VPN router-cisco vpn client routing issue

Hello

I have problem with VPN connection. My configuration is:
client (XP with Cisco VPN Client 4.0.5)--->Internet-->router 2621 with 12.3
Everything with the VPN connection looks very good.
I can successfully establish a new connection, but after that
I can reach by ping only the Cisco router.
The PC gets a static default route through the router,
the router adds a static route to the PC (RRI - reverse route),
but I can reach only the router from the PC (from the router the PC is accessible too).

I am waiting for some clue.....

regards,
Michal


Below is attached my current configuration.


Pings between the router and the PC are encrypted and decrypted;
this is part of my show crypto ipsec sa output:

interface: FastEthernet0/0
Crypto map tag: dynmap, local addr. 212.244.176.125
protected vrf:
local ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
current_peer: 213.238.96.166:30304
PERMIT, flags={}
#pkts encaps: 35, #pkts encrypt: 35, #pkts digest 35
#pkts decaps: 76, #pkts decrypt: 76, #pkts verify 76
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Current configuration : 2839 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pilagw_vpn
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5
!
username root privilege 15 password
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local
aaa authorization network vpn local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip cef
!
!
no ip domain lookup
ip domain name winkowski.pl
!
no ip bootp server
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group vpn
key cisco
domain winkowski.pl
pool remote-pool
!
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set t1
reverse-route
!
!
crypto map dynmap isakmp authorization list vpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address 211.224.126.xxx 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.18.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
ip local pool remote-pool 192.168.18.50 192.168.18.99
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 212.244.176.65
ip route 192.168.5.0 255.255.255.0 192.168.18.1
!
!
logging history debugging
logging trap debugging
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 3600 0
privilege level 15
transport input telnet
line vty 5 15
exec-timeout 3600 0
privilege level 15
transport input ssh
!
scheduler allocate 4000 1000
! 


oz7785 (1)
1/12/2005 10:42:16 PM
comp.dcom.sys.cisco

OZ wrote:
> Hello
> 
> I have problem with VPN connection. My configuration is:
> client (XP with Cisco VPN Client 4.0.5)--->Internet-->router 2621 with 12.3
> Everything with the VPN connection looks very good.
> I can successfully establish a new connection, but after that
> I can reach by ping only the Cisco router.
> The PC gets a static default route through the router,
> the router adds a static route to the PC (RRI - reverse route),
> but I can reach only the router from the PC (from the router the PC is accessible too).
> 
> I am waiting for some clue.....
> 
> regards,
> Michal
> 
> 
> Below is attached my current configuration.
> 
> 
> Pings between the router and the PC are encrypted and decrypted;
> this is part of my show crypto ipsec sa output:
> 
> interface: FastEthernet0/0
> Crypto map tag: dynmap, local addr. 212.244.176.125
> protected vrf:
> local ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
> remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
> current_peer: 213.238.96.166:30304

The above is weird.  The SA is automatically building wrong.  Without a 
crypto ACL on the VPN group, it should build from local ident 
0.0.0.0/0.0.0.0/0/0.  This is the problem.  Try creating an ACL like this

ip access-list extended vpn
  permit ip 0.0.0.0 255.255.255.255 192.168.18.0 0.0.0.255

Then apply it to the group vpn

crypto isakmp client configuration group vpn
  acl vpn

I know I will get flamed for this because it is not advised to use any 
in an ACL for crypto.  However, any as the source is the same as 
disabling split tunneling.



-- 
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
PES
1/12/2005 11:02:59 PM
In article <cs4942$gso$1@213.238.96.166.adsl.inetia.pl>,
OZ <oz@vio.pl_cutit> wrote:
:I have problem with VPN connection. My configuration is:
:client (XP with Cisco VPN Client 4.0.5)--->Internet-->router 2621 with 12.3
:Everything with the VPN connection looks very good.
:I can successfully establish a new connection, but after that
:I can reach by ping only the Cisco router.
:The PC gets a static default route through the router,
:the router adds a static route to the PC (RRI - reverse route),
:but I can reach only the router from the PC (from the router the PC is accessible too).

:crypto isakmp client configuration group vpn
:key cisco
:domain winkowski.pl
:pool remote-pool

:crypto map dynmap isakmp authorization list vpn
:crypto map dynmap client configuration address respond
:crypto map dynmap 1 ipsec-isakmp dynamic dynmap

:!
:interface FastEthernet0/0
:description $FW_INSIDE$$ETH-LAN$
:ip address 211.224.126.xxx 255.255.255.192
:crypto map dynmap

:interface FastEthernet0/1
:ip address 192.168.18.254 255.255.255.0
:crypto map dynmap

You probably don't want the same crypto map applied to both
interfaces. You only want to apply the crypto map to FE0/1
if you have -inside- hosts that will be VPN'ing to the router.

:ip local pool remote-pool 192.168.18.50 192.168.18.99

:ip route 192.168.5.0 255.255.255.0 192.168.18.1

Where did that 192.168.5.0 come from? You don't have any
other reference to it.

It appears to me that your problem is that you hand the remote
system an IP address from remote-pool which is the same
IP range as your inside interface. When your inside hosts try
to send to that IP, they are going to expect the IP to be
local, not remote, and so are not going to try sending to
the IP via the router. The only way to get that to work would
be if your inside hosts were paying attention to routing
information such as RIP2 and you configured RIP to 'redistribute
static' in the information it sent out to the inside hosts.

The easiest way to cure the problem is to use a different IP range
for the remote-pool, after which you can probably turn off reverse route.

ip local pool remote-pool 192.168.19.50 192.168.19.99

This IP range is not the inside IP range, so inside hosts will
use the default gateway and send traffic to those IPs to the router.
The router will then find the security association in its
tables and know to send the traffic to the VPN client.

See for example the below example. It is a more complicated case
than what you need, but it's what I found first ;-) Notice
in particular that the IP range assigned to the client is not
that of any of the interfaces of the routers involved.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml

Do not, by the way, just change your pool to 192.168.5/24 without
getting rid of that ip route statement -- you don't want the
traffic outbound to the clients to be redirected to the inside LAN.
-- 
'ignorandus (Latin): "deserving not to be known"'
   -- Journal of Self-Referentialism
roberson
1/12/2005 11:11:53 PM
> The easiest way to cure the problem is to use a different IP range
> for the remote-pool, after which you can probably turn off reverse route.
>
> ip local pool remote-pool 192.168.19.50 192.168.19.99
>
> This IP range is not the inside IP range, so inside hosts will
> use the default gateway and send traffic to those IPs to the router.
> The router will then find the security association in its
> tables and know to send the traffic to the VPN client.
>
> See for example the below example. It is a more complicated case
> than what you need, but it's what I found first ;-) Notice
> in particular that the IP range assigned to the client is not
> that of any of the interfaces of the routers involved.
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml
>
Thank you very much, Walter; your advice was very useful.
I changed the pool to another one and removed the crypto map from the inside interface. But it 
was still not good.
I had to add NAT, and then it began working fine!

regards,

Michal 


OZ
1/14/2005 9:22:19 PM
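Pulling together the three answers in this thread (Paul's group ACL, Walter's non-overlapping pool and single crypto map, and Michal's closing note that NAT was also required), here is how the corrected fragment of the pilagw_vpn configuration looks. This is an added example, not the configuration Michal ended up with: the 192.168.19.0/24 pool, the `split-tunnel` ACL name and the return-path notes are assumptions, and the page does not show which NAT statements he added.

```cisco
! Added example: corrected remote-access fragment for pilagw_vpn.
! Assumptions: 192.168.19.0/24 is unused, FastEthernet0/0 stays the
! Internet-facing interface and FastEthernet0/1 stays the LAN interface.
!
! 1. Put the client pool on a subnet that is NOT the LAN's 192.168.18.0/24.
!    Inside hosts then forward traffic for 192.168.19.x to their default
!    gateway instead of ARPing for it on the LAN. (Fa0/1 has "no ip proxy-arp",
!    so the router would not answer ARP for pool addresses on the LAN anyway.)
no ip local pool remote-pool
ip local pool remote-pool 192.168.19.50 192.168.19.99
!
! 2. Tell the client which networks sit behind the router (split tunnel).
!    The split-tunnel list names the protected networks as the source with
!    "any" as the destination; a 0.0.0.0 source, as Paul notes, is the same
!    as no split tunnelling at all. Omit the "acl" line if every packet from
!    the client must go through the tunnel.
ip access-list extended split-tunnel
 permit ip 192.168.18.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
!
crypto isakmp client configuration group vpn
 key cisco
 domain winkowski.pl
 pool remote-pool
 acl split-tunnel
! "key cisco" is kept only so the fragment lines up with the post; use a
! strong group key before exposing the router to the Internet.
!
! 3. The crypto map belongs only on the interface the peers talk to.
!    Reverse-route injection in dynmap stays: the router now installs a /32
!    toward each connected client and the LAN reaches it via 192.168.18.254.
interface FastEthernet0/1
 no crypto map dynmap
!
interface FastEthernet0/0
 crypto map dynmap
!
! 4. Return path (assumption about the topology, not shown on the page):
!    the static route to 192.168.5.0/24 via 192.168.18.1 shows another router
!    on the LAN. If inside hosts use 192.168.18.1 rather than this router as
!    their default gateway, their replies to 192.168.19.x never come back
!    here unless that router has
!        ip route 192.168.19.0 255.255.255.0 192.168.18.254
!    Translating client addresses to the router's LAN address is the usual
!    workaround when that route cannot be added, which is consistent with
!    Michal's closing note that NAT made it work.
```

With the split-tunnel ACL the Cisco VPN Client installs routes only for 192.168.18.0/24 and 192.168.5.0/24 and leaves the client's other traffic local; check the result on the router with `show crypto ipsec sa`, where the remote ident should now be a 192.168.19.x/32 and the local ident one of the listed LAN networks rather than the router's own public address.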
Reply:

Similar Artilces:

Trying to access the PDM of a Cisco pix over a Remote Access VPN with Cisco VPN Client
I am trying to configure the cisco pix (501) to allow access to the PDM over a Cisco VPN Client IPSEC tunnel. I found a situation for accessing the PDM ove a site-site tunnel but am not able to configure it for remote access VPN http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml I setup VPN by the wizard and enable split tunnel and excempt complete LAN from nat, so not the outside interface ip. Tried with management-access none, inside and outside I am running Cisco PIX Firewall Version 6.3(5) Cisco PIX Device Manager Version 3.0(4)...

Trouble Installing Linux/Cisco VPN Client Has anyone had trouble compiling the linux cisco vpn client? Here is the output of the install script: # uname -rviosm Linux 2.4.22-1.2188.nptl #1
Has anyone had trouble compiling the linux cisco vpn client? Here is the output of the install script: # uname -rviosm Linux 2.4.22-1.2188.nptl #1 Wed Apr 21 20:19:18 EDT 2004 x86_64 x86_64 GNU/Linux ../vpn_install Cisco Systems VPN Client Version 4.0.3 (B) Linux Installer Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved. By installing this product you agree that you have read the license.txt file (The VPN Client license) and will comply with its terms. Directory where binaries will be installed [/usr/local/bin] Automatically start the VPN service at boot time [yes] In order to build the VPN kernel module, you must have the kernel headers for the version of the kernel you are running. For RedHat 6.x users these files are installed in /usr/src/linux by default For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by de fault Directory containing linux kernel source code [/lib/modules/2.4.22-1.2188.nptl/b uild] * Binaries will be installed in "/usr/local/bin". * Modules will be installed in "/lib/modules/2.4.22-1.2188.nptl/CiscoVPN". * The VPN service will be started AUTOMATICALLY at boot time. * Kernel source from "/lib/modules/2.4.22-1.2188.nptl/build" will be used to bui ld the module. Is the above correct [y] y Making module In file included from Cniapi.h:15, from linuxcniapi.c:24: GenDefs.h...

Cisco VPN Client vs MS VPN Client
I have to install vpn clients on 6 laptops. They will connect to PIX 515. What is the difference, whether I use Cisco or MS vpn clients ? regards Jarek Carnowski ...

Site to Site VPN routing
I am trying to connect a Cisco 1841 router to a Nortel VPN Router 1010 via a IPSEC VPN tunnel. I actually have the tunnel up and running. My problem is that I cannot figure out how to tell the Cisco Router to route traffic from its private network to the private network on the Nortel Router. The Nortel Router seems to just route traffic to the Cisco Router's public interface and it works. If I put a static route in the Cisco Router to route to the Nortel Router's public interface, I get nothing. Any help would be appreciated. On Sep 21, 1:46 pm, peachma...@yahoo.com wrote: > I...

Cisco 1760 router and VPN client Connection Issues
I have a Cisco 1760 router with IOS 12.4 connected to the Internet with a WIC-1ADSL card. It has a dynamic external IP address. The fastethernet 0/0 has ip address 192.168.1.254 and now I want to be able to log into the 1760 through the Internet with a VPN connection. I have changed the configuration to the one below, but I still am not able to log in, the Cisco VPN client starts making a connection, but it say in the end that it can not get access. Is there anything that I missed in this configuration? Thx Jeroen c1760#sh run Building configuration... Current configuration : 3618 bytes ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log uptime service password-encryption ! hostname c1760 ! boot-start-marker boot-end-marker ! enable password 7 1304191C020705 ! aaa new-model ! aaa authentication login my_userauthen local aaa authorization network my_groupauthor local ! aaa session-id common ! resource policy ! ip cef ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.254 ip dhcp excluded-address 192.168.1.1 192.168.1.20 ! ip dhcp pool my_dhcp network 192.168.1.0 255.255.255.0 dns-server 212.71.8.11 212.71.0.2 default-router 192.168.1.254 ! ip domain name dyndns.org ip host members.dyndns.org 63.208.196.96 ip name-server 212.71.8.11 ip name-server 212.71.0.2 ip ddns update method my_dyndns HTTP add http://xxx:xxx@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a> interval maximum 28...

IPSec VPN problem with a CISCO C827 ADSL Router and a Nortel Contivity VPN Client
Hi, I'm a newbie and I'm facing a problem. I need to connect to a VPN, through IPSec. I have a CISCO C827 ADSL Router. I'm using Nortel Contivity VPN Client. If I connect by a modem to any provider, it works great. If I try to do it through the C827, no way. It says on my side : Server not responding, and on the server side : Client not responding. Anybody knows how I could/should configure my router to have it work ? Here's a piece of my configuration : ip dhcp pool maison network 192.168.1.0 255.255.255.0 default-router 192.168.1.254 dns-server xxxxxxxxxx xxxx...

Cisco VPN client OK
Hi, I have my PIX set up allowing VPN clients in. A Cisco VPN client (v4.0.3D) can get in OK but a Checkpoint client (R56 Build 311) can't. The Checkpoint client never appears to hit the outside interface of the PIX as no debug info appears when he tries to connect. I hardly need to deinstall my Cisco client sw beofre firing up the Checkpoint - do I? TIA, Ned ...

Cisco PIX vpn and vpn client
I have cisco pix 501 with IOS 6.3(4). and running Cisco VPN client 4.6.04.config is IPSEC over UDP I have a linksys router behind which the pix sits, I have forwarded UDP port 4500, 500, 10000, 50 to the pix. for some reason the vpn client connects from some internet connections and from some it does not and I do not get any error messages. I have attached the log file from the vpn client, when it was not connecting. Thanks for the help. MC -------------------------------------------------------------------------------------------------------------------------- 1 23:42:27.997 12/14/06 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 71.78.123.220. 2 23:42:28.017 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 71.78.123.220 3 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started 4 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys 5 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet! 6 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220 7 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet! 8 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220 9 23:42:43.048 12/14/06 ...

Cisco 1750 Router Cisco QoS Device Manager Cisco VPN Device Manager
Hello can my tell who can find the installfiles for 1750 Router Qos Device Manager and Cisco VPN Device Manager!!! thanks R. Kuhn ...

VPN from Cisco to VPN
Does anyone know how to create a VPN (ANy type) from a Cisco 1601 to a Netscreen 100? Or where to get the information. I have emailed you a stepthrough Dave Sinclair NCSA NetScreen Certified Security Associate NCSI NetScreen Certified Security Instructor Equip Technology.com NetScreen Authrorised Training Centre in the UK ...

Cisco VPN Client 4.6.00.0049 to Cisco router 12.3.8T5, ACL's ?
Hello, I regulary implement Cisco routers for our customers. About a year ago the demand for being able to VPN rose, and after some TAC calls I succeeded in configuring this on a Cisco router. At that time it were mostly 1700 series routers (running IOS 12.2.15Tx) with the Cisco 4.0x VPN Client. That configuration has been implemented at numerous sites since then, and works perfect. But since we started implementing routers with IOS 12.3.8Tx and the Cisco VPN Client 4.6.00.0049 I'm seeing differences in how the routers act in processing the VPN traffic. In my original config I ne...

Cisco vpn client to Cisco 837 problem
hi, I have trouble to solve this issue and would like to get your help. I try to set up remote access vpn with cisco client software to a cisco 837 vpn server but I can only get the tunnel up but d'ont be able to ping router ethernet interface nor all computer in the LAN site. cisco client 4.0.2b--------Internet--------ADSL_Cisco 837_vpn_server-------LAN_Windows2003_terminal_server Building configuration... Current configuration : 3499 bytes version 12.3 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ho...

Adding additional routes to a VPN client (PIX515E and Cisco client)
Lets say I have a local network at 10.20.2.0/24 and a dmz at 192.168.216.0/24 on a PIX515E. VPN works fine using the cisco vpn client to anything in 10.20.2.0, however I can't reach anything on 192.168.216.0 presumably because its not being routed through the VPN tunnel. The VPN client only shows the route to 10.20.2.0 in the statistics page. Is there a command on the PIX when setting up the VPN tunnel that tells the VPN client to also add a route to 192.168.216.0? Thanks. Nevermind - managed to figure it out since I was already most of the way there with my existing split-tunnel confi...

ASA5510 with Cisco VPN client. No traffic over VPN tunnel
Hi all, In the hopes anyone sees my error in my config (I'm almost sure it's a config error on my part but i can't find it). I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the manual config way and the ASDM way through the wizard. The problem is not that i can't get any ipsec connection. That works. But when the VPN connection is established i can't get any trafic from my Client VPN IP segment (172.16.101.0/24 to the internal network (172.16.100.0/24). The logs in the ASDM keep giving me the same error (this is another error but the error for opening a RDP connection from src to dst is the same): 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group foun...

Cisco VPN client through a Hotbrick VPN 600/2
Hi If i setup a vpn using the Cisco client on a pc behind the Hobrick it's not possible to start a remote desktop session. If i setup a vpn using the Cisco client on a pc NOT behind the Hobrick it is possible to start a remote desktop session. If i setup a vpn using Microsoft Windows XP network connection on a pc behind the Hobrick it is possible to start a remote desktop session. What could be the problem? Why isn't it possible to run a remote desktop session on a Cisco vpn behind the Hotbrick firewall? Thank's Perry ...

cisco asa 8.4 + cisco vpn client
explain that I did not do so. need to arrange a remote connection, for those who do not know, much has changed in 8.4. this configuration of the docks from the site cisco.com hostname(config)# interface ethernet0 hostname(config-if)# ip address 10.10.4.200 255.255.0.0 hostname(config-if)# nameif outside hostname(config-if)# no shutdown hostname(config)# crypto ikev1 policy 1 hostname(config-ikev1-policy)# authentication pre-share hostname(config-ikev1-policy)# encryption 3des hostname(config-ikev1-policy)# hash sha hostname(config-ikev1-policy)# group 2 hostname(config-ikev1-policy)# lifetime 43200 hostname(config)# crypto ikev1 outside hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15 hostname(config)# username testuser password 12345678 hostname(config)# crypto ipsec ikev1 transform set FirstSet esp-3des esp-md5-hmac hostname(config)# tunnel-group testgroup type remote-access hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool hostname(config)# tunnel-group testgroup ipsec-attributes hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet hostname(config)# crypto dynamic-map dyn1 1 set reverse-route hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1 hostname(config)# crypto map mymap interface outside nat (inside,outside) source static any any destination static 192.168.0.0 192.168.0.0 route-lookup hostname(...

W2K vpn client to Cisco 3005 VPN concentrator
I've got a project to configure a Cisco 3005 vpn concentrator to allow connections from the w2k builtin vpn client. The concentrator currently has users connecting via the Cisco client using IPSec, and authenticating against an Active Directory server. The way I understand things is, PPTP is supported, but only without encryption when authentication against Active Directory. And the only other option is L2TP/IPSec, which is mutually exclusive with the IPsec-only that's currently in use. (Have I got this all correct?) So, the only option open here is PPTP without encryption, correct?...

VPN to ASA from Cisco VPN Client Getting Error
Hi, I am trying to set up remote access VPNs and am having trouble. I used: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml as a guide as was recommended by someone in a previous post. When I connect from the Cisco VPN client I am getting an error: "Secure VPN Connection terminated locally by client. Reason 412: The remote peer is no longer responding." My network looks like this. Router-----ASA----LAN I can see the traffic getting through my router when I attempt to connect. The IP connecting to is my outside interface's IP on the ASA and is a public IP. It is also the IP that is nat'ed to my mail server. Does this cause a problem? (I hope not because I am out of IP's and I don't want to have to buy more). Please find the relevant part of my ASA config below. thanks for your help. Result of the command: "sh running" : Saved : ASA Version 7.0(5) ! hostname domain-name enable password names dns-guard ! interface Ethernet0/0 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0/1 nameif outside security-level 0 ip address PUBLIC IP ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown nameif management security-level 100 ip address management-only ! passwd SisLvDjB/rijelPS encrypted banner exec # You are logging into a corporate device. Unauthorized access is p...

Cisco 837 and Cisco VPN client wierdness.. any ideas?
With my current configuration I can VPN connect from anywhere on the web and authenticate as a local user with an 837 router. Once auth'd the VPN client is allocated an IP from the vpn pool. From a VPN connected laptop I can ping any address on the LAN and any other machine on the LAN can ping the IP the VPN client has been allocated. However I can't access all resources via all protocols on all machines. This part is inconsistent and has me baffled. e.g. from a VPN client I can mount SMB shares on 192.168.16.250 but I can't see the webserver (:80) on the same IP). From a LAN connected laptop I can see the webserver running on the VPN client (192.168.17.x:80). However the VPN client can't see a webserver on the same LAN connected laptop (192.168.16.10:80). This is my first ever contact with Cisco gear and while i'm quite chuffed with getting as far as I have on setting this box up.. i'm now way out of my depth on working out what the problem is. Any suggestions would be greatly appreciated! Client s/w is v4.6 (0045) on Mac OS 10.3.9 sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4 Router config (security edited) is cut/pasted below: ! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname xxxx ! logging queue-limit 100 no logging buffered enable secret 5 xxxx ! username xxxx password 7 xxxx username xxxx password 7 xxx...

asa 5505 + l2l vpn + cisco client vpn
Hi, I'm trying to replace PIX 506[working ok] with asa 5505. But just after swaping them some of the vpn links doesn't work. I can't ping sites. Cisco vpn client access doesn't work too. I was following few cisco manuals but I can't figure out what is missing in my config. Could you pls have a look at my config maybe sth obvious - I hope so. Many thanks. : Saved : Written by enable_15 at 01:48:02.989 UTC Tue Jan 13 2009 ! ASA Version 8.0(4) ! hostname pb domain-name zzzzzzz enable password zzzzzzzzzzzzzz encrypted passwd zzzzzzzzzzzz encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.254 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address zzzzzzzzzzzzz 255.255.255.240 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name zzzzzz access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0 access-list inside_nat0_outbound ...

Cisco VPN Client <-> XP VPN
Hello, I'm a little bit confused about the differences between Microsoft's build-in VPN Client (for XP) and Cisco's VPN client. I wanna set up a connection to a network using Cisco's client (which I'm using for other networks as well). For the new network detailed instructions for the XP client are given, but nothing for the Cisco client. I thought - please correct me, if I'm wrong - that XP and Cisco both use the L2TP technique, so I should be able to use any client for those connections. But Cisco's client needs much more information than the IP of the...

Cisco VPN Client connection issue
I'm trying to start a VPN session using the Cisco VPN Client 4.0.1a for Linux on a Redhat 9 box. Kernel loads, vpnclient connect starts up and it requests my domain authentication which it accepts (and fails if I typo, so I know it's communicating to the VPN server), but once I get to "Securing communication channel.", it hangs for about two minutes and then comes back with "The VPN sub-system is busy or has failed.". I've disabled the firewall on the desktop to make sure it's not a port blocking issue. It works fine from the same desktop booted into Wind...

Cisco IOS Router as VPN Client
I have a Cisco VPN Client that connects no problem to the corporate LAN, but then, as you know, it only connects that one device that has the client installed. How might I configure a Cisco IOS router to connect to the same corporate LAN and bridge multiple devices, such as a laptop & 7960 VoIP phone, to that VPN? As you might guess, my laptop has no problems, but the VoIP phone has no way to VPN in!! So can I set up an IOS router (I have a 3620 with multiple Ethernet ports) to connect to this LAN using the same parameters? I have my NT Domain name and PW, as well as the VPN Group name and key. I also have the IP of the...

VPN Connection Problems between Cisco PIX 506E and Cisco VPN Concentrator 3005
Hello all, I got a problem with a VPN connection from a Cisco PIX 506E to a Cisco 3005 concentrator. The problem is that the LAN on the PIX is also used for another remote site, so I tried to activate NAT on the PIX to translate the IP addresses of the network. After that I entered the information at the concentrator which is necessary for the LAN-to-LAN connection. But I did not get a connection. I tried to ping the outside address of the PIX but I did not get a reply. I post the output of the logfile for that connection below: 29437 02/15/2005 14:25:21.890 SEV=4 IKE/41 RPT=43758 213.183.66.179 IKE Initiator: New Phase 1, Intf 2, IKE Peer 213.183.66.179 local Proxy Address 192.168.0.0, remote Proxy Address 213.183.66.179, SA (L2L: to PIX) 29507 02/15/2005 14:26:02.300 SEV=4 IKEDBG/65 RPT=36896 213.183.66.179 Group [213.183.66.179] IKE MM Initiator FSM error history (struct &0x3b7510c) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG6, EV_TIMEOUT MM_WAIT_MSG6, NullEvent MM_SND_MSG5, EV_SND_MSG and here is the config of the PIX: PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname Cisco-Firewall-VPN domain-name pk-intern.de clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup pro...

Web resources about - VPN router-cisco vpn client routing issue - comp.dcom.sys.cisco