Netgear FVS336G VPN Firewall and BT HH3
I am trying to put the FVS336G into my home network directly after the HH3 and before a netgear 16port switch. The 200+ pages netgear ref manual is not paticularly helpful and from what I have read/+online I can only have one DHCP Server on the network, currently that is the HH3. Can I disable DHCP Server on the HH3 and I assume bridge it to the FVS336G? I would like the FVS336G to act as the DHCP Server in the network and use the HH3 just as an ADSL Modem. Or do I dispense with the HH3 and just get a cheap ADSL modem? I purchased the FVS336G so that I could secure my network down better and use the VPN/SSL tunnelling to allow me to access my NAS when I am away from home on business.
Any advice on putting a physical VPN Firewall router into the network would be appreciated.
PPPoA is used for ADSL connections, and PPPoE is used for Infinity connections.
If you used a separate ADSL modem to do the authentication, then authentication would not be needed on the Netgear, as the PPP session would already be up, however it would be a waste of money if you moved to Infinity.
Meanwhile, you can still use the Netgear as an additional wireless access point if you want.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
Similar Messages
-
Adding NetGear Prosafe 8-port Gigabit VPN Firewall to existing TimeCapsule Network
I need some help and direction with this one...
What I currently have setup and what I am doing on a day to day is as follows;
Cox Cable Broadband > ISP Cable Model > Time Capsule >Airport Express v1 + Airport Express v2 (Both extending wireless). I have a Dell/Windows Server setup as a Media Server and also have it setup to accept VPN connection as well. I remote into my network quite a bit as well as VPN into it quite a bit, I RDP into the Dell Server as well as an iMAC and MacBook Pro from time to time. I have PS3, Xbox360, Apple TV 1stG and 2ndG, 2011iMac, 2011MacBookPro, iPAD3 and various other wireless clients. I would really like to add as much security as I possibly can and thought adding a Hardware firewall would be a good step.
So I Purchased a NetGear ProSafe 8-port Gigabit VPN Firewall that I would install on my network and have everything behind that. The problem is I have no idea how to set it up for the best protection and performance. Only thing I found online is putting it behind my TC which would then leave my Wireless Clients outside the Firewall? I'm usually pretty good with this stuff, but this time I'm just completely confused and not even sure if I need this or if it's completely useles. I do like the TimeCapsule also running 2 Airport Express (v1 & v2) to extend my wireless network, but I'm not sure if it's as secure as it could be.
If this was a good step buying a hardware firewall and from what I've read the model I bought (FVS318G) is pretty good, it's also solving a problem I have had with my network is needed Ethernet access. Time Capsule only has 3 ports so I figured this would also solve the lack of Ethernet ports as well.
I'm thinking I would go from Modem > NetGear(DHCP Enabled) > Time Capsule (Somehow turn DHCP/Router off) > all my network clients.
Can Anyone offer advice?? How I should configure this? Is it pointless? Return the Netgear Firewall? Buy a different hardware firewall???
*BTW* I have software security covered, just want to add hardware as well.
Any help/suggestions would be extremely helpful!
Thank you!I am not sure who made the suggestion for the vpn router to be behind the TC.. they do that sometimes for connection to vpn for downloading TV shows etc.. but your proposed network layout is correct.
I'm thinking I would go from Modem > NetGear(DHCP Enabled) > Time Capsule (Somehow turn DHCP/Router off) > all my network clients.
All correct.. The Netgear has to be the one and only router.. otherwise the VPN will not give you access to the rest of the network behind the NAT.
So easy peasy.. bridge the TC.. use the 5.6 utility if LIon.. you will need to download and install it..
http://support.apple.com/kb/DL1482
Lion v6 is a toy..
Go to manual setup, internet tab. Connection sharing.. off, bridge mode. update the TC.. voila you are done.
You should probably reboot the whole network. As the expresses will need to now get IP from the netgear not the TC. Tell us if you run into trouble, but everything should work, although it may require a reset and redo setup of the TC and express to get everything smooth again.
Next issue.. hardware and software firewalls.. sometimes produces the great wall of china.. very secure... oh so secure nothing gets in.. or out. I do not know the Netgear.. but I would start with whatever the lowest preset is for the firewall. And see if you have issues.
And of course then do the vpn setup.. which is a lot of fun.. (read strong sarcasm). But once you establish the tunnel should then give you access to the whole network.. you will not need to use RDP unless you need to actually take over a computer.
VPN firewall is the RIGHT WAY.. albeit it can be painful in the initial stages. -
Strange issue with 3.6.3 VPN Client and IOS firewall
I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
Router is running 12.2(13)T.
Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
You Cisco gurus have any thoughts?
Thanks,
Jamey
Config below:
jamey#wr t
Building configuration...
Current configuration : 3947 bytes
! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname "jamey"
no logging buffered
no logging console
username XXXX password 7 XXXXX
clock timezone GMT 0
aaa new-model
aaa authentication login tac local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name firewall http java-list 3
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group XXXX
key XXXXXXX
dns x.x.x.x
domain xxx.com
pool ipsec-pool
acl 191
crypto ipsec security-association lifetime kilobytes 536870911
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set foxset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set foxset
crypto map clientmap client authentication list tac
crypto map clientmap isakmp authorization list XXXXX
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback10
description just for test purposes
ip address 172.16.45.1 255.255.255.0
interface Ethernet0/0
description "Internet"
ip address x.x.x.x 255.255.255.224
ip access-group 103 in
ip inspect myfw out
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
interface Ethernet0/1
description "LAN"
ip address 192.168.45.89 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
ip local pool ipsec-pool 192.168.100.1 192.168.100.254
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no logging trap
access-list 3 permit any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
access-list 103 permit icmp any any log
access-list 103 permit udp any eq isakmp any log
access-list 103 permit esp any any log
access-list 103 permit ahp any any log
access-list 103 permit udp any any eq non500-isakmp log
access-list 103 permit tcp any any eq 1723 log
access-list 103 permit udp any any eq 1723 log
access-list 103 deny tcp any any log
access-list 103 deny udp any any log
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
radius-server authorization permit missing Service-Type
call rsvp-sync
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password XXXXXX
line vty 5 15
end
Some debugging info:
At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
.Jan 22 01:27:38.284: ICMP type=8, code=0
.Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
et0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:38.288: ICMP type=0, code=0
.Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
40, access denied
.Jan 22 01:27:38.637: UDP src=2301, dst=2301
.Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
40, rcvd 2
.Jan 22 01:27:38.641: UDP src=2301, dst=2301
.Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
rcvd 4
.Jan 22 01:27:38.765: ICMP type=8, code=0
.Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
len 60, sending
.Jan 22 01:27:38.765: ICMP type=0, code=0
.Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
et0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:39.286: ICMP type=8, code=0
.Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
et0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:39.290: ICMP type=0, code=0
.Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
rcvd 4
.Jan 22 01:27:39.767: ICMP type=8, code=0
.Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
len 60, sending
.Jan 22 01:27:39.767: ICMP type=0, code=0
.Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
et0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:40.287: ICMP type=8, code=0
.Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
et0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:40.291: ICMP type=0, code=0
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
from a host on the internal side (LAN) (192.168.45.1)
.Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
g=2.2.2.2, len 44, forward
.Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
SYN
.Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
here is where by VPN connection breaks
.Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
.Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
.Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
.Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
et0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
checkOk..I found the bug ID for this:
CSCdz46552
the workaround says to configure an ACL on the dynamic ACL.
I don't understand what that means.
I found this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
and they talk about it, but I'm having a hard time decoding what this means:
"To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets." -
Reliable working combination of VPN client and Sidewinder firewall?
My work's I.T. Dept has deployed a "Sidewinder" VPN firewall with certs at our workplace. All works well with our many remote Windoze clients. The Windoze clients are using a "Greenbow" VPN client.
They (the I.T. Dept.) were never able to get the built-in OS X VPN client to work with the Sidewinder VPN firewall at all. I don't really have any details of what they tried or why it didn't work and they aren't exactly the friendliest types to us Mac users in the organization so I probably won't be getting any further details in that regard.
They (the I.T. Dept.) did get VPN Tracker Player v6.2 client to work on the remote Mac clients -- sort of -- but it consistently fails after roughly ten minutes of connection time at IKE renegotiation. They purportedly had a trouble ticket open with, and were working with, Equinux to try to resolve the issue, but after spending a certain amount of time on it, they basically told us Mac users in the organization that they had already spent way too much time on trying to make the Mac VPN client work, so they weren't going to be doing anything further with it, so too bad, so sad for us. And they've got 100% Director support backing up their decision.
So, the question du jour is, is anyone out there using a VPN client on a Mac and reliably connecting through a "Sidewinder" VPN firewall/server with certs (i.e., no dropped connections after about ten minutes or thereabouts), and if so, what VPN client are using and how did you/do you have it configured?
Thanks(first and last) bump
-
Hello,
I am trying to get VPN connection from iPhone and iPad(3G). I have tested Linksys (Cisco) RV042 -router. But I was told by Cisco that RV042 does not support connection from iPhone...
So, I would like to ask which VPN/Firewall devices you have used succesfully with iPhone or iPad?
Message was edited by: SarnikorpiThey will be like any other exam, three years valid towards any eligible path.
-
Would like to configure the VPN firewall with my existing system. I have Verizon DSL which involves the DSL modem and the Firewall. I have the IP addresses of each. How would I determine an appropriate IP address for the firewall. Should the device be physically connected between the DSL modem and the router? Advice sought
The router has it's own firewall I would turn the firewall in the modem off or at very least put your computer in the DMZ of the modem so that it's firewall doesn't affect you. By default the router is already set to allow VPN connections using IPsec PPTP and L2TP Protocols. @ this point your router will still act as your firewall and you will be able to access VPN.
Vista Ultimate 32 Bit
AMD 64 X2 6400+ Black Edition
4BG RAM
1.18 Terabytes Of Hard Drive Space
Acer 22inch Widescreen LCD
Nvidia 8600 GT PCI E 512 DDR3
WRT54G Router
Netgear Gigabit Switch
Motorola 2210 Modem -
Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication
Hi Community.
I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
What do you think?Hi,
Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
- Jouni -
Cisco ASA 5505, Cisco VPN Client and Novell Netware
Hi,
Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.
-
ASA 5505 site-to-site VPN tunnel and client VPN sessions
Hello all
I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z). His satellite office will have a single PC sitting behind the ASA. In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
The first question I have is about the ASA 5505 and the various licensing options. I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A. Would someone please confirm or deny that for me?
Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules? Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
Thanks in advance for any assistance provided!First question:
Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
Second question:
Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
Last question:
This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
Here is what needs to be configured:
1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
2) On site A configures: same-security-traffic permit intra-interface
3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
On Site Z:
access-list permit ip
On Site A:
access-list permit ip
4) NAT exemption on site Z needs to include vpn client pool subnet as well.
Hope that helps.
Message was edited by: Jennifer Halim -
WRT54G - Is there anyway to add a separate VPN/Firewall device to complement this product
I have a WRT54G v.2 device and I hate to throw it out. My dilemma is that I'm in need of a VPN/Firewall device as well. So I would like to know if there is a device that I can purchase from Linksys that will provide the VPN/Firewall features as a complement to my existing WRT54G? I'd appreciate any info someone might be able to provide.
Regards.Hi,
you have options between the RV series of VPN routers and the BEFSX41 and the BEFVP41.however you will have to change your network a bit.Your main router will have to be either of the VPN routers.The DHCP of the wrt will have to be disabled and you will also need to change the ip of the wrt from 192.168.1.1 to 1962.168.1.2
The connection will be.modem to internet port of the VPN router and then from port 1 of the VPN router to port 1 on the wrt.Do not use the internet ports of the wrt. -
IChat NetGear on/off: -8 and abrupt disconnect
iChat worked flawlessly until NetGear was installed. I have worked with local techies and NetGear techies in India, and THOUGHT two problems (Error -8 and failure to connect with the immediate message that AIM was suddenly disconnected) were solved when I reverted NetGear to Factory Default Settings and then followed the steps to add the necessary iChat ports to chat with the Mac OS X Firewall active. iChat works great now ... sometimes. I never know when I click on it if I am going to have active iChat or abrupt disconnect or Error -8.
Anybody know why iChat is on/off in seeming random order?
Reverting to either port 443 or 5191 instead of 5190 has no effect at all. Those WERE my emergency fall backs when I could connect no other way. Now they don't work. It's either all or nothing! Suggestions?
PowerPC G4 Mac OS X (10.4.7)Try another router.
Here in the US and with respect to iChat, I prefer Buffalo Technology and Linksys routers and avoid Belkin, Netgear, D-Link, and MIMO or pre-N routers. -
Q about vpn (mullvad) and openresolv
I am behind a NAT 192.168.0.0/24. The router doing NAT is also forwarding DNS requests to my ISP, thus the clients on the local network has 192.168.0.1 as its DNS server. I have set up mullvad VPN om my arch laptop per instructions in https://wiki.archlinux.org/index.php/Mullvad
There is only one thing bothering me. When I run the script to start the vpn service, update-resolv-conf is called and updates /etc/resolv.conf. However, the DNS server the VPN provider provides is only added to resolv.conf.
# generated by resolvconf
nameserver 10.X.X.1
nameserver 192.168.0.1 <---- why is this still here?!
I would like resolvconf to replace the nameserver instead (to prevent DNS leaks). I have tried to understand the relevant scripts and played around with openresolv options, without luck. Would be greatful for pointers in the right direction.
EDIT: i realise this is quick-fixable with an edit to /etc/openvpn/update-resolv-conf, for example the following in the end of the case up) part
sed -i '/192\.168/d' /etc/resolv.conf
but there should be a cleaner way of doing this
Last edited by raptorjesus (2015-06-02 16:31:02)Hi,
Cant really comment regardning the 4G
For L2L VPN between the different branches the basic requirement would be to have a static public IP address that you can configure on a device doing the L2L VPN in each branch office.
If the public IP address of the VPN device is Dynamic, it will require a bit more planning and configuring depending if you are going to use routers or firewalls.
Are you planning on using Cisco ASA/PIX firewalls perhaps on the branches or do they already have some devices you were planning on using?
Using one central Cisco ASA firewall and perhaps ASA5505 at the remote side would give you a chance to rather easily connect all the 3 sites (through the central ASA) without needing Static Public IP addresses at the smaller branches.
- Jouni -
Difference between Firewall and Router
I can do VPN remote access configuration by using cisco firewall also I can do it using the cisco router by using the SDM program so what is the benefits from using the firewall or all of them are the same?
I mean it's recommended to use the firewill? if yes, why ?Answer-
1) WE can make Security-Level on Firewall,but router can't
2) We can make firewall in multiple context(Virtual Firewall) but router can't
3) We can create SSL VPN on Firewall,but router can't
4) Whenever a packet inspected by Firewall and another packet comes with same contents then firewall didn't check that packet,
but router checks all packets.(show connections)
5) Firewall works as L2 and L3 both, but router only on L3.
6) Firewall inspects packets on L3 to L7 but router works on L3.
7) Firewall have Failover,router can't
8) Whenever we take trace,then firewall cannot comes on picture,but router always shows as a Hop Count. -
Site-Site VPN PIX501 and CISCO Router
Hello Experts,
I'm having a test lab at home, I configure a site-to-site vpn using Cisco PIX501 and CISCO2691 router, for the configurations i just some links on the internet because my background on VPN configuration is not too well, for the routers configuration i follow this link:
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
and for the pIX configuration I just use the VPN wizard of pix. Done all the confgurations but ping is unsuccessful. Hope you can help me with this, don't know what needs to be done here (Troubleshooting).
Attached here is my router's configuration, topology as well as the pix configuration. Hope you can help me w/ this. Thanks in advance.YES! IT FINALLY WORKS NOW! Here's the updated running-config
: Saved
PIX Version 7.2(2)
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R9
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa session-id common
resource policy
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name aida.com
ip ssh version 2
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
end -
Help with cisco 837 VPN firewall configuration
Hi guys,
I attempted to configure remote access VPN using cisco 837.IPSEC and firewall features were added already.However, the VPN client keeps saying "remote peer no longer responding".
Upon removing firewall and ACLs, VPN client works. Therefore, I believe these two parts went wrong. Could you please take a look on my config below and see what is going on. On the other hand, when i issue the same config to cisco 827, it does not work. My question is whether cisco 827 IOS 12.1(3)support IPSEC.
Any help would be highly appreciated.This document demonstrates how to configure a connection between a router and the Cisco VPN Client 4.x using Remote Authentication Dial-In User Service (RADIUS) for user authentication. Cisco IOS? Software Releases 12.2(8)T and later support connections from Cisco VPN Client 3.x. The VPN Clients 3.x and 4.x use Diffie Hellman (DH) group 2 policy. The isakmp policy # group 2 command enables the VPN Clients to connect.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml
Maybe you are looking for
-
I installed the new Mavericks update on my MacBook Pro when it was released and offered free of charge. After that my computer started crashing on a regular basis, upon the realization that my warranty was due to expire at the end of the year I took
-
One of my users with Acrobat 8 Standard is having issues with color pdfs. The pdfs are drawings and when I open them, I see all the colors of what the original was. However, when he opens the same pdf, it only shows in black and white. This is happen
-
How can I completely delete an app, so it won't even be listed in the app store under purchased items? And I will stop being prompted to make updates even though I've removed it from my iPad?
-
My CD drive isn't working anymore
Hi to all. I've had my Macbook pro for about...4 or 5 years now. I'm trying to copy some music from CD's i recently bought but for some reason my CD-Rom drive just keeps spitting CD's out. I put the CD in, and it spits it right back out without it ev
-
Multiple Music Files in Slideshow
I have a long slideshow (300+ pictures), and am trying to play multiple songs in the background, but even when I select multiple iTunes songs, the first one repeats over and over. Is there a way to play consecutive selections?