VPN internet issue.
Hello Experts.
I want to connect an RA VPN from a different location (not site to site) and need to share files by putting everything under one network.
I have installed the VPN at a remote location, and when I try to connect using the Cisco VPN client, my internet is automatically disconnecting. I was trying to fix it with split tunneling, and I installed a RADIUS server. Actually, I messed up everything. My configuration is pasted below; please go through it and check what stupid things I have done. I want to get the internet from the remote location, not from local. I have given demo IPs for the location.
This is the diagram.
My Configuration
Building configuration...
Current configuration : 3147 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Test-VPN
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 $1$F1NSDS@#M$lK5HoK1ekziowNPFLjhKV1
enable password 7 1533180F0234321243F212B3B647040
aaa new-model
aaa authentication login AUTHEN group radius local
aaa authentication login RAS-Users group radius local
aaa authorization network AUTHOR local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name www.domain.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
username administrator password 7 12346568845678767545
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group GROUP
 key Cisco123
 dns 6.6.6.6
 wins 7.7.7.7
 domain www.domain.net
 pool POOL
 acl SPLIT-TUNNEL
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile ISAPRO
 match identity group GROUP
 client authentication list default
 isakmp authorization list default
 client configuration address initiate
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto ipsec profile IPSECPRO
 set security-association idle-time 120
 set transform-set SET
crypto dynamic-map DYNAMICMAP 10
 set transform-set SET
 reverse-route
crypto map MAP client authentication list NOCAUTHEN
crypto map MAP isakmp authorization list NOCAUTHOR
crypto map MAP client configuration address respond
crypto map MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
archive
 log config
  hidekeys
interface Loopback0
 no ip address
interface FastEthernet0/0
 ip address 88.88.88.88 255.255.0.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map MAP
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Virtual-Template1 type tunnel
 description Remote access tunnel interface
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
ip local pool POOL 192.168.1.1 192.168.1.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
ip route 192.168.1.0 255.255.255.0 <gateway ip>
no ip http server
no ip http secure-server
ip access-list extended SPLIT-TUNNEL
 remark RA Split Tunnel VPN ACL
 permit ip any 88.88.88.0 0.0.0.255
ip radius source-interface FastEthernet0/0
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop <gateway ip>
radius-server host 5.5.5.5 auth-port 1645 acct-port 1646 key 7 096D5D0A1C0B03170804557878
control-plane
line con 0
 password 7 083B454342D400339544541
line aux 0
line vty 0 4
 password 7 1113100B1DJHJ5568325A5E57
scheduler allocate 20000 1000
end
Sorry for changing the real IPs. Hope you can understand the security issue.
What routing and ACLs should I configure with these IPs to access the internet through my VPN client?
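A mechanical way to find the kind of inconsistencies the post asks about, as an added Python example (not from the post or from Cisco): it walks a condensed copy of the configuration above and reports names that are referenced but never defined, and names that are defined but never referenced. The pattern tables are an assumption covering only the constructs used in this config, and the name `default` is treated as IOS's built-in method-list name rather than as a dangling reference.

```python
"""Cross-reference check for a Cisco IOS running-config.

Added example, not from the post or from Cisco. CONFIG is a condensed copy
of the configuration posted above, keeping the lines that name or refer to
another object. The pattern lists are an assumption: they cover the
constructs used in this config, not the whole IOS command set, and "default"
is treated as the IOS built-in method-list name.
"""
import re

CONFIG = """\
aaa authentication login AUTHEN group radius local
aaa authentication login RAS-Users group radius local
aaa authorization network AUTHOR local
crypto isakmp client configuration group GROUP
 pool POOL
 acl SPLIT-TUNNEL
crypto isakmp profile ISAPRO
 match identity group GROUP
 client authentication list default
 isakmp authorization list default
 virtual-template 1
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto ipsec profile IPSECPRO
 set transform-set SET
crypto dynamic-map DYNAMICMAP 10
 set transform-set SET
 reverse-route
crypto map MAP client authentication list NOCAUTHEN
crypto map MAP isakmp authorization list NOCAUTHOR
crypto map MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
interface FastEthernet0/0
 ip policy route-map VPN-Client
 crypto map MAP
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
ip local pool POOL 192.168.1.1 192.168.1.15
ip access-list extended SPLIT-TUNNEL
 permit ip any 88.88.88.0 0.0.0.255
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop <gateway ip>
"""

# Each entry: (object kind, regex capturing the name, format applied to it).
# Definitions are top-level commands; references are often sub-commands,
# which "show run" indents by one space.
DEFINITIONS = [
    ("login-list", r"^aaa authentication login (\S+)", "{}"),
    ("authz-list", r"^aaa authorization network (\S+)", "{}"),
    ("client-group", r"^crypto isakmp client configuration group (\S+)", "{}"),
    ("isakmp-profile", r"^crypto isakmp profile (\S+)", "{}"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)", "{}"),
    ("ipsec-profile", r"^crypto ipsec profile (\S+)", "{}"),
    ("dynamic-map", r"^crypto dynamic-map (\S+) \d+", "{}"),
    ("crypto-map", r"^crypto map (\S+) \d+ ipsec-isakmp", "{}"),
    ("interface", r"^interface (\S+)", "{}"),
    ("pool", r"^ip local pool (\S+)", "{}"),
    ("acl", r"^ip access-list (?:extended|standard) (\S+)", "{}"),
    ("acl", r"^access-list (\d+) ", "{}"),
    ("route-map", r"^route-map (\S+)", "{}"),
]
REFERENCES = [
    ("login-list", r"^crypto map \S+ client authentication list (\S+)", "{}"),
    ("login-list", r"^ client authentication list (\S+)", "{}"),
    ("authz-list", r"^crypto map \S+ isakmp authorization list (\S+)", "{}"),
    ("authz-list", r"^ isakmp authorization list (\S+)", "{}"),
    ("client-group", r"^ match identity group (\S+)", "{}"),
    ("isakmp-profile", r"^ set isakmp-profile (\S+)", "{}"),
    ("transform-set", r"^ set transform-set (\S+)", "{}"),
    ("ipsec-profile", r"^ tunnel protection ipsec profile (\S+)", "{}"),
    ("dynamic-map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "{}"),
    ("crypto-map", r"^ crypto map (\S+)$", "{}"),
    ("interface", r"^ ip unnumbered (\S+)", "{}"),
    ("interface", r"^ virtual-template (\d+)", "Virtual-Template{}"),
    ("pool", r"^ pool (\S+)", "{}"),
    ("acl", r"^ acl (\S+)", "{}"),
    ("acl", r"^ match ip address (\S+)", "{}"),
    ("route-map", r"^ ip policy route-map (\S+)", "{}"),
]
BUILTIN = {("login-list", "default"), ("authz-list", "default")}
NEVER_UNUSED = {"interface"}  # interfaces need not be referenced by anything


def _collect(line, table):
    """Yield (kind, name) for every pattern in `table` that matches `line`."""
    for kind, pattern, fmt in table:
        m = re.match(pattern, line)
        if m:
            yield kind, fmt.format(m.group(1))


def check_config(text):
    """Return (dangling, unused): names referenced but never defined, and
    names defined but never referenced, as sorted (kind, name) tuples."""
    defined, referenced = set(), set()
    for line in text.splitlines():
        defined.update(_collect(line, DEFINITIONS))
        referenced.update(_collect(line, REFERENCES))
    dangling = sorted(referenced - defined - BUILTIN)
    unused = sorted(d for d in defined - referenced if d[0] not in NEVER_UNUSED)
    return dangling, unused


if __name__ == "__main__":
    dangling, unused = check_config(CONFIG)
    for kind, name in dangling:
        print(f"referenced but never defined: {kind} {name}")
    for kind, name in unused:
        print(f"defined but never referenced: {kind} {name}")
```

Run against the posted configuration, the check reports NOCAUTHEN, NOCAUTHOR, NOC-DYNAMICMAP and access list 144 as referenced but never defined, and AUTHEN, RAS-Users, AUTHOR, ISAPRO, IPSECPRO and DYNAMICMAP as defined but never referenced. Each pair of a dangling reference and an unused definition of the same kind (NOCAUTHEN/AUTHEN, NOC-DYNAMICMAP/DYNAMICMAP) is a naming mismatch worth confirming before changing anything else.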
Hi Folks,
We have an internet link with a site to site VPN connection. We have been facing performance issues on this link for the past few days. We analyzed that the internet interface of our router was negotiating with the service provider modem at 10Mbps/half duplex and there were some collisions on the circuit. We asked the provider to hard code the settings to 100Mbps/Full on their modem so that our router will negotiate 100Mbps/full settings. Will it make the performance better now? We have an internet link speed of 768K upload & download.
Please let me know if more information is required.
Mahi
Hi Mahi,
It will give you better performance compared to the 10 Mbps configuration, because 10 Mbps/half duplex on one end and 100Mbps/full duplex on the peer end will always end in poor performance and lots of port errors and frame errors in the network. The better recommendation for good performance is that the router and modem ports both need to be full duplex at 100 Mbps.
And the min. requirement for a site to site VPN connection is 512Kbits/sec of internet bandwidth at each site.
Hope to help
If helpful do rate the post
Ganesh.H
Similar Messages
-
Hi all,
I am having a VPN speed issue. When I am using the internet and not connected to the VPN, I experience speeds of 25mbps/25, which is what my contract with Verizon calls for. When I connect to the VPN with my laptop, speeds drop to about 3/2 mbps. (I am connected via Ethernet hardwire not wireless)
I ran Ethernet wire to the Verizon box and then had Verizon activate. Unfortunately this did not solve my problem. Internet is fine until I connect to the VPN.
I also was able to conduct a test: I connected wireless to an open local network while in the office and then to my work server via the VPN with no noticeable speed issues. This leads me to believe the issue lies with the Actiontec router issued from Verizon?
I only work remotely 1x per week so have been hobbling along with this problem for the past 3 months since our switch from Comcast. (Speed was fine with Comcast ) It is painful as it causes a 5-10 second lag for each click when navigating folders on the remote server. This means it can take me 5 minutes to pull down one PDF file.
Is there a suggested solution for this - should I buy another router?
thanks,
Steve
No, usually you don't have to wait. You do have to log into the router and go in and release the IP, but most of the time this is all you have to do.
Once in a while it won't release properly, in which case you do have to wait a couple of hours. But most of the time it will release just fine.
====================================================================================
Error exists between keyboard and chair. -
10.3.9 Internet issues
Hi All
I have been trawling through the forums and still cannot find a solution to my iMac internet issues. I have done a complete format and reinstall of Mac OS X 10.3.9 (to be fair, I downloaded the update on another computer and installed it via USB stick). Everything works great; I can import into FireWire from a camcorder etc. The Airport card can see the wireless connection, but when I enter the password it states there is a problem and cannot connect. I have tried everything (to what I can understand anyway), and the main reason for a clean install was to get rid of any possible conflicts that may have been there.
Everything else can use the internet fine, including my MacBook (Intel). Someone did suggest once that the DNS settings were not correct, which to be honest I did not understand how to alter, plus if everything else was OK, why is just this iMac playing up?
Please can you assist; I just want this to connect so my son can upload his filming to people for his school assignments.
thank you in advance
Peter
Oops!
Could you specify what iMac you have, the specs of the system & computer, as that may help research or find workable ideas for you to try. This would help in troubleshooting, or in discovering Support articles to link you to in the course of a discussion.
I just re-read your post and had thought it was for a later Mac + OS X that would not run in PowerPC vintage! (The mention of MacBook threw me off, as did a recent newer OS X upgrade that may run -- in that newer hardware 10.9.3)
So you've upgraded a PowerPC iMacG4 to Leopard 10.3.9 and the internet doesn't work? The wireless router may be using a different security protocol than the old Airport Card can support; you may have to test the unit via Ethernet to be sure the computer itself is fully updated. It may go to Apple servers to look for Software Updates.
The settings for the wireless security may be incorrect, since later WPA2 won't apply to a vintage AirPort card. With a later OS X such as Tiger 10.4(.11) the odds do improve for connectivity to the internet.
The DNS settings should not be an issue if you can use the internet with a recent version computer and later OS X.
Not sure how to help, except to try as a test to run without the security you'd really want with the wi-fi (WPA2, etc) turned on, to see if the old iMac can then use it.
Another issue would be the lack of correct frequency; a newer Wi-Fi system may not be set to be backward compatible to 802.11a/b, newer ones use 802.11/b/g/n/+. You may check to see if the router has a setting to allow use of a lower or older spec connection.
•Solutions for connecting to Internet, set up sm Network & troubleshooting:
http://support.apple.com/kb/HT1714
•Creating a small ethernet network:
http://support.apple.com/kb/HT1433
Panther is a very old OS X and hardly finds any support. There is an area in ASC discussions for 10.3.x & earlier:
https://discussions.apple.com/community/mac_os/mac_os_x_v10.3_and_earlier
You may be able to get a download .PDF manual for Panther:
http://manuals.info.apple.com/en_US/MacOSX10.3_Welcome.pdf
Or later Tiger, in .PDF from this Manuals support site:
http://support.apple.com/manuals#macos
Sorry to not have more info... -
My computer has been taken in three times for internet issues. Each time they say it is fixed. I have reset my Safari several times, all the internal parts have been checked and are said to be in perfect working order, and I have had the entire profile of my computer wiped clean, having to reinstall everything. Now it is doing this and will stay on this gray screen for up to a half hour, until the box that says Safari has quit working, or the Flash Player plug-in has quit working. Has anyone else had this problem? If so, any help would be great, because I really do not want to take the computer in again only for them to tell me it's fine.
-
Hi there
It's been a while since I last posted on these forums with an internet issue, but my connection is really messed up. I'll see if I can do the speedtester stuff in between the constant disconnections that I am getting.
My router stats are at the end of this message. Despite the fact my Downstream speed keeps switching between 6Mbps - 7.9Mbps, I am getting around 1.6Mbps, which I expect. The very high number of errors is telling me that my line is really noisy: my parents have told me that the line, when using the phone, was very noisy when calling other people, which would confirm that theory.
I do know that there are some works being done in a plot of land right next to the telephone exchange, and I suspect it's BT adding the fibre broadband exchange in preparation for activating fibre in my area by the end of the year; is it possible this is causing line issues? I know we've also had really bad weather and I'm suspecting this to be a factor in my connection issues.
Many thanks for any help I can get.
Connection Information
Line state: Connected
Connection time: 0 days, 00:05:55
Downstream: 6.375 Mbps
Upstream: 448 Kbps
ADSL Settings
VPI/VCI: 0/38
Type: PPPoA
Modulation: G.992.1 Annex A
Latency type: Interleaved
Noise margin (Down/Up): 9.2 dB / 22.0 dB
Line attenuation (Down/Up): 7.5 dB / 4.0 dB
Output power (Down/Up): 12.0 dBm / 12.3 dBm
FEC Events (Down/Up): 9986496 / 638
CRC Events (Down/Up): 12054 / 615
Loss of Framing (Local/Remote): 0 / 0
Loss of Signal (Local/Remote): 0 / 0
Loss of Power (Local/Remote): 0 / 0
HEC Events (Down/Up): 143872 / 649
Error Seconds (Local/Remote): 933 / 604
YouTube Channel: http://youtube.com/lpsajuuk
Follow me on Twitter @supersajuuk
john46 wrote:
The Infinity upgrade will have no effect on standard broadband services. Are you connected to the test socket? Also, have you tried the quiet line test: dial 17070, option 2. You should hear no noise; any noise heard needs reporting to BT Faults on 151, with no mention of broadband in the call.
I'm not connected to the test socket, but I doubt that would make a difference to a noisy line?
I'll do quiet line test, but my router settings do seem to be indicating the line is noisy. Here's another set of stats from just now.
ADSL Line Status
Connection Information
Line state: Connected
Connection time: 0 days, 00:26:38
Downstream: 6.375 Mbps
Upstream: 448 Kbps
ADSL Settings
VPI/VCI: 0/38
Type: PPPoA
Modulation: G.992.1 Annex A
Latency type: Interleaved
Noise margin (Down/Up): 12.8 dB / 22.0 dB
Line attenuation (Down/Up): 7.5 dB / 4.0 dB
Output power (Down/Up): 12.0 dBm / 12.3 dBm
FEC Events (Down/Up): 13286918 / 840
CRC Events (Down/Up): 16125 / 833
Loss of Framing (Local/Remote): 0 / 0
Loss of Signal (Local/Remote): 0 / 0
Loss of Power (Local/Remote): 0 / 0
HEC Events (Down/Up): 221506 / 887
Error Seconds (Local/Remote): 1084 / 707
-
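To quantify "the very high number of errors" from the two status dumps in the thread above rather than eyeballing raw totals, an added Python example (not from the thread or from the router vendor): it parses the label/value pairs and computes how fast each counter grew between the two snapshots, which are from the same session (connection time 00:05:55, then 00:26:38). The snapshot text is copied from the posts; the growth rate per second is what actually describes how noisy the line is, since a raw total says little without the time it accumulated over.

```python
"""Error-counter growth between two ADSL status snapshots.

Added example, not from the thread. SNAPSHOT_1 and SNAPSHOT_2 are copies of
the two router status dumps posted above (same session), written one
"Label: value" pair per line.
"""
import re

SNAPSHOT_1 = """\
Line state: Connected
Connection time: 0 days, 00:05:55
Downstream: 6.375 Mbps
Upstream: 448 Kbps
ADSL Settings
Noise margin (Down/Up): 9.2 dB / 22.0 dB
Line attenuation (Down/Up): 7.5 dB / 4.0 dB
FEC Events (Down/Up): 9986496 / 638
CRC Events (Down/Up): 12054 / 615
Loss of Framing (Local/Remote): 0 / 0
HEC Events (Down/Up): 143872 / 649
Error Seconds (Local/Remote): 933 / 604
"""

SNAPSHOT_2 = """\
Line state: Connected
Connection time: 0 days, 00:26:38
Downstream: 6.375 Mbps
Upstream: 448 Kbps
ADSL Settings
Noise margin (Down/Up): 12.8 dB / 22.0 dB
Line attenuation (Down/Up): 7.5 dB / 4.0 dB
FEC Events (Down/Up): 13286918 / 840
CRC Events (Down/Up): 16125 / 833
Loss of Framing (Local/Remote): 0 / 0
HEC Events (Down/Up): 221506 / 887
Error Seconds (Local/Remote): 1084 / 707
"""


def parse_snapshot(text):
    """Return {'uptime_s': int, '<counter>': (down_or_local, up_or_remote)}.

    Lines without a colon (section headings) are skipped; only values of
    the form "<int> / <int>" are treated as counters, so settings such as
    "9.2 dB / 22.0 dB" are ignored.
    """
    fields = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue
        label, value = (s.strip() for s in line.split(":", 1))
        fields[label] = value
    d, h, m, s = map(int, re.match(r"(\d+) days, (\d+):(\d+):(\d+)",
                                   fields["Connection time"]).groups())
    stats = {"uptime_s": d * 86400 + h * 3600 + m * 60 + s}
    for label, value in fields.items():
        pair = re.fullmatch(r"(\d+) / (\d+)", value)
        if pair:
            stats[label.split(" (")[0]] = tuple(map(int, pair.groups()))
    return stats


def error_rates(earlier, later):
    """Per-second growth of every counter between two snapshots of one
    session; raises if the snapshots are not in ascending uptime order."""
    dt = later["uptime_s"] - earlier["uptime_s"]
    if dt <= 0:
        raise ValueError("snapshots must come from one session, earlier first")
    return {k: tuple((later[k][i] - earlier[k][i]) / dt for i in range(2))
            for k in earlier if k != "uptime_s"}


if __name__ == "__main__":
    a, b = parse_snapshot(SNAPSHOT_1), parse_snapshot(SNAPSHOT_2)
    for counter, (first, second) in error_rates(a, b).items():
        print(f"{counter:16s} {first:10.3f}/s  {second:8.3f}/s")
```

On these two snapshots the downstream CRC counter grows by roughly 3.3 per second and the local Error Seconds counter by about 0.12 per second, meaning around one in eight seconds carried at least one error, which supports the noisy-line reading better than the raw totals do.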
Is July 9 internet issue a problem for Mac Pro users?
Is the July 9 internet issue a problem for Mac Pro users or has Apple taken care of this issue in updates?
It is only a problem for users affected by the malware that replaces the DNS IPs on their Macs. They already have a serious problem which they should fix. Follow the URL in sig's post to determine if you are infected and how to remove it.
-
I seem to be having a massive amount of random internet issues after upgrading to Leopard. The first and most apparent is that Mail and iChat both get randomly disconnected and Mail often insists that it cannot connect to the IMAP server one moment, only to work perfectly again within a minute while no other internet services (Safari, Transmission) are affected.
Safari has decided that http://news.bbc.co.uk is actually http://www.apple.com. I kid you not. I try and look at BBC news and I am consistently redirected to Apple's website. news.bbc.co.uk/iphone goes to apple.com/iphone. I've never seen anything like it before in my life.
Mail's RSS feeds seem to randomly disappear. No trace of their existence is left. After switching the 'default RSS reader' preference to Safari and then back to Mail, they re-appear - with all articles unread.
On the whole, quite a number of confusing bugs.
So, what happens if you go here: http://212.58.226.73/ ? That's the IP address that news.bbc.co.uk is supposed to point to. I found that by looking in Tiger's Network Utility as my Leo is still on its way to me. If you want to know what that IP is before going there (a good idea), you can put that in the lookup tab on Net Util and see what comes back.
If the IP works, then DNS is hosed somewhere. See what Net Util says news.bbc.co.uk translates to. If it's the number above, it's a Safari thing. If it's Apple (starts with 17 IIRC) then it might be fixable by flushing the DNS cache, though I don't know how to in Leo (shouldn't be hard).
If you did an upgrade install, you might want to reinstall using Archive and Install. -
I have a Mac OS X Server with VPN (L2TP and PTP) enabled. I am able to connect to the VPN service from my iMac (I also tried another computer) from within my LAN, but VPN over LAN isn't very useful, of course.
The problem is, I cannot connect to the VPN by typing in my public IP (with the rest of the settings the same) instead of the private IP. I've enabled port forwarding for UDP 1701, 4500, and 500, and TCP 1723. I also tried making my Mac OS X Server machine (a Mac Mini) a DMZ host, and that didn't work. I turned my router's firewall off, too.
So if I can connect to my VPN locally but not over the Internet even though I've enabled a DMZ host, which shouldn't fail, some setting must be wrong somewhere. Does anyone know what it could be?
By the way, the Mini is on WiFi for now (we recently got it and haven't set up a place for it yet).
Jeff: Sorry to sound inexperienced, but I can't find a VPN or network related log in Console. Which one is it? Anyway, I doubt that it's the connection settings but something with my router. I know all routers are different, but I was wondering if there was some generic problem with VPN and routers. Strangely enough, my other services work on the server (HTTP, AFP, SSH, VNC) by port forwarding. Again, DMZ hosting did NOT solve the problem, so I'm guessing that there's more to do if you want VPN???
Basically (to anyone), my VPN works fine over the network, so my settings must be correct, and I am almost sure that when I connect over the internet, the request does not even touch my server.
As for the other reply: I've forwarded the same ports and made my server's IP static like in the thread. The only difference is that DD-WRT firmware. Was that the final solution?
P.S. My server is temporarily down (due to some nasty irreparable permissions issues) as I reinstall Mac OS X, so I can't really test anything on the server until it's up.
-
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working on a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run gives the following output (note that below I have tried a different VPN network: 192.168.3.0/24 instead of the 172.16.1.0/24 seen in the client log).
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DW-VPDN
 ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
 vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
 vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
 address-pool DWD-VPN-Pool
 default-group-policy DWD
tunnel-group DWD ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This, however, yielded exactly the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?
Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname DWD-ASA
enable password ******* encrypted
passwd ****** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DWD
 ip address pppoe setroute
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group DWD request dialout pppoe
vpdn group DWD localname *****@SKYNET
vpdn group DWD ppp authentication pap
vpdn username *****@SKYNET password *****
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy dwdipsec internal
group-policy dwdipsec attributes
 vpn-tunnel-protocol IPSec
 default-domain value DWDDOM
username user1 password ***** encrypted privilege 0
username user1 attributes
 vpn-group-policy dwdipsec
tunnel-group dwdipsec type remote-access
tunnel-group dwdipsec general-attributes
 address-pool vpnpool
 default-group-policy dwdipsec
tunnel-group dwdipsec ipsec-attributes
 pre-shared-key *****
tunnel-group dwdssl type remote-access
tunnel-group dwdssl general-attributes
 address-pool vpnpool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
: end
DWD-ASA(config)#
-
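To read the client-side route warnings in the thread above without decoding hex by hand, an added Python example (not from the thread or from Cisco): it pairs each `AddRoute failed` block with the `Unable to add route` line that follows it, converts the 8-hex-digit fields to dotted quads, and checks that the two views of the same event agree. LOG is a constructed copy of two entries from the posted client log; the mapping of `code 160` to the Win32 name ERROR_BAD_ARGUMENTS comes from the Windows system error code list, not from the page.

```python
"""Decode Cisco VPN Client route-installation warnings.

Added example, not from the thread or from Cisco. LOG is a constructed copy
of two entries from the client log posted above. The CM line prints network,
netmask, interface and gateway as 8 hex digits each; the CVPND entry before
it prints the same values in dotted-quad form plus a Win32 error code.
"""
import ipaddress
import re

LOG = """\
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
"""

# Win32 system error code printed after "code"; 160 is ERROR_BAD_ARGUMENTS.
WIN32_ERRORS = {160: "ERROR_BAD_ARGUMENTS"}

ADDROUTE_RE = re.compile(
    r"AddRoute failed to add a route with metric of (?P<metric>\d+): code (?P<code>\d+)\n"
    r"Destination (?P<network>\S+)\nNetmask (?P<netmask>\S+)\n"
    r"Gateway (?P<gateway>\S+)\nInterface (?P<interface>\S+)"
)
CM_RE = re.compile(
    r"Unable to add route\. Network: (?P<network>[0-9a-fA-F]{8}), "
    r"Netmask: (?P<netmask>[0-9a-fA-F]{8}), Interface: (?P<interface>[0-9a-fA-F]{8}), "
    r"Gateway: (?P<gateway>[0-9a-fA-F]{8})"
)


def hex_to_ip(h):
    """'c0a801ff' -> '192.168.1.255' (most significant byte first)."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def parse_route_failures(log_text):
    """Return one dict per failed route: decoded prefix, gateway, interface,
    the Win32 code and its name, and whether the hex CM line agrees with the
    dotted-quad CVPND block that precedes it."""
    human = [m.groupdict() for m in ADDROUTE_RE.finditer(log_text)]
    hexes = [m.groupdict() for m in CM_RE.finditer(log_text)]
    results = []
    for h, x in zip(human, hexes):
        decoded = {k: hex_to_ip(v) for k, v in x.items()}
        text_view = {k: h[k] for k in decoded}
        code = int(h["code"])
        results.append({
            "code": code,
            "code_name": WIN32_ERRORS.get(code, "unknown"),
            "prefix": str(ipaddress.IPv4Network(f"{decoded['network']}/{decoded['netmask']}")),
            "gateway": decoded["gateway"],
            "interface": decoded["interface"],
            "matches_text": decoded == text_view,
        })
    return results


if __name__ == "__main__":
    for r in parse_route_failures(LOG):
        print(f"{r['prefix']} via {r['gateway']} on {r['interface']}: "
              f"code {r['code']} ({r['code_name']}), consistent={r['matches_text']}")
```

Both entries decode to the same host route, 192.168.1.255/32 via 172.16.1.1, with only the client's own virtual-adapter address (172.16.1.101, then 172.16.1.100) differing between the two attempts, which is the detail to compare against the pool and internal network configured on the ASA.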
ASA 5505 vpn connection issues
Hello, I am having some issues with getting my VPN connection working on a new site. I get no internet connection when hooking up the ASA. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appreciated; I am not very experienced in configuring these devices.
hostname ciscoasa
domain-name .com
enable password w3iW.W8jLtqmhFnt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 72.xxx.xx.xx 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name .com
access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list OUTSIDEACL extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/flash
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONATACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDEACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 13 match address VPNACL
crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
crypto map VPNMAP 13 set transform-set ESPDESMD5
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 13
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.1.1.6 192.1.1.4
dhcpd wins 192.1.1.6 192.1.1.4
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd address 10.10.10.10-10.10.10.40 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 76.xxx.xxx.xx type ipsec-l2l
tunnel-group 76.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 68.xx.xxx.xxx type ipsec-l2l
tunnel-group 68.xx.xxx.xxx ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:229af8a14b475d91b876176163124158
: end
ciscoasa(config)#
Hello Belnet,
What do the logs show from the ASA?
Can you post them?
Any other question? Sure. Just remember to rate all of the community answers.
Julio -
Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the ASA configured and it is allowing me to get out to the internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get an IP assigned from the pool of addresses. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but nowhere else. I have split tunneling enabled. Here is a copy of my config.
Thanks
Dave
Result of the command: "sh run"
: Saved
: Serial Number: *****
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.1(5)21
hostname Main-ASA
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 12
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.252
interface Vlan12
nameif Outside
security-level 0
ip address dhcp setroute
banner login *************************************
banner login Unuathorized access is prohibited !!
banner login *************************************
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DefaultDNS
domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN54
subnet 192.168.54.0 255.255.255.0
description VLAN 54
object network Management
subnet 192.168.80.0 255.255.255.0
description Management
object network VLAN51
subnet 192.168.51.0 255.255.255.0
description VLAN 51
object network VLAN52
subnet 192.168.52.0 255.255.255.0
description VLAN 52
object network VLAN53
subnet 192.168.53.0 255.255.255.0
description VLAN 53
object network VLAN55
subnet 192.168.55.0 255.255.255.0
description VLAN 55
object network VLAN56
subnet 192.168.56.0 255.255.255.0
description VLAN 56
object service 443
service tcp destination eq https
object service 80
service tcp destination eq www
object service 8245
service tcp destination eq 8245
object service 25295
service udp destination eq 25295
description Blocking 25295
object network VPN-Connections
subnet 192.168.59.0 255.255.255.0
description VPN Connections
object-group service No-IP
description no-ip.com DDNS Update
service-object object 80
service-object object 8245
service-object object 443
access-list inside_access_in remark No-ip DDNS Update
access-list inside_access_in extended permit object-group No-IP object VLAN51 any
access-list inside_access_in extended permit ip any any
access-list VPN standard permit 192.168.0.0 255.255.0.0
access-list Outside_access_in remark Blocking 25295 to HTPC
access-list Outside_access_in extended deny object 25295 any object VLAN54
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
router eigrp 1
no auto-summary
network 192.168.0.0 255.255.255.252
network 192.168.59.0 255.255.255.0
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.51.1
server-port 636
ldap-base-dn cn=users,dc=spicerslocal
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=users,dc=*****
sasl-mechanism digest-md5
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Main-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
group-policy GroupPolicy_AnyC-SSL-VPN internal
group-policy GroupPolicy_AnyC-SSL-VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value *****
webvpn
anyconnect profiles value AnyC-SSL-VPN_client_profile type user
username Dave password ***** encrypted privilege 15
username Don password ***** encrypted privilege 15
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
: end
Hi Dave,
It seems to be an issue with the NAT, I saw your VPN configuration:
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
access-list VPN standard permit 192.168.0.0 255.255.0.0
You will need to set up a NAT exemption as follows:
object-group network obj-192.168.59.0-Pool
network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
network-object 192.168.0.0 255.255.0.0
nat (inside,outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
Please proceed to rate and mark as correct this post, if it helps!
David Castro,
Regards, -
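A quick way to spot what David found in Dave's config, as an added example (not code from the thread or from Cisco): the script parses the `ip local pool`, object and manual NAT lines of an ASA 8.3+ config and reports, for each VPN pool, whether traffic to the pool hits an identity NAT exemption or the catch-all dynamic PAT rule first. The two config excerpts are constructed from the lines in Dave's post and David's reply; object NAT and `after-auto` rules are not modelled.

```python
"""Flag ASA VPN address pools that a dynamic NAT/PAT rule would translate.

Added example for the thread above, not the forum's or Cisco's code. Models
8.3+ manual NAT only: rules match top-down (first match wins) and a pool is
'exempt' when an identity NAT rule covering it comes before the dynamic one.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
OBJ_RE = re.compile(r"^object(?:-group)? network (\S+)")
SUBNET_RE = re.compile(r"^\s+(?:subnet|network-object) (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) (?:after-auto )?(?:\d+ )?source (static|dynamic) "
    r"(\S+) (\S+)(?: destination static (\S+) (\S+))?"
)

# Constructed excerpt modelled on Dave's config: pool, objects, one catch-all PAT.
ASA_CONFIG = """\
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
object network VLAN51
 subnet 192.168.51.0 255.255.255.0
object network VPN-Connections
 subnet 192.168.59.0 255.255.255.0
nat (inside,Outside) source dynamic any interface
"""

# Same excerpt with David's exemption inserted ahead of the PAT rule.
ASA_CONFIG_FIXED = """\
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
object-group network obj-192.168.59.0-Pool
 network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
 network-object 192.168.0.0 255.255.0.0
nat (inside,Outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
nat (inside,Outside) source dynamic any interface
"""

def parse_objects(lines):
    """Map 'object network' / 'object-group network' names to their subnets."""
    objects, current = {}, None
    for line in lines:
        m = OBJ_RE.match(line)
        if m:
            current = m[1]
            objects.setdefault(current, [])
        elif current is not None and line.startswith(" "):
            m = SUBNET_RE.match(line)
            if m:  # ipaddress accepts dotted netmasks such as 10.0.0.0/255.0.0.0
                objects[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        else:
            current = None  # any other top-level command closes the object
    return objects

def parse_nat_rules(lines, objects):
    """Return manual NAT rules in config order with resolved destinations."""
    rules = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m:
            continue
        _real_ifc, _mapped_ifc, kind, s_real, s_mapped, d_mapped, d_real = m.groups()
        # Identity NAT: the real and mapped objects are the same on both sides.
        identity = kind == "static" and s_real == s_mapped and d_mapped == d_real
        # No destination clause means the rule applies to any destination.
        dst = [ANY] if d_real in (None, "any") else objects.get(d_real, [])
        rules.append({"text": line, "kind": kind, "identity": identity, "dst": dst})
    return rules

def check_pool_nat(config_text):
    """For each VPN pool, report which NAT rule traffic to the pool hits first."""
    lines = config_text.splitlines()
    rules = parse_nat_rules(lines, parse_objects(lines))
    findings = {}
    for m in filter(None, map(POOL_RE.match, lines)):
        pool = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
        verdict = "no NAT rule matches traffic to the pool"
        for idx, rule in enumerate(rules, 1):
            if any(pool.subnet_of(net) for net in rule["dst"]):
                verdict = (f"exempt (identity NAT rule {idx})" if rule["identity"]
                           else f"TRANSLATED by {rule['kind']} NAT rule {idx}: {rule['text']}")
                break
        findings[m[1]] = verdict
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("with exemption", ASA_CONFIG_FIXED)):
        for pool, verdict in check_pool_nat(cfg).items():
            print(f"{label}: {pool}: {verdict}")
```

Run against the posted excerpt the pool is reported as translated by the dynamic PAT rule, which is why inside hosts' replies never reach the clients; with the exemption in place it is reported as exempt.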
Server 2012 R2 RRAS NAT VPN connectivity issues
Hello all,
I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not working properly.
Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
2. The entire environment is on Server 2012 R2 Hyper-V. I've configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I've configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it's not an IP changing anywhere. I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I'm thinking this is where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had no issues connecting to my VPN server remotely.
Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
2. How can I test if NAT-T is working outside of VPN testing?
3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond that server? What are the security implications for running VPN from the router?
Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience, recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
Respectfully yours,
Ron Arestia
Hi Ron,
Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
For detailed information, please refer to the link below:
http://support.microsoft.com/kb/926179
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Hello everybody.
I have an issue making my VPN server work. Here is my situation:
I have a router R1 with 2 ethernet interfaces:
interface N°1 : 192.168.1.1/24
interface N°2 : 192.168.2.1/24
The first interface is connected to the subnet to which some computers and servers (DHCP, DNS, Active Directory servers) are connected.
The second interface is connected to my VPN server.
The VPN server has 2 interfaces:
one connected to the intranet (precisely R1) with the IP 192.168.2.2, and the second has a public IP address.
The VPN server successfully gets its pool of addresses from the DHCP server with the IP 192.168.1.4,
and since the VPN server uses the interface with the IP 192.168.2.2 to reach the DHCP server, it gets a subset of 192.168.2.0/24.
So I end up with a VPN server who has an intranet interface that belongs to the same subnet as any connected VPN client.
The connection between the server and clients is established correctly and the clients get the correct IP addresses, and yet I can't ping any device except the VPN server interface.
So I captured the packet flow and I discovered that the ECHO message reaches its destination. The problem occurs when the router R1 tries to forward the reply to the client: it sends an ARP request but doesn't get any response.
In this situation, based on what I read on the internet, the VPN server is supposed to act as a proxy ARP, replying with its own MAC address on behalf of the VPN client and then routing the packet to its destination.
When I configured the VPN server with a static pool from 192.168.3.0/24 and added a static route in R1, everything worked perfectly.
Thanks
Hi,
Could you clarify “so I end up with a VPN server who has an intranet interface that belongs to the same subnet as any connected vpn client.”? Have you disabled the 192.168.2.2 interface or made other changes to its configuration?
• If the static IP address pool consists of ranges of IP addresses that are for a separate subnet, then you need to either enable an IP routing protocol on the remote access server computer or add static IP routes consisting of the {IP Address, Mask} of each range to the routers of the intranet. If the routes are not added, then remote access clients cannot receive traffic from resources on the intranet.
• If the DHCP server is on the same subnet as the RRAS server, then you do not have to configure the DHCP relay agent. RRAS can find DHCP servers on the same subnet by using broadcast network packets.
The related KB:
Configure the Way RRAS Assigns IP Addresses to VPN Clients
http://technet.microsoft.com/en-us/library/dd469667.aspx
Hope this helps.
“so I end up with a VPN server who has an intranet interface that belongs to the same subnet as any connected vpn client.” means that the interface of my server that is connected to my private network has an IP from 192.168.2.0/24; it's the interface used to get to my network resources like the DHCP server.
The DHCP relay agent is configured correctly and my VPN server can contact the DHCP server.
When I used a static pool from 192.168.3.0/24 and added a static route to my router, everything worked perfectly, but when I configure my VPN server to get IP addresses from the DHCP server, the VPN client can't access my intranet resources even though it gets a correct IP. -
More 525 VPN phone issues.
So I have a VPN set up on a customer's UC560 that has been working just fine for close to a year. The 525 phone worked well at a remote location for 6 months and has been nothing but problems since.
I have wiped it to factory defaults, updated the firmware to 7.5.5, re-configured it via the wizard in CCA, increased the VPN DHCP pool to 10 from 3, and it tests out fine on our shop network here at work. After that it is 50/50 whether it wants to sync up and work properly off-site. The client brings it to his house where he has cable internet and a basic Linksys router and it boots up, shows the VPN icon on the top bar as connected but just sits at downloading some .xml file. Bypasses the router and same thing so it can't be a weird firewall issue.
I was under the impression that if this phone finds an internet connection it would work. I don't understand all the hit and miss over whether it's going to sync up or not.
Thanks for the response.
I have verified we're on the latest IOS...
Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
And I always use the 2.5.6005 version of Anyconnect. Not sure about the DART thing.
Thanks for reminding me about the subnet. The client is taking the phone home with him for testing and keeps reporting that the VPN connects but doesn't fully sync up with the phone system. I bet he is on the same subnet as the system. The data VLAN is 192.168.0.X which is common with home routers.
Thanks again,
Jim -
IPad and PPTP VPN - Internet access (e-mail & Safari) not working
Hi there!
I've got an iPad2 (WiFi only) and need to configure it to use Witopia PPTP VPN, which is the VPN provider I've been using for a long time on my desktop and netbook.
Configuring the iPad was an easy task, and I was able to successfully authenticate and establish a PPTP session with any of the Witopia servers.
The problem is that once the PPTP session is established, if the "send all traffic" option is ON, I have no Internet access at all (neither e-mail nor browsing with Safari). Then, if I stop the VPN, turn OFF the "send all traffic" option on the iPad, and start the VPN again, I have Internet communication back and everything starts working fine. I've been fiddling with this in my home network (D-Link Dir-655 router using the 192.168.0.1 addressing scheme for my LAN).
Obviously, I decided to leave the "send all traffic" option OFF, but then I discovered that by doing this my Safari traffic is not encrypted and my IP is not masked, i.e. the VPN is up and running, I have normal Internet traffic, but the service to be provided by the VPN for some unknown reason is not happening.
Does anyone have a clue about what's going on ?
TIA
RTadeu
Have you tried a battery pull? If not, give that a try and then try again.
1. Please thank those who help you by clicking the "Like" button at the bottom of the post that helped you.
2. If your issue has been solved, please resolve it by marking the post "Solution?" which solved it for you!