VPN GRE QoS tunnel: how do I?

I have two sites connected by VPN; I run a GRE tunnel between both so that EIGRP works. This is fine for data, but VoIP is poor.
I would like to prioritise the VoIP traffic over the GRE tunnel but can't find any examples where this has been done.
Has anyone done this?

Mark the packets coming into the router at the LAN interface. Add the command qos pre-classify to the Tunnel interface and crypto map. At this point you can either enable fair-queueing on the WAN interface or build a service policy and add that to the WAN interface. Fair-queueing, by default, will use the precedence bits to prioritize traffic, so the packets will already be in the correct order (prioritized) by the time they enter the tunnel. You can also use a service policy and guarantee bandwidth to certain classes. The policy also uses fair-queue to prioritize the highest TOS bits first.
In the attached sample:
#Policy "LAN" would go on the LAN interface
interface FAST0/0
service-policy input LAN
#Policy "QOS-128-Port" would go on the WAN interface
interface s0/0
service-policy output QOS-128-Port
* You cannot have fair-queue enabled on an inbound service policy.
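As an added example (this is not the original poster's attachment), here is one way to build the "LAN" and "QOS-128-Port" policies the answer describes for a 128 kbps serial WAN link; the interface names, the crypto map name VPNMAP, the signalling class and the 64 kbps priority figure are assumptions to adjust to the real topology.

```cisco
! Added example, not the original poster's attachment. Interface names, the
! crypto map name VPNMAP and the 64 kbps priority figure are assumptions.
!
! 1. Classify voice at the LAN edge. RTP media is matched with NBAR, and
!    packets already marked EF by the phones are trusted. Call signalling
!    (SCCP/SIP) gets its own class so call setup is protected without
!    sharing the strict-priority queue with media.
class-map match-any VOICE-RTP
 match protocol rtp audio
 match ip dscp ef
class-map match-any VOICE-SIGNALLING
 match protocol skinny
 match protocol sip
!
! 2. Policy "LAN": mark on ingress so every later hop (tunnel, crypto, WAN
!    queue) can act on the DSCP/precedence bits instead of re-inspecting.
policy-map LAN
 class VOICE-RTP
  set ip dscp ef
 class VOICE-SIGNALLING
  set ip dscp cs3
 class class-default
  set ip dscp default
!
! 3. Policy "QOS-128-Port": strict-priority (LLQ) queue for voice, a small
!    guarantee for signalling, weighted fair queueing for everything else.
!    Size the priority figure for your codec and call count: GRE plus IPsec
!    add roughly 80 bytes to every 20 ms voice packet, which can more than
!    double the bandwidth a G.729 call needs on the WAN.
policy-map QOS-128-Port
 class VOICE-RTP
  priority 64
 class VOICE-SIGNALLING
  bandwidth 8
 class class-default
  fair-queue
!
! 4. Apply marking inbound on the LAN interface. An input policy may mark
!    and police, but (as the answer notes) it cannot fair-queue.
interface FastEthernet0/0
 service-policy input LAN
!
! 5. qos pre-classify keeps a copy of the inner IP header so the WAN policy
!    can still classify on the original packet after GRE encapsulation and
!    IPsec encryption. GRE and IPsec copy the ToS byte to the outer header
!    anyway, so DSCP-only matching would work without it; it is required
!    when the WAN policy matches on inner addresses, ports or NBAR.
!    It goes on both the tunnel interface and the crypto map.
interface Tunnel0
 qos pre-classify
crypto map VPNMAP 10 ipsec-isakmp
 qos pre-classify
!
! 6. Queue outbound on the WAN interface. "bandwidth 128" tells CBWFQ the
!    real link speed so the priority and bandwidth reservations are sized
!    against it (64 + 8 kbps stays under the default 75% reservable limit).
interface Serial0/0
 bandwidth 128
 service-policy output QOS-128-Port
```

Verify with "show policy-map interface Serial0/0": the VOICE-RTP class should show packets matched and no drops while a call is up, and the LAN policy on FastEthernet0/0 should show the same packets being marked.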

Similar Messages

  • Dynamic VPN/GRE can't ping other side of tunnel

    I am new at this VPN stuff and trying to set up a GRE Dynamic IP VPN between my office and home. Here is what I have done thus far:
    OFFICE
    interface Tunnel0
    ip address 172.30.1.1 255.255.255.252
    no ip redirects
    ip mtu 1400
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    interface FastEthernet0/0
    ip address 40.197.68.9 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    HOME
    interface Tunnel0
    ip address 172.30.1.2 255.255.255.252
    ip mtu 1400
    ip nhrp map multicast 40.197.68.9
    ip nhrp map 172.30.1.1 40.197.68.9
    ip nhrp network-id 1
    ip nhrp nhs 172.30.1.1
    ip tcp adjust-mss 1360
    tunnel source GigabitEthernet0/0
    tunnel destination 40.197.68.9
    tunnel key 1
    interface GigabitEthernet0/0
    description Router
    ip address 192.168.30.1 255.255.255.252
    duplex auto
    speed auto
    When I ping 172.30.1.1 from the HOME router, I get 0/5 success. Not good! I have not set up any IPsec yet.
    Results for HOME router
    show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel0:
    172.30.1.1   E priority = 0 cluster = 0  req-sent 53  req-failed 0  repl-recv 0
    sh int t0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.30.1.2/30
      MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 192.168.30.1 (GigabitEthernet0/0), destination 40.197.68.9
       Tunnel Subblocks:
          src-track:
             Tunnel0 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key 0x1, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1472 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:40:28, output 00:00:25, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         106 packets output, 12612 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    sh ip route
    Gateway of last resort is 192.168.30.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 192.168.30.2
          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C        10.110.0.0/24 is directly connected, GigabitEthernet0/1.110
    L        10.110.0.1/32 is directly connected, GigabitEthernet0/1.110
    C        10.115.0.0/24 is directly connected, GigabitEthernet0/1.115
    L        10.115.0.1/32 is directly connected, GigabitEthernet0/1.115
          172.16.0.0/30 is subnetted, 1 subnets
    S        172.16.2.0 [1/0] via 192.168.30.6
          172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.30.1.0/30 is directly connected, Tunnel0
    L        172.30.1.2/32 is directly connected, Tunnel0
    S     192.168.2.0/24 is directly connected, GigabitEthernet0/0
    S     192.168.10.0/24 is directly connected, GigabitEthernet0/0
          192.168.30.0/24 is variably subnetted, 4 subnets, 2 masks
    C        192.168.30.0/30 is directly connected, GigabitEthernet0/0
    L        192.168.30.1/32 is directly connected, GigabitEthernet0/0
    C        192.168.30.4/30 is directly connected, GigabitEthernet0/1.30
    L        192.168.30.5/32 is directly connected, GigabitEthernet0/1.30
    S     192.168.50.0/24 [1/0] via 192.168.30.6
          192.168.69.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.69.0/24 is directly connected, GigabitEthernet0/1.69
    L        192.168.69.3/32 is directly connected, GigabitEthernet0/1.69
    S     192.168.100.0/24 [1/0] via 192.168.30.6
    S     192.168.125.0/24 [1/0] via 192.168.30.6
    S     192.168.200.0/24 [1/0] via 192.168.30.6
    sh dmvpn
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1    50.197.68.90      172.30.1.1  NHRP 02:30:17     S
    Results for OFFICE router
    show ip nhrp nhs detail
    sh dmvpn
    sh int t0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.30.1.1/30
      MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 40.197.68.9 (FastEthernet0/0)
       Tunnel Subblocks:
          src-track:
             Tunnel0 source tracking subblock associated with FastEthernet0/0
              Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport multi-GRE/IP
        Key 0x1, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1472 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:43:56, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    show ip route
    S*    0.0.0.0/0 [1/0] via 40.197.68.94
          40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        40.197.68.8/29 is directly connected, FastEthernet0/0
    L        40.197.68.9/32 is directly connected, FastEthernet0/0
          172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.30.1.0/30 is directly connected, Tunnel0
    L        172.30.1.1/32 is directly connected, Tunnel0
    S     192.168.2.0/24 [1/0] via 192.168.10.5
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.1/32 is directly connected, FastEthernet0/1
    S     192.168.69.0/24 is directly connected, FastEthernet0/0
    Why can't I ping from the HOME router to the OFFICE router?

    I figured this problem out. I needed to set up PKI/IKE and once that was done on both routers, my tunnel now passes some data.

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try changing the NAT rule to: nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However, users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection, which then egresses out to the internet from there. Typically this could be done using a route-map (which ASAs do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • Help with Easy VPN client split tunneling.

    Can someone please help me with my config for Easy VPN Client split tunneling. At the moment, when the VPN is up, I have NO access to the Internet from any host.
    Here's what I am attempting to do. I want only certain hosts to route all their traffic through the tunnel and the remaining hosts to use the default route.
    I created an object-group and access list with the hosts I want to route through the VPN:
    object-group network VNPCLIENTS
    description HOSTS ALLOWED ACCESS TO THE VPN
    host 192.168.3.204
    host 192.168.3.42
    host 192.168.3.44
    host 192.168.3.202
    host 192.168.3.43
    access-list 1 remark Internet access list
    access-list 1 permit 192.168.3.0 0.0.0.255
    access-list 101 remark Hosts allowed access to VPN
    access-list 101 permit ip object-group VNPCLIENTS any
    access-list 111 permit udp any any eq 3074
    access-list 111 permit tcp any any eq 3074
    access-list 111 permit udp any any eq 88
    I then applied the access list to the virtual interface of the VPN in both directions:
    interface Virtual-Template1 type tunnel
    no ip address
    ip access-group 101 in
    ip access-group 101 out
    tunnel mode ipsec ipv4
    Now when I connect to the VPN I have no access from any host to the Internet, either through the tunnel or not.
    I must be doing something very wrong. Much appreciate any help.
    Thanks
    Gordon

  • I do not see where to enter IP addresses in the Open VPN setup. Also, how can I set it up so that I can choose different servers in the same way as I can currently choose them with my VPN app but for PPTP?

    I think I have it working on my iPhone 5. But, I do not see how I can control the exit point that I would like for the VPN. Are all the exit points shown in the VPN setting now going to work with Open VPN, or do they remain PPTP? If I am reading correctly, they look like they remain PPTP. If I cannot control the exit point for Open VPN, which exit point is the default in the profile you provided me? I note that Open VPN Connect does not work with any of the new 64 bit devices like the iPhone 5S, the iPad Air, and the new iPad Mini. Is there any chance that you guys will come up with an update for your app so that Open VPN can be made to work on all iOS devices? That would be nice, particularly if the Open VPN Connect app does not give me a choice of exit points. Thanks,
    Just a quick note to tell you that Open VPN has updated their app so that it is compatible with 64 bit ARM devices like the iPhone 5S, the iPad Air, and the iPad Mini Retina. That does not resolve the problem of how to easily choose among the various possibilities for the exit server. We need to find an easy way to choose.

    Thank you for trying the new Firefox. I'm sorry that you’re unhappy with the new design.
    I understand your frustration and surprise at the removal of these features but I can't undo these changes. I'm just a support volunteer and I do not work for Mozilla. But you can send any feedback about these changes to http://input.mozilla.org/feedback. Firefox developers collect data submitted through there then present it at the weekly Firefox meeting
    I recommend you try to adjust to 29 and see if you can't make it work for you before you downgrade to a less secure and soon outdated version of Firefox.
    Here are a few suggestions for restoring the old design. I hope you’ll find one that works for you:
    *Use the [https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ Classic Theme Restorer] to bring back the old design. Learn more here: [[How to make the new Firefox look like the old Firefox]]
    *Use the [https://addons.mozilla.org/en-US/firefox/addon/the-addon-bar/ Add-on Bar Restored] to bring back the add-on bar. Learn more here: [[What happened to the Add-on Bar?]]

  • What does VPN DO? And how to use it ?

    What does VPN DO? And how to use it?

    http://en.wikipedia.org/wiki/Vpn
    Or Google 'what is a vpn' or 'how to use a vpn' many people have explained this better than me.
    In short, it wraps your traffic into an encrypted link to a server (normally on the internet). Then the traffic leaves that server and goes onto the public internet. It is possible for the link to reveal information about you, but a VPN can protect you on open wifi or on bad networks etc.
    Sometimes the VPN terminates inside a corporate network, so users can do work at home securely.
    It is similar to using https for web browsing (secure http makes traffic difficult to intercept & read).

  • HT4623 Hello, I got some icon on my iPhone screen, it says VPN. What's that? How do I remove it?

    Hello, I got some icon on my iPhone screen, it says VPN. What's that? How do I remove it?
    Thank you

    Secure connections.  VPN... http://en.wikipedia.org/wiki/Virtual_private_network
    Some apps use VPN, i.e. Onavo.

  • URGENT - tag-switching over gre-tunnel - how ??

    Hi,
    My problem is that I want to connect two PE routers
    over a GRE tunnel.
    This is because between the two PEs I unfortunately have two Cisco 828 routers as modem routers in between, which do not do tag-switching.
    So I decided to use a GRE tunnel between the two PEs to do tag-switching.
    But if I want to forward packets greater than 1492 bytes and the DF bit is set - no chance.
    Here is the figure and config of the two tunnels:
    c3640 - c828 -LINE- c828 - c3640
    <==========TUNNEL===============>
    first c3640:
    interface Tunnel65052
    description PE-PE Verbdg. Hoersching-Pasching
    ip unnumbered Loopback0
    ip mtu 1512
    load-interval 30
    tag-switching mtu 1512
    tag-switching ip
    keepalive 10 3
    tunnel source 10.20.192.3
    tunnel destination 10.20.192.6
    second c3640:
    interface Tunnel65052
    description PE-PE Verbdg. Hoersching-Pasching
    ip unnumbered Loopback0
    ip mtu 1512
    load-interval 30
    tag-switching mtu 1512
    tag-switching ip
    keepalive 10 3
    tunnel source 10.20.192.6
    tunnel destination 10.20.192.3
    On the 828 routers I did no adjustment of MTU!
    If I do a ping:
    r-enns1#pi vrf lkg 172.16.169.121 size 1492 df
    Type escape sequence to abort.
    Sending 5, 1492-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
    Packet sent with the DF bit set
    Success rate is 100 percent (5/5), round-trip min/avg/max = 208/211/212 ms
    r-enns1#
    r-enns1#
    r-enns1#
    r-enns1#
    r-enns1#pi vrf lkg 172.16.169.121 size 1493 df
    Type escape sequence to abort.
    Sending 5, 1493-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
    Packet sent with the DF bit set
    M.M.M
    Success rate is 0 percent (0/5)
    r-enns1#
    please help - thanks

    Here are at least two options you could try:
    1) Lower the MTU on the tunnel interface and let PMTU on the endpoints take care of the fragmentation. This could have some serious implications depending on the systems and applications/protocols used on the network, but in most cases it'll work just fine.
    2) Simply remove the DF bit on incoming packets to the router, lower the MTU on the tunnel interface and let the router do fragmentation regardless of what the endpoints say. Since you have a 3640 on each end and 828s in the middle, I think it should be capable of this.
    You should do an MSS modification as well in both cases.
    Change the MTU like this:
    interface Tunnel65052
    ip mtu 1488
    tag-switching mtu 1500
    Then you have set all IP-packets to maximum 1488 bytes (including headers) and let there be room for 3 MPLS labels...
    At least I think it should behave like this... please don't kill me if i'm wrong.. :)
    Remove the DF bit with route-maps on the inside interfaces:
    interface FastEthernet1/0.100
    description inside interface
    ip policy route-map clear-df
    ip tcp adjust-mss 1424
    route-map clear-df permit 10
    set ip df 0

  • AnyConnect VPN and Split-tunnel ACL - Strange...

    Hi,
    I have an ACL as follows, applied on the AnyConnect VPN group as the split-tunnel value ACL.
    access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
    access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
    When I connect with the AnyConnect client, I can ping 192.168.200.63 and also telnet to port 80. However, I cannot telnet to port 443. The strange thing is I do not see any hits on the above ACL; moreover, I'm wondering how the ICMP is working and why it does not stop on this ACL..?
    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x78e03140, priority=11, domain=permit, deny=true
            hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=any
    When I did the packet-tracer for both ICMP and HTTP it just drops on Phase 4, as above. I just want to know what this ACL is and where it has been applied..?
    What is the correct syntax for the packet-tracer command when troubleshooting AnyConnect VPN to check access to an inside/dmz server..?
    I have used as follows:
    packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
    Appreciate if someone can help me out on this..
    thanks

    To start with, it is not ideal to configure a port-based split tunnel. It is not supported and will give you weird results like the one you are experiencing. You should use a standard access-list for the split tunnel and, to restrict the users to the given ports, use a VPN filter.
    As far as packet tracer is concerned, for the VPN client it will never work if you use the outside interface as source. The reason is that the connection between the ASA and the client is on the real (public) IP address, and the traffic that you are testing with is VPN-encrypted traffic; your ASA's outside interface doesn't know what 172.16.1.1 is, it will check it against the outside access-list and will drop it.
    So in your case I would strongly recommend that you use a standard access-list for the split tunnel and, to restrict the user to specific ports, use a VPN filter. Following are the links to configure the same:
    Allow Split Tunnel for Anyconnect:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
    Configure VPN filter (It's for site-to-site and remote access, but it works the same for AnyConnect):
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Jeet Kumar

  • Help getting GRE IPsec tunnel setup

    We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
    There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.   
    I have attached a PDF that shows a general overview. 
    Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
    Main Office
    The external address     198.40.227.50.
    The loopback address   10.254.10.6
    The tunnel address        10.2.60.1
    Offsite Datacenter
    The external address     198.40.254.178
    The loopback address   10.254.60.6
    The tunnel address        10.2.60.2
    The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
    PIX Version 7.2(2)
    interface Ethernet0
    mac-address 5475.d0ba.5012
    nameif outside
    security-level 0
    ip address 198.40.227.50 255.255.255.240
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.10.10.3 255.255.0.0
    access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
    access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
    global (outside) 1 interface
    nat (outside) 1 10.60.0.0 255.255.0.0
    nat (inside) 0 access-list noNat
    route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
    route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
    route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 match address outside_cryptomap_60
    crypto map cr-lakeavemap 10 set peer 198.40.254.178
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    tunnel-group 198.40.254.178 type ipsec-l2l
    tunnel-group 198.40.254.178 ipsec-attributes
    The offsite datacenter PIX501 config (again edited)
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
    access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
    mtu outside 1500
    mtu inside 1500
    ip address outside 198.40.254.178 255.255.255.240
    ip address inside 10.60.10.2 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
    route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
    route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 ipsec-isakmp
    crypto map cr-lakeavemap 10 match address crvpn
    crypto map cr-lakeavemap 10 set peer 198.40.227.50
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap client authentication LOCAL
    crypto map cr-lakeavemap interface outside
    isakmp enable outside
    isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    Output of the “show crypto ipsec sa” command
    From the main office
    Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
           access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
           local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
           current_peer: 198.40.254.178
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
           #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
           local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
           path mtu 1500, ipsec overhead 58, media mtu 1500
           current outbound spi: D78E63C9
          inbound esp sas:
          spi: 0x5D63434C (1566786380)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4274801/7527)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xD78E63C9 (3616433097)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4275000/7527)
             IV size: 8 bytes
             replay detection support: Y
    From the offsite datacenter
       local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       current_peer: 198.40.227.50:500
       dynamic allocated peer ip: 0.0.0.0
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 1156, #recv errors 0
         local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 5d63434c
         inbound esp sas:
          spi: 0xd78e63c9(3616433097)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4608000/6604)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x5d63434c(1566786380)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4607792/6596)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas:
    I'm not sure where the issue lies and have beaten my head on this for a while, so any help/insight is greatly appreciated. If there is anything else you'd like to see, please let me know.

    Hi Joe,
    This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    That's from the PIX at the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office; is that correct?
    If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can check the logs on the PIX and see if the firewall is dropping the GRE before it is encrypted.
    Also, packet-tracer can be run to ensure that the traffic has a VPN phase, which would indicate that it is following the correct phases and would be encrypted.
    Let me know.
    Mike Rojas.
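
    Mike's reading rests on comparing the counter sets from the two ends of the same SA. As an added example that is not part of this thread, here is a small parser for the counter lines that PIX and IOS print in `show crypto ipsec sa`, plus a cross-check of both ends. The sample text is constructed from the counters and endpoints quoted in the thread; the PIX's ident lines are assumed to mirror the router's, since the thread only shows the router's.

```python
import re
from dataclasses import dataclass

# Constructed sample text, modelled on the two "show crypto ipsec sa" outputs in this
# thread (a PIX at the main office, an IOS router at the offsite datacenter). The
# counters, peers and GRE identities are the ones the thread shows; the PIX's ident
# lines are an assumption (mirror of the router's).
PIX_MAIN_OFFICE = """\
   local  ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   current_peer: 198.40.254.178:500
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
"""

IOS_DATACENTER = """\
   local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   current_peer: 198.40.227.50:500
     #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     #send errors 1156, #recv errors 0
     local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
"""


@dataclass
class SaCounters:
    local_ident: str   # "addr/mask/prot/port" exactly as printed
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    @property
    def protocol(self) -> str:
        """IP protocol number from the local ident (47 = GRE)."""
        return self.local_ident.split("/")[2]


def parse_sa(text: str) -> SaCounters:
    """Pull identity and counter fields out of one SA block.

    PIX and IOS differ slightly ("#send errors: 0" vs "#send errors 1156"),
    so the colon is optional in every numeric pattern."""
    def grab(pattern: str, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return cast(m.group(1))

    ident = r"\(addr/mask/prot/port\):\s*\(([^)]*)\)"
    return SaCounters(
        local_ident=grab(r"local\s+ident\s*" + ident),
        remote_ident=grab(r"remote\s+ident\s*" + ident),
        peer=grab(r"current_peer:\s*(\S+)"),
        encaps=grab(r"#pkts encaps:?\s*(\d+)", int),
        decaps=grab(r"#pkts decaps:?\s*(\d+)", int),
        send_errors=grab(r"#send errors:?\s*(\d+)", int),
        recv_errors=grab(r"#recv errors:?\s*(\d+)", int),
    )


def diagnose_pair(a_name: str, a: SaCounters, b_name: str, b: SaCounters) -> list[tuple[str, str]]:
    """Cross-check the two ends of one SA; returns (code, explanation) findings."""
    findings = []
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        findings.append(("IDENT_MISMATCH",
                         f"{a_name} {a.local_ident}->{a.remote_ident} does not mirror "
                         f"{b_name} {b.local_ident}->{b.remote_ident}"))
    for me, me_name, other, other_name in ((a, a_name, b, b_name), (b, b_name, a, a_name)):
        if me.encaps == 0:
            # Nothing ever matched the crypto ACL on this side, or it was dropped first.
            findings.append(("NO_ENCAPS",
                             f"{me_name} has encapsulated nothing: GRE from "
                             f"{me.local_ident.split('/')[0]} is not reaching the crypto engine"))
        elif other.decaps == 0:
            # This side encrypted traffic, the far side never decrypted any of it.
            findings.append(("ESP_NOT_ARRIVING",
                             f"{me_name} encapsulated {me.encaps} packets but {other_name} "
                             "decapsulated 0: ESP is lost in transit or counters are stale"))
        if me.send_errors:
            findings.append(("SEND_ERRORS", f"{me_name}: {me.send_errors} send errors"))
    return findings


if __name__ == "__main__":
    pix, dc = parse_sa(PIX_MAIN_OFFICE), parse_sa(IOS_DATACENTER)
    for code, text in diagnose_pair("pix", pix, "datacenter", dc):
        print(f"{code}: {text}")
```

    Clear the counters on both sides at the same time (`clear crypto sa counters` on IOS) before reading them again, so that a zero on one end is not just a stale snapshot. Note that the SPIs in the thread do line up (0x5d63434c is the router's outbound and the PIX's inbound), so a non-zero encaps opposite a zero decaps points at the path between the peers or a drop before encryption, not at SA negotiation.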

  • VPN and QOS

    Hi,
    Just installed a WRT610N and am connecting my Cisco Softphone through the VPN. Can I still set up QOS priorities? Since it is a softphone, does it have a MAC address or is that the MAC for my laptop running the phone?
    Thanks!
    Paul

    As an edit to my previous post, I've done some more searches and come up with additional details.
    From what I've been able to tell, establishing QOS rules for a softphone is not as simple as choosing a port. Instead I've read about things like GQoS, DSCP, and TOS. At the moment I have no idea if my current softphone (vbuzzer) supports any of these things, but I've installed X-Lite 3.0 which does support QOS packet tagging. So, then, which of these does the WRT610N recognize? How should I configure its QOS settings in combination with the X-Lite settings?
    For what it's worth the X-Lite 3.0 manual does a good job of describing its support of these features; see page 40. Also helpful was this post.
    Thanks very much for any assistance you can offer.
    Message Edited by EnigmaticSoul on 01-21-2010 11:04 PM

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went through the following document, which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only thing I'm not sure about is the split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementations where they used split-tunneling, like one of my customers:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them without any issue.
    My question would be:
    - Is the limitation about split-tunneling still valid? If yes, why is it not recommended?
    Thanks!
    Eva
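
    The document Eva quotes allows only tunnelall for phone group-policies, while the customer config above pairs the PhoneVPN tunnel-group with a tunnelspecified policy. As an added example that is not from this thread or from Cisco, here is a small check that walks an ASA config from tunnel-group to effective split-tunnel policy and prints a remediation that leaves the existing laptop policy untouched. The config fragment is constructed from the thread's configuration (hash and banner dropped, sub-commands indented as the ASA prints them); treating the "PhoneVPN" tunnel-group as the phone one and the new policy name are assumptions.

```python
import re
from typing import Optional

# Constructed ASA configuration fragment, modelled on the customer configuration
# quoted in this thread (password hash and banner left out). Which tunnel-group
# serves IP phones is passed in by name; "PhoneVPN" is assumed for the sample.
ASA_CONFIG = """\
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 dns-server value 10.64.10.13 10.64.10.14
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value SSLClientPool
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
 address-pool SSLClientPool
 authentication-server-group AD
 default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
 group-url https://84.23.107.10 enable
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
"""

# The only tunneling policy the quoted phone-VPN document supports.
ALLOWED_FOR_PHONES = {"tunnelall"}


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group indented sub-commands under their top-level command line.

    A repeated header (a second 'tunnel-group X general-attributes') extends the
    same block, so later lines can override earlier ones as they do on the ASA."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def last_value(lines: list[str], keyword: str) -> Optional[str]:
    """Argument of the last sub-command that starts with keyword, or None."""
    value = None
    for line in lines:
        m = re.match(re.escape(keyword) + r"\s+(\S+)", line)
        if m:
            value = m.group(1)
    return value


def split_tunnel_policy(blocks: dict[str, list[str]], policy: str) -> str:
    """Effective split-tunnel-policy of a group-policy; ASA default is tunnelall."""
    attrs = blocks.get(f"group-policy {policy} attributes", [])
    return last_value(attrs, "split-tunnel-policy") or "tunnelall"


def check_phone_tunnel_groups(config: str, phone_groups: list[str]) -> list[tuple[str, str, str]]:
    """(tunnel-group, group-policy, split-tunnel-policy) for every phone tunnel-group
    whose effective policy is not tunnelall."""
    blocks = parse_blocks(config)
    findings = []
    for tg in phone_groups:
        general = blocks.get(f"tunnel-group {tg} general-attributes", [])
        policy = last_value(general, "default-group-policy") or "DfltGrpPolicy"
        stp = split_tunnel_policy(blocks, policy)
        if stp not in ALLOWED_FOR_PHONES:
            findings.append((tg, policy, stp))
    return findings


def remediation(tunnel_group: str, policy: str) -> str:
    """Give the phones their own tunnelall copy of the policy instead of changing
    the one the laptops use (new policy name <policy>-phones is assumed)."""
    phone_policy = f"{policy}-phones"
    return "\n".join([
        f"group-policy {phone_policy} internal from {policy}",
        f"group-policy {phone_policy} attributes",
        " split-tunnel-policy tunnelall",
        " no split-tunnel-network-list",
        f"tunnel-group {tunnel_group} general-attributes",
        f" default-group-policy {phone_policy}",
    ])


if __name__ == "__main__":
    for tg, policy, stp in check_phone_tunnel_groups(ASA_CONFIG, ["PhoneVPN"]):
        print(f"{tg}: group-policy {policy} uses split-tunnel-policy {stp}; phones need tunnelall")
        print(remediation(tg, policy))
```

    Running the check again on the config with the remediation appended comes back clean, because the tunnel-group's last `default-group-policy` line now points at the tunnelall copy.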

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination; this is most likely when the user is being authenticated against the AAA server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

    I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
    Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
    I tried adding the DMZ network to the Split Tunnel list, but I could not access anything in it while connected to VPN using the private IP addresses.

    Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
    Share the configuration if you want help with the NAT exemption part.
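
    As an added example of the NAT exemption the reply refers to (not configuration from this thread), the ASA 8.3+ twice-NAT statement that keeps DMZ-to-client traffic untranslated, with a capture and a packet-tracer to confirm the flow; the object names, the DMZ subnet, the client pool and the interface name dmz are assumed:

```cisco
! Assumed names and addresses: DMZ-NET is the DMZ subnet, VPN-POOL the RA client pool.
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
object network VPN-POOL
 subnet 10.0.100.0 255.255.255.0
!
! Identity (static to itself) translation between DMZ and VPN pool, both directions.
! no-proxy-arp stops the ASA answering ARP for the pool on the DMZ; route-lookup makes
! it forward by the routing table rather than by the NAT interface pair.
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Verify: the NAT hit counter should increment, the capture should show the return
! packets leaving on dmz, and packet-tracer should reach a VPN phase with no NAT or
! ACL drop before it (sample addresses are assumed).
show nat detail
capture DMZCAP interface dmz match ip 192.0.2.0 255.255.255.0 10.0.100.0 255.255.255.0
packet-tracer input dmz tcp 192.0.2.10 80 10.0.100.5 40000
```

    Add the DMZ subnet to the split-tunnel ACL as well, otherwise the client never sends the traffic into the tunnel in the first place.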

  • VM with remote access VPN without split tunneling

    Hello experts,
    I have customers who need to use VMs on their laptops. These users also need to VPN to the corporate network to do their jobs. However, when they do a remote VPN to the corporate network (ASA VPN concentrator) from their VM host machine, they lose access to their VM guest machines. This problem did not happen when they used the Cisco VPN client, which went end of life and support as of July 31, 2012. In the Cisco VPN client (IKEv1), if we set the protocol to UDP they had no problem keeping their connectivity to VM machines while connected to corporate with remote access VPN. However, this feature does not work in the new Cisco VPN client, which is called AnyConnect. (NOTE: I am using IPsec IKEv2, no SSL at this time.)
    My questions to the experts:
    1. Was the ability to maintain connections to VM guest machines while connected to VPN, without enabling split tunneling, a security flaw in the old Cisco VPN client?
    2. Is there a way to maintain connectivity to VM machines installed on a computer and still connect to the remote access VPN concentrator through the host machine? (My question is about the AnyConnect client only, using IPsec IKEv2, and I do not want to enable split tunneling.)
    Thanks for your help,
    Razi                

    Did you figure this out?
