IPSec VPN with VTI behind DSL router

Hi All,
Is it possible to use a VTI tunnel interface on a router when the outside interface has a private IP address and is connected to a DSL modem with a static public IP address, in other words when the router sits behind the DSL modem?
Router gi0/1        -->        DSL Modem     -->     Internet  --> to HQ (Firewall with static IP)
Outside 192.168.1.2            WAN static public IP
                                                       LAN 192.168.1.1
Interface config:
interface GigabitEthernet0/1
 ip vrf forwarding Internet-VRF
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
end
Tunnel config:
crypto isakmp policy 282
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
crypto isakmp key 0 PSK address xxx.xxx.xxx.xxx
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set aes256-sha
 set pfs group2
interface Tunnel1
 ip vrf forwarding Internet-VRF
 ip address 172.27.82.254 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source Gi0/1
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.xxx
 tunnel protection ipsec profile VPN
I have been digging into the Cisco documentation but have found no answer.
Thanks in advance.

Both the remote and the hub router will detect the existence of a NAT device in between, which causes both routers to switch over from UDP port 500 to UDP port 4500 to exchange IKE messages. I suspect there is no switch-over taking place from your log (both using UDP 500), so I suggest you validate whether both routers support the NAT-T feature by checking if they are listening on UDP port 4500.
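The NAT detection the reply refers to is the IKEv1 NAT-D exchange of RFC 3947: each peer hashes the addresses and ports it believes it is using, and the other side recomputes the hash over the addresses it actually sees in the packet; a mismatch means a NAT rewrote them and both sides float to UDP 4500. The script below is an added illustration of that mechanism for the spoke-behind-DSL case in this thread (not the poster's configuration or Cisco code); the hub address 198.51.100.5, the DSL router's public address 203.0.113.10 and the ISAKMP cookies are constructed sample values.

```python
"""IKEv1 NAT-Traversal discovery (RFC 3947 NAT-D payloads), modelled for a
spoke whose outside interface (192.168.1.2) sits behind a NATting DSL router.
Added example; addresses and cookies are constructed, not from the thread.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500       # initial ISAKMP port
NATT_PORT = 4500     # port both peers float to once a NAT is detected

# Constructed 8-byte ISAKMP cookies (in a real exchange they are random).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """RFC 3947 s3.2: HASH = HASH(CKY-I | CKY-R | IP | Port).

    The hash function is the one negotiated in the ISAKMP policy; the
    thread's 'hash sha' means SHA-1. IP is the packed address (4 bytes for
    IPv4), Port is 2 bytes in network byte order.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port,
                         hash_name="sha1"):
    """A peer sends one NAT-D for the remote address/port it is sending to,
    then one for the source address/port it believes it is sending from."""
    return {
        "destination": nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
        "source": nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name),
    }


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port,
               my_ip, my_port, hash_name="sha1"):
    """Receiver recomputes both hashes over what the IP/UDP header actually
    carries. Returns (peer_is_behind_nat, i_am_behind_nat)."""
    peer_nat = received["source"] != nat_d_hash(
        cky_i, cky_r, observed_src_ip, observed_src_port, hash_name)
    my_nat = received["destination"] != nat_d_hash(
        cky_i, cky_r, my_ip, my_port, hash_name)
    return peer_nat, my_nat


def negotiate_port(peer_nat: bool, i_nat: bool) -> int:
    """If either side saw a mismatch, the remaining IKE and the ESP traffic
    move to UDP 4500 (UDP-encapsulated ESP); otherwise IKE stays on 500."""
    return NATT_PORT if (peer_nat or i_nat) else IKE_PORT


def simulate(spoke_private_ip, nat_public_ip, nat_public_port, hub_ip):
    """Spoke builds NAT-D from the addresses it knows (its private outside IP
    and the hub IP); the hub receives the packet after the DSL router has
    rewritten the source to its public address and possibly a new port."""
    spoke_payloads = build_nat_d_payloads(
        CKY_I, CKY_R, spoke_private_ip, IKE_PORT, hub_ip, IKE_PORT)
    peer_nat, hub_nat = detect_nat(
        CKY_I, CKY_R, spoke_payloads, nat_public_ip, nat_public_port,
        hub_ip, IKE_PORT)
    return {
        "hub_sees_spoke_behind_nat": peer_nat,
        "hub_itself_behind_nat": hub_nat,
        "port_after_detection": negotiate_port(peer_nat, hub_nat),
    }


if __name__ == "__main__":
    # The thread's topology: private outside IP, DSL router holds the public IP.
    print(simulate("192.168.1.2", "203.0.113.10", 500, "198.51.100.5"))
    # Control case: spoke owns the public IP directly, no NAT in the path.
    print(simulate("203.0.113.10", "203.0.113.10", 500, "198.51.100.5"))
```

If the spoke really is behind the DSL router and the hub still reports the peer on port 500, the NAT-D exchange was never completed, which is what the reply's suggestion to confirm NAT-T support and UDP 4500 on both ends is checking; on IOS, `show crypto ipsec sa` shows the peer's port next to `current_peer`.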

Similar Messages

  • QuickVPN - RV110W behind DSL Router

    Hi all,
    I have a Cisco RV110W behind an Actiontek V1000H DSL router supplied by my ISP.
    I'd like to be able to make use of the Cisco QuickVPN client. According to my ISP placing the Actiontek into bridge mode cannot be done.
    On the Actiontek I have forwarded the following ports to my RV110W's address:
    60443/tcp
    4500/udp
    500/udp
    On the RV110W I have ensured that remote management is enabled (on port 60443).
    When attempting to connect with the client (using port 60443) - I get this far:
    2012/01/30 11:16:21 [STATUS]OS Version: Windows 7
    2012/01/30 11:16:21 [STATUS]Windows Firewall Domain Profile Settings: ON
    2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
    2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
    2012/01/30 11:16:21 [STATUS]One network interface detected with IP address 192.168.245.164
    2012/01/30 11:16:21 [STATUS]Connecting...
    2012/01/30 11:16:22 [DEBUG]Input VPN Server Address = xx.xx.xx.xx
    2012/01/30 11:16:22 [STATUS]Connecting to remote gateway with IP address: xx.xx.xx.xx
    2012/01/30 11:16:22 [WARNING]Server's certificate doesn't exist on your local computer.
    2012/01/30 11:16:23 [WARNING]Remote gateway wasn't reached...
    2012/01/30 11:16:23 [WARNING]Failed to connect.
    2012/01/30 11:16:23 [WARNING]Failed to connect!
    Any suggestions? Is this configuration even possible?
    Thanks!

    Hi, Rudi & Craig
    I just tested another, different way, as in Craig's book: I set the
    Master's IP to the DSL router's inside IP, which is the same as the "PUBLIC" network card's
    IP address (10.0.0.101), when setting the MASTER's configuration in
    iManager, and it is still working fine. Then it will be the best way if the ISP
    changes my static public IP.
    BTW, Craig, when you have a chance, can you mention this on your web site or
    in your book (when you have a new version of the book): BM38SP5 has a bug, the
    vpn.jar cannot set a Non-BM VPN Slave (I used a Linksys router for the Slave
    server). I called a Novell support engineer; he said Novell knew about this error, and
    I have to use the vpn.jar from BM38SP4_IR5 to set up the Non-BM VPN Slave.
    But there is another problem: the vpn.jar from BM38SP4_IR5 cannot set the
    MASTER VPN server. The only way to do the job is to install BM38SP5, set up the
    MASTER VPN server, set up the C2S VPN, then copy in the vpn.jar from
    BM38SP4_IR5 to set up the Non-BM VPN Slave. I hope you can understand my
    poor English.
    James
    > Rudolf Thilo wrote:
    > Hello James.
    >> In Craig's book, there is a sample
    >> for VPN Slave Server behind DSL router.
    >> But I don't know I can setup Master VPN
    >> server behind DSL router or not.
    > It works, starting with BM3.8. IIRC Craig has an example
    > in his book? You will need to specify the DSL router's
    > (static!!) public IP address as the MASTER's public IP
    > when setting up the MASTER's configuration.
    > Regards, Rudi.

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming UDP 500, UDP 4500 and ESP traffic to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2, and PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes the VPN much simpler and easier, but I'd like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and the ASA. Thanks in advance for your help!
    C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think that you want the ASA to control all outbound traffic from the LAN to the outside.
    I suggest some modifications, as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and respond.
    Best regards,
    MB

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    I need urgent help in configuring a Client to Site IPSec VPN with hairpinning on a Cisco ASA5510 running 8.2(1).
    The following is the Layout:
    There are two leased lines for Internet access, 1.1.1.1 and 2.2.2.2, the latter being the standard default route and the former the backup.
    I have been able to configure the Client to Site IPSec VPN
    1) with access from outside to only the internal network (172.16.0.0/24) behind the ASA, and
    2) with split tunnel, with simultaneous access to the internal LAN and the outside Internet.
    But I have not been able to make the traditional hairpinning model work in this scenario.
    I followed every possible suggestion made in this regard in many discussion topics, but still no luck. Can someone please help me out here???
    Following is the running-config with the normal Client to Site IPSec VPN configured, with no Internet access:
    LIMITATION: I can't boot into any other IOS image for some unavoidable reason; I must use 8.2(1).
    running-config --- working normal Client to Site VPN without Internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
    Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
    That is, I need clients connected via the VPN tunnel, when connecting to the Internet, to have their IPs NAT'ed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
    I'm not very conversant with everything involved here, so please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, I got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and there was also the left-out DNS. It's working fine now.
    But my problem is not fully solved here.
    Does the hairpinning model also allow access to the campus LAN behind the ASA? Because the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
    Here is the packet-tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1) the LAN behind the ASA, and
    2) the Internet via hairpinning
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN as well?
    Thanks & Regards
    Abhijit

  • RV180 behind DSL-ROUTER can't connect with QuickVPN

    Hello,
    I want to ask if it is possible to configure the RV180 behind my DSL router to connect using QuickVPN. First I tried to connect to the PPTP server and it worked fine, but when I tried to connect using QuickVPN, it seems to connect, but when the client says "verifying network", after a while the message "network not responding..." appears.
    In my DSL router I forwarded these ports: UDP: 500, 4500, 443, 60443 - TCP: 443, 60443 (I don't know if the TCP ports are needed, but I opened them for testing) and allowed protocol ESP (it comes with the rule to allow IPSEC-L2TP).
    Thanks!

    Hello Siva,
    From where do I have to test reachability? From the computer where I have installed the QuickVPN client I can reach the WAN interface of the DSL router, which is doing NAT and forwarding the ports I mentioned to the WAN interface of my RV180. The network between the DSL router and the RV180 is using private IPs.
    The schema is:
    Internet ---- (public ip) dsl router (192.168.1.1) ---- (192.168.1.50)RV180(10.0.0.1) ----- my network 10.0.0.0/24
    In the document you posted it is explained:
    "Your Cisco router must have a direct public IP address for QuickVPN to work, please check under the status tab and your internet connection type and make sure it has a public IP address and it is not behind another router. This issue is more common with DSL connections; if you are behind another router/modem you should request your ISP to turn it into bridge mode so our router can be the border router between your LAN and your ISP."
    It's my configuration. I will look how to turn my DSL router into a bridge. Thanks.

  • Cisco ASA 5505 site to site IPSec VPN with RV220W issue

    I have an ASA5505 connected to an RV220W through an IPSec VPN. When using SMB to transfer a large file, the ASA5505 shows this error message:
    CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
    The error message comes from debug crypto engine. When the message shows, the speed of the transfer slows down quickly, and eventually no data can go through between the ASA and the RV220W. But the IPSec SA and the IKE SA are active, and I can ping the inside network at both sites.
    Both the ASA5505 and the RV220W have been updated to the latest firmware. I have searched Google but found no related issue.
    Any suggestions on where to look would be much appreciated.
    Thanks in advance
    Terry

    Hi Ted thanks for your reply and information.
    The strange thing is that the RV220W shows the IPSec SA as expired, but on the ASA5505 the IPSec and IKEv1 SAs are active. The internal networks at both sites can ping the other side, but can't transfer files through Windows SMB. It seems that when I transfer over 4 GBytes of files it starts happening, and I have to clear the IPSec and IKEv1 SAs so that the VPN tunnel comes up again.
    I have already surrendered on this issue......

  • How to access Time Capsule drives behind DSL Router over WAN

    Hello everyone,
    I have an older Time Capsule (with USB drive) connected to my Hitron CGN3 DSL wireless router over Ethernet.
    I have turned off the wireless functionality of the TC since the router seems to be much faster on Speedtest.net. 
    I have my TC and attached USB drive setup to share over WAN but am getting a Double NAT error.
    It doesn't seem like I can turn off NAT on my Router.
    I can't run the TC in bridge mode because it will remove the Share over WAN option for the TC and Drive.
    Is it possible to setup the TC and attached USB drive to the router, without wireless on, so that I can access the TC and drive over the internet?
    Any help would be soooooo appreciated!!!
    Thanks!
    Ian

    Does anyone know why my Time Capsule drive sharing needs to be set to disk password?
    You can set the TC disks to user accounts.. at least you can on older TC with older airport utility.. but there are consequences which you discovered.
    If you set accounts.. you will have major issue with the existing files.. they will all disappear.
    The old v5 utility gives you this warning.. which somehow Apple forgot on new version.
    It actually makes all the present files disappear for all users. The warning just doesn't go far enough. You do this on a blank TC.. and of course the USB drive is just the same.. you cannot use different settings on that to the TC internal drive. So offload all your files.. create accounts on a bare TC.. load the files back into the correct user profiles.
    In the end you probably want more flexibility than a TC is designed for.. buy something designed for remote access.. WD MyCloud.. it is hugely superior.
    Also. . .  I am trying some File manager apps for my iPhone in hopes that i can connect to the same drive with it.  So far no luck with the free versions of FileBrowser Lite or File Explorer Free.
    Most are SMB based.. not AFP.. Apple offer only two protocols.. SMB and AFP. But no responsible ISP allows SMB over the internet. The flood of files from hacked windows machines would bring the internet to a grinding halt.
    People do get around it.. you can use filebrowser for instance by opening SMB to the outside world on a non-standard port.
    See http://www.stratospherix.com/support/gsw_timecapsule.php?page=6remote
    But this is incredibly risky.. there is very poor security and it is not a great idea. The AFP security is much better than SMB.
    If you want security use something other than TC.. any real NAS that offers VPN access for instance. The cost of a WD MyCloud is very reasonable when you look at the flexibility of the design. But any decent NAS will offer real remote access.. not Apple's limited pretend version.

  • Using Airport Express with an ATT DSL router

    July 10, 2012
    Hi All! The following thoughts are for
         1) those of you who use ATT DSL as your internet service-provider, and
         2) who wish to stream iTunes songs from your computer to speakers in other rooms via AIRPORT EXPRESSes, and
         3) are wondering whether you have to purchase a separate Apple Airport Extreme base-station, or can simply use your existing ATT router.
    Having just spent several days and many hours on the phone before Apple's tech "Dan" was finally able to get my system up and running, I thought some of you might appreciate my sharing the following info while it's still fresh in my mind.
    1. You may need to update your ATT router to the latest version, in order for it to properly communicate with your AIRPORT EXPRESS(es) (henceforth shortened to "AEs").  The AEs use 802.11n speed.  My original ATT router (a 2Wire 2701HG-B) was no faster than "-h,"  and this might have been part of the problem as to why my system wouldn't work.  I went to my local AT&T store, and got their latest router: as of this writing, a Netgear "Westell"  Model B90-755025-15, which can run at both the slower speeds as well as the faster "-n."  To find out some of the specs of my router, an Apple tech had me type in the 10 digits of my Gateway IP Address into the address-bar (no need for the "https://www") and "Presto!", up popped several pages of info on my router.
    2. When first setting up your AE, it needs to be back in "default mode."  If it's right out of the box, you don't need to do anything.  But if, like me, you've already made several attempts to get it running, then you need to reset it to its pre-configured state.  You do that by taking a bent paper-clip, and inserting one end into the little hole on the ports-side of your AE (near where the mini-plug of a speaker-cable is inserted). While the device is plugged in, gently press the paper-clip into the hole until the light on top blinks amber QUICKLY, the flashes coming in rapid succession.  Then remove the paper-clip, and the AE will glow solid amber--meaning it's waiting to be re-programmed.
    3. When first setting up your AE, do NOT attach an ETHERNET CABLE from the router.  The only cable that needs to be attached is the mini-plug cable running to some sort of portable, powered speaker.  For myself, to make things easier, I brought my AE and my new Sony RDP-M5iP speaker/dock into the same room as my Imac & router. That way, I'd know immediately if the AE was working correctly.
    4. After you've clicked on your Airport Utility App (hard drive TO Applications TO Utilities folder), you'll soon come to a page that asks you to name your AE (this page calls it a "base station").  Before you do that, you should see a button in the lower left-hand corner that says, "Other Options."  Click on it.  You'll then be given a choice of "Creating a New Network"  or "Choosing an Existing Network."  You want this 2nd choice--because you indeed are planning to use your ATT router's existing wireless network.
    5. Shortly, you'll come to the page asking you to name your AE.  Call it, for instance, "Family Room Speaker." As for password, at first I--as well as virtually all of the techs with whom I spoke--thought I should type in the multi-digit ATT router-password (called a "Wireless Network Key").  But finally, "Dan" told me to simply type in, "express1"  (or, for my 2nd AE, "express2").  That did the trick! 
    6. Your AE should now be glowing green on top.  Plus, on the 10x6" dark-grey rectangular box displaying the globe (i.e., your main internet connection), the globe should have a now-green glowing circle to its left.  And underneath, it should be displaying a rectangle named "Family Room Speaker" (or whatever name you've given your Airport Express).
    7. When you now open iTunes, you should see a little blue rectangle (with a triangle in its middle) in the lower right-hand corner of your iTunes box.  Click on it, and it should show listed both your computer-speaker as well as your AE speaker(s), plus a heading called "multiple speakers."  Click on "multiple,"  and it will bring up a box displaying all your now-current speakers.  Check the small square next to any speakers that are unchecked, and a volume-slider will appear.  Bring them all up to a comfortable level.  Then click on an iTunes track you'd like to play and, voilà!, you should hear music playing both from your computer and from the portable speaker to which your AE is attached.
    8. Now close iTunes. Then unplug your Airport Express and--if you have a 2nd AE-- plug them both back into your power-strip. Go thru the set-up steps in your Airport Utility App for this 2nd AE.  At the end of it, both AEs should be glowing green on top, and both should be displayed on your computer-screen.
    Now re-open iTunes, and start a song playing.  (Don't forget to click on the blue rectangle at the R-hand bottom, and activate the new AE speaker.)  By inserting your speaker cable alternately into each of the AEs, you should be able to verify that, yes, both are now working.
    9. Unplug both AEs, and bring them to whatever room you want to use them in.  Plug them in to a wall outlet, and run your mini-cable from the AE to the speaker.  Give the AEs a few minutes to pick up the signal once again from your ATT router; when they do, their lights will change from amber back to green. Tech Dan warned me to keep them away from too much metal, to avoid interference. As soon as they turn green, you should now be hearing your iTunes track playing throughout your house! (If not, you may have to first close iTunes on your computer, then re-open it, and start a new track playing.)
    The BOTTOM LINE: no, you don't have to purchase a separate Apple Extreme to be your base-station.  Your ATT router--if it's running at the 802.11n standard--should be able to work with your Airport Express(es)!
    My thanks to Sean and Cameron and  Chris and, most especially, Dan, the Apple techs who patiently worked with me to get this system online. 

    I am GREATLY appreciative of this overview. Even though I don't understand a lot of it. I will keep working through. I am-- have for 2 years-- had terrible connectivity with AT&T's service & 2Wire router. My MacBookPro keeps dropping the signal. I'm talking every few clicks at times. Husband's PC drops it, too, but not nearly as much as the Mac. I'm sure what you posted can help us get better connectivity.

  • VPN with Time Capsule, Linksys router

    We are running SLS 10.6.4 on a Mac Mini over Cox business internet with a fixed IP, and we've been trying to get VPN service working on the Mini through our TC. After some finagling I came across this post which describes the lack of L2TP support in the TC, so we bought a Linksys/Cisco WRV210 VPN router. We do want to keep the TC on the network for file sharing.
    When setting this up, it would seem to me that the WRV210 should be (or would have to be?) the gateway. However, it appears to be limited in the number of ports that can be forwarded (at least without manually editing its config file; the web interface doesn't show enough for our needs). Or maybe there is a way to use the WRV210 for handling VPN access, while mapping a range of other ports to the TC and then on to the server?
    Alternatively, perhaps we can continue using the TC as the gateway, mapping VPN access through the TC to the WRV210?
    If anyone else has any experience with this type of setup, feel free to chime in.

    Having tried this in the past......the only way that I could ever get the WRT54G to connect correctly was by turning off the wireless security on both the Time Capsule and Linksys device.
    Not sure if you want to run an open network.....or even if that will work with newer firmware on the Time Capsule. I believe that I was using 7.4.2 or possibly 7.5.2 at the time.
    But, you never know. Maybe another user has a magic wand.
    My opinion......life would be tons easier if you added an AirPort Express to the Time Capsule network, and added an Ethernet switch with as many ports as you need....and the connection will run 2-3 times faster or more than the WRT54G can provide.

  • Setting up site to site IPSec VPN with RV 120W

    Hi All,
    I am looking to set up a site-to-site VPN between a local and a remote office, with an RV 120W as the gateway on either side. Aside from changing the remote site's IP and subnet, what do I need to do to get this functional? To call myself a well-tooled novice would be appropriate. Any help is appreciated.
    Thanks,
    Scott

    You will most likely need to call the Cisco Small Business Support Center at 1-866-606-1866 so that
    we can assist you in setting up the Gateway to Gateway VPN Tunnel.
    THANKS
    Rick Roe
    Cisco Small Business Support Center

  • RV180W ipsec vpn with multiple networks

    Hello,
    I am setting up a customer site.  One side is RV180W and the other side is Checkpoint 500W.
    RV180W side
    LAN - 192.168.100.0/24
    Checkpoint side
    LAN - 172.26.1.0/24
    VOIP - 172.26.2.0/24
    I need to set up an IPsec tunnel between the sites.  However, from the RV180W side I can only ping the VOIP network, but not the LAN.  Need help.  I have heard that the RV180W can only talk to one remote network via IPsec, correct?  Is there any other way to work around this other than changing out the RV180W?  Thanks.
    Ho

    Hi Tom,
    I have a similar situation, needing to setup 3 tunnels to the same endpoint.  Each tunnel has a different remote LAN setting, but I can only get one tunnel to work at a time.  I have to disable the other two.  For more details, see my posting: https://supportforums.cisco.com/message/3781143#3781143
    How can I setup 3 IPSEC tunnels to the same endpoint?
    Marshall

  • How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000

    Hello all.
    This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
    I have successfully configured an IPSec VPN tunnel between a Scientific Atlanta Cisco 2320 router and an RVS4000 4-Port Gigabit Security Router with VPN.
    On the site of Router Scientific Atlanta Cisco 2320 this is some info:
    WAN IP: A.A.A.A
    Router Local IP: 192.168.5.1
    Subnet: 192.168.5.X
    Subnet Mask: 255.255.255.0
    On the site of RVS4000 4-Port Gigabit Security Router with  VPN this is some info:
    WAN IP: B.B.B.B
    Router Local IP: 192.168.0.10
    Subnet: 192.168.0.X
    Subnet Mask: 255.255.255.0
    Remember that you can not be on the same range of IP, I mean, you can not have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers.
    I show the configuration on Router Scientific Atlanta Cisco 2320:
    I show the configuration on RVS4000 4-Port Gigabit Security Router with  VPN:
    If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
    If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with  VPN the Status Up:
    As you can see, I'm connected to the remote router (RVS4000 4-Port Gigabit Security Router with VPN) from my own web browser, accessing it by the local IP 192.168.0.10.
    I have used MD5 authentication; maybe it is not the best one, but I had no time to test SHA1. I will when I have time.
    I hope this helps anyone who needs to do this.
    Best regards!

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch

  • How to reduce the IPSec VPN connection establishment time

    Hi,
    I set up an IPSec VPN with NAT-T between two Cisco 871 routers. In particular, one router acts as a SERVER and the other one as a CLIENT. All the traffic coming from the hosts connected to the CLIENT router is sent over the VPN (no split tunnel). Everything works perfectly.
    The only problem is the amount of time the VPN takes to establish the first connection between the two routers. In particular it takes about two minutes.
    Could anybody tell me if this amount of time can be reduced (with a particular configuration instruction)?
    Or this is the minimum amount of time required for the first connection establishment?
    Thank you for your help.

    Sara,
    Two minutes sounds like a lot of time even with a super slow Internet connection. Could you share your configs to see if there is anything in the VPN config that is adding such a huge delay? The connection establishment shouldn't take more than a few seconds.
    Thanks,
    Raga

  • How to check the port status in IPSec VPN

    Hi Experts,
    Is there any way by which we can find out whether UDP port 500 is blocked on the ISP side?
    My IPSec VPN, configured between two Cisco routers in the production network, is not coming up, and experts are saying that the ISP has blocked port 500 somewhere in between; however, the ISP denies it and says they don't block any port.
    Kindly suggest what would be the best way out.
    Thanks

    Thanks Marvin,
    How could I capture the traffic from the initiating peer so that I can figure out whether UDP port 500 is blocked or not, with the help of Wireshark?
    In my network an ONT/modem (having four Ethernet ports) is installed at both ends, and from one of its ports the router is connected at each side, with the IPSec VPN configured between the routers. To check the UDP port status, my question is: should I connect my laptop (running Wireshark) to one of the ports of the ONT and capture the traffic, or is there another way? And how will that traffic tell me whether port 500 is blocked or not?
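    The check asked about above, as an added example that is not part of this thread or of any vendor tool: a small Python parser for the fixed ISAKMP header that classifies what a capture taken on the initiating side shows, namely "our router retransmits on UDP/500 and nothing comes back", "the peer answers on UDP/500", or "both sides floated to UDP/4500 (NAT-T)". Everything in it is constructed: the IP addresses, the SPIs and the packet tuples stand in for what a pcap reader would hand you; only the 28-byte ISAKMP header layout and the 4-byte non-ESP marker in front of IKE on UDP/4500 are real protocol formats.

```python
"""Classify IKE traffic seen from the initiating peer.

Added example, not from the thread. Packets are constructed 5-tuples
(src_ip, dst_ip, sport, dport, udp_payload); in practice you would fill
them from a capture taken between the router and the ONT/modem.
"""
import struct
from collections import defaultdict

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 marker ahead of IKE on UDP/4500
ISAKMP_HDR_LEN = 28
IKEV1_MAIN_MODE = 2                     # ISAKMP exchange type "Identity Protection"


def build_isakmp(i_spi, r_spi, exch_type, natt=False):
    """Build a bare ISAKMP header (no payloads). Only used to construct samples."""
    hdr = struct.pack("!8s8sBBBBII", i_spi, r_spi, 0, 0x10, exch_type, 0, 0, ISAKMP_HDR_LEN)
    return (NON_ESP_MARKER + hdr) if natt else hdr


def parse_isakmp(payload):
    """Parse the fixed ISAKMP header from a UDP payload; None if it is not IKE."""
    data, natt = payload, False
    if data[:4] == NON_ESP_MARKER:          # NAT-T encapsulation on UDP/4500
        data, natt = data[4:], True
    if len(data) < ISAKMP_HDR_LEN:
        return None
    i_spi, r_spi, _nxt, ver, exch, _flags, _msg_id, _length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if ver >> 4 not in (1, 2):              # major version: 1 = IKEv1, 2 = IKEv2
        return None
    return {"i_spi": i_spi, "r_spi": r_spi, "exchange": exch,
            "natt_encap": natt, "major": ver >> 4}


def analyze_ike(packets, local_ip):
    """Return one verdict per initiator SPI, keyed by the SPI in hex."""
    per_spi = defaultdict(lambda: {"sent_500": 0, "recv_500": 0,
                                   "sent_4500": 0, "recv_4500": 0})
    for src, _dst, _sport, dport, payload in packets:
        if dport not in (IKE_PORT, NATT_PORT):
            continue
        hdr = parse_isakmp(payload)
        if hdr is None:
            continue
        direction = "sent" if src == local_ip else "recv"
        per_spi[hdr["i_spi"]][f"{direction}_{dport}"] += 1

    verdicts = {}
    for spi, s in per_spi.items():
        if s["sent_500"] and not (s["recv_500"] or s["recv_4500"]):
            verdicts[spi.hex()] = "no-reply-udp500"      # filtered path or silent peer
        elif s["sent_4500"] or s["recv_4500"]:
            verdicts[spi.hex()] = "natt-4500"            # NAT detected, ports floated
        else:
            verdicts[spi.hex()] = "ike-udp500-ok"        # plain IKE, peer answering
    return verdicts


# Constructed sample data (documentation address ranges, made-up SPIs).
LOCAL, PEER = "192.168.1.2", "203.0.113.10"
SPI_A = bytes.fromhex("a1a2a3a4a5a6a7a8")
SPI_B = bytes.fromhex("b1b2b3b4b5b6b7b8")
SPI_R = bytes.fromhex("c1" * 8)
ZERO = bytes(8)

# Capture 1: local router retransmits MM1 on UDP/500, nothing ever comes back.
BLOCKED_CAPTURE = [
    (LOCAL, PEER, 500, 500, build_isakmp(SPI_A, ZERO, IKEV1_MAIN_MODE)),
    (LOCAL, PEER, 500, 500, build_isakmp(SPI_A, ZERO, IKEV1_MAIN_MODE)),
    (LOCAL, PEER, 500, 500, build_isakmp(SPI_A, ZERO, IKEV1_MAIN_MODE)),
]

# Capture 2: peer answers on 500, NAT is detected, both sides move to UDP/4500.
NATT_CAPTURE = [
    (LOCAL, PEER, 500, 500, build_isakmp(SPI_B, ZERO, IKEV1_MAIN_MODE)),
    (PEER, LOCAL, 500, 500, build_isakmp(SPI_B, SPI_R, IKEV1_MAIN_MODE)),
    (LOCAL, PEER, 4500, 4500, build_isakmp(SPI_B, SPI_R, IKEV1_MAIN_MODE, natt=True)),
    (PEER, LOCAL, 4500, 4500, build_isakmp(SPI_B, SPI_R, IKEV1_MAIN_MODE, natt=True)),
]

if __name__ == "__main__":
    print(analyze_ike(BLOCKED_CAPTURE, LOCAL))   # {'a1a2a3a4a5a6a7a8': 'no-reply-udp500'}
    print(analyze_ike(NATT_CAPTURE, LOCAL))      # {'b1b2b3b4b5b6b7b8': 'natt-4500'}
```

    A run of retransmitted first messages from the local side with zero replies on either port is what a filtered UDP/500 path looks like from the initiating peer; it looks identical to a far peer that is simply not answering, so a capture taken on the other side (which shows whether the packets ever arrived) is what separates ISP filtering from a peer-side problem.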

  • IPSec VPN to MPLS (PE)

    Guys, is it possible to set up a site-to-site IPsec VPN to an MPLS-enabled router using a Cisco ASA (ASA5520 --> MPLS)? Is there any configuration problem I need to be aware of?
    Many thanks in advance.

    Thank you all for all your input.
    One thing to clarify: our ASA is sitting behind our ISP router, and the hosting provider is located somewhere on the Internet (outside our ISP network).
    Here is the config sent by the hosting provider, which I believe is an MPLS VPN configuration. The engineer is trying to terminate our ASA IPsec VPN into this config. Will it work?
    ip vrf vs319776
    description vfi240 - CLIENT1 vs319776
    rd 7496:319776
    maximum routes 10 100
    crypto keyring vs319776
    pre-shared-key address 203.x.x.7 key --omitted--
    crypto isakmp profile vs319776
    vrf vs319776
    keyring vs319776
    match identity address 203.x.x.7 255.255.255.255
    keepalive 10 retry 2
    crypto dynamic-map VPN 390
    set transform-set 3dessha 3desmd5
    set isakmp-profile vs319776
    match address vs319776
    reverse-route
    interface FastEthernet2/0.673
    ip vrf forwarding vs319776
    ip route vrf vs319776 210.x.x.192 255.255.255.255 202.x.x.206
    ip route vrf vs319776 210.x.x.200 255.255.255.255 202.x.x.206
    ip access-list extended vs319776
    permit ip 10.1.1.192 0.0.0.7 202.x.x.206 0.0.0.7
    permit ip 10.1.1.200 0.0.0.7 202.x.x5.206 0.0.0.7
    deny ip host 0.0.0.0 any
    end
    Our ASA configuration is the normal ASA IPsec L2L config.
