Dynamic VPN - client to IOS - with shaping

I have 3640s and want to encrypt wireless clients to the router, since not all win2k laptops do leap. Peap tested is flaky. I have VPN client to IOS using dynamic cryptomap with back-end RADIUS xauth working, only, one 2.5meg FTP stream brings the proc utilization to 80% with AES or 1DES. I came up with the idea of using class-based shaping to throttel the encrypted traffic to under 2 meg on the ingress and egress, which brings the utilization down to 50%. I hammering the shapping queues and see no drops, what are the implications on this VPN
This is a temp fix until non-cisco wireless clients start supporting PEAP, and will only have 2 or 3 clients on at a time.

hello thx for the replay
but all the trafic is routed to my firewall and i have a message in my firerwall by its look like my firewall didn't response
thx for help

Similar Messages

Strange issue with 3.6.3 VPN Client and IOS firewall

I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
Router is running 12.2(13)T.
Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
You Cisco gurus have any thoughts?
Thanks,
Jamey
Config below:
jamey#wr t
Building configuration...
Current configuration : 3947 bytes
! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname "jamey"
no logging buffered
no logging console
username XXXX password 7 XXXXX
clock timezone GMT 0
aaa new-model
aaa authentication login tac local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name firewall http java-list 3
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group XXXX
key XXXXXXX
dns x.x.x.x
domain xxx.com
pool ipsec-pool
acl 191
crypto ipsec security-association lifetime kilobytes 536870911
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set foxset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set foxset
crypto map clientmap client authentication list tac
crypto map clientmap isakmp authorization list XXXXX
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback10
description just for test purposes
ip address 172.16.45.1 255.255.255.0
interface Ethernet0/0
description "Internet"
ip address x.x.x.x 255.255.255.224
ip access-group 103 in
ip inspect myfw out
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
interface Ethernet0/1
description "LAN"
ip address 192.168.45.89 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
ip local pool ipsec-pool 192.168.100.1 192.168.100.254
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no logging trap
access-list 3 permit any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
access-list 103 permit icmp any any log
access-list 103 permit udp any eq isakmp any log
access-list 103 permit esp any any log
access-list 103 permit ahp any any log
access-list 103 permit udp any any eq non500-isakmp log
access-list 103 permit tcp any any eq 1723 log
access-list 103 permit udp any any eq 1723 log
access-list 103 deny tcp any any log
access-list 103 deny udp any any log
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
radius-server authorization permit missing Service-Type
call rsvp-sync
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password XXXXXX
line vty 5 15
end
Some debugging info:
At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
.Jan 22 01:27:38.284: ICMP type=8, code=0
.Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
et0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:38.288: ICMP type=0, code=0
.Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
40, access denied
.Jan 22 01:27:38.637: UDP src=2301, dst=2301
.Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
40, rcvd 2
.Jan 22 01:27:38.641: UDP src=2301, dst=2301
.Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
rcvd 4
.Jan 22 01:27:38.765: ICMP type=8, code=0
.Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
len 60, sending
.Jan 22 01:27:38.765: ICMP type=0, code=0
.Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
et0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:39.286: ICMP type=8, code=0
.Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
et0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:39.290: ICMP type=0, code=0
.Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
rcvd 4
.Jan 22 01:27:39.767: ICMP type=8, code=0
.Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
len 60, sending
.Jan 22 01:27:39.767: ICMP type=0, code=0
.Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
et0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:40.287: ICMP type=8, code=0
.Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
et0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:40.291: ICMP type=0, code=0
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
from a host on the internal side (LAN) (192.168.45.1)
.Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
g=2.2.2.2, len 44, forward
.Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
SYN
.Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
here is where by VPN connection breaks
.Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
.Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
.Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
.Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check

Ok..I found the bug ID for this:
CSCdz46552
the workaround says to configure an ACL on the dynamic ACL.
I don't understand what that means.
I found this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
and they talk about it, but I'm having a hard time decoding what this means:
"To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

Contivity vpn client behind router with easy server

Hi, I've seen this argument before, but without an effective solution.
I have a contivity client behind a 857 cisco router. This client needs to connect to a remote VPN server.
With NAT enable and easy VPN server disable all works fine.
When I enable easy VPN server on the 857 (I need to connect several dial-up cisco vpn client from outside to this office) the contivity client can't connect anymore to the remote vpn server and hang up with the famous "bannet text" error.
I think that because the external interface of the 857 is waiting for cisco vpn client to connect, it intercepts also the data from the remote contivity vpn server, not forwarding to the client inside the LAN.
If there is a way to "passthrough" the contivity connection data to the internal client it would be very nice.
Many thanks, Stefano.

Hi, I found a possible solution. At this page
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml
this is the interesting part:
!--- Dynamic crypto map.
crypto dynamic-map dynmap 1
set transform-set foo
match address 199
access-list 199 permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip host 172.16.142.191 192.168.1.0 0.0.0.255
I try to put the contivity vpn client to another subnet (192.168.3.10) but the easy vpn server still intercepts its encrypted data.
Salutes.

IPhone 2.1 now supports Cisco VPN Client to IOS router

Just tested it. The Cisco VPN Client in iPhone 2.1 now connects to my IOS router. Excellent.

I have a Cisco 1812 with 12.4(20)T. I know that 12.4(6)T and some other versions have an issue with the negotiation of IPSec policies which basically means that only the first proposal is considered. If the first proposal matches you have a connection. If it does not match, the connection is refused even though other proposals would be O.K.
The relevant isakmp/ipsec config should be:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group myvpn
key mysecretkey
dns 10.0.0.2 10.0.0.3
wins 10.0.0.2
domain mydomain.example.com
pool ippool
acl 150
split-dns mydomain.example.com
netmask 255.255.255.0
crypto isakmp profile ike-myvpn-profile
match identity group myvpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile myvpn
set transform-set ESP-3DES-SHA
set isakmp-profile ike-myvpn-profile
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet1
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile myvpn
See also http://www.cisco.com/en/US/docs/ios/security/configuration/guide/secipsec_virt_tunnl_ps6441_TSD_Products_Configuration_GuideChapter.html
If you have IOS 12.4(6)T or similar which has the bug I have mentioned you have to use aes instead of 3des for the transform set. The first proposal of the iPhone is aes. Be sure to check the "debug crypto ipsec" and "debug crypto isakmp" output for troubleshooting.

Cisco VPN client install fails with Error 1722 on Windows 7

Hi,
I am having issues with laptops upgraded from Vista to Windows 7.
Prior to the upgrade they are running Cisco VPN Client 5.0.05.0290. These laptops also have Juniper Network Connect 6.5 and Citrix web client installed. The windows upgrade advisor made no recommendations regarding uninstalling / reinstalling these apps.
I have done an inplace upgade to Windows 7 (Windows Vista Enterprise 32bit to Windows 7 Enterprise 32 bit) and after the install the Cisco client is not working. Uninstalled the client (the uninstall was successful) then reinstalled and the installation fails at Installing Cisco Systems Virtual Adapter - error 1722 there was a problem with the windows installer package.
I have followed the steps for a manual uninstall of the Cisco client and then tried the install again - still not successful. Interestingly (or not) the Juniper Network Connect also fails with the error The Network Connect Virtual adapter driver is not installed properly. This also fails to reinstall after being removed.
I tried removing the VPN clients on another laptop and then running the upgrade but the same errors occured when reinstalling the VPN Client. I have tried the Winfix and DNE patch from Citrix but these fail saying there is a corruption in the application.
On another laptop where only the Cisco VPN client was installed a reinstall was required after the upgrade, but it did install successfully.
On a clean image these applications all install fine, however I have a large number of laptops do upgrade and don't want to do a fresh install and settings migration on all of them.
What files / registry entrys are involved with the DNE adapter so I can manually clear it all out before reinstalling?
Anything else I can do to troubleshoot this issue?
Cheers,
James

You should be able to install the 64 bit version of the Cisco VPN software
Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
MicrosoftFixit50842.msi
(Using Shrew VPN is a possible workaround.)

AnyConnect VPN Client on IOS Router

Hi Guys, I configured AnyConnect SSL VPN on Cisco 2811 router. It works perfectly when I login via web and run secure mobility client. However, when I connect directly from the mobility client connection fails. It does not even ask me for username and password.
Mar 7 21:36:47.613: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: VPN_GATEWAY i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at
Mar 7 21:36:47.617: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.621: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.745: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
      Data buffer(buffer: 0x4925DA18, data: 0x3F57ED98, len: 1,
      offset: 0, domain: 0)
Mar 7 21:36:47.749: WV: Fragmented App data - buffered
Mar 7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
      Data buffer(buffer: 0x4925D818, data: 0x3F2033F8, len: 242,
      offset: 0, domain: 0)
Mar 7 21:36:47.749: WV: Appl. processing Failed : 2
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.753: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.753: WV: server side not ready to send.
====================
Here is the config:
=====================
crypto pki trustpoint VPN_TRUSTPOINT
enrollment selfsigned
serial-number
subject-name CN=academy-certificate
revocation-check crl
rsakeypair RSA_KEY
crypto pki certificate chain VPN_TRUSTPOINT
ip local pool VPN_POOL 192.168.7.100 192.168.7.150
webvpn gateway VPN_GATEWAY
ip address <ip>
ssl trustpoint VPN_TRUSTPOINT
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.02040-k9.pkg sequence 1
webvpn context VPN_CONTEXT
title "<title>"
ssl authenticate verify all
login-message "<message>"
policy group VPNPOLICY
   functions svc-required
   svc address-pool "VPN_POOL"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.1.0 255.255.255.0
default-group-policy VPNPOLICY
aaa authentication list default
gateway VPN_GATEWAY
max-users 10
inservice
I have not figured out yet, why mobility client works when launched from the web and why it does not work directly. Any input or hints would be much appreciated

Hi Giorgi,
This could be related to CSCti89976.
AnyConnect 3.0 doesn't work with existing IOS.
Symptoms:
Standalone AnyConnect 3.0 client does not work with an existing IOS headend.
Conditions:
AnyConnect 3.0 with an IOS Router as the headend.
Workaround:
Use AnyConnect 2.5 or use weblaunch.
Upgrade IOS
Would it be possible to upgrade the IOS version?
HTH.
Portu.

Win 7 VPN Client 5.0.07 no longer works properly with Citrix DNE Update

Since Cisco Systems VPN Client does not work properly with mobile broadband on Windows 7, we've been successfully using Citrix's DNE Update to fix this for about 6 months. All of a sudden, machines with the DNE Update stopped working properly over VPN (whether using mobile broadband or not). The only fix is to unbind the DNE Lightweight driver from your network adapters, uninstall the DNE Update and reinstall the VPN Client. However, then you cannot use an aircard with VPN as the DNE Update was the fix.
Symptoms of the VPN issues with DNE Update:
-web pages displaying garbled
-internal web pages not rendering at all
-remote connectivity not working (VNC)
-RDP connects then crashes with data encryption errors
The only change that I can identify on our machines and in our environment would be Windows updates, but I've been unable to identify which one might have caused the problem.
Has anyone encountered this issue and found a fix? Does anyone know of another reliable fix for VPN Client to work with Windows 7 and aircards?
We're looking at moving to another VPN solution but that will take time and we need a more immediate solution.
Thanks in advance for your help.
Tony

Hi Prapanch
No offence . . . . but you need to read the complete thread before posting re:IP address & gateway
I'm not posting head end config because the config works with XP
There are no W7 specific parameters with ASA 8.3(2)
Multiple W7 machines have been used to test this.
We are looking at extracting level 15 logs from the client end - I will post if they don''t give an obvious answer.
TAC still not able to resolve this.
Rgds
Barry

Cisco VPN client crashes with Error 51 on Intel Mac Mini

I am in the process of migrating from XP to Tiger on a brand-new Mac Mini (Intel Duo). Now I am stuck:
I use v 4.8.00 of the Cisco VPN client supplied by my university's IT dept. to connect to the Campus intranet. I have been unable to succesfully use this software, as it crashes upon initializing with "Error 51: Cannot connect to the VPN subsystem." Re-installing the software does not change the state of affairs.
After some research, I used a hack found here (http://www.versiontracker.com/php/feedback/article.php?story=20060107011305622 and http://www.versiontracker.com/php/feedback/article.php?story=20060107011305622) to manually restart the VPN daemon. The Terminal result looks like this:
kld(): warning /System/Library/Extensions/CiscoVPN.kext/Contents/MacOS/CiscoVPN cputype (18, architecture ppc) does not match cputype (7 architecture i386) of objects files previously loaded (file not loaded)
kextload: kldlookup("_kmodinfo") failed for module /System/Library/Extensions/CiscoVPN.kext/Contents/MacOS/CiscoVPN
kextload: a link/load error occured for kernel extension /System/Library/Extensions/CiscoVPN.kext
load failed for extension /System/Library/Extensions/CiscoVPN.kext
(run kextload with -t for diagnostic output)
Not being fluent in Darwin, I can only interpret this to mean that the VPN client is incompatible with the Intel chip in the Mac mini... Is this correct? Is the only way for me to use VPN to wait for a 4.8.x version to be made available?
Hopeful still,
felixx

Also - the Mac VPN system will work with most Cisco networking devices. You can open up the PCF profile that your IT group wants you to use and figure out most of the questions Internet Connect will ask you to set up the VPN connection. For the rest, you have to ask the IT group or try some things and see what works...
cheers,
Mike

Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.

I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA.

Reliable working combination of VPN client and Sidewinder firewall?

My work's I.T. Dept has deployed a "Sidewinder" VPN firewall with certs at our workplace. All works well with our many remote Windoze clients. The Windoze clients are using a "Greenbow" VPN client.
They (the I.T. Dept.) were never able to get the built-in OS X VPN client to work with the Sidewinder VPN firewall at all. I don't really have any details of what they tried or why it didn't work and they aren't exactly the friendliest types to us Mac users in the organization so I probably won't be getting any further details in that regard.
They (the I.T. Dept.) did get VPN Tracker Player v6.2 client to work on the remote Mac clients -- sort of -- but it consistently fails after roughly ten minutes of connection time at IKE renegotiation. They purportedly had a trouble ticket open with, and were working with, Equinux to try to resolve the issue, but after spending a certain amount of time on it, they basically told us Mac users in the organization that they had already spent way too much time on trying to make the Mac VPN client work, so they weren't going to be doing anything further with it, so too bad, so sad for us. And they've got 100% Director support backing up their decision.
So, the question du jour is, is anyone out there using a VPN client on a Mac and reliably connecting through a "Sidewinder" VPN firewall/server with certs (i.e., no dropped connections after about ten minutes or thereabouts), and if so, what VPN client are using and how did you/do you have it configured?
Thanks

(first and last) bump

RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode?
This is mostly a question, and partly "in use" observations.
Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode?
If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
Summary of VPN modes I've gotten to work with an RV220W:
Client
Split Tunnel Works?
Full Tunnel Works?
OS?
Notes
SSL VPN
Yes
Yes
Win7/64
IE10 or IE11
QuickVPN
Yes
No
Win7/64
IPSec VPN
Yes
No
Win7/64
Shrew Soft VPN Client

I have to mark this as not a correct answer.
Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
To Michal Bruncko who posted this:
1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

VPN client no access, two ip addresses

Hello,
Vista and VPN client v5.0 with 3000 concentrator. After logging in an ipconfig shows Ipv4/subnet mask twice, giving two different IP addresses in the same pool and subnet. The gateway is blank, thus no access to LAN or Internet.
No unusual changes since problem started happening a week ago, flushed DNS cache, any ideas out there? Much thanks!

Thank you for your response.
If I did "ipconfig /all" it would show that the "Local Area Connection 2:" is Cisco Systems VPN Adapter.
Before connecting to VPN, the TCP/IPv4 properties of the VPN adapter showed 0.0.0.0 as the IP. After connecting, the same window showed the first IP address of two in the same subnet. The DNS and DHCP IPs are correct.
DHCP is configured at user's home. The log in admin page of the VPN showed it issued the first of the two IPs, no record of the second one. Correction: he gets internet but not LAN. Pings to LAN resources map to the correct IP...
Again, if all else fails, I'll try to get him to reinstall the client but if any of this info rings a bell with you, please advise. Thank you!

Tunneling using Cisco VPN Client 4.9

Hello,
in recent times I used the Cisco VPN Client 4.7 with no problems:
1. I installed the software
2. I started "Internet Connect.app", created a VPN connection (PPTP) with no entries
3. created a new network connection ("Tunnel to company"), with ETH and VPN (PPTP) enabled
4. the ethernet interface points at the local router wich is connected to my ISP
5. DHCP-Client-ID: our.company.de, DNS-Server: no entry, Domain-Names: our.company.de
6. Proxies: our companies proxies
7. the VPN (PPTP) interface is configuered as PPP, DNS-Server: our companies server IPs, Domain-Names: no entries, Proxy: no entries
8. Starting the Cisco VPN Client I configuered an new session, connected, ok
As said, this was in the old days.
Now using Cisco VPN Client 4.9 on a MacBookPro (Intel) this works also with one exception:
I can establish a network connection (ping, smb, AFP, intranet/HTTP) only using the companies fully qualified domain name, e.g.:
1. ping server1: unable to resolve name
2. ping server1.our.company.de: works as exspected
I am using Cisco VPN Client 4.9.00 (0050), Mac OS X 4.8 with all available updates.
Any help would be appreciated
Roland

...
trying the same (without the "Internet Config.app" / VPN PPTP) using VPN Tracker works fine. But I don´t want to spend Euro 79.-...
Roland

Shrew soft vpn client

I am trying to get the shrew soft vpn client to work with a cisco ipsec vpn on windows server 2012. Has anyone done this with it or similar generic vpn clients?

I don't want to push this thread, but I've finally managed to make a PKGBUILD for it. It's now on AUR (entry 28548) and my first packet there It's necessary to add 'iked' to the DAEMONS list in /etc/rc.conf, start it up once by hand and use ikea-qt to set up and connect to your networks.
Last edited by Basic-Master (2009-07-19 04:23:10)

IPSEC IOS with IAS AAA

Hi all,
I do not set up IAS to authenticate the users for IPSEC VPN client under IOS?
Have idea or any doc about this?
Regards
Marck

Hi Marck,
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
Hope this helps,
somishra

Dynamic VPN - client to IOS - with shaping

Similar Messages

Maybe you are looking for