Tunneling

HI
EXperts
what are step for doing tunneling (idoc-idoc).?
any body help me regareding this .
Thanks for hlep
kumar

The blog explain it all.
Normally when an idoc hits XI it is converted to XML. If you do not want to convert the Idoc to XML ( in case of Idoc to Idoc scnearios ) then you use the concept of Idoc Tunneling.
Look into the blog for exact details.
Regards
Bhavesh

Similar Messages

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went throught the following document which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only things i'm not sure about split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementation when they used split-tunneling, like one of my customer:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • IPSec tunnel on sub-interface on ASA 5510

    Hello All,
    I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
    I would be greatul if someone please reply post this with some details.
    Regards,
    Muds

    Hi Jennifer,
    Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
    Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
    Regards,
    Muds 

  • Unable to see logs while using split tunnel for RA

    hi everyone,
    I have config RA   VPN at my home lab using split tunnel.
    I can connect fine and able to browse the internet.
    When i go to internet sites i do not see logs generated on the VPN ASA?
    Need to understand whats the reason behind this?
    ASA1# sh conn all
    5 in use, 12 most used
    UDP outside  10.0.0.51:138 inside  10.0.0.255:138, idle 0:01:38, bytes 201, flags -
    TCP outside  192.168.98.2:49509 NP Identity Ifc  192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
    TCP outside  192.168.98.2:49507 NP Identity Ifc  192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
    UDP outside  192.168.98.2:49903 NP Identity Ifc  192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
    TCP outside  192.168.99.2:35902 NP Identity Ifc  192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
    Where 192.168.98.2 is IP of PC.
    10.0.0.51 is IP assigned from VPN pool to PC.
    Regards
    Mahesh

    Hi Mahesh,
    You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while its active. You have probably configured an ACL that contains your LAN network behind the ASA.
    This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
    The Internet traffic of the user or any traffic that is NOT destined to that network in the ACL will simply use the VPN Client users PCs local Internet connection or local network.
    This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the users local network connection.
    If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
    If you want to look at the current configuration on the CLI you would first have to issue
    show run tunnel-group
    And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group"
    Then you could issue the command
    show run group-policy
    This would list you the Group Policy configuration for the VPN connection and would show something like this under it
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value
    The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
    Hope this helps
    - Jouni

  • EZVPN public internet split tunnel with dialer interface

    I have a job on where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network as the external server will only accept connections from the corporate public IP address.
    So I have not only included the corporate C class in the interesting traffic but also the IP address of the external server.  
    So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
    Now comes the problem, I am trying to send the public IP traffic for the external server out of the corporate network into the public internet but it just drops and does not get back out the same interface into the internet.
    I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
    http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html 
    And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site.  I also have a home server on the network that is reached so I can definitly reach into the network at home which is  the test for the corporate network I am trying to reach.
    Its a cisco 870 router and here is the config
    Router#sh run
    Building configuration...
    Current configuration : 4617 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable secret 5 *************************
    enable password *************************
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network ciscocp_vpn_group_ml_1 local 
    aaa session-id common
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.3
    ip dhcp excluded-address 192.168.1.4
    ip dhcp excluded-address 192.168.1.5
    ip dhcp excluded-address 192.168.1.6
    ip dhcp excluded-address 192.168.1.7
    ip dhcp excluded-address 192.168.1.8
    ip dhcp excluded-address 192.168.1.9
    ip dhcp excluded-address 192.168.1.111
    ip dhcp pool myDhcp
       network 192.168.1.0 255.255.255.0
       dns-server 139.130.4.4 
       default-router 192.168.1.1 
    ip cef
    ip inspect name myfw http
    ip inspect name myfw https
    ip inspect name myfw pop3
    ip inspect name myfw esmtp
    ip inspect name myfw imap
    ip inspect name myfw ssh
    ip inspect name myfw dns
    ip inspect name myfw ftp
    ip inspect name myfw icmp
    ip inspect name myfw h323
    ip inspect name myfw udp
    ip inspect name myfw realaudio
    ip inspect name myfw tftp
    ip inspect name myfw vdolive
    ip inspect name myfw streamworks
    ip inspect name myfw rcmd
    ip inspect name myfw isakmp
    ip inspect name myfw tcp
    ip name-server 139.130.4.4
    username ************************* privilege 15 password 0 *************************
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group HomeFull
     key *************************
     dns 8.8.8.8 8.8.8.4
     pool SDM_POOL_1
     include-local-lan
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group HomeFull
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec profile CiscoCP_Profile1
     set security-association idle-time 1740
     set transform-set ESP-3DES-SHA 
     set isakmp-profile ciscocp-ike-profile-1
    crypto ctcp port 10000 
    archive
     log config
      hidekeys
    interface Loopback10
     ip address 10.0.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     description TimsInternet
     ip flow ingress
     ip policy route-map VPN-Client
     pvc 8/35 
      encapsulation aal5mux ppp dialer
      dialer pool-member 3
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Virtual-Template3 type tunnel
     ip unnumbered Dialer3
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect myfw in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     ip tcp adjust-mss 1372
     no ip mroute-cache
     hold-queue 100 out
    interface Dialer0
     no ip address
    interface Dialer3
     ip address negotiated
     ip access-group blockall in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression
     ip policy route-map VPN-Client
     no ip mroute-cache
     dialer pool 3
     dialer-group 1
     no cdp enable
     ppp chap hostname *************************@direct.telstra.net
     ppp chap password 0 *************************
    ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer3
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 101 interface Dialer3 overload
    ip access-list extended VPN-OUT
     permit ip 10.0.0.0 0.0.0.255 any
    ip access-list extended blockall
     remark CCP_ACL Category=17
     permit udp any any eq non500-isakmp
     permit udp any any eq isakmp
     permit esp any any
     permit ahp any any
     permit tcp any any eq 10000
     deny   ip any any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    route-map VPN-Client permit 10
     match ip address VPN-OUT
     set ip next-hop 10.0.0.2
    control-plane
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password cisco
    scheduler max-task-time 5000
    end
    Router#exit
    Connection closed by foreign host.

    Thanks for the response.
    Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client.  The policy route map makes the L10 the next hop and it has NAT.

  • Cisco ASA 5505 - IPsec Tunnel issue

    Issue with IPsec Child SA
    Hi,
    I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
    hostname GARPR-COM1-WF01
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
     description Failover Link
     switchport access vlan 950
    interface Ethernet0/1
     description Outside FW Link
     switchport access vlan 999
    interface Ethernet0/2
     description Inside FW Link
     switchport access vlan 998
    interface Ethernet0/3
     description Management Link
     switchport access vlan 6
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     shutdown
    interface Ethernet0/6
     shutdown
    interface Ethernet0/7
     shutdown
    interface Vlan1
     no nameif
     no security-level
     no ip address
    interface Vlan6
     nameif management
     security-level 100
     ip address 10.65.1.20 255.255.255.240
    interface Vlan950
     description LAN Failover Interface
    interface Vlan998
     nameif inside
     security-level 100
     ip address 10.65.1.5 255.255.255.252
    interface Vlan999
     nameif outside
     security-level 0
     ip address ************* 255.255.255.248
    boot system disk0:/asa922-4-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name ***************
    object network North_American_LAN
     subnet 10.73.0.0 255.255.0.0
     description North American LAN
    object network Queretaro_LAN
     subnet 10.74.0.0 255.255.0.0
     description Queretaro_LAN
    object network Tor_LAN
     subnet 10.75.0.0 255.255.0.0
     description Tor LAN
    object network Mor_LAN
     subnet 10.76.0.0 255.255.0.0
     description Mor LAN
    object network Tus_LAN
     subnet 10.79.128.0 255.255.128.0
     description North American LAN
    object network Mtl_LAN
     subnet 10.88.0.0 255.255.0.0
     description Mtl LAN
    object network Wic_LAN
     subnet 10.90.0.0 255.254.0.0
     description Wic LAN
    object network Wic_LAN_172
     subnet 172.18.0.0 255.255.0.0
     description Wic Servers/Legacy Client LAN
    object network Mtl_LAN_172
     subnet 172.19.0.0 255.255.0.0
     description Mtl Servers/Legacy Client LAN
    object network Tor_LAN_172
     subnet 172.20.0.0 255.255.0.0
     description Tor Servers/Legacy Client LAN
    object network Bridge_LAN_172
     subnet 172.23.0.0 255.255.0.0
     description Bridge Servers/Legacy Client LAN
    object network Mtl_WLAN
     subnet 10.114.0.0 255.255.0.0
     description Mtl Wireless LAN
    object network Bel_WLAN
     subnet 10.115.0.0 255.255.0.0
     description Bel Wireless LAN
    object network Wic_WLAN
     subnet 10.116.0.0 255.255.0.0
     description Wic Wireless LAN
    object network Mtl_Infrastructure_10
     subnet 10.96.0.0 255.255.0.0
     description Mtl Infrastructre LAN
    object network BA_Small_Site_Blocks
     subnet 10.68.0.0 255.255.0.0
     description BA Small Sites Blocks
    object network Bel_LAN
     subnet 10.92.0.0 255.255.0.0
     description Bel LAN 10 Network
    object network LAN_172
     subnet 172.25.0.0 255.255.0.0
     description  LAN 172 Network
    object network Gar_LAN
     subnet 10.65.1.0 255.255.255.0
     description Gar LAN
    object network garpr-com1-wf01.net.aero.bombardier.net
     host **************
     description Garching Firewall
    object-group network BA_Sites
     description Internal Networks
     network-object object BA_Small_Site_Blocks
     network-object object Bel_LAN
     network-object object Bel_LAN_172
     network-object object Bel_WLAN
     network-object object Bridge_LAN_172
     network-object object Mtl_Infrastructure_10
     network-object object Mtl_LAN
     network-object object Mtl_LAN_172
     network-object object Mtl_WLAN
     network-object object Mor_LAN
     network-object object North_American_LAN
     network-object object Queretaro_LAN
     network-object object Tor_LAN
     network-object object Tor_LAN_172
     network-object object Tus_LAN
     network-object object Wic_LAN
     network-object object Wic_LAN_172
     network-object object Wic_WLAN
    access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
    access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging trap informational
    logging asdm informational
    logging host outside 172.25.5.102
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface Failover_Link Vlan950
    failover polltime interface msec 500 holdtime 5
    failover key *****
    failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
    route outside 0.0.0.0 0.0.0.0 ************* 1
    route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
    route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.65.1.0 255.255.255.0 inside
    http 172.25.5.0 255.255.255.0 inside
    http 10.65.1.21 255.255.255.255 management
    snmp-server host inside 172.25.49.0 community ***** udp-port 161
    snmp-server host outside 172.25.49.0 community *****
    snmp-server host inside 172.25.5.101 community ***** udp-port 161
    snmp-server host outside 172.25.5.101 community *****
    snmp-server host inside 172.25.81.88 poll community *****
    snmp-server host outside 172.25.81.88 poll community *****
    snmp-server location:
    snmp-server contact
    snmp-server community *****
    snmp-server enable traps syslog
    crypto ipsec ikev2 ipsec-proposal aes256
     protocol esp encryption aes-256
     protocol esp integrity sha-1
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association pmtu-aging infinite
    crypto map GARCH 10 match address 101
    crypto map GARCH 10 set pfs group19
    crypto map GARCH 10 set peer *******************
    crypto map GARCH 10 set ikev2 ipsec-proposal aes256
    crypto map GARCH 10 set security-association lifetime seconds 3600
    crypto map GARCH interface outside
    crypto ca trustpool policy
    no crypto isakmp nat-traversal
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 19
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    telnet 10.65.1.6 255.255.255.255 inside
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 172.25.5.0 255.255.255.0 inside
    ssh 172.19.9.49 255.255.255.255 inside
    ssh 172.25.5.0 255.255.255.0 outside
    ssh 172.19.9.49 255.255.255.255 outside
    ssh timeout 30
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 30
    management-access inside
    dhcprelay server 172.25.81.1 outside
    dhcprelay server 172.25.49.1 outside
    dhcprelay enable inside
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 172.19.109.41
    ntp server 172.19.109.42
    ntp server 172.19.9.49 source outside
    tunnel-group ********* type ipsec-l2l
    tunnel-group ********* ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
    : end
    I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
    GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
    where for destination network 10.92.0.0/16 there is only one child sa:
    GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
              remote selector 10.92.0.0/0 - 10.92.255.255/6553
    Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
    Thanks
    Jonathan

    Hi there,
    I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
    I don't know, the device is too old to stay alive.
    thanks

  • CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

    I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
    The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
    My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
    I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
    Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • VPN Client Tunnel Connection Pix506E

    Situation:  Trying to connect to PiX 506e for vpn client tunnel.  The tunnel shows the following when using the sho isa sa command:
    qm_idle 0 0 
    then after about 3-4 minutes the client workstaiton is receiving error:  Reason 412:  the remote peer is no longer responding
    The same workstation on the same internet connection from the home office is able to connect to an ASA 5505 vpn client with no problems.
    I have enabled:  nat traversal on the pix506e and tried serveral options on the client side.
    The Pix506E also has site to site vpn tunnels that are working without any problems.
    Pix Software version:  6.3.5
    Any ideas?

    Try to connect from a different internet connection and see if you are having the same issue.
    Also, turn on the logs on the vpn client and see why it's failing.

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • Routing Issue for Remote Access Clients over Site to Site VPN tunnels

    I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

    Patrick, that was indeed true for a long time.
    But now it is fixed in PIX and ASA version 7.x.
    Please refer to this document for details:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • Dynamin VPN/GRE can't ping other side of tunnel

    I am new at this VPN stuff and tryiong to setup a GRE Dynamic IP VPN between my offfice and home.  Here is what I ahve done thus far:
    OFFICE
    interface Tunnel0
    ip address 172.30.1.1 255.255.255.252
    no ip redirects
    ip mtu 1400
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    interface FastEthernet0/0
    ip address 40.197.68.9 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    HOME
    interface Tunnel0
    ip address 172.30.1.2 255.255.255.252
    ip mtu 1400
    ip nhrp map multicast 40.197.68.9
    ip nhrp map 172.30.1.1 40.197.68.9
    ip nhrp network-id 1
    ip nhrp nhs 172.30.1.1
    ip tcp adjust-mss 1360
    tunnel source GigabitEthernet0/0
    tunnel destination 40.197.68.9
    tunnel key 1
    interface GigabitEthernet0/0
    description Router
    ip address 192.168.30.1 255.255.255.252
    duplex auto
    speed auto
    When I ping 172.30.1.1 from the HOME router, I get 0/5 success.  Not good!  I have not setup any IPSec yet.
    Results for HOME router
    show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel0:
    172.30.1.1   E priority = 0 cluster = 0  req-sent 53  req-failed 0  repl-recv 0
    sh int t0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.30.1.2/30
      MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 192.168.30.1 (GigabitEthernet0/0), destination 40.197.68.9
       Tunnel Subblocks:
          src-track:
             Tunnel0 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key 0x1, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1472 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:40:28, output 00:00:25, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         106 packets output, 12612 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    sh ip route
    Gateway of last resort is 192.168.30.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 192.168.30.2
          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C        10.110.0.0/24 is directly connected, GigabitEthernet0/1.110
    L        10.110.0.1/32 is directly connected, GigabitEthernet0/1.110
    C        10.115.0.0/24 is directly connected, GigabitEthernet0/1.115
    L        10.115.0.1/32 is directly connected, GigabitEthernet0/1.115
          172.16.0.0/30 is subnetted, 1 subnets
    S        172.16.2.0 [1/0] via 192.168.30.6
          172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.30.1.0/30 is directly connected, Tunnel0
    L        172.30.1.2/32 is directly connected, Tunnel0
    S     192.168.2.0/24 is directly connected, GigabitEthernet0/0
    S     192.168.10.0/24 is directly connected, GigabitEthernet0/0
          192.168.30.0/24 is variably subnetted, 4 subnets, 2 masks
    C        192.168.30.0/30 is directly connected, GigabitEthernet0/0
    L        192.168.30.1/32 is directly connected, GigabitEthernet0/0
    C        192.168.30.4/30 is directly connected, GigabitEthernet0/1.30
    L        192.168.30.5/32 is directly connected, GigabitEthernet0/1.30
    S     192.168.50.0/24 [1/0] via 192.168.30.6
          192.168.69.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.69.0/24 is directly connected, GigabitEthernet0/1.69
    L        192.168.69.3/32 is directly connected, GigabitEthernet0/1.69
    S     192.168.100.0/24 [1/0] via 192.168.30.6
    S     192.168.125.0/24 [1/0] via 192.168.30.6
    S     192.168.200.0/24 [1/0] via 192.168.30.6
    sh dmvpn
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1    50.197.68.90      172.30.1.1  NHRP 02:30:17     S
    Results for OFFICE router
    show ip nhrp nhs detail
    sh dmvpn
    sh int t0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.30.1.1/30
      MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 40.197.68.9 (FastEthernet0/0)
       Tunnel Subblocks:
          src-track:
             Tunnel0 source tracking subblock associated with FastEthernet0/0
              Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport multi-GRE/IP
        Key 0x1, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1472 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:43:56, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    show ip route
    S*    0.0.0.0/0 [1/0] via 40.197.68.94
          40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        40.197.68.8/29 is directly connected, FastEthernet0/0
    L        40.197.68.9/32 is directly connected, FastEthernet0/0
          172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.30.1.0/30 is directly connected, Tunnel0
    L        172.30.1.1/32 is directly connected, Tunnel0
    S     192.168.2.0/24 [1/0] via 192.168.10.5
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.1/32 is directly connected, FastEthernet0/1
    S     192.168.69.0/24 is directly connected, FastEthernet0/0
    Why can't Io ping from the HOME router to the OFFICE router?

    I fugured this problem out.  I needed to setup PKI/IKE and once that was done on both routers, my tunned now passes some data.

  • How to configure full tunnel with VPN client and router?

    I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

    I think it is possible. Following links may help you
    http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

  • Configure a VPN client and Site to Site VPN tunnel

    Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
    SiteA config with working VPN tunnel to SiteB:
    SITE A
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 webdmz security20
    enable password xxx
    passwd xxx
    hostname SiteA-pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 200.x.x.0 SiteA_INT
    name 201.x.x.201 SiteA_EXT
    name 200.x.x.254 PIX_INT
    name 10.10.10.0 SiteB_INT
    name 11.x.x.11 SiteB_EXT
    access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list acl_inside permit icmp any any
    access-list acl_inside permit ip any any
    access-list acl_outside permit ip any any
    access-list acl_outside permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu webdmz 1500
    ip address outside SiteA_EXT 255.x.x.128
    ip address inside PIX_INT 255.255.0.0
    no ip address webdmz
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.x.x.0.0 201.201.201.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer SiteB_EXT
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    SiteA-pix(config)#
    Lines I add for Cisco VPN clients is attached
    I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
    Anyone any ideas what this can be?
    Thanks

    Heres my config:
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 webdmz security20
    enable password xxx
    passwd xxx
    hostname SiteA-pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 200.x.x.0 SiteA_INT
    name 201.x.x.201 SiteA_EXT
    name 200.x.x.254 PIX_INT
    name 10.10.10.0 SiteB_INT
    name 11.11.11.11 SiteB_EXT
    access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list acl_inside permit icmp any any
    access-list acl_inside permit ip any any
    access-list acl_outside permit ip any any
    access-list acl_outside permit icmp any any
    access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu webdmz 1500
    ip address outside SiteA_EXT 255.255.255.128
    ip address inside PIX_INT 255.255.0.0
    no ip address webdmz
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pix_inside 200.x.x.100-200.220.200.150
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.0 0.0.0.x.x.201.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
    crypto dynamic-map DYNOMAP 10 match address 80
    crypto dynamic-map DYNOMAP 10 set transform-set AAADES
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer SiteB_EXT
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup Remote address-pool pix_inside
    vpngroup Remote dns-server 200.200.200.20
    vpngroup Remote wins-server 200.200.200.20
    vpngroup Remote default-domain mycorp.co.uk
    vpngroup Remote idle-time 1800
    vpngroup Remote password password
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    I will attach debug output later today.
    Thanks

  • SonicWall Global VPN Client and Split tunneling

    Hello All,
    I searched Google and the forums here and can't find someone with the same problem.
    Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
    So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
    -Thank You in advance for your time.
    Message Edited by Chris_F on 01-11-2010 07:41 AM
    Chris F.
    CCENT, CCNA, CCNA Sec

    Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
    I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
    Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
    Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
    So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

  • RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

    For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
    This is mostly a question, and partly "in use" observations.
    Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
    If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
    Summary of VPN modes I've gotten to work with an RV220W:
    Client
    Split Tunnel Works?
    Full Tunnel Works?
    OS?
    Notes
    SSL VPN
    Yes
    Yes
    Win7/64
    IE10 or IE11
    QuickVPN
    Yes
    No
    Win7/64
    IPSec VPN
    Yes
    No
    Win7/64
    Shrew Soft VPN Client

    I have to mark this as not a correct answer.
    Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
    To Michal Bruncko who posted this:
    1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
    2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
    Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
    I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

Maybe you are looking for

  • OIM 11.1.1.5.3 vs Siebel Connector log

    Hi all, I have a problem with OIM Siebel connector log file. More in details: since I patched OIM from the version 11.1.1.5.0 to the 11.1.1.5.3 one (BP03 - patch ID 14891027), the Siebel Connector stops to log its normal operations (except errors). O

  • How to update a text file?

    I am doing an assignment about a bank account. A text file stores the accounts. Account Text file: User1|Password1|Balance1 User2|Password2|Balance2 When user wants to deposit or withdraw the account, then how can update the balance. The problem is t

  • Payload set by API but dataObject remains empty and data does not flow

    Hi, We used ADF to programatically set the payload of a new BPM Instance, using JDev 11.1.1.6 and our BPM is also 11.1.1.6. Followed standard documentation.. and payload gets set, and submitted. firstTask.setPayloadAsElement(payload); wfSvcClient_.ge

  • Firewire not showing....tried all the usual

    Hi Folks Have been searching around the community but can't find an answer to this, so I thought I'd try asking. I have an iMac core Duo 20" (the white one)running on Tiger (all updates done) I have had it for about 2 years and only recently have I t

  • To Supress Leading Zeros

    Hi Gurus    I am developing ALV Report. For my Header I have to display Material Number. It is displaying with Leading Zeros. I want to supress those Zeros. Please send me the sample code urgently. Regards, Kumar