Tunneling
HI
EXperts
what are step for doing tunneling (idoc-idoc).?
any body help me regareding this .
Thanks for hlep
kumar
The blog explain it all.
Normally when an idoc hits XI it is converted to XML. If you do not want to convert the Idoc to XML ( in case of Idoc to Idoc scnearios ) then you use the concept of Idoc Tunneling.
Look into the blog for exact details.
Regards
Bhavesh
Similar Messages
-
IP Phone SSL VPN and Split tunneling
Hi Team,
I went throught the following document which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only things i'm not sure about split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I could see many implementation when they used split-tunneling, like one of my customer:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be
- is the limitation about split-tunneling still valid? If yes, why it is not recommended?
Thanks!
EvaHi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
IPSec tunnel on sub-interface on ASA 5510
Hello All,
I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
I would be greatul if someone please reply post this with some details.
Regards,
MudsHi Jennifer,
Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
Regards,
Muds -
Unable to see logs while using split tunnel for RA
hi everyone,
I have config RA VPN at my home lab using split tunnel.
I can connect fine and able to browse the internet.
When i go to internet sites i do not see logs generated on the VPN ASA?
Need to understand whats the reason behind this?
ASA1# sh conn all
5 in use, 12 most used
UDP outside 10.0.0.51:138 inside 10.0.0.255:138, idle 0:01:38, bytes 201, flags -
TCP outside 192.168.98.2:49509 NP Identity Ifc 192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
TCP outside 192.168.98.2:49507 NP Identity Ifc 192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
UDP outside 192.168.98.2:49903 NP Identity Ifc 192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
TCP outside 192.168.99.2:35902 NP Identity Ifc 192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
Where 192.168.98.2 is IP of PC.
10.0.0.51 is IP assigned from VPN pool to PC.
Regards
MaheshHi Mahesh,
You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while its active. You have probably configured an ACL that contains your LAN network behind the ASA.
This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
The Internet traffic of the user or any traffic that is NOT destined to that network in the ACL will simply use the VPN Client users PCs local Internet connection or local network.
This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the users local network connection.
If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
If you want to look at the current configuration on the CLI you would first have to issue
show run tunnel-group
And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group"
Then you could issue the command
show run group-policy
This would list you the Group Policy configuration for the VPN connection and would show something like this under it
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
Hope this helps
- Jouni -
EZVPN public internet split tunnel with dialer interface
I have a job on where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network as the external server will only accept connections from the corporate public IP address.
So I have not only included the corporate C class in the interesting traffic but also the IP address of the external server.
So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
Now comes the problem, I am trying to send the public IP traffic for the external server out of the corporate network into the public internet but it just drops and does not get back out the same interface into the internet.
I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html
And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site. I also have a home server on the network that is reached so I can definitly reach into the network at home which is the test for the corporate network I am trying to reach.
Its a cisco 870 router and here is the config
Router#sh run
Building configuration...
Current configuration : 4617 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 *************************
enable password *************************
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.111
ip dhcp pool myDhcp
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4
default-router 192.168.1.1
ip cef
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw pop3
ip inspect name myfw esmtp
ip inspect name myfw imap
ip inspect name myfw ssh
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw icmp
ip inspect name myfw h323
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw streamworks
ip inspect name myfw rcmd
ip inspect name myfw isakmp
ip inspect name myfw tcp
ip name-server 139.130.4.4
username ************************* privilege 15 password 0 *************************
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group HomeFull
key *************************
dns 8.8.8.8 8.8.8.4
pool SDM_POOL_1
include-local-lan
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group HomeFull
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 1740
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto ctcp port 10000
archive
log config
hidekeys
interface Loopback10
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description TimsInternet
ip flow ingress
ip policy route-map VPN-Client
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 3
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Virtual-Template3 type tunnel
ip unnumbered Dialer3
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect myfw in
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1372
no ip mroute-cache
hold-queue 100 out
interface Dialer0
no ip address
interface Dialer3
ip address negotiated
ip access-group blockall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
ip policy route-map VPN-Client
no ip mroute-cache
dialer pool 3
dialer-group 1
no cdp enable
ppp chap hostname *************************@direct.telstra.net
ppp chap password 0 *************************
ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 101 interface Dialer3 overload
ip access-list extended VPN-OUT
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended blockall
remark CCP_ACL Category=17
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit tcp any any eq 10000
deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map VPN-Client permit 10
match ip address VPN-OUT
set ip next-hop 10.0.0.2
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password cisco
scheduler max-task-time 5000
end
Router#exit
Connection closed by foreign host.Thanks for the response.
Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client. The policy route map makes the L10 the next hop and it has NAT. -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
JonathanHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN
I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP. We have a DNS server set up in AWS for any DNS queries for the remote domain name.
My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
VPN Client Tunnel Connection Pix506E
Situation: Trying to connect to PiX 506e for vpn client tunnel. The tunnel shows the following when using the sho isa sa command:
qm_idle 0 0
then after about 3-4 minutes the client workstaiton is receiving error: Reason 412: the remote peer is no longer responding
The same workstation on the same internet connection from the home office is able to connect to an ASA 5505 vpn client with no problems.
I have enabled: nat traversal on the pix506e and tried serveral options on the client side.
The Pix506E also has site to site vpn tunnels that are working without any problems.
Pix Software version: 6.3.5
Any ideas?Try to connect from a different internet connection and see if you are having the same issue.
Also, turn on the logs on the vpn client and see why it's failing. -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Routing Issue for Remote Access Clients over Site to Site VPN tunnels
I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?
Patrick, that was indeed true for a long time.
But now it is fixed in PIX and ASA version 7.x.
Please refer to this document for details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml -
Dynamin VPN/GRE can't ping other side of tunnel
I am new at this VPN stuff and tryiong to setup a GRE Dynamic IP VPN between my offfice and home. Here is what I ahve done thus far:
OFFICE
interface Tunnel0
ip address 172.30.1.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
interface FastEthernet0/0
ip address 40.197.68.9 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
HOME
interface Tunnel0
ip address 172.30.1.2 255.255.255.252
ip mtu 1400
ip nhrp map multicast 40.197.68.9
ip nhrp map 172.30.1.1 40.197.68.9
ip nhrp network-id 1
ip nhrp nhs 172.30.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 40.197.68.9
tunnel key 1
interface GigabitEthernet0/0
description Router
ip address 192.168.30.1 255.255.255.252
duplex auto
speed auto
When I ping 172.30.1.1 from the HOME router, I get 0/5 success. Not good! I have not setup any IPSec yet.
Results for HOME router
show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
172.30.1.1 E priority = 0 cluster = 0 req-sent 53 req-failed 0 repl-recv 0
sh int t0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.30.1.2/30
MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.30.1 (GigabitEthernet0/0), destination 40.197.68.9
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key 0x1, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:40:28, output 00:00:25, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
106 packets output, 12612 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
sh ip route
Gateway of last resort is 192.168.30.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.30.2
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.110.0.0/24 is directly connected, GigabitEthernet0/1.110
L 10.110.0.1/32 is directly connected, GigabitEthernet0/1.110
C 10.115.0.0/24 is directly connected, GigabitEthernet0/1.115
L 10.115.0.1/32 is directly connected, GigabitEthernet0/1.115
172.16.0.0/30 is subnetted, 1 subnets
S 172.16.2.0 [1/0] via 192.168.30.6
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.1.0/30 is directly connected, Tunnel0
L 172.30.1.2/32 is directly connected, Tunnel0
S 192.168.2.0/24 is directly connected, GigabitEthernet0/0
S 192.168.10.0/24 is directly connected, GigabitEthernet0/0
192.168.30.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.30.0/30 is directly connected, GigabitEthernet0/0
L 192.168.30.1/32 is directly connected, GigabitEthernet0/0
C 192.168.30.4/30 is directly connected, GigabitEthernet0/1.30
L 192.168.30.5/32 is directly connected, GigabitEthernet0/1.30
S 192.168.50.0/24 [1/0] via 192.168.30.6
192.168.69.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.69.0/24 is directly connected, GigabitEthernet0/1.69
L 192.168.69.3/32 is directly connected, GigabitEthernet0/1.69
S 192.168.100.0/24 [1/0] via 192.168.30.6
S 192.168.125.0/24 [1/0] via 192.168.30.6
S 192.168.200.0/24 [1/0] via 192.168.30.6
sh dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 50.197.68.90 172.30.1.1 NHRP 02:30:17 S
Results for OFFICE router
show ip nhrp nhs detail
sh dmvpn
sh int t0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.30.1.1/30
MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 40.197.68.9 (FastEthernet0/0)
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with FastEthernet0/0
Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport multi-GRE/IP
Key 0x1, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:43:56, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
show ip route
S* 0.0.0.0/0 [1/0] via 40.197.68.94
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 40.197.68.8/29 is directly connected, FastEthernet0/0
L 40.197.68.9/32 is directly connected, FastEthernet0/0
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.1.0/30 is directly connected, Tunnel0
L 172.30.1.1/32 is directly connected, Tunnel0
S 192.168.2.0/24 [1/0] via 192.168.10.5
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.1/32 is directly connected, FastEthernet0/1
S 192.168.69.0/24 is directly connected, FastEthernet0/0
Why can't Io ping from the HOME router to the OFFICE router?I fugured this problem out. I needed to setup PKI/IKE and once that was done on both routers, my tunned now passes some data.
-
How to configure full tunnel with VPN client and router?
I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?
I think it is possible. Following links may help you
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml -
Configure a VPN client and Site to Site VPN tunnel
Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
SiteA config with working VPN tunnel to SiteB:
SITE A
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.x.x.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#
Lines I add for Cisco VPN clients is attached
I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
Anyone any ideas what this can be?
ThanksHeres my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.255.255.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
ip local pool pix_inside 200.x.x.100-200.220.200.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.x.x.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 match address 80
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup Remote address-pool pix_inside
vpngroup Remote dns-server 200.200.200.20
vpngroup Remote wins-server 200.200.200.20
vpngroup Remote default-domain mycorp.co.uk
vpngroup Remote idle-time 1800
vpngroup Remote password password
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
I will attach debug output later today.
Thanks -
SonicWall Global VPN Client and Split tunneling
Hello All,
I searched Google and the forums here and can't find someone with the same problem.
Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet. I know about the different security risks but we have multiple field reps that need internet access while using our CRM program. So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue. They can get into the internal network but can't access the internet. They are both on WRT54G (different Vers.). I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue. I also tried to put their home network on a different subnet. All with no joy. I was wondering if anyone ever ran into something like this or have any clues what to try next.
-Thank You in advance for your time.
Message Edited by Chris_F on 01-11-2010 07:41 AM
Chris F.
CCENT, CCNA, CCNA SecOf course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect. -
RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities
For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode?
This is mostly a question, and partly "in use" observations.
Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode?
If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
Summary of VPN modes I've gotten to work with an RV220W:
Client
Split Tunnel Works?
Full Tunnel Works?
OS?
Notes
SSL VPN
Yes
Yes
Win7/64
IE10 or IE11
QuickVPN
Yes
No
Win7/64
IPSec VPN
Yes
No
Win7/64
Shrew Soft VPN ClientI have to mark this as not a correct answer.
Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
To Michal Bruncko who posted this:
1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way? -
ASA 5505 VPN Group Policies (RADIUS) and tunnel group
I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
Session Type: WebVPN
Username : kaisaron78 Index : 1
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 518483 Bytes Rx : 37549
Group Policy : RemoteAC Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:59:33 CEDT Mon Aug 18 2014
Duration : 0h:00m:23s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none
Asa5505# sh vpn-sessiondb webvpn
Session Type: WebVPN
Username : manintra Index : 2
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 238914 Bytes Rx : 10736
Group Policy : SSLPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:01:02 CEDT Mon Aug 18 2014
Duration : 0h:00m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none
As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
! RADIUS SETUP
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
key ******
authentication-port 1812
accounting-port 1814
radius-common-pw ******
acl-netmask-convert auto-detect
webvpn
port 10443
enable outside
dtls port 10443
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
anyconnect enable
! LOCAL POLICIES
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
vpn-tunnel-protocol ssl-clientless
vlan 3
dns-server value 10.5.1.5
default-domain value management.local
webvpn
url-list value Management_List
group-policy RemoteAC internal
group-policy RemoteAC attributes
vpn-tunnel-protocol ikev2 ssl-client
vlan 1
address-pools value AnyConnect_Pool
dns-server value 192.168.1.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_Anyconnect
default-domain value home.local
webvpn
anyconnect profiles value AnyConnect_Profile_client_profile type user
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
vpn-simultaneous-logins 0
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group OpenOTP
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
authentication-server-group OpenOTP
default-group-policy SSLLockdown
!END
I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
Any help will be more than appreciated.
Cesare GiulianiOk, it makes sense.
Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
Thank you again for your precious and kind help, and for your patience as well!
Cesare Giuliani
Maybe you are looking for
-
OIM 11.1.1.5.3 vs Siebel Connector log
Hi all, I have a problem with OIM Siebel connector log file. More in details: since I patched OIM from the version 11.1.1.5.0 to the 11.1.1.5.3 one (BP03 - patch ID 14891027), the Siebel Connector stops to log its normal operations (except errors). O
-
How to update a text file?
I am doing an assignment about a bank account. A text file stores the accounts. Account Text file: User1|Password1|Balance1 User2|Password2|Balance2 When user wants to deposit or withdraw the account, then how can update the balance. The problem is t
-
Payload set by API but dataObject remains empty and data does not flow
Hi, We used ADF to programatically set the payload of a new BPM Instance, using JDev 11.1.1.6 and our BPM is also 11.1.1.6. Followed standard documentation.. and payload gets set, and submitted. firstTask.setPayloadAsElement(payload); wfSvcClient_.ge
-
Firewire not showing....tried all the usual
Hi Folks Have been searching around the community but can't find an answer to this, so I thought I'd try asking. I have an iMac core Duo 20" (the white one)running on Tiger (all updates done) I have had it for about 2 years and only recently have I t
-
Hi Gurus I am developing ALV Report. For my Header I have to display Material Number. It is displaying with Leading Zeros. I want to supress those Zeros. Please send me the sample code urgently. Regards, Kumar