VPN CON 3005
I would like to confirm that if my office only requires VPN access, with NO internet browsing, then a VPN concentrator would be secure enough and I would not need any firewall.
Please let me know if my understanding is correct.
Thanks
Hi,
Most of the time a concentrator and a PIX are used in series:
the concentrator sits on a separate segment (a DMZ) of the PIX firewall.
So the concentrator's real IP will be an RFC 1918 address, and it will be NATted via the PIX firewall with a one-to-one NAT.
Once you have the one-to-one NAT configured, you would then need to allow the protocols UDP 500, ESP and NAT-T through the firewall so that clients or remote devices can build IPsec sessions.
Or you can just use the PIX firewall to terminate the VPN connections instead of the concentrator.
All decisions depend on cost, security, reliability, backup scenarios, network architecture, etc.
Cheers
Gilbert
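The series arrangement Gilbert describes, written out as a PIX 6.x configuration fragment. This is an added example, not from the thread and not Cisco's documentation; the interface names, the public address 203.0.113.10, the DMZ addressing, the concentrator's public-interface address 10.10.10.10 and the ACL name are all assumptions. On PIX 6.x/7.x an inbound ACL matches the translated (global) address, so the rules reference 203.0.113.10; the "!" lines are comments for the reader.

```cisco
! Added example (not from the thread). Addresses, interface names and the
! ACL name are assumed; PIX 6.x syntax, ACL matches the global (translated) address.
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0

! One-to-one static NAT: the Internet sees 203.0.113.10, the concentrator's
! public interface sits at 10.10.10.10 on the DMZ segment.
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255 0 0

! Permit only what IPsec needs from the Internet to the concentrator:
! IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50). Everything else
! to that address, including management (HTTP/HTTPS/SSH), stays blocked.
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN permit esp any host 203.0.113.10
access-group OUTSIDE_IN in interface outside
```

Two checks after applying this: "show xlate" should list the static translation, and "show access-list OUTSIDE_IN" should show hit counts climbing on the UDP 500 line when a client starts IKE. Two caveats: because the static NAT is one-to-one, ESP passes intact, so the UDP 4500 rule only matters for clients that are themselves behind a NAT; and the concentrator's private interface still needs its own policy if the decrypted traffic crosses a firewall on its way to the inside network.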
Similar Messages
-
VPN CON 3005 to Watchguard X550
I am getting an error in phase 2.
2368 04/16/2008 13:29:10.020 SEV=4 IKEDBG/97 RPT=1056 141.157.24.238
Group [141.157.24.238]
QM FSM error (P2 struct &0x365dac8, mess id 0x60374f02)!
2369 04/16/2008 13:29:10.020 SEV=7 IKEDBG/65 RPT=1101 141.157.24.238
Group [141.157.24.238]
IKE QM Initiator FSM error history (struct &0x365dac8)
<state>, <event>:
QM_DONE, EV_ERROR
QM_WAIT_MSG2, EV_TIMEOUT
QM_WAIT_MSG2, NullEvent
QM_SND_MSG1, EV_SND_MSG
Does anyone know what is going on?
-Thanks
This is a general message indicating that something is wrong with quick mode. If the debug level is increased, there should be surrounding messages that will give a better indication of what's going on.
-
Requesting help to configure a VPN with an RV180W
Greetings.
I urgently need your help. I need to configure a VPN with a Cisco RV180W; I have made several attempts but so far have not been able to.
I have already created the users, configured the policies and used the factory parameters, but it has not worked. I can use the Cisco's remote administration without any problem.
Previously I had configured the VPN with the Cisco WRVS400N and WRV210.
This is the log it sends me:
2012/11/03 13:42:06 [STATUS]OS Version: Windows XP
2012/11/03 13:42:06 [STATUS]Windows Firewall is OFF
2012/11/03 13:42:07 [STATUS]One network interface detected with IP address 192.168.1.94
2012/11/03 13:42:07 [STATUS]Connecting...
2012/11/03 13:42:07 [DEBUG]Input VPN Server Address = dcpuebla.dyndns.org
2012/11/03 13:42:08 [STATUS]Connecting to remote gateway with IP address: 189.128.134.13
2012/11/03 13:42:10 [WARNING]Server's certificate doesn't exist on your local computer.
2012/11/03 13:42:13 [STATUS]Remote gateway was reached by https ...
2012/11/03 13:42:13 [WARNING]Remote gateway wasn't reached...
2012/11/03 13:42:13 [WARNING]Failed to connect.
2012/11/03 13:42:23 [WARNING]Remote gateway wasn't reached...
2012/11/03 13:42:23 [WARNING]Failed to connect.
2012/11/03 13:42:23 [WARNING]Failed to connect!
I would appreciate your comments. Thanks.
-
One of my students changed the login info on our lab VPN concentrator 3005.
How do I reset the login name and password?
The version is 4.1.7.
Thanks
Please see this document:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml
Regards -
VPN Concentrator 3005 will not allocate IP Addresses
Greetings,
I have a very strange issue. I have configured a 3005 concentrator with an address pool that is in the same subnet as the private interface. When I try to connect a client I get an error stating NO AVAIL ADDR, with a further explanation that an IP address could not be obtained for the remote peer because it exhausted all available addresses.
Further study of the log files shows that the concentrator believes there is a network conflict; however, I can assure everyone there isn't.
Can anyone tell me why the concentrator would falsely think that an IP address had already been assigned when it hasn't?
It works fine if I use a different pool; however, this is on a DMZ and we really don't want to use another subnet for a few VPN clients.
The exact error it gives is:
IP Address Conflict on the network: 192.168.123.101
Marking address as unusable
There is no 123.101 anywhere on the subnet.
The worst part is...I have another concentrator setup the exact same way at a different location and this config works just fine.
Any ideas?
Thank you very much!
Thank you for your reply... but we are running 4.7.2.O
any other ideas why this would happen? -
VPN CONCENTRATOR 3005 running at 100% CPU!!
Hi all
We have a customer who has a VPN concentrator model 3005. They have been complaining that over the last 6-7 months connections from about 20 remote sites (L2L) have been running very slowly. This occurs especially when the VPNC CPU shows that it is running at 100%. As soon as this drops, everything returns to normal. However, it is intermittent, and even when there are minimal active sessions the CPU goes to 100%. The VPNC has 64 MB of RAM and the usage is a mere 30%... Can anyone explain what is going on? The remote sites are running Cisco routers over broadband, which pass through a PIX 515E (via ACL) to be authenticated on this VPNC.
Someone help?
Regards
Randeep CCSP
High CPU utilization may depend on a number of factors; please let me know the following:
1 - Do you have compression turned on for any of the groups, and how many of those users are connected at the same time? Compression is extremely CPU intensive.
2 - Are your SEP card(s) taking the load? What does "Monitoring | Sessions | SEPs" show?
3 - What other features do you have configured on the box, QoS/routing protocols?
4 - Do you have logging turned on on the box? If yes, what severity levels are configured? A high severity level will result in high CPU utilization. -
Unable to access Internal HTTPS through VPN conn
Any time I have internal websites with HTTPS connections that do not have valid certificates, our VPN users are unable to make a connection. The Wireshark trace shows acknowledgement number = broken TCP. I have run Packet Tracer and it shows a problem on my DMZ???? Not sure why, as the traffic flow is inside to inside interface. I am at a total loss as to why...
+++++++++++++++++++++++++++++++
ASA 5520 with 8.4(1) code
VPN Addressing = 172.25.17.0/24
HTTP Server = 172.18.2.13 (port 8443)
Can ping by IP Address or by server name
Can access site internally after responding to the Certificate Warning
++++++++++++++++++++++++++++
Any help is greatly appreciated!
Dave
Hi,
The NAT configuration shown in your screen capture is what causes all traffic from the VPN users to be diverted to the "HomeOffice" interface, because "any any" is configured.
You would either have to make the above rule more specific by removing the "any any" and adding the actual networks
OR
You could add a new rule BEFORE the above-mentioned NAT configuration.
I am not sure what the real local interface "nameif" is (the one where the server IP is actually located), but you would need this kind of configuration:
object network SERVER
host 172.18.2.13
object network VPN-POOL
subnet 172.25.17.0 255.255.255.0
nat (serverint,outside2) 1 source static SERVER SERVER destination static VPN-POOL VPN-POOL
The above rule should match the traffic from the VPN-POOL to the SERVER. The number "1" in the CLI-format configuration means that it is added to the top of the rules. "serverint" stands for the actual name of the interface where the server is located, as I presume it is not located behind "HomeOffice".
- Jouni -
Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning, and after configuring it I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working in the ACS logs, but I am getting an invalid login on the VPN concentrator. Is there anything I can do at this point?
I was using the wrong type of cable to console into the concentrator. I did a password reset from the console and that allowed me back in.
Cheers
Brian -
VPN conn. to Oracle Db: ping timeout!
1. I have a VPN connection to a customer in the US.
2. I am using a remote desktop to work on a first server.
3. Now I am connecting to a second database server with Toad.
But I always get a timeout error.
Even a ping <ip-address> in a DOS window returns timeouts.
This worked from the US office, but it doesn't work from Germany.
Is it a DB connection or a network problem?
Who can help me?
And what has this to do with Oracle?
-
RDP conn fails thru AnyConnect
I have an issue that I believe IS NOT ASA or AnyConnect related, but I need to ask the support community just the same.
ASA5510 8.2(5) OS; AnyConnect Windows 2.5.2017
RDP PC client - Win7 Pro 64-bit
I can make the VPN conn to the ASA
I can ping any pingable IP on the protected net
I can RDP to a W2k8 64-bit server (domain-controller)
I cannot RDP to a W2k3 server (WTS) - I don't even get the Microsoft domain login screen - just times out.
I am connecting to both by IP address to preclude DNS issues.
From a 32-bit OS PC I can RDP to either.
Suggestions?
Thx,
Phil
Phil,
Thanks for posting back to the forum that the problem turned out to be the MTU. I read your description of the problem and it certainly did not look to me like an MTU problem. But one of the nice things about the forum is being reminded of the variety of things that can cause problems.
HTH
Rick -
Can anyone recommend a replacement for a VPN Cisco 3005 that will also tie into Active Directory so that users of the VPN can change their AD accounts while using the VPN. Total of <100 users.
Thanks
Ray,
The Cisco ASA 5510 should suit your needs. The ASA is the replacement for the 3000 series concentrators. You should be fine integrating Active Directory using an ACS server with the ASA.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Mark -
Whenever I try to connect to a VPN server using L2TP/IPsec I get the message: "The L2TP-VPN server did not respond". I could connect to that server using Snow Leopard, and I can connect to it using Windows 7 (which is also installed on my Mac).
By the way, when I force Windows 7 to use CHAP authentication instead of PAP I get a similar message. Too bad I can't force Mac OS X to use PAP.
Hello,
Don't know if you still need help with this, but here is an article on how to use PAP on Mac OS X:
http://itknowledgeexchange.techtarget.com/it-rant/using-pap-in-osx-l2tp-vpn-connections/
Now what I want is the possibility to use PAP on iPhone and iPad... :/ -
Good afternoon.
I have an RV042 on which I want to set up a VPN with the QuickVPN client. I have everything configured, and when I connect the QuickVPN client it stays at scanning the network and does not get past that.
What have I done wrong?
Regards.
Good afternoon.
I have an RV042 with the latest firmware available. I want to set up a VPN with the QuickVPN client. I have everything configured, but when I try to connect with this client the message "network scanning" appears. What is my problem? I do not know.
Thanks and best regards.
Good afternoon.
I have news. In Windows XP it is working. With Windows 7 it is not working. Can you help me?
Thanks -
I have a problem with a WRV210 and DynDNS
I have a VPN with a WRV210. The problem I have is that it does not update with DynDNS (I have a DynDNS account). I configured the WRV210 to be the one that does the update; I have it behind a 2Wire.
Good morning:
First of all, I would like to take the opportunity to mention that the USB-6008/6009 are hardware platforms with very limited resources, intended for academic purposes.
Second, since none of the hardware mentioned can measure PWM, I invite you to read the following information on alternative methods (to be clear, this only works if the signal frequency is slower than the software iterations):
1. USB-6008 and USB-6009 RPM Reading with Counter (Frequency)
2. PWM (square-wave) Frequency and Duty Cycle Detection on Non-Counter DIO
The correct way to read PWM signals is with higher-precision hardware that has better counters (more information here: Pulse Width Modulation (PWM) Using NI-DAQmx and LabVIEW); consider a possible change of equipment.
Regards,
Alejandro | Academic Program Engineer | National Instruments -
Swapping out a VPN Concentrator
Hi All,
I will be swapping out a customer's VPN concentrator 3005 with a replacement VPN concentrator 3005 with more RAM. This is the first time I am doing this, so I am wondering whether I will have to re-configure everything all over again or whether I can offload the config of the old one onto the new one. If so, how? What is the best procedure? Any links I can look at?
Hope you can help
Regards
Randeep
If it were me I would just slap it in and then, using your browser (with a direct connection to one of your switch ports), HTTP to the IP 198.168.1.1. Log in using the defaults and set it up that way. You should get a snapshot of your old Linksys settings before you pull it off. I installed my first Linksys that way, and it wasn't until version 5 that I encountered the CD. For your basic install this should be just fine. I am sure there is a lot of good stuff on the CD, but just get it up and running; that is the way I would go.
Oh, by the way... Wanna buy a used Linksys router? Lookie here in my trunk... got a couple of extra hubs and switches...
It's Labor Day... just kidding... hope you had a nice weekend.