Enterprise VPN Design - Lan to Lan via PIX
I have 15 sites, each with a PIX Firewall 506 or better. I would like to create a full-mesh VPN without creating a total of n * (n-1) tunnel configurations. How can I cut down this number?
This should help: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/ipsec/2_2/prov_gd/ipsecpg8.htm
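A way to see the count the question is asking about, and what each PIX has to carry in either design, as an added example that is not from the original post or the linked Cisco guide: the site inventory, addresses and LAN prefixes below are constructed, and the crypto-map lines follow the PIX 6.x syntax used in the configs further down this page. A full mesh of n sites needs n*(n-1)/2 tunnels but n*(n-1) per-device peer stanzas, one on each end of every tunnel; a hub-and-spoke design cuts that to 2*(n-1) at the cost of routing spoke-to-spoke traffic through the hub.

```python
"""Count and generate LAN-to-LAN tunnel stanzas for n PIX sites.

Added example. Site names, WAN addresses and LAN prefixes are constructed;
the command syntax is the PIX 6.x 'crypto map' / 'isakmp key' form.
"""
from itertools import combinations

# Constructed inventory: (site name, outside address, inside network, mask)
SITES = [
    ("HQ", "203.0.113.1", "10.0.0.0", "255.255.255.0"),
    ("S1", "203.0.113.2", "10.0.1.0", "255.255.255.0"),
    ("S2", "203.0.113.3", "10.0.2.0", "255.255.255.0"),
    ("S3", "203.0.113.4", "10.0.3.0", "255.255.255.0"),
]


def mesh_tunnels(sites):
    """Every site peers with every other site: n*(n-1)/2 tunnels."""
    return list(combinations([s[0] for s in sites], 2))


def hub_spoke_tunnels(sites, hub):
    """Every spoke peers only with the hub: n-1 tunnels."""
    return [(hub, s[0]) for s in sites if s[0] != hub]


def peer_config_count(tunnels):
    """Each tunnel is configured on both endpoints, so two stanzas per tunnel:
    n*(n-1) for a full mesh, 2*(n-1) for hub-and-spoke."""
    return 2 * len(tunnels)


def per_device_peers(tunnels, site):
    """Peers a single device must carry a crypto-map entry for."""
    return sorted(b if a == site else a for a, b in tunnels if site in (a, b))


def render_pix_stanzas(sites, tunnels, site, transform="ESP-3DES-MD5"):
    """Emit the PIX 6.x crypto-map entries one device needs for its peers."""
    by_name = {s[0]: s for s in sites}
    _, _, lan, mask = by_name[site]
    lines = []
    for seq, peer in enumerate(per_device_peers(tunnels, site), start=10):
        _, peer_ip, peer_lan, peer_mask = by_name[peer]
        acl = f"{site}_to_{peer}"
        lines += [
            f"access-list {acl} permit ip {lan} {mask} {peer_lan} {peer_mask}",
            f"crypto map outside_map {seq} ipsec-isakmp",
            f"crypto map outside_map {seq} match address {acl}",
            f"crypto map outside_map {seq} set peer {peer_ip}",
            f"crypto map outside_map {seq} set transform-set {transform}",
            f"isakmp key ******** address {peer_ip} netmask 255.255.255.255",
        ]
    return lines


if __name__ == "__main__":
    mesh = mesh_tunnels(SITES)
    hub = hub_spoke_tunnels(SITES, "HQ")
    print(f"full mesh: {len(mesh)} tunnels, {peer_config_count(mesh)} peer stanzas")
    print(f"hub-and-spoke: {len(hub)} tunnels, {peer_config_count(hub)} peer stanzas")
    print("\n".join(render_pix_stanzas(SITES, hub, "S1")))
```

Each peer stanza also needs the peer's LAN added to the device's single nat (inside) 0 exemption ACL, plus sysopt connection permit-ipsec, which the generator does not emit. For the 15 sites in the question the functions give 105 tunnels and 210 peer stanzas for a full mesh against 14 and 28 for hub-and-spoke.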
Similar Messages
-
Cannot log in the BAM Enterprise Link Design Studio
Hi, all,
I installed BAM 10.1.3.3 on a Windows 2003 SP1 server, and I cannot log in to the BAM Enterprise Link Design Studio; I get the following errors:
[SERVERERROR] Error from Server: ORA-00942: table or view does not exist
Information from server:
942
0
oraclebam
[Oracle BAM Enterprise Link error code: SA -- 0x1, RW -- 0x5]
Unable to locate the repository.
[Oracle BAM Enterprise Link error code: RP -- 0x11, RP -- 0x102]
Unable to connect to the Repository.
[Oracle BAM Enterprise Link error code: IS -- 0x7, IS -- 0x19]
Thanks in advance for your ideas and suggestions.
Best Regards,
Bill
Self answer: reinstall BAM and only check the repository install; don't move the data service, and it works.
-
Enterprise link design studio start up error.
Hi,
I have installed BAM on XP and am working on it.
When I try opening Enterprise Link Design Studio I get a TNS listener error.
A TNS entry is present in the tnsnames.ora file.
I was using the studio previously and it was working fine.
What is going wrong?
Regards
Ashwini
Hi,
I have reinstalled Enterprise Link and now I am able to open Design Studio.
But the BAM user was not created during the installation; I created it manually.
I created a plan; when I try updating the plan I get the following error:
Unable to connect to ADC server "Main" as user: "NT AUTHORITY\SYSTEM":
Ticks must be between DateTime.MinValue.Ticks and DateTime.MaxValue.Ticks.
Parameter name: ticks
[ErrorSource="mscorlib"]
[Oracle BAM Enterprise Link error code: 0x75 -- 0x1, 0x75 -- 0xB]
Error while beginning the execution for the step 'Oracle BAM Enterprise Message Receiver'
[Oracle BAM Enterprise Link error code: DC -- 0x1, DC -- 0x83]
Update of Plan "myBPELOrderBookingPlan" failed.
[Oracle BAM Enterprise Link error code: PlanMgr -- 0x1, PlanMgr -- 0xD5]
Regards
Ashwini -
Hi,
Attached is my network topology. I want to encrypt the traffic that comes from sites A, B, and C to the main router and vice versa.
I think we have two options:
1- Make the main router the IPSec termination for the sites A,B, and C routers.
2- Make Site A Router the IPSec termination for sites B and C and the main router the IPSec termination for site A.
Which one is preferred and why?
Thanks in advance
Abd Alqader
Hi
There are a number of things to take into account here.
1) Does router A do any NAT/PAT on packets going through it? If it does, it may be easier to terminate the VPNs from B and C on A, then start a new VPN to the main router.
2) Processing power of the routers. If you use A as a termination point, then it needs to handle VPN traffic not just for users at site A but also sites B and C.
3) Complexity of configuration. I think if you create separate VPNs from each site to the main site your configuration will be easier.
4) Redundancy. At the moment router A is a single point of failure: if it goes down, B and C also lose connectivity. If you were at some future date to have secondary links from B and C, it would make sense to have separate VPNs rather than aggregate via A.
All things being equal I would look to create individual VPNs from each site, but this is a recommendation based on what you have supplied. There may be more factors for you to consider.
HTH
Jon -
New enterprise mobility design guide
Hi, does anybody know if there's a newer enterprise mobility design guide than 4.1? Some of Cisco's new WLAN features, such as CAPWAP, are not included in 4.1. It's time for Cisco to prepare a new design guide.
Hi Matthew,
Here is the guide: http://www.sap.com/mk/get?_EC=DRQ9ocPiuHUaeFthOrrkni
Regards,
Austin -
Pix 501 IPSec VPN no LAN access and no ping
Hello,
I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my PIX 501 via IPSec VPN and browse the internet, but I am unable to ping or connect to any devices in the remote LAN. Here is my config:
show config:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname pixfirewall
domain-name domain.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 195.7.x.x BLR-Quadria
name 176.76.1.0 LAN-CEPIC
name 176.76.1.40 ADMIN
name 176.76.1.253 SRV-Linux
name 212.234.98.224 ADSL-Quadria
name 81.80.252.129 sylob
name 176.76.1.33 poste-pcanywhere
name 176.76.1.179 TEST
name 10.1.1.0 VPN_CLIENT
name 176.76.1.100 SRVSVG01
name 176.76.1.116 SRV-ERP01
name 176.76.1.50 SRV-ERP00
object-group network WAN-Quadria
network-object BLR-Quadria 255.255.255.248
network-object ADSL-Quadria 255.255.255.248
object-group network SRV-CEPIC
network-object SRV-Linux 255.255.255.255
network-object ADMIN 255.255.255.255
network-object SRVSVG01 255.255.255.255
network-object SRV-ERP00 255.255.255.255
network-object SRV-ERP01 255.255.255.255
object-group service TCP-Linux-Quadria tcp
port-object eq 1812
port-object eq 222
port-object eq 10000
object-group service TCP-TSE-Quadria tcp
port-object eq 3389
object-group service PCAnywhereUDP udp
port-object range pcanywhere-status pcanywhere-status
access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
pager lines 24
logging on
logging console debugging
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 176.76.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attaque attack action alarm drop reset
ip audit name info info action alarm drop reset
ip audit interface outside info
ip audit interface outside attaque
ip audit interface inside info
ip audit interface inside attaque
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2003 disable
ip local pool VPN_POOL 10.1.1.10-10.1.1.20
pdm location ADMIN 255.255.255.255 inside
pdm location SRV-Linux 255.255.255.255 inside
pdm location BLR-Quadria 255.255.255.248 outside
pdm location ADSL-Quadria 255.255.255.248 outside
pdm location LAN-CEPIC 255.255.255.0 inside
pdm location poste-pcanywhere 255.255.255.255 inside
pdm location sylob 255.255.255.255 outside
pdm location TEST 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.224 outside
pdm location VPN_CLIENT 255.255.255.0 inside
pdm location VPN_CLIENT 255.255.255.224 outside
pdm location SRVSVG01 255.255.255.255 inside
pdm location SRV-ERP00 255.255.255.255 inside
pdm location SRV-ERP01 255.255.255.255 inside
pdm group WAN-Quadria outside
pdm group SRV-CEPIC inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 193.55.130.2 source inside
ntp server 80.67.179.98 source outside
ntp server 194.2.0.28 source outside prefer
http server enable
http BLR-Quadria 255.255.255.248 outside
http ADSL-Quadria 255.255.255.248 outside
http ADMIN 255.255.255.255 inside
http LAN-CEPIC 255.255.255.0 inside
snmp-server host inside SRV-Linux
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
vpngroup CEPIC_VPN_CLIENT default-domain domain.local
vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
vpngroup CEPIC_VPN_CLIENT idle-time 1800
vpngroup CEPIC_VPN_CLIENT password ********
telnet timeout 5
ssh BLR-Quadria 255.255.255.248 outside
ssh ADSL-Quadria 255.255.255.248 outside
ssh LAN-CEPIC 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxx
vpdn group pppoe_group ppp authentication chap
vpdn username xxxx password xxxxx store-local
username vg_vpn password xxxxx encrypted privilege 3
username test password xxxxxx encrypted privilege 3
username quadria password xxxxx encrypted privilege 15
username jml_vpn password xxxxx encrypted privilege 3
username jr_vpn password xxxxx encrypted privilege 3
username js_vpn password xxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:
I know this is a basic question but I would really appreciate the help!
Thanks so much
Hi,
You could try changing the split tunnel ACL to a standard ACL:
first remove it from the VPN configuration, then remove the ACL and recreate it as a standard ACL.
Current
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
New
access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
You could also try adding
fixup protocol icmp
fixup protocol icmp error
Have you monitored the logs while you are attempting to connect to the LAN network?
- Jouni -
Slow finder Browsing when accessing LAN via VPN connexion
I am running ML Server, latest update, on a 2010 Mac Mini Server machine.
When I am connected to my network from a remote location via VPN, and I try to browse my LAN structure with Finder, it takes ages for the list of folders/files to appear and refresh.
I have checked my VPN configuration and tried different type (L2TP, PPTP) but nothing significantly differ in term of browsing speed.
I also appreciate that the network connection at the remote location, as well as the upload speed on my local network, can influence the overall browsing speed, but after several tests I confirm I have more than 3 Mbps of upload bandwidth on the local network, and 20 Mbps minimum at the remote location.
I also tried AFP / SMB, but it does not seem to change anything.
So, I guess I hope the Community has already experienced the issue and some of you guys may have found a workaround to this issue.
Many thanks.
Why not try Cisco IPsec?
Input the following settings:
Interface: VPN
VPN Type: Cisco IPSec
Service Name: This can be anything, I left the default.
Edit the new interface details as follows:
Server Address: cisco.vpntraffic.com or other country vpn such as Portugal VPN
Account Name: Your vpn account
Password: Your vpn password
How to setup Mac OS X Built-In Cisco VPN -
Unable to Access Company LAN via VPN
Hello,
I have an ASA 5505 that I have been using to test-run the IPSec VPN connection. After studying the different configs and running through the ASDM I keep getting the same issue: I can't receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network; I have placed the VPN clients in the 192.168.10.0 255.255.255.0 network, and the 192 clients can't talk to the 10.8 network.
On the Cisco VPN client I can see lots of sent packets but none received.
I think it could be to do with NAT, but from the examples I have seen I believe it should work.
I have attached the complete running-config, as I could well have missed something.
Many Thanks for any help on this...
FWBKH(config)# show running-config
: Saved
ASA Version 8.2(2)
hostname FWBKH
domain-name test.local
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
name 9.9.9.9 zscaler-uk-network
name 10.8.50.0 inside-network-it
name 10.8.112.0 inside-servers
name 17.7.9.10 fwbkh-out
name 10.8.127.200 fwbkh-in
name 192.168.10.0 bkh-vpn-pool
interface Vlan1
nameif inside
security-level 100
ip address fwbkh-in 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address fwbkh-out 255.255.255.248
interface Vlan3
nameif vpn
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
banner login Trespassers will be Shot, Survivors will be Prosecuted!!!!
banner motd Trespassers will be Shot, Survivors will be Prosecuted!!!!
banner asdm Trespassers will be Shot, Survivors will be Prosecuted!!!!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 log warnings inactive
access-list inside_access_in extended permit ip inside-network-it 255.255.255.0 any inactive
access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www
access-list inside_access_in extended permit ip inside-servers 255.255.255.0 any log warnings
access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq www
access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq https
access-list outside_nat0_outbound extended permit ip bkh-vpn-pool 255.255.255.0 10.8.0.0 255.255.0.0
access-list outside_access_in extended permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 log errors inactive
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu vpn 1500
ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 10.8.0.0 255.255.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 17.7.9.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.8.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint BKHFW
enrollment self
subject-name CN=FWBKH
crl configure
crypto ca certificate chain BKHFW
certificate fc968750
308201dd 30820146 a0030201 020204fc 96875030 0d06092a 864886f7 0d010105
05003033 310e300c 06035504 03130546 57424b48 3121301f 06092a86 4886f70d
ccc6f3cb 977029d5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb
7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c53 f2
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.8.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy UK-VPN-USERS internal
group-policy UK-VPN-USERS attributes
dns-server value 10.8.112.1 10.8.112.2
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value UK-VPN-USERS_splitTunnel
default-domain value test.local
address-pools value UK-VPN-POOL
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15
username karl password XXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group UK-VPN-USERS type remote-access
tunnel-group UK-VPN-USERS general-attributes
address-pool UK-VPN-POOL
default-group-policy UK-VPN-USERS
tunnel-group UK-VPN-USERS ipsec-attributes
pre-shared-key *****
tunnel-group IT-VPN type remote-access
tunnel-group IT-VPN general-attributes
address-pool UK-VPN-POOL
default-group-policy UK-VPN-USERS
tunnel-group IT-VPN ipsec-attributes
pre-shared-key *****
class-map ALLOW-USER-CLASS
match access-list USER-ACL
class-map type inspect http match-all ALLOW-URL-CLASS
match not request header from regex ALLOW-ZSGATEWAY
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http ALLOW-URL-POLICY
parameters
class ALLOW-URL-CLASS
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
policy-map ALLOW-USER-URL-POLICY
class ALLOW-USER-CLASS
inspect http
service-policy global_policy global
service-policy ALLOW-USER-URL-POLICY interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00725d3158adc23e6a2664addb24fce1
: end
Hi Karl,
Please make the following changes:
ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0
no nat (outside) 0 access-list outside_nat0_outbound outside
access-list UK-VPN-USERS_SPLIT permit 10.8.0.0 255.255.0.0
group-policy UK-VPN-USERS attributes
split-tunnel-network-list value UK-VPN-USERS_SPLIT
no access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
no access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 192.168.254.0 255.255.255.0
management-access inside
As you can see, I did create a new pool, since you already have an interface in the 192.168.10.0/24 network, which does affect the VPN clients.
Once you are done, connect the client and try:
ping 10.8.127.200
Does it work?
Try to ping other internal IPs as well.
Let me know how it goes.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez -
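Both the PIX 501 thread and the ASA 5505 thread above come down to where the client pool sits relative to the firewall's own subnets and whether the NAT-0 exemption ACL actually covers it. The checker below is an added example, not code from either thread: it parses the 8.2-era `nat (if) 0 access-list` form together with PIX 6.x and ASA interface syntax, flags a pool that overlaps any interface subnet (the problem Portu fixed by moving the pool to 192.168.254.0/24), and confirms that some exemption ACE's destination covers the whole pool. The two configs embedded in it are constructed from the relevant lines of the ASA post and its fix; object NAT (ASA 8.3+) is not parsed.

```python
"""Static checks for remote-access VPN address pools on PIX 6.x / ASA 8.2.

Added example, not code from the thread. BAD_CONFIG mimics the ASA 5505 post
(pool carved out of the 'vpn' interface's own subnet); FIXED_CONFIG is the
same box after moving the pool to an unused prefix.
"""
import ipaddress

# Constructed: the failing layout from the thread, trimmed to the relevant lines.
BAD_CONFIG = """
name 10.8.127.200 fwbkh-in
name 192.168.10.0 bkh-vpn-pool
interface Vlan1
 nameif inside
 ip address fwbkh-in 255.255.0.0
interface Vlan3
 nameif vpn
 ip address 192.168.10.1 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
"""

# Constructed: same box after moving the pool to 192.168.254.0/24.
FIXED_CONFIG = """
name 10.8.127.200 fwbkh-in
interface Vlan1
 nameif inside
 ip address fwbkh-in 255.255.0.0
interface Vlan3
 nameif vpn
 ip address 192.168.10.1 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0
ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
nat (inside) 0 access-list inside_nat0_outbound_1
"""


def _net(tokens, i, names):
    """Parse the ACE address at tokens[i]; return (network, next index) or None."""
    tok = tokens[i]
    try:
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok == "host":
            return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
        ip, mask = names.get(tok, tok), tokens[i + 1]  # object-group etc. fails here and is skipped
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False), i + 2
    except (ValueError, IndexError):
        return None


def parse(text):
    """Collect names, interface subnets, local pools, nat-0 ACL bindings and permit-ip ACEs."""
    names, ifaces, pools, nat0, acls = {}, {}, {}, [], {}
    current_if = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            names[t[2]] = t[1]
        elif t[0] == "nameif" and len(t) >= 2:
            # ASA: 'nameif inside' under 'interface Vlan1'; PIX 6.x: 'nameif ethernet1 inside security100'
            current_if = t[1] if len(t) == 2 else t[2]
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            # PIX 6.x: ip address <if> <ip> <mask>; ASA: ip address <ip> <mask> under the interface
            ifname, ip, mask = (t[2], t[3], t[4]) if len(t) >= 5 else (current_if, t[2], t[3])
            try:
                ifaces[ifname] = ipaddress.ip_network(f"{names.get(ip, ip)}/{mask}", strict=False)
            except ValueError:
                pass  # 'pppoe setroute', 'dhcp' and similar carry no static address
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0.append((t[1].strip("()"), t[4]))
        elif t[0] == "access-list" and len(t) >= 4:
            rest = t[2:]
            if rest[0] == "extended":
                rest = rest[1:]
            if rest[:2] != ["permit", "ip"]:
                continue  # deny, non-ip, standard and object-group ACEs are out of scope here
            src = _net(rest, 2, names)
            dst = _net(rest, src[1], names) if src else None
            if src and dst:
                acls.setdefault(t[1], []).append((src[0], dst[0]))
    return {"names": names, "ifaces": ifaces, "pools": pools, "nat0": nat0, "acls": acls}


def check(text):
    """Return human-readable findings; an empty list means both checks passed."""
    cfg = parse(text)
    findings = []
    for pname, (first, last) in cfg["pools"].items():
        for ifname, net in cfg["ifaces"].items():
            if first in net or last in net:
                findings.append(f"pool {pname} {first}-{last} overlaps interface {ifname} {net}")
        covered = any(first in dst and last in dst
                      for _, acl in cfg["nat0"]
                      for _, dst in cfg["acls"].get(acl, []))
        if not covered:
            findings.append(f"pool {pname} is not covered by any nat 0 exemption ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread config", BAD_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, "->", check(cfg) or ["ok"])
```

Run against the thread's layout it reports the overlap with the `vpn` interface and nothing else, which matches the fix Portu gave; the same parser accepts the PIX 501 config's `ip address inside ...` and `name`-based exemption ACL from earlier on this page, where the pool 10.1.1.10-20 falls inside the 10.1.1.0/27 exemption and no overlap exists.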
ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients
Hi community,
I configured an IPSec remote access VPN on the ASA, and remote clients use the Cisco VPN client to connect to HQ. The VPN is working now: VPN clients can connect to servers inside and to IT's subnet, but from my PC or servers inside the LAN I cannot ping or initiate RDP to connected VPN clients. Below is my configuration:
object-group network RemoteVPN_LocalNet
network-object 172.29.168.0 255.255.255.0
network-object 172.29.169.0 255.255.255.0
network-object 172.29.173.0 255.255.255.128
network-object 172.29.172.0 255.255.255.0
access-list Split_Tunnel remark The Corporation network behind ASA
access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group remotevpngroup type remote-access
tunnel-group remotevpngroup general-attributes
address-pool remotevpnpool
authentication-server-group MS_LDAP LOCAL
default-group-policy Split_Tunnel_Policy
I don't know what I am missing in order to have the internal LANs initiate connections to connected VPN clients. Please guide me.
Thanks in advance.
Hi tranminhc,
Step 1: Create an object.
object network vpn_clients
subnet 10.88.61.0 mask 255.255.255.0
Step 2: Create a standard ACL.
access-list my-split standard permit 172.29.168.0 255.255.255.0
access-list my-split standard permit 172.29.169.0 255.255.255.0
access-list my-split standard permit 172.29.173.0 255.255.255.128
access-list my-split standard permit 172.29.172.0 255.255.255.0
Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
Step 4: Create new nat exemption.
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
Step 5: Apply ACL on the tunnel.
group-policy Split_Tunnel_Policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-split
Step 6:
I assume you have a default route on your inside L3 switch pointing back to the ASA's inside address. If you don't have one,
please add a default route or add a static route as shown below.
route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = the ASA's inside interface address.
Hope this helps.
Thanks
Rizwan Rafeek -
Cant use VPN on LAN but can on WIFI
Hi
I am currently running 10.8.2 and when connected to the network using a LAN cable I can't use any of my VPN connections...
But when I disconnect from the LAN and turn on Wi-Fi all VPNs work???
Any ideas?
From the menu bar, select
▹ System Preferences ▹ Network
If the Network preference pane is locked, click the lock icon in the lower left corner and enter your password to unlock it. Select the Ethernet connection, then click the Advanced button and select the Hardware tab. Select
Configure: Manually
and
MTU: Custom
Enter an MTU value of 1280.
Click OK and then Apply. Test.
You must apply the change before it takes effect.
If the issue is resolved, experiment with higher MTU values until you find the highest one that works. The higher the MTU, the better the network interface will perform.
If changing the MTU has no effect, restore the Configure setting to Automatically. -
No internet connection while actively connected to LAN via ethernet
I am having trouble connecting to the internet while working in my office at school via the university's LAN. Everything worked fine last Friday when I left for the weekend, and then Monday morning it would not connect. Over the weekend I updated the firmware with the MacBook EFI Firmware Update 1.2. I'm not sure if this update may have reconfigured my network settings. I have an older PowerBook that still connects fine to the university's network. The strange thing is that when I plug in the ethernet cable and go into Network Diagnostics it shows that I am connected to the network via ethernet. If I run through the diagnostics for ethernet connections, the network status is fine for the ethernet, network settings, and ISP, but the internet and server fail, citing no connection. I cannot connect to the internet via Firefox or Safari, but I can use Yahoo Instant Messenger fine. If I can use the messenger, why can't I connect to the internet? When I first connect my computer to the ethernet cable after a restart the internet works for maybe a minute, then says it cannot find the network. I have done some searching around and think this may be an IP address issue, but have no clue how to remedy the situation. I have contacted our IT people and, being a PC university, no one can help me with a Mac.
Thank you for any insight into this issue!
If you have Yahoo, then you can access the internet. Is it possible that the Yahoo IM client uses a hardcoded IP address to contact the Yahoo IM servers?
If you run Applications -> Utilities -> Network Utility -> Lookup
can you lookup any network names and get their IP address?
I'm wondering if you have valid DNS servers. -
How access Office LAN via Cisco Router & Switches HELP!!
Hello everyone!
For starters I am no Cisco guru but at least find my way around a few things here and there.
I work as the IT dude for a company with two branches at different geolocations.
Our local network infrastructure at both the HQ and branch offices comprises a Cisco 1941 router and SF 300 24P managed switches, which hook up our servers, workstations and VoIP phones.
The dedicated internet [DI] is connected via a Hughes radio link which belongs to the telco and on a different IP class and connects to interface 0/0 of Cisco 1941. Interface 0/1 is then connected to one of the SF 300 24P managed switches on another IP class for LAN [192.168.1/24]
I have three questions.
1. How do I access for example the File Server on the Corporate LAN from home?
2. How do I get workstations at branch offices authenticate with Active Directory Server at the HQ?
3. How do I get VoIP phones in the branch offices hooked up to the HQ VoIP PBX?
Thank you very much. -
Cannot print to printer on ethernet lan via wireless router
Hi,
Apple Macbook connected via Airport running class A network 10.0.0.X, which is connected to a Netgear 4 port router running class C network 192.168.0.X. Also on this class C network is a LAN network printer and a Windows PC. The Netgear router is connected to the internet and the Apple Macbook can connect to the internet and can ping the printer connected to the Netgear router, but when it sends a print job to this printer, the response is "Printer is busy. Will Retry in 30 seconds"
The windows PC can print to the network printer (both connected to the same netgear router) just fine.
the Macbook is running 10.4.11.
Please help.. and thanks in advance!
Network Printer Troubleshooting
Ping printer: If you have the printers IP address open Terminal (Applications/Utilities) and at the prompt type: ping {printerIP}. You will get a reply or failure.
If you haven't done so already, try resetting the printing system.
OS X Mavericks: Reset the printing system also Yosemite -
Setup iCal server accessible to the LAN via web browser
Hello guys,
I am newbie in mac server and I believe there are lots of guys over there that could help me.
Here's my environment:
Software/Server: Mac OS X Server 10.6
Hardware: Mac Mini Server Snow Leopard
LAN/internet Setup:
Broadband -> router -> mac mini server
-> mac users
-> pc users
Now, here's my scenario:
The mac mini is already running (OS is already installed) and acts as a normal computer: internet browsing, doing some documents and so on and so forth. But now, we decided to make the mac mini server a server (calendar (iCal) server, address book server, web server). I'm not so familiar with DNS, DHCP or networking things needed to get the client computers connected to the server.
My main concern is that I want the calendar to be accessible via web browser in our local network (something like this -> http://calendar.company/ or via the IP address of the server, like http://192.168.1.20/), so that Mac and PC users connected to our LAN (router) can access and share their calendar.
Now questions are:
1. How can I setup the mac mini server and calendar server to be accessible via web browser to the mac and pc users?
2. Do I still need to setup DNS and public IP for my server?
3. Where can I get a step by step tutorials that I could follow?
All recommendations and comments are all appreciated
Thanks in advance,
Emmman
I can't find any clear, step-by-step instructions for my concern. I am not expecting this to be easy (so that even a non-IT person can set it up) as Apple advertises, but as I am reading the documentation I notice these things have to be properly set up:
1. Functional DNS system. - This is a high level networking Stuff(Non-IT can't even understand it).
2. IP addresses, reverse IP's etc - Non-IT can't even understand it
3. Router Configurations - Non-IT can't even understand it.
and so on and so forth.
We, the newbie on mac server just need a clear and step by step scenario on how to setup the whole thing.
Thank you. -
Hi
I am trying to figure out how to design my network.
The basic topology is Internet --> Gateway -> Router -> Switch -> PC's
On the switch I want to create 14 separate VLANs.
Each VLAN should have a subnet of 10.10.10.x/29, which gives me 6 usable addresses per subnet/VLAN.
The VLANs should not be allowed to communicate with each other.
Each VLAN should receive DHCP from the router.
I will create a trunk between the Gbit ports on the router and the switch.
I have looked at buying the following equipment:
Switch: Catalyst WS-C2960-48TC-L
Router: Catalyst WS-C3560-8PC-S
Is there anything wrong with this setup? Also did I choose the right equipment? btw I already own the L2 switch.
My final question is how to create an access-list that would stop the VLAN's from being able to communicate with each other.
Any help is very appreciated!
/Martin
Martin,
The 3560 is itself an L3 switch; for communication from the local LAN subnet to the Internet you need NAT functionality, and 3560 switches do not support NAT.
If you have a router like an 1800, 2600 or any router series which you can buy for your setup, it can be used for the Internet functionality; with a router you can have a router-on-a-stick configuration for the L2 switch with the router interface.
Check out the link below for the router-on-a-stick concept, and apply the ACL on the sub-interface in the in direction to restrict the traffic entering the other VLANs.
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
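The router-on-a-stick layout described in the answer above, as an added example that is not part of the original thread and not Cisco's sample config. It is written in Python so the generated IOS lines can be checked offline: it carves the 14 /29s from 10.10.10.0, emits one dot1Q subinterface, DHCP pool and inbound ACL per VLAN, and applies the ACL the way IOS does (first match wins, implicit deny at the end) to a few constructed flows. Everything not stated in Martin's post is an assumption: the trunk port is GigabitEthernet0/1, the VLAN IDs are 10 to 23, the first usable host of each /29 is the router subinterface, and the ACL names VLANnn-IN are made up here.

```python
"""Router-on-a-stick: one dot1Q subinterface per VLAN, an inbound ACL on each
that blocks routed traffic to every other tenant subnet but keeps DHCP and
Internet working.  Added example, not from the thread.  Assumed (not stated in
the post): trunk port GigabitEthernet0/1, VLAN IDs 10-23, /29s carved in order
from 10.10.10.0, first usable host of each /29 = router subinterface/gateway."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BASE = ipaddress.ip_network("10.10.10.0/24")
VLAN_COUNT, FIRST_VLAN, TRUNK = 14, 10, "GigabitEthernet0/1"
ANY = ipaddress.ip_network("0.0.0.0/0")


def vlan_subnets():
    """[(vlan_id, /29 network), ...] carved consecutively from BASE."""
    nets = list(BASE.subnets(new_prefix=29))[:VLAN_COUNT]
    return [(FIRST_VLAN + i, n) for i, n in enumerate(nets)]


def gateway(net):
    """First usable host of the /29 is the router's subinterface address."""
    return next(net.hosts())


def tenant_aggregate():
    """Smallest prefix covering all tenant /29s: the range the ACL denies."""
    nets = [n for _, n in vlan_subnets()]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg


def ios_addr(net):
    """IOS address/wildcard form: 'any', 'host a.b.c.d' or 'a.b.c.d w.w.w.w'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else e.g. "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port, None = any
    remark: str = ""

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst

    def ios(self):
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f" {self.action} {self.proto} {ios_addr(self.src)} {ios_addr(self.dst)}{port}"


def acl_for(net, agg) -> List[Ace]:
    """Inbound ACL for one VLAN.  Order matters: IOS takes the first match."""
    gw = ipaddress.ip_network(f"{gateway(net)}/32")
    return [
        Ace("permit", "ip", net, gw, remark="own gateway: ping, unicast DHCP renewals"),
        Ace("permit", "udp", ANY, ANY, 67, remark="DHCP discover/request; explicit so it survives if the final permit is narrowed"),
        Ace("deny", "ip", ANY, agg, remark="every other tenant /29, including unused ones in the aggregate"),
        Ace("permit", "ip", ANY, ANY, remark="everything else, i.e. the Internet via the gateway"),
    ]


def evaluate(acl, proto, src, dst, dport=None):
    """Apply the ACL as IOS does: first matching entry wins, implicit deny last."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


def build_config():
    """Render DHCP pools, ACLs and subinterfaces for all VLANs as IOS config."""
    agg, out = tenant_aggregate(), []
    for vid, net in vlan_subnets():
        gw, name = gateway(net), f"VLAN{vid}-IN"
        out += [f"ip dhcp excluded-address {gw}", f"ip dhcp pool VLAN{vid}",
                f" network {net.network_address} {net.netmask}",
                f" default-router {gw}", f"ip access-list extended {name}"]
        for ace in acl_for(net, agg):
            out += [f" remark {ace.remark}", ace.ios()]
        out += [f"interface {TRUNK}.{vid}", f" encapsulation dot1Q {vid}",
                f" ip address {gw} {net.netmask}",
                f" ip access-group {name} in", "!"]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_config())
```

Running the script prints the VLAN side of the router configuration only; the WAN interface and NAT that Ganesh mentions are not included. Two points worth checking before pasting it in: the deny entry covers the whole 10.10.10.0/25 aggregate, so a host can reach its own gateway but not the router's other subinterface addresses or any spare /29, and the ACL only sees routed traffic, so hosts inside the same /29 still reach each other directly at layer 2. On the 2960 the port facing the router must be a trunk carrying VLANs 10 to 23, otherwise the subinterfaces never see tagged frames.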