Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Remote Access VPN Solutions with Cisco expert Pete Davis. Pete Davis is a Product Manager in VSec VPN Security Business Unit. He is responsible for driving new VPN-related products and features. Remember to use the rating system to let Pete know if you have received an adequate response.
Pete might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 30. Visit this forum often to view responses to your questions and the questions of other community members.
I was wondering if there was any chance we are going to see support for multicast traffic on the VPN 3000 series? If so can you give a ballpark as to when? Thanks in advance!
Thanks for your inquiry. We do not yet have definitive availability information for Multicast support on the VPN 3000 Concentrator.
I wonder if you could give me an answer on this:
When setting up Remote Access EasyVPNs in Network Extension Mode, using PIX 501s to connect to a VPN 3030 Concentrator, can I use our Cisco Secure RADIUS (ACS for NT 3.0) to configure groups?
Or am I bound to use groups configured internally on the VPN 3030 Concentrator?
Thanks in advance!
You are required to define the group name on the device itself, including the link to a certificate or pre-shared key. You are able to define the permissions for the group on a RADIUS server, although most customers choose to do this locally on the device.
Thanks for the info Pete!
Any idea why the "Allow Network Extension Mode" checkbox is missing as a group attribute in our ACS?
I have marked all the RADIUS 3000 attributes under "Interface Configuration" to be displayed on the group properties page, but I don't see the checkbox mentioned above.
Unfortunately this attribute seems to have been missed while compiling the list of available attributes. My suggestion would be to open up a TAC case so that a bug can be filed against Cisco Secure ACS. Engineering can then work with your TAC engineer to help provide you with a fix.
Hi again Pete!
I had this forwarded to Cisco support as you suggested and the answer I got was that the missing attribute was added in ACS 3.1.
I haven't confirmed this yet though, since we're using ACS 3.0.
I have an ACS for user authentication, and this ACS is mapping my corporate LDAP. I want to use Domain Markup to filter my RAS connections. The remote users can begin with u010*, u011*, u012* and u013*. How can I configure my LDAP connection so that only users with these prefixes can log on?
Thanks in advance,
But when I try to configure more LDAP connections, I get the following error: LDAP Server not reachable.
I have Cisco ACS 3.0.(1) Build 32.
The strange thing is that the first connection works fine, but the next connections don't work.
Any idea?
You may want to double check the configuration of the second instance. If it still fails, the best route would probably be to open up a case with the Cisco TAC so that one of our Support Engineers can help troubleshoot the problem and determine if there is a misconfiguration or bug. Most likely the TAC will suggest a server software upgrade as part of the troubleshooting process.
I have upgraded my ACS to 3.0.4, and Windows to SP4, as the TAC told me to do. Now I can make more than one LDAP connection, but when I try to log on over my RAS connection with a user in the LDAP, I receive the following message in the ACS reports: External DB reports an error condition. In the CSAuth log I have this message: AUTH 28/01/2004 15:23:45 A 0266 2108 External DB [DServDll.dll]: Bind Failed to LDAP server sintran.ia.lacaixa.es: 19
AUTH 28/01/2004 15:23:45 A 0266 2108 External DB [DServDll.dll]: Connection FAILED
I don't know what's happening, any idea?
We are using a VPN Concentrator 3030 for remote access and the users need to authenticate through corporate Active Directory. We have enabled a password policy on the AD so that after a password reset, the user needs to change the password at first logon. The problem is that the concentrator will not relay the AD password change prompt. Is there any way to do that in the new version, or is there a workaround?
Unfortunately this capability is not available to us via any native authentication mechanism (NT or AD). If you proxy through Cisco Secure ACS, then with NT Domain authentication you can support NT password expiration (MSCHAPv2) for IPsec connections. The ACS server must be installed on a Primary or Backup Domain Controller (PDC/BDC).
My company is looking to implement VoIP to remote offices using Cisco 831 routers and a Cisco 3725 multiservice router as the termination for the VPNs. We also have 2 PIX 515e firewalls in failover mode. My question is more at the design level. I want the remote offices to use the Cisco 831 router to create a VPN to the 3725 router for VoIP to the call managers. Is it better to run the 3725 in series with the PIX firewall to pass all traffic (voice and data) through the PIX, or in parallel, bypassing the PIX to the call manager VLAN? I figured that the PIX was able to process/filter the IP traffic with little delay, but wasn't sure how it would affect the QoS of VoIP.
These two documents should help answer your design questions.
SAFE: IP Telephony Security in Depth
VOICE AND VIDEO ENABLED IPSEC VPN SOLUTION, Voice and Video Enabled IPSec VPN (V3PN)
We are currently deploying a new VPN for a client who is currently on frame relay. They have 4-5 remote sites which utilize non-IP devices (screens, printers) which run over SDLC. We will be using Cisco switches. Is there middleware/software, or what hardware should we use, to allow the client to maintain the current devices remotely and tunnel the traffic through the IP VPN? And where can I find a resource on this for future reference?
Your client isn't going to make this easy for you. :) Maybe you can recommend converting to IP at the same time.
If you need to support non-IP traffic in a LAN-to-LAN VPN environment, the option that comes to mind would be to utilize IOS routers with GRE in IPsec. This would allow you to pass traffic like SNA. There are middleware 'software' packages out there that would tunnel this non-IP traffic inside IP, in which case you may not need to utilize GRE, but I don't have significant knowledge of such products.
Thanks. Is there another contact within Cisco who may be up on the middleware? Also, I have received 3 notices via e-mail from my first question and I keep seeing the same answer. Is there another way to see more responses to my question if they exist?
I'll check around. If I find anyone that can be of additional assistance, I will let you know.
To the best of my knowledge, the "Notify me by e-mail when there are replies posted" option is supposed to send you a message when a reply is posted. I am not sure why it's generating multiple e-mails from your first question.
Hi Pete, in case you have one VPN Concentrator with multiple groups, each one referring to a different corporate, and with IP addresses assigned by each corporate independently, is there a way to handle overlapping IP addresses on the user side?
Thank you for your help in advance.
Most customers would utilize a group based address pool instead of server assigned addresses. If you utilize server assigned addresses, it would be up to your server (i.e. RADIUS) to ensure that there was no duplication of addresses. The concentrator will not enforce rules for groups to ensure there is no overlap or duplication of addresses provided from an external server.
In my case the VPN is centralized and the corporates want to assign the IP addresses independently. Therefore I need to find a way to handle overlapping IP addresses for the users, or ask the corporates to pick a range from a list of non-overlapping IP addresses. Any idea?
Unfortunately if you're allowing a RADIUS server to supply an address, you will not be able to accomplish this. The only way to do this would be for you to define the address pools for each group on the device.
The VPN Concentrator will not work properly with overlapping address pools. What I was saying is that if you (at the VPN Concentrator) are entering the pools in, you can ensure that they do not overlap. We do not support virtualization of the routing table that would allow for overlapping address pools associated with unique customers to get to the proper end location.
I have a customer who is beginning to move from frame-relay WAN connectivity to VPNs and I'd like to confirm a design situation please.
The network consists of several small sites connected to one of two central sites, with Site #2 being mainly a disaster recovery site. The remote sites have 1721s and the central sites have 3640s with PIX 515es in front of them. However, we can change the hardware if needed.
My intent is to connect primarily to one site, with a second VPN to the alternate site as a backup.
The catch: I would like to switch between the VPNs without running a routing protocol, if possible, in order to minimize the configuration. After it is installed I will hand this to the customer to maintain, and they have a small IT staff. If I can stick with purely IPsec, I can provide them the ease of using the GUI config tools (SDM and PDM) to easily build IPsec tunnels from the outside of the PIX to the remote routers.
However, as I move through the available scenarios in the lab, it looks like a routing protocol, and therefore separate GRE tunnels, are required. Is this correct? Is there no way to use static routes and run only IPsec tunnels?
I'm pretty sure I know the answer to this; but I would sure appreciate your confirmation, or any alternatives.
You're on the right path. To provide the resiliency that you're looking for, you really do want to look at using GRE combined with routing protocols (with IOS). Without doing this, you really don't have the flexibility to have the failover capabilities that you're looking for. If they don't need this backup capability, then you can stick with basic IPsec tunnels from any of our IPsec devices.
We have a pair of 3030s in production and they work well for most of the clients. However, a number of Mac OS X users report some problems with the Cisco client and most want to use the VPN client that is built into Mac OS X. Where can I find information on setting up the 3000 to support this?
Thanks in advance