Routing issue for remote vpn user and spoke

Similar Messages

• Routing Issue for Remote Access Clients over Site to Site VPN tunnels

  I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

  Patrick, that was indeed true for a long time.
  But now it is fixed in PIX and ASA version 7.x.
  Please refer to this document for details:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• Authentication for easy vpn users using windows ad and xauth on pix firewa

  Hii
  We need to authenticate the VPN client users from windows as pix as the network device where all vpn configuration done
  Need the accounting for those vpn users.
  Thanks
  Manish GaurPlease guide me

  Manish,
  Which version of the pix os are you running 6.x.x or 7.x.x. If your using 6 your have to use radius. Follow this guide for radius:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
  For the actual pix configuration its easiest to run through the vpn wizard in PDM (PIX Device Manager)
  The radius guide should work for 7.0 if you run the ADSM Wizard for the vpn portion.
  Patrick
  Please rate any posts that are helpful.

• PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

  One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.           
  Some other info from the client end:
  I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
  Also Tunnel received 0 and sent 115119
  Encryption is 168-bit 3-DES
  Authentication is HMAC-SHA1
  also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
  also Transparent tunneling is selcted but in the stats it states it is inactive
  I am connecting with the Cisco VPN Client Ver 5.0.07.0440
  This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
  I need to  see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x    I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.
  Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.
  I still cannot seem to find the issue with this config and any help will be greatly appreciated.
  This is the config
  interface ethernet0 100full
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password somepassword
  hostname hostname
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  object-group network internal_trusted_net
    network-object 192.168.40.0 255.255.255.0
  object-group icmp-type icmp_outside
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    icmp-object source-quench
  access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
  access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list OutToIn permit ip any any
  access-list outbound permit ip any any
  (NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside xxx.xxx.xxx.xxx 255.255.255.248
  ip address inside 192.168.40.2 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.
  nat (inside) 0 access-list no_nat_inside
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group acl_outside_in in interface outside
  access-group outbound in interface inside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.40.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community $XXXXXX$
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
  crypto dynamic-map clientmap 50 set transform-set 3des_strong
  crypto map vpn 50 ipsec-isakmp dynamic clientmap
  crypto map vpn client configuration address initiate
  crypto map vpn client configuration address respond
  crypto map vpn client authentication LOCAL
  crypto map vpn interface outside
  isakmp enable outside
  isakmp identity address
  isakmp client configuration address-pool local vpn_client_pool outside
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  vpngroup remote-vpn split-tunnel split_tunnel
  vpngroup remote-vpn idle-time 10800
  vpngroup remote-vpn password ANOTHER PASSWORD
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 192.168.40.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 60
  dhcpd address 192.168.40.100-192.168.40.131 inside
  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd enable inside
  username AUSER password PASSWORD privilege 15
  terminal width 80
  ****************** End of config
  I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network)  was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper  for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.
  Thank you once again.

  Hi,
  PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
  If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
  But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
  I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
  Here is a PDF of the original ASA5500 Series.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
  Here is a PDF of the new ASA5500-X Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
  I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
  Could you provide the requested outputs?
  From the PIX after connection test
  show crypto ipsec sa
  Screen captures of the VPN Client routing and statistics sections.
  - Jouni

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• Central Site Internet Connectivity for MPLS VPN User

  What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

  Hello,
  Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
  Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
  One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
  Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
  The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
  http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
  Kind Regards,
  M.

• VPN hub and spoke topology, hub using two interfaces

  Hi,
  I'm facing a problem with Cisco ASA 5500 running software 8.4.
  I know, i know, VPN hub and spoke was already discussed many times. But all these discussions are about a hub using only one interface, the outside/public interfcae.
  My topology is slightly different.
  LAN-A - VPN peer A <--> (Internet) <--> (outside if)-ASA-B-(inside if) <--> (corporate network) <--> (outside if)-ASA-C-(inside if) <--> LAN-C
  VPN communication should flow between LAN-A and LAN-C.
  Phase I and phase II are working on both tunnels (A-B, B-C). Therefore cryptomaps should be right.
  IPsec SA for tunnel A-B is explicit for LAN-A and LAN-C.
  IPsec SA for tunnel B-C connects any with LAN-C.
  What I can see on ASA-B is incoming traffic from LAN-A on tunnel A-B.
  That does not trigger an SA for tunnel B-C!
  Traffic initiated from LAN-C, I can see on ASA-B as incoming traffic, SA for LAN-A to LAN-C is build up on tunnel B-C.
  Traffic seems to enter tunnel A-B as I can see outgoing traffic on ASA-B.
  Of course, NAT exemption is configured for traffic between LAN-A and LAN-C.
  Why doesn't incoming traffic from LAN-A initiate SA on tunnel B-C?
  It looks like incoming traffic from LAN-A enters ASA-B and is dropped or send anywhere but the right direction.
  I admit I'm clueless.
  Any help would be appreciated.
  Thanks folks.

  Analyzing the config files you revealed the inactiv NAT exemption for traffic flow between LAN-A and LAN-C.
  Furthermore a static route fro LAN-C out the inside interface was missing.
  Fixing both communication works fine.
  Thanks for the real good support.

• 2 tier security for remote vpn ?

  Hi,
  I have a cisco PIX 501 in which remote VPN is configured for our company. Currently, for the remote users, the authentication is just a vpn groupname and a password. All the users use the same credentials for logging in. Can I have separate remote vpn users using their own login crentials with a single vpngroup?

  You can achive this via the x-auth feature, please check out the following links:
  PIX 6.x:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008010a206.shtml
  7.x and later
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
  Regards
  Farrukh

• Remote Desktop Service Manager - configure permissions for Remote Desktop Users to Send Message, Disconnect, Logoff

  Hello, dear colleagues.
  We are using Windows Server 2012 R2 as Remote Desktop Server. Also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info). 
  Send Message, Disconnect, Logoff options works only for users in Administrators group.
  I can't to configure permissions for Remote Desktop Users, specific user or AD group. 
  To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connect to Windows Server 2012 R2. Then double-click
  RDP-Tcp, Security tab, add specific user account , AD group or configure
  advanced permissions
  for Remote Desktop Users.  
  But, as I sad above, these options works only for users in Administrators group. How to make it work for Remote Desktop Users or specific user, AD group?
  Thanks.
  P.S. If move specific user from Remote Desktop Users group to Administrators group on
  Windows Server 2012 R2 - it works. 

  Hi,
  You can prevent administrators from changing the permissions for a connection by applying the
  Do not allow local administrators to customize permissions Group Policy setting. 
  This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
  Apart there is one command with which you can set the permission for that check the related
  article. Additionally checkthis
  thread for more detail.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Group Policy for Remote Desktop Users

  Hi,
  Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
  I am planning a Remote Desktop 2012 environment.
  I have read the following:
  TechNet cc779327
  So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
  Remote Desktop Servers OU
             * RD User GPO (filter on RD User security Group and RD Computer Security Group)
             * RD Computer GPO (filter on RD User security Group and RD Computer Security Group)
  I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
  I then apply all user settings to the RD User GPO (app specific, templates etc.)
  Why not consolidate the two GPOs into one?
  If I set computer settings in the computer GPO, and apply it as above to filter to the RD Server group and RD Users Group will this apply to only users un the RD User Group...or ALL users since I added the server to the filter?
  If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
  Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
  Loopback processing - merge or replace typically for Remote Desktop?

  Hi,
  Thank you for posting in Windows Server Forum.
  Create OU for RDS Server in Active Directory. Create security group for users who will use Remote Desktop Host (i.e. RDS Users). Create GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add RDS Server Account, and the security
  group created in previous step.
  Please check beneath article might useful for better understanding.
  Lock Down Remote Desktop Services Server 2012
  How to secure your remote desktop server with GPO
  Hope it helps!
  Thanks,
  Dharmesh

• I tried to upgrade the ios on the phone and I was asked for my icloud user and password. I don't remember these exactly and I tried several times with different options but unsuccessfully. I also forget my email used to configurate the phone.

  How i said on the question. I tried to upgrade the ios on the phone and I was asked for my icloud user and password. I don’t remember these exactly and I tried several times with different options but unsuccessfully. I also forget my email used to configurate the phone. I have the phone box and the bill. I sent you an email with my problem and attachments with the box informations, the bill and the reset request. What to do? You said to me:
  Your request comes from an unrecognized email domain. Apple accepts email requests only from email domains for Apple-authorized carriers.
  Please re-submit your request using your official carrier domain.
  but this email is authorized, what to do??
                                                                                                            respectfully, Beba

  If you have forgotten then these links are the only way to resolve
  http://www.apple.com/support/appleid/
  As long as you have owned the iPhone from new and your Apple id is the one used to activate when new
  OR have you recently purchased the iPhone secondhand ?

• HT4314 I have two ipods in my house that were set up under the same email.  I have since assigned two different emails.  How can I change the game center account so that is not shared by both ipods because it is for two different users and they are not ha

  I have two ipods in my house that were set up under the same email.  I have since assigned two different emails.  How can I change the game center account so that is not shared by both ipods because it is for two different users and they are not happy?

  By "game center account", do you mean Apple ID?
  If so, you can change it.
  1. Tap settings and navigate to iTunes and App Stores
  2. Tap "Apple ID" and then tap "Sign Out"
  3. Log in with a different ID.

• Known Issues for Windows 10 SDK and Tools

  Please read about Known Issues for Windows 10 developers in the Known Issues for Windows 10 SDK and Tools
  forum

  To fix this issue, your computer must be connected to the internet to download these components.
  Make sure your computer is connected to the internet.
  Open Control Panel, and select Programs and Features. 
  Select Microsoft Visual Studio 2015 RC, click Change, and then click
  Modify.
  Select the feature “Universal Windows App Development Tools”, and click
  Update.

• Procedure for creating a user and assigning him a role

  Hi folks,
  has anyone of you a procedure for creating a user and then assigning him a spezial role?
  The procedure has 2 arguments username and password. I think that its an easy one but I
  have not found the right packages.
  Thanks

  create or replace procedure new_user(username_in IN VARCHAR2, password_in IN VARCHAR2) is
    C_TEMP_TSP     CONSTANT VARCHAR2(30) := 'TEMP';
    C_DEFAULT_TSP  CONSTANT VARCHAR2(30) := 'USERS';
    C_DEFAULT_ROLE CONSTANT VARCHAR2(30) := 'SPECIALROLE';
  begin
    execute immediate 'create user ' || username_in ||
                      ' identified by ' || password_in ||
                      ' default tablespace ' || C_DEFAULT_TSP ||
                      ' temporary tablespace ' || C_TEMP_TSP;
    execute immediate  'grant '|| C_DEFAULT_ROLE ||' to '||username_in;
  end new_user;

• Any know issues for JRE 1.6 and BOXI 3.1

  Any know issues for JRE 1.6 and BOXI 3.1

  Our most stable JRE with which we've had best results has been JRE_1.6.0_07
  Hope this helps.