VPNs and address schemes

Years ago I setup my addressing scheme using 192.168.1.x. Now I
sometimes have users connecting to our network over a VPN. And
frequently their local network (home wifi, hotel wifi, etc) are also
using 192.168.1.x. This ends up causing connection problems. I have
had a couple users change their home networks to something else and
their problems went away. Short of me re-doing all my network
addresses, is there something I am missing that would solve this
problem? Some way to handle VPNs so the PCs don't confuse their local
IPs with my IPs?
Thanks,
Ken

> Years ago I setup my addressing scheme using 192.168.1.x. Now I
> sometimes have users connecting to our network over a VPN. And
> frequently their local network (home wifi, hotel wifi, etc) are also
> using 192.168.1.x. This ends up causing connection problems. I have
> had a couple users change their home networks to something else and
> their problems went away. Short of me re-doing all my network
> addresses, is there something I am missing that would solve this
> problem? Some way to handle VPNs so the PCs don't confuse their local
> IPs with my IPs?
I hate this problem, for the same reasons you've mentioned. Personally,
if I had a company network, I'd put it randomly somewhere in the 10.x.x.x
range just to avoid this since most home networks take the 192.168.0.x or
192.168.1.x space. Some hotels may use 172.16.x.x or 10.x.x.x, but with a
random range of your own hopefully it'll work out.
Alternatively, maybe push out explicit routes to what they need so while
they can keep their own network operational any attempts to reach
192.168.1.37 (a specific server they need to access) will have an explicit
route on their machine pushed out by the VPN software, telling the box to
use the VPN connection. Doing that for all of your boxes may be....
onerous. Still, it's the only workaround that comes to mind as being
slightly reasonable and not involving changing your network around.
A slightly less-fun idea: VPN network gets its own range, and then you put
boxes there that people can remote-control which can access the rest of
the network. Terribly inefficient if the person wants to do something
that is not great via a GUI, or if their connection is slow, but you could
make it work. Bleh.
Good luck.

Similar Messages

IpSec VPN and NAT don't work togheter on HP MSR 20 20

Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
I'm missing something but i don't know what it is !!!!, See below the configuration.
Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1

ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab

Cisco ASA Site to Site IPSEC VPN and NAT question

Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.

Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni

SSL VPN IP Address Assignment from IAS radius server

Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?

Hi,
I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
If you have any question do not hesitate to contact me.

Clientless SSL VPN and ActiveX question

Hey All,
First post for me here, so be gentle. I'll try to be as detailed as possible.
With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports. However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center. I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup. Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective. My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server). I am unable to browse (via bookmark) to the internal address of the remote web server. Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal. I am testing this external connectivity using a cell card to be able to simulate outside access. Is accessing the external IP address by design, or do I have something hosed?
Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions. I am not able to use controls that require my company's ActiveX controls (video, primarily). I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through. The stream only runs at about 5 fps, so it's not an intense stream.
I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail. I do see a decent number of "no translates" from a show nat:
match ip inside any outside any
NAT exempt
translate_hits = 8915, untranslate_hits = 6574
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_in extended permit icmp any any log notifications
access-list outside_in extended permit tcp any any log notifications
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.16.34 / syslog *****
mtu inside 1500
mtu outside 1500
ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.16.32 255.255.255.224
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
192.168.2.0 is my corp network range
192.168.2.171 is my internal IP for corp ASA5510
97.x.x.x is the external interface for my corp ASA5510
192.168.16.34 is the internal interface for the remote ASA5505
64.x.x.x is the external interface for the remote ASA5505
192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505. I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN. Am I going about this the right way? Anyone have any suggestions, or do I have my config royally hosed?
Thanks much for any and all ideas!

Hey All, I appreciate all of the views on this post. I would appreciate any input - even if you think it might be far-fetched. I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself. Thanks, in advance!!

Performance end to end testing and comparison between MPLS VPN and VPLS VPN

Hi,
I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
I would appreciate any support, guidence, advice.
Thanks
Shahbaz

Hi Shahbaz,
I am not completely sure I understand your request.
MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
Ingress PE impose 2 labels (at least)
Core Ps swap top most MPLS label
Egress PE removes last label exposing underlying packet or frame.
So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
Riccardo

VPN and Remote Desktop Connection

I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any
other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must
be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails everytime. I'm not sure where the issue exists since it appears the server
is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
Thanks for your help.
I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls
will be accepted to this port.
A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to
retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

Morning Trent,
I don't know if this is still an issue for you, did you get it solved?
If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured
to use on the server.

Configuring Admin Util to allow me to use VPN AND surf the rest of the net

I am having a problem when I connect to my work network via VPN. When I do, I can no longer connect to the rest of the Internet. I was able to do this until I started using an Express (so it has been allowed by my work network).
Here's my setup: Express is connected via Ethernet to my Verizon Fios modem. When I connect my computer directly to the Verizon modem all works fine. I have been advised that what's happening is that my Airport Express is creating a behind-the-device network that has the same exact IP address space as your office's network (when I'm connected to it via VPN).
To fix this I've been told to "Go into the Airport administration app, click on the "Internet" icon at the top of the configuration pane for your AE, then click on the "DHCP" tab, and look at what the "DHCP Range" pull-down menu is currently set to. After writing this down (in case you need to go back to it), change to one of the other options -- e.g., if it's currently set to "10.0.", change to "192.168." or "172.16". That should be enough to move you completely out of the space that your VPN is using. Save the changes, let your AE reboot, and try using the VPN and the internet at the same time again."
The problem is that the advisor is using Airport Admin Util version 5.x and I am using version 4.2. The screen he suggests is not where his is in his version. Could someone advise me of how I can do this via 4.2?

Reset your iPad and see if that fixes this.
Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider if it appears on the screen - let go of the buttons. Let the iPad start up.

WRV54G and VPN and Windows 2003 Server

Hello. I use Windows 2003 Server on my laptop and trying to establish VPN into my WRV54G. QuickVPN is not compatible with the OS, so that's not an option. I tried the manual setup and I got to a point where I had to enter the destination IP address. I use a DynDNS address and so I won't have a static IP.
I'm using firmware version 2.39.2.
Thoughts?
Thanks!

First thing i would like you to check is if you are able to "ping" the WAN ip address for the WRV54G.
Also what are the settings that you have on the WRV ??? typically the remote secure group and remote security gateway should be set at "any".
In the WRV...under the VPn go to advanced VPN and sset the mode to "agressive" , enable keep-alive and netbios broadcast....
let me know if this work or let me know a few more details.

Problem SSO between VPN and NAC

Hello
Description of our problem : SSO doesn't work
-on the first connexion from vpn client we insert two time the login and password :one time for the client vpn and the seconde time for CAA (clean Access agent).
-although for the other connexion that succeed, we insert only one time the login and password (for vpn only) and for CAA the connexion is done automatiquely and a some hours later we reinsert two times login and password for vpn and CAA.
The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
Step 1 Add Default Login Page =ok
Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
Step 3 Enable L3 Support on the CAS = ok
Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
Step 9 Add VPN Concentrator as a Floating Device =ok
Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
the database for vpn authentication is cisco secure acs(192.168.1.30).
Tanks to any anybody to give us a possible solution.
FILALI Saad
Ares Maroc

Hi
I have just gone the the same issues with SSO VPN with my CAS in real-ip mode.
First thing to consider, when your testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.
1. Make sure you have a fully functional DNS system on the inside network, I didnt realize how important it was to have forward and reverse look ups for your CAS and CAM. Make sure that all CAS and cams are listed in dns with correct domain names.
This in very important if your running your own CA certificates on cas and cam. Make sure that the CAM and CAS can resolve each other via dns. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they cant perform dns look ups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldnt resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.
2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.
3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users, has been setup with the radius accounting being directed the INSIDE interface IP address of your CAS, (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the cas to check) if your running in VGW mode then you only have 1 ip address to direct it to anyway.
Follow from step 15 in following link
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my vpn user and pass, that the ASA authenticates the vpn user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you dont see this radius accounting message hit the CAS interface go back to my step 3 and resolve.
4. Finally check that you have not mistyped a shared secret somwhere, ie between CAM and ACS, Between ASA and ACS, Between ASA and CAS. I had all my users authenticate though radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.
Try these things first.
Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
You may find it useful too.
Dale

Multicast Addressing Scheme

Hi,
I've been asked to implement a Multicast addressing scheme for the University i am currently working at and would be grateful if someone could confirm my thinking as i haven't done a lot with Multicast before.
We have 6 main sites at the University that are currenrtly being moved over to a 10.* based addressing scheme with /12 masks:
site 1 - 10.16.0.0 /12
site 2 - 10.32.0.0 /12 etc...
Looking at the Multicast addressing RFC 2365, it would appear that local Multicast addressing needs to be allocated from 239.192.0.0 255.252.0.0 so i am thinking of taking the second octet of the 10.* scheme and using it in the 3rd of the Multicast scheme so we have some kind of addressing structure and allocating the Multicast addressing with /12 masks as follows:
site 1 = 239.192.16.0 /20
site 2 = 239.192.32.0 /20 etc..
Am i on the right track here?
TIA
Paddy

Salman,
Firstly many thanks for the information.
As usual, this leads me on to further questions about implementing multicast in our routed environment :)
As mentioned previously we have 6 main sites on the network, which are connected together using 100 Mbps LAN Extension circuits, they are not in a full mesh but each site is connected to two others so there is some kind of resilience. There are also smaller satellite sites connecting into each of the main sites using WAN links from 2 Mbps serial connections up to 10 Mbps LAN extensions.
As the multicast addressing scheme is going to be based loosely on the 10.* scheme and we will be using sparse mode I am thinking of manually configuring rendezvous points at each major site so all local site multicast traffic (from the satellite sites to the main site) at each location is controlled at the major site router as this is more than likely where the servers supplying multicast services will be located, is this the correct way to go?
If we are using PIM on all the WAN links between all sites, my understanding is that clients at any site will be able to use multicast services from servers at any site as PIM will populate the multicast routing tables on all routers with PIM enabled interfaces, and IGMP will control the queries and reports from around the network populating the multicast groups wherever they reside in the network - does this sound correct?
Also is it best to use CGMP between the LAN and WAN, Ive read that its much less resource intensive than IGMP snooping, does the fact that we are using IGMP on the WAN which I believe is enabled by default when using PIM have any issues with using CGMP between the LAN and WAN?
We have some pretty old switches at some of the network campuses (1900's), these are all being replaced in the next 8 months or so with 3750's. It looks like the 1900's support CGMP, however when looking at the support matrix for multicast the 6000 series switches don't support CGMP and we will be looking to put these into our main sites at the network core. Does this mean that there is a move towards IGMP snooping over CGMP, can both be implemented at the same time. I think there is a push to get multicasting working here quickly so we might have to go with CGMP to start and then move over to IGMP snooping, any thoughts on this would be appreciated
TIA
Paddy

VPN and intergrated email service.

I am wondering if anyone can aid me...
Set up VPN on z10, works through browser but cannot connect to email server thru add email account settings. Tested hotspot with laptop and outlook which works fine.
Carriers ip address is blocked which is why I set up vpn, is their anyway to run the integrated email thru vpn?
Forgive me if the terminology isn't correct but I'm not a networking guru.
Thanks

Hi!
I have 2 VPN, they are home & business, and I can send and receive e-mails through both tunnels, same without VPN as well. So problem lies somewhere at another place
Try to use e-mail without VPN and if You'll can, problem is in VPN settings, if not, then something is wrong with You e-mail account settings.
If problem is with VPN, then something wrong is with server firewall or ports forwarding most probably.
While You aren't network guru, I suggest to talk with e-mail tech support or VPN tech support according which case You have

2 networks ( VPN and local)

I am using an Airport Extreme Base Station that is connected to a cable modem and has a USB cable to an HP Laserjet 1200 printer. When I use VPN access to reach my work network from home (temporary change of IP address occurs) I can longer print via USB. Have to log out of VPN to be able to print. Is there any way to simultaneously be logged in via VPN and also have access to my local printer that is connected as above ?

Sorry -- I may not have been clear enough. Everything
is occurring at home. I am using VPN to access my
network at work
Are you using the OS X to make the VPN connection or third party software.
and I simultaneously want to print at
home using my printer connected to the base station
via USB
What you need to realise is that when your Mac is connected via VPN it is on a different network.
In order to print either your Mac has to disconnect the VPN, or your Airport Express needs to be part of the work network. The only real way to do this is via a compatible router. In other words the router makes the VPN connection rather than the Mac.

OS X Server VPN and OS X Client VPN Kerberos issue

I set up OS X Server Leopard at home. I configured VPN on the server. I opened all of the recommended ports and then some.
I've added the OS X Server to Directory Utility on my OS X client. I've configured a System Preferences > Network > VPN for the connection. I set it up for L2TP using the external address for my server at home, my username in Open Directory, and selected Kerberos for authentication. When I try to connect with the OS X VPN client it asks me to authenticate to [email protected] not [email protected]
Does anyone have any idea where I should look to see why my OS X Client VPN Client is not trying to authenticate me using Kerberos to my home server but rather choosing my home username and my work Open Directory server? I looked on the forums but I don't see anyone describing this problem with VPN and Kerberos.
Thanks in advance

Brandon Macinnis wrote:
Dnar,
Thanks for the follow up bit about using the smbutil statshares command. I used that and could confirm that I am also able to force it to connect with smb2. Oddly though, in the stat share info it still says "AUTO_NEGOTIATE"
SMB_NEGOTIATE AUTO_NEGOTIATE
SMB_VERSION SMB_2.1
But maybe that just means something else and not the fact that it did not auto negotiate to SMB. I guess for now this will be what I have to do to use smb2.
I think in this case the AUTO_NEGOTIATE merely means it will auto negotiate a connection between SMB1, SMB2, and (from your data) also SMB2.1 this would have nothing to do with auto negotiating between SMB2 and AFP, which from this thread appears broken.
I also would like to thank Brandon for the tip about smbutil statshares, I had been looking for a simple way to tell what version of SMB was being used to test my NAS.
For everyone's benefit, it would appear from the above that whilst Apple advertise Mavericks as using SMB2 they have gone as far as implementing SMB2.1 and merely list it only as SMB2 for simplicity and due to the fact there is not a huge different between SMB2 and SMB2.1
See http://en.wikipedia.org/wiki/Server_Message_Block#SMB_2_and_3

VPN and Internet Connection Sharing? (bridging remote networks)

I'd like to try an experiment and some advice from this list will be useful.
+Summary: Can a Mac with two interfaces activate VPN and Internet sharing simultaneously to bridge two remote networks?+
I've created a PPTP VPN server on our XServe at work and opened the appropriate ports on our firewall. This and a second location are linked with standard (but fast) ADSL broadband. I can log in from both Mac and Windows VPN clients at an external location and indeed the experience is just like being at work- printers, file servers and other resources (eg networked Filemaker databases) are all visible. Yay.
Question: Is it possible to extend this concept further by logging onto our VPN with once interface (eg Airport) +and then+ enabling Internet Sharing through the second interface (eg Ethernet)? Will this allow a small network connected through the second interface to all behave as though they are on the work network, with transparent access to fileservers, printers and so on, without each bothering individually with VPNs and so on? I suspect there are physical boxes that will do this, but it would be wonderful to know if I can get a Mac with two NICs to do the same job, acting as a router between the two networks. Are there any limitations to this? I am happy to tweak under the hood if need be. I just need to know if this is possible, even in theory, and what the limitations might be.
Thanks.

Hey Nathan...
My VPN is down at the moment, but I think your going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses... one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
So, if you can find a way to set up your shared clients the same way.... it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office....192.168... for one...and 10.0.0 for the other. (Whether traffic will pass thru your "sharing server" is a different matter altogether.)
Now, and I'm really guessing here.. if this works at all... you may be only able to access stuff from the office on your "shared clients" (ie no internet).... the way around that is to set up your VPN to allow VPN clients to pull stuff from the internet from the office thu the VPN... and for the life of me don't remember how that is done. But it will most likely be a bit slow.
I'd start with the basics... setup one client with a manual IP address/router/dns servers, and try to ping a computer at the office. If this works... at least part of your problem is solved.
With all that said... it may not work at all. Good Luck!

VPNs and address schemes

Similar Messages

Maybe you are looking for