Allow IPSEC traffic thru 871?

I am using Cisco 871's with Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass thru the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
How can I allow IPSEC traffic to pass thru the 871?

If you are initiating vpn client connectivity from behind the 871 to outside you need to allow through the IPsec ports udp 500, udp 4500 and protocol 50 esp. I don't know Nortel's vpn client but Im sure they follow the Ipsec security standards.
try this on your 871 router.
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
apply acl-101 to your outbound interface
access-group 101 in
HTH
Jorge

Similar Messages

  • WRVS4400N Won't allow L2TP traffic to passthrough

    The latest in a series of issues with the WRVS4400N:
    As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN.  That leaves us with one of two options:
    1)  Obtain iPSecuritas and configure an IPSec tunnel with it.  Problematic for many, but it can be done.  I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi.  This leaves you with solution 2:
    2)  Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
    I am running both a PPTP and L2TP server on Mac OS X server behind the WRVS4400N.  I have the 4400N setup to passthrough all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
    After forwarding the appropriate port (1723) to the OS X server's ip address, PPTP goes through just fine.
    L2TP is a problem, though.  Nothing I try gets through this 4400N.  As stated above I have L2TP passthrough enabled.  I have also forwarded ports UDP 500, UDP 4500 and even tcp/udp 1701 to the L2TP server's ip address.  No go, no traffic gets through.
    Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone.  Voila!  L2TP traffic connects as expected.  This proves it is the WRVS4400N not doing its thing.
    I have checked the logs on the WRVS4400N and nothing appears at all.  I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts setup on the WRVS4400N, but with the lousy logging and no ipconntrak tables in this version of the firmware, i don't know what else to check. 
    I am using Firmware v1.0.16 because v1.1.03 is not stable on my router.  Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
    Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually passthrough my L2TP traffic to the working L2TP server?
    /rant:  I have to say I am begining to hate the WRVS4400N.  This temperamental beast has a lot of frustration and long hours over the past two years;  in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.  

    gv wrote:
    1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
    2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
    3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
    Thanks for the reply.  Comments/follow-up on each of your numbered responses:
     1)  Port 1701 is off.  Plenty of sites insist it must be open, so I tried it out of desperation.  Lots of bad information on the internet, as we all know.
     2a)   My IPSec server has always been the NAT gateway itself (the WRVS4400N).  That's not the problem.  My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN.  QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N.  THis leaves me with having to use 3rd partyclient  solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.  
    I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel.  THis won't work with the only solutions I have to using IPSec on a Mac to connect to the network.  I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable.  Very frustrating.
    I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.  
    If it's so problematic, and such a bad idea, why allow it?   Especially on devices marketed to SOHO consumers who are bound to have less networking savvy?  In fact, the Linksys products ship with these options ENABLED by default. 
    3)  I've done all that.  
    Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
    Passthrough disabled, ports forwarded
    Dec 7 07:38:40 - Drop by Port Scan UDP
    Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
    Dec 7 07:41:30 - [VPN Log]: shutting down
    Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
    Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
    Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
    Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
    Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
    Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
    Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
    Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
    Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
    passthrough enabled, ports not forwarded
    Dec 7 07:47:28 - [VPN Log]: shutting down
    Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
    Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
    Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
    Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
    Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
    Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
    Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
    Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
    Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
    passthrough enabled, ports forwarded
    BLANK LOG!  Not a single entry in the WRVS4400N's log files.
    Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N.  L2TP connections work fine until the WRVS4400N is in the mix. 
    So, I'm back to the same original question:
     How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...? 
    Message Edited by DistortedLoop on 12-07-2008 08:02 AM

  • IPSEC pass-thru

    Does the newest IOS allow IPSEC to pass-thru??
    Here is my situation. I have have a 2514 with many internal addresses overloaded to one public address and Cisco VPN client doesn't work many to one translation. What is my best bet??

    Yes, 12.2(13)T should support this now. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatesp.htm
    That command reference is horrible though, I think what it's trying to tell you is that you don't need to do anything on the router other than configure NAT overload, the router should do the rest for you automatically.

  • Allow external traffic to access internal computers

    We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
    ASA Version 8.4(3)
    hostname ciscoasa
    domain-name default.domain.invalid
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.2.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 152.18.75.132 255.255.255.240
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object network a-152.18.75.133
    host 152.18.75.133
    object network a-10.2.1.2
    host 10.2.1.2
    object-group network ext-servers
    network-object host 142.21.53.249
    network-object host 142.21.53.251
    network-object host 142.21.53.195
    object-group network ecomm_servers
    network-object 142.21.53.236 255.255.255.255
    object-group network internal_subnet
    network-object 10.2.1.0 255.255.255.0
    access-list extended extended permit ip any any
    access-list extended extended permit icmp any any
    access-list extended extended permit ip any object-group ext-servers
    access-list acl_out extended permit tcp any object-group ecomm_servers eq https
    access-list outside_in extended permit ip any host 10.2.1.2
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo-reply inside
    icmp permit 10.2.1.0 255.255.255.0 inside
    icmp permit any echo-reply outside
    icmp permit any outside
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
    route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.2.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 10.2.1.2 255.255.255.255 inside
    ssh 122.31.53.0 255.255.255.0 outside
    ssh 122.28.75.128 255.255.255.240 outside
    ssh timeout 30
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.2.1.2-10.2.1.254 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
    : end
    ciscoasa(config)# sh nat
    Manual NAT Policies (Section 1)
    1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
        translate_hits = 1, untranslate_hits = 112
    ciscoasa(config)# sh nat
    Manual NAT Policies (Section 1)
    1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
        translate_hits = 1, untranslate_hits = 113
    ciscoasa(config)#

    Okay I will bite.
    Assuming you have
    a.  dynamic pat rule for lan users-devices to reach the internet
    (missing ???????????????
    (should look like a nat rule that makes two entries when you make the one rule)
    (with router set at defaults it may make this rule for you already in place)
    -object bit  
    object network obj_any_inside
    subnet 0.0.0.0 0.0.0.0
    and rule bit
    object network obj_any_inside
    nat (inside,outside) dynamic interface
    b.  route rule - tells asa next hop is IP gateway address
    route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
    c.  Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
    object bit
    object network natforward4server
    host 10.2.1.2
    Nat bit
    object network natforward4server
    nat (inside,outside) static interface service tcp 443 443
    d. Nat for translated ort.
    If you had wanted to translate a port, lets say you have external users that can only use port 80 but need to access https
    object bitobject network natfortransl4server
    host 10.2.1.2
    Nat bit
    object network natfortransl4server
    nat (inside,outside) static interface service tcp 443 80

  • ACL to allow SNMP traffic

    I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.
    ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
    Additional permit statements omited.

    HMidkiff wrote:I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IPAdditional permit statements omited.
    HMidkiff wrote:I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IPAdditional permit statements omited.
    Where it is applied it to a L3 switch vlan interface or a router interface, which direction etc.,.
    Is the SNMP traffic from a specific device, you could add a permit log for that specific device to see what ports it is using.
    Also, where is the SNMP coming from in your acl ? if it is the x.x.0.0 network the acl should be -
    permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
    etc..
    Jon

  • RV016 Router Allow All Traffic For Outside IP

    Hi,
    I need to configure the firewall to allow all traffice for an IP address of a sever. What steps in the router do i need to configure this? This is a cloud based voip server and we have IP phones and we need to add an IP address of the phone server to allow all traffic for that IP.
    thanks.

    Hi Jonathan,
    I have a similar problem with VOIP traffic being dropped by my new RV016 v3 router.
    I have created one Firewall Rule, to allow ALL traffic from the external VOIP PBX provider (single IP) to connect to the internal VOIP phones, which have assigned addresses in a small IP Address range (eg. 10.1.2.50 - 10.1.2.59)
    The Aastra VOIP phones continually loose their  registration wtih the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone, 3 or 4 minutes after you hang up,  and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
    We used to have an RV016 v2 router and VOIP traffic worked  OK,  with a similar Firewall Rule.  We replaced the v2 router  because its CPU crashed. 
    I tested the VOIP traffic with a WRT160 router with minimal Firewall Rules, and it works OK, as long as SIP-ALG is turned Off.   We want to use the RV016 because it provides a larger number of ports for our LAN.
    Any suggestions ?
    Kirk

  • Allow DNS Traffic

    Hi!
    We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
    Thanks.

    access-list 101 extended permit tcp net_lan sub net_wan sub eq 53
    access-list 101 extended permit udp net_lan sub net_wan sub eq 53
    access-list 101 extended deny any any
    interface Serial 0/0
     ip access-group 101 out
    N.B. That access-list is only for permit traffic for DNS protocol. All traffic except DNS will be deny  

  • Firewall Allow all traffic on lan

    Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

    dtich wrote:
    thx dean, yes, i had certainly looked at the log, which shows these entries:
    Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
    but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
    traceroute gives me:
    traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
    1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
    so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
    if i allow 169.254.x.x, i still get no joy.
    mean anything else to you?
    yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
    Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external?

  • Firewall blocks Airplay (even under 'allow all traffic')

    Hi every body,
    I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my the server's firewall blocks
    a) all airplay traffic and
    b) 'reading Airport confirguration' requests
    even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
    Any help would really be appreciated.
    Thanks a lot.
    Nonresidentalien
    P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
    First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any
    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
    reptilehouse:~ sascha$ sudo ip6fw delete 65000
    To confirm, show the rule table again and you should see 65000 is gone:
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any
    Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
    What I don't know if whether this is sticky, e.g. survives a reboot.

  • IPSEC Cisco VPN connection. Modifying default VPN gateway allows internet traffic but loses access to VPN

    Hello!!
    I'm using the IPSEC Cisco VPN Network property to connect to my company.
    Once I get connected, I lose internet access, because all the traffic is redirected through the tunnel and I want both, of course.
    If I modify the default getaway in the routing table, with this command
    route change default x.x.x.x, where this is the getaway IP when not connected to the VPN,
    I gain access to internet, but I lose access through the VPN tunnel.
    I was reading about it in google, and what I have to do is to add a static route to the VPN again, but I don't know how.
    Could you please help me?
    thanks in advance!!

    Hi Norbert,
    I am sorry to say that configuring routes in Azure Virtual network is not supported. I recommend you to submit your reuqirement on Azure Feedback and hope it would be released soon:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Cisco ASA 5515 - Anyconnect users can't ping other Anyconnect users. How can I allow icmp traffic between Anyconnect users?

    ASA configuration is  below!
    ASA Version 9.1(1)
    hostname ASA
    domain-name xxx.xx
    names
    ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface GigabitEthernet0/1
    description Interface_to_VPN
    nameif outside
    security-level 0
    ip address 111.222.333.444 255.255.255.240
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name www.ww
    same-security-traffic permit intra-interface
    object network LAN
    subnet 192.168.11.0 255.255.255.0
    description LAN
    object network SSLVPN_POOL
    subnet 192.168.12.0 255.255.255.0
    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    webvpn
      url-list none
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint5
    enrollment terminal
    email [email protected]
    subject-name CN=ASA
    ip-address 111.222.333.444
    crl configure
    crypto ca trustpoint ASDM_TrustPoint6
    enrollment terminal
    fqdn vpn.domain.com
    email [email protected]
    subject-name CN=vpn.domain.com
    ip-address 111.222.333.444
    keypair sslvpn
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint6
    telnet timeout 5
    ssh 192.168.11.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.5.2-192.168.5.254 management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint6 outside
    webvpn
    enable outside
    csd image disk0:/csd_3.5.2008-k9.pkg
    anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy VPN_CLIENT_POLICY internal
    group-policy VPN_CLIENT_POLICY attributes
    wins-server none
    dns-server value 192.168.11.198
    vpn-simultaneous-logins 5
    vpn-session-timeout 480
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_CLIENT_ACL
    default-domain value mycomp.local
    address-pools value VPN_CLIENT_POOL
    webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect dtls compression lzs
      anyconnect modules value vpngina
      customization value DfltCustomization
    group-policy IT_POLICY internal
    group-policy IT_POLICY attributes
    wins-server none
    dns-server value 192.168.11.198
    vpn-simultaneous-logins 3
    vpn-session-timeout 120
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_CLIENT_ACL
    default-domain value company.com
    address-pools value VPN_CLIENT_POOL
    webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect dtls compression lzs
      customization value DfltCustomization
    username vpnuser password PA$$WORD encrypted
    username vpnuser attributes
    vpn-group-policy VPN_CLIENT_POLICY
    service-type remote-access
    username vpnuser2 password PA$$W encrypted
    username vpnuser2 attributes
    service-type remote-access
    username admin password ADMINPA$$ encrypted privilege 15
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool VPN_CLIENT_POOL
    default-group-policy VPN_CLIENT_POLICY
    tunnel-group VPN webvpn-attributes
    authentication aaa certificate
    group-alias VPN_to_R enable
    tunnel-group IT_PROFILE type remote-access
    tunnel-group IT_PROFILE general-attributes
    address-pool VPN_CLIENT_POOL
    default-group-policy IT_POLICY
    tunnel-group IT_PROFILE webvpn-attributes
    authentication aaa certificate
    group-alias IT enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Hi,
    here's what you need:
    same-security-traffic permit intra-interface
    access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
    nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
    Patrick

  • Possible to allow any traffic from a certain IP?

    Basic question:
    I'm using Snow Leopard and want to be able to allow any incoming traffic from a certain IP. I'm not concerned about what ports because it's a local device (PS3) behind the router. Is there a way to accomplish this without resorting to ipfw?
    Additional info:
    I have tried to add the PS3 Media Server program to the firewall list but even though it's set to allow, the firewall blocks incoming connections for it. I confirmed this through the console logs. I think it's something to do with being a Java based program.
    Console:
    8/29/09 3:37:59 PM 0x0-0x85085.PS3 Media Server1106 main TRACE 15:37:59.547 Created socket: /10.0.1.2:5001
    8/29/09 3:37:59 PM Firewall1028 JavaApplicationS is listening from 10.0.1.2:5001 proto=6
    8/29/09 3:38:04 PM Firewall1028 Deny JavaApplicationS connecting from 10.0.1.3:50680 to port 5001 proto=6

    Don't know anything about the topic, but this might help.
    http://forums.macrumors.com/showthread.php?t=774875

  • ACE 4710: Config Allows all traffic except large HTTP downloads

    Hi Folks,
    Got an ACE 4710 with a basic config that seems to work for all traffic except large downloads.
    I've attached the current config
    As I mentioned I can do normal HTTP to a standard destination like google or SSH through the ACE or ICMP
    If i try to get a large file from the server side of ACE, then a trace shows that the first and subsequent 1460Byte packets dont go through ACE
    I've thought of parse lengths, but i cannot see any that seem to affect the generic L4 maps that I am trying to use
    Cheers
    Alan

    I've seen a similar fault. I suppose a lower MSS was sent in the TCP SYN handshake packets (1300 or 1380?) and the packets exceeding that value were dropped by the ACE. This is the default behavior which can be switched to a less strict mode by either
    exceed-mss allow
    or
    no normalization
    commands.
    In our case, a linux web server was whose replies wouldn't keep to the MSS limit.

  • ACE to bypass IPSec traffic

    HI All,
    we are getting ready to do a POC with ACE, Hurray !!!!!!!!!
    One problem though. The customer (who is a service provider) is going to loadbalance traffic to a web proxy, but wants to bypass IPSec VPN traffic from getting loadbalanced to proxies.
    I think we can do this if the clients are using IPSec tunnel mode, but it seems there would be a problem in identifying the traffic if the clients are using IPSec transport mode or transparent tunneling. Any idea how i can prevent all of the VPN traffic from going to the proxies ?
    Thanks

    If you only loadbalance traffic with destination port 80 or port 8080 than there is no problem.
    I don't think ipsec would use those ports.
    Gilles.

  • Security zone for IPSec traffic

    Hi.
    Suppose i have classic static IPSec with remote site like this:
    crypto map CRYPTOMAP 10 ipsec-isakmp set peer x.x.x.x set transform-set TS match address crypto_aclip access-list extended crypto_acl  permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255interface Fas0/0  ip address <some internet address>  crypto map CRYPTOMAP !interface Fas0/1 ip address 10.1.0.1 255.255.0.0!ip route 10.2.0.0 255.255.0.0 <ISP address>
    Now i want to establish zone-based-firewall.
    I create zones
    zone security INETzone security REMOTE_SITEzone security LAN!zone-pair blah-blah...!interface Fas0/0 zone-member INET!interface Fas0/1 zone-member LAN
    How do i put traffic passing through IPSec tunnel to zone REMOTE_SITE ???
    Note: this is NOT ASA, this is IOS.
    Note2: remote site is not Cisco and i connot create Tunnel interface.

    Hello Utair,
    You need only 2 interfaces,
    The one that connects to the internal devices
    The one that connects to the outside interface (where the crypto-map is usually applied)
    Just match the traffic from the internal interface to the outside interface and apply the right action
    Same thing for the traffic that will be generated in the other site to the Local Area Network
    Do you follow me?
    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
    Cheers,
    Julio Carvajal Segura

Maybe you are looking for