ASA5510 VPN Bandwidth Calculations

Were running an ASA5510 with multiple IPSEC VPN clients over a 100Mb leased line. At the moment we have about 10 active clients however we are looking at gearing up to about 100 clients.
Question is, is there a known method for calculating the required bandwidth for this number of clients or indeed obtaining metrics from already connected clients to help with this calculation.
We have tried a few monitoring products, most notably Solarwinds, however none of the products we have tried seems to be able to give us the throughput of the individual VPN connections to assist with our calcs....

Hi Rob,
Check  out VPNTTG (VPN Tunnel Traffic Grapher) is a software for SNMP  monitoring and measuring the traffic load for IPsec  (Site-to-Site,  Remote Access) and SSL (With Client, Clientless) VPN  tunnels on a Cisco  ASA. It allows the user to see traffic load on a VPN  tunnel over time  in graphical form.
Advantage of VPNTTG over other SNMP based monitoring software's is   following: Other (commonly used) software's are working with static OID   numbers, i.e. whenever tunnel disconnects and reconnects, it gets   assigned a new OID number. This means that the historical data,  gathered  on the connection, is lost each time. However, VPNTTG works  with VPN  peer's IP address and it stores for each VPN tunnel  historical  monitoring data into the Database.
For more information about VPNTTG please visit www.vpnttg.com

Similar Messages

  • Bandwidth Calculation based on Network IP Address on SNMP Cisco 3750

    Dear All,
    Instead of getting bandwidth calculation on cisco switch via snmp for total in and out or based on port, is it possible to get the calculation of bandwidth for in and out for the C Class IP on the network ? That mean i can get the calculation for each of my network IP address from the Cisco, what i'm doing now is to get from my bridge server and i run the iptables and some bash script and also MRTG
    Please advice. TQ

    Hi Abhi,
    you're welcome. Thanks for rating & marking as answered!
    I have CISCO 6503 box also with me. Could you please confirm if feature would be supported on 6503 ethernet ports or not?
    Have a look at the Release Notes:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/features.html#wp2800031
    "New Software Features in Release 12.2(18)SXF2
    Support with Supervisor Engine 2 for these features, which are already supported with other Supervisor Engines: 
    - IP unnumbered for VLAN-SVI interfaces
    -VLANs over IP unnumbered sub-interfaces"
    I have to say I've never done this so far on a c6500 but I think you can rely on the RN.
    HTH
    Rolf

  • ASA5510 VPN not working after upgrade from 8.2 to 8.3

    Hi,
    I have recently upgraded a customer ASA5510 to version 8.3.
    After upgrade web access etc is working fine however VPN is down.
    The config looks very different after the upgrade plus what looks to be duplicate entries.
    I suspect its an access list issue but I'm not sure.
    If anyone has any ideas based on the config below it would be greatly appreciated as I'm at a loss....?!
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password NvZgxFP5WhDo0hQl encrypted
    passwd FNeDAwBbhVaOtVAu encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 217.75.8.203 255.255.255.248
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    management-only
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone GMT/IST 0
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup Inside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object network obj-192.168.1.2-04
    host 192.168.1.2
    object network obj-192.168.1.7-04
    host 192.168.1.7
    object network obj-192.168.1.0-02
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0-02
    subnet 192.168.2.0 255.255.255.0
    object network obj-10.1.2.0-02
    subnet 10.1.2.0 255.255.255.0
    object network obj-192.168.1.224-02
    subnet 192.168.1.224 255.255.255.240
    object network obj-192.168.1.9-02
    host 192.168.1.9
    object network obj-192.168.1.2-05
    host 192.168.1.2
    object network obj-192.168.1.103-02
    host 192.168.1.103
    object network obj-192.168.1.7-05
    host 192.168.1.7
    object network NETWORK_OBJ_10.1.2.0_24
    subnet 10.1.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group network obj-192.168.1.2-02
    object-group network obj-192.168.1.7-02
    object-group network obj-192.168.1.0-01
    object-group network obj-192.168.2.0-01
    object-group network obj-10.1.2.0-01
    object-group network obj-192.168.1.224-01
    object-group network obj-192.168.1.9-01
    object-group network obj-192.168.1.2-03
    object-group network obj-192.168.1.103-01
    object-group network obj-192.168.1.7-03
    object-group network obj-192.168.1.2
    object-group network obj-192.168.1.7
    object-group network obj-192.168.1.0
    object-group network obj-192.168.2.0
    object-group network obj-10.1.2.0
    object-group network obj-192.168.1.224
    object-group network obj-192.168.1.9
    object-group network obj-192.168.1.2-01
    object-group network obj-192.168.1.103
    object-group network obj-192.168.1.7-01
    object-group network obj_any
    object-group network obj-0.0.0.0
    object-group network obj_any-01
    object-group service MonitcomUDP udp
    port-object range 3924 3924
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
    access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
    access-list Outside_access_in extended permit icmp any any
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
    access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
    access-list Outside_access_in extended permit udp any any eq 4500 inactive
    access-list Outside_access_in extended permit udp any any eq isakmp inactive
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Inside_access_in extended permit ip any any
    access-list Inside_access_in extended permit icmp any any
    access-list RemoteVPN_splitTunnelAcl standard permit any
    access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
    pager lines 24
    logging enable
    logging asdm warnings
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
    ip verify reverse-path interface Outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any Inside
    asdm location 192.168.1.208 255.255.255.252 Inside
    asdm location 192.168.1.103 255.255.255.255 Inside
    asdm location 192.168.1.6 255.255.255.255 Inside
    asdm location 192.168.1.7 255.255.255.255 Inside
    asdm location 192.168.1.9 255.255.255.255 Inside
    no asdm history enable
    arp timeout 14400
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional
    nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
    nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
    object network obj-192.168.1.2-04
    nat (Outside,Inside) static 217.75.8.204
    object network obj-192.168.1.7-04
    nat (Outside,Inside) static 217.75.8.206
    object network obj-192.168.1.0-02
    nat (Inside,Outside) dynamic interface
    object network obj-192.168.1.9-02
    nat (Inside,Outside) static 217.75.8.201
    object network obj-192.168.1.2-05
    nat (Inside,Outside) static 217.75.8.204
    object network obj-192.168.1.103-02
    nat (Inside,Outside) static 217.75.8.205
    object network obj-192.168.1.7-05
    nat (Inside,Outside) static 217.75.8.206
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DellServerAAA protocol radius
    aaa-server DellServerAAA (Inside) host 192.168.1.4
    key test
    http server enable
    http 62.17.29.2 255.255.255.255 Outside
    http 82.141.224.155 255.255.255.255 Outside
    http 63.218.54.8 255.255.255.252 Outside
    http 213.79.44.213 255.255.255.255 Outside
    http 192.168.1.0 255.255.255.0 Inside
    http 10.1.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df Outside
    crypto ipsec df-bit clear-df Inside
    crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set peer 89.127.172.29
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 60 match address Outside_cryptomap_60
    crypto map Outside_map 60 set peer 89.105.114.98
    crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface Outside
    crypto isakmp identity key-id nattingreallymatters
    crypto isakmp enable Outside
    crypto isakmp enable Inside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 192.168.1.0 255.255.255.0 Inside
    telnet timeout 5
    ssh 82.141.224.155 255.255.255.255 Outside
    ssh 62.17.29.2 255.255.255.255 Outside
    ssh 213.79.44.213 255.255.255.255 Outside
    ssh 192.168.1.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    management-access Inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RemoteVPN internal
    group-policy RemoteVPN attributes
    wins-server value 192.168.1.31
    dns-server value 192.168.1.31
    default-domain value freefoam.ie
    username freefoam password JLYaVf7FqRM2LH0e encrypted
    username cork password qbK2Hqt1H5ttJzPD encrypted
    tunnel-group 193.114.70.130 type ipsec-l2l
    tunnel-group 193.114.70.130 ipsec-attributes
    pre-shared-key ******
    tunnel-group 89.127.172.29 type ipsec-l2l
    tunnel-group 89.127.172.29 ipsec-attributes
    pre-shared-key ******
    tunnel-group 89.105.114.98 type ipsec-l2l
    tunnel-group 89.105.114.98 ipsec-attributes
    pre-shared-key *****
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
    address-pool VPNPool
    authentication-server-group DellServerAAA
    default-group-policy RemoteVPN
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0dc16fe893bd4bba6fdf6b7eed93e553

    Hi,
    Many thanks for your reply.
    Finally got access to implement your suggestions.
    Initially none of the VPN's were up.
    After making the change the two VPN's came up.
    However only data via the first VPN is possible.
    Accessing resources on the 10.1.2.0 network is still not possible.
    Attached is the latest config, any input is greatly appreciated;
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password NvZgxFP5WhDo0hQl encrypted
    passwd FNeDAwBbhVaOtVAu encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 217.75.8.203 255.255.255.248
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    management-only
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone GMT/IST 0
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup Inside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object network obj-192.168.1.2-04
    host 192.168.1.2
    object network obj-192.168.1.7-04
    host 192.168.1.7
    object network obj-192.168.1.0-02
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0-02
    subnet 192.168.2.0 255.255.255.0
    object network obj-10.1.2.0-02
    subnet 10.1.2.0 255.255.255.0
    object network obj-192.168.1.224-02
    subnet 192.168.1.224 255.255.255.240
    object network obj-192.168.1.9-02
    host 192.168.1.9
    object network obj-192.168.1.2-05
    host 192.168.1.2
    object network obj-192.168.1.103-02
    host 192.168.1.103
    object network obj-192.168.1.7-05
    host 192.168.1.7
    object network NETWORK_OBJ_10.1.2.0_24
    subnet 10.1.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group network obj-192.168.1.2-02
    object-group network obj-192.168.1.7-02
    object-group network obj-192.168.1.0-01
    object-group network obj-192.168.2.0-01
    object-group network obj-10.1.2.0-01
    object-group network obj-192.168.1.224-01
    object-group network obj-192.168.1.9-01
    object-group network obj-192.168.1.2-03
    object-group network obj-192.168.1.103-01
    object-group network obj-192.168.1.7-03
    object-group network obj-192.168.1.2
    object-group network obj-192.168.1.7
    object-group network obj-192.168.1.0
    object-group network obj-192.168.2.0
    object-group network obj-10.1.2.0
    object-group network obj-192.168.1.224
    object-group network obj-192.168.1.9
    object-group network obj-192.168.1.2-01
    object-group network obj-192.168.1.103
    object-group network obj-192.168.1.7-01
    object-group network obj_any
    object-group network obj-0.0.0.0
    object-group network obj_any-01
    object-group service MonitcomUDP udp
    port-object range 3924 3924
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
    access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
    access-list Outside_access_in extended permit icmp any any
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
    access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
    access-list Outside_access_in extended permit udp any any eq 4500 inactive
    access-list Outside_access_in extended permit udp any any eq isakmp inactive
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Inside_access_in extended permit ip any any
    access-list Inside_access_in extended permit icmp any any
    access-list RemoteVPN_splitTunnelAcl standard permit any
    access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
    access-list global_access extended permit ip any any
    access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Split-tunnel standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm warnings
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
    ip verify reverse-path interface Outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any Inside
    asdm image disk0:/asdm-647.bin
    asdm location 192.168.1.208 255.255.255.252 Inside
    asdm location 192.168.1.103 255.255.255.255 Inside
    asdm location 192.168.1.6 255.255.255.255 Inside
    asdm location 192.168.1.7 255.255.255.255 Inside
    asdm location 192.168.1.9 255.255.255.255 Inside
    no asdm history enable
    arp timeout 14400
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02
    nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
    nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
    object network obj-192.168.1.2-04
    nat (Outside,Inside) static 217.75.8.204
    object network obj-192.168.1.7-04
    nat (Outside,Inside) static 217.75.8.206
    object network obj-192.168.1.0-02
    nat (Inside,Outside) dynamic interface
    object network obj-192.168.1.9-02
    nat (Inside,Outside) static 217.75.8.201
    object network obj-192.168.1.2-05
    nat (Inside,Outside) static 217.75.8.204
    object network obj-192.168.1.103-02
    nat (Inside,Outside) static 217.75.8.205
    object network obj-192.168.1.7-05
    nat (Inside,Outside) static 217.75.8.206
    nat (Inside,Outside) after-auto source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DellServerAAA protocol radius
    aaa-server DellServerAAA (Inside) host 192.168.1.4
    key test
    http server enable
    http 62.17.29.2 255.255.255.255 Outside
    http 82.141.224.155 255.255.255.255 Outside
    http 63.218.54.8 255.255.255.252 Outside
    http 213.79.44.213 255.255.255.255 Outside
    http 192.168.1.0 255.255.255.0 Inside
    http 10.1.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df Outside
    crypto ipsec df-bit clear-df Inside
    crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
    crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set peer 89.127.172.29
    crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5
    crypto map Outside_map 60 match address Outside_cryptomap_60
    crypto map Outside_map 60 set peer 89.105.114.98
    crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface Outside
    crypto isakmp identity key-id nattingreallymatters
    crypto isakmp enable Outside
    crypto isakmp enable Inside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash md5
    group 5
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 192.168.1.0 255.255.255.0 Inside
    telnet timeout 5
    ssh 82.141.224.155 255.255.255.255 Outside
    ssh 62.17.29.2 255.255.255.255 Outside
    ssh 213.79.44.213 255.255.255.255 Outside
    ssh 192.168.1.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    management-access Inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable Outside
    anyconnect-essentials
    svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
    svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy RemoteVPN internal
    group-policy RemoteVPN attributes
    wins-server value 192.168.1.31
    dns-server value 192.168.1.31
    vpn-tunnel-protocol IPSec svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split-tunnel
    default-domain value freefoam.ie
    username freefoam password JLYaVf7FqRM2LH0e encrypted
    username cisco password DfO7NBd5PZ1b0kZ1 encrypted privilege 15
    username cork password qbK2Hqt1H5ttJzPD encrypted
    tunnel-group 193.114.70.130 type ipsec-l2l
    tunnel-group 193.114.70.130 ipsec-attributes
    pre-shared-key ************
    tunnel-group 89.127.172.29 type ipsec-l2l
    tunnel-group 89.127.172.29 ipsec-attributes
    pre-shared-key ************
    tunnel-group 89.105.114.98 type ipsec-l2l
    tunnel-group 89.105.114.98 ipsec-attributes
    pre-shared-key ************
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
    address-pool VPNPool
    authentication-server-group DellServerAAA
    default-group-policy RemoteVPN
    tunnel-group RemoteVPN webvpn-attributes
    group-alias Anyconnect enable
    tunnel-group RemoteVPN ipsec-attributes
    pre-shared-key c0nnect10nParameter$
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:fae6b7bc25fcf39daffbcdc6b91c9d8e

  • Can't connect to a customer when I'm connected to my ASA5510 VPN.

    Hi.
    I need to connect to a remote customer from home via the office's vpn.
    When I am physically at the office, I can connect no problem to my customer's securised gateway using my Internet Explorer browser (https://...).
    (NB - when I go to the site speedtest.net, it indicated that my source IP address is our office's Internet Supplier - Bell.ca 67.70.xxx.x - which is correct).
    When I am home, I connect VPN (with Cisco VPN Client) to my offices' cisco asa5510 . I then open my Internet Explorer browser and enter my customer's  https:// address, unfortunately I get the error message saying I am not authorised to connet to the site.
    I go to the site speedtest.net, and my source IP address is my home's Internet supplier (Videotron.ca 24.200.162.27).
    My customer will only allow me in if the source ip is from  Bell.ca 67.70.xxx.x (office) not Videotron.ca 24.200.162.27 (home).
    How can I resolve my problem? Created a seperate  group policy, tried different Split Tunnel Policy, actually tried all I can think of !!
    I was certain it had to do with the Split Tunnel Policy in the Group Policy but not sure anymore .
    Any suggestions?
    Thanks 

    Your VPN would have to DISALLOW split tunnel, making all your Internet traffic come from the office network when you are VPN-connected.

  • Monitoring Remote SITE TO SITE vpn (Bandwidth - utilized)

    Can somebody say how to know the bandwidth utilized
    by the site to site vpn please
    Tks
    THomas

    Hi Thomas,
    You can use "Interface Graphs" in Pix Device Manager. This is a monitoring tool that will serve the purpose that you mentioned.
    You can get more info at :
    http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixdm_ds.htm

  • ASA5510 VPN in tp mode (not l3)

    Hi guys,
    I am wondering whether the vpn feature of asa5510 can be used in transparent mode
    or not . My expected diagram is included in attachement.
    In the diagram, Both firewall need to be established with vpn peering.
    Sent from Cisco Technical Support iPhone App

    VPN can not be used when the ASA is configured in either Transparent mode or multiple context mode.  The ASA must be in routed mode for the VPN to terminate at the ASA.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#unsupp
    Please rate any helpful posts

  • VPN Bandwidth Utilization

    I have site to site Configuration of VPN 3030 Concentrator ( one At HQ) and VPN 3005 Concentrator ( 14 At Branch Office). I want to measure the Bandwidth Utilization of VPN 3030 Concentrator at HQ.
    Is there any command,network management software tool or utility available so I can measure the Bandwidth ?
    Dinesh

    Hi!
    Opensystems Private I syslog software collects, alerts, reports, and archives VPN (and other syslog) log data.
    Private I can detail the activity going through your VPNs, as well as tell you how much of the network users are using.
    -Collects thousands of messages per second from a variety of network devices
    -Real time alert notification via audio, visual, email, SNMP, or pager
    -Powerful ad-hoc query capability
    -Over 100 canned reports and graphs
    -Easy customization and creation of new reports
    -Scheduled report engine for timely output
    -Offloading aged data for easy access
    Check http://www.opensystems.com
    Br Juha

  • ASA5510 - VPN AnyConnect - Two Part Authentication

    Currently, we have the AnyConnect client authenticating our users to our AD environment.  All is working as desired.  Now our Controll Agency is requiring a two step authentication for VPN access.  Is it possible (and if so how do you do it) to also configure the AnyConnect client login to send a PIN to the AD usres registered Cell Phone and then require that PIN to be input to make complete the VPN login process? 
    This is basically the sequence that I forsee:
    1. The AnyConnect client requests and then validates the User's AD credentials
    2. The ASA 5510 generates and sends a one-time 4 to 6 digit PIN to the AD user's cell phone.
    3. The AnyConnect client presents a dialog box awaiting the PIN to be entered.
    4. The user enters the PIN and completes the login once the ASA validates the PIN.

    Hi,
    You can use secondary authentication:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html#wp1452151
    Do you have any external server/vendor for that PIN (one time password) authentication ?
    How user in step 3 should know which PIN to type (if it's one-time generated) ?
    With RSA one time password you could configure it as radius and use secondary authentication feature.
    You could also use ACS as a proxy between ASA and RSA.
    Michal

  • ASA5510 VPN authenticate AD group members

    Hi Forum,
    is there a way to configure an AAA server for Active Directory so that just users that are a member of one certain Active Directory security group get authenticated?
    I don't really know what attributes to map or if this is even possible.
    I found this article, which I might use alternatively, but my preference would be to do it using the group membership.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    TIA
    Alex

    Alex,
    This is bit tricky, you must have LDAP-attribute map along with a Dummy group-polcicy (noaccess)
    Configuration for restricting access to a particular windows group on AD
    group-policy noaccess internal
    group-policy noaccess attributes
    vpn-simultaneous-logins 0
    address-pools none
    ldap attribute-map LDAP-MAP
      map-name  memberOf IETF-Radius-Class
      map-value memberOf
    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD host
    server-port 389
    ldap-base-dn
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-dn
    ldap-login-password
    server-type microsoft
    ldap-attribute-map LDAP-MAP
    group-policy internal
    group-policy attributes
    vpn-simultaneous-logins 3
    vpn-tunnel-protocol IPSec l2tp-ipsec ...
    address-pools value
    tunnel-group type remote-access
    tunnel-group general-attributes
    authentication-server-group LDAP-AD
    default-group-policy noaccess
    This should work for sure. In case you see any unexpected results, get the below listed debugs.
    debug ldap 255
    Regds,
    Jatin
    Do rate helpful posts-

  • VPN Bandwidth

    Our Office curently has 3MB down & 384k up over a cable modem. I have 10 or so guys connecting into the office using site to site VPN back into the PIX 506e. They use Outlook exclusively. My Question is, if I increase the upload to 1Mb, will that be sufficient to allow for file sharing (word, excel, digital pics, etc) with acceptable performance?

    hello. i have a simular issue. here is my findings. we have a partal t1 (384k up and down) we currently run a asa5505 to 2801router. we have at a range of 1 to 10 users connecting using outlook and light filesharing. we have had no issues at all. i have even ran two or three remote desktop connections over the vpn with no noticable issues.
    hope that helps

  • Boot camp with Cisco VPN client and smart card

    Looking at a Macbook or Macbook Air and the only reason I need to run windows is to be able to access my work network through the Cisco VPN client and my Smartcard then use remote desktop. From my understanding if I run Bootcamp it should work am I correct? Im going to an Apple store tomorrow hopefully they can help too.
    Thanks

    mrbacklash wrote:
    Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
    I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
    Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
    Message was edited by: BobTheFisherman

  • User from certificate with Cisco VPN client and ASA (and radius)

    Hello,
    we are trying to migrate a vpn client connection from GROUP to certificate. We want that client uses the user from the certificate and doesn't ask user, only password. Is it possible? Now, with user certificate, you can connect as another user if you know the user and the password of the other user with your own certifcate.
    Thanks!
    Santiago.

    mrbacklash wrote:
    Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
    I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
    Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
    Message was edited by: BobTheFisherman

  • Host in DMZ try to access VPN Client.

    ASA5510,
    VPN client 192.168.250.249 have only port 1433 access to DMZ host 192.168.250.8.
    DMZ host 192.168.250.8 have all ports access to VPN Client 192.168.250.249
    I added the following rules into VPN Group policy
    access-list AM_SVR02_EXT extended permit tcp host 192.168.250.249 host 192.168.250.8
    access-list AM_SVR02_EXT extended permit tcp host 192.168.250.8 host 192.168.250.249 eq 1433
    but doesn't work.. VPN client access host 1433 is ok.. but host can't access VPN client ..
    How to do what I want?
    Thanks in advance.

    There is not much point in adding 192.168.22.0/24 to the split tunnel ACL because it is already included in 192.168.0.0/16. It might be helpful to add 192.168.22.0 to the VPN_Routes ACL. Can you tell us what is 192.20.3.0/24 that is currently specified in that ACL?
    Can you verify that devices in the DMZ have a route to the address pool for VPN?
    HTH
    Rick

  • How to calculate network bandwidth for dataguard 11.2

    Hi all,
    have a customer who needs to setup a new data guard environment in release 11.2.0.2. Primary site will be in Italy, standby site will be in New York.
    He would like to know the network bandwidth between primary and standby site needed to obtain the maximum performance in redo transport with or without compression option.
    I found a lot of threads and docs indicating some formulas but none of them explained how to:
    - calculate network bandwidth on a rac system (having a single instance standby database)
    - calculate network bandwidth in case of use redo transport compression
    - calculate cpu consumption if using redo transport compression
    Could you please give any advice?
    A.M.

    Hi,
    customer made ma a lot of technical question just like the following:
    - which are the main factors determining the 30% overhead indicated in the network bandwidth calculation
    Required bandwidth = ((Redo rate bytes per sec. / 0.7) * 8) / 1,000,000 = bandwidth in Mbps
    - how much bandwidth will I gain if I apply redo transport compression and why redo transport compression and why usually the gzip utility gives me 5X less and oracle compression gives me a maximum of 50-60% of compression even if it uses the same engine of zlib compression as indicated below?
    Data Guard redo transport compression uses the same zlib compression engine at level 1 as gzip -1. To estimate the compression ratio you can achieve using Data Guard redo transport compression, first compress an archived redo log file with gzip:
    $ gzip -1 <archive redo logfile>.arc
    Then use the gzip --list option to explicitly display the compression ratio:
    $ gzip --list <archive redo logfile.arc>.gz
    Note: Use gzip version 1.3.3 or later. Refer to www.gzip.org for the latest information on gzip.
    Could anyone give me any direction?
    Thank you
    AM

  • Security Report VPN Graph is Blank

    VPN Bandwidth
    - Even though the VPN Bandwidth Bytes by Day contains data, the graphs are blank.
    - SSL VPN graph is working fine.

    We found the root cause it was because table "task" does not have records in APPSERVER Database.
    Once we updated task table. Security report SEC_LIST_MBR is displaying results correctly.
    Regards,
    Rajesh

Maybe you are looking for

  • In my NWDS "Build EJB Archive" is not actitivated?

    Hi all! I created an EJB project and imported some files in to my EJB project. When i try to build my EJB Archive, it is not activated. I tried even a simple EJB project, for that also Build EJB Archive is not activated. Help me Thanks a lot in advan

  • USB drive and power

    I have a new Air and I plugged my WD Passport into the USB. It did not work. Does the USB port on the Air supply power to the drive like on my MacBook Pro, or do I need an AC adapter for the drive? Thanks, Ken

  • How to load balance Agents across multiple Oracle Management Servers?

    Hi everyone We have the 2 OMS servers in our OEM environment. We would like to set up our management agents to load balance over these 2 servers...Or if not load balance then at least set up the agents so they can access either/or OMS. I've looked th

  • How to remove the gap between OA standard footer & footnote image

    Hi, I have added OAF footnote image through page customization that appears just above the standard footer. now there is little space between standard footer and footnote image should be removed i.e standard footer and footnote image should be merged

  • Plugin customization from crm 4.0 to crm 2013

    Hi, can anyone advice or help me to customize CRM 4.0 plugin code where using Product class, to CRM 2013. There is not product class (crm service) in CRM 2013 and I don't know how to customize below Code to CRm 2013 plugin here i attached snip of CRm