Replace 3005 VPN Concentrator

We have two 3005 concentrators that need to be replaced.
Is there anything equivalent that will allow for creation of groups, Cisco VPN client, web VPN and is reasonably priced?
What do people generally do for a plug in replacement to the 3005 VPN concentrator?

What is generally done about the cost?
At the moment, the PIX firewalls are not EOL.
If I replace the firewalls just because the 3005 is EOL, it will be a large expense, correct?
Also, at the moment, the firewall is passing through the traffic to the concentrator in a DMZ.
What is the alternative in the ASA appliance?
And does the ASA allow for the creation of groups for access like the concentrator does?

Similar Messages

  • Setup Sunray 3G with Cisco 3005 VPN concentrator

    hi,
    I first explain the setup situation:
    Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
    Do I need to set up a sunray segment for not-directly connected networks or do I need to set up one for directly connected networks?
    Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel or do I need to let the Cisco handle the IP address management?
    Is there some info about what IKE proposal I need to select in the Cisco 3005?
    Any help would be appreciated
    Thx

    I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP, so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs. I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.

  • Cisco 3005 vpn concentrator console cable

    Hi,
    I have just purchased a Cisco 3005 VPN concentrator and I need to know where I can get a console cable for it. The cable is different from the ones I have for my PIX and routers, as the connection at the concentrator end is a DB9 and not RJ45.
    I've tried looking on eBay but with no luck.
    PS
    I live in England.
    regards
    melvyn brown

    Melvyn,
    Use a Straight Through Cable to console into the VPN3000.
    I hope it helps.
    Regards,
    Arul

  • What's replaced the vpn concentrator?

    Greenhorn here, I didn't set any of this up.  We have three remote sites, sister institutions, that we share an app with.  We house the app.  One site has a VPN concentrator setup, the other two are using a point-to-point leased line. They each have a router that connects to a single router.  They want to replace the leased lines with a VPN concentrator.  Doing the digging I see the concentrators are EOL.
    So what's used to replace the concentrator today?  What's a solution today to move away from the leased lines? These are all cash poor non-profits. My guess is they'll say look on Ebay for a concentrator if the solution is too pricey.
    Thanks Jim

    Sorry it took so long but here's the output from sh version.
    Location 1
    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-I-M), Version 12.2(16a), RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 18-Apr-03 19:25 by xxxxx
    Image text-base: 0x8000808C, data-base: 0x80A0EE84
    ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
    xxxxxxxxx uptime is 41 weeks, 3 days, 20 hours, 54 minutes
    System returned to ROM by power-on
    System image file is "flash:c2600-i-mz.122-16a.bin"
    cisco 2621 (MPC860) processor (revision 0x00) with 27648K/5120K bytes of memory.
    Processor board ID JAD07070EVT (2982455740)
    M860 processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Location 2
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 14-Feb-03 14:34 by ccai
    Image text-base: 0x80008124, data-base: 0x80A94064
    ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
    xxxxxxxxxxx uptime is 14 weeks, 14 hours, 22 minutes
    System returned to ROM by power-on
    System image file is "flash:c1700-sy-mz.122-11.T6.bin"
    cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
    Processor board ID FOC0708028N (496857573), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    WIC T1-DSU
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Location 3
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 14-Feb-03 14:34 by ccai
    Image text-base: 0x80008124, data-base: 0x80A94064
    ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
    Xxxxxxxxx uptime is 13 weeks, 6 days, 5 minutes
    System returned to ROM by reload
    System image file is "flash:c1700-sy-mz.122-11.T6.bin"
    cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
    Processor board ID FOC0707142M (1927840357), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    WIC T1-DSU
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Location 4
    Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 06-Nov-06 02:36 by alnguyen
    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    xxxxxxxxxx uptime is 40 weeks, 5 days, 6 hours, 22 minutes
    System returned to ROM by reload at 13:34:01 UTC Thu Dec 27 2012
    System image file is "flash:c2800nm-advsecurityk9-mz.124-3g.bin"
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to [email protected].
    Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
    Processor board ID FTX1051A01V
    2 FastEthernet interfaces
    2 Serial interfaces
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)
    Configuration register is 0x2102

  • Cannot console into a 3005 VPN Concentrator

    Hi all,
    I recently acquired a 3005 that was supposed to be working.  And in all fairness, it seems to be.  The status light is yellow while it boots and a few seconds after turning it on, it goes to solid green.
    I have tried everything I can to console into this unit.  I used TeraTerm with a USB to serial adapter and a straight through serial cable with the settings suggested in the manual and I get nothing.  Is there something I could be doing wrong?  Is there any other way I could try to test this unit?  Is there anything else you guys can think of to try?
    Any help is much appreciated.  This has frustrated me to no end.  I have tried multiple computers, multiple cables, multiple COM ports.  I'm fairly positive I'm doing something wrong, but I have no idea what.
    Here are my terminal session settings:
    BR:     9600
    Data:   8 Bit
    Parity: None
    Stop:   1 Bit
    Flow Control:  Hardware
    This is per the manual.
    Thanks,
    Brandon

    Finally got it!  Ended up just making a straight through cable.  The cables that I thought were straight through were not.  Made one with two RJ45 to DB9 adapters pinned out to standard serial on each end of a cat 5. 
    Brandon

  • 3005 VPN Client Time-Outs

    My Cisco 3005 VPN Concentrator keeps timing out for some connections. When I look through the logs the only thing I see is:
    626 07/03/2002 00:06:30.890 SEV=5 IP/50 RPT=192
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    627 07/03/2002 00:11:31.260 SEV=5 IP/50 RPT=193
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    628 07/03/2002 00:16:31.720 SEV=5 IP/50 RPT=194
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    629 07/03/2002 00:21:32.030 SEV=5 IP/50 RPT=195
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    630 07/03/2002 00:26:32.420 SEV=5 IP/50 RPT=196
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    631 07/03/2002 00:31:32.810 SEV=5 IP/50 RPT=197
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    632 07/03/2002 00:36:33.200 SEV=5 IP/50 RPT=198
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    633 07/03/2002 00:41:33.610 SEV=5 IP/50 RPT=199
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    634 07/03/2002 00:46:33.970 SEV=5 IP/50 RPT=200
    Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
    Any Ideas???? I have hardcoded the speed and duplex on the WAN interface
    Thanks

    Hi,
    I think we need to turn on some additional logs to figure out the issue here, Some of the things to check on:
    Does it happen with all ISP connections using the same client machine?
    Is the timing consistent with the disconnects?
    Did you try with both Split tunneling enabled and disabled?
    Hope this helps,
    Regards,
    Aamir Waheed,
    Cisco Systems, Inc.
    -=-=-
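
For the question raised in the reply above (whether the timing is consistent), this added example, which is not part of either post, parses event-log lines in the format shown and measures the gap between repeated events from the same client. The sample is the first four events from the excerpt; the function names are illustrative and the MM/DD/YYYY date order is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# First four events copied from the log excerpt in the post above.
SAMPLE = """\
626 07/03/2002 00:06:30.890 SEV=5 IP/50 RPT=192
Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
627 07/03/2002 00:11:31.260 SEV=5 IP/50 RPT=193
Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
628 07/03/2002 00:16:31.720 SEV=5 IP/50 RPT=194
Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
629 07/03/2002 00:21:32.030 SEV=5 IP/50 RPT=195
Headend received TCP ACK pkt from client 68.38.72.43, TCP source port 1195
"""

# Header line: sequence, date, time, severity, event class/number, repeat count.
HEADER = re.compile(
    r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+SEV=(\d+)\s+(\S+)\s+RPT=(\d+)\s*$"
)
CLIENT = re.compile(r"from client (\d+(?:\.\d+){3}), TCP source port (\d+)")


def parse_events(text):
    """Pair each header line with the message line(s) that follow it."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            seq, date, time, sev, cls, rpt = m.groups()
            events.append({
                "seq": int(seq),
                # Assumption: dates are MM/DD/YYYY; gaps within one day are
                # the same whichever order the device uses.
                "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S.%f"),
                "sev": int(sev), "cls": cls, "rpt": int(rpt), "msg": "",
            })
        elif events and line.strip():
            events[-1]["msg"] = (events[-1]["msg"] + " " + line.strip()).strip()
    return events


def intervals_by_client(events):
    """Seconds between consecutive events, keyed by (class, client IP, port)."""
    stamps = defaultdict(list)
    for ev in events:
        m = CLIENT.search(ev["msg"])
        if m:
            stamps[(ev["cls"], m.group(1), int(m.group(2)))].append(ev["when"])
    return {
        key: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        for key, ts in stamps.items()
    }


def is_periodic(deltas, tolerance=2.0):
    """True when at least two gaps exist and they differ by <= tolerance seconds."""
    return len(deltas) >= 2 and max(deltas) - min(deltas) <= tolerance


if __name__ == "__main__":
    for key, deltas in intervals_by_client(parse_events(SAMPLE)).items():
        label = "periodic" if is_periodic(deltas) else "irregular"
        print(key, [round(d, 2) for d in deltas], label)
```

Comparing these gaps with the times at which users report being disconnected shows whether the two line up.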

  • AAA VPN Concentrator 3005

    Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working on the ACS logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?

    Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
    Cheers
    Brian

  • VPN concentrator and webVPN

    Hi,
    Trying to set up a VPNc 3005 for WebVPN. The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and SecureDesktop software onto the VPNc. Created a local account and group. When I go to https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good. When I go to http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screenshot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end-of-sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users that belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller.

  • IP Address Assignment on VPN Concentrator through AD

    Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
    I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.

    Sorry for the thread title it should be : "reserver" not reverse.
    I have been advised to read the "admin guide"
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
    under the heading below
    Assign a Specific IP Address to a User
    In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
    My question: I am using a production box (to avoid screwing up the whole system), does it affect anything if I want to create a specific group and assign a specific IP address to a user?
    On my PIX (the VPN is running parallel to the PIX, i.e. it is not behind nor in front of the PIX), I have these lines of configuration which are related to the VPN concentrator:
    nat (inside) 1 10.2.2.0 255.255.255.0 0 0,,,,,,,,ip for VPN pool as seen in figure
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0,,,,,,,,,not related to VPN
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0,,,,,,,,,not related to VPN
    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156
    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1,,,,,,,,,,,,,192.168.55.254, is the VPN Ethernet 1 ip address.
    http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
    What I am thinking to do, are below (please any comment) :
    1- I want to modify the current group (see my VPN figure ) to be from range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    2- Create another group called : " mobile_users "
    3- Create a user called : " commuter "
    4- Assign the user " commuter " to the group " mobile_user "
    5- Assign IP address 10.2.2.2 to the user " commuter "
    6- In the Cisco site that I have posted, it says: tick option for " User address from Authentication Server ",,,,I do not think this will apply to me ?
    again since I am using production box, I have to assure that the modification above does not screw up the whole system

  • Cisco works LMS 3.0.1 cannot archive configuration for cisco 3000 series vpn concentrator

    Hi All,
    Our problem is that our Cisco Works LMS 3.0.1 cannot archive the configuration for the Cisco 3000 series VPN concentrator.
    Any help would be greatly appreciated.
    Thanks in advance.
    Samir

    Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices.  RME will only use HTTPS to fetch VPN concentrator configurations.

  • ACS with VPN Concentrator : IP address attribution

    Hello,
    I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
    Thanks !
    Patrice

    Yes, it can be done and works very well. Under the RADIUS attributes, use the:
    [014] Login-IP-Host
    NAS Specifies
    User Specifies
    Other
    Check Other and then add the IP address that you want to assign.

  • LDAP ON VPN CONCENTRATOR

    I have a VPN 3015. I want my VPN users to be authenticated and authorized to the VPN 3015 through my Active Directory (LDAP).
    For the Authentication server, I use Kerberos/Active Directory Server and it works when I test it.
    But for the Authorization Server, I use an LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when I test it, it doesn't work. Why?
    Thanks

    The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html

  • Routing loop when tracing to remote ip address on vpn concentrator

    When I try and ping a remote address on my VPN 3000 concentrator I get TTL exceeded. When I try and tracert from my workstation to the remote address on my VPN 3000 I see a loop.
    Tracing route to x.3.17.145
    over a maximum of 30 hops:
     1    29 ms    31 ms    28 ms  172.4.0.20
     2    32 ms    30 ms    29 ms  172.4.0.25
     3    38 ms    29 ms    31 ms  172.3.0.21
     4    33 ms    30 ms    32 ms  172.4.0.25
     5    32 ms    49 ms    27 ms  172.3.0.21
     6    35 ms    30 ms    38 ms  172.4.0.25
     7    31 ms    28 ms    28 ms  172.3.0.21
     8    28 ms    28 ms    42 ms  172.4.0.25
     9    38 ms    27 ms    32 ms  172.3.0.21
    10    35 ms    28 ms    36 ms  172.4.0.25
    11    35 ms    27 ms    28 ms  172.3.0.21
    12    30 ms    28 ms    28 ms  172.4.0.25
    13    39 ms    30 ms    43 ms  172.3.0.21
    14    48 ms    28 ms    29 ms  172.4.0.25
    15    36 ms    28 ms    34 ms  172.3.0.21
    16    39 ms    39 ms    56 ms  172.4.0.25
    17    42 ms    38 ms    47 ms  172.3.0.21
    18    35 ms    39 ms    41 ms  172.4.0.25
    19    49 ms    32 ms    29 ms  172.3.0.21
    20    32 ms    28 ms    29 ms  172.4.0.25
    21    28 ms    43 ms    30 ms  172.3.0.21
    22    37 ms    32 ms    34 ms  172.4.0.25
    23    29 ms    31 ms    32 ms  172.3.0.21
    24    29 ms    33 ms    31 ms  172.4.0.25
    25    32 ms    41 ms    43 ms  172.3.0.21
    26    43 ms    29 ms    39 ms  172.4.0.25
    27    47 ms    33 ms    31 ms  172.3.0.21
    28    37 ms    29 ms    35 ms  172.4.0.25
    29    44 ms    30 ms    91 ms  172.3.0.21
    30    31 ms    41 ms    50 ms  172.4.0.25
    172.3.0.21 is my private interface on the vpn 3000.
    172.4.0.20 is my public interface on the vpn 3000.
    172.4.0.25 is the default gateway / router interface on my router.
    interface GigabitEthernet1/1/0.1
     description connected to LAN
     encapsulation dot1Q 1 native
     ip address 10.3.0.25 255.255.255.0
    interface GigabitEthernet0/0.4
     description vpn 3000 concentratorconnection
     encapsulation dot1Q 4
     ip address 10.4.0.25 255.255.255.0
    172.3.0.21 has no default gateway on the VPN concentrator.
    172.3.0.21 has a default gateway 172.4.0.25 on the VPN concentrator.

    Hi John
    could you clarify where you are pinging from and where you are pinging to please?
    From the LAN to a destination across a VPN tunnel?
    Or from a source across the VPN tunnel to a host on the concentrator's LAN?
    Or from a source across the VPN tunnel to a host on the Internet?
    I suppose your last line has a typo, it should be
    172.4.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.
    right?
    Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
    tnx
    Herbert
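
The tracert output in this thread alternates between two addresses from hop 2 onward. This added example, which is not part of the thread, parses Windows tracert output and reports such a repeating hop cycle. The sample is the first eight hops from the post, the role labels are the poster's own descriptions, and the function names are illustrative.

```python
import re

# First eight hops copied from the tracert output in the post above.
SAMPLE = """\
Tracing route to x.3.17.145
over a maximum of 30 hops:
  1    29 ms    31 ms    28 ms  172.4.0.20
  2    32 ms    30 ms    29 ms  172.4.0.25
  3    38 ms    29 ms    31 ms  172.3.0.21
  4    33 ms    30 ms    32 ms  172.4.0.25
  5    32 ms    49 ms    27 ms  172.3.0.21
  6    35 ms    30 ms    38 ms  172.4.0.25
  7    31 ms    28 ms    28 ms  172.3.0.21
  8    28 ms    28 ms    42 ms  172.4.0.25
"""

# Roles as the poster describes them.
ROLES = {
    "172.3.0.21": "VPN 3000 private interface",
    "172.4.0.20": "VPN 3000 public interface",
    "172.4.0.25": "router / default gateway",
}

# Hop number, three RTT columns ("29 ms", "<1 ms" or "*"), then the rest.
HOP = re.compile(r"^\s*(\d+)((?:\s+(?:<?\d+\s*ms|\*)){3})\s+(.*)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_tracert(text):
    """Return [(ttl, address or None)]; timed-out hops have address None."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            ip = IPV4.search(m.group(3))
            hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops


def find_loop(hops, min_cycles=2):
    """Find the first repeated address and check that the rest of the path
    keeps repeating the same cycle. Timed-out hops are skipped."""
    path = [(ttl, addr) for ttl, addr in hops if addr is not None]
    seen = {}
    for i, (_, addr) in enumerate(path):
        if addr in seen:
            j = seen[addr]
            cycle = [a for _, a in path[j:i]]
            tail = [a for _, a in path[j:]]
            cycles = len(tail) // len(cycle)
            repeats = all(a == cycle[k % len(cycle)] for k, a in enumerate(tail))
            if repeats and cycles >= min_cycles:
                return {"first_ttl": path[j][0], "cycle": cycle, "cycles": cycles}
            return None
        seen[addr] = i
    return None


if __name__ == "__main__":
    loop = find_loop(parse_tracert(SAMPLE))
    if loop:
        names = [f"{a} ({ROLES.get(a, 'unknown')})" for a in loop["cycle"]]
        print(f"loop from hop {loop['first_ttl']}: " + " -> ".join(names))
```

The two addresses in the reported cycle are the devices whose routes for the destination point at each other, which is where to compare static routes and default gateways.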
