Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)
Hello,
I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN tunnels configured: Tunnel1, Tunnel2 ... TunnelN. I want to be able to guarantee 5Mb of the total 10Mb to a specific VPN tunnel. Is this possible? I have read the following links; however, I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4
https://supportforums.cisco.com/docs/DOC-1230
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos
The tunnel is being defined by the following commands:
crypto map prdmay 20 match address vpn_1
crypto map prdmay 20 set peer 61.172.142.222
crypto map prdmay 20 set transform-set TS
access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
tunnel-group 61.172.142.222 type ipsec-l2l
tunnel-group 61.172.142.222 ipsec-attributes
pre-shared-key *
Is the following what I need to do in order to accomplish what I want?
priority-queue outside
class-map vpn_5Mb
match access-list vpn_1
match tunnel-group 61.172.142.222
policy-map police-priority-policy
class vpn_5Mb
police output 5120000
service-policy police-priority-policy interface outside
Thank you for your help.
I don't think the ASA will let you match on an ACL and a tunnel group at the same time.
Just the ACL will do, though. The ACL should match local IP addresses (they are usually no-NATted for the VPN anyway).
Here is a page with QoS examples on the ASA for reference: https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK
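As an added illustration (not code from this thread), the following Python models the `police output` action in the posted policy-map as the single-rate token bucket the ASA documents (conform-rate in bits per second, burst-size in bytes) and runs it over a constructed stream of 1400-byte packets. It assumes the ASA default burst-size of 1500 bytes and the default exceed action of drop; the rate 5120000 is the one in the post.

```python
"""Effect of an ASA 'police output <conform-rate> [<burst-size>]' action on the
traffic a QoS class-map selects (for example the packets matched by vpn_1).

Added example, not from the original thread. Modelled as a single-rate token
bucket: tokens are bytes, refilled at conform-rate/8 bytes per second, capped at
burst-size. A packet conforms when enough tokens are present; otherwise it is
dropped (ASA default exceed action). The 1500-byte burst is the ASA default
burst-size and is assumed here.
"""
from dataclasses import dataclass, field

# Rate from the posted policy-map ('police output 5120000'), in bits per second.
POSTED_RATE_BPS = 5_120_000


@dataclass
class TokenBucketPolicer:
    """Single-rate policer: one bucket of byte tokens, no excess burst."""
    conform_rate_bps: int
    burst_bytes: int = 1500                 # assumed ASA default burst-size
    tokens: float = field(init=False)
    last_seen_s: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, arrival_s: float, size_bytes: int) -> bool:
        """True if the packet conforms (is sent), False if it exceeds (dropped)."""
        elapsed = max(0.0, arrival_s - self.last_seen_s)
        self.last_seen_s = arrival_s
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + self.conform_rate_bps / 8 * elapsed)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def constant_rate_stream(offered_bps: int, packet_bytes: int, count: int):
    """Constructed input: `count` packets of `packet_bytes` sent back to back."""
    interval_s = packet_bytes * 8 / offered_bps
    return [(i * interval_s, packet_bytes) for i in range(count)]


def police_stream(stream, conform_rate_bps: int, burst_bytes: int = 1500):
    """Run a (time, size) stream through a policer; return (conforming, dropped)."""
    policer = TokenBucketPolicer(conform_rate_bps, burst_bytes)
    conforming = dropped = 0
    for arrival_s, size in stream:
        if policer.offer(arrival_s, size):
            conforming += 1
        else:
            dropped += 1
    return conforming, dropped


def achieved_bps(stream, conform_rate_bps: int, burst_bytes: int = 1500) -> float:
    """Throughput the class actually gets after policing, in bits per second."""
    conforming, _ = police_stream(stream, conform_rate_bps, burst_bytes)
    first_t, size = stream[0]
    slot_s = stream[1][0] - first_t              # one inter-packet interval
    duration_s = stream[-1][0] - first_t + slot_s  # count the last packet's slot
    return conforming * size * 8 / duration_s


if __name__ == "__main__":
    for offered in (4_000_000, 10_000_000):
        stream = constant_rate_stream(offered, 1400, 1000)
        ok, dropped = police_stream(stream, POSTED_RATE_BPS)
        print(f"offered {offered / 1e6:.1f} Mb/s: {ok} conform, {dropped} dropped, "
              f"~{achieved_bps(stream, POSTED_RATE_BPS) / 1e6:.2f} Mb/s through")
```

A policer only caps the class at the configured rate; it does not hold bandwidth for the tunnel when the link is congested, which is the job of the queueing mechanisms (priority-queue and the linked QoS notes) rather than of policing.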
Similar Messages
-
Customer wants a public IP address for RDP after VPN Tunnel
I have a customer that wants to set up a VPN tunnel with me with a public IP address and a public address for the host. I am completely at a loss as to how to accomplish this. The customer states that it is against his company policy to have a remote host to connect to that is not in the public address space. I have given him a public peer address to connect to for the establishment of the VPN tunnel. However, he states that he needs the host to be in the public address space as well.
What is my customer asking for? Surely he does not want me to put RDP on a public address?
The motive of your customer is not very clear. If the motive is to hide the remote (RDP) addresses, then we can do it by NATting (static or dynamic). We can allow the NATted IP as interesting traffic over the VPN tunnel. Because if we are putting the local IP into the public pool, then we don't need a VPN tunnel. We can access it directly over the internet too.
-
SNMP monitor PIX through VPN tunnel
I have two Cisco PIX 515e firewalls configured in fail-over. The primary PIX has private address 192.168.1.5 and the secondary PIX (standby) has private address 192.168.1.6. The PIX firewalls are running IOS 6.3.3. I'm connecting to the PIX firewalls through a VPN tunnel (the PIXes terminate the VPN tunnel) and my monitoring system uses SNMP to monitor devices behind the PIX firewalls and the primary PIX private IP address. I would also like to monitor the standby IP address 192.168.1.6 from the tunnel and have been unsuccessful thus far. I can do this from behind the PIX, but not through the tunnel (only the primary PIX).
Is there a way I can SNMP monitor (and PING) the IP address of the standby PIX through the VPN tunnel?
Please send email to [email protected]
Thank you,
Frank
Paul,
Thank you for your email. Yes, we currently use this command to monitor the active private IP of the active PIX firewall through the VPN tunnel. What I would like to be able to monitor is the private IP address of the standby PIX firewall (it has a different IP address while in standby mode) and make sure that it too is up and running (I can do this today for other PIX firewalls from the inside, but not through the tunnel).
Best regards,
Frank Pikelner
Hi Frank,
Don't think you are going to get that to work due to the routing issues. Sending syslog messages to the SNMP server is the only way I've done it in the past. Have you given this a try?
http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1052111
http://cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide09186a00800896ac.html
I hope this is of some help.
Cheers,
Paul. -
How to build 2 L2L vpn tunnels pointing to the same peer.
I have a Cisco ASA 5505 on one side and a VMware device on the remote side. I have a VPN tunnel currently. I need to establish a second tunnel to the same peer. Because VMware is used on the remote side, they can't have more than one subnet on the tunnel. I need two internal subnets to communicate with the remote peer. Please help.
Thanks,
Ken
Hi Tzy,
Two tunnels for the same traffic on the same device is not possible, but you can configure redundancy for the 2 cellular links for the same traffic.
But if the traffic is different for both the ACLs, then the tunnels should come up, but you need to define routes as to which traffic would use which interface.
If there is a default route pointing to interface cell0/0/1, then all traffic will be sent using that interface, and you would then need to define either a static route for access-list 102 or a route-map to direct the traffic to the cell0/0/2 interface.
On the ASA, you just need to configure the settings for a dynamic VPN tunnel.
Hope that helps.
Cheers,
Abhi -
WRED+bandwidth allocation algorithm ?
Dear Gurus!
Please tell me what the bandwidth allocation algorithm is:
I have 3 flows within 1 class-map.
WRED is enabled on the output ATM PVC (the total bandwidth of the PVC is 2000 kbps).
Flows have dscp marks af11(10) af12(12) af13(14).
When the PVC is congested the flows get the following bandwidth share on the outgoing interface: af11 (dscp 10) - 59%; af12 (dscp 12) - 40%; af13 (dscp 14) - 1%; plus bulk traffic with dscp 0.
Total bandwidth allocated for flows 10, 12, 14 is near 1500000 bits per second (75% of 2000 kbps).
All flows have the same packet size - 1400 bytes.
Please tell me how the 7200 calculates the bandwidth allocation between the flows with dscp 10, 12 and 14.
I have the following
router 7206
IOS (tm) 7200 Software (C7200-JK8S-M), Version 12.2(13), RELEASE SOFTWARE (fc1)
cisco 7206VXR (NSE-1) processor (revision A)
ATM PA - OC3
config:
class-map match-all af11
match ip dscp af11 af12 af13
policy-map gold
class af11
bandwidth percent 65
random-detect dscp-based
random-detect dscp 10 28 45 10
random-detect dscp 12 28 43 10
random-detect dscp 14 28 40 10
class class-default
bandwidth percent 10
interface ATM2/0.34 point-to-point
description RBNet
bandwidth 2000
ip address 10.0.4.1 255.255.255.252
pvc rbnet 15/64
vbr-nrt 2000 1500 50
tx-ring-limit 3
encapsulation aal5mux ip
service-policy output gold
Thanks in advance, Andrei
Ok Andrei,
Here's my thinking about what is happening...
You are transmitting a total of 300*1400*8 = 3.36 Mbps into a circuit that is configured for 2 Mbps. Since this traffic is being sent at a continuous rate, that means that the queue is in a state of constant congestion. In fact, the size of the queue is going to be sitting around the maximum of 45 packets pretty much all the time. The only time that space is created in the queue is when:
1. A packet is scheduled out of the queue
2. Packets are dropped due to RED
Now, if the queue is always around the 45 packet mark, that means that once the queue reaches that point, all packets for DSCP 14 are going to be dropped since the queue depth is greater than the maximum threshold of 40 for DSCP 14.
Considering the DSCP 10 traffic now... Both the DSCP 10 and DSCP 12 traffic are operating in the RED drop zone since the queue size is much higher than their minimum threshold of 20. Therefore, roughly 1/10 packets are getting dropped for each of these flows. 1/10 of each flow would give you roughly 2 packets of each based on the fact that very little of the DSCP 14 traffic is getting through. Every time RED drops these packets, space is created in the queue and if at that point the queue size is less than 43, packets for DSCP 12 are accepted. The queue size is always going to be less than or equal to 45, so slightly more of the DSCP 10 packets are accepted.
I hope that explains the behaviour adequately.
Please do remember to rate posts.
Paresh
-
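To make the reasoning above concrete, here is an added Python example (not code from the thread) that implements Cisco's published WRED drop curve for the three `random-detect dscp` lines in the posted policy-map and runs a small arrival/drain simulation at the posted load (3 flows, 1400-byte packets, 2000 kbps PVC). Assumed simplifications: instantaneous queue depth stands in for the exponentially weighted average, a depth at or above max-threshold drops everything, the queue drains at the PVC rate, and the 100 pps per flow is constructed to give the 300 pps (3.36 Mb/s) the reply reasons about.

```python
"""WRED drop decisions for the af11/af12/af13 flows in the posted 'gold' policy.

Added example, not from the original thread. drop_probability() follows the
documented WRED curve: no drops below min-threshold, a linear ramp reaching
1/mark-probability-denominator at max-threshold, and all packets dropped above
it (depth == max is treated as above; assumption). simulate() offers one packet
per flow in round robin and drains the queue at the PVC rate, using the
instantaneous depth instead of the EWMA average (assumption).
"""
import random

# random-detect dscp <dscp> <min-threshold> <max-threshold> <mark-prob-denominator>
WRED_PROFILE = {
    10: (28, 45, 10),   # af11
    12: (28, 43, 10),   # af12
    14: (28, 40, 10),   # af13
}


def drop_probability(dscp: int, queue_depth: float) -> float:
    """Probability that WRED drops an arriving packet of `dscp` at this depth."""
    lo, hi, denominator = WRED_PROFILE[dscp]
    if queue_depth < lo:
        return 0.0
    if queue_depth >= hi:
        return 1.0
    return (queue_depth - lo) / (hi - lo) / denominator


def simulate(ticks: int = 200_000, link_bps: int = 2_000_000,
             pps_per_flow: int = 100, packet_bytes: int = 1400,
             seed: int = 1) -> dict:
    """Return each DSCP's share of the packets admitted to the queue."""
    rng = random.Random(seed)
    flows = list(WRED_PROFILE)                  # arrivals: 10, 12, 14, 10, ...
    arrivals_per_s = len(flows) * pps_per_flow  # 300 pps offered (constructed)
    # Packets served per arrival slot at the PVC rate: ~0.595 for these numbers.
    drain_per_tick = (link_bps / 8 / packet_bytes) / arrivals_per_s
    queue = 0.0
    admitted = {d: 0 for d in flows}
    for i in range(ticks):
        queue = max(0.0, queue - drain_per_tick)   # service between arrivals
        dscp = flows[i % len(flows)]
        if rng.random() >= drop_probability(dscp, queue):
            queue += 1
            admitted[dscp] += 1
    total = sum(admitted.values())
    return {d: n / total for d, n in admitted.items()}


if __name__ == "__main__":
    for depth in (27, 35, 40, 43, 44):
        print(depth, {d: round(drop_probability(d, depth), 3) for d in WRED_PROFILE})
    print({d: f"{s:.1%}" for d, s in simulate().items()})
```

Because af13's max-threshold (40) is below the depth at which the queue settles, it is admitted only during brief dips, and af12 loses packets whenever the depth reaches 43, which is what produces the skewed shares the poster measured.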
Bandwidth allocation | default class|CBWFQ
Hi everybody
Let's say we have a 100 meg circuit. Max-reserved bandwidth is 100 meg as well. We make the following allocations:
Class A
bandwidth 20
Class B
bandwidth 60
Class Default.
1) We did not make any bandwidth allocation for the default class. Assuming we are congested (i.e. class A, class B), what is the maximum bandwidth class default can use?
2) Let's say we are congested (class A, class B) but there is no traffic in the default class. How will this unused 20 meg be distributed among class A and class B?
++++++++++++++++++++++++++++++++++
I am getting confusing answers:
For example:
From one of the blogs (don't want to pick on the author, so did not quote it):
You'll want to configure a bandwidth command under the class class-default. Otherwise, IOS will divide any unallocated bandwidth equally among all classes; this can result in the class-default having a very small amount of bandwidth.
Cisco QOS Documentation says:
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_cr.pdf
From the above link:
The following output from the show policy-map interface command on serial interface 3/2 shows that 500 kbps of bandwidth is guaranteed for the class named voice1. The classes named class1 and class2 receive 50 percent and 25 percent of the remaining bandwidth, respectively. Any unallocated bandwidth is divided proportionally among class1, class2, and any best-effort traffic classes.
Which one is the true statement?
If Cisco documentation is correct, then what proportion of unallocated bandwidth is given to default class as there is no bandwidth percentage configured under default class.
Thanks
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
#2 If there's just traffic for classes A and B, they will proportionally share it 20:60 or 1:3 (or 25%:75%). (NB: the former is assuming they want "more". If not, actual usage might not reflect bandwidth allocation. For example, if class B only used/wanted 50% of link, class A could obtain the other 50%.)
#1 I recall finding some blog that really went deep into what class-default gets when you don't explicitly allocate bandwidth. I also recall it may have been IOS version dependent and whether FIFO or FQ was defined in class-default (this also was pre-HQF).
It was very complicated, and IMO, best avoided by defining bandwidth in class-default, if class-default usage, relative to other defined classes, is important to your QoS policy.
Generally, if something isn't clearly documented as expected behavior, I avoid relying on "discovered" actual behavior, because it might change with next IOS release. -
Router-to-PIX VPN Tunnels fade in and out
Does anyone know of any problems with router-to-PIX VPN tunnels? For a number of months we've had about 35 831 routers VPN'd into our PIX 515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the VPN tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. The only problem with that is that some of the locations are having to reboot their 831 router more than two or three times a day.
I've added keepalive statements into the config of the routers and the PIX. Specifically I've added these two lines to the routers:
crypto isakmp keepalive 10 5
crypto ipsec security-association lifetime seconds 28800
I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
Thank you,
Chris
Try using the debug commands and see if you are getting any error messages that might give us some idea.
-
Multiple Site-Site VPN Tunnel on a Single PiX Firewall
I currently have a site-to-site VPN tunnel (VPN1) between HK (PIX ver 6.1(2)) and Leeds (ASA version 7.2(2)). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a PIX 506E ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shut down VPN1 when VPN2 is up.
On the HK PIX I am using the same isakmp policy and transform-set and have created another crypto map for the new VPN (VPN2).
On passing interesting traffic to establish the new tunnel for the Leeds end, I am getting the following debugging errors.
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!
Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.0.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Site HK - PIX1(192.168.0.1)
crypto ipsec transform-set chevvie esp-des esp-md5-hmac
(crypto map for existing VPN (VPN1))
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
(new crypto map for new VPN (VPN2))
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
isakmp enable outside
isakmp key ****** address 192.168.0.2 netmask 255.255.255.255
isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Site - Leeds PIX2 (192.168.0.3)
crypto ipsec transform-set ford esp-des esp-md5-hmac
crypto map VPNHK 2 match address outside_crypto_acl
crypto map VPNHK 2 set peer 192.168.0.1
crypto map VPNHK 2 set transform-set ford
crypto map VPNHK interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 ipsec-attributes
pre-shared-key ev0lut10n
sysopt connection permit-ipsec
Your assistance will be greatly appreciated.
How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet for Leeds2.
Peter -
EZVPN Router to PIX - vpn tunnel fails after xauth
I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment if this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.
Ken
Thank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. I was hoping the PIX config wouldn't need any changes since it's working for the software VPN clients. I tried your NAT suggestion:
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source list Lan_Addresses interface Ethernet0 overload
ip access-list standard Lan_Addresses
permit 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
This didn't change things. Also, things behave differently when I use a bad username/password, for example:
AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
Username: baduser
Password:
AADDAA#
*Mar 14 06:27:07.891: xauth-type: 0
*Mar 14 06:27:07.895: username: baduser
*Mar 14 06:27:07.895: password:
*Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.XX. ID = -475558296
*Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 500 peer_port 500 (I) CONF_XAUTH
*Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
*Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason "Done with xauth request/reply exchange"
*Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
*Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State = IKE_XAUTH_REPLY_SENT
*Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport 500 sport 500 Global (I) CONF_XAUTH
*Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
*Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.XXX.XX. message ID = 559535353
*Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
*Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State = IKE_XAUTH_REPLY_AWAIT
*Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the following command:
*Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth
Thanks again,
Ken -
Can QoS be implemented when VPN tunnel bandwidth is unknown?
Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown? In other words, is it possible for QoS bandwidth parameters to be automatically detected/adapted to the actual bandwidth?
Hey Martin,
Thanks for your reply. I think IntServ won't be a solution straight away; I'll try to explain what I would like to do.
My issue is that I have a few locations which are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except ports 80 and 443. The connection could be a simple ISDN dial-in or a dedicated T1 link.
Because there is a Cisco VoIP router at the mobile location and some users' data should have precedence over others', I would like to implement QoS.
My idea was that if I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Networks gear if the Cisco can't do site-to-site SSL) I would have more control over the internet link. I would not be limited to using only ports 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
It's likely that this VPN link would always consume the maximum available bandwidth. If it were possible for some QoS mechanism to "detect" the speed of the VPN, I could, let's say, dedicate bandwidth for 4 VoIP calls and make the remaining bandwidth available for normal traffic. Note that this normal traffic should have some priority levels too.
Assigning dedicated bandwidth to VoIP isn't a big problem I think; however, how can I make x percent of the remaining bandwidth available to user x and y percent available to user y?
I hope I wrote it understandably ;).
Regards -
Multiple VPN tunnels on Multiple interfaces on PIX
We have a PIX 515 with 5 interfaces in it. I have 2 different ISPs connected to 2 different interfaces on the PIX. I want to create 2 different IPsec tunnels from our office in Toronto. Toronto has 2 different ISPs in their router. How can I create 2 different IPsec tunnels on two different interfaces on a PIX 515?
Thank you for the reply -
So if I had Internet---router---PIX---inside. I have a router for each ISP and then the routers are connected to the PIX. I would then terminate the VPN tunnels on the routers? How would I route the traffic from the inside to the outside for the VPN tunnels? -
Can I use the same address pool for different remote access VPN tunnel groups and policies
Hi all,
I want to create a different remote access VPN profile in the ASA. I have one RA VPN already configured for some purpose.
Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for the new pool, and it's a temporary requirement)?
Thanks in advance
Shnail
Thanks Karsten..
But still I can have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
So I am planning to create new local usernames for the new RA and a new group policy with a vpn-filter value access-list to apply for that user as below. This will achieve what I need, right?
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx -
VPN tunnels for multiple sites
Hi, I am building new VPN tunnels for multiple sites using 2 ASR 1004s and 100 remote Cisco 2800 routers.
I am thinking of using GETVPN to do it. Am I thinking correctly? Can I use DMVPN? What else is there?
Thanks
Is there a need for branch-to-branch communication? If so, I would go with the DMVPN option using a single tier, dual DMVPN cloud topology which will allow for spoke-to-spoke communication.
Matt -
Which wireless router do I need for multiple VPN tunnels?
I work at home and I connect to my office VPN (SSH Extranet Client) through cable broadband. I need to have 2 VPN tunnels open as I frequently have my laptop and desktop connected to my work VPN. I've had a BEFSX41 for the past 3 years and it's worked well as it allowed for 2 VPN tunnels. It just died on me a few days ago and I would like to go wireless now. What wireless router(s) would meet my needs? Thanks in advance for any input.
Hi, the WRV200 will be a good choice. It supports up to 50 tunnels and has wireless capabilities.
-
I am looking at turning up an Amazon AWS Windows Server 2008 R2 Datacenter instance and want to enable failover for a VPN tunnel in case one ISP goes down: 2 VPN tunnels from the server to a dual-WAN Cisco router over 2 different ISPs, so that if one ISP goes down, the other will work, while still providing RDP access over the WAN IP.
How can this be done cost-efficiently?
Not sure you'll get an answer here; this forum is for the Microsoft product Virtual Server 2005.
A forum that deals with AWS would be a better place to ask.