-policy level that would cover this request as well. You can track it with ID CSCsi54718<br /><br /><br />-heather<br /> ryan.bachmanNov 6, 2009, 9:45am PSTI am sure I am overlooking something very simple, so I am hoping for a second set of eyes that will clue me in on where I am going wrong. <br /><br />Basically I have a cisco client remote accessing into a 5510. Authentication works fine, secured routes info show correctly in my client, client reports that traffic is being encrypted, but I can't access any of the resources over the tunnel. Attached is a file of the configuration and an output of a #sh crypto ipsec sa peer x.x.x.x command that shows traffic is not being passed. Thanks for the help in advance. <br /><br />btw l2l configuration works fine. <br /><br /><b>Attachment Keywords : </b> <br />1) VPN110509.txt<br /> VPN110509.txt123278text/plaintext939611/06/2014no30 hdashnauNov 6, 2009, 9:52am PSTI see (from your split tunnel acl) that you are trying to pass some traffic to some internal networks that are not in your nat exemption acls (no-nat-inside, no-nat-dmz). Make sure in those no-nat acls you permit from the "inside" to the VPN client pool.<br /><br />Other common causes:<br />-your internal routers may not have a route towards the ASA for the VPN client pool<br />-access-lists applied to the interfaces (show run access-group) may not permit the traffic from the "inside" network to the VPN clients<br />-Configure split-dns under the group-policy for your internal domain names<br /><br />-heather ryan.bachmanNov 6, 2009, 12:21pm PSTHeather<br /><br />Thanks for your input<br /><br />The 2 users that were testing (myself and another coworker) were both behind nat devices. I thought cisco by default allowed nat-t over udp, but I guess not. <br /><br />Adding the ipsec-udp enable under my group policy fixed my issue. hdashnauNov 6, 2009, 12:41pm PSTTraditional Nat-traversal (on UDP 4500) IS enabled by default on the ASA. You did not have nat-t disabled on the headend -- If you had it turned off manually you wouldve seen "no crypto isakmp nat-traversal" in your show run output. <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067')">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067</A><br /><br /><br />Since you were not able to pass traffic with traditional NAT-T this leads me to believe something may have been blocking or dropping UDP 4500 along the path. <br /><br />There are two other options for nat-traversal, one of which you discovered...<br /><br />The "ipsec-udp" is another form of nat-traversal which operates on UDP 500. The port number cannot be changed.<br /><br />There is a third option for nat-traversal enabled with "crypto isakmp ipsec-over-tcp" This allows nat-traversal on tcp 10000. You can change the port with "crypto isakmp ipsec-over-tcp port <#>"<br /><br /><br />-heatherk.gillespieNov 4, 2009, 10:46am PSTI am able to get a connection through a VPN Client to a 515 PIX, but packets are not going across the VPN connection. Attached is PIX and VPN client log.<br /><br />Thanks Keith <br /><br /><b>Attachment Keywords : </b> <br />1) VPN.txt<br /> VPN.txt123195text/plaintext2303011/04/2014no30 slmansfieldNov 6, 2009, 6:54am PSTYour VPN address pool overlaps with the inside address on the PIX. I would change the address pool to a different range and see if it works better for you.<br /><br />HTHdaniel.colicovNov 3, 2009, 8:53am PSTHello,<br />I have a router 2811 and a vpn client 5 and I want to auth client with certificate. After almost 4 days of researching on google I didn't find any howtows regarding my problem. All are with PIX/ASA equipments.<br />When I insert the token, I select the right certificate and click connect. The token ask me for PIN and the is disconnecting. The token is enrolled on a xp station with smartcard template certificate.<br />the enrollment server is a MSCA and is subordonate, not ROOT CA. In the attached file is my config. Any advice is welcome.<br />Thanks in advance.<br /><br /><br /><b>Attachment Keywords : </b> <br />1) vpn2811-confg.txt<br /> vpn2811-confg.txt123111text/plaintext927011/03/2014nopintopatrickNov 2, 2009, 11:07am PSTHello All,<br /><br />I have never configured a site to site vpn tunnel with a Cisco router. I have done plenty with pix to pix but never a Cisco router. I am hoping for a little direction.<br /><br />We have a site that just got Verizon Business grade Fios. I am a little confused on how I would set this up. It was suggested in another post that I would connect a cable from the Fa0/0 on thr 2811 to one of the switchports of the FIOS router...is this correct? What ip would I assisgn the Fa0/0? And then I assume the Fa0/1 would have an ip address of the internal lan? <br /><br />Can someone post any sort of example of how the config would look on the 2811?<br /><br />Thank you so much for any help or guidance you can provide.<br /><br />Patrick 30 lgijsselNov 2, 2009, 11:33pm PSTThere is some info available on that:<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml')">http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml</A><br /><br />Hope this helps you out.<br /><br />regards,<br />Leobodo.bellutNov 2, 2009, 7:05am PSTHi,<br /><br />I'm trying to replace an AS5300 with a 2811. One problem I encountered during this work is, that the 2811 doesn't recognise the "aaa preauth" command.<br />As I'm running a toll-free number over this device I have to reject unknown or unwanted numbers during the call setup phase to ovoid unnessesary costs. Picking up and then dropping the call is no alternative as the calls will be billed starting with the first second.<br /><br />I would prefer authorizing the calls via the already existing radius server but would accept any working solution.<br /><br />The 2811 is running with IOS 12.4(15)T9 strmarinosOct 28, 2009, 3:28am PSTGood morning from Greece…<br />I am new to this forum and happy to see that I can find people that share their interest in networking… So I need your help-advice-opinion PLEASE give it…<br />I have configured 2 Cisco 876 with an Ipsec tunnel (to communicate over dsl 24/1Mbps)<br />The matter is that I can ping the edge of my tunnels BUT when I try to copy from Win or ftp I get some errors (see the attachment)…and the transfer is TOO slow…(I have no problem with www)…Please HELP me…<br />My two networks are 192.168.1.0/24 and 192.168.2.1/24, I use static IPs…<br />THANK you all<br /><br />Attachments<br />1. sh run <br />2. sh dsl int atm 0<br />3. <A HREF="javascript:newWin('http://www.flickr.com/photos/44045127@N03/4049731432/')">http://www.flickr.com/photos/44045127@N03/4049731432/</A> <br /> (link of the error while transfering)<br /><br /><br /><b>Attachment Keywords : </b> <br />1) sh_run.txt<br />2) sh_dsl_int_atm.txt<br /> sh_run.txt122868text/plaintext545510/28/2014nosh_dsl_int_atm.txt122869text/plaintext322210/28/2014no30 lgijsselOct 29, 2009, 6:31am PSTTwo remarks:<br />1: Your DSL only has an upstream bandwidth of 1Mb. This puts a limit on the VPN transfer speed.<br />2: You should modify the ACL's to accept all ip traffic from the VPN peer, not just a subset of protocols.<br /><br />regards,<br />LeostrmarinosOct 29, 2009, 7:32am PSTthank you Leo,<br />i know that i have this limited BW but i cant even achive 768kbit/sec while transfering<br />2. what do u mean?<br />i use the <br />access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 which allows everything... isnt it correct?<br />3.Do u know what may causes the error (see the link)<br />4. The mtu size on my Dialer should be 1492?<br />do u think the configuration is correct?<br /><br /><br />THANK YOU<br /> lgijsselOct 30, 2009, 12:49am PSTReplace this:<br />access-list 102 permit ahp host R.R.R.R any<br />access-list 102 permit esp host R.R.R.R any<br />access-list 102 permit udp host R.R.R.R any eq isakmp<br />access-list 102 permit udp host R.R.R.R any eq non500-isakmp<br /><br />with this:<br />access-list 102 permit ip host R.R.R.R host (your-public-ip)<br /><br />MTU of 1492 should be fine.<br /><br />regards,<br />LeostrmarinosOct 30, 2009, 8:36am PSTWell,<br />My new configuration according to Leos advice is in the attachment…<br />I still have problem with the transfer I increased the throuput (but not yet to max) but I still get errors. Please check the link…thank you all…<br />strmarinosOct 30, 2009, 8:42am PSTWell,<br />My new configuration according to Leos advice is in the attachment…<br />I still have problem with the transfer I increased the thgrouput (but not yet to max) and I still get errors. Please check the link…thank you all…<br />REALLY THANK YOU FOR HELP<br /><A HREF="javascript:newWin('http://www.flickr.com/photos/44165167@N07/4058018945/')">http://www.flickr.com/photos/44165167@N07/4058018945/</A><br /><br /><b>Attachment Keywords : </b> <br />1) sh run4CSCO.txt<br />strmarinosOct 31, 2009, 2:22am PSTSorry, this is the attachmnet of sh run, please check te error at <A HREF="javascript:newWin('http://www.flickr.com/photos/44165167@N07/4058018945/sizes/l/')">http://www.flickr.com/photos/44165167@N07/4058018945/sizes/l/</A><br />thank you all<br /><br /><b>Attachment Keywords : </b> <br />1) sh run4CSCO.txt<br />sh run4CSCO.txt122975text/plaintext342610/31/2014no lgijsselNov 2, 2009, 4:52am PSTThis may very well be what it says:<br />Please check the network adapter settings on the end-nodes to see if perhaps TCP-offload is configured there.<br />It is not likely that this problem is related to your config because the router typically operates at IP level (layer 3) and does very little with the rest of the packet. <br /><br />regards,<br />LeoivarstrandbergOct 28, 2009, 1:56am PSTI have a Cisco ASA 5520 running software version 8.0(4), which serves as an endpoint for quite a few IPSec L2L-tunnels, and as an endpoint for up to 300 simultaneous VPN clients. Most of the clients use Cisco VPN Client, but 64-bit Windows-users - and 32-bit users that can't get the Cisco VPN client to work - use L2TP/IPSec.<br /><br />Some users - regardless of OS, I've heard the same for users of XP, Vista and 7 - complain that they get disconnected every now and then, and that sometimes they can't reconnect for the next 20 or so minutes, even though they are able to ping the VPN endpoint.<br /><br />Is there something wrong with the setup on my ASA? Or is this a known bug in 8.0(4)? 30ivarstrandbergNov 2, 2009, 3:44am PST*** bump ***<br /><br />Anyone got any ideas? The L2TP settings is pretty much default. mklemovitchOct 30, 2009, 7:09am PSTI have inherited a system that has a terminal server set up for remote connections. How do I get into the individual lines?<br /><br />It is a:<br /><br />dc4-tsv-02#sh inv<br />NAME: "2821 chassis", DESCR: "2821 chassis"<br />PID: CISCO2821 , VID: V04 , SN: FTX1222A00S<br /><br />NAME: "High Speed Wan Interface card with 16 RS232 async ports(HWIC-16A)", DESCR: "High Speed Wan Interface card with 16 RS232 async ports(HWIC-16A)"<br />PID: , VID: V01 , SN: FOC12114NTR<br /><br />NAME: "High Speed Wan Interface card with 16 RS232 async ports(HWIC-16A)", DESCR: "High Speed Wan Interface card with 16 RS232 async ports(HWIC-16A)"<br />PID: , VID: V01 , SN: FOC12114NXH<br /><br />NAME: "Virtual Private Network (VPN) Module", DESCR: "Encryption AIM Element"<br />PID: AIM-VPN/EPII-PLUS , VID: V02 , SN: FOC12184MGV<br /><br />and is running:<br /><br />dc4-tsv-02#sh ver<br />Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(18a), RELEASE SOFTWARE (fc3)<br /><br />I looked at the confguration guide at javascript:newWin('<A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml')">http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml</A>') and my TS does not have any of the "ip host" commands. <br /><br />Is this important given that my connections are all async consoles? What is the syntax for connecting to the individual async lines? I tried connect, etc. to no avail. The lines are all set up like this one:<br /><br />interface Async0/0/0<br /> no ip address<br /> encapsulation slip<br /><br />The lines appear to be live:<br /><br />dc4-tsv-02#sh line <br /> Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int<br /> 0 0 CTY - - - - - 0 0 0/0 -<br /> 1 1 AUX 9600/9600 - - - - - 0 0 0/0 -<br /> 0/0/0 2 TTY 9600/9600 - - - - - 4 0 0/0 -<br /> 0/0/1 3 TTY 9600/9600 - - - - - 1 0 0/0 -<br /> 0/0/2 4 TTY 9600/9600 - - - - - 1 0 0/0 -<br /> 0/0/3 5 TTY 9600/9600 - - - - - 1 0 0/0 -<br /> 0/0/4 6 TTY 9600/9600 - - - - - 4 12674 0/0 -<br /> 0/0/5 7 TTY 9600/9600 - - - - - 1 140 0/0 -<br /> 0/0/6 8 TTY 9600/9600 - - - - - 1 0 0/0 -<br /> 0/0/7 9 TTY 9600/9600 - - - - - 2 0 0/0 -<br /> 0/0/8 10 TTY 9600/9600 - - - - - 2 2619168 0/0 -<br /> 0/0/9 11 TTY 9600/9600 - - - - - 2 0 0/0 -<br /> etc. <br /><br /><br />Thanks in advance! 30 m.parry@skynetsystems.co.ukOct 30, 2009, 9:17am PSTHi<br /><br />You should execute a reverse telnet session to the line the connection is attached to.<br /><br />For example if your connection is on line 15 you need to telnet to the router on port 2015.<br /><br />eg: telnet 10.1.1.1 2015<br /><br />Hope this helps<br /><br /> mklemovitchOct 30, 2009, 10:30am PSTYes, that helped. I found the information through another source in the meantime (<A HREF="javascript:newWin('http://books.google.com/books?id=UbuEHLfhNmMC&pg=PA370&lpg=PA370&dq=connect+async+line+cisco+console&source=bl&ots=J5mBA0_clW&sig=fpvGz6W_xikAzImRdnaWZNMIoHs&hl=en&ei=aBnrSoqsHI2zlAfE9YCABQ&sa=X&oi=book_result&ct=result&resnum=8&ved=0CCcQ6AEwBzgU#v=onepage&q=connect%20async%20line%20cisco%20console&f=false')">http://books.google.com/books?id=UbuEHLfhNmMC&pg=PA370&lpg=PA370&dq=connect+async+line+cisco+console&source=bl&ots=J5mBA0_clW&sig=fpvGz6W_xikAzImRdnaWZNMIoHs&hl=en&ei=aBnrSoqsHI2zlAfE9YCABQ&sa=X&oi=book_result&ct=result&resnum=8&ved=0CCcQ6AEwBzgU#v=onepage&q=connect%20async%20line%20cisco%20console&f=false</A>)<br /><br />The "gotcha" here was to note that I needed to execute the telnet x.x.x.x zzzz from the terminal server host (x.x.x.x) itself.<br /><br />Thanks for the assist though - I rated your post accordingly.cargiant1tOct 30, 2009, 12:28am PSTHello <br />I have PIX515 as internet gateway where I configured static NAT to ASA<br />static (inside,outside) "public IP" “ASA IP” netmask 255.255.255.255<br />On ASA VPN I set route outside 0.0.0.0 0.0.0.0 192.168.1.1 where 192.168.1.1 is PIX<br />With that configuration I’m not able to access ASA VPN or WebVPN from external host <br />BUT <br />On my network is another internet line (backup) and is based on Cisco 877<br />When i change gateway on asa to 192.168.1.254 (Cisco 877 backup gateway) and on that router will create NAT for port 443 or any other one and pointing to ASA IP then is working without any problems (problem is so that line is not performing as fast as PIX one )<br />Any Idea why PIX with static NAT not allowing accessing ASA while any other host is accessible on this NAT configuration on PIX Firewall<br /> 30 lgijsselOct 30, 2009, 12:34am PSTYou must also add an acl permitting this traffic on the PIX:<br />access-list outside permit any host "public IP".<br />int outside<br />access-group outside in<br /><br />regards,<br />Leocargiant1tOct 30, 2009, 1:34am PSTHi Leo <br />Thanks for your reply <br />At the moment i have about 7 static NAT and ACL running on that PIX and they are fine , but as son as I put ASA on that internal IP instead of www, pop or any other server , then is no response at allcargiant1tOct 30, 2009, 2:25am PSTI resolved that issue , it was problem on ISP site komuja1Oct 28, 2009, 2:30pm PSTHi,<br /><br />I have a following configuration:<br /><br />Router AUX port -> FW Console<br /><br />If there is something problem in the FW I can log the FW from cisco aux but the problem is now that the aux port is sending character's to FW's console port and now if the FW is rebooting it will go bootloop because when the FW boot's there is situation where is something "press any key" and now cisco router sends characters and the FW boots again.<br /><br />Router AUX port config is following:<br />line aux 0<br /> no exec<br /> transport input all<br /> stopbits 1<br /><br />Which aux-port config the Cisco won't send any character to FW's console.<br /><br />br<br />J<br /><br /> 30 jlemoineOct 29, 2009, 10:58am PSTAdd "no logging console" to your configuration and see if that clears things up. komuja1Oct 30, 2009, 12:58am PSTHi Jody,<br /><br />Thanks for your reply.<br />Actually I have no logging console configured at router but I will configure this also to the FW..I forgot to configure this at FW :)<br /><br />')