Route Internet over Pix VPN to Sonicwall

Have a working VPN from Pix501 at remote site to Sonicwall 3060 enhanced at Central Office. Would like remote site to use the Sonicwall for Internet. Basic setup...
LAN--Pix----Internet----Sonicwall--LAN
Thanks

So you basically want all traffic to pass over the tunnel: just define your NAT exemption and interesting-traffic ACLs as being "to any". This will force all traffic over the tunnel. As far as the internet access is concerned, can't help you with the Sonicwall, but it sounds like you want to do something like "public internet on a stick" or outside NAT.

Similar Messages

  • ASA5505 Firewall: route internet via external VPN?

    Dear Cisco community,
    I would hereby like to inform if it is possible to configure the Cisco ASA5505 firewall to route internet via an external VPN, while a laptop and smartphone connect to the firewall via Cisco AnyConnect VPN.
    The configuration would result into: Laptop on public internet -> Cisco ASA5505 VPN -> External VPN (Unix server) -> internet.
    Is this configuration possible?
    Best Regards,
    Jan

    Dear Jouni,
    Thanks a lot for the help!
    The motivations are:
    the management of webservers that are behind a hardware firewall could be done from a single IP that is traceable to a domain (e.g. serveradminxyz.domain.com)
    the IP is fixed and unlikely to change while the internet connection IP of the firewall may change more likely
    additional security against spying/sniffing and hacking, because the network of the server provider may be more secure than the network of a regular internet provider that hosts individuals, because of the amounts of data that are being processed by the network (it would be harder / more unlikely that hackers try to get/hack VPN traffic from the network of an internet server network / data center)
    Are these motivations wrong? And will a server to server VPN cause a large loss of bandwidth (and do you perhaps know how much would be lost by the functioning of the firewall alone?)

  • Voice over PIX VPN?

    I have a LAN2LAN VPN between a PIX 501 and 3030. I want to be able to connect a phone at the remote site. The tunnel is up and I can ping the phone but it doesn't connect to the CM. Is there something I have to configure on the PIX to allow the phone to connect?
    Any help is appreciated.
    Thanks

    You can also try telnetting to the phone / CM from each end once you have the ports worked out. That way you can test the connectivity at that port. You should also have a traffic monitor on the CM so you can see if the phone is actually trying to register.
    Tim

  • VPN - can't access internet over VPN

    Hi,
    I have an issue with VPN.
    For my work I need to be able to log into my office network remotely and then access remote desktop connection from within my work network.
    This won't work unless I am accessing the internet from inside the VPN.
    I have got this working on a PC, just had to select "Use default gateway on remote network" and now when I access the VPN on a windows laptop I am accessing the internet over the VPN.
    When I connect to the VPN on the Mac I can access the network, email server, file servers etc, but can not access the internet through the VPN.
    I have tried:
    - changing the service order
    - ticking and unpicking the send all traffic over VPN setting
    I can get to the point where I can access my work network over the VPN while also accessing the internet over my wifi but cannot get it so I can access the internet over the VPN connection. It is a PPTP VPN.
    Does anyone know how I get my Mac to use the default gateway on the remote network?

    If this server is behind a (NAT-) router you need to turn on "ipforwarding only" in Server Admin NAT configuration, otherwise the server won't route packets beyond its subnet.

  • Router-to-PIX VPN Tunnels fade in and out

    Does anyone know of any problems with Router-to-PIX vpn tunnels? For a number of months we've had about 35 831Routers vpn'd into our PIX515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
    When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the vpn tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. Only problem with that is that some of the locations are having to reboot their 831Router more than two or three times a day.
    I've added keepalive statements into the config of the routers and the PIX. Specifically I've added these two lines to the routers:
    crypto isakmp keepalive 10 5
    crypto ipsec security-association lifetime seconds 28800
    I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
    Thank you,
    Chris

    Try using the debug commands and see if you are getting any error messages that might give us some idea.

  • Routing Issue in PIX 515E

    Hi all,
    I have a routing problem here with routing in PIX515E version 6.35. I have some Client PCs located in the DMZ interface of the PIX515E, they connect to PIX using Cisco VPN Client (IPSEC VPN), after that these PCs can be routed to access Servers (static route) located behind Internal interfaces of PIX. I have some Servers located remotely having Internet Access, the gateway router remotely connect to PIX Outside Interface (Internet) using IPSEC VPN then routed to inside Interface (static route).
    After establishing IPSEC VPN, the Client PCs behind the DMZ interfaces can access Servers located behind Internal Interface of PIX. So do the remote servers. However, the Client PCs cannot access the remote servers.
    Just wondering if there is any restriction for the routing in PIX?
    Thanks for the answer.

    Hi Jorge,
    Please see the config below;
    Servers behind inside interface 172.16.0.0/16
    Remote Server 172.16.0.199/32
    RA_Client:172.16.45.129-172.16.45.254
    dmz: 192.168.0.0/16
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    access-list from-outside remark
    access-list from-outside permit icmp any any echo-reply
    access-list from-outside remark
    access-list nonat permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
    access-list 101 permit ip 172.16.0.0 255.255.0.0 172.16.45.128 255.255.255.128
    access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
    ip address outside x.x.x.70 255.255.255.248
    ip address inside 172.16.58.20 255.255.255.0
    ip address dmz 192.168.68.20 255.255.255.0
    ip verify reverse-path interface outside
    ip local pool RA_Client_pool 172.16.45.129-172.16.45.254
    global (outside) 1 x.x.x.67 netmask 255.255.255.248
    global (dmz) 1 192.168.68.129-192.168.68.254 netmask 255.255.255.128
    nat (inside) 0 access-list nonat
    nat (inside) 1 172.16.0.0 255.255.0.0 0 0
    access-group from-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
    route outside 172.16.0.199 255.255.255.255 x.x.x.65 1
    route inside 172.16.0.0 255.255.0.0 172.16.58.1 1
    route dmz 172.16.45.128 255.255.255.128 192.168.68.1 1
    route dmz 192.168.0.0 255.255.0.0 192.168.68.1 1
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto dynamic-map map2 40 set transform-set 3des-sha
    crypto map IPSEC 40 ipsec-isakmp dynamic map2
    crypto map IPSEC 50 ipsec-isakmp
    crypto map IPSEC 50 match address Remote_Server
    crypto map IPSEC 50 set peer y.y.y.y
    crypto map IPSEC 50 set transform-set 3des-sha
    crypto map IPSEC 50 set security-association lifetime seconds 900 kilobytes 4608000
    crypto map IPSEC client authentication AuthInbound
    crypto map IPSEC interface outside
    crypto map IPSEC interface dmz
    isakmp enable outside
    isakmp enable dmz
    vpngroup RA_Client address-pool RA_Client_pool
    vpngroup RA_Client dns-server 172.16.9.5
    vpngroup RA_Client wins-server 172.16.9.5
    vpngroup RA_Client split-tunnel 101
    vpngroup RA_Client idle-time 1800
    vpngroup RA_Client password ********
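    The earlier reply on the main thread says the NAT-exemption ACL and the crypto ("interesting traffic") ACL must both cover a flow before it goes through the tunnel, and the PIX 515E config above is a concrete set of such ACLs. As an added illustration (not code from the thread or from Cisco), the following Python checks which PIX 6.x access-lists permit a given source/destination pair. It parses the `permit ip` lines posted above, plus one constructed `nonat_full` entry with a destination of `any` to show the "to any" form; the host addresses used as test flows (172.16.58.50, 172.16.45.130, 203.0.113.5) are assumptions chosen from the posted ranges and from a documentation prefix. It models only address matching with PIX netmask notation, not interface binding, NAT order, or ports.

```python
"""
Report which PIX 6.x access-lists cover a source/destination flow.

Added example, not from the original thread. Handles only 'permit'/'deny ip'
lines with PIX netmask notation, 'host X' and 'any'; ignores protocol, ports,
remarks and which interface the ACL is bound to.
"""
import ipaddress
from collections import defaultdict

# Access-list lines copied from the PIX 515E config posted in the thread, plus a
# constructed 'nonat_full' entry (destination 'any', as recommended on the main
# thread for pushing all traffic over the tunnel).
PIX_ACLS = """
access-list from-outside remark
access-list from-outside permit icmp any any echo-reply
access-list nonat permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list 101 permit ip 172.16.0.0 255.255.0.0 172.16.45.128 255.255.255.128
access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list nonat_full permit ip 172.16.0.0 255.255.0.0 any
"""


def _parse_endpoint(tokens, i):
    """Consume one endpoint ('any', 'host X', or 'X NETMASK') at tokens[i].
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x access-lists use ordinary netmasks (255.255.0.0), not IOS wildcards.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        tokens = line.split()
        # Skip remarks and non-IP entries (e.g. the icmp line); only 'ip' is modelled.
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        name, action = tokens[1], tokens[2]
        src, i = _parse_endpoint(tokens, 4)
        dst, _ = _parse_endpoint(tokens, i)
        acls[name].append((action, src, dst))
    return dict(acls)


def first_match(acl, src_ip, dst_ip):
    """ACLs are evaluated top-down, first match wins, with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"


def acls_covering(acls, src_ip, dst_ip):
    """Sorted names of the ACLs whose first matching entry permits the flow."""
    return sorted(n for n, a in acls.items() if first_match(a, src_ip, dst_ip) == "permit")


if __name__ == "__main__":
    acls = parse_acls(PIX_ACLS)
    flows = [
        ("172.16.58.50", "172.16.0.199"),   # inside server -> remote L2L server
        ("172.16.45.130", "172.16.0.199"),  # RA client (pool address) -> remote server
        ("172.16.58.50", "172.16.45.130"),  # inside server -> RA client (split-tunnel ACL 101)
        ("172.16.58.50", "203.0.113.5"),    # inside server -> Internet host (TEST-NET-3)
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: permitted by {acls_covering(acls, src, dst)}")
```

    The last flow is the point of the "to any" advice: an Internet destination matches only the constructed `nonat_full` entry, so with the posted `nonat` and `Remote_Server` ACLs that traffic would be NATed and sent in the clear rather than through the tunnel.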

  • Cisco 871W eZVPN is unable to connect Cisco PIX vpn server

    crypto ipsec client ezvpn TEST
    connect auto
    group Cisco key cisco123
    mode client
    peer 172.1.1.1
    xauth userid mode interactive
    interface FastEthernet4
    ip address 10.1.1.1 255.255.255.0
    ip access-group 101 in
    ip nat outside
    crypto ipsec client ezvpn TEST
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    ip access-group 100 out
    ip nat inside
    crypto ipsec client ezvpn TEST inside
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
    access-list 100 permit ip any any
    access-list 101 permit ip any any
    access-list 103 permit ip 192.168.1.0 0.0.0.255 any
    route-map EzVPN1 permit 1
    match ip address 103
    These are the commands I applied in my Router. It is able to connect but unable to access any other servers. The same user name & password I tried with the VPN dialer works on my Laptop. Is there anything I am missing in the router configuration? The VPN server is Cisco PIX 515E.
    Cisco IOS on 871W is 12.3(8)Y12

    1) Isn't your default route supposed to be pointing towards the external interface?
    ip route 0.0.0.0 0.0.0.0 192.168.1.254 ?
    2) Can you change the 'mode client' to 'mode network-extension'. Also the PIX will need 'nem enable'.
    Have a look at the following (I'm assuming you already have as your config seems to be similar):
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
    For old 6.x code on PIX, have a look at:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
    Regards
    Farrukh

  • Dynamic Routing for Failover L2L VPN

    Hi,
    Can someone offer me some guidance with this issue please?
    I've attached a simple diagram of our WAN for reference.
    Overview
    Firewall is ASA 5510 running 8.4(9)
    Core network at Head Office uses OSPF
    Static routes on ASA are redistributed into OSPF
    Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
    Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
    Branch Office WAN uses BGP - Routes are redistributed into OSPF
    The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
    Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
    Backup BO router (.253) only contains a default route to internet
    Under normal operation, traffic to/from BO uses Local Branch Office WAN
    If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
    I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
    I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a Static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.
    I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
    I suppose what I need to know is; Is this design feasible, and if so where am I going wrong?
    Thanks,
    Paul

    Hi Paul,
    your ASA keeps the tunnel alive only because that route exists on ASA.  Therefore you have to use IP-SLA on ASA to push network traffic "10.10.10.0/24" based on the echo-reply.
    Please look at the example below; it shows that the traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via HQ internal network.
    This config will go on ASA,
    route inside 10.10.10.0 255.255.255.0 10.0.0.2 track 10
    (assuming 10.0.0.2 the peering ip of inside ip address of router at HO)
    route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
    (value 254 is higher cost of the route to go via IPSec tunnel and x =  to default-gateway of ISP)
    sla monitor 99
    type echo protocol ipIcmpEcho 10.10.10.254 interface inside
    num-packets 3
    frequency 10
    sla monitor schedule 99 life forever start-time now
    track 10 rtr 99 reachability
    Let me know, if this helps.
    thanks
    Rizwan Rafeek

  • Remote Desktop/Access shared files over PPTP VPN

    Hello,
    I just bought the RV180W so I can connect to my office computer from anywhere as a VPN client. The two things I need to do while I am connected as a VPN client is to be able to access my files on my office desktop and be able to remote desktop to it as well. I have Win7 on all of my computers. Ideally, I would like to do that over PPTP VPN connection but if that is not possible I can try Cisco QuickVPN software.
    I enabled PPTP on my router and created a user account. I was also able to successfully establish the connection remotely. While I was connected as a PPTP VPN client, I was able to access the Internet and my router setup page, which is telling me that the connection is good. However, I was not able to either discover my office PC under my network tab in Win7 nor was I able to remote desktop. I keep my office PC on all the time and it never goes to sleep. I did not create any connection policy but maybe this is the problem. Please let me know if you know of a solution.
    Thanks!

    Hi David,
    Thank you for the response.
    I was able to access the router configuration using the local IP address (in my case 192.168.1.1). I don't think I would have been able to access it using the public IP address since I have the router remote management feature disabled.
    Now after reading your email, I was finally able to remote desktop and access shared files through a PPTP VPN connection. Here is what I did:
    1- I separated the PPTP VPN IP address range from my DHCP range (in my case, PPTP VPN range is 192.168.1.200 to 210 and my DHCP range is from 192.168.1.100 to 199)
    2- I assigned my office desktop PC that I am trying to remote desktop to a fixed IP address (192.168.1.20)
    3- For remote desktop, I had to type the IP address (192.168.1.20). Typing the PC name (officepc) or searching for was not working.
    4- For shared files, I had to map a network drive as //192.168.1.20/My Pictures for example. I couldn't find my PC when searched for it under Network.
    After doing all that, I was able to do kinda what I wanted. Ideally, I would have liked to avoid using fixed IP addresses and be able to access computers by their name and see them under the Network tab. Is there a way to do this? I noticed that RV220W offers SSL VPN, would that help me?
    I would appreciate it if you could answer my last two questions.
    Thanks!
    Mustafa

  • Cisco 2811 routers to route video over ip for polycom equipment.

    Hi forum,
    We are currently using polycom equipment over ISDN links for video conferencing, however, we intend to switch to our EIGRP E1 lines for that. All our sites are currently using 2811 routers to route both data and voip traffic. How do I provision the network so that I can use my E1 lines for video over ip? How should I design it?
    Besides, How do i provide video over ip service to my mobile users who vpn into my network.
    Thanks and best regards,
    paul

    first, on provisioning your network for video over ip, make sure you can implement the QoS required to provide a clear, unchoppy video stream.
    your design could look something like the following:
    polycom >> network >> router >> E1 >> router >> network >> user
    (very basic description, you may require more detail depending on your needs)
    also, for video over ip to your vpn users, you might be able to use something like cisco IPTV or the likes. (depending on the type of video you want to provide your users)
    please see the following link for video over ip for polycom:
    http://www.cisco.com/en/US/tech/tk1077/technologies_configuration_example09186a0080111c1b.shtml#configqos
    please see the following link for more QoS for video conferencing info:
    http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080094968.shtml
    please see the following link for info on video over ipsec vpn:
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns241/netbr09186a0080125154.html

  • Design validation for Internet over MPLS

    We have a Network on MPLS backbone with dual service provider.
    There are 50 spoke location.
    DC and DR location
    Topology is hub and spoke with all sites accessing data hosted at primary DC.
    ALso in case of disaster all the spoke sites will connect to DR site.
    Servers at DR site are on unique IP and failover from DC to DR is taken care by BGP routing intelligence.
    Aim is to give controlled internet access to all the spoke sites from DC and incase of failure internet should be available from DR site.
    As per our design architecture we are planning to upgrade the last mile bandwidth and MPLS port of all spoke sites and central site MPLS port bandwidth to give integrated access on the same last mile for all the locations.
    Both types of traffic, private and public, will ride on the same MPLS backbone and come to the primary DC site CE router.
    At CE router we will segregate the traffic meant for datacentre and internet cloud.
    We will also deploy firewall and separate internet router and proxy server for the proposed internet connectivity to control the spoke sites traffic.
    Is this a good design.
    Pls suggest with configuration how we are going to achieve this
    Also currently we are using BGP between CE-PE --- it should take care of the global routing meant for Internet traffic by flooding default route across all the spoke sites
    Pls find the existing architecture attached.
    Any inputs on the same will be appreciated.
    Regards

    As per your post you are looking for the solution to route internet via DC and on failure via DR.
    To do this you can inject default routes from both DC and DR. In doing this all the PEs in SP1 and SP2 will have 2 defaults in the VRF table for you. But only 1 would be installed based on regular BGP path selection process.
    To manipulate and select default from DC you can change any BGP path attribute and make the DC default favourable over DR default.
    I did not understand where you are doing PBR, but anyway PBR will work in sync with CEF without putting any load on your CPU since IOS 12.0. So you can run PBR wherever you are running it.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm
    To answer is this a good design or not, more inputs would be required as the current diagram is insufficient with legends, and the logic behind the creation of 3 vlans in the diagram is not explained in the post.
    Its not clear which site are you designating as spoke site, as the remote sites box has dual routers and dual connections.
    Since a good design of a network is more about what your data flow and business needs are, and then based upon it the technical design should meet the requirements put forth and scale as well at the same time. Here, if you agree, we don't have any of those inputs as well.
    HTH-Cheers,
    Swaroop

  • No Internet Over Network

    We recently have been having some problems with our internet over a network. The internet works fine when a computer is directly connected to the modem (we have DSL with DHCP) as that's what I'm using right now. We recently bought a brand new Airport Extreme (802.11n). I've followed the instructions, and for some reason, we can't get an internet connection coming through the base station, wired or wirelessly. Any help would be amazing. Thanks!

    Hello Zzarkc-20. Welcome to the Apple Discussions!
    It's always a good idea to perform a complete power recycle of your network components when changing configurations.
    Try the following, in order, checking for Internet access after each step, until resolved:
    1. If the modem has a reset switch, use it to reset the modem. Wait at least 5-10 minutes for the modem to initialize.
    2. Remove power from the modem. If it has a backup battery, remove this as well. Wait 5-10 minutes. Replace the battery, and add power back to the modem.
    3. Perform a complete power recycle of your network components as follows:
    Modem/Router Power Recycling - Quick
    o Power-off the modem, 802.11n AirPort Extreme Base Station (AEBSn), & computer(s); Wait at least 5 minutes.
    o Power-on the modem; Wait at least 5 minutes.
    o Power-on the AEBSn; Wait at least 5 minutes.
    o Power-on the computer(s)
    If this fails to get the modem to "recognize" the Internet router, then try the "Full" version.
    Modem/Router Power ReCycling - Full
    o Power-off the modem, AEBSn, & computer(s). (Wait at least 30 minutes. If possible, leave the modem off overnight.)
    o Power-on the modem; Wait at least 15 minutes.
    o Power-on the AEBSn; Wait at least 5 minutes.
    o Power-on the computer(s)
    4. Contact your ISP to have them perform a "modem reset."

  • Extremely slow Internet over Airport, good speed with Ethernet

    I've been using an airport extreme router (802.11n) for a while and recently I've noticed incredibly slow Internet over wifi. When I do a speed test it shows numbers like 200 kbps and I have a 10 mbps cable Internet connection. When I connect the ethernet from the modem it's perfect speed. Obviously Airport is slowing down my Internet connection. I tried resetting the Airport by pressing the reset button at the back, and it worked perfectly for a while. But after a few days it got back to slow Internet. Anybody have any idea?

    I don't know if this will help anyone else, but I came across some changes (purely by experimentation) that may help. I hope so, at least...
    I opened the Airport Utility and I swapped channels. The default is channel 6, but every other WiFi router defaults to this channel, too. I changed my Airport Extreme to use channel 3 (as well as my Airport Express), and now things are back to what I would have expected for an 802.11g connection.
    I will offer the suggestion that those of you with the same Internet slow-down observed on their iMac G5's try swapping channels. If you have an expanded WiFi home network vis-a-vis an Airport Express, be sure to update it first before you update your Airport Extreme.
    Best wishes and good luck!
    TRB

  • Controlling Traffic Over SA520 VPN

    Hi
    We have a site to site VPN between a satellite site and a customer.  Both ends are running SA520s.
    Is there any way to limit the traffic that is allowed to pass over the VPN?  Previously on PIXs and ASAs we've disabled the option to allow all traffic and then used ACLs but I can see a similar way to do this on the SA520.
    Ideally, we'd like to make the VPN one way so we have full access to the customer site but they have no access back to our office.
    Thanks
    Joe

    Hi Joe, thank you for using our forum, my name is Luis, I am part of the Small Business Support community. In this case you could set an ACL in order to restrict the access from the remote client to your LAN. Below I will share an article; please follow those steps and if you have any question please let me know.
    IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance
    I hope you find this answer useful
    Greetings,
    Luis Arias.
    Cisco Network Support Engineer.

  • Remote access to PC from the Internet over a DSL connection!

    Hello! I have a PC on the local LAN which is hooked to the Internet over a DSL Modem (Speedstream 4100) connection using a 2620 Router with 12.3 IOS. A remote vendor wants to access this PC using "Port forwarding" to Port 3389. He was able to do this using a Linksys Router instead of a 2620.
    There are no leased public IP addresses on this connection. The vendor was able to use some DDNS to accomplish this successfully. Now, the Linksys Router has been replaced with 2620 and I need help configuring this.
    Any ideas? Thanks in advance!

    Try:
    ip nat inside source static tcp <PC-LAN-IP> 3389 interface FastEthernet0 3389
    (replace <PC-LAN-IP> with the LAN address of the PC the vendor needs to reach)
    If the IP address for FA0 is dynamic, you can use DDNS as mentioned (requires additional configuration), or simply look it up in the router and communicate verbally to the vendor.
    Hope this helps, please rate post if it does!
