Connecting VPNs using a PIX Firewall

Hi,
We are trying to configure a PIX firewall to connect different VPNs in an MPLS environment, and we have a problem when we use more than one firewall.
With one FW all works fine, but with two or more, in some situations we can get recursive routing and it doesn't work.
Do you know any way to connect different MPLS VPNs using different firewalls?
Regards.
Enrique.

Would appreciate if you can elaborate more on the topology and the minute details on the problem that you experience with multiple firewalls.

Similar Messages

  • REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL

    Hey,
    We have a PIX 6.3 serving as internet firewall and we are in the process of replacing it with a new ASA device. Currently there are several site-to-site and remote VPNs configured for access purposes.
    I tried to remove one site-to-site IPsec VPN from the PIX and it started acting like a loop, generating the same error in such quantity that the processor hit 100% CPU. I couldn't log in through normal SSH, so I connected via console and put the isakmp and crypto map commands back in, and the error stopped.
    My purpose with this question is: how can I remove VPN config from the PIX without generating any error? Is there any formal process or order for removing rules from the PIX, or can we do it one by one with no order required?
    MY PROCESS OF REMOVING CONFIG:
    REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS 
    REMOVE THE OBJECTS AND OBJECTS GROUPS
    REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
    REMOVE CRYPTO MAP TRANSFORM-SET
    REMOVE ISAKMP-POLICY
    REMOVE CRYPTO MAP 
    WE DO USE THE ISAKMP SHARED KEY MECHANISM "I DID NOT REMOVE THAT"
    BUT AS SOON AS I REMOVED THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR
    IPSEC(crypto_map_check): crypto map XYZ 20 incomplete.  No peer or access-list specified.
    20 IS THE ISAKMP POLICY NUMBER & Peer and Access-list were removed from the pix
    any help would be great
    regards

    Hi
    You could do either of 2 things.
    1) Enable NAT-Traversal on your ASA
    2) Add the following on your pix :
    fixup protocol esp-ike
    This allows one IPSEC connection to run through PAT.
    HTH
    Jon

  • How to set up VPN using MAC OSX 10.4.11, Please help I need someone to help me set up VPN using regular DSL connection on my home so someone can help me troubleshoot my XSAN system remotely. THANKS

    Hello,
    I'm having trouble setting up a VPN using MAC OSX 10.4.11 Server. I have an XSAN system and one of my volumes has been down for quite a while now. There is a very kind MAC IT professional who is willing to help me troubleshoot my system, but he needs to be able to access my system remotely. I am able to connect the MDC to DSL but I haven't been able to set up the VPN. Please help, this is an emergency. Thanks!
    Marco

    Have you forwarded the ports on your router? Why not let him in via TeamViewer? It's free and Mac compatible.

  • User having trouble connecting to VPN using mobile broadband card

    I've got a user with a laptop running Windows 7 who is trying to use an AT&T mobile broadband card to connect to a VPN using the Cisco IPSec VPN client. The card is the Sierra Wireless Momentum 4G. The VPN connection established fine, but no traffic gets passed after that. Other users can connect to the VPN fine (not using mobile broadband, though). Wired and wireless connections from this laptop are able to get to the VPN fine. It's just over the mobile broadband service that this happens. Are there any workarounds for this issue?

    Hi and Welcome to the Community!
    To use the proprietary BB services (including Push email capability, native browser, BBM, etc.), you must have an adequate data plan from your carrier. The carriers host BIS (BlackBerry Internet Service) for their BB users. Typically, BIS is not available via generic data plans. Many carriers call what is necessary The Blackberry Data Plan. Whatever they call it, it is the carrier who delivers BIS to their BB users -- contact them for assistance. Once you have a BIS-capable data plan on your BB (at whatever fees your carrier will charge, btw), your BB-proprietary services will function (e.g., you will have Personal/Internet Email added to the email setup wizard, your BBM will function, etc).
    http://www.blackberryfaq.com/index.php/What_do_I_need_a_Data_Plan_for%3F
    With hundreds of carriers in the world, each with dozens of different data plans, it's impossible to tell you specifically what any service plan might actually provide. Only the carriers can answer that question. The best thing to do is to decide what services you desire, and then talk to your carrier about obtaining (from them) a data plan that enables what you desire.
    Good luck!
    Occam's Razor nearly always applies when troubleshooting technology issues!

  • Connecting over VPN using Toad

    Hello,
    We have started experiencing problems connecting to our 9i and 10g databases when using Toad over a VPN connection. Although a connection is actually made, nothing is returned to the Toad client and it just hangs. This problem only occurs over a VPN. When connected to the LAN there is no problem. Also, it is possible to connect over the VPN using SQL Developer. This has only recently started happening. In the past we have been able to connect over the VPN without a problem. Sounds like a Toad problem? Yes! I was wondering if anyone else had experienced this and knew of a resolution.
    Thanks James

    Hi ,
    The OP is able to connect through SQL Developer using the VPN, so there are no issues with the VPN. The OP is facing the problem when connecting using TOAD, so:
    1) Try disconnecting TOAD and then try again. If that doesn't work, can you please type the error message you are getting while connecting with TOAD over the VPN.
    Best regards,
    Rafi.
    http://rafioracledba.blogspot.com/

  • RV220W - Connect to SSL VPN using Win7 Built-In SSTP

    I'm relatively new to establishing VPN connections and I'm having one heck of a time getting everything configured.
    I'm setting up an RV220W at the office and trying to get VPN set up. I have gotten Quick VPN connections working using the QuickVPN software. I've given up for now on IPsec VPN connections and will come back to these later.
    What I'd like to get set up is SSL VPN connections using the Win7 built-in VPN client. Is this even possible? I initially tried to connect to the VPN via the SSL Web access but I cannot get the software/drivers to install on any of the 3+ Win7 64-bit machines I tried.
    So can the SSL VPN on the RV220W be set up to connect with the Win7 VPN Client using SSTP?
    Any links or guidance on how to set up the certificates on the server and where to install them on the client PCs? I think this is my major issue right now, as the error I get when I try to connect is either: "The certificate's CN name does not match the passed value" (Error Code: 0x800B010F) or "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider" (Error Code: 0x800B0109). I'm trying to use self-signed certificates and I'm not sure if that is the issue (self-signed vs genuine), but I really am not getting anywhere with this.
    Also, the VPN does not have a FQDN, just a static IP, if this matters.
    While I'm at it, I'd also gladly take any good links for IPsec on the RV220W, but I won't be tackling that until SSL & the certificates are set up.
    Thanks,
    Justin

    OK. Sorry to reply to myself, but I got a few steps further. I figured I'd post how in case anyone needs to reference this in the future or correct something I've done wrong.
    So I've decided to use a Self Signed Certificate.
    First I went to the Certificate page on the RV220W Config
    Select Generate Certificate and fill in the info. As I'm not using a FQDN but a static IP, I set the Name, Subject & IP address all to the same, static IP.
    I generated that and then hit view to copy the CSR
    From there you need to generate a certificate.
    I used Getacert (http://www.getacert.com/signacert.html)
    I pasted the CSR into the text box and hit SubmitCSR
    Make sure you save the getacert public certificate and your own signed certificate
    Back in the RV220W Certificate page, upload the getacert.cer to the Trusted Certificate section and your own self certificate to Active Self Certificates Table
    This should generate a new Cert for the router and you will have to reaccept it to get back to the web config
    Back in the Cert page again, download the router's certificate.
    Back on your client, import both the getacert.cer and the router's certificate into "Trusted Root Certification Authorities".
    These steps got me closer.
    Now when I try to connect using the Win7 VPN Client with SSTP I get a new error: Error Description: 0x800704D4: The network connection was aborted by the local system.
    Any idea how to resolve this on the RV220W?
    - Justin

  • Suddenly my ethernet and firewall are no longer connected. router is good...and can connect only using wifi...suggestions?

    suddenly my ethernet and firewall are no longer connected. router is good...and can connect only using wifi...suggestions?

    SOLUTION! 
    I've been suffering from this problem for a few months.  I tried everything suggested by everyone, and then, today, I had a mad idea. 
    I used to work in a room in the house that's about 12 metres away from the router. It's on the next storey up and horizontally about 8 metres away.  The problem started when I began to work in the same room as the router. 
    Today I became so frustrated that for some reason I walked into a room about 8 metres away on the same level - Guess what?  I connected with no problem at all. Feeling full of joy I walked back to the room where the router is located - Dropped internet connection within a few minutes!  Walked back to the the room that's 8 metres away and, hey presto! I have a connection. I now realise that the problem was that I moved too close to the router.
    I can think of no logical explanation for my experience, but empirically it seems to work.  Does anyone have the faintest idea of why this should be the case?  In the absence of an answer I think I may have to start believing in fairies at the bottom of the garden - I'm just off to set a meal for them.
    By the way, I don't know if it has any significance, but the router is a BT Infinity router that has replaced the incredibly unreliable Virgin Media cable connection

  • ISDN backup for ADSL connected sites using separate router

    In our set-up we have a central site with a large number of remote sites connected.
    We have moved a number of remote sites from ISDN connections to ADSL connections. However, we would like to keep the ISDN and use it for backup.
    The problem I have is - how do I implement ISDN backup with our current set-up? From the documentation, I can see how to do this for more "straightforward" set-ups but not for the set-up we have! Let me explain:
    At the central site, we have a Cisco 7206 router. The ISDN connected sites connect directly to this router (which is configured with a large number of dialer map statements for each site)
    The 7206 connects to a PIX515E firewall. The ADSL connected sites connect over the public internet using IPSEC with the tunnels terminating on the PIX.
    The 7206 router contains static routes for the ADSL connected sites, pointing to the firewall.
    At the remote sites, we have a Cisco 837 router for the ADSL connection.
    This is connected (via ethernet) to the router we want to use for ISDN backup - a Cisco 800. The 837 and 800 are configured with HSRP.
    However, at the moment, if the 837 or the ADSL link was to go down, there would be no means to connect to the central site. How can we configure this to use the 2nd router for ISDN backup, given our set-up?
    Any suggestions would be greatly appreciated!
    (incidentally, I have only recently joined this company and have taken this over, without any information to go on as to why things are set up as they are !)

    Hello again,
    I think you can pretty much ignore my last message. I've done a bit more digging and I think I have a better idea of what you mean now!
    Lets see if I've got this about right. To recap:
    I need to set up a GRE tunnel between the remote site and 7206 router at head office, which in turn would be using IPSEC tunnel between remote router and PIX.
    So, steps required:
    1) set up IPSec tunnel to the PIX (this is the way it is already currently configured - am I right in thinking no further configuration would be required as far as the PIX is concerned, for the new set-up?)
    2) set up GRE tunnel between remote ADSL router and 7206 - requires tunnel interface on both router with start point and end point configured. Use GRE keepalive to enable the line protocol to be brought down if the far end cannot be reached.
    3) Add static routes on ADSL router to reach head office network via tunnel interface
    4) Add static route on 7206 router to reach remote network via tunnel interface
    5) Configure ISDN map statement on 7206 mapping remote network to ISDN number
    6) Configure "floating" static routes on 7206 to use ISDN to reach remote network
    7) Configure HSRP on ADSL and ISDN routers with tracking of tunnel interface. If tunnel interface goes down, then ISDN router takes over as active.
    8) Configure static routes on ISDN router to point to head office network using BRI0 interface.
    So, under normal operation, traffic between head office and remote office will be routed across the GRE tunnel using the ADSL link.
    If the ADSL link was to go down then the GRE tunnel would also go down. So, the 7206 would then use the floating static routes to reach the remote network via the ISDN connection.
    The ISDN router would take over as active at the remote site since the tunnel interface would have gone down, forcing the HSRP to failover.
    Does that all sound about right? Is there anything I've missed?
    I'll start trying to put some configurations together when I get the chance - but, if it's ok, I'll probably run these past you too, just to make sure they seem correct!
    Thanks,
    Neil

  • PIX Firewall 525 can not start

    Hi,
    Today my colleague added 2 lines of access-list to our PIX 525. After 10 minutes, my firewall rebooted and until now can't start. The booting process is listed below.
    The questions are :
    1. What is my OS version? Flash?
    2. How to remove those 2 lines (reset the config to default)?
    3. How to solve the issue?
    Thanks,
    Andy
    Booting process
    ================
    Rebooting..þ
    Wait.....
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  00  00   8086   7192  Host Bridge
    00  07  00   8086   7110  ISA Bridge
    00  07  01   8086   7111  IDE Controller
    00  07  02   8086   7112  Serial Bus         9
    00  07  03   8086   7113  PCI Bridge
    00  0D  00   8086   1209  Ethernet           11
    00  0E  00   8086   1209  Ethernet           10
    Cisco Secure PIX Firewall Embedded BIOS Version 4.3
    Wait...ndeavor Board, Boot Block BIOS
    +------------------------------------------------------------------------------+
    |          System BIOS Configuration, (C) 2000 General Software, Inc.          |
    +---------------------------------------+--------------------------------------+
    | System CPU           : Pentium III    | Low Memory           : 638KB         |
    | Coprocessor          : Enabled        | Extended Memory      : 255MB         |
    | Embedded BIOS Date   : 08/25/00       | Serial Ports 1-2     : 03F8 02F8     |
    +---------------------------------------+--------------------------------------+
    Cisco Secure PIX Firewall BIOS (4.0) #39: Tue Nov 28 18:44:51 PST 2000
    Platform PIX-525
    System Flash=E28F128J3 @ 0xfff00000
    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Reading 1528320 bytes of image from flash.
    256MB RAM
    System Flash=E28F128J3 @ 0xfff00000
    BIOS Flash=am29f400b @ 0xd8000
    mcwa i82559 Ethernet at irq 11  MAC: 0006.5336.8129
    mcwa i82559 Ethernet at irq 10  MAC: 0006.5336.8128
                                   ||        ||
                                   ||        ||
                                  ||||      ||||
                              ..:||||||:..:||||||:..
                             c i s c o S y s t e m s
                            Private Internet eXchange
                            Cisco PIX Firewall
    Cisco PIX Firewall Version 6.2(1)
    Licensed Features:
    Failover:           Enabled
    VPN-DES:            Enabled
    VPN-3DES:           Disabled
    Maximum Interfaces: 8
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       Unlimited
    Throughput:         Unlimited
    IKE peers:          Unlimited
    An internal error occurred.  Specifically, a programming assertion was
    violated.  Copy the error message exactly as it appears, and get the
    output of the show version command and the contents of the configuration
    file.  Then call your technical support representative.
    assertion "addr < sfmm_chip_size" failed: file "sfmm.c", line 254
    No thread name
    Traceback:
    0: 802decd5
    1: 8007a8ce
    2: 800769bb
    3: 80078223
    4: 8007635e
    5: 800017d5
    6: 800758ab
    7: 80120ed6
        vector 0x00000003 (breakpoint)
           edi 0x8007a887
           esi 0x000000fe
           ebp 0x7ffffcb8
           esp 0x7ffffcac
           ebx 0x8007a5a3
           edx 0x000003fd
           ecx 0x0000000a
           eax 0x00000042
    error code n/a
           eip 0x802dffac
            cs 0x00000008
        eflags 0x00000046
           CR2 0x00000000
    Stack dump: base:0x7ffffc2c size:64, active:64
    0x7ffffd2c: 0x00020000
    0x7ffffd28: 0x807f2828
    0x7ffffd24: 0xfffe0000
    0x7ffffd20: 0x00000300
    0x7ffffd1c: 0x800769bb
    0x7ffffd18: 0x7ffffd48
    0x7ffffd14: 0x00000001
    0x7ffffd10: 0x00000002
    0x7ffffd0c: 0x800762f4
    0x7ffffd08: 0x804a849c
    0x7ffffd04: 0x00000020
    0x7ffffd00: 0x805100c0
    0x7ffffcfc: 0x7ffffd48
    0x7ffffcf8: 0x8007a887
    0x7ffffcf4: 0x000000fe
    0x7ffffcf0: 0x8007a5a3
    0x7ffffcec: 0x8007a8ce
    0x7ffffce8: 0x7ffffd18
    0x7ffffce4: 0x80317cd4
    0x7ffffce0: 0xffffffff
    0x7ffffcdc: 0x80078163
    0x7ffffcd8: 0x807f2828
    0x7ffffcd4: 0xfffe0000
    0x7ffffcd0: 0x805100c0
    0x7ffffccc: 0x000000fe
    0x7ffffcc8: 0x8007a5a3
    0x7ffffcc4: 0x8007a887
    0x7ffffcc0: 0x802dec68
    0x7ffffcbc: 0x802decd5
    0x7ffffcb8: 0x7ffffce8
    0x7ffffcb4: 0x00000046
    0x7ffffcb0: 0x00000008
    0x7ffffcac: 0x802dffac *
    0x7ffffca8: 0x00000042
    0x7ffffca4: 0x0000000a
    0x7ffffca0: 0x000003fd
    0x7ffffc9c: 0x8007a5a3
    0x7ffffc98: 0x7ffffcac
    0x7ffffc94: 0x7ffffcb8
    0x7ffffc90: 0x000000fe
    0x7ffffc8c: 0x8007a887
    0x7ffffc88: 0x00000003
    0x7ffffc84: 0x80004779
    0x7ffffc80: 0x7ffffcb8
    0x7ffffc7c: 0x802c4deb
    0x7ffffc78: 0x7ffffc98
    0x7ffffc74: 0x7ffffd48
    0x7ffffc70: 0x00000001
    0x7ffffc6c: 0x000000fe
    0x7ffffc68: 0x8007a5a3
    0x7ffffc64: 0x7ffffd48
    0x7ffffc60: 0x80120ed6
    0x7ffffc5c: 0x00000007
    0x7ffffc58: 0x7ffffcac
    0x7ffffc54: 0x80002d70
    0x7ffffc50: 0x7ffffc80
    0x7ffffc4c: 0x7ffffcac
    0x7ffffc48: 0x80002ab0
    0x7ffffc44: 0x00000040
    0x7ffffc40: 0x7ffffc80
    0x7ffffc3c: 0x74656720
    0x7ffffc38: 0x7ffffe28
    0x7ffffc34: 0x2c737261
    0x7ffffc30: 0x8007a887
    Nested traceback attempted via interrupt.
    Traceback output aborted.
    Rebooting..þ

    Urgent help!!!

  • Oracle 8i through CISCO PIX Firewall

    HI all,
    I need some help here with a CISCO PIX Firewall 506e series. The ORACLE Server 8i on Windows NT 4 is placed at the inside interface of the PIX Firewall.
    The Firewall has been configured to allow all ports to come from the outside interface (this is where the Oracle client resides). When the client from outside tries the Oracle client application (where the login prompt for username and password is) and presses enter, the error message is
    =============================
    oracle error con 440
    unable to make connection oracle - 12514 tns.couldn't resolve service name
    the menu was not connectable with oracle. a menu is ended
    ==============================
    Many thanks for PIX and Oracle config.
    HATO

    Varun,
    Thank you for your help.
    I have one quick question, this pix is not in failover, it is standalone but it has Unrestricted license. It only has 64Mb of Ram. Will I have any problems based on your link recommendation?
    Memory Requirements:
    If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses
    What is the difference between the restricted Licenses and the Unrestricted Licenses?
    Thanks!

  • Problem with VPN Client and PIX 7.0(5)

    Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX
    following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
    and I can establish a VPN using the CISCO VPN Client, but I can't reach any resource from my inside network or any network defined in the PIX.
    I think that could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.
    This is the configuration I applied:
    access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
    access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit ip any any
    access-list acl-vpn-sap-remoto extended permit icmp any any
    ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
    nat (inside) 0 access-list cryptomap-scada
    group-policy VPN_SAP_PED internal
    group-policy VPN_SAP_PED attributes
    vpn-filter value acl-vpn-sap-remoto
    vpn-tunnel-protocol IPSec
    username vpnuser password **** encrypted
    username vpnuser attributes
    vpn-group-policy VPN_SAP_PED
    crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
    crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
    crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
    crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption 3des
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 43200
    tunnel-group VPN_SAP_PED type ipsec-ra
    tunnel-group VPN_SAP_PED general-attributes
    address-pool pool_vpn_sap
    default-group-policy VPN_SAP_PED
    tunnel-group VPN_SAP_PED ipsec-attributes
    pre-shared-key clavevpnsap
    Thanks in Advanced

    Hi, thanks for your response. If I remove the ACL from the vpn-filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
    PIX-Principal(config)# show running-config nat
    nat (inside) 0 access-list cryptomap-scada
    nat (inside) 9 JOsorioPC 255.255.255.255
    nat (inside) 9 GColinaPC 255.255.255.255
    nat (inside) 9 AlfonsoPC 255.255.255.255
    nat (inside) 9 AngelPC 255.255.255.255
    nat (inside) 9 JerryPC 255.255.255.255
    nat (inside) 9 EstebanPC 255.255.255.255
    nat (inside) 9 GiancarloPC 255.255.255.255
    nat (inside) 9 WilliamsPC 255.255.255.255
    nat (inside) 9 PerniaPC 255.255.255.255
    nat (inside) 9 ElvisDomPC 255.255.255.255
    nat (inside) 8 LBermudezPC 255.255.255.255
    nat (inside) 9 HelpDeskPC 255.255.255.255
    nat (inside) 9 OscarOPC 255.255.255.255
    nat (inside) 9 AnaPC 255.255.255.255
    nat (inside) 9 RobertoPC 255.255.255.255
    nat (inside) 9 MarthaPC 255.255.255.255
    nat (inside) 9 NOCPc5-I 255.255.255.255
    nat (inside) 9 NOCPc6-I 255.255.255.255
    nat (inside) 9 CiraPC 255.255.255.255
    nat (inside) 9 JaimePC 255.255.255.255
    nat (inside) 9 EugemarPC 255.255.255.255
    nat (inside) 9 JosePC 255.255.255.255
    nat (inside) 9 RixioPC 255.255.255.255
    nat (inside) 9 DaniellePC 255.255.255.255
    nat (inside) 9 NorimarPC 255.255.255.255
    nat (inside) 9 NNavaPC 255.255.255.255
    nat (inside) 8 ManriquePC 255.255.255.255
    nat (inside) 8 MarcialPC 255.255.255.255
    nat (inside) 8 JAlbornozPC 255.255.255.255
    nat (inside) 9 GUrdanetaPC 255.255.255.255
    nat (inside) 9 RVegaPC 255.255.255.255
    nat (inside) 9 LLabarcaPC 255.255.255.255
    nat (inside) 9 Torondoy-I 255.255.255.255
    nat (inside) 9 Escuque-I 255.255.255.255
    nat (inside) 9 Turbio-I 255.255.255.255
    nat (inside) 9 JoseMora 255.255.255.255
    nat (inside) 8 San-Juan-I 255.255.255.255
    nat (inside) 8 Router7507 255.255.255.255
    nat (inside) 8 NOCPc4-I 255.255.255.255
    nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255

  • ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

    Hi community,
    I configured IPSec remote access VPN on the ASA, and remote clients use the Cisco VPN client to connect to HQ. The VPN is working now: VPN clients can connect to servers inside and to IT's subnet, but from my PC or servers inside the LAN I cannot ping or initiate an RDP session to connected VPN clients. Below is my configuration:
    object-group network RemoteVPN_LocalNet
     network-object 172.29.168.0 255.255.255.0
     network-object 172.29.169.0 255.255.255.0
     network-object 172.29.173.0 255.255.255.128
     network-object 172.29.172.0 255.255.255.0
    access-list Split_Tunnel remark The Corporation network behind ASA
    access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
    ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
    nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dyn1 1 set ikev1 transform-set myset
    crypto map mymap 65000 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    tunnel-group remotevpngroup type remote-access
    tunnel-group remotevpngroup general-attributes
     address-pool remotevpnpool
     authentication-server-group MS_LDAP LOCAL
     default-group-policy Split_Tunnel_Policy
    I don't know what I am missing in order to have the internal LANs initiate connections to connected VPN clients. Please guide me.
    Thanks in advance.

    Hi tranminhc,
    Step 1: Create an object.
    object network vpn_clients
     subnet 10.88.61.0 mask 255.255.255.0
    Step 2: Create a standard ACL.
    access-list my-split standard permit 172.29.168.0 255.255.255.0
    access-list my-split standard permit 172.29.169.0 255.255.255.0
    access-list my-split standard permit 172.29.173.0 255.255.255.128
    access-list my-split standard permit 172.29.172.0 255.255.255.0
    Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
    no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
    Step 4: Create new nat exemption.
    nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
    Step 5: Apply ACL on the tunnel.
    group-policy Split_Tunnel_Policy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value my-split
    Step 6:
    I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
    Please add a default or add static route as shown below.
    route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
    xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
    Hope this helps.
    Thanks
    Rizwan Rafeek
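The core of Rizwan's answer is that the twice-NAT exemption must pair the real internal networks with an object that actually covers the VPN address pool, and that both names in the statement must be defined objects. The following added example (my code, not the thread's or Cisco's) is a small checker that parses the relevant lines of an ASA configuration and reports those two problems, run over the configuration as posted and over the corrected one. It assumes the poster's object names and addresses; the parser only understands `object network`/`subnet`, `object-group network`/`network-object`, `ip local pool` and `nat ... source static ... destination static ...` lines.

```python
"""Check that an ASA remote-access pool is covered by an identity (exemption) NAT.

Added example. Sample configurations below are constructed from the thread's
object names; the parser covers only the line types needed for this check.
"""
import ipaddress
import re


def parse_asa(config: str) -> dict:
    objects: dict[str, list[ipaddress.IPv4Network]] = {}
    pools: dict[str, tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    nats: list[tuple[str, str, str, str]] = []
    current = None   # object or object-group currently being filled
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith((":", "!")):
            continue
        if m := re.fullmatch(r"object(?:-group)? network (\S+)", s):
            current = objects.setdefault(m[1], [])
        elif (m := re.fullmatch(r"(?:subnet|network-object) (\S+) (\S+)", s)) and current is not None:
            current.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif (m := re.fullmatch(r"(?:host|network-object host) (\S+)", s)) and current is not None:
            current.append(ipaddress.ip_network(f"{m[1]}/32"))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", s):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            current = None
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", s):
            nats.append(m.groups())
            current = None
        elif not raw.startswith(" "):
            current = None   # any other top-level command ends the object block
    return {"objects": objects, "pools": pools, "nats": nats}


def check_vpn_exemption(config: str, pool_name: str) -> list[str]:
    """Return findings (empty list = the pool is exempted from NAT towards the inside)."""
    cfg = parse_asa(config)
    findings: list[str] = []
    if pool_name not in cfg["pools"]:
        return [f"pool {pool_name} is not defined"]
    first, last = cfg["pools"][pool_name]
    covered = False
    for src_real, src_mapped, dst_real, dst_mapped in cfg["nats"]:
        if src_real != src_mapped or dst_real != dst_mapped:
            continue   # a translating rule, not an exemption
        undefined = [n for n in (src_real, dst_real) if n not in cfg["objects"]]
        for name in undefined:
            findings.append(f"nat references undefined object {name}")
        if undefined:
            continue
        if any(first in net and last in net for net in cfg["objects"][dst_real]):
            covered = True
    if not covered:
        findings.append(f"no identity NAT covers pool {pool_name} ({first}-{last})")
    return findings


# Constructed from the thread: the posted configuration (Allow_Go_Internet is never
# defined in the snippet, and remotevpnpool is a pool name, not an object).
POSTED = """\
object-group network RemoteVPN_LocalNet
 network-object 172.29.168.0 255.255.255.0
 network-object 172.29.169.0 255.255.255.0
 network-object 172.29.173.0 255.255.255.128
 network-object 172.29.172.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
"""

# The same configuration after steps 1, 3 and 4 of the answer.
FIXED = """\
object-group network RemoteVPN_LocalNet
 network-object 172.29.168.0 255.255.255.0
 network-object 172.29.169.0 255.255.255.0
 network-object 172.29.173.0 255.255.255.128
 network-object 172.29.172.0 255.255.255.0
object network vpn_clients
 subnet 10.88.61.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_vpn_exemption(cfg, "remotevpnpool") or ["OK"])
```

The checker deliberately treats a non-identity rule (`source static A B`) as irrelevant: a translation in the inside-to-VPN direction is exactly what breaks return traffic to the clients, so only true identity pairs count as exemptions.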

  • How do I set up my very first VPN using a BT Home ...

    Greetings!
    I would like to set up a VPN via my BT Home Hub.
    I've already set up a Windows 7 VPN server on my PC, and I can connect my Android devices successfully using my domestic wireless connection through the hub.
    Now I want to be able to connect to my VPN using any internet connection, anywhere.
    I'd like to find out what settings I need to set on my hub, and what settings I need to set on the Android device. I'm assuming – perhaps overoptimistically – that I won't need to do anything more with my Windows 7 VPN server.
    What I need to do on the hub is a complete mystery to me. Presumably I need to tell it to send VPN traffic straight to my PC, but I've no idea how to do this.
    As I've managed to connect my Android devices to the Windows VPN server this aspect of the process seems less mysterious to me. Presumably I need to tell them (the Android devices) the IP address of my hub (which, while it isn't technically static, is more than static enough for my needs). And presumably, if my hub has been persuaded to route VPN traffic to my PC, I can use the Windows account name and password to make the connection.
    If anyone can point me in the direction I need to go, or point me at where my questions have already been answered, I would be most grateful. I see a lot of VPN threads here, but they all seem to be about difficulties encountered on existing setups. I need to know how to create an existing setup first: then I'll know if I have issues that require further attention.
    Cheers!

    "You will need to set port forwarding on your home hub so that the incoming VPN connection is forwarded to the IP address of your PC. Your VPN range you have set on Windows 7, must not be on the same subnet as the home hub.
    If it's using a standard VPN port, then there may already be a pre-defined application within the home hub that you can use, depending on which version of the home hub you are using. If not, then you will have to define one yourself.
    I think it's port 1723 for Windows VPN."
    Thanks, Keith.
    Unfortunately my ignorance exceeds your expectations, so I have to ask more questions…
    How do I specify the incoming VPN connection in my home hub?
    What is the VPN range I must set on Windows 7, and how do I ensure it's not on the same subnet as my home hub? Is this something to do with the incoming IP addresses assignment settings for the TCP/IPv4 network component of the Windows 7 Incoming Connections' properties?
    How can I tell if "it" is using a standard VPN port? And does "it" refer to my home hub, my Windows Incoming Connection, or my Android device?
    When it comes to defining an application myself, how do I determine what port range needs to be translated, how do I determine what (port range?) it needs to be translated to, and how do I determine what the trigger port needs to be?
    Thanks.

  • Terminal Commands for Internet Connect VPN?

    I could maybe do this as an applescript but I'm hoping there are terminal commands which I can incorporate into an rsync script...
    I need to open a PPTP VPN connection on a computer (Internet Connect VPN client, 10.4.8) , to connect to VPN services on OS X Server (10.4.8). The configuration works fine but really needs manual intervention at times. I would like to just script the equivalent of hitting the 'connect' button, so this can be run by cron.
    Any ideas or links?
    Ta.
    -david

    I did repair permissions with disk Utility and I used Onyx to delete the various caches, but that didn't work.
    Everything is functioning. The problem isn't on the VPN server side, because I can log into the VPN on my Powerbook and the status shows correctly. There's definitely something going on with my G5.
    This isn't a really huge deal, but it would be nice if the status indicated that I'm connected when I'm connected.

  • How to add new group entry in Cisco Vpn using powershell

    I am working on a PowerShell script to connect to Cisco VPN using PowerShell. I am able to connect to the VPN but not sure how to add a new group to the VPN. I am using the following script:

    $vpn_profile = 'Test'
    $username = 'TestUser'
    $userPassword = ConvertTo-SecureString -String "Password" -AsPlainText -Force
    $credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $userPassword
    $password = $credentials.GetNetworkCredential().Password
    Set-Location 'c:\Program Files (x86)\Cisco Systems\VPN Client'
    .\vpnclient.exe connect $vpn_profile user $username pwd $password
    Write-Host "You Are Connected"
    cd "C:\"

    Have you entered .\vpnclient.exe /? to see if it will return information about other switches you can use with this executable? Other than connect, I was able to track down a few without actually having the executable (http://www.scribd.com/doc/40108893/Cisco-VPN-Client-Command-Line).
    That said, I do not believe that there is a switch that will help you create a connection. These are either done manually through the GUI, or can likely be added by supplying a properly formatted file in the proper place.
    If you're using the version of the Cisco VPN client I think you are, then your connection settings, or profiles, are stored in individual .pcf files somewhere on your computer (likely in the Cisco directory). These are simple, text-based files. Find one on your computer, save it with another name, and then modify it manually. If you really want to use PowerShell, then use this opportunity to learn how to create and edit basic text files using PowerShell. If you have a standard connection file, then you can put that file onto remote computers any number of ways. If a .pcf file exists in the proper place when the VPN client is opened, then it likely will not prompt for a new connection.
    Update: Added more info; clarified
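    One way to script what the answer above describes (copy an existing .pcf, change the group and host, put it in place, then connect with the vpnclient.exe syntax from the question). This is an added example, not the poster's script or Cisco's own code; the Profiles subfolder, the .pcf key names and the client's handling of a blank group password are assumptions to check against a profile on your own machine.

```powershell
# Added example, not code from the thread: clone an existing .pcf profile into a new
# profile with a different host and group, then connect with the vpnclient.exe
# syntax used above. Assumptions: .pcf files live in the Profiles subfolder and use
# the INI keys Description/Host/GroupName/GroupPwd/enc_GroupPwd; check one of yours.
$clientDir  = 'C:\Program Files (x86)\Cisco Systems\VPN Client'
$profileDir = Join-Path $clientDir 'Profiles'

function New-VpnProfileFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $Template,   # existing profile, e.g. 'Test'
        [Parameter(Mandatory)] [string] $Name,       # new profile, written as <Name>.pcf
        [Parameter(Mandatory)] [string] $VpnHost,    # concentrator address for the new entry
        [Parameter(Mandatory)] [string] $GroupName   # the new group entry
    )
    $src = Join-Path $profileDir "$Template.pcf"
    $dst = Join-Path $profileDir "$Name.pcf"
    if (-not (Test-Path $src)) { throw "Template profile not found: $src" }
    if (Test-Path $dst)        { throw "Profile already exists: $dst" }

    # A .pcf is plain INI-style text: rewrite only the keys that differ and
    # keep every other line exactly as the template had it.
    $lines = Get-Content $src | ForEach-Object {
        switch -Regex ($_) {
            '^Description='  { "Description=$Name" }
            '^Host='         { "Host=$VpnHost" }
            '^GroupName='    { "GroupName=$GroupName" }
            '^GroupPwd='     { 'GroupPwd=' }       # never copy the old group's secret
            '^enc_GroupPwd=' { 'enc_GroupPwd=' }   # into the new profile
            default          { $_ }
        }
    }
    # Plain ASCII, no BOM: the client reads the file as simple text
    Set-Content -Path $dst -Value $lines -Encoding Ascii
    return $dst
}

function Connect-CiscoVpn {
    param([Parameter(Mandatory)] [string] $ProfileName)
    # Prompt for the user credential instead of embedding a password in the script
    $cred  = Get-Credential -Message "Credentials for VPN profile $ProfileName"
    $plain = $cred.GetNetworkCredential().Password
    Push-Location $clientDir
    try     { & .\vpnclient.exe connect $ProfileName user $cred.UserName pwd $plain }
    finally { Pop-Location }
}

# Usage with constructed values; the new group's password is then entered once
# through the client's profile editor (assumption about the client's behaviour).
# New-VpnProfileFromTemplate -Template 'Test' -Name 'Eng' -VpnHost 'vpn.example.com' -GroupName 'eng'
# Connect-CiscoVpn -ProfileName 'Eng'
```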
