Which device for L2L VPN

Today we are using a pair, for redundancy, of 2800 routers with crypto cards (AIM-VPN/SSL2) for our VPN Lan2Lan tunnels. The routers can terminate in different VRFs (VRF aware IPsec).
But one thing we are having quite an issue with is configuration. We have to remember to put configuration on both devices individually, which we tend to forget from time to time. And as far as I know they are not able to sync configuration. But I could be wrong...
I know that the ASA can, but then we have to have a lot of contexts which is quite expensive, and brings quite an amount of configuration each time we configure a new context.
Is it possible to find some devices that can handle VRF aware IPsec as well as single device configuration?
Kind regards,
Robert Pedersen

Similar Messages

  • Which devices for J2me

    Hi everyone, I don't know if this is the right topic, but here you can find a lot of J2me programmers...
    I want to buy a J2me enabled phone, because I need to test games that I developed. But some devices are not useful for this, for example the Sharp GX10: it has an IR port, but you cannot use it to download code.
    Do you know which devices I can use to download and test J2me programs? I know that the Nokia 7650 can... do you know others?

    Do you mean download via a data cable, or WAP?
    Via data cable is much better for developers; however, most manufacturers in their infinite wisdom have stopped using data cables.

  • Which device for 24/7 home monitoring?

    I want a device for monitoring my vacation home with a security camera system and controlling the heat from afar.  There is no hardline internet available; I currently get 2-3 bars on my Note 3 and use it as a Mobile Hotspot, but want to leave a device there for controlling the heat or sending an intruder email.  Please recommend a device.  Also, any idea about how much data the cameras or thermostats use?

    Jeffin,
    Jetpacks are not designed to be left online 24x7.  Jetpacks are mobile broadband devices designed for short usage in traveling situations.  If you attempt to treat your Jetpack as a normal home modem or router you will have lots of complaints about its performance.
    VZW offers a few other products that would be better suited for this scenario. The best would be a USB modem and router combo from Pepwave or Cradlepoint.  Reviews always appear to be the best with those devices.  VZW also offers its own 4G LTE router which would perform better than a Jetpack too.  HomeFusion is normally the best choice for home internet replacement, but installation and maintenance may not be ideal for you as a remote home user.
    Granted, anything that depends on wireless tech is going to need to be rebooted every now and then.  Leaving a wireless connection in a location that you do not have common physical access to could be a chore to maintain.  It might be a good idea to find a neighbor in your neighborhood whom you trust with a key and work out a deal where you are able to call them and have them reboot you every now and then.

  • Seeing duplicate hops for L2L VPN?

    With a site to site VPN is it normal to see the destination twice in the results of a traceroute?
    H:\>tracert -d 10.32.1.101
    Tracing route to 10.32.1.101 over a maximum of 30 hops
      1    <1 ms     1 ms     1 ms  10.170.2.2
      2     *       39 ms    40 ms  10.32.1.101
      3    38 ms    39 ms    40 ms  10.32.1.101
    Trace complete.
    H:\>tracert -d 10.32.1.101
    Tracing route to 10.32.1.101 over a maximum of 30 hops
      1     5 ms    17 ms     7 ms  10.170.2.2
      2    39 ms    38 ms    39 ms  10.32.1.101
      3    39 ms    38 ms    38 ms  10.32.1.101
    Trace complete.
    H:\>
    10.170.2.2 is the core, which then has a route that states to get to this network (10.32.1.101) go to my ASA firewall, which then crosses an L2L tunnel.

  • Is there any way to configure domain name in place of IP address for "Peer VPN device"

    Hi,
    When I configure site-to-site VPN on the ASA it asks for the IP address of the remote VPN device, and it works pretty fine if I configure it like this.
    The problem is that the remote VPN device does not have a static IP address; it changes on every reboot. I have configured Dynamic DNS for the interface, but the problem is the ASA does not take a domain name as the "peer VPN device" address.
    Is there any workaround for this issue so that I don't need to configure the VPN from scratch every time the IP address of the remote device changes?
    P.S. The ASA VPN configuration also does not allow me to change just the IP address of the remote device in the VPN configuration; I have to delete the current VPN and configure a new one from scratch every time the IP address changes.
    Thanks

    Hello Mahendra,
    Yes, you can set a hostname in the 'crypto map set peer' command instead of an IP address; however, the ASA will resolve that name only once it is applied, hence it will take the IP that name currently holds, and if it changes, it will not update it.
    The easy solution for your case is to use static-to-dynamic L2L configuration. On your ASA, configure a dynamic crypto map, assign it to the static crypto map you have, and then add the pre-shared key to the Default L2L tunnel-group.
    An example is given below:
    crypto dynamic-map dyn_map <seq> set transform-set <transform-set-name>
    crypto map VPN <seq> ipsec-isakmp dynamic dyn_map
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key <key>
    This way, you must initiate the tunnel from behind the remote device (not your ASA where the dynamic crypto map is configured) and it should work fine.
    The document below explains that in detail:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml
    Hope that helps,
    Othman

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • TS1646 We have several apple devices in our family who use my debit card for itune charges.  I need to find out which device (itune account) these charges are coming from.  Can you help?

    We have several apple devices in our family who use my debit card for itune charges.  I need to find out which device (itune account) these charges are coming from. Can you help?

    You can't tell which device a purchase was made on, but if your family members each have their own iTunes account to which your card is linked, then you can check the purchase history on each of those accounts via the Store > View Account menu option in your computer's iTunes. That should have a 'purchase history' section with a 'see all' link to the right of it.

  • Which device do I get for my iphone 5 to charge in the car

    Which device do I purchase to charge my Iphone 5 in the car?

    You will need to send the phone. You can call AppleCare to set this up. They can send to you first, but it does require a hold on your card for the full amount of the new phone until they get the old one back. Again, AppleCare can help with this.

  • Have received an email from apple to say my ID has been used to download an emoticon package for £15.99 - it was not me. is there a way to find out which device it is? and to get my money back? ta

    have received an email from apple to say my ID has been used to download an emoticon package for £15.99 - it was not me. is there a way to find out which device it is? and to get my money back? ta

    It is a phishing attempt. Do not respond. Do not divulge any personal or financial information. You can use the address below to forward the suspect email message to Apple.
    [email protected]
    The link below has information to help identify fraudulent emails.
    http://support.apple.com/kb/HT4933

  • [Android] Choose on which device i like to download for offline mode

    On the slider to make a playlist available offline, it would be nice to have an option to choose which device to do that on. For example: I'm listening in the desktop app at work, and I find a playlist that would be nice to listen to on a trip this weekend; I simply click "make available on my phone" to listen later.
    That's a button I would use a lot!
    Hope I helped, thanks!

    Updated: 2015-08-04
    Hi and thanks for your contribution! A similar idea has also been suggested here:
    https://community.spotify.com/t5/Live-Ideas/Your-Music-Add-and-Remove-Offline-music-on-Desktop-for-mobile/idi-p/1139538
    Add your kudos and comments there please!

  • HT1420 hi, i need to deauthorize computers for home-sharing but i don't know which devices they are. how can i identify them?

    Hi, I need to deauthorize computers for Home Sharing but I don't know which devices they are. How can I identify them?

    There's no list available from your end. If you're out of authorizations, use the Deauthorize All function.

  • Which wireless router do I need for multiple VPN tunnels?

    I work at home and I connect to my office VPN (SSH Extranet Client) through cable broadband. I need to have 2 VPN tunnels open as I frequently have my laptop and desktop connected to my work VPN. I've had a BEFSX41 for the past 3 years and it's worked well as it allowed for 2 VPN tunnels. It just died on me a few days ago and I would like to go wireless now. What wireless router(s) would meet my needs? Thanks in advance for any input.

    Hi, the WRV200 will be a good choice. It supports up to 50 tunnels and has wireless capabilities.

  • For a shared apple ID (in the family), can I tell which device purchased a song

    My family shares an apple ID.  How do I determine which device purchased a song?

    Hi spunsilk327,
    Take a look at the family members to see what purchases they can share, and that should help figure out who purchased what. If you want to make it easier, turn on Ask to Buy, and that way in the future you will be notified who is making a purchase.
    Sharing purchased content with Family Sharing
    http://support.apple.com/en-us/HT201085
    Request and make purchases with Ask to Buy
    http://support.apple.com/en-us/HT201089
    Regards,
    -Norm G. 

  • L2L VPN Issue - one subnet not reachable

    Hi Folks,
    I have a strange issue with a new VPN connection and would appreciate any help.
    I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
    I have recently added 2 new L2L VPNs. Both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the customer end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
    VPN 1 is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network: DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
    VPN 2 is for traffic from the customer subnet 192.168.1.0/24.    Devices in this subnet should be able to access the same 2 subnets on my network: DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly: the customer can access DMZ 144, but not DMZ 211.
    There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211.  This counter does increment when they send test traffic to DMZ 144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ 211 interface (although I can see traffic sent to DMZ 211 if it is sourced from 10.2.1.0/24, i.e. when it uses VPN 1).
    NAT exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
    There is a route to both customer subnets via the same next hop.
    There is nothing in the logs to indicate that traffic from 192.168.1.0/24 is being dropped.
    I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted. I don't know if this can be done however, and I haven't really found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ 211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
    Here is the relevant vpn configuration:
    crypto map MY_CRYPTO_MAP 90 match address VPN_2
    crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
    crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP 100 match address VPN_1
    crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
    crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP interface isp
    ASA# sh access-list VPN_2
    access-list VPN_2; 6 elements; name hash: 0xa902d2f4
    access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
      access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
      access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
      access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
    ASA# sh access-list VPN_1
    access-list VPN_1; 3 elements; name hash: 0x30168cce
    access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
    access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
    access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
    nat (dmz144) 0 access-list nonatdmz144
    nat (dmz211) 0 access-list nonatdmz211
    ASA# sh access-list nonatdmz144
    access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
    access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
    access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
    access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
    access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
    access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
    ASA# sh access-list nonatdmz211 | in 192.168\.1\.
    access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
    ASA# sh access-list nonatdmz211 | in 10.2.1.
    access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
    route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
    route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
    Thanks in advance to anyone who gets this far!

    Darragh
    Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
    It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from them, then that would be one way to show that there is a problem on the remote side.
    Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
    HTH
    Rick
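One way to check the "NAT exemption is configured for both" statement above against the actual ACL contents is to test every crypto-map ACL entry for a NAT-exemption entry that fully covers it (same local interface network as source, remote network as destination, both at least as wide). The script below is an added example written for this page, not code from the thread or from Cisco. Its sample input is constructed from the `show access-list` output quoted in the post, abridged, with the dmz211 exemption ACL named nonatdmz211 to match the `nat (dmz211) 0` line (the quoted output prints it as nonatdmz1). On that input it reports the VPN_1 entry for 192.168.144.0, whose 255.255.252.0 mask is wider than the 255.255.255.0 exemption in nonatdmz144, and the two host 192.168.146.29 entries, for which no exemption appears in the quoted output; whether either matters for the DMZ 211 symptom is not something the check can decide, it only narrows the places to look.

```python
import ipaddress
import re

# Constructed sample input, modelled on the "show access-list" output quoted in the post.
# Headers, object-group summary lines and the hitcnt/hash suffixes are kept in the ASA format.
CRYPTO_ACLS = {
    "VPN_2": """\
access-list VPN_2; 6 elements; name hash: 0xa902d2f4
access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
  access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
  access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
  access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
""",
    "VPN_1": """\
access-list VPN_1; 3 elements; name hash: 0x30168cce
access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
""",
}

# NAT-exemption ACLs referenced by "nat (dmz144) 0" and "nat (dmz211) 0" (abridged, constructed).
NAT_EXEMPT_ACLS = {
    "nonatdmz144": """\
access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
""",
    "nonatdmz211": """\
access-list nonatdmz211 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
access-list nonatdmz211 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
""",
}

# One expanded ACE: "access-list NAME line N extended permit ip <src> <dst> [(hitcnt=N)] 0xHASH"
ACE_RE = re.compile(
    r"^\s*access-list \S+ line \d+ extended permit ip (.+?)(?: \(hitcnt=\d+\))? 0x[0-9a-f]+\s*$"
)


def _take_network(tokens):
    """Consume one address spec (any / host A / A MASK) from tokens; return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # "address netmask" pair; strict=False tolerates a host bit set under a typo'd mask
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acl(text):
    """Return [(src_net, dst_net), ...] for the expanded ACEs in 'show access-list' output.
    Object-group summary lines are skipped because the ASA prints their expansion indented below."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL header or an ACE type this check does not handle
        tokens = m.group(1).split()
        if "object-group" in tokens:
            continue
        src, rest = _take_network(tokens)
        dst, _ = _take_network(rest)
        entries.append((src, dst))
    return entries


def is_exempted(exempt_entries, local, remote):
    """True when some NAT-exemption ACE covers the whole local->remote crypto ACE."""
    return any(local.subnet_of(es) and remote.subnet_of(ed) for es, ed in exempt_entries)


def find_uncovered(crypto_acls, nat_exempt_acls):
    """Return [(crypto_acl_name, local, remote), ...] for crypto ACEs with no covering exemption."""
    exempt = [e for text in nat_exempt_acls.values() for e in parse_acl(text)]
    return [
        (name, local, remote)
        for name, text in crypto_acls.items()
        for local, remote in parse_acl(text)
        if not is_exempted(exempt, local, remote)
    ]


if __name__ == "__main__":
    for name, local, remote in find_uncovered(CRYPTO_ACLS, NAT_EXEMPT_ACLS):
        print(f"{name}: {local} -> {remote} has no NAT exemption covering it")
```

Feed it the unabridged `show access-list` output for every crypto-map ACL and every `nat 0` ACL; an entry it reports is either a real gap (traffic would be NATed instead of matching the crypto ACL) or a mask typo such as the /22 above, and both are cheaper to rule out than a capture on the isp interface.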

  • HA between Dedicated T1 and L2L VPN

    I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
    We had discussed the routing protocol OSPF but would like to avoid the convergence issues that could arise and affect other customers in the same DMZ.
    What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail? I had mentioned changing the metrics, but this will not identify a problem on the line should the customer's Ethernet link go down.
    Feel free to include any ideas that would use routing protocols.

    I had to revisit this configuration. I had decided, since we are not going to use a routing protocol, that a floating route between the T1 router and VPN is the best solution. Although this should work if the router or the router's Ethernet goes down, it should fail if the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
    But it is not failing?
    I have attached a diagram.
