Conflict with ISA570W Remote VPN
Ok... this one makes absolutely no sense. I'm hoping someone can help.
My customer's IP phones stopped working when I enabled Remote IPSec on the ISA570W.
Here's the configuration:
When the Mitel IP phones power on, they acquire an IP address from the hosted VoIP server via DHCP (option 128) then download the configuration file via TFTP. When I enable Remote IPSec on the ISA570W, the phones obtain their address, but stall during the TFTP transfer. If I disable Remote IPSec and power-cycle the ISA570W, the phones start up normally. If Remote IPSec is enabled and I disconnect the WAN1 interface, the phones start normally.
I fail to see how enabling Remote IPSec on the ISA570W causes a communication failure between the IP phones and the hosted VoIP servers.
The phones are not communicating through the ISA570W. The path is: IP Phone<-->LAN<-->Cisco 2430<-->Host
Any ideas?
Thanks,
Rick
Nagaraja,
The VoIP solution is hosted by a third party (Broadview Networks), so I have limited information on the configuration of their Cisco 2430.
Here's what I can provide:
LAN
192.168.0.0/24
ISA570W
LAN
VLAN 1 (Default - GE2-GE9)
IP Address: 192.168.0.1/24
WAN1 (GE1 - Internet - Fairpoint FTTP)
IP Address: 71.***.***.39/24
Add'l IP: 71.***.***.139/24
WAN2 (GE10 - Internet - Broadview Cisco 2430 Data interface)
IP Address: 64.***.***.138/31
Note: WAN1 is used primarily for Internet access and inbound connections.
WAN2 is used for site-to-site IPSec over Broadview Internet to remote office.
Site-to-site IPSec: 192.168.0.0/24 <--> 192.168.16.0/24
Cisco 2430
WAN: T1 to Broadview Networks
Data interface (fe?/?)
IP Address: 64.---.---.137/31
Voice interface (fe?/?)
IP Address: ???
TFTP Server: 10.161.0.32/??
Phones are assigned IP addresses on network 10.160.90.0/?? via DHCP (Option 128)
Servers, computers and phones are connected to the same physical switches. This is necessary because we use the passthrough port on the phone for the computers.
When Remote IPSec is enabled on the ISA570W, phones successfully acquire DHCP and begin the TFTP transfer, but stall after a few blocks. In rare cases, a phone will complete the TFTP transfer but hang during initialization.
Here's a sample capture:
10.160.90.43 10.161.0.32 TFTP: Read Request - File: MinetIp5220Dpl.bin, Transfer Mode: octet blksize: 4096 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Option Acknowledgement - blksize: 1024 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 0 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 1 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 1 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 2 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 2 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 3 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 3 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 4 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 4 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 5 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 5 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 6 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 6 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 6 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 6 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 6 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 6 {UDP:3132, IPv4:3129}
Note that in this example, block six continues to retry indefinitely.
Any one of the following actions will clear the problem:
Disconnect the ISA570W from the LAN
Disconnect the ISA570W WAN1 interface
Disable Remote IPSec and power-cycle the ISA570W
Here's the Remote IPSec configuration:
Group name: M*******s_VPN
WAN Interface: WAN1
IKE auth method: Pre-shared key
Password: ************
Mode: Client
Pool range for client LAN: 192.168.0.176 - 192.168.0.191
Client internet access: Create NAT rule... enabled
WAN failover: Off
Zone Access Control: Only LAN and WAN permitted
Mode configuration:
Primary DNS: 192.168.0.19
Default Domain: m*********c.com
Split tunnel: On
Protected network: 192.168.0.0 255.255.255.0
Based on the capture, the path between the TFTP server and the phone is unaffected. The TFTP traffic is UDP. Is it possible it's getting corrupted?
Thanks,
Rick
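An added example, not part of Rick's post: a Python script that parses capture lines in the format shown above and reports where the transfer stalls, how large the negotiated data packets are on the wire, and, from the retransmission pattern, which direction is losing packets. Under RFC 1350 the sender only retransmits DATA block n while it has not received ACK n, so when the capture shows the phone sending ACK 6 each time the server resends block 6, the ACKs are what is not getting through. The sample capture is an abridged, constructed copy of the one in the post; the header sizes assume IPv4 without options.

```python
import re
from collections import Counter

# Constructed sample input: an abridged copy of the capture format shown in the post.
SAMPLE_CAPTURE = """\
10.160.90.43 10.161.0.32 TFTP: Read Request - File: MinetIp5220Dpl.bin, Transfer Mode: octet blksize: 4096 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Option Acknowledgement - blksize: 1024 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 0 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 1 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 1 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 2 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 2 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 3 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 3 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 4 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 4 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 5 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 5 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 6 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 6 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 6 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 6 {UDP:3132, IPv4:3129}
10.161.0.32 10.160.90.43 TFTP: Data - Block Number: 6 {UDP:3132, IPv4:3129}
10.160.90.43 10.161.0.32 TFTP: Acknowledgement - Block Number: 6 {UDP:3132, IPv4:3129}
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+) TFTP: "
    r"(?P<op>Read Request|Option Acknowledgement|Acknowledgement|Data)"
    r"(?: - (?P<rest>.*?))? \{"
)
BLOCK_RE = re.compile(r"Block Number: (\d+)")
BLKSIZE_RE = re.compile(r"blksize: (\d+)")

TFTP_DATA_HEADER = 4   # opcode + block number (RFC 1350)
UDP_HEADER = 8
IPV4_HEADER = 20       # assumes no IP options


def analyze_tftp(capture: str, retry_threshold: int = 3) -> dict:
    """Summarise one TFTP transfer from capture lines; a block transmitted
    retry_threshold times or more is reported as the stall point."""
    requested = negotiated = None
    data_sent = Counter()   # block number -> times the server transmitted it
    acks_sent = Counter()   # block number -> times the client acknowledged it
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        op, rest = m.group("op"), m.group("rest") or ""
        if op == "Read Request":
            bs = BLKSIZE_RE.search(rest)
            requested = int(bs.group(1)) if bs else 512
        elif op == "Option Acknowledgement":
            bs = BLKSIZE_RE.search(rest)
            negotiated = int(bs.group(1)) if bs else None
        elif op == "Data":
            data_sent[int(BLOCK_RE.search(rest).group(1))] += 1
        elif op == "Acknowledgement":
            acks_sent[int(BLOCK_RE.search(rest).group(1))] += 1

    blksize = negotiated if negotiated is not None else 512  # RFC 1350 default without OACK
    stalled = max(data_sent, key=data_sent.get) if data_sent else None
    if stalled is not None and data_sent[stalled] < retry_threshold:
        stalled = None

    # RFC 1350: the sender retransmits DATA n only while it has not received ACK n.
    # If ACK n is seen leaving the client for every retransmitted DATA n, the ACKs
    # are being lost on the way to the server, not the data on the way to the client.
    direction = None
    if stalled is not None:
        if acks_sent[stalled] >= 2:
            direction = "client->server (ACKs not reaching the server)"
        else:
            direction = "server->client (DATA not reaching the client)"

    return {
        "requested_blksize": requested,
        "negotiated_blksize": blksize,
        "on_wire_bytes": blksize + TFTP_DATA_HEADER + UDP_HEADER + IPV4_HEADER,
        "highest_block_acked": max(acks_sent) if acks_sent else None,
        "stalled_block": stalled,
        "data_transmissions": data_sent[stalled] if stalled is not None else 0,
        "acks_for_stalled_block": acks_sent[stalled] if stalled is not None else 0,
        "suspect_direction": direction,
    }


if __name__ == "__main__":
    for key, value in analyze_tftp(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

With the negotiated blksize of 1024 each data packet is 1056 bytes on the wire, well under a 1500-byte MTU, so fragmentation is not what stops block 6; the repeated ACK 6 / DATA 6 pair points at the phone-to-server direction, which is the path to check next.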
Similar Messages
Asa 5505 Remote VPN Can't access with my local network
Hello guys, I have a problem with my ASA 5505 remote VPN connection with local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network of 192.168.30.x. Here is my configuration; please can you help me?
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 155.155.155.10 255.255.255.0
interface Vlan5
no nameif
no security-level
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
address-pool vpn-Pool
default-group-policy mull
tunnel-group mull ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Hey Jennifer, I did everything you mentioned, but still I can't reach my inside network (LOCAL network). I am using Shrew Soft VPN Access Manager for my VPN connection.
Here is my cry ipsec sa output:
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer:155.155.155.1, username: Thomas
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 73FFAB96
inbound esp sas:
spi: 0x1B5FFBF1 (459275249)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2894
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x73FFAB96 (1946135446)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2873
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
(it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
Has anybody ever implemented such a thing, and is it possible? And if yes, how should it be configured?
Your help will be really appreciated!
Thanks.
Best Regards,
Jo
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
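An added example, not from either poster's configuration, serving both the ASA 5505 remote-VPN post above and this AAA-across-L2L question: a Python checker for the ASA 8.2 configuration style posted here. It parses ip local pool, the nat (inside) 0 exemption ACL, group-policy definitions and references, and named ACLs, then flags references that do not resolve to a defined group-policy by exact name (the posted config has group-policy mull but vpn-group-policy Mull; the check assumes a case-sensitive exact match), pool addresses not covered by the NAT exemption ACL, and, for a given flow such as the ASA's own inside address to the ACS server, whether a crypto ACL would select it for the tunnel. The L2L crypto ACL (L2L_TO_BRANCH) is constructed because the AAA post does not show one; the other lines come from the posted config.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the remote-access lines of the ASA 8.2 config posted above, plus a
# hypothetical L2L crypto ACL (L2L_TO_BRANCH) standing in for the one the AAA post does not show.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.30.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
access-list L2L_TO_BRANCH extended permit ip 192.168.30.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy mull internal
username xxx password REDACTED encrypted privilege 0
 vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
 address-pool vpn-Pool
 default-group-policy mull
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tok, i):
    """Consume one ACL address spec (any | host A | A MASK) at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract only what the checks below need from an ASA 8.2 style config."""
    cfg = {"acls": defaultdict(list), "pools": {}, "group_policies": set(),
           "gp_refs": [], "pool_refs": [], "nat0_acl": None}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and "permit" in tok:
            extended = "extended" in tok
            i = tok.index("permit") + (2 if extended else 1)   # extended ACLs name a protocol first
            src, i = _addr(tok, i)
            dst, i = _addr(tok, i) if extended else (ANY, i)    # standard ACLs have no destination
            cfg["acls"][tok[1]].append((src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = tok[4]
        elif tok[0] == "group-policy" and tok[-1] == "internal":
            cfg["group_policies"].add(tok[1])
        elif tok[0] in ("vpn-group-policy", "default-group-policy"):
            cfg["gp_refs"].append((tok[0], tok[1]))
        elif tok[0] == "address-pool":
            cfg["pool_refs"].append(tok[1])
    return cfg


def acl_permits(acl, src, dst):
    """True if any entry of the parsed ACL matches the (src, dst) flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def check(cfg):
    findings = []
    # 1. every group-policy reference must resolve to a defined group-policy (exact name)
    for kind, name in cfg["gp_refs"]:
        if name not in cfg["group_policies"]:
            findings.append(f"{kind} {name}: no group-policy defined with that exact name")
    # 2. every pool address must be a destination in the nat 0 exemption ACL, otherwise
    #    inside->client replies are translated and never match the client's SA
    exempt = cfg["acls"].get(cfg["nat0_acl"], [])
    for name in cfg["pool_refs"]:
        if name not in cfg["pools"]:
            findings.append(f"address-pool {name}: pool not defined")
            continue
        lo, hi = cfg["pools"][name]
        uncovered = [str(ipaddress.ip_address(a)) for a in range(int(lo), int(hi) + 1)
                     if not any(ipaddress.ip_address(a) in dn for _, dn in exempt)]
        if uncovered:
            findings.append(f"pool {name}: {len(uncovered)} address(es) not covered by "
                            f"nat 0 ACL, e.g. {uncovered[0]}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in check(cfg):
        print("FINDING:", finding)
    acl = cfg["acls"]["L2L_TO_BRANCH"]
    print("ASA inside IP -> ACS selected by crypto ACL:", acl_permits(acl, "192.168.30.1", "10.10.10.56"))
    print("VPN client -> ACS selected by crypto ACL:", acl_permits(acl, "192.168.100.5", "10.10.10.56"))
```

The zero encaps/decaps counters in the posted show crypto ipsec sa output mean nothing was ever encrypted for that SA, which is what a failed reference or a missing exemption looks like from the counters' side; these are the config-side conditions to rule out before looking at the client.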
Static Policy NAT in VPN conflicts with Static NAT
I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
interface Vlan1
ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
What am I missing?
Hi,
To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2), and the reordering of the configurations has always worked.
So I am not sure whether we are looking at some bug or what the problem is.
I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
access-list STATICPAT-SMTP permit tcp host eq smtp any
static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
access-list STATICPAT-HTTPS permit tcp host eq https any
static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
access-list STATICPAT-RDP permit tcp host eq 3389 any
static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
access-list STATICPAT-POP3 permit tcp host eq pop3 any
static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
Naturally you would add the Static Policy NAT for the VPN first.
Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT, for example the Static PAT for RDP (TCP/3389): first entering the Static Policy NAT, then removing the Static PAT, and then entering the Static Policy PAT.
Remember that you should be able to test the translations with the "packet-tracer" command
For example
packet-tracer input outside tcp 1.1.1.1 12345
- Jouni -
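An added example, not Jouni's configuration: a Python model of the first-match ordering the thread is about. On ASA 8.2 the static NAT and static PAT entries (regular and policy) are evaluated in configuration order and the first match wins, so a static PAT that matches a packet before the policy NAT does translates it to the interface address, and the packet then never matches the crypto ACL. The server address (192.168.10.5), the outside interface address (203.0.113.10) and the branch hosts are constructed placeholders; the subnets and the two static statements are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network
OUTSIDE_IF = ipaddress.ip_address("203.0.113.10")  # constructed placeholder for the ASA outside address
SERVER = "192.168.10.5"                            # constructed placeholder for the host called SERVER
TUNNEL_REAL = net("192.168.10.0/24")    # real LAN behind the ASA (from the post)
TUNNEL_MAPPED = net("192.168.24.0/24")  # what the Sonicwall must see (from the post)
PEER_LAN = net("10.159.0.0/24")         # LAN behind the Sonicwall (from the post)


@dataclass
class Static:
    """One 'static (inside,outside) ...' entry, either policy NAT or static PAT."""
    name: str
    real: ipaddress.IPv4Network                   # real (inside) addresses the entry applies to
    mapped: ipaddress.IPv4Address                 # first mapped address (interface IP for static PAT)
    dst: Optional[ipaddress.IPv4Network] = None   # policy NAT: destination from the ACL
    proto: Optional[str] = None                   # static PAT: protocol
    port: Optional[int] = None                    # static PAT: real port

    def matches(self, proto, src, sport, dst):
        if src not in self.real:
            return False
        if self.dst is not None:                  # policy static: ACL destination must match too
            return dst in self.dst
        return proto == self.proto and sport == self.port   # static PAT: protocol and real port


def translate(statics, proto, src, sport, dst):
    """ASA 8.2 order of operations for statics: first matching entry in config order wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s in statics:
        if s.matches(proto, src, sport, dst):
            return s.mapped + (int(src) - int(s.real.network_address)), s.name
    return src, None


def enters_tunnel(mapped_src, dst):
    """Does the translated packet match outside_1_cryptomap (192.168.24.0/24 -> 10.159.0.0/24)?"""
    return mapped_src in TUNNEL_MAPPED and ipaddress.ip_address(dst) in PEER_LAN


POLICY_VPN = Static("static (inside,outside) 192.168.24.0 access-list VPN",
                    TUNNEL_REAL, TUNNEL_MAPPED.network_address, dst=PEER_LAN)
PAT_SMTP = Static("static (inside,outside) tcp interface smtp SERVER smtp",
                  net(f"{SERVER}/32"), OUTSIDE_IF, proto="tcp", port=25)


def outcome(order, proto="tcp", src=SERVER, sport=25, dst="10.159.0.5"):
    """Translate one packet; the default is SERVER answering on port 25 to a branch host."""
    mapped, rule = translate(order, proto, src, sport, dst)
    return str(mapped), rule, enters_tunnel(mapped, dst)


if __name__ == "__main__":
    for label, order in (("static PAT first (as posted)", [PAT_SMTP, POLICY_VPN]),
                         ("policy NAT first", [POLICY_VPN, PAT_SMTP])):
        mapped, rule, tunnel = outcome(order)
        print(f"{label}: SERVER:25 -> 10.159.0.5 becomes {mapped} via [{rule}], enters tunnel: {tunnel}")
    print("policy NAT first, Internet destination:", outcome([POLICY_VPN, PAT_SMTP], dst="198.51.100.7"))
```

With the policy NAT first, the server's replies to the branch are translated to 192.168.24.x and enter the tunnel, while the same server's traffic to an Internet destination still hits the static PAT, so moving the policy NAT to the top does not break the existing port forwards; packet-tracer on the box is the way to confirm the same two cases.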
VPN Issue: Could not Negotiate a connection with the remote PPP server
Hello Folks,
I setup VPN on Windows Server 2003 Enterprise R2. I am successfully able to connect to VPN via laptop internally and externally. However, on my iPhone I am not able to connect and receiving the following error "Could not Negotiate a connection with the remote PPP server".
There doesn't seem to be a lot of documentation regarding this on Apple or throughout the web.
Anyone resolve this issue?
Peace
Phil C.
I am not entirely sure of my full setup. I had a friend help me set it up. Now for some reason when on WIFI on my own network I am able to connect to VPN (I wasn't able to before), but when I switch to EDGE there is still no response from the PPP server. I even messed around with the PPP options, still no response. Unfortunately I am not extremely server literate, so my troubleshooting is limited. However it is now working via my own WIFI and I will try it on another WIFI network tomorrow. I am wondering though if it connecting had to do with any updates from Microsoft. Since this is a newly installed Server 2003 it has been running updates. Some food for thought.
Peace
Phil -
Help with setting up Remote VPN
Hi,
Currently our company is using following:
Linksys WAG200G(54Mbps): ADSL Modem/DHCP/Firewall/port forwarding/wireless
CISCO ESW-540-8P switch for intranet: 1x Windows Server 2012 Standard/ 1x NAS and connected to 1x CISCO WAP4410N for wireless
We intend to enable our network for remote VPN( 1 to 5 users) and as well as upgrading the WAG200G to new equipment to use 802.11n wireless.
I hope someone can suggest stable small-business equipment for our upgrade. I have previously bought the WAP4410N and tried upgrading to 802.11n for all our users but was not successful, as this unit constantly gives us access problems. So right now I am only using it for my support purposes. I read that the WAP321 is stable equipment from community comments, so I may consider getting one for 802.11n access. As for VPN and ADSL modem, I hope someone can suggest suitable stable models.
Thank you.
There are many devices that can provide you a VPN solution. Personally I would get a router of some sort, maybe a 2800 or 1800 series, and then create an L2 tunnel config on it. There are many links on the web where you could almost do a copy-paste of the config. The issue will then be the ability to do a NAT to the router and setting up internal access. That is always unique to the environment, so I couldn't help more there without a better diagram and basic configs.
Here is a link with sample configs
http://tekcert.com/blog/2006/12/14/configuring-cisco-router-accept-vpn-connections
-Toby
Sent from Cisco Technical Support Android App -
I have a Macbook Pro with Windows Vista installed on it. Vista has no problem printing to my Airport network through Bonjour. Where I run into a problem is when I am connected to work through a VPN on the Windows side. When I try to print something from work, the work printer, which is really a reference to my local network printer, creates a HobLink file. From everything that I can gather, this HobLink file is encrypted, and Bonjour has a conflict with it. So, in essence, if I establish a VPN with my office on the Windows side, I cannot print to anything. Does anyone know a work around to this HobLink/Bonjour conflict? Thanks.
I am not sure this is HobLink related. Do you use HobLink to connect to terminal servers at work? That's apparently what it's for: "HOBLink JWT is the time saving, cost-efficient and web-based answer for fast, multi-user access to centrally located Windows applications and data on Windows Terminal Servers from Apple Macintosh's OS X."
In general, Bonjour does not work over VPN connections because the Bonjour broadcast packets are not passed. I am not sure if this is a limitation of VPN or just the routers, which also do not pass Bonjour packets between subnets on a local network by default.
Update: I just found this informative discussion on MacOSXHints about this topic: http://www.macosxhints.com/article.php?story=20080626194901370 -
IPSec remote VPN with VPN client giving error
Hi ,
ASA 5505 current configuration is : (setup using ASDM)
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname TEST
enable password ___________ encrypted
passwd __________ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
access-list sap_vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test_pool 192.168.10.0-192.168.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sap_vpn internal
group-policy sap_vpn attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sap_vpn_splitTunnelAcl
username test password ____________ encrypted privilege 0
username test attributes
vpn-group-policy sap_vpn
username TEST password ________________ encrypted privilege 15
tunnel-group sap_vpn type remote-access
tunnel-group sap_vpn general-attributes
address-pool test_pool
default-group-policy sap_vpn
tunnel-group sap_vpn ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b67cdffbb9567f754052e72f69ef95f1
: end
I am using the VPN client with host IP 192.168.2.20 and group authentication with username sap_vpn and the preshared key as password, but I could not connect to the VPN and am getting the attached error message.
The ASA was set up with the ASDM initial wizard: inside interface (VLAN1) IP 192.168.1.1 and outside (VLAN2) IP 192.168.2.20 assigned using DHCP. I am using the outside interface IP 192.168.2.20 for the HOST IP in the VPN client for the remote connection??? Is it right??
Please advise on this.
Hi,
The current configuration of the ASA 5505 for IPSec remote VPN is below:
ASA Version 8.2(5)
hostname _________
domain-name ________
enable password ___________ encrypted
passwd _________ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.7 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address ______________(public IP)
ftp mode passive
dns server-group DefaultDNS
domain-name ________
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.224.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test_pool 172.16.10.0-172.16.16.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.0.11-192.168.0.138 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy dyt_vpn internal
group-policy dyt_vpn attributes
vpn-tunnel-protocol IPSec
default-domain value _______
username test password _________ encrypted privilege 0
username test attributes
vpn-group-policy dyt_vpn
username ________ password ______________encrypted privilege 15
tunnel-group dyt_vpn type remote-access
tunnel-group dyt_vpn general-attributes
address-pool test_pool
default-group-policy dyt_vpn
tunnel-group dyt_vpn ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:eb0f7a5c2385b7400e9b9432fb2df9d1
: end
When I assign the public IP to the outside interface of the ASA, it shows the outside interface down.
Can anybody please help me with that?
Thanks,
Sap -
Connect to remote VPN from a network with its own VPN
I have a Mac OS X Server v10.6 running L2TP behind a D-Link DIR-625 router.
I have client with a similar setup - Mac OS X Server v10.7 running L2TP behind a Time Capsule.
I want to be able to connect to my client's VPN from inside my network, but I get an error, "The L2TP-VPN server did not respond..."
When I disable the virtual server entries on my D-Link for VPN IKE (UDP Port 500) and VPN ESP (Protocol 50), I am able to connect to the remote VPN, but then obviously nobody can connect to my VPN.
Is this normal? Is it not possible to connect to remote VPNs if you are on a network that has a VPN server running behind a router?
You can still use SSH to connect from a UNIX platform to your DB Server (the same way you do on your desktop).
There are a few tutorials on making an active SSH tunnel for database activities; however, I think this kind of solution requires more administration effort and in some environments could be cumbersome. If security is a concern, you can purchase ASO from Oracle, which handles the network encryption for you.
Regards!
P.D. If you use PuTTy on your desktop, you could try the -L parameter for the ssh command. -
Remote VPN access with Windows 7, 64 bit
Hey there,
What do you guys suggest for Remote VPN access with Windows 7, 64 bit?
Hi,
You can configure a remote access VPN with a Windows 7, 64-bit client. You will have to download an IPsec VPN client specifically for a 64-bit machine. It should not give you much trouble.
The client is vpnclient-winx64-msi-5.0.07.0290-k9.exe. It is available on the cisco.com site.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as resolved if you feel your query is resolved. Do rate helpful posts. -
Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access
I got a new Cisco Layer 3 switch today, so here is my scenario:
Cisco Asa 5505
I
Outside == 155.155.155.x
Inside = 192.168.7.1
VPN POOL Address = 10.10.10.1 - 10.10.10.20
Layer 3 Switch Config
Vlan 2
interface ip address = 192.168.1.1
Vlan 2
interface ip address = 192.168.2.1
Vlan 2
interface ip address = 192.168.3.1
Vlan 2
interface ip address = 192.168.4.1
Vlan 2
interface ip address = 192.168.5.1
ip Routing
So I want my remote access VPN clients to access all these networks. Please can you give me a helpful trick or link to configure the rest of my routing?
Thank you all
When my remote VPN is connected, it reaches 192.168.7.2 of the Layer 3 VLAN that's connected to the ASA 5505,
But i can't reach the rest of the VLAN - example
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
But I can reach the connected interface VLAN to my ASA.
So here I think I have a misconfiguration in my route.
Any help please, this is urgent -
Apple Remote Desktop conflict with iChat/iSight
I have found an irritating but reproducible conflict between Apple Remote Desktop (ARD) and iChat. If I try to set up a video chat (either within our local network or to the outside world) when ARD is running on my computer (PB 12" 1.5GHz, 10.4.4), the video attempts to start, i.e. I get a video window, but the connection never creates and after a few seconds I get a message saying
‘Disconnected from video chat because: Can't get video from the camera’.
If I quit ARD everything works OK. Does anyone know of a fix for this?
Thanks
Tony
See your other post http://discussions.apple.com/message.jspa?messageID=1573741#1573741
-
Conflicts with XP "Remote Desktop" and ZFD4 "Remote Control"
We have a similar problem to this. Some machines, after installing the Zen4
agent, after the first login, the WS reboots automatically every time.
We have discovered a conflict with the display adapter (Intel eXtreme Graphics
2).
Resolution: With the workstation at the CTRL+ALT+DEL or password prompt, access
the registry of this machine from a remote admin WS. Under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, find startup
tools from the display adapter, like HotKeysCmds -> C:\Windows\System32
\hkcmd.exe and remove them from the registry.
Log on at the WS and if it runs fine, reinstall the display adapter.
I hope this helps you.
Regards,
BJ
> Current workstation Configuration - WinXP(SP1), Client32
> (483sp1),Enabled
> Microsoft Remote Desktop (Used to connect to machine via NAT at
> Firewall),
> ZFD4 at server. I installed ZFD4 management agent as local
> administrator
> with no problem. However on initial reboot, the machine would not
> boot
> normally and was stuck in a reboot loop. I was able to boot into safe
> mode
> however, unable to uninstall the ZFD4 remote agent.
>
> 1) Is there some type of conflict between the two "Remote Control"
> applications.
>
> 2)How do I correct the current reboot loop.
>
> 3)What is the best scenario to remote control a desktop via VPN or
> NAT,
> keeping in mind that I may not have the Netware Client loaded on all
controlling workstations.
>
>
>
-
I'm not sure if Apple Remote can, but
Microsoft offers a free program called Remote Desktop Connection so you can do just that.
www.microsoft.com/mac -
Hello guys,
I created three different remote VPN connections with three different networks. I can make them one, but for some reasons I don't mix all.
I am using a Cisco ASA 5505 with Shrew Soft VPN software, so my problem is:
- I connected Shrew Soft remote VPN; if I try to connect another remote VPN connection, it will not accept the second connection. So please can anyone give me remote VPN connection software that accepts more than one connection?
Hi,
Since you mention the ASA and the VPN I presume you are trying to connect by VPN Client to the same ASA?
Why would you want to have several VPN client connections at the same time? (Though I think that isn't even possible)
What are you trying to accomplish by these 3 different VPN Client configurations configured on the same ASA?
Isn't it just possible to configure one VPN Client connection to the ASA that would handle all the traffic of these 3 VPN Client connections?
- Jouni -
One other thing - I had a problem with the key pairing so I rebuilt the RSA 1024 key and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also Tunnel received 0 and sent 115119
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
Also, even though "allow LAN" is selected in the Cisco VPN client, it states the local LAN is disabled in the client stats.
Also transparent tunneling is selected, but in the stats it states it is inactive.
I am connecting with the Cisco VPN Client ver 5.0.07.0440.
This config works. It is on the internal net 192.168.40.x and all users obtain DHCP and surf the web. It has the required ports opened.
The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool, but you cannot see any machines on the internal network. The PIX is at 40.2 and you cannot ping the PIX from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25.
I need to see the internal network and map network drives. I have another friend who is running the same config and it works, but his computer is on a Linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25, so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the IP of 192.168.40.25 from the VPN pool and my connecting PC is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter, but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split tunnel, another was the NATting and another had to do with the encryption, where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boilerplate, but I believe my problem is in the NATting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks, but this has not helped.
Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exemption Translation. They said they originally set the VPN subnet when they did not have to.
Many of the other blogs I read also stated that if the NATting is not proper for the VPN pool, it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside, but I believe it should only have the VPN pool IP range and not the entire network, since the others do require NATting. Not sure if my thought process is correct here. Any help will be greatly appreciated.
Also this morning I just tried a boilerplate example from Cisco and it also did not do what I need it to do. And I also connected a PC to obtain an IP to see if I can see it. No good. The PC can ping the PIX and vice versa, but no one can ping the remote PC that connects via the Cisco Remote VPN client even though it receives an address from the VPN pool. Also "include LAN" is checked off on the client. This was mentioned in another post.
Thank you once again.
Hi,
The PIX501 is a very, very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support anything close to new software levels.
If you wanted to replace the PIX501, the corresponding model nowadays would be the ASA5505, which is the smallest Cisco ASA firewall, with an 8-port switch module. There is already a new ASA5500-X Series (while the ASA5505 is of the original ASA 5500 Series), but they have not yet introduced a replacement for this model, nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest the ASA5505. Naturally you could get some other models too, but the cost naturally rises even more. I am not sure at what price these are sold used.
I used some PIX501 firewalls at the start of my career but have not used them in ages, since the ASA5505 is pretty much the firewall model we use when we need a firewall/VPN device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that it's very hard for me at least to troubleshoot this, especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni
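Editor's note, added to this thread and not part of either post: before collecting the outputs Jouni asks for, the posted PIX 6.x config can be checked mechanically for the things the thread keeps circling around. Two facts are visible in the config as posted: `access-group acl_outside_in in interface outside` binds an ACL that is never defined (the only outside ACL defined is `OutToIn`), and the VPN pool `192.168.40.25-192.168.40.30` is carved out of the inside subnet `192.168.40.0/24`. With `sysopt connection permit-ipsec` set, decrypted client traffic bypasses the outside interface ACL, so the undefined-ACL binding does not by itself explain the symptom, but it should be fixed; a pool inside a connected subnet works only if the PIX proxy-ARPs for those addresses on the inside, so it is worth flagging and, as the poster already tried, worth moving to its own subnet. The Python below is example code written for this page: the sample config is a constructed, trimmed copy of the relevant lines from the post (placeholder `xxx` lines omitted), and `PixConfig`, `parse_config`, `run_checks` and the other helper names are hypothetical, not any Cisco tool or API.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: only the statements from the PIX 6.x config quoted in the post
# above that the checks look at (lines with xxx placeholders omitted). Not the full config.
SAMPLE_CONFIG = """\
access-list OutToIn permit ip any any
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outbound permit ip any any
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
vpngroup remote-vpn split-tunnel split_tunnel
"""


@dataclass
class PixConfig:  # hypothetical container for the parsed facts, not a Cisco API
    acls: dict = field(default_factory=dict)           # name -> [(action, proto, src, dst)]
    access_groups: dict = field(default_factory=dict)  # ACL name -> interface it is bound to
    interfaces: dict = field(default_factory=dict)     # nameif -> connected subnet
    pools: dict = field(default_factory=dict)          # pool name -> (first, last) address
    nat0_acls: list = field(default_factory=list)      # ACLs used by "nat (iface) 0 access-list"
    split_tunnel_acls: list = field(default_factory=list)


def _take_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]; return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract ACL, NAT, pool and interface facts from PIX 6.x CLI text."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        try:
            if t[0] == "access-list" and t[2] in ("permit", "deny"):
                src, i = _take_addr(t, 4)
                dst, _ = _take_addr(t, i)
                cfg.acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
            elif t[0] == "access-group":               # access-group NAME in interface IFACE
                cfg.access_groups[t[1]] = t[4]
            elif t[:2] == ["ip", "address"]:           # ip address IFACE ADDR MASK
                cfg.interfaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif t[:3] == ["ip", "local", "pool"]:     # ip local pool NAME FIRST-LAST
                first, last = t[4].split("-")
                cfg.pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
            elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
                cfg.nat0_acls.append(t[4])
            elif t[0] == "vpngroup" and t[2] == "split-tunnel":
                cfg.split_tunnel_acls.append(t[3])
        except (IndexError, ValueError):
            continue  # blank lines, object-group/port ACEs and xxx placeholders are skipped
    return cfg


def undefined_access_groups(cfg):
    """ACL names bound with access-group that no access-list line ever defines."""
    return sorted(name for name in cfg.access_groups if name not in cfg.acls)


def pools_inside_connected_subnets(cfg):
    """(pool, interface) pairs where the whole VPN pool lies in a directly connected subnet."""
    return [(pool, iface)
            for pool, (first, last) in cfg.pools.items()
            for iface, net in cfg.interfaces.items()
            if first in net and last in net]


def nat0_covers_pool(cfg, inside="inside"):
    """Is inside-subnet -> VPN-pool traffic exempted from NAT by a permit ip ACE in a nat 0 ACL?"""
    net = cfg.interfaces[inside]
    return all(
        any(act == "permit" and proto == "ip" and net.subnet_of(src) and first in dst and last in dst
            for acl in cfg.nat0_acls for act, proto, src, dst in cfg.acls.get(acl, []))
        for first, last in cfg.pools.values())


def split_tunnel_covers_inside(cfg, inside="inside"):
    """Does a permit ACE in the split-tunnel ACL send the inside subnet through the tunnel?"""
    net = cfg.interfaces[inside]
    return any(act == "permit" and net.subnet_of(src)
               for acl in cfg.split_tunnel_acls
               for act, _proto, src, _dst in cfg.acls.get(acl, []))


def run_checks(text):
    cfg = parse_config(text)
    return {
        "undefined_access_groups": undefined_access_groups(cfg),
        "pools_inside_connected_subnets": pools_inside_connected_subnets(cfg),
        "nat0_covers_pool": nat0_covers_pool(cfg),
        "split_tunnel_covers_inside": split_tunnel_covers_inside(cfg),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_CONFIG))
```

On the posted config the checker reports the undefined `acl_outside_in` binding and the pool-inside-subnet condition, while confirming that `no_nat_inside` does exempt inside-to-pool traffic and that `split_tunnel` does cover the inside subnet, so the NAT exemption the poster suspects is not what the ACLs as written get wrong. Renaming the binding to the defined ACL (or moving the pool to a subnet of its own and widening `no_nat_inside` and `split_tunnel` to match) makes the corresponding finding disappear, which is a cheap regression check to run before pasting a revised config back into the PIX.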