Cisco DPC3925 vpn with Netscreen FW

Hi All
I am trying to  get up an point to point VPN between  a Cisco DPC3925 and a netscreen 5GT Firewall
I have configured up everything as i think it should, i belive the phase one and phase two are both configured ok, if i change the phase one settings to something different then i will get a different error
on the cisco I am using Auto Ike, with a shared key and PFS - both phase one and phase two are set  the same at both ends cisco / netscreen
I'm pretty savy with the netscreen so I can pretty much pull out what ever data is needed, not so much with the cisco as the config options seem quite limited
When I try to connect, the VPN log on the CISCO shows the below, but on the netscreen it thinks that phase one Negotiations are complete (in logs etc)
The netscreen seems to be much more configurable than the CISCO, so i guess i need to change something on that but im not sure what
I know I haven't provdided much info on my config, but I was hoping someone may be able to give me abit more of an idea of what the cisco is expecting to receive ftom the netscreen that its not getting from the logs, I have chaged the external IP's in this log, the log goes from the bottom up as thats how the cisco dumps it
Anything obvios stand out to anyone?
1.1.1.1 is the Cisco,, 2.2.2.2 is the netscreen
Thu Sep 13 14:49:53 2012    IKE Phase 1 Negotiation FAILED 1.1.1.1==>2.2.2.2
Thu Sep 13 14:49:47 2012    phase2 negotiation failed due to time up waiting for phase1. 02.2.2.2 ==>1.1.1.1 
Thu Sep 13 14:49:43 2012    error -1 process rcvd packet 
Thu Sep 13 14:49:43 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1
(origCookie=e3 4e 2c 81 b7 2a 40 e3 , respCookie=58 0a 56 24 e8 3d 78 f4 )
Thu Sep 13 14:49:32 2012    error -1 process rcvd packet 
Thu Sep 13 14:49:32 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1 (origCookie=e3 4e 2c 81 b7 2a 40 e3 , respCookie=58 0a 56 24 e8 3d 78 f4 )
Thu Sep 13 14:49:26 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1 (origCookie=16 60 41 e5 51 8e b9 43 , respCookie=39 0e 63 70 48 49 36 7b )
Thu Sep 13 14:49:26 2012    unknown Informational exchange received. 
Thu Sep 13 14:49:21 2012    error -1 process rcvd packet 
Thu Sep 13 14:49:21 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1 (origCookie=e3 4e 2c 81 b7 2a 40 e3 , respCookie=58 0a 56 24 e8 3d 78 f4 )
Thu Sep 13 14:49:11 2012    error -1 process rcvd packet 
Thu Sep 13 14:49:11 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1 (origCookie=e3 4e 2c 81 b7 2a 40 e3 , respCookie=58 0a 56 24 e8 3d 78 f4 )
Thu Sep 13 14:49:01 2012    error -1 process rcvd packet 
Thu Sep 13 14:49:01 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1 (origCookie=e3 4e 2c 81 b7 2a 40 e3 , respCookie=58 0a 56 24 e8 3d 78 f4 )
Thu Sep 13 14:48:50 2012    error -1 process rcvd packet 
Thu Sep 13 14:48:50 2012    Bad IKE packet received 2.2.2.2 ==>1.1.1.1(origCookie=e3 4e 2c 81 b7 2a 40 e3 , respCookie=58 0a 56 24 e8 3d 78 f4 )
Thu Sep 13 14:48:50 2012    invalid ID payload. 
Thu Sep 13 14:48:49 2012    IKE Phase 1 Negotiation Started 1.1.1.1==>2.2.2.2

Hi Tony,
Thank you for your question. However this community is for Cisco Small Business Products and the DPC3925 is not a Cisco Small Business Product.
Your product is an internet service provider (ISP) supported product. In other words you need to contact your ISP or technology reseller that you purchased this from to help you with your question.
I did some research and found the following links on the DPC3925 that may be of help.
http://www.cisco.com/web/consumer/support/modem_DPC3925.html
http://www.cisco.com/web/consumer/support/prod_modems.html
http://www.cisco.com/web/consumer/support/modem_DPC3925.html#~drivers
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
twitter: CiscoSBsupport

Similar Messages

  • Solaris 10 site to site VPN with netscreen or linux freeswan

    Hello,
    Have anybody made Solaris site to site ipsec VPN with netscreen firewall or linux freeswan?

    a.alekseev,
    It works! Thank you very much. I somehow have overlooked that command entirely. I am very grateful.

  • Remote connection to SAP(internet VPN) with Juniper Netscreen 5XT

    Hi,
    I am now setting up the remote connection (internet VPN) with the network device Juniper Netscreen 5XT.
    Since I am not a network expert, I met some trouble on it.
    We have prepared 2 public IP address. 61.xx.xx.45/29 for SAP router and 61.xx.xx.46/29 for setting up the VPN tunnel.
    And we use 192.168.1.10/255.255.255.0(for example) as the private IP address of SAP router, and use NAT to map 192.168.1.10 to 61.xx.xx.45/29...
    Any way, although the VPN tunnel can be set up, I can not ping the SAP router@SAP side.
    But with the help of SAP, I did the test, use 202.xx.xx.xx(public IP address) as private IP address of SAP router, and did not use NAT, and registered in SAP side,I can ping the SAP router@SAP side.
    I also think that use NAT of SAP router is a normal way to settup the internet VPN.
    What's wrong with it?
    Would you please give me some suggestion on it?
    Thanks in advance.
    Best regards,
    Randy

    It is OK after replace the network device as the cisco router.

  • Azure Site to Site VPN with Cisco ASA 5505

    I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
    IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
    Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
    Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
    Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
    I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
    (Does azure support 9.x version of asa?)
    How can i fix it?

    Hi,
    As of now, we do not have any scripts for Cisco ASA 9x series.
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
    demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    Did you download the VPN configuration file from the dashboard and copy the content of the configuration
    file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
    According to the
    Cisco ASA template, it should be similar to this:
    access-list <RP_AccessList>
    extended permit ip object-group
    <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
    nat (inside,outside) source static <RP_OnPremiseNetwork>
    <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
    <RP_AzureNetwork>
    Based on my experience, to establish
    IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
    VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
    compatible for dynamic routing, please make sure that you chose the static routing.
    Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
    Hope this helps you.
    Girish Prajwal

  • Remote access VPN with Cisco Router - Can not get the Internal Lan .

    Dear Sir ,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
    I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
    Below is the IP address of the device.
    Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
    IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
    IP address:10.10.10.1
    Mask:255.255.255.0 F0/0
    IP Address :20.20.20.1
    Mask :255.255.255.0
    F0/1
    IP address :192.168.1.3
    Mask:255.255.255.0
    F0/0
    IP address :20.20.20.2
    Mask :255.255.255.0
    F0/1
    IP address :192.168.1.1
    Mask:255.255.255.0
    I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
    Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
    Need your help to fix the problem.
    Router R2 Configuration :!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip tcp synwait-time 5
    interface FastEthernet0/0
    ip address 20.20.20.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    end
    Router R1 Configuration :
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login USERAUTH local
    aaa authorization network NETAUTHORIZE local
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    username vpnuser password 0 strongpassword
    ip tcp synwait-time 5
    crypto keyring vpnclientskey
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group remotevpn
    key cisco123
    dns 192.168.1.2
    wins 192.168.1.2
    domain mycompany.com
    pool vpnpool
    acl VPN-ACL
    crypto isakmp profile remoteclients
    description remote access vpn clients
    keyring vpnclientskey
    match identity group remotevpn
    client authentication list USERAUTH
    isakmp authorization list NETAUTHORIZE
    client configuration address respond
    crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
    crypto dynamic-map DYNMAP 10
    set transform-set TRSET
    set isakmp-profile remoteclients
    crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
    interface FastEthernet0/0
    ip address 20.20.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPNMAP
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpnpool 192.168.50.1 192.168.50.10
    ip forward-protocol nd
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
    ip access-list extended NAT-ACL
    deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    end

    Dear All,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
    Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
    Waiting for your responce .
    --Milon

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure  Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
    2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
    But I have not been able to make tradiotional Hairpinng model work in this scenario.
    I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
    Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
    LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
    running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
            a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
    Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
    That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted  against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
    I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
    But my problem is not solved fully here.
    Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
    Here the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1)LAN behind ASA
    2)INTERNET via HAIRPINNING  
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit

  • Cisco DPC3925 With AirPort Express

    Hi,
    I have recently upgraded my Cable modem from Singapore Service Provider, Starhub. It is using Cisco DPC3925 cable modem. The modem has been setup successfully in my home. However, I face the following problems.
    The modem will disconnect and reset automatically
    Cannot setup AirPort Express to extend the wireless range. When I tried to use the Extend Existing Network option in Airport Express, it will prompt an error that "This network cannot be extend".
    Any advise?

    Hi Kenny,
    Thank you for your question.  However this community is for Cisco Small Business Products and the DPC3925 is not a Cisco Small Business Product.
    Your product is an internet service provider (ISP) supported product.  In other words you need to contact your ISP or technology reseller that you purchased this from to help you with your question.
    However I did some research and found this area which may help you:
    http://www.cisco.com/web/consumer/support/prod_modems.html#~homegateways
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • Difference between setting up a vpn with windows 7 and cisco routers

    Hi.I was wondering what the main difference Is between setting up a vpn with windows 7 or configuring It on cisco routers.
      When you setup the vpn on windows 7 or xp do the client and server pc's take care of the encryption and decryption whereas configuring vpn on routers , the encryption and decryption Is done solely by the routers?
    If I want to setup a connection where an IP In the same Internal lan Is assigned to the client pc I'm guessing I'd have to use a router configuration.
      Thanks

    Thank you for the response, lucky for me there was another option. Threatened to cancel with the ISP on the NAT side unless they assigned us a public static ip/gateway/subnet. They ended up doing that and the VPN connected as soon as the changes were made in the Linksys.

  • Trouble with Cisco Anyconnect VPN Client

    Hello,
    our Cisco AnyConnect VPN Client has stopped working, we are a medical office and we are attempting to connect to "clientvpn.e-mds.com" however it will not connect, the username and password we input are irrelevant it doesnt come up with a "wrong credentials" window it just erases the password and at the bottom of the window it says "Please enter your username and password". our version is 2.5.0217 does anyone know anything to try? any help would be appreciated

    you may want to try the OS X networking forums:
    http://discussions.apple.com/forum.jspa?forumID=733

  • Problem using SunRay with Cisco AnyConnect VPN Client

    I am using Cisco AnyConnect VPN Client Version 2.5.3046
    I  have a PC and a SunRay connected to my router. I use VPN to connect my  SunRay and my PC to my work computer. My PC works fine, I am able to  connect to the internet and also run cisco VPN to connect to my work  computer. But when I try to use my SunRay, I get a window on the screen  with the message:
        VPN IKE Phase 1 agg I msg1This window  keeps moving around on the screen. I am not able to connect my SunRay  through VPN to my work computer. Any idea what could be wrong and how I  can fix this?

    2.2 is definitely better.
    On one PC, I'm fine. On another -- very similar -- it tells me it can't start the VPN even after uninstalling and re-installing and everything else I can think of, with plenty of re-boots inbetween.
    Aaaaarrrrrrggggggghhhh.

  • Setup Sunray 3G with Cisco 3005 VPN concentrator

    hi,
    I first explain the setup situation:
    Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
    Do i need to setup a sunray segment for not-directly connected networks or do i need to setup one for directly connected networks?
    can the Sunray server gives IP-addresses to the Gobi8 trough a VPN-tunnel or do i need to let the Cisco handle the IP-address management?
    Is there some info about what IKE proposal i need to select in the Cisco 3005?
    Any help would be appreciated
    Thx

    I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN, I believe the Gobi can do similiar things. You will need to setup your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE though you will have to setup groups etc. Since my DTUs move around I use DHCP so the initial IP address comes from the local network, as part of connecting to the remote network the concentrator will issue an IP address for SR server network. This has worked for me on wired and WiFi LANs, I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.

  • Help with Cisco RV180 VPN

    I have installed the Cisco RV180 VPN at a customer location.
    Because this customer makes credit card transactions over the Internet, their merchant account requires a third-party to perform a security scan on the gateway.  When scanning, the third-party states they are not in compliance with this report:
    THREAT REFERENCE
    Summary:
    TLS Protocol Session Renegotiation Security Vulnerability
    Risk: High (3)
    Port: 443
    Protocol: TCP
    Threat ID: misc_opensslrenegotiation
    Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
    06/11/12
    CVE 2009-3555
    Multiple vendors TLS protocol implementations are prone to a  security vulnerability related to the session-renegotiation process  which allows man-in-the-middle attackers to insert data into HTTPS  sessions, and possibly other types of sessions protected by TLS or SSL, by  sending an unauthenticated request that is processed retroactively by a  server in a post-renegotiation context.
    Information From Target:
    Service: 443:TCP
    Session Renegotiation succeeded on 443:TCP
    They are using the QuickVPN Client to connect and must be able to connect from anywhere in the world.  From my understanding, port 443 must be opened for the QuickVPN Client to function.  How do I block port 443 from everyone except the QuickVPN Client?  Or how do I configure the RV180 to satisfy the above threat?
    Thanks in advance for any information you can provide.

    Hi,
    following config is for cisco VPN client access with dynamic allocation and split-tunnel.
    Hope this helps, please rate post if it does!
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    username vpnc password 0 userpass
    crypto isakmp client configuration group vpncg
    key grouppass
    dns 4.2.2.1
    wins 10.59.2.10
    domain domain.com
    pool ip-pool
    acl 108
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface FastEthernet0/0
    ip nat outside
    crypto map clientmap
    interface vlan1
    ip address 10.59.2.1 255.255.255.0
    ip nat inside
    ip local pool ip-pool 10.0.230.1 10.0.230.20
    access-list 108 remark VPN client split tunnel
    access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255

  • Anyone using Cisco Clean Access with Juniper SSL VPN?

    We're testing Cisco Clean Access with Juniper SSL VPN, and are running into a problem with single sign on. The Juniper box is sending the user's source IP as the framed-ip-address, and not the Network Connect assigned IP, which is why we need to get SSO to work. Has anyone done this, and what did you do to get it working? Thanks.

    Hi,
    I've no experience with this app but it does list
    Juniper as a sujpported client:
    http://www.equinux.com/us/products/vpntracker/interoperability.html

  • I am trying to setup VPN with QuickVPN

    Hi I am trying to setup VPN with WRVS4400N and Quick VPN on client side. I am fairly new to VPN and did some research and looked through the manual but can't seem to get it to work so far and from what I noticed many people are having this problem. So hopefully someone can tell what the problem is or at least point to right direction on solving this.
    Basically it gives the "Failed to establish connection" generic error, shows it almost instantly..
    It also showed the certificate error before but then I read about putting it in the installation directory and it stopped showing it, and whats strange is later I removed it but it doesnt show the error any longer, so don't know if its caching it somewhere or what can be going on...
    In effort to look for answer and test things out I tried to connect to another location and setup a WRV200 router, I also get the same error but not instantly, it even shows "Activating Policy" but then doesn't go farther and shows the generic error...
    Also with this setup strangly it always shows the certificate error, no matter if I put one in directory or not... Even tried to name it as the WRVS4400N certificate name...
    Anyway VPN IPSec is disabled, and Client Accounts are configured and changed password several times to make sure its correct, VPN Passthrough enabled on all 3 options.
    I tried to disable Windows Router, I also have a router in place do I possibly need to open some type of ports for the QuickVPN client?
    Don't know yet whats going on if I am missing something or if there is some problem that needs work-around but if you know the answer or guesses of answer please let me know.

    Hi Aleksandr,
    since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.
    best regards,
    Herbert
    Cisco Moderator

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

Maybe you are looking for

  • 10gr2 64 Link failed

    dear all, i downloaded oracle database 10gr2 from this link: http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10201linx8664soft.html in order to install it in my hp AMD64 opteroN Previously, i view that my certify matrix i

  • Getting Error in Fulfillment

    Hi Jim, I am getting following error in download an ebook from our ebookstore: Error getting license Server communication problem: E_ADEPT_INTERNAL Please suggest me why this error occures? Regards, Mangal Varshney

  • Error with Statement Rule: Reference is ambiguous

    Hello, Hopefully someone will be able to help me out with this inquiry. I have a configurator model where the BOM has been imported. Within this model, there are two BOM nodes of the same name (Item Number) but they are unique in the model by their e

  • Architecture for APEX using iAS 10.1.2 and 10g with Dataguard replication

    We are currently using APEX in a stand-alone architecture using iAS 10.1.2 on with 10g as the DB(all on the same server). Our APEX apps are fast becoming a significant part of our production environment and I would like to set up a redundant failover

  • Oracle to mySAP integration scenario

    Hi, I am trying to integrate Oracle running on NT with mySAP SRM running on UNIX using XI 3.0. We would like to update the data from oracle to SRM system. I have JDBC driver is already installed in XI and have a RFC for SRM system update. This is wha