One router, multiple separate dial-in VPN configs... can it be done?

I have one WAN edge (Internet) router shared by two closely related companies; one WAN port, two LAN ports. The companies have different WAN public IP addresses, which then NAT into different LAN internal addresses.
Is there any way to configure dial-in PPTP VPN with different parameters depending on the IP address the request comes in on?
(e.g. if I want to VPN to company1, I go to a certain IP address, and if I want to VPN to company2, I go to a certain different IP address.)
Basically, both companies want people to VPN in (using the standard Microsoft VPN client), but authentication will be done with different RADIUS (IAS) servers and the VPN clients will need to get their IP addresses from different pools.
Is this possible?
Is it possible if I use a different VPN client (e.g. the Cisco VPN client)?
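For the two-company case in the question, an added IOS configuration example (it is not from the original thread and not from the reply below): two PPTP tunnel servers on one router, selected by the public address the client connects to, each with its own RADIUS server group, address pool and Virtual-Template, and an inbound ACL on each Virtual-Template so company1's remote users cannot reach company2's LAN. All addresses, interface names and secrets are placeholders. The one real assumption is that the router hands an incoming PPTP connection to the vpdn-group whose source-ip matches the local address the connection arrived on; confirm that on your IOS release with `show vpdn tunnel` before relying on it. The router must already own both public addresses (for example as primary and secondary addresses on the WAN interface) and any inbound ACL must permit TCP/1723 and GRE (IP protocol 47) to both. Security caveat: PPTP with MS-CHAPv2 and MPPE is no longer considered secure (the MS-CHAPv2 exchange can be broken offline from a captured handshake), so treat this as documentation of a legacy setup; an IPsec or SSL VPN with the same per-company split is the current replacement.

```cisco
! Added example (not the original poster's config). Placeholders: public IPs
! 198.51.100.1 (company1) and 198.51.100.2 (company2), RADIUS/IAS servers
! 10.1.0.10 and 10.2.0.10, inside interfaces Gi0/1 (10.1.0.0/16) and
! Gi0/2 (10.2.0.0/16).
aaa new-model
!
! One RADIUS server group per company, each with its own shared secret.
radius-server host 10.1.0.10 auth-port 1812 acct-port 1813 key CO1-radius-secret
radius-server host 10.2.0.10 auth-port 1812 acct-port 1813 key CO2-radius-secret
aaa group server radius RADIUS-CO1
 server 10.1.0.10 auth-port 1812 acct-port 1813
aaa group server radius RADIUS-CO2
 server 10.2.0.10 auth-port 1812 acct-port 1813
!
! Named PPP authentication lists, so each Virtual-Template can use its own group.
aaa authentication ppp PPP-CO1 group RADIUS-CO1
aaa authentication ppp PPP-CO2 group RADIUS-CO2
!
! Separate client address pools.
ip local pool POOL-CO1 10.1.200.1 10.1.200.50
ip local pool POOL-CO2 10.2.200.1 10.2.200.50
!
! Keep each company's VPN users out of the other company's LAN.
ip access-list extended VPN-CO1-IN
 deny   ip any 10.2.0.0 0.0.255.255
 permit ip any any
ip access-list extended VPN-CO2-IN
 deny   ip any 10.1.0.0 0.0.255.255
 permit ip any any
!
vpdn enable
!
! Two PPTP tunnel servers. source-ip is the local tunnel address; the
! assumption is that a PPTP connection to 198.51.100.1 lands in CO1 and
! one to 198.51.100.2 in CO2.
vpdn-group CO1
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip 198.51.100.1
!
vpdn-group CO2
 accept-dialin
  protocol pptp
  virtual-template 2
 source-ip 198.51.100.2
!
! Each Virtual-Template carries its own authentication list, pool and ACL,
! and requires MPPE (which in turn requires MS-CHAP or MS-CHAPv2).
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip access-group VPN-CO1-IN in
 peer default ip address pool POOL-CO1
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 PPP-CO1
!
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/2
 ip access-group VPN-CO2-IN in
 peer default ip address pool POOL-CO2
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 PPP-CO2
```

Test it by connecting the Microsoft client once to each public address and checking `show vpdn session` and `show ip local pool`: the session should appear under the expected vpdn-group, with an address from that company's pool, and the RADIUS request should show up only on that company's IAS server.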

You can use the IOS feature reliable static route using object tracking to detect the Metro trunk failure and force the ISDN backup to take over the routing using a floating static route.
Check out this link for more information and configuration steps.
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
HTH
Sundar
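The feature the reply names, as an added configuration example (not the poster's own config and not from the linked guide): an IP SLA probe, a track object, a tracked primary default route and a floating static route to an ISDN dialer. Interface names and the provider next hop 203.0.113.1 are placeholders. The command names below are the 12.4(20)T-and-later forms (`ip sla`, `track ... ip sla`); the 12.3 release covered by the linked guide spells them `rtr` and `track ... rtr` instead.

```cisco
! Added example (not the original poster's config). Placeholders: metro trunk
! on GigabitEthernet0/0 with provider next hop 203.0.113.1; ISDN backup on
! Dialer1, which dials on traffic matching its dialer-list.
!
! Probe the provider's directly connected next hop over the primary path.
! Probing the next hop rather than a distant address matters: a probe to a
! distant target follows the routing table, would succeed over the ISDN
! backup once the primary route is gone, bring the track back up, reinstall
! the primary route, and flap.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object bound to the probe; the delays dampen short blips so one
! lost echo does not trigger an ISDN call.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route stays in the routing table only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Floating static route: administrative distance 250 keeps it out of the
! table until the tracked route is withdrawn. Interesting traffic (see the
! dialer-list on the ISDN router) then triggers the call.
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
! Verification:
!   show track 1
!   show ip sla statistics 1
!   show ip route 0.0.0.0
```

To test, shut the metro interface (or filter the probe) and watch `show track 1` go down after the 10-second delay and `show ip route` switch the default to Dialer1; restore it and confirm the primary route returns only after the 30-second up delay.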

Similar Messages

  • Converting a BEFW11S4 V.2 router to a wireless access point. Can it be done?

    I recently upgraded my home wireless router to an N device.  Now, I'd like to use my old B wireless router as an access point to improve coverage on my property.  I'd like to place it in a location in my house too distant from the N router to connect it with a cable.  Any way to configure the old B router as a wireless access point?
    Thanks for any help you can give me.
    Dave

    Yes, you can certainly configure the router as an AP. Follow the steps below:
    1) Connect the B-router's port 1 to one of the LAN ports of the N-router.
    2) Access the B-router's web UI using its IP address.
    3) Configure the wireless settings. In case you want to make a roaming wireless network, the wireless settings on both routers should be the same.
    4) If the IP address of the N-router is 192.168.1.1, then change the IP address of the B-router to 192.168.1.2 and disable its DHCP server.

  • Can we write more than one routing rule in a RS?

    Can we write more than one routing rule in a RS?

    You can specify multiple routing rules for a single operation of a routing service. If no filter is applied, they are all executed. For routing rules with filters, only the target operations for which the filter condition holds are invoked. Priority is based on the order in which they appear in the routing rules window.
    Ronald

  • Using 2 drives as one volume,can it be done?

    I have 2 solid state drives that I would like to use as one volume. How do I do it, or can it be done?

    What is the manufacturer/model of your motherboard/pc?
    If the motherboard has a RAID controller, or if this is a desktop and you are willing to purchase an add-in controller, you could create a RAID 0 volume that will most likely be significantly faster than using a single SSD. Most RAID controllers also provide a JBOD function for creating spanned volumes. See:
    http://en.wikipedia.org/wiki/RAID
    http://en.wikipedia.org/wiki/Non-RAID_drive_architectures#JBOD
    Windows also includes its own software for the creation of software RAID and spanned volumes - see
    http://www.howtogeek.com/howto/36504/how-to-create-a-software-raid-array-in-windows-7/
    Common advice is that you are twice as likely to lose data by using, for example, a RAID 0 array. Does this mean that if you only use single disks you do not need a backup strategy?
    No, it does not. And with a decent backup strategy, data loss in the case of drive failure will be minimal.
    In more than ten years of using RAID 0 in my personal PCs, I have had one drive failure. It happened after I rather clumsily snapped the SATA connector off the disk. But I superglued it back on and amazingly, it worked perfectly for another three years. Impact when it failed again (I was/am still ready) - zero.

  • Multiple ISDN dialer stops routing

    Hi,
    I have a 1721 with the BRI WICs.
    The router is used for remote control of a series of (20 different) sites, which call back for security reasons.
    It happens that after a while (two hours of operation), when I ping a site, the router starts dialing but routing never occurs, and after some more time, if I ping, the router does not dial, even if debugging shows interesting traffic.
    This is a sample of the configuration:
    hostname myhost
    username Site1 password Site1
    username Site2 password Site2
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip domain lookup
    no ip cef
    ip audit po max-events 100
    no ftp-server write-enable
    isdn switch-type basic-net3
    interface BRI0
     bandwidth 128
     no ip address
     encapsulation ppp
     dialer pool-member 1
     isdn switch-type basic-net3
     no cdp enable
     ppp multilink
    interface BRI1
     bandwidth 128
     no ip address
     encapsulation ppp
     dialer pool-member 1
     isdn switch-type basic-net3
     no cdp enable
     ppp multilink
    interface FastEthernet0
     ip address 10.0.0.1 255.255.255.0
     speed 100
     full-duplex
     no cdp enable
    interface Dialer1
     bandwidth 128
     ip address 172.16.1.253 255.255.255.252
     encapsulation ppp
     dialer pool 1
     dialer remote-name Site1
     dialer idle-timeout 30
     dialer string 0XXXXXXX
     dialer caller XXXXXXX
     dialer load-threshold 1 either
     dialer-group 1
     no cdp enable
     ppp multilink
    The other dialers are similar, then:
    ip classless
    ip route 192.168.1.0 255.255.255.0 Dialer1
    access-list 100 deny 53 any any
    access-list 100 deny 55 any any
    access-list 100 deny 77 any any
    access-list 100 deny pim any any
    access-list 100 deny udp any eq netbios-dgm any
    access-list 100 deny udp any eq netbios-ns any
    access-list 100 deny udp any eq netbios-ss any
    access-list 100 permit ip any any
    dialer-list 1 protocol ip list 100
    What's wrong with this???
    Help please!
    Thanks in advance

    I'll try to remove the multilinks and I'll tell you what happens. Anyway, shouldn't the bandwidth 128 command allow one remote site to connect to the main site using a maximum of 2 B-channels?
    This is the dialer on the remote site that handles the connection with the main site.
    interface Dialer99
     ip address
     encapsulation ppp
     dialer pool 1
     dialer remote-name myremote
     dialer idle-timeout 30
     dialer string 0XXXXXXXXX
     dialer string 0YYYYYYYYY
     dialer caller XXXXXXXXX callback
     dialer caller YYYYYYYYY callback
     dialer-group 1
     no cdp enable
     ppp authentication chap
     ppp multilink
    The dialer string 0YYYYYYYYY means that the dialer string has a leading zero, as per the Italian numbering plan, while the caller ID does not. This is the reason why the dialer string has a leading zero and dialer caller doesn't.
    Ciao

  • Webvpn GW's on one router with domain names

    Hi,
    I'm trying to configure multiple WebVPN gateways on one router using one front door VRF and multiple back door VRF's. Think of this like a cloud service provider with several customers using different VRFs and one Internet VRF used for the incoming connections for the remote users.
    Doing so, several scenarios arise:
    Using one gateway and several contexts with a separate VRF for each.
    Please let me know if I am wrong here:
    I can only assign one trustpoint because I only have one gateway. This means that all users connecting can only use one domain name like "*.isp.com". This also implies the use of a wildcard certificate.
    Using several gateways and several contexts with a separate VRF for each.
    I can only assign multiple trustpoints because I only have one gateway. This means that users connecting can use multiple domains name like "webvpn.clientA.com" and "webvpn.clientB.com".
    I would prefer the first situation but then I run into a second problem:
    There are several commands related to hostname and up till now I have not figured out which one does exactly what:
    ROUTER(config)#webvpn gateway WEB_GW
    ROUTER(config-webvpn-gateway)#hostname
    ROUTER(config)#webvpn context CUST1_CT
    ROUTER(config-webvpn-context)#gateway WEB_GW domain
    ROUTER(config-webvpn-context)#gateway WEB_GW virtual-host
    Is there anyone who can explain to me what exactly does what?
    My personal guess is that I only need to configure the virtual-host like this: "CUST1_CT -> virtual-host cust1.isp.com and CUST2_CT -> virtual-host cust2.isp.com". But I'm not sure about this and up till now I have not found any documentation that describes this very clearly.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
    If you can use BGP, this link will help you in load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH

  • Multiple site-to-site VPNs on same ASA

    I need to set up an IPSEC tunnel to let a vendor at a remote site print to a printer on my network.  I am planning to use an ASA 5520 to do this.  The architecture is pretty simple:
    [Remote computer] -- [Remote FW] --<VPN Tunnel>-- [Local FW] -- [Local Routing] -- [Printer]
    The caveat is that there will eventually be more than one vendor needing to do this. Each will have a different destination, but that means there will be more than one VPN connection to the ASA at my end. It looks like the ASA 5520 can support more than one site-to-site VPN, but will I need to assign a different endpoint IP address to each tunnel?
    I searched and didn't find a design guide for multiple site-to-site VPNs.  If one exists I'd appreciate a pointer.
    Stephen

    You can do multiple site-to-site VPN tunnels.  Typically, you would have a crypto map applied to the internet facing interface.  Each crypto map entry has a sequence number. You would simply create all of the necessary configuration (tunnel-group for the remote peer IP, ACL to define interesting traffic, etc.) and increment the crypto map entry.
    Example:
    crypto map outside_map 1 match address s2s-VPN-1
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 1.2.3.4
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 ipsec-attributes
     ikev1 pre-shared-key SomeSecureKey$
    crypto map outside_map 2 match address s2s-VPN-2
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 4.5.6.7
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    tunnel-group 4.5.6.7 type ipsec-l2l
    tunnel-group 4.5.6.7 ipsec-attributes
     ikev1 pre-shared-key SomeSecureKey2$
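The pieces the reply's crypto map entries reference but do not show, as an added example (not part of the reply above): the interesting-traffic ACLs, the NAT exemption, binding the map to the interface, and an inbound ACL that limits each vendor to its printer's print port rather than the whole host. Printer and vendor addresses are placeholders; the peers 1.2.3.4 and 4.5.6.7 and ACL names are the reply's. The syntax is the ASA 8.4-and-later form (`set ikev1 transform-set`, object NAT), matching the `ikev1 pre-shared-key` lines in the reply; 3DES, which the reply's transform set name implies, should be replaced with AES as below.

```cisco
! Added example (not from the reply above). Placeholders: inside printers
! 192.168.50.10 and 192.168.60.10, vendor hosts 10.200.1.10 and 10.201.1.10.
!
! Interesting traffic, one ACL per tunnel, written from the ASA's point of
! view (local host first). Keep these host-to-host: a /16 here would let a
! vendor's whole site reach yours.
access-list s2s-VPN-1 extended permit ip host 192.168.50.10 host 10.200.1.10
access-list s2s-VPN-2 extended permit ip host 192.168.60.10 host 10.201.1.10
!
! NAT exemption so tunnel traffic is not translated.
object network PRINTER-1
 host 192.168.50.10
object network VENDOR-1-HOST
 host 10.200.1.10
object network PRINTER-2
 host 192.168.60.10
object network VENDOR-2-HOST
 host 10.201.1.10
nat (inside,outside) source static PRINTER-1 PRINTER-1 destination static VENDOR-1-HOST VENDOR-1-HOST no-proxy-arp route-lookup
nat (inside,outside) source static PRINTER-2 PRINTER-2 destination static VENDOR-2-HOST VENDOR-2-HOST no-proxy-arp route-lookup
!
! AES instead of the 3DES transform set named in the reply; both map entries
! can share it.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 2 set ikev1 transform-set ESP-AES256-SHA
!
! One map, bound once to the outside interface, serves every entry.
crypto map outside_map interface outside
crypto ikev1 enable outside
!
! By default decrypted VPN traffic bypasses the interface ACL. Turn that off
! so the outside ACL applies, then permit only the print port per vendor.
! Note: after this, every VPN (remote access included) must be permitted by
! the interface ACLs explicitly.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp host 10.200.1.10 host 192.168.50.10 eq 9100
access-list outside_in extended permit tcp host 10.201.1.10 host 192.168.60.10 eq 9100
access-group outside_in in interface outside
!
! Verification:
!   show crypto ikev1 sa
!   show crypto ipsec sa peer 1.2.3.4
!   packet-tracer input outside tcp 10.200.1.10 40000 192.168.50.10 9100
```

The `packet-tracer` line is the useful check: it should show the packet allowed by `outside_in` and matched to crypto map entry 1, while the same trace with port 445 instead of 9100 should be dropped by the ACL even though it falls inside the tunnel's interesting traffic.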

  • Overwrite dynamic (eigrp) route when external dials into router

    Hi
    I would like to find a way to overwrite a dynamic (eigrp) route with a routing entry pointing to a dialer interface, when someone has dialed into this dialer interface.
    Does someone of you knows a way how this can be done?
    Thanks in advance and kind regards
    Mark

    Thanks for your reply.
    Until now I have heard of reverse route injection only in conjunction with setting up VPN connections, and a quick search doesn't show much. But I keep on searching.
    Maybe I should tell something more about my setup. There are 2 routers (both 2612). On the LAN side they do HSRP, and on the WAN side each of them has 2 BRI interfaces connected to a multi-line hunting group for dial-in and dial-out. On the LAN I do EIGRP, and so overwrite a static route pointing to the dialer on the second router because of an administrative distance of 200 on the static route.
    When dialing out everything works fine. But when someone dials in to the second router (which is the HSRP standby one), the routing table of this router isn't changed/updated. I had expected something like a "directly connected" event to put a new entry in the routing table pointing to the now connected dialer interface. But this does not happen.
    What I'm looking for is a way this can be done, so that there is a backward-pointing route on the HSRP standby router for the dialed-in sites.
    Is there a way to do this?
    Regards
    Mark

  • Does a Router support 2 BGP As in one router

    Does a router support 2 BGP ASes in one router? I have gone through the Cisco page below; however, my router is not allowing me to enter the second AS, it is giving the usual error "BGP is already running; AS is XX".
    http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsbgpdas.html#wp1056689
    My Router :- Cisco 3845
    IOS Version :- c3845-advipservicesk9-mz.124-24.T8.bin

    Hi,
    You cannot run multiple BGP processes on a single router with each of them being in a separate AS. What you can do, and the link in your post explains that, is that towards a particular eBGP neighbor you can use the neighbor local-as command to appear to be in a different AS than the one you really are in. So you do not start two BGP processes; you just make your single BGP process appear to use a different ASN on a particular eBGP peering.
    Best regards,
    Peter
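What the reply describes, as an added configuration example (not from the reply or the linked document): one BGP process in the router's real AS, one ordinary eBGP peering, and one peering on which `neighbor local-as` presents a different ASN. All ASNs and addresses are placeholders from the private and documentation ranges.

```cisco
! Added example (not from the reply above). Placeholders: the router really
! runs AS 65001; peer 192.0.2.1 in AS 65100 has been told we are AS 65002
! (for example, a legacy ASN kept after a merger); peer 198.51.100.1 in
! AS 65200 sees the real ASN. One BGP process, two apparent ASNs.
router bgp 65001
 bgp log-neighbor-changes
 !
 ! Ordinary eBGP peering: this neighbor sees AS 65001.
 neighbor 198.51.100.1 remote-as 65200
 !
 ! This neighbor sees AS 65002 in the OPEN message and in the AS_PATH.
 ! Without options, local-as is prepended to routes received from the peer
 ! and both 65002 and 65001 appear in paths sent to it. no-prepend drops the
 ! inbound prepend and replace-as sends only 65002 outbound, so the real ASN
 ! stays hidden from that peer, which is what a migration usually wants.
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 local-as 65002 no-prepend replace-as
!
! Verification (the per-neighbor output shows the local AS used for that peer):
!   show ip bgp neighbors 192.0.2.1
!   show ip bgp neighbors 192.0.2.1 advertised-routes
```

The second `show` command is the one to check after enabling `replace-as`: the advertised paths should begin with 65002 and not contain 65001.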

  • Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

    Hello
    I've been experimenting with moving certain on-premises servers to Azure; however, they would need a site-to-site VPN link to our many branch sites, e.g. for monitoring of nodes.
    The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISRs. However, three of our key sites use Cisco ASA devices, which are listed as 'Not Compatible' with dynamic routing.
    So I am stuck...
    What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
    I was hoping Azure's VPN solution would be very flexible.
    Thanks

    Hello RTF_Admin,
    1. Which is the Series of CISCO ASA device you are using?
    Thank you for your interest in Windows Azure. Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device, as Multi-Site VPN requires dynamic routing and unfortunately there is no tweak or workaround due to a hardware compatibility issue.
    I hope that this information is helpful
    Thanks,
    Syed Irfan Hussain

  • Can only connect one user at a time via VPN?

    Hi, long-term Mac user but new to OS X Server. Dug through the forums quite a bit but couldn't find an answer to this one - hopefully I wasn't searching with the wrong keywords.
    Installed OS X Server 10.6 on a MacBook (white, 1 generation back) at the office. Sits behind an Airport Extreme, which is connected to Comcast. Other machines at the office are NOT routed through the Server, but rather connect directly to the Airport Extreme for internet access. I've set up server.mydomainname.com to point to our Comcast address, and I am able to connect via VPN to the server without any problems, and access the server using the server.mydomainname.com address which I pointed to my Comcast IP address, as long as I check "Send all traffic over VPN connection" on my client.
    However, when I'm logged in via VPN on one computer, and then log in via VPN on another computer (with the same UID or a different one), the first one loses all connectivity through the VPN - it's as if it had been logged off.
    In Server Admin, under the Settings|Network tabs, I have Computer Name set up as "theserver", and Local Hostname as "theserver" (so I can access via theserver.private). VPN is set up to enable L2TP over IPsec, sharing ranges 10.0.1.200 thru 10.0.1.220; no load balancing, no PPTP. Client DNS servers is set to 10.0.1.29.
    Any ideas as to why I can only connect with one client at a time?

    Thanks. I didn't see anything interesting, but then again I'm not up on VPN details. Here's the scenario:
    First, I logged in as "user1", and I can use the VPN.
    Then, I logged in as "user2", and I can use the VPN with user2, but user1 is no longer able to do anything over the VPN.
    Then I hung up with user2, but user1 still can't see anything over the VPN.
    Then I hung up and reconnected with user1, and user1 can use the VPN again.
    Here's part of the log for this activity. I've replaced potentially identifying info with "XYZ" for safety. Appreciate any thoughts on this!
    Tue Oct 19 07:33:08 2010 : L2TP received ICCN
    Tue Oct 19 07:33:08 2010 : L2TP connection established.
    Tue Oct 19 07:33:08 2010 : using link 1
    Tue Oct 19 07:33:08 2010 : Using interface ppp1
    Tue Oct 19 07:33:08 2010 : Connect: ppp1 <--> socket[34:18]
    Tue Oct 19 07:33:08 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:08 2010 : lcp_reqci: returning CONFACK.
    Tue Oct 19 07:33:08 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:08 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
    Tue Oct 19 07:33:08 2010 : sent [CHAP Challenge id=0x18 <XYZ>, name = "myserver.private"]
    Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
    Tue Oct 19 07:33:08 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
    Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
    Tue Oct 19 07:33:08 2010 : rcvd [CHAP Response id=0x18 <XYZ>, name = "user2"]
    Tue Oct 19 07:33:08 2010 : sent [CHAP Success id=0x18 "S=XYZ M=Access granted"]
    Tue Oct 19 07:33:08 2010 : CHAP peer authentication succeeded for user2
    Tue Oct 19 07:33:08 2010 : DSAccessControl plugin: User 'user2' authorized for access
    Tue Oct 19 07:33:08 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
    Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfReq id=0x1]
    Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
    Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-NAK
    Tue Oct 19 07:33:08 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
    Tue Oct 19 07:33:08 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
    Tue Oct 19 07:33:08 2010 : Unsupported protocol 0x8057 received
    Tue Oct 19 07:33:08 2010 : sent [LCP ProtRej id=0x2 80 47 01 01 00 0f 01 0a 02 1b 63 ff fe a0 dd da]
    Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x1 <ms-dns1 0.0.0.1> <ms-dns1 0.0.0.1>]
    Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfRej id=0x1 <ms-dns1 0.0.0.1>]
    Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
    Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfAck id=0x1]
    Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
    Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-ACK
    Tue Oct 19 07:33:08 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
    Tue Oct 19 07:33:08 2010 : ipcp: up
    Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
    Tue Oct 19 07:33:08 2010 : found interface en0 for proxy arp
    Tue Oct 19 07:33:08 2010 : local IP address 10.0.1.29
    Tue Oct 19 07:33:08 2010 : remote IP address 10.0.1.213
    Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
    Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x2 <ms-dns1 0.0.0.1>]
    Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfAck id=0x2 <ms-dns1 0.0.0.1>]
    Tue Oct 19 07:33:08 2010 : sent [ACSP data <payload len 26, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
    <domain: name XYZ>]
    Tue Oct 19 07:33:08 2010 : rcvd [IP data <src addr 10.0.1.213> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
    Tue Oct 19 07:33:08 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.213> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">]
    Tue Oct 19 07:33:08 2010 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
    Tue Oct 19 07:33:34 2010 : rcvd [LCP TermReq id=0x2 "User request"]
    Tue Oct 19 07:33:34 2010 : LCP terminated by peer (User request)
    Tue Oct 19 07:33:34 2010 : ipcp: down
    Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
    Tue Oct 19 07:33:34 2010 : sent [LCP TermAck id=0x2]
    Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
    Tue Oct 19 07:33:34 2010 : L2TP received CDN
    Tue Oct 19 07:33:34 2010 : Connection terminated.
    Tue Oct 19 07:33:34 2010 : Connect time 0.5 minutes.
    Tue Oct 19 07:33:34 2010 : Sent 777000 bytes, received 105388 bytes.
    Tue Oct 19 07:33:34 2010 : L2TP disconnecting...
    Tue Oct 19 07:33:34 2010 : L2TP disconnected
    2010-10-19 07:33:34 PDT --> Client with address = 10.0.1.213 has hungup
    Tue Oct 19 07:33:50 2010 : rcvd [LCP TermReq id=0x3 "User request"]
    Tue Oct 19 07:33:50 2010 : LCP terminated by peer (User request)
    Tue Oct 19 07:33:50 2010 : ipcp: down
    Tue Oct 19 07:33:50 2010 : sent [LCP TermAck id=0x3]
    Tue Oct 19 07:33:50 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.214).
    Tue Oct 19 07:33:50 2010 : L2TP received CDN
    Tue Oct 19 07:33:50 2010 : Connection terminated.
    Tue Oct 19 07:33:50 2010 : Connect time 3.5 minutes.
    Tue Oct 19 07:33:50 2010 : Sent 625383 bytes, received 225586 bytes.
    Tue Oct 19 07:33:50 2010 : L2TP disconnecting...
    Tue Oct 19 07:33:50 2010 : L2TP disconnected
    2010-10-19 07:33:50 PDT --> Client with address = 10.0.1.214 has hungup
    2010-10-19 07:33:59 PDT Incoming call... Address given to client = 10.0.1.216
    Tue Oct 19 07:33:59 2010 : Directory Services Authentication plugin initialized
    Tue Oct 19 07:33:59 2010 : Directory Services Authorization plugin initialized
    Tue Oct 19 07:33:59 2010 : L2TP incoming call in progress from 'XYZ'...
    Tue Oct 19 07:33:59 2010 : L2TP received SCCRQ
    Tue Oct 19 07:33:59 2010 : L2TP sent SCCRP
    Tue Oct 19 07:33:59 2010 : L2TP received SCCCN
    Tue Oct 19 07:33:59 2010 : L2TP received ICRQ
    Tue Oct 19 07:33:59 2010 : L2TP sent ICRP
    Tue Oct 19 07:33:59 2010 : L2TP received ICCN
    Tue Oct 19 07:33:59 2010 : L2TP connection established.
    Tue Oct 19 07:33:59 2010 : using link 0
    Tue Oct 19 07:33:59 2010 : Using interface ppp0
    Tue Oct 19 07:33:59 2010 : Connect: ppp0 <--> socket[34:18]
    Tue Oct 19 07:33:59 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:59 2010 : lcp_reqci: returning CONFACK.
    Tue Oct 19 07:33:59 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
    Tue Oct 19 07:33:59 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
    Tue Oct 19 07:33:59 2010 : sent [CHAP Challenge id=0xf1 <XYZ>, name = "myserver.private"]
    Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
    Tue Oct 19 07:33:59 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
    Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
    Tue Oct 19 07:33:59 2010 : rcvd [CHAP Response id=0xf1 <XYZ>, name = "user1"]
    Tue Oct 19 07:34:00 2010 : sent [CHAP Success id=0xf1 "S=XYZ M=Access granted"]
    Tue Oct 19 07:34:00 2010 : CHAP peer authentication succeeded for user1
    Tue Oct 19 07:34:00 2010 : DSAccessControl plugin: User 'user1' authorized for access
    Tue Oct 19 07:34:00 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
    Tue Oct 19 07:34:00 2010 : sent [ACSCP ConfReq id=0x1]
    Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
    Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-NAK
    Tue Oct 19 07:34:00 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
    Tue Oct 19 07:34:00 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
    Tue Oct 19 07:34:00 2010 : Unsupported protocol 0x8057 received
    Tue Oct 19 07:34:00 2010 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1b 63 ff fe 99 35 cb]
    Tue Oct 19 07:34:00 2010 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 04]
    Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
    Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
    Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-ACK
    Tue Oct 19 07:34:00 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
    Tue Oct 19 07:34:00 2010 : ipcp: up
    Tue Oct 19 07:34:00 2010 : found interface en0 for proxy arp
    Tue Oct 19 07:34:00 2010 : local IP address 10.0.1.29
    Tue Oct 19 07:34:00 2010 : remote IP address 10.0.1.216
    Tue Oct 19 07:34:00 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.216).
    Tue Oct 19 07:34:00 2010 : rcvd [IP data <src addr 10.0.1.216> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
    Tue Oct 19 07:34:00 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.216> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">]

  • NAT and Routed Network with Two ISP's on one router

    I'm sure this has been covered many times, but I am not finding it.
    I have two ISP connections.
    With ISP-A I have a /30 between us, and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end.
    With ISP-B I have a 100.0.0.0/29 subnet, and the ISP gateway is on that subnet at 100.0.0.1.
    On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
    I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
    Everything on 192.168.100.x should use NAT and go out ISP-B
    I have tried
    ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
    route-map ISP-B permit 10
     match ip address 101
     match interface GigabitEthernet0/1
     set ip next-hop 100.0.0.1
    route-map ISP-A permit 10
     match ip address 111
     match interface Multilink1
     set ip next-hop 1.1.1.1
    The problem comes when I have default routes to ISP-A in the router; then none of the ISP-B traffic works, and vice versa.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
    If you can use BGP, this link will help you in load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH

  • REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL

    Hey,
    We have a PIX 6.3 serving as Internet firewall and we are in the process of replacing it with a new ASA device. Currently there are several site-to-site and remote VPNs configured for access purposes.
    I tried to remove one site-to-site IPsec VPN from the PIX and it started acting like a loop, generating the same error in such quantity that the processor hit 100% CPU. I couldn't log in through normal SSH, so I connected via console and put the isakmp and crypto map commands back in, and the error stopped.
    The purpose of this question is: how can I remove VPN config from the PIX without generating any error? Is there any formal process or order for removing rules from the PIX, or can we do it one by one with no order required?
    My process of removing config:
    Remove the access-list INSIDEOUT and OUTSIDEIN commands
    Remove the objects and object groups
    Remove the VPN-defined access-list for interesting traffic
    Remove crypto map transform-set
    Remove isakmp policy
    Remove crypto map
    We do use the isakmp shared key mechanism (I did not remove that).
    But as soon as I removed the crypto map from the PIX I got this error:
    IPSEC(crypto_map_check): crypto map XYZ 20 incomplete.  No peer or access-list specified.
    20 is the isakmp policy number, and the peer and access-list were removed from the PIX.
    Any help would be great.
    regards

    Hi
    You could do either of 2 things.
    1) Enable NAT-Traversal on your ASA
    2) Add the following on your pix :
    fixup protocol esp-ike
    This allows one IPSEC connection to run through PAT.
    HTH
    Jon
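An added example (not part of the question or the reply above) of an order of operations for removing one site-to-site tunnel from a PIX 6.3 that avoids the "crypto map XYZ 20 incomplete. No peer or access-list specified." condition quoted in the question: that message is what the PIX logs when a map that is still bound to an interface contains an entry whose match address or set peer has been deleted while the entry itself remains. Map name and entry number are the question's; the peer address, the ACL contents and the exact form of the isakmp key line are placeholders written from memory, so check them against your running configuration first.

```cisco
! Added example (not from the thread above). Placeholders: map XYZ entry 20
! for peer 203.0.113.10, interesting-traffic ACL VPN-20 with one ACE.
!
! 1. Tear down the live IPsec SAs for that peer only; other tunnels stay up.
!    (The ISAKMP SA for the peer ages out on its own.)
clear crypto ipsec sa peer 203.0.113.10
!
! 2. Remove the whole crypto map ENTRY first. This deletes its match address,
!    set peer and set transform-set together, so the map bound to the
!    outside interface never holds an entry with no peer or ACL. Deleting
!    those two lines one at a time while the entry remains is what produces
!    the "crypto map XYZ 20 incomplete" loop in the question.
no crypto map XYZ 20
!
! 3. Now the objects only that entry referenced can go: the interesting
!    traffic ACE(s) and the peer's pre-shared key.
no access-list VPN-20 permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
no isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
!
! 4. Leave shared items alone: the isakmp policy and the transform set are
!    still referenced by the other entries in the same map. Do NOT issue
!    "no crypto map XYZ interface outside" while other tunnels are in use,
!    and do not remove the interface ACLs or object-groups until the
!    remaining tunnels no longer reference them.
!
! Check before and after:
!   show crypto map
!   show crypto ipsec sa
```

Run `show crypto map` before step 2 and note every entry that references the same transform set or isakmp policy; those are the items step 4 tells you to keep. The same order (entry first, then the ACL and key it pointed at, shared objects last) applies when clearing the map entries out one by one before the cutover to the ASA.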

  • Dial up VPN?

    I need to configure a dial-up VPN. I have a 16-port modem network module in my router to terminate dial-up connections. I want to have users dial into the router and have a VPN to the network.
    I was thinking of creating the dial-up, then once that's established having them launch the VPN client on their machine to connect to the inside interface of the router, which will have the crypto bound to it.
    Anyone know of a better way? Or have any thoughts?
    TIA

    Hi
    If I read your reply properly, you would like to have both dial-in onto the modem module as well as remote access VPN using the VPN client.
    If that's the case then you can configure both remote access VPN and normal dial-in using the modem module.
    In the second option you are going to connect the PSTN lines to the modem module; it's a point-to-point link between your router and the remote user, but established only when there is some requirement for the same.
    regds

  • I could really use a second set of eyes on this VPN config. :)

    Hi all,
    I am attempting to setup a client -> server VPN using IOS 12.4, and Cisco Client 5.x. At this point, the client does connect, however, I cannot ping, or send / receive data over the VPN.  I am initially attempting a split-tunnel config, as they seem easier.  Ideally, the client would route *all* data over the VPN including that which is destined for the public network in the interest of safe browsing remotely.  However, I haven't got that far yet. 
    Currently, I have a network setup as:
    FastEthernet0/0 - Public network via DHCP from ISP.
    FastEthernet0/1 - Internal network on the 192.168.1.0 /24 network.
    I currently have a NAT overload on FastEthernet0/0 so that internal hosts can browse the Internet.  As mentioned, I would also like to have remote VPN hosts browse the Internet via this same overload.
    Below is my config in full with some parts redacted.  Please let me know what I am doing wrong for this split-tunnel setup, and any suggestions to get this working in a non-split-tunnel way would be great.  I have been working on this for 2 days, and all the tutorials and guides I've read do not seem to work for me.
    Thanks!
    Trevor
    ! Last configuration change at 23:06:48 EDT Fri Apr 27 2012 by trevor
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname myrouter
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 sometextsometextsometext
    enable password somepassword
    aaa new-model
    aaa authentication login userauth local
    aaa authorization network groupauth local
    username vpnuser password 0 vpnpassword
    clock timezone EST -5
    clock summer-time EDT recurring
    ip name-server 4.2.2.2
    ! needed to enable resolution of the URLs in the update config commands
    ip domain lookup
    ip ddns update method mydomain_update
      http
       add http://login:[email protected]/nic/update?hostname=mydomain.dyndns.org&[email protected]/nic/update?hostname=mydomain.dyndns.org&myip=<a>
      interval maximum 0 0 1440 0
      interval minimum 0 0 1440 0
    ! Applying update method to interface
    !interface FastEthernet0/0
    !  ip ddns update mydomain_update
    ip domain name mydomain.dyndns.org
    username user privilege 15 secret 5 sometextsometextsometext
    interface FastEthernet0/0
    description *** Outside ***
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map vpn-map
    ip ddns update mydomain_update
    interface FastEthernet0/1
    description *** Inside ***
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Loopback0
    description VPN
    ip address 10.1.254.1 255.255.255.240
    crypto isakmp policy 1
    encryption aes
    authentication pre-share
    group 2
    crypto isakmp client configuration group vpngroup
    key vpnpassword
    dns 4.2.2.2 4.2.2.1
    domain mydomain.dyndns.org
    pool vpnpool
    acl 101
    crypto ipsec transform-set vpn esp-aes esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set vpn
    reverse-route
    crypto map vpn-map client authentication list userauth
    crypto map vpn-map isakmp authorization list groupauth
    crypto map vpn-map client configuration address respond
    crypto map vpn-map 10 ipsec-isakmp dynamic dynmap
    ip nat inside source list 10 interface FastEthernet0/0 overload
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
    ip local pool vpnpool 10.1.254.2 10.1.254.14
    !radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key cisco
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    transport input ssh
    ntp clock-period 17208002
    ntp server 142.137.247.109
    end

    I apologize I'm thick here.  So, I need to remove the line I added on the access-list.  So access-list 101 would just be:
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    Which should pass the split-tunneling route to the client.
    I then need to add a line to prevent NAT from occurring from my internal (192.168.1.0/24) network to the VPN network which is (10.1.254.0/24).  I would also need to add a new access-list to that effect.  However, I should keep the existing NAT line in order to ensure that internal network machines can reach the public network so:
    no ip nat inside source list 102 interface FastEthernet0/0 overload
    ip nat inside source list 10 interface FastEthernet0/0 overload
    access-list 102 permit ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
    Is this correct?
    Thanks again for your help!
    Trevor
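    Why the posted config connects but passes no traffic, modelled as an added Python example that is not part of Trevor's post or of Cisco IOS: the NAT statement translates whatever its access list permits, and standard ACL 10 matches on source address only, so LAN replies to a VPN client in the 10.1.254.0/28 pool are PAT'ed to the outside address before they reach the tunnel. The evaluator implements Cisco wildcard-mask matching, first-match ACL semantics with the implicit deny, and wildcard-to-prefix conversion for the split-tunnel ACL. The corrected extended ACL (a deny for LAN-to-pool traffic ahead of the permit) is my assumption of the standard NAT-exemption pattern; the /28 comes from the posted Loopback0 mask and pool range, and the flow addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    src: str                           # source network
    src_wild: str                      # Cisco wildcard: 1 bits are "don't care"
    dst: str = "0.0.0.0"               # default dst/dst_wild is "any" (standard ACLs
    dst_wild: str = "255.255.255.255"  # never look at the destination)


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard comparison: only the 0 bits of the wildcard are compared."""
    care = ~_u32(wild) & 0xFFFFFFFF
    return _u32(addr) & care == _u32(net) & care


def wildcard_to_network(net: str, wild: str) -> ipaddress.IPv4Network:
    """Turn a contiguous wildcard into a prefix (0.0.0.255 -> /24).
    A wildcard of the form 2^k - 1 is contiguous; anything else cannot be a prefix."""
    w = _u32(wild)
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wild} has no prefix equivalent")
    prefix = 32 - w.bit_length()
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)


def acl_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def nat_translates(nat_acl: List[AclEntry], src: str, dst: str) -> bool:
    """'ip nat inside source list N ...' translates a packet when list N permits it."""
    return acl_decision(nat_acl, src, dst) == "permit"


def split_tunnel_routes(acl: List[AclEntry]) -> List[str]:
    """Networks a split-tunnel ACL pushes to the client: the source side of each permit."""
    return sorted({str(wildcard_to_network(e.src, e.src_wild))
                   for e in acl if e.action == "permit"})


# ACL 10 exactly as posted: a standard ACL, so destination is never considered.
ACL_10_POSTED = [AclEntry("permit", "192.168.1.0", "0.0.0.255")]

# Assumed fix: exempt LAN-to-VPN-pool traffic (10.1.254.0/28, from the posted Loopback0
# mask and pool 10.1.254.2-14), then translate everything else bound for the Internet.
ACL_NAT_EXEMPT = [
    AclEntry("deny", "192.168.1.0", "0.0.0.255", "10.1.254.0", "0.0.0.15"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255"),
]

# Split-tunnel ACL 101 as posted; the client learns the source network as a secured route.
ACL_101_POSTED = [AclEntry("permit", "192.168.1.0", "0.0.0.255", "10.1.254.0", "0.0.0.255")]

# Constructed flows: a LAN host answering a VPN client, and the same host browsing the web.
FLOWS: Dict[str, Tuple[str, str]] = {
    "lan_to_vpn_client": ("192.168.1.10", "10.1.254.3"),
    "lan_to_internet": ("192.168.1.10", "198.51.100.7"),
}


def translated_flows(nat_acl: List[AclEntry]) -> Dict[str, bool]:
    """Which of the sample flows the NAT statement would translate under a given list."""
    return {name: nat_translates(nat_acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    print("posted ACL 10:   ", translated_flows(ACL_10_POSTED))
    print("with exemption:  ", translated_flows(ACL_NAT_EXEMPT))
    print("split-tunnel push:", split_tunnel_routes(ACL_101_POSTED))
```

    With the posted list both flows come back True, which is the failure: LAN replies to 10.1.254.3 leave with the outside address as source and never match the client's SA. With the deny entry in front, only the Internet flow is translated. The split-tunnel check also shows that ACL 101 pushes 192.168.1.0/24 whatever its destination field says, so narrowing or widening that field changes nothing for the client.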
