RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

Similar Messages

• How to configure full tunnel with VPN client and router?

  I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

  I think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

• Mavericks VPN dropouts with native VPN client and Cisco IPSec

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

• Cisco ASA 5505, Cisco VPN Client and Novell Netware

  Hi,
  Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
  I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
  When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
  The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

  If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

• Boot camp with Cisco VPN client and smart card

  Looking at a Macbook or Macbook Air and the only reason I need to run windows is to be able to access my work network through the Cisco VPN client and my Smartcard then use remote desktop. From my understanding if I run Bootcamp it should work am I correct? Im going to an Apple store tomorrow hopefully they can help too.
  Thanks

  mrbacklash wrote:
  Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
  I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
  Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
  Message was edited by: BobTheFisherman

• Problem with Cisco VPN client and HP elitebook 2530p windows 7 64-bit

  Hi there
  I have a HP Elitebook 2530p which i upgraded to windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290 and also 64-bit) and the HP connection manager to connect to the internet through a modem Qualcomm gobi 1000 (that is inside the laptop). When I connect to the VPN, it connects (I write the username and password) but there is no traffic inside de virtual adapter for my servers. When I connect to the internet through wire or wireless internet, I connect de VPN client and there is no problem to establish communication to my servers.
  I tried everything, also change the driver and an earlier version of the HP connection manager application. I also talked to HP and they told me that there was a report with this kind of problem and it was delivered to Cisco. I don’t know where is the problem.
  Could anyone help me?
  Thanks to all.

  You can try to update Deterministic Network Enhancer to the below listed release which supports
  WWAN Drivers.
  http://www.citrix.com/lang/English/lp/lp_1680845.asp.
  DNE now supports WWAN devices in Win7.  Before downloading the latest version of DNEUpdate from the links below,  be sure you have the latest
  drivers for your network adapters by downloading them from the vendors’ websites.
  For 64-bit: ftp://files.citrix.com/dneupdate64.msi
  Hope that helps.

• Difference between instant client and full oracle client

  Everyone,
  I had read the below lines from a goldengate pdf. Someone please explain me what is the difference between instant client and full oracle client?
  What is the use of XDK libraries.?
  " The full Oracle client must be used with GoldenGate so that the GoldenGate programs
  have access to the Oracle XDK libraries. Do not use Oracle Instant Client, which lacks
  those libraries. You can download the full client from Oracle’s website."
  Regards,
  SAKTHi

  The dealio is this:
  When you install client software, you have several options as to the degree of what you get/install. The big chicken dinner is administrator, so you get all kinds of extra features, add-ons, libraries, utilities, etc. At the hard candy Christmas end is instant client, and that has just enough functionality to, as you may surmise by now, connect a client and that's about it. Various libraries have functionality built in to do whatever extra is required. An example is FAN, or fast application notification, used in Data Guard failover. A FAN API (Java) will detect a failover and re-direct a client connection to the new primary. What GG uses XDK for (specifically) isn't of importance to a user, just the fact that it is available for connecting to Oracle is.

• SonicWall Global VPN Client and Split tunneling

  Hello All,
  I searched Google and the forums here and can't find someone with the same problem.
  Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
  So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
  -Thank You in advance for your time.
  Message Edited by Chris_F on 01-11-2010 07:41 AM
  Chris F.
  CCENT, CCNA, CCNA Sec

  Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
  I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
  Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
  Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
  So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

• Configure a VPN client and Site to Site VPN tunnel

  Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
  SiteA config with working VPN tunnel to SiteB:
  SITE A
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 webdmz security20
  enable password xxx
  passwd xxx
  hostname SiteA-pix
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  no fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 200.x.x.0 SiteA_INT
  name 201.x.x.201 SiteA_EXT
  name 200.x.x.254 PIX_INT
  name 10.10.10.0 SiteB_INT
  name 11.x.x.11 SiteB_EXT
  access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list acl_inside permit icmp any any
  access-list acl_inside permit ip any any
  access-list acl_outside permit ip any any
  access-list acl_outside permit icmp any any
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu webdmz 1500
  ip address outside SiteA_EXT 255.x.x.128
  ip address inside PIX_INT 255.255.0.0
  no ip address webdmz
  ip audit info action alarm
  ip audit attack action alarm
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  route outside 0.0.0.x.x.0.0 201.201.201.202 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer SiteB_EXT
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80
  SiteA-pix(config)#
  Lines I add for Cisco VPN clients is attached
  I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
  Anyone any ideas what this can be?
  Thanks

  Heres my config:
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 webdmz security20
  enable password xxx
  passwd xxx
  hostname SiteA-pix
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  no fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 200.x.x.0 SiteA_INT
  name 201.x.x.201 SiteA_EXT
  name 200.x.x.254 PIX_INT
  name 10.10.10.0 SiteB_INT
  name 11.11.11.11 SiteB_EXT
  access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list acl_inside permit icmp any any
  access-list acl_inside permit ip any any
  access-list acl_outside permit ip any any
  access-list acl_outside permit icmp any any
  access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu webdmz 1500
  ip address outside SiteA_EXT 255.255.255.128
  ip address inside PIX_INT 255.255.0.0
  no ip address webdmz
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool pix_inside 200.x.x.100-200.220.200.150
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  route outside 0.0.0.0 0.0.0.x.x.201.202 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
  crypto dynamic-map DYNOMAP 10 match address 80
  crypto dynamic-map DYNOMAP 10 set transform-set AAADES
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer SiteB_EXT
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
  crypto map outside_map client authentication RADIUS
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash sha
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  vpngroup Remote address-pool pix_inside
  vpngroup Remote dns-server 200.200.200.20
  vpngroup Remote wins-server 200.200.200.20
  vpngroup Remote default-domain mycorp.co.uk
  vpngroup Remote idle-time 1800
  vpngroup Remote password password
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80
  I will attach debug output later today.
  Thanks

• I cannot route to remote subnets from cisco vpn client and pptp client

  Hi guys,
  I've a big problem, I configured a 877 cisco router as a cisco vpn server (the customer use it to connect to his network from pc) and a pptp vpn server (he use it to connet to the network from a smartphone).
  In this router I created 2 vlan, one for wired network (192.168.10.0/24) and the second one (10.0.0.0/24) for wireless clients and I use fastethernet 3 port to connect these to the router.
  this is the issue, when the customer try to connect to a wireless network from both of vpn clients he cannot do this, but if he try to connect to a wired network client all working fine.
  following the addresses taken from the router.
  - encrypted vpn client -
  ip address. 192.168.10.20
  netmask 255.255.255.0
  Default Gateway. none (blank)
  - pptp vpn client -
  ip address. 192.168.10.21
  netmask. 255.255.255.255
  Default Gateway. 192.168.10.21
  Is possible that I cannot reach the remote subnet because the clients doesn't receive a gateway (in the first case) or receive the wrong subnet/gateway (in the second one)..?
  There is anyone can help me..?
  Thank you very much.
  Many Kisses and Kindly Regards..
  Ilaria

  The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).
  The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.
  The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.
  The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.
  Here's the format of the command:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

• Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

  Hi Community.
  I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
  I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
  VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
  The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
  I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
  My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
  I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
  What do you think?

  Hi,
  Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
  This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
  - Jouni

• VPN Client and DNS settings

  Hello,
  here are few posts (quite some time ago) telling the same trouble:
  The VPN Client does *NOT* restore the original DNS settings.
  Upon BM3.8.2 Massimo told, that this is a bug in that version of the VPN
  client. I face this issue with 3.8.16 and nwclient 4.91.4 with or without
  the three currently available hotfixes [1]
  Anybody else facing this trouble with the current VPN client release?
  May be an older one works better, any experiences?
  This trouble is fact even after clean disconnects. But it happens only now and then,
  I might need to try it 50 times to see it once.
  a followup in CMD boxes with ipconfig /all does show, that the times
  to restore the original DNS settings vary from 2 to 30 seconds. Mostly about 5 seconds.
  Massimo also told, that a "VPN-down" due to a Win-Shutdown can cause this: So is
  there a possibility to trigger a "clean-VPN down" in the Win-shutdown sequence?
  As a workaround I packed this line into all users "run" key:
  netsh int ip set dns name="LAN-Verbindung" source=dhcp
  so at least after a reboot it's corrected.
  Any suggestions appreciated,
  [1]
  Novell Client 4.91 Post-SP2/3/4 NWSPOOL.DLL
  Novell Client post-4.91 SP4 LGNCXW32.DLL
  Novell Client 4.91 Post-SP4 NWGINA.DLL 1
  IT-Beratung Rudolf Thilo
  Schweinfurter Str. 131
  97464 Niederwerrn
  t: +49 (0)9721/6464840
  f: +49 (0)9721/6464841
  m: +49(0)171/685 9 685

  Hello Craig,
  thanks for your answer.
  [VPN Client sometimes doesn't restore DNS settings after disconnecting]
  e.g. TID 10096552 is telling such a trouble, that should be fixed with
  BM VPN Client 3.8.10
  > > Any suggestions appreciated,
  > >
  > This one seems to be so related to the design of the VPN client that
  > you may need to open an incident to get it fixed, if that even would
  > help.
  >
  > There used to be a utility designed to clean up after the VPN client,
  > but I can't remember now what it was. I never tried it that I can
  > remember.
  Anybody else who knows about that tool?
  After doing some "teachment" to these VPN users the incidents of this
  trouble didn't show up as frequent as before. So I assume, that one
  reason might be this:
  Scenario
  VPN connect
  PCA connect to host in corporate LAN
  PCA full screen *SHOULD* be activated (ALT+ENTER)
  working, working, working
  shutdown PC in corporate LAN
  close VPN tunnel
  shutdown local home office PC.
  When it was missed to activate PCA fullscreen without noticing this,
  then the "remote" start button is not visible.
  So instead of shutting down the remote PC, the local PC is shut down.
  By that, the local shutdown is killing (not cleanly disconnecting)
  the VPN client. When this happened (and I 100% can reproduce this)
  after the next boot of the home office PC the VPN connect will *ALWAYS*
  fail. After another reboot the VPN connect will succeed again without
  any problems.
  Is this a known issue? (I cannot find that TID I found before telling
  missbehaviour when VPN connects are not disconnected clean. IIRC this
  was something fixed in a VPN client version /several/ subversions ago)
  Home Office PC = XPSP2+Hotfixes, VPN Client BM 3.8.16, nici from that
  one first, now taken from NWClient 4.91.4, no difference.
  Regards, Rudi.
  IT-Beratung Rudolf Thilo
  Schweinfurter Str. 131
  97464 Niederwerrn
  t: +49 (0)9721/6464840
  f: +49 (0)9721/6464841
  m: +49(0)171/685 9 685

• VPN client and radius or CAR

  Hello:
  I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.
  the vpn client user needs to be authenticated by group id and password, and user id and password.
  How should I setup CAR, could someone provides me an example?
  I saw this sample, but there is no relationship between user and group.
  Any suggestions?
  thx
  [ //localhost/RADIUS/UserLists/Default/joe-coke ]
  Name = joe-coke
  Description =
  Password = <encrypted>
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ =
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  [ //localhost/RADIUS/UserLists/Default/group1 ]
  Name = group1
  Description =
  Password = <encrypted> (would be "cisco")
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ = group1profile
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco
  AV-pairs:
  [ //localhost/RADIUS/Profiles/group1profile/Attributes ]
  cisco-avpair = ipsec:key-exchange=ike
  cisco-avpair = ipsec:tunnel-password=cisco123
  cisco-avpair = ipsec:addr-pool=pool1
  Service-Type = Outbound

  you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.
  The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

• Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

  Hi Guys
  I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
  I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
  However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
  When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
  Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
  My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
  Also want to be able to set logging to debug mode for the Racoon application on mac clients.
  Your help is much appreciated
  Kind Regards
  Mohamed

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• Problem with VPN Client and PIX 7.0(5)

  Hi, i have a problem configuring my pix 525 7.0(5) as a remote vpn server. I already configure the pix
  sollowing this instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
  and i can establish a vpn using CISCO VPN Client; but i can't reach any resource from my inside network or any network define in the PIX.
  I think that could be a missing nat or an acl; but i have do a lot of research but i can figure out the solution.
  This is the configuration i apply
  access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
  access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
  access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
  access-list acl-vpn-sap-remoto extended permit ip any any
  access-list acl-vpn-sap-remoto extended permit icmp any any
  ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
  nat (inside) 0 access-list cryptomap-scada
  group-policy VPN_SAP_PED internal
  group-policy VPN_SAP_PED attributes
  vpn-filter value acl-vpn-sap-remoto
  vpn-tunnel-protocol IPSec
  username vpnuser password **** encrypted
  username vpnuser attributes
  vpn-group-policy VPN_SAP_PED
  crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
  crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
  crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
  crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
  isakmp policy 7 authentication pre-share
  isakmp policy 7 encryption 3des
  isakmp policy 7 hash sha
  isakmp policy 7 group 2
  isakmp policy 7 lifetime 43200
  tunnel-group VPN_SAP_PED type ipsec-ra
  tunnel-group VPN_SAP_PED general-attributes
  address-pool pool_vpn_sap
  default-group-policy VPN_SAP_PED
  tunnel-group VPN_SAP_PED ipsec-attributes
  pre-shared-key clavevpnsap
  Thanks in Advanced

  Hi, thanks for you response, if i remove the acl form de vpn filter, i get the same problem (i can't reach any host). This is the output from the command that you ask for.
  PIX-Principal(config)# show running-config nat
  nat (inside) 0 access-list cryptomap-scada
  nat (inside) 9 JOsorioPC 255.255.255.255
  nat (inside) 9 GColinaPC 255.255.255.255
  nat (inside) 9 AlfonsoPC 255.255.255.255
  nat (inside) 9 AngelPC 255.255.255.255
  nat (inside) 9 JerryPC 255.255.255.255
  nat (inside) 9 EstebanPC 255.255.255.255
  nat (inside) 9 GiancarloPC 255.255.255.255
  nat (inside) 9 WilliamsPC 255.255.255.255
  nat (inside) 9 PerniaPC 255.255.255.255
  nat (inside) 9 ElvisDomPC 255.255.255.255
  nat (inside) 8 LBermudezPC 255.255.255.255
  nat (inside) 9 HelpDeskPC 255.255.255.255
  nat (inside) 9 OscarOPC 255.255.255.255
  nat (inside) 9 AnaPC 255.255.255.255
  nat (inside) 9 RobertoPC 255.255.255.255
  nat (inside) 9 MarthaPC 255.255.255.255
  nat (inside) 9 NOCPc5-I 255.255.255.255
  nat (inside) 9 NOCPc6-I 255.255.255.255
  nat (inside) 9 CiraPC 255.255.255.255
  nat (inside) 9 JaimePC 255.255.255.255
  nat (inside) 9 EugemarPC 255.255.255.255
  nat (inside) 9 JosePC 255.255.255.255
  nat (inside) 9 RixioPC 255.255.255.255
  nat (inside) 9 DaniellePC 255.255.255.255
  nat (inside) 9 NorimarPC 255.255.255.255
  nat (inside) 9 NNavaPC 255.255.255.255
  nat (inside) 8 ManriquePC 255.255.255.255
  nat (inside) 8 MarcialPC 255.255.255.255
  nat (inside) 8 JAlbornozPC 255.255.255.255
  nat (inside) 9 GUrdanetaPC 255.255.255.255
  nat (inside) 9 RVegaPC 255.255.255.255
  nat (inside) 9 LLabarcaPC 255.255.255.255
  nat (inside) 9 Torondoy-I 255.255.255.255
  nat (inside) 9 Escuque-I 255.255.255.255
  nat (inside) 9 Turbio-I 255.255.255.255
  nat (inside) 9 JoseMora 255.255.255.255
  nat (inside) 8 San-Juan-I 255.255.255.255
  nat (inside) 8 Router7507 255.255.255.255
  nat (inside) 8 NOCPc4-I 255.255.255.255
  nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255