
New Member

Satellite VPN

I have an IPSEC VPN across a satellite connection. My satellite provider provides TCP acceleration from both ends to make the experience better, which it does for most traffic. However, with my IPSEC VPN (router on my end and pix on the other), the traffic is encrypted in UDP 500 traffic so the TCP headers are never seen and can't be accelerated. My thought on this is to use IPSEC over TCP, much like some people do when NAT comes into play or some weird firewall. Would this work? If I configure my 2811 to use IPSEC over TCP (isakmp ctcp port 45 or something similar), then the TCP acceleration would be able to do its job. My only fear is the PIX 515e on the other end of the tunnel won't support this feature. Any help is appreciated.

21 REPLIES
Super Bronze

Satellite VPN

Hi,

The Command Reference for PIX software 7.0 does include the following command. I have never tried this, but it does seem to point to the fact that you could configure what you are talking about.

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1645243

isakmp ipsec-over-tcp

To enable IPSec over TCP, use the isakmp ipsec-over-tcp command in global configuration mode. To disable IPSec over TCP, use the no form of this command.

isakmp ipsec-over-tcp [port port1...port10]

no isakmp ipsec-over-tcp [port port1...port10]

Syntax Description


port port1...port10

(Optional) Specifies the ports on which the device accepts IPSec over TCP connections. You can list up to 10 ports. Port numbers can be in the range 1-65535. The default port number is 10000.

Defaults

The default value is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)

Global configuration

Command History

Release | Modification

7.0 | This command was introduced.

Examples

This example, entered in global configuration mode, enables IPSec over TCP on port 45:

hostname(config)# isakmp ipsec-over-tcp port 45

- Jouni

New Member

Satellite VPN

OK, I'll give it a shot. Thanks!

New Member

Hi Robert, did you finally

Hi Robert, did you finally manage to get the IPSec tunnel working and TCP accelerated using Easy VPN with ctcp?
 

Satellite VPN

Hi,

Are we talking about a L2L tunnel?

The isakmp ipsec-over-tcp port command enables the PIX to connect to a Cisco VPN Software and Hardware Client on any port for IPsec over TCP, not L2L tunnels.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080645722.shtml#intro

Please let me know if you have any questions.

New Member

Re: Satellite VPN

Oh, actually, yeah, I guess it would be an L2L tunnel. What is my situation considered then? Pix 515E to 2811. All traffic going to the Pix LAN gets caught by a route-map; otherwise all traffic goes out to the regular internet. Oh, and the goal of this whole project is to extend VOIP services to users hanging off of satellite. CUCM is located behind the PIX, and satellite users use a local CME with an H323 trunk to CUCM.

Re: Satellite VPN

Hi Robert,

Since you have a Router and a PIX, I would suggest Easy VPN. With this topology IPsec over TCP is supported.

Defining which one is the client and which the server is up to you.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html#wp1017851

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdm5505.pdf

Please let me know.

* Please do not forget to rate the posts if you find some help.

New Member

Re: Satellite VPN

OK, I might try that method. If I do it this way, do you think my satellite's TCP acceleration will kick in and help things?

Re: Satellite VPN

Dear Robert,

As long as the VPN connection gets established with IPsec over TCP on port 10000, the ISP will see these packets traversing their transit networks. I just hope this TCP acceleration does not manipulate or change the TCP packet in a way that the tunnel would not work; however, this is something you might want to try since it is quite simple to test.

Please let me know.

Thanks.

New Member

Re: Satellite VPN

OK, I'll try it tonight. Just to make sure, I need to apply isakmp ctcp port 10000 on both devices?

Re: Satellite VPN

Yes, it would be better.

Thanks.

New Member

Re: Satellite VPN

OK. My pix also terminates other VPN tunnels that use the standard UDP 500 port. If I apply this command, will it break those connections, or will it allow the PIX to use either one?

Re: Satellite VPN

Should not be a problem.

If the client does not have IPsec over TCP enabled, then it will not use it.

LAN-to-LANs will ignore it.

Keep me posted.

Thanks in advance.

New Member

Re: Satellite VPN

Will do! Thanks!

New Member

Re: Satellite VPN

OK, so I tried it remotely from my office and ended up kicking the router off the VPN. I used the below link to configure the 2811. On the PIX I just created another client policy with the ASDM. However, the link never came back up. Do I have to do any static routing at the 2811 or on the PIX for each other's LAN to work with EZVPN?

http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html

Re: Satellite VPN

Did you try with IPsec over TCP enabled?

Please try it first without this feature enabled.

Which device is acting as the server and which as the client?

Thanks.

New Member

Re: Satellite VPN

No, I turned it on and then turned off the crypto map command and left the client one in there. I am watching my PIX log (pix is server and 2811 is client) and Phase 1 completes, but Phase 2 doesn't. Now I'm stuck because the remote end lost connectivity and I don't have anyone there to get in right now. Any ideas of what I missed?

Re: Satellite VPN

We would need the configuration of both units to identify the issue.

Please share that information.

Thanks.

New Member

Re: Satellite VPN

Will do.

New Member

Re: Satellite VPN

OK, attached are the configs. I left both versions of IPSEC on the 2811 so that I could still remote in. Again, the PIX logs show that Phase 1 completes, but then Phase 2 never completes.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.04.11 12:12:43 =~=~=~=~=~=~=~=~=~=~=~=

show run

Building configuration...

Current configuration : 12673 bytes

!

! Last configuration change at 19:12:30 UTC Wed Apr 11 2012 by craigrobertlee

! NVRAM config last updated at 19:12:25 UTC Wed Apr 11 2012 by craigrobertlee

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname craig_afg_router

!

boot-start-marker

boot system flash:c2800nm-adventerprisek9_ivs-mz.124-24.T7.bin

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

no logging console

enable secret 5 XXXXXXXX

!

no aaa new-model

!

!

!

dot11 syslog

ip source-route

!

!

ip cef

!

ip dhcp pool DATA

   network 192.168.10.0 255.255.255.0

   default-router 192.168.10.1

   option 150 ip 192.168.11.1

   dns-server 109.235.205.49 109.235.204.7

!

ip dhcp pool VOICE_LAN

   network 192.168.11.0 255.255.255.0

   default-router 192.168.11.1

   option 150 ip 192.168.11.1

!

!

ip domain name craig.net

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW bittorrent

ip inspect name FW http

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

voice service voip

allow-connections h323 to h323

fax protocol cisco

h323

sip

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

dspfarm

dsp services dspfarm

!

!

!

username craigrobertlee privilege 15 password 7 XXXXXXXXXXX

!

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key XXXXXXXX address 68.0.184.178 no-xauth

!

!

crypto ipsec transform-set SET1 esp-3des esp-md5-hmac

crypto ipsec transform-set SET2 esp-3des esp-sha-hmac

crypto ipsec transform-set SET3 esp-aes esp-sha-hmac

crypto ipsec transform-set SET4 esp-3des esp-md5-hmac comp-lzs

!

crypto ipsec client ezvpn VPN1

connect auto

group afghanclient key XXXXXXX

mode network-extension

username afghanrouter password XXXXXXXX

xauth userid mode local

!

!

crypto map ipsec-maps 10 ipsec-isakmp

set peer 68.0.X.X

set security-association idle-time 60

set transform-set SET1

match address 102

qos pre-classify

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

ip ssh time-out 60

ip ssh source-interface Vlan1

ip ssh rsa keypair-name craigkey

ip ssh version 2

!

class-map match-any WEB_BROWSERS

match protocol dns

match protocol secure-http

class-map match-all TORRENTS

match protocol bittorrent

match protocol edonkey

match protocol directconnect

match protocol fasttrack

match protocol gnutella

match protocol kazaa2

class-map match-any packet-40

match packet length min 40 max 89

class-map match-any packet-90

match packet length min 90 max 159

class-map match-any VOIP_PHONES

match protocol rtp

match  dscp ef

match access-group 103

class-map match-any VOIP_SOFTWARE

match protocol h323

match protocol skype

class-map match-any DOWNLOADERS

match protocol ftp

match protocol secure-ftp

!

!

policy-map PRIORITIZE_PROTOCOLS

class VOIP_PHONES

    bandwidth percent 28

class VOIP_SOFTWARE

    bandwidth percent 20

class WEB_BROWSERS

    bandwidth percent 50

class DOWNLOADERS

    bandwidth percent 1

  set dscp cs1

class TORRENTS

   drop

class class-default

    fair-queue

policy-map POLICE

class class-default

    shape average 200000 220000 0

  service-policy PRIORITIZE_PROTOCOLS

!

!

!

!

!

interface FastEthernet0/0

description Link to SAT Modem

bandwidth 240

bandwidth receive 900

ip address 109.235.X.X 255.255.255.252

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect FW out

no ip virtual-reassembly

load-interval 30

duplex auto

speed auto

crypto map ipsec-maps

crypto ipsec client ezvpn VPN1

service-policy output POLICE

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1/0

description Trunk to Switch

switchport mode trunk

load-interval 30

!

interface FastEthernet0/1/1

description David Gray/Javier Aanonsen

switchport voice vlan 11

load-interval 30

spanning-tree portfast

!

interface FastEthernet0/1/2

description Wireless Router

switchport voice vlan 11

!

interface FastEthernet0/1/3

description Craig

switchport voice vlan 11

!

interface FastEthernet0/1/4

description Thomas Coulbourne

switchport voice vlan 11

shutdown

!

interface FastEthernet0/1/5

description Keith Sifford

switchport voice vlan 11

!

interface FastEthernet0/1/6

description Joe Jordan

switchport voice vlan 11

!

interface FastEthernet0/1/7

description Rene Mendez

switchport voice vlan 11

shutdown

!

interface FastEthernet0/1/8

description Wayne Bradley

switchport voice vlan 11

shutdown

!

interface GigabitEthernet0/2/0

no ip address

shutdown

negotiation auto

!

interface Vlan1

description DATA VLAN

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip inspect FW in

no ip virtual-reassembly

crypto ipsec client ezvpn VPN1 inside

!

interface Vlan11

description VOICE LAN

ip address 192.168.11.1 255.255.255.0

ip nat inside

no ip virtual-reassembly

h323-gateway voip bind srcaddr 192.168.11.1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 109.235.205.49

no ip http server

no ip http secure-server

!

ip flow-cache timeout active 5

ip flow-export version 5

ip flow-export destination 192.168.1.10 2055

ip flow-export destination 192.168.10.36 2055

!

ip nat inside source route-map nonat interface FastEthernet0/0 overload

!

access-list 5 remark SSH_ACL

access-list 5 permit 192.168.10.0 0.0.0.255

access-list 5 permit 192.168.0.0 0.0.3.255

access-list 6 permit 192.168.1.10

access-list 6 remark SNMP

access-list 6 permit 192.168.10.0 0.0.0.255

access-list 101 remark NO_NAT

access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 101 permit ip 192.168.11.0 0.0.0.255 any

access-list 102 remark CRAIG_HOME_VPN

access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 permit ip 192.168.11.0 0.0.0.255 any

!

!

!

!

route-map nonat permit 10

match ip address 101

!

!

snmp-server community CRAIGNET RW 6

snmp-server trap-source Vlan1

snmp-server source-interface informs Vlan1

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps vrrp

snmp-server enable traps ds1

snmp-server enable traps gatekeeper

snmp-server enable traps tty

snmp-server enable traps eigrp

snmp-server enable traps xgcp

snmp-server enable traps flash insertion removal

snmp-server enable traps adslline

snmp-server enable traps ds3

snmp-server enable traps envmon

snmp-server enable traps icsudsu

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps isdn chan-not-avail

snmp-server enable traps isdn ietf

snmp-server enable traps ds0-busyout

snmp-server enable traps ds1-loopback

snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config

snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up

snmp-server enable traps license

snmp-server enable traps disassociate

snmp-server enable traps deauthenticate

snmp-server enable traps authenticate-fail

snmp-server enable traps dot11-qos

snmp-server enable traps switch-over

snmp-server enable traps rogue-ap

snmp-server enable traps wlan-wep

snmp-server enable traps aaa_server

snmp-server enable traps atm subif

snmp-server enable traps bgp

snmp-server enable traps bstun

snmp-server enable traps bulkstat collection transfer

snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency

snmp-server enable traps memory bufferpeak

snmp-server enable traps cnpd

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps dial

snmp-server enable traps dlsw

snmp-server enable traps dsp card-status

snmp-server enable traps dsp oper-state

snmp-server enable traps entity

snmp-server enable traps fru-ctrl

snmp-server enable traps resource-policy

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps frame-relay

snmp-server enable traps frame-relay subif

snmp-server enable traps hsrp

snmp-server enable traps ipmobile

snmp-server enable traps ipmulticast

snmp-server enable traps mpls ldp

snmp-server enable traps mpls traffic-eng

snmp-server enable traps mpls fast-reroute protected

snmp-server enable traps msdp

snmp-server enable traps mvpn

snmp-server enable traps ospf state-change

snmp-server enable traps ospf errors

snmp-server enable traps ospf retransmit

snmp-server enable traps ospf lsa

snmp-server enable traps ospf cisco-specific state-change nssa-trans-change

snmp-server enable traps ospf cisco-specific state-change shamlink interface-old

snmp-server enable traps ospf cisco-specific state-change shamlink neighbor

snmp-server enable traps ospf cisco-specific errors

snmp-server enable traps ospf cisco-specific retransmit

snmp-server enable traps ospf cisco-specific lsa

snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message

snmp-server enable traps pppoe

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps ipsla

snmp-server enable traps stun

snmp-server enable traps syslog

snmp-server enable traps l2tun session

snmp-server enable traps l2tun pseudowire status

snmp-server enable traps vtp

snmp-server enable traps pw vc

snmp-server enable traps event-manager

snmp-server enable traps firewall serverstatus

snmp-server enable traps rf

snmp-server enable traps isakmp policy add

snmp-server enable traps isakmp policy delete

snmp-server enable traps isakmp tunnel start

snmp-server enable traps isakmp tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

snmp-server enable traps ccme

snmp-server enable traps srst

snmp-server enable traps mpls vpn

snmp-server enable traps voice

snmp-server enable traps dnis

snmp-server host 192.168.1.10 version 2c CRAIGNET

!

control-plane

!

!

!

!

!

!

dspfarm profile 20 transcode 

codec g711ulaw

codec g711alaw

codec g729ar8

codec g729abr8

maximum sessions 4

!

!

dial-peer voice 1 voip

description 11 Digit Dialing

destination-pattern 1[2-9].........

session target ipv4:192.168.2.5

dtmf-relay h245-alphanumeric

no vad

!

dial-peer voice 2 voip

description 10 Digit Dialing

destination-pattern [2-9].........

session target ipv4:192.168.2.5

dtmf-relay h245-alphanumeric

no vad

!

dial-peer voice 3 voip

destination-pattern 10..

session target ipv4:192.168.2.5

dtmf-relay h245-alphanumeric

no vad

!

dial-peer voice 4 voip

incoming called-number .

dtmf-relay h245-alphanumeric

no vad

!

dial-peer voice 5 voip

description International Dialing

destination-pattern 9800*

session target ipv4:192.168.2.5

dtmf-relay h245-alphanumeric

no vad

!

!

!

!

gatekeeper

shutdown

!

!

telephony-service

video

max-ephones 10

max-dn 10

ip source-address 192.168.11.1 port 2000

auto assign 1 to 1

service phone VideoCapability 1

service phone videoCapability 1

max-conferences 8 gain -6

transfer-system full-consult

create cnf-files version-stamp 7960 Mar 09 2012 00:47:38

!

!

ephone-dn  1  dual-line

number 2001

!

!

ephone-dn  2  dual-line

number 2002

!

!

ephone-dn  3  dual-line

number 2003

!

!

ephone  1

no phone-ui speeddial-fastdial

no phone-ui snr

no multicast-moh

device-security-mode none

video

mac-address 0019.E89A.834F

codec g729r8

type 7911

!

!

!

ephone  2

device-security-mode none

video

mac-address B8AC.6F79.3677

codec g729r8

type CIPC

button  1:2

!

!

!

ephone  3

device-security-mode none

mac-address 0019.E89A.8E4F

codec g729r8

type 7911

button  1:1

!

!

!

ephone  4

device-security-mode none

video

mac-address 001F.166B.89D3

codec g729r8

type CIPC

button  1:3

!

!

!

line con 0

exec-timeout 0 0

login local

line aux 0

line vty 0 4

access-class 5 in

login local

transport input ssh

line vty 5 15

login

no exec

!

scheduler allocate 20000 1000

ntp server 192.43.244.18

end

craig_afg_router#exit

New Member

Re: Satellite VPN

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.04.11 12:38:43 =~=~=~=~=~=~=~=~=~=~=~=

show run

: Saved

:

PIX Version 8.0(4)28

!

hostname 10

domain-name dyndns-at-home.com

enable XXXXXX encrypted

passwd XXXXXX encrypted

names

name 192.168.3.0 WIFI_LAN

!

interface Ethernet0

nameif outside

security-level 0

ip address 192.168.0.2 255.255.255.252

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.128

!

interface Ethernet1.2

vlan 2

nameif VLAN2

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet1.3

vlan 3

nameif VLAN3

security-level 100

ip address 192.168.1.253 255.255.255.252

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name dyndns-at-home.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service radius udp

port-object range 1812 1813

object-group service DM_INLINE_UDP_1 udp

port-object eq snmp

port-object eq snmptrap

object-group network DM_INLINE_NETWORK_2

network-object 192.168.1.0 255.255.255.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 192.168.10.0 255.255.255.0

network-object 192.168.11.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit udp host 192.168.0.1 host 192.168.1.126 range 1812 1813

access-list outside_access_in extended permit udp host 192.168.0.5 host 192.168.1.10 object-group DM_INLINE_UDP_1

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list VLAN2_access_in extended permit icmp any any

access-list VLAN2_access_in extended permit tcp any any

access-list VLAN2_access_in extended permit udp any any

access-list vpnclient_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit WIFI_LAN 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.11.0 255.255.255.0

access-list voice_client_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.252.0 192.168.16.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 192.168.16.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 192.168.15.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.128 192.168.2.96 255.255.255.224

access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.252.0 192.168.15.0 255.255.255.0

access-list VLAN3_access_in extended permit icmp any any

access-list VLAN3_access_in extended permit tcp any any

access-list VLAN3_access_in extended permit udp any any

access-list VLAN2_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.96 255.255.255.224

access-list afghanclient_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu VLAN2 1500

mtu VLAN3 1500

ip local pool vpn_client_pool 192.168.2.101-192.168.2.120 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_outbound

nat (VLAN2) 0 access-list VLAN2_nat0_outbound

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group VLAN2_access_in in interface VLAN2

access-group VLAN3_access_in in interface VLAN3

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route VLAN3 WIFI_LAN 255.255.255.0 192.168.1.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.1.126

key XXXXXXXX

authentication-port 1812

accounting-port 1813

radius-common-pw XXXXXXXX

aaa authentication telnet console RADIUS LOCAL

aaa authentication ssh console RADIUS LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http WIFI_LAN 255.255.255.0 VLAN3

http 192.168.2.0 255.255.255.0 VLAN2

http 192.168.10.0 255.255.255.0 outside

snmp-server host inside 192.168.1.10 community craighome1 version 2c

snmp-server location Home

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

sysopt connection timewait

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 184.179.X.X

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 174.79.X.X

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set peer 109.235.X.X

crypto map outside_map 4 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map VLAN2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map VLAN2_map interface VLAN2

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp enable VLAN2

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.2.0 255.255.255.0 VLAN2

ssh 192.168.10.0 255.255.255.0 VLAN2

ssh WIFI_LAN 255.255.255.0 VLAN3

ssh timeout 5

console timeout 0

management-access VLAN2

dhcpd address 192.168.1.50-192.168.1.100 inside

dhcpd dns 8.8.8.8 8.8.8.8 interface inside

dhcpd option 150 ip 192.168.2.5 interface inside

dhcpd option 3 ip 192.168.1.1 interface inside

dhcpd enable inside

!

dhcpd address 192.168.2.100-192.168.2.115 VLAN2

dhcpd dns 8.8.8.8 8.8.4.4 interface VLAN2

dhcpd option 3 ip 192.168.2.1 interface VLAN2

dhcpd option 150 ip 192.168.2.5 interface VLAN2

dhcpd enable VLAN2

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy vpnclient internal

group-policy vpnclient attributes

banner value Welcome to the ATW (Arizona Hub) Network...

dns-server value 192.168.1.252 8.8.8.8

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnclient_splitTunnelAcl

group-policy afghanclient internal

group-policy afghanclient attributes

dns-server value 192.168.1.126

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value afghanclient_splitTunnelAcl

default-domain value craignetwork.net

group-policy voice_client internal

group-policy voice_client attributes

banner value Welcome to the Craig Voice network...

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value voice_client_splitTunnelAcl

username craigrobertlee password XXXXXX encrypted privilege 15

username jonathan.thiessen password XXXXXXXXXX encrypted

username jonathan.thiessen attributes

vpn-group-policy vpnclient

service-type remote-access

username rene.mendez password XXXXXXx encrypted

username rene.mendez attributes

vpn-group-policy vpnclient

service-type remote-access

username afghanrouter password XXXXXXXXxx encrypted privilege 0

username afghanrouter attributes

vpn-group-policy afghanclient

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

address-pool vpn_client_pool

authentication-server-group RADIUS LOCAL

default-group-policy vpnclient

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

tunnel-group 184.179.X.X type ipsec-l2l

tunnel-group 184.179.X.X ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

isakmp keepalive disable

tunnel-group 174.79.X.X type ipsec-l2l

tunnel-group 174.79.X.X ipsec-attributes

pre-shared-key *

tunnel-group voice_client type remote-access

tunnel-group voice_client general-attributes

address-pool vpn_client_pool

default-group-policy voice_client

tunnel-group voice_client ipsec-attributes

pre-shared-key *

tunnel-group afghanclient type remote-access

tunnel-group afghanclient general-attributes

address-pool vpn_client_pool

default-group-policy afghanclient

tunnel-group afghanclient ipsec-attributes

pre-shared-key *

tunnel-group 109.235.X.X type ipsec-l2l

tunnel-group 109.235.X.X ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e36be22e54d44c329a8cbbee6cf07535

: end

New Member

Re: Satellite VPN

Did anyone see where I miss something?
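A consistency check over the two configurations posted above, added here as an example and not code from the thread or from Cisco: it parses the router's Easy VPN client block and the PIX's tunnel-group and group-policy blocks and lists the settings that have to agree on both ends (the IPsec-over-TCP port, the group name, and the network-extension mode attribute on the server). It only reports what to verify; whether a reported mismatch is the cause of the Phase 2 failure is not something a config diff can decide.

```python
import re

# Constructed excerpts of the two "show run" outputs posted above, with the
# sub-mode indentation the forum copy lost restored; secrets masked as posted.
ROUTER_CFG = """\
crypto ipsec client ezvpn VPN1
 connect auto
 group afghanclient key XXXXXXX
 mode network-extension
 username afghanrouter password XXXXXXXX
 xauth userid mode local
!
crypto ctcp port 10000
"""
PIX_CFG = """\
group-policy afghanclient internal
group-policy afghanclient attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value afghanclient_splitTunnelAcl
tunnel-group afghanclient type remote-access
tunnel-group afghanclient general-attributes
 address-pool vpn_client_pool
 default-group-policy afghanclient
crypto isakmp ipsec-over-tcp port 10000
"""

def sections(cfg):
    """Split a Cisco-style config into {top-level line: [sub-mode lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            cur = None
        elif line[0] != " ":
            cur = line.strip()
            out.setdefault(cur, [])
        elif cur is not None:
            out[cur].append(line.strip())
    return out

def first(pattern, lines):
    """First capture group of `pattern` matched at the start of any line."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None

def parse_client(cfg):
    """Easy VPN client settings from an IOS config."""
    s = sections(cfg)
    client = {"ctcp_port": first(r"crypto ctcp port (\d+)", s)}
    for hdr, body in s.items():
        if hdr.startswith("crypto ipsec client ezvpn "):
            client["group"] = first(r"group (\S+) key", body)
            client["mode"] = first(r"mode (\S+)", body)
    return client

def parse_server(cfg):
    """Tunnel-groups and group-policies from an ASA/PIX config."""
    s = sections(cfg)
    srv = {"tunnel_groups": {}, "tg_policy": {}, "group_policies": {},
           "tcp_port": first(r"crypto isakmp ipsec-over-tcp port (\d+)", s)}
    for hdr, body in s.items():
        m = re.match(r"tunnel-group (\S+) (type|general-attributes)", hdr)
        if m and m.group(2) == "type":
            srv["tunnel_groups"][m.group(1)] = hdr.split()[-1]
        elif m:
            srv["tg_policy"][m.group(1)] = first(r"default-group-policy (\S+)", body)
        m = re.match(r"group-policy (\S+) attributes", hdr)
        if m:
            srv["group_policies"][m.group(1)] = body
    return srv

def check(client, srv):
    """Return the client/server mismatches worth verifying, as strings."""
    findings, group = [], client.get("group")
    if client["ctcp_port"] != srv["tcp_port"]:
        findings.append("IPsec-over-TCP port: router %s vs PIX %s"
                        % (client["ctcp_port"], srv["tcp_port"]))
    if srv["tunnel_groups"].get(group) != "remote-access":
        findings.append("no remote-access tunnel-group %r on the PIX" % group)
    # An IOS client in network-extension mode needs 'nem enable' in the
    # group-policy the server applies to it; the attribute is off by default.
    if client.get("mode") == "network-extension":
        policy = srv["tg_policy"].get(group) or group
        if "nem enable" not in srv["group_policies"].get(policy, []):
            findings.append("client is in network-extension mode but group-policy "
                            "%r has no 'nem enable'" % policy)
    return findings

def audit(router_cfg=ROUTER_CFG, pix_cfg=PIX_CFG):
    return check(parse_client(router_cfg), parse_server(pix_cfg))
```

Run against the posted excerpts, `audit()` reports only the missing `nem enable` on the afghanclient group-policy; the ctcp port and tunnel-group name line up on both ends.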
