VPN 3000 dynamic crypto?

Is it possible to establish a tunnel (LAN-to-LAN) from a VPN 3000 series
Concentrator with a static IP address to another VPN 3000 series
concentrator (or an IOS router) with a dynamic IP address?

That is possible; you just need to configure it in the Base Group of the 3000 with the static IP, and on the remote 3K or router configure the tunnel as a normal L2L.
Please check this e-mail:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

Similar Messages

  • Setting up a PIX-PIX VPN with Dynamic and Static IP's

    Hey everyone..
    I'm recently working to deploy two PIX-506E devices at a remote site and at my home.
    I want to be able to connect these together and eventually create a spoke-and-hub method of deployment to keep several of the places I manage separate but accessible.
    The only problem is almost every example I've seen has two static WAN IPs. I cannot have a static WAN at my home, but it will be available for every remote.
    How could I go about this? Any articles you can shoot my way and modify so it would work will help me.
    Thank you.
    Michael Jankowski
    Computer Systems Consultant

    Hi
    In addition to what has been said.
    If you are looking to set up site-to-site VPNs and you don't have a static IP at your home, you can use dynamic crypto maps, which allow you to use dynamic IP addressing. You can mix and match, so you can use a fixed IP for your remote site and a dynamic IP at home. Attached is a link which explains dynamic crypto maps:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
    HTH

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Let's say we have three sites, which are all connected via separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but it makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, of which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits.  The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA. In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
    Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGP, like OSPF) which do not involve GRE tunnels or terminating the IPSEC on the core router, please?
    Kindest Regards,
    James.

  • VPN with Dynamic IP

    Hi
    I got one HQ and 3 remote offices; all branches would need to access application and email from HQ.
    At HQ I got a 3845 VPN server; 2MB Internet link with 2 public IPs
    At Branch #1 I got a 2801 router; 1MB Internet link with 2 public IPs
    At Branch #2 I got an 887 DSL router; 4MB DSL Internet with dynamic public IP
    At Branch #3 I got an ASA 5510; 1MB DSL Internet with 2 public IPs
    Site-to-site VPN between HQ and Branch #1 is working OK. What configuration do I need on HQ and Branch #2 to set up the VPN?
    HQ Subnets
    192.168.150.0 255.255.255.0 - Users
    192.168.151.0 255.255.255.0 - Application Server
    192.168.152.0 255.255.255.0 - Windows Server
    192.168.153.0 255.255.255.0 - Linux Server
    Branch#1 Subnet
    192.168.200.0 255.255.255.0 - Users
    Branch#2 subnet
    192.168.203.0 255.255.255.0 - Users
    Branch#3 Subnets
    192.168.206.0 255.255.255.0 - Users
    HQ_VPN_Configuration
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key 123456 address 5.5.5.5
    crypto ipsec transform-set VPN_Con_BR1 esp-3des esp-md5-hmac
    crypto map VPN 10 ipsec-isakmp
     set peer 5.5.5.5
     set transform-set VPN_Con_BR1
     match address BR1
    interface Tunnel15
     description GRE_Tunnel_to_BR1
     ip address 10.100.200.1 255.255.255.252
     tunnel source 10.10.12.2
     tunnel destination 172.16.32.2
    interface GigabitEthernet0/0
     description "Connected to BackBone"
     ip address 10.10.12.2 255.255.255.248
    interface GigabitEthernet0/1
     description "Public IP Interface"
     ip address 1.1.1.1 255.255.255.252
     no ip redirects
     crypto map VPN
    router ospf 2
     network 10.10.12.2 0.0.0.0 area 0
     network 10.100.200.1 0.0.0.0 area 0
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip access-list extended BR1
     permit gre host 1.1.1.1 host 5.5.5.5

    Looking for support on configuring the HQ router for VPN with a dynamic IP on the remote end.
    I managed to build up the Branch #2 configuration:
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key 123456 address 1.1.1.1
    crypto isakmp keepalive 300
    crypto ipsec transform-set VPN esp-des esp-md5-hmac
    crypto map vpn 10 ipsec-isakmp
    set peer 1.1.1.1
    set transform-set VPN
    match address 115
    interface Ethernet0
    ip address 192.168.203 255.255.255.0
    ip nat inside
    interface ATM0
    bandwidth 4160
    no ip address
    load-interval 30
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/50
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
    bandwidth 4160
    ip address negotiated
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp chap refuse
    ppp pap sent-username ABCD password 7 ABCD
    ppp ipcp address accept
    crypto map VPN
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer0 overload
    access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
    access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
    access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
    access-list 115 permit ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
    access-list 115 permit ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
    access-list 115 permit ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
    dialer-list 1 protocol ip permit
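    The HQ-side dynamic crypto map that the earlier PIX reply points to and that this post asks for, written as an added example (not the poster's or Cisco's config). It reuses the subnets and the existing VPN map from the post; the pre-shared key is a placeholder, and the transform set is assumed to be 3DES, so the posted Branch #2 transform set (esp-des) would have to be raised to esp-3des to agree.

```cisco
! HQ (3845) additions for the Branch #2 peer whose public IP is unknown.
! Keep the existing "crypto map VPN 10 ipsec-isakmp" entry for BR1 as is.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Wildcard pre-shared key, because the branch address cannot be listed.
! Caveat: any peer that knows this key may start an IKE negotiation, so
! give it its own key (not the BR1 key) and move to certificates when possible.
crypto isakmp key PLACEHOLDER_BR2_KEY address 0.0.0.0 0.0.0.0
! Dead peer detection, so a stale SA from the last branch address is torn down
! when the dynamic address changes (10 s interval, 3 s retry).
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set VPN_Con_BR2 esp-3des esp-md5-hmac
!
! A dynamic map carries no "set peer": the peer address is learned when the
! branch initiates.  "match address" still limits which proxy identities a
! dynamic peer is allowed to negotiate for.
crypto dynamic-map DYN_BR2 10
 set transform-set VPN_Con_BR2
 match address BR2
!
! Static entries are evaluated first; the dynamic entry gets the highest
! sequence number so it is only consulted when no static peer matches.
crypto map VPN 65535 ipsec-isakmp dynamic DYN_BR2
!
! Mirror image of the branch's access-list 115.
ip access-list extended BR2
 permit ip 192.168.151.0 0.0.0.255 192.168.203.0 0.0.0.255
 permit ip 192.168.152.0 0.0.0.255 192.168.203.0 0.0.0.255
 permit ip 192.168.153.0 0.0.0.255 192.168.203.0 0.0.0.255
```

    Because HQ has no peer address to send to, only Branch #2 can bring the tunnel up; traffic from HQ towards 192.168.203.0/24 will be dropped until the branch has negotiated the SA.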

  • VPN 3000 and Radius authentication/authorization

    hello.
    I have to configure RADIUS authentication
    with a VPN 3000 concentrator.
    I'm completely new with this product
    (the concentrator).
    It seems that, if I want to perform authentication
    of username and password with RADIUS, then I also have to download the entire VPN configuration from the same RADIUS, using the attribute set loaded with the appropriate dictionary.
    Am I right with this supposition?
    I mean: should it be possible to authenticate only a username and password externally on RADIUS, while continuing to maintain the user (or group) VPN configuration locally in the concentrator?
    thank you.
    Davide

    No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPNs on concentrators or the Concentrator itself, having a look at the support page will be a good idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

  • How to get the traffic split up in VPN 3000 Concentrator?

    Hi,
    Requirement:
    I want to parse & analyze the Cisco VPN 3000 Concentrator logs and provide the report for the happenings using the log.
    Issue:
    I am able to get the traffic split-up for the Cisco PIX 501 through its logs for the VPN connections. But in the Cisco 3000 VPN Concentrator, I am not able to get the traffic details for any PPTP/IPSec connections. It simply provides the overall traffic log when the session is closed. For example, below is my traffic log:
    <189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested
    My Question:
    Is there any configuration/solution available to get the live traffic [traffic split-up] through that VPN connection for the Cisco 3000 VPN Concentrator?
    Please help me in getting this issue resolved.
    Thanks to all helping me to resolve the issue.
    Thanks.

    You get the details from the PIX logs not because of VPN functionality but because the PIX is a stateful device that manages and logs each and every session.
    The VPN 3000 is not stateful or session aware. The best you could do is provide packet-level logging, but this would generate enormous log files that would need to be statistically analyzed to provide useful information.
    Your best options are to run their traffic through a PIX firewall for the session logging, use the first-hop router inside the network that can provide NetFlow export for analysis, or use a probe to monitor the traffic that can discern the individual flows. For the last two, ntop can analyze NetFlow or mirrored sessions to provide protocol analysis by src/dest IP, top protocols used, etc.
    -Shannon

  • Site to Site VPN working without Crypto Map (ASA 8.2(1))

    Hi All,
    Found a strange situation on our ASA5540 firewall :
    We have a couple of Site to Site VPNs and also client VPN enabled on the ASA; all are working fine. But I found a Site to Site VPN that is up and running without a crypto map configuration. Is it possible?
    I tried to clear isa sa and clear ipsec sa, and then the VPN came up again. Also tested that it's pingable to the remote site through the VPN.
    I did see there is a tunnel-group config for the VPN but didn't see any crypto map and ACL.
    How does the firewall know which traffic needs to be encrypted into this VPN tunnel without a crypto map?
    Is it a bug?
    Thanks in advance,

    It might be an Easy VPN setup.
    Could you post a running config output, removing any sensitive info? This could help us answer your question more exactly.

  • Can't Ciscoworks LMS 4.2.2 back up the configuration of Cisco VPN 3000 concentrator?

    Hi All,
    In the VPN 3000 concentrator, I've enabled tftp, telnet, snmp. I've also successfully added the concentrator into Ciscoworks LMS 4.2.2. All the ports are verified open to Ciscoworks. No question mark shows next to this device in the device management of LMS. However, when I run a configuration Archive Job, I always get the following failed message. Can anybody tell me how to back up the configuration of the Cisco VPN 3000 concentrator in Ciscoworks LMS 4.2.2? Thanks in advance.

    Sorry, but apparently not. Please see the supported devices table (here).
    That table states, among other things:
    The following features are not supported:
    Network Topology Layer 2 Services
    Fault Management
    Configuration Deploy Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP
    Configuration Fetch Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP

  • Maximum number of local users on a Cisco VPN 3000 Concentrator

    Hi,
    Do you know if there is a specific maximum number of local users that can be created on a Cisco VPN 3000 Concentrator? If possible, we would like to know the number for the different models.
    Thanks in advance for your help!
    Harry

    Hi Harry,
    Please see table 13-1 for that information, and read Authentication Server Limits paragraph
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp1685274
    Pls rate any helpful posts
    Bst Rgds
    Jorge

  • Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?

    Hi, need help. We have a VPN 3000 concentrator and a number of VPN clients (these are using the Cisco VPN client).
    We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco Concentrator 3000?

    Tricky question - in theory yes, if the Nortel client follows all the IPSEC RFCs.
    I did try to get the Cisco VPN client working on a Nortel Contivity once - did not get it working - but didn't have that much time to test and get it working.
    My advice - Configure, TEST DEBUG TEST DEBUG!

  • WWAN 3G/4G LTE HWIC VPN (with dynamic IP) configuration assistance to multi-context ASA

    Hello All
    I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup VPN solution.
    I need some assistance/guidance in configuring the cellular radio and configuring the VPN (dynamic IP) to work over the WWAN.
    Countries involved are France, Spain, Australia, Thailand and Malaysia.
    I understand that I will need the APN credentials from the service provider. Is this normally the same for 3G and 4G?
    Do I get chat scripts from them too?
    My VPN gateway in the HQ is a Cisco multi-context ASA, so I can't configure remote access as it's not supported yet. Can I possibly use the 1921 router (4G LTE HWIC installed) at the sites as a hardware client?
    I have seen the following URLs. One has the 3G router as a "remote access" VPN, but I guess this won't work in my scenario.
    The other is between an IOS router and ASA, which I think will work. I don't need NAT on the 3G/4G router as all traffic will be using the VPN.
    http://www.networking-forum.com/blog/?p=708 . Will I need this for all the sub-interfaces I configure on the router?
    interface Vlan1
    description LAN
    ip address 10.0.0.14 255.255.255.240
    no ip redirects
    no ip proxy-arp
    ip tcp adjust-mss 1452
    crypto ipsec client ezvpn ASA inside <--is this needed per interface????
    Remote access reference in config:
    group-policy 3GPolicy attributes
    vpn-tunnel-protocol IPSec
    password-storage enable
    nem enable
    tunnel-group 3GRAGroup type remote-access <---Remote access config
    tunnel-group 3GRAGroup general-attributes
    authorization-server-group LOCAL
    default-group-policy 3GPolicy
    tunnel-group 3GRAGroup ipsec-attributes
    pre-shared-key **Same key as the ASA profile on the 881**
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
    Anyone got a helpful configuration and guide?
    Thanks
    Feisal

  • WWAN 3G/4G LTE HWIC VPN (with dynamic IP) configuration assistance

    Hello All
    I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup VPN solution.
    I need some assistance/guidance in configuring the cellular radio and configuring the VPN (dynamic IP) to work over the WWAN.
    Countries involved are France, Spain, Australia, Thailand and Malaysia.
    I understand that I will need the APN credentials from the service provider. Is this normally the same for 3G and 4G?
    Do I get chat scripts from them too?
    My VPN gateway in the HQ is a Cisco multi-context ASA, so I can't configure remote access. Can I possibly use the 1921 as a hardware client?
    I have seen the following URLs. One has the 3G router as a remote access VPN, but I guess this won't work in my scenario.
    The other is between an IOS router and ASA, which I think will work. I don't need NAT on the 3G/4G router but will I need 
    http://www.networking-forum.com/blog/?p=708 . Will I need this for all the sub-interfaces I configure on the router?
    interface Vlan1
    description LAN
    ip address 10.0.0.14 255.255.255.240
    no ip redirects
    no ip proxy-arp
    ip tcp adjust-mss 1452
    crypto ipsec client ezvpn ASA inside
    Remote access reference in config:
    group-policy 3GPolicy attributes
    vpn-tunnel-protocol IPSec
    password-storage enable
    nem enable
    tunnel-group 3GRAGroup type remote-access
    tunnel-group 3GRAGroup general-attributes
    authorization-server-group LOCAL
    default-group-policy 3GPolicy
    tunnel-group 3GRAGroup ipsec-attributes
    pre-shared-key **Same key as the ASA profile on the 881**
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
    Anyone got a helpful configuration and guide?
    Thanks
    Feisal

    Duplicate post.
    Go here:  https://supportforums.cisco.com/discussion/12226676/i-want-connect-my-cisco-hq-router-remote-1841-router-using-hwic-3g-gsm-card-and

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create a remote VPN for many users so that every user is a member of more than one group and every group is linked to a predefined set of rules, for instance you can access these IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    The other question is what to use? ..PIX, ASA, VPN concentrator?
    BR
    jl

    The PIX and VPNC are both end-of-sale products now and unless you already have them your only choice is IOS or ASA. Of those two, the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However, as far as I know this is not possible:
    "every user is a member of more than one group"
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • SSL VPN and Dynamic DNS - ddns on IOS

    Hello,
    I'm trying to configure an SSL VPN tunnel via SDM on an 877 router. The router gets the public IP address dynamically from the ISP, so I have configured DDNS to access the router remotely. I would like to know if it's possible to configure the SSL VPN to support the dynamic IP via SDM or CLI.
    Regards
    Gerard

    Seems like I have fixed the problem using:
    webvpn gateway gateway_1
    ip interface Dialer0 port 443
    ssl trustpoint local
    inservice
    However, when the router is rebooted, it results in this error:
    Invalid ip address First configure an IP address for the gateway
    Any idea how to delay the webvpn commands at startup until Dialer0 gets a dynamic IP?

  • VPN 3000 problem

    I have 2 CVPN 3000 at my institution. They both have software version 4.7.2.L-k9. They also have WebVPN running.
    Lately something strange has been happening. One VPN loses connection (ping keepalives stop working) and no one can connect. When this happens I change the DNS A record of the VPN service to the 2nd CVPN and, after a while, that 2nd CVPN stops responding. Can this be an attack? What can I search for in the logfile? The logfile cannot hold more than 15-20 minutes.
    Thanks in advance.

    I have captured some traffic directed to the SSL port. There are a lot of TCP retransmission packets (dup ack).
    Disabling the SSL service, I have had the CVPN running for a day now.. it seems the problems have stopped. Of course now I don't have the WebVPN service.
    Any suggestions? Has anyone experienced such a problem?
    Tx
