Multiple VPN connection question

Similar Messages

• RV042 VPN Connection Questions

  Hello,
  I have successfully connected two RV042s to establish a VPN gateway to VPN gateway connection. I have the follow questions, please comment:
  1. I would like to keep the VPN tunnel connection time indefinite. Is it sufficient by checking the "Keep-Alive" box on the VPN -> Gateway To Gateway -> Advance page? Or, I have to ping the RV042 periodically?
  2. Do the "Phase 1/Phase 2 SA Life Time" (on VPN -> Gateway To Gateway page) settings have any impact on keeping the VPN connection time indefinite? What are the optimal values for them?
  3. Is there an API, command, or script to replace a manual clicking on the "CONNECT" button to establish the VPN tunnel from the VPN -> Summary page? Or, is there a way to accomplish this at power up?
  4. Is there a way to establish a VPN tunnel without going through login and clicking the "CONNECT" button? (Auto connect at power up?)
  Thank you in advance for the comments.
  Steve

  Hi, Mike,
  I did not do any extensive testings on the RV042s, but I did the following things to my RV042s:
  1. Enabled the "Keep-Alive" feature  (see Administration Guide, page 128),
  2. Enabled the "Dead Peer Detection" feature and set the interval to 10 seconds. (see Administration Guide, page 129).
  Make sure you save the changes.
  These features are available below the "Advanced" button under the VPN selection. I hope this help.
  You can power down the router or disconnect the network to verify the result. The VPN tunnel should be re-established and stay connected.
  Steve

• Multiple VPN Connections through Wireless router

  I have an old LinkSys Wireless router that I use at home to connect to my work's VPN. Recvently I've added a few machines to my network. I need 2 or 3 of them connected to the VPN at work simultaneously. However, if I connect more than one computer to the VPN one of them always drops. I cannot get more than one connection to the VPN. All 3 connections use a different ID and password so it is not an account problem.
  My question is, is this a limitation of the older router? And if I get a new LinkSys Wireless-G router will that allow me to connect more than one machine to the VPN?
  Thank You,
  Jason
  (Mod note: Removed non-public information.)
  Message Edited by Vince_02 on 06-30-2007 10:02 AM

  Hi,
  I'm facing the same issue. i have WRT54G.
  You said something like "you will have to trigger the VPN ports instead of forwarding them."
  Dunno what it means, can you explain it in more non-network-techy language... something which i can do... dunno if i can do it!
  Thanks,
  Santosh.

• Multiple DB connection question.

  I have a MDB that currently processes a message and updates a Oracle DB say Database A. Now we want that MDB to check some flags on a different Oracle database instance, say Database B before it updates the Database A.
  Basically, the during the processing of a message the MDB has to access Database A, Database B and Database A again in that order. My question is whatever I am trying to do is reccommended? Since I need connection to Database A again after I do some woek with Database B, can I still keep that connection around or do I have to close that right away?
  I am using wls 8.1.
  Any suggestions?
  Thanks
  JB

  <p>The short answer is that you can keep both connections around at the same time, without any issues. Just be careful with any cleanup where you close connections, and make sure that both get dealt with regardless of any exceptions that might occur.</p>
  <p>But depending on the number of MDBs in your configured pool, it might be a more efficient use of database connections to create a smaller pool of stateless session beans to hold those database connections and expose utility methods for the queries (which could use prepared statements)</p>
  Kevin Powe<br>
  Senior Consultant
  Message was edited by:
  kevinpowe

• Advice needed for VPN connections

  OK to first describe what I'm looking at .We have a bookmobile that goes to 13 different locations within our county. At each stop we are using the service provider's DSL modem to connect to their network, we have two different providers and staff changes the modem at each stop, and a Cisco831 router to make a VPN connection to our PIX. We are using the router to make the VPN connection so that we can have two staff computers use internal network resources i.e. Library database, network drives, e-mail. We tried using Cisco VPN client on the local machine but when we have two clients going on two machines at the same time neither would work. So we let the router make that connection.
  We are going to have two bookmobiles operating and I need to purchase another router to make the connection and I am wondering which router would be a better solution for us.
  So for me the question is
  1) should I keep things as they are and buy a 871 and have staff change modems as needed
  2) Should I get an 877, 878 router and make configuration changes daily as needed. Staff have not been able to do this in past. I've enough to do without this!
  3) Up for any suggestions Maybe SDM with a pretty GUI for staff to use. It seems Cisco's CLI was too much for them.
  Thanks to all for any help
  Systems A

  No Nat-traversal is enabled.
  When we tried multiple VPN connections it was through a DSL modem/router. This is why we went to a Cisco831 router and having it make the secure connection to our PIX.
  Thanks for you help

• Question about VPN connections on a E2500 router

  Hello,
  I am working with vpn setups for the first time, so I have some questions I would really appriciate some help with. I would like to be able to connect to a computer on a home network through a linksys E2500 router. I have found alot of documentation on connecting to an external vpn from a computer on the lan side of the router, but nothing on connecting from the outside in. The router does have a static ip address with my internet provider, so I can contact the router from the outside. But makeing the connection to the computer on the other side of the router is where I am missing something or I dont realize that it is not possible. On the lan side I am using DHCP to assign the address to the computer I want to connect to. Perhaps I need to make it have a static address also? I realize that when I configure the connection from the outside that I need to direct the connection to the remote computer in some way, unless vpn connections are fully passed through the router and the connection issue I am haveing is with the "inside" computer.
  Other info:
  I am using windows 7 for the vpn access
  Thank you in advance for your help.

  ChicagoGuy72 wrote:
  Hello,
  I am working with vpn setups for the first time, so I have some questions I would really appriciate some help with. I would like to be able to connect to a computer on a home network through a linksys E2500 router. I have found alot of documentation on connecting to an external vpn from a computer on the lan side of the router, but nothing on connecting from the outside in. The router does have a static ip address with my internet provider, so I can contact the router from the outside. But makeing the connection to the computer on the other side of the router is where I am missing something or I dont realize that it is not possible. On the lan side I am using DHCP to assign the address to the computer I want to connect to. Perhaps I need to make it have a static address also? I realize that when I configure the connection from the outside that I need to direct the connection to the remote computer in some way, unless vpn connections are fully passed through the router and the connection issue I am haveing is with the "inside" computer.
  Other info:
  I am using windows 7 for the vpn access
  Thank you in advance for your help.
  Kindly check these links:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008009436a...

• ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface

  I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
  Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
  Is this possible?
  Thanks,
  Tommy

  When we connect any VPN on a device then it is always a TO THE DEVICE connection and I am afraid we can connect only to the local / nearest interface where user is connected in a network with respect to ASA.
  I have seen this scenario working though earlier with one of my clients wherein he has configured his DNS server accordingly so that depending upon the source of the DNS request an appropriate IP address was provided for same DNS name. For example if user from IP address range 192.168.0.0 range connects to abc.com then it will get IP address 192.168.1.1 and if a user from range IP address10.0.0.0 connects then it will get 10.1.1.1.
  If we configure the same scenario as well then your requirement will be fulfiled with same name however VPN has to be enabled on wireless interface again. If not, then as you have described configuring a new domain name for VPN connection only for wireless users should do the deal.
  Regards,
  Anuj

• How can i allow multiple incoming connections on my windows 8 vpn server?

  Hi eveyone, 
  Im trying to find out how to allow more than 1 incoming VPN connection into my windows 8.1 PC and no clue how to do it without openVPN or other programs (which i have no clue how to set up either)
  Im starting to use my home NAS for work where I store everything on it so when ever I go to a job I can either access it or save a new file to it. The problem is my wife also wants to use it and I dont want to not be allowed to connect when I need to or
  not allow her to connect. 
  Is there any way I can allow 2+ incoming connections on my home PC without getting a seperate software? 
  If the only option is getting a seperate program can anyone provide something that I can settup to my home router so I can access the NAS by the private IP?
  Thank you

    Short answer - no. The client OS only allows one incoming VPN connection.
  Bill

• Certificate error when Lync client login through VPN connection

  Hello,
  I am using the certificates from internal cert authority on Lync 2013 frontend servers and on edge server internal network. Edge external is using a third part certificate.
  The users always use MS VPN connection when work remotely. We have multiple subnets in the company so "use default gateway on remote network" is enabled for routing.
  When the users try to log in Lync client from non-domain joined computers while on VPN, they can't log in and get certificate error. It is hard to import the internal certificate on the computers.
  What change do I need to do to the Lync certificates? Thanks

  You have a few options:
  1) You could attempt to hardcode the client so that it always connects through the edge.  This can be done through tools->options->personal->advanced->manual configuration (but you may have to hardcode the FQDN in your hosts file so it doesn't
  attempt to resolve via internal DNS).  This may not work since your firewall may not be too happy with "internal" traffic leaving and coming back through the edge.
  2) Write a script that helps automate the certificate installation and try to walk users through it.
  3) Bite the bullet and use a third party certificate on the internal servers.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• How can i use an existing vpn connection without using the option "Send all traffic over vpn connection"?

  I have been trying to get my computer (os x.7) to astablish a remote desktop connection to my work computer via a vpn tunnel. In fact I have just discovered that it works fine if i select to "send all traffic over vpn connection" from the options in the advanced setup of the vpn.
  If the option is selected microsofts "Remote desktop connection for mac" works just fine. However without selecting the option it is not taking advantage of the tunnel but tries to connect as if the tunnel would not exist.
  Now the question is how do I get program to use the vpn tunnel without checking the above option?
  Thanks for any hints and pointers.

  Then can her computer be authorized to both accounts?
  Absolutely. You can authorize any given computer to up to five iTunes Store accounts.
  If purchases are made on her account, to a computer authorized to my account, can I put those songs on my iPod?
  If you connect your iPod to her computer, yes. Tracks download only to the computer from which they're purchased, regardless of which iTunes Store account is used for the purchase. Or you could copy the tracks from her computer to yours and then authorize your computer to her iTunes Store account. But that's sort of defeating the original purpose, it would seem to me.
  is it better to buy music through Amazon downloads and/or actually purchasing CDs to avoid the security features iTunes puts on its music?
  That's certainly an option. If it's an entire album I want, I buy CDs. That way I can import them at the quality I want and to whichever of my systems I want. Amazon or one of the other download stores that offer tracks as MP3 are also an option, though for me download stores are best when you just want a couple of tracks off a given CD.

• ASA 5505 VPN Connection Issue

  Good morning everyone,
  At my last position I was IT Director whose area of expertise was database and application development. All of the company's networking planning and maintainence I entrusted to my sysadmin, Salvadore. Back in 2004 we began implementing major changes in the network. Salvadore recommended SonicWALL firewalls. He did a fantastic job of securing our valuable server assets. Among the many improvements Salvadore established VPN access to the datacenter assets for mobile employees. What I remember especially well was the ease-of-use: start the VPN Client then RDP to a server or connect with SQL Server, in addition to connecting to all devices on my home network. It was absolutely beautiful!
  Fast forward to today. I have since retired. I do a little bit of daytrading on the side for entertainment. I leased a dedicated server to run an application that runs continuously 24 hours a day, 5 days a week. I contacted Salvadore to do a security audit on the server. As expected the server was under constant assault by bots trying to hack the RDP port. Salvadore recommended a firewall. The datacenter host offered us two choices of Cisco firewalls, one of which we chose: ASA 5505.
  Today I have a secure server which pleases me. The one thing that bothers me however is that I lose access to my home network devices while the VPN Client is connected. Here are the symptoms:
  I cannot send an email with Outlook as I normally do by relaying off of my Internet provider's SMTP server.
  I cannot connect to the TradeStation servers with my TradeStation application using login credentials that are authorized for my home network only.
  I cannot access my Seagate network storage drive.
  This is what I discovered:
  My wireless adapter (which I use from this laptop) identifies itself as "Wireless LAN adapter Wireless Network Connection" in IPCONFIG. IPv4 address is 192.168.0.5. Default Gateway: 192.168.0.1.
  After I connect the VPN Client, IPCONFIG reports a new adapter: "Ethernet adapter Local Area Connection 2". IPv4 address is 10.0.10.4. Default Gateway: 10.0.10.1.
  When I launch Windows Task Manager and click on the Networking tab, I see those two adapters.
  When launch IE and go to bandwidthplace.com to run a test, I see all of the network traffic going over "Ethernet adapter Local Area Connection 2".
  When I disconnect VPN and then rerun the bandwidth test, I see that all of the network traffic now goes over "Wireless LAN adapter Wireless Network Connection".
  This explains all of the symptoms:
  My Internet Provider will only allow me to relay off of their email servers if I am connected to their network.
  TradeStation refuses connection to their network because my credentials do not match my network address.
  There is no Seagate network storage device on the remote server network.
  My questions to the Cisco Support Community are:
  Is this the best I can hope for?
  Must all traffic be routed through the VPN connection?
  Is there any way to route traffic destined for 10.0.*.* through VPN and everything else through the default connection?
  Thank you everyone for your help. I would be happy to provide additional detailed information.

  Hi Brian,
  you can route traffic destined to 10.0.*.* over the VPN and keep normal internet traffic unencrypted over the default connection - this setup is known as VPN Split Tunnelling.
  This doc shows how to setup the access control list and apply this to the tunnel policy.
  Hope this helps
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

• VPN License question on 5505 ASA Firewall

  Inherited a firewall project, it's getting a VPN running on a ASA 5505 Firewall for remote workers.  Firewall was configured by someone else who isn't available. 
  Basic question on the License: The current license is good for 2 SSL VPN Peers, and 20 "Total VPN Peers".  Can anyone elaborate on "Total VPN Peers"?  Can I configure Clientless SSL VPN connections, or do I need to go IPSec to get the 20 VPN sessions?
  Thank you in advance,
  Jeff

  Hi Linda,
  The default IKE SA lifetime is 86,400 seconds and the default IPSEC SA lifetime is 28,800 seconds. However, these values are configurable so you'll need to check your 5505 configuration to answer these questions. You can look at the output of 'show run crypto' to see the configured values.
  -Mike

• Yet Another ASA VPN Licensing Question :)

  I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
  1.  Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?  
  2.  Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
  Thanks!

  It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
  Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
  If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

• ASA VPN client question

  Hello.
  I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
  The connection with the Easy VPN server is OK but I cannot more connect to internet and create VPN connections to my ASA5505 when I enable the feature.
  Is this a normal condition with Easy VPN Client enabled?

  u need to do split tunneling on ur vpn server and apply it to the vpn client config on the vpn server that encypt only traffic destined to the server side pravite network
  lets say the private network behind the vpn server is 192.168.1.0/24
  so make a standard ACL
  access-list split standard permit 192.168.1.0 255.255.255.0
  group-policy [ur grop policy name] attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  then when u connect from the easy client only traffic to 192.168.1.0 will go through the tunnel other traffic will not be part of encrypted traffic
  good luck
  Rate if helpful

• ASA 5505 vpn connection issues

  Hello I am having some issues with getting my vpn connection working on a new site. I get no internet connection when hooking up the asa. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appriciated, I am not very experanced in coniguring the devices.
  hostname ciscoasa
  domain-name .com
  enable password w3iW.W8jLtqmhFnt encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 72.xxx.xx.xx 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
   domain-name .com
  access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.2
  55.255.0
  access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255
  .255.0
  access-list OUTSIDEACL extended permit icmp any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/flash
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONATACL
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDEACL in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 10.10.10.1 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 13 match address VPNACL
  crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
  crypto map VPNMAP 13 set transform-set ESPDESMD5
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 13
   authentication pre-share
   encryption des
   hash md5
   group 2
   lifetime 86400
  telnet 10.10.10.0 255.255.255.0 inside
  telnet 192.1.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.1.1.6 192.1.1.4
  dhcpd wins 192.1.1.6 192.1.1.4
  dhcpd ping_timeout 750
  dhcpd domain .com
  dhcpd auto_config outside
  dhcpd address 10.10.10.10-10.10.10.40 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 76.xxx.xxx.xx type ipsec-l2l
  tunnel-group 76.xxx.xxx.xx ipsec-attributes
   pre-shared-key *
  tunnel-group 68.xx.xxx.xxx type ipsec-l2l
  tunnel-group 68.xx.xxx.xxx ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:229af8a14b475d91b876176163124158
  : end
  ciscoasa(config)#reciated

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio