Route based VPN ?

Hi all,
Is there any Cisco gear that supports route-based VPN (not GRE over IPsec)?

Same problem here. It just works on Snow Leopard. Now I have to use a Windows virtual machine to connect to a Linux-based PPTP VPN. It is a shame.
I noticed that I can ping and SSH to the VPN server machine. In my case, the local IP address of that machine is 192.168.41.6; I can ping it and SSH to it.
MacBook-de-Daniel:~ daniel$ ping -c 4 192.168.41.6
PING 192.168.41.6 (192.168.41.6): 56 data bytes
64 bytes from 192.168.41.6: icmp_seq=0 ttl=64 time=262.643 ms
64 bytes from 192.168.41.6: icmp_seq=1 ttl=64 time=320.283 ms
64 bytes from 192.168.41.6: icmp_seq=2 ttl=64 time=258.763 ms
64 bytes from 192.168.41.6: icmp_seq=3 ttl=64 time=271.596 ms
--- 192.168.41.6 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 258.763/278.321/320.283/24.670 ms
However, I am not able to ping, SSH or do anything else to any other IP address in the 192.168.41.0 network (the network I am connecting to through the VPN). This works perfectly on Snow Leopard. For example:
MacBook-de-Daniel:~ daniel$ ping -c 4 192.168.41.20
PING 192.168.41.20 (192.168.41.20): 56 data bytes
Request timeout for icmp_seq 0
36 bytes from 190.223.188.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 5400 f68e   0 0000  3d  01 ea46 172.16.7.7  192.168.41.20
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
--- 192.168.41.20 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
I don't know how to solve this situation in Lion. It is upsetting. Please Apple, solve it. Or tell us how to solve it. Thanks.

Similar Messages

  • BGP Event-Based VPN Import

    Hi Guys,
    I came across this command but have a problem understanding what it does or how to use it:
    Router(config-router-af)# import path selection {all | bestpath [strict] | multipath [strict]}
    It falls under the "BGP Event-Based VPN Import" section:
    http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/iproute_bgp/configuration/guide/2_xe/irg_xe_book/irg_event_vpn_import_xe.html#wp1059052
    Does anyone know what this does or how this works?

    Hi,
    It specifies the BGP import path selection policy for a specific VRF instance.
    You might be aware of VRF-Lite, that is, VPNs without MPLS.
    BGP Event-Based VPN Import
    The BGP Event-Based VPN Import feature introduces a modification to the existing BGP path import process. BGP Virtual Private Network (VPN) import provides importing functionality for BGP paths where BGP paths are imported from the BGP VPN table into a BGP virtual routing and forwarding (VRF) topology. In the existing path import process, when path updates occur, the import updates are processed during the next scan time, which is a configurable interval of 5 to 15 seconds. The scan time adds a delay in the propagation of routes. The enhanced BGP path import is driven by events; when a BGP path changes, all of its imported copies are updated as soon as processing is available.
    When you use the BGP Event-Based VPN Import feature, convergence times are significantly reduced because provider edge (PE) routers can propagate VPN paths to customer edge (CE) routers without the scan time delay. Configuration changes such as adding imported route targets (RT) to a VRF are not processed immediately, and are still handled during the 60-second periodic scanner pass.
    Import Path Selection Policy
    Event-based VPN import introduces three path selection policies:
    •All—Import all available paths from the exporting net that match any route target (RT) associated with the importing VRF instance.
    •Best path—Import the best available path that matches the RT of the VRF instance. If the best path in the exporting net does not match the RT of the VRF instance, a best available path that matches the RT of the VRF instance is imported.
    •Multipath—Import the best path and all paths marked as multipaths that match the RT of the VRF instance. If there are no best path or multipath matches, then the best available path is selected.
    - Ashok
    Please rate the useful post or mark as correct answer as it will help others looking for similar information
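
    What the import path selection policy looks like in a configuration, as an added example that is not part of the thread (the VRF name CUST-A, AS 65000 and the route targets are assumed placeholder values):

```cisco
! Added example, not from the thread. CUST-A, 65000 and 65000:100 are assumed values.
vrf definition CUST-A
 rd 65000:100
 address-family ipv4
  route-target import 65000:100
  route-target export 65000:100
 exit-address-family
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  ! Import every path in the exporting net that carries an RT this VRF imports.
  ! The default is "bestpath"; append "strict" to bestpath/multipath to suppress
  ! the fallback to the best RT-matching path when the overall best path does not match.
  import path selection all
  ! Upper bound on the number of paths imported per prefix (same feature set).
  import path limit 4
 exit-address-family
```

    `show ip bgp vpnv4 vrf CUST-A` shows which paths were actually imported. As the feature text above notes, adding a new import route target to the VRF is still picked up by the periodic scanner, not by the event-driven path, so expect a delay of up to a minute after that kind of change.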

  • Web based VPN issue wheras anyconnect and VPN client working fine

    Experts,
    We have a Cisco ASA 5540 and I'm running into issues accessing the web-based VPN (https://X.X.x.x). There are about 8 VPN profiles configured and I'm unable to log in using any of them, whereas the VPN Client and Cisco AnyConnect are working fine. On accessing the web-based VPN, after providing the login credentials and hitting Enter, the page refreshes and throws me back to the same login page again. This is the production ASA and I cannot run debugs.
    Kindly, provide me your valuable inputs.
    Thank you!

    Your problem is the NAT config. First, the following line is not needed, as RDP doesn't work over UDP:
    ip nat inside source static udp 192.168.10.136 3389 interface Dialer0 3389
    Then, the following command causes the problems:
    ip nat inside source static tcp 192.168.10.136 3389 interface Dialer0 3389
    With that, the router assumes that the server 192.168.10.136 should always be reached through the IP of Dialer0 and does a translation.
    There are a couple of ways to resolve the problem, but they all have some drawbacks:
    1) Only access the server through the VPN. For that you just delete the NAT statement above (the one with tcp) and you should be able to reach the server through the VPN.
    2) Restrict the NAT so that it does not translate when a VPN peer is accessing the server.
    For that you need to attach a route-map to the NAT statement. That won't work with the "interface" keyword in the NAT statement, but you can use it if you get a fixed IP from your provider.
    3) Assign a second IP to the RDP server. The original IP, which is used in the NAT statement, is used for accessing the server without the VPN; the second IP is used for accessing the server through the VPN.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
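
    Option 2 spelled out, as an added example rather than the poster's or the replier's configuration. It assumes a fixed public address 203.0.113.10 on Dialer0 and a remote VPN LAN of 192.168.20.0/24; both are placeholders.

```cisco
! Added example, not the poster's config. 203.0.113.10 (fixed public IP on Dialer0)
! and 192.168.20.0/24 (remote VPN LAN) are assumed placeholder values.
ip access-list extended RDP-NAT-EXCEPT-VPN
 remark Route-map is evaluated inside->outside: deny = leave untranslated
 deny   tcp host 192.168.10.136 eq 3389 192.168.20.0 0.0.0.255
 permit tcp host 192.168.10.136 eq 3389 any
!
route-map RDP-NAT permit 10
 match ip address RDP-NAT-EXCEPT-VPN
!
! The "interface Dialer0" form cannot carry a route-map, so it is replaced by the fixed-IP form.
no ip nat inside source static tcp 192.168.10.136 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.10.136 3389 203.0.113.10 3389 extendable route-map RDP-NAT
```

    With this in place, RDP replies towards 192.168.20.0/24 keep their private source address, which is what the IPsec crypto ACL on the far end expects, while RDP from the Internet is still translated. `show ip nat translations | include 3389` confirms which sessions are being translated.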

  • Select Switch Executive Route based on Socket Index

    Hi,
    I have a sequence set up in TestStand which simultaneously tests up to 4 UUTs. In order to run current measurements, I need to be able to switch each device through the DMM. I have the routes properly configured in Switch Executive, and everything runs fine when I switch manually using the Test Panel feature. What I need to do now, though, is choose which device is routed to the DMM based on its test socket number.
    So, for the "Measure Current" test step on "Test Socket 0", I go to the Properties > Switching window and just select the "Connect_UUT0" route group. This works fine for a single test socket, but how can I dynamically switch routes when I have more than one UUT?
    I'm aware of the "RunState.TestSockets.MyIndex" variable, but I can't seem to select a route based on it, i.e. in "Routes to Connect" I typed "Str(Connect_UUT)+Str(RunState.TestSockets.MyIndex)" after I read a similar solution on this forum, but I just get an error.
    I'd really appreciate some help on this,
    Thanks,
    Kevin

    Hey Kevin,
    You shouldn't need to do Str(Connect_UUT). You're likely getting the error because it's trying to interpret Connect_UUT as a variable instead of a string. Try this instead:
    "Connect_UUT"+Str(RunState.TestSockets.MyIndex)
    I think that will work, but let us know if you run into any more trouble!
    Daniel E.
    TestStand Product Support Engineer
    National Instruments

  • Router based activity  and method call issue

    Hi All
    I am presently working on a router-based task flow (bounded task flow) and page fragments.
    In the above router-based task flow I have used a method call.
    In the above method call I return a status, and on the basis of that status I redirect to the success page or the error page (the success and error pages are page fragments, i.e. .jsff pages).
    I have dragged and dropped the above-mentioned router-based task flow into my jspx page in a facet as a region.
    Below is the code for my jspx page:
    <af:region value="#{bindings.testtaskflowvalidations.regionModel}"
               id="r1"/>
    But my problem is that the method call which I included in the above router-based task flow is not called (the method call is not happening).
    So what changes do I need to make so that the method is called?
    Currently I am using JDeveloper 11.1.1.4.0.
    Thanks and Regards
    Bipin Patil.
    Edited by: Bipin Patil on Jun 29, 2011 1:59 AM

    Hi
    I am not getting any kind of server errors.
    Below is my router code:
    <?xml version="1.0" encoding="windows-1252" ?>
    <adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
      <task-flow-definition id="ValidationTaskFlow">
        <default-activity id="__1">ValidationTask</default-activity>
        <managed-bean id="__25">
          <managed-bean-name id="__24">validationBean</managed-bean-name>
          <managed-bean-class id="__27">com.test.Validate</managed-bean-class>
          <managed-bean-scope id="__26">pageFlow</managed-bean-scope>
        </managed-bean>
        <router id="ValidationTask">
          <case>
            <expression>#{pageFlowScope.Validationstatus == 'true'}</expression>
            <outcome id="__2">success</outcome>
          </case>
          <case>
            <expression>#{pageFlowScope.Validationstatus == 'false'}</expression>
            <outcome id="__3">fail</outcome>
          </case>
          <default-outcome>fail</default-outcome>
        </router>
        <view id="validationsuccess">
          <page>/pages/main.jsff</page>
        </view>
        <view id="validationerror">
          <page>/pages/hashkeyvalidationerror.jsff</page>
        </view>
        <method-call id="ValidationStatusSupplier">
          <method>#{pageFlowScope.validationBean.onBeforePhase}</method>
          <outcome id="__9">
            <fixed-outcome>ValidateFlow</fixed-outcome>
          </outcome>
        </method-call>
        <control-flow-rule id="__10">
          <from-activity-id id="__11">ValidationTask</from-activity-id>
          <control-flow-case id="__12">
            <from-outcome id="__14">success</from-outcome>
            <to-activity-id id="__13">validationsuccess</to-activity-id>
          </control-flow-case>
          <control-flow-case id="__16">
            <from-outcome id="__15">fail</from-outcome>
            <to-activity-id id="__17">validationerror</to-activity-id>
          </control-flow-case>
        </control-flow-rule>
        <control-flow-rule id="__19">
          <from-activity-id id="__20">ValidationStatusSupplier</from-activity-id>
          <control-flow-case id="__23">
            <from-outcome id="__21">ValidateFlow</from-outcome>
            <to-activity-id id="__22">ValidationTask</to-activity-id>
          </control-flow-case>
        </control-flow-rule>
        <use-page-fragments/>
        <visibility id="__18">
          <url-invoke-allowed/>
        </visibility>
      </task-flow-definition>
    </adfc-config>

  • AAA and Certificate Based VPN

    We have a pair of 5520 firewalls with a traditional setup of AAA VPN authentication on the backend. We are looking to do some proof of concepts with a certificate-based VPN and the AnyConnect client on startup.
    To set this up, I have my existing VPN profile that has AAA authentication and created a new VPN profile for certificate-based authentication. I also have the ASA set up so the user is allowed to choose which profile they want to connect to.
    However, once I create my certificate-based VPN profile, any client that doesn't have a certificate fails to connect, because they don't have a valid certificate, without having the option to choose the AAA-only profile. If a machine does have a certificate, they then get the option to choose the AAA or certificate-based profile.
    Is there any way to set up the ASA to accept clients without a certificate to use the AAA authentication while still having the certificate-based profile enabled for doing a proof of concept?
    Thanks

    Hi CrankyMonkey, 
    The 9.4 image includes new features for SSL/TLS that might be impacting your certificate authentication.
    "Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
    As a workaround you can try to use the following cipher configuration and check if it works.
    ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA" 
    Reference link
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
    Rate if helps.
    -Randy
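
    An added example (not the poster's or Randy's configuration) of keeping an AAA-only tunnel-group reachable alongside a certificate-authenticated one: the authentication method is a per-tunnel-group setting under webvpn-attributes, so the two can coexist and be reached by different entry points. The tunnel-group names, the RADIUS server group, the group policy and the hostname are assumed placeholders.

```cisco
! Added example, not from the thread. RA-AAA, RA-CERT, RADIUS-SRV, GP-RA and
! vpn.example.com are assumed placeholder names.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable          ! clients get the alias drop-down
!
! Group 1: password users, selected from the alias list on the default URL.
tunnel-group RA-AAA type remote-access
tunnel-group RA-AAA general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy GP-RA
tunnel-group RA-AAA webvpn-attributes
 authentication aaa
 group-alias AAA-Users enable
!
! Group 2: certificate users, reached only through its own group-url, so a
! client that never asks for that URL is never asked for a certificate.
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 default-group-policy GP-RA
tunnel-group RA-CERT webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/cert enable
```

    The proof-of-concept clients point their AnyConnect host entry at the /cert URL; everyone else keeps using the bare hostname and sees only the alias list. `show vpn-sessiondb anyconnect` shows which tunnel-group each session landed in.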

  • Route based on ip hash policy

    I have a UCS chassis connected to two 7Ks in vPC mode. Can I use "Route based on IP hash" as the VMware load balancing policy, or does it have to be "Route based on virtual port ID"?

    Yes, sorry, I mean the UCS chassis to the FI and the FI to the 7K.
    The FI is connected via vPC. Can I use IP hash load balancing?

  • SSL-Based VPN for iPod Touch

    I've been told that my iPod Touch (2nd Gen, iOS 3.x) can use only PPTP-based VPN. In other words, it can not use SSL-based VPN.
    On the VPN configuration screen I see tabs for L2TP and IPSec as well as PPTP.
    Can either L2TP or IPSec be used for SSL-based VPNs?
    Thank you.
    - nello

    Unfortunately not, at least not that I have used. The closest I can get to free that I can vouch for is Remote HD, which I use on my iPad, but it works on the iPod as well. It is 5 bucks and, while not a full-featured VNC, works pretty well for running a computer remotely. Sorry I couldn't help more; maybe someone else has more experience.

  • RV042 inserting bogus route on VPN gateway

    I cannot determine where the destination route 10.50.0.0/24 to 10.40.0.1 on the LAN interface (ixp0) is coming from. There were some static routes to VPN networks which were not necessary; I deleted them. After I deleted the static routes the routing table looked good and I was able to ping all VPN LAN gateways. I thought I had it made, then tried to access a printer in the 10.50.0.0/24 network from the 10.40.0.0/24 network and could not connect. I returned to the router and saw that the route 10.50.0.0/24 to 10.40.0.1 had been injected. I don't have a clue where it came from.
    Anyone have this issue?
    Routing table as posted ("-" marks entries with no gateway listed):
    Destination       Netmask            Gateway            Metric  Interface
    xxx.16.200.72     255.255.255.252    xxx.16.200.74      0       ixp2
    xxx.16.200.72     255.255.255.252    -                  40      ixp2
    xxx.16.200.72     255.255.255.252    -                  45      ipsec1
    xxx.172.122.192   255.255.255.224    xxx.172.122.210    0       ixp1
    xxx.172.122.192   255.255.255.224    -                  40      ixp1
    xxx.172.122.192   255.255.255.224    -                  45      ipsec0
    10.70.0.0         255.255.255.0      xxx.172.122.193    10      ipsec0
    10.50.0.0         255.255.255.0      10.40.0.1          2       ixp0
    10.50.0.0         255.255.255.0      xxx.16.200.73      10      ipsec1
    10.60.0.0         255.255.255.0      xxx.172.122.193    10      ipsec0
    10.40.0.0         255.255.255.0      10.40.0.2          0       ixp0
    10.40.0.0         255.255.255.0      -                  50      ixp0
    default           0.0.0.0            xxx.172.122.193    15      ixp1
    default           0.0.0.0            xxx.16.200.73      40      ixp2
    default           0.0.0.0            xxx.172.122.193    40      ixp1

    Problem resolved.
    Apparently the router does not do a good job of cleaning up the routing table when changes are made.
    A reboot of the router cleaned up the routes and I was able to ping all VPN LAN gateways.

  • ASA does not propagate routes to VPN users

    Good afternoon
    I'm having an issue regarding the propagation of routes to VPN users who authenticate through the ASA tunnel-group.
    I have a VPN-Users-Pool from which my users receive their IP address, and after authentication, once the tunnel is established, the idea is for the user to reach the following networks defined in the following ACL:
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not supposed to be sent). The user does not receive the routes specified in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from which he is receiving the IP is a class A network).
    The network routing is working as expected (when I add the static routes directly to the user's PC, everything works OK). It's just the issue of the ASA not propagating the routes as it should.
    Here are my split tunneling settings:
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    group-policy DfltGrpPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    Any ideas?
    I appreciate your help
    Best regards

    ajaychauhan
    Thank you for your reply. I'm sending the config below (I've cleared all confidential info such as IPs, passwords, timeout values, etc., but I think what you have below is enough to get a clear picture):
    ASA Version 8.2(1)
    hostname asa-xxxx
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 197.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/1
    nameif vpncorp
    security-level 50
    ip address 10.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    speed 100
    duplex full
    nameif mgmt
    security-level 100
    ip address 10.x.xx.xx 255.255.255.240
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name zz.df.es
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 14000
    logging buffered debugging
    logging asdm debugging
    logging facility 21
    logging host mgmt 10.xx.x.x
    logging class auth trap informational
    logging class config trap informational
    logging class ha trap informational
    logging class sys trap informational
    logging class vpdn trap informational
    logging class vpn trap informational
    mtu outside 1500
    mtu vpncorp 1500
    mtu mgmt 1500
    ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
    ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
    ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
    route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
    route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server mgmtt protocol radius
    aaa-server mgmtt (mgmt) host 10.xx.x.xx
    timeout xxx
    key xxxxxxxxxx
    authentication-port xxx
    accounting-port xxxx
    aaa-server mgmtt (mgmt) host 10.xx.xx.xx
    timeout xxx
    key xxxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server Users (mgmt) host 10.xx.xx.xx
    key xxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users-2 protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server users-2 (mgmt) host 10.xx.xx.xxx
    key xxxx
    authentication-port xxx
    accounting-port xxxx
    aaa authentication ...
    aaa authentication ...
    aaa authentication ...
    aaa authorization ...
    aaa accounting ...
    aaa accounting ...
    aaa accounting ...
    snmp-server ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec security-association lifetime seconds xxx
    crypto ipsec security-association lifetime kilobytes xxx
    crypto dynamic-map vpn-ra-dyn_map 10 set ...
    crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy ...
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    crypto isakmp policy xxx
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    telnet timeout xxx
    ssh 10.x.x.x 255.255.255.255 mgmt
    ssh timeout x
    ssh version x
    console timeout x
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    default-domain value xx.xx.es
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    vpn-idle-timeout 1
    split-tunnel-policy tunnelspecified
    username ...
    username ...
    username ...
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) Users
    accounting-server-group users
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key xxxxx
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group asa type remote-access
    tunnel-group asa general-attributes
    address-pool VPN-user-pool
    authentication-server-group (outside) test
    accounting-server-group test
    tunnel-group asa ipsec-attributes
    pre-shared-key xxxx
    tunnel-group asa ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group tstvpn type remote-access
    tunnel-group tstvpn general-attributes
    authentication-server-group (outside) users-2
    accounting-server-group users-2
    default-group-policy DefaultRAGroup
    tunnel-group tstvpn ipsec-attributes
    pre-shared-key xxxx
    tunnel-group tstvpn ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum xxxx
    policy-map global_policy
    class inspection_default
      inspect xxxx
      inspect ...
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxx
    : end
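
    An added example, not from either poster, of what the group-policy needs for Windows native L2TP/IPsec clients, which is what the ppp-attributes in the posted config suggest. PPP/IPCP hands such a client an address but no subnet mask and no routes; on the ASA, DHCP Intercept answers the client's DHCP INFORM with the mask and with the split-tunnel networks as classless static routes. The netmask value is assumed to match VPN-USER-pool; the ACL and group-policy names are the ones from the posted config.

```cisco
! Added example, not the poster's config. The 255.255.0.0 mask is assumed to match
! the VPN-USER-pool mask from the posted config; Inside is the posted split-tunnel ACL.
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
 ! Reply to the Windows client's DHCP INFORM over the tunnel with this subnet mask
 ! and with the networks in "Inside" as classless static routes.
 intercept-dhcp 255.255.0.0 enable
```

    The default route the client installs is not something the ASA sends: the Windows connection's "Use default gateway on remote network" option adds it on the client side, so that box has to be cleared for split tunneling to take effect. After reconnecting, `route print` on the client should show the 10.1.0.0/16 and 192.168.15.0 entries pointing at the PPP adapter and a mask other than /8 on the adapter itself.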

  • My router does vpn passthrough and is set up correctly. Does it also have to host the vpn?

    my router does vpn passthrough and is set up correctly. Does it also have to host the vpn?
    Thanks
    Greg

    Not sure I understand your question or problem, but I'll give it a shot.
    No, you do not have to host the VPN server on your router. That wouldn't do you any good for working around the limitations of the VZW network anyway, since you are still on the same VZW network. When you set up a VPN you normally want it to be on someone else's network so you can enable things like port forwarding and remote access.
    The VPN Passthrough feature only allows your VPN clients to access VPN servers; it's not the same thing as hosting. If you want your router to auto-connect to a VPN server (which is more common) that is something different. VPN clients connect to VPN servers. VPN clients are normally installed on your personal devices or your router. VPN servers are geographically located somewhere else and on someone else's network.

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (please don't laugh, I know it is very obsolete, but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary WAN ("slow WAN" link with slower upload, 10D/1U Mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has a higher upload speed, 11D/11U Mbps ("fast WAN"), and thus we also use the high-upload link for our web server (I have done this using PBR just for the HTTP traffic from the web server). For numerous other reasons we cannot use the "fast WAN" connection as our primary connection and it is used only as a failover in case the primary link fails.
    The "fast WAN" also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the "fast WAN" interface but exits from the "slow WAN" interface. And because the "slow WAN" has only 1 Mbps upload, the VPN connection is slow.
    Is there any way for us to redirect the VPN traffic to always use the "fast WAN" interface and take advantage of the 11 Mbps upload speed of that connection?
    This is our sanitized config:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use the PBR Match Track Object feature?
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional references for PBR Match Track Object: this feature is part of Cisco IOS XE Release 3.13S and later. The PBR Match Track Object feature enables a device to track the stub object during policy-based routing. The following command was introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit
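
    An added example, not part of either post, of policy-routing the router's own IKE and ESP packets out the fast WAN on classic IOS (the 2800 in question), using the older set ip next-hop verify-availability ... track form rather than match track. Interface PBR on the LAN sub-interfaces never sees router-generated traffic, which is why the encrypted return traffic follows the default route today; ip local policy is what catches it. The sanitized addresses are the ones from the posted config; the IP SLA and track numbers are assumed.

```cisco
! Added example, not the poster's or the reply's config. 88.XX.XX.75/.73 are the
! sanitized fast-WAN addresses from the posted config; ip sla 1 / track 1 are assumed.
ip sla 1
 icmp-echo 88.XX.XX.73 source-interface FastEthernet0/0.3
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip access-list extended VPN-FROM-FAST-WAN
 remark IKE, NAT-T and ESP sourced from the fast-WAN address
 permit udp host 88.XX.XX.75 eq isakmp any
 permit udp host 88.XX.XX.75 eq non500-isakmp any
 permit esp host 88.XX.XX.75 any
!
route-map LOCAL-VPN-VIA-FAST-WAN permit 10
 match ip address VPN-FROM-FAST-WAN
 ! Only steer to the fast-WAN next hop while track 1 is up; otherwise fall back to
 ! the routing table, so a dead fast-WAN link does not blackhole the VPN.
 set ip next-hop verify-availability 88.XX.XX.73 10 track 1
!
! Router-originated packets bypass interface PBR; local policy is what applies to them.
ip local policy route-map LOCAL-VPN-VIA-FAST-WAN
```

    `show track 1` should report Reachability Up and `show route-map LOCAL-VPN-VIA-FAST-WAN` should show the policy routing match counters climbing while a VPN Client session is active. The ACL deliberately matches only the three VPN protocols sourced from the fast-WAN address, so the router's other locally generated traffic is untouched.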

  • Routing based on destination IP and traffic type

    Is it possible to route traffic based on the destination IP and the type of traffic?
    ASA5512
    Software 9.2.1
    We have an ASA 5512 that is used as a VPN termination point. Our employees connect from one of our customer sites to this VPN point. The customer also hosts services on the same IP address that our employees use to access our VPN on.
    What I want to do is use a different route for certain traffic to take to get to these other services provided by our customer; for instance, they offer an FTP site and I want to use a different route to get our internal users to this FTP site. Is this possible to achieve?
    Any help would be greatly appreciated.
    Murray

    Technically speaking the ASA doesn't do policy based routing.  However, you might be able to simulate something similar to PBR by using a combination of static routes and NAT.
    If you describe your Network setup, ASA, and how the alternate route is connected to your customer, we might be able to help you better.
    Please remember to select a correct answer and rate helpful posts

  • Can't access other computer on Windows 8.1 based VPN

    Hi,
    I have a computer in my office, and my laptop at home.
    I want to be able to access resources at my office when I'm at home.
    Both computers are Windows 8.1 based, and in both I'm the Admin.
    I've successfully created a VPN connection. I've configured my office router to allow PPTP 1793 port connections.
    I've configured the Office computer as the VPN server, and successfully connected to it when I was at home.
    I was expecting to see the office computer as part of the network , but unfortunately I can't get to see that computer when I'm at home.
    I was searching the web for solution. I've found a possible solution, which didn't help me - to set Network to be Private, in Windows settings via registry or network policy, but that didn't help.
    How can I access my office computer, when I am at home?
    Thanks!
    Amir.

    You may also need to verify the network settings of your VPN connection. Check the IP address assigned to your VPN adapter and to the remote computer (VPN server). Verify that you can access the remote computer by IP address (\\x.x.x.x) in File Explorer.
    VPN connections often use a separate subnet and IP range and thus computers detected across this adapter are not seen by network discovery. You will need to enter the computer name (if DNS is working over the VPN link) or IP address to access the remote computer.
    Also consider that when a VPN connection is established the client is effectively joining the server network, not the other way around.
    Brandon
    Windows Outreach Team- IT Pro
    Windows for IT Pros on TechNet

  • Can't ping behind Cisco router (site2site VPN)

    Dears;
    After configuring a site-to-site VPN between a Cisco router and a Fortigate firewall:
    site A: 10.0.0.0/24     behind Fortigate
    site B: 10.10.10.0/24   behind Cisco router
    The tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or inside 10.10.10.0/24 from site A.
    My Cisco router configuration is:
    Current configuration : 2947 bytes
    ! No configuration change since last restart
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    boot-start-marker
    boot-end-marker
    enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
    no aaa new-model
    memory-size iomem 10
    clock timezone cairo 2 0
    crypto pki token default removal timeout 0
    ip source-route
    ip dhcp excluded-address 192.168.16.1
    ip dhcp excluded-address 10.10.10.1 10.10.10.10
    ip dhcp pool GUEST
     network 192.168.16.0 255.255.255.0
     default-router 192.168.16.1
     dns-server 8.8.8.8 8.8.4.4
    ip dhcp pool LAN
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 8.8.8.8 8.8.4.4
    ip cef
    controller VDSL 0
    ip ssh version 2
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key 6 *********** address 4.x.x.x no-xauth
    crypto ipsec transform-set myset esp-aes esp-sha256-hmac
    crypto map kon-map 10 ipsec-isakmp
     set peer 4.x.x.x
     set transform-set myset
     set pfs group5
     match address 105
    interface Ethernet0
     no ip address
     no fair-queue
    interface ATM0
     no ip address
     ip mtu 1452
     ip tcp adjust-mss 1452
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     ip flow ingress
     pvc 0/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    interface FastEthernet0
     switchport mode trunk
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     switchport access vlan 2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Vlan2
     ip address 192.168.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname
     ppp chap password 0
     ppp pap sent-username
     crypto map kon-map
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 192.168.16.0 0.0.0.255 any
    access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    banner motd ^C^C
    end
    When pinging from the Cisco router:
    konsuler#ping 10.0.0.27 source vlan1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    Success rate is 0 percent (0/5)
    Help please.
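    The two configuration points that decide whether LAN-to-LAN traffic actually enters a crypto-map tunnel are (a) the interesting-traffic ACL referenced by "match address" and (b) the NAT exemption for that same traffic in the overload NAT ACL; the crypto map must also sit on the egress (WAN) interface. The linter below is an added example written for this thread, not code from Cisco or from the original poster; it parses a trimmed copy of the configuration above (the ACL, NAT, crypto map and interface lines) and reports when VPN traffic would be NATed before encryption or when the crypto map is not bound to the NAT outside interface. It is a heuristic for this single-WAN topology, not a general IOS parser.

```python
"""Lint an IOS crypto-map site-to-site VPN config for two classic mistakes.

Added example, not from the thread or from Cisco. Checks:
  1. every 'permit' in the crypto ACL (interesting traffic) must hit a 'deny'
     in the overload NAT ACL before any 'permit', or it is NATed pre-encryption;
  2. the crypto map must be applied on the 'ip nat outside' (egress) interface.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tokens: list) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # Invert the IOS wildcard mask to obtain a conventional netmask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse(config: str) -> dict:
    """Collect numbered ACLs, the overload NAT list, crypto-map ACLs and bindings."""
    acls, crypto_acls, iface_crypto, nat_outside = {}, {}, {}, set()
    nat_list = None
    cur_if = cur_map = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indented = line.startswith(" ")
        tok = line.split()
        if not indented:            # a top-level command ends any sub-mode
            cur_if = cur_map = None
        if tok[0] == "access-list" and len(tok) > 3 and tok[3] == "ip":
            rest = tok[4:]
            acls.setdefault(tok[1], []).append(AclEntry(tok[2], _net(rest), _net(rest)))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_list = tok[5]
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[4] == "ipsec-isakmp":
            cur_map = tok[2]
        elif tok[0] == "interface":
            cur_if = tok[1]
        elif indented and cur_map and tok[:2] == ["match", "address"]:
            crypto_acls.setdefault(cur_map, []).append(tok[2])
        elif indented and cur_if and tok[:2] == ["crypto", "map"]:
            iface_crypto[cur_if] = tok[2]
        elif indented and cur_if and tok[:3] == ["ip", "nat", "outside"]:
            nat_outside.add(cur_if)
    return dict(acls=acls, nat_list=nat_list, crypto_acls=crypto_acls,
                iface_crypto=iface_crypto, nat_outside=nat_outside)


def first_match(entries, src, dst):
    """First ACL entry whose source/destination prefixes cover the flow (IOS semantics)."""
    for e in entries:
        if src.subnet_of(e.src) and dst.subnet_of(e.dst):
            return e
    return None


def lint(config: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    c = parse(config)
    findings = []
    nat_entries = c["acls"].get(c["nat_list"], []) if c["nat_list"] else []
    for cmap, acl_ids in c["crypto_acls"].items():
        for acl_id in acl_ids:
            for e in c["acls"].get(acl_id, []):
                if e.action != "permit":
                    continue
                hit = first_match(nat_entries, e.src, e.dst)
                if hit is not None and hit.action == "permit":
                    findings.append(f"crypto map {cmap}: VPN traffic {e.src} -> {e.dst} "
                                    f"is NATed by list {c['nat_list']} (no deny before permit)")
        bound = [i for i, m in c["iface_crypto"].items() if m == cmap]
        if not bound:
            findings.append(f"crypto map {cmap} is not applied to any interface")
        for i in bound:
            if i not in c["nat_outside"]:
                findings.append(f"crypto map {cmap} is on {i}, which is not the NAT outside interface")
    return findings


# Constructed sample: the relevant lines of the configuration posted in the thread.
GOOD_CONFIG = """\
crypto map kon-map 10 ipsec-isakmp
 set peer 4.x.x.x
 match address 105
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
 crypto map kon-map
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
# Constructed variant with the NAT exemption removed: VPN traffic would be NATed.
BROKEN_CONFIG = GOOD_CONFIG.replace(
    "access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255\n", "")

if __name__ == "__main__":
    for name, cfg in (("posted config", GOOD_CONFIG), ("without NAT deny", BROKEN_CONFIG)):
        print(name, "->", lint(cfg) or "OK")
```

    For the posted configuration the linter returns no findings, which agrees with the SA counters the poster reports: the router-to-router traffic is selected and encrypted correctly, so the remaining suspects are the Fortigate firewall policy for the tunnel and host firewalls on the LAN machines, not the Cisco crypto configuration.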

    Thank you karsten
    I can ping the interface of the router from the remote site but can't ping any device behind the router, and can ping the firewall interface but can't ping any device behind the firewall.
    The counters in "sh crypto ipsec sa" increased only while pinging 10.0.0.1 or 10.10.10.1 from both sides.
    r#show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection     
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: Dialer1
    Uptime: 00:03:12
    Session status: UP-ACTIVE     
    Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.x.x.x
          Desc: (none)
      IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
              Capabilities:(none) connid:2001 lifetime:22:39:59
      IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
            Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407
