SSL VPN and Dynamic DNS - ddns on IOS

Similar Messages

• Cisco 1841 SSL VPN and Anyconnect Help

  I am pretty new to Cisco programming and am trying to get an SSL VPN set up  for remote access using a web browser and using Anyconnect version 3.1.04509. If I try to  connect via a web browser I get an error telling me the security  certificate is not secure. If I try to connect via Anyconnect I get an  error saying "Untrusted VPN Server Blocked." If I change the Anyconnect  settings to allow connections to untrusted servers, I get two errors  that say"Certificate does not match the server name" and "Certificate is  malformed." Below is the running config in the router at this time.  There is another Site-to-Site VPN tunnel that is up and working properly  on this device. Any help would be greatly appreciated. Thanks
  Current configuration : 7741 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname buchanan1841
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  no logging buffered
  enable secret 5 XXXXXXX
  enable password XXXX
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa session-id common
  crypto pki trustpoint buchanan_Certificate
  enrollment selfsigned
  revocation-check crl
  rsakeypair buchanan_rsakey_pairname
  crypto pki certificate chain buchanan_Certificate
  certificate self-signed 01
    30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
    170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
    311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
    0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
    AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
    79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
    0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
    68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
    97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
    DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
    4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
    3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
          quit
  dot11 syslog
  ip source-route
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  username buchanan privilege 15 password 0 XXXXX
  username cybera password 0 cybera
  username skapple privilege 15 secret 5 XXXXXXXXXX
  username buckys secret 5 XXXXXXXXXXX
  crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key p2uprEswaspus address XXXXXX
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set cybera esp-3des esp-md5-hmac
  crypto ipsec profile cybera
  set transform-set cybera
  archive
  log config
    hidekeys
  ip ssh version 1
  interface Tunnel0
  description Cybera WAN - IPSEC Tunnel
  ip address x.x.x.x 255.255.255.252
  ip virtual-reassembly
  tunnel source x.x.x.x
  tunnel destination x.x.x.x
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile cybera
  interface FastEthernet0/0
  description LAN Connection
  ip address 192.168.1.254 255.255.255.0
  ip helper-address 192.168.1.2
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  no mop enabled
  interface FastEthernet0/1
  description WAN Connection
  ip address x.x.x.x 255.255.255.224
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface ATM0/0/0
  no ip address
  shutdown
  atm restart timer 300
  no atm ilmi-keepalive
  interface Virtual-Template2
  ip unnumbered FastEthernet0/0
  ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
  ip local pool LAN_POOL 192.168.1.50 192.168.1.99
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 x.x.x.x
  ip route 4.71.21.0 255.255.255.224 x.x.x.x
  ip route 10.4.0.0 255.255.0.0 x.x.x.x
  ip route 10.5.0.0 255.255.0.0 x.x.x.x
  ip route x.x.x.x 255.255.240.0 x.x.x.x
  ip route x.x.x.x 255.255.255.255 x.x.x.x
  ip route x.x.x.x 255.255.255.255 x.x.x.x
  ip http server
  no ip http secure-server
  ip nat inside source list 1 interface FastEthernet0/1 overload
  ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
  ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
  access-list 1 permit 192.168.1.0 0.0.0.255
  control-plane
  line con 0
  line aux 0
  line vty 0 4
  password xxxxx
  transport input telnet ssh
  scheduler allocate 20000 1000
  webvpn gateway gateway_1
  ip address x.x.x.x port 443
  http-redirect port 80
  ssl trustpoint buchanan_Certificate
  inservice
  webvpn install svc flash:/webvpn/anyconnect-w
  in-3.1.04059-k9.pkg sequence 1
  webvpn context employees
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  policy group policy_1
     functions svc-enabled
     svc address-pool "LAN_POOL"
     svc default-domain "buchanan.local"
     svc keep-client-installed
     svc dns-server primary 192.168.1.2
     svc wins-server primary 192.168.1.2
  virtual-template 2
  default-group-policy policy_1
  aaa authentication list ciscocp_vpn_xauth_ml_2
  gateway gateway_1
  max-users 10
  inservice
  endbuchanan1841#

  Perhaps you have changed the host-/domainname after the certificate was created?
  I'd generate a new one ...
  Michael
  Please rate all helpful posts

• Ssl vpn and soft phone

  Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc?  I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network.  In short, our employees need to use phones that don't exist on our network while having access to our data network.  I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA.  I thought I heard it might be available in 9.0.  It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me.  The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
  thank you

  Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml

• Works windows mobile with SSL VPN and anyconnect

  Hello,
  do anyone know if the following OS works with ASA 8.x SSL VPN client ,SSL clientless VPN and anyconnect client and Secure Desktop :
  windows mobile 5.0 Premium phone edition
  windows mobile 6.0
  windows embedded CE,Net
  windows mobile 2003
  Thank you for your help
  Michael

  [url=http://fztodds.24fast.info/washington225.html] washington [/url]
  [url=http://fztodds.24fast.info/washington16e.html] washington [/url]
  [url=http://fztodds.24fast.info/washingtond66.html] washington [/url]
  [url=http://fztodds.24fast.info/washington4e0.html] washington [/url]
  [url=http://fztodds.24fast.info/washington00b.html] washington [/url]
  [url=http://fztodds.24fast.info/washington1e7.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington0a8.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington9de.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washingtone4a.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington4ec.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington184.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washingtonb73.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington853.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington1a5.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washingtonde7.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington2b8.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington902.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washingtonc99.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washingtoncc7.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington598.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtonbe2.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtone9b.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washington4e0.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washington327.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtonada.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtond2b.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washington317.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington7cb.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washingtoneaf.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington259.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington8e0.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washingtonc03.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington092.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington79c.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington766.html] washington [/url]
  [url=http://aeaukol.rack111.com/washingtona2e.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington4c4.html] washington [/url]
  [url=http://aeaukol.rack111.com/washingtonb9f.html] washington [/url]
  [url=http://aeaukol.rack111.com/washingtond3a.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington54a.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington777.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington300.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington239.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington7b4.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washingtonad5.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washingtone03.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington399.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington9e9.html] washington [/url]
  [url=http://ggaubio.hostevo.com/washington878.html] washington [/url]
  [url=http://ggaubio.hostevo.com/washington525.html] washington [/url]

• Clientless SSL VPN and ActiveX question

  Hey All,
  First post for me here, so be gentle.  I'll try to be as detailed as possible.
  With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
  First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
  Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
  I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
    match ip inside any outside any
      NAT exempt
      translate_hits = 8915, untranslate_hits = 6574
  access-list nonat extended permit ip any any log notifications
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
  access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
  access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
  access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
  access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list outside_in extended permit icmp any any log notifications
  access-list outside_in extended permit tcp any any log notifications
  pager lines 24
  logging enable
  logging asdm informational
  logging ftp-server 192.168.16.34 / syslog *****
  mtu inside 1500
  mtu outside 1500
  ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 1 interface
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 192.168.16.32 255.255.255.224
  nat (inside) 1 192.168.17.0 255.255.255.0
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group outside_in in interface outside
  192.168.2.0 is my corp network range
  192.168.2.171 is my internal IP for corp ASA5510
  97.x.x.x is the external interface for my corp ASA5510
  192.168.16.34 is the internal interface for the remote ASA5505
  64.x.x.x is the external interface for the remote ASA5505
  192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
  As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
  I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
  Thanks much for any and all ideas!

  Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

• Anyconnect ssl vpn and acl

   Hi Everyone,
  I was testing few things at my home lab.
  PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
  anyconnect ssl is working fine and i am also able to access internet.
  I am using full tunnel
  i have acl on outside interface of ASA
  1
  True
  any
  any
  ip
  Deny
  0
  Default
  i know that ACL is used for traffic passing via ASA.
  I need to understand the traffic flow for access to internet via ssl vpn.?
  Regards
  MAhesh

  As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
  You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

• SSL VPN and dedicated IP address

  Hello
  I have an ASA 5505 8.3 and i setup it with ADSL 6.3
  I am trying to dedicate IP addresses to clientless SSL VPN user: is it possible ?
  If not is it possible with Anyconnect client ?
  If yes i can't perform it !
  I have a user test and i want dedicated him an IP address . After authentification user can connect to a web application but when i see the netstat, it is the IP adress of the ASA which is connected ...
  Could you help me ?
  Regards
  L.Malandain

  Two ways -
  Frist create pool with one IP address and assign that to group policy.
  Second- modify the user atributes-
  username test password xxxxx
  username test attributes
  vpn-framed-ip-address
  Thanks
  Ajay

• FIOS and Dynamic DNS

  I'm thinking about switching from Verizon DSL to FIOS, but I have a few concerns.
  Right now I am able to directly connect form my linux-based router to the DSL modem via PPPoE.  If for some resaon the PPP link drops the router just re-establishes it, and it always knows my outside IP.  It can also update my multiple dyanamic DNS addresses automatically when this happens.  My DSL IP address seems to change only when I shut down my router - it lasts weeks at a time.
  With FIOS it sounds like you are forced to use NAT with the supplied router.  I can go ahead and disable wireless on it, and then just set up my own router to use a static IP and put it in the DMZ to get as close to a bypass as I can.  However, if my outside IP changes my internal router isn't going to know about it, and won't be able to update my dynamic DNS/etc.  It looks like the FIOS routers will update dynamic DNS addresses, but I'm not sure if they support namecheap, and I also don't know if they support updating more than one dynamic DNS service when my IP changes.
  It also sounds like they cut the copper connection, so if it doesn't work out right it will be very hard to go back to DSL.
  Does anybody know:
  1.  Will the supplied router update more than one dynamic DNS service automatically?
  2.  Will the supplied router update a namecheap hosted dynamic DNS record? 
  3.  When updating a namecheap DNS record will it only touch the A record and not mess with all my other DNS settings?
  4.  Can I somehow configure the router to provide my external IP to a single internal computer via DHCP (ie router gets an address from verizon, and then the router offers that address to my own router)?  Obviously this won't work with more than one computer on the router.
  5.  Can I alternatively connect to the verizon-provided router using PPPoE or a similar protocol to just get my external IP directly tunneled through the router?
  6.  Does a FIOS TV standard definition tuner box require a network connection? 
  7.  What happens if the tuner it isn't connected to the network?  I won't be using any kind of interactive services anyway since the tuners will just be connected to my DVR.
  8.  Does the network connection have to be on the same subnet as the verizon-provided router, or is it sufficient that it be able to reach that router or the internet via NAT (there would be a NAT layer between my internal network and the verizon-powered router)?
  9.  If this stuff doesn't end up working right, can I just pull the plug on FIOS and go back to Verizon DSL and POTS?
  In case it isn't clear, here is how I envision the network looking:
  Verizon - Verizon Router - NAT with My Router in the DMZ - My Router - NAT - My internal network
  I guess if I get really desperate I could try to find a tunnel broker of some kind - not sure if anybody does that for IPv4 the way it is done for IPv6.  That would allow me to get my external IP through the NAT and potentially give me a static one as well...
  I REALLY don't want to pay an extra $50 for a static IP.  I'd probably just stick with the DSL if it came to that even though it is actually more expensive than switching (for dynamic service) and it is a lot slower...
  Solved!
  Go to Solution.

  Hmm - that idea might not actually work out all that well.  It might or might not work at all, but one thing that it would probably do is make it impossible to access the router's web interface (since the router wouldn't have an IP address of its own on any of the ports).  So, if it did work it would be a once-and-done configuration and then I'd need to reset it to do anything else with it.  This would also make it impossible to attach set-top-boxes directly to the actiontec router, but then again they'd be only one NAT layer away from verizon if I attached them to my home network.
  I suspect I might be better off with the DMZ approach and just living with a single dynamic dns entry.  The main reason I use more than one of those is so that if my IP address changes I don't have to wait for the DNS TTL to run out to find out what the new IP is - I can just wait a few minutes to be safe and resolve one of my other dynamic addresses which won't be cached anywhere so it will get the fresh entry. 
  I guess my other option is to fire up nslookup and point it directly at the appropriate DNS server so that I"m not seeing a cached response.
  I've heard mixed reports on how often the FIOS IPs change anyway.  If they only change once in a blue moon I'm not terribly concerned about this stuff. 
  (Why can't everybody just switch to IPv6 and end all this NAT nonsense anyway...?) 

• OS X 10.6.1:  bootpd, named, and dynamic DNS zone updates

  I have OS X 10.6.1 installed on a Mac Pro. It is configured to be the name server and DHCP server for my home network, i.e. /etc/named.conf and /etc/bootpd.plist have been modified to provide these services.
  I've encountered no problems with either the name server or the DHCP component of bootpd after upgrading to OS X 10.6(.1); however, one thing that continues to bug me is how to configure bootpd to dynamically update the DNS zone files whenever a lease is issued, released, or expires.
  At work, I use the Internet System Consortium's DHCP software and have it configured to dynamically update DNS whenever leases change state. I would really like to have DNS done the same way at home.
  What changes need to be made to /etc/bootpd.plist that would allow dynamic DNS updates to occur?

  Did you ever get an answer to this? Would rather not change the DHCP server in Snow Leopard....
  Thanks

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• VPN and Split-DNS problem connecting 851 to 3030 Concentrator

  I have configured a Cisco 851 (IOS 12.4(11)T) to connect to the Cisco 3000 Concentrator (v4.72G). I am having multiple problems:
  1. On the concentrator I have specified multiple domain names for split DNS "hq.portablesunlimited.com,hq.cellfonestore.com". However I see only the first name created for the dns views.
  2. We have a static WAN IP address with a fixed DNS Server name given by our ISP. I am using the same DNS name on the client PCs connected to the 851. I am able to resolve any external names for e.g. "www.google.com". When I try to resolve a DNS address (Split-DNS) for e.g. server.hq.portablesunlimited.com, it fails to resolve the address. I tried to specify the address of 815 (10.0.0.1) as the DNS server for the clients, in this case the clients do not resolve any address. However if I go to the 851 console and ping say "www.yahoo.com" it works and then I can resolve that address "www.yahoo.com" from the client PCs also.
  I don't have any firewall or NAT enabled on the 851.
  Here is the 851 config file:
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname firewall
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  enable secret 5 xxxxxxxxxxxx
  no aaa new-model
  clock timezone PCTime -5
  clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.220.1.1 10.220.1.99
  ip dhcp excluded-address 10.220.1.201 10.220.1.254
  ip dhcp pool sdm-pool1
  import all
  network 10.220.1.0 255.255.255.0
  dns-server 129.x.x.80
  default-router 10.220.1.1
  ip cef
  ip domain name mydomain.com
  ip name-server 129.x.x.80
  crypto pki trustpoint TP-self-signed-3072999871
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3072999871
  revocation-check none
  rsakeypair TP-self-signed-3072999871
  crypto ipsec client ezvpn VPN1
  connect auto
  group xyz key xyz
  mode network-extension
  peer x.x.x.x
  username xyz password xyz
  xauth userid mode local
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description $FW_OUTSIDE$$ES_WAN$
  ip address 129.34.x.x.255.255.240
  duplex auto
  speed auto
  crypto ipsec client ezvpn VPN1
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
  ip address 10.220.1.1 255.255.255.0
  ip tcp adjust-mss 1452
  crypto ipsec client ezvpn VPN1 inside
  ip route 0.0.0.0 0.0.x.x.34.7.82
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns view ezvpn-internal-view
  domain name-server 10.128.1.10
  ip dns view-list ezvpn-internal-viewlist
  view ezvpn-internal-view 10
  restrict name-group 1
  view default 20
  ip dns name-list 1 permit HQ.PORTABLESUNLIMITED.COM
  ip dns server view-group ezvpn-internal-viewlist
  no cdp run
  end

  Someone please reply to the post as this issue is critical for us to decide the purchase of the above equipment for our 40 remote locations.
  Thanks
  Srikant

• Trying to set up a ssl vpn and can't get to it from outside?

  I have a barracuda sslvpn and a
  Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  When I try and edit the vpn service object to say destination 444 source default insted of source 444 I get this.
  [OK] object service VPN
        object service VPN
  [ERROR] service tcp destination eq 444
  Object is used in IPv6 access-list out_in. Can't change IP to IPv4.
  ERROR: object (VPN) updation failed due to internal error

  HI franklyhollywood:
  Joomla is easy to set up (install) once Mysql and PHP is properly set up. CMS (Content Management
  System) websites are the way to go. I am migrating all my sites to CMS, either full CMS or Partial
  CMS. The Server Guys (and Girls) can help you get it set up properly. If you don't want the hassle
  of configuring MySql and PHP on your Mac, use the preconfigured MAMP setup:
  http://www.mamp.info/en/index.html
  I am only interested in the final product (the website), so I chose MAMP to handle the database and
  scripting language (PHP) chores. MAMP can be Installed, configured and up and running in minutes,
  leaving me free to develop and make ready my sites for uploading to their eventual home on my
  hosting provider's server.
  Kj ♘

• AnyConnect (SSL VPN on IoS) - Connection stuck on Android

  Hiya,
  I have an Any Connect WebVpn (ssl vpn?) set up on an IOS 15.2(4)M4. My current WebVPN is set up for Cisco Phones to use SSL VPN to connect to a Cisco Call Manager (CUCM 9.x). I also tried connecting with an Any Connect client from a PC and it seems to work fine.
  The issue is when I try to connect through an Android device, I get the following output from 'debug webvpn':
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.220: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2930, data: 0xD9E7658, len: 0,
        offset: 0, domain: 0)
  Jan 10 16:04:17.224: WV: Fragmented App data - buffered
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2470, data: 0xEA4D858, len: 884,
        offset: 0, domain: 0)
  tbr-edi-2901#
  Jan 10 16:04:17.224: WV: http request: / with no cookie
  Jan 10 16:04:17.224: WV: validated_tp :  cert_username :  matched_ctx :
  Jan 10 16:04:17.224: WV: failed to get sslvpn appinfo from opssl
  Jan 10 16:04:17.224: WV: Error: Failed to get vw_ctx
  Jan 10 16:04:17.224: WV: Appl. processing Failed : 2
  Jan 10 16:04:18.344: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.348: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.376: WV: sslvpn process rcvd context queue event
  and then the messages in italics above keep on appearing in an endless loop.
  Any ideas what could be the issue.
  Any help is highly appreciated.
  Thanks,
  David

  Hi,
  I'm having the same issue please let me know if yo found the solution. Thanks in advance

• Dynamic DNS for ipv4 AND ipv6?

  tl;dr: do you know any dynamic dns service and updater daemon that supports both ipv4 and ipv6?
  Hi,
  ever since my provider supplied me with a proper dual stack account (real ipv4, real ipv6) for internet access I got some kind of little problem regarding the services I host at home. So this is mainly about email. I have a server sitting behind my router that has an open submission and IMAPS port. For ipv4 I've been using the NAT and dyndns features of my router (fritzbox) without any problem. For ipv6 there is no NAT (at least as far as my router is concerned). What I can do though is to open the firewall for incoming ports dynamically based on the interface identifier. So if someone wants to connect to an ipv6 address that would map to my server the router knows to not block the traffic. For this to work though I need update a dynamic DNS record with the public ipv6 address that my server gets to use (something out of the prefix my provider assignes me). This server is an arch linux box. I tried to use inadyn-mt with some systemd unit file I found through google but this does not seem to work right. When I'm in ipv4-only networks (on a mobile connection for example) I often can't resolve the right ip address of my server through dyndns. The thing is that my server doesn't know about a changed ipv4 address because this is handled by the router. It does only know about when his own ipv6 address changes/expires. Based on when this happens inadyn-mt might fire an update to dyndns and with that also pick up the new ipv4 address, but this is not guaranteed.
  Any suggenstions, tool and/or service proposals? Is there a way dns-wise to add a CNAME alias just for A records and not for AAAA?

  I currently use cloudflare as the DNS servers for my domain as it's free and allows to update certain records with their API. I only use it for IPv4, but since they support AAAA records, I assume it will work for IPv6 just as well. It should be quite simple for you to update the script to get the ip of a given interface instead of fetching it from the net.
  #!/bin/sh
  # modified by jfro from http://www.cnysupport.com/index.php/linode-dynamic-dns-ddns-update-script
  # Uses curl to be compatible with machines that don't have wget by default
  # modified by Ross Hosman for use with cloudflare.
  cfkey=<your api key>
  cfuser=<your username>
  cfhost=<hostname you want to update>
  WAN_IP=`curl -s http://icanhazip.com/`
  if [ -f $HOME/.wan_ip-cf.txt ]; then
  OLD_WAN_IP=`cat $HOME/.wan_ip-cf.txt`
  else
  OLD_WAN_IP=""
  fi
  perl -i -pe 'chomp if eof' /var/log/cfclient.log
  if [ "$WAN_IP" = "$OLD_WAN_IP" ]; then
  echo -ne "." >> /var/log/cfclient.log
  else
  echo $WAN_IP > $HOME/.wan_ip-cf.txt
  echo -ne "\nUpdating IP to $WAN_IP\n" >> /var/log/cfclient.log
  curl -s https://www.cloudflare.com/api.html?a=DIUP\&hosts="$cfhost"\&u="$cfuser"\&tkn="$cfkey"\&ip="$WAN_IP" >> /var/log/cfclient.log
  fi
  echo -ne "\n" >> /var/log/cfclient.log

• Actiontec MI424WR-GEN3I with ChangeIP dynamic dns

  I'm trying to configure my router (Actiontec MI424WR-GEN3I, v. 40.21.10.3) with ChangeIP.com dynamic DNS.  It's listed in the provider drop-down in the Dynamic DNS section of the router GUI, so i figured i'd be all set.  I setup an account with ChangeIP, and then got a hostname from them.
  In the router i'm configured as follow..
  Hostname: MyHost.changeip.com  (<-- actually MyHost.onmypc.org; "onmypc.org" being one of the domains ChangeIP offers for free.)
  Connection: Broadband Connection (Ethernet/Coax)
  Provider: changeip.com
  Username: My changeip username
  Password: My changeip password
  Dynamic DNS System: Dynamic DNS
  Offline: (not checked)
  SSL Mode: None
  In the status area it just says "Error - Unknown changeip.com error".  There's nothing in the changeip knowledgebase.  Has anyone tried configuring changeip on their router?  I know they have something called homeing beacon, but really i just want this to work as configured without having to install anything extra.
  Thanks!

  Hello, I had the exact same problem.  It seem Verison FiOS router is not very flexible.  You can't enter another Dynamic DNS (DDNS) and can only use one on the list. The only two free one I found was no-ip.com and changeip.com. 
  The no-ip.com came back with a host not found cause they've changed the name to noip.com (without the dash) so the dumb router is not able to find it.
  The changeip.com is no help either as you've found out.  I keep getting Error but it does not say why.  Fortunetely I did found a solution.  You can download changeip.com's DDNS Update Client (for Windows, Linux, or OSX).  The called this software as Homeing Beacon.
  http://www.changeip.com/accounts/downloads.php
  In Windows it runs as a self startup service so you don't to remember to run it but you will need a Windows PC to be on for the update to occur.  Basically instead of updating changeip.com's DDNS entry from the router, you have a Windows client that somehow figures out what the router's IP and act as a proxy agent and update your DNS entry on changeip.com.  This is a workable workaround, I think.  The drawback is you need a PC running every so often on your home network so updates occur.  But, the price is FREE and you can't beat that.