Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)

Hello,
I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able to guarantee 5Mb of the total 10Mb to a specific VPN tunnel. Is this possible? I have read the following links, however I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4
https://supportforums.cisco.com/docs/DOC-1230
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos
The tunnel is being defined by the following commands:
crypto map prdmay 20 match address vpn_1
crypto map prdmay 20 set peer 61.172.142.222
crypto map prdmay 20 set transform-set TS
access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
tunnel-group 61.172.142.222 type ipsec-l2l
tunnel-group 61.172.142.222 ipsec-attributes
pre-shared-key *
Is the following what I need to do in order to accomplish what I want:
priority-queue outside
class-map vpn_5Mb
match access-list vpn_1
match tunnel-group 61.172.142.222
policy-map police-priority-policy
class vpn_5Mb
police output 5120000
service-policy police-priority-policy interface outside
Thank you for your help.

I don't think the ASA will let you match on an ACL and a tunnel group at the same time.
Just the ACL will do though. The ACL should match local IP addresses (these are usually no-natted for the VPN anyway).
Here is a page with QoS examples on the ASA for reference: https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK
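Added example, not code from the thread or from Cisco: a small Python model of the two halves of the policy under discussion, classification by the crypto ACL alone (as PK suggests, with no tunnel-group match) followed by a single-rate token-bucket policer at 5,120,000 bit/s. The host addresses, the 64 kB burst and the packet trace are constructed for the demonstration; the ASA's real default burst is not assumed. One point the model makes visible is that `police output` caps the class at the configured rate and drops the excess; it does not reserve 5 Mb/s for the tunnel, so the rest of the link is still shared with whatever else the outside interface carries.

```python
import ipaddress

# Constructed equivalent of the thread's crypto ACL:
#   access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
#   access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
VPN_1_ACL = [
    (ipaddress.ip_network("10.14.102.0/24"), ipaddress.ip_network("0.0.0.0/0")),
    (ipaddress.ip_network("10.14.101.0/24"), ipaddress.ip_network("0.0.0.0/0")),
]


def matches_acl(src: str, dst: str, acl=VPN_1_ACL) -> bool:
    """Classification step (class-map 'match access-list'): a packet belongs to the
    class if any permit entry covers both its source and destination address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


class TokenBucketPolicer:
    """Single-rate token bucket in the spirit of 'police output <rate-bps> <burst-bytes>'.

    Tokens (bytes) refill continuously at rate_bps/8 per second, capped at burst_bytes.
    A packet conforms when the bucket holds at least its size; otherwise it exceeds
    and, with the default exceed-action, is dropped."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0

    def offer(self, t: float, size: int) -> bool:
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police_trace(packets, rate_bps=5_120_000, burst_bytes=64_000):
    """Run the policy-map logic over a time-ordered packet trace.

    packets: iterable of (time_seconds, src_ip, dst_ip, size_bytes).
    Returns byte totals for conforming and exceeding class traffic, and for traffic
    that never matched the class (and is therefore not policed at all)."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    totals = {"conform": 0, "exceed": 0, "unclassified": 0}
    for t, src, dst, size in packets:
        if not matches_acl(src, dst):
            totals["unclassified"] += size
        elif policer.offer(t, size):
            totals["conform"] += size
        else:
            totals["exceed"] += size
    return totals


def constructed_trace(seconds=2.0, pps=1000, size=1400):
    """Constructed sample: a host in 10.14.102.0/24 sends 1400-byte packets at
    1000 pps (11.2 Mb/s, more than the whole 10 Mb link) towards a peer-side
    address, interleaved with unrelated traffic from 10.20.0.5 at half that rate."""
    trace = []
    for i in range(int(seconds * pps)):
        t = i / pps
        trace.append((t, "10.14.102.10", "172.16.50.1", size))    # matched by vpn_1
        if i % 2 == 0:
            trace.append((t, "10.20.0.5", "198.51.100.7", size))  # not in the class
    return trace


def rate_mbps(byte_count: int, seconds: float) -> float:
    return byte_count * 8 / seconds / 1e6


if __name__ == "__main__":
    totals = police_trace(constructed_trace())
    for name, nbytes in totals.items():
        print(f"{name:13s} {nbytes:>9d} bytes  ({rate_mbps(nbytes, 2.0):.2f} Mb/s over the 2 s trace)")
```

Over the two-second trace the class conforms at just over 5.12 Mb/s (the configured rate plus the one-off burst), the rest of the VPN traffic exceeds and is dropped, and the unrelated 5.6 Mb/s from 10.20.0.5 passes untouched, which is why a second class or priority treatment is needed if that traffic must not crowd the tunnel.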

Similar Messages

  • Customer wants a public IP address for RDP after VPN Tunnel

    I have a customer that wants to set up a VPN tunnel with me with a public IP address and a public address for the host. I am completely at a loss as to how to accomplish this. The customer states that it is against his company policy to have a remote host to connect to that is not in the public address space. I have given him a public peer address to connect to for the establishment of the VPN tunnel. However he states that he needs the host to be in the public address space as well.
    What is my customer asking for? Surely he does not want me to put RDP on a public address?

    The motive of your customer is not very clear. If the motive is to hide the remote (RDP) addresses then we can do it by natting (static or dynamic). We can allow the natted IP as interesting traffic over the VPN tunnel. Because if we put the local IP into the public pool then we don't need a VPN tunnel; we can access it directly over the internet too.

  • SNMP Monitor PIX through VPN tunnel

    I have two Cisco PIX 515e firewalls configured in fail-over. The primary PIX has private address 192.168.1.5 and the secondary PIX (standby) has a private address 192.168.1.6. The PIX firewalls are running IOS 6.3.3. I'm connecting to the PIX firewalls through a VPN tunnel (PIXes terminate VPN tunnel) and my monitoring system uses SNMP to monitor devices behind the PIX firewalls and the primary PIX private IP address. I would also like to monitor the standby IP address 192.168.1.6 from the tunnel and have been unsuccessful thus far. I can do this from behind the PIX, but not through the tunnel (only the primary PIX).
    Is there a way I can SNMP monitor (and PING) the IP address of the standby PIX through the VPN tunnel?
    Please send email to [email protected]
    Thank you,
    frank

    Paul,
    Thank you for your email. Yes, we currently use this command to monitor the active private IP of the active PIX firewall through the VPN tunnel. What I would like to be able to monitor is the private IP address of the standby PIX firewall (it has a different IP address while in standby mode); I would like to make sure that it too is up and running (I can do this today for other PIX firewalls from the inside, but not through the tunnel).
    Best regards,
    Frank Pikelner
    Hi Frank,
    Don’t think you are going to get that to work due to the routing issues. Sending syslog messages to the snmp server is the only way I’ve done it in the past. Have you given this a try?
    http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1052111
    http://cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide09186a00800896ac.html
    I hope this is of some help.
    Cheers,
    Paul.

  • How to build 2 L2L vpn tunnels pointing to the same peer.

    I have a Cisco ASA 5505 on one side and a VMware device on the remote.  I have a vpn tunnel currently.  I need to establish a second tunnel to the same peer.  Because VMware is used on the remote side they can't have the more than one subnet on the tunnel.  I need two internal subnets to communicate to the remote peer.  Please help.
    Thanks,
    Ken

    Hi Tzy,
    Two tunnels for the same traffic on the same device are not possible, but you can configure redundancy for the 2 cellular links for the same traffic.
    But if the traffic is different for both the ACLs, then the tunnels should come up, but you need to define routes as to which traffic would use what interface.
    If there is a default route pointing to interface cell0/0/1 then all traffic will be taken using that interface, and you would then need to define either a static route for access-list 102 or a route-map to direct the traffic to the cell0/0/2 interface.
    On the ASA, you just need to configure the settings for a dynamic VPN tunnel.
    Hope that helps.
    Cheers,
    Abhi

  • WRED+bandwidth allocation algorithm ?

    Dear Gurus!
    Please tell me what the bandwidth allocation algorithm is:
    I have 3 flows within 1 class-map.
    WRED is enabled on the output ATM pvc(the total bandwidth of pvc is 2000kbps).
    Flows have dscp marks af11(10) af12(12) af13(14).
    When the pvc is congested the flows get the following bandwidth share in outgoing interface: af11(dscp 10) - 59% ; af12(dscp 12) - 40%; af13(dscp 14) - 1%; + bulk traffic with dscp 0.
    Total bandwidth allocated for flows 10, 12, 14 is near 1500000 bits per sec (75% of 2000kbps).
    All flows have same packet sizes - 1400 bytes
    Please tell me how the 7200 calculates bandwidth allocation between the flows with dscp 10, 12 and 14.
    I have the following
    router 7206
    IOS (tm) 7200 Software (C7200-JK8S-M), Version 12.2(13), RELEASE SOFTWARE (fc1)
    cisco 7206VXR (NSE-1) processor (revision A)
    ATM PA - OC3
    config:
    class-map match-all af11
    match ip dscp af11 af12 af13
    policy-map gold
    class af11
    bandwidth percent 65
    random-detect dscp-based
    random-detect dscp 10 28 45 10
    random-detect dscp 12 28 43 10
    random-detect dscp 14 28 40 10
    class class-default
    bandwidth percent 10
    interface ATM2/0.34 point-to-point
    description RBNet
    bandwidth 2000
    ip address 10.0.4.1 255.255.255.252
    pvc rbnet 15/64
    vbr-nrt 2000 1500 50
    tx-ring-limit 3
    encapsulation aal5mux ip
    service-policy output gold
    Thanks in advance, Andrei

    Ok Andrei,
    Here's my thinking about what is happening...
    You are transmitting a total of 300*1400*8 = 3.36Mbps into a circuit that is configured for 2Mbps. Since this traffic is being sent at a continuous rate, that means that the queue is in a state of constant congestion. In fact, the size of the queue is going to be sitting around the maximum of 45 packets pretty much all the time. The only time that space is created in the queue is when:
    1. A packet is scheduled out of the queue
    2. Packets are dropped due to RED
    Now, if the queue is always around the 45 packet mark, that means that once the queue reaches that point, all packets for DSCP 14 are going to be dropped since the queue depth is greater than the maximum threshold of 40 for DSCP 14.
    Considering the DSCP 10 traffic now...Both the DSCP 10 and DSCP 12 traffic is operating in the RED drop zone since the queue size is much higher than their minimum threshold of 20. Therefore, roughly 1/10 packets are getting dropped for each of these flows. 1/10 of each flow would give you roughly 2 packets of each based on the fact that very little of the DSCP 14 traffic is getting through. Every time RED drops these packets, space is created in the queue and if at that point, the queue size is less than 43, packets for DSCP 12 are accepted. The queue size is always going to be less than or equal to 45, so slightly more of the DSCP 10 packets are accepted.
    I hope that explains the behaviour adequately.
    Pls do remember to rate posts.
    Paresh
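Added example, not code from the thread or from Cisco IOS: a Python event simulation of the situation Paresh describes, using the WRED thresholds from Andrei's config (dscp 10/12/14 with min 28, max 45/43/40, mark probability denominator 10), 1400-byte packets, three flows of 100 pps each (Paresh's 300 pps) and a drain rate of 1500000 bit/s, the share Andrei observed the class actually getting. Two modelling assumptions: drop decisions use a fractional credit counter instead of random draws so the run is reproducible, and by default the thresholds are compared against the instantaneous queue depth (as Paresh's reasoning does) rather than the exponentially weighted average IOS uses; `avg_weight=2 ** -9` switches to the latter.

```python
from collections import deque

PACKET_BITS = 1400 * 8                     # all three flows use 1400-byte packets
# WRED thresholds as configured in the thread:
# dscp -> (min-threshold, max-threshold, mark-probability-denominator)
WRED_PROFILE = {10: (28, 45, 10), 12: (28, 43, 10), 14: (28, 40, 10)}


class WredQueue:
    """One FIFO queue with per-DSCP WRED drop decisions (modelling assumption:
    deterministic fractional-credit drops rather than random draws)."""

    def __init__(self, profile, avg_weight=1.0):
        self.profile = profile
        # 1.0 = act on the instantaneous depth; 2 ** -9 mimics IOS's default
        # exponential-weighting-constant of 9
        self.avg_weight = avg_weight
        self.q = deque()
        self.avg = 0.0
        self.credit = {d: 0.0 for d in profile}
        self.accepted = {d: 0 for d in profile}
        self.dropped = {d: 0 for d in profile}

    def drop_probability(self, dscp):
        lo, hi, denom = self.profile[dscp]
        if self.avg < lo:
            return 0.0
        if self.avg >= hi:
            return 1.0
        # linear ramp from 0 at min-threshold to 1/denominator at max-threshold
        return (self.avg - lo) / (hi - lo) / denom

    def offer(self, dscp):
        """Apply WRED to one arriving packet; returns True if it was enqueued."""
        self.avg = (1 - self.avg_weight) * self.avg + self.avg_weight * len(self.q)
        self.credit[dscp] += self.drop_probability(dscp)
        if self.credit[dscp] >= 1.0:
            self.credit[dscp] -= 1.0
            self.dropped[dscp] += 1
            return False
        self.q.append(dscp)
        self.accepted[dscp] += 1
        return True


def simulate(drain_bps=1_500_000, pps_per_flow=100, seconds=10.0, avg_weight=1.0):
    """Three equal flows (DSCP 10, 12, 14) of 1400-byte packets, pps_per_flow each,
    into one WRED queue drained at drain_bps. Returns per-DSCP packet counts
    sent, dropped by WRED, and served (transmitted) within the simulated window."""
    wq = WredQueue(WRED_PROFILE, avg_weight)
    flows = sorted(WRED_PROFILE)
    slot = 1.0 / pps_per_flow
    service_time = PACKET_BITS / drain_bps
    # constructed arrival schedule; the DSCP order rotates every slot so that no
    # flow systematically gets the first shot at a freed queue position
    arrivals = [(i * slot + k * slot / 3, flows[(i + k) % 3])
                for i in range(int(seconds * pps_per_flow)) for k in range(3)]
    served = {d: 0 for d in flows}
    in_service, t_dep, idx = None, float("inf"), 0
    while True:
        t_arr = arrivals[idx][0] if idx < len(arrivals) else float("inf")
        if min(t_arr, t_dep) > seconds:
            break
        if t_arr <= t_dep:                                  # arrival event
            t, dscp = arrivals[idx]
            idx += 1
            if wq.offer(dscp) and in_service is None:       # link idle: send at once
                in_service, t_dep = wq.q.popleft(), t + service_time
        else:                                               # departure event
            served[in_service] += 1
            if wq.q:
                in_service, t_dep = wq.q.popleft(), t_dep + service_time
            else:
                in_service, t_dep = None, float("inf")
    sent = {d: sum(1 for _, f in arrivals if f == d) for d in flows}
    return {"sent": sent, "dropped": wq.dropped, "served": served}


def bandwidth_share(served):
    """Percentage of the served packets (hence of the drained bandwidth) per DSCP."""
    total = sum(served.values()) or 1
    return {d: round(100.0 * n / total, 1) for d, n in served.items()}


if __name__ == "__main__":
    result = simulate()
    print("sent   ", result["sent"])
    print("dropped", result["dropped"])
    print("served ", result["served"])
    print("share %", bandwidth_share(result["served"]))
```

The run reproduces the shape of Andrei's measurement: once the depth passes 40 every DSCP 14 packet is discarded, the queue then hovers around the DSCP 12 maximum of 43 so that flow is admitted only part of the time, and DSCP 10 loses only the roughly one-in-ten packets its RED ramp takes, so it ends up with well over half of the class's bandwidth while DSCP 14 gets a percent or two from the start-up period alone.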

  • Bandwidth allocation | default class|CBWFQ

    Hi everybody
    Let's say we have a 100 mig circuit. Max-reserved bandwidth is 100 mig as well. We make the following allocations:
    Class A
    bandwidth 20
    Class B
    bandwidth 60
    Class  Default.
    1) We did not make any bandwidth allocations for the default class. Assuming we are congested (i.e. class A, class B), what is the maximum bandwidth class default can use?
    2) Let's say we are congested (class A, class B) but there is no traffic in the default class. How will this unused 20 mig be distributed among class A and class B?
    ++++++++++++++++++++++++++++++++++
    I am getting confusing answers:
    For example:
    From one of the blogs (don't want to pick on the author so did not quote it):
    You'll want to configure a bandwidth command under the class class-default. Otherwise, IOS will divide any unallocated bandwidth equally among all classes; this can result in the class-default having a very small amount of bandwidth.
    Cisco QOS  Documentation says:
    http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_cr.pdf
    From the above link:
    The following output from the show policy-map interface command on serial interface 3/2 shows that 500 kbps of bandwidth is guaranteed for the class
    named voice1. The classes named class1 and class2 receive 50 percent and 25 percent of the remaining bandwidth, respectively. Any unallocated bandwidth
    is divided proportionally among class1, class2, and any best-effort traffic classes
    Which One is true statement?
    If Cisco documentation is correct, then what proportion of unallocated bandwidth is given to default class as there is no bandwidth percentage configured under default class.
    Thanks

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    #2 If there's just traffic for classes A and B, they will proportionally share it 20:60 or 1:3 (or 25%:75%).  (NB: the former is assuming they want "more".  If not, actual usage might not reflect bandwidth allocation.  For example, if class B only used/wanted 50% of link, class A could obtain the other 50%.)
    #1 I recall finding some blog that really went deep into what class-default gets when you don't explicitly allocate bandwidth. I also recall it may have been IOS version dependent and whether FIFO or FQ was defined in class-default (this also was pre-HQF).
    It was very complicated, and IMO, best avoided by defining bandwidth in class-default, if class-default usage, relative to other defined classes, is important to your QoS policy.
    Generally, if something isn't clearly documented as expected behavior, I avoid relying on "discovered" actual behavior, because it might change with next IOS release.

  • Router-to-PIX VPN Tunnels fade in and out

    Does anyone know of any problems with router-to-PIX VPN tunnels? For a number of months we've had about 35 831 routers VPN'd into our PIX 515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
    When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the VPN tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. The only problem with that is that some of the locations are having to reboot their 831 router more than two or three times a day.
    I've added keepalive statements into the config of the routers and the PIX. Specifically I've added these two lines to the routers:
    crypto isakmp keepalive 10 5
    crypto ipsec security-association lifetime seconds 28800
    I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
    Thank you,
    Chris

    Try using the debug commands and see if you are getting any error messages that might give us some idea.

  • Multiple Site-Site VPN Tunnel on a Single PiX Firewall

    I currently have a site-to-site VPN tunnel (VPN1) between HK (PIX ver 6.1(2)) and Leeds (ASA version 7.2(2)). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a PIX 506E ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shut down VPN1 when VPN2 is up.
    On the HK PIX I am using the same isakmp policy and transform-set and have created another crypto map for the new VPN (VPN2).
    On passing interesting traffic to establish the new tunnel from the Leeds end, I am getting the following debugging errors.
    Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!
    Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
    Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!
    Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
    sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!
    Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
    sh crypto isakmp sa
    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1 IKE Peer: 192.168.0.1
    Type : L2L Role : initiator
    Rekey : no State : MM_ACTIVE
    Site HK - PIX1(192.168.0.1)
    crypto ipsec transform-set chevvie esp-des esp-md5-hmac
    (crypto map for existing VPN (VPN1))
    crypto map transam 1 ipsec-isakmp
    crypto map transam 1 match address 101
    crypto map transam 1 set peer 192.168.0.2
    crypto map transam 1 set transform-set chevvie
    (new crypto map for new VPN (VPN2))
    crypto map transam 2 ipsec-isakmp
    crypto map transam 2 match address 101
    crypto map transam 2 set peer 192.168.0.3
    crypto map transam 2 set transform-set chevvie
    crypto map transam interface outside
    isakmp enable outside
    isakmp key ****** address 192.168.0.2 netmask 255.255.255.255
    isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 1000
    isakmp am-disable
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    Site - Leeds PIX2 (192.168.0.3)
    crypto ipsec transform-set ford esp-des esp-md5-hmac
    crypto map VPNHK 2 match address outside_crypto_acl
    crypto map VPNHK 2 set peer 192.168.0.1
    crypto map VPNHK 2 set transform-set ford
    crypto map VPNHK interface outside
    isakmp identity address
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 1000
    isakmp am-disable
    tunnel-group 192.168.0.1 type ipsec-l2l
    tunnel-group 192.168.0.1 ipsec-attributes
    pre-shared-key ev0lut10n
    sysopt connection permit-ipsec
    Your assistance will be greatly appreciated.

    How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet to Leeds2.
    Peter

  • EZVPN Router to PIX - vpn tunnel fails after xauth

    I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment if this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.
    Ken

    Thank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. I was hoping the PIX config wouldn't need any changes since it's working for the software VPN clients. I tried your NAT suggestion:
    ip nat inside source list 100 interface Ethernet0 overload
    ip nat inside source list Lan_Addresses interface Ethernet0 overload
    ip access-list standard Lan_Addresses
    permit 192.168.5.0 0.0.0.255
    access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
    access-list 100 permit ip 192.168.5.0 0.0.0.255 any
    This didn't change things. Also, things behave differently when I use a bad username/password, for example:
    AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
    Username: baduser
    Password:
    AADDAA#
    *Mar 14 06:27:07.891: xauth-type: 0
    *Mar 14 06:27:07.895: username: baduser
    *Mar 14 06:27:07.895: password:
    *Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.XX. ID = -475558296
    *Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 500 peer_port 500 (I) CONF_XAUTH
    *Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
    *Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason "Done with xauth request/reply exchange"
    *Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
    *Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State = IKE_XAUTH_REPLY_SENT
    *Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport 500 sport 500 Global (I) CONF_XAUTH
    *Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
    *Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.XXX.XX. message ID = 559535353
    *Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
    *Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
    *Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
    *Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State = IKE_XAUTH_REPLY_AWAIT
    *Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the following command:
    *Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth
    Thanks again,
    Ken

  • Can QoS be implemented when VPN tunnel bandwidth is unknown?

    Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown. In other words is it possible to have QoS bandwidth parameters to be automatically detected/adapted to the actual bandwidth?

    Hey Martin,
    Thanks for your reply. I think IntServ won't be a solution straight away; I'll try to explain what I would like to do.
    My issue is that I have a few locations which are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except port 80 and 443. The connection could be a simple ISDN dial-in or a dedicated T1 link.
    Because there is a Cisco VoIP router on the mobile location and some users' data should have precedence over others' I would like to implement QoS.
    My idea was that if I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Networks stuff if the Cisco can't do site-to-site SSL) I would have more control over the internet link. I would not be limited to using only port 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
    It's likely that this VPN link would always consume the maximum available bandwidth. If it were possible for some QoS mechanism to "detect" the speed of the VPN I could, let's say, dedicate bandwidth for 4 VoIP calls and the remaining bandwidth could be made available for normal traffic. Note that this normal traffic should have some priority levels too.
    Assigning dedicated bandwidth to VoIP isn't a big problem I think, however how can I make x percent of the remaining bandwidth available to user x and y percent available to user y?
    I hope I wrote it understandably ;).
    Regards

  • Multiple VPN tunnels on Multiple interfaces on PIX

    We have a PIX 515 with 5 interfaces in it; I have 2 different ISPs connected to 2 different interfaces on the PIX. I want to create 2 different IPsec tunnels from our office in Toronto. Toronto has 2 different ISPs in their router. How can I create 2 different IPsec tunnels on two different interfaces on a PIX 515?

    Thank you for the reply -
    So if I had Internet---router---PIX---inside. I have a router for each ISP and then the routers are connected to the PIX. I would then terminate the VPN tunnels on the routers? How would I route the traffic from the inside to the outside for the VPN tunnels?

  • Can i use same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    I want to create a different remote access VPN profile in the ASA. I have one RA VPN already configured for some purpose.
    Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool; it's a temporary requirement)?
    thanks in advance
    Shnail

    Thanks Karsten..
    But still I can have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
    So I am planning to create new local usernames for the new RA and a new group policy with a vpn-filter value access-list to apply for that user as below. This will achieve what I need, right?
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • VPN tunnels for multiple sites

    Hi, I am building new VPN tunnels for multiple sites using 2 ASR 1004s and 100 remote devices, Cisco 2800 routers.
    I am thinking of using GETVPN to do it; am I thinking correctly? Can I use DMVPN? What else is there?
    thanks 

    Is there a need for branch to branch communication?  If so, I would go with the DMVPN option using a single tier, dual DMVPN cloud topology which will allow for spoke to spoke communication.
    Matt

  • Which wireless router do I need for multiple VPN tunnels?

    I work at home and I connect to my office VPN (SSH Extranet Client) thru cable broadband. I need to have 2 VPN tunnels open as I frequently have my laptop & desktop connected to my work VPN. I've had a BEFSX41 for the past 3 years and it's worked well as it allowed for 2 VPN tunnels. It just died on me a few days ago and I would like to go wireless now. What wireless router(s) would meet my needs? Thanks in advance for any input.

    Hi, the WRV200 will be a good choice.... it supports up to 50 tunnels and has wireless capabilities....

  • 2 VPN tunnels for failover

    I am looking at turning up an Amazon AWS Windows Server 2008 R2 Datacenter instance and want to enable failover for a VPN tunnel in case one ISP goes down: 2 VPN tunnels from the server to a dual-WAN Cisco router over 2 different ISPs, so that
    if one ISP goes down, the other will work, while still providing for RDP access over the WAN IP.
    How can this be done cost efficiently?

    Not sure you'll get an answer here, this forum is for the Microsoft product Virtual Server 2005.
    A forum that deals with AWS would be a better place to ask.
