
ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss the configuration and troubleshooting of the remote-access VPN tunnel on Cisco devices with Cisco expert Jazib Frahim. Jazib started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco’s Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Jazib holds two CCIEs, one in routing and switching and the other in security.

Remember to use the rating system to let Jazib know if you have received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 5, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

New Member

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Hi Jazib. Good to have you in the forum. Here's my query.

How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing to use the pool created on the AAA server. Can someone help me with this command?

sebastan

Bronze

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Sebastan,

With a AAA server, you can send the name of the IP pool that you want to assign an address from. Here is a sample configuration that can help you:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Hi Jazib. I am not able to refer to the link you have sent to me. It asks for a login, which I don't have. Can you help?

Regards

sebastan

Bronze

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

New Member

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Hi Jazib,

I have one PIX 525 at central site configured with EZVPN Server, and two remote sites; each site uses a PIX 501 with cable modem and is configured as EZVPN client and network-extension-mode. All the PCs and IP phones on the remote LANs could communicate with the networks at the central office behind the PIX 525, but the PC or IP phone at one remote office could not communicate with the PC or IP phone at the other remote office. Any workaround or solutions? Thanks in advance.

Bronze

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

If you are using 7.x code, there is a feature in there to allow IPsec hairpinning. With that feature you can send traffic from one spoke to another through the hub site.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Hi, Jazib

Nice to have you on the forum.

Here's my question:

I have two sites connected to the Internet using ADSL and dynamic IPs. Is there any way to configure a tunnel between the routers without using static IPs? Perhaps mapping an IP host to a domain name (using a dynamic DNS and DDNS updates on the router), and using that host as the tunnel destination. The tunnel would be used by ODR, so it would not have to be up all the time nor for long periods of time. If the IP address of one of the routers would change and drop the tunnel, the other router could perform a DNS lookup to resolve the new IP.

Is this scenario possible? How would the config be?

I know that you can configure the tunnel destination using a domain name, but it is replaced by the resolved IP address in the running config, so the router would not perform a DNS lookup the next time the tunnel is used (...and the IP address would be outdated).

As always, any info will be much appreciated.

Regards,

Eduardo

Bronze

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Hi Eduardo,

Is it possible to get a static IP address at least for one site? If so, then the configuration will be doable and you can set up an IPSec tunnel in any way you like.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT–TROUBLESHOOTING REMOTE ACCESS VPNs

Thanks, Jazib.

Yes, that's possible. I think we'll do that.

Do you have a document for the config (preferably that doesn't need a CCO account)?

Thanks very much for your help, Jazib.

Regards,

Eduardo
