GRE for VPN using extendable NAT.

I am trying to configure a VPN, and I've got this:
ip nat inside source static tcp 192.168.100.8 1352 203.145.145.145 1352 extendable
ip nat inside source static tcp 192.168.100.8 1723 203.145.145.145 1723 extendable
ip nat inside source static tcp 192.168.100.8 47 203.145.145.145 47 extendable
ip nat inside source static tcp 192.168.100.8 isakmp 203.145.145.145 isakmp extendable
ip nat inside source static tcp 192.168.100.12 3389 203.145.145.145 3389 extendable
Where do I put the GRE protocol in this configuration? Without GRE the VPN does not work.
I don't want to do this:
ip nat inside source static 192.168.100.8 203.145.145.145
Is it a better idea to use interface Tunnel40843 for the VPN than to statically NAT an external IP address? How do I use a tunnel for the VPN? What's the code?

To see how GRE over IPSec can be configured, refer to 'Configuring IPSec/GRE with NAT' at http://www.cisco.com/warp/public/707/ipsecgrenat.html. The document additionally discusses a firewall configuration that you could skip unless you have a firewall in place too.
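Added example, not from the thread or from Cisco: a small Python linter for static NAT lines in the IOS syntax quoted above. It encodes two facts the thread leaves implicit: IOS port-level static NAT exists only for TCP and UDP, and GRE is IP protocol 47 rather than a port, so a `tcp ... 47` entry never carries the PPTP (TCP 1723) data channel; it also flags `tcp isakmp`, since IKE runs over UDP 500. The sample input is constructed from the question's own lines.

```python
# Lint Cisco IOS "ip nat inside source static" lines for GRE/PPTP and ISAKMP mistakes.
from dataclasses import dataclass
from typing import List, Optional

GRE_PROTOCOL_NUMBER = 47   # GRE is an IP protocol number, never a TCP/UDP port
PPTP_CONTROL_PORT = 1723   # PPTP control channel; its data channel is GRE
ISAKMP_PORT = 500          # IKE/ISAKMP runs over UDP 500
NAMED_PORTS = {"isakmp": ISAKMP_PORT}   # IOS port keyword used in the question


@dataclass(frozen=True)
class StaticNat:
    protocol: Optional[str]   # "tcp"/"udp" for a port-level entry, None for whole-host
    inside_ip: str
    inside_port: Optional[int]
    global_ip: str
    global_port: Optional[int]
    extendable: bool


def _port(token: str) -> int:
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_static_nat(line: str) -> Optional[StaticNat]:
    """Parse one 'ip nat inside source static ...' line; None for anything else."""
    tokens = line.strip().split()
    if tokens[:5] != ["ip", "nat", "inside", "source", "static"]:
        return None
    rest = tokens[5:]
    extendable = rest[-1:] == ["extendable"]
    if extendable:
        rest = rest[:-1]
    if len(rest) == 2:   # whole-host form: inside-ip global-ip (carries every IP protocol)
        return StaticNat(None, rest[0], None, rest[1], None, extendable)
    if len(rest) == 5 and rest[0] in ("tcp", "udp"):   # port-level form, TCP/UDP only
        return StaticNat(rest[0], rest[1], _port(rest[2]), rest[3], _port(rest[4]), extendable)
    return None


def lint(config: str) -> List[str]:
    """Return findings about GRE/PPTP and ISAKMP handling in the static NAT entries."""
    entries = [e for e in map(parse_static_nat, config.splitlines()) if e]
    findings: List[str] = []
    pptp_hosts, whole_host = set(), set()
    for e in entries:
        if e.protocol is None:
            whole_host.add(e.inside_ip)   # whole-host static NAT also translates GRE
            continue
        if e.inside_port == GRE_PROTOCOL_NUMBER:
            findings.append(f"{e.inside_ip}: '{e.protocol} ... 47' translates "
                            f"{e.protocol.upper()} port 47, not GRE (IP protocol 47)")
        if e.protocol == "tcp" and e.inside_port == ISAKMP_PORT:
            findings.append(f"{e.inside_ip}: isakmp is UDP 500; a tcp entry carries no IKE traffic")
        if e.protocol == "tcp" and e.inside_port == PPTP_CONTROL_PORT:
            pptp_hosts.add(e.inside_ip)
    for host in sorted(pptp_hosts - whole_host):
        findings.append(f"{host}: TCP 1723 (PPTP control) is translated but no entry carries "
                        "GRE, so the PPTP data channel cannot reach this host")
    return findings


# Constructed sample: the static NAT lines quoted in the question.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.100.8 1352 203.145.145.145 1352 extendable
ip nat inside source static tcp 192.168.100.8 1723 203.145.145.145 1723 extendable
ip nat inside source static tcp 192.168.100.8 47 203.145.145.145 47 extendable
ip nat inside source static tcp 192.168.100.8 isakmp 203.145.145.145 isakmp extendable
ip nat inside source static tcp 192.168.100.12 3389 203.145.145.145 3389 extendable
"""
```

Running `lint(SAMPLE_CONFIG)` yields three findings; appending the whole-host line the asker wanted to avoid removes only the missing-GRE finding, which is exactly the trade-off the question is about.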

Similar Messages

  • Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access

    Hi everybody,
    I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
    Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
    After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
    Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
    add 1050 allow from any to any in
    (This looks a little like a server manager bug to me, but I digress)
    So I tried manually editing the file in /etc/ipfilter but no joy.
    Being somewhat new to OS X I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about a million hits, none seem applicable to my situation. Thanks in advance.

    Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
    The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE, so that might possibly have something to do with the error you're getting.

  • HT201272 I was not able to pay for a VPN subscription using my Apple ID account

    I was not able to pay for a VPN subscription using my Apple ID account.
    Please assist.
    Thanks

    Call Apple Store Customer Service at 1-800-676-2775 or visit online Help for more information.
    To contact product and tech support: Contacting Apple for support and service - this includes international calling numbers.
    For Mac App Store: Apple - Support - Mac App Store.
    For iTunes: Apple - Support - iTunes.

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users. I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access. The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements. I don't see an easy way to distinguish these device types that cannot use the NAC agent from the OSes that can. Since the MAC address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria. So the net effect is these devices are stuck in the "unknown" posture state and have very limited access. Any way around this catch-22? Incidentally, DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their MAC address.

    Chris, I ran into the same issue. NetFlow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).
    I also tried to use a SPAN session, and the catch with that is that the ASA doesn't assign the calling-station-id attribute to the tunnel IP, but to the public IP the user is connecting from, so ISE doesn't apply the user-agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via a root patch to have the users click a link instead of retrying their request when they hit the CPP portal as a mobile device.
    Sent from Cisco Technical Support Android App

  • Use extended ACL with NAT

    Believe it or not, once in a while I fumble with some basic concepts. Here is one: on our perimeter FW (an ASA) these NATs are configured.
    I just couldn't figure out why they use an extended ACL for the sources. Isn't the standard one good enough?
    Thanks in advance,
    Han
    access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
    global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
    global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
    nat (inside) 0 access-list inside_nat0_outbound_5
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 2 0.0.0.0 0.0.0.0

    Hi Han,
    If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.
    Standard ACL (source only, with its mask):
    access-list 10 standard permit 172.16.0.0 255.255.0.0
    Extended ACL (protocol, source, destination and port):
    access-list abc extended permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
    This is how it differs. In your scenario the destination is specific while the source is any, so that is why the extended ACL is in the picture. Hope this clears it up for you.
    Please do rate if the given information helps.
    By
    Karthik

  • Confused how to set-up a PC & laptop with Cisco WRVS4400N VPN for home use

    Just bought a new PC and laptop and was recommended (by CDW) to use a Cisco WRVS4400N to set up the VPN.
    For home use, only the PC and laptop, both running Windows 7. I use Comcast as my ISP.
    The mountains of docs confuse me to no end; can anyone simplify this for me? I look at all the details and do not know where to start.
    In short,
    (1) configure router to recognize my PC and Comcast, and I guess the laptop.
    (2) configure laptop to go wireless and communicate with PC.
    Any assistance would be much appreciated.
    Thanks,
    Terry

    For a very small office and a minimum of admin and tech know-how, one approach I'd suggest is to not worry about user ID collisions at all. Any time anyone wants to use a Mac you just set them up as a user, using consistent names/passwords.
    Have a "Work" volume on each Mac that has "ignore ownership on this volume" ticked. That way UID collisions aren't important.
    You can make a Desktop folder on the Work volume and make a SYMBOLIC LINK from every user's home that replaces their desktop with the Desktop folder on the Work volume.
    Make it known that the user's home is for personal stuff ONLY, and the Work volume (including the desktop) is where work in progress lives.
    At a later date, with some confidence in your network and your admin skills, you could impose consistent UIDs using an OD master.

  • How to use ISE for VPN auth

    Hello
    Looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACLs and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.
    Any good docs, white papers, field notes, how-to that can address this issue will be appreciated.
    Thanks

    We use ISE for VPN (connected to OpenLDAP). On the authentication policy you have multiple options; we used the Network Access - Device IP Address option. On the Authorization tab we again used the IP address option in combination with an LDAP attribute holding the status of the person (student, teacher, admin, ...). On the Policy Elements tab we made some authorization profiles under Results - Authorization - Authorization Profiles. When you make a new profile you can select the ASA VPN attribute under Common Tasks; there you can, for example, insert admin.
    So if you have an admin user that wants to login:
    authentication: user found in ldap (or ad)
    authorization:
    -user is coming from asa ip address
    -user attribute is admin
    = user is authorized for the admin class on your asa vpn device.

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for radius authentication for vpn users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the IPN with Base licensing; however, I would strongly recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Using ISE to assign ACLs for VPN users

    Hi,
    I've just implemented ISE into our environment using various documents and videos found online, but have not been able to find anything about using ISE to authenticate remote users via VPN and assigning them the ACLs created for their level of network access.
    Does anyone know of a good document or training video knocking about that I can use?
    Thanks
    Jason

    Jason,
    If the ACL is present on the ASA you can use the "filter-id" RADIUS attribute to reference the ACL for the user's session. You can make this work by configuring an authorization profile and tying it in with your authorization policy for VPN users.
    If you want to push an ACL then my recommendation is to use the cisco-av-pairs to push the ACLs, since the username is associated with the ACL that is applied to the VPN session.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How to configure a router to use the IP pool on the AAA server for VPN clients

    How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing it to use the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
    Regards,
    GNT

  • HT1424 Is VPN really needed for home use?

    Is VPN really needed for home use on the iPad 2?

    I don't have one. The only times I've seen a need for a VPN is when we've had employees that need to access the work network from home, so they need to have a connection that meets the work's security requirements to be granted access to the network (our network is inaccessible outside the building without a VPN).

  • Cisco 2800 - Multiple VPNs Using Virtual-Template

    Hello List,
    I have a question related to the way of setting up multiple VPNs using the virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration a "spoke" type VPN rather than a "hub" type without using "crypto map" on the physical interface?
    Here is how it works now (the VPN hub config):
    !!! the VPN hub config
    crypto keyring PSKs
     pre-shared-key address <peer_ip> key 6 ************
    !
    crypto isakmp profile ISAKMP_Profile
     keyring PSKs
     self-identity address
     match identity address <peer_ip> 255.255.255.255
     virtual-template 1
    !
    crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
    !
    crypto ipsec profile IPSEC_Profile
     set transform-set Transform_Set
     set isakmp-profile ISAKMP_Profile
    !
    interface Loopback1007
     description This is a public IP address from a range routed via my gateway IP address (see below)
     ip address <my_VPN-hub_ip> 255.255.255.255
     no ip redirects
    !
    interface Multilink1
     description This is my gateway IP address facing the ISP
     ip address <my_public_IP> 255.255.255.252
     no ip redirects
     no ip unreachables
     ip nbar protocol-discovery
     ip nat outside
     ip virtual-reassembly
     rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
     ip route-cache flow
     no cdp enable
     ppp multilink
     ppp multilink fragment delay 20
     ppp multilink interleave
     ppp multilink group 1
     ppp multilink multiclass
     service-policy output qos_pm-outbound
    !
    interface Serial0/0/0
     description 1st Serial Interface to ISP
     bandwidth 2048
     no ip address
     encapsulation ppp
     ip route-cache flow
     no fair-queue
     ppp multilink
     ppp multilink group 1
    !
    interface Serial0/0/1
     description 2nd Serial Interface to ISP
     bandwidth 2048
     no ip address
     encapsulation ppp
     ip route-cache flow
     no fair-queue
     ppp multilink
     ppp multilink group 1
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1007
     ip access-group vpn_acl-tunnel-encr-in in
     ip access-group vpn_acl-tunnel-encr-out out
     ip mtu 1400
     ip route-cache flow
     tunnel source Loopback1007
     tunnel mode ipsec ipv4
     tunnel sequence-datagrams
     tunnel checksum
     tunnel path-mtu-discovery
     tunnel protection ipsec profile IPSEC_Profile
     service-policy output qos_pm-VPN
    !
    ip access-list extended vpn_acl-tunnel-encr-in
     permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended vpn_acl-tunnel-encr-out
     permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
    !!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
    !!! all follow the standard crypto map config on the physical interface,
    !!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt
    It is obvious that with my router configured as a VPN hub, if the tunnel dies, I need to wait for the peer to reset the tunnel; all this time my clients in my network are not able to access the remote sites.
    The reason to use the virtual-template interfaces as opposed to the traditional "crypto map" way is that my peers do not want to share the same VPN end-point between themselves (different companies altogether) and they are very strict in regards to ACLs. As I don't have a VPN device for each one of them and their number increases (I have 5 separate tunnels right now with potential growth to 15 in the next 3 months), I need to find a way to get rid of the hub config on my end (I did not have much choice there when I migrated to this platform from a Linux box).
    Pros for the Virtual-Template:
    - separate QoS for each tunnel
    - ACLs configured directly on the tunnel interface (greater flexibility)
    - tunnel end-point IP address can be part of a range BGP-advertised via multiple ISP links
    Cons:
    - hub config, the tunnel needs to be reset by the peer
    Any help is very much appreciated. Thank you,
    Adrian

    Hope the following link will help you
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

  • My Windows phone 8.1 can't seem to find any certificates, needed for VPN

    Hello,
    I set up an IKEv2 VPN at home so I could use it on my desktop as well as on my Windows phone.
    Now, I have two options which are supported by the VPN: 1) I can use username/password, but then I have to install the root certificate. 2) Use the client certificate.
    Now I've tried both but neither seems to work. When I use username/password I get error 13801, which apparently means that it can't find the root certificate. When I try to set up the VPN using the client certificate, I can't set it up because when I want to choose a certificate, it says there aren't any.
    I have installed both (several times by now) using the PFX and P12 formats. I've tried regenerating them. None of this helps.
    My phone won't accept any crt or pem files so that's not gonna work either.
    I've tried restarting the phone, that didn't help either.
    Any suggestions?
    Thanks!

    Okay, I didn't get it to work with user/password authentication, but I did manage to use a client certificate.
    What I had to do was regenerate the certificate with Extended Key Usage: ClientAuth.
    Now I'm facing a new issue because the server isn't accepting me for some reason, which apparently has something to do with authentication or encryption. I haven't figured that out yet so I'll have a look at the server software instead.
    But if anyone knows what kind of thing Windows phone could be asking for that Windows desktop doesn't, that could be useful.

  • Port forwarding not working for VPN

    Hi there,
    I am at a loss as to what I am doing wrong with regards to setting up a VPN. I admit this is all completely new territory for me, and I am learning as I go along, so may have overlooked something very obvious.
    I have opened up the VPN ports on the router (500, 1701, 4500 - UDP; 1723 - TCP), and can confirm from the logs that they are letting traffic in OK.
    So that leaves the server itself - testing using an open port checking tool confirms all ports I have open in the router firewall, and active and accessible on the server, except the VPN ports and service, are indeed open and accessible.
    The VPN service is running, and I have ensured the services are available within the firewall service for 'all', and all services available for the 192.168.1.xxx range.
    I have indicated that the VPN should use the range - 10.0.0.1 to 200
    The DNS and DHCP services on the server are running. At the domain registrar, I have indicated that the subdomain I am using to access the server and its services via the web should point to the static IP I have from the ISP.
    I should mention that if I use the local IP address of the server, I can connect ok, it is only when I use the static IP that I am unable to connect.
    Every other port opens up successfully - FTP (21), Web (80/443), etc. - just not the ones for the VPN, so I assume there is some sort of conflict between or within the VPN/DHCP/DNS services or with the VPN service itself.
    Any advice and potential solutions would be greatly appreciated, as I have spent quite a bit of time trying to figure this one out by myself.
    Thanks in advance, and I hope to hear from folk soon.
    Chris

    OK - here's how my router is configured:
    NAT (Type = Destination) Public IP address to VPN Server IP address (I had a problem when I didn't have the NAT Type set properly)
    I have a separate public IP address reserved for VPN traffic, but that's not necessary if you set up the order of the rules on your router properly. It's just easier to have a separate IP address.
    These are the ports I have open:
    UDP - 500
    UDP - 1701
    TCP - 1723
    TCP - 3283
    UDP - 3283
    UDP - 4500
    TCP - 5900
    TCP - 5988
    I have these ports open to accommodate remoting in via Apple Remote Desktop.
    However, since Mavericks, I can't use ARD anymore. But I can use Back to My Mac and Screen Sharing (go figure!) to get to my server and then from the server I can use ARD within the network.
    Don't know if that helps or not, but it works for me.

  • Recommended ASA software for VPN ?

    Hello -
    We’re in the process of migrating our legacy VPN concentrators over to a pair of ASA5540s. The VPN connections we use today are L2L, RA, & easy VPN. I don’t want to jump up to 8.3 or higher just yet, due to the differences in the NAT, group-objects and ACL policies.
    Would it be recommended to use an 8.2 code as standard for VPN endpoints?
    Thanks -
    John

    You can very well use 8.2. Right, from 8.3 onwards there are changes in the way we configure NAT, but it's not so complicated that you should ignore the latest version just because of NAT.
    Just have a look at the link: http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html
    You might miss some newly added features, but if you are not using those then it's all right to go for 8.2.
    Thanks
    Ajay
