Cisco VPN :: 2921 Virtual-ice Independent Instances For Ipsec Tunneling
Sep 28, 2011
I have one Cisco ISR 2921 with VPN module. I'd like to be able to use it in order to "virtual-ice" independent instances for ipsec tunneling.
What I need is something like Asa security contexts, but the problem with Asa contexts is that don't support Vpns.
I'd like to use something like independent crypto maps, so if I need to take one down, or reconfigure, I need the others to keep working. It'll be for a production environment that must be up 99.9999
View 1 Replies
ADVERTISEMENT
Mar 27, 2011
Is it possible to tunnel IPSec through a 6509 with an FWSM installed without the packets being interferred with?My question arises because myself and a colleague were attempting to form an IPSec tunnel in just this environment last week and no amount of resetting policies, key phrases etc would allow the tunnel to come up. The 2821 was complaining about Phase 2 not matching but the policies were definitely matching and configured the same on both ends. If there shouldn't be an issue with the 6509 and the FWSM then I will post configs from both ends. The 6509 is configured to all all ports through for the two IP addresses for now and is performing a one-to-one NAT for the PIX that is behind it.
View 5 Replies
View Related
Aug 22, 2012
Is it possible to configure Layer 2 Tunneling Protocol (L2TP) over IPsec on a cisco router like 1921 ISR? This link shows basically what i want to achieve but instead of an ASA, i would like to use just a router with sec..
[URL]
View 3 Replies
View Related
Feb 17, 2007
setup CE500-24TT switch Port FE2 router / ports FE1,3-24 desktop / Ports GE1-2 Switch ports - MAC filtering is NOT enabled
FE1 - Cisco PIX501
FE2-24 Desktops/Printers
G1 - Empty
G2 - 8 port Gig Switch
8 Port G Switch = SBS2008 / Win2003 with Citrix / Win2K8 Management Server - plus a couple of desktops for Gig to server accessIs it possible to configure a PIX 501 to allow internet access for a Cisco VPN Client 4.8 without Split tunneling.The idea would be to have all raffic traverse the tunnel, be routed out the local WAN link on the PIX and then have the reply be forwarded back to the client over the IPSec tunnel.
View 5 Replies
View Related
May 20, 2013
We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security. I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.
We see the tunnel come up, but when I sent a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than and IOS bug which is what I first thought. c7200-advipservicesk9-mz.122-33.SRE7.bin.
sh crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP Address
1 Tu10 IPsec 3DES+SHA 0 31 10.5.5.1
2 Tu10 IPsec 3DES+SHA 19 0 10.5.5.1
1001 Tu10 IKE SHA+3DES 0 0 10.5.5.1
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....
View 16 Replies
View Related
Aug 28, 2012
I am configuring a vpn ipsec tunnel with cisco isr 2921 router and Watchguard edge 1250e. I have the watchguard configured so I just need to make sure I have everything setup on the cisco side. At this point, there is no communication as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
[code]......
View 4 Replies
View Related
Mar 15, 2013
I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.
Pings outside the tunnel along the same path are fine.
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
Any pointers on finding where the packets get lost?
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
[Code].....
View 3 Replies
View Related
Nov 28, 2012
I have a situation where the site-to-site tunnel is already established using PPTP IPSec VPN with non Cisco Gateways terminating the link on each end. These non Cisco Gateways do not support L2TP tunneling, and there is no plan to change them.Beyond the Gateways on both ends, we have a Cisco 4500 series switch. We need to forward the 802.1q tagged VLANs between the two sites. Is it possible to use 802.1Q tunneling in this case, going via a PPTP tunnel ?
Cisco's setup uses dot1q-tunnel over a L2protocol-tunnel to preserve the original client VLAN tagging, so does this mean that the only option we have is to setup a L2TP tunnel at the Cisco device endpoints, and have that tunnel go through the existing PPTP tunnel (established between the 2 non Cisco VPN Gateways) ?
View 1 Replies
View Related
Apr 18, 2013
We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router. I am attempting to setup a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515. Right now I am not able to get the tunnel setup. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls. I will show the output of that command below.
Main Office The external address 198.40.227.50. The loopback address 10.254.10.6 The tunnel address 10.2.60.1
Offsite Datacenter The external address 198.40.254.178 The loopback address 10.254.60.6 The tunnel address 10.2.60.2
The main office PIX515 Config :
PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
[code]....
View 2 Replies
View Related
May 11, 2013
currently I have a Cisco 2921 router and I have one active site-to-site VPN connection through the internet.my question is; how I can create another Ipsec site-to-site VPN connection ? I have to keep the 1st VPN connection active.
View 11 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Dec 5, 2012
I am setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. [code]
View 6 Replies
View Related
Jul 13, 2011
My network routing (both routers are consumer-grade NETGEAR WNDR3700) is like this:
Modem ==> Router 1 ==> Router 2 WAN Port
I have Router 1 set to DHCP the entire home network. I want Router 2 to section off a web server from the home network in case it gets compromised, but I want computers on the home network to be able to administer the web server.
As it stands, the web server can access PCs on Router 1, and not vice-versa. In effect, I want this to be reversed. Can this be done without changing the physical configuration?
All right, I bit the bullet and switched the router chain so Router 2 comes before Router 1. Set up was so easy and though it's not perfect, it's all ready!
View 4 Replies
View Related
Jul 24, 2011
Is it possible to to have Multiple AS instances on an ASA5510?
View 1 Replies
View Related
Nov 1, 2011
CPU and memory graps are showing up in pollers on left of Monitoring page.
When trying to graph switchports using histo graph, some ports show up in Available instances, but most are ports that are in admin down.
I do not have the capability to graph the ports I want to see.
View 1 Replies
View Related
Mar 16, 2010
I've been collecting information on principles of SHDSL connection. I have found plenty of examples on how to configure only one SHDSL link. Very soon I'm going to the site to install two independent SHDSL links in Cisco 2811 which has one Cisco HWIC-2SHDSL module, so I can route one type of traffic through one connection and another type of traffic through another. Both SHDLS links have static IP addresses and probably different VPI/VCI values. how to install two SHDSL links into one HWIC-2SHDSL module, set one value for VPI/VCI on one link and another value for VPI/VCI on another link, also set one IP address on one link and another IP adddress on another link?
View 13 Replies
View Related
Feb 15, 2012
Our sister site had a new building and the network it was supposed to resemble the network on this site with link redundancy as far as the edge switches.After 6 months asking for the password to the equipment I finaly got it and started to plan the deployment of some phones, I got a little confused as to the layout of what had been done as CDP was not showing what I had expected.
I then used CNA to map out the site.We have 1 main server room (at the top of the picture with the two 4507 cores and a number of fixed config 1U switches)And 3 further wiring rooms at other points in the building with fixed config 1U switches.
(And a wan link to this site)In my opinion the design as it stands is significantly flawed in redundacny with multiple points of failure, and its efficiency is very poor.
View 7 Replies
View Related
Aug 4, 2012
I am Implementing Cisco IP Routing (CCNP ROUTE FLG) book and right now I am reviewing IPv6 chapter. This part of OSPFv3 multiple instances over a single physical interface caught my attention
View 6 Replies
View Related
Mar 28, 2012
My question is on ASA and ACS5.2 users.Have my ASA SSL VPN and IPSEC VPN, the my ACS5.2 many users, for example, wireless user.I would now like to establish an independent user group, only the VPN user name and password, while both the ASA VPN can only allow users in this independent group of ACS5.2 VPN login, how to configure?
View 1 Replies
View Related
Nov 1, 2012
I have a WS-C3750G-24T-S layer 3 switch and I need to configure independent routes for a specific network, I'm trying to use VRF but it is not working for me. I tried using route-map but it seems the switch doesn't support that, so I'm stuck with VRF, but I think I'm not doing it right. The topology is as follows:
I have a network directly connected to a vlan and I need to forward all the traffic I get on this VLAN using a tunnel to a router. I think the problem is that in order to use the tunnel I need to utilize another VLAN which isn't part of that VRF. I attach the configuration I'm using to better understand what I'm trying to do:
layer-3 switch:
ip vrf TEST
rd 1:1
interface Tunnel1
ip vrf forwarding TEST
ip address 172.17.0.1 255.255.255.252
tunnel source 10.245.0.9
tunnel destination 10.250.4.31
[Code]....
And this is how my routing table looks on this router:
172.17.0.0/30 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, Tunnel4
C 10.250.4.0/24 is directly connected, Vlan404
S 10.245.0.8/29 [1/0] via 10.250.4.1
S* 0.0.0.0/0 [1/0] via 10.1.60.15
View 2 Replies
View Related
Apr 24, 2013
I read that maximum spanning tree instance number is 128, is there any switches that can go more than128 instances ? or can we do this from IOS updates ?
View 3 Replies
View Related
Jan 12, 2012
I have 2 3550 12G switches that I use as core fiber switches. Switch 1 is the primary for 1/2 the V LANs and Switch 2 is the primary for the others using MST with 2 instances (I am not including the default 0 instance). I am using HSRP to provide redundancy. So far so good.
Recently a tenant in my building would like to use their own switch for data but still needs access to a V LAN on mine for voice. Again not a problem as I can configure a trunk port and give them what they need. My concern is that if they try to configure STP on their switch can they take down mine. Are there some preventions that I can put into place, such as root guard, that work with MST? What happens if they too set up MST can they kill mine?
Switch 1 is the root for 1/2 the v lans and Switch 2 is the backup root. The scenario is flipped for the other 1/2.
View 3 Replies
View Related
Sep 9, 2010
I'm having some weird issues with our 3560 that's connected to an MPLS line. The speed of the port plugged into the providers equipment is 100Mb, but we're only allocated 10Mb of bandwidth from them, I tried to police our traffic out of the port using srr-queue bandwidth limit 10, however when I do that I get some really weird bandwidth results.
Using iperf I've run bandwidth tests with srr-queue bandwidth limit enabled and with it disabled, when it's disabled I get the full 10Mb as expected, however once I enable it I'm lucky to get 5Mb, and while the test is running connectivity between sites is almost useless (which is not the case if I disabled bandwidth limit). Is there anything special I should be doing when I have this enabled? I also have priority-queue out enabled with only one dscp marking placed in queue 1, with very little traffic hitting that queue, but regardless of what I do I can't get the expected bandwidth with the bandwidth limit command, even if I place my iperf traffic in that priority queue.
View 3 Replies
View Related
Nov 16, 2011
My clients switch is running out of Spanning-Tree instances (c3560 only supports 128 instances). I know that running RSTP with VSTP can mitigate this that all instances over 128 will be handeled by RSTP, but before I implement this are there any other thoughts out there on how to mitigate this. Would MSTP be able to handle more STP instances or MISTP perhaps?
View 3 Replies
View Related
Mar 20, 2013
3 different sites which are directly/indirectly connected to cisco VPN router RV042 and we want to make a vpn between them, how can we make it
View 2 Replies
View Related
Jul 16, 2011
I just moved our vpn over to using LDAP/DAP instead of the previous RADIUS we were using before. First of all, the group policy split tunnel is setup for Tunnel Network list Below Network list has a group of networks named "split-tunnel" setup with all of our internal subnets in it. Which seems to be working fine, users are hitting internal networks no problem.Where the issue lies is surfing the web while they are connected to the VPN.I think I know what one of the the issues are, I'm just not sure how to get around it. I have a proxy server setup that all domain traffic goes through say 10.20.30.40. That is obviously on our internal subnet. Our remote users has a policy on their laptops set to where if they can see/get to the proxy server then it pushes all traffic through there, however if they can not, it goes straight to the internet. That way they can still surf the web when they aren't connected to the domain network.
With the new DAP vpn policies, it seems as though they are trying to go through the proxy but failing so all http traffic is getting blocked on their computer as I can still ping say google.com...just can't open the web page.In my SALES-VPN access lists there isn't any acl that allows any traffic to 10.20.30.40(proxy server) so there isn't any reason their laptop would think it could get to it correct?I can't put an access-list SALES-VPN extended deny ip any any log critical at the end of the acl list because then it doesn't show up as an option to apply to the DAP since the acls have to be either permit or deny, not a mix.Also, if I just create an ACL access-list DENY-VPN extended deny ip any any log critical and apply it to the DAP *after* the SALES-VPN ACLs thinking all traffic would flow down as in go through all the permit acls first, and then hit the deny acl after, it just blocks all traffic.It almost seems that some traffic that isn't specifically being permitted by the permit acls is still getting through which is obviously not wanted. However, if I try to rdp into a server that isn't specifically permitted in the SALES-VPN acls it doesn't work so I'm kind of at a loss..
View 5 Replies
View Related
Aug 23, 2011
I'm using an ASA5510 for remote access IP Sec VPN clients and it is configured for split-tunneling. The client computers are running Cisco VPN client software. All of the client computers running Win 7 work perfect, but the client computers running Win XP Pro cannot browse the internet, they only connect to the inside network.
1) Does XP Pro support split tunneling when using the Cisco VPN client software?
2) Does the ASA require a special config to support split tunneling with Win XP clients?
View 1 Replies
View Related
Mar 29, 2012
I am currently trying to configure an Easy VPN connection from an ASA 5505 to and ASA 5520. I have enabled split tunnelling and in the group policy defined the network to be tunneled but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505. I get no internet access. Have been trying to troubleshoot this for days.Hee are soe specifics, running version 8.2(5) on the 5505 and the 5520 and below is the local config on the 5505 for the Easy VPN:
vpnclient server **.***.***.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup dbernstein-5505 password *****
vpnclient username dbernstein password *****
vpnclient ipsec-over-tcp port 10000
vpnclient enable
and the downloaded dynamic policy:
Current Server : 12.***.163.**
Primary DNS : ***.160.***.39
Default Domain : cisco.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : ***.160.***.0/255.255.255.0
Backup Servers : None
View 9 Replies
View Related
Oct 14, 2012
Can a 2504 WLC on a remote site provide guest access on one SSID, drop taht out locally on that site and provide corporate access on a second WLC that it then tunnls to a 5508 at the main corporate site ?
View 4 Replies
View Related
Dec 25, 2012
How to successfully run the dot1q tunneling on Cat4500 with Sup7L-E? I tried that on IOS XE 3.3 and newest 3.4. It is in feature navigator but i am not able to connect two access switching using trunk - only native vlan is translated. Apparently STP BPDU frames are dropped somewhere. I have the same configuration on 3750X with ip services licence and this works well.
View 2 Replies
View Related
Jul 25, 2011
my company has used Split Tunneling for all of our VPN uses, however we recently purchased 2 ASA5505s for use at various jobsites, and have been running into problems with Local Network Administrators blocking certain traffic that we need to operate. They allow full VPN connectivity to traverse their networks, so we are able to use our LAN Resources over the split tunnel no problem.
We have it set up as a Dynamic L2L Connection, and this ASA is operating flawlessly minus the traffic being blocked upstream by the network admin. Our VPN topolgy is Hub & Spoke. Below is excerpts from our config on how the VPN is set up: [code]
What we'd like to achieve is being able to pass ALL traffic (LAN & Internet) through the VPN tunnel, then be processed by the Hub ASA (192.168.9.1) on the other end. I am guessing crypto map + routing would have to be changed?
access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 0.0.0.0 0.0.0.0route inside 0.0.0.0 0.0.0.0 192.168.9.1Disable NAT on Spoke. Is this how I would go about doing this??? We need ip address dhcp setroute so our ASA can find the other end and form the VPN tunnel, and I am not sure how this would affect things. [code]
View 1 Replies
View Related
Feb 2, 2011
Is GRE tunneling technique for IPv6 based on RFC2473 or Cisco proprietary standard?
View 2 Replies
View Related
May 28, 2012
I have some troubles configuring split-tunneling on ASA 5520.Number of remote users establish ipsec connection with ASA 5520 (in central office) using ubuntu vpnc-client.Split-tunneling is in use, to allow remote users to surf Internet using their ISP.The goal is to remove the possibility to ssh/telnet servers inside corporate LAN for remote users. [code]
There is nat enabled on interface, but there is special statement in nat0 ACL for 192.168.100.0 subnetwork access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0.The problem is that remote users can easely ssh and telnet servers in INSIDE_LAN network. Whatever i put in INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in REMOTE_split ACL don't work either.
View 2 Replies
View Related
