Advice with Site-to-Site VPN Setup
Hi all
I'm needing to set up a site to site VPN specifically for deploying multiple IP phones at a remote site. I need help selecting the right hardware.
At my central site with the phone system (Samsung 7100) I have an ADSL connection using a Linksys AG300 dedicated to the phone connection. At my remote site I currently do not have a device, though have been playing with a DLink dir-130 that refuses to play nice with the AG300. The remote site connects to the interweb via a router I don't control but will do VPN passthrough.
My central site is a static IP, but the remote site is not.
Can anyone suggest the right piece of kit? The RV042 looks like it may be OK, but I need to be certain. Note that the devices at either end will be the VPN endpoints, i.e. no servers/firewall appliances at either end.
TIA
Hi Nigel,
I will give you some choices and some basic reasons for my selection. There are a lot more routers in the portfolio, but from your posting you seem to intimate you want to check out the lower priced Cisco Small Business products.
1. SR520-FE-K9
A very very low cost Cisco IOS based router.
It offers the advantages of the Cisco IOS CLI at a low low price
excellent debugging
excellent counters
can be managed by the free utility Cisco Configuration Assistant
supported by Cisco TAC
Allows for site to site IPSec VPN tunnels
There are two ADSL variants SR520-ADSL-K9 SR520-ADSLI-K9
Wireless versions as well, but check the datasheet.
2. RV220W or RV120W (relatively new)
Gui only configuration
provides IPSec tunnel between gateways
enhanced software compared to older WRV2XX
VLAN and trunk support
PPTP server (with RV220W)
Gig wan and LAN ports on the RV220w
supported by Cisco Small Business Support Center
3. RV042 (refresh of a popular router , newly released Version 3 hardware and new firmware)
Gui only configuration
provides IPSec tunnel between gateways
improved software
VLAN and trunk support
PPTP server as well
supported by Cisco Small Business Support Center
Moving up in features and price, you could check out the:
4. SA500 series (with newly released version 2 firmware)
A very capable box offering IPSec tunnels as well as
termination for SSL client vpn tunnels
option for IPS, content filtering , trend integration
But spend some time and really check out the datasheets on all these products.
Also, if you are a Cisco partner there is a management GUI emulator for the RV220W, RV120W and SA500. It does go too deeply into the configuration as it is only an emulator, but it provides great insight into how easy these products are to configure via their built-in GUIs.
https://supportforums.cisco.com/community/netpro/small-business/onlinedemos?view=overview%20target=
regards Dave
Similar Messages
-
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With split tunnel, with simultaneous access to the internal LAN and the outside internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the running-config with normal Client to Site IPSec VPN configured with no internet access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
Please tell me what needs to be done here to hairpin all the traffic to the internet coming from the VPN clients.
That is, I need clients connected via the VPN tunnel, when connecting to the internet, to have their IPs NATted against the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out DNS. It's working fine now.
But my problem is not solved fully here.
Does the hairpinning model allow access to the campus LAN behind the ASA also? Coz the setup is working now as I needed, and I can access the internet with the NATed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here is the packet-tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1) the LAN behind the ASA
2) the INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
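To make the packet-tracer verdict above concrete, here is an added example (not the thread's configuration and not Cisco code) that models the pre-8.3 ASA NAT evaluation order for the three rule types that decide this case: NAT exemption (nat 0 access-list), dynamic NAT and the matching global. The interface names and addresses mirror the thread; the 203.0.113.10 internet host and the extra exemption rule on internet2-outside are assumptions made for the demonstration, and the model deliberately ignores static NAT, policy NAT and nat-control.

```python
"""Simplified model of pre-8.3 ASA NAT evaluation for the hairpinning case.

Added example, not the thread's configuration or Cisco code. It models only
NAT exemption (nat <ifc> 0 access-list), dynamic NAT (nat <ifc> <id> <net>)
and global (<ifc>) <id> pools; the assumed fix and the 203.0.113.10 host are
constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Exempt:            # nat (ingress) 0 access-list <src -> dst>
    ingress: str
    src: str
    dst: str


@dataclass
class Dynamic:           # nat (ingress) <nat_id> <src>
    ingress: str
    nat_id: int
    src: str


@dataclass
class Global:            # global (egress) <nat_id> interface|<address>
    egress: str
    nat_id: int
    address: str


@dataclass
class AsaNat:
    interfaces: dict                      # interface name -> its IP address
    exempt: list = field(default_factory=list)
    dynamic: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

    def evaluate(self, ingress, src, egress, dst):
        """Return (verdict, translated_source) for one flow."""
        s, d = ip_address(src), ip_address(dst)
        # 1. NAT exemption is checked first and wins over every other rule.
        for r in self.exempt:
            if r.ingress == ingress and s in ip_network(r.src) and d in ip_network(r.dst):
                return "exempt", src
        # 2. Dynamic NAT is matched on the ingress interface; the egress
        #    interface must carry a global with the same id or the flow drops.
        for r in self.dynamic:
            if r.ingress == ingress and s in ip_network(r.src):
                for g in self.globals_:
                    if g.egress == egress and g.nat_id == r.nat_id:
                        mapped = self.interfaces[egress] if g.address == "interface" else g.address
                        return "translate", mapped
                return "drop", "No matching global"
        # 3. No rule matched: with nat-control disabled the flow passes untouched.
        return "untranslated", src


def build_asa(with_vpn_exemption=False):
    """NAT rules as posted in the thread, optionally plus an assumed exemption
    that lets VPN-client traffic reach campus-lan without translation."""
    asa = AsaNat(
        interfaces={"internet2-outside": "2.2.2.2", "campus-lan": "172.16.0.1"},
        exempt=[Exempt("campus-lan", "172.16.0.0/16", "192.168.150.0/24")],
        dynamic=[Dynamic("campus-lan", 1, "172.16.0.0/16"),
                 Dynamic("internet2-outside", 1, "192.168.150.0/24")],
        globals_=[Global("internet2-outside", 1, "interface")],
    )
    if with_vpn_exemption:
        # Assumed fix: nat (internet2-outside) 0 access-list <192.168.150.0/24 -> 172.16.0.0/16>
        asa.exempt.append(Exempt("internet2-outside", "192.168.150.0/24", "172.16.0.0/16"))
    return asa


def hairpin_results(with_vpn_exemption=False):
    """Verdicts for the three flows discussed in the thread."""
    asa = build_asa(with_vpn_exemption)
    client, internet_host, campus_host = "192.168.150.1", "203.0.113.10", "172.16.1.249"
    return {
        "client_to_internet": asa.evaluate("internet2-outside", client, "internet2-outside", internet_host),
        "client_to_campus": asa.evaluate("internet2-outside", client, "campus-lan", campus_host),
        "campus_to_client": asa.evaluate("campus-lan", campus_host, "internet2-outside", client),
    }


if __name__ == "__main__":
    for label, flows in (("as posted", hairpin_results()), ("with exemption", hairpin_results(True))):
        print(label)
        for name, verdict in flows.items():
            print(f"  {name}: {verdict}")
```

Run as posted, the model reproduces the thread's result: the hairpinned internet flow is PATed to 2.2.2.2, while the client-to-campus flow matches the dynamic rule on internet2-outside and drops with "No matching global" because campus-lan has no global 1. With the assumed exemption added, the same flow is exempted and the internet flow is still PATed, which is the behaviour the question asks for.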
Simple VPN Setup Fails with "NOTIFY PROPOSAL_NOT_CHOSEN protocol"
Hi,
This is pulling my hair out! Must be overlooking something very simple!
Simple lab setup with 3 routers. VPN setup between R1 & R3 with static routing. R2 connects R1 & R3. All interfaces are reachable, including loopbacks. I am trying to encrypt traffic between loopback on R1 (69.69.69.69) to loopback on R3 (192.168.100.223).
With no Crypto Map applied to the outgoing interfaces on R1 and R3, ping is successful (sourced via the local loopback) between the loopbacks. As soon as I add the Crypto Map the same ping fails and I get the following debug messages.
When ping initiated via outgoing interface, ping successful!
*Oct 6 11:44:26.121: ISAKMP: set new node 0 to QM_IDLE
*Oct 6 11:44:26.125: SA has outstanding requests (local 103.13.216.8 port 500, remote 103.13.215.236 port 500)
*Oct 6 11:44:26.129: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE )
*Oct 6 11:44:26.133: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -1381344893
*Oct 6 11:44:26.137: ISAKMP:(1002):QM Initiator gets spi
*Oct 6 11:44:26.145: ISAKMP:(1002): sending packet to 172.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 6 11:44:26.145: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Oct 6 11:44:26.149: ISAKMP:(1002):Node -1381344893, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 6 11:44:26.153: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Oct 6 11:44:26.301: ISAKMP (0:1002): received packet from 172.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Oct 6 11:44:26.305: ISAKMP: set new node -1825528760 to QM_IDLE
*Oct 6 11:44:26.313: ISAKMP:(1002): processing HASH payload. message ID = -1825528760
*Oct 6 11:44:26.317: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2376679447, message ID = -1825528760, sa = 670DD6A4
*Oct 6 11:44:26.317: ISAKMP:(1002): deleting spi 2376679447 message ID = -1381344893
*Oct 6 11:44:26.321: ISAKMP:(1002):deleting node -1381344893 error TRUE reason "Delete Larval"
*Oct 6 11:44:26.325: ISAKMP:(1002):deleting node -1825528760 error FALSE reason "Informational (in) state 1"
*Oct 6 11:44:26.329: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 6 11:44:26.329: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R1
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 172.1.1.1
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto map CRYPTO 1 ipsec-isakmp
description IPSec Peer to R3
set peer 172.1.1.1
set transform-set TEST
match address ACL1
interface GigabitEthernet1/0
ip address 192.250.156.6 255.255.255.0
no ip route-cache cef
no ip route-cache
negotiation auto
crypto map CRYPTO
ip access-list extended ACL1
permit ip host 69.69.69.69 host 192.168.100.223
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.1.1.1 192.250.156.6 QM_IDLE 1002 0 ACTIVE
R3
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 192.250.156.6
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto map TEST 1 ipsec-isakmp
description Primary IPSec Peer to R1
set peer 192.250.156.6
set transform-set TEST
match address ACL1
interface GigabitEthernet1/0
ip address 172.1.1.1 255.255.255.0
no ip route-cache cef
no ip route-cache
negotiation auto
crypto map CRYPTO
ip access-list extended ACL1
permit ip host 192.168.100.223 host 69.69.69.69
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.1.1.1 192.250.156.6 QM_IDLE 1002 0 ACTIVE
Any help appreciated,
Thanks.
Hi Paul,
"processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3" indicates the remote VPN peer rejected the phase 2 proposal.
The configuration snippet you have shared here seems fine, ISAKMP and IPSec debugs (debug crypto isakmp and debug crypto ipsec) from the remote VPN peer will be helpful in troubleshooting further.
Following is a useful doc on VPN troubleshooting:
IPsec Troubleshooting: Understanding and Using debug Commands
Cheers,
Rudresh V -
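Before collecting debugs from the remote peer, a static comparison of the two sides often finds a Phase 2 mismatch. The following is an added example (not code from the thread or from Cisco) that parses the handful of IOS commands used in the R1/R3 snippets above and checks the things that typically produce PROPOSAL_NOT_CHOSEN: an interface applying a crypto map that is not defined, crypto ACLs that are not mirror images, transform sets with no proposal in common, and a set peer that is not an address on the other router. The two configs embedded in it are constructed copies of the snippets in the question; run on them, the checker reports that R3's interface applies crypto map CRYPTO while the only map defined on R3 is TEST.

```python
"""Consistency checks for a pair of IOS crypto-map configurations.

Added example, not code from the thread or from Cisco. R1 and R3 below are
constructed copies of the snippets posted in the question.
"""
import re

R1 = """\
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto map CRYPTO 1 ipsec-isakmp
 set peer 172.1.1.1
 set transform-set TEST
 match address ACL1
interface GigabitEthernet1/0
 ip address 192.250.156.6 255.255.255.0
 crypto map CRYPTO
ip access-list extended ACL1
 permit ip host 69.69.69.69 host 192.168.100.223
"""
R3 = """\
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto map TEST 1 ipsec-isakmp
 set peer 192.250.156.6
 set transform-set TEST
 match address ACL1
interface GigabitEthernet1/0
 ip address 172.1.1.1 255.255.255.0
 crypto map CRYPTO
ip access-list extended ACL1
 permit ip host 192.168.100.223 host 69.69.69.69
"""


def parse_ios(text):
    """Minimal parser: top-level lines open a section, indented lines fill it."""
    cfg = {"maps": {}, "tsets": {}, "acls": {}, "ifaces": {}}
    kind, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            kind, cur = None, None
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                cfg["tsets"][m[1]] = frozenset(m[2].split())
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                kind, cur = "map", cfg["maps"].setdefault(m[1], {"peers": set(), "tsets": [], "acl": None})
            elif m := re.match(r"interface (\S+)", line):
                kind, cur = "iface", cfg["ifaces"].setdefault(m[1], {"map": None, "ip": None})
            elif m := re.match(r"ip access-list extended (\S+)", line):
                kind, cur = "acl", cfg["acls"].setdefault(m[1], set())
        elif kind == "map":
            if m := re.match(r"set peer (\S+)", line):
                cur["peers"].add(m[1])
            elif m := re.match(r"set transform-set (.+)", line):
                cur["tsets"] += m[1].split()
            elif m := re.match(r"match address (\S+)", line):
                cur["acl"] = m[1]
        elif kind == "iface":
            if m := re.match(r"ip address (\S+) \S+", line):
                cur["ip"] = m[1]
            elif m := re.match(r"crypto map (\S+)$", line):
                cur["map"] = m[1]
        elif kind == "acl":
            if m := re.match(r"permit ip host (\S+) host (\S+)", line):
                cur.add((m[1], m[2]))   # (source, destination) host pair
    return cfg


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        for ifname, ifc in cfg["ifaces"].items():
            if ifc["map"] and ifc["map"] not in cfg["maps"]:
                findings.append(f"{name}: {ifname} applies crypto map {ifc['map']}, which is not defined")
    ips_a = {i["ip"] for i in cfg_a["ifaces"].values()}
    ips_b = {i["ip"] for i in cfg_b["ifaces"].values()}
    for ma, mapa in cfg_a["maps"].items():
        for mb, mapb in cfg_b["maps"].items():
            if not mapa["peers"] <= ips_b or not mapb["peers"] <= ips_a:
                findings.append(f"peer addresses in {ma}/{mb} do not point at each other")
            acl_a = cfg_a["acls"].get(mapa["acl"], set())
            acl_b = cfg_b["acls"].get(mapb["acl"], set())
            if {(d, s) for s, d in acl_a} != acl_b:      # B's ACL must be A's with src/dst swapped
                findings.append(f"crypto ACLs {mapa['acl']}/{mapb['acl']} are not mirror images")
            props_a = {cfg_a["tsets"][t] for t in mapa["tsets"] if t in cfg_a["tsets"]}
            props_b = {cfg_b["tsets"][t] for t in mapb["tsets"] if t in cfg_b["tsets"]}
            if not props_a & props_b:
                findings.append(f"crypto maps {ma}/{mb} share no transform-set proposal")
    return findings


def check_thread_configs():
    return check_pair("R1", parse_ios(R1), "R3", parse_ios(R3))


if __name__ == "__main__":
    for f in check_thread_configs() or ["no mismatches found"]:
        print(f)
```

The parser only understands the commands that appear in the snippets (single-host permit entries, one `set peer` per line, no `crypto map ... ipsec-manual`), so extend the regexes before pointing it at a fuller running-config.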
I think I have it working on my iPhone 5. But, I do not see how I can control the exit point that I would like for the VPN. Are all the exit points shown in the VPN setting now going to work with Open VPN, or do they remain PPTP? If I am reading correctly, they look like they remain PPTP. If I cannot control the exit point for open VPN, which exit point is the default in the profile you provided me?
I note that Open VPN Connect does not work with any of the new 64 bit devices like the iPhone 5S, the iPad Air, and the new iPad Mini. Is there any chance that you guys will come up with an update for your app so that open VPN can be made to work on all iOS devices? That would be nice, particularly if the Open VPN Connect app does not give me a choice of exit points.
Thanks,
I do not see where to enter IP addresses in the Open VPN setup. Also, how can I set it up so that I can choose different servers in the same way as I can currently choose them with my VPN app but for PPTP?
Just a quick note to tell you that Open VPN has updated their app so that it is compatible with 64 bit ARM devices like the iPhone 5S, the iPad Air, and the iPad Mini Retina.
That does not resolve the problem of how to easily choose among the various possibilities for the exit server. We need to find an easy way to choose.
Thank you for trying the new Firefox. I'm sorry that you're unhappy with the new design.
I understand your frustration and surprise at the removal of these features but I can't undo these changes. I'm just a support volunteer and I do not work for Mozilla. But you can send any feedback about these changes to http://input.mozilla.org/feedback. Firefox developers collect data submitted through there then present it at the weekly Firefox meeting
I recommend you try to adjust to 29 and see if you can't make it work for you before you downgrade to a less secure and soon outdated version of Firefox.
Here are a few suggestions for restoring the old design. I hope you’ll find one that works for you:
*Use the [https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ Classic Theme Restorer] to bring back the old design. Learn more here: [[How to make the new Firefox look like the old Firefox]]
*Use the [https://addons.mozilla.org/en-US/firefox/addon/the-addon-bar/ Add-on Bar Restored] to bring back the add-on bar. Learn more here: [[What happened to the Add-on Bar?]] -
Setup Sunray 3G with Cisco 3005 VPN concentrator
hi,
I first explain the setup situation:
Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
Do I need to set up a Sunray segment for not-directly connected networks or do I need to set up one for directly connected networks?
Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel, or do I need to let the Cisco handle the IP address management?
Is there some info about what IKE proposal I need to select in the Cisco 3005?
Any help would be appreciated
Thx
I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP, so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs. I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.
-
How to nat subnets before establishing site to site ipsec vpn tunnel?
Hello,
Coming across a requirement which is new to me as I have not done this setup. Details as follows. Hope someone can help.
Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
Existing device: Cisco 5510 where I need to do this NAT.
Existing scenario in short: I have created vlans on asa by creating sub interfaces.
Changes done: added a new sub int for 192.168.50.0. Added a new object as 192.168.50.0. Now done with creation of the ACL where traffic from 192.168.50.0 to the remote subnets is allowed. In the NAT object section, done NATing 1 to 1, i.e. existing subnet to 192.168.50.0.
Done ipsec vpn setup inc phase 1 & 2.
Now tried to ping remote hosts but not reachable.
Pls advise how to make it work.
I don't have any router next to the ASA 5510. The ASA is in routed mode. The next hop from the ASA is the ISP's mux.
Hello. Pls find my answers inline
I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
Answer: That's correct.
Later on it seems that you have configured this to some interface on the ASA?
Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series and 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub interfaces, i.e. VLANs, on it. Using a 3COM switch down from the ASA to terminate those VLANs and distribute to unmanaged switches. Due to port limitations on the ASA I have configured the VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT before the traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from 192.168.228.x , 192.168.229.x series. Remote admin wants us to NAT our multiple subnets to single subnet i.e. 192.168.50.0 and then traffic from this subnet is allowed at remote end.
Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?
Answer: Yes just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1 way access. I am going to access remote servers.
The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me. -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between the sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.
Hi,
OK, so we're going with the older NAT configuration format.
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
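As an added example (not code from the thread or from Cisco), the following models the static policy NAT Jouni describes for ASA1 and the consequence in the last paragraph of the answer: because pre-8.3 NAT runs before crypto-map matching, the encryption domain has to be written in terms of the translated 10.23.1.0/24 network. The network numbers are the ones from the question; the sample hosts and the 203.0.113.9 internet destination are constructed. The same policy-NAT idea is what the earlier "How to nat subnets before establishing site to site ipsec vpn tunnel" question is after, for a 1:1 network-to-network translation.

```python
"""Static policy NAT model for a site-to-site tunnel (pre-8.3 ASA semantics).

Added example, not the thread's or Cisco's code. On ASA1 the real LAN
192.168.1.0/24 is presented to the peer as 10.23.1.0/24, host bits preserved,
but only when the destination is the peer LAN 10.1.0.0/16. Sample hosts and
the 203.0.113.9 internet destination are constructed.
"""
from ipaddress import ip_address, ip_network

REAL = ip_network("192.168.1.0/24")     # ASA1 inside network
MAPPED = ip_network("10.23.1.0/24")     # what ASA2's side sees
PEER = ip_network("10.1.0.0/16")        # ASA2 inside network


def map_host(addr, from_net, to_net):
    """Net-to-net translation: same host offset inside the new prefix."""
    a = ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static net-to-net NAT needs equal-size networks")
    offset = int(a) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def outbound(src, dst):
    """ASA1 inside -> outside: the policy NAT applies only toward the peer LAN;
    anything else falls through to the ordinary PAT, which is not modelled."""
    if ip_address(src) in REAL and ip_address(dst) in PEER:
        return str(map_host(src, REAL, MAPPED))
    return src


def inbound(dst):
    """ASA1 outside -> inside: untranslate what the peer addressed to 10.23.1.x."""
    if ip_address(dst) in MAPPED:
        return str(map_host(dst, MAPPED, REAL))
    return dst


def encryption_domain():
    """(source, destination) network pair for each side's crypto ACL; ASA2's is
    the mirror of ASA1's, and both name the translated network, not the real one."""
    return {"ASA1": (str(MAPPED), str(PEER)), "ASA2": (str(PEER), str(MAPPED))}


def in_domain(side, src, dst):
    """Would this (post-NAT) packet be selected for the tunnel on `side`?"""
    s_net, d_net = encryption_domain()[side]
    return ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net)


if __name__ == "__main__":
    post_nat = outbound("192.168.1.5", "10.1.0.1")
    print("192.168.1.5 -> 10.1.0.1 leaves ASA1 as", post_nat)
    print("selected for the tunnel:", in_domain("ASA1", post_nat, "10.1.0.1"))
    print("reply to 10.23.1.6 is delivered to", inbound("10.23.1.6"))
```

The `in_domain` check is the point of the answer's last paragraph: the real address 192.168.1.5 is not in the encryption domain, only its translated form 10.23.1.5 is, so a crypto ACL still written against 192.168.1.0/24 would never select the traffic.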
Hello Support,
I have a question regarding a remote access VPN setup with the following. I have a Cisco 6500 with multiple VLANs, and an FWSM set up in multiple context mode. Each of our clients sits behind their own context, and has their own associated VLANs. Each context has a shared interface, so that one network (our management network) can see all of the networks. We are using a Cisco ASA to terminate P2P VPNs as the FWSMs cannot do so, but I would like to set up a remote access VPN from the ASA, and I will need to connect in and have access to all networks. Currently the ASA has an outside interface for the internet, two client inside interfaces, and one interface on the shared network.
If I set up a remote access VPN from the ASA with a separate scope, will I be able to see all the networks that I set up routes and nonats for, or is there more to it?
I provided a brief diagram showing all the vlans, I will need to be able to access all of the 6500s vlans when connected using the VPN.
Thanks in advance for all ideas, suggestions, and assistance.
Hello John,
You will need to configure the respective IP Address pool for the Anyconnect users,
Then create the no_nat rules from all of the internal subnets to the Anyconnect Pool.
That should do it bud. I mean, just make sure the internal network (core) knows that in order to reach the AnyConnect pool it must send the traffic to the ASA.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com -
Is it possible to this with remote-access vpn?
Hi
I have access to my enterprise network through Cisco VPN (software) client and it goes through remote-access ipsec vpn setup on an ASA 5510. Everything works fine.
But now users that connect to the enterprise network additionally need to access the networks of remote sites that are connected through site-to-site VPN tunnels: IPSec tunnels between the mentioned ASA5510 and remote ASA5510s and ASA5505s in branch offices.
Is it possible?
If yes, what should I consider to make it work?
My setup looks like
enterprise network: 10.1.1.0/24
remote vpn clients get ip addresses from: 10.0.5.0/28
remote branch 1 network: 10.1.10.0/24
remote branch 2 network: 10.1.20.0/24
remote branch 3 network: 10.1.30.0/24
there is NAT exemption rule that exempts networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24
All traffic from local network 10.1.1.0/24 have full ip connectivity with all the networks in branch offices. The PROBLEM is that remote vpn clients can reach only local network 10.1.1.0/24, but not the remote networks.
The ASAs in remote branch offices have NAT exemption set up towards both the local network 10.1.1.0/24 and the remote access clients network 10.0.5.0/28, but as I said, it doesn't go. Please help!
Thanks in advance!
Zoran
Yes you can..
Let's take 1 remote branch network as an example: branch 1 network (10.1.10.0/24):
On Enterprise ASA:
- If you have split tunnel configured for the VPN Client, you would need to also add the remote branch network in the list (10.1.10.0/24).
- Crypto ACL between the Enterprise ASA and remote branch 1 ASA needs to have the following added:
access-list permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
- "same-security-traffic permit intra-interface" needs to be configured
On remote branch 1 ASA:
- Crypto ACL between remote branch 1 ASA and Enterprise ASA needs to have the following added:
access-list permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
- NAT exemption rule to exempt the traffic:
access-list permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
Clear the tunnels from both ends, and test the connectivity.
Hope this helps. -
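The failure described above is a crypto ACL that is not mirrored at both ends of the L2L tunnel. As an added check (not code from the thread), this script parses ASA `access-list ... permit ip` lines and reports hub entries with no mirrored spoke entry, using the thread's addressing; the ACL name `outside_cryptomap_1` and the sample config lines are constructed.

```python
import ipaddress
import re

# Matches ASA 'access-list NAME [extended] permit ip SRC MASK DST MASK'
# (ASA ACLs take subnet masks, not IOS-style wildcard masks).
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

def parse_aces(config):
    """Return [(acl_name, src_net, dst_net)] for every 'permit ip' ACE in config."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            aces.append((name, ipaddress.IPv4Network(f"{src}/{smask}"),
                         ipaddress.IPv4Network(f"{dst}/{dmask}")))
    return aces

def mirror_gaps(hub_aces, spoke_aces):
    """Hub (src, dst) pairs with no exact (dst, src) mirror on the spoke.

    An unmirrored crypto ACL entry means the two peers disagree on the proxy
    identities, so the SA for that pair never comes up."""
    spoke_pairs = {(s, d) for _, s, d in spoke_aces}
    return [(str(s), str(d)) for _, s, d in hub_aces if (d, s) not in spoke_pairs]

def covers(aces, src, dst):
    """True if some ACE's source and destination networks contain src and dst."""
    src, dst = ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)
    return any(src.subnet_of(s) and dst.subnet_of(d) for _, s, d in aces)

# Constructed sample config (hypothetical ACL name) using the thread's networks:
# 10.1.1.0/24 enterprise LAN, 10.0.5.0/28 VPN client pool, 10.1.10.0/24 branch 1.
HUB_ASA = """
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
"""
SPOKE_ASA = """
access-list outside_cryptomap_1 extended permit ip 10.1.10.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
SPOKE_ASA_FIXED = SPOKE_ASA + (
    "access-list outside_cryptomap_1 extended permit ip "
    "10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240\n")

if __name__ == "__main__":
    hub, spoke = parse_aces(HUB_ASA), parse_aces(SPOKE_ASA)
    print("unmirrored on spoke:", mirror_gaps(hub, spoke))  # the thread's gap
    print("after fix:", mirror_gaps(hub, parse_aces(SPOKE_ASA_FIXED)))
    print("pool->branch at hub:", covers(hub, "10.0.5.0/28", "10.1.10.0/24"))
```

Run the same check against the NAT exemption ACLs to confirm the client pool is exempted on the branch side as well.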
I have a current machine Windows 7 Pro with a Cisco VPN 3.5v client that currently connects with access to a customers network.
They shipped a second machine Windows 8.1 Pro without adding local accounts, that is pre-joined to a sub-domain the first system has access to.
Would it be possible to use the first machine as an ICS host or router to allow the second machine to see or access the domain for log in, without returning to the customer site and plugging in for a log in point?
Trying to save a 3 to 4 hr trip and lugging a system back for myself and the rest of the team.
Thanks
Hi,
Please refer to this part
http://windows.microsoft.com/en-hk/windows/using-internet-connection-sharing#1TC=windows-7
ICS and VPN connections
If you create a virtual private network (VPN) connection on your host computer to a corporate network and then enable ICS on that connection, all Internet traffic is routed to the corporate network and all of the computers on your home network can access the corporate network. If you don't enable ICS on the VPN connection, other computers won't have access to the Internet or corporate network while the VPN connection is active on the host computer.
Yolanda Zhu
TechNet Community Support -
How to handle multiple site to site IPsec VPNs on ASA? Any best practice to manage multiple IPsec VPN configurations
before version 8.3 and after version 8.3 ... 8.4 ... 9 versions..
Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the same time (a default route would be required on the new "outside" interface if VPN Client was used since you DON'T KNOW where the VPN Clients are connecting to your ASA from)
Hope this helps
- Jouni -
Problem with Site Studio sites under Linux - Ubuntu 9.10
Hello all,
I installed UCM under Linux (Ubuntu 9.10). As part of the setup I configured the installed Apache server by adding to apache2.conf:
LoadModule IdcApacheAuth /opt/oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so
IdcUserDB idc "/opt/oracle/ucm/server/data/users/userdb.txt"
Alias /idc "/opt/oracle/ucm/server/weblayout"
<Location /idc>
Order allow,deny
Allow from all
DirectoryIndex portal.htm index.htm
IdcSecurity idc
</Location>
UCM interface works as expected and all was working ok.
I then followed the Site Studio Tutorial Setup Guide and added some lines to the apache2.conf and it now looks like:
LoadModule IdcApacheAuth /opt/oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so
IdcUserDB idc "/opt/oracle/ucm/server/data/users/userdb.txt"
Alias /idc "/opt/oracle/ucm/server/weblayout"
<Location /idc>
Order allow,deny
Allow from all
DirectoryIndex portal.htm index.htm
IdcSecurity idc
</Location>
UseCanonicalName off
<Location "/">
IdcSecurity idc
</Location>
Afterwards I installed the Ravenna Hosting Tutorial. It appears ok in the site studio configuration pages. But when I try to view the site I get a 404. In apache access.log I see:
172.18.0.160 - - [01/Mar/2010:10:25:58 +0000] "GET /RVH/index.htm HTTP/1.1" 404 499 "http://ucm/idc/idcplg?IdcService=SS_GET_SITES_ADMIN_PAGE" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-PT; rv:1.9.2) Gecko/20100115 Firefox/3.6 GTB5 (.NET CLR 3.5.30729) WIT Toolbar 2.0.17 for Firefox"
And in error.log I have:
[Mon Mar 01 10:28:05 2010] [error] [client 172.18.0.160] File does not exist: /var/www/RVH, referer: http://ucm/idc/idcplg?IdcService=SS_GET_SITES_ADMIN_PAGE
Can someone give me a hand at what I'm doing wrong?
Managed to solve this.
The problem was with SSUrlMapPlugin.so not being loaded because of a missing dependency in the OS. I had to install libstdc++2.10-glibc2.2_2.95.4-24_i386.deb that is no longer on the Ubuntu 9.10 repositories so one has to fetch it from older releases.
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-24_i386.deb
dpkg -i libstdc++2.10-glibc2.2_2.95.4-24_i386.deb
And then restart apache and the content server. -
RV120W VPN Setup - basic help needed
Hi all,
I've recently bought an RV120W Wireless-N VPN Firewall hoping it would ease me in creating VPN and remote connectivity. But I seem to be struggling with this.
Here is my situation.
When I bought my Cisco router I didn't know it had an ethernet port for WAN. I thought it would have a RJ11 compliant port. So now I am having to put the router behind my modem.
I gave my modem's LAN 192.168.2.1 and to RV120W I gave 192.168.2.2.
All PC's are not connected to internet via RV120W. For RV120W, the local IP network is 192.168.1.0. I've set 192.168.1.1 as the management IP of the Cisco RV120W. All the PC's can get internet from the above layout arrangement.
With frustration, I've port-forwarded all my ports on the modem (except 1 port) to the RV120W, i.e. to IP 192.168.2.2.
If I enable PPTP on the RV120W I can ping its port (1723 I remember) from outside. If I connect to port 80 from outside my network, I can get the management interface of the RV120W.
With the help of the RV120W's userguide I managed to create VPN policy stuff via the 'basic VPN Setup' menu. The guides says to use a wizard but there is no wizard for VPN setup.
With that I have even created users (of every type) but I just can't make the connection.
When I use the QuickVPN to connect... its goes from "Connecting", "Activating Policy" again "Connecting" and then a big error saying a couple of things that might have caused the error.
I want to start from the beginning.
Can somebody please help me.
First... what am I supposed to put in the fields of the following screenshot. Especially the fields "Remote WAN's IP Address", "Local WAN's IP Address" and "Local LAN IP Address".
Once I knew about the bridge mode thing from this discussion, I started reading the manual of the modem in regard to the bridge mode setup.
According to the manual, the 'Data' bulb on the modem would be off if the modem is in bridge mode. and I've successfully put the modem on bridge mode I guess. It was pretty easy. I just deleted all the WAN setup rules/configs and began with the initial setup wizard which basically had the option to set the modem to bridge mode. After so, the 'Data' bulb got off meaning the modem is now in bridge mode. I am happy about that
But... still not done.
I put one ethernet cable into one of the LAN ports of the modem and put the other end in the RV120W WAN port. Logged into the RV120W, configured a new PPPoE profile (I have the user and pass details) and attached it to the WAN internet setup config.
I went back to the dashboard of the RV120W to see if WAN was up. It wasn't. I gave it some time. It didn't work. It says 'connecting' but never connects.
What am I doing wrong? Am I putting the cable between the modem and router the right way?
...and also, when the modem is in bridge mode will it forward all packets from LAN to WAN and vice versa, or is it like forwarding packets to all ports once received?
(I am learning so much with this RV120W ) -
Hi,
I have a NetGear DGND 3700v2 adsl modem/router. The firmware is v1.1.00.14_1.00.14 which has built in VPN functionality.
I am trying to establish a VPN connection to it from various MBP-15 (2011) running OSX 10.6.8 and 10.7.x - this is so that I can facilitate use of AppleRemoteDesktop to access various other iMac / old MacPros from outside the office.
In simple terms I have tried almost everything I can think of, including IPSecuritas & VPN tracker - but don't seem to have found the right combinations. I have also seen/copied the various postings for the FVS318G without success.
Does anyone have any experience with the Netgear VPN and Mac OSX settings?
Any help or suggestions will be much appreciated!!
Thanks,
ScinTilla
Hi
With the current setup in place you can try configuring either PPTP or MPPE on your router and establish the connectivity to access the remote LAN.
For more info you can refer this link..
http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
regds -
Secured server with SSH and VPN?
Hi,
Have an Archbox at home and when I'm traveling I would like to connect to my Archlinux box at home to grab files and such things.
Using ADSL with a static IP and a D-Link router.
If I create a port-forwarding rule of port 443 to my Archlinux box and use it to connect with SSH and VPN, is that secure enough?
I have family photos and stuff on the server that I don't want to be hacked or spread. Not a high target for hackers but for scriptkiddies!
So, will a port-forwarding rule and the use of an SSH daemon and VPN server software make me secure all the way? The VPN and SSH are encrypted, right?
Any suggestions of a good VPN application?
Server daemon for the "archserver" and clients for my laptop with dualboot, vista and archlinux.
Yeah, SSH or OpenVPN should be perfectly fine.
However, why port 443? If someone is scanning a large range of IP-addresses for commonly open ports to find active servers, they will most likely scan port 21, 22, 25, 80, 110, 443, etc. as these ports usually run the most interesting services.
Since it has no impact on the usability, choose a high port, between 10000-65000, which is not commonly used. That way your system will not be identified as active by a simple portscan searching for active servers.
You don't have to be worried about attacks targeted directly against you, if you don't have anything interesting on your system, a cracker wouldn't spend time on manually breaking into your system. Just mask yourself from worms etc. by using uncommon ports. Using SSH or OpenVPN will handle encryption, which ensures data integrity, even when you're connected to an unencrypted hotspot somewhere in the world on your vacation
If you set up OpenVPN, you'll also have the possibility of routing all your Internet traffic through your home system, which can be very handy in terms of surfing and checking mail from unencrypted hotspots around the world.