Setting up site to site IPSec VPN with RV 120W

Hi All,
I am looking to set up a site to site VPN between a local and remote office, with a RV 120w as the gateway at either side. Aside from changing the remote site's IP and Subnet, what do I need to do to get this functional? to call myself a well tooled novice would be appropriate. Any help is appreciated.
Thanks,
Scott

You will most likely need to call the Cisco Small Business Support Center at 1-866-606-1866 so that
we can assist you in setting up the Gateway to Gateway VPN Tunnel.
THANKS
Rick Roe
Cisco Small Business Support Center

Similar Messages

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure  Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
    2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
    But I have not been able to make tradiotional Hairpinng model work in this scenario.
    I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
    Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
    LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
    running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
            a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
    Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
    That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted  against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
    I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
    But my problem is not solved fully here.
    Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
    Here the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1)LAN behind ASA
    2)INTERNET via HAIRPINNING  
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit

  • Cisco ASA 5505 site to site IPSec VPN with RV220W issue

    I have a ASA5505 connected to RV220W through IPSec VPN. When  using SMB to transfer large file, the ASA5505 will show error message:
    CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
    The error message from the debug crypto engine. When  the message show, the speed of the transfer will slow down quickly, and  even no data can be go through between ASA and the RV220W. But the IPSec  SA and the IKE SA is active, and can ping the inside network in both  site.
    Both ASA5505 and the RV220W has been updated the latest firmware. I have surf the Google but no such related issue found.
    Any suggestions on where to look would be much appreciated.
    Thanks in advance
    Terry

    Hi Ted thanks for your reply and information.
    The strange things happened in RV220W shows the IPSec sa is expired, but the ASA5505 IPSec and IKEv1 sa is active. Inside both site internal network can ping to other side, but cant transfer file through Windows SMB. It seems when I transfer over 4GBytes of file, it will start happening and required clear IPSec and IKEv1 sa so that the VPN tunnel will start up again.
    I am already surrander for this issue......

  • RV180W ipsec vpn with multiple networks

    Hello,
    I am setting up a customer site.  One side is RV180W and the other side is Checkpoint 500W.
    RV180W side
    LAN - 192.168.100.0/24
    Checkpoint side
    LAN - 172.26.1.0/24
    VOIP - 172.26.2.0/24
    Need to setup an ipsec tunnel between the site.  However, from the RV180W side, I can only ping the VOIP network, but not LAN.  Need help.  I have heard that RV180W only can talk to one remote network via ipsec, correct?  Any other way to workaround this other than changing out the RV180W?  Thanks.
    Ho

    Hi Tom,
    I have a similar situation, needing to setup 3 tunnels to the same endpoint.  Each tunnel has a different remote LAN setting, but I can only get one tunnel to work at a time.  I have to disable the other two.  For more details, see my posting: https://supportforums.cisco.com/message/3781143#3781143
    How can I setup 3 IPSEC tunnels to the same endpoint?
    Marshall

  • IPSec VPN with VTI behind DSL router

    Hi All,
    Is it possible to use a vti tunnel interface on a router when the outside interface has a private IP address connected to a DSL modem with a static public IP address, in other words the router sits behind the DSL modem?
    Router gi0/1        -->        DSL Modem     -->     Internet  --> to HQ (Firewall with static IP)
    Outside 192.168.1.2            WAN static public IP
                                                           LAN 192.168.1.1
    Interface config:
    interface GigabitEthernet0/1
     ip vrf forwarding Internet-VRF
     ip address 192.168.1.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    end
    Tunnel config:
    crypto isakmp policy 282
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
     hash sha
    crypto isakmp key 0 PSK address xxx.xxx.xxx.xxx
    crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec profile VPN
     set transform-set aes256-sha
     set pfs group2
    interface Tunnel1
     ip vrf forwarding Internet-VRF
     ip address 172.27.82.254 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     tunnel source Gi0/1
     tunnel mode ipsec ipv4
     tunnel destination xxx.xxx.xxx.xxx
     tunnel protection ipsec profile VPN
    I have been digging into Cisco documentation but have no answer found.
    Thanks in advance.

    Both the remote and hub router will detect existence of NAT device in between, which caused the both routers switching over from UDP port 500 to UDP port 4500 to exchange IKE message. I can suspect there is no switch over taking place from you log(both using UDP 500), So I suggest you validate if both routers support NAT-T feature by checking if they are listening on UDP port 4500?

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • Solaris 10 site to site VPN with netscreen or linux freeswan

    Hello,
    Have anybody made Solaris site to site ipsec VPN with netscreen firewall or linux freeswan?

    a.alekseev,
    It works! Thank you very much. I somehow have overlooked that command entirely. I am very grateful.

  • Site to site VPN with windows server 2012

    I am trying to connect our server to cisco site-to-site IPSec VPN with one of our partners servers, they asked us to implement the settings they gave us into our router, but actually we don't have access to the router, we are just connected directly with
    our ISP. alternatively, we were informed that we can use software VPN instead, and yes we found a working one, tested and verified, but we have to pay for it to keep running.
    Now my question is, having that we are running windows server 2012 R2, how can we establish this VPN connection directly from windows without the need to use third parties tools?
    The only parameter that we have to connect are:
    Gateway IP: xxx.xxx.xxx.xxx
    Authentication Pre-shared Key: ######
    Encryption: 3DES
    Hash authentication: MD5
    DH: Group1
    No username or password is needed with this type of VPN.
    Any help is appreciated.
    Best regards, Abed

    Hi,
    You may try to configure the Windows Server 2012 (RRAS) as VPN router to connect to the 3rd party VPN server(compatible with Windows Server VPN).
    Some samples just for your reference:
    Checklist: Implementing a Site-to-Site Connection Design
    https://technet.microsoft.com/en-us/library/ff687867(v=ws.10).aspx
    TMG Configuring site-to-site VPN access
    http://technet.microsoft.com/en-us/library/bb838949.aspx
    More about how to deploy the RRAS on TMG please post in the TMG forum:
    Forefront support forum
    http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • ASA Cannot access https device via Clientless VPN bookmark, site to site works fine

    We've got two offices connected via an IPSEC tunnel.  This site to site VPN works great, we can access our remote devices fine from a PC on either LAN at each office.  The device's address is https://192.168.210.2
    However, if we make a bookmark on the Clientless VPN for that same address the conneciton just times out if it has to go over the site to site VPN. 
    We plugged the exact same web enabled device on the local side of the VPN, put in a bookmark for its https address and it works fine.  Its just remote bookmarks for devices on the other side of the tunnel do not work.
    Looking at the debug log I see the request going out from the source to the destination on port 443 but nothing more.  The NAT exemption etc are all right because people on the LAN have no problem accessing this device remotely with their browser. 
    I haven't been able to adequately describe this problem to find a matching Cisco example, anyone know how to fix this?

    hi luis,
    thank you for your reply. we've checked the smoothwall configuration, but couldn't discover anything which could cause this problem. we even tried replacing the sa520 with a draytek vigor router to set up an lan-to-lan vpn with the smoothwall. with the draytek in place we have no problems accessing the aforementioned servers, so it seems the issue is with the SA520.
    what exactly do you mean by creating an ACL from the remote WAN to our LAN? i assumed you meant creating a firewall rule, allowing traffic from the remote device's public ip to our LAN. however, in that case i need to enter an ip address of a device in our LAN, or else i cannot save this rule. as a test i entered the ip address of my machine as the destination address, but am still unable to access the aforementioned servers.
    here's how i set up the rule:
    from zone: UNSECURE (WAN/optional WAN)
    to zone: LAN
    service: ANY
    action: ALLOW always
    schedule: (not set)
    source hosts: Single address
    from: public ip of one of the aforementioned servers
    source NAT settings > external IP address: WAN interface address (cannot change this setting)
    source NAT settings >WAN interface: dedicated WAN (cannot change this setting)
    destination NAT settings > internal ip address: 192.168.11.123 (ip address of my machine)
    enable port forwarding: unchecked
    translate port number: empty
    external IP address: dedicated WAN

  • SA520: problem when trying to access HTTPS over custom port in a site-to-site vpn

    We've set up a site-to-site VPN between our SA520 and our SmoothWall running at our data center. The tunnel is always connected, so that part runs fine
    What works fine:
    - Client 192.168.11.1 is able to start an RDP session (on it's default port 3389) to server 192.168.3.5
    - Client 192.168.11.1 can open a webpage which is hosted on server 192.168.3.5 (hosted on the default HTTP port 80)
    What doesn't work:
    - Client cannot open web page which is hosted on server 192.168.3.1 at the following url: https://192.168.3.1:441
    - or, for that matter, any https service in the 192.168.3.x LAN which runs on a different port
    To summarize:
    from the 192.168.11.x subnet, accessing services running on default ports (i.e. 80, 3389, 21) in the 192.168.3.x subnet works fine. doing the same for services running on custom ports (i.e. https over port 441) the connection to the webserver times out.
    Thanks in advance for any help you may provide.
    Glen

    hi luis,
    thank you for your reply. we've checked the smoothwall configuration, but couldn't discover anything which could cause this problem. we even tried replacing the sa520 with a draytek vigor router to set up an lan-to-lan vpn with the smoothwall. with the draytek in place we have no problems accessing the aforementioned servers, so it seems the issue is with the SA520.
    what exactly do you mean by creating an ACL from the remote WAN to our LAN? i assumed you meant creating a firewall rule, allowing traffic from the remote device's public ip to our LAN. however, in that case i need to enter an ip address of a device in our LAN, or else i cannot save this rule. as a test i entered the ip address of my machine as the destination address, but am still unable to access the aforementioned servers.
    here's how i set up the rule:
    from zone: UNSECURE (WAN/optional WAN)
    to zone: LAN
    service: ANY
    action: ALLOW always
    schedule: (not set)
    source hosts: Single address
    from: public ip of one of the aforementioned servers
    source NAT settings > external IP address: WAN interface address (cannot change this setting)
    source NAT settings >WAN interface: dedicated WAN (cannot change this setting)
    destination NAT settings > internal ip address: 192.168.11.123 (ip address of my machine)
    enable port forwarding: unchecked
    translate port number: empty
    external IP address: dedicated WAN

  • Site to Site and Remote Access VPN

    Hi All,
        Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
    Regards
    Abhishek
    This topic first appeared in the Spiceworks Community

    A document exists where PIX/ASA maintains LAN-ti-LAN IPsec tunnel at two end points and there is overlapping networks at ther inside interface of both the asa. Probably, the basic configuration for both asa and IOS routers are nat config. So, this particular document might be useful for your requirement
    PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Very slow Windows domain login over IPSec VPN

    Hi
    I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
    I made some registery changes on the Windows XP client on site2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or somethin like that. I already changed the clients MTU settings to 1000 byes, but login is still very slow. I made some sniffer logs...
    Does anybody know what the problem can be ?
    Regards
    Remco

    Hi Remco,
    The most common issue with slowness over VPN is going to be fragementation. In general below are the recommendations to avoid fragmentation
    1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
    If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used E.g. AES\3DES etc, so you can increase the value of TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
    Also take a look at the below article for MTU Issues
    http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
    Thanks,
    Naman

  • ASA IPSEC VPN Design Question; ARP Between ASA

    I"ve a requirement to put two ASA between two sites. The second site has hosts within the same network as the first site (conflict of fundamental routing principles). Can you put an ASA inline between the router and distribution switch at each site, setup an IPSEC VPN and not have issue? I thought we could have the distro switch terminate in the DMZ interface setup as a layer 2 interface in a vlan with a vlan int in the same network as the vlan int on the ASA DMZ interface on the ASA at the other site. Will this work? I guess the biggest concern is how to get layer 2 (arp) to work so hosts/servers can find each other between buildings and not get dropped on a layer 3 interface that doesn't see the distant network on a different egress interface.
    Thanks!
    Matt

    Matt,
    AFAIK - what you are describing is layer 2 tunneling, providing layer 2 networks from two speperate locations.
    The only way I am aware of how to provide this - does NOT invlove ASA's or VPN's suing layer 3. You could do this over MPLS or a transparent layer 2 pt-pt circuit.
    Perhaps another netpro has done this or knows how - I did hear of someone bridging thru a GRE tunnel, not sure if that is a viable option or actually works.
    HTH>

  • Static NAT and IPSec VPN

    This maybe stupid but may somebody help on this.
    Site A --- Internet --- Site B
    An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
    But now there is a problem, there are several public servers which have static NAT entries by "static" command. And it looks like these entry will still be valid even if the "nat 0" is presenting. And thus those inside IPs which have a static NAT, will be translated once it reaches the PIX and can not go via the VPN tunnel.
    May someone advise me how to overcome this? Thanks.

    Your question really pertains to the nat order of operations. Nat 0 (nat exemption) is first in the order. It preceeds all other including static nat. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 acl.

  • How to reduce the IPSec VPN connection establishment time

    Hi,
    I set up an IPSec VPN with NAT-T between two cisco router 871. In particular one router acts as a SERVER and the other one as  a CLIENT. All the traffic coming from the hosts connected to the CLIENT-router is sent over the VPN (no split tunnel). Everything works perfectly.
    The only problem is the amount of time the VPN takes to establish the first connection between the two routers. In particular it takes about two minutes.
    Could anybody tell me if this amount of time can be reduced (with a partcular configuration instruction)?
    Or this is the minimum amount of time required for the first connection establishment?
    Thank you for your help.

    Sara,
    Two minutes sound like a lot of time even with a super slow Internet connection. Could you share your configs to see if there is anything on the VPN config that is adding such a huge delay? The connection stablishment shouldnt take more than a few seconds.
    Thanks,
    Raga

Maybe you are looking for

  • Posting of Exchange rate differences in parallel currencies

    Hello experts,, We are on ECC 6. When we enter an incoming invoice with MIRO and the current exchange rate differs from that in the PO, the exchange rate differences in local currency and in parallel currency (group currency) post to different accoun

  • Captch not working in .jsff

    Hi...i'm using oracle jdeveloper 11.1.1.4.0. i am trying to use the simple captcha project in .jsff page, but its not working. In jspx its working fine. Can u pls help on this.

  • BLACKBERRY 8700 on O2

    I have recently purchased a 2nd hand BLACKBERRY 8700, I am trying to get it setup using my O2 sim card on Pay As you Go... I need to get my BBM working, and also access the internet.... I have no idea where to change my settings and how to get a web

  • Adobe doesn't work on websites

    I tried to open a file in Adobe on a website by pressing the link. It came back saying "Adobe PDF Document The adobe Acrobat/Reader that is running can not used to view PDF files in a web browser. Adobe Acrobat/Reader Version 8 or 9 is required. Plea

  • I may have a bad GPU...?

    Hello all, I'll get straight to it. I have a 2006 MacBook Pro and when starting up, the Apple logo screen appears but the logo is slightly pixelated. The spinning gear will appear and after some time the screen will go to a light blue screen and stay