VPN Gateway with traffic filtering
I am working in the lab on a small-scale setup in which a client PC establishes an IPsec VPN with a Cisco 1921 router; I have two questions in this regard.
(1) For wireless client PCs, is using an IPsec VPN client the best possible option, or should I prefer other options? The wireless clients also use a RADIUS server for authentication.
(2) I want to ensure that no other traffic can access or pass the LAN interface other than the client VPN traffic. What do I need to configure on the router to ensure that no traffic other than the VPN traffic can pass?
First: The actual IPsec VPN client is AnyConnect. The VPN gateway config for AnyConnect (especially for IPsec) on the IOS router is much harder than it is on the ASA. If you still have the possibility to change the gateways, then go for an ASA. It's also much cheaper from a license perspective, as there is no AnyConnect Essentials license for the router. The traditional Cisco VPN Client is EOL and you shouldn't start a new deployment based on that.
Your questions:
(1) All VPN users have to be authenticated somehow. Sending the authentication request to a central directory is a best practice and usually done with RADIUS. In addition to the authentication you can also perform an authorization to control which rights a VPN user gets.
(2) If you only want to allow IPsec traffic, you need to configure an access-list with permits for UDP/500, UDP/4500 and IP/50 to your router IP. With that config, all other traffic will be dropped.
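The access-list from the answer written out as IOS configuration; this is an added example, not configuration from the original thread. The interface name GigabitEthernet0/0, the address 203.0.113.1 (the router's public IP) and the client pool 10.10.10.0/24 are placeholders.

```cisco
! Added example, not from the original thread. Inbound ACL on the router's
! Internet-facing interface: only the IPsec control and data channels may
! reach the router itself; everything else is dropped and logged.
! Placeholders: GigabitEthernet0/0, 203.0.113.1 (router public address),
! 10.10.10.0/24 (VPN client address pool).
ip access-list extended OUTSIDE-IN
 remark IKE negotiation (ISAKMP, UDP/500)
 permit udp any host 203.0.113.1 eq isakmp
 remark IKE and ESP encapsulated in UDP/4500 when the client sits behind NAT (NAT-T)
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark ESP data channel, IP protocol 50
 permit esp any host 203.0.113.1
 remark Only if your IOS image re-checks decrypted packets against this
 remark inbound ACL: also permit the client pool, otherwise leave this out.
 permit ip 10.10.10.0 0.0.0.255 any
 remark Explicit deny with logging so unexpected traffic shows up in syslog
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! After a client connects, confirm that only the three IPsec lines are
! accumulating hits and that the deny line is catching everything else:
!   show ip access-lists OUTSIDE-IN
```

The ACL protects the router's outside interface; the LAN interface only ever sees traffic that has already been decrypted from an established tunnel, which is what question (2) asks for.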
Similar Messages
-
Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices
Hello
I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISRs. However, three of our key sites use Cisco ASA devices, which are listed as 'Not Compatible' with dynamic routing.
So I am stuck...
What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
I was hoping Azure's VPN solution would be very flexible.
Thanks
Hello RTF_Admin,
1. Which series of Cisco ASA device are you using?
Thank you for your interest in Windows Azure. Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to set up a site-to-site VPN with a Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device, as Multi-Site VPN requires dynamic routing and unfortunately there is no tweak or workaround due to a hardware compatibility issue.
I hope that this information is helpful
Thanks,
Syed Irfan Hussain -
Cisco 827 with Intel VPN Gateway
Have a simple question, but I can't get to the solution, so I'm posting it here.
I have one Cisco 827 router and an old Intel 3110 VPN Gateway (and firewall) behind the cisco router. The scenario is this:
internet <--> Cisco 827 <--> Intel 3310 <--> LAN
Cisco 827 ethernet ip: 10.0.0.1
Intel 3110 ethernet 1 (insecure network): 10.0.0.2
Intel 3110 ethernet 0 (secure network): 192.168.0.250
lan: 192.168.0.250
Hi jacampanini,
Maybe u try and post your question too... ;-)
Regards,
Sebastian -
802.1x deployment with MAC filtering
Hi All
I read "Enhance your 802.1x deployment security with MAC filtering" on NAP blogs with link as below.
http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
I am wondering whether this tip might not be correct somehow and would like to know how to implement it correctly.
First of all, there is only a "Verify Caller ID" field in the "Dial-in" tab of user properties, not "Calling Station ID". I tried to add a MAC address in this field and the authentication works.
According to the description of the tip, we can add multiple MAC addresses in that field, but it doesn't work. I tried to use the
"AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format for multiple MAC addresses and IAS always responds with a wrong calling station ID error. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
Thanks
Hi Sam
Thank you for your reply.
I would like to explain why I want to use multiple MAC address authentication for an account in a single AD.
Generally, 802.1X can be implemented for wired and wireless authentication on many network devices in a company or enterprise. An employee in a company or enterprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of the authentication implementation, I think I should only create one account for that person and apply MAC filtering for any devices he is authorized to use.
I had tried the first example you mentioned but it didn't work. The switch and wireless gateway I used for the test only sent one MAC address (calling station ID) to AD, and AD only recognized the first MAC address of all the MAC addresses I keyed in. Of course, your example can be successful if the device sends multiple MAC addresses simultaneously, because AD thinks those "MAC addresses" are just one string or one calling station ID. But that's not what I want.
Anyway, I will try the second way you suggest.
Thanks a lot. -
Botnet Traffic Filtering option in CSM 4.0 evaluation
I have CSM evaluation 4.0. (about 50 days left) and deployed Botnet Traffic Filtering rules with traffic classification rule according to http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/configuration/example/sm400bot.html#wp51455.
I don't see any botnet activity logs neither via ASDM nor via CSM.
Does this logs include all activities according to access rules for Botnet Traffic Filtering or only detected botnet traffic?
How can I be sure that Botnet Filtering checks all the packets to my test zone?
Does this evaluation version support monitoring activities logs and access to blacklist server?
Thanks in advance.
Hi,
mm, I could not find the proper documentation (I see it for LMS...); anyway, you can try the following:
1- stop the server
net stop crmdmgtd
2- Erase the DBs
set NMSROOT=c:\progra~2\cscopx
%NMSROOT%\bin\perl %NMSROOT%\bin\dbRestoreOrig.pl dsn=cmf dmprefix=Cmf npwd=admin
%NMSROOT%\bin\perl %NMSROOT%\bin\dbRestoreOrig.pl dsn=vms dmprefix=vms npwd=admin
If using Performance Monitoring (MCP):
%NMSROOT%\bin\perl %NMSROOT%\bin\dbRestoreOrig.pl dsn=mcp dmprefix=mcp npwd=admin
NOTE:
NMSROOT is the root where CSM is installed. I am assuming you are using default settings for Win2008, but you need to change it if you installed somewhere else.
3- restart the server.
net start crmdmgtd
Please note that all your data will be lost. Also, make sure to have the license handy as it might be required to install the license again.
Also, I would suggest you do a backup of your DB before you perform these steps.
Stefano -
How can I enable VPN passthrough with an 881-K9 Security Router?
Hi Space!
I need help, because I really cannot find the error in my configuration.
What I want to do is to enable simple VPN passthrough with an 881-K9 Security Router.
So all VPN traffic travels directly from the internet through the router (I don't need any inspection or anything else for this traffic) to a Windows Server behind it (and back to the client, of course).
[ Internet -> Cisco 889 router -> Windows Server ]
Enclosed you will find my configuration.
The VPN connection cannot be established and the clients are getting connection error 800 most of the time.
Thanks for any hint!
Kind regards,
Chris
ActiveX is proprietary to IE and Firefox has never supported ActiveX.
-
MGCP Gateway With ISDN BRI interface
Hi Guys,
I have a voice gateway with a BRI card in slot 0/3/0 (port 0/1) and I want to terminate both the WAN and PSTN connections on the same gateway with the MGCP protocol. As I'm new to the voice over IP world, can anyone suggest/recommend a proper guide which includes the steps and proper explanations to achieve this task?
Thank you
Regards,
Suthakar
Hi Aman,
As discussed please find the attached output as follows,
#sh isdn status
Global ISDN Switchtype = basic-net3
%Q.931 is backhauled to CCM MANAGER 0x0003 on DSL 0. Layer 3 output may not apply
ISDN BRI0/0/0 interface
dsl 0, interface ISDN Switchtype = basic-net3
L2 Protocol = Q.921 0x0000 L3 Protocol(s) = CCM MANAGER 0x0003
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x80000003
%Q.931 is backhauled to CCM MANAGER 0x0003 on DSL 1. Layer 3 output may not apply
ISDN BRI0/0/1 interface
dsl 1, interface ISDN Switchtype = basic-net3
L2 Protocol = Q.921 0x0000 L3 Protocol(s) = CCM MANAGER 0x0003
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 1 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI0/3/0 interface
dsl 12, interface ISDN Switchtype = basic-net3
Layer 1 Status:
ACTIVE
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 12 CCBs = 0
The Free Channel Mask: 0x80000003
%Q.931 is backhauled to CCM MANAGER 0x0003 on DSL 13. Layer 3 output may not apply
ISDN BRI0/3/1 interface
dsl 13, interface ISDN Switchtype = basic-net3
L2 Protocol = Q.921 0x0000 L3 Protocol(s) = CCM MANAGER 0x0003
Layer 1 Status:
ACTIVE
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
--More-- Active dsl 13 CCBs = 0
The Free Channel Mask: 0x80000003
Total Allocated ISDN CCBs = 0
#sh ccm-manager
MGCP Domain Name: xxxxx.com
Priority Status Host
============================================================
Primary Registered x.x.x.x
First Backup None
Second Backup None
Current active Call Manager: x.x.x.x
Backhaul/Redundant link port: 2428
Failover Interval: 30 seconds
Keepalive Interval: 15 seconds
Last keepalive sent: 11:10:43 AEDST Nov 21 2013 (elapsed time: 00:00:11)
Last MGCP traffic time: 11:10:43 AEDST Nov 21 2013 (elapsed time: 00:00:11)
Last failover time: None
Last switchback time: None
Switchback mode: Graceful
MGCP Fallback mode: Enabled/OFF
Last MGCP Fallback start time: 05:28:32 AEDST Nov 18 2013
Last MGCP Fallback end time: 11:57:01 AEDST Nov 20 2013
MGCP Download Tones: Disabled
TFTP retry count to shut Ports: 2
Backhaul Link info:
Link Protocol: TCP
Remote Port Number: 2428
Remote IP Address: x.x.x.x
Current Link State: OPEN
Statistics:
Packets recvd: 3
Recv failures: 0
Packets xmitted: 5
Xmit failures: 0
BRI Ports being backhauled:
Slot 0, VIC 0, port 1
Slot 0, VIC 0, port 0
Slot 0, VIC 3, port 1
Configuration Auto-Download Information
=======================================
Current version-id: 1384908973-2cefe363-d1ae-423b-a6ef-a85a0d4216af
Last config-downloaded:00:00:00
Current state: Waiting for commands
Configuration Download statistics:
Download Attempted : 6
Download Successful : 3
Download Failed : 1
TFTP Download Failed : 8428
Configuration Attempted : 3
Configuration Successful : 3
Configuration Failed(Parsing): 0
Configuration Failed(config) : 0
Last config download command: New Registration
FAX mode: disable
Configuration Error History:
Regards,
Suthakar -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working: I get connected and authenticated. However, even though I use a user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the VPN client to start the VPN before logon. That way you log in to the VPN and then log on to the domain. However, you are still entering credentials twice (VPN and domain), but you have access to domain resources and profiles.
thanks
John -
Mavericks VPN dropouts with native VPN client and Cisco IPSec
Since the update to Mavericks I am experiencing VPN dropouts with the native VPN client and Cisco IPSec.
I am connecting via a WIFI router to a remote VPN server.
The connection is good for a while but eventually it drops out.
I had zero issues in Mountain Lion and only have issues since the update to 10.9.
I had similar issues in the past with an unreliable wifi router, but I am using a Verizon Fios router and it has worked impeccably until Mavericks.
My thoughts are:
1 - issue with Mavericks (maybe the app sleep function affecting either the VPN or WIFI daemons)
2 - issue with Cisco router compatibility or timing with Cisco IPSEC
3 - issue with WIFI itself on Mavericks - some sort of WIFI software bug
Any thoughts/suggestions? -
Creating Report using EPM Functions with Dynamic Filters
Hi All,
I am new to BPC. In BPC 7.5 I have seen that we can generate an EPM report using the EVDRE function very quickly and easily. Does the same feature exist in BPC 10.0? If not, how can we create EPM reports using EPM functions with dynamic filters on the members of the dimension, like in BPC 7.5?
And I searched SDN; there are no suitable blogs or documents related to generating reports using EPM functions. All of them are described just in a simple syntax way. It is not going to be understood by beginners.
Would you please specify in detail step by step.
Thanks in Advance.
Siva Nagaraju
Siva,
These functions are not used to create reports per se but rather assist in building reports. For example, if you want to make use of a certain property to derive any of the dimension members in one of your axes, you will use EPMMemberProperty. Similarly, if you want to override members in any axis, you will make use of EPMDimensionOverride.
Also, EvDRE is not replacement of EPM functions. Rather, you simply create reports using report editor (drag and drop) and then make use of EPM functions to build your report. Forget EvDRE for now.
You can protect your report to not allow users to have that Edit Report enabled for them.
As Vadim rightly pointed out, start building some reports and then ask specific questions.
Hope it clears your doubts. -
How to configure AMconfig.properties on gateway with 2 portal servers
Hello,
I ran into an issue where I want to set up 1 portal gateway with 2 portal servers (+ access manager), all on separate machines. How can I define in AMconfig.properties that there are two possible portal servers?
All is version 2005Q1
Please see part of my actual AMconfig.properties :
# grep portal AMConfig.properties
com.iplanet.am.directory.host=portal1.domain.int
com.iplanet.am.server.host=portal1.domainl.int
com.iplanet.am.console.host=portal1.domain.int
com.iplanet.am.profile.host=portal1.domain.int
com.iplanet.am.naming.url=http://portal1.domain.int:80/amserver/namingservice
com.iplanet.am.notification.url=http://portal1.domain.int:80/amserver/notificationservice
com.iplanet.am.localserver.host=portal1.domain.int
com.sun.identity.liberty.interaction.wspRedirectHandler=http://portal1.domain.int:80/amserver/WSPRedirectHandler
Kind Regards
Roland Vlerick
See this thread.
Error Installing Groupware Portlets for WLP 10.3.2
Brad -
Thoth Gateway with APEX 4.2.2
Hello,
We have been using the Thoth Gateway with APEX for years and are very satisfied with it, since it allows us to benefit from our IIS servers infrastructure and their native Kerberos integration.
Recently, we have encountered an issue specific to the 4.2.2 version of APEX: a PL/SQL exception, such as invalid number in a "on load - after footer" page process, does not get notified and the screen rendering seems normal (though there are missing closing tags in the HTML).
Replacing the Thoth gateway with Oracle Fusion Middleware web tier (going to the same database) delivers a normal behaviour, with the regular PL/SQL error showing on screen (and no missing HTML closing tags).
Same thing when exporting the application and importing it on apex.oracle.com.
We reduced the application to a single page and a single page process generating the exception, same thing.
Has anybody had the same experience ?
Alain
Hi Alain,
this is Morten, developer of the Thoth Gateway. I have not yet tried the gateway with Apex 4.2.2 myself, but I'd like to investigate this issue.
First, I suggest you turn on DEBUG-level logging in the gateway, and see if there is anything interesting to be found in the logs.
Second, sounds like you have been able to reproduce the problem with a simple application. If you upload the application to the project site, here:
https://code.google.com/p/thoth-gateway/issues/list
Then I will take a look.
- Morten
http://ora-00001.blogspot.com -
XML gateway with multiple XML structures??
Hi,
I have a requirement to import data using XML gateway with different XML structures. Third party system sometimes will not provide certain tags itself if there is no data for the tag like contacts in below sample xmls. In that case we need to ignore those tags (CONTACTS in below sample). As per my understanding, we must have tag in XML though it may not have any value.
We have 2 XMLs
XML1 for supplier with contacts
<SUPPLIER>
<NAMES>
<NAME1>XYZ </NAME1>
<NAME2>ABC</NAME2>
</NAMES>
<SITE>
<SITE1>XYZ </SITE1>
<SITE2>ABC</SITE2>
</SITE>
<CONTACT>
<CONTACT1>XYZ </CONTACT1>
<CONTACT2>ABC</CONTACT2>
</CONTACT>
</SUPPLIER>
XML2 for supplier without contacts
XML1
<SUPPLIER>
<NAMES>
<NAME1>XYZ1 </NAME1>
<NAME2>ABC1</NAME2>
</NAMES>
<SITE>
<SITE1>XYZ1 </SITE1>
<SITE2>ABC1</SITE2>
</SITE>
</SUPPLIER>
Can we upload data in both these xmls using only one generic dtd and xgm using XML gateway which will skip any missing tag.
Thanks
Rishi
Hi, you can use FOR XML PATH for a finer degree of control over your XML. Use the @ symbol to create attributes. Here's a simple example:
DECLARE @t TABLE ( rowId INT IDENTITY PRIMARY KEY, [address] VARCHAR(50), city VARCHAR(30), floor INT, suite INT, doorType VARCHAR(20) )
INSERT INTO @t VALUES
( '123 Fake St', 'Springfield', 10, 512, 'Metal' )
SELECT
[address] AS "Address",
city AS City,
[floor] AS "Location/@Floor",
suite AS "Location/@Suite",
doorType AS "Location/@DoorType"
FROM @t
FOR XML PATH ('Company'), ROOT ('Companies'), ELEMENTS; -
Post Author: srinath
CA Forum: Publishing
In BO XI, I am facing problems with drill filters. I have a report with eight tabs and each tab has data corresponding to a particular value in the drill filter. A particular value is selected from the drill filter and the corresponding data is displayed in each tab. I need to select a value from the drill filter and display the corresponding data in the tab; while doing so, when I save the report and open it again, the data corresponding to the particular filter value is not present; instead it displays all the data. The only other way I could solve this problem was by creating a report-level filter in each tab, but this doesn't seem to work in other reports. What is the proper way of using the drill filter in this case?
How did you configure the filter?
-
Filter Lens Correction is missing from the menu, along with adjacent filters.
Filter > Lens Correction is missing from the menu, along with adjacent filters.
I updated 1 day ago via Adobe Connect and it is now missing from the menu drop-down, as well as the other filters in that general area.
hi ffadler
i experience the same on my laptop,
do you have a solution already?
regards
piet