Cisco VPN :: 2811 VPN Client Connection To IOS Firewall Using Certificates
Nov 2, 2011
I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now I've had VPN clients connecting using PSKs and XAUTH. In order to tighten security, we'd like to move away from PSKs with Aggressive Mode and use certificates with Main Mode. I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've been assigned an IP address from the inside VPN pool and my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic. [code]
I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt). FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much, so I'm not convinced this is a NAT issue. Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now, so the 2811's config may have a lot of unnecessary lines in it at this point.
I'm working on a task to update the SSL certificate for an application: the steps to upgrade the SSL certificate, the things that need to be checked before and after the installation, and how to verify the new certificates.
I want to use a different certificate per connection profile. Is it possible on ASA 8.4?
My first certificate is for vpn.itcom.fr, associated with one connection profile, and my second is for vpn.newitcom.fr, associated with a second connection profile.
Is there an easy way to install an SSL certificate on the ASA, rather than enrolling with a public CA? ASDM has a place to import certificates. Can I just upload an SSL certificate I got from my CA to the ASA, without setting up CA enrollment? And if yes, how can I generate an SSL certificate request from my ASA 8.2?
I am running Cisco Adaptive Security Appliance Software Version 8.3(2), Device Manager Version 6.4(1). This will be used as a VPN gateway. I am having trouble installing our cert. I can install the cert, but it never connects with the correct key. It references trustpoint0 when it is trustpoint1. I deleted all trustpoints and it still happens. That.
vpngw4# sh run | begin rust
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 keypair ASDM_TrustPoint0
 crl configure
crypto ca certificate chain ASDM_TrustPoint1
 certificate 0f8e62
  308203d5.8c
  quit
I deleted both trust points and when I do a sh run both are gone, but when I then import the cert (via ASDM) it creates trustpoint0 again.
I am working with a client to implement QoS for their Lync environment. Lync 2010 has a feature to mark DSCP values based on packets tagged with logical ports. As an example, packets on ports 49000 to 49999 will be marked with DSCP 46 (EF). On the Cisco 2811 router, I am basically honouring the markings set by the application, placing bandwidth priority on them and sending them out to the WAN.
The behaviour that I notice is that when port-based packets are marked with a certain DSCP value by the application, the router policy map doesn't pick up any packet increment for that DSCP. But when all packets, without a port assigned to them, are marked with a certain DSCP value, I can see an increment on the router policy map for that DSCP match. Why is this so?
The client wants Lync to mark the packets with the DSCP value and the router is supposed to honour the marking, schedule the priority and send it out. [code]
I have a Cisco 2811 with the security bundle with IOS 12.4(13r)T. I am planning to use this router as a VPN gateway for the company, i.e.:
1. LAN 2 LAN VPN ( Supporting if remote site is having dynamic IP)
2. Remote access VPN for VPN client
I have configured the router (attached is the configuration). I have not tried to use the LAN-to-LAN VPN yet (first I complete the remote access VPN and then check L2L). I tried to use the remote access VPN: I am able to connect from the VPN client software and got the IP address, but I am unable to ping the servers in the LAN.
I have an SSL VPN set up on my ASA 5520 with a self-signed cert. When I run the AnyConnect install on my desktop machine I have to click through a few windows to accept the certificate. When I connect through the mobile client on Android, the connection goes right through without a prompt to import/choose/download a certificate. I'm able to connect but I'm wondering if the phone has actually received a certificate. I'm in the 'Advanced Connection Editor' screen and the certificate setting says "Automatic".
I have a 2811 Router (config below) with VPN configured. I can connect through the VPN and access devices on the native VLAN, but I can't access the 10.77.5.0 (VLAN 5) network (I don't care to access the 10.77.10.0 - VLAN 10 network). This issue has been plaguing me for quite a while. I believe it's a NAT or ACL issue. The VPN client IP pool is 192.168.77.1 - 192.168.77.10. [code]
I have my router connected to my ISP, but for some reason I am getting a really slow internet connection compared to a home Linksys router. I can only think it may be due to the fact that my port is set to auto speed and auto duplex.
Sometimes the websites are fast, other times slow. I cannot seem to pinpoint the reason since my config is so basic.
We have two 2811 routers with configured interfaces:
Router1
interface FastEthernet0/0.380
 encapsulation dot1Q 380
 ip address 192.168.232.18 255.255.255.248
 no snmp trap link-status
 crypto map clientmap
!
interface FastEthernet0/0.382
 encapsulation dot1Q 382
 ip address 10.132.1.126 255.255.255.252
 no snmp trap link-status
interface Vlan1
 ip address 192.168.5.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 192.168.232.17
ip route 10.132.254.35 255.255.255.255 10.132.1.125
Router2
interface FastEthernet0/0.197
 encapsulation dot1Q 197
 ip address 192.168.222.2 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 no cdp enable
interface Vlan1
 ip address 192.168.1.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
So my case is: a computer on router1's network can ping 192.168.222.2 (router2 - FastEthernet0/0.197); a computer on router2's network can ping 192.168.232.18 (router1 - FastEthernet0/0.380), but can't ping 10.132.1.126 (router1 - FastEthernet0/0.382).
How can I connect VLAN 380 and VLAN 382? I want the three VLANs to see each other. Does this happen with IRB or not?
We just moved to a new place and the ISP here has a bit of a weird connection: they use a cable modem that provides a "local" IP (through DHCP) to the router, and then you have to dial out L2TP to the ISP in order to connect to the internet. This setup works fine with "home" routers like the Linksys; however, I have no clue how to set it up on the 2811.
I have a 2811 that is my HQ router with a 10MB pipe. I was trying to configure an IPsec tunnel to connect to my ASA that has access to our company's internal servers on the 10.33. and 172.16.31 networks. I am having a problem getting phase 1 to even come up. I've looked over the configurations and unless I'm overlooking something I don't see what could be keeping it from at least completing phase 1.
Below are the configs.
2811-CFG
crypto isakmp policy 10
 encr 3des
 hash md5
[Code] ....
For some reason I cannot seem to get a connection between the router and the switch. I see the FE ports on the switch, sh ver includes all 18 FE ports, but it seems that there is no backplane connection. The only way I can get connectivity to the switch module is to jumper between one of the router's FE ports and an NM port. The switch will not accept any IP addressing on the same network as the router because of overlap. Am I just being stupid? My understanding was that this NM would have a backplane connection to the router. Some docs mention a GE connection that should show up, and there were two parts to the config, one to set up the interconnect and then one to set up the switch.
I am trying to implement the URL filtering feature on a Cisco 2811 router, and whenever I enable the parameter-map patterns the router returns (after some time)
%Unable to compile obj regex.[code] The result is that the router blocks ALL web pages without giving a block page message.
I have a 2811 ISR configured to provide the following services to my network:
- Internet access to LAN users
- Cisco Call Manager Express
- Site-to-site VPN to 3rd party networks
- VPN server to provide VPN access to remote users
- Security Zone configurations
- Static NAT configurations
Now I recently got the ASA5510 device and I am not sure how to go about the setup: whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)?
While I know I can move most of the config onto the ASA, I know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
What is the simplest way to create a backup WAN connection? I have set up 2 WAN connections (2 ISPs: 1 is DIA with a fixed IP, 2 is 3G), but if I enable both interfaces and then unplug WAN 1, no traffic goes to WAN 2. I already have the 3G connection enabled all the time (with the command "dialer persistent"). Cisco 2811 + Cisco HWIC-3G.
The router that I have is a 2811, which contains two Fa ports only, so I put an access switch between the two ISPs and Fa0/0, then configured the interface Fa0/0 with two IPs, ISP1 and ISP2 as a secondary.
The problem I faced is that when ISP1 goes down, the other, secondary IP (ISP2) stays down and the internal users have no access to the internet.
We have two logical connections which are connected via 1 physical Ethernet interface to 2 routers in the central sites. Both connections are 2 Mb/s. How can I classify the output traffic in order to shape both directions to 2-2 Mb/s?
There is no suitable "match" command! The branch routers are 2650XM and 2811.
I am pretty new to the configuration of a DMZ and I have the task of setting one up. I have a Cisco 2811 Router running Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3), with 2 FE interfaces. One FE is connected to the WAN, with a loopback interface configured with the public IP for Internet access in the office. The other FE has 2 subinterfaces configured, one for data and the other for voice traffic. Users within the office are configured to use the data VLAN to access the internet through the WAN.
Now we are setting up some new services and we require DMZs to be set up. I want to set up 3 zones now that the different servers would reside in. How can I achieve this using the existing infrastructure I have? I have an idea to create more subinterfaces and assign them to the zones, but I am still not sure how this would play out. I have been on this for the whole day and am unable to make significant progress.
I have attached a drawing of our network. We have two 6509's connected to two Cisco 2811s (onsite) that the ISP owns. I am trying to get one side up and running before I worry about redundancy and so forth. For this reason I have set all the HSRP priorities to 110 on the left 6509. I have HSRP running between the ISP routers and VLAN 101 of the 6509's. This works, as I can ping Yahoo and Google just fine from the 6509 switch. I can't get from my laptop connected to VLAN 23 to the internet.
It doesn't even attempt to NAT, as there are no translations. I have a public address assigned by my ISP configured between the ISP routers and my 6509 on VLAN 101. I then have the public address assigned to VLAN 100. I configured VLAN 100 on the switch and VLAN 100 on the FWSM with the IP address in the drawing. I have my NAT statements and route in my FWSM according to the drawing as well. On the switch, I have a default route to X.X.12.19, which is the VIP between the ISP routers. I can reach anything on the inside of my network, including the old network addresses from VLAN 23.
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?
2. If I have to configure NAT at the FWSM, does this require me to extend the public network down to the FWSM?
3. I'll take any examples you may have, as I am stuck.
I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones: internet, local, and ssl-vpn. The rules I'm trying to enforce are: all traffic from SSL-VPN can go anywhere, and anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn, things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services; .20 and .21 always work fine, .22 and up stop responding.) Remove the interfaces from the ZBFW: no problem at all. Apply the ZBFW: traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet, invalid flags with ip ident 0, which I think is outbound traffic attempted with no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80, which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (removed passwords and stuff). The last few log lines are at the bottom.
I am a total newcomer to Cisco routers. All I know is to plug the console cable into a serial port on a PC, fire up HyperTerminal to view, and that's it. I don't know any commands or scripts.
I am trying to set up my client connection; I have already received the required configuration settings from the ISP. It is a leased-line serial connection.
How do I set up the router with the configuration below?
Serial IP : 1.X.XX.222
Serial Netmask : 255.255.255.XXX
LAN IP : 1.X.XXX.1 to 1.X.XXX.31
LAN Netmask : 255.255.255.XXX
[Code] ....
I'm looking into upgrading my WAN link to 100Mb via a Fast Ethernet link. I'm waiting to hear from the ISP about what exact technology they use, but according to my manager they will be coming in over fiber and then terminating to copper. I currently have a 2811 in production with two T1 cards bundled together. The 2811 has a basic configuration with only 2 ACLs. I have an ASA 5510 for NAT, IPsec and other services. What router or networking device (a layer 3 switch, such as a 3560G perhaps?) should I use to accommodate a 100Mb link? It seems that the 2811 will not handle that kind of bandwidth. In short, the max recommended bandwidth limits for the 28xx series are as follows:
2801 - 2 Mbps
2811 - 4 Mbps
2821 - 8 Mbps
2851 - 12 Mbps
I don't want to create a bottleneck and am looking for an appropriate solution to accommodate the 100Mb link. Also, could the ASA 5510 become a bottleneck in my scenario? According to Cisco docs the ASA5510 can handle 300Mbps of firewall throughput, but I'm not sure how it'd work in production...
Attached is our network diagram showing the details of our remote office and the corporate side, which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address, and I know if we can't ping it we can't remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (the 2811 router) and we were able to ping both IP addresses from the workstation, but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to 10.20.0.1 and still need the Internet SIP trunks.
My two questions are: how do we resolve the issue of pinging the .30 address from the workstation, and then, when the time comes, how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router?
I came across this site. I wanted to produce a better incoming ACL at home and at work to block known bad sites.
Here is their list: the Top 10 Global Spammers is out. The biggest surprise on the list is Korea, as it takes over the number one global spammer spot from China. With the improved high-speed internet infrastructure in Korea and ease of network access, who knew Korea would be on the rise.
Here is the complete Global Spammer Top Ten List for the first quarter:
[URL]
Korea China India Russia Turkey Viet Nam Ukraine Brazil Venezuela Pakistan
When I sort the list, it is over 16k lines of ACL!
My question relates to what performance limits I would find. Can I actually put that many lines in an ACL? Will the router choke and do any other work?
I have attached the sorted ACL list for you to review.
Will any of the following router lines accept a list that large and still run acceptably?
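The ACL-size question above is where prefix aggregation pays off: a raw country-level block list is full of adjacent and nested entries, and collapsing them before generating the ACL cuts the number of lines the router has to evaluate per packet. The script below is an added example, not part of the original post or its attachment. It uses only the standard-library ipaddress module on a constructed sample list (RFC 5737 documentation ranges, not real spam sources) and emits Cisco IOS extended-ACL lines in wildcard-mask notation; the ACL name BLOCK-IN and the "network netmask" input form are assumptions.

```python
"""Collapse a large IPv4 block list into the minimal set of CIDR prefixes and
emit the result as Cisco IOS extended-ACL lines (wildcard-mask notation).

Added example for the ACL-size question above; the sample input is constructed.
"""
import ipaddress

# Constructed sample input (RFC 5737 documentation ranges, not real spam
# sources). It deliberately contains adjacent, nested and host-sized entries,
# the kinds of redundancy a raw country block list is full of.
SAMPLE_BLOCKS = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the entry above: the pair merges into a /24
    "203.0.113.64/26",    # fully contained in the merged /24: dropped
    "198.51.100.0/24",
    "198.51.100.17",      # single host already covered by the /24: dropped
    "192.0.2.0/24",
]


def parse_blocks(lines):
    """Parse 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d m.m.m.m' entries; skip blanks and '#' comments."""
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        if " " in text:                         # 'network netmask' form (assumed input style)
            addr, mask = text.split()
            text = f"{addr}/{mask}"
        # strict=False tolerates host bits set in the network part
        nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent prefixes and drop nested ones; the result is sorted by address."""
    return list(ipaddress.collapse_addresses(nets))


def acl_line(net, action="deny"):
    """Render one prefix as an IOS extended-ACL entry matching it as the source."""
    if net.prefixlen == 32:
        return f" {action} ip host {net.network_address} any"
    # IOS ACLs use a wildcard (inverse) mask, which ipaddress exposes as hostmask
    return f" {action} ip {net.network_address} {net.hostmask} any"


def build_acl(lines, name="BLOCK-IN", action="deny"):
    """Return the full named ACL as a list of configuration lines."""
    nets = collapse(parse_blocks(lines))
    acl = [f"ip access-list extended {name}"]
    acl.extend(acl_line(net, action) for net in nets)
    # An IOS ACL ends with an implicit deny; a block list applied inbound
    # therefore needs an explicit permit so legitimate traffic still passes.
    acl.append(" permit ip any any")
    return acl


def reduction(lines):
    """Return (entries before collapsing, entries after collapsing)."""
    before = parse_blocks(lines)
    return len(before), len(collapse(before))


if __name__ == "__main__":
    before, after = reduction(SAMPLE_BLOCKS)
    print(f"! {before} input entries collapsed to {after} prefixes")
    print("\n".join(build_acl(SAMPLE_BLOCKS)))
```

Run as a script it prints the generated ACL preceded by a comment line with the before/after entry count, so the same run shows how much a real 16k-line list shrinks. The trailing permit ip any any is deliberate: IOS ends every ACL with an implicit deny, so a block list applied inbound without it would drop all traffic on the interface.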
I have a Cisco 2811 running Advanced Enterprise v15.1-2. I've just configured it using CCP for internet access (on 2 lines) and a firewall. The configuration is pretty much all default and I used the CCP wizard to create a 'medium-secure' firewall. I have 2 blocks of public IP addresses, for my internal network and for the DMZ. The 2800 is configured as follows:
- 2 x default routes. one to each dialer.
- 6 zone pairs as follows:
  - ccp-zp-self-out (seems to mostly work... I can ping any IP address from a console but not a hostname)
  - ccp-zp-in-out (works fine, both interfaces seem to be in use)
  - ccp-zp-in-dmz, which by default is set to ccp-permit-dmzservice, which inspects ccp-dmz-traffic, which matches group dmz_traffic and has a class map dmz-traffic
  - cnc-zp-dmz-out, which is set to ccp-inspect (my own zone pair to allow systems in the DMZ zone to see the internet; this works fine)
  - ccp-zp-out-dmz (works fine; I can see my web server from any system outside my own network)
  - ccp-zp-out-self (which, I guess, allows anything permitted to get to the 2811)
Internet works from within the DMZ and in-zone. The outside can access my dmz servers. The inside can access most things on the outside using the firewall rules.
1) Although I have the zones set up to allow the same access from in->dmz as I do from out->dmz and out->dmz seems to work, I cannot seem to access anything in the dmz from the inside.
2) When setting up the firewall I ticked the box for 'allow PPTP clients to make connections from the inside' (or something like that). I cannot seem to make a PPTP connection from my workstation.
I have scoured the internet for guides, looked through these forums and the Cisco configuration guides, and experimented all day, but still cannot figure this out. Do I need a special route between the inside and the DMZ? I have seen references to static routes on ASA firewalls, but the command 'static (inside,dmz)...' does not work on a 2800 series router.
I am having trouble setting up an EHWIC-VA-DSL-A= card on my Cisco 2811 running the following: c2800nm-adventerprosek9-mz.151-4.M2.bin and C2800NM_RM2.srec.124-13r.T11
My hardware supplier tells me it's the right ADSL card (I have 1 existing working card, not the same), but the card will not be detected on the system so it can be configured. Is this the right card? Am I missing something?
I would like to set up a POTS dial connection between 2 Cisco routers, using the modem card WIC-1AM-V2. I'd like to use this as an out-of-band connection to a remote site if the primary internet connection fails. So this setup will only be used in one direction: 1 router placing calls, the other one receiving calls. Here's my config of the receiving router:
chat-script dial "" ATZ AT OK "ATX3D T" ATS0=8 TIMEOUT 120 CONNECT C
interface Async0/2/0
 description out of band for network
 no ip address
 encapsulation slip
 async mode interactive
line 0/2/0
 session-timeout 5
 absolute-timeout 10
 script connection dial
 login local
 modem InOut
 transport input all
 escape-character BREAK
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
[code]....
This config is working fine when dialing in via a Windows HyperTerminal dial connection. After a while of dialing I get the login prompt of the router. Now I want to have a router placing calls instead of a Windows server. I can't figure out how to tell a router to place calls to a POTS phone number.
I have a Cisco 2811 router and I want to experiment with the IOS firewall. The thing is, none of the commands that are proposed in online guides, like ip inspect, ip audit, etc., seem to be working. I just get "unrecognized command" on a router that is supposed to support such features. I'm wondering if it has something to do with the IOS image.
My show version output is this:
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.3(11)T9, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 13-Dec-05 08:24 by ccai
What are my best options to secure the branch office connection to HQ over the provider MPLS cloud? Our existing setup:
<<HeadQuarter>>: Data center hosting Email, ERP, Intranet, Voice Services. 10mb link to Service Provider over MPLS cloud. MPLS is terminated on a 3825 router running advanced services.
<<BranchOffice>>: Total 10 in-country branch offices. 2mb link to Service Provider over MPLS cloud. Total users in each branch: 20. MPLS is terminated on a 2811 router running advanced services.
I can't find any specific information on the implementation of packet inspection in a zone-based policy firewall. In other words, is there a specification, or even just a set of values, that defines the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities, but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP, but all other protocols would be useful as well. I'm working with basic routers: 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.