Route-based VPN?
Hi all,
Is there any Cisco gear supporting route-based VPN (not GRE over IPsec)?
Same problem here. It just works on Snow Leopard. Now I have to use a Windows virtual machine to connect to a Linux-based PPTP VPN. It is a shame.
I noticed that I can ping and SSH to the VPN server machine. In my case, the local IP address of that machine is 192.168.41.6. I can ping it and SSH to it.
MacBook-de-Daniel:~ daniel$ ping -c 4 192.168.41.6
PING 192.168.41.6 (192.168.41.6): 56 data bytes
64 bytes from 192.168.41.6: icmp_seq=0 ttl=64 time=262.643 ms
64 bytes from 192.168.41.6: icmp_seq=1 ttl=64 time=320.283 ms
64 bytes from 192.168.41.6: icmp_seq=2 ttl=64 time=258.763 ms
64 bytes from 192.168.41.6: icmp_seq=3 ttl=64 time=271.596 ms
--- 192.168.41.6 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 258.763/278.321/320.283/24.670 ms
However, I am not able to ping or SSH or do anything to any IP address in the 192.168.41.0 network (that is the network I am connecting to through VPN). This works perfectly on Snow Leopard. For example:
MacBook-de-Daniel:~ daniel$ ping -c 4 192.168.41.20
PING 192.168.41.20 (192.168.41.20): 56 data bytes
Request timeout for icmp_seq 0
36 bytes from 190.223.188.1: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 f68e 0 0000 3d 01 ea46 172.16.7.7 192.168.41.20
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
--- 192.168.41.20 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
I don't know how to solve this situation in Lion. It is upsetting. Please Apple, solve it. Or tell us how to solve it. Thanks.
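As an added example (not part of Daniel's post or of any Apple tool): the "Communication prohibited by filter" line in the ping output above is an ICMP error, and macOS ping prints the IP header of the rejected probe right after it, one field per column. The Python below parses that output and decodes the quoted header. It shows that the probe was handled and dropped by a public router (190.223.188.1), not by anything on 192.168.41.0/24, with source 172.16.7.7 and TTL 61 at the point of rejection. The sample input is copied from the post; the hop estimate assumes the Mac sent the probe with TTL 64.

```python
import ipaddress
import re

# Sample input: the `ping -c 4 192.168.41.20` output quoted in the post above.
PING_OUTPUT = """\
PING 192.168.41.20 (192.168.41.20): 56 data bytes
Request timeout for icmp_seq 0
36 bytes from 190.223.188.1: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 f68e 0 0000 3d 01 ea46 172.16.7.7 192.168.41.20
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
--- 192.168.41.20 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
"""

# "36 bytes from <router>: <ICMP error text>"
ERROR_RE = re.compile(r"^\d+ bytes from (\S+): (.+)$")
# The quoted IP header that ping prints two lines later, one field per column:
# Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
HEADER_RE = re.compile(
    r"^\s*(\d)\s+(\d)\s+([0-9a-f]{2})\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s+(\d)\s+"
    r"([0-9a-f]{4})\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)
INITIAL_TTL = 64  # assumption: macOS sends echo requests with TTL 64


def decode_ping_errors(text, target_subnet="192.168.41.0/24"):
    """Decode each ICMP error in ping output, including the quoted header of the rejected probe."""
    subnet = ipaddress.ip_network(target_subnet)
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = ERROR_RE.match(line)
        if not m or m.group(2).startswith("icmp_seq"):
            continue  # normal echo replies also start with "N bytes from"
        router, reason = m.groups()
        hdr = HEADER_RE.match(lines[i + 2]) if i + 2 < len(lines) else None
        finding = {
            "router": router,
            "reason": reason,
            # The router that sent the error is the hop that actually handled the probe.
            "router_on_target_subnet": ipaddress.ip_address(router) in subnet,
        }
        if hdr:
            ver, ihl, _tos, length, _ident, _flags, _frag, ttl, proto, _cksum, src, dst = hdr.groups()
            # ping prints Len as the raw 16-bit word; byte-swapped, 0x5400 is 0x0054 = 84 bytes:
            # 20-byte IP header + 8-byte ICMP header + the 56 data bytes of the probe.
            raw_len = int(length, 16)
            ttl_left = int(ttl, 16)
            finding.update({
                "version": int(ver),
                "header_bytes": int(ihl) * 4,
                "total_length": ((raw_len & 0xFF) << 8) | (raw_len >> 8),
                "ttl": ttl_left,
                "hops_before_reject": INITIAL_TTL - ttl_left,
                "protocol": "ICMP" if int(proto, 16) == 1 else int(proto, 16),
                "src": src,
                "dst": dst,
                "src_on_target_subnet": ipaddress.ip_address(src) in subnet,
                "dst_on_target_subnet": ipaddress.ip_address(dst) in subnet,
            })
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in decode_ping_errors(PING_OUTPUT):
        for k, v in f.items():
            print(f"{k:>24}: {v}")
```

The decoded source and the responding router are the two facts worth reading off: whichever side forwarded the probe, it ended up at a public router that filters traffic to 192.168.41.20, so the destination LAN never saw it.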
Similar Messages
-
Hi Guys,
I came across this command, but have problem understanding what it does or how to use it:
Router(config-router-af)# import path selection {all | bestpath [strict] | multipath [strict]}
It falls under the "BGP Event-Based VPN Import" section:
http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/iproute_bgp/configuration/guide/2_xe/irg_xe_book/irg_event_vpn_import_xe.html#wp1059052
Does anyone know what this does or how this works?
Hi,
It specifies the BGP import path selection policy for a specific VRF instance.
You might be aware of VRF-Lite; that is VPNs without MPLS.
BGP Event-Based VPN Import
The BGP Event-Based VPN Import feature introduces a modification to the existing BGP path import process. BGP Virtual Private Network (VPN) import provides importing functionality for BGP paths where BGP paths are imported from the BGP VPN table into a BGP virtual routing and forwarding (VRF) topology. In the existing path import process, when path updates occur, the import updates are processed during the next scan time, which is a configurable interval of 5 to 15 seconds. The scan time adds a delay in the propagation of routes. The enhanced BGP path import is driven by events; when a BGP path changes, all of its imported copies are updated as soon as processing is available.
When you use the BGP Event-Based VPN Import feature, convergence times are significantly reduced because provider edge (PE) routers can propagate VPN paths to customer edge (CE) routers without the scan time delay. Configuration changes such as adding imported route targets (RT) to a VRF are not processed immediately, and are still handled during the 60-second periodic scanner pass.
Import Path Selection Policy
Event-based VPN import introduces three path selection policies:
•All—Import all available paths from the exporting net that match any route target (RT) associated with the importing VRF instance.
•Best path—Import the best available path that matches the RT of the VRF instance. If the best path in the exporting net does not match the RT of the VRF instance, a best available path that matches the RT of the VRF instance is imported.
•Multipath—Import the best path and all paths marked as multipaths that match the RT of the VRF instance. If there are no best path or multipath matches, then the best available path is selected.
- Ashok
Please rate the useful post or mark as correct answer as it will help others looking for similar information -
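To make the three policies in the Cisco text concrete, here is an added simulation (not Cisco code, not from Ashok's answer) of `import path selection {all | bestpath | multipath}` applied to one exporting net. The net, its route targets, best/multipath flags and LOCAL_PREF values are constructed sample data, the "best available path" tiebreak is a simplification of BGP best-path selection, and the `strict` keyword is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One path in the exporting BGP net (constructed sample data, not taken from a router)."""
    next_hop: str
    route_targets: frozenset
    best: bool = False       # the net's best path
    multipath: bool = False  # marked as a multipath (ECMP) candidate
    local_pref: int = 100


def _best_available(paths):
    # Simulation tiebreak for "best available path": highest LOCAL_PREF, then lowest next hop.
    return sorted(paths, key=lambda p: (-p.local_pref, p.next_hop))[0]


def select_import_paths(net_paths, import_rts, policy):
    """Return the paths a VRF imports from one exporting net under an import path selection policy.

    policy is "all", "bestpath" or "multipath", as in
    `import path selection {all | bestpath | multipath}` (the `strict` keyword is not modelled).
    """
    import_rts = frozenset(import_rts)
    matching = [p for p in net_paths if p.route_targets & import_rts]
    if not matching:
        return []  # nothing in this net carries an RT the VRF imports
    if policy == "all":
        return matching
    if policy == "bestpath":
        best = [p for p in matching if p.best]
        # Net best path lacks a matching RT: import the best available matching path instead.
        return best if best else [_best_available(matching)]
    if policy == "multipath":
        chosen = [p for p in matching if p.best or p.multipath]
        # No best/multipath entry matches: fall back to the best available matching path.
        return chosen if chosen else [_best_available(matching)]
    raise ValueError(f"unknown policy {policy!r}")


def next_hops(paths):
    return [p.next_hop for p in paths]


# Constructed exporting net: four paths to the same prefix carrying different RTs.
NET = [
    Path("10.0.0.1", frozenset({"65000:100"}), best=True),
    Path("10.0.0.2", frozenset({"65000:200"}), multipath=True),
    Path("10.0.0.3", frozenset({"65000:200"}), local_pref=90),
    Path("10.0.0.4", frozenset({"65000:300"})),
]

if __name__ == "__main__":
    for rts in ({"65000:100"}, {"65000:200"}, {"65000:300"}):
        for policy in ("all", "bestpath", "multipath"):
            hops = next_hops(select_import_paths(NET, rts, policy))
            print(f"import RT {sorted(rts)} policy {policy:9}: {hops}")
```

The case worth noticing is a VRF importing 65000:200: the net's best path (10.0.0.1) carries a different RT, so `bestpath` falls back to the best available matching path rather than importing nothing.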
Web based VPN issue wheras anyconnect and VPN client working fine
Experts,
We have a Cisco ASA 5540 and I'm running into issues with accessing the web-based VPN (https://X.X.x.x). There are about 8 VPN profiles configured and I'm unable to log in using any of the profiles, whereas the VPN Client and Cisco AnyConnect are working fine. On accessing the web-based VPN, after providing the login credentials and hitting Enter, the page gets refreshed and throws me back to the same login page again. This is the production ASA and I cannot run debug.
Kindly, provide me your valuable inputs.
Thank you!
Your problem is the NAT config. First, the following line is not needed, as RDP doesn't work over UDP:
ip nat inside source static udp 192.168.10.136 3389 interface Dialer0 3389
Then, the following command causes the problems:
ip nat inside source static tcp 192.168.10.136 3389 interface Dialer0 3389
With that, the router assumes that the server 192.168.10.136 should always be reached through the IP of Dialer0 and does a translation.
There are a couple of ways to resolve the problem, but they all have some drawbacks ...
1) Only access the server through the VPN. For that you just delete the NAT statement above (the one with tcp) and you should be able to reach the server through the VPN.
2) Restrict the NAT so that it does not translate when a VPN peer is accessing the server.
For that you need to attach a route-map to the NAT statement. But that won't work with the "interface" keyword in the NAT statement; you can use this if you get a fixed IP from your provider.
3) Assign a second IP to the RDP server. The original IP, which is used in the NAT statement, is used for accessing the server without the VPN; the second IP is used for accessing the server through the VPN.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Select Switch Executive Route based on Socket Index
Hi,
I have a sequence set up in TestStand which simultaneously tests up to 4 UUTs. In order to run a current measurement, I need to be able to switch each device through the DMM. I have the routes properly configured in Switch Executive, and everything runs fine when I switch manually using the Test Panel feature. What I need to do now, though, is choose which device is routed to the DMM based on its test socket number.
So, for the "Measure Current" test step on "Test Socket 0", I go to the Properties>Switching window and just select "Connect_UUT0" route group. This works fine for a single test socket, but how can I dynamically switch route when I have more than one UUT?
I'm aware of the "RunState.TestSockets.MyIndex" variable, but I can't seem to select a route based on this, i.e. in "Routes to Connect" I typed "Str(Connect_UUT)+Str(RunState.TestSockets.MyIndex)" after I read a similar solution on this forum, but I just get an error.
I'd really appreciate some help on this,
Thanks,
Kevin
Solved!
Go to Solution.
Hey Kevin,
You shouldn't need to do Str(Connect_UUT). You're likely getting the error because it's trying to interpret Connect_UUT as a variable instead of a string. Try this instead:
"Connect_UUT"+Str(RunState.TestSockets.MyIndex)
I think that will work, but let us know if you run into any more trouble!
Daniel E.
TestStand Product Support Engineer
National Instruments -
Router based activity and method call issue
Hi All
I am presently working on a router-based task flow (bounded task flow) and page fragments.
In the above router-based task flow I have used a method call.
In the above method call I return a status, and on the basis of that status I redirect to a success page or an error page (the success and error pages are page fragments, i.e. .jsff pages).
I have done the drag and drop of the above-mentioned router-based task flow into my jspx page in a facet as a region.
Below is the code for my jspx page:
<af:region value="#{bindings.testtaskflowvalidations.regionModel}"
id="r1"/>
But my problem is that the method call which I included in the above router-based task flow is not called (the method call is not happening).
So what changes do I need to make so that the method is called?
Currently I am using JDeveloper 11.1.1.4.0.
Thanks and Regards
Bipin Patil.
Edited by: Bipin Patil on Jun 29, 2011 1:59 AM
Hi
I am not getting any kind of server error.
Below is my router code:
<?xml version="1.0" encoding="windows-1252" ?>
<adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
<task-flow-definition id="ValidationTaskFlow">
<default-activity id="__1">ValidationTask</default-activity>
<managed-bean id="__25">
<managed-bean-name id="__24">validationBean</managed-bean-name>
<managed-bean-class id="__27">com.test.Validate</managed-bean-class>
<managed-bean-scope id="__26">pageFlow</managed-bean-scope>
</managed-bean>
<router id="ValidationTask">
<case>
<expression>#{pageFlowScope.Validationstatus == 'true'}</expression>
<outcome id="__2">success</outcome>
</case>
<case>
<expression>#{pageFlowScope.Validationstatus == 'false'}</expression>
<outcome id="__3">fail</outcome>
</case>
<default-outcome>fail</default-outcome>
</router>
<view id="validationsuccess">
<page>/pages/main.jsff</page>
</view>
<view id="validationerror">
<page>/pages/hashkeyvalidationerror.jsff</page>
</view>
<method-call id="ValidationStatusSupplier">
<method>#{pageFlowScope.validationBean.onBeforePhase}</method>
<outcome id="__9">
<fixed-outcome>ValidateFlow</fixed-outcome>
</outcome>
</method-call>
<control-flow-rule id="__10">
<from-activity-id id="__11">ValidationTask</from-activity-id>
<control-flow-case id="__12">
<from-outcome id="__14">success</from-outcome>
<to-activity-id id="__13">validationsuccess</to-activity-id>
</control-flow-case>
<control-flow-case id="__16">
<from-outcome id="__15">fail</from-outcome>
<to-activity-id id="__17">validationerror</to-activity-id>
</control-flow-case>
</control-flow-rule>
<control-flow-rule id="__19">
<from-activity-id id="__20">ValidationStatusSupplier</from-activity-id>
<control-flow-case id="__23">
<from-outcome id="__21">ValidateFlow</from-outcome>
<to-activity-id id="__22">ValidationTask</to-activity-id>
</control-flow-case>
</control-flow-rule>
<use-page-fragments/>
<visibility id="__18">
<url-invoke-allowed/>
</visibility>
</task-flow-definition>
</adfc-config>
-
We have a pair of 5520 firewalls with a traditional setup of AAA VPN authentication on the backend. We are looking to do some proof of concepts with a certificate-based VPN and the AnyConnect client on startup.
To set this up, I have my existing VPN profile that has AAA authentication and created a new VPN profile for certificate-based authentication. I also have the ASA set up so the user is allowed to choose which profile they want to connect to.
However, once I create my certificate-based VPN profile, any client that doesn't have a certificate fails to connect because they don't have a valid certificate, without having the option to choose the AAA-only profile. If a machine does have a certificate, they then get the option to choose the AAA or certificate-based profile.
Is there any way to set up the ASA to accept clients without a certificate to use the AAA authentication while still having the certificate-based profile enabled for doing a proof of concept?
Thanks
Hi CrankyMonkey,
The 9.4 image includes new features for SSL/TLS that might be impacting your certificate authentication.
"Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
As a workaround you can try the following cipher configuration and check if it works.
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA"
Reference link
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
Rate if helps.
-Randy -
I've got a UCS chassis connected to two 7Ks in vPC mode. Can I use route based on IP hash as the VMware load balancing policy, or does it have to be route based on virtual port ID?
Yes, sorry, I mean the UCS chassis to FI and FI to 7K.
FI connected via vPC. Can I use IP hash load balancing?
-
I've been told that my iPod Touch (2nd Gen, iOS 3.x) can use only PPTP-based VPN. In other words, it can not use SSL-based VPN.
On the VPN configuration screen I see tabs for L2TP and IPSec as well as PPTP.
Can either L2TP or IPSec be used for SSL-based VPNs?
Thank you.
- nello
Unfortunately not, at least not that I have used. The closest I can get to free that I can vouch for is Remote HD, which I use on my iPad, but that works on iPod as well. It is 5 bucks and, while not a full-featured VNC, works pretty well for running a computer remotely. Sorry I couldn't help more; maybe someone else has more experience.
-
RV042 inserting bogus route on VPN gateway
I cannot determine where the destination route 10.50.0.0/24 to 10.40.0.1 on the LAN interface (ixp0) is coming from. There were some static routes to VPN networks which were not necessary; I deleted them. After I deleted the static routes the routing table looked good and I was able to ping all VPN LAN gateways. I thought I had it made, then tried to access a printer in the 10.50.0.0/24 network from the 10.40.0.0/24 network and could not connect. I returned to the router and saw that the route 10.50.0.0/24 to 10.40.0.1 had been injected. I don't have a clue where it came from.
Anyone have this issue?
Destination      Netmask          Gateway            Metric  Interface
xxx.16.200.72    255.255.255.252  xxx.16.200.74      0       ixp2
xxx.16.200.72    255.255.255.252  -                  40      ixp2
xxx.16.200.72    255.255.255.252  -                  45      ipsec1
xxx.172.122.192  255.255.255.224  xxx.172.122.210    0       ixp1
xxx.172.122.192  255.255.255.224  -                  40      ixp1
xxx.172.122.192  255.255.255.224  -                  45      ipsec0
10.70.0.0        255.255.255.0    xxx.172.122.193    10      ipsec0
10.50.0.0        255.255.255.0    10.40.0.1          2       ixp0
10.50.0.0        255.255.255.0    xxx.16.200.73      10      ipsec1
10.60.0.0        255.255.255.0    xxx.172.122.193    10      ipsec0
10.40.0.0        255.255.255.0    10.40.0.2          0       ixp0
10.40.0.0        255.255.255.0    -                  50      ixp0
default          0.0.0.0          xxx.172.122.193    15      ixp1
default          0.0.0.0          xxx.16.200.73      40      ixp2
default          0.0.0.0          xxx.172.122.193    40      ixp1
Problem resolved.
Apparently the router does not do a good job of cleaning up the routing table when changes are made.
A reboot of the router cleaned up the routes and I was able to ping all VPN LAN gateways.
-
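An added example (not from the poster or from Cisco) that replays route selection over the table in the post, to show why the printer was unreachable while the stale entry was present: both 10.50.0.0/24 entries have the same prefix length, and the LAN-side one wins on metric (2 versus 10), so traffic for the printer goes out ixp0 instead of into the ipsec1 tunnel. The WAN-subnet rows are omitted because the post masks their first octet; the masked gateway strings are kept only as labels. The selection rule (longest prefix, then lowest metric) is the usual Linux behaviour and is assumed to be what the RV042 does.

```python
import ipaddress

# Constructed from the RV042 routing table in the post: the private-network and default rows.
# The WAN-subnet rows are left out because the post masks their first octet ("xxx."); the
# masked gateway strings are kept as labels only, since the lookup never needs to parse them.
ROUTES = [
    # (destination, netmask, gateway or None if directly connected, metric, interface)
    ("10.70.0.0", "255.255.255.0", "xxx.172.122.193", 10, "ipsec0"),
    ("10.50.0.0", "255.255.255.0", "10.40.0.1", 2, "ixp0"),        # the unexplained LAN-side route
    ("10.50.0.0", "255.255.255.0", "xxx.16.200.73", 10, "ipsec1"),  # the tunnel route
    ("10.60.0.0", "255.255.255.0", "xxx.172.122.193", 10, "ipsec0"),
    ("10.40.0.0", "255.255.255.0", "10.40.0.2", 0, "ixp0"),
    ("10.40.0.0", "255.255.255.0", None, 50, "ixp0"),
    ("0.0.0.0", "0.0.0.0", "xxx.172.122.193", 15, "ixp1"),
    ("0.0.0.0", "0.0.0.0", "xxx.16.200.73", 40, "ixp2"),
    ("0.0.0.0", "0.0.0.0", "xxx.172.122.193", 40, "ixp1"),
]


def lookup(dst, routes=ROUTES):
    """Pick the route for dst: longest prefix first, lowest metric among equal prefixes
    (assumed to be the selection rule of the RV042's routing table, as on Linux)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, metric, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, {"network": str(net), "gateway": gw, "metric": metric, "interface": iface})
    return best[1] if best else None


def without(routes, dest, gateway):
    """Routing table with one (destination, gateway) entry removed, e.g. after the stale route is cleared."""
    return [r for r in routes if not (r[0] == dest and r[2] == gateway)]


if __name__ == "__main__":
    for dst in ("10.50.0.20", "10.40.0.9", "10.60.0.3", "8.8.8.8"):
        print(f"{dst:>12} -> {lookup(dst)}")
    cleaned = without(ROUTES, "10.50.0.0", "10.40.0.1")
    print("after removing 10.50.0.0 via 10.40.0.1:", lookup("10.50.0.20", cleaned))
```

Running it before and after `without(...)` reproduces what the reboot did: once the metric-2 entry is gone, 10.50.0.20 resolves to the ipsec1 route again.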
ASA does not propagate routes to VPN users
Good afternoon
I'm having an issue regarding the propagation of routes to VPN users that authenticate through the ASA tunnel-group.
I have a VPN-Users-Pool from which my users receive their IP address, and after authentication, once the tunnel is established, the idea is for the user to get to the following networks defined in the following ACL:
access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0
Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not supposed to be sent). The user does not receive the routes specified in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from which he is receiving the IP is a class A network).
The network routing is working as expected (when I add the static routes directly to the user's PC, everything works OK). It's just the issue of the ASA not propagating the routes as it should.
Here are my split tunneling settings:
group-policy DefaultRAGroup attributes
vpn-idle-timeout 1
vpn-tunnel-protocol l2tp-ipsec
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Inside
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Inside
Any ideas?
I appreciate your help
Best regards
ajaychauhan
Thank you for your reply. I'm sending the config below (I've cleared all confidential info such as IPs, passwords, timeout values, etc., but I think what you have below is enough to get a clear picture):
ASA Version 8.2(1)
hostname asa-xxxx
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 197.X.XX.XX 255.255.255.248
interface GigabitEthernet0/1
nameif vpncorp
security-level 50
ip address 10.X.XX.XX 255.255.255.248
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
duplex full
nameif mgmt
security-level 100
ip address 10.x.xx.xx 255.255.255.240
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name zz.df.es
access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 14000
logging buffered debugging
logging asdm debugging
logging facility 21
logging host mgmt 10.xx.x.x
logging class auth trap informational
logging class config trap informational
logging class ha trap informational
logging class sys trap informational
logging class vpdn trap informational
logging class vpn trap informational
mtu outside 1500
mtu vpncorp 1500
mtu mgmt 1500
ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server mgmtt protocol radius
aaa-server mgmtt (mgmt) host 10.xx.x.xx
timeout xxx
key xxxxxxxxxx
authentication-port xxx
accounting-port xxxx
aaa-server mgmtt (mgmt) host 10.xx.xx.xx
timeout xxx
key xxxxxx
authentication-port xxxx
accounting-port xxxx
aaa-server Users protocol radius
accounting-mode simultaneous
interim-accounting-update
aaa-server Users (mgmt) host 10.xx.xx.xx
key xxxxx
authentication-port xxxx
accounting-port xxxx
aaa-server Users-2 protocol radius
accounting-mode simultaneous
interim-accounting-update
aaa-server users-2 (mgmt) host 10.xx.xx.xxx
key xxxx
authentication-port xxx
accounting-port xxxx
aaa authentication ...
aaa authentication ...
aaa authentication ...
aaa authorization ...
aaa accounting ...
aaa accounting ...
aaa accounting ...
snmp-server ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec security-association lifetime seconds xxx
crypto ipsec security-association lifetime kilobytes xxx
crypto dynamic-map vpn-ra-dyn_map 10 set ...
crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy ...
authentication pre-share
encryption xxx
hash xxx
group x
lifetime xxx
crypto isakmp policy xxx
authentication pre-share
encryption xxx
hash xxx
group x
lifetime xxx
telnet timeout xxx
ssh 10.x.x.x 255.255.255.255 mgmt
ssh timeout x
ssh version x
console timeout x
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-idle-timeout 1
vpn-tunnel-protocol l2tp-ipsec
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Inside
default-domain value xx.xx.es
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-idle-timeout 1
split-tunnel-policy tunnelspecified
username ...
username ...
username ...
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) Users
accounting-server-group users
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxx
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group asa type remote-access
tunnel-group asa general-attributes
address-pool VPN-user-pool
authentication-server-group (outside) test
accounting-server-group test
tunnel-group asa ipsec-attributes
pre-shared-key xxxx
tunnel-group asa ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group tstvpn type remote-access
tunnel-group tstvpn general-attributes
authentication-server-group (outside) users-2
accounting-server-group users-2
default-group-policy DefaultRAGroup
tunnel-group tstvpn ipsec-attributes
pre-shared-key xxxx
tunnel-group tstvpn ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum xxxx
policy-map global_policy
class inspection_default
inspect xxxx
inspect ...
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxx
: end
-
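An added check (not from the poster and not an ASA feature) that reads the split-tunnel pieces of an ASA config like the one above and reports what a client would actually be told to tunnel. Two things are worth seeing on this very config: `192.168.15.0 255.255.224.0` has host bits set, so the ACL entry really covers 192.168.0.0/19, not a network starting at 192.168.15.0; and a pool mask of 255.255.0.0 hands the client a /16 that overlaps a tunneled 192.168.x network. The pool range is masked in the post, so the 192.168.50.1-192.168.50.100 range in the sample is an assumed stand-in.

```python
import ipaddress
import re

# Constructed sample: the split-tunnel related lines of the posted ASA 8.2 config. The pool
# range is masked in the post, so 192.168.50.1-192.168.50.100 is an assumed stand-in.
ASA_CONFIG = """\
access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0
ip local pool VPN-USER-pool 192.168.50.1-192.168.50.100 mask 255.255.0.0
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
"""

ACL_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list value (\S+)$")


def parse(config):
    """Collect standard ACLs, local pools and the ACL names referenced by split-tunnel-network-list."""
    acls, pools, split_lists = {}, {}, set()
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, action, net, mask = m.groups()
            acls.setdefault(name, []).append((action, net, mask))
        elif m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            pools[name] = (first, last, mask)
        elif m := SPLIT_RE.match(line):
            split_lists.add(m.group(1))
    return acls, pools, split_lists


def audit(config):
    """Return (findings, tunneled_networks) for the split-tunnel setup in an ASA config."""
    acls, pools, split_lists = parse(config)
    findings, tunneled = [], []
    for name in sorted(split_lists):
        for action, net, mask in acls.get(name, []):
            effective = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            # The mask is applied as written: an address with host bits set silently
            # describes a different network than the one the operator typed.
            if str(effective.network_address) != net:
                findings.append(f"ACL {name}: '{net} {mask}' has host bits set; "
                                f"the entry actually covers {effective}")
            if action == "permit":
                tunneled.append(effective)
    for name, (first, _last, mask) in pools.items():
        pool_subnet = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        for net in tunneled:
            # The pool mask is what the client applies to its VPN adapter; an overlap makes it
            # treat those tunneled hosts as on-link instead of behind the tunnel.
            if pool_subnet.overlaps(net):
                findings.append(f"pool {name}: mask {mask} puts the client in {pool_subnet}, "
                                f"which overlaps tunneled network {net}")
    return findings, tunneled


def is_tunneled(dst, tunneled):
    """True if a destination falls inside any split-tunnel network (tunnelspecified policy)."""
    return any(ipaddress.ip_address(dst) in net for net in tunneled)


if __name__ == "__main__":
    findings, nets = audit(ASA_CONFIG)
    print("\n".join(findings) or "no findings")
    for dst in ("10.1.200.5", "192.168.15.7", "192.168.40.1", "8.8.8.8"):
        print(dst, "-> tunnel" if is_tunneled(dst, nets) else "-> local")
```

Writing the second entry as `192.168.0.0 255.255.224.0` (or whatever /24 was actually intended) and giving the pool a mask that matches its real range are the two corrections the checker points at; whether the L2TP client then honours the list is a separate question this script does not answer.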
My router does VPN passthrough and is set up correctly. Does it also have to host the VPN?
Thanks
Greg
Not sure I understand your question or problem, but I'll give it a shot.
No, you do not have to host the VPN server on your router. That wouldn't do you any good for working around the limitations of the VZW network anyway, since you are still on the same VZW network. When you set up a VPN you normally want it to be on someone else's network so you can enable things like port forwarding and remote access.
The VPN Passthrough feature only allows your VPN clients to access VPN servers; it's not the same thing as hosting. If you want your router to auto-connect to a VPN server (which is more common), that is something different. VPN clients connect to VPN servers. VPN clients are normally installed on your personal devices or your router. VPN servers are geographically located somewhere else and on someone else's network.
-
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (please don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary WAN ("slow wan" link with slower upload, 10D/1U Mbps) and it is used by the corporate workstations used by the employees. The other is our backup link. It has higher upload speed, 11D/11U Mbps ("fast wan"), and thus we also use the high-upload link for our web server (I have done this using PBR just for the HTTP traffic from the web server). For numerous other reasons we cannot use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the `fast wan` interface but exits from the `slow wan` interface. And because the `slow wan` has only 1 Mbps upload, the VPN connection is slow.
Is there any way for us to redirect the VPN traffic to always use the `fast wan` interface and take advantage of the 11 Mbps upload speed of that connection?
This is our sanitized config:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group dc
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
interface Loopback0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3
no ip address
interface Virtual-Template4
no ip address
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4Can you try to use PBR Match track object,
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit -
Routing based on destination IP and traffic type
Is it possible to route traffic based on the destination IP and the type of traffic?
ASA5512
Software 9.2.1
We have an ASA 5512 that is used as a VPN termination point. Our employees connect from one of our customer sites to this VPN point. The customer also hosts services on the same IP address that our employees use to access our VPN on.
What I want to do is to use a different route for certain traffic to take to get to these other services provide by our customer, for instance they offer an FTP site and I want to use a different route to get our internal users to this FTP site. Is this possible to achieve?
Any help would be greatly appreciated.
Murray
Technically speaking, the ASA doesn't do policy-based routing. However, you might be able to simulate something similar to PBR by using a combination of static routes and NAT.
If you describe your Network setup, ASA, and how the alternate route is connected to your customer, we might be able to help you better.
Please remember to select a correct answer and rate helpful posts -
Can't access other computer on Windows 8.1 based VPN
Hi,
I have a computer in my office, and my laptop at home.
I want to be able to access resources at my office when I'm at home.
Both computers are Windows 8.1 based, and in both I'm the Admin.
I've successfully created a VPN connection. I've configured my office router to allow PPTP 1793 port connections.
I've configured the Office computer as the VPN server, and successfully connected to it when I was at home.
I was expecting to see the office computer as part of the network, but unfortunately I can't see that computer when I'm at home.
I was searching the web for a solution. I found a possible solution, which didn't help me: setting the network to Private in Windows settings via the registry or network policy, but that didn't help.
How can I access my office computer, when I am at home?
Thanks!
Amir.
You may also need to verify the network settings of your VPN connection. Check the IP address assigned to your VPN adapter and to the remote computer (VPN server). Verify that you can access the remote computer by IP address (\\x.x.x.x) in File Explorer.
VPN connections often use a separate subnet and IP range, and thus computers detected across this adapter are not seen by network discovery. You will need to enter the computer name (if DNS is working over the VPN link) or IP address to access the remote computer.
Also consider that when a VPN connection is established the client is effectively joining the server network, not the other way around.
Brandon
Windows Outreach Team- IT Pro
Windows for IT Pros on TechNet -
Cant ping behind cisco router (site2site vpn)
Dears;
After configuring a site-to-site VPN between a Cisco router and a FortiGate firewall:
Site A: 10.0.0.0/24 behind FortiGate
Site B: 10.10.10.0/24 behind Cisco router
The tunnel is up and I can ping 10.0.0.1 from site B and 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or the 10.10.10.0/24 network from site A.
My Cisco router configuration is:
Current configuration : 2947 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
no aaa new-model
memory-size iomem 10
clock timezone cairo 2 0
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool GUEST
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
ip cef
controller VDSL 0
ip ssh version 2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key 6 *********** address 4.x.x.x no-xauth
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
crypto map kon-map 10 ipsec-isakmp
set peer 4.x.x.x
set transform-set myset
set pfs group5
match address 105
interface Ethernet0
no ip address
no fair-queue
interface ATM0
no ip address
ip mtu 1452
ip tcp adjust-mss 1452
no atm ilmi-keepalive
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
crypto map kon-map
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
banner motd ^C^C
end
When pinging from the Cisco router:
konsuler#ping 10.0.0.27 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 0 percent (0/5)
Help please.

Thank you Karsten.
I can ping the interface of the router from the remote site but can't ping any device behind the router, and I can ping the firewall interface but can't ping any device behind the firewall.
- counters in "sh crypto ipsec sa" increased only while pinging 10.0.0.1 or 10.10.10.1 from either side
r#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer1
Uptime: 00:03:12
Session status: UP-ACTIVE
Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.x.x.x
Desc: (none)
IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
Capabilities:(none) connid:2001 lifetime:22:39:59
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407
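As an added example (not code from the thread): a small Python check, run against a constructed excerpt of the ACL lines quoted in the posted config, that verifies the crypto-map flow (ACL 105) hits a deny in the NAT ACL (100) before any permit, so LAN traffic for the tunnel is not PAT'd out Dialer1. The posted config passes this check, which rules out that classic cause; a constructed variant with the deny line missing is flagged.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt mirroring the NAT/crypto ACL lines quoted in the post.
POST_CONFIG = """
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map kon-map 10 ipsec-isakmp
 match address 105
"""
# Constructed weak variant: the NAT-exempt deny line is missing.
BROKEN_CONFIG = POST_CONFIG.replace(
    "access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255\n", "")

def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, tokens used)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return IPv4Network(tokens[1]), 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a netmask
    return IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), 2

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) ip (.+)$", config, re.M):
        toks = m.group(3).split()
        src, used = _net(toks)
        dst, _ = _net(toks[used:])
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def nat_leaks(config):
    """Crypto-ACL flows whose first matching NAT entry is a permit: they get PAT'd, never encrypted."""
    nat_acl = re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1)
    crypto_acl = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    acls = parse_acls(config)
    leaks = []
    for action, csrc, cdst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in acls.get(nat_acl, []):
            if csrc.subnet_of(nsrc) and cdst.subnet_of(ndst):  # first match decides
                if nat_action == "permit":
                    leaks.append((str(csrc), str(cdst)))
                break
    return leaks
```

Because the posted config is clean here, the remaining suspects are the host side (default gateways and host firewalls on 10.0.0.0/24 and 10.10.10.0/24) and the FortiGate policy and proxy IDs, which this check does not cover.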