Cisco CP (ccp) on different subnets

Hello!
We currently have lots of branches around the world (about 20) using a class A subnet segmented into many different subnets.
The point is that we would like to use Cisco CP (Professional) to perform some monitoring on our routers, but they are in different subnets and the CCP technical datasheet says that it works only within the same subnet (client/PC and router).
I'd like to know if someone knows how to make CCP work when accessing routers on a different subnet.
If it's not possible, do you guys know another tool that may help us to provide some monitoring options for remote routers, similar to CCP?
We are currently using the CLI for everything and sometimes we need to kind of mash everything up to have a graphic, etc.
Thanks in advance.
Daniel

Thanks.
I managed to make it work and now it's running well... I can open CCP and see some graphics.
But I'm trying to view TOP TALKERS and TOP PROTOCOLS using NetFlow, and even after preparing NetFlow as requested by CCP it is still getting no answer... no data.
All graphics and info that I can reach by SNMP (fan speed, CPU, cache, memory, etc.) are showing up, but all that I need to get by NetFlow is empty.
I'm testing on the following router:
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.1(3)T4, RELEASE SOFTWARE (fc1)

Similar Messages

  • How to map two different subnets to one SSID

    Hi Experts,
    We have two offices in the same city at different locations; however, we are planning to bring both offices to the same location.
    Now let's say site A has a 5508 controller configured with 24 APs with the 10.10.10.x subnet for the internal SSID, and Site B, which is shifting to the Site A campus, has a different subnet (10.10.20.x) for the same SSID.
    Site B has no controller since they had a connection with H-REAP and they were using a different subnet for the internal SSID (10.10.20.x).....
    Now I need to add their APs to the Site A controller, which will be an extended wireless LAN; however, we would like to keep the same subnet (10.10.20.x) that Site B has for wireless clients, which is really confusing me....
    I already have a client subnet for site A with the 10.10.10.x/24 subnet, and nearly 200 users are already using this wireless client subnet....
    How do I add their (Site B) subnet 10.10.20.x with the same SSID configured, which is globally only one SSID?
    Limitations:
    I cannot create a new SSID for site B since the same will be broadcast even on Site A APs.
    Is it possible to map one more subnet of site B to the existing SSID, which already has a different subnet (10.10.10.x)?
    Your suggestions will be really helpful for me to go ahead and understand this better...

    Well, first off, you need to bring that subnet over to site A without breaking any routing. Once you do that, site B's subnet will have a different VLAN than site A, of course. Now, with both subnets working in site A, you create a dynamic interface on the WLC for that new subnet. Create an AP group for both sites; you can name it by VLAN or by any name you want. Now in the AP group for site A, you define what SSIDs you want and map the VLAN to that AP group. Then add site A's APs to that group. You do this also for site B's APs, and map the SSID to the new subnet you brought over and move the APs to that group. The APs from site B would have to be set up in local mode, not H-REAP.
    Makes sense

  • Management and AP Manager on Different Subnets ...

    Hello,
    I am getting ready to implement a WLAN where the customer has designed the Management and AP Manager to be on different subnets.  I have never done a WLAN implementation in this manner because per Cisco's config guide it states ...
    "The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, Cisco recommends that both interfaces be on the same subnet for optimum access point association."
    So, I have always followed this recommendation and have always made the 2 interfaces be in the same subnet with IP's in sequential order.  The config guide does say it'll work but I am just not sure what if anything do I have to do for this to work properly ... or if there is really a difference on how the process works doing it either way.
    I plan on using LAG with Layer 3 ... most times I place the APs in the same wireless subnet/vlan as the management interface and AP manager but in this case or until I get more info it looks like they all may be in different subnets. So, if that's the case would I just need to use the Option 43 so the APs can find the WLC and if that is the case would I put the AP Manager IP or still use the WLC IP ... guess I would have that same question if I went the DNS route?  Or do I still use the WLC IP address for the APs to join and at that point the AP Manager would take over the LWAPP communications?
    Thanks for all your help in advance!

    You should be using the WLC Management IP as documented in "Cisco 440X Series Wireless LAN Controllers Deployment Guide". Below is quoted from that document.
    "The IP address of the WLC Management Interface should be used for Option 43 and DNS resolution of
    CISCO-LWAPP-CONTROLLER.localdomain." For further information, see the section on "Understanding
    Deployment Basics" beginning on page 13. Detailed information on using vendor specific DHCP Option 43
    for WLC discovery is included in Appendices C, D, and E of this document.
    Also there is no issue having the AP Manager and Management interfaces in different vlans although not recommended, just be sure to allow both vlans across the trunk to the WLC. I would also recommend placing your APs in different vlans than the WLC Mgmt/AP Mgr vlan. Cisco recommends having no more than 60-100 APs per vlan to minimize re-association problems in case of network failure.

  • Is it possible to cluster appliances across different subnets?

    We are attempting to cluster two appliances across different subnets in order to provide greater survivability. Although we were able to cluster the appliances, the manageability of the appliances has become somewhat impaired. We've opened ports 443, 22 and 2222 between the two appliances. The appliances are C350s running AsyncOS 7.1.3-010. Are we missing something?
    Thanks,
    Rob

    Rob,
    Are these appliances communicating using IP addresses? If yes, in order to join a cluster using IP addresses, there must be a reverse DNS (PTR) record configured in the DNS server for the Cisco IronPort appliance. Please check that the reverse lookup works. If not, it might be another issue.
    Regards,
    Jyothi Gandla
    Customer Support Engineer

  • ASA5510 RA VPN, ACS assigned address different subnet than inside interface

    Currently we have our RA tunnels set up with IP Address pools that are in the same subnet as the ASA inside interface and that works to give the clients connectivity.
    I have seen that this is not the best way to go with this and also have seen some config snippets.
    But I have not seen exactly how this should be done, and I don't really see anything in the config examples.
    For example, If my ASA is 10.10.10.1 and I want to assign each person a specific IP Address in an address pool and I want each group to be in a different subnet:
    Eng = 192.168.100.0
    Bob = 192.168.100.1
    Bill = 192.168.100.2
    Sales = 192.168.200.0
    Sue = 192.168.200.1
    Sam = 192.168.200.2
    I have two core switches with the SVIs configured for these subnets.
    But, I don't see how the routing is accomplished in the ASA.
    Also, I can configure the ACS to give each person an IP Address, but not sure what is needed in the ASA.
    Do the pools still need to be configured in the ASA and the ACS hands the client an address that I specify in that pool?

    Better to reset an IP pool and reclaim all its IP addresses:
    Use this User Guide for Cisco Secure Access Control Server 4.1 System Configuration: Advanced
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html

  • ACS 5.0 having issues with different subnet AAA Clients

    Dear All,
    I am getting a weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS, but those in a different subnet cannot.
    I have checked the firewall between them. It allows any any with all services.
    One more thing I have faced today is that now only one switch (10.1.2.10) can access the ACS, but other switches in the same subnet (10.1.2.0/24) can't access the ACS, same as the previous issue.
    Following are the logs of one switch(10.1.2.10) in different subnet can access ACS :
    Working Switch with Same configuration:
    SW-A#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.
    SW-A#
    *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
    *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
    *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
    *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
    *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
    SW-A#
    *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
    *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
    *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
    *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
    *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
    *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
    *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
    SW-B#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    SW-B#
    *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
    *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
    *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
    *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
    SW-B#
    *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
    *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
    *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
    *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Waiting for your responses.
    Regards,
    Anser

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface than is configured on the ACS.
    I would guess that the ACS is reporting unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the Tacacs+ packets from the interface with the IP address for which you have the ACS configured to?
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
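Added example (not part of the original thread and not Cisco code): a small Python triage of the TAC+ debug lines posted above. It separates a session that ends in PASS from one whose reply the switch rejected, and for the rejected case lists the two checks raised in the thread (the shared key, and the source address the server sees). The function name, verdict names and check wording are assumptions of this example.

```python
import re

# Debug lines taken from the two switches in the post above (trimmed to the TAC+ events).
SW_A_DEBUG = """\
SW-A#
*Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
*Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
*Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
*Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
*Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
"""
SW_B_DEBUG = """\
SW-B#
*Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
*Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
*Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
*Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
*Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
"""

# "*Mon DD hh:mm:ss.mmm: TAC+: <message>"; prompts and AAA/MEMORY lines do not match.
TAC_LINE = re.compile(r"^\s*\*?\w{3}\s+\d+\s+[\d:.]+:\s+TAC\+:\s+(?P<msg>.*)$")
START = re.compile(r"send AUTHEN/START packet\b.*?\bid=(\d+)")
OPEN = re.compile(r"Opening TCP/IP to (\S+)/(\d+)")
STATUS = re.compile(r"received AUTHEN status = (\w+)")
BAD = re.compile(r"received bad AUTHEN packet: type = (\d+), expected (\d+)")

# Follow-up checks for a rejected reply, both taken from the thread:
# the log's own "(check keys)" hint and the source-interface reply.
REJECTED_CHECKS = [
    "shared key: key on the device vs. key in the server's entry for this AAA client",
    "source address: address the server sees vs. the AAA client entry "
    "(pin it with 'ip tacacs source-interface')",
]


def _verdict(session):
    """Classify one authentication attempt from the events collected for it."""
    if session["bad_reply"] is not None or session["check_keys"]:
        return "reply_rejected"          # a reply arrived but the switch discarded it
    if session["statuses"]:
        last = session["statuses"][-1]
        if last == "PASS":
            return "authenticated"
        if last == "FAIL":
            return "credentials_rejected"
        return "incomplete"              # e.g. stopped at GETPASS
    return "no_reply" if session["server"] else "incomplete"


def triage(debug_text):
    """Group TAC+ debug lines into attempts (one per AUTHEN/START) and classify each."""
    sessions, cur = [], None
    for raw in debug_text.splitlines():
        line = TAC_LINE.match(raw)
        if not line:
            continue
        msg = line.group("msg")
        start = START.search(msg)
        if start:
            cur = {"id": start.group(1), "server": None, "statuses": [],
                   "bad_reply": None, "check_keys": False}
            sessions.append(cur)
            continue
        if cur is None:
            continue                     # TAC+ line seen before any AUTHEN/START
        opened, status, bad = OPEN.search(msg), STATUS.search(msg), BAD.search(msg)
        if opened:
            cur["server"] = f"{opened.group(1)}:{opened.group(2)}"
        elif status:
            cur["statuses"].append(status.group(1))
        elif bad:
            # (type received, type expected) as printed by the switch
            cur["bad_reply"] = (int(bad.group(1)), int(bad.group(2)))
        elif "(check keys)" in msg:
            cur["check_keys"] = True
    for s in sessions:
        s["verdict"] = _verdict(s)
        s["checks"] = list(REJECTED_CHECKS) if s["verdict"] == "reply_rejected" else []
    return sessions


if __name__ == "__main__":
    for name, text in (("SW-A", SW_A_DEBUG), ("SW-B", SW_B_DEBUG)):
        for s in triage(text):
            print(name, s["id"], s["server"], s["verdict"])
            for check in s["checks"]:
                print("   check ->", check)
```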

  • ASA 5510 context base configuration in HA Mode with two different subnet

    Hi
    Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
    IP Details are below.....:
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
    interface Ethernet0/1
    no nameif
    security-level 0
    no ip address
    interface Ethernet0/1.101
    description INSIDE1
    vlan 101
    nameif INSIDE1
    security-level 90
    ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
    interface Ethernet0/1.102
    description INSIDE2
    vlan 102
    nameif INSIDE2
    security-level 80
    ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
    interface Ethernet0/3
    description LAN Failover Interface
    failover
    failover lan unit primary
    failover lan interface FAILOVER Ethernet0/3
    failover replication http
    failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

    Hi Sanjeev,
    If it is a context based configuration  that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • WDS PXE DHCP, Clients on different subnet

    Hello,
    We are having a lot of trouble trying to get PXE imaging working from our WDS server on different subnets.  We have an existing Zenworking imaging setup working as of right now, but WDS is causing more issues than I care to troubleshoot.  I have read blog after blog, forum post after forum post, and everyone says just install it and it works!  I guess we have run into some sort of problem that nobody else has.
    Environment:
    2x DC's, Server 2012 R2, both run DNS, 10.5.0.101, 10.5.0.102
    1x DHCP Server, 2012 R2, 10.5.0.105
    1x WDS Server, 2012 R2, 10.5.0.41
    If I put a client on the same subnet as all of the servers it seems to work, except for the fact that it takes a while for the client to get an IP and continue to load wdsnbp.com.  I would say around 20-30 seconds.  In our ZENworks environment it takes no more than 1 second to get an IP.  As for the DHCP server itself, clients receive normal DHCP offers instantly.  So that part is working properly.
    Now when I try to access the WDS PXE server from a different subnet other than the one that all of the servers are on, noting that I do have the ip helper address set up on our layer 3 switch:
    interface Vlan2025
     ip address 10.200.20.1 255.255.255.0
     ip helper-address 10.5.0.105
     ip helper-address 10.5.0.41
    It always says failed to receive boot file.  But as I said earlier, clients in windows receive dhcp leases from 10.5.0.105 without issue.
    Setting the client options in the DHCP server with options 66 and 67 works sort of, but we found that it was unreliable and often finicky.  Like having the system repeatedly ask to press F12, and even if you did press F12 it would still ask to press F12 again.
    So I continued to do a Wireshark packet capture on the port where the device was trying to get the DHCP/PXE info from the DHCP / WDS servers.  The first packet here is from the DHCP server and the second is from the WDS server.
    Bootstrap Protocol
        Message type: Boot Reply (2)
        Hardware type: Ethernet (0x01)
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0xd6c565d2
        Seconds elapsed: 0
        Bootp flags: 0x8000 (Broadcast)
        Client IP address: 0.0.0.0 (0.0.0.0)
        Your (client) IP address: 10.200.20.117 (10.200.20.117)
        Next server IP address: 10.5.0.105 (10.5.0.105)
        Relay agent IP address: 10.200.20.1 (10.200.20.1)
        Client MAC address: Hewlett-_c5:65:d2 (78:e7:d1:c5:65:d2)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: DHCP
        Option: (53) DHCP Message Type
            Length: 1
            DHCP: Offer (2)
        Option: (1) Subnet Mask
            Length: 4
            Subnet Mask: 255.255.255.0 (255.255.255.0)
        Option: (58) Renewal Time Value
            Length: 4
            Renewal Time Value: (21600s) 6 hours
        Option: (59) Rebinding Time Value
            Length: 4
            Rebinding Time Value: (37800s) 10 hours, 30 minutes
        Option: (51) IP Address Lease Time
            Length: 4
            IP Address Lease Time: (43200s) 12 hours
        Option: (54) DHCP Server Identifier
            Length: 4
            DHCP Server Identifier: 10.5.0.105 (10.5.0.105)
        Option: (3) Router
            Length: 4
            Router: 10.200.20.1 (10.200.20.1)
        Option: (6) Domain Name Server
            Length: 8
            Domain Name Server: 10.5.0.101 (10.5.0.101)
            Domain Name Server: 10.5.0.102 (10.5.0.102)
        Option: (15) Domain Name
            Length: 8
            Domain Name: domain.com
        Option: (255) End
            Option End: 255
    Bootstrap Protocol
        Message type: Boot Reply (2)
        Hardware type: Ethernet (0x01)
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0xd2c565d2
        Seconds elapsed: 4
        Bootp flags: 0x8000 (Broadcast)
        Client IP address: 0.0.0.0 (0.0.0.0)
        Your (client) IP address: 0.0.0.0 (0.0.0.0)
        Next server IP address: 10.5.0.41 (10.5.0.41)
        Relay agent IP address: 10.200.20.1 (10.200.20.1)
        Client MAC address: Hewlett-_c5:65:d2 (78:e7:d1:c5:65:d2)
        Client hardware address padding: 00000000000000000000
        Server host name: wds1.domain.com
        Boot file name not given
        Magic cookie: DHCP
        Option: (54) DHCP Server Identifier
            Length: 4
            DHCP Server Identifier: 10.5.0.41 (10.5.0.41)
        Option: (97) UUID/GUID-based Client Identifier
            Length: 17
            Client Identifier (UUID): eb8daa31-8e62-11df-bbd8-d1c565d278e7
        Option: (60) Vendor class identifier
            Length: 9
            Vendor class identifier: PXEClient
        Option: (53) DHCP Message Type
            Length: 1
            DHCP: Offer (2)
        Option: (255) End
            Option End: 255
    What I find interesting is that the WDS server is not handing out a boot file name:
    "Boot file name not given"
    Could this be the reason why we receive the no boot file received error when trying to boot a client into pxe?
    The other thing that I noticed was that the WDS server is also responding with the:
        Option: (60) Vendor class identifier
            Length: 9
            Vendor class identifier: PXEClient
    Why would it be responding with this, when the DHCP is on a separate server?  Is this option only if you have DHCP and WDS on the same server?
    Any help would be appreciated as there has been too much time already spent on getting nowhere.
    Thanks,
    Dan.

    Dan,
    10 months later and not one reply...  I'm having the same issue, did you ever figure this out?  DHCP server is my Cisco Switch, WDS/PXE is on another network.  The WDS and PXE is working fine as I can do so from the same network as the WDS/PXE server.  I can also get the WDS/PXE to work if I have a MS DHCP server on a different network and populate the option 66 and option 67.  I cannot get this to work using Cisco ip helper-address for some reason.
    Thanks,

  • Streaming music on different subnet

    I've got a fairly basic network setup. I'm using ADSL with a Cisco 837 router. My ISP has assigned me 16 static IP addresses. I've got a local DHCP server which hands out a range of IPs that have been provisioned to me via my ISP, which are used for workstations (laptops, desktops, et al), with the remaining statically assigned (servers, for example).
    diagram;
    telco=] 837/router -> switch -> devices
    Everything is connected directly to the switch, except for wireless clients.
    Now, to keep myself from running out of the 16 assigned IP addresses, I've set up a separate subnet for devices which won't need contact with the internet world.
    Those devices I've put under 10.1.0.0 of which I've given my airport express a 10.1.0.0 address.
    Under iTunes on my iMac the airport express is listed in the drop-down box, when I select it, it sits forever stating it's connecting to the airport express.
    On the other hand iTunes running on my laptop running windows does not present the drop-down box.
    Is there any way to correct this, without having to give the airport express a public (non 10.x.x.x) ip address?

    > You have given the AE an IP address for a network, not a device on that network based on a standard subnet mask. Each network has two unassignable numbers, the IP address of the network, and broadcast. Try 10.1.0.1 for your AE.
    I was just giving an example of the network configuration, the IP address of the AE is not actually 10.1.0.0 but 10.1.0.4.
    > If you want devices on different subnets to have access, they need to at least be on the same network, and then alter the subnet mask for them so both subnets appear on the same network.
    They are on the same network, in the sense that I can talk to a 10.1.0.x address from one of my public IP addresses and vice versa. The only difference is 10.1.0.x cannot talk to anything WAN side where machines/devices with a public address can.
    > Devices assigned with the public network IPs will be difficult to configure, so they see the private non-routable network, but I think it can be done???? I would try another scheme.... give the AE one of the static IPs and then NAT with it. Then it would be a Gateway to the computers behind it for the others in your public range.... but that's just me. Hope that helps.
    I am not looking to set up NAT. I already have a gateway, the Cisco 837 router. I already have a wireless access point which I recently mounted. Thus, I'm not needing any of the WiFi capabilities of the AE, but just the AirTunes facilities to local machines running on my LAN.
    Just to reclarify, I have an IP range in the 217.155.6.x block, and to keep myself from using all of the IPs in that block, I'm using 10.1.x.x addresses (non-traversable) for the remaining bits that don't require WAN side communication.
    Michael

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!
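On ASA software before 8.3, "portmap translation creation failed" is logged when a flow matches a `nat` rule but the egress interface has no `global` with the same NAT ID. The following is an added example, not part of the original thread: a small audit that pairs `nat` and `global` statements by ID. The function names are hypothetical, the sample holds only the three lines quoted in the post, and ACL matching on policy NAT rules is not evaluated.

```python
import re
from collections import defaultdict

# Constructed sample: only the three nat/global lines quoted in the post,
# not the poster's full running-config.
SAMPLE_CONFIG = """\
global (inside) 10 interface
global (phones) 20 interface
nat (outside) 10 access-list vpn_nat_inside outside
"""

RULE_RE = re.compile(r"^\s*(nat|global) \((\S+)\) (\d+)\s")


def parse_nat_global(config_text):
    """Return (nat_rules, globals_by_id) from pre-8.3 ASA config text."""
    nat_rules = []                     # (source interface, NAT ID)
    globals_by_id = defaultdict(set)   # NAT ID -> interfaces that have a global
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        kind, iface, nat_id = m.group(1), m.group(2), int(m.group(3))
        if kind == "global":
            globals_by_id[nat_id].add(iface)
        elif nat_id != 0:              # ID 0 is exemption/identity NAT, needs no global
            nat_rules.append((iface, nat_id))
    return nat_rules, globals_by_id


def missing_globals(config_text, egress_interfaces):
    """List (src_if, nat_id, egress_if) where no same-ID global exists on egress_if."""
    nat_rules, globals_by_id = parse_nat_global(config_text)
    return [(src_if, nat_id, egress)
            for src_if, nat_id in nat_rules
            for egress in egress_interfaces
            if egress not in globals_by_id.get(nat_id, set())]


def orphan_globals(config_text):
    """NAT IDs that have a global statement but no nat rule using that ID."""
    nat_rules, globals_by_id = parse_nat_global(config_text)
    used = {nat_id for _, nat_id in nat_rules}
    return sorted(i for i in globals_by_id if i not in used)

if __name__ == "__main__":
    for src, nat_id, egress in missing_globals(SAMPLE_CONFIG, ["inside", "phones"]):
        print(f"nat ({src}) {nat_id}: no 'global ({egress}) {nat_id}'")
    print("global IDs with no nat rule:", orphan_globals(SAMPLE_CONFIG))
```

Run against a full running-config, each reported triple is a source interface, NAT ID and egress interface to compare with the interfaces named in the syslog line.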

  • Can ARD 3 now share a screen across 2 different subnets

    We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
    It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
    An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
    Does anyone know or have the ability to test to see if this is different in 3.0. I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
    Thanks,
    Greg

    Still no reply as to if this was resolved. I'm not so much worried about the move on the client side. As once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
    However, our motivation to upgrade is dependent on whether or not the ability to route traffic over multiple subnets is fixed or not. So we'll wait and see. If anyone can easily test this. I'd love to know. Sounds like a few other people are hoping to hear something as well.
    Thanks in advance,
    Greg

  • Can members in a pool be on different subnets using CSM

    Hello. We have recently been investigating load balancing devices, and were almost set on F5. We then overhauled our core network, including replacing one 4507R with 2 6500's, outfitted with Sup720's and FWSM modules.
    Now, we are seriously thinking about investing in the CSM or ACE module instead of the F5. I was wondering if the servers in my virtual pool can be on different subnets?
    For example, the user is looking for a web server with an IP of 192.168.110.1. This virtual ip is setup on the CSM module, and contains three physical servers, 192.168.110.10, 192.168.110.20, and 10.10.10.1 (server in a different data center, only to be used if the two primary servers go down). Will this work, or do all members in the pool need to be on the same subnet?
    Thanks.

    I would recommend the following test results published by veritest
    http://www.lionbridge.com/NR/rdonlyres/5518CDEC-0D57-446E-8E3D-2AE73DCB7EEF/0/csm_comparison.pdf
    Gilles.

  • WRV200 IPSEC VPN to a remote site with 2 different subnets

    Hi,
    My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
    When I do this with the WRV200 both tunnels come up but in the view of the VPN status they both have the remote network listed as 192.168.0.0 /24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use the tunnel#B I can connect to the 10 network.
    Anyone been able to get this working?

    Hi,
    Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through a L2L VPN connections you have to consider what the source addresses for the Web server connections can be?
    It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
    Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
    One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
    Judging by your examples it would seem that you are using an 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses) or should I just give you some example configurations?
    Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
    - Jouni

  • Using a interface in a sparse-root zone on a different subnet

    Hello,
    is it possible to use interface ce0 for the global zone and configure interface ce1 for the non-global zone, but the interfaces are on a different subnet?
    ce0 ... 10.5.5.18 / global zone
    ce1 ... 192.168.5.18 / non-global zone
    using Solaris 5.10 Generic_125100-10
    I configured ce0 in the global zone (of course)
    and I plumbed ce1 also in the global zone - but configured ce1 in the zones definition
    zonecfg:oem> add net
    zonecfg:oem:net> set physical=ce1
    zonecfg:oem:net> set address=192.168.5.18
    The zone boots without any problems and it looks like this:
    [global zone]
    # ifconfig -a
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
            ether 0:3:ba:b0:53:39
    ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 0.0.0.0 netmask 0
            ether 0:3:ba:b0:53:39
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            zone oem
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    [non-global zone]
    # ifconfig -a
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    I've read this is solved with GLDv3 drivers and exclusive IP instances mentioned in the blog http://blogs.sun.com/stw/entry/what_s_up_ce_doc -
    so the system shows
    # dladm show-link
    ce0             type: legacy    mtu: 1500       device: ce0
    ce1             type: legacy    mtu: 1500       device: ce1
    I get weird results even if I ping between the zones, I get "ICMP Destination unreachable"
    Can this be solved with a full-root zone ...?
    -- Nick

    here are my current settings:
    *[global zone]*
    # netstat -nr
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    10.5.5.0             10.5.5.18          U         1  10864 ce0      
    224.0.0.0            10.5.5.18          U         1      0 ce0      
    default             10.5.5 .1          UG        1  42839          
    127.0.0.1            127.0.0.1          UH        2 619817 lo0
    # ifconfig -a
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
            ether 0:3:ba:b0:53:39
    ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 0.0.0.0 netmask 0
            ether 0:3:ba:b0:53:39
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            zone oem
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    ! root@elba2:/ # route get 192.168.5.18
       route to: 192.168.5.18
    destination: 192.168.5.18
           mask: 255.255.255.255
      interface: ce1:1
          flags: <UP,DONE>
    recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
           0         0         0         0         0         0      8232         0
    *[sparse-root zone]*
    # netstat -nr
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    192.168.5.0          192.168.5.18         U         1     83 ce1:1    
    224.0.0.0            192.168.5.18         U         1      0 ce1:1    
    127.0.0.1            127.0.0.1            UH       19  86105 lo0:1    
    # ifconfig -a
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.1.255
    # route get 10.5.5.18
       route to: 10.5.5.18
    destination: 10.5.5.18
           mask: 255.255.255.255
      interface: ce0
          flags: <UP,DONE>
    recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
           0         0         0         0         0         0      8232         0
    Thank you for your time !
    -- Nick

  • Using DHCP with a cFP-20XX across a different subnet

    I have a cFP-2010 that will work great when set up with a static IP or DHCP as long as it is on the same subnet. If I set it for DHCP then move it to a different subnet, MAX can no longer find it. Do I have to use a static IP when going across subnets, or is there something I'm missing?
    Thanks,
    Steve

    Selmore,
    Not 100% sure this will work for FieldPoint controllers, but for some
    other NI controllers (e.g. CompactRIO) if you give a name to the
    controller in MAX and set it to use DHCP, then when its IP address is
    assigned by the DHCP server its name is registered as a DNS name. That
    means you can use that name to communicate to it from a different
    subnet. By using ping commands you should be able to demonstrate if
    this works for FieldPoint or not; I believe it should.
    Hope my answer is clear enough and helps.
    JMota
