Policy Based Routing with VPN Client configuration

Similar Messages

• Does icmp redirect work with policy based route

  Setup:
  R1 and R2 on same ip net.
  On R1 policy based route is configured with R2 as next hop.
  Will R1 send icmp redirect (to use R2 instead) to those hosts that match the policy based routing ?
  Thanks.
  Gert Schaarup

  HI Gert,
  The answer to your question is yes. I have verified this in a lab previously. As long as all the conditions for ICMP redirect have been met (source address on same net, best gateway on same net) then ICMP redirects are sent regardless of whether PBR or normal routing is being used.
  Hope that helps - pls rate the post if it does.
  Paresh

• Policy based routing on VRF interfaces to route traffic through TE Tunnel

  Hi All,
  Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel.
  The tunnel is already build up with these below config
  interface Tunnel25
  ip unnumbered Loopback0
  tunnel destination 10.250.16.250
  tunnel mode mpls traffic-eng
  tunnel mpls traffic-eng path-option 10 explicit name test
  ip explicit-path name test enable
  next-address x.x.x.x
  next-address y.y.y.y
  router ospf 1
  mpls traffic-eng router-id Loopback0
  mpls traffic-eng area 0
  mpls traffic-eng tunnels
  nterface GigabitEthernet5/2
  mpls traffic-eng tunnels
  mpls ip
  Is there additional config needed to work ,also in the destination end for the return traffic,we want to use the normal PATH --I mean non TE tunnel.
  We tested with the above scenario,but couldn't able to reach the destination.Meantime we had a question,when the packet uses the policy map while ingress,it may not know the associatuion with VRF(Is that right? --If so ,how to make it happen)
  Any help would be really appreciated
  Thanks
  Regards
  Anantha Subramanian Natarajan

  hi Anantha!
  I might not be the right person to comment on your first question. I have not configured MVPNs yet and not very confertable with the topic.
  But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that " a Tunnel will be selected regularly according to the routing process (even isf it is cbts enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a perticular tunnel in the group if specific class is mapped to that tunnel.
  So a master tunnel can be the only tunnel between the 2 devices over which the routing (bgp next hops) are exchanged and all other tunnels can be members of this tunnel. So your RPF might not fail.
  You might have to explore on this a bit more and read about the co-existance of multicast and TE. This will be the same as that.
  For your second question, the answer would be easy :
  If you want a specific eompls cust to take a particular tunnel/path, just create a seperate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the eompls to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular eompls session should take a particular path.
  If you meant that certain traffic from the same eompls session take a different path/tunnel, then CBTS will work.
  Regards,
  Niranjan

• Policy based routing

  Hello,
  I am setting up PBR. Looking at my configuration, will the next hop apply for both access lists 100 and 101? or will access-list 101 use 192.168.0.1 as the next up? I was hoping acl 101 will use 10.10.10.1 as next up.
  router configuration:
  route-map policy-based-routing permit 10
  match ip address 100
  set ip next-hop 192.168.10.1
  route-map policy-based-routing permit 20
  match ip address 101
  set ip next-hop 10.10.10.1
  access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
  access-list 100 deny ip 10.10.10.0 0.0.0.255 any
  access-list 101 permit ip 10.10.10.0 0.0.0.255 any
  access-list 101 deny ip any any
  ip route 0.0.0.0 0.0.0.0 10.10.10.1

  Paul,
  All you need is the following configuration.
  route-map policy-based-routing permit 10
  match ip address 100
  set ip next-hop 192.168.10.1
  access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
  ip route 0.0.0.0 0.0.0.0 10.10.10.1
  with the above configuration applied to the correct incoming interface, all traffic from 10.10.10.0 destined to 192.168.10.0 will use the next hop from the route map and all other traffic wil use the default route
  HTH
  Narayan

• WSA and Cisco Policy Based Routing

  I'm looking to convert my WSA from explicit to transparent proxy using policy based routing on a Cisco router. See the config below where xxx.xxx.xxx.xxx is the P1 interface on the WSA. Does anyone see any issues with the following in a production environment?
  access-list 110 permit tcp any any eq www
  route-map proxy-redirect permit 10
  match ip address 110
  set ip next-hop xxx.xxx.xxx.xxx
  interface ethernet0/1
  ip policy route-map proxy-redirect
  The P1 interface on the WSA is located upstream from the router so I'm not checking for it in the ACL.

  That router configuration looks good to me, but just make sure that the WSA was configured for Transparent mode during the initial System Setup Wizard configuration. If it was initially configured for explicit only, then you will need to run the wizard again to change it to transparent.
  Also, make sure to add a deny statement to the top of access-list 110 for the WSA IP address if the WSA will be going out to the Internet through the same e0/1 interface. Loops are bad. :twisted:
  Cheers,
  Jason

• Introduce second default gateway into policy-based routing and optimization

  Questions:
  1) How to get the second PBR_DEFAULT_GATEWAY address 10.20.20.3 into the policy-based routing for redundancy?
  2) Any optimizations as more and more traffic (policy-based routed and otherwise) goes through interface Gi1/0/1?
  Address range A.B.0.0/16 represents assigned Internet-routable addresses.
  Network also uses 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16.
  DEFAULT_GATEWAY router participates in OSPF and injects the default routes 0.0.0.0/0 10.10.10.1 and 0.0.0.0/0 10.20.20.1 into OSPF.
  PBR_DEFAULT_GATEWAY router participates in OSPF but filters out default routes injected by DEFAULT_GATEWAY router.
  ROUTER_A participates in OSPF and receives default routes injected by DEFAULT_GATEWAY router.
  ROUTER_A contains the attached policy-routing configuration that allows the subnet A.B.30.0/24 to route anywhere on the network and uses PBR_DEFAULT_GATEWAY as the way out.

  Ok I will see if I can run out to work and try this today..
  After thinking about this, If I need to get to local ip addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign the 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out the firewall
  for instance
  # Access to one of my local networks
  access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
  # Send Internet traffic to ASA/PIX
  access-list 172 permit ip 172.20.200.0 0.0.0.255 any
  route-map pix-172-20-200 permit 10
  match ip address 101
  set ip next-hop 172.20.200.1
  route-map pix-172-20-200 permit 20
  match ip address 172
  set ip next-hop 172.20.200.2
  and so on?
  I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...
  I wantto make sure I can still get to the local networks I need to get to.
  I appreciate all your help, and I will test this later on today..
  Thanks
  Don Hickey

• Policy based routing to host in same vlan/subnet

  Hello i have nexus 7k that i have a policy based routing setup as follows for 2 vlans, 802 and 803, to set default route out to a host in vlan 802. i have applied my policy to the vlans and everything works fine for a host in vlan 803, it routes over and out properly. However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the pbr statistics incrementing indicating that i am initially hitting the policy but im not sure where my traffic goes after that. I can talk to .237 direct in the vlan but i would like this to work through pbr to utilize all of my other routes and default gateway.
  vlans 802
  172.21.1.1/24
  ip policy route-map West
  vlan 803
  172.21.17.1/24
  ip policy route-map West
  route-map West permit 10
    match vlan 802-803
    set ip default next-hop 172.21.1.237
  Im thinking there is some kind of hairpinning problem or maybe im creating some kind of blackhole.
  any help is appreciated.
  thanks, scott

  Scott
  If the destination IP is in the same subnet as source IP then it won't be routed it will be L2 switched so it would never use the default gateway ie.
  src IP 172.21.1.10 255.255.255.0
  dst IP 172.21.1.237 255.255.255.0
  src compares it's own IP with it's subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with it's own subnet mask and sees it is also on the 172.21.1.x network so it simply arps out for that address and when it gets the mac address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
  So i don't see how you will be able to do this and i'm not sure why you are seeing hits in your PBR acl for the host in the 172.21.1.x network.
  Edit - what exactly do you mean when you say -
  However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
  How are you doing this ie. pointing it to the default gateway because as i say it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
  Jon

• Policy based routing on a Layer 3 switch

  I am doing some lab testing on policy based routing. I am having some issues that I can't see to get working right.
  Here is the config:
  ip local policy route-map Test-map
  ip access-list extended icmp
  permit icmp 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit icmp 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255
  ip access-list extended telnet
  permit tcp 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255 eq telnet
  permit tcp 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255 eq telnet
  ip access-list extended test
  permit icmp 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
  route-map Test-map permit 10
  match ip address icmp
  set ip next-hop 192.168.1.3
  route-map Test-map permit 20
  match ip address telnet
  set ip next-hop 192.168.1.2
  The first thing I did was I only had 1 network on this box the 192.168.1.x and when I plugged a pc into a port on the switch and tried to ping the remote network of 192.168.200.1 it will not hit on my access-lists for my policy based routes.
  If I do a ping from the switches IOS interface directly the access-lists get hits and the policy based routes work fine.
  So I was puzzled by this and figured maybe policy based routes only work if they come from one network to another network. So I setup a 2nd vlan called 192.168.2.x and put my pc in that vlan. I then proceed to ping 192.168.200.1 and still was unable to get any hits on the access-lits or policy based routes.
  So what am I doing wrong or am I trying to use policy based routing wrong here?

  I've done that command but then when I do a "show run" I don't see it in the configuration and it doesn't seem to be working.
  Also if everything is on the same vlan 100 will the pbr work? or does this require that I use two different vlans? (one for inside and one for outside) so that I have a interface from where the packets are coming from?

• SRP527-U Policy Based Routing To Squid?

  Hi,
  I have a SRP527-U running 1.2.6.
  I have a simple setup, a ADSL connection to the Internet and a bunch of PC's behind that with Internet access.
  I've setup a host on the same VLAN as the other devices and I've set it up running squid.
  What I'd like to do is use the Policy Based Routing function to force all users trying to browse the Internet through that squid instance.
  That is
  Source of 192.168.0.20/32 Port 80 -> Policy Based Route to Destination of 192.168.0.50 port 3128
  Is that possible with this device, or is that outside of its capabilities?  I've looked at the PBR section, but it seems to imply forcing all traffic out through a WAN Interface which isn't what I want to achieve.
  Kind Regards,
  Tim

  Scott
  If the destination IP is in the same subnet as source IP then it won't be routed it will be L2 switched so it would never use the default gateway ie.
  src IP 172.21.1.10 255.255.255.0
  dst IP 172.21.1.237 255.255.255.0
  src compares it's own IP with it's subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with it's own subnet mask and sees it is also on the 172.21.1.x network so it simply arps out for that address and when it gets the mac address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
  So i don't see how you will be able to do this and i'm not sure why you are seeing hits in your PBR acl for the host in the 172.21.1.x network.
  Edit - what exactly do you mean when you say -
  However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
  How are you doing this ie. pointing it to the default gateway because as i say it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
  Jon

• Problem with VPN Client and network access

  We are running VPN client 4.0.1 on our laptops, and there are a number of users who are getting documents they are using on the internal network (off VPN) corrupted. The initial cause seemed to be the stateful firewall, but I have that turned off, and we are still getting it.
  It only seems to be on the machines with VPN client installed, and it is only happening when the user is working on a file direct from the network drive. They are not connecting via the VPN client when the problem occurs.
  any suggestions?
  William.

  Did you get any joy with this ? We seem to be having the same issue.
  Thanks

• How to configure full tunnel with VPN client and router?

  I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

  I think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

• Problem with VPN client on Cisco 1801

  Hi,
  I have configured a new router for a customer.
  All works fine but i have a strange issue with the VPN client.
  When i start the VPN the client don't close the connection, ask for password, start to negotiate security policy the show the not connected status.
  This is the log form the VPN client:
  Cisco Systems VPN Client Version 5.0.07.0290
  Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
  Client Type(s): Windows, WinNT
  Running on: 6.1.7601 Service Pack 1
  Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
  1      14:37:59.133  04/08/13  Sev=Info/6          GUI/0x63B00011
  Reloaded the Certificates in all Certificate Stores successfully.
  2      14:38:01.321  04/08/13  Sev=Info/4          CM/0x63100002
  Begin connection process
  3      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100004
  Establish secure connection
  4      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100024
  Attempt connection with server "asgardvpn.dyndns.info"
  5      14:38:02.380  04/08/13  Sev=Info/6          IKE/0x6300003B
  Attempting to establish a connection with 79.52.36.120.
  6      14:38:02.384  04/08/13  Sev=Info/4          IKE/0x63000001
  Starting IKE Phase 1 Negotiation
  7      14:38:02.388  04/08/13  Sev=Info/4          IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
  8      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700008
  IPSec driver successfully started
  9      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700014
  Deleted all keys
  10     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x6300002F
  Received ISAKMP packet: peer = 79.52.36.120
  11     14:38:02.460  04/08/13  Sev=Info/4          IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
  12     14:38:02.506  04/08/13  Sev=Info/6          GUI/0x63B00012
  Authentication request attributes is 6h.
  13     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  14     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
  Peer supports DPD
  15     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
  Peer supports DWR Code and DWR Text
  16     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
  Peer supports XAUTH
  17     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
  Peer supports NAT-T
  18     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000001
  IOS Vendor ID Contruction successful
  19     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
  20     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  21     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000083
  IKE Port in use - Local Port =  0xCEFD, Remote Port = 0x1194
  22     14:38:02.465  04/08/13  Sev=Info/5          IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  23     14:38:02.465  04/08/13  Sev=Info/4          CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  24     14:38:02.502  04/08/13  Sev=Info/5          IKE/0x6300002F
  Received ISAKMP packet: peer = 79.52.36.120
  25     14:38:02.502  04/08/13  Sev=Info/4          IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
  26     14:38:02.502  04/08/13  Sev=Info/4          CM/0x63100015
  Launch xAuth application
  27     14:38:07.623  04/08/13  Sev=Info/4          CM/0x63100017
  xAuth application returned
  28     14:38:07.623  04/08/13  Sev=Info/4          IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
  29     14:38:12.656  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  30     14:38:22.808  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  31     14:38:32.949  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  32     14:38:43.089  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  33     14:38:53.230  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  34     14:39:03.371  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  35     14:39:13.514  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  36     14:39:23.652  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  37     14:39:33.807  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  38     14:39:43.948  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  39     14:39:54.088  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  40     14:40:04.233  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  41     14:40:14.384  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  42     14:40:24.510  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  43     14:40:34.666  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  44     14:40:44.807  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  45     14:40:54.947  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  46     14:41:05.090  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  47     14:41:15.230  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  48     14:41:25.370  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  49     14:41:35.524  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  50     14:41:45.665  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  51     14:41:55.805  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  52     14:42:05.951  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  53     14:42:16.089  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  54     14:42:26.228  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  55     14:42:36.383  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  56     14:42:46.523  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  57     14:42:56.664  04/08/13  Sev=Info/6          IKE/0x63000055
  Sent a keepalive on the IPSec SA
  58     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000017
  Marking IKE SA for deletion  (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
  59     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
  60     14:43:03.248  04/08/13  Sev=Info/4          IKE/0x6300004B
  Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
  61     14:43:03.248  04/08/13  Sev=Info/4          CM/0x63100014
  Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
  62     14:43:03.248  04/08/13  Sev=Info/5          CM/0x63100025
  Initializing CVPNDrv
  63     14:43:03.262  04/08/13  Sev=Info/6          CM/0x63100046
  Set tunnel established flag in registry to 0.
  64     14:43:03.262  04/08/13  Sev=Info/4          IKE/0x63000001
  IKE received signal to terminate VPN connection
  65     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
  Deleted all keys
  66     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
  Deleted all keys
  67     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
  Deleted all keys
  68     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x6370000A
  IPSec driver successfully stopped
  And this is the conf from the 1801:
  hostname xxx
  boot-start-marker
  boot-end-marker
  enable secret 5 xxx
  aaa new-model
  aaa authentication login xauthlist local
  aaa authorization network groupauthor local
  aaa session-id common
  dot11 syslog
  no ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.0.1.1 10.0.1.10
  ip dhcp excluded-address 10.0.1.60 10.0.1.200
  ip dhcp excluded-address 10.0.1.225
  ip dhcp excluded-address 10.0.1.250
  ip dhcp pool LAN
     network 10.0.1.0 255.255.255.0
     default-router 10.0.1.10
     dns-server 10.0.1.200 8.8.8.8
     domain-name xxx
     lease infinite
  ip name-server 10.0.1.200
  ip name-server 8.8.8.8
  ip name-server 8.8.4.4
  ip inspect log drop-pkt
  ip inspect name Firewall cuseeme
  ip inspect name Firewall dns
  ip inspect name Firewall ftp
  ip inspect name Firewall h323
  ip inspect name Firewall icmp
  ip inspect name Firewall imap
  ip inspect name Firewall pop3
  ip inspect name Firewall rcmd
  ip inspect name Firewall realaudio
  ip inspect name Firewall rtsp
  ip inspect name Firewall esmtp
  ip inspect name Firewall sqlnet
  ip inspect name Firewall streamworks
  ip inspect name Firewall tftp
  ip inspect name Firewall vdolive
  ip inspect name Firewall udp
  ip inspect name Firewall tcp
  ip inspect name Firewall https
  ip inspect name Firewall http
  multilink bundle-name authenticated
  username xxx password 0 xxxx
  crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2 
  crypto isakmp client configuration group xxx
  key xxx
  dns 10.0.1.200
  wins 10.0.1.200
  domain xxx
  pool ippool
  acl 101 
  crypto ipsec transform-set myset esp-3des esp-sha-hmac
  crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  crypto map clientmap client authentication list userauthen
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  archive  
  log config
    hidekeys
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  dsl operating-mode adsl2+
  hold-queue 224 in
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Vlan1
  ip address 10.0.1.10 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  ppp authentication chap callin
  ppp pap sent-username aliceadsl password 0 aliceadsl
  crypto map clientmap
  ip local pool ippool 10.16.20.1 10.16.20.200
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip route 0.0.0.0 0.0.0.0 10.0.1.2
  ip http server
  no ip http secure-server
  ip nat inside source list 1 interface Dialer0 overload
  ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
  ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
  ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
  ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
  ip nat inside source list 101 interface Dialer0 overload
  access-list 101 remark *** ACL nonat ***
  access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
  access-list 101 permit ip 10.0.1.0 0.0.0.255 any
  access-list 150 remark *** ACL split tunnel ***
  access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
  control-plane
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  password xxx
  scheduler max-task-time 5000
  end 
  Anyone can help me ?
  Sometimes the vpn can be vreated using the iPhone or iPad vpn client...

  I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
  3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
  regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
  HELP?

• Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

  Hi Community.
  I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
  I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
  VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
  The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
  I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
  My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
  I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
  What do you think?

  Hi,
  Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
  This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
  - Jouni

• WRV200 - Problems with VPN Client and Internal network access

  I have a WRV200 router and want to access the internal (Private Network) connected on the inside. I have successfully conected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
  How do I enable NAT Transversal or Passthru? I have already selected all of the PPTP, L2TP and IPSEC Pass Through.
  Has anyone gotten this to work?

  I have actually gotten this to work. Issues surround this include the ability to get to the VPN if the main DNS is down (it does not fail over to the next DNS in the list).
  If you unselect all of the boxes in the firewall General configuration, you can connect, but if you need to have all of this unchecked, what's the sense of having it?
  Anyway, you can use the DoS Prevention, this is not interfering.
  HTH.

• Problem with VPN Client and PIX 7.0(5)

  Hi, i have a problem configuring my pix 525 7.0(5) as a remote vpn server. I already configure the pix
  sollowing this instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
  and i can establish a vpn using CISCO VPN Client; but i can't reach any resource from my inside network or any network define in the PIX.
  I think that could be a missing nat or an acl; but i have do a lot of research but i can figure out the solution.
  This is the configuration i apply
  access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
  access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
  access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
  access-list acl-vpn-sap-remoto extended permit ip any any
  access-list acl-vpn-sap-remoto extended permit icmp any any
  ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
  nat (inside) 0 access-list cryptomap-scada
  group-policy VPN_SAP_PED internal
  group-policy VPN_SAP_PED attributes
  vpn-filter value acl-vpn-sap-remoto
  vpn-tunnel-protocol IPSec
  username vpnuser password **** encrypted
  username vpnuser attributes
  vpn-group-policy VPN_SAP_PED
  crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
  crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
  crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
  crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
  isakmp policy 7 authentication pre-share
  isakmp policy 7 encryption 3des
  isakmp policy 7 hash sha
  isakmp policy 7 group 2
  isakmp policy 7 lifetime 43200
  tunnel-group VPN_SAP_PED type ipsec-ra
  tunnel-group VPN_SAP_PED general-attributes
  address-pool pool_vpn_sap
  default-group-policy VPN_SAP_PED
  tunnel-group VPN_SAP_PED ipsec-attributes
  pre-shared-key clavevpnsap
  Thanks in Advanced

  Hi, thanks for you response, if i remove the acl form de vpn filter, i get the same problem (i can't reach any host). This is the output from the command that you ask for.
  PIX-Principal(config)# show running-config nat
  nat (inside) 0 access-list cryptomap-scada
  nat (inside) 9 JOsorioPC 255.255.255.255
  nat (inside) 9 GColinaPC 255.255.255.255
  nat (inside) 9 AlfonsoPC 255.255.255.255
  nat (inside) 9 AngelPC 255.255.255.255
  nat (inside) 9 JerryPC 255.255.255.255
  nat (inside) 9 EstebanPC 255.255.255.255
  nat (inside) 9 GiancarloPC 255.255.255.255
  nat (inside) 9 WilliamsPC 255.255.255.255
  nat (inside) 9 PerniaPC 255.255.255.255
  nat (inside) 9 ElvisDomPC 255.255.255.255
  nat (inside) 8 LBermudezPC 255.255.255.255
  nat (inside) 9 HelpDeskPC 255.255.255.255
  nat (inside) 9 OscarOPC 255.255.255.255
  nat (inside) 9 AnaPC 255.255.255.255
  nat (inside) 9 RobertoPC 255.255.255.255
  nat (inside) 9 MarthaPC 255.255.255.255
  nat (inside) 9 NOCPc5-I 255.255.255.255
  nat (inside) 9 NOCPc6-I 255.255.255.255
  nat (inside) 9 CiraPC 255.255.255.255
  nat (inside) 9 JaimePC 255.255.255.255
  nat (inside) 9 EugemarPC 255.255.255.255
  nat (inside) 9 JosePC 255.255.255.255
  nat (inside) 9 RixioPC 255.255.255.255
  nat (inside) 9 DaniellePC 255.255.255.255
  nat (inside) 9 NorimarPC 255.255.255.255
  nat (inside) 9 NNavaPC 255.255.255.255
  nat (inside) 8 ManriquePC 255.255.255.255
  nat (inside) 8 MarcialPC 255.255.255.255
  nat (inside) 8 JAlbornozPC 255.255.255.255
  nat (inside) 9 GUrdanetaPC 255.255.255.255
  nat (inside) 9 RVegaPC 255.255.255.255
  nat (inside) 9 LLabarcaPC 255.255.255.255
  nat (inside) 9 Torondoy-I 255.255.255.255
  nat (inside) 9 Escuque-I 255.255.255.255
  nat (inside) 9 Turbio-I 255.255.255.255
  nat (inside) 9 JoseMora 255.255.255.255
  nat (inside) 8 San-Juan-I 255.255.255.255
  nat (inside) 8 Router7507 255.255.255.255
  nat (inside) 8 NOCPc4-I 255.255.255.255
  nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255