VPN license in Cisco 1841
Does the below BOQ configure for the cisco router allow me to config site to site VPN or do we need any othe VPN license
CISCO1841
Modular Router w/2xFE, 2 WAN slots, 64 FL/256 DR
1
00
CAB-ACE
AC Power Cord (Europe), C13, CEE 7, 1.5M
1
0
S184ASK9-15101T
Cisco 1841 IOS ADVANCED SECURITY
1
0
HWIC-1ADSL
1-port ADSLoPOTS HWIC
1
0
CAB-ADSL-RJ11X
ADSL Cable RJ11 to RJ11, Cross-over
1
0
HWIC-AP-G-E
AP HWIC w 2.4 Ghz Radio for 802.11 b/g Europe
1
00
1
0
MEM1800-64CF
64MB Cisco 1800 Compact Flash Memory
1
0
MEM1841-128U256D
128 to 256MB SODIMM DRAM factory upgrade for the Cisco 1841
1
0
CAB-ADSL-RJ11
Lavender Cable for xDSL, Straight-through, RJ-11, 6 feet
1
0
AIR-ANT2422D-R
2.4 GHz 2.2 dBi Dipole Swivel Antenna Black, RP-TNC
2
0
ISR-CCP-EXP
Cisco Config Pro Express on Router Flash
1
0
CON-SNT-CISCO1841
SMARTNET 8X5XNBD Modular Router w/2xF
1
139
Does the below BOQ configure for the cisco router allow me to config site to site VPN or do we need any othe VPN license
CISCO1841
Modular Router w/2xFE, 2 WAN slots, 64 FL/256 DR
1
00
CAB-ACE
AC Power Cord (Europe), C13, CEE 7, 1.5M
1
0
S184ASK9-15101T
Cisco 1841 IOS ADVANCED SECURITY
1
0
HWIC-1ADSL
1-port ADSLoPOTS HWIC
1
0
CAB-ADSL-RJ11X
ADSL Cable RJ11 to RJ11, Cross-over
1
0
HWIC-AP-G-E
AP HWIC w 2.4 Ghz Radio for 802.11 b/g Europe
1
00
1
0
MEM1800-64CF
64MB Cisco 1800 Compact Flash Memory
1
0
MEM1841-128U256D
128 to 256MB SODIMM DRAM factory upgrade for the Cisco 1841
1
0
CAB-ADSL-RJ11
Lavender Cable for xDSL, Straight-through, RJ-11, 6 feet
1
0
AIR-ANT2422D-R
2.4 GHz 2.2 dBi Dipole Swivel Antenna Black, RP-TNC
2
0
ISR-CCP-EXP
Cisco Config Pro Express on Router Flash
1
0
CON-SNT-CISCO1841
SMARTNET 8X5XNBD Modular Router w/2xF
1
139
Similar Messages
-
VPN between 2 cisco 1841 behind NAT Device
Hello,
i have to configure 2 Routers 1841 for an IPSEC VPN. My Problem is, that on the Path between the Router is a NAT Device.
On the HUB Router i can see the NAT IP Address but the Router expects the Source IP from the Spoke.
Can anybody tell me what is the Problem?
Thanks in advance
LorenzCan you create a static NAT on your NAT device for your spoke VPN router and then use the NATed address on your peer IPSEC/ISAKMP statements on your HUB router.
Rgds
Paddy -
CIsco ASA 5505 and VPN licenses
Hi,
Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
How those licenses are counted? Will I need a license per one IPSec SA?
If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
Thank you.
Regards,
AlexAlex,
In an ASA 5505, it should say something like this...when you do sh ver.
VPN Peers : 25
It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
Its a per tunnel license.
Rate this, if it helps!
Gilbert -
2008 R2 NPS wont connect to Cisco 1841 via Cisco VPN 5.0.03.0560
I am migrating our IAS server from 2003 R2 to 2008 R2 NPS that we use to authenticate VPN conenctions through AD. Currently works without issue on 2003 R2 server. Does not want to work on 2008 R2 NPS server.
We are using Cisco VPN client 5.0.03.0560 as the VPN client. Below is the log file when I try to connect. Can someone tell me what needs to be done on NPS to get this working? If more info is needed please ask and will supply.
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 10:55:10.906 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
2 10:55:10.921 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
3 10:55:10.921 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
4 10:55:10.921 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
5 10:55:10.937 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
6 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
7 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
8 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
9 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
10 10:55:11.203 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
11 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
12 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
14 10:55:11.140 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
15 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
16 10:55:11.140 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
17 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x078F, Remote Port = 0x1194
18 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 10:55:11.140 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
20 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
21 10:55:11.203 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
22 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
23 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
24 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
25 10:55:11.203 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
26 10:55:11.203 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 10:55:11.250 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
28 10:55:11.250 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
29 10:55:15.484 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
30 10:55:15.484 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
31 10:55:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 10:55:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 10:55:41.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 10:55:51.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 10:55:52.593 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
36 10:55:52.593 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
37 10:55:52.609 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
38 10:55:52.593 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
39 10:56:01.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 10:56:07.656 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
41 10:56:07.656 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
42 10:56:11.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 10:56:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 10:56:22.656 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
45 10:56:22.656 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
46 10:56:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 10:56:37.765 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
48 10:56:37.765 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
49 10:56:41.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 10:56:51.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 10:56:52.812 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
52 10:56:52.812 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
53 10:57:01.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 10:57:07.562 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
55 10:57:07.562 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
56 10:57:11.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 10:57:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 10:57:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
59 10:57:33.046 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
60 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
61 10:57:33.046 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
62 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
63 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
64 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
65 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
66 10:57:33.046 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
67 10:57:33.062 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
68 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
72 11:00:54.656 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
73 11:00:54.671 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
74 11:00:54.671 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
75 11:00:54.687 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
76 11:00:54.703 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
77 11:00:54.750 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
78 11:00:54.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
79 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
80 11:00:54.953 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
81 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
82 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
83 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
84 11:00:55.015 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
85 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
86 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
87 11:00:54.953 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
88 11:00:54.968 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
89 11:00:54.968 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
90 11:00:54.968 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0798, Remote Port = 0x1194
91 11:00:54.968 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
92 11:00:54.968 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
93 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
94 11:00:55.000 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
95 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
96 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
97 11:00:55.015 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
98 11:00:55.015 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
99 11:00:55.015 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
100 11:00:58.765 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
101 11:00:58.765 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
102 11:01:05.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
103 11:01:15.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
104 11:01:25.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
105 11:01:30.312 06/05/14 Sev=Info/6 GUI/0x63B0000D
Disconnecting VPN connection.
106 11:01:30.312 06/05/14 Sev=Info/4 CM/0x63100006
Abort connection attempt before Phase 1 SA up
107 11:01:30.312 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
108 11:01:30.312 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
109 11:01:30.328 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
110 11:01:30.328 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
111 11:01:30.328 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
112 11:01:30.328 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
113 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
114 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
115 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
116 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
117 11:01:44.875 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
118 11:01:44.890 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
119 11:01:44.890 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
120 11:01:44.906 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
121 11:01:44.921 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
122 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
123 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
124 11:01:45.296 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
125 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
126 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
127 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
128 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
129 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
130 11:01:45.234 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
131 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
132 11:01:45.234 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x079B, Remote Port = 0x1194
134 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
135 11:01:45.234 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
136 11:01:45.250 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
137 11:01:45.250 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
138 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
139 11:01:45.281 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
140 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
141 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
142 11:01:45.296 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
143 11:01:45.296 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
144 11:01:45.296 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
145 11:01:53.625 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
146 11:01:53.625 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
147 11:01:53.640 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
148 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
149 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
150 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
151 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
152 11:01:53.640 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
153 11:01:53.640 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
154 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
155 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
156 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
157 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
158 11:02:00.406 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
159 11:02:00.421 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
160 11:02:00.421 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "com"
161 11:02:00.421 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
162 11:02:00.437 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
163 11:02:00.750 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
164 11:02:00.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
165 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
166 11:02:01.015 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
167 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
168 11:02:01.109 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
169 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
170 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
171 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
172 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
173 11:02:01.031 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
174 11:02:01.031 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
175 11:02:01.031 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
176 11:02:01.031 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x079E, Remote Port = 0x1194
177 11:02:01.031 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
178 11:02:01.031 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
179 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
180 11:02:01.078 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
181 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
182 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
183 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
184 11:02:01.078 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
185 11:02:01.078 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
186 11:02:06.406 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
187 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
188 11:02:06.406 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
189 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
190 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
191 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
192 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
193 11:02:06.406 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
194 11:02:06.421 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
195 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
196 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
197 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
198 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stoppedI am using 2008 R2 NPS as radius server. 1841 ISR as VPN device. Here are debug loghs from Cisco 1841
1430434: .Jun 9 2014 12:06:59.187 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430435: .Jun 9 2014 12:06:59.187 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/140
1430436: .Jun 9 2014 12:06:59.191 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
1430437: .Jun 9 2014 12:06:59.191 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430438: .Jun 9 2014 12:06:59.191 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430439: .Jun 9 2014 12:06:59.191 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430440: .Jun 9 2014 12:06:59.191 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430441: .Jun 9 2014 12:06:59.191 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430442: .Jun 9 2014 12:06:59.191 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430443: .Jun 9 2014 12:06:59.191 PDT: RADIUS: Response (140) failed decrypt
1430444: .Jun 9 2014 12:07:05.246 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430445: .Jun 9 2014 12:07:05.246 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
1430446: .Jun 9 2014 12:07:05.250 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
1430447: .Jun 9 2014 12:07:05.250 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430448: .Jun 9 2014 12:07:05.250 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430449: .Jun 9 2014 12:07:05.250 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430450: .Jun 9 2014 12:07:05.250 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430451: .Jun 9 2014 12:07:05.250 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430452: .Jun 9 2014 12:07:05.250 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430453: .Jun 9 2014 12:07:05.254 PDT: RADIUS: Response (140) failed decrypt
1430454: .Jun 9 2014 12:07:08.574 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp x.x.9.47(21303) -> x.x.109.122(5038), 1 packet
1430455: .Jun 9 2014 12:07:09.826 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430456: .Jun 9 2014 12:07:09.826 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
1430457: .Jun 9 2014 12:07:09.830 PDT: RADIUS: Received from id 1645/140 10.1.x.x:1645, Access-Reject, len 20
1430458: .Jun 9 2014 12:07:09.830 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430459: .Jun 9 2014 12:07:09.830 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430460: .Jun 9 2014 12:07:09.830 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430461: .Jun 9 2014 12:07:09.830 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430462: .Jun 9 2014 12:07:09.830 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430463: .Jun 9 2014 12:07:09.830 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430464: .Jun 9 2014 12:07:09.830 PDT: RADIUS: Response (140) failed decrypt
1430465: .Jun 9 2014 12:07:14.210 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430466: .Jun 9 2014 12:07:14.210 PDT: RADIUS: No response from (10.1.4.7:1645,1646) for id 1645/140
Log Buffer (4096 bytes):
6E7C
1430534: .Jun 9 2014 12:09:50.586 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430535: .Jun 9 2014 12:09:50.586 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430536: .Jun 9 2014 12:09:50.590 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430537: .Jun 9 2014 12:09:50.590 PDT: RADIUS: Response (141) failed decrypt
1430538: .Jun 9 2014 12:09:51.902 PDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
1430539: .Jun 9 2014 12:09:55.638 PDT: %SEC-6-IPACCESSLOGP: list 112 denied tcp x.x.245.x(1602) -> x.32.x.x(445), 1 packet
1430540: .Jun 9 2014 12:09:55.974 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430541: .Jun 9 2014 12:09:55.974 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
1430542: .Jun 9 2014 12:09:55.978 PDT: RADIUS: Received from id 1645/141 10.1.4.7:1645, Access-Reject, len 20
1430543: .Jun 9 2014 12:09:55.978 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430544: .Jun 9 2014 12:09:55.978 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430545: .Jun 9 2014 12:09:55.978 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430546: .Jun 9 2014 12:09:55.978 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430547: .Jun 9 2014 12:09:55.978 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430548: .Jun 9 2014 12:09:55.978 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430549: .Jun 9 2014 12:09:55.978 PDT: RADIUS: Response (141) failed decrypt
1430550: .Jun 9 2014 12:09:58.070 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 27.x.x.x(33281) -> 12.x.x.x(80), 1 packet
1430551: .Jun 9 2014 12:10:00.326 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430552: .Jun 9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.x.x:1645,1646 is not responding.
1430553: .Jun 9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.x.x:1645,1646 is being marked alive.
1430554: .Jun 9 2014 12:10:00.326 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/141
1430555: .Jun 9 2014 12:10:00.330 PDT: RADIUS: Received from id 1645/141 10.1.x.x:1645, Access-Reject, len 20
1430556: .Jun 9 2014 12:10:00.330 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430557: .Jun 9 2014 12:10:00.330 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430558: .Jun 9 2014 12:10:00.330 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430559: .Jun 9 2014 12:10:00.330 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430560: .Jun 9 2014 12:10:00.330 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430561: .Jun 9 2014 12:10:00.330 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430562: .Jun 9 2014 12:10:00.334 PDT: RADIUS: Response (141) failed decrypt
1430563: .Jun 9 2014 12:10:01.713 PDT: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 175.x.x.x -> x.x.x.104 (3/3), 1 packet
1430564: .Jun 9 2014 12:10:05.841 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430565: .Jun 9 2014 12:10:05.841 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
1430566: .Jun 9 2014 12:10:05.845 PDT: RADIUS: Received from id 1645/141 10.x.x.x:1645, Access-Reject, len 20
1430567: .Jun 9 2014 12:10:05.845 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430568: .Jun 9 2014 12:10:05.845 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430569: .Jun 9 2014 12:10:05.845 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430570: .Jun 9 2014 12:10:05.845 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430571: .Jun 9 2014 12:10:05.845 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430572: .Jun 9 2014 12:10:05.849 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430573: .Jun 9 2014 12:10:05.849 PDT: RADIUS: Response (141) failed decrypt -
Cisco 1841 as PPTP client Does not work
Dear All,
I have Cisco 1841 router running the below roles
1) SSL VPN Server
2) PPTP Server
3) Site to Site Connection with Sonicwall router
I want the router to be configured a pptp client to internet vpn server (so that i will get a fixed public ip )
Once i get this ip address i want to use this connection to accept in coming connection and forward ports to internal host,
I went through below
http://www.mreji.eu/content/cisco-router-pptp-client
https://supportforums.cisco.com/thread/2167562
But it does not work as i do not have the option for the below 2 commands in vpdn-group 2 section.(Please see section in blue)
protocol pptp
rotary-group 4
Please Advise and Help
Regards
Hasan Reza
My Current Config is as below
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.09 17:55:23 =~=~=~=~=~=~=~=~=~=~=~=
exit
Gateway#show run |
Building configuration...
Current configuration : 25109 bytes
! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Gateway
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
logging buffered 4096
no logging console
enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
no aaa new-model
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.236.5.1 10.236.5.20
ip dhcp excluded-address 10.236.5.21 10.236.5.50
ip dhcp excluded-address 172.21.51.2 172.21.51.50
ip dhcp pool ContosoPool
network 10.236.5.0 255.255.255.0
default-router 10.236.5.254
dns-server 213.42.20.20 195.229.241.222
ip dhcp pool DMZ
network 172.21.51.0 255.255.255.0
dns-server 172.21.51.10
default-router 172.21.51.1
domain-name contoso.local
ip cef
ip domain name contoso.local
ip name-server 213.42.20.20
ip name-server 195.229.241.22
ip name-server 195.229.241.222
ip ddns update method dyndns
HTTP
add http://xxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0
multilink bundle-name authenticated
vpdn enable
vpdn-group 2
request-dialin
protocol l2tp
initiate-to ip 173.195.0.42
vpdn-group RAS-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
crypto pki token default removal timeout 0
crypto pki trustpoint TP.StartSSL.CA
enrollment terminal pem
revocation-check none
crypto pki trustpoint TP.StartSSL-vpn
enrollment terminal pem
usage ssl-server
serial-number none
fqdn ssl.spktelecom.com
ip-address none
revocation-check crl
rsakeypair RSA.StartSSL-vpn
crypto pki trustpoint TP-self-signed-1981248591
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1981248591
revocation-check none
rsakeypair TP-self-signed-1981248591
crypto pki trustpoint VMWare
enrollment terminal
revocation-check crl
crypto pki trustpoint OWA
enrollment terminal pem
revocation-check crl
crypto pki certificate chain TP.StartSSL.CA
certificate ca 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP.StartSSL-vpn
certificate 0936E1
(removed the certificate info for clarity)9
quit
certificate ca 18
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP-self-signed-1981248591
certificate self-signed 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain VMWare
certificate ca 008EDCE6DBCE6B
(removed the certificate info for clarity)
quit
crypto pki certificate chain OWA
(removed the certificate info for clarity)
license udi pid CISCO1841 sn FCZ122191TW
archive
log config
hidekeys
username admin privilege 15 password 7 1304131F02023B7B7977
username ali password 7 06070328
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 84000
crypto isakmp key admin_123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map mydyn 10
set transform-set strongsha
crypto map Dxb-Auh 1000 ipsec-isakmp dynamic XXXXXXXXXX
interface FastEthernet0/0
description Internal Network (Protected Interface)
ip address 10.236.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
interface Virtual-Template1
ip unnumbered Dialer1
peer default ip address dhcp-pool ContosoPool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 eap
interface Dialer1
ip ddns update hostname XXXXXXX.dyndns.org
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
ppp pap sent-username vermam password 7 13044E155E0913323B
crypto map Dxb-Auh
interface Dialer2
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 2
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2 callin
ppp eap refuse
ppp chap hostname hasanreza
ppp chap password 7 070E2541470726544541
interface Dialer995
no ip address
ip local pool webssl 10.236.6.10 10.236.6.30
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list nat interface Dialer1 overload
ip nat inside source static tcp 10.236.5.12 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.21.51.0 255.255.255.0 10.236.5.253
ip access-list extended internal
permit ip any 10.236.5.0 0.0.0.255
ip access-list extended nat
deny ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
deny ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 any
ip access-list extended nonat
permit ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
ip access-list extended sslacl
ip access-list extended webvpn
permit tcp any any eq 443
logging esm config
access-list 101 permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway1
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint TP.StartSSL-vpn
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context webvpn
ssl authenticate verify all
url-list "Webservers"
heading "SimpleIT Technologies NBNS Servers"
url-text "Google" url-value "www.google.com"
url-text "Mainframe" url-value "10.236.5.2"
url-text "Mainframe2" url-value "https://10.236.5.2"
nbns-list "ContosoServer"
nbns-server 10.236.5.10
nbns-server 10.236.5.11
nbns-server 10.236.5.12
port-forward "PortForwarding"
local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"
policy group policy1
url-list "Webservers"
port-forward "PortForwarding"
nbns-list "ContosoServer"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
svc address-pool "webssl"
svc default-domain "Contoso.Local"
svc keep-client-installed
svc split include 10.236.5.0 255.255.255.0
svc split include 10.236.6.0 255.255.255.0
svc split include 172.31.1.0 255.255.255.0
svc split include 172.21.51.0 255.255.255.0
svc dns-server primary 172.21.51.10
default-group-policy policy1
gateway gateway1
inservice
end
Gateway#Dear All,
I have Cisco 1841 router running the below roles
1) SSL VPN Server
2) PPTP Server
3) Site to Site Connection with Sonicwall router
I want the router to be configured a pptp client to internet vpn server (so that i will get a fixed public ip )
Once i get this ip address i want to use this connection to accept in coming connection and forward ports to internal host,
I went through below
http://www.mreji.eu/content/cisco-router-pptp-client
https://supportforums.cisco.com/thread/2167562
But it does not work as i do not have the option for the below 2 commands in vpdn-group 2 section.(Please see section in blue)
protocol pptp
rotary-group 4
Please Advise and Help
Regards
Hasan Reza
My Current Config is as below
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.09 17:55:23 =~=~=~=~=~=~=~=~=~=~=~=
exit
Gateway#show run |
Building configuration...
Current configuration : 25109 bytes
! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Gateway
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
logging buffered 4096
no logging console
enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
no aaa new-model
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.236.5.1 10.236.5.20
ip dhcp excluded-address 10.236.5.21 10.236.5.50
ip dhcp excluded-address 172.21.51.2 172.21.51.50
ip dhcp pool ContosoPool
network 10.236.5.0 255.255.255.0
default-router 10.236.5.254
dns-server 213.42.20.20 195.229.241.222
ip dhcp pool DMZ
network 172.21.51.0 255.255.255.0
dns-server 172.21.51.10
default-router 172.21.51.1
domain-name contoso.local
ip cef
ip domain name contoso.local
ip name-server 213.42.20.20
ip name-server 195.229.241.22
ip name-server 195.229.241.222
ip ddns update method dyndns
HTTP
add http://xxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0
multilink bundle-name authenticated
vpdn enable
vpdn-group 2
request-dialin
protocol l2tp
initiate-to ip 173.195.0.42
vpdn-group RAS-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
crypto pki token default removal timeout 0
crypto pki trustpoint TP.StartSSL.CA
enrollment terminal pem
revocation-check none
crypto pki trustpoint TP.StartSSL-vpn
enrollment terminal pem
usage ssl-server
serial-number none
fqdn ssl.spktelecom.com
ip-address none
revocation-check crl
rsakeypair RSA.StartSSL-vpn
crypto pki trustpoint TP-self-signed-1981248591
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1981248591
revocation-check none
rsakeypair TP-self-signed-1981248591
crypto pki trustpoint VMWare
enrollment terminal
revocation-check crl
crypto pki trustpoint OWA
enrollment terminal pem
revocation-check crl
crypto pki certificate chain TP.StartSSL.CA
certificate ca 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP.StartSSL-vpn
certificate 0936E1
(removed the certificate info for clarity)9
quit
certificate ca 18
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP-self-signed-1981248591
certificate self-signed 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain VMWare
certificate ca 008EDCE6DBCE6B
(removed the certificate info for clarity)
quit
crypto pki certificate chain OWA
(removed the certificate info for clarity)
license udi pid CISCO1841 sn FCZ122191TW
archive
log config
hidekeys
username admin privilege 15 password 7 1304131F02023B7B7977
username ali password 7 06070328
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 84000
crypto isakmp key admin_123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map mydyn 10
set transform-set strongsha
crypto map Dxb-Auh 1000 ipsec-isakmp dynamic XXXXXXXXXX
interface FastEthernet0/0
description Internal Network (Protected Interface)
ip address 10.236.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
interface Virtual-Template1
ip unnumbered Dialer1
peer default ip address dhcp-pool ContosoPool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 eap
interface Dialer1
ip ddns update hostname XXXXXXX.dyndns.org
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
ppp pap sent-username vermam password 7 13044E155E0913323B
crypto map Dxb-Auh
interface Dialer2
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 2
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2 callin
ppp eap refuse
ppp chap hostname hasanreza
ppp chap password 7 070E2541470726544541
interface Dialer995
no ip address
ip local pool webssl 10.236.6.10 10.236.6.30
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list nat interface Dialer1 overload
ip nat inside source static tcp 10.236.5.12 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.21.51.0 255.255.255.0 10.236.5.253
ip access-list extended internal
permit ip any 10.236.5.0 0.0.0.255
ip access-list extended nat
deny ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
deny ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 any
ip access-list extended nonat
permit ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
ip access-list extended sslacl
ip access-list extended webvpn
permit tcp any any eq 443
logging esm config
access-list 101 permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway1
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint TP.StartSSL-vpn
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context webvpn
ssl authenticate verify all
url-list "Webservers"
heading "SimpleIT Technologies NBNS Servers"
url-text "Google" url-value "www.google.com"
url-text "Mainframe" url-value "10.236.5.2"
url-text "Mainframe2" url-value "https://10.236.5.2"
nbns-list "ContosoServer"
nbns-server 10.236.5.10
nbns-server 10.236.5.11
nbns-server 10.236.5.12
port-forward "PortForwarding"
local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"
policy group policy1
url-list "Webservers"
port-forward "PortForwarding"
nbns-list "ContosoServer"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
svc address-pool "webssl"
svc default-domain "Contoso.Local"
svc keep-client-installed
svc split include 10.236.5.0 255.255.255.0
svc split include 10.236.6.0 255.255.255.0
svc split include 172.31.1.0 255.255.255.0
svc split include 172.21.51.0 255.255.255.0
svc dns-server primary 172.21.51.10
default-group-policy policy1
gateway gateway1
inservice
end
Gateway# -
Remote Access VPN posturing with Cisco ISE 1.1.1
Hi all,
we would like to start using our ISE for Remote VPN access.
We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
I know ISR's are support NADs but what about ASRs? There is no mention.
Any advise will be appreciated!
MarioOK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
essentially my requirements are
2-factor authentication VPN using a Certificate & RSA Token
Posturing of the VPN endpoint.
Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
Can anyone help?
Mario -
How to configure Multiple PPTP VPN Clients on cisco 3g supported Router
I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
here is the config for the one that works:
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip xxx.xxx.xxx.xxx
interface Dialer0
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly
zone-member security private
encapsulation ppp
ip igmp query-interval 125
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap eap chap pap callin
ppp eap refuse
ppp chap hostname xxx@xxx
ppp chap password 7 xxxpassword
But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available.I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
here is the config for the one that works:
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip xxx.xxx.xxx.xxx
interface Dialer0
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly
zone-member security private
encapsulation ppp
ip igmp query-interval 125
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap eap chap pap callin
ppp eap refuse
ppp chap hostname xxx@xxx
ppp chap password 7 xxxpassword
But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available. -
Hi All,
My company wants to place a Cisco Router on to a new lease line setup. With the requirement of
1) 3 site-to-site VPN to directors.
2) 30-40 client vpn from marketing team.
3) MPLS to other branch office
4) Also act as firewall.
I've suggested placing a Cisco 2951-HSEC/K9. It says recommended no. of users upto 150 and for 2921 its 100. Some forums suggest VPNs are part of the HSEC incense.
But am still not sure whether do I need to buy additional VPN licenses to cover-up all users or not. If yes, what kind of licenses shall we go for?
We have found FL-SSLVPN25-K9 compatible VPN license pack for Cisco 29XX but can we also use IPSec VPNs as well if we buy this pack. If not is there a pack that give us options to use both technologies. Are these licenses one-off or yearly subscription?
Also can Cisco 2921-HSEC/K9 do the job for us? We are use 1 LAN interface and 1 WAN along with HWIC ADSL for failover.
Thanks in advance.
Regards
KuldeepHello Kuldeep,
Not sure if you found the answer in the meantime. For site to site VPN, you would need the security packets but for SSL VPN, staring from 15.0(1)M, you need a separate license as well. This link will explain it in more details:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ssl_vpn.html
When it comes to the license, I can only see licenses for 25 and 100 users:
http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985_ps10537_Products_White_Paper.html#wp9000798
Warm Regards,
Rose -
Content Security Licensing on Cisco ASA
Hi Guys,
Need help on licensing of content security on Cisco ASAs. Hope someone would be able to help.
Our customer has a ASA5520-CSC20-K9 (default 500 users) appliance. When the appliance was first bought, they upgraded it to 750 user license and PLUS feature license. They want to renew these licenses. Kindly advise the following:
1. In order to do so, is it right that the customer has to purchase both the following (to cater to the 750 users and PLUS features)?
• L-ASACSC20-500UP1Y ASA 5500 CSC-SSM-20 500-User w/ Plus Lic. Renewal (1-year)
• L-ASACSC20-250UP1Y ASA 5500 CSC-SSM-20 250-User w/ Plus Lic. Renewal (1-year)
2. Do the renewal licenses above include BASE features (Anti-Virus, Anti-Spyware, File-Blocking)?
Thanks!
CitraThat unfortunate. It seems like with the VPN licensing they realized if you were in an active/standby configuration then you should only have to pay for one license, thus the license change in 8.3+ only requires you to purchase one license. I thought this would have carried over into IPS.
Beings we haven't failed over to the standby unit in 2 years, would it be possible to install the IPS module in both the active and standby appliances, but just license the one in the active mode? I don't care if we are running without IPS on the standby if we did have to failover for some amount of time. Or does having it licensed on one and not the other mess with being in active/standby failover mode? -
QOS on Cisco 1841 between MS TMG and managed Cisco 1841?
Replicating our VM data from our Site A to a Hosted Provider (Site B) for DR purposes.
Crude annotaion of our network:
VIRTUAL HOSTS-----NORTEL L3 SWITCH-----MS TMG 2010 EDGE FIREWALL-----ISP MANAGED CISCO 1841-------------------CLOUD---------------SITE B
At times the replication traffic is hogging the connection and causing degraded performance for VPN clients amongst other things.
TMG 2010 doesn't support QOS and we cannot make any changes to the ISP managed Cisco router, nor can we request changes to be made.
My plan was to get a hold of a small switch that supported QOS and place this between the MS TMG and the managed router but we actually have another Cisco 1841 sitting doing nothing, would I be able to use the spare 1841 for this purpose?
Many thanks
SteveDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
10 Mbps is around the limits of an 1841. It might or might not have enough capacity. You could try using it and monitor its CPU when it's dealing with saturated 10 Mbps.
You can police or shape before the 10 Mbps bottleneck. That will insure you can guarantee bandwidth for the non-replication traffic.
You can only police after the 10 Mbps bottleneck. If the replication traffic is TCP based, dropped packets should slow the sender, but the sender can often still burst saturate the link before it detects the drops and slows. If you set a very low bandwidth allowance for the replication traffic, you can often keep it from burst saturating the link. The other issue with policing, it cannot dynamically allow bandwidth utilization (i.e. prioritization) as you can do with a shaper.
If most of the replication traffic bandwidth consumption is one way, insert the 1841 anywhere upstream (where all traffic will pass through it) of the 10 Mbps bottleneck, and shape or police. I would recommend shaping with a very low bandwidth allowance for replication (e.g. 1%). This will allow replication traffic to use all 10 Mbps, but any other traffic will get priority.
If the replication traffic bandwidth consumption is two way, you'll really want a 2nd device, on the other side of the bottle neck.
PS:
BTW, in lieu of shaping, having your upstream (of bottleneck) also with a physical 10 Mbps interface works even better. Again, de-prioritize the replication traffic.
e.g.
class-map replication
match
policy-map phy-10m
class replication
bandwidth percent 1
(optionally random-detect)
class class-default
fair-queue
int 10m
service-policy output replication -
Mavericks VPN dropouts with native VPN client and Cisco IPSec
Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
I am connecting via a WIFI router to a remote VPN server
The conenction is good for a while but eventually it drops out.
I had Zero issues in mountain lion and only have issues since the update to 10.9
I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
My thoughts are:
1 -issue with mavericks ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
2- Issue with cisco router compaitibility or timing with Cisco IPSEC
3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
Any thousuggestions?Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
I am connecting via a WIFI router to a remote VPN server
The conenction is good for a while but eventually it drops out.
I had Zero issues in mountain lion and only have issues since the update to 10.9
I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
My thoughts are:
1 -issue with mavericks ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
2- Issue with cisco router compaitibility or timing with Cisco IPSEC
3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
Any thousuggestions? -
Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M
Dear Community,
I have a strange issue that I am hoping some of you will be able to assist with.
I am running an environment with the following specifications
Cisco ISR G2 2901 with IOS 15.3.3M
Security Licence enabled
Data Licence enabled
VPN Licence enabled
Cisco ISR G2 2951 with IOS 15.3.3M
Security Licence enabled
Data Licence enabled
SM with ESX server.
Desktop Environment
Windows XP SP3
Internet Explorer 8
Desktop Environment 2
Windows 8
Internet Explorer 10
I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
If anyone can assit me here it would really make my day.
Thanks,
WillCan anyone help with this ?
-
Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505
Problem : Unable to access user A to user B
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B
Ping is successful from user B to user A, data is accessable
After done the packet tracer from user A to user B,
Result :
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
Access-list
Action : drop
Config Implicit Rule
Result - The packet is dropped
Input Interface : inside
Output Interface : NP Identify Ifc
Info: (acl-drop)flow is denied by configured rule
Below is Cisco ASA 5505's show running-config
ASA Version 8.2(1)
hostname Asite
domain-name ssms1.com
enable password ZZZZ encrypted
passwd WWWW encrypted
names
name 82 B-firewall description Singapore office firewall
name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
name 122 A-forti
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.203 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 93 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name ssms1.com
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http B-inside-subnet 255.255.255.0 inside
http fw-inside-subnet 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A-forti
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer B-firewall
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd dns 165 165 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password XXX encrypted privilege 15
tunnel-group 122 type ipsec-l2l
tunnel-group 122 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map outside-policy
description ok
class outside-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum: XXX
: end
Kindly need your expertise&help to solve the problemany1 can help me ?
-
Creating "A" record in Cisco 1841
Hello All,
We are using Cisco 1841 router. Our requirement is to configure "A" record in the router i.e. we wanted this router to act as a Primary DNS server.
I can bit explain the scenario.
We have connected Internet Lease line ILL to this router with a static ip assigned to it. We have a domain name registered say e.g. www.xyz.com at www.namecheap.com. We wanted to host the web server inside our office network for our website. We did the necessary changes at www.namecheap.com to the domain www.xyz.com pointing it to our static ip. But we are not able to ping or browse the domain www.xyz.com and we contacted www.namecheap.com technical support and they informed us that we need to create a "A" record where ever the web server is hosted.
I tried to search the internet and i couldn't able to find the necessary online resources for creating "A" record in the router for the domain name. But i could find the below link for creating soa record http://blog.ipspace.net/2006/09/use-your-cisco-router-as-primary-dns.html and created a namesever entries like ns1.xyz.com
But this doesn't create "A" record
Any assistance would be really helpful.
Thanks
SundarDear Daniele,
Thanks for your reply.
You solution worked great for me.
We are able to ping the domain name.
Now we are facing another problem in reaching our web server. I will explain it below.
1. When i type the domain name in the browser we are getting a authentication popup asking for username & password, the popup says "a username and password are being requested by says level_15_access ..."
2. I provided the router username & password it redirect to the following link http://www.sitename.com/archive/flash:home/html/home_aux.shtml. and load the SDM (Cisco router and security device manager) page.
NOTE: we have installed Cisco SDM.
What i wanted is, the site should reach our website hosted in our IIS server inside the network. The IIS server has an local IP address 192.168.1.x and the router gateway has a IP address 192.168.1.y
Any assistance would be really helpful.
Thanks
Sundar -
How to enable GUI for a Cisco 1841?
How to enable GUI for a Cisco 1841?
Hi,
install SDM or CCP on your PC then on the router :
en
conf t
ip dhcp excluded-address 192.168.1.254
ip dhcp pool MYPOOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
ip http server
ip http authentication local
username xxx privilege 15 secret xxxx
int f0/0
ip address 192.168.1.254 255.255.255.0
no shutdown
Regards.
Alain.
Maybe you are looking for
-
I can't see my ipod nano in itunes
I am setting up my new nano and can't see it as an option under devices in ITunes
-
Trackpad gestures in Safari for Windows
Basically I'm one of those mac users who still has just 1 windows pc left and it's become a bit mac already. I'm running windows 7 and primarily use it for software that doesn't run on a mac, or games that myself and my nephew play from time to time.
-
Project Setup: NTSC or PAL
In connection with a recent post I made: When you begin a project in DVD Studio Pro, you have the option to set the project as NTSC or PAL. What would happen if I shot/edited an NTSC video, but selected the DVD studio pro project to be PAL? Would the
-
Xcode 3.1.4 on OSX 10.5.8
Hi, Are there any issues in installing Xcode 3.1.4 on a mac running OSX 10.5.8? I ask as Xcode 3.1.4 came out when OSX 10.5.7 was current and I don't want to cause any corruption. ...and please don't suggest upgrading to OSX 10.6.x because I'm waitin
-
HI We've been using Ekahau Site Survey to plan and extend our wifi infrastructure. Comparing WCS and Ekahua on some installs, WCS seems to want probably couple more APs. My question is, When using WCS to plan the installation / extend existing n