EZ VPN client in DMZ and a router-on-a-stick
Does anyone know if it is possible to use a Cisco 1811 as an EZVPN client while the router is set up with only one interface? I have a customer that requested their VPN router to us be set up in their DMZ with no public-facing interface on the 1811 (VPN device). I usually configure our VPN configurations with an internet-facing interface and a DMZ-facing interface.
I don't think it is possible with only one *logical* interface. A router as an EZVPN Client requires two interfaces to do PAT for traffic going to the Internet. So far as I know, this is autoconfigured in both Client and NEM modes and cannot be disabled. However, you *can* use an 802.1q trunk to create two *logical* interfaces and configure EZVPN Client, or just configure Site-to-Site on a stick.
HTH
Similar Messages
Site-to-site vpn with 2 asa and home router
I am trying to establish a site-to-site VPN between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505s establishing the tunnel; on the remote end there is a Linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
Internal Network Local ASA ISP1 ISP2 Remote Router Remote ASA Remote Network
192.168.1.0/24 local-gateway/public ip public ip/192.168.0.1/24 192.168.0.10/10.10.10.254 10.10.10.0/24
10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
Below are the configs of the local and remote ASA. Any help would be greatly appreciated.
local-asa
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.6 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Switch
host 192.168.1.5
description 2960-24 Switch
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Mark_Public
host 76.98.2.63
description Mark Public
object network Mark
subnet 10.10.10.0 255.255.255.0
description Marks Network
object network Mark_routed_subnet
subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
access-list Home standard permit 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.1.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
aaa accounting enable console Radius
aaa accounting serial console Radius
aaa accounting ssh console Radius
aaa accounting telnet console Radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.162.9.0 255.255.255.0 outside
http 76.98.2.63 255.255.255.255 outside
http 10.10.10.0 255.255.255.0 inside
snmp-server host inside 192.168.1.101 community *****
snmp-server location 149 Cinder Cross
snmp-server contact Ted Stout
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps cpu threshold rising
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 76.98.2.63
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=stout-fw
keypair vpn.stoutte.homeip.net
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint Home--Server-CA
enrollment terminal
subject-name CN=stout-fw,O=home
keypair HOME-SERVER-CA
crl configure
crypto ca trustpoint HOME-SSL
enrollment terminal
fqdn stoutfw.homeip.net
subject-name CN=stoutfw,O=Home
keypair HOME-SSL
no validation-usage
crl configure
crypto ca trustpoint SelfSigned
enrollment self
fqdn stoutfw.homeip.net
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 192.168.1.6
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.5 source inside prefer
ssl trust-point SelfSigned outside
ssl trust-point ASDM_TrustPoint2 inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
username stoutte attributes
webvpn
anyconnect keep-installer installed
anyconnect profiles value VPN_client_profile type user
tunnel-group 76.98.2.63 type ipsec-l2l
tunnel-group 76.98.2.63 general-attributes
default-group-policy GroupPolicy1
tunnel-group 76.98.2.63 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group Radius LOCAL
default-group-policy GroupPolicy_VPN
dhcp-server link-selection 192.168.1.101
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
remote-asa
: Saved
ASA Version 9.1(1)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name netlab.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Ted
subnet 192.168.1.0 255.255.255.0
description Teds Network
object network Ted_Public
host 24.163.116.187
object network outside_private
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit ip object Ted_Public any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging debug-trace
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 24.163.116.187 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 24.163.116.187
crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map2 interface outside
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.10.10.1-10.10.10.20 inside
dhcpd enable inside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
tunnel-group 24.163.116.187 type ipsec-l2l
tunnel-group 24.163.116.187 general-attributes
default-group-policy GroupPolicy1
tunnel-group 24.163.116.187 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
: end
no asdm history enable
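An added check (example code written for this page, not from the post or from Cisco) for the one-way tunnel above: it parses each posted ASA config's crypto ACL and identity-NAT rules and reports whether the two interesting-traffic ACLs are exact mirrors of each other and whether a NAT exemption covers every crypto ACL entry. The config strings are trimmed excerpts of the posted local-asa and remote-asa configs; BAD_REMOTE is a constructed variant with a /25 mask to show a detected mismatch.

```python
"""Cross-check two ASA site-to-site peers: mirrored crypto ACLs and NAT exemption."""
import re
from ipaddress import IPv4Network as Net
from typing import Dict, List, Tuple

Pair = Tuple[Net, Net]

# Trimmed excerpts of the local-asa and remote-asa configs posted above.
LOCAL_ASA = """
object network Mark
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
crypto map outside_map0 1 match address outside_cryptomap
"""
REMOTE_ASA = """
object network Ted
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
crypto map outside_map2 1 match address outside_cryptomap
"""
# Constructed variant: the remote peer defines the far side as a /25, so its crypto
# ACL no longer mirrors the local /24 and quick mode would fail for that entry.
BAD_REMOTE = REMOTE_ASA.replace("192.168.1.0 255.255.255.0", "192.168.1.0 255.255.255.128")

def parse_objects(cfg: str) -> Dict[str, Net]:
    """Map each 'object network NAME' to the subnet or host it defines."""
    objs: Dict[str, Net] = {}
    current = None
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:2] == ["object", "network"]:
            current = toks[2]
        elif current and toks[:1] == ["subnet"]:
            objs[current] = Net(f"{toks[1]}/{toks[2]}")   # address/netmask form
        elif current and toks[:1] == ["host"]:
            objs[current] = Net(f"{toks[1]}/32")
    return objs

def parse_operand(toks: List[str], objs: Dict[str, Net]) -> Tuple[Net, int]:
    """Decode one ACL address operand; return (network, number of tokens used)."""
    if toks[0] in ("any", "any4"):
        return Net("0.0.0.0/0"), 1
    if toks[0] == "host":
        return Net(f"{toks[1]}/32"), 2
    if toks[0] == "object":
        return objs[toks[1]], 2
    return Net(f"{toks[0]}/{toks[1]}"), 2

def crypto_acl(cfg: str) -> List[Pair]:
    """(src, dst) pairs of the ACL referenced by 'crypto map ... match address'."""
    m = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg)
    if not m:
        raise ValueError("no 'crypto map ... match address' line found")
    name, objs, pairs = m.group(1), parse_objects(cfg), []
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, used = parse_operand(toks[5:], objs)
            dst, _ = parse_operand(toks[5 + used:], objs)
            pairs.append((src, dst))
    return pairs

def mirror_mismatches(a: List[Pair], b: List[Pair]) -> Tuple[List[Pair], List[Pair]]:
    """Entries on each side with no exact reversed (dst, src) twin on the other.
    IKEv1 quick mode needs the proxy identities to agree exactly, so a /24 on
    one side and a /25 on the other is a mismatch even though they overlap."""
    rev_a = {(d, s) for s, d in a}
    rev_b = {(d, s) for s, d in b}
    return [p for p in a if p not in rev_b], [p for p in b if p not in rev_a]

def nat_exemptions(cfg: str, objs: Dict[str, Net]) -> List[Pair]:
    """Identity twice-NAT rules (real == mapped on both ends), i.e. NAT exemptions."""
    rule = r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    return [(objs[rs], objs[rd]) for rs, ms, rd, md in re.findall(rule, cfg)
            if rs == ms and rd == md]

def unexempted(cfg: str) -> List[Pair]:
    """Crypto ACL entries no identity NAT rule covers: that traffic would be PAT'd
    to the outside address before encryption and never match the tunnel."""
    exempt = nat_exemptions(cfg, parse_objects(cfg))
    return [(s, d) for s, d in crypto_acl(cfg)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
```

Run against the two posted configs, both checks pass, which rules out an ACL mirror or NAT-exemption mistake as the cause of the one-way traffic.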
How to configure Multiple PPTP VPN Clients on cisco 3g supported Router
I want the router to be a PPTP VPN client to 2 independent PPTP servers, both in different cities on Cisco routers. I have tested with one on a Cisco 1841 and it's working fine; but when I add the 2nd, it's using vpdn-group 1 and therefore connecting to the wrong PPTP server:
Here is the config for the one that works:
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip xxx.xxx.xxx.xxx
interface Dialer0
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly
zone-member security private
encapsulation ppp
ip igmp query-interval 125
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap eap chap pap callin
ppp eap refuse
ppp chap hostname xxx@xxx
ppp chap password 7 xxxpassword
But if I create a vpdn-group 2 and a Dialer1 interface with dialer-group 2, it's still attempting to connect to the IP in vpdn-group 1. How do I get it to use the 2nd vpdn-group, or how do I make this work? And which Cisco 3G router would you prefer, because these are remote sites and only 3G Internet service is available.
VPN Client Accounts: "Username and passwords must consist of numbers or letters"
I am configuring a username in the VPN Client Accounts within a Cisco WRVS4400N.
The username I must enter is in the form: [email protected]
Unfortunately, when I input that username, the system informs me that I cannot have anything other than numbers and letters.
The instructions from my University require us to use that FULL email format.
http://net-services.ufl.edu/provided_services/vpn/anyconnect/legacy-install.html
Is there a way to fix this?
Any solution for this? How can I pass in a blank domain parameter so I am automatically logged in instead of receiving the log-in dialog asking for the domain?
RV320: VPN periodically freezes up and requires router reboot
This occurs for both site-to-site as well as client VPN. When it occurs, VPNs cannot reconnect. Is there a known issue?
Hi, on this topic I'd like to post my problem. So I have a WRT120N wireless router, and I had a problem with connecting two computers (one PC on cable, the other a notebook on wireless). When both computers are online, the router starts to reboot. Event Viewer posted:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0000E87303EE. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server. Especially when trying to send a file between computers through Skype.
So that was the first problem; now I can't connect to the internet at all. I've found almost the same problem:
The computer is able to connect to the router perfectly fine, but I can't get on to the internet because I'm unable to acquire an IP address from the router. Instead of giving me my 198.168.1.x IP, I'm getting a 169.254.x.x.
But the thing is that I can't connect to the router address 192.168.1.1. I tried to reset the router but still nothing. Any ideas? How do I connect to the router?
VPN Client can't reach router or hosts, but can reach other connected sites.
We have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, it cannot reach the 2901 or any devices directly behind it, BUT it can reach routers and hosts that are connected to the same 2901 through site-to-site connections.
A few notes:
I have added some lines excluding NAT in a few different ways, but that does not resolve it.
I have switched the RA pool from 10.96.20.x to 172.21.20.x and can then connect to the local host. It appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
Any help would be greatly appreciated. Here is the config:
boot-start-marker
boot system flash
boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
no ip domain lookup
ip inspect log drop-pkt
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL ntp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL dns
ip inspect name FIREWALL l2tp
ip inspect name FIREWALL pop3
ip inspect name FIREWALL icmp router-traffic
no ipv6 cef
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp policy 95
authentication pre-share
group 2
crypto isakmp policy 99
hash md5
authentication pre-share
group 2
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp client configuration group VPN-RAS
key *********
dns 10.96.17.2 10.1.200.50
wins 10.96.17.2 10.1.200.50
domain mine.com
pool RAPOOL
acl SPLIT
save-password
split-dns mind.com
netmask 255.255.255.0
crypto isakmp profile USERS
match identity group VPN-RAS
client authentication list DOMAIN
isakmp authorization list VPN-RAS
client configuration address respond
keepalive 300 retry 5
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set DES esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
mode tunnel
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map dynmap 1
set transform-set AES128
set isakmp-profile USERS
crypto map COMPANY_VPN 10 ipsec-isakmp
set peer *******
set transform-set 3DES-MD5
match address PA-VPN
qos pre-classify
crypto map COMPANY_VPN 50 ipsec-isakmp
set peer ******
set transform-set AES128
match address VPN
qos pre-classify
crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 37.222.111.224 255.255.255.248
ip access-group INBOUND in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map COMPANY_VPN
interface GigabitEthernet0/1
no ip address
ip flow ingress
duplex auto
speed auto
interface GigabitEthernet0/1.17
description LAN
encapsulation dot1Q 17
ip address 10.96.17.253 255.255.255.0
ip access-group OUTBOUND in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
standby 0 ip 10.96.17.254
standby 0 priority 110
standby 0 preempt
standby 0 track 1 decrement 20
interface GigabitEthernet0/1.27
description VOICE
encapsulation dot1Q 27
ip address 192.168.17.254 255.255.255.0
ip access-group OUTBOUND in
ip helper-address 10.96.17.2
ip flow ingress
ip nat inside
ip virtual-reassembly in
h323-gateway voip bind srcaddr 192.168.17.254
ip local pool RAPOOL 10.96.20.50 10.96.20.150
ip forward-protocol nd
ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 37.222.111.223
ip route 10.96.16.0 255.255.255.0 10.96.17.250
ip route 172.22.1.0 255.255.255.0 10.96.17.250
ip route 172.22.2.0 255.255.255.0 10.96.17.250
ip route 172.22.3.0 255.255.255.0 10.96.17.250
ip route 192.168.16.0 255.255.255.0 10.96.17.250
ip access-list extended DMZ
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended GUEST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended INBOUND
deny ip 80.25.124.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit udp host 173.239.147.114 any eq isakmp
permit esp host 173.239.147.114 any
deny ip 192.168.0.0 0.0.255.255 any
permit udp any host 37.222.111.224 eq isakmp
permit udp any host 37.222.111.224 eq non500-isakmp
permit esp any host 37.222.111.224
ip access-list extended NAT
deny ip 10.96.20.0 0.0.0.255 any
deny ip any 10.96.20.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended NONAT
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
ip access-list extended OUTBOUND
deny udp any host 22.55.77.106 eq isakmp
deny udp any host 22.55.77.106 eq non500-isakmp
deny esp any host 22.55.77.106
permit ip any any
ip access-list extended PA-VPN
permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
ip access-list extended SPLIT
permit ip 10.0.0.0 0.255.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VPN
permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
route-map NAT-POOL deny 5
match ip address NONAT
route-map NAT-POOL permit 10
match ip address NATWe have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, cannot reach the 2901 or any devices directly behind it, BUT can reach routers and hosts that are connected to the same 2901 through site to site connections.
A few notes:
I have added some lines excluding NAT in a few different ways, but that does not resolve it.
I have switched the RA pool from 10.96.20.x to 172.21.20.x and can then connect to the local host. It appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
Any help would be greatly appreciated. Here is the config:
boot-start-marker
boot system flash
boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
no ip domain lookup
ip inspect log drop-pkt
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL ntp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL dns
ip inspect name FIREWALL l2tp
ip inspect name FIREWALL pop3
ip inspect name FIREWALL icmp router-traffic
no ipv6 cef
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp policy 95
authentication pre-share
group 2
crypto isakmp policy 99
hash md5
authentication pre-share
group 2
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp client configuration group VPN-RAS
key *********
dns 10.96.17.2 10.1.200.50
wins 10.96.17.2 10.1.200.50
domain mine.com
pool RAPOOL
acl SPLIT
save-password
split-dns mind.com
netmask 255.255.255.0
crypto isakmp profile USERS
match identity group VPN-RAS
client authentication list DOMAIN
isakmp authorization list VPN-RAS
client configuration address respond
keepalive 300 retry 5
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set DES esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
mode tunnel
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map dynmap 1
set transform-set AES128
set isakmp-profile USERS
crypto map COMPANY_VPN 10 ipsec-isakmp
set peer *******
set transform-set 3DES-MD5
match address PA-VPN
qos pre-classify
crypto map COMPANY_VPN 50 ipsec-isakmp
set peer ******
set transform-set AES128
match address VPN
qos pre-classify
crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 37.222.111.224 255.255.255.248
ip access-group INBOUND in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map COMPANY_VPN
interface GigabitEthernet0/1
no ip address
ip flow ingress
duplex auto
speed auto
interface GigabitEthernet0/1.17
description LAN
encapsulation dot1Q 17
ip address 10.96.17.253 255.255.255.0
ip access-group OUTBOUND in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
standby 0 ip 10.96.17.254
standby 0 priority 110
standby 0 preempt
standby 0 track 1 decrement 20
interface GigabitEthernet0/1.27
description VOICE
encapsulation dot1Q 27
ip address 192.168.17.254 255.255.255.0
ip access-group OUTBOUND in
ip helper-address 10.96.17.2
ip flow ingress
ip nat inside
ip virtual-reassembly in
h323-gateway voip bind srcaddr 192.168.17.254
ip local pool RAPOOL 10.96.20.50 10.96.20.150
ip forward-protocol nd
ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 37.222.111.223
ip route 10.96.16.0 255.255.255.0 10.96.17.250
ip route 172.22.1.0 255.255.255.0 10.96.17.250
ip route 172.22.2.0 255.255.255.0 10.96.17.250
ip route 172.22.3.0 255.255.255.0 10.96.17.250
ip route 192.168.16.0 255.255.255.0 10.96.17.250
ip access-list extended DMZ
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended GUEST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended INBOUND
deny ip 80.25.124.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit udp host 173.239.147.114 any eq isakmp
permit esp host 173.239.147.114 any
deny ip 192.168.0.0 0.0.255.255 any
permit udp any host 37.222.111.224 eq isakmp
permit udp any host 37.222.111.224 eq non500-isakmp
permit esp any host 37.222.111.224
ip access-list extended NAT
deny ip 10.96.20.0 0.0.0.255 any
deny ip any 10.96.20.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended NONAT
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
ip access-list extended OUTBOUND
deny udp any host 22.55.77.106 eq isakmp
deny udp any host 22.55.77.106 eq non500-isakmp
deny esp any host 22.55.77.106
permit ip any any
ip access-list extended PA-VPN
permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
ip access-list extended SPLIT
permit ip 10.0.0.0 0.255.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VPN
permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
route-map NAT-POOL deny 5
match ip address NONAT
route-map NAT-POOL permit 10
match ip address NAT -
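Added example (mine, not from the post or any reply): a check of which crypto map entry owns a given flow. IOS walks a crypto map in ascending sequence order and the first entry whose match-address ACL permits the packet claims it, so the dynamic entry at sequence 999 only sees what sequences 10 and 50 left over. The script copies the PA-VPN and VPN ACLs and the sequence numbers from the config above; the LAN host and client addresses it tests are constructed. Run as is, a packet from the LAN VLAN to a client in the original pool (10.96.17.10 to 10.96.20.50) is claimed by sequence 50, the site-to-site entry, through the line `permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255`, whereas the same packet to 172.21.20.50 falls through to the dynamic entry. That is consistent with the two outcomes the poster reports for the two pools, and it is the overlap to look at whenever a client pool is carved out of a network that also appears in a site-to-site crypto ACL.

```python
"""Which crypto map entry claims a flow?  (added example, not from the post)

IOS walks the entries of a crypto map in ascending sequence-number order
and the first entry whose 'match address' ACL permits the packet owns it;
the dynamic entry (sequence 999 in the posted map) is only reached when no
static entry matched.  The two static match-address ACLs and the sequence
numbers below are copied from the posted config; the flows in main() are
constructed.
"""
import ipaddress

# 'match address' ACLs of crypto map COMPANY_VPN, exactly as posted.
ACLS = {
    "PA-VPN": """
permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
""",
    "VPN": """
permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
""",
}

# crypto map COMPANY_VPN: (sequence, match-address ACL).  None marks the
# 'ipsec-isakmp dynamic dynmap' entry, which has no ACL of its own.
CRYPTO_MAP = [(10, "PA-VPN"), (50, "VPN"), (999, None)]


def parse_ace(line):
    """'permit|deny ip SRC SRCWILD DST DSTWILD' -> (action, src_net, dst_net)."""
    action, proto, src, swild, dst, dwild = line.split()
    if proto != "ip":
        raise ValueError(f"only 'ip' entries are handled: {line}")
    # ipaddress accepts an (address, hostmask) tuple, so an IOS wildcard converts directly.
    return (action,
            ipaddress.ip_network((src, swild), strict=False),
            ipaddress.ip_network((dst, dwild), strict=False))


def acl_permits(acl_text, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.strip().splitlines():
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def matching_entry(src, dst, crypto_map=CRYPTO_MAP, acls=ACLS):
    """Sequence number of the first crypto map entry that claims src -> dst."""
    for seq, acl_name in crypto_map:
        if acl_name is None:
            return seq   # dynamic entry: whatever proxy identity the client negotiated
        if acl_permits(acls[acl_name], src, dst):
            return seq
    return None


if __name__ == "__main__":
    lan_host = "10.96.17.10"                          # a host on the LAN VLAN (constructed)
    for client in ("10.96.20.50", "172.21.20.50"):    # one address from each pool tried in the post
        print(f"{lan_host} -> {client}: crypto map entry {matching_entry(lan_host, client)}")
```

The reverse direction behaves the same way: a packet arriving from a client at 10.96.20.x is checked against the inbound SA it came in on, and the site-to-site entry's ACL also covers 10.96.0.0/16 to 10.0.0.0/8, so the overlap exists on both sides of the tunnel.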
Vpn configuration problems 2621xm and vpn client
Hello,
I'm trying to configure my home Cisco 2621XM to accept VPN connections. I've used many Cisco PDF documents and they are all almost the same, so I've done my configuration using these documents.
Now I just can't get past this error message I'm getting and I have no idea why this is happening.
Any ideas to help me get past this step? I'm really stuck here.
Also, I've tried VPN client versions 5 and 4.8.
Cisco IOS version is:
Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 05:48 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
vision-router-01 uptime is 2 hours, 53 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advipservicesk9-mz.124-16.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 2621XM (MPC860P) processor (revision 1.0) with 127308K/3764K bytes of memory.
Processor board ID JAD06350FM7
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Here is the config that's VPN related:
aaa authentication login MYTAC group tacacs+ local enable
aaa authorization network GROUPAUTHOR local
username someuser password 0 somepassword
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration group VTELVPN
key cisco123
dns 192.168.10.5
domain xyz.com
pool VTELVPNPOOL
crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
crypto dynamic-map VTELDYNAMAP 10
set transform-set VTELSET1
set identity thisrouter-01
reverse-route
crypto map VTELCLIENTMAP client authentication list MYTAC
crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
crypto map VTELCLIENTMAP client configuration address respond
crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp chap hostname xxxxxx
ppp chap password 7 hahahahohoho
ppp pap sent-username xxxxxx password 7 hahahahohoho
crypto map VTELCLIENTMAP
ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254
Hi
Can you try assigning a static IP to the dialer interface and then check the VPN connectivity?
regds -
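Added example (mine, not from the post or the reply): a consistency check for the names an IOS crypto map hands off to. The crypto map refers to an authentication list, an authorization list, a pool, a transform set and a dynamic map purely by name, and IOS does not cross-check those names against each other when the line is entered, so a typo only shows itself when a client tries to connect. The script collects definitions and references from the posted config (the lines that carry a name definition or reference, copied verbatim; isakmp policy, keepalive and PPP credential lines are left out because they reference nothing) and lists every name that is used but never defined. On this config it reports exactly one: the crypto map's `isakmp authorization list GROUPAUTOHOR` against the `aaa authorization network GROUPAUTHOR` that is actually defined. The post does not say which error message was seen, so the page does not show whether that is the cause, but it is a mismatch worth ruling out before anything else.

```python
"""Dangling-reference check for an IOS VPN config (added example, not from the post).

An IOS crypto map or ISAKMP client group refers to AAA method lists, address
pools, transform sets and dynamic maps by name.  This script collects the
definitions and the references from a config and reports every name that is
used but never defined.  CONFIG is the name-carrying part of the config in
the post, with no names changed.
"""
import re

CONFIG = """
aaa authentication login MYTAC group tacacs+ local enable
aaa authorization network GROUPAUTHOR local
crypto isakmp client configuration group VTELVPN
 key cisco123
 dns 192.168.10.5
 domain xyz.com
 pool VTELVPNPOOL
crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
crypto dynamic-map VTELDYNAMAP 10
 set transform-set VTELSET1
 reverse-route
crypto map VTELCLIENTMAP client authentication list MYTAC
crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
crypto map VTELCLIENTMAP client configuration address respond
crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
interface Dialer1
 ip address negotiated
 crypto map VTELCLIENTMAP
ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254
"""

# (kind, regex whose group 1 is the name being DEFINED)
DEFINITIONS = [
    ("authentication list", r"^aaa authentication login (\S+)"),
    ("authorization list",  r"^aaa authorization network (\S+)"),
    ("local pool",          r"^ip local pool (\S+)"),
    ("transform-set",       r"^crypto ipsec transform-set (\S+)"),
    ("dynamic-map",         r"^crypto dynamic-map (\S+)"),
    ("crypto map",          r"^crypto map (\S+)"),
]
# (kind, regex whose group 1 is the name being REFERENCED); sub-mode lines are indented
REFERENCES = [
    ("authentication list", r"^crypto map \S+ client authentication list (\S+)"),
    ("authorization list",  r"^crypto map \S+ isakmp authorization list (\S+)"),
    ("local pool",          r"^\s+pool (\S+)"),
    ("transform-set",       r"^\s+set transform-set (\S+)"),
    ("dynamic-map",         r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("crypto map",          r"^\s+crypto map (\S+)\s*$"),   # 'crypto map X' under an interface
]


def collect(config, patterns):
    """Map each kind to the set of names its patterns captured in the config."""
    found = {kind: set() for kind, _ in patterns}
    for line in config.splitlines():
        for kind, pattern in patterns:
            match = re.match(pattern, line)
            if match:
                found[kind].add(match.group(1))
    return found


def dangling_references(config):
    """Sorted (kind, name) pairs that are referenced but never defined."""
    defined = collect(config, DEFINITIONS)
    used = collect(config, REFERENCES)
    return sorted((kind, name)
                  for kind in used
                  for name in used[kind] - defined[kind])


if __name__ == "__main__":
    for kind, name in dangling_references(CONFIG):
        print(f"{kind} '{name}' is referenced but never defined")
```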
Cisco VPN Client and Quick VPN interaction?
I have both a Cisco VPN client for connecting to my company LAN and a QuickVPN client for connecting to my home LAN installed on my W2K laptop. Both start and run correctly, and both connect just as they should. My home LAN uses a WRV54G router to provide VPN connection. I can alternate back and forth between the two clients and connect to each LAN with no obvious issues, but not at the same time, of course.
Here's the question. When I connect to the home LAN, I can log on with no problem and I can remotely administer the WRV54G with no problem. I can ping all of the wired and wireless W2K computers on my home LAN with no problem. However, I cannot "see", browse or map any of the shared resources on my home LAN. I have created user accounts on the home LAN computers for my laptop and router logins and I have given these accounts permissions to my shared resources, but I still cannot get to them. Linksys tech support has been absolutely no help whatsoever, even after repeated attempts.
While trying to troubleshoot this myself, I've noticed that when the Cisco VPN client is running and I'm connected to my company LAN, the IP address and subnet of my computer is changed to ones assigned by the DHCP server at my company. This seems to happen because the Cisco client activates the "Local Area Connection Number 2" on my laptop and assigns IP addresses using it. However, when I'm using the QuickVPN client to connect to my home, the IP address and subnet of my laptop continues to be those assigned by whatever local network I'm connected to (e.g. hotel, etc).
I'm wondering if the QuickVPN is supposed to be assigning an IP address and subnet to my laptop from the WRV54G's DHCP server when I connect to my home LAN. If so, could the Cisco VPN client installed on my laptop be preventing that from happening?
Sorry for the long post, but I'm at my wit's end on this one and Linksys is just no help at all.
1. The Cisco VPN client creates a virtual interface on your computer. This allows you to route traffic to the tunnel. The QuickVPN client is simpler. It only encrypts the traffic to the other end. It does not use a virtual interface. That's why you don't have another IP address when connected with QuickVPN. QuickVPN only encrypts IP packets with IPSec from your computer to 192.168.1.* (or whatever you may use on your WRV LAN) and sends them to the WRV's public IP address.
2. Microsoft Windows file sharing and LAN network browsing depend on network broadcasts. Those only work inside a LAN. If you connect from the outside to a LAN, broadcasts won't go through the VPN tunnel. This means you cannot use standard Windows workgroup name resolution to access shares. Those are propagated with broadcasts, which will never go through the VPN tunnel. This means you are not able to use workgroup browsing. All you can do to access your shares is to use the IP address of the other computer.
In short:
\\mycomputer\share won't work
\\192.168.1.50\share works
(assuming the general sharing setup is O.K., i.e. you can use sharing correctly inside your LAN).
Of course, firewalls on the server end may cause problems. Access comes in from a public IP address. This may be blocked. Check the firewall logs on the server to find out if this is the case or not.
Moreover, establishing the VPN connection from a private LAN to a private LAN may not work. This is due to the double network address translation which breaks IPSec and thus the connection. If the hotel uses private IP addresses, this may be the case. But in that case you won't get ping responses from your WRV LAN.
What definitely won't work is the case where the hotel uses the same IP address subnet as you. If the hotel uses 192.168.1.* addresses and your WRV uses 192.168.1.* addresses you cannot connect. QuickVPN only does IPSec tunneling. There is no address translation in QuickVPN. Therefore connecting identical private IP address subnets through QuickVPN will never work because all addresses exist twice, once on either side. -
How to configure router to use ip pool on the aaa server for vpn clients
How to configure the router to use the IP pool on the AAA server for VPN clients. I want to use VPN clients to connect to the router, authenticate using the AAA server username database and also use the IP pool created on the AAA server. I am not able to find the command on the router that points it to the pool created on the AAA server. Can someone help me with this command?
sebastan
Hello Sebastan,
what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
Regards,
GNT -
Reliable working combination of VPN client and Sidewinder firewall?
My work's I.T. Dept has deployed a "Sidewinder" VPN firewall with certs at our workplace. All works well with our many remote Windoze clients. The Windoze clients are using a "Greenbow" VPN client.
They (the I.T. Dept.) were never able to get the built-in OS X VPN client to work with the Sidewinder VPN firewall at all. I don't really have any details of what they tried or why it didn't work and they aren't exactly the friendliest types to us Mac users in the organization so I probably won't be getting any further details in that regard.
They (the I.T. Dept.) did get VPN Tracker Player v6.2 client to work on the remote Mac clients -- sort of -- but it consistently fails after roughly ten minutes of connection time at IKE renegotiation. They purportedly had a trouble ticket open with, and were working with, Equinux to try to resolve the issue, but after spending a certain amount of time on it, they basically told us Mac users in the organization that they had already spent way too much time on trying to make the Mac VPN client work, so they weren't going to be doing anything further with it, so too bad, so sad for us. And they've got 100% Director support backing up their decision.
So, the question du jour is, is anyone out there using a VPN client on a Mac and reliably connecting through a "Sidewinder" VPN firewall/server with certs (i.e., no dropped connections after about ten minutes or thereabouts), and if so, what VPN client are you using and how did you/do you have it configured?
Thanks
(first and last) bump
-
VPN Client and Windows 7 - Window won't show
Bizarre issue I've now experienced on two separate PC's with VPN Client 5.00.07.0410 on 32-bit Windows 7:
Out of the blue, when the user double-clicks the Cisco VPN Client icon, the lock shows up in the system tray, and the application shows in the taskbar. You may get a glimpse of the window when you double-click the taskbar icon, or single click it and choose the application from the list. However, you are not able to actually get the window to be visible. This of course makes it impossible for the user to click the "connect" button.
I've discovered that when the icon is in the taskbar, and you hit "Enter" on the keyboard, it will connect. However I wouldn't expect a user to be able to figure this out, and so it was quite frustrating for them when this happened.
I've noticed there is a new version of the software for 64-bit users, but not for 32.
Anybody else experience this? Find a solution?
I tried uninstalling/re-installing and it made no difference.
-Chris
Try this so you don't have to do it each time... it worked for XP Pro 32-bit (Dell E6410). Haven't yet encountered it on W7 Pro:
Bring up Task Manager (Ctrl+Alt+Delete). Open the Applications tab. Highlight VPN Client, right-click and select Maximize. (Sometimes if the system dies (power loss) when connected to VPN, the registry remembers the minimized setting and will not un-minimize it except with this process (and maybe one yet to be determined).)
I'm currently working (20140617) on a similar issue for W7 Pro for the User Authentication window where the RSA passcode needs to be entered. Alt-Tab works but I'm trying to make it permanent. (One problem is the user has a difficult time following instructions.) -
Site-Site VPN PIX501 and CISCO Router
Hello Experts,
I have a test lab at home. I configured a site-to-site VPN using a Cisco PIX501 and a Cisco 2691 router. For the configurations I just used some links on the internet because my background in VPN configuration is not very good; for the router's configuration I followed this link:
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
and for the PIX configuration I just used the VPN wizard of the PIX. I did all the configurations but ping is unsuccessful. Hope you can help me with this; I don't know what needs to be done here (troubleshooting).
Attached here is my router's configuration and topology, as well as the PIX configuration. Hope you can help me with this. Thanks in advance.
YES! IT FINALLY WORKS NOW! Here's the updated running-config:
: Saved
PIX Version 7.2(2)
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R9
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa session-id common
resource policy
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name aida.com
ip ssh version 2
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
end -
VPN client connected to VPN but can't ping or access to server
Hi,
I need help urgently; I have been troubleshooting for a day but have no idea what is wrong with the config.
Basically there are 2 sets of VPN configured: one is a site-to-site IPsec VPN and the other connects via VPN client software, and they coexist on the same router.
Recently we are having a problem where the client can't access or ping the internal server, which is 192.168.6.3, from the VPN client software.
The VPN client will connect with an address from the VPN IP pool 10.20.1.0 to 10.20.1.100.
The software itself shows connected, but requests time out when pinging.
Below is the config. Some of the commands might be extra from when I did some tests, but they ended up not working.
aaa new-model
aaa authentication login userauthen local
aaa authorization network adminmap group VPNClient
aaa authorization network groupauthor local
aaa authorization network map-singapore local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key emptyspace address 203.142.83.218 no-xauth
crypto isakmp keepalive 15 periodic
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group map-singapore
key cisco123
dns 192.168.6.3
domain cisco.com
pool ippool
acl 102
crypto isakmp profile VPNclient
match identity address 27.54.43.210 255.255.255.255
match identity group vpnclient
client authentication list userauthen
client configuration address respond
crypto ipsec security-association idle-time 86400
crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set DYNSET
set isakmp-profile VPNclient
reverse-route
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list map-singapore
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
crypto map VPNMAP 11 ipsec-isakmp
description VPN to ASA5520
set peer 203.142.83.218
set security-association lifetime kilobytes 14608000
set security-association lifetime seconds 86400
set transform-set REMSET
match address 100
interface GigabitEthernet0/0
ip address 27.54.43.210 255.255.255.240
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
crypto map VPNMAP
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
ip local pool ippool 10.20.1.0 10.20.1.100
ip forward-protocol nd
ip pim bidir-enable
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.6.3 27.54.43.212
ip route 0.0.0.0 0.0.0.0 27.54.43.209
ip route 192.168.1.0 255.255.255.0 27.54.43.209
ip route 192.168.151.0 255.255.255.0 192.168.6.151
ip route 192.168.208.0 255.255.255.0 27.54.43.209
ip access-list extended RA_SING
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip any any log
access-list 1 remark Local Network
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.151.0 0.0.0.255
access-list 2 remark VPNClient-range
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 10 permit 192.168.102.0 0.0.0.255
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
access-list 101 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip any any log
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 120
control-plane
alias isakmp-profile sh crypto isakmp sa
alias exec ipsec sh crypto ipsec sa
banner motd ^CC^C
I did not try to ping 4.2.2.2. I just know I can not ping Comcast's DNS servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago; I don't understand what could have changed that I would now need a static DNS.
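Added example (mine, not from the post or the reply): a walk through what the router does with a reply packet from the server 192.168.6.3 to a connected client, using two pieces of the config above. IOS applies NAT to an inside-to-outside packet before it consults the crypto map, and a static translation with no route-map is applied to every packet from that host; the crypto map then only claims the packet if its post-NAT source lies in a network the client's SA protects, which for a remote-access client means the source networks of the split-tunnel ACL (acl 102 here, whose only entry is `permit ip 10.0.0.0 0.255.255.255 any`). The split ACL and the static NAT line are copied from the post; the client address 10.20.1.5 and the "fixed" variant (server LAN added to the split list, client-bound traffic exempted from the static translation, as a route-map on the static would do) are constructed and are not from the post. The three overlapping dynamic PAT statements (list 1, list 101, route-map nonat) are not modelled. As posted, the check reports two reasons the packet never goes back through the tunnel: the static NAT rewrites the source to 27.54.43.212 first, and neither 192.168.6.3 nor 27.54.43.212 is inside 10.0.0.0/8, the only network acl 102 tunnels.

```python
"""Will a LAN reply to a VPN client be encrypted?  (added example, not from the post)

IOS handles an inside-to-outside packet in a fixed order: NAT (local to
global) runs BEFORE the crypto map is consulted, and the crypto map only
claims the packet if its (post-NAT) source lies in a network the IPsec SA
protects.  For a remote-access client the protected networks are the
source networks of the split-tunnel ACL pushed to the client.  The split
ACL and the static NAT entry are copied from the posted config; the client
address and the 'fixed' variant are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StaticNat:
    """ip nat inside source static LOCAL GLOBAL [route-map ...]"""
    local: str
    global_addr: str
    # Destinations a route-map keeps untranslated; empty = translate unconditionally.
    exempt_dst: list = field(default_factory=list)


# As posted: 'acl 102' in group map-singapore, and the static NAT for the server.
SPLIT_ACL_102 = ["permit ip 10.0.0.0 0.255.255.255 any"]
POSTED_STATIC = [StaticNat("192.168.6.3", "27.54.43.212")]

# Hypothetical corrected config (not from the post): the server LAN is added to
# the split list and client-bound traffic is exempted from the static translation.
FIXED_SPLIT = SPLIT_ACL_102 + ["permit ip 192.168.6.0 0.0.0.255 any"]
FIXED_STATIC = [StaticNat("192.168.6.3", "27.54.43.212",
                          exempt_dst=[ipaddress.ip_network("10.20.1.0/24")])]


def protected_networks(split_acl):
    """Source networks of the split-tunnel ACL's permit entries: what the SA carries."""
    nets = []
    for ace in split_acl:
        action, proto, src, wild, *_ = ace.split()
        if action == "permit" and proto == "ip":
            nets.append(ipaddress.ip_network((src, wild), strict=False))
    return nets


def apply_static_nat(src, dst, statics):
    """Source address after static NAT (unchanged if no entry applies)."""
    dst_ip = ipaddress.ip_address(dst)
    for entry in statics:
        if entry.local == src:
            if any(dst_ip in net for net in entry.exempt_dst):
                return src
            return entry.global_addr
    return src


def reply_check(src, dst, split_acl=SPLIT_ACL_102, statics=POSTED_STATIC):
    """Walk NAT, then crypto, for a LAN -> client packet.

    Returns (source the crypto map sees, list of reasons it is not encrypted);
    an empty list means the packet is tunnelled to the client.
    """
    problems = []
    seen_src = apply_static_nat(src, dst, statics)            # step 1: NAT first
    if seen_src != src:
        problems.append(f"static NAT rewrote {src} to {seen_src} before the crypto check")
    nets = protected_networks(split_acl)                      # step 2: crypto proxy identity
    if not any(ipaddress.ip_address(seen_src) in net for net in nets):
        problems.append(f"{seen_src} is outside the split-tunnel networks "
                        f"{[str(n) for n in nets]}: the client never sends to it "
                        "through the tunnel and the router never encrypts it")
    return seen_src, problems


if __name__ == "__main__":
    for label, kw in (("as posted", {}),
                      ("fixed", {"split_acl": FIXED_SPLIT, "statics": FIXED_STATIC})):
        seen, why = reply_check("192.168.6.3", "10.20.1.5", **kw)
        print(f"{label}: crypto sees src {seen}; " + ("encrypted" if not why else "; ".join(why)))
```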
-
Is there really a Cisco VPN client for Linux? _Really?_
Hello folks,
I've finally after almost experiencing a brain aneurysm by trying to think too hard got my Cisco 881-SEC-K9 router properly configured for a multipoint IPSec VPN tunnel to my Amazon Virtual Private Cloud, so that hurdle is finally passed and I actually feel it was a very important milestone in my life somehow. I never thought I'd see the day I actually got my hands on a legitimate Cisco non-stink... erm.. I mean, non-linksys router. Now I just can't seem to find a 'client' VPN program for Linux. I'm currently running a Xen Hypervisor environment on openSUSE Linux because it's the only Linux distribution that completes all of my strenuous requirements in a Linux server environment. It's also the most mature and secure Linux on this planet, making it the most appreciable Linux distribution for my research needs. Using NetworkManager is not really an option for a basic Linux server environment, and OpenVPN is just too confusing to comprehend for my tiny little head. I've heard mention of some mysterious "Easy VPN" but after hours of digging online can't find any information about it, even the Cisco download link leads to a Page Not Found error. I do see a Linux VPN API for the AnyConnect program, but is that an actual VPN client, or just an API? It seems to want my money to download it but I don't have any money nor do I really know what it is because it's all secretive-like, closed source, and I can't even find a simple README file on it explaining what it is exactly. I'm just an out-of-work software developer trying to connect to my home router for personal use and I can't really afford to fork over a million and a half dollars for a single program that I'm only going to need to download once in my lifetime that should have been included with the router in the first place.
I more than likely won't even be able to figure out how to use the program anyways because I don't know anything about VPN connections which is why I bought this router so I can try to figure it all out as part of the not-for-profit open source, volunteer research I'm presently trying to conduct. Is there some kind of evaluation or trial period for personal use? That would be really nice so I could at least figure out if I'm going to be able to figure it out or not. I hate throwing money away when it's in such short supply these days. There's really no alternative to a Cisco router. It's an absolute necessity for the things I'm trying to accomplish, so trying to settle for something else and going on with my life is not really an option. No, this is something I just need to face head on and get it over with.
<Rant>
Maybe I have a little too much crazy in me for my own good, but I don't see why it should take so much money just to learn how to do something for personal reference, it's not really a skill I would ever use otherwise. Wouldn't it be great if Cisco made their VPN client open source and free to the public to use and modify, to improve on, to learn and to grow and bring the whole world closer together as a community? Even the source code to the old discontinued Cisco VPN client could be used as a valuable learning tool for some poor starving college student or Open Source Software developer somewhere trying to get by on Ramen Noodles and Ramen Noodle Sauce on Toast (don't tell me you never thought about it). Through the ripple effect, It would drastically improve sales over the course of time, because it would open the door to a whole new market where those who previously could not afford to participate now could. That's the true power of Open Source. It creates a more skilled work force for the future by openly contributing and sharing knowledge together. What if the next big internet technology and the solution to world tyranny - the solution to end all wars forever - were locked in the mind of an unemployed software developer who couldn't afford to upgrade their cisco router software or access the software they needed because it was closed source and required committing to an expensive service contract to download? That would be just terrible, wouldn't it? I guess there's no way to ever know for sure. I suppose I'd be just as happy if some kind soul out there could point me to an easy to use alternative to an always on VPN connection that runs in the background which doesn't require NetworkManager or having to spend days upon days digging through and trying to comprehend either some really poor or extremely complex documentation? 
I apologize for all the run on sentences posed as questions, but I've just got some serious mental burnout from all of this, being unemployed is some hard work folks. I could really use a vacation. Perhaps a camping trip to the coast is in order after I get this working, that sounds nice, doesn't it? Nothing like a good summer thunder storm on the ocean beach - far away from technology - to refresh the mind.
</Rant>
I do tend to talk too much and I don't mince any words either. What I am however, is really appreciative for the help. I know you hear that all the time, but you have no idea how much time and headache you just saved me. I think vpnc might be just what I've been looking for, unless someone can think of a client for Linux that I might be able to throw a little further. I'm very security minded now, after the backlash of Blackhat 2013, there's no telling which direction the internet might head next. Oh, you didn't hear? Well whether they realize it or not, DARPA basically declared war with other government agencies by releasing their own version of a spy program for civilians to use against whoever -- possibly even the government itself. They even went so far as to suggest its private usage to blanket entire cities in information gathering. Civilians are a powerful foe, as they are not bound by the oath of office; any evidence they obtain is admissible in court, whether they know that or not. There's a very important reason for that. It's to prevent another civil war from ever happening; we shed enough blood the first time around, lest people forgot. It's something that can and will be avoided because our civilization has advanced beyond the need for bloodshed. The courts have to obey the majority rule, no matter what. For the first time in history, cyberwarfare can reach into the physical world to cause serious damage to physical structures like the nuclear facility incident in Iran. There are scary bills trying to sneak through Congress that are changing the landscape of technology forever for the entire world. We're at a pivotal point now where things can happen. It will be interesting to see how it all plays out over the next decade or so. No matter which way you look at it, just be prepared to sell a whole lot of routers.
-
How to enable traffic between VPN clients in Windows Server 2012 R2?
Hello,
I installed Remote Access role with VPN.
IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
VPN server uses Windows Authentication and Windows Accounting.
With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
For example, VPN server has ip 192.168.99.5
VPN Client 1 - 192.168.99.6
VPN Client 2 - 192.168.99.7
I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
What else should I configure to allow network traffic between VPN clients?
Hi,
To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
Best regards,
Susie
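The reply asks for each client's routing table. The following PowerShell script, added here and not part of the thread, gathers that plus a traceroute on a Windows VPN client in one go; the server, peer and pool addresses are the ones quoted in the question and are assumed to match the deployment.

```powershell
# Added diagnostic (not from the thread). Run on one VPN client, then on the
# other with $PeerClient swapped. Addresses come from the question above.
$VpnServer   = '192.168.99.5'    # RRAS server's VPN-side address
$PeerClient  = '192.168.99.7'    # the other VPN client we cannot reach
$PoolPattern = '192.168.99.*'    # static address pool handed out by RRAS

# 1. Which interface holds our pool address? If none, the tunnel is not up.
$vpnAddr = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like $PoolPattern }
if (-not $vpnAddr) {
    Write-Warning "No address from pool $PoolPattern is assigned; VPN not connected?"
    return
}
"VPN address $($vpnAddr.IPAddress) on interface '$($vpnAddr.InterfaceAlias)'"

# 2. Routes that cover the pool: this is the part of 'route print' the reply
#    wants. A client that lacks a route to the pool via the VPN interface
#    will send peer traffic out its default gateway instead.
"Routes covering $PoolPattern (filtered routing table):"
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like $PoolPattern } |
    Sort-Object RouteMetric |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize

# 3. Reachability: the server should answer (it does in the question); the
#    peer is the case under investigation. The trace shows where the path
#    stops, e.g. at the server when it is not forwarding between clients.
foreach ($target in @($VpnServer, $PeerClient)) {
    $r = Test-NetConnection -ComputerName $target -TraceRoute `
         -WarningAction SilentlyContinue
    "{0}: ping={1} path={2}" -f $target, $r.PingSucceeded, ($r.TraceRoute -join ' -> ')
}
```

Compare the two clients' output side by side: both should show a pool route on the VPN interface, and the trace to the peer should get past the server's address.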