Dynamic vpn
Hi all,
Is it possible to establish a site to site VPN connection with one site Fixed Ip address and the other site Dynamic Ip.
One site is Pix and the other is ADSL
Thanks
Sudeesh
Sudeesh,
http://www.cisco.com/warp/public/110/dynamicpix.html
You can ignore the VPN Client config, and the remote "dynamic" pix config, the priciple works I have tested this in a lab.
HTH.
Similar Messages
-
Problem in Configuring Dynamic VPN in the pix
Hi All,
I am having a problem in configuring a dynamic VPN in my pix which has the 7.2 version of ios but i am able to work with same configuration in the pix whch has 6.3 version i just want a user from outside my network using the vpn client access the resource inside my network below is my configuration is it ok are should i need to do anything more? please advice me.
ip local pool vpnpool1 192.168.170.1-192.168.170.254
crypto dynamic-map map2 20 set transform-set guatemala1
crypto map map1 20 ipsec-isakmp dynamic map2
crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Guatemalavpn address-pool vpnpool1
vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
vpngroup Guatemalavpn idle-time 36000
vpngroup Guatemalavpn password xxxxxxx
access-list outside_acl permit tcp 192.168.170.0 255.255.255.0 172.19.10.0 255.255.255.0
route outside 192.168.170.0 255.255.255.0 200.30.222.65
access-list inside_nat0_outbound extended permit ip any 192.168.170.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list 102 permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outboundTry it and tell me if works:
ip local pool vpnpool1 192.168.170.1-192.168.170.254
access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list acl-inside extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-group acl-inside in interface inside
nat (inside) 0 access-list inside_nat0_outbound
group-policy Guatemalavpn internal
group-policy Guatemalavpn attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
default-domain value mydomain.com
crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 20 set transform-set guatemala1
crypto map map1 20 ipsec-isakmp dynamic map2
crypto map map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group Guatemalavpn type ipsec-ra
tunnel-group Guatemalavpn general-attributes
address-pool vpnpool1
default-group-policy Guatemalavpn
tunnel-group Guatemalavpn ipsec-attributes
pre-shared-key *
route outside 192.168.170.0 255.255.255.0 200.30.222.65 -
Hello, world!
I have Dynamic VPN with hub (Cisco 2811) and spokes (Cisco 881). In one spoke site, that has network 10.10.x.x, there is a resource that suppose to be published. I need publish it on hub router.
So hub router has Gi0/0 (to ISP) and VLAN 12 (to ASA, then to local users etc). There is no access-list's on router (NAT for local office configured on ASA).
Can I publish resource by using static NAT in this terms? Resource network of spoke site has OSPF route on this VPN hub.Change the static nat rule to use a route-map
ip access-list extended static
deny ip host 192.168.100.35 remote_network 0.0.0.255
permit ip host 192.168.100.35 any
route-map static-port permit
match ip address static
ip nat inside source static tcp 192.168.100.35 3389 87.47.135.123 3389 route-map static-port -
LLQ/shaping over dynamic VPN peer?
I've got an ASA firewall that has multiple VPN peers that connect l2l via dynamic IPs (no peer in the crypto map), and I'm wondering on the appropriate way to apply LLQ/shaping to each individual tunnel at the head-end.
Is this possible, or do I need a static endpoint to apply the policy to the individual tunnel group?
Any assistance is appreciated.Hi Tzy,
Two tunnels for same traffic on a same device is not possible but you can configure a redundancy for the 2 cellular links for the same traffic.
But if the traffic are different for both the ACLs, the the tunnels should come up but you need to define routes as to which traffic would use what interface.
if there is a def route pointing to interface cell0/0/1 then all traffic will be taken using that interface, and you would then need to define either a static route for access-list 102 or a route-map to direct the traffic to the cell0/0/2 interface.
On the ASA, you just need to configure the settings for a dynamic VPN tunnel.
Hope that helps.
Cheers,
Abhi -
WRVS4400N - Multiple Dynamic VPN Configurations?
Hello,
I am wondering if anyone knows whether or not the WRVS4400N supports more than one dynamic VPN configuration?
I am trying to get the WRVS4400N to let more than one TheGreenBow client to connect to it.....
Thank you,
A ReadYes, you can configure multiple dynamic-to-static l2l on ASA. But for multiple connections using ezvpn will be much easier. Following links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml -
Logging dynamic vpn connections
How can I log dynamic vpn connections on a 2621 and pix 501? I have syslog syslog already setup and working.
You can use the Cisco Secure Access Control Server (ACS) for this. This is RADIUS/TACACS+ software that you can install on various versions of Windows Server 200x.
You can perform Authentication, Authorization and most import for you; Accounting. The server keeps track of who logged in, when he/she did that, how much traffic passed by, how long he/she stayed connected, etc etc.
More information on the Cisco Secure ACS can be found here: http://www.cisco.com/go/acs
Please rate if the post helps!
Regards,
Michael -
i would like to setup a ipsec to the juniper firewall.My cisco box is 1841 and have 3g gsm card.I try to initiate traffic from cisco,its ok but juniper phase 1 is not ok. Ä°s there any suggesstion for dynamic vpn issue or anyone try this before ?
Regardsi would like to setup a ipsec to the juniper firewall.My cisco box is 1841 and have 3g gsm card.I try to initiate traffic from cisco,its ok but juniper phase 1 is not ok. Ä°s there any suggesstion for dynamic vpn issue or anyone try this before ?
Regards -
PIX, ASA or VPN concentrator & dynamic VPN
Hi all,
I need help what to use and how to do next.
What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
How to do that dynamically? Is it possible to do that with one certificate?
Other question is what to use? ..PIX, ASA, VPN concentrator ?
BR
jlThe PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preffered platform for Remote Access VPNs.
You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
"every user is member of more than one group "
Some links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
Pls. rate if helpful.
Regards
Farrukh -
Connected dynamic VPN wan address change
I have a hub and spoke VPN. The spoke is dynamic.
If once the tunnel is established the WAN address changes the router doesn't know to start a new session and the VPN TAKES ages to come up as it still thinks it has an active tunnel.
Any idea how I can reduce the time for the tunnel to re-establish?Hello Martin,
You got to change the security-association lifetime:
set security-association lifetime #
Give it a try and let us know.
Regards,
Julio -
Dynamic VPN From Juniper SSG5 Uses DefaultRAGroup
I am trying to set up a VPN to an ASA5540 with a static IP address from a Juniper SSG5 with a dynamic IP address. I have tested the configuration from an ASA to ASA and it works fine. When I try to connect with the Juniper SSG5 it does not work. I did a debug crypto ikev1 and it shows the SSG5 defaulting to the DefaultRAGroup. It's supposed to use the DefaultL2LGroup. Does anyone have an idea of what could be the problem. I will post the configuration shortly. I appreciate the help.
Below is the config of the ASA. This works fine from another ASA, but does not from the Juniper SSG5.
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map EXTERNAL 5 match address vpn
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set 3DES-SHA
crypto map EXTERNAL 5 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map EXTERNAL interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key ***** -
Dynamic VPN - client to IOS - with shaping
I have 3640s and want to encrypt wireless clients to the router, since not all win2k laptops do leap. Peap tested is flaky. I have VPN client to IOS using dynamic cryptomap with back-end RADIUS xauth working, only, one 2.5meg FTP stream brings the proc utilization to 80% with AES or 1DES. I came up with the idea of using class-based shaping to throttel the encrypted traffic to under 2 meg on the ingress and egress, which brings the utilization down to 50%. I hammering the shapping queues and see no drops, what are the implications on this VPN
This is a temp fix until non-cisco wireless clients start supporting PEAP, and will only have 2 or 3 clients on at a time.hello thx for the replay
but all the trafic is routed to my firewall and i have a message in my firerwall by its look like my firewall didn't response
thx for help -
ASA5510 dynamic VPN from RV042
So far I have a complete phase 1, and an almost complete phase 2, but one thing I can't figure out. I see this in the debug.
peer is not authenticated by xauth - drop connection.
I get it right after the proxy is setup.
Here is my config
group-policy DefaultRAGroup attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec
password-storage enable
nem enable
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
I have tried many different configurations on both sides, but they all fail with the same error of peer not authenticated by xauth.I have tried it with it on, with it off and always the same thing comes back.
Here is aaa common 50 debug
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DefaultRAGroup
Resp:
grp_policy_ioctl(0x0a250e40, 114698, 0xa9372788)
grp_policy_ioctl: Looking up DefaultRAGroup
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 114, pAcb = 0xadae6da0
AAA task: aaa_process_msg(0xa9373220) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 14 "DefaultRAGroup"
2 User-Password(2) 0 0xae048023 ** Unresolved Attribute **
user policy attributes:
None
tunnel policy attributes:
1 Idle-Timeout(28) 4 0
2 Tunnelling-Protocol(4107) 4 12
3 Store-PW(4112) 4 1
4 Group-Policy(4121) 14 "DefaultRAGroup"
5 Network-Extension-Mode-Allowed(4160) 4 1
AAA API: In aaa_close
AAA API: In aaa_send_acct_start
AAA task: aaa_process_msg(0xa9373220) received message type 3
In aaai_close_session (114)
AAA API: In aaa_open
AAA session opened: handle = 115
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xa9373220) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DefaultRAGroup)
Got server ID 0 for group policy DB
and isakmp 127 with the relevant information. Up to this point it passes.
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.253.20.0--255.255.255.0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload: Address 10.253.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, processing ID payload
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR ID received
66.252.79.16
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x., Received local Proxy Host data in ID Payload: Address x.x.x.x, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xace21cd8, mess id 0xb4d2530a)!
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xace21cd8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message -
Having trouble with Dynamic-to-static
Having an issue with traffic passing over a dynamic-to-static VPN. Phase 1 and Phase 2 both complete. sh cry ips sa on the ASA shows 0 #pkts encaps. From the 861 it shows 0 #pkts decaps
I know its a lot to look at but hopefully someone will see something obvious that I messed up.
The second tunnel is working. It is coming from a CradlePoint MBR1400 so I am unable to apply the config from that.
ciscoasa# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 107.46.57.189
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: xxx.xxx.xxx.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 107.46.57.189
#pkts encaps: 3166, #pkts encrypt: 3166, #pkts digest: 3166
#pkts decaps: 2828, #pkts decrypt: 2828, #pkts verify: 2828
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3166, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.98, remote crypto endpt.: 107.46.57.189
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 0D67A97D
current inbound spi : B59B6F50
inbound esp sas:
spi: 0xB59B6F50 (3046862672)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5472256, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3020
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFF7FFFF
outbound esp sas:
spi: 0x0D67A97D (224897405)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5472256, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3020
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: xxx.xxx.xxx.98
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1041, #pkts decrypt: 1044, #pkts verify: 1044
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.xxx/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/2944
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 9613FEAC
current inbound spi : 186C9E40
inbound esp sas:
spi: 0x186C9E40 (409771584)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 5476352, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (3914991/3199)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9613FEAC (2517892780)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 5476352, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (3915000/3198)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
REMOTE Config Cisco 861
Current configuration : 3112 bytes
! Last configuration change at 13:07:07 UTC Mon Jan 2 2006 by jwright
! NVRAM config last updated at 12:10:49 UTC Mon Jan 2 2006 by jwright
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Corvid
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
logging console critical
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3769564853
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3769564853
revocation-check none
rsakeypair TP-self-signed-3769564853
crypto pki certificate chain TP-self-signed-3769564853
certificate self-signed 02
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
license udi pid CISCO861-K9 sn
username xxxxx privilege 15 secret 5 $1$SI.
username xxxxx privilege 15 secret 5 $1$y1
ip tcp synwait-time 10
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ************ address xxx.xxx.xxx.xxx
crypto ipsec transform-set RTPSET esp-aes esp-sha-hmac
crypto map RTP 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set RTPSET
match address 100
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map RTP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 24 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 any
access-list 120 deny ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 120
control-plane
line con 0
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
ASA5510
ciscoasa# sh run
: Saved
ASA Version 8.2(1)11
hostname ciscoasa
domain-name pme.local
enable password xxx encrypted
passwd xxx encrypted
names
interface Ethernet0/0
nameif backup
security-level 1
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.0.0
interface Ethernet0/2
shutdown
nameif outside2
security-level 0
no ip address
interface Ethernet0/3
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224
interface Management0/0
nameif management
security-level 100
ip address 172.17.0.199 255.255.255.0
management-only
banner motd **************************** NOTICE ******************************
banner motd * Unauthorized access to this network device is FORBIDDEN! *
banner motd * All connection attempts and sessions are logged and AUDITED! *
banner motd ******************************************************************
banner motd **************************** NOTICE ******************************
banner motd * Unauthorized access to this network device is FORBIDDEN! *
banner motd * All connection attempts and sessions are logged and AUDITED! *
banner motd ******************************************************************
boot system disk0:/asa821-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside2
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server HOMESTEAD-INT
name-server SEBRING-INT
domain-name pme.local
object-group service SQLTEST udp
description SQLTEST for VES
port-object eq 1434
object-group service SQLTEST_TCP tcp
description SQLTEST For VES
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.10.0 255.255.255.248
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.xxx eq 1434
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 1433 inactive
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https
access-list outside_access_in remark HTTP for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www
access-list outside_access_in remark HTTPS for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https
access-list outside_access_in extended deny icmp any any
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended deny icmp any any
access-list inside_access_out extended permit ip any any log
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host inside 10.10.2.12
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302012
no logging message 302017
no logging message 302016
mtu backup 1500
mtu inside 1500
mtu outside2 1500
mtu outside 1500
mtu management 1500
ip local pool IPSECVPN2 10.10.11.76-10.10.11.100
ip local pool SSLVPN 10.10.11.101-10.10.11.200 mask 255.255.0.0
ip local pool IPSECVPN 10.10.11.25-10.10.11.75
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (backup) 1 xxx.xxx.xxx.xxx
global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255
static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255
static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255
static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255
static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255
static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255
static (inside,backup) FILETRANSFER-EXT-BAK FILETRANSFER-INT netmask 255.255.255.255
static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255
static (inside,backup) AUTHENTICA-EXT-BAK AUTHENTICA-INT netmask 255.255.255.255
static (inside,backup) ALEXSYS-EXT-BAK MIDOHIO-INT netmask 255.255.255.255
access-group outside_access_in in interface backup
access-group inside_access_out in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1
route backup 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 254
route backup 62.109.192.0 255.255.240.0 xxx.xxx.xxx.xxx 1
route backup 64.68.96.0 255.255.224.0 xxx.xxx.xxx.xxx 1
route backup 66.114.160.0 255.255.240.0 xxx.xxx.xxx.xxx 1
route backup 66.163.32.0 255.255.240.0 xxx.xxx.xxx.xxx 1
route backup 209.197.192.0 255.255.224.0 xxx.xxx.xxx.xxx 1
route backup 210.4.192.0 255.255.240.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
http-proxy enable
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD-INT
key ******
radius-common-pw ******
aaa authentication ssh console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.255.0 management
http redirect backup 80
http redirect outside 80
snmp-server location Server Room
snmp-server contact Jay
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho xxx.xxx.xxx.xxx interface outside
timeout 3000
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set PM1
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1
crypto map cryptomap1 interface backup
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint xxx.xxx.xxx.xxx
enrollment terminal
fqdn xxx.xxx.xxx.xxx
subject-name CN= xxx.xxx.xxx.xxx, O=xxxx, C=US, St=MI, L=xxxx
keypair xxx.xxx.xxx.xxx
crl configure
crypto ca certificate chain xxx.xxx.xxx.xxx
certificate 041200616c79f4
30820577 3082045f a0030201 02020704 1200616c 79f4300d 06092a86 4886f70d
quit
crypto isakmp identity address
crypto isakmp enable backup
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp nat-traversal 33
track 1 rtr 100 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.22.86.210 source backup prefer
ssl trust-point vpn.prattmiller.com outside
ssl trust-point vpn.prattmiller.com backup
ssl trust-point vpn.prattmiller.com outside2
webvpn
enable backup
enable outside2
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
svc profiles AllowRemoteUsers disk0:/AnyConnectProfile.xml
svc enable
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 10.10.2.1 10.10.2.62
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value pme.local
webvpn
url-list value Book1
svc profiles value AllowRemoteUsers
svc ask enable default webvpn timeout 10
group-policy AnyConnect internal
group-policy AnyConnect attributes
vpn-tunnel-protocol webvpn
webvpn
svc ask enable default webvpn timeout 15
username xxxx password RrjDgdg5BBLrGPnn encrypted privilege 15
username xxxx password qDxllXruMJHEVZji encrypted privilege 15
username xxxx password dGOqWbOOjP0FVxtl encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (backup) IPSECVPN2
address-pool (outside2) IPSECVPN2
address-pool (outside) SSLVPN
address-pool SSLVPN
authentication-server-group PMERADIUS
tunnel-group pm_ipsec type remote-access
tunnel-group pm_ipsec general-attributes
address-pool IPSECVPN2
tunnel-group pm_ipsec ipsec-attributes
pre-shared-key *
tunnel-group prattmiller type remote-access
tunnel-group prattmiller general-attributes
address-pool IPSECVPN
tunnel-group prattmiller ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
class class-default
service-policy global_policy global
smtp-server 10.10.2.6
prompt hostname context
Cryptochecksum:8316029502f6698d4015f5e1b3d40a08
: end
[code] TEST [/code]My question about this is the other Dynamic VPN that is working has no static route.
I added:
route outside 10.10.10.0 255.255.255.248 xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the IP of the non working remote IKE Peer)
This had no effect.
Looking at the two tunnels. The working tunnel is using IKE IPSEC and the nonworking tunnel is using IKE IPsecOverNatT. What have I entered that tells the VPN to use IPsecOverNatT? -
Problem with VPN Client and PIX 7.0(5)
Hi, i have a problem configuring my pix 525 7.0(5) as a remote vpn server. I already configure the pix
sollowing this instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
and i can establish a vpn using CISCO VPN Client; but i can't reach any resource from my inside network or any network define in the PIX.
I think that could be a missing nat or an acl; but i have do a lot of research but i can figure out the solution.
This is the configuration i apply
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit ip any any
access-list acl-vpn-sap-remoto extended permit icmp any any
ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
group-policy VPN_SAP_PED internal
group-policy VPN_SAP_PED attributes
vpn-filter value acl-vpn-sap-remoto
vpn-tunnel-protocol IPSec
username vpnuser password **** encrypted
username vpnuser attributes
vpn-group-policy VPN_SAP_PED
crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 43200
tunnel-group VPN_SAP_PED type ipsec-ra
tunnel-group VPN_SAP_PED general-attributes
address-pool pool_vpn_sap
default-group-policy VPN_SAP_PED
tunnel-group VPN_SAP_PED ipsec-attributes
pre-shared-key clavevpnsap
Thanks in AdvancedHi, thanks for you response, if i remove the acl form de vpn filter, i get the same problem (i can't reach any host). This is the output from the command that you ask for.
PIX-Principal(config)# show running-config nat
nat (inside) 0 access-list cryptomap-scada
nat (inside) 9 JOsorioPC 255.255.255.255
nat (inside) 9 GColinaPC 255.255.255.255
nat (inside) 9 AlfonsoPC 255.255.255.255
nat (inside) 9 AngelPC 255.255.255.255
nat (inside) 9 JerryPC 255.255.255.255
nat (inside) 9 EstebanPC 255.255.255.255
nat (inside) 9 GiancarloPC 255.255.255.255
nat (inside) 9 WilliamsPC 255.255.255.255
nat (inside) 9 PerniaPC 255.255.255.255
nat (inside) 9 ElvisDomPC 255.255.255.255
nat (inside) 8 LBermudezPC 255.255.255.255
nat (inside) 9 HelpDeskPC 255.255.255.255
nat (inside) 9 OscarOPC 255.255.255.255
nat (inside) 9 AnaPC 255.255.255.255
nat (inside) 9 RobertoPC 255.255.255.255
nat (inside) 9 MarthaPC 255.255.255.255
nat (inside) 9 NOCPc5-I 255.255.255.255
nat (inside) 9 NOCPc6-I 255.255.255.255
nat (inside) 9 CiraPC 255.255.255.255
nat (inside) 9 JaimePC 255.255.255.255
nat (inside) 9 EugemarPC 255.255.255.255
nat (inside) 9 JosePC 255.255.255.255
nat (inside) 9 RixioPC 255.255.255.255
nat (inside) 9 DaniellePC 255.255.255.255
nat (inside) 9 NorimarPC 255.255.255.255
nat (inside) 9 NNavaPC 255.255.255.255
nat (inside) 8 ManriquePC 255.255.255.255
nat (inside) 8 MarcialPC 255.255.255.255
nat (inside) 8 JAlbornozPC 255.255.255.255
nat (inside) 9 GUrdanetaPC 255.255.255.255
nat (inside) 9 RVegaPC 255.255.255.255
nat (inside) 9 LLabarcaPC 255.255.255.255
nat (inside) 9 Torondoy-I 255.255.255.255
nat (inside) 9 Escuque-I 255.255.255.255
nat (inside) 9 Turbio-I 255.255.255.255
nat (inside) 9 JoseMora 255.255.255.255
nat (inside) 8 San-Juan-I 255.255.255.255
nat (inside) 8 Router7507 255.255.255.255
nat (inside) 8 NOCPc4-I 255.255.255.255
nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255 -
IOS VPN will not respond to Cisco VPN Client connections.
Hi all,
I am about to set my routers on fire here.
I have two 2921 ISRs both with Security licenses on separate leased lines. I have configured one to accept VPN connections from our Cisco VPN Client remote workers.
I have followed the set up process I used on another site with an 1841/Sec router and the same clients and I have also checked against the config given in the latest IOS15 EasyVPN guide.
With all debugs active, all I see is
038062: Dec 8 14:03:04.519: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (N) NEW SA
038063: Dec 8 14:03:04.519: ISAKMP: Created a peer struct for x.y.z.z, peer port 60225
038064: Dec 8 14:03:04.519: ISAKMP: New peer created peer = 0x3972090C peer_handle = 0x8001D881
038065: Dec 8 14:03:04.523: ISAKMP: Locking peer struct 0x3972090C, refcount 1 for crypto_isakmp_process_block
038066: Dec 8 14:03:04.523: ISAKMP:(0):Setting client config settings 3E156D70
038067: Dec 8 14:03:10.027: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE
Below is the abridged config.
System image file is "flash0:c2900-universalk9-mz.SPA.154-1.T1.bin"
aaa new-model
aaa authentication login default local
aaa authentication login VPNAUTH local
aaa authorization exec default local
aaa authorization network VPN local
aaa session-id common
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
crypto isakmp client configuration group VPN
key ****-****-****-****
dns 192.168.177.207 192.168.177.3
domain xxx.local
pool VPNADDRESSES
acl REVERSEROUTE
crypto ipsec transform-set HASH esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSECPROFILE
set transform-set HASH
crypto dynamic-map VPN 1
set transform-set HASH
reverse-route
crypto map VPN client authentication list VPNAUTH
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic VPN
ip local pool VPNADDRESSES 172.16.198.16 172.16.198.31
ip access-list extended REVERSEROUTE
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended FIREWALL
2 permit udp any host a.b.c.d eq non500-isakmp
3 permit udp any host a.b.c.d eq isakmp
4 permit ahp any host a.b.c.d
5 permit esp any host a.b.c.d
If anyone can see anything wrong, I would be so pleased and it would save the destruction of an ostensibly innocent router.
Thanks,
Paul> I actually love you. Thank you so much.
Sorry, I'm married ... ;-)
> Im not using a virtual template. Can I get away without the Crypto Map if I use one...? All my tunnels are VTIs
oh yes, I could have seen that ...
crypto isakmp profile VPN-RA
match identity group VPN
client authentication list VPNAUTH
isakmp authorization list VPN
client configuration address respond
virtual-template 1
interface Virtual-Template1 type tunnel
description Tunnel fuer Cisco VPN-Client
ip unnumbered GigabitEthernet0/0
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE
Your isakmp-config and ipsec profile stays the same.
Maybe you are looking for
-
Photoshop CC 2014 3D option doesn't show up?
Could someone help me, Ive had Photoshop CC (2014) for a few weeks and everything was fine and I had the 3D option. But a few days ago I upgraded to windows 8.1 (previously i had windows 7). After I installed Photoshop again, I didn't have the 3D opt
-
What's changed in Photoshop 12.1?
I recently upgraded my CS5 design premium to version 5.5-- by uninstalling to previous version and clean installing the new-- and have noticed that the updated version of Photoshop (12.1) performs very slowly overall compared to that which installed
-
Wrong Locations when importing photos
I'd be grateful if some could help with this. I used an app on my iPhone called GeoTag Photos to add geotag my photos (obviously!) I've just upgraded to iPhoto 11 and imported some photos that have been geotagged. I used EXIF Viewer to check the tags
-
How to setup thunderbolt bridge between two macbook Pro (retina and 2011 )?
I have a new 13" MB Pro retina and want to use the thunderbolt bridge btween the 13" and the 15" MB pro 2011. Somehow I cannot do anything with this, and on both laptops it shows the the Thunderbolt slots as "Inactive". I have connected the the two l
-
What are the responsibilities of Functional consultant in Upgradation?
hai friends What are the responsibilities of Functional consultant in an Upgradation Project Are the responsibilites similar to implementation project.if no How does it differ. Thanks regards Krishna