Cisco IOS Router to PIX VPN Issues
Hi Everyone,
I have a small issue here which someone may be able to shed some light on.
I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established and one subnet is able to see another when the tunnel is up. The thing we are having an issue is both networks on each side of the VPN contain multiple subnets and i cannot connect to all the subnets over the same tunnel.
Any ideas.
Yes all this is setup.
I have just found out that Cisco IOS can only make connections from 1 network per crypt map unless multiple connections are made from server to host. This is quite disturbing because i have not seen this in any documentation.
Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network.
Similar Messages
-
DHCP issue on Cisco IOS router
Hi experts,
I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:33:41: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:41: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:33:41: DHCPD: circuit id 00000000
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:34:02: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:34:02: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:34:02: DHCPD: circuit id 00000000
Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
ThanksHi Alain, thanks for quick reply. The followings contain the output that you required. I hided the prefix of the IP with a.b.c. Thanks!
interface FastEthernet1/0.10
description : DHCP for EXHIBITION VLAN
encapsulation dot1Q 10
ip address a.b.c.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
end
r#sh ip dhcp pool
Pool EXHIBIT :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 126
Leased addresses : 47
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
a.b.c.118 a.b.c.1 - a.b.c.126 47
#sh run | in/be dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.11
ip dhcp excluded-address a.b.c.126
ip dhcp excluded-address a.b.c.100 a.b.c.101
ip dhcp excluded-address a.b.c.51
ip dhcp pool EXHIBIT
network a.b.c.0 255.255.255.128
default-router a.b.c.1
dns-server 207.172.3.8 207.172.3.9
domain-name xyz.com
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
a.b.c.19 0168.7f74.6260.9b Mar 23 2011 01:56 PM Automatic
a.b.c.52 0100.4854.897d.17 Mar 23 2011 12:53 PM Automatic
a.b.c.56 0100.4063.e7b5.b2 Mar 23 2011 03:33 PM Automatic
a.b.c.57 0100.1b63.f246.8c Mar 23 2011 03:34 PM Automatic
a.b.c.68 015c.5948.0b97.d6 Mar 22 2011 05:59 PM Automatic
a.b.c.69 0168.7f74.626d.67 Mar 23 2011 07:07 AM Automatic
a.b.c.70 0198.fc11.5027.1d Mar 22 2011 07:04 PM Automatic
a.b.c.71 01dc.2b61.04ba.af Mar 22 2011 10:26 PM Automatic
a.b.c.72 017c.c537.58e6.64 Mar 22 2011 08:37 PM Automatic
a.b.c.73 017c.6d62.3303.57 Mar 23 2011 03:54 AM Automatic
a.b.c.74 0124.ab81.cda4.68 Mar 23 2011 05:01 AM Automatic
a.b.c.75 0100.1e52.8f11.a5 Mar 23 2011 02:47 PM Automatic
a.b.c.76 0100.264a.5fc8.e3 Mar 23 2011 07:13 AM Automatic
a.b.c.77 017c.6d62.38cd.40 Mar 23 2011 02:06 PM Automatic
a.b.c.78 0100.1d4f.f647.79 Mar 23 2011 02:37 PM Automatic
a.b.c.79 0100.26b0.8637.3d Mar 23 2011 01:16 PM Automatic
a.b.c.81 0130.694b.e9de.82 Mar 23 2011 03:19 PM Automatic
a.b.c.82 0100.21e9.6864.80 Mar 23 2011 12:04 PM Automatic
a.b.c.83 0124.ab81.63e6.b5 Mar 23 2011 09:38 AM Automatic
a.b.c.84 0100.16b6.0455.c2 Mar 23 2011 09:42 AM Automatic
a.b.c.85 0100.1302.4c96.9e Mar 23 2011 09:49 AM Automatic
a.b.c.86 0140.a6d9.741c.e0 Mar 23 2011 12:12 PM Automatic
a.b.c.87 0100.264a.b8e9.50 Mar 23 2011 10:16 AM Automatic
a.b.c.88 0140.a6d9.4911.67 Mar 23 2011 03:19 PM Automatic
a.b.c.89 013c.7437.1e32.96 Mar 23 2011 10:27 AM Automatic
a.b.c.90 01d8.3062.689c.4b Mar 23 2011 11:55 AM Automatic
a.b.c.91 0158.946b.4df8.bc Mar 23 2011 10:49 AM Automatic
a.b.c.92 0100.2215.7368.26 Mar 23 2011 10:23 AM Automatic
a.b.c.93 0100.23df.76ea.90 Mar 23 2011 02:33 PM Automatic
a.b.c.94 0124.ab81.708d.83 Mar 23 2011 03:58 PM Automatic
a.b.c.95 0100.1cb3.163d.5a Mar 23 2011 03:13 PM Automatic
a.b.c.96 01cc.08e0.2aeb.96 Mar 23 2011 01:27 PM Automatic
a.b.c.97 0188.c663.d0d0.55 Mar 23 2011 01:57 PM Automatic
a.b.c.98 0100.1b77.08bb.89 Mar 23 2011 01:15 PM Automatic
a.b.c.99 0100.1ec2.47d7.19 Mar 23 2011 12:43 PM Automatic
a.b.c.102 0100.1310.8e74.78 Mar 23 2011 12:41 PM Automatic
a.b.c.103 0100.24d6.58b0.82 Mar 23 2011 01:44 PM Automatic
a.b.c.104 0100.2608.7df2.68 Mar 23 2011 03:23 PM Automatic
a.b.c.106 01c8.bcc8.1a86.41 Mar 23 2011 03:56 PM Automatic
a.b.c.107 01a4.6706.1e54.94 Mar 23 2011 04:08 PM Automatic
a.b.c.108 017c.c537.46ac.0e Mar 23 2011 02:41 PM Automatic
a.b.c.111 0100.037f.0ea2.19 Mar 23 2011 02:47 PM Automatic
a.b.c.112 01d8.3062.75c5.9c Mar 23 2011 03:33 PM Automatic
a.b.c.113 0021.9116.449e Mar 23 2011 03:36 PM Automatic
a.b.c.114 0100.1ff3.46d9.a9 Mar 23 2011 03:40 PM Automatic
a.b.c.116 0104.1e64.4a0d.a3 Mar 23 2011 04:21 PM Automatic
a.b.c.117 0190.27e4.4ae8.94 Mar 23 2011 04:24 PM Automatic
Thanks! -
SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed
Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
no aaa authentication list default
authentication certificate
ca trustpoint CA
as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
functions svc-enabled
mask-urls
svc address-pool "SSLVPN_OFFICE1"
svc default-domain "domain.internal"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.53.33
svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue eventhttp://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
HI,
Refer to
AnyConnect VPN Client FAQ
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3. -
Router-to-PIX VPN Tunnels fade in and out
Does anyone know of any problems with Router-to-PIX vpn tunnels? For a number of months we've had about 35 831Routers vpn'd into our PIX515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the vpn tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. Only problem with that is that some of the locations are having to reboot their 831Router more than two or three times a day.
I've added keepalive statements into theconfig of the routers and the PIX. Specifically I've added these two lines to the routers:
Crypto isakmp keepalive 10 5
crypto ipsec secutity-association lifetime seconds 28800
I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
Thank you,
ChrisTry using the debug commands and see if you are getting any error messages that might give us some idea.
-
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecti
ng AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with priv¾ilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciatedHello,
i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router. -
Cisco 831 Router to Configure VPN Access
Hello,
I need assistance in configuring a VPN in a Cisco 831 Router. I do not have any experience in configuring routers and VPN's, and would appreciate if any one could help out.
I would like to connect three Laptops to the Cisco 831 via Cisco VPN Client. Three laptops must have 10.42.6.x Address assigned by the router on the VPN Connection. They will also need access to the internal network which is 192.168.x.x private network. The Cisco has a Static IP on the Internal Interface and External Interface. I have tried several different ways of doing this, however I must be doing something wrong in my config.
Any help or suggestions would be appreciated.Hi Robert
You can refer the below link in finding out the exact config to start with.
do make sure that your Cisco 831 box with the current IOS code installed in it supports the required feature to run the same..
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
regds -
Does Cisco 857 router support Easy VPN?!!
Hi,
I've a Cisco 857 router with a 12.4(6)T IOS.
I want to configure it to act as an Easy VPN server, to allow my remote clients -using cisco vpn clients- to access the internal resourses behind the router.
Is it applicable with this router model?!!
thanks and regards,
AlaAla, upsolutely, you would probably need advance k9 security image, check at software advisory tools and slect software features for your platform.
sofware advisory
http://tools.cisco.com/Support/Fusion/FusionHome.do
857 Models See table 3 Software feature
http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6195/product_data_sheet0900aecd8028a9a9_ps380_Products_Data_Sheet.html
HTH
Rgds
Jorge -
WRVS4400S Cisco Router to Fortinet VPN Issue
I created the VPN between WRCS4400N and Fortinet 111c and tunnel is up. When i am pinging my cisco subnet (10.0.20.0) from fortinet, its pinging. But when i am pinging fortinet (10.0.1.8) or any ip of this subnet from cisco router its not pinging.
I have real IP on my Fortinet and dyndns on Cisco Router. The simple diagram is attached for my vpn network. I think its routing issue, i have to add route in cisco router but i don't know what route i have to add there in order work the vpn perfectly. kindly help...Hi Muhammad,
since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.
best regards,
Herbert
Cisco Moderator -
Router to pix vpn ipsec - bandwidth issue
I basically followed the config example of cisco in :
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
it works fine.
my pb is:
the remote site has a 2Mbps line but once the tunnel is up, even without traffic in the tunnel, the link between any client behind the router and a line tester in the OUTSIDE world (internet) will give very poor results.....
what could be wrong ?
no crc error, no error at all, just that the bandwidth with the outside world is vanishing
any idea?Did you apply any QOS on the link?
-
EZVPN Router to PIX - vpn tunnel fails after xauth
I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment if this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.
KenThank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. Was hoping the PIX config wouldn't need any changes since its working for the software VPN clients. I tried your NAT suggestion:
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source list Lan_Addresses interface Ethernet0 overload
ip access-list standard Lan_Addresses
permit 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
This didn't change things. Also, things behave differently when I use a bad username/password, for example:
AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
Username: baduser
Password:
AADDAA#
*Mar 14 06:27:07.891: xauth-type: 0
*Mar 14 06:27:07.895: username: baduser
*Mar 14 06:27:07.895: password:
*Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.
XX. ID = -475558296
*Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 50
0 peer_port 500 (I) CONF_XAUTH
*Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
*Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason
"Done with xauth request/reply exchange"
*Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_A
TTR
*Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State
= IKE_XAUTH_REPLY_SENT
*Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport
500 sport 500 Global (I) CONF_XAUTH
*Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
*Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.
XXX.XX. message ID = 559535353
*Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
*Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State
= IKE_XAUTH_REPLY_AWAIT
*Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the fo
llowing command:
*Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth
Thanks again,
Ken -
Cisco RV220/RV110 Site-Site VPN issues
Hi I have a couple of sites using the RV220 at head office and a few RV110's at branch offices linked by IPSec VPN. I am finding the links to be very unstable and it appears to be the actual routers causing this.
The issue starts when data flow stops between two sites, I can restart the RV110 at the branch office but this rarely fixes the issue. If I restart the RV220 at head office then the VPN is re-established. I find that both ends think they are connected, but I can't drop or reconnect the interface using the web interface. Traffic (Rx/Tx) across the link is usually reported as 0.
I have three businesses I look after that have this identical issue. The remote sites are connected via various methods (bridge mode to ADSL or 4G services)
All devices running latest firmware. Some times the links will freeze up several times a day, some times once a week.
Any help appreciated, this has been going on for some time.Hi I have a couple of sites using the RV220 at head office and a few RV110's at branch offices linked by IPSec VPN. I am finding the links to be very unstable and it appears to be the actual routers causing this.
The issue starts when data flow stops between two sites, I can restart the RV110 at the branch office but this rarely fixes the issue. If I restart the RV220 at head office then the VPN is re-established. I find that both ends think they are connected, but I can't drop or reconnect the interface using the web interface. Traffic (Rx/Tx) across the link is usually reported as 0.
I have three businesses I look after that have this identical issue. The remote sites are connected via various methods (bridge mode to ADSL or 4G services)
All devices running latest firmware. Some times the links will freeze up several times a day, some times once a week.
Any help appreciated, this has been going on for some time. -
Cisco DSL-Router 876W: VPN with Apple Builtin PPTP??
Hello
I spoke last week to someone about the VPN Problems with several Firewalls and Routers. I hate it to use VPN Tracker, Cisco VPN Client or IP Securitas. I would like to use only the builtin VPN Clients of the Apple OS X.
He suggest me to use Cisco 876 Router. That VPN should support the builtin VPN Client of Apple. Has some member of this forum testet this Router and get the VPN working?
I tried to contact Cisco here in Switzerland, but they have nearly any know-how of Apple Products
Who can help me?
Regards
GérardHello
We had installed the Cisco Router with the VPN Server.
It is possible to make a connection with the builtin PPTP Client of Apple. The Connection is very instable. It disconnect every X minutes.
Ferther I am not able to use all the Apple Remote Desktop funktion. So I see the ARD Client at the VPN Site. Im am able to see which Program is running and are also able to update the ARD Client.
But the Control and Show Funktion off ARD ist not working.
So this solution ist not useable to do Remote Maintanance
Has someone the same problems or an idea why it is not working
Regard
Gérard -
The following topic describes how to do L2TP/IPSec on Windows 8.
https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8
However, I am trying to use the same template for Chrome OS clients and it does not work. Has it ever been set up successfully? Any ideas would be greatly appreciated.
Thank you,
Aram.Randy, I understand now!
What I would do in this case is couple of things, but this still needs some minor configuration on the router, it depends on the router managed provider but.. you should be able to ask the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you and they should provide that, after all, you are paying for services even though is a managed router by provider.
On the router thye would configure a secondary logging server.
e.i
say your syslog server is 20.20.20.20
router(config)#logging 20.20.20.20
router(config)#logging trap informational
the above informational is facility #6 out of the 7 levels of facility, 0 being emergencies 1 alerts 2 critical and so on..I believe with this facility# you will see tunnel info on the syslog.
additionally, on the access-lists pertaining to the L2L Ipsec tunnel add the keyword log at the end of each of its access-list, with the keywork log the router will send traps pertaining to the access-list to your syslog thus providing you that the connection is stablihed or not.
Rgds
-Jorge -
IPhone 2.1 now supports Cisco VPN Client to IOS router
Just tested it. The Cisco VPN Client in iPhone 2.1 now connects to my IOS router. Excellent.
I have a Cisco 1812 with 12.4(20)T. I know that 12.4(6)T and some other versions have an issue with the negotiation of IPSec policies which basically means that only the first proposal is considered. If the first proposal matches you have a connection. If it does not match, the connection is refused even though other proposals would be O.K.
The relevant isakmp/ipsec config should be:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group myvpn
key mysecretkey
dns 10.0.0.2 10.0.0.3
wins 10.0.0.2
domain mydomain.example.com
pool ippool
acl 150
split-dns mydomain.example.com
netmask 255.255.255.0
crypto isakmp profile ike-myvpn-profile
match identity group myvpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile myvpn
set transform-set ESP-3DES-SHA
set isakmp-profile ike-myvpn-profile
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet1
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile myvpn
See also http://www.cisco.com/en/US/docs/ios/security/configuration/guide/secipsec_virt_tunnl_ps6441_TSD_Products_Configuration_GuideChapter.html
If you have IOS 12.4(6)T or similar which has the bug I have mentioned you have to use aes instead of 3des for the transform set. The first proposal of the iPhone is aes. Be sure to check the "debug crypto ipsec" and "debug crypto isakmp" output for troubleshooting. -
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
ThanksHi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.
Maybe you are looking for
-
How to enable copy , cut for Rich Text editors
I have a rich-text with cut , copy options but when i try to cut or copy it gives me the following error - Your browser's security settings don't permit the editor to execute cut operations. Please use the keyboard shortcut (Ctrl/Cmd+X). I have tried
-
Dear all, While creating sale order, as per my client's requirement, i had manually entered tax. But this manual entry doesnt have tax code.So while creating billing, it gives account determination error that is in account key MW3, gl account is miss
-
Bug in ios 8.1.3
I have just upgraden my ipone 6 to IOS 8.1.3 What happened, the screen resolution has changed so I cant use the phone, I can access things, and I dont know how to change it. nyone have a fix for this??
-
DB13 offline backup terminated
Dear all, I was taking offline backup and found the error and checked the detailed log : BR0360W Not enough disk space in /oracle/Q11/sapreorg for verification, missing at least 6139.147 MB BR0128W Option '-w' ignored for 'out_of_space' I have 293238
-
Fios out in Colleyvill​e???
Fios has been down all day here. No phone. No internet. No TV. Lights are green on box in garage. Red light on box on outside of home saying no service. Anyone else out?