Branch IPSEC VPN Site with WCCP setup for vWAAS - Overthinking this
OK, I have a fairly large WAAS environment so I'm kicking myself for overthinking this. I have a particular branch that has an 881 router that terminates an IPSEC connection back to my main location. I have a vWAAS at this branch site, so I'm going WCCP. I got the license upgrade to enable the WCCP feature set. Now I'm confused on the WCCP setup. There is only 1 VLAN at the branch. I have the WAAS set up to do WCCP GRE.
Question is: Would I do the redirect 61,62 on the VLAN1 interface? I think I would, but I'm used to dropping the 62 on the serial interface of my MPLS, i.e.:
int vlan1
ip wccp 62 redirect in
ip wccp 61 redirect in
HERE IS THE CURRENT CONFIG
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
interface Vlan1
description Branch Data VLAN
ip address 10.22.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
crypto ipsec client ezvpn Corporate-client inside
ip access-list extended branch-waas
remark WCCP Redirect ACL
deny tcp any any eq telnet
deny tcp any any eq 22
permit ip any any
WCCP 62 is to intercept the WAN traffic, but if you put it on the LAN side, you have to catch the traffic on its way out:
ip wccp 62 redirect out
There is no need to deny telnet and ssh, those both have policies in WAAS for passthrough. Also, I prefer to put my WAAS device on its own VLAN. However, if it is going to be on VLAN 1, your access list will need:
ip access-list extended branch-waas
remark WCCP Redirect ACL
deny ip any host (WAAS IP)
deny ip host (WAAS IP) any
permit ip any any
This is to make sure you do not loop WCCP traffic.
Just edited to change from TCP to IP in access list.
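As an added check (example code, not part of the original thread), the Python script below parses a branch-router config and flags the two loop-related problems the reply raises: service 62 applied "in" on the LAN VLAN, and a redirect ACL that does not deny the WAAS's own address in both directions before "permit ip any any". The config text and the WAAS address 10.22.1.50 are constructed for illustration.

```python
"""Lint a branch-router WCCP config for the two points made in the reply above:
service 62 on the LAN VLAN must redirect 'out', and the redirect ACL must deny the
WAAS address both ways. Added example; config text and WAAS 10.22.1.50 constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", ...
    src: str     # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    rest: str    # trailing qualifiers such as "eq 22" (empty if none)

@dataclass
class WccpConfig:
    redirect_lists: dict = field(default_factory=dict)  # service -> ACL name
    interfaces: dict = field(default_factory=dict)      # iface -> {service: in/out}
    acls: dict = field(default_factory=dict)            # ACL name -> [AclEntry]

def _take_addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_config(text):
    """Pull the WCCP-relevant pieces out of an IOS running-config."""
    cfg = WccpConfig()
    section = None  # ("interface", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip wccp (\d+) redirect-list (\S+)", line):
            cfg.redirect_lists[int(m.group(1))] = m.group(2)
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("interface", m.group(1))
            cfg.interfaces.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"ip access-list extended (\S+)", line):
            section = ("acl", m.group(1))
            cfg.acls.setdefault(m.group(1), [])
        elif section and section[0] == "interface":
            if m := re.fullmatch(r"ip wccp (\d+) redirect (in|out)", line):
                cfg.interfaces[section[1]][int(m.group(1))] = m.group(2)
        elif section and section[0] == "acl":
            tok = line.split()
            if tok and tok[0] in ("permit", "deny"):
                src, i = _take_addr(tok, 2)
                dst, i = _take_addr(tok, i)
                cfg.acls[section[1]].append(
                    AclEntry(tok[0], tok[1], src, dst, " ".join(tok[i:])))
    return cfg

def check_wccp(cfg, waas_ip, lan_interface):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if cfg.interfaces.get(lan_interface, {}).get(62) == "in":
        findings.append(f"{lan_interface}: service 62 on the LAN side must be 'redirect out'")
    for service, acl_name in sorted(cfg.redirect_lists.items()):
        entries = cfg.acls.get(acl_name)
        if entries is None:
            findings.append(f"service {service}: redirect-list {acl_name} is not defined")
            continue
        to_waas = from_waas = False
        for e in entries:
            if e.action == "permit" and (e.proto, e.src, e.dst) == ("ip", "any", "any"):
                break  # nothing after 'permit ip any any' is ever evaluated
            if e.action == "deny" and e.proto == "ip" and not e.rest:
                to_waas |= e.src == "any" and e.dst == f"host {waas_ip}"
                from_waas |= e.src == f"host {waas_ip}" and e.dst == "any"
        if not (to_waas and from_waas):
            findings.append(f"service {service}: {acl_name} does not deny ip to and from "
                            f"host {waas_ip} before 'permit ip any any' (WCCP loop risk)")
    return findings

# Constructed: the thread's original Vlan1 setup, WAAS assumed at 10.22.1.50.
ORIGINAL_CONFIG = """\
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
interface Vlan1
 ip wccp 61 redirect in
 ip wccp 62 redirect in
ip access-list extended branch-waas
 deny tcp any any eq telnet
 deny tcp any any eq 22
 permit ip any any
"""

# Constructed: the same config with the reply's corrections applied.
FIXED_CONFIG = """\
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
interface Vlan1
 ip wccp 61 redirect in
 ip wccp 62 redirect out
ip access-list extended branch-waas
 deny ip any host 10.22.1.50
 deny ip host 10.22.1.50 any
 permit ip any any
"""
```

Running `check_wccp(parse_config(ORIGINAL_CONFIG), "10.22.1.50", "Vlan1")` reports three findings, while the corrected config reports none.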
Similar Messages
-
Ipsec VPN site to site, best settings for optimal data transfer
I have a ISA570 at work and have set up an ipsec VPN site to site connection with my router at home which is a RV180. I'm trying to do large backups from my office to my home storage. Can you tell me what are the most efficient settings as far as the VPN connection is concerned to optimize the transfer rate? Also any settings that I may make on my Windows 7 workstation at work. I'm transferring from a worstation to the terrastation that I have at my home.
Hi Daniel,
I noticed that your post was located in the VPN Site to Site instead of the Small Business Security area. I have moved your post to the correct area so that you will get some help. As a Cisco customer with a service contract, you can call the small business support center to speak with an engineer. The phone numbers are located here:
https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
twitter: CiscoSBsupport -
having trouble loading ATT and CenturyLink sites with safari now, anyone else having this problem?
Howdy MacRocker,
Thanks for using Apple Support Communities.
To start with troubleshooting an issue like this where you're unable to load certain websites in Safari, I suggest that you clear out your browser history and website data.
Safari 8 (Yosemite): Clear your browsing history
Happy Holidays!
Alex H. -
Best practice with WCCP flows for WAAS
Hi,
I have a WAAS SRE 910 module in a 2911 router that intercepts packets from this router with WCCP.
All packets are received by external interface (gi 2/0, connected to a switch with port configured in WCCP vlan), and are sent back to the router via internal interface (gi 1/0 directly connected to the router) :
WAAS# sh interface gi 1/0
Internet Address : 10.0.1.1
Netmask : 255.255.255.0
Admin State : Up
Operation State : Running
Maximum Transfer Unit Size : 1500
Input Errors : 0
Input Packets Dropped : 0
Packets Received : 20631
Output Errors : 0
Output Packets Dropped : 0
Load Interval : 30
Input Throughput : 239 bits/sec, 0 packets/sec
Output Throughput : 3270892 bits/sec, 592 packets/sec
Packets Sent : 110062
Auto-negotiation : On
Full Duplex : Yes
Speed : 1000 Mbps
WAAS# sh interface gi 2/0
Internet Address : 10.0.2.1
Netmask : 255.255.255.0
Admin State : Up
Operation State : Running
Maximum Transfer Unit Size : 1500
Input Errors : 0
Input Packets Dropped : 0
Packets Received : 86558
Output Errors : 0
Output Packets Dropped : 0
Load Interval : 30
Input Throughput : 2519130 bits/sec, 579 packets/sec
Output Throughput : 3431 bits/sec, 2 packets/sec
Packets Sent : 1580
Auto-negotiation : On
Full Duplex : Yes
Speed : 100 Mbps
The default route configured in WAAS module is 0.0.0.0/0 to 10.0.1.254 (router interface).
Would it be better that packets leave WAAS module by the external interface (in place of the internal interface) ?
Is there a best practice recommended by Cisco on this ?
Thanks.
Stéphane
Hi Stephane,
We usually advise the following in such scenario with an internal module:
"ip wccp 61 redirect in" the LAN interface.
"ip wccp 61 redirect in" on the WAN one.
"ip wccp redirect exclude in" on the internal interface between the WAAS and the router.
That way, we are sure that no loops are created because of the WCCP redirection.
Regards,
Nicolas -
Web site with java benchmarks for various cpus?
Is there a web site that shows Java benchmarks run on various P4 and AMD CPUs, so that it is possible to see the relative speed at which Java runs on these CPUs?
You'll find a few if you search around, but none will be meaningful. The problem with Java, or any other virtual-machine type runtime language, is you cannot design a benchmark that really has meaning in any context but the benchmark itself. First off, you're not benchmarking "Java", you're benchmarking the "JVM". I try to convince people not to waste so much time on these speed issues. Your time would be better spent learning how to write better code, which would give a much bigger speed increase than switching from a P4 to an Athlon. Developers often make mistakes and oversights in their work that slow a program down by an order of magnitude. You're never going to see that kind of performance difference in CPUs. So get a good deal on a machine, the most "bang-for-your-buck" if you will, and go to town, and stop worrying; HotSpot is fast.
SPARC chips are a different story because of a little thing called register coloring... but you didn't mention SPARC chips, so I won't tell the story.
Spinoza -
Help with DNS setup for LAN only
I have a Mac Mini SNS 10.6.8 as our company's local standalone fileserver.
Everything has run great for the past year (still is), but now I want to try and set up DNS for more control and services.
The server host name is servername (no FQDN), which shows up in Server Admin as servername.local.
I read and followed Hoffman Labs great step-by-step, but must have missed something, since I still cannot get DNS resolution.
Here is a brief summary of the Server Admin settings:
Host Name servername
Host (Server) IP 192.168.4.2
Router IP (also default public DNS IP) 192.168.4.1
Bonjour Wide Area = Not enabled
Settings Accept recursive queries = localnets
Settings Forwarder IPs = 8.8.8.8 & 8.8.4.4 (Google Public DNS)
now... Zones 1 Primary Zone = companyname.net (we own the domain)
Primary Zone Name = companyname.net
Nameserver Zone = companyname.net
Nameserver Host Name = servername.companyname.net
2 A Records:
servername 192.168.4.2
user1 192.168.4.3
Reverse mapping - automatic - OK
Testing Ran sudo changeip -checkhostname
Results:
Primary address = 192.168.4.2
Current hostname = servername
The DNS hostname is not available. Please repair DNS and re-run this tool.
I must be doing something wrong, but I don't know what it is. Please help.
Did you intend to have both "example.com" and "example.net" listed there? Are those domains really different? I'm going to assume that was an obfuscation error. (This is part of the "fun" of obfuscation, unfortunately. Of having to differentiate errors in the actual configuration from errors that were introduced during the obfuscation.)
>Oddly, even though I had manually assigned our Comcast gateway's DNS to Google DNS IPs, the gateway summary still shows up as Comcast's DNS server IPs. So I removed the manually assigned Google DNS IPs from the gateway.
The gateway (or whatever you're using as your DHCP server) should be configured with the DNS server address of 192.168.4.2. All other hosts on your network (if you're planning to use your local DNS everywhere on your LAN) should also reference 192.168.4.2, either through an explicit static configuration, or as the address that was received from the DHCP server.
And as for IP routing, are all your hosts, network printers, network gateways, DHCP servers, etc., all in the range of 192.168.4.1 to 192.168.4.254? (They should be, if you're using a /24-class 255.255.255.0 subnet mask.)
But then I don't know where this configuration has gone off the rails... (Over the years, I've seen and have made my own configuration errors, I've been "bagged" by DNS caches, and I've hit various bugs in DNS implementations.) What you have stated here should work.
I'd start at the top of the DNS configuration article, and not stray from what is written there. That there has been Google DNS and have had ISP DNS configured at the gateway does mean there were some areas that have strayed from the article. I'd suggest following the DNS server configuration directions exactly.
Setting up DNS services with OS X Server isn't difficult, but it can be a little fussy.
If you don't understand something that's written in that article -- or if you believe you need to enter something different than what's listed there -- then please stop and ask about it. Either ask here, or ask over there. (This feedback also helps improve that article.)
Straying from what's written in that article is certainly and entirely feasible, but that's something best left until after the administrator is more familiar with running a DNS server. Once you know how and why and where you can stray, there are all sorts of things you can do within a DNS configuration. -
All,
When I try to open a website I get "request timed out" after a few minutes. I have done a Wireshark capture but am unable to identify the problem; in particular the URL /timetracking/home.asp is not working. Can you help out here? Please find attached captures from source to destination and vice versa.
Thanks in advance. -
Yes, I tried that. It did not work for me.
I have 4 site collections. The main site collection is the only one that I receive the error.
When the user clicks on the email link and opens the document for approval, they receive the following error when they click on "Open This Task".
Element '{http://www.w3.org/1999/xhtml}a is unexpected according to content model of
parent element '{http://schemas.microsoft.com/office/infopath/2009/WSSList/dataFields}Body'.
There is nothing wrong with the task list itself, just the link from the Office 2010 client.
I am wondering if there is a web config or other file on the server that is specific to the site collection??
Tracey -
Help with ODBC setup for MySQL
I am having issues understanding what is needed for ODBC setup on OS X. I need to set up a MySQL connection. Are the drivers included on Snow Leopard, or if not, where can I get them? Are they free or do you have to purchase them? I keep finding documentation that assumes too much. Would appreciate any help.
Will have to repeat this for my Lion server after I get this to work. -
Thank you for your very quick reply!
I have read through the Disk Setup page, and it has cleared up a couple of points.
Now, from what I understand - running the Media on a RAID 0 arrangement, doesn't seem to be a great idea due to no redundancy - however, I'm confused as to whether storing the media on 1 HDD would make for stable streaming of multiple streams of HD footage in Premiere sequence...
I found the comparison between the SSD & HDD interesting too, in the sense that running two large HDDs in RAID 0 for the Media Cache & Previews is actually 'quicker' than running them off a single SSD - and that no redundancy isn't so much of an issue here, as they're just the previews, not the actual media.
So, am I right in saying the setup below would offer a much more efficient solution than my current disk setup, whilst still keeping costs low by using software RAID, rather than buying large SSDs?
Disk 1: OS & Programs (SSD)
Disk 2: Media & Projects (HDD)
Disk 3/4: Media Cache & Previews (2x HDD in RAID 0)
Many thanks, once again! -
Awesome Site with Example Code For All Classes
Very cool site that has example code for all the Java classes and APIs. You can submit example code yourself too!
http://www.kickjava.com/ -
kevjava wrote: Some things that I think would be useful:
Suggestions reordered to suit my reply..
kevjava wrote: 2. Line numbering, and/or a line counter so you can see how much scrolling you're going to be imposing on the forum readers.
Good idea, and since the line count is only a handful of lines of code to implement, I took that option. See the [line count|http://pscode.org/stbc/help.html#linecount] section of the (new) [STBC Help|http://pscode.org/stbc/help.html] page for more details. (Insert plaintiff whining about the arbitrary limits set - here).
I considered adding line length checking, but the [Text Width Checker|http://pscode.org/twc/] ('sold separately') already has that covered, and I would prefer to keep this tool more specific to compilation, which leads me to..
kevjava wrote: 1. A button to run the code, to see that it demonstrates the problem that you wish for the forum to solve...
Interesting idea, but I think that is better suited to a more full blown (but still relatively simple) GUId compiler. I am not fully decided that running a class is unsuited to STBC, but I am more likely to implement a clickable list of compilation errors, than a 'run' button.
On the other hand I am thinking the clickable error list is also better suited to an altogether more abled compiler, so don't hold your breath to see either in the STBC.
You might note I have not bothered to update the screenshots to show the line count label. That is because I am still considering error lists and running code, and open to further suggestion (not because I am just slack!). If the screenshots update to include the line count but nothing else, take that as a sign. ;-)
Thanks for your ideas. The line count alone is worth a few Dukes. -
Need help with correct setup for SuiteLink - Get ACE error message 7078
When I enable SuiteLink via:
ace_set_mode( g_ah, ACE_MODE_ENABLE_SUITELINK, TRUE );
ace_set_file( g_ah, ACE_DIR_SUITELINK, "D:\\PW\\201108\\SuiteLink" );
ace_set_file( g_ah, ACE_DIR_NAME_PARSING_FILES, (char*)"D:\\PW\\201108\\ncoalink" );
Right after
ace_open( g_ah );
I get the following ACE error: 7078
where the description is: an incompatible version of the name parsing library required to run was found.
1) I'm not entirely sure where ACE_DIR_NAME_PARSING_FILES should be pointing to. We don't use NCOA but the documentation says both SuiteLink and NCOALink use the same parsing files.
Inside NCOALink\ there is parsing.dct with a datestamp of 1/13/2009 which seems old.
I am running ACE800cRev5, just downloaded the July 2011 directories. ace32.dll version 8.4.5.0
Thanks!
Michael,
A regular ACE job with SuiteLink enabled would also use the same parsing files located in ncoalink\. The parsing.dct included with my ACE 8.00c.05 is also dated 1/13/2009.
I have little expertise with ACE RAPID, but I would guess that ACE_DIR_NAME_PARSING_FILES should also be set to ncoalink\.
Regards,
Brandon -
Help with initial setup for AirPort Express
Now, before we decided to go wireless, our internet was configured like this: cable cord to router, ethernet cable connecting the router to CPU. This worked fine and our internet has never really had any sort of problems. However, we have had problems with our new AirPort Express. I've tried taking the ethernet cable that's connecting our router to our CPU, and using it to connect the router to the AirPort Express.
However, I keep getting the flashing amber light. When I go into the diagnostics, it says that it cannot pick up an internet connection, even though I'm able to get internet when I plug in directly. If I try to ignore this and set up the account anyway, I can get my computer to connect to the AirPort Express, but I can't get the AirPort Express to connect to the internet.
Please help!
pen22, Welcome to the discussion area!
Did you configure the AirPort Express (AX) to use the same settings as your CPU to connect to the internet? -
Inter-VPN routing with export map for host routes
Hi,
I am trying to export host routes from a connected network from one VRF to multiple other VRFs. This is to allow leaking specific host routes for management purposes. However, I suspect that the /32 host route(s) actually need to be present in the management VRF so the RTs are added accordingly, rather than just being specified in the match clause of the MGMT VRF export map.
Ideally here, I only want to export 10.111.111.254/32 from the connected network 10.111.111.0/24 in the MGMT VRF. The only way around this I can see is to move 10.111.111.0/24 behind another device, and add specific host route(s) within the MGMT VRF for the 10.111.111.X/32 host routes (which are redistributed into the MGMT VRF), using the additional device as the next hop.
ip vrf MGMT
rd 1:1
export map MGMT-EXPORT-MAP
route-target export 1:1
route-target import 1:1
route-target import 1:1001
ip vrf CUST-B
rd 1:2
export map CUSTOMERS-EXPORT-MAP
route-target export 1:2
route-target import 1:2
route-target import 1:1000
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip vrf forwarding MGMT
ip address 10.111.111.1 255.255.255.0
interface FastEthernet0/0.200
encapsulation dot1Q 101
ip vrf forwarding CUST-B
ip address 10.96.2.1 255.255.254.0
router bgp 65000
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
address-family ipv4 vrf CUST-B
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf MGMT
redistribute connected
no synchronization
exit-address-family
ip prefix-list CUSTOMERS seq 5 permit 10.96.2.0/23
ip prefix-list ONPREMISE seq 5 permit 10.111.111.0/24
ip prefix-list ONPREMISE seq 10 permit 10.111.111.254/32
route-map CUSTOMERS-EXPORT-MAP permit 10
match ip address prefix-list CUSTOMERS
set extcommunity rt 1:1001 additive
route-map MGMT-EXPORT-MAP permit 10
match ip address prefix-list ONPREMISE
set extcommunity rt 1:1000 additive
Cheers,
Matt
Hi Matt,
Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
Regards
Varma -
When I try to get onto YouTube, the site is completely white with the words "Authorization Error" in the top left corner. For a while, all I had to do was reload YouTube and it was fine. Now it just won't work at all. I have Internet Explorer on my computer as well and YouTube works fine on there. When this error occurs, the icon in the address bar changes back to YouTube's old icon.
I have tried:
-Updating Firefox
-Restarting the computer
-Closing and re-opening Firefox
-Typing https instead of http before the address
-Googling and clicking Google's link to the site (yes, a feeble attempt, I know)
Does anyone know what I can do to get YouTube back on my favorite browser? I'd like to stop having to run to Internet Explorer to use this site.
Thanks!
Clear the cache and the cookies from sites that cause problems.
"Clear the Cache":
*Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
"Remove Cookies" from sites causing problems:
*Tools > Options > Privacy > Cookies: "Show Cookies" -
The pop-up that asks if I want to save this login name and password every time I log in to a site. It is huge and annoying as hell. I just want to have an option to stop it. I know it's there, I don't need to be reminded every time, and if I wanted it to remember I would use it. Give me a break. -
For anyone coming in to find this, I located my answer here:
[Special Applet Attributes|http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/special_attributes.html#codebase]
Thanks for reading.
Sorry for the interruption. -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With split tunnel with simultaneous access to the internal LAN and outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here?
Following is the running-conf with normal Client to Site IPSec VPN configured with no internet access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
Please tell me what needs to be done here to hairpin all the internet traffic coming from VPN clients.
That is, I need clients connected via the VPN tunnel, when connecting to the internet, to have their IPs NATed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was the ASA needed some time after configuring to work properly (??????). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and there was also this left-out DNS. It's working fine now.
But my problem is not solved fully here.
Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1) the LAN behind the ASA
2) the Internet via hairpinning
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN as well?
Thanks & Regards
Abhijit
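The packet-tracer output above ends in phase 10 with the dynamic NAT rule nat (internet2-outside) 1 192.168.150.0 255.255.255.0 matching VPN-pool traffic bound for campus-lan and failing with "No matching global", because the only global for pool 1 sits on internet2-outside. In pre-8.3 ASA NAT (the syntax used throughout this thread), a NAT-exemption rule (nat 0 access-list) is evaluated before dynamic NAT, so exempting pool-to-LAN traffic lets it pass untranslated while pool-to-Internet traffic still hits the hairpin rule. The fragment below is an added example for this page, not configuration from the original post or from any reply in the thread; the interface names, VPN pool and campus subnet are taken from the thread, while the ACL name VPN-to-LAN and the global line are assumptions (the config tail shown on the page does not include the existing NAT and global lines, so it is also assumed that no exemption yet covers this direction on internet2-outside).

```cisco
! Added example (not from the thread): pre-8.3 ASA NAT layout that lets the
! 192.168.150.0/24 VPN pool reach both the campus LAN and the Internet.
!
! Hairpinning: decrypted VPN traffic re-enters and leaves on the same
! interface (internet2-outside), which the ASA refuses by default.
same-security-traffic permit intra-interface
!
! Keep the default: decrypted VPN traffic bypasses the interface ACL.
sysopt connection permit-vpn
!
! NAT exemption for VPN pool -> campus LAN. nat 0 access-list is checked
! before dynamic NAT, so this traffic is never translated and never
! reaches the "No matching global" drop seen in phase 10.
! The ACL name VPN-to-LAN is an assumption.
access-list VPN-to-LAN extended permit ip 192.168.150.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (internet2-outside) 0 access-list VPN-to-LAN
!
! Dynamic PAT for VPN pool -> Internet (the hairpin case). Only traffic
! not matched by the exemption above reaches this rule, and because it
! has a matching global on internet2-outside it translates to 2.2.2.2.
! The global line is assumed; the thread only shows the nat line.
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
global (internet2-outside) 1 interface
```

To check the change, rerun the same trace from the post, packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22: the NAT phase should now report the nat 0 exemption with Result: ALLOW and the output interface should be campus-lan rather than internet2-outside. A trace from the pool to an Internet address should still show the dynamic translation to 2.2.2.2 with output interface internet2-outside, which confirms both paths coexist for one tunnel-group. The exemption ACL is deliberately narrow (pool to 172.16.0.0/16 only); a permit ip any any there would also exempt Internet-bound pool traffic and break the hairpin NAT.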