IOS 2811 VPN Site-to-Site

Hi Netpro
I need to find an IOS image with support for VPN Site-to-Site for 2800 series routers.
Which feature do I have to look for in Feature Navigator?
Regards

You can go to Feature Navigator and look for IPSEC Network Security.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Regards,
Arul
** Please rate all helpful posts **

Similar Messages

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a GRE tunnel

    I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • VPN Site-to-Site or VPN Client Server with Cisco IP Phone 8941 and 8945

    Hi everyone,
    I decided to deploy a CUCM (BE6K platform), SX20, and IP Phone 8941/8945 at Head Office, and Cisco SX10 and IP Phone 8941/8945 for branch offices (actually 9 branch offices).
    The connection will use an Internet connection for HO and each branch office.
    And the IT guy wants to use some kind of VPN client-server or VPN site-to-site for the connection through the Internet.
    What kind of VPN client-server or VPN site-to-site is recommended for this deployment?
    And what type of Cisco router supports that kind of VPN (the cheapest one will be great)?
    So that the SX10 and IP Phone 8941/8945 in branch offices can work properly through the Internet connection?
    Please advise.
    Regards,
    Ovindo

    Hi Leo,
    technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.
    However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones,  but not 250 ipsec users and 10 phones.
    If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.
    Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if  you do have Anyconnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium license cannot co-exist. So for e.g. 240 Anyconnect users and no phones, you can use Essentials. For 240 Anyconnect users and 10 phones, you need a 250-seat Premium license (and a vpn phone license).
    hth
    Herbert

  • VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042

    Hello guys, does anyone have an example for connecting a Cisco ASA-5505 to an RV-042 by site-to-site VPN? I need to establish a link to connect my UC560 with CUE on a Cisco Router 2800 for VoIP site-to-site calls.
    Thanks

    On ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
    Existing configuration
    object network email
     host 172.16.0.0
     description 255.255.0.0
    Correct configuration
    object network email
     subnet 172.16.0.0 255.255.0.0

  • How do I configure a VPN Site and Subnets in Lync when clients have /32 Addresses?

    Hello,
    I've found a few people asking this question out in the "interwebs" but no one seems to quite answer their question (Those poor souls).
    In most occasions that I've seen, my customers have configured their VPN networks with a /24 (255.255.255.0) ip address.  However, when those clients connect to the VPN they are actually getting a /32 (255.255.255.255) address. 
    This seems to pose an issue for Lync reporting when it comes to configuring a VPN site and VPN subnets.
    (NOTE:You might ask why these customers are not going about best practice and using split-tunneling?  In this case, they absolutely CANNOT institute split-tunneling so all traffic MUST flow through the VPN tunnel.)
    For example sake, here is how I would imagine to setup a VPN site with subnets in Lync Network Configuration:
    VPN (Site)
        -172.16.33.0  /24 (Subnet)
        -172.16.34.0  /24 (Subnet)
        -172.16.35.0  /24 (Subnet)
    The problem is that when I run a Location Report in Lync to look at call data to/from the VPN site, it's not there. Reason being, the VPN client was given a /32 address which doesn't match up to the /24 I configured in Lync. 
    So, in my mind my options are:
    Create a /32 subnet for each single address corresponding to a VPN client and attach them to the VPN site (What a mess).
    Change the subnet mask for the 3 subnets I've defined to /32 instead of /24 and see what happens even though putting an IP address of 172.16.33.0 /32 doesn't make much sense.
    Remove the subnets and site from Lync because CAC and Bandwidth control are actually useless over VPN.
    Any thoughts on this?
    John K. Boslooper | Lync Technical Specialist | Project Leadership Associates
    Phone: 312.448.2269 | www.projectleadership.net

    Jin,
    /32 addresses are a valid subnet mask, however that means that a host with an IP address of 192.168.23.4 and a subnet mask of 255.255.255.255 (/32) is the ONLY host on that subnet.
    The VPN configuration is correct.  The /32 mask is common with a Juniper VPN  (which is what they are using) and the DHCP server that is handing out the addresses is the Juniper VPN appliance. 
    They have already started working out a plan to use a different internal DHCP relay which should hand out the addresses correctly. 
    There has to be someone else out there with this issue or who can point out that I'm overlooking one key principle with VPN subnets.
    Anyone? 
    John K. Boslooper | Lync Technical Specialist | Project Leadership Associates Phone: 312.448.2269 | www.projectleadership.net

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a

    I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Hi josedilone19
    GRE is used when you need to pass Broadcast or multicast traffic.  That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks.
    However, there are some other important aspects to consider:
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • Please give a sample configuration for VPN site to site on ASA 5512-X v.9.1!

    Dear All,
    Could you give a sample configuration for ASA 5512-X v.9.1 for VPN site to site? I used to configure this on ASA 5510 v.8.2, but I have never configured it on version 9.1.
    My issue is that I don't know how to configure nonat.
    I saw some configurations, as in the attached file; they just show how to configure the VPN, but we did not see nonat in the commands.
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_site2site.html
    Best Regards,
    HK

    Hi,
    The new configuration format for NAT0 / NAT Exemption / Identity NAT is the following
    object network SOURCE-NETWORK
    subnet
    object network DESTINATION-NETWORK
    subnet
    nat (inside,outside) source static SOURCE-NETWORK SOURCE-NETWORK destination static DESTINATION-NETWORK DESTINATION-NETWORK
    In the above
    SOURCE-NETWORK contains the network on your side of the network
    DESTINATION-NETWORK contains the network on the remote side of the L2L VPN
    The NAT configuration presumes that you are using interfaces with the name of "inside" and "outside"
    The reason you see 2 of each "object" in the NAT configuration is that there is no NAT performed for them. You would have the option to do NAT for both source and destination, but in this case we don't want that.
    Depending how many source and destination networks we are talking about, this might need some modifying.
    Hopefully this helps
    - Jouni

  • Ipsec VPN site to site, best settings for optimal data transfer

    I have an ISA570 at work and have set up an IPsec VPN site-to-site connection with my router at home, which is an RV180. I'm trying to do large backups from my office to my home storage. Can you tell me what the most efficient settings are, as far as the VPN connection is concerned, to optimize the transfer rate? Also any settings that I may make on my Windows 7 workstation at work. I'm transferring from a workstation to the terrastation that I have at my home.

    Hi Daniel,
    I noticed that your post was located in the VPN Site to Site instead of the Small Business Security area. I have moved your post to the correct area so that you will get some help.  As a Cisco customer with a service contract, you can call the small business support center to speak with an engineer.  The phone numbers are located here:
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • Can not ping between remote vpn site ???

    site A is l2l vpn,  site B is network-extend vpn,  both connect to same vpn device 5510 at central office and work well.  I can ping from central office to both remote sites,  But i can not ping between these two vpn sites ?  Tried debug icmp, i can see the icmp from side A does reach central office but then disappeared! not sending to side B ??  Please help ...
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    access-list OUTSIDE extended permit icmp any any 
    access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A 
    nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
    crypto map VPN-MAP 50 match address HOLT-VPN-ACL
    crypto map VPN-MAP 50 set peer *.*.56.250 
    crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
    crypto map VPN-MAP interface outside
    group-policy REMOTE-NETEXTENSION internal
    group-policy REMOTE-NETEXTENSION attributes
     dns-server value *.*.*.*
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value REMOTE-NET2
     default-domain value *.org
     nem enable
    tunnel-group REMOTE-NETEXTENSION type remote-access
    tunnel-group REMOTE-NETEXTENSION general-attributes
     authentication-server-group (inside) LOCAL
     default-group-policy REMOTE-NETEXTENSION
    tunnel-group REMOTE-NETEXTENSION ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group *.*.56.250 type ipsec-l2l
    tunnel-group *.*.56.250 ipsec-attributes
     ikev1 pre-shared-key *****
    ASA-5510# show route | include 192.168.42 
    S    192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510# show route | include 192.168.46
    S    192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510# 
    Username     : layson-ne           Index        : 10
    Assigned IP  : 192.168.46.0           Public IP    : *.*.65.201
    Protocol     : IKEv1 IPsecOverNatT
    License      : Other VPN
    Encryption   : 3DES                   Hashing      : SHA1
    Bytes Tx     : 11667685               Bytes Rx     : 1604235
    Group Policy : REMOTE-NETEXTENSION    Tunnel Group : REMOTE-NETEXTENSION
    Login Time   : 08:19:12 EST Thu Feb 12 2015
    Duration     : 6h:53m:29s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    ASA-5510# show vpn-sessiondb l2l
    Session Type: LAN-to-LAN
    Connection   : *.*.56.250
    Index        : 6                      IP Addr      : *.*.56.250
    Protocol     : IKEv1 IPsec
    Encryption   : 3DES AES256            Hashing      : SHA1
    Bytes Tx     : 2931026707             Bytes Rx     : 256715895
    Login Time   : 02:02:41 EST Thu Feb 12 2015
    Duration     : 13h:10m:03s

    Hi Rico,
    You need to dynamic-NAT (to an available IP address) on both sides for each remote subnet to access the other remote side's subnet, so they can access each other's subnet as if both were originating the traffic from your central location.
    Example:
    Let's say this IP (10.10.10.254) is an unused IP at the central office, permitted to access remote tunnel "A" and site "B".
    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination static SITE-B SITE-B
    nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination static SITE-A SITE-A
    Hope this helps
    Thanks
    Rizwan Rafeek
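
Why the translation in the reply above gets Site B traffic into the Site A tunnel, as an added example that is not part of the thread: the ASA matches the crypto ACL against the post-NAT packet, and the posted HOLT-VPN-ACL only selects CBO-NET to SITE-A. The Python below parses that subset of the configuration and checks both cases. CBO-NET is never defined in the thread, so 10.10.10.0/24 is an assumption, and the function names are illustrative.

```python
import ipaddress

# Constructed input. SITE-A, SITE-B, the crypto ACL line and the two nat lines
# are as posted in the thread. CBO-NET is referenced there but never shown;
# 10.10.10.0/24 is an assumption chosen so that the reply's 10.10.10.254
# falls inside it.
CONFIG = """\
object-group network SITE-A
 network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
 network-object 192.168.46.0 255.255.255.0
object-group network CBO-NET
 network-object 10.10.10.0 255.255.255.0
access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A
nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination static SITE-A SITE-A
nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination static SITE-B SITE-B
"""


def parse(text):
    """Return (object_groups, crypto_acls, nat_rules) for the subset of ASA
    syntax used in CONFIG. Any other line is ignored."""
    groups, acls, nats, current = {}, {}, [], None
    for line in text.splitlines():
        p = line.split()
        if p[:2] == ["object-group", "network"] and len(p) == 3:
            current = groups.setdefault(p[2], [])
        elif p[:1] == ["network-object"] and len(p) == 3 and current is not None:
            net = p[2] + "/32" if p[1] == "host" else f"{p[1]}/{p[2]}"
            current.append(ipaddress.ip_network(net))
        else:
            current = None
            if (len(p) == 9 and p[0] == "access-list"
                    and p[2:6] == ["extended", "permit", "ip", "object-group"]
                    and p[7] == "object-group"):
                acls.setdefault(p[1], []).append((p[6], p[8]))
            elif (len(p) == 10 and p[0] == "nat"
                    and p[2:4] == ["source", "dynamic"]
                    and p[6:8] == ["destination", "static"]):
                # (real source group, mapped address, real destination group)
                nats.append((p[4], ipaddress.ip_address(p[5]), p[8]))
    return groups, acls, nats


def in_group(groups, name, ip):
    return any(ip in net for net in groups.get(name, []))


def translate(groups, nats, src, dst):
    """Apply the first matching twice-NAT rule; return the post-NAT source."""
    for src_grp, mapped, dst_grp in nats:
        if in_group(groups, src_grp, src) and in_group(groups, dst_grp, dst):
            return mapped
    return src


def selects_tunnel(groups, acls, acl_name, src, dst):
    """True if the crypto ACL would select this packet for encryption."""
    return any(in_group(groups, s, src) and in_group(groups, d, dst)
               for s, d in acls.get(acl_name, []))


def spoke_to_spoke(src, dst, use_nat):
    """Return (post-NAT source, whether HOLT-VPN-ACL selects the packet)."""
    groups, acls, nats = parse(CONFIG)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    post_src = translate(groups, nats, src, dst) if use_nat else src
    return str(post_src), selects_tunnel(groups, acls, "HOLT-VPN-ACL", post_src, dst)


if __name__ == "__main__":
    # A Site B host pinging a Site A host, without and with the reply's NAT.
    for use_nat in (False, True):
        print(use_nat, spoke_to_spoke("192.168.46.10", "192.168.42.20", use_nat))
```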

  • SSH VPN Site to Site ?

    Is there any such thing as a SSH VPN Site to Site ?
    Also, if using IPSec 3Des, is there a way to tune the packet size for a Site to Site VPN? If there is, what are the recommendations?

    Calling it an SSH tunnel would be incorrect. However, if the requirement is that you should be able to ssh into the PIX firewalls from behind each other then all you need is allow the ssh from the outside interface of the other PIX. E.g. :
    PIX 1 outside IP : 1.1.1.1
    PIX 2 outside IP : 2.2.2.2
    On PIX1 : ssh 2.2.2.2 255.255.255.255 outside
    On PIX2 : ssh 1.1.1.1 255.255.255.255 outside
    I've given the commands assuming the name of the interface that connects to the internet is 'outside'. If I've not understood the requirement correctly, please explain it in detail.
    HTH,
    Please rate if it helps,
    Regards,
    Kamal

  • Poor Network Performance from VPN sites

    We are experiencing poor network performance when connecting from hardware VPN sites. VPN sites have Cisco Hardware VPN client 3002 which terminates to Cisco 3005 VPN concentrator. Getting upload/download speeds of 355/484kbps from VPN to surewest.com. If I remove the VPN and connect laptop directly to dsl modem, speeds are 3mb up and 1mb down. Any ideas what could be causing this?

    Try this
    Adjust the MTU and MSS size in concentrator and client.
    Try these links for more info:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

  • Advice with Site-to-Site VPN Setup

    Hi all
    I'm needing to set up a site to site VPN specifically for deploying multiple IP phones at a remote site.  I need help selecting the right hardware.
    At my central site with the phone system (Samsung 7100) I have an ADSL connection using a Linksys AG300 dedicated to the phone connection.  At my remote site I currently do not have a device, though have been playing with a DLink dir-130 that refuses to play nice with the AG300.  The remote site connects to the interweb via a router I don't control but will do VPN passthrough.
    My central site is a static IP, but the remote site is not.
    Can anyone suggest the right piece of kit?  The rv042 looks like it may be OK, but I need to be certain.  Note that the devices either end will be the VPN endpoints ie no servers/firewall appliances either end.
    TIA

    Hi Nigel,
    I will give you some choices and some basic reasons for my selection. There are a lot more routers in the portfolio, but from your posting you seem to intimate you want to check out the lower priced Cisco Small Business products.
    1.SR520-FE-K9
    A very very low cost Cisco IOS based router.
    it offers the advantages of Cisco IOS CLI in a low low price
    excellent debugging
    excellent counters
    can be managed by the free utility Cisco Configuration Assistant
    supported by Cisco TAC
    Allows for site to site IPSec VPN tunnels
    There are two  ADSL variants   SR520-ADSL-K9 SR520-ADSLI-K9
    Wireless versions as well..but check datasheet.
    2. RV220W  or RV120W (relatively new)
    Gui only configuration
    provides IPSec tunnel between gateways
    enhanced software  compared to older WRV2XX
    VLAN and trunk support
    PPTP server (with RV220W)
    Gig wan and LAN ports on the RV220w
    supported by Cisco Small Business Support Center
    3. RV042  (refresh of a popular router , newly released Version 3 hardware and new firmware)
    Gui only configuration
    provides IPSec tunnel between gateways
    improved software
    VLAN and trunk support
    PPTP server as well
    supported by Cisco Small Business Support Center
    Moving up in features and price, you could check out the;
    4. SA500 series ( with newly released version 2 firmware)
    A very capable box offering IPSec tunnels as well as
    termination for SSL client vpn tunnels
    option for IPS, content filtering , trend integration
    But spend some time and really check out the datasheets on all these products.
    Also, if you are a Cisco partner there is a management GUI emulator for the RV220W, RV120W, SA500. It does go too deeply into the configuration as it is only an emulator, but it provides a great insight into how easy these products are to configure via their built-in GUIs.
    https://supportforums.cisco.com/community/netpro/small-business/onlinedemos?view=overview%20target=
    regards Dave

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
    Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

  • VPN Site-To-Site

    I have 6 company sites that I would like to interconnect by VPN; two tunnels would be created, one for data and one for voice.
    I have some questions regarding configuration, security, quality and availability.
    The infrastructure I have in mind is as follows:
    The 6 sites are in different parts of the city, most with a DSL connection. I thought of using DynDNS to identify them on the Internet. Each site will have a sequential IP range, the main network equipment will be standardized, and the cabling infrastructure is being redesigned.
    1 - RV042 centralizing the tunnels.
    5 - WRV210 connecting to the VPN concentrator.
    As this is the first time I am doing a project of this kind, I ask for your guidance on how to proceed; any and all tips are welcome.
    Thank you all for your attention.

    Hello Farnell,
    This is possible, no problem at all
    What you will need to do:
    Include the traffic in the No_Nat rules on all of the sites for this traffic
    Configure routes pointing to the other subnet via the Azure device.
    Include in the crypto map to the azure site the traffic from both subnets
    Afterwards my friend, you should be up and running!
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • IOS SSL VPN application issues

    Hi,
    I have setup WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.
    Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).
    If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.
    I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.
    Anyone else experienced this?
    Thanks
    Scott

    Farrukh,
    As requested please see related config below:
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authentication login sdm_vpn_xauth_ml_3 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    ip cef
    crypto pki trustpoint TP-self-signed-569873274
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-569873274
    revocation-check none
    rsakeypair TP-self-signed-569873274
    crypto pki certificate chain TP-self-signed-569873274
    certificate self-signed 01
    interface GigabitEthernet1/0
    description $SWDMADDR:192.168.0.2$
    ip address 10.0.0.1 255.255.255.0
    no ip route-cache cef
    interface GigabitEthernet1/0.1
    encapsulation dot1Q 1 native
    ip address 192.168.0.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    no ip route-cache same-interface
    interface GigabitEthernet1/0.20
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    ip helper-address 10.0.0.1
    no ip route-cache same-interface
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    ip mtu 1452
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ip local pool TEST 192.168.20.200 192.168.20.240
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    access-list 101 remark WEBVPN
    access-list 101 permit tcp any host 203.206.169.63 eq 443
    access-list 101 deny ip any any log
    route-map SDM_RMAP_1 permit 1
    match ip address 102
    webvpn gateway gateway_1
    ip address 203.206.169.63 port 443
    ssl trustpoint TP-self-signed-569873274
    inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn context Default_context
    ssl authenticate verify all
    no inservice
    webvpn context visicom
    secondary-color white
    title-color #669999
    text-color black
    ssl authenticate verify all
    url-list "WEB"
    heading "Welcome"
    url-text "OWA" url-value "http://192.168.0.10/exchange"
    policy group policy_1
    url-list "WEB"
    functions svc-enabled
    svc address-pool "TEST"
    svc keep-client-installed
    svc rekey method new-tunnel
    svc split include 192.168.0.0 255.255.255.0
    svc split include 192.168.20.0 255.255.255.0
    svc split include 10.10.10.0 255.255.255.0
    default-group-policy policy_1
    aaa authentication list sdm_vpn_xauth_ml_3
    gateway gateway_1
    inservice
