VPN 3000 problem

Similar Messages

• VPN 3000 and Radius authentication/authorization

  hello.
  I have to configure RADIUS authentication
  with a VPN 3000 concentrator.
  I'm completely new with this product
  (the concentrator).
  It seems that, if I want to perform authentication
  of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attibute set loaded with the appropriate dictionary.
  am I rigth with this supposition?
  I mean: should be possible to authenticate only an username and password externally on RADIUS, while continuing to mantain the user (or group) VPN configuration locally in the concentrator?
  thank you.
  Davide

  No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPN's on concentrators or the Concentrator iself, having a look at the support page will be agood idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

• How to get the traffic split up in VPN 3000 Concentrator?

  Hi,
  Requirement:
  I want to parse & analyze the Cisco VPN 3000 Concentrator logs and provide the report for the happenings using the log.
  Issue:
  I am able to get the traffic split up for Cisco Pix501 thro' it's logs for the VPN connections. But in Cisco3000VPN Concentartor, i am not able to get the traffic details for any PPTP/IPSec connections. It simply provide the overall traffic log when the seeion is closed. For example below is my traffic log,
  <189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested
  My Question:
  Is there any configuration/solution available to get the live traffic[traffic split up] thro' that VPN connection for Cisco3000VPN Concentartor?
  Please help me in getting this issue resolved.
  Thanks to all helping me to resolve the issue.
  Thanks.

  You get the details from the Pix logs not because of VPN functionality but because the Pix is a stateful device the manages and logs each and every session.
  The VPN 3000 is not stateful or session aware. The best you could do is provide packet level logging, but this would generate enormous log files that would need to be statistically analyzed to provide useful information.
  Your best options are to run their traffic through a Pix firewall for the session logging, use the first hop router inside the network that can provide Netflow export for analysis, or use a probe to monitor the traffic that can discern the indivdual flows. For the last two, ntop can analyze netflow of mirrored sessions to provide protocol analysis by src/dest IP, top protocols used, etc.
  -Shannon

• Can't Ciscoworks LMS 4.2.2 back up the configuration of Cisco VPN 3000 concerntrator?

  Hi All,
  In VPN 3000 concerntrator, I've enabled tftp, telnet, snmp. I've also successfully added the concerntrator into Ciscoworks LMS 4.2.2. All the ports are verified open to Ciscoworks. No question mark shows next to this device in the device management of LMS. However, when I run configuration Achive Job, I always get the following failed message. Can anybody tell me how to to back up the configuration of Cisco VPN 3000 concerntrator in Ciscoworks LMS 4.2.2? Thanks in advance.

  Sorry, but apparently not. Please see the supported devices table (here).
  That table states, among other things:
  The following features are not supported:
  Network Topology Layer 2 Services
  Fault Management
  Configuration Deploy Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP
  Configuration Fetch Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP

• Maximum number of local users on a Cisco VPN 3000 Concentrator

  Hi,
  Do you know if there is a specific maximum number of local users that can be created on a Cisco VPN 3000 Concentrator? If possible, we would like to know the number for the different models.
  Thanks in advance for your help!
  Harry

  Hi Harry,
  Please see table 13-1 for that information, and read Authentication Server Limits paragraph
  http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp1685274
  Pls rate any helpful posts
  Bst Rgds
  Jorge

• VPN 3000 dynamic crypto?

  Is it possible to establish a tunnel (LAN-to-LAN) from a VPN 3000 series
  Concentrator with a static IP address to another VPN 3000 series
  concentrator (or an IOS router) with a dynamic IP address.

  That is possible, you just need to configure it on the Base Group of the 3000 with static ip and on the remote 3K or router configure the tunnel as a normal L2L.
  Please check this e-mail:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

• Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?

  Hi, need help. We have VPN 3000 concentrator and a number of VPN clients (these are using Cisco VPN client).
  We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco COncentrator 3000?

  Tricky question - in theory yes, if the nortel client follows all the ISPEC RFC's.
  I did try to get the cisco VPN client working on a Nortel Contivity once - did not get it working - but did'nt have that much time to test and get it working.
  My advise - Configure, TEST DEBUG TEST DEBUG!

• Out of ideas diagnosing VPN connection problems

  I'm having trouble narrowing down what's causing the VPN connection problems to my new Mini Server. Sometimes I can connect just fine with my MacBookPro and use all the resources like file sharing, etc. So, this leads me to believe it has been setup correctly. But then, for no reason at all (maybe it's later in the same day, or a completely different day) it will just stop working and I cannot connect at all.
  *MacBook and iMac at home cannot connect, but iPhone can*
  This is what's really throwing me off. This afternoon, I cannot connect to the server from home with my MacBook or my iMac. BUT, my iPhone can -using the same WiFi network my computers are on, not the cellular network. How could that be? The VPN settings on all 3 devices match exactly.
  *Colleagues with other ISP's can connect, while I cannot*
  I've called Comcast business (which provides the static IP for our office server) and they tell me all my settings are correct for allowing VPN traffic through. Likewise, Comcast Residential tells me there is nothing that would block VPN traffic from my home. They tell me to talk with Apple. argh!
  *Web and Server Admin services are still accessible when VPN is not working*
  We have exposed the Server's Web and Admin services without needing a VPN connection to access them. Since these services are accessible to me even when the VPN is not working, this leads me to believe the server is operating normally and capable of receiving incoming traffic.
  I'm out of ideas and I'm starting to lose my mind!!! Any ideas on why my 2 computers sometimes can connect, yet sometimes cannot...all the while, my iPhone can connect just fine over the same network???

  I don't have an explanation for the erratic nature of your connections. It's only as I've said before, in my experiences with such problems it has always traced back to misconfigured network or DNS settings. mDNS is multicast DNS and it's a protocol Apple uses so its devices can find each other easily. That may be the reason why your iPhone can connect when other things can't.
  To take a step back, here is how I think things should be set up:
  \- Your dedicated IP address should be assigned to your router automatically through PPPoE
  \- The name servers as set in your router should be your ISP's name servers
  \- Make sure the server has only one connection to the router that is managing the dedicated IP, either wired or wireless, but not both
  \- A static network address should be assigned to your server's MAC address in the router's DHCP settings
  \- The server's network address should be put in the DMZ on the router or set as the default server in the NAT settings, depending on the router
  \- The network settings in System Preferences on the server should be set to DHCP with manual address and the server's network address entered correctly
  \- The router address should be listed correctly in the network settings in System Preferences on the server
  \- The name servers in the network settings in System Preferences on the server should be 127.0.0.1 and the router's IP address, nothing else.
  \- The zone files on the server should have a primary and reverse zone for each domain name and its network address. Do not use the dedicated IP address in the zone files on the server.
  If everything is set as I described, it should work. If it doesn't, it's time to call a witch doctor or an exorcist.

• Remote access vpn ESP problem

  I have remote access vpn configured on cisco 2901 router. Everything works good exept ipad 2 3g. When i am connecting with ipad from 3g network it connects but  it is unable to access corporate resources. I talked to my telephone provaider and they told me that they have some nat problems with ESP. and adviced me to force vpn clients to use udp ports 500 and 4500. How i have to configure my router to accomplish this ?
  Thanks in advance

  Hello,
  Isakmp uses port UDP 500 for the managment connection establishment ( Phase 1).
  NAT-T ( used when they are nat devices in between two VPN endpoints) uses port UDP 4500.
  So on your Router NAT-T is configured by default, all you got to do is if you have an ACL on the outside interface allow this traffic (Isakamp and NAT T) On some of the newer IOS versions you do not have to apply the ACL as by default the VPN traffic (encrypted traffic bypasses the ACL).
  So your requirement is done by default, great thing right!! You can let your Telephone provider you are ready for the test.
  Julio
  Do rate all helpful posts!!

• VPN connection problem

  I am currently unable to connect to my VPN server with either of 2 Lion machines 2010 white MacBook and a black MacBook .  I run iVPN (L2TP) on an old PPC Mac Mini, my iPhone and iPad still connect instantly.  When the Lion machines try to connect for they try for about a minute and fail returning  "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."  I currently have my router setup to port foward and use a dynamic DNS.  I tried connecting straight to the VPN directly by changing to the internal LAN IP still no luck.  Any suggestions

  I've been out of my SonicWall VPN since I upgraded to Lion last week.  Found a trick and succeeded.  I had to reconfigure the settings on the Sonicwall and make sure that the phase 1 and phase 2 authentications were using AES encryption rather than 3DES.
  That did the trick and I was back in.
  Of course now my 10.6.8 clients are out - I'll post more on that front if I figure it out.

• Vpn authentication problem

  I have 2 AD account in 2 domain, Singapore and China. Both dom are under 1 forest. Problem is when I used Cisco VPN to connect to Singapore firewall but used China AD account & password, authentication failed. But when I used Cisco VPN to connect to China firewall but used Singapore AD account & password, authentication works. Why ? Please help an thanks.

  Muhammad,
  I think you have an issue with your AD search order....try adding the domain OU prefix with a "\" then the username i.e:-
  domain\username
  HTH.

• VPN tunnel Problem

  Hi all ,
  I need create VPN tunnels between two  ASAs devices . And these devices are connected through DSL . And as you know in this case we use private outside IP address , because there is  a NAT device at the outside . The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical .

  I hve allready configured following configuration.
  no crypto map newmap interface outside
  no crypto map newmap 171 set peer 195.11.199.144
  no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
  crypto map newmap 171 set peer 195.11.204.5
  isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
  clear crypto ipsec sa
  clear crypto isakmp sa
  crypto map newmap interface outside
  Setting were applied successfully however Still VPN tunnel is not been initiated.

• VPN Communication Problem

  I have created a working VPN between a remote PC with Cisco VPN Client and Easy VPN server on Cisco 1802 (DSL). The Router has an dynamic external IP and is accessible over DynDNS. The problem is not the VPN connetion, but the communication between the remote PC and LAN behind the router.
  Ping functions to all devices on the LAN
  telnet 25 functions
  DNS functions
  Access to shares is taking ages, functions then sometimes, usually runs it into a Timeout
  HTTP is taking ages and breaks then
  Remotedesktop to a 2k server breaks
  Remotedesktop to a 2k3 server opens the server window, but before the login mask breaks
  Application Security Log of the SDM:
  JAN 16 14:09:35.902 PC Time DROP PKT Dropping tcp pkt 192.168.121.15:80 => 192.168.122.5:4293
  JAN 16 14:11:35.662 PC Time DROP PKT Dropping tcp pkt 192.168.122.5:4302 => 192.168.121.15:3389
  Any idea's what's wrong with the config?

  Hi there,
  I see some issues here:
  1. Increase the value in the command:
  ip tcp synwait-time 10
  2. Remove following command from the interface Dialer0 config:
  ip route-cache flow
  3. On the VPN client PC, open the SetMTU utiliy (in the VPN client folder) and set the MTU on the interface to 1300.
  Start the above steps and test after each.
  Please rate if this helped.
  Regards,
  Daniel

• VPN CLIENT PROBLEM

  Hi
  I have a problem with ping in VPN Client,
  In this senario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A)but it could not.
  The router is able to ping Z.Z.Z.0/24.
  The Tunnel and VPN client are working.
  1. PC-1 can connect to ASA-1 and ping Network 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.
  2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.
  3. If PC-3 gateway be 10.10.10.1 , It can ping Z.Z.Z.2.
  4. If PC-3 gateway be 10.10.10.20 , It cannot ping Z.Z.Z.2.
  5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.
  6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
  This is my config on ASA-1 and ASA-2:
  hostname ASA-1
  interface G0/0
  nameif Outside
  security-level 0
  ip address x.x.x.1 255.255.255.224
  NO SHUT
  interface G0/3
  nameif Inside
  security-level 100
  ip address 20.20.0.1 255.255.0.0
  NO SHUT
  route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
  object-group network DM_INLINE_NETWORK_1
  network-object 10.10.10.0 255.255.255.0
  network-object 20.20.0.0 255.255.0.0
  network-object z.z.z.0 255.255.255.0
  ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
  access-list 100 extended permit icmp any any
  access-group 100 in interface Outside
  global (Outside) 1 interface
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 86400
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp enable Outside
  tunnel-group y.y.y.1 type ipsec-l2l
  tunnel-group y.y.y.1 ipsec-attributes
  pre-shared-key 1234
  group-policy ATA internal
  group-policy ATA attributes
  vpn-tunnel-protocol IPSec
  username TEST password TEST privilege 0
  username TEST attributes
  vpn-group-policy ATA
  tunnel-group ATA type remote-access
  tunnel-group ATA general-attributes
  address-pool ATA
  default-group-policy ATA
  tunnel-group ATA ipsec-attributes
  pre-shared-key 1234
  access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
  access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map Outside_map 1 set pfs group1
  crypto map Outside_map 1 set peer y.y.y.200
  crypto map Outside_map 1 match address Outside_1_Cryptomap
  crypto map Outside_map 1 set transform-set ESP-3DES-SHA
  crypto map Outside_map 1 set security-association lifetime kilobytes 10000
  crypto map Outside_map interface Outside
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
  crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
  access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
  access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
  nat (Inside) 0 access-list Inside_nat0_Outside
  nat (Inside) 1 0.0.0.0 0.0.0.0
  policy-map global_policy
  class inspection_default
    inspect icmp
  same-security-traffic permit intra-interface
  management-access Inside
  hostname ASA-2
  interface E0/0
  nameif Outside
  security-level 0
  ip address y.y.y.1 255.255.255.192
  NO SHUT
  interface E0/3
  nameif Inside
  security-level 100
  ip address 10.10.10.20 255.255.255.0
  NO SHUT
  route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
  route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
  access-list 100 extended permit icmp any any
  access-group 100 in interface Outside
  global (Outside) 1 interface
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 86400
  crypto isakmp enable Outside
  tunnel-group x.x.x.1 type ipsec-l2l
  tunnel-group x.x.x.1 ipsec-attributes
  pre-shared-key 1234
  access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
  access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map Outside_map 1 set pfs group1
  crypto map Outside_map 1 set peer x.x.x.1
  crypto map Outside_map 1 match address Outside_1_Cryptomap
  crypto map Outside_map 1 set transform-set ESP-3DES-SHA
  crypto map Outside_map 1 set security-association lifetime kilobytes 10000
  crypto map Outside_map interface Outside
  access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
  access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
  nat (Inside) 0 access-list Inside_nat0_Outside
  nat (Inside) 1 0.0.0.0 0.0.0.0
  policy-map global_policy
  class inspection_default
    inspect icmp
  same-security-traffic permit intra-interface
  management-access Inside
  Regards

  Hi,
  My suggestion to your puzzle  is to  either load your ASDM real time log and observe the logs while one host tries to ping each other and take notes on the log , this should provide you with  information  and some clues on what the issue could be.  You may also try  to packet capture in ASA-2  , either way,  I would start with easiest one which is  realtime log on ASDM.
  Could you provide the folloing:
  1 - Post output of    c:\ipconfig /all    from PC-4  z.z.z.2/24
  2 - Post output of     show ip route     from Router   where PC-4 subnet is routed from
  Regards

• VPN / NAT Problem

  Hi I have quite a complex (to explain) VPN problem, I've built a model in GNS3 but I still cant get it to work. here is the topology
  1. SiteW is the main site, if W-CLient wants to talk to S-Client (on SiteS) the traffic is simply NATTED to 106.200.194.240 and sent there (this works fine).
  2. SiteB is a new site, Ive set that up with a Site to Site VPN, that works fine.
  New Requirement
  If a user at SiteB wants to Talk to a Client at SiteS, then the traffic should go over the existing VPN to W-FW1 then get decrypted and routed there. This is the bit I CANNOT despite HOURS of tweaking and testing get to work.
  What I've done
  On W-FW2
  Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so;
  object network S-CLIENTS
  subnet 65.253.1.0 255.255.255.0
  access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
  nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
  On W-FW1
  Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so;
  object network S-CLIENTS
  subnet 65.253.1.0 255.255.255.0
  access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
  nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
  At this point packet tracer said the traffic was being blocked by ACL so I added
  access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
  access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
  access-group inbound in interface outside
  Now Packet Tracer was happy, Still B-Client Cannot Ping S-Client!
  W-FW1 can ping S-Client
  Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2) but no traffic ever travels BACK to B-Client.
  Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected) but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1
  Help!

  First check if the packet from the S client is making it back to the W-F1. 
  Configure Captures on the interface that is connected to the 106.200.194 subnet. 
  #cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
  #show cap capin
  Capture is bidirectional. Hence no need to enable it in the opposite direction.
  If the packet is seen coming back from the  Sclient and still not getting encrypted then do asp drop capture to see if the ASA is dropping it
  #capture asp type asp-drop all
  send the traffic.
  #show cap asp | in <Sclient IP>
  If the packet is see in this capture then the ASA is dropping it.
  Then do a packet tracer to see why it is dropping it.
  #packet-t input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> det.
  Check why the packet is dropping.
  if the capin capture does not see the reply packet then check the reply path and routing.