ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Sep 21st, 2007
User Badges:
  • Gold, 750 points or more

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on platforms which can be used to terminate various IPSec VPN services to meet the need for ubiquitous connectivity. Aamir is a product manager for remote-access VPNs in Cisco's router security group in San Jose. He is responsible for bringing advanced IOS security products to market, while integrating customer and market requirements with Cisco products and services to create solutions. He previously worked as a technical marketing engineer in Cisco's security technology group, where he was responsible for building technical marketing presentations and training Cisco partners and systems engineers on newly introduced IOS security technologies and platforms. He has over 9 years of experience in the computing and networking industry, including networking, training and systems administration. Aamir has authored many Cisco online technical documents and configuration guidelines and delivered numerous technical presentations for Cisco customers and partners.


Remember to use the rating system to let Aamir know if you have received an adequate response.


Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 5, 2007. Visit this forum often to view responses to your questions and the questions of other community members.


I'll start out with a few general questions:


It seems like the ASA and IOS are overlapping in many areas relating to site-to-site VPNs. However, the IOS offers some advanced features in many areas.


Going forward, would a company be best suited to position their site-to-site VPNs on an ASA or an IOS as a standard?


Obviously either will suit for basic needs, but, for instance, will we see faster innovation from Cisco with the IOS method and/or will the features eventually merge to some extent?


Or does Cisco really see them as two different platforms, each serving a specific need independently?


Thanks!

awaheed Mon, 09/24/2007 - 08:44
User Badges:
  • Cisco Employee,

Hi Strine,


Thanks for being the first one to start the discussion :)


As you rightly pointed out, the basic site-to-site functionality will always be available in both the ASA and IOS devices.


Looking at the breadth of solutions available for Site-to-Site IPSec VPNs (DMVPN, GETVPN, EasyVPN, IPSec/GRE), the IOS software lets you easily deploy and scale site-to-site VPNs for any topology, from hub-and-spoke to the more complex full-mesh IPSec VPNs. In addition, the Cisco IOS Advanced Security feature set combines a rich VPN feature set with advanced firewall and extensive Cisco IOS Software capabilities including QoS, multiprotocol, multicast, and advanced routing support.


You can find clearer direction and details on our IPSec/SSL product portfolio at the following link, where we specifically discuss the IPSec/SSL solution portfolio: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns142/netbr09186a00801f0a72.html


Hope this helps,

Rgds,

Aamir

ROBERTO TACCON Tue, 09/25/2007 - 11:04
User Badges:

Hi Aamir,


I have some questions about VPN solutions:


1- Which are the features of Cisco EZVPN? Why use it?


2- Any consideration about the security problems associated with IKE v.1 (I need the IPS function on IOS/ASA; is it available?)? When will IOS/ASA support IKE v.2?


3- When will the SHA-256 secure hash algorithm be available in IOS/ASA instead of SHA-1 (because of the critical break in the SHA-1 algorithm discovered by researchers Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu from Shandong University)?


4- Any consideration about the "crypto ipsec security-association lifetime seconds" and the "crypto ipsec security-association idle-time" (the default built-in EZVPN proposal is 84600/0)?


5- Any consideration/problems with the replay window size? (EzVPN supports replay detection, no special config.)


6- With DMVPN, is OSPF or EIGRP better (are there any differences)?


7- Can you please link me a good configuration example of DMVPN with VRF-lite?


8- Can you please link me a good configuration example of IPSec L2L HA and load balancing?


9- Can you tell me more about the security protocols used in the "Cisco 5700 Series Integrated Encryption Routers (KG-275A, KG-275B, KG-275C)"? Are these products also available in EMEA for private use?



Thanks in advance

Roberto


awaheed Wed, 09/26/2007 - 09:48
User Badges:
  • Cisco Employee,

Hi Roberto,

Thanks for your questions. Answers inline, marked AW>.


1- Which are the features of Cisco EZVPN? Why use it?

AW> Cisco EasyVPN is an IPSec solution which provides both Site-to-Site and Remote-access IPSec-based connectivity. More details are available at: www.cisco.com/go/ezvpn


2- Any consideration about the security problems associated with IKE v.1 (I need the IPS function on IOS/ASA; is it available?)? When will IOS/ASA support IKE v.2?

AW> Cisco's solution extends the Hybrid Auth model by additionally requiring a group pre-shared key for VPN group identification. The group pre-shared key is used solely to associate users with their appropriate VPN groups, followed by the XAUTH exchange that then authenticates the user. In any case, Cisco is planning to add support for IKEv2 in upcoming versions of the Cisco IOS and the Adaptive Security Appliance (ASA) software.


3- When will the SHA-256 secure hash algorithm be available in IOS/ASA instead of SHA-1 (because of the critical break in the SHA-1 algorithm discovered by researchers Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu from Shandong University)?

AW> SHA-2 is already supported in the 12.4T IOS release (SHA-2 includes SHA-256 support).


4- Any consideration about the "crypto ipsec security-association lifetime seconds" and the "crypto ipsec security-association idle-time" (the default built-in EZVPN proposal is 84600/0)?

AW> Using the defaults should work just fine for most cases. Work with the TAC for your specific scenario to get their recommendation.


5- Any consideration/problems with the replay window size? (EzVPN supports replay detection, no special config.)

AW> No problems.


6- With DMVPN, is OSPF or EIGRP better (are there any differences)?

AW> Both work, and mostly it depends on what customers are already running in their network before they deploy DMVPN. EIGRP and OSPF can both scale pretty well, although EIGRP is what we normally see in DMVPN deployments.


7- Can you please link me a good configuration example of DMVPN with VRF-lite?

AW> http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034be03.shtml


8- Can you please link me a good configuration example of IPSec L2L HA and load balancing?

AW> http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd80278edf.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd803498b1.shtml


9- Can you tell me more about the security protocols used in the "Cisco 5700 Series Integrated Encryption Routers (KG-275A, KG-275B, KG-275C)"? Are these products also available in EMEA for private use?

AW> Please contact your local sales folks to get more details.

Hope this helps,

Rgds,

Aamir

shejuckyy Thu, 10/04/2007 - 04:38
User Badges:

00:03:02: %OIR-SP-6-INSCARD: Card inserted in slot 6, interfaces are now online

00:03:04: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.30.6 on Vlan10 from LOADING to FULL, Loading Done

00:03:04: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.30.6 on Vlan30 from LOADING to FULL, Loading Done

00:03:04: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.30.6 on Vlan150 from LOADING to FULL, Loading Done

00:03:04: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.30.6 on Vlan160 from LOADING to FULL, Loading Done

00:00:04: %PFREDUN-6-STANDBY: Initializing as STANDBY processor

00:00:05: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.



Firmware compiled 18-Apr-05 17:29 by integ Build [100]



00:01:21: %OIR-SP-STDBY-6-CONSOLE: Changing console ownership to route processor




00:01:21: %SYS-SP-STDBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.


00:02:16: %PFREDUN-SP-STDBY-6-STANDBY: Initializing for SSO mode

00:02:16: %SYS-SP-STDBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.


00:02:41: %SPANTREE-SP-STDBY-5-EXTENDED_SYSID: Extended SysId enabled for type vlan

00:02:42: SP-STDBY: SP: Currently running ROMMON from S (Gold) region

00:02:43: %DIAG-SP-STDBY-6-RUN_MINIMUM: Module 6: Running Minimum Diagnostics...

00:02:56: %DIAG-SP-STDBY-6-DIAG_OK: Module 6: Passed Online Diagnostics

00:03:14: %SYS-SP-STDBY-5-RESTART: System restarted --

Cisco Internetwork Operating System Software

IOS (tm) s72033_sp Software (s72033_sp-PK9SV-M), Version 12.2(18)SXD7, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

--More-- Copyright (c) 1986-2005 by cisco Systems, Inc.

Compiled Tue 13-Dec-05 22:57 by kellythw

00:03:14: %PFREDUN-SP-STDBY-6-STANDBY: Ready for SSO mode

00:03:15: %SYS-SP-STDBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.


00:03:19: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.27.122 on Vlan10 from LOADING to FULL, Loading Done

00:03:23: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.27.124 on Vlan10 from LOADING to FULL, Loading Done

00:03:24: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.30.2 on Vlan10 from LOADING to FULL, Loading Done

00:03:25: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.22.121 on Vlan10 from LOADING to FULL, Loading Done

00:03:46: %OSPF-5-ADJCHG: Process 6509, Nbr 135.191.30.200 on GigabitEthernet1/36 from LOADING to FULL, Loading Done

bjjjsolucas Wed, 09/26/2007 - 05:49
User Badges:

I have a question for you. It might not pertain to the current discussion.


I am currently using a VPN connection with broadband internet service. I want to move to a more rural location. The only type of internet I can get there currently is satellite. Is there a satellite internet provider that I can use my VPN connection with? I need IPSec for work. Any suggestions would be appreciated.

awaheed Wed, 09/26/2007 - 10:12
User Badges:
  • Cisco Employee,

Hi Solucas,


Thanks for your question. I would suggest searching on www.google.com for a list of satellite Internet providers. I really do not have any recommendations in that respect.


Sorry couldn't be of more help,

Rgds,

Aamir

Alejandro Corte... Wed, 09/26/2007 - 13:49
User Badges:
  • Silver, 250 points or more

Hi, I have a satellite service provider but I've been having a problem: the VPN client gets disconnected very often. I think it is because of the delay in the core. I have a Cisco ASA.

Do you have some solution to this problem?

awaheed Wed, 09/26/2007 - 14:49
User Badges:
  • Cisco Employee,

Hi Maiden,


My suggestion would be to increase the idle timeout on the ASA so it doesn't drop the connection based on some missed keepalives. TAC can surely help you with that, and your administrator would need to make the change on the head-end ASA.


Hope this helps,

Rgds,

Aamir

Alejandro Corte... Wed, 09/26/2007 - 14:56
User Badges:
  • Silver, 250 points or more

I'm the administrator of the ASA. Can you help me with the configuration to increase the idle timeout on the ASA?

Thank you for your help.
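As an added example that is not part of the thread (and not Aamir's answer), this is how the idle timeout the previous reply refers to is raised on an ASA 7.x/8.0 for remote-access IPsec clients. The group-policy and tunnel-group names, the 120-minute value and the keepalive figures are assumptions chosen for a high-latency satellite link; the `vpn-idle-timeout`, `vpn-session-timeout` and `isakmp keepalive` commands are standard ASA commands.

```cisco
! Added example, not from the thread. Names RAVPN-POLICY and RAVPN-GROUP are assumed.
! Apply on the head-end ASA that terminates the Cisco VPN Client sessions.
!
! 1. Group policy: idle timeout in minutes (ASA default is 30; 'none' disables
!    the idle disconnect entirely). A hard session limit is a separate knob.
group-policy RAVPN-POLICY internal
group-policy RAVPN-POLICY attributes
 vpn-idle-timeout 120
 vpn-session-timeout none
!
! 2. Bind the policy to the tunnel group the clients connect to.
tunnel-group RAVPN-GROUP type remote-access
tunnel-group RAVPN-GROUP general-attributes
 default-group-policy RAVPN-POLICY
!
! 3. Keep IKE dead-peer detection tolerant of latency instead of turning it off:
!    wait 60 s of silence before probing, then retry every 5 s (defaults 10 / 2).
tunnel-group RAVPN-GROUP ipsec-attributes
 isakmp keepalive threshold 60 retry 5
!
! Verification (exec mode):
! show run group-policy RAVPN-POLICY
! show vpn-sessiondb remote filter name <username>
```

The session display in `show vpn-sessiondb` reports the idle and session timeouts each connected user actually received, which confirms the client landed in the intended group policy rather than DfltGrpPolicy.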

jcosgrove Thu, 09/27/2007 - 10:12
User Badges:

We need to support a hot-site data center over an Internet connection and need to use site-to-site VPN. The server group wants to have about 1 Gig of throughput to this site. I am sure that with the overhead of VPN and the limitation of our Internet connection being 1 Gig we will have trouble getting this, but what platform would be best to get this amount of throughput over site-to-site VPN?

awaheed Thu, 09/27/2007 - 12:27
User Badges:
  • Cisco Employee,

Hi Grove,


I would have to say the VPN SPA module with the Cat6500 would be the best route to take. Your Cisco account team can help you with the design aspects to fulfil your requirements.


Rgds,

Aamir

spkolla Fri, 09/28/2007 - 02:10
User Badges:

Hi Aamir,


I have a basic question. How do I configure S2S and remote-access VPN on a Cisco router? Since we can only have a single crypto map on the interface, when we configure remote access the S2S is not able to connect.


Is there any good example we can look at?


Regards

Siva Prasad K.

awaheed Fri, 09/28/2007 - 02:17
User Badges:
  • Cisco Employee,

Hi Siva,


Here are the links for the configuration that you are looking to do: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


Additionally if one of the S2S peers has a dynamic IP address that you need to connect then you can look at: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml


Hope this helps,

Rgds,

Aamir

spkolla Fri, 09/28/2007 - 03:23
User Badges:

Hi Aamir,


Great... it works. Thanks for your help.


I missed out earlier the no-xauth.


Regards

Siva Prasad K



pgrichmondbell Fri, 09/28/2007 - 04:43
User Badges:

One of our clients has a requirement for a simple three-site LAN-to-LAN VPN (two hubs and one spoke) to be run over long-haul dark fibre. The traffic is Citrix-based and averages 250 Kbps with 500 Kbps peaks. I am currently looking at the low-end ISR routers.


Which Cisco devices would be recommended to provide a low-cost solution which will natively terminate Fibre LX on the box?



awaheed Tue, 10/02/2007 - 13:40
User Badges:
  • Cisco Employee,

Hi Mondbell,


Sorry for the delay in answering this, I was checking with the platform folks.


You can use an LX SFP in the HWIC-1GE-SFP. The 2800 series supports 1 of these interfaces and the 3800 series supports 2.


Hope this helps,

Rgds,

Aamir

bbadmin13 Fri, 09/28/2007 - 13:57
User Badges:

Hi Aamir,


I've got a question. I have a client that is having trouble connecting using the Cisco VPN client because of the security policy he has at another company, which does not allow him to keep UDP ports 500 and 4500 open to traffic originating from outside his network.

He is using Cisco VPN client version 5. I've got a Cisco 2811 running IOS Version 12.4(11)XJ3. I don't seem to be able to program the router to enable transparent tunneling IPSec over TCP. IPSec over UDP works fine. Please advise.


Thank You

Ben

khallaoui Sat, 09/29/2007 - 17:59
User Badges:

Hi, I have an ASA as VPN server. All VPN clients from Windows work, but when I want to connect with a router 877 as a remote EasyVPN client, I connect but I can't access the LAN; I have this message from my syslog server: "deny protocol 50".

My question: why does it work with the simple client but not with the remote EasyVPN from the router?

awaheed Sun, 09/30/2007 - 00:14
User Badges:
  • Cisco Employee,

Hi Khallaoui,


Below is the configuration that you should use for the IOS EasyVPN client side.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml


This should get you where you need to be. If it doesn't work, then please go ahead and check your ACL/firewall configuration on the router, as the syslog also points out that ESP (IP protocol 50) packets might be getting dropped due to some config you have there, so try opening it up explicitly.


Hope this helps,

Rgds,

Aamir
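Two questions in this thread touch the same IOS head-end configuration: Siva's (a single crypto map that must carry both a site-to-site tunnel and Cisco VPN Client remote-access sessions, which worked once `no-xauth` was added to the peer key) and Khallaoui's ("deny protocol 50", i.e. ESP dropped by an interface ACL). The following is an added example, not Aamir's answer and not code from the linked Cisco documents; every address (198.51.100.1 outside, 203.0.113.2 peer, 192.168.x.0 LANs, 10.10.10.0 pool), interface, ACL and map name, and the `<...>` secrets are assumptions.

```cisco
! Added example, not from the thread. All names, addresses and <secrets> are assumed.
! IOS router terminating one static S2S peer and Cisco VPN Client users on a
! single crypto map bound to the outside interface.
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-GROUP local
username vpnuser secret <user-password>
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Site-to-site peer. 'no-xauth' is the key point: once the crypto map carries
! 'client authentication list' for the RA users, IKE would otherwise demand a
! username/password from the remote router as well, and the S2S tunnel fails.
crypto isakmp key <S2S-PSK> address 203.0.113.2 no-xauth
!
! Remote-access group for the Cisco VPN Client (group name = RAGROUP)
crypto isakmp client configuration group RAGROUP
 key <GROUP-PSK>
 pool RA-POOL
 acl RA-SPLIT
ip local pool RA-POOL 10.10.10.1 10.10.10.50
ip access-list extended RA-SPLIT
 permit ip 192.168.1.0 0.0.0.255 any
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Dynamic map for the RA clients; reverse-route injects a host route per client
crypto dynamic-map DYN-RA 10
 set transform-set TS
 reverse-route
!
! XAUTH / group authorization / address push apply to the whole map
crypto map OUTSIDE-MAP client authentication list RA-XAUTH
crypto map OUTSIDE-MAP isakmp authorization list RA-GROUP
crypto map OUTSIDE-MAP client configuration address respond
! Static S2S entry first (low sequence number) ...
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address S2S-ACL
! ... dynamic RA entry last, so it only matches what no static entry did
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
!
ip access-list extended S2S-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Inbound ACL on the outside interface. IKE (udp/500), NAT-T (udp/4500) and
! ESP (IP protocol 50) must be allowed to the router's own address; blocking
! ESP is exactly what produces "deny protocol 50": IKE completes, data never flows.
ip access-list extended OUTSIDE-IN
 permit udp any host 198.51.100.1 eq isakmp
 permit udp any host 198.51.100.1 eq non500-isakmp
 permit esp any host 198.51.100.1
 deny ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map OUTSIDE-MAP
```

Verification: `show crypto isakmp sa` should show the S2S peer in QM_IDLE without an XAUTH prompt on the far router, and `show access-list OUTSIDE-IN` should show hit counts climbing on the `esp` and `isakmp` lines rather than on the final `deny`; a growing deny count while the IKE SA is up points to the ACL, not to the crypto configuration.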

roperry Mon, 10/01/2007 - 05:40
User Badges:

Is it possible to support site-to-site and DMVPN on the same hub router using the same interface, for transition purposes? Basically we have point-to-point tunnels and would like to transition to DMVPN without tearing down the existing connections until the transition is complete.

awaheed Mon, 10/01/2007 - 09:17
User Badges:
  • Cisco Employee,

Hi Perry,


Yes it is possible. For transitioning over to the DMVPN based solution, you would need to control the traffic flow through routing.


Basically, the order of the crypto map determines what gets encrypted and with which IPSec policy; routing in turn determines what traffic goes on the tunnel and the DMVPN, so if it is not going on the tunnel interface, the physical interface crypto policy takes effect.

So to transition to DMVPN, simply bring up the tunnel with a lower routing metric and it takes precedence.


You should go through some of the links below to better understand the DMVPN configurations:

www.cisco.com/go/dmvpn, and then you can call TAC to help you transition over.


Hope this helps,

Rgds,

Aamir

jkeeffe Thu, 10/04/2007 - 12:38
User Badges:

Is there a document that describes configuring a 3002 as a hardware IPSec client connecting to an ASA5540?


The 3002 will have a static outside address assigned and the inside/private network will be configured with its own IP pool.

msadagop Mon, 10/01/2007 - 23:36
User Badges:

Hi

I am trying to configure the ASA 5540 (running ver 8.0) to accept VPN connections *without* encryption. To achieve this, I set the encryption to "esp-null" on the ASA.


The built-in L2TP-IPSec client on Windows XP establishes the VPN connection but drops out exactly after 1 minute and 11 seconds.


I suspect that this is some kind of timeout - do any ports need to be opened up specifically on the ASA Outside interface?


"sysopt connection permit-vpn" is present in the configuration.


Thanks for your assistance.

awaheed Thu, 10/04/2007 - 11:05
User Badges:
  • Cisco Employee,

Hi,


Looks like we can terminate the L2TP/IPSec connections without any problem.


I loaded up the latest 8.0.2 interim and it works as designed. I am able to stay connected and pass data with no problems (see below). If you still have a problem or wish to obtain the latest interim, please open a TAC case.


Session Type: IPsec Detailed

Username : l2tp Index : 4

Assigned IP : 90.208.1.105 Public IP : 70.208.1.2

Protocol : IKE IPsecOverNatT L2TPOverIPsecOverNatT

License : IPsec

Encryption : none Hashing : MD5 SHA1

Bytes Tx : 21595 Bytes Rx : 27116

Pkts Tx : 225 Pkts Rx : 261

Pkts Tx Drop : 0 Pkts Rx Drop : 0

Group Policy : DfltGrpPolicy Tunnel Group : DefaultRAGroup

Login Time : 12:10:45 UTC Wed Oct 3 2007

Duration : 0h:04m:05s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none

IKE Tunnels: 1

IPsecOverNatT Tunnels: 1

L2TPOverIPsecOverNatT Tunnels: 1


Find more details on the configuration at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml


Rgds,

Aamir

clarson Tue, 10/02/2007 - 09:39
User Badges:

Is it possible to disable aggressive mode on IOS for VPNs? We are using DMVPN with a pre-shared key. What can I do to disable or mitigate aggressive mode with a network redesign? I want to force main mode only. This is needed to pass a security audit.

awaheed Tue, 10/02/2007 - 13:41
User Badges:
  • Cisco Employee,

Hi Clarson,


You can surely use an IOS command to disable Aggressive mode. The command is:


crypto isakmp aggressive-mode disable


Hope this helps,

Rgds,

Aamir

mannschaft Wed, 10/03/2007 - 06:59
User Badges:

hi awaheed


I can't find answers to some questions! Can you please help? I have a Cisco 877 and an ASA 5505, and I would like to connect 15 clients to my LAN. This is my architecture:


internet----> Cisco 877----> ASA5505---->LAN


1- What is the best architecture to use? Cisco 877 as concentrator or ASA?


2- How many public IP addresses do I need to buy from my ISP for my solution?


3- If I get the remote users connected to the LAN, is it a good idea to allow them access to the internet from inside?


Many thanks, Waheed.


awaheed Fri, 10/05/2007 - 02:27
User Badges:
  • Cisco Employee,

Hi Schaft,


Thanks for your questions,


Answers inline AW>


1- What is the best architecture to use? Cisco 877 as concentrator or ASA?


AW> The Cisco 877 can only be configured as an EasyVPN client and NOT as an EasyVPN server. The same holds true for the ASA5505. The best bet here is to configure a Site-to-Site tunnel between the two sites. Sample config at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml


2- How many public IP addresses do I need to buy from my ISP for my solution?


AW> You can just get a single IP address per device and PAT the internal devices to the same external IP address easily. Sample config at:

870: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

ASA: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042445


3- If I get the remote users connected to the LAN, is it a good idea to allow them access to the internet from inside?


AW> That should be fine, and you can check what scenarios you can use at the link mentioned above for the ASA: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042445


Hope this helps,

Rgds,

Aamir

mannschaft Fri, 10/05/2007 - 05:03
User Badges:

Hi Aamir


Thanks for your answers! Very helpful, I can see more clearly now, but I have some doubts.


1- You said: The best bet here is to configure a Site-to-Site tunnel between the two sites.

I don't want to connect 2 sites; I want to combine the 877 with the ASA to allow remote users to connect to the LAN and check their mail. So if I base it on the S2S config, will this resolve my issue?


2- You said: You can just get a single IP address per device.

Actually I have one ADSL IP that I use for my tests with the 877. If I understand correctly, I need a second one for the ASA!?


thanks & Regards.

awaheed Fri, 10/05/2007 - 14:32
User Badges:
  • Cisco Employee,

1- Answer> Yes, the S2S will be able to provide you with access between the two sites. None of the devices you have can act as an EasyVPN server, so S2S is the only option here.


2- Answer> Yes, you would need an IP address per device at the very least, which means one for the 877 and one for the ASA, and then you can PAT all the internal traffic using their outside IP addresses for them to access the internet.


Hope this helps,

Rgds,

Aamir

cyclone_vortex Wed, 10/03/2007 - 07:53
User Badges:

I have a Cisco VPN concentrator. We have been having password problems on it. The problem is there is no notification in advance of passwords expiring. I am wondering if you can tell me how to fix this annoying issue.


Thank you,

Troy F.

awaheed Fri, 10/05/2007 - 02:42
User Badges:
  • Cisco Employee,

Hi Troy,


I am attaching the CVPN3000 Password recovery mechanism:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml

I have not heard of admin passwords changing on the CVPN3000 at all, until you change them yourself.


If you are talking about the VPN client Password expiry then please check the config details at the links below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml


Hope this helps,

Rgds,

Aamir

joseph-sheena Wed, 10/03/2007 - 13:59
User Badges:

Hi Aamir. I'm planning to have VPN connections (IPsec GRE tunnels) from 10 spoke sites terminating on a 3700 series router. Is there a sample hub-site configuration I can use to get started?

Thank you

SJ

jonathancr Wed, 10/03/2007 - 16:38
User Badges:

Hi Aamir,


My computer (XP sp2) accesses the internet via VPN on a wireless network. I connect to the VPN using Cisco VPN Client (v5.0.01.0600), and to the wireless network using the Linksys Network Monitor.


I have an internet phone that requires an ethernet cable to connect to the internet.


I need to make the LAN port on my computer act in the same way as a port on a router/hub, and be connected through the VPN to the outside internet.


I tried to bridge the VPN Adapter to the Local Area Connection, but then I consistently received Error 442, stating it couldn't enable the VPN Adapter. Bridging my wireless card directly to the LAN port is useless, because then I cannot connect to the VPN and thus the internet.


Please advise on how to configure the connection so that my internet phone can talk to the outside internet through the VPN when I plug it into my computer's LAN port.


Thanks!

fallkaired Thu, 10/04/2007 - 05:57
User Badges:

Hi all,


Can somebody help me please


An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.

A site-to-site VPN is established between the PIX outside (192.168.111.6) and a Multitech firewall (192.168.111.200).


Now my inside server should connect to the remote network with the IP 172.20.20.6, so I have to NAT my inside server IP (192.168.92.6) to 172.20.20.6.

The remote network should connect to the inside network via 172.20.20.6.

My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a (TCP) connection from my inside network to the remote network.

The weird thing is that I can ping from each network to the other.


This is my config below




access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0

access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0


static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs

crypto map Outside_map 1 set peer 192.168.111.200

crypto map Outside_map 1 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal


service-policy global_policy global

tunnel-group 192.168.111.200 type ipsec-l2l

tunnel-group 192.168.111.200 ipsec-attributes

pre-shared-key *


Thanks for answers

awaheed Fri, 10/05/2007 - 14:34
User Badges:
  • Cisco Employee,

Hi Falk,


Looks like you will have to post this to the FW experts, as I am not as knowledgeable with the FW static/global concepts, so I will not be able to help you here.


Sorry about that,

Rgds,

Aamir

awaheed Fri, 10/05/2007 - 14:30
User Badges:
  • Cisco Employee,

Hi Jonathan,


Sorry for not being able to provide an answer for this as I am not an expert on the VPN Client. Please post this question on the VPN client forum for someone more knowledgeable on it to help you.


Rgds,

Aamir

anith Thu, 10/04/2007 - 22:55
User Badges:

hello,


We are using a 2801 for our VPN needs. We already configured a site-to-site VPN on it. My current scenario is to create multiple VPNs, i.e. to different sites, and a remote-client VPN server for our road warriors (they use the Cisco VPN client to connect).


Let me know how I can accomplish the scenario. Currently we don't have VPN profiling in place. Can I complete the scenario using VPN profiles, and how can they be used? Kindly advise me at the earliest.


Please find attached the live 2801 configuration file, which is very much working fine.


Thanks in advance.


Anith.



awaheed Fri, 10/05/2007 - 01:59
User Badges:
  • Cisco Employee,

Hi Anith,


Thanks for your question.


Configuring IPsec Between Two Routers and a Cisco VPN Client 4.x: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


As for the VPN (IKE) profiles, please look through the following link for all the details that you would need to implement it, it includes sample configurations: http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml


If you face any issues with the configuration, please call the Cisco TAC for further help with the debugs that have been specified at these links. As a rule of thumb, I would suggest not sharing your config on a public forum.


Hope the links help,

Rgds,

Aamir

awaheed Fri, 10/05/2007 - 14:25
User Badges:
  • Cisco Employee,

Great to hear that..


Rgds,

Aamir

ivanwood Fri, 10/05/2007 - 06:13
User Badges:

Aamir,

We have deployed EzVPN for a few remote sites and terminated them on a 3020 Concentrator. We used static routes for all the tunnels. Now we are looking to deploy a failover-capable site-to-site VPN deployment with dynamic routing and 2 central head-end sites. We have 3845s at the central sites and 1811s or 1841s at the remote sites. The 2 central sites are connected through a managed MPLS infrastructure which uses BGP routing. The central sites each run OSPF internally and then redistribute into BGP.

Is there a way to use DMVPN, GRE tunnels, or EzVPN that will set up a primary VPN tunnel to one central site and update the routing tables there, and then, if the primary tunnel fails, have the secondary tunnel come up and start advertising over that link?


Thank you for the help,

Ivan


awaheed Fri, 10/05/2007 - 14:24
User Badges:
  • Cisco Employee,

Hi Ivan,


Thanks for your question


EasyVPN doesn't support routing protocols sent over it, so for you to achieve this you should use DMVPN instead, and it will fulfil your requirements without any issues. The only thing you will have to keep in mind is that DMVPN is only supported on IOS routers (ISRs, 7200 etc.), so you cannot use the VPN3020 or ASA as part of the DMVPN network, although you can always connect to them with plain Site-to-Site tunnels while DMVPN is being used for the other IOS VPN routers. More details with sample configs are available at: www.cisco.com/go/dmvpn


Hope this helps,

Rgds,

Aamir

ivanwood Fri, 10/05/2007 - 15:40
User Badges:

Aamir,

I was going to use ISRs for the setup (3845s for the head end and 1800s for the remote side). I cannot find any information on a primary (preferred) tunnel and a secondary (backup) tunnel in DMVPN. It seems to be more for 2 concurrent tunnels that will both participate in routing protocols. If they both participate, then I end up with a routing loop with the WAN. Is there a way to have only one tunnel be "active" and participating in routing, and then, when there is a failure in that tunnel interface, fail over to the other tunnel interface and start routing protocols with the backup head-end device?


Thank you.
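Ivan's dual-hub question and Clarson's earlier aggressive-mode question (answered above with `crypto isakmp aggressive-mode disable`) can both be illustrated on one DMVPN spoke. The following is an added example, not Aamir's reply and not taken from the Cisco DMVPN documents he links: a spoke with two mGRE tunnels, one per hub, where EIGRP prefers the primary hub because the backup tunnel carries a higher interface delay, and IKE refuses aggressive mode. All addresses (hub1 198.51.100.1 / 10.0.0.1, hub2 198.51.100.2 / 10.0.1.1, spoke LAN 192.168.11.0/24), names, the EIGRP AS number, the delay value and the `<...>` secrets are assumptions.

```cisco
! Added example, not from the thread. Addresses, names and <secrets> are assumed.
! DMVPN spoke (e.g. an 18xx ISR) with a primary and a backup hub.
!
! IKE: wildcard pre-shared key so any hub matches by address, and aggressive
! mode disabled so only main mode is negotiated (Clarson's audit requirement).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <DMVPN-PSK> address 0.0.0.0 0.0.0.0
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Tunnel0: primary DMVPN cloud, registers with hub 1
interface Tunnel0
 description DMVPN primary (hub 1)
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRPKEY>
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp holdtime 300
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF shared
!
! Tunnel1: backup cloud, registers with hub 2. Both tunnels stay up and both
! EIGRP adjacencies form; the larger delay (units of 10 us, tunnel default is
! 50000) gives every prefix learned from hub 2 a worse metric, so the spoke
! forwards via Tunnel0 and switches to Tunnel1 only when the Tunnel0 neighbor
! is lost. A different 'tunnel key' and NHRP network-id keep the two clouds
! apart; 'shared' lets both tunnels use the same source interface for IPsec.
interface Tunnel1
 description DMVPN backup (hub 2)
 ip address 10.0.1.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 100000
 ip nhrp authentication <NHRPKEY>
 ip nhrp map 10.0.1.1 198.51.100.2
 ip nhrp map multicast 198.51.100.2
 ip nhrp network-id 101
 ip nhrp nhs 10.0.1.1
 ip nhrp holdtime 300
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile DMVPN-PROF shared
!
router eigrp 1
 network 10.0.0.0 0.0.1.255
 network 192.168.11.0
 no auto-summary
!
! Verification:
! show crypto isakmp sa      -> MM_ACTIVE for both hubs (main mode, no AG_ states)
! show ip eigrp neighbors    -> one neighbor on Tunnel0, one on Tunnel1
! show ip route eigrp        -> central prefixes via Tunnel0 while it is healthy
! show dmvpn                 -> both NHS entries registered
```

The same asymmetry must be applied on the hub side: the backup hub's mGRE tunnel gets the higher delay as well, so the central sites return traffic to the spoke via hub 1 while it is up. Because the spoke LAN is then advertised into the core with a worse metric through hub 2, the two head ends hold an ordered primary/backup view of each spoke instead of two equal paths, which is what avoids the loop through the MPLS/BGP WAN that Ivan describes.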
