3015 Concentrator - vpn in

Quick question here: what does it mean when a user gets to "Contacting the security gateway 10.10.10.10" but never passes this point? They time out eventually, and that is the last thing they see when they attempt to VPN in.

Warren
I have seen symptoms such as you describe when the user VPN client was configured with a group ID and group password but the group ID or password was not correct. I would suggest that you work with this user and go through the VPN client config. Make sure that the group ID and password are erased and entered again (be especially careful about upper case and lower case in the group ID as well as password).
There is some possibility that it might be an issue with the ISP. I have sometimes seen symptoms like this that were resolved by going into the VPN client config, into the transport tab, and changing the transport between UDP and TCP. If re-entering the group ID and password does not resolve the issue then you might want to change the transport.
HTH
Rick

Similar Messages

  • Maximum session VPN 3015

    Good morning,
    It was just brought to our attention that we have reached max sessions on the VPN 3015 concentrator (100 max sessions). I would like to swap this out with a VPN 3030 (1500 max sessions). But I have a couple of questions.
    1. Which entry on the group will disconnect personnel after, let's say, 20 minutes of inactivity?
    2. Can I basically just back up the configurations of each concentrator and restore so that all we lose is the time it takes to make the physical swap out?
    Thanks
    Dwane

    I think to configure auto disconnect after an idle period, first go to Configuration | User Management | Groups | Modify IPSec tab. Check what the IPSec SA is. Then go to Configuration | Policy Management | Traffic Management | Security Associations | Modify. Configure the Time Lifetime to the required time. Apply the changes.
    Then take a look at the IKE Proposal. Go to Configuration | Tunneling and Security | IPSec | IKE Proposals, select and modify the proposal in order to use Time Lifetime = required time. For the second question, I think you can copy the same configuration to the new concentrator.

  • How do you keep your VPN clients up to date?

    Hi, how do you keep your Cisco VPN clients up to date? Our users connect to a Cisco 3015 Concentrator. It needs to be as automatic as possible.
    Thanks

    Check this link,
    http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/guide/vcAch3.html
    Example:
    Steps to perform an automatic update for VPN client :
    ===================================================
    1. Download update-4.8.00.0440-major-K9 file on your PC from the link below and unzip it.
    http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-3des
    It will have the following files:
    - binary_config.ini
    - sig.dat
    - vpnclient-win-is-8.00.0440-k9.exe
    - vpnclient-win-msi-8.00.0440-k9.exe
    2. Create a webserver with a folder and move all the above files to this folder on webserver.
    3. Now on your vpn client create a new profile. This profile file will appear in the profiles folder of the vpn client. Copy this file to your desktop and zip it. Name the zipped file as profiles.zip. Delete the profile from the client.
    4. Make a copy of your binary_config.ini on your desktop. Rename it to new_update_config.ini. This is just to make sure it's not saved as a txt file.
    Open the above file and write the following on it:
    [Autoupdate]
    Required=1
    5. Now move the new_update_config.ini and profiles.zip to the webserver. Once we browse to the webserver it should look like --
    http://webserver/~razshah/vpn_profile_update462/
    Index of /~razshah/vpn_profile_update462
    Name Last modified Size Description
    Parent Directory 09-Mar-2005 13:24 -
    binary_config.ini 09-Mar-2005 13:26 1k
    new_update_config.ini 11-Mar-2005 11:35 1k
    profiles.zip 09-Mar-2005 13:26 1k
    sig.dat 09-Mar-2005 13:26 2k
    vpnclient-win-is-4.6..> 09-Mar-2005 13:26 7.6M
    vpnclient-win-msi-4...> 09-Mar-2005 13:26 10.3M
    6. The concentrator is configured as follows:
    Client Type is Windows
    URL http://webserver/~razshah/vpn_profile_update462
    Revisions 4.6
    7. On your PC go to the VPN Client > updates folder. Delete the update_config file if it's already there. This folder should have only autoinstall (this file will be added if update works) autoupdate header files.
    The update does take about 5 mins. To see the new file we have to close and reopen the client. Once connected make sure you are able to browse to the webserver and see all the files.
    1- Auto update runs only on Windows 2000 and Windows XP, all other client types update manually. Windows NT users get notified and can get an update manually from the update server.
    2- Remote users must have the VPN Client for Windows 4.6 or greater installed on their PCs to use the automatic update feature.
    Regards,
    ~JG

  • Getting Microsoft DHCP to work with 3015

    I'm having trouble setting up a WIN2K DHCP server to hand out addresses to my VPN clients (client v.3.5.3, 3015 concentrator v3.6.3). The Private subnet of the Concentrators is on the same network as the DHCP server. The DHCP addresses only exist for the clients, so there isn't a physical network that uses the same subnets. This setup is currently working by using the local pools on the Concentrators, but when I try to point the Concentrators to the active DHCP scopes, it gives me an error saying that it cannot retrieve an address from DHCP. On the Concentrators, I've added the server IP into the DHCP server section as well as enabling "DHCP Parameters". I've setup superscopes on DHCP which combine 2 class C's to hand out to the "router" (which is the Concentrator's private interface IP), but I don't know why it's failing!!!
    Please help!!!

    Already answered under the VPN - Security section, check there for results if interested.

  • 3015 certificate

    The certificate on my 3015 concentrator is due to expire in a couple days. When I try and renew it, it prompts me for the pword for the cert. I have no clue what that would be.
    What else can I do to renew it ??
    Thanks for any replies !!!

    Hello,
    A rather complete guide for dealing with certificates in a VPN concentrator is found in "Certificate Management" at http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a00803ef352.html
    In the text it gives (hopefully) an answer to your question:
    "Challenge Password — Use this field according to the policy of your CA:
    –Your CA might have given you a password. If so, enter it here for authentication.
    –Your CA might allow you to provide your own password to identify yourself to the CA in the future. If so, create your password here.
    –Your CA might not require a password. If not, leave this field blank.
    Note This field (and the Verify Challenge Password field) display if you are requesting a certificate using SCEP. This field does not apply to manual certificate requests."
    So depending on your certificate you can leave it empty or define it here or have to match a preset password during CA creation.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Concentrator cannot ping to router

    Hi,
    I have a Cisco 1700 VPN router connection to a concentrator VPN 3005 located overseas via a 256k lease line.
    The concentrator can ping the Cisco 1700 VPN router ethernet port (private IP) during office hours 0900 - 1800 hrs but cannot ping after 1800 hrs, but it can ping the router serial port (public IP).
    Please advise how I can resolve this issue.
    Thanks

    There's obviously a time bound filter applied here, check for any time based filter in the concentrator.

  • IP Pool assigned by the ACS

    Hi,
    We are implementing the VPN 3015 Concentrator and using ACS to assign IPs to the VPN clients. Want to use 10.200.200.0/24 subnet as a pool, but I can not find the way to assign the right mask. I guess, the ACS detects that this is a class A network and assigns 255.0.0.0 mask to the clients. Is there any way to hardcode it to 255.255.255.0?
    Thank you,
    Evgueni

    It is recommended to reconfigure the settings in the VPN concentrator and the ip pools on the ACS:
    On the VPN Concentrator, choose Configuration > System > Address Management > Assignment > Use Address from Authentication Server > Apply in order to choose the authentication server option for IP address assignment.
    On the Cisco VPN 3000 Concentrator, choose Configuration > System > Servers > Accounting Servers.
    Add the details for the ACS in order to specify the ACS as an Accounting Server. This allows the ACS to see what IP addresses are in use and assign free IP addresses.
    In the ACS, go into either the User Setup or the Group Setup in order to provide the IP address.
    Choose VPN Client IP Address Assignment.
    Choose Assigned from AAA server pool. An IP address pool on the Authentication Authorization Accounting (AAA) server assigns the IP address.

  • Is there a service contract for device

    Hi,
    sorry I can't find a more appropriate category...
    My problem: I am not sure if there is an active (non-expired) service (contract) for our Cisco VPN 3015 concentrator. So I have the serial but how can I search for a suitable contract? Maybe Cisco is able to get the information if the concentrator is under service or not - but in which way?
    thank you
    kind regards
    daniel

    Hi Daniel,
    you can try if you have access to this tool:
    http://apps.cisco.com/CustAdv/ServiceSales/smcam/requestStatusDispatch.do?methodName=onDashboardAction
    If not, and you bought the device from a Cisco Partner or Reseller, you can ask them and they should be able to look it up.
    Or you could simply call or email the TAC and ask, I suppose.
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
    hth
    Herbert

  • Recording internal IP addresses using Microsoft Client

    Hello
    Some of my users are using the Microsoft built-in Client in Windows to initiate VPN connections into a 3015 Concentrator.
    However, using this Client I do not seem to be able to get the 3015 to log the internal IP address the 3015 has issued from the configured pool. I need this in order to fulfil audit trail requirements but only log the username and their external (ISP) address.
    I notice that with the Cisco Client both the internal and the external IP address is recorded fine, providing an audit trail.
    The environment I work in does not allow me to specify a client type to use as this would be restricting users!
    Can anybody help me find a way to record the assigned internal IP addresses for users using non-Cisco Clients? The data I need is available in real-time from the Concentrator, but I cannot find a way to send it to a syslog server.
    thanks
    Bryn

    Try a ping broadcast - for example if your network were 192.168.1.xxx (netmask of 255.255.255.0) try this from a Terminal.app window (located in /Applications/Utilities):
         ping 192.168.1.255
    If you have a different type netmask, you need to put 255's where the 0's are in your netmask.
    Everyone on the local network (the 192.168.1.xxx network) should reply that it is up and running unless you have them set up to not respond to pings (the WAN port on your TC should not reply cause it's in a different network) and you have your list of clients on the network. If you set up the TC to dedicate a range of addresses for WiFi clients you can even identify which of them are wired and which are wireless.
    good luck.

  • Disable warning message of firewall optional

    Hi,
    I have configured the firewall setting on the concentrator VPN as optional, and this setting gives a warning message once connected on the client VPN.
    I want to disable this warning for users.
    Is it possible?
    Thanks for your help
    Best regards

    That error is coming for ur config, so u can't skip that message from BAPI returns, try to change CostCenter or Document Type.
    regards
    Prabhu

  • I wish for a VPN concentrator with cmd-line IOS!=HELP on public IP block move

    If you have the time, I would like to run a problem past u that I am sure there is an easy answer to, but I keep running into a major brick wall, every way I go. It basically has to do with changing to a new ISP and new T1, losing the IP block, moving to and a new T1/IP block. Both old and new are up right now on separate 2600 routers, although no traffic is on the “new” T yet. All my remote sites (around 25) VPN back to a concentrator (3015) which has an outside public address from the ISP that is going away (as soon as I get them all switched over). The problem is the fact that, like I would normally do, I can’t have a one time “cut-over” and change all the sites. I need to find a way to migrate, slowly, over a few weeks, these satellite sites, which must stay up 24/7. I thought that it was going to be as simple (since I brought the second T up on a separate router), as adding a secondary address from the “new” block onto the concentrator's public interface...??? Then slowly pointing each client (hard 3002s and some soft) to this address, then, when all were moved, dropping the old T and the $1,000.00 a month it is costing. Of course, there is no “IP address secondary” command on the 3015. Could I utilize the 3rd interface for the new block?? I wish it had the same command-line as router IOS. By the way, the old T is dedicated, the new is frame-relay. My solution of last resort is to build a shadow VPN config. from the 3015 onto a PIX515R I have, and terminate on it. Then put the new public ip address on the away the 3015 and move them back one at a time………..ANY…I mean ANY suggestions u might have would be appreciated.

    See if you can demo a linkproof for 30-45 days.
    www.radware.com. We ran across the same thing, put it in place, showed the VP, bought it and then put in 5 more T1's for higher throughput.
    Takes about 2-1/2 hours to get where you need it.
    It's either that or BGP, which if your ISP is managing the routers, then I don't think you even want to look down that road.
    With the linkproof you can have both T's running and move people over when you feel like it.
    Basic Linkproof LT 10mbs throughput is about $6500. Demos are free though.

  • LDAP ON VPN CONCENTRATOR

    I have a vpn 3015, I want my vpn users to be authenticated and authorized to the vpn 3015 through my Active Directory (LDAP).
    For Authentication server, I use Kerberos/Active Directory Server and it works when I test it.
    But for the Authorization Server, I use LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when I test it, it doesn't work. Why?
    Thanks

    The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html

  • Concentrator 3015 - Can you lock clients down by PORT?

    I have a 3015 setup and have created a tunnel, which works fine. I also have it locked down to specific IP addresses.
    My question is, can you lock the clients down to only a few specific ports? (ex. port 3389 only)

    Yes, you can. There are a few steps that you need to take in order to do this. In a nutshell, you need to define a set of rules, create a filter, and then apply the filter to the group.
    To create the rules, go to: Configuration->Policy Management->Traffic Management->Rules
    Here is a link that discusses rules within the concentrator. If you scroll down the page a bit, the section below this one walks you through the process to create the rules. Take a look at some of the default rules that are configured. One thing to keep in mind is that you need to define rules for the return traffic as well unless you want to use some of the default rules to allow all outbound traffic going back to the clients.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/polmgt.htm#1321359
    Once you have your rules defined, you need to set up a filter. The filter is nothing more than a group that allows all of the rules you have defined to be associated together. The link below talks about filters and the section below talks about adding a new filter. To create the filter go to Configuration->Policy Management->Traffic Management->Filters
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/polmgt.htm#1321359
    Once you have your filter defined, you need to associate it to a group. This is done in Configuration->User Management->Groups, selecting the group to apply the filter to and modifying the group. On the General tab for the group being modified, there is an option to associate a filter to the group. Select the filter you setup and apply your changes.
    I would set up a test group to allow you to get comfortable with setting up the rules/filters before implementing them on a production group where you could impact users. This will let you make sure the rules/filter you have set up work the way you expect them to while not impacting any of the production users.
    HTH
    -Steve
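A simplified model of the rules-plus-filter approach in Steve's answer, added here as an example; it is not part of the original thread and is not the concentrator's own logic. It shows why a rule for the return traffic is needed when a filter only forwards port 3389. The direction names, the first-match evaluation order, the default-drop action and the sample packets are assumptions of this model.

```python
from dataclasses import dataclass

ANY = (0, 65535)  # any port

@dataclass(frozen=True)
class Packet:
    direction: str   # "from_client" or "to_client" (names chosen for this model)
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    proto: str
    src_ports: tuple = ANY
    dst_ports: tuple = ANY
    action: str = "forward"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1])

def evaluate(rules, packet, default="drop"):
    """Assumed semantics: first matching rule wins, otherwise the filter default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "(filter default)"

# Rule for client -> server RDP, and the matching rule for the replies.
RDP_IN = Rule("rdp-in", "from_client", "tcp", dst_ports=(3389, 3389))
RDP_RETURN = Rule("rdp-return", "to_client", "tcp", src_ports=(3389, 3389))

# Constructed sample traffic (not captured from a real device).
SAMPLE = [
    ("RDP request", Packet("from_client", "tcp", 50123, 3389)),
    ("RDP reply", Packet("to_client", "tcp", 3389, 50123)),
    ("SMB request", Packet("from_client", "tcp", 50124, 445)),
    ("SMB reply", Packet("to_client", "tcp", 445, 50124)),
    ("DNS query", Packet("from_client", "udp", 50125, 53)),
]

def run(rules):
    """Return {label: verdict} for the sample traffic under the given rule list."""
    return {label: evaluate(rules, pkt)[0] for label, pkt in SAMPLE}

if __name__ == "__main__":
    for title, rules in (("request rule only", [RDP_IN]),
                         ("request + return rules", [RDP_IN, RDP_RETURN])):
        print(title)
        for label, verdict in run(rules).items():
            print(f"  {label:12} {verdict}")
```

With only the request rule, the RDP reply falls through to the default drop, so the session never completes even though the request was forwarded.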

  • 3015 VPN & Password expiry

    Hi, I am currently using a 3015 (ver3.5.5), ACS (3.1) & the VPN client (3.5.1).
    I would like to implement password expiry however I do not use the windows domain for authentication - I use the ACS internal database. I don't seem to be able to find anyone else doing this or config examples. Does anyone know if this is possible?
    Thanks, John.

    John,
    ACS (3.1) supports Password expiry configuration.
    Cisco Secure ACS supports MS CHAP-based password aging feature which works with the Cisco VPN client (version 3.0 or greater). This feature prompts a user to change his or her password after a login where the user password has expired.
    You will need to configure ms-chapv2 password expiration in ACS, and choose "RADIUS with Expiry" on the VPN concentrator.
    Oscar

  • VPN concentrator and webVPN

    Hi,
    Trying to set up VPNc 3005 for WebVPN. The VPNc is configured with NTP server so the clock is fine. I installed SSL vpn client and SecureDesktop software onto the VPNc. Create a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface so the certificate is good. When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both ssl vpn client and secure desktop onto my winXP, I have admin privilege on the XP machine, then it tells me that the vpn concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684
