VPN and ISDN configurations

I have attached the configurations. Kindly let me know how to set up a VPN on it.

Hi Imran
Now that you are done with the config of the ISDN dial-out, you need to create the crypto config and apply the same under the dialer interface.
Do refer to the link below, where the configs are discussed and are very much in line with your requirement.
You can refer to the config of router light to complete the config at your end.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
But also make sure that your headend (HO) router also has the same kind of config done.
regds

Similar Messages

  • Configuring Admin Util to allow me to use VPN AND surf the rest of the net

    I am having a problem when I connect to my work network via VPN. When I do, I can no longer connect to the rest of the Internet. I was able to do this until I started using an Express (so it has been allowed by my work network).
    Here's my setup: Express is connected via Ethernet to my Verizon Fios modem. When I connect my computer directly to the Verizon modem all works fine. I have been advised that what's happening is that my Airport Express is creating a behind-the-device network that has the same exact IP address space as your office's network (when I'm connected to it via VPN).
    To fix this I've been told to "Go into the Airport administration app, click on the "Internet" icon at the top of the configuration pane for your AE, then click on the "DHCP" tab, and look at what the "DHCP Range" pull-down menu is currently set to. After writing this down (in case you need to go back to it), change to one of the other options -- e.g., if it's currently set to "10.0.", change to "192.168." or "172.16". That should be enough to move you completely out of the space that your VPN is using. Save the changes, let your AE reboot, and try using the VPN and the internet at the same time again."
    The problem is that the advisor is using Airport Admin Util version 5.x and I am using version 4.2. The screen he suggests is not where his is in his version. Could someone advise me of how I can do this via 4.2?

    Reset your iPad and see if that fixes this.
    Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider if it appears on the screen - let go of the buttons. Let the iPad start up.

  • Cipher- and TLS configurations for SSTP VPN Client

    Hi!
    We use TMG to terminate our SSTP VPN's.
    TMG is configured to use TLS1.0 and 1.2 and ECDHE SHA 256/384 based ciphers.
    If I connect to some of our published web services from my Win7/8/8.1, the web browser is using TLS1.2 and latest ciphers.
    If I connect to the same TMG with SSTP VPN (and capture data to get these results), the Windows VPN uses TLS 1.0 and basic SHA handshake (naturally, since TLS 1.2 isn't kicking in).
    Can someone tell me, does SSTP VPN use schannels or is there some other place where i should enable TLS1.2 to get the latest protection levels also to our VPN solution?
    .. Or is this a TMG thing? :)
    Antti
    Antti Laatikainen IT Security Manager Santen Europe

    Hi,
    To enable TLS 1.2 in TMG, please refer to this article:
    TMG 2010 and enabling TLS 1.2
    http://gnawgnu.blogspot.com/2011/09/tmg-2010-and-enabling-tls-12.html
    In addition, Antti, I can only help you on this since I am not the professional on TMG and TLS.
    To better help you, I suggest contacting the TMG support:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. 
    Thank you for your understanding.
    Kate Li
    TechNet Community Support

  • IPsec VPN and NAT don't work together on HP MSR 20 20

    Hi People,
    I'm getting several issues, let me explain:
    I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network thru the VPN IPsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NAT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
    I'm missing something but I don't know what it is! See below the configuration.
    Can anyone help me with that, I need to send the traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
    Note: I just have only One public Ip address.
    version 5.20, Release 2207P41, Standard
    sysname HP
    nat address-group 1 186.177.159.93 186.177.159.93
    domain default enable system
    dns proxy enable
    telnet server enable
    dar p2p signature-file cfa0:/p2p_default.mtd
    port-security enable
    acl number 2001
    rule 0 permit source 192.168.100.0 0.0.0.255
    rule 5 deny
    acl number 3000
    rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    vlan 1
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ike proposal 1
    encryption-algorithm 3des-cbc
    dh group2
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    ike peer vpn-test
    proposal 1
    pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
    remote-address <Public Ip from VPN Peer>
    local-address 186.177.159.93
    nat traversal
    ipsec proposal vpn-test
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    ipsec policy vpntest 30 isakmp
    connection-name vpntest.30
    security acl 3000
    pfs dh-group2
    ike-peer vpn-test
    proposal vpn-test
    dhcp server ip-pool vlan1 extended
    network mask 255.255.255.0
    user-group system
    group-attribute allow-guest
    local-user admin
    password cipher .]@USE=B,53Q=^Q`MAF4<1!!
    authorization-attribute level 3
    service-type telnet
    service-type web
    cwmp
    undo cwmp enable
    interface Aux0
    async mode flow
    link-protocol ppp
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    interface Ethernet0/0
    port link-mode route
    nat outbound 2001 address-group 1
    nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
    ip address dhcp-alloc
    ipsec policy vpntest
    interface Ethernet0/1
    port link-mode route
    ip address 192.168.100.1 255.255.255.0
    interface NULL0
    interface Vlan-interface1
    undo dhcp select server global-pool
    dhcp server apply ip-pool vlan1
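The symptom in the post above is what appears when the NAT ACL and the IPsec ACL select the same packets. As an added example (not part of the original post, and assuming the router applies `nat outbound` before it matches the IPsec policy on Ethernet0/0), this Python check parses the posted ACLs 2001 and 3000 and reports the crypto flows that NAT would translate first. ACL 3001 is a hypothetical corrected NAT ACL, not taken from the post.

```python
import ipaddress
import re

# ACLs 2001 and 3000 are copied from the configuration in the post.
POSTED = """
acl number 2001
 rule 0 permit source 192.168.100.0 0.0.0.255
 rule 5 deny
acl number 3000
 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
"""
# Hypothetical corrected NAT ACL (assumption, not from the post): exempt the
# tunnel destination first, then permit everything else from the LAN.
FIXED_NAT_ACL = """
acl number 3001
 rule 0 deny ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 5 permit ip source 192.168.100.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """Convert 'address wildcard' (contiguous wildcards only) to a network."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def field(rest, keyword):
    """Extract the 'source' or 'destination' network of a rule; absent means any."""
    m = re.search(rf"{keyword} (any|\S+ \S+)", rest)
    if not m or m.group(1) == "any":
        return ANY
    return wildcard_net(*m.group(1).split())


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, src_net, dst_net)]} sorted by rule id."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = acls.setdefault(int(m.group(1)), [])
            continue
        m = re.match(r"rule (\d+) (permit|deny)\b(.*)", line)
        if m and current is not None:
            rest = m.group(3)
            current.append((int(m.group(1)), m.group(2),
                            field(rest, "source"), field(rest, "destination")))
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])
    return acls


def nat_rule_hitting(flow_src, flow_dst, nat_rules):
    """First NAT ACL rule that would translate part of this flow, or None."""
    for rule_id, action, src, dst in nat_rules:
        if not (src.overlaps(flow_src) and dst.overlaps(flow_dst)):
            continue
        if action == "permit":
            return rule_id
        # A deny only exempts the flow if it covers all of it; a partial
        # deny leaves the remainder to fall through to later rules.
        if flow_src.subnet_of(src) and flow_dst.subnet_of(dst):
            return None
    return None


def nat_vs_ipsec_conflicts(acls, nat_acl, crypto_acl):
    """List crypto-ACL flows that the NAT ACL would translate before IPsec sees them."""
    conflicts = []
    for rule_id, action, src, dst in acls[crypto_acl]:
        if action != "permit":
            continue
        hit = nat_rule_hitting(src, dst, acls[nat_acl])
        if hit is not None:
            conflicts.append({"crypto_rule": rule_id, "nat_rule": hit,
                              "flow": f"{src} -> {dst}"})
    return conflicts


if __name__ == "__main__":
    acls = parse_acls(POSTED + FIXED_NAT_ACL)
    print("NAT ACL 2001 vs IPsec ACL 3000:", nat_vs_ipsec_conflicts(acls, 2001, 3000))
    print("NAT ACL 3001 vs IPsec ACL 3000:", nat_vs_ipsec_conflicts(acls, 3001, 3000))
```

With ACL 2001 the tunnel traffic is rewritten to the public address and no longer matches ACL 3000; a NAT ACL shaped like 3001 leaves 10.10.10.0/24-bound traffic untranslated so it still matches the IPsec policy.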

    ewaller wrote:
    What is under the switches tab?
    Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
    If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
    I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
    Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
    So here is what it is under the switches tab

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so we're going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni
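The reply above depends on three pieces agreeing: the static policy NAT on ASA1, the encryption-domain ACLs on both sides, and the NAT exemption on ASA2. As an added example (not part of the original reply), this Python check reuses the reply's ACL lines, computes the last-octet-preserving translation from the question, and reports mismatches; `ASA1_BROKEN` is a constructed misconfiguration in which the crypto ACL still names the real network.

```python
import ipaddress
import re

# Lines copied from the reply (old-style ASA syntax: network followed by netmask).
ASA1 = """
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
ASA2 = """
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
"""
# Constructed misconfiguration: crypto ACL written with the pre-NAT network.
ASA1_BROKEN = ASA1.replace("permit ip 10.23.1.0", "permit ip 192.168.1.0")


def acl_entries(config, name):
    """Return [(src_net, dst_net)] for the 'permit ip' lines of the named ACL."""
    pat = re.compile(
        rf"access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)")
    return [(ipaddress.ip_network(f"{m[1]}/{m[2]}"),
             ipaddress.ip_network(f"{m[3]}/{m[4]}"))
            for m in pat.finditer(config)]


def policy_nat(config):
    """Return (real_net, mapped_net, peer_net) for the static policy NAT."""
    m = re.search(r"static \(inside,outside\) (\S+) access-list (\S+)", config)
    if not m:
        raise ValueError("no static policy NAT found")
    real, peer = acl_entries(config, m[2])[0]
    mapped = ipaddress.ip_network(f"{m[1]}/{real.prefixlen}")
    return real, mapped, peer


def translate(host, real, mapped):
    """Map a real host to its translated address, keeping the host bits."""
    addr = ipaddress.ip_address(host)
    if addr not in real:
        raise ValueError(f"{host} is outside {real}")
    return str(mapped.network_address + (int(addr) - int(real.network_address)))


def check_l2l_nat(asa1, asa2, crypto="L2LVPN-ENCRYPTIONDOMAIN", nonat="INSIDE-NONAT"):
    """Return mismatches between policy NAT, crypto ACLs and NAT exemption."""
    problems = []
    real, mapped, peer = policy_nat(asa1)
    c1, c2 = acl_entries(asa1, crypto), acl_entries(asa2, crypto)
    if (mapped, peer) not in c1:
        problems.append(f"ASA1 crypto ACL lacks translated flow {mapped} -> {peer}")
    if any(src.overlaps(real) for src, _ in c1):
        problems.append(f"ASA1 crypto ACL references real network {real}")
    if set(c2) != {(dst, src) for src, dst in c1}:
        problems.append("ASA2 crypto ACL is not the mirror image of ASA1's")
    if (peer, mapped) not in acl_entries(asa2, nonat):
        problems.append(f"ASA2 NAT exemption lacks {peer} -> {mapped}")
    return problems


if __name__ == "__main__":
    real, mapped, _ = policy_nat(ASA1)
    print("192.168.1.5 is seen as", translate("192.168.1.5", real, mapped))
    print("as posted:", check_l2l_nat(ASA1, ASA2))
    print("broken   :", check_l2l_nat(ASA1_BROKEN, ASA2))
```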

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • VPN and Remote Desktop Connection

    I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
    Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails every time. I'm not sure where the issue exists since it appears the server is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
    I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
    Thanks for your help.
    I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
    Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.
    A certificate could not be found. Connections that use the L2TP protocol over IPsec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.
    The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

    Morning Trent,
    I don't know if this is still an issue for you, did you get it solved?
    If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured to use on the server.

  • Problem SSO between VPN and NAC

    Hello
    Description of our problem: SSO doesn't work
    -on the first connection from the VPN client we insert the login and password two times: one time for the VPN client and the second time for CAA (Clean Access Agent).
    -although for the other connections that succeed, we insert the login and password only one time (for VPN only) and for CAA the connection is done automatically, and some hours later we reinsert the login and password two times for VPN and CAA.
    The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
    Step 1 Add Default Login Page =ok
    Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
    Step 3 Enable L3 Support on the CAS = ok
    Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
    Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
    Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
    Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
    Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
    Step 9 Add VPN Concentrator as a Floating Device =ok
    Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
    the database for vpn authentication is cisco secure acs(192.168.1.30).
    Thanks to anybody who can give us a possible solution.
    FILALI Saad
    Ares Maroc

    Hi
    I have just gone through the same issues with SSO VPN with my CAS in real-ip mode.
    First thing to consider, when you're testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.
    1. Make sure you have a fully functional DNS system on the inside network, I didn't realize how important it was to have forward and reverse lookups for your CAS and CAM. Make sure that all CAS and CAMs are listed in DNS with correct domain names.
    This is very important if you're running your own CA certificates on CAS and CAM. Make sure that the CAM and CAS can resolve each other via DNS. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they can't perform DNS lookups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldn't resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.
    2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.
    3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users, has been setup with the radius accounting being directed to the INSIDE interface IP address of your CAS, (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the CAS to check) if you're running in VGW mode then you only have 1 IP address to direct it to anyway.
    Follow from step 15 in following link
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my vpn user and pass, that the ASA authenticates the vpn user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you don't see this radius accounting message hit the CAS interface go back to my step 3 and resolve.
    4. Finally check that you have not mistyped a shared secret somewhere, ie between CAM and ACS, Between ASA and ACS, Between ASA and CAS. I had all my users authenticate through radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.
    Try these things first.
    Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
    You may find it useful too.
    Dale

  • ISDN configuration for backup of backup

    Hello Guys..
    I have an MPLS connection where I have running BGP with service provider and I have an ISDN configured (default route with higher AD) as a Backup of that. My customer wants to implement another ISDN connection which should act the backup of backup. Could anybody help me to find a solution to make it work. I can set the priority for the dialer interface , but I am worried about the routing configuration..

    Try configuring them as a multilink group:
    http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a0080094a6c.shtml

  • AnyConnect VPN and HP Office Jet Pro 8500 A910

    I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log into work AnyConnect VPN, I cannot print. It says the printer is disconnected from the network even though it is connected. IT support at work says it cannot change or adjust any VPN settings. The only way I can print is to disconnect from VPN. Is there anything I can adjust on the printer software or printer itself?

    Hi,
    In order to print over the local network while connected to a remote VPN network might be possible by modifying the VPN split tunneling configuration.
    However, it depends on the VPN capabilities and might not be allowed due to security requirements of your IT department.
    Anyway, there is no way to configure such a thing by the printer or the printer software.. it is directly affected by the network configuration, and therefore require to change the VPN settings.
    Regards,
    Shlomi
    Say thanks by clicking the Kudos thumb up in the post.
    If my post resolve your problem please mark it as an Accepted Solution

  • Conflict between VPN and Airport disk

    Hello Folks, I just bought a brand new airport extreme 802n.
    I thought it would be working fine with my Macbook pro, but it doesn't.
    I can't access any external hard disk or USB stick through the airport extreme, although the format is FAT32. I checked and checked but found nothing useful. All the settings are default.
    Worth to mention, I always use a cisco VPN client to get connected to the Internet (university student).
    There are few times when I disconnected the VPN Client, the USB Client can be found and read, but not be written.
    I thought it is a conflict between VPN and Airport disk. So I tried without VPN, but the USB stick and the external hard disk still didn't work properly. I have no idea what is happening, could somebody help?
    By the way is it possible to set Airport extreme as a VPN router so I don't have to use the cisco VPN client anyway?
    Any reply is appreciated
    Thank you !

    I have an Airport Extreme connected to a cable modem
    with comcast as my isp. The Extreme is connected to
    a G4 dual processor mac via ethernet. I also have 3
    airport expresses around the house to work as range
    extenders. When I had the G4 connect to the Extreme
    via its internal airport card, I had no difficulty
    connecting to any of the Expresses around the house
    with my g4 powerbook. Now that I have the G4 Dual
    directly connected by ethernet to get the fastest
    speed, I cannot get my expresses or my laptop to
    connect through my laptop to the base station. all
    lights are green on the expresses, but running
    network diagnostics on the powerbook shows red or
    yellow for the last two buttons on the right. Do I
    have a configuration problem or an Extreme that won't
    bridge properly?
    Check that the G4 Dual has a location configured with
    only "Built-In Ethernet" activated, and that its
    Ethernet connection isn't shared on AirPort.
    Turn off all your AX and check that your
    PB G4 is able to connect to "your" AirPort network.
    Take advantage of this silence of all your AX
    to run an analysis of your wireless environment:
    - check that you don't have any neighbor wireless
    network,
    - check that on each of your AX settlement you have a
    very good reception of "your" AirPort network.
    If everything works fine to that point, add one AX to
    your network, and check the reachability of your network
    where you wanted to extend it.
    dan    

  • VPN settings from configuration utility needs reboot

    The device is iPhone 3GS.
    .mobileconfig generated with iPhone Configuration Utility.
    All settings work as expected except that the VPN profile does not show up unless I reboot the phone.
    Has anyone else experienced this? Any solution?
    This is most likely a bug, right?

    We are seeing the same issue on our iOS 4 devices. Roughly 80% of the time a reboot is required. Our mobile config includes the following three payloads: Wi-Fi, VPN, and Passcode. I was using iPCU 3.0 (22?) beta build of iPCU to create the mobileconfig profiles.
    Today (July 14) Apple posted the production version of iPCU 3.0 (build 235). I haven't fully tested this version to see if it has improved.
    A related issue we have witnessed is that if a person resets their network settings, our enterprise VPN entry will disappear from the VPN panel. The mobile config profile is still there, but users can't find our settings to start a VPN session.

  • OS X Server VPN and OS X Client VPN Kerberos issue

    I set up OS X Server Leopard at home. I configured VPN on the server. I opened all of the recommended ports and then some.
    I've added the OS X Server to Directory Utility on my OS X client. I've configured a System Preferences > Network > VPN for the connection. I set it up for L2TP using the external address for my server at home, my username in Open Directory, and selected Kerberos for authentication. When I try to connect with the OS X VPN client it asks me to authenticate to [email protected] not [email protected]
    Does anyone have any idea where I should look to see why my OS X Client VPN Client is not trying to authenticate me using Kerberos to my home server but rather choosing my home username and my work Open Directory server? I looked on the forums but I don't see anyone describing this problem with VPN and Kerberos.
    Thanks in advance

    Brandon Macinnis wrote:
    Dnar,
    Thanks for the follow up bit about using the smbutil statshares command.  I used that and could confirm that I am also able to force it to connect with smb2.  Oddly though, in the stat share info it still says "AUTO_NEGOTIATE"
                                  SMB_NEGOTIATE                 AUTO_NEGOTIATE
                                  SMB_VERSION                   SMB_2.1
    But maybe that just means something else and not the fact that it did not auto negotiate to SMB.  I guess for now this will be what I have to do to use smb2.
    I think in this case the AUTO_NEGOTIATE merely means it will auto negotiate a connection between SMB1, SMB2, and (from your data) also SMB2.1. This would have nothing to do with auto negotiating between SMB2 and AFP, which from this thread appears broken.
    I also would like to thank Brandon for the tip about smbutil statshares, I had been looking for a simple way to tell what version of SMB was being used to test my NAS.
    For everyone's benefit, it would appear from the above that whilst Apple advertise Mavericks as using SMB2, they have gone as far as implementing SMB2.1 and merely list it only as SMB2 for simplicity and due to the fact there is not a huge difference between SMB2 and SMB2.1.
    See http://en.wikipedia.org/wiki/Server_Message_Block#SMB_2_and_3

  • Connecting to non-VPN and VPN simultaneously

    Ahoy there, I'm on high-speed (130 Mbit) restricted internet right now. The service filters certain ports and services (VoIP + P2P + FTP) and as such, I have to connect to a VPN to unblock these services. With this in mind, I ask the following questions:
    (The VPN is configured as such that I currently "Send all network traffic over this connection" with a unique server, account, password and shared L2TP key, or a PPTP connection without a shared secret and just server-account-password)
    Is it possible to
    A. Configure Firefox to use the native Ethernet direct connection and not use the VPN to get to the internet, regardless of the fact that I have "Send all network traffic" selected. (Like, maybe disabling Send all network traffic over this connection and configuring Transmission to just use the VPN)
    B. Configure Transmission (the P2P client) to only connect to the VPN and use it -solely- for P2P traffic.
    C. Use BOTH an Airport connection AND an Ethernet connection to increase speed or throughput.
    Any of these things would really help my dilemma, because while I'm connected to the VPN, Firefox's/the general internet speed goes down the drain, with the tradeoff being access to those services, which is immensely frustrating.
    Any thoughts?
    P.S. I had considered using Parallels Desktop to run another OS and use Parallels Shared Network connection and using that for P2P/VoIP and have that connect to the VPN only while the regular half of my computer is connected to the rest of the internet, but I don't know the logistics of such a thing.

    I am looking to do the exact same thing. Can anyone help?
    I would like to use Firefox for normal web browsing (non-VPN) and then Safari for VPN browsing. Currently, once I start up VPN all network data is going through it. I need to specify which program uses the VPN and which uses my normal "Built-in Ethernet" non-VPN.
    Thanks!

  • VPN and what can I expect to see?

    When I establish a VPN connection to a Snow Leopard Server will I be able to see or use applications from other servers on the same network?
    Or do I only get to use what is on the Server I connected to?
    And the only way I have found of using anything on the Snow Leopard Server is connecting to it with Apple remote desktop? Is that it or am I missing something?
    I can connect to a server with VPN and I have all data routed through VPN, and I cannot browse for servers and see anything?
    I have a functioning VPN into my newest Snow Leopard Server but I would love to use data from the Leopard Server that sits next door. I am able to install client software on the Snow Leopard Server and start it up and have it connect to my database but I am hoping to bring 2 or 3 remote users into the network simultaneously and have them use the database on the Leopard Server?
    Does Apple have a VPN setup guide anywhere?
    Thanks group.

    The Airport and Time Capsule are good home routers, and good WiFi devices.
    They're also configurable as good access points, which is handy if you're running multiple WiFi devices to get coverage in a larger area.
    The devices are not particularly capable firewalls for use with servers; that's not their target market.
    Specific device suggestions? I've worked with various stuff over the years, and I generally end up either following the client's gear preferences, or running some research based on the bandwidth and expectations and features for the installation. And the budget; for a bigger budget, you can often get better features or easier integration. And the products and offerings and features change regularly in this market; each time I do this, I find different gear.
    Here's the general path...
    There are commercial and open-source options available.
    The open-source packages can generally convert a two-controller spare PC into a firewall, and most (all?) can operate with a selection of embedded x86 boxes.
    In general, I look for support of VPN (L2TP and PPTP minimally, other protocols if and as available), look for explicit listings of Linux and Mac OS X details in the manuals (not because you're going to necessarily use Linux or any particular operating system here, but because the vendor went to the effort to test with a variety of platforms), and I look for a vendor that does not require downloading a VPN client, for NAT, reasonably programmable port-forwarding, and possibly (as additional features, or as specific requirements) DMZ, RADIUS, anti-malware and anti-spam mechanisms.
    Oh, and download and read the product manual before you buy the box. See if it makes any sense. (I've found this step invaluable for reducing the numbers of candidate boxes I need to evaluate.)
