DMVPN with backhauled internet traffic to central site

Using DMVPN, but backhauling internet traffic over DMVPN to central site for monitoring, etc.  This unfortunately has the side effect of breaking spoke to spoke dynamic tunnels.  Anyone know a workaround?

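For this scenario you can put your internet link into a different VRF. The differences from a "normal" DMVPN config are the following:
! define the VRF that holds the ISP-facing interface
ip vrf PUBLIC
interface GigabitEthernet 0/0
 description Connection to ISP
 ! place the ISP interface into the VRF
 ip vrf forwarding PUBLIC
interface Tunnel1
 description Tunnel to Hub
 ! resolve the tunnel endpoints in the VRF, not in the global table
 tunnel vrf PUBLIC
! default route for the tunnel transport, in the VRF only
ip route vrf PUBLIC 0.0.0.0 0.0.0.0 GigabitEthernet 0/0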
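
A fuller spoke configuration for the separate-VRF approach in the answer above, as an added example that is not part of the original post. It shows the two default routes side by side: one in the VRF for the tunnel transport, one in the global table for backhauled user traffic. The addresses (documentation ranges), the RD, the crypto names, the key placeholder, the LAN interface and the Phase 3 `ip nhrp shortcut` setting are assumptions.

```cisco
! --- Added example, constructed values throughout ---
! VRF that holds only the ISP-facing side (the "front door")
ip vrf PUBLIC
 rd 65000:1
!
! The pre-shared key must be looked up in the VRF where the peers live,
! so the keyring is bound to PUBLIC (placeholder key, replace it)
crypto keyring DMVPN-KEYS vrf PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PLACEHOLDER-PSK>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ISP interface: lives in PUBLIC, invisible to the global routing table
interface GigabitEthernet0/0
 description Connection to ISP
 ip vrf forwarding PUBLIC
 ip address 198.51.100.2 255.255.255.252
!
! LAN interface: stays in the global table (assumed interface and subnet)
interface GigabitEthernet0/1
 description Spoke LAN
 ip address 10.1.11.1 255.255.255.0
!
! Tunnel interface: overlay address is in the global table,
! but the GRE/IPsec packets are routed using VRF PUBLIC
interface Tunnel1
 description Tunnel to Hub
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ! Phase 3 assumed: the hub must run "ip nhrp redirect"
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf PUBLIC
 tunnel protection ipsec profile DMVPN-PROF
!
! Transport default: how encrypted packets reach the hub AND other spokes
ip route vrf PUBLIC 0.0.0.0 0.0.0.0 198.51.100.1
!
! User-traffic default: everything from the LAN is backhauled to the hub
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! Checks after applying:
!   show ip route vrf PUBLIC   -> default via the ISP next hop only
!   show ip route              -> default via 10.255.0.1 (Tunnel1)
!   show dmvpn                 -> dynamic spoke entries appear on demand
!   show ip nhrp               -> spoke NBMA addresses resolved
```

Because the global table has no route to any public address except through the tunnel, LAN hosts cannot reach the internet directly if the tunnel is down; traffic fails closed rather than bypassing the central monitoring point.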

Similar Messages

  • Understanding 5505 firewall-site to site and internet traffic

    Hi,
    My question is multi-faceted. I apologize for the lengthy intro here but I think the info is necessary to understand where I am headed in this.
    I am new to the cisco 5505. I have had very limited exposure to a 5510 that was preset. I have managed to make modifications to it here and there, but don't completely understand how it was put together. I learn by watching, listening, and gleaning what I can from others. I have had no formal training in CLI, but I have learned some of the commands. I know enough to be dangerous, but I respect my limitations.
    That being said, I have been charged with setting up a 5505 at a remote site. I need to accomplish several things.  Our ultimate goal is to use this device as a site to site with the 5510 at the corporate office. However, I need to accomplish this in baby steps, test, test real users and then maybe convert in full. Where I could outsource this in its entirety, that would preclude me from learning so I can address this in the future on my own.
    We need to have this in place by the end of February 2013.
    Currently the remote site is connected via a very slow (by today's standards) T1 line on a MPLS. Stable. Works, but slow. All internet traffic as well as work traffic is routed through that connection. We have added a 50mb cable connection (with static ips) to the office. First we want to set up the 5505 so that it can be used as follows:
    1, Internet traffic can be routed out through this device and all other "work" traffic routed through the MPLS.
    2, Test using this connection as a route out to the internet AND use it as a site to site VPN connection to the home office. (or anyconnect vpn)
              I need to be able to have users in both environments. IE, some still using step 1 and some starting to use and test step 2.
    3, long term, use this as the main connection per number 2, but add the IP address so that if the cable connection drops, the office can access internet via the VoIP T1 line as a life line.
    In all cases, I don't want internet going through the home office as it currently is traveling.
    I have done a lot of searching but so far have come up empty with answers.
    Question 1:     (This one probably shows my ignorance the worst) - in using the 5505 firewall, will it segregate normal internet traffic from the VPN traffic when used by the workstation? Using the Gui, I didn't see where this was necessarily happening. Do I need to use CLI language (and what) to make this happen? Or is that a basic function that happens during the setup of the firewall using the GUI. Do I need to do some sort of "split tunneling"?
    Question 2:     Do I use this device as the Default gateway for both step 1 and 2/3) for normal use and then change the gateway on the Pcs to the VoIP network during emergency use,(that would bypass the firewall though or is there a way to have it route to that router if there is no connection through the Outside port? Or as long as I have some access to the device, can I make a change remotely to help accomplish this failsafe?
    Question 3:     We have 25 Anyconnect VPN licenses. Should we use these and not the Static site to site, if so, why or why not? They don't need to be used at all.
    Question 4:     In setting up the VoIP line for backup, would using that on the "DMZ" connection help in making this viable so that the device could still ultimately control the internet traffic?
    Question 5:     In setting up the VPN connections, unless I am getting the two methods confused, I will need the 5505 to hand out IP addresses for the vpn connection. I see in using a class c schema that I can use 92.168.0.0 to 192.168.255.0. So for instance, I could use 101.1.20.0 for the inside network Vpn addresses?? I need to stay away from 192.168.0.0 networks as we use that in our normal structure.
    Reasons for setting this up:
    Slow speeds over the T1.
    Increasing demand for Skype, Video conferencing etc that the T1 pipe couldn't adequately handle
    Lack of backup pathways for downed connections (i.e., backhoe chopping through wire at a construction site).
    I read through the Getting started guides on both the 5510 and the 5505 and feel I can likely get the site to site setup (I have a list of all the IP addresses I need for inside networks and outside networks etc.).
    additional notes:
    I have to email ATT anytime I want a change made on the MPLS router, so doing as little to that as possible would be good.
    I will be onsite for testing at the end of February and will have direct access to the home office via other methods to work on the asa5510 if any additional work needs to be done on it once I am onsite.
    Thanks for taking the time to read through all of this. please forgive my lack of knowledge...
    Dave

    Thanks for getting back to me and so quickly!
    1) I am not sure if I understand the “ACL” portion of your question, but this is how I want to access info via the VPN tunnel:
    192.168.D.0 inside(NJ) to outside 5505 - 12.175.X.X to outside 5510 - 12.200.X.X to inside network (HQ)192.168.X.0. Routes are needed to find subnets 192.168.A.0, 192.168.B.0 and 192.168.C.0. The default gateway to those subnets right now is: 192.168.X.XX4 inside of HQ. This would be so that the NJ office could find resources of the other offices if needed. This will change as we wean off the MPLS. Inside the ASA 5505, the IP addresses are 192.168.D.0 for data, 10.X.X.0 for the Phone system. All other traffic would be sent out through the internet. Phone system uses the XOcomm connection to route phone traffic.
    2) I did some reading on SLA. Thanks for pointing that out. For purposes of learning here, I am showing this as 12.175.XXX.XXX for Comcast and 12.200.XXX.XXX for XO comm.
    4) I guess I would use an Outside 2 as that makes sense, in description, I would label them “ComCast” for outside 1 and “XOcomm” for outside 2.
    5) I am still not sure I understand this part. Are additional IP addresses needed for the Site to site VPN to talk to the local hosts, or will it use the IP addresses assigned by the local server?
    Next Steps
    1-         Configure the ASA5510 for the 5505 connection
    2-         Configure the ASA5505 for the 5510 connection
    3-         Configure SLA for Comcast and XOcomm outside connections
    4-         For this I need help….I think this is from step 1, but I need help to configure the internet to be segregated via my question from #1. Have I given enough information to do so? Please advise on ACL entries, and route statements needed so that NJ can talk to all the offices when using this connection, not just the Headquarters.
    Thanks
    dave

  • Central Site Internet Connectivity for MPLS VPN User

    What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

    Hello,
    Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
    Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
    One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
    Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
    The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
    Kind Regards,
    M.

  • How can I route internet traffic over IPSec point to point?

    I have a remote site that connects by IPSEC with the end points on a router and ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an IPrism behind the firewall to filter web access so it seems like I need to point the remote site's default gateway to my routing device that's behind my IPrism?
    Also, currently the outside interface on the remote site's router does not have an ACL applied, can someone suggest what that ACL should look like? Thank you for your help! Here is a sample configuration of the remote site's router:
    crypto isakmp policy 20
    (encryption parameters here)
    crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
    crypto ipsec transform-set remotesite (encryption parameters here)
    crypto ipsec df-bit clear
    crypto map Mainsite 1 ipsec-isakmp
     set peer x.x.x.x (Public ASA IP)
     set transform-set remotesite
     match address 100
    interface FastEthernet0/0
     description $ETH-LAN$
     ip address 10.1.1.1 255.255.0.0
     ip nbar protocol-discovery
    interface FastEthernet0/1
     description ISP Interface
     ip address x.x.x.x (public IP) 255.255.255.0
     crypto map Mainsite
     crypto ipsec df-bit clear
    ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway)
    access-list 100 remark Access list Mainsite Access
    access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
    and other various headquarter networks...

    Hi Mark, you can modify your crypto acl to permit any any on your remote site which will make all traffic go through the tunnel. Then on ASA you need to do hairpinning on the outside interface. This will make users on remote site access internet via HQ. But if you do it this way the internet traffic goes straight to internet without being filtered by your iPrism.
    What I am not sure about is if there is a way to do it if you want that traffic to be filtered by the iPrism before going out to internet.
    HTH

  • Mountain Lion Server VPN unable to route internet traffic

    Hi! I have set up a VPN server on my home network specifically so that I could connect via a VPN client remotely and tunnel all internet traffic through my home network (It is a long story but I need to be able to access services that are specific to my home IP . . . ) I have been tearing my hair out trying to get it work but can not. The VPN connection happens OK and I can set up the remote client to send all traffic via VPN but any internet traffic just times out . . . In other words I can not get the server to share my home network via the VPN connection.

    Hi and thanks for taking the time to answer.
    As I am sure you have guessed I don't have much experience or knowledge with this. So I will try to clarify what I am trying to do.
    I do not need a VPN server for the conventional reasons of being able to access a private network (i.e my home network) remotely, although this is a nice additional benefit. I need the VPN server so that I can log in remotely (when I am using my mobile broadband or when I am overseas for example) and make it look like the machine I am using is on my home network.
    The reason for this is that I have access to web services that are IP specific. That is I can ONLY log in if I am logging in from my registered home IP (which is static for this exact reason).
    I have been told on similar support sites that if I route ALL traffic through the VPN, then when I use my browser on the remote machine all web traffic will go through the VPN as well and it will look like the traffic is coming from the subnet of my home IP.
    I guess in other words I am trying to use my VPN as an "anonymous" proxy (anonymous in the sense that although the traffic is coming from somewhere else, it still looks like it is coming from my home IP).
    I know this will cripple the speed due to the narrow upstream bandwidth but I am willing to pay this price.
    Now as for your questions:
    I have the server set up on a machine on my home subnet and I have enabled VPN port forwarding on the ADSL router.
    I know the connection happens as when I connect the VPN either from my iPhone using 4G or my laptop using my mobile broadband I get the "connecting . . . authenticating . . . connected" messages and when I check in properties it shows it to be connected to my home IP as VPN server and has an IP address that looks like it is on my home subnet.
    By internet traffic timing out I meant web traffic.
    As I mentioned above, I need all web traffic to go through the VPN. So indeed not ALL traffic but definitely ALL web traffic. The only way I could find to do this is to enable the "Send all traffic" option.
    Now I guess the obvious question is why am I not using a proxy. I have tried (and spent ages setting up Squid) but could never get it to "hide" the true origin of the traffic completely.
    Now having written all this, I reinstalled mountain lion and server yesterday (out of sheer frustration rather than anything else) and it seems to work this morning. So if I log in via VPN on my mobile or laptop and use an IP checker on the web it comes up with my home IP : ))
    The only thing I have now noticed is that if the VPN server stops working (which seems to be as soon as the computer I run it on goes to sleep) web traffic reverts to using the normal channels which is potentially problematic for me.
    So my questions now are -
    Any ideas what I was doing wrong in the first place?
    Any suggestions on how I could set this up better?
    Any way to set up the remote device so that it only allows web traffic via VPN (so that if the VPN connection drops, it is unable to use its own internet connection for continuing web traffic)?
    Thanks for any suggestions : )
    Cheers

  • DLSW ER+ at the central site

    The network topology that I have is two MSFCs and two external routers at central site and two MSFCs and two external routers at the remote site.
    DLSW is activated on the external routers. In regards to DLSW+ ER at the central site, only one translational or transparent bridge can be active at a time. Manual intervention is required to cause a router to take over for the other router. Is there any other way to have some means of dlsw redundancy (w/o manual intervention) at the central site (for ethernet environment only)?
    Second, DLSW ER+ cannot be deployed easily at the central site, since you need a lot of dlsw mapping. On the other hand, you also need local SNA PUs to be able and reach the CIP (both located at the central site) but reside on a different broadcast domain. Any ideas?
    Thanks

    Hi,
    on the central side, host end, there are a couple of things you can do.
    The potential solutions mentioned below are in the order that cisco would prefer.
    1.
    The most clean thing to do is to upgrade and configure the mainframe for appn and allow hpr/ip between the host end router and the host.
    You will need to run dlsw/vdlc/snasw in the host end routers to be able to do this.
    It also requires that you have ip connectivity to the mainframe.
    If you do this then the mac address, the remote devices connect to, is configured as a snasw vdlc port in the routers. Both of them are active all the time, the remotes will learn the remote mac address over both peers and as such you have automatic, non manual intervention, redundancy, loadbalancing. The mac addresses in this case only exist in the central router. Nowhere else. The remote device does not know anything about this change.
    Each of the head end dlsw/vdlc/snasw routers will have at least one hpr/ip uplink to the host. This is routed ip traffic into the mainframe.
    In that case you can also define the physical ethernets as snasw ports, do hsrp on it and configure a hsrp mac address, this mac address would then be used as dmac for local clients connecting to the host.
    2.
    If for some reason you can not do the appn/snasw configuration you still have some options.
    If you are using cisco cip's with csna today then you most likely have one path into the mainframe today for each mac address.
    You can configure multiple vlans between the dlsw router and the cip router, i.e. dot1q trunk, and on the cip router you can configure multiple virtual ring groups and more than one csna path statement into the host. At the end you attach each vlan to one of the channel path, configure srtlb for each vlan into a unique vring, and then configure a different adapter number on each of the internal tokenring lans with the same mac address.
    On the dlsw router you can configure multiple bridge groups into dlsw and each of those bridge groups goes to a different vlan. If you do this with two dlsw routers going to the same cip router you then end up with two channel access's and one vlan on each of the dlsw routers. If you do it to two cip routers you need 4 vlans. Just make sure that you don't bridge the vlans together.
    The remotes then learn the remote mac address over both peers and your redundancy is established.
    For the local clients this solution has the draw back that you need to pick a vlan where to connect them. There is no automatic redundancy, like hsrp in the first example, for those.
    3.
    You can enable both dlsw routers towards a single bridge-group and apply a mac address filter inbound to the bridge group only allowing the mac address/es of the hosts as source mac address.
    That way you kill the potential loop on the head end. You will also need to put on as much restrictive filtering as possible to only allow the traffic that is wanted.
    thanks...
    Matthias

  • ASA5510 w/ (2) Internet Connections: Dedicated VPN traffic, Dedicated Internet traffic?

    We have an ASA5510 and we're currently using 1 internet connection to handle our site-to-site VPN connection and our internet traffic. We have a second internet connection on hand. What we would like to do is use BOTH internet connections: (1) will be dedicated to our VPN connection, (1) will be handling all our internet traffic. How can we get this setup? We're running Software Version 8.4(1)

    See below, this discussion will provide guidance as to how to setup your topology.
    https://supportforums.cisco.com/message/3359963#3359963
    Don't forget to rate all posts that are helpful.

  • VPN 3005 - Reroute Internet traffic out local connection

    We have a VPN 3005 concentrator that connects to our backbone switch. We have about 6 sites who have the following subnet:
    site A: 172.16.x.x
    site B: 172.17.x.x (etc)
    When a user is at home, hotel, or directly connected to the Internet and they connect with the VPN client to our network we want all Internet traffic (cnn, google, etc) to route through their local connection and not through our network through our internal Internet connection. How can I setup the VPN Concentrator to allow all internal traffic and reroute all other traffic out their local Internet connection?

    split tunneling needs to be configured on the concentrator.
    firstly, create a network list.
    go configuration>policy management>traffic management>network lists. then put the private lan ip behind concentrator on to the list.
    go configuration>user management>groups>client config
    you will see "split tunneling policy" and "split tunneling network list"
    with option "split tunneling policy", choose "only tunnel networks on the list". with option "split tunneling network list", choose the network list you just created.

  • How to provide internet access for a site collection in SharePoint Foundation 2010

    Hi all,
    I am working on SharePoint Foundation 2010. I have to make a site collection available on internet.
    Only one site collection is to be brought on internet rest of the site collections should not be accessible from outside.
    How do I achieve this. Any help is greatly appreciated.
    Thanks in advance.

    Hello,
    As per my knowledge, you have to create a new Web Application for your site to publish it to the internet. Since internet settings can be done at web application so create new one and then backup your existing site and restore in new web app.
    You can refer below thread for licensing:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/b63b3643-d0c7-45d2-8372-364fda348ed0/sharepoint-foundation-licensing-on-internetfacing-server?forum=sharepointgeneralprevious
    Hemendra:Yesterday is just a memory,Tomorrow we may never see
    Please remember to mark the replies as answers if they help and unmark them if they provide no help

  • SCCM 2012 MP does not monitor anything but the central site

    Hi,
    We've tried implementing the SCCM 2012 MP (5.0.7804.1000) to monitor our SCCM 2012 SP1 setup running on Server 2012 from our SCOM 2012 SP1 setup.
    Everything imports fine and after ~30 minutes the servers are discovered and appears.
    After a while longer the central site and the SDK-service shows up as monitored but the rest of the 5 DPs and all other server roles remain unmonitored even after 3 days.. ..?
    All the agents are set to enable proxy.
    The SCOM servers runs with one service accounts and the agents with different action accounts.
    The SCOM action accounts on the SCCM-servers all run with the same domain service account with administrator-privileges on the SCCM-servers but no permissions within SCCM.
    Does the action account need any specific permissions in the SQL DB or in SCCM? To be part of any specific role?
    Any advice is greatly appreciated :)

    We have resolved this issue, I'm not exactly sure how we resolved it but what I think fixed the problem for us was creating overrides for the object discovery rules contained in the MP. 
    See my blog on our implementation: http://damonjohns.com/2014/07/01/monitoring-configuration-manager-2012-r2-with-the-scom-2012-r2-management-pack/
    My blog contains a screen shot and all the values I changed.
    You may ask why we increased the rate at which the hierarchy discovery rule executed with an override? Well, in part it was due to:
    A. Us having the issue and
    B. I was sick of trying to troubleshoot the event log error that by default only registered every 6 hours.
    After I created the overrides, the MP started discovering data. It wasn't immediate though, it took another 6 hours or so for it to start working correctly. I think what might be happening is that one of the discovery rules is not completing correctly which causes the others to fail - hence no data. I have no idea why shortening the time on the discovery objects made any difference. But...it worked for me.
    Cheers
    Damon

  • How do i change the my sender name that is appearing in my email that's incoming? its correct on my iPhone email and my internet carriers email access site.

    How do i change my sender name that is appearing in my email that's incoming? it's correct on my iPhone email and my internet carriers email access site, but not on my imac email. for instance, when someone else gets my email...it says its from "mike Hoak".  I need it to be me (Karen), not one of my random contacts.  not sure how it even happened.

    Hi karen elizabeth I,
    I understand that you want to change the full name associated with your email account in Mail on OS X. Here is an article that will help you find this setting and adjust it:
    Mail settings you might need from your email provider - Apple Support
    http://support.apple.com/en-is/HT1277
    This setting can be found by going to your Mail Preferences, then the Accounts tab, then selecting your account. Thanks for being a part of the Apple Support Communities!
    Regards,
    Braden

  • How do I get the internet traffic to come to my own server?

    If I'm moving from paying a host for coldfusion to using my own license on my own server, How do I get the internet traffic to come to my own server?

    You connect the computer to a network.  This is pretty much automatically handled by the hardware and the operating system.
    You may want to read up on some of the basics of networking and the tcp/ip world.
    To have a networked computer tell you its IP address type 'ipconfig' at a dos command line.

  • Losing battery from internet traffic all the time

    4 days ago I have bought an iPhone 5
    previous one was an iPhone 4
    my problem is the iPhone 5 all the time spending my internet traffic, but I turned off all the push notification and etc apps which use the internet....
    because of that my iPhone loses battery for 2-3 hours
    HELP ME PLEASE !

    I have another computer connected to this network in another part of the house
    If that is a Windows XP computer make sure it is not trying to do an 802.1x authentication since that will cause those interruptions:
    http://www.efelix.co.uk/tech/1010.html
    Ensure that the Enable IEEE 802.1x authentication for this network check box is not checked.
    Also, upgrading to Service Pack 2 should take care of that problem.
    Otherwise, Airports are a reliable product so perhaps you are in an area of interference? Pick a different channel - like 9?

  • Out-of-control consumer Internet traffic by apple tv

    Out-of-control consumer Internet traffic by apple tv
    Greetings
    I recently bought an Apple TV, but since then I is the intensity of Internet traffic. Kindly advise me please, why does this happen? Secondly, what is the solution? I only use this machine for Airplay, and I do not want to use the Internet.

    What are you talking about?
    Please clearly explain what the issue is.

  • Upgrade weblogic10.3.2 to 10.3.5., error in discover using central site

    Hi,
    I have installed weblogic 10.3.2 in my host, created domain, and discovered them in central site. Then I used upgrade installer to upgrade weblogic server to 10.3.5. In Adminserver Console, I can see the version changed to 10.3.5, but in EM central site, the weblogic version is still 10.3.2 even after I refresh the domain. I wonder whether it should rediscover the target again, so I removed the domain and discovered again, but when finding targets, it prompts "No targets discovered.", Hide: "For more troubleshooting tips refer support note: 1458357.1".
    I have three questions:
    1. When we update targets, do we need to rediscover in central site? If not, why is the version of weblogic still 10.3.2?
    2. Why, when I rediscover the target, does it prompt "No targets discovered."? I have domain on that host.
    3. I cannot find support note: 1458357.1 in mos.
    Thanks & Regards,
    Dan
    Edited by: 955975 on 2012-8-30 11:43 PM
    Edited by: 955975 on 2012-8-30 11:54 PM

    Hi Dan,
    The discovery perl scripts are located in /agent/plugins/oracle.sysman.emas.discovery.plugin_12.1.0.2.0/scripts/*
    Troubleshooting steps:
    1. Agent side
    Set Agent PERL Traces to DEBUG level by Login to Cloud control ->Targets->All Targets->click on the Agent link->expand drop-down menu "Agent"->Properties ->Choose "DEBUG" for property: EMAGENT_PERL_TRACE_LEVEL
    The log file associated to emagent perl is [..]/agent/agent_inst/sysman/log/emagent_perl.trc. If agent successfully discovers the targets, the targets properties are listed in emagent_perl.trc.
    2. OMS side
    Once the targets had been discovered by the agent, the target discovery information is sent back to OMS in order to be added as monitored targets in Cloud Control.
    There should be no BEA-XXX error in /agent/agent_inst/sysman/log/emagent_perl.trc file before targets definition discovered. If there is BEA-XXX error, it will be sent back to OMS and adding targets to Cloud Control will fail.
    Set OMS to DEBUG level
    cd <OMS_HOME>/bin
    emctl set property -name log4j.rootCategory -value 'DEBUG, emlogAppender, emtrcAppender' -module logging
    The OMS log file to investigate: [..]/Middleware/gc_inst/em/EMGC_OMS1/sysman/log/emoms.trc
    Regards,
    Kal
