VPN Questions

Hello,
I am looking to use the Cisco 3925 to establish site-to-site VPNs using traditional IPsec tunneling. One site is using an ASA 5510 and I would like to use my existing Cisco 3925 at my site.
I have a 100 Mb pipe between the sites, although it's not totally dedicated.
Are there likely to be any limitations?
Also, what are the rules for using VoIP on IPsec or GRE tunnels?
Does anyone know of the limitations of setting up

Flat IPsec tunnels and GRE both support marking packets; however, over the Internet you cannot guarantee QoS. You control the packets leaving your interfaces to the Internet and once the packets arrive at the remote end, but in between the sites you won't have any control.
If you go with flat IPsec tunnels (no GRE) you'll need to do QoS Pre-Classify on the crypto maps to carry the QoS markings over the tunnel.
GRE tunnels will offer you much more scalability since you can run routing protocols over the GRE tunnel, whereas you cannot over flat IPsec tunnels. You can use reverse route injection, but it isn't as clean as true routing. This all depends on how many VPNs you will be running, though.
Richard is right: since the ASA does not support GRE, that will limit you.
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/

Similar Messages

  • VPN Question (match interesting traffic)

    Dear guys,
    A VPN question; see the text diagram below:
    inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
                                ipsec vpn tunnel                          ipsec vpn tunnel
    We have configured interesting traffic on ASA-2 for each of the two sides.
    We can ping the ASA-2 inside network from ASA-3 and ASA-1, but why can't the ASA-3 inside network access the ASA-1 inside network?

    Hi Yun,
    Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; however, there is NO direct tunnel needed between ASA1 and ASA3.
    Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-nat on the inside interface of ASA2.
    Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-nat on the inside interface of ASA2.
    Step 4: Create a no-nat on ASA2 for the outside interface, and this no-nat must include ASA1's inside network segment and ASA3's inside network segment. See the example below.
    This is only an example; change it to fit your network segments.
    object-group network ASA1-inside
      network-object 192.168.100.0 255.255.255.0
    object-group network ASA3-inside
      network-object 192.168.200.0 255.255.255.0
    access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
    access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
    nat (outside) 0 access-list nonat-outside
    Please let me know how this is coming along.
    thanks
    Rizwan Rafeek

  • ASA VPN QUESTION

    Hi All
    The question is pretty simple. I can successfully connect to my ASA 5505 firewall via the Cisco VPN client 64-bit; I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN pool.
    The LAN behind the ASA is 192.168.0.0 and the VPN pool for the Cisco VPN client is 192.168.30.0.
    I would appreciate some help, please.
    Here is the config:
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password J7NxNd4NtVydfOsB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.11 EXCHANGE
    name x.x.x.x WAN
    name 192.168.30.0 VPN_POOL2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address WAN 255.255.255.252
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nk-acl extended permit tcp any interface outside eq smtp
    access-list nk-acl extended permit tcp any interface outside eq https
    access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list VPN_NAT outside
    static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group nk-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside 192.168.0.16 community public
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd dns 217.27.32.196
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy customerVPN internal
    group-policy customerVPN attributes
    dns-server value 192.168.0.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value customerVPN_splitTunnelAcl
    default-domain value customer.local
    username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
    username xxx attributes
    vpn-group-policy TUNNEL1
    username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
    username xxx attributes
    vpn-group-policy PAPAGROUP
    username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
    username xxx attributes
    vpn-group-policy customerVPN
    username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
    tunnel-group customerVPN type ipsec-ra
    tunnel-group customerVPN general-attributes
    address-pool VPN_POOL2
    default-group-policy customerVPN
    tunnel-group customerVPN ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
    : end
    ciscoasa#                           

    Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
    Site-to-site VPN in multiple context mode was added in 9.0(1), and I have customers who have been asking for the remote access features as well.
    I will remember to ask about that at Cisco Live next month.

  • Dual ISP on ASA VPN question.

    Hi all.
    My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP at the ASA 5520?
    Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP?
    Config:
    crypto isakmp enable outside
    crypto isakmp enable backup
    tunnel-group 200.200.2.1 type ipsec-l2l
    tunnel-group 200.200.2.1 ipsec-attributes
    pre-shared-key CISCO
    tunnel-group 200.200.1.1 type ipsec-l2l
    tunnel-group 200.200.1.1 ipsec-attributes
    pre-shared-key CISCO
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 match address VLAN121_TO_VLAN23
    crypto map VPN 10 set peer 200.200.1.1
    crypto map VPN 10 set transform-set 3DES_MD5
    crypto map VPN 20 match address VLAN121_TO_VLAN23
    crypto map VPN 20 set peer 200.200.2.1
    crypto map VPN 20 set transform-set 3DES_MD5
    ! Apply crypto-map and enable VPN traffic to bypass ACLs
    crypto map VPN interface outside
    crypto map VPN interface backup
    sysopt connection permit-vpn
    Thank you.

    We are not able to make a loopback on the ASA.
    The routing with SLA is working fine; the problem is that when the local network goes to the remote network it always tries to use the first tunnel, which was set up for the first ISP's IP address.

  • Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

    Dear community,
    Quite frequently I am now receiving the following error message in my ASA 5502's log:
    Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    The VPN clients (in the last case: a Linux vpnc) disconnect with the message
       vpnc[7736]: connection terminated by dead peer detection
    The ASA reports for that <some_ip> at around the same time:
    Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
    A Google search did not reveal any explanation for the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message, so my questions would be:
       1) What does the message exactly mean? I know runts as an L2 problem, so I'd suppose it means the same: the ISAKMP packet is somehow
           crippled (I'd suppose this happens during rekeying)?
       2) Any idea where to look for the cause of this?
              WAN related (however, I'd assume not; why does this happen in these regular time frames as shown above)?
              SW related (vpnc bug)?
    Thanks in advance for any pointer...
    Joachim

    Yes.  You need to eliminate the things I've said to eliminate with the other side.  Ensure your configs are matching exactly.  They probably are, whatever, just make sure of it because it's easy.  You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
    The more info you can have just one person responsible for the better.  What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
    If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
    If you're seeing them come in his interface and never come back out, you know where to look.
    Set your caps to a single host to single host if need be, and generate traffic accordingly.
    You need to narrow down where NOT to look so that you know where TO look.  I would say then, and only then, do you get the ISP involved.  Once you're sure the problem exists between his edge device and your edge device.
    I do exactly this for a living on a daily basis...day after day after day.  I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions.  I always start the exact same way...from the very bottom.
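    A first step toward Joachim's question (which peer is sending the runts, and do the disconnects line up with them) before any packet capture: the following Python, added here and not from either poster, parses the two message formats quoted in the question and, for each %ASA-4-113019 disconnect, counts the %ASA-4-713903 runt packets logged from the same peer IP in the preceding window. The sample log lines are constructed to match the quoted format; the hostname asa-edge, the peer addresses and the second user are made up.

```python
"""Correlate %ASA-4-713903 'Runt ISAKMP packet' messages with the
%ASA-4-113019 session disconnects that follow for the same peer IP.
Added example, not from the thread; sample log lines are constructed."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Syslog prefix as quoted in the thread: "Oct 17 12:52:17 <host> ..."
SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
RUNT_RE = re.compile(
    SYSLOG_TS + r"%ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded "
    r"on Port (?P<port>\d+) from (?P<ip>[\d.]+):(?P<sport>\d+)$")
DISC_RE = re.compile(
    SYSLOG_TS + r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[\d.]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<dur>[^,]+), Bytes xmt: \d+, Bytes rcv: \d+, Reason: (?P<reason>.+)$")


def parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; the constructed sample spans one day."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=2000)


def correlate(lines: List[str], window_s: int = 60) -> Dict[str, dict]:
    """Per peer IP: runt count, NAT-T ports hit, and each disconnect annotated
    with the number of runts seen from that peer in the window_s seconds before it."""
    peers: Dict[str, dict] = {}
    runt_times: Dict[str, List[datetime]] = {}

    def peer(ip: str) -> dict:
        return peers.setdefault(ip, {"runts": 0, "ports": set(), "disconnects": []})

    for line in lines:
        if (m := RUNT_RE.match(line)):
            p = peer(m["ip"])
            p["runts"] += 1
            p["ports"].add(int(m["port"]))
            runt_times.setdefault(m["ip"], []).append(parse_ts(m["ts"]))
        elif (m := DISC_RE.match(line)):
            t = parse_ts(m["ts"])
            before = sum(1 for r in runt_times.get(m["ip"], [])
                         if 0 <= (t - r).total_seconds() <= window_s)
            peer(m["ip"])["disconnects"].append(
                {"user": m["user"], "type": m["type"], "reason": m["reason"],
                 "runts_before": before})
        # Any other syslog line is ignored.
    return peers


def suspect_disconnects(lines: List[str], window_s: int = 60,
                        min_runts: int = 3) -> List[Tuple[str, str, int]]:
    """(ip, user, runts_before) for disconnects preceded by >= min_runts runts."""
    return [(ip, d["user"], d["runts_before"])
            for ip, p in correlate(lines, window_s).items()
            for d in p["disconnects"] if d["runts_before"] >= min_runts]


# Constructed sample: three runts then a disconnect for one peer, a lone runt
# from a second peer, and an unrelated idle-timeout disconnect for a third.
SAMPLE_LOG = """\
Oct 17 12:52:17 asa-edge %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.45:4500
Oct 17 12:52:22 asa-edge %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.45:4500
Oct 17 12:52:27 asa-edge %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.45:4500
Oct 17 12:52:30 asa-edge %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.7:61002
Oct 17 12:52:32 asa-edge %ASA-4-113019: Group = blah, Username = johndoe, IP = 203.0.113.45, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
Oct 17 12:55:10 asa-edge %ASA-4-113019: Group = blah, Username = jsmith, IP = 198.51.100.9, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:12m:01s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: Idle Timeout
""".splitlines()


if __name__ == "__main__":
    for ip, user, n in suspect_disconnects(SAMPLE_LOG):
        print(f"{ip}: {user} dropped after {n} runt ISAKMP packets; capture UDP 4500 to/from this peer")
```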

  • Bunch of 3.9 vpn questions

    Hi all: I have been reading Craig J's newest edition for BM3.9 to try and set up a VPN to allow me in from my iMac at home. Our BM server (3.9sp1) lives behind a Cisco router. The Cisco router receives T1 traffic at port (changed IPs for obvious reasons) 200.10.10.1 and forwards to our BM server public IP at 200.10.10.2. The private IP of the BM server is 10.100.1.20.
    My first question is which example in Craig's book most closely matches my setup? I believe we closely match "MANNY".
    The last time I worked with a VPN setup was back when we ran 3.6. At that time I had to configure many filters to allow the needed VPN traffic across the BM server. Is this still needed? I assume it is and that I should use the Legacy VPN filters in Craig's book.
    Lastly, on my iMac at home I plan on using VPN Tracker as the client. What do I need for it (public VPN certificate maybe?)
    Thanks for the hand-holding, Chris.

    In article <482C139B.CE15.0032.0@N0_$pam.vrapc.com>, Chris wrote:
    > My first question is which example in Craig's book most
    > closely matches my setup? I believe we closely match
    > "MANNY".
    Yes, exactly.
    >
    > The last time I worked with a VPN setup was back when we ran
    > 3.6. At that time I had to configure many filters to allow
    > the needed VPN traffic across the BM server. Is this still
    > needed? I assume it is and that I should use the Legacy VPN
    > filters in Craig's book.
    No, the filters for IKE-based VPN are different, but the defaults
    should be fine.
    >
    > Lastly, on my iMac at home I plan on using VPN tracker as
    > the client. What do I need for it (public vpn certificate
    > maybe?)
    >
    Dunno - never used a Mac for VPN, so no experience debugging it yet.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Some Site to Site VPN questions

    When you have an ASA-to-ASA site-to-site VPN, you do have to configure the routes you want to traverse the tunnel in the routing table with a gateway of the device on the other side, correct?
    Also, does each side have to match the exact subnets within the crypto domain? For instance, if I have defined two subnets 10.10.10.0/24 and 10.100.100.0/24, the other side should have those exact subnets, not just 10.0.0.0/8, correct? If that makes sense?

    Hi,
    When we consider routing and L2L VPN connections, we can generally presume that they are built through the interface which has the default route. We can also presume that you are not configuring a L2L VPN for a remote network that overlaps with your LAN networks. Considering both of these, we can determine that naturally any network that is not in your local network will follow the default route when the ASA is making the decision about where to forward the traffic.
    So generally you won't need to manually configure any additional routes on the ASA for any remote VPN networks. VPN Client connections add routes automatically for the VPN pool IP that is assigned to the VPN Client user. On L2L VPN connections you can configure the ASA to add the routes based on the L2L VPN connection's ACL that defines the local and remote networks. In this case you will have to add the following configuration for a given L2L VPN connection:
    crypto map set reverse-route
    This will add a route to the ASA's routing table, though this won't show in the "route" configuration on the ASA.
    With regards to your question about the local/remote subnets, I actually have to say that I am not 100% sure. To my understanding your ACL can have lines/rules that don't match the other side, but the ACL does have to have matching local/remote subnets. Any extra lines in the ACL, to my understanding, don't matter, just that there is a match between the VPN peers.
    I have personally never had the need to make very broad local/remote network definitions for the L2L VPN. I have always been for being as specific as I can be. Naturally a very large environment might dictate another approach, but I have not run into anything like that myself.
    - Jouni
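    Both Jouni's point about matching local/remote subnets and Rizwan's hub-and-spoke recipe in the first thread (crypto ACLs on each tunnel plus a no-NAT ACL on the hub's outside interface) can be checked mechanically. The following Python, added here and not code from either poster, parses the 'permit ip' lines of ASA-style ACLs (object-group references included), reports crypto ACL entries that have no exact mirror on the peer, and reports spoke-to-spoke flows that the hub's no-NAT ACL fails to cover. The two sample configs, the hub LAN 192.168.150.0/24 and the ACL names to-asa1, to-asa3 and to-asa2 are constructed.

```python
"""Mirror-check ASA crypto ACLs between peers and verify that a hub ASA's
identity-NAT ACL covers every spoke-to-spoke flow it relays.
Added example, not code from the thread; handles only 'permit ip' entries
with 'any', 'host A', 'A MASK' or 'object-group NAME' address specs."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Network = ipaddress.IPv4Network
Pair = Tuple[Network, Network]          # (source, destination)

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
GROUP_RE = re.compile(r"^object-group network (\S+)$")
MEMBER_RE = re.compile(r"^network-object (\S+) (\S+)$")


def _network(a: str, b: str) -> Network:
    """'host 10.1.1.1' or 'ADDR MASK'; ipaddress accepts dotted netmasks."""
    return Network(f"{b}/32") if a == "host" else Network(f"{a}/{b}")


def _spec(tokens: List[str], i: int,
          groups: Dict[str, List[Network]]) -> Tuple[List[Network], int]:
    """Consume one address spec at tokens[i]; return its networks and the next index."""
    if tokens[i] == "any":
        return [Network("0.0.0.0/0")], i + 1
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [_network(tokens[i], tokens[i + 1])], i + 2


def parse_asa(text: str) -> Dict[str, Set[Pair]]:
    """Return {acl_name: {(src, dst), ...}} with object-groups expanded."""
    groups: Dict[str, List[Network]] = {}
    acls: Dict[str, Set[Pair]] = {}
    members = None                       # object-group currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := GROUP_RE.match(line)):
            members = groups.setdefault(m.group(1), [])
            continue
        if (m := MEMBER_RE.match(line)) and members is not None:
            members.append(_network(*m.groups()))
            continue
        members = None                   # any other line closes the group block
        if (m := ACE_RE.match(line)):
            tokens = m.group(2).split()
            srcs, i = _spec(tokens, 0, groups)
            dsts, _ = _spec(tokens, i, groups)
            acls.setdefault(m.group(1), set()).update((s, d) for s in srcs for d in dsts)
    return acls


def mirror_gaps(local: Set[Pair], remote: Set[Pair]) -> Set[Pair]:
    """Local (src, dst) entries with no exact (dst, src) twin on the peer.
    A broader remote entry (e.g. 10.0.0.0/8) is deliberately not accepted."""
    return {(s, d) for s, d in local if (d, s) not in remote}


def relayed_pairs(acl_a: Set[Pair], acl_b: Set[Pair]) -> Set[Pair]:
    """Spoke-to-spoke flows a hub forwards between two tunnels: source is a
    remote network of one tunnel, destination a remote network of the other."""
    remote_a = {d for _, d in acl_a}
    remote_b = {d for _, d in acl_b}
    return {(s, d) for s, d in acl_a | acl_b
            if (s in remote_a and d in remote_b) or (s in remote_b and d in remote_a)}


def nonat_gaps(flows: Set[Pair], nonat: Set[Pair]) -> Set[Pair]:
    """Flows not covered by any identity-NAT (nat 0) ACL entry."""
    return {(s, d) for s, d in flows
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)}


# Constructed hub (ASA2) config: two spoke tunnels, hub LAN 192.168.150.0/24.
# The no-NAT ACL deliberately lacks the ASA3 -> ASA1 direction.
HUB_ASA2 = """
object-group network ASA1-inside
  network-object 192.168.100.0 255.255.255.0
object-group network ASA3-inside
  network-object 192.168.200.0 255.255.255.0
access-list to-asa1 extended permit ip 192.168.150.0 255.255.255.0 object-group ASA1-inside
access-list to-asa1 extended permit ip object-group ASA3-inside object-group ASA1-inside
access-list to-asa3 extended permit ip 192.168.150.0 255.255.255.0 object-group ASA3-inside
access-list to-asa3 extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
"""

# Constructed spoke (ASA1) config: its crypto ACL forgot the ASA3 network.
SPOKE_ASA1 = """
access-list to-asa2 extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
"""


def check_hub_and_spoke() -> Dict[str, Set[str]]:
    """Run both checks on the constructed configs; results as 'src -> dst' strings."""
    hub, spoke = parse_asa(HUB_ASA2), parse_asa(SPOKE_ASA1)
    relayed = relayed_pairs(hub["to-asa1"], hub["to-asa3"])
    fmt = lambda pairs: {f"{s} -> {d}" for s, d in pairs}
    return {"spoke_missing": fmt(mirror_gaps(hub["to-asa1"], spoke["to-asa2"])),
            "nonat_missing": fmt(nonat_gaps(relayed, hub["nonat-outside"]))}


if __name__ == "__main__":
    for name, gaps in check_hub_and_spoke().items():
        print(name, sorted(gaps) or "none")
```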

  • SA 540 General VPN Question

    Going to put down the trusty old PIX 506e and considering replacing it with an SA540. Are there any known VPN configuration 'gotchas' on the SA540 when the ISP-assigned WAN address is static PPPoE?

    Hi Bob, trust me on this one... there is no way on this earth you're ever going to see these SA540s even get within a whisper of touching the levels on a 5510 with web VPN, even if they were not the buggy POSs that they are.
    I'm going through the same pains... been on many a webinar with the SEs from Cisco talking about how great these SA540s are... but they obviously have no real experience with them. If I were you (and I might as well be, I've been in the exact same boat for a couple of months with some of my clients) I would STRONGLY advise you do not try and use the 540 as a replacement for an ASA... you and your client will be extremely pissed with the results. If your client's needs are large enough to require a 5510, nothing in the SBM space would be an adequate substitute anyway.
    As an SBM Select reseller of many years I cannot say how DEEPLY disappointed I am in Cisco right now. Between having firewalls on back order for three months, lack of taking ownership of the many problems, and just plain lying about this product, I'm beginning to question how much longer I can recommend them to my client base.
    Right now the best (Cisco-based) option I could recommend is to replace the units with Cisco IOS routers for your web VPN options. Keep in mind, Cisco has recently changed to a licensing model for WebVPN even on the IOS routers... so you'll want to check out that SKU for your quotes.

  • Client SSL VPN question

    Not sure if this is possible (device: ASA 5550), but can a client establish an SSL VPN to a remote network and have devices on the remote network access local network printers?
    So you've got one client on network A that creates an SSL VPN to network B; can network B be configured so that automatic jobs come across the same SSL VPN to a different IP?

    I do not know if it's just me, but I do not understand what you mean with this:
    so you got one client one network A that creates a SSL VPN  to network B , can network B be configured so that automatic job come across the same ssl vpn to a Different IP?
    Can you try to explain it one more time?
    Now, I think you are saying the following; please look at this:
    HQ----ASA----INTERNET----------Office2
    Now Office2 will do a clientless SSL VPN to the ASA and afterwards you want the HQ to be able to contact some printers or servers on Office2 via the clientless SSL VPN. If that is the question, the answer is NO. The clientless SSL VPN will only allow traffic to go from Office2 to the HQ, and not all traffic; it will depend on what you use to configure the clientless SSL (smart tunnels, port forwarding, plugins).
    Again, I am not sure if that was the question.
    Regards,
    Julio
    Do rate all the helpful posts

  • Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

    Hello,
    We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
    Thanks for your comments in advance I am new to cisco technology,
    Joe        

    Wrong forum; post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

  • ASA 5520 site-to-site VPN question

    Hello,
    We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
    The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
    After doing some research, I came across this command:
    sysopt connection permit-vpn
    I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see if it resolves the problem.
    Thanks,
    John

    What are your configs and network diagrams at each location?  What are you doing for DNS?  I can help quicker with that info.  Also, here are some basic site to site VPN examples if it helps.
    hostname cisco
    domain-name cisco.com
    enable password XXXXXXXX encrypted
    passwd XXXXXXXXXXX encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.0.0.2 255.255.255.0
    interface Ethernet0/2
    nameif backup
    security-level 0
    no ip address
    interface Ethernet0/3
    nameif outsidetwo
    security-level 0
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.com
    same-security-traffic permit intra-interface
    access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
    access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list split standard permit 10.0.0.0 255.255.255.0
    access-list split standard permit 10.90.238.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 1048576
    logging buffered errors
    logging trap notifications
    logging asdm informational
    logging class vpn buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu backup 1500
    mtu outsidetwo 1500
    mtu management 1500
    ip local pool vpnpool 10.0.10.100-10.0.10.200
    ip audit name Inbound-Attack attack action alarm drop
    ip audit name Inbound-Info info action alarm
    ip audit interface outside Inbound-Info
    ip audit interface outside Inbound-Attack
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
    crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address XXX
    crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 1 set transform-set myset
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address XXX2
    crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 2 set transform-set myset
    crypto map outside_map 2 set security-association lifetime seconds 28800
    crypto map outside_map 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map 3 match address XXX3
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 3 set transform-set myset
    crypto map outside_map 3 set security-association lifetime seconds 28800
    crypto map outside_map 3 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy XXXgroup internal
    group-policy XXXgroup attributes
    dns-server value XXX.XXX.XXX.XXX
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    default-domain value domain.local
    username XXX24 password XXXX encrypted privilege 15
    username admin password XXXX encrypted
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key XXXXXXXXXX
    tunnel-group XXXgroup type remote-access
    tunnel-group XXXgroup general-attributes
    address-pool vpnpool
    default-group-policy rccgroup
    tunnel-group XXXgroup ipsec-attributes
    pre-shared-key XXXXXXXXXX
    isakmp ikev1-user-authentication none
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key XXXXXXXXXX
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key XXXXXXXXXX
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
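
The posted configuration carries several settings a reviewer would flag at a glance: an IKEv1 policy using 3DES, MD5 and DH group 2, SSH and Telnet open to any source address, and a remote-access tunnel-group with `isakmp ikev1-user-authentication none` (XAUTH disabled, so the group pre-shared key alone admits a client). The following Python linter is an added example, not code from the thread or from Cisco; it parses ASA running-config text and reports those patterns. The sample config it runs on is constructed to mirror the lines above, with the same XXX placeholders, and the interface name `outside` is assumed to be the untrusted side.

```python
"""Added example: lint an ASA running-config for weak IKEv1 and management-access settings.

Not code from the thread. The sample text below is constructed to mirror the posted configuration.
"""
import re

# Constructed sample modelled on the configuration posted above (placeholders kept as XXX).
SAMPLE_CONFIG = """\
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
tunnel-group XXXgroup type remote-access
tunnel-group XXXgroup ipsec-attributes
 pre-shared-key XXXXXXXXXX
 isakmp ikev1-user-authentication none
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
POLICY_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}
TUNNEL_SUBCMDS = {"pre-shared-key", "isakmp", "ikev1", "peer-id-validate", "chain", "trust-point"}


def is_any_source(addr, mask):
    """ASA shows an unrestricted source as '0.0.0.0 0.0.0.0'."""
    return addr == "0.0.0.0" and mask == "0.0.0.0"


def lint_asa_config(text, untrusted_ifaces=("outside",)):
    """Return findings as (severity, line_number, message) tuples, in config order."""
    findings = []
    policy = None        # open 'crypto isakmp policy N' block
    tunnel_group = None  # open 'tunnel-group NAME ipsec-attributes' block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        toks = line.split()
        arg = toks[1] if len(toks) > 1 else ""
        m = re.fullmatch(r"crypto (?:isakmp|ikev1) policy (\d+)", line)
        if m:
            policy, tunnel_group = m.group(1), None
            continue
        m = re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            policy, tunnel_group = None, m.group(1)
            continue
        if policy is not None and toks[0] in POLICY_SUBCMDS:
            where = f"isakmp policy {policy}"
            if toks[0] == "encryption" and arg in WEAK_ENCRYPTION:
                findings.append(("medium", lineno, f"{where}: weak cipher {arg}, prefer aes-256"))
            elif toks[0] == "hash" and arg in WEAK_HASH:
                findings.append(("medium", lineno, f"{where}: weak hash {arg}, prefer sha"))
            elif toks[0] == "group" and arg in WEAK_DH_GROUPS:
                findings.append(("medium", lineno, f"{where}: weak DH group {arg}, prefer 14 or higher"))
            continue
        if tunnel_group is not None and toks[0] in TUNNEL_SUBCMDS:
            if line == "isakmp ikev1-user-authentication none":
                findings.append(("high", lineno,
                                 f"tunnel-group {tunnel_group}: XAUTH disabled, "
                                 "the group pre-shared key alone admits a client"))
            continue
        policy = tunnel_group = None  # any other top-level command closes the open block
        if toks[0] in ("ssh", "telnet") and len(toks) == 4:
            proto, addr, mask, iface = toks
            anywhere = is_any_source(addr, mask)
            if proto == "telnet":
                findings.append(("high" if anywhere else "medium", lineno,
                                 f"telnet (cleartext) allowed from {addr} {mask} on {iface}"))
            elif anywhere:
                sev = "high" if iface in untrusted_ifaces else "low"
                findings.append((sev, lineno, f"ssh allowed from any source on {iface}"))
    return findings


if __name__ == "__main__":
    for severity, lineno, message in lint_asa_config(SAMPLE_CONFIG):
        print(f"{severity:6} line {lineno:3}: {message}")
```

Feed it the output of `show running-config` saved to a file; the sub-command detection relies only on the keyword, so it works whether or not the ASA's one-space indentation survived copy-and-paste, as it did not in the post above.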

  • ASA and Cisco VPN question

    I am having an issue on a new ASA. I am able to connect to the customer's network using the Cisco VPN client, but I am not able to ping or access anything on the customer's network. What needs to be done to fix this?
    Is there a route on the customer's router pointing back to the firewall for the IP range you get when you VPN in?
    Thanks,
    Chris

    Thanks, please rate.
    No, it is needed for PIX as well. On ASA 7.2 the command is "crypto isakmp nat-traversal".
    It is necessary if the VPN client is connecting from behind NAT. It allows IPsec to be encapsulated in UDP port 4500. The Transport tab I mentioned is in the connection entry properties, if you click Modify. You will see "Enable Transparent Tunneling" over UDP.
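
What `crypto isakmp nat-traversal` (and "Enable Transparent Tunneling" on the client) changes on the wire is worth seeing once: IKE starts on UDP/500, and when either side detects a NAT in the path, IKE floats to UDP/4500 with a four-zero-byte non-ESP marker in front of it, ESP packets are wrapped in UDP/4500 with the ESP SPI as the first word, and the peer behind the NAT sends a one-byte 0xFF keepalive to hold the translation open. The Python below is an added example, not code from the thread or from Cisco; it classifies UDP datagrams to those ports according to RFC 2408/7296 (IKE header) and RFC 3948 (UDP encapsulation). All datagrams are constructed inline.

```python
"""Added example: what NAT traversal puts on the wire.

Not code from the thread. Datagrams below are constructed; header layouts follow
RFC 2408 (ISAKMP), RFC 7296 (IKEv2) and RFC 3948 (UDP encapsulation of ESP).
"""
import struct

IKE_EXCHANGES = {
    2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational", 32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH", 36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: four zero octets ahead of IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: single octet sent by the peer behind the NAT


def parse_isakmp_header(data):
    """Decode the fixed 28-byte header shared by IKEv1 and IKEv2."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    ispi, rspi, _next, version, exch, _flags, _msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": IKE_EXCHANGES.get(exch, f"type {exch}"),
        "length": length,
    }


def classify_udp(dst_port, payload):
    """Say what a UDP datagram to an IKE or NAT-T port carries."""
    if dst_port == 500:
        return {"kind": "ike", "port": 500, **parse_isakmp_header(payload)}
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if payload.startswith(NON_ESP_MARKER):
            return {"kind": "ike", "port": 4500, **parse_isakmp_header(payload[4:])}
        if len(payload) >= 8:
            # An ESP SPI of zero is reserved, so a non-zero first word means ESP-in-UDP.
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": "esp-in-udp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def build_ike(exchange, version=0x10, body=b"\x00" * 20):
    """Construct a minimal IKE datagram with the given exchange type (test data only)."""
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, version, exchange, 0, 0, 28 + len(body))
    return header + body


# Constructed sequence: phase 1 on UDP/500, then everything floats to UDP/4500 once NAT is detected.
SAMPLE_DATAGRAMS = [
    (500, build_ike(2)),                                                   # main mode, before NAT detection
    (4500, NON_ESP_MARKER + build_ike(32)),                                # quick mode after the port float
    (4500, struct.pack("!II", 0x0A1B2C3D, 7) + b"\xde\xad\xbe\xef" * 4),   # ESP data, UDP-encapsulated
    (4500, NAT_KEEPALIVE),                                                 # keepalive holding the NAT binding
]


def classify_all(datagrams=SAMPLE_DATAGRAMS):
    return [classify_udp(port, data) for port, data in datagrams]


if __name__ == "__main__":
    for result in classify_all():
        print(result)
```

The practical consequence for the ASA's outside interface is that UDP/500 and UDP/4500 must both reach it; ESP as IP protocol 50 is only seen when no NAT sits between the client and the ASA. Pointing this classifier at a capture of a failing client usually shows which of the three is being dropped.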

  • ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface

    I have a Cisco ASA 5510. I want to allow a VPN connection to be established by a client on one of the inside interfaces (10.20.x.x) to be able to go out the single external interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.x.x) and access resources on that subnet.
    Basically I want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources.
    Is this possible?
    Thanks,
    Tommy

    When we connect any VPN on a device then it is always a TO THE DEVICE connection, and I am afraid we can connect only to the local / nearest interface where the user is connected in the network with respect to the ASA.
    I have seen this scenario working earlier, though, with one of my clients, wherein he had configured his DNS server so that, depending upon the source of the DNS request, an appropriate IP address was provided for the same DNS name. For example, if a user from the IP address range 192.168.0.0 connects to abc.com then it will get IP address 192.168.1.1, and if a user from the IP address range 10.0.0.0 connects then it will get 10.1.1.1.
    If we configure the same scenario as well then your requirement will be fulfilled with the same name; however, VPN has to be enabled on the wireless interface again. If not, then, as you have described, configuring a new domain name for VPN connection only for wireless users should do the deal.
    Regards,
    Anuj

  • ASA 5510 vpn question

    Hi all,
    I have 1 ISP link terminated on an ASA 5510. Can I configure both Easy VPN and site-to-site VPN on that interface?

    Hi,
    Do you mean that you would use the ASA5510 as an Easy VPN Server (where clients would connect to) and also build L2L VPN connections from the ASA5510 to other sites?
    If that is what you mean then I think that should be possible.
    - Jouni

  • VPN Questions... What program should I use?

    I need to connect to a Watchguard Firebox X1000. The only program that I can find that might work is VPN Tracker. I just want to know what program everyone else uses to vpn and why. And if anyone else is in the same predicament as I.

    It looks like the WatchGuard supports IPsec and PPTP, so you ought to be able to use the built-in client.
    If you want to use IPsec and are behind NAT, you can go with VPN Tracker ($); if you aren't behind NAT you can probably use IPSecuritas (free).
    As for what I use, I use Windows' built-in IPsec because NAT-T isn't broken in it (hint hint, Apple...), and I refuse to pay what I consider to be too much for VPN Tracker, which is mostly a GUI for racoon (the built-in open-source IPsec tool). (Of course VPN Tracker did fix NAT-T with their own kernel extension, so I would use it if it were less expensive...)

  • Remote desktop / screen sharing / VPN questions

    Hi all-
    OK, I am trying to set up our all-mac environment to do something in particular - but I am only 'novice' level at VPN stuff and 'noob' to the Apple Remote Desktop and Screen Sharing stuff. I already have screen sharing set up, and also have back to my mac set up - but these both seem to be 'whole computer' control methods, where the remote user takes over the entire target machine. I have a different need, but don't know what terms to use to describe it or how I might achieve it.
    Environment overview:
    2014 iMac, 2009 13" MacBook Pro, 2009 17" MacBook Pro - all running Yosemite.
    2013 AirPort Extreme handling the LAN, both wired and wireless. iMac is wired, MacBooks are wireless.
    iMac: Two users (UserA and UserB, both admins).
    MBP13: Two users (UserB as admin and UserC as standard).
    MBP17: Two users (UserA as admin and UserD as standard).
    I am wondering if this is possible to do, and if so - HOW? :
    UserB sits at the iMac, and is using it. UserA sits at MBP17 and wants to get something done on the iMac, so UserA logs into MBP17 as UserA then remotes into the iMac as UserA and does what they need to do in UserA's iMac account - without making UserB (who is still sitting at the iMac and using it) stop what they are doing.
    Hope this makes sense, and am looking forward to your input.

    UserA must have a user account set up on the iMac that is different from UserB. With this set up, when UserA initiates a Screen Sharing session with the iMac from the MBP17 they will just need to log in with their user account. When they do that a dialog box will pop up asking if they want to share the display with the user currently using the iMac, in this case UserB, or if they want to connect to a Virtual Display, which would give them their own environment separate from UserB, who is already logged in and using the iMac.
    Here is an example of the dialog box UserA should see when they attempt to start a screen sharing session with another Mac on which another person is already logged in and using the Mac. In this case UserA will select the option to connect to the Virtual Display, which allows them to work on the iMac without disturbing the user that is already using the computer. Note that the user already using the iMac may experience a slight performance hit because two users are using the resources of the one computer.
    As for the acronym VPN, it stands for Virtual Private Network, which is a protocol for making an encrypted, secure connection over a public network between two or more separate networks. Screen Sharing actually uses a protocol called VNC, which stands for Virtual Network Computing.
