Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss configuration and troubleshooting of the remote-access VPN tunnel on Cisco devices with Cisco expert Jazib Frahim. Jazib started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Jazib holds two CCIEs, one in routing and switching and the other in security.
Remember to use the rating system to let Jazib know if you have received an adequate response.
Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 5, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Jazib. Good to have you in the forum. Here's my query.
How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing to use the pool created on the AAA server. Can someone help me with this command?
With a AAA server, you can send the name of the IP pool that you want to assign an address from. Here is a sample configuration that can help you.
hope that helps
Hi Jazib. I am not able to refer to the link you have sent to me. It asks for a login, which I don't have. Can you help?
I have one PIX 525 at the central site configured as an EZVPN server, and two remote sites; each site uses a PIX 501 with a cable modem, configured as an EZVPN client in network-extension-mode. All the PCs and IP phones on the remote LANs can communicate with the networks at the central office behind the PIX 525, but a PC or IP phone at one remote office cannot communicate with a PC or IP phone at the other remote office. Any workaround or solutions? Thanks in advance.
If you are using 7.x code, there is a feature in there to allow IPsec hairpinning. With that feature you can send traffic from one spoke to another through the hub site.
Hope that helps
Nice to have you on the forum.
Here's my question:
I have two sites connected to the Internet using ADSL and dynamic IPs.
Is there any way to configure a tunnel between the routers without using static IPs?
Perhaps mapping an IP host to a domain name (using dynamic DNS and DDNS updates on the router),
and using that host as the tunnel destination. The tunnel would be used by ODR,
so it would not have to be up all the time nor for long periods of time.
If the IP address of one of the routers would change and drop the
tunnel, the other router could perform a DNS lookup to resolve the new IP.
Is this scenario possible? How would the config be?
I know that you can configure the tunnel destination using a domain name, but
it is replaced by the resolved IP address in the running config, so the router
would not perform a DNS lookup the next time the tunnel is used (...and the IP address
would be outdated).
As always, any info will be much appreciated.
Is it possible to get a static IP address for at least one site? If so, then the configuration will be doable and you can set up an IPSec tunnel in any way you like.
Hope that helps
Yes, that's possible. I think we'll do that.
Do you have a document for the config (preferably one that doesn't need a CCO account)?
Thanks very much for your help, Jazib.