VPN between RV042 and Cisco 2801

Similar Messages

• VPN between WRVS4400N and CISCO 857 router

  Hi ALL,
  Am trying to VPN the two and have setup the WRVS4400N side using IPSec (seems easy enough). Has anyone any experience on the 857 router side? Would you kindly show how that can be configured? Or just point me to any good source doing it will be good too. Thanks!

  ip nat inside source route-map nonat interface FastEthernet0 overload
  access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  access-list 110 permit ip 10.20.10.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 110
  or better (if you have for example the IP public 1.2.3.5)
  ip nat pool 1.2.3.5 1.2.3.5 1.2.3.5 prefix-length 30
  ip nat inside source list nat-to-internet pool 1.2.3.5 overload
  ip access-list extended nat-to-internet
  deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 10.20.10.0 0.0.0.255 any
  deny   ip any any

• IPSEC between Fortinet and Cisco SA540

  Hi,
  We have done the site to site VPN between Fortinet and Cisco SA540. Everything is configured at both ends but the tunnel is not establised. Can you help me out to resolve the issue.
  Regards,
  Satish.

    Hello Venkatasatish,
  I gonna send you an example of VPN between Cisco ASA 8.2 version and Fortigate mr4.
  In my example i gonna use the following environments:
  Cisco ASA "Zones"
  Inside: 192.168.1.0/24     "Asa inside interface Ip address 192.168.1.1"
  Outside: 200.200.200.0/29  "Asa outside interface Ip address 200.200.200.1"
  Fortigate "Zones"
  inside: 172.16.1.0/24     "Asa inside interface Ip address 172.16.1.1"
  outside: 201.201.201.0/29  "Asa outside interface Ip address 201.201.201.1"
  =================================> VPN Script of ASA <=================================
  access-list inside_access_in remark Firewall rule from ASA to Fortigate
  access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
  access-group inside_access_in in interface inside
  access-list VPN_NONAT remark Nonat to VPN traffic over VPN
  access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
  access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
  access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
  nat (inside) 0 access-list VPN_NONAT
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
  crypto map OUTSIDE_map 1 set peer 201.201.201.1
  crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
  crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
  crypto map OUTSIDE_map interface outside
  group-policy GP_TO_FORTIGATE internal
  group-policy GP_TO_FORTIGATE attributes
  vpn-idle-timeout none
  vpn-tunnel-protocol IPSec
  tunnel-group 201.201.201.1 type ipsec-l2l
  tunnel-group 201.201.201.1 general-attributes
  default-group-policy GP_TO_FORTIGATE
  tunnel-group 201.201.201.1 ipsec-attributes
  pre-shared-key cisco123
  =================================> VPN Script for Fortigate ==============================
  Phase 1:
  FORTIGATE# config vpn ipsec phase1-interface  "enter"
  FORTIGATE (phase1-interface) # edit 200.200.200.1 "enter"
          set interface "outside"
          set keylife 86400
          set mode main
          set dhgrp 2
          set proposal 3des-sha1
          set remote-gw 200.200.200.1
          set psksecret ENC cisco123
          next "to apply the configuration"
  Phase 2
  FORTIGATE# config vpn ipsec phase2-interface
      edit 200.200.200.1
          set keepalive enable
          set pfs disable
          set phase1name "200.200.200.1"
          set proposal 3des-sha1
          set dst-subnet 192.168.1.0 255.255.255.0
          set keylifeseconds 3600
          set src-subnet 172.16.1.0 255.255.255.0
          next "to apply the configuration"
  Config route to VPN: I am using 100 entry, you need to take a look at your firewall.
  FORTIGATE# config router static "enter"
  FORTIGATE (static) # edit 100 "enter"
  FORTIGATE (100) #  set device "200.200.200.1"
                     set distance 1
                     set dst 192.168.1.0 255.255.255.0
  Create a Rule: in my example I´m using any to any over VPN, but you can to filter based on network environments.
  FORTIGATE # config firewall policy "enter"
  FORTIGATE (policy) # edit 100 "enter"
  config firewall policy
      edit 100
          set srcintf "200.200.200.1"
          set dstintf "inside"
              set srcaddr "all"            
              set dstaddr "all"            
          set action accept
          set schedule "always"
              set service "ANY"            
          set logtraffic enable
          set comments "Access from VPN ASA site"
  FORTIGATE (policy) # edit 101 "enter"
  config firewall policy
      edit 101
          set srcintf "inside"
          set dstintf "200.200.200.1"
              set srcaddr "all"            
              set dstaddr "all"            
          set action accept
          set schedule "always"
              set service "ANY"            
          set logtraffic enable
          set comments "Access to VPN ASA Site"
  After that, please start a traffic between private network, 192.168.1.0 and 172.16.1.0/24.
  Please let me know about it!
  Good luck.
  Fabio Jorge Amorim

• IPSec ikev2 between ASA and Cisco Router

  Hi,
  i try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Any one can help me ?
  - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
  - Authentication with Certificats
  - integrity sha2
  I try a lot of configurations without success.
  Thanks for your help.
  Mic

  The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 28800
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 43200
  The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
  There are two (three) better options:
  Best option with very little needed configuration:
  Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
  Best option with a little stronger crypto but more configuration:
  Move to AnyConnect with IPsec/IKEv2. 
  Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.
  For option 1) and 2) there is an extra license needed, but thats not very expensive.

• How to create multiple sip trunks between cucm and cisco unified sip proxy

  Dear Expert,
  Is there a way to create multiple sip trunks between CUCM and Cisco Unified SIP Proxy (CUSP)? How to achieve it without creating multiple IP interfaces on the CUSP module.
  CUCM: 8.5.1.10000-9
  CUSP: 8.5.2
  Thank you,
  .wan

  Hello Michael,
  This SIP trunk is part of UCCE solution, which used between CVP, CUSP, and CUCM.
  The requirements:
  1) To have different codecs for different type of calls, as the phones are at few countries
  2) To pass different number of digits from CUSP to CUCM for different call treatments
  .wan

• Remote site redundancy IPSEC VPN between 2911 and ASA

  We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
  Site A has an ASA with one internet circuit.
  Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
  Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
  The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
  What is the best way of achieving this?
  We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
  However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
  I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
  Any help/advice would be appreciated!

  Hello,
  I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
  Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
  Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
  I hope what I wrote makes some sense.

• Remote VPN between ASA5505 and Netscreen SSG140

  Dears,
  I'm trying to set up a VPN between an ASA 5505 and  SSG40Juniper and the VPN keep flaping:
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, NP encrypt rule look up for crypto map TEST 1 matching ACL ACL_VPN: returned cs_id=cd2e0998; encrypt_rule=cd39bd50; tunnelFlow_rule=cd488220
  Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, Security negotiation complete for LAN-to-LAN Group (89.XXX)  Responder, Inbound SPI = 0xb98f5dbe, Outbound SPI = 0xddd1484a
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE got a KEY_ADD msg for SA: SPI = 0xddd1484a
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Pitcher: received KEY_UPDATE, spi 0xb98f5dbe
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3060 seconds.
  Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:31 [IKEv1]IKE Receiver: Packet received on 81.1XXX:500 from 89.XXX:500
  Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
  Nov 27 04:47:31 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3056 seconds.
  Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:35 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
  Nov 27 04:47:35 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3052 seconds.
  Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a4070b7)
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
  Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=8977946c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
  Nov 27 04:47:38 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE RECEIVED Message (msgid=8e9a1247) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing hash payload
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing notify payload
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a4070b7)
  Nov 27 04:47:39 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
  Nov 27 04:47:39 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3048 seconds.
  Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:43 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE QM Responder FSM error history (struct &0xcd58eee8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_ACTIVE, EV_RESEND_MSG-->QM_ACTIVE, NullEvent-->QM_ACTIVE, EV_VM_START-->QM_ACTIVE, EV_ACTIVE-->QM_RSND_LST_MSG, EV_RESET_LIFETIME-->QM_RSND_LST_MSG, EV_IS_REKEY_SECS-->QM_RSND_LST_MSG, EV_RESEND_MSG
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IPSec delete payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
  Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=57422aa9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE Deleting SA: Remote Proxy 172.24.0.0, Local Proxy 10.143.0.0
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IKE delete payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
  Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=c364409e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
  Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
  Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
  Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Session is being torn down. Reason: Lost Service
  Nov 27 04:47:43 [IKEv1]Ignoring msg to mark SA with dsID 1658880 dead because SA delete
  On the Cisco side
  crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
  crypto ipsec security-association pmtu-aging infinite
  crypto map TEST 1 match address ACL_VPN
  crypto map TEST 1 set peer 89.XXX.XXX.XXX
  crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
  crypto map TEST interface outside
  crypto ca trustpool policy
  no crypto isakmp nat-traversal
  crypto ikev1 enable outside
  crypto ikev1 policy 1
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 172.24.0.0 255.255.0.0
  On the juniper side:
  set ike gateway "TO_XXX_ASA" address 81.XXX.XXX.XXX Main outgoing-interface "ethernet0/2" preshare "XXXXXXX" proposal "pre-g2-3des-md5"
  set vpn "DATACENTER_XXX_ASA" proxy-id local-ip 172.24.0.0/16 remote-ip 10.143.0.0/16 "ANY" 
  set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
  set vpn "DATACENTER_XXX_ASA" monitor optimized rekey
  set vpn "DATACENTER_XXX_ASA" id 0x78 bind interface tunnel.2
  set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
  set vpn "DATACENTER_XXX_ASA" monitor source-interface ethernet0/2 destination-ip 10.143.0.1 optimized rekey
  set vpn "DATACENTER_XXX_ASA" id 0x7b bind interface tunnel.2
  PFS is disabled.
  Any idea why I receive these errors?
   Duplicate Phase 2 packet detected.  Retransmitting last packet.
  QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!

  Hey,
  anybody any idea on this problem? We encountered this problem also.
  i can see in ASA log that phase1 is completed.
  after that we get the msg for phase2 completed.
  but followed with a "responder resending lost, last msg" this 3 times, than a QM FSM error and the tunnel being shut down on our end.
  the other side, is getting an active SA, but ofc not working.
  any idea?
  5 Jan 23 2015 14:59:14 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
  7 Jan 23 2015 14:59:18 713906 IKE Receiver: Packet received on yy.yy.yy.yy:500 from xx.xx.xx.xx:500
  5 Jan 23 2015 14:59:18 713201 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  6 Jan 23 2015 14:59:18 713905 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Responder resending lost, last msg
  7 Jan 23 2015 14:59:18 715080 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Starting P2 rekey timer: 27357 seconds.
  5 Jan 23 2015 14:59:18 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
  3x times
  3 Jan 23 2015 14:59:30 713902 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0x00007fff2a9921f0, mess id 0x440ce73e)!
  with kind regards,
  Bernd

• Site to site vpn between RV215W and ASA5510

  Hello,
  We're trying to establish a site to site vpn between a RV215W (firmware version 1.0.0.16) and an ASA5510 (ASA 8.2(3)).  The ASA currently has 5 other IPSec VPN tunnels running.  It sure does look like I've dotted all my "i's" and crossed all my "t's" with respect to both sides of the tunnel.  What I'm seeing from the 5510 is that there is some sort of communication between the two devices but there is no IPSec tunnel established and no traffic is getting beyond either device.  It shows the RV215W connected but 0 bytes Tx and 0 bytes Rx.
  From the RV215W side of things it shows an IPSec SA not established.  The protocol is IKE and the encryption used is 3des.  Both sides have the same preshare key and are using the same settings.  From each device I can ping the public IP address of the other, but I get no further.  I believe I have ACL's set up to allow traffic from both internal networks.  (although I may not - I'm hardly a Cisco guru, just fumbling my way through this...)
  Any guidance/direction would be greatly appreciated.
  Thank you in advance!

  Hello,
  I have found an article that may provide some assistance with your VPN. It has information on more advanced settings on VPNs for the RV215W. I hope that it may be of some use to you.
  Advanced VPN Setup on RV215W
  Hope it helps,
  Andrew Mayfield

• VPN between Mac and Windows? share printer and USB drive

  Hey everyone, I'm out at college and have a Windows SP2 desktop set up in my room with the printer and our external hard drive. I travel around campus with my macbook pro (10.5), and it'd be really nice to access the printer and my external hard drive.
  Problem is that since its a huge vast network, I think its near impossible to do a direct "IP" connect to it. So the next option is to use a VPN, which I have experience with Windows and Hamachi, but I have no idea how to incorporate a VPN between a mac and a windows computer.
  Thanks!

  Hi Eric and welcome to Discussions and the Apple world.
  Mac OSX can read and write from Windows partitions (like the BootCamp Windows partition you are about to create) when using FAT32 as file system for Windows.
  However with FAT32 you are limited to a partition size of 32GB.
  Mac OSX can also read from Windows partitions that uses the NTFS file system, but it can not write to them unless you use a third-party helper like either Paragons NTFS for Mac http://www.paragon-software.com/home/ntfs-mac/ or NTFS-3G http://www.ntfs-3g.org/
  Windows can not even see or use a Mac OSX partition without additional help by MacDrive http://www.mediafour.com/products/macdrive/
  Regards
  Stefan

• Remote span between Extreme and Cisco switches

  Hello,
  I need to configure remote span between Extreme Networks X460-24p and Cisco Cataylst 2960X switches. 2 IP phones are connected to ports 15 and 17 on Extreme switch, and should be monitored to port 1/0/47 on Cisco switch. Extreme and Cisco switches are interconnected with trunk (port 28 on Extreme with port 1/0/51 on Cisco).
  I configured the following:
  On Extreme switch:
  configure mirror mode enhanced
  enable mirroring to port 28 remote-tag 1000
  configure mirroring add port 17 ingress-and-egress
  configure mirroring add port 15 ingress-and-egress
  On Cisco switch:
  vlan 1000
   name RemoteSPAN
   remote-span
  monitor session 1 destination interface Gi1/0/47
  monitor session 1 source remote vlan 1000
  But this is not working :(
  Does enyone have experience with this? I really need help to make this work.
  Thanks.

  OK, this configuration is actually working :)

• Issue bringing up VPN between ASA and Checkpoint - HELP

  Hi all
  We are having major issues bringing up a vpn between our ASA and third party checkpoint, it seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesnt come up.
  on the ASA I see the following
  any ideas what this is ?
  7
  Jan 30 2014
  11:52:03
  715065
  IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

  Phase 2 failures means several things:
  Encryption domain (interesting traffics) fail to match.  Checkpoint tends to supper net network together, by design,
  Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
  Why don't you put in relevance configuration on the ASA and if possible, ask the checkpoint firewall guy to do the following on the firewall:
  - output of "uname -a" and "fw ver"
  - is this Nokia, Windows or Secureplatform Checkpoint?
  - run the following commands on the firewall:  "debug ike off", "debug ike trunc"  and send you the ike.elg file.  That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong. 
  Disable/turn OFF kilobytes timeouts is not the solution. 

• Routable VPN Between ASA and Windows RRAS

  Hi all,
  I'm trying to figure out the best way to create a routable VPN between my production network and a small DR server that I have colo'd offsite.
  On the production side I have an ASA 5515-X (10.1.0.0/23) and on the DR side I have a Windows Server 2012 R2 server running RRAS, DHCP, NAT, and Hyper-V.  The DR server has a virtual environment with a subnet of 10.5.0.0/24 behind NAT (diagram attached for a visual).  I've seen some tutorials online for how to create a routable VPN between the two, some utilizing the Windows Advanced Firwall to create an IPSec tunnel.  So far, I've not been able to get the tunnel to come up.
  Before I spend even more time trying to troubleshoot this, I was wondering what the best way to create a secure connection between these two subnets is and if anybody has done something similar successfully.
  Thanks,
  Jason

  None yet, I've been stuck on this for a while now.  My latest attempt caused the DR site to go offline and required hands-on at the colo site to get it back online due to a bad ipsec policy, so I've backed off a bit on trying things.

• LACP between SRW2048 and Cisco 3750

  Hi,
  I have been trying to set up a LACP link between my SRW2048 and Cisco 3750 using two gigabit ethernet links.
  Whenever i plug one cable in the interface does not come back up.
  I have already sucessfully been able to create a LACP link between the 3750 and a catalyst 2960 for two cables.
  Both interfaces at both units are set up as trunks for Vlans 1 (default and untagged), 4, 99, 101, and 102, then the Port-channel / LAG set also as a trunk with the same vlans.
  Does anyone have any ideas why the interface is not even initialising?
  If i plug a SRW2048 LAG'd interface into a normal access (vlan1) port on the 3750 it works fine, and vice versa with the 3750 to the SRW2048.
  Below is a extract of logs from both:
  -- Log from SRW2048
  1   2147483579   07-Oct-2008 16:12:24    Informational   %LINK-I-Up:  ch1            
  2   2147483580   07-Oct-2008 16:12:24    Informational   %LINK-I-Up:  Vlan 102            
  3   2147483581   07-Oct-2008 16:12:24    Informational   %LINK-I-Up:  Vlan 101            
  4   2147483582   07-Oct-2008 16:12:24    Informational   %LINK-I-Up:  Vlan 99            
  5   2147483583   07-Oct-2008 16:12:24    Informational   %LINK-I-Up:  Vlan 5            
  6   2147483584   07-Oct-2008 16:12:24    Informational   %TRUNK-I-PORTADDED: Port g4 added to ch1            
  7   2147483585   07-Oct-2008 16:12:19    Informational   %LINK-I-Up:  g4            
  ## Plugged back into standard vlan1 access port ##
  ## Plugged into LACP enabled port on 3750 ##
  ## Unlugged from standard vlan1 access port ##
  8   2147483586   07-Oct-2008 16:11:10    Warning   %LINK-W-Down:  ch1            
  9   2147483587   07-Oct-2008 16:11:10    Warning   %LINK-W-Down:  g4            
  10  2147483588   07-Oct-2008 16:11:10    Warning   %LINK-W-Down:  Vlan 102            
  11  2147483589   07-Oct-2008 16:11:10    Warning   %LINK-W-Down:  Vlan 101            
  12  2147483590   07-Oct-2008 16:11:10    Warning   %LINK-W-Down:  Vlan 99          
  13  2147483591   07-Oct-2008 16:11:10    Warning   %LINK-W-Down:  Vlan 5            
  14  2147483592   07-Oct-2008 16:11:10    Warning   %TRUNK-W-PORTREMOVED: Port g4 removed from ch1    
  -- Log from Catalyst 3750
  mercury#terminal monitor
  mercury#
  Oct  7 15:10:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet   1/0/17, changed state to down
  Oct  7 15:10:45: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/17, changed state    to down
  Oct  7 15:11:54: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/17, changed state    to up
  Oct  7 15:11:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet   1/0/17, changed state to up
  mercury#

  The linksys documentation is a little thin on the ground all over.
  However, if i have got this correct the Admin key needs to be the same for all interfaces in the same LAG for one switch i.e not the same for both ends of the cable?
  As for the priority, i assumed this was to do with how the switch dealt with with interfaces were to be active if there were more in the group than could be allowed - to allow for backup links. Is this correct?
  Thanks for your reply.

• Multicasting (IGMP Snoop) between Nortel and Cisco

  We are currently having issues with Zen imaging (multicasting) and our setup is the following.
  Please take into account, our knowledge is very limited with IGMP Snooping setup etc.
  MDF = 6 Nortel 450-24T's using FirmWare -1.48 / SoftWare - 4.5.2.4
  IGMP Settings are such :
  VLAN: [ 1 ]
  Snooping: [ Enabled ]
  Proxy: [ Disabled ] -----> This was on...but once off, runs much smoother.
  Robust Value: [ 2 ]
  Query Time: [ 125 seconds ]
  Set Router Ports: [ Version 1 ]
  In the MDF (anythig directly in those switches) images fine now. (once I disabled PROXY)
  However I have a few IDF's off the MDF that are using OLD Nortel 350F-HD's (no IGMP Snooping support) and it's horrible (can only do a few computers at a time.
  So in one of the IDF's (the biggest one) I pulled out the 350F-HD and replaced it with a CISCO 2950 w/Fiber and it's using 12.1.20EA1 and I left IGMP Snooping on (thinking this will fix it) and couldn't even get ONE machine to connect and image in the multicast session. It's settings were (by default):
  Global IGMP Snooping configuration:
  IGMP snooping : Disabled
  IGMPv3 snooping (minimal) : Enabled
  Report suppression : Enabled
  TCN solicit query : Disabled
  TCN flood query count : 2
  Vlan 1:
  IGMP snooping : Disabled
  Immediate leave : Disabled
  Multicast router learning mode : pim-dvmrp
  Source only learning age timer : 10
  I then completly disabled IGMP Snooping on the CISCO and we're able to Image 5-7 Computers without a crash (more than that and it crashes - disconnects etc)
  In the area's that I have All 450's or all CIsco's the imaging seems to go fine. (with minor errors)
  Can any one give me some advice (or hopefully ran into this mixed setup before)?
  Thank you.

  Bosalaza,
  Thank you for replying (and I read even more on the ip multicast routing). However I've not ran into the same issue at any school that has 100% cisco switches or 100% Nortels (that are setup correctly and not older than dirt). I think we've not needed the multicast routing setup as we only have one router on the network (and it's flat at the moment anyway). As long as IGMP Snooping is enabled correctly (on the switches) it seems to serve us well.
  Although from what I've read (where you pointed me too) it seems even in our setup we would benifeit from taking time to setup "ip pim ....." etc.
  I was able to scrounge from another network and change out a few very old Nortels (that didn't support IGMP Snoop) and all seems well now.
  So long story short (and incase anyone else needs this info. The Nortel 350T and F - HD's were the main issue. It seems (for now) that a mixture of Nortel 350/450-24T's (any model that at least has IGMP Snooping) and Cisco's mixed (also Snoop on) works pretty well.
  I'm going to consider this solved as I was able to fix it with changing out some old product. However I really appreciate your efforts and pointing my towards some good info. (Which I'm going to read up on more, as I'm sure we'll need to get it setup in the near future.)
  Thanks again.

• VPN between IOS and ASA

  Hello my friends,
  I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
  Here are my configuration commands:
  Router:
  crypto isakmp policy 20
  encryption 3des
  auth pre-share
  hash md5
  group 2
  crypto isakmp key XXX address 103.252.AAA.AAA
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map MAP 5 ipsec-isakmp
  set transform 3DES-MD5
  match address VPN
  set peer 103.252.AAA.AAA
  ip access-list extended VPN
   permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
   permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
  ASA commands:
  sysopt connection permit-vpn
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  tunnel-group 203.167.BBB.BBB type ipsec-l2l
  tunnel-group 203.167.BBB.BBB ipsec-attributes
  pre-shared-key XXX
  access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
  access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map VPN 10 set transform-set 3DES-MD5
  crypto map VPN 10 match address LIST
  crypto map VPN 10 set peer 203.167.BBB.BBB
  crypto map VPN interface outside
  Do you have any idea what is wrong? Thank you a lot in advance.

  I managed to get this from the show crypto ipsec sa
       local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
       local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
  And  details from show crypto session detail
  Interface: GigabitEthernet0/1
  Session status: DOWN
  Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0