Cisco VPN :: 3945E ISR Router As EasyVPN Server / Local Usernames Restrict Management
Jun 24, 2012
I am using a 3945E router as an Easy VPN Server, with 15.1 IOS. On the router I have a bunch of usernames for VPN authentication. I want to restrict router management access for them (ssh, telnet, http and so on).
Aug 5, 2012
I am working on a new install where the customer is using local RADIUS servers at each of their many campuses (for local dynamic VLAN assignment), while using a single set of controllers at the core of their network. For the record, we have set up a pair of 5508s (v 7.2.103.0) in their central data center with 3602i APs around the various campuses. We are using FlexConnect groups to locally authenticate and switch the users.
Right now, the config is working great as far as authentication and local switching goes. The problem we are experiencing is that none of the authenticated usernames are being passed back to the controller (and ultimately NCS). This makes the tracking and troubleshooting of users difficult. Is there something I am missing here? I can't seem to find any fixes relevant to this issue in the 7.2.110.0 release notes.
Feb 16, 2011
We are using a 1803 ISR for remote vpn users. They use Cisco VPN clients with the EasyVPN server functionality of the ISR. I would like to restrict the ports/protocols which they can use to the remote network they connect to.
This is the (edited) client config in the ISR:
crypto isakmp client configuration group RemoteVPN
 key remoteaccess
 dns 192.168.0.1
 domain domain.local
 pool POOL_1
 acl 140
 netmask 255.255.255.240
access-list 140 remark EasyVPN ACL
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
I tried to edit the acl 140 with access rules, but they do not seem to have any effect. If I edit acl 140 with deny ip any any, for example, the remote users can still use any protocol to access the remote network.
Oct 11, 2012
I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: VPN Client establishes the connection, traffic flows, destination network can be pinged. After a few minutes traffic stops passing the VPN. No ping to IP or DNS names can be made. In order to resolve it, users have to re-establish the VPN again. Occasionally it stays and continues to work.
2: VPN Clients don't pick the same IP address from the local address pool even though I specified the "RECYCLE" option in the IP local pool command.
Configuration:
##############################################################################
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7420 bytes
!
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
[code].....
Apr 22, 2012
I'm trying to set up a local DNS server to manage small office local-only domain names for our servers. I have the DNS working properly (resolving local machines and using the ISP DNS if it can't). So I put the DNS server IP into the "Static DNS 1" field of the router settings. The other 2 static DNS fields are empty. The problem is that the router is still using the ISP DNS server as the primary and my local DNS server as the secondary. I verify this in two places. First, if I go to the "status" tab, DNS 1 shows the ISP server while DNS 2 shows my local DNS server. Secondly, if I connect to the wireless device with a Linux-based machine, the /etc/resolv.conf file shows the nameserver IPs in the same incorrect order.
Oct 3, 2012
I'm a bit new to Cisco and I find this AAA a bit confusing. I've turned on AAA by:
aaa new-model
Can I use this "default" list for WebVPN? And what would be the difference if I create a new "sslvpn" list? Also, when I'll be creating a user for VPN remote access, that user will also exist in the local database and have access to the router via SSH? Because from the research I've done it doesn't seem you can group users in different "aaa groups", e.g. user admin belongs under the "admin" aaa group which can do ssh to the router, users for VPN can only do remote VPN access and not SSH and log in to the router. I saw ASA has some attribute for users called remote-user
• admin, in which users are allowed access to the configuration mode. This option also allows a user to connect via remote access.
• nas-prompt, in which users are allowed access to the EXEC mode.
• remote-access, in which users are allowed access to the network.
But I can't find this option in IOS on my 1900 Series ISR router.
Jan 19, 2012
What does this syslog message mean? Been getting this on my 3945e series routers. My gut tells me they are caused by our Security guys scanning my routers with invalid login attempts.
%SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
Jan 21, 2012
I just found a slightly unsettling bug in the E4200v2 (running the latest firmware 2.0.36 build 126507). Administration > Local Management Access > Access via Wireless ... set to DISABLED. HOWEVER, when I attempted to access the web interface on a handy iPAD I had absolutely no problem getting through to the web interface (after providing username and password). Limiting access to wired clients seems like a simple and prudent measure ... which is why this option is there for the paranoid among us. This seems like a black-and-white bug.
Jun 16, 2011
I don't seem to be able to connect to my Cisco 831 router with Easy VPN server configured using my Blackberry Playbook. Looking at the console of the router I can see the debugging but am not sure what it all means.
Current configuration : 2574 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable secret 5 $1$FM71$y4ejS2icnqX79b9gD92E81
enable password xxxx
!
username CRWS_Ritesh privilege 15 password 0 $1$W1fA$o1oSEpa163775446
username shamilton privilege 15 secret 5 $1$wFLF$8eRxnrrgVHMXXC0bXdEGi1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip
[code]....
Jul 19, 2012
I am using an E2500 as an access point, which is working fine. I have an Ethernet cable on one of the LAN ports of the E2500 connected to a LAN port on my gateway router. The LAN address of the E2500 is 192.168.7.3 and the LAN address of the gateway router is 192.168.7.1. Clients on the E2500 wireless network have no problems getting to the Internet through the gateway router. Clients on the E2500 wireless network can reach the E2500 local management port at 192.168.7.3 on port 80. On the gateway router I am forwarding WAN port 8083 to LAN address 192.168.7.3 at port 80. But I cannot access the E2500 local management interface via the gateway router. The E2500 should see the request as from 192.168.3.1 due to NAT in the gateway router, right? I can reach any of my actual access points this way, just not a router being used as an access point. Security/design limitation of the router?
May 6, 2012
How to get HTTPS to work for local or remote management? Selecting HTTPS for either local or remote doesn't enable HTTPS for me. It still uses HTTP.
Feb 25, 2013
How to set up option 150 in IP pool on VPN Client.
Jul 11, 2012
I have been trying to configure Cisco1941/K9 as Easy VPN Server through CiscoCP. The tunnel comes up but I cannot pass any traffic to the secure LAN (GigEth 0/1). When the tunnel comes up, I can ping the Loopback interface and the GigEth 0/1 interface IPs.
Dec 5, 2011
I have a Cisco ASA 5510 and a Cisco ASA 5505. I want to configure the ASA 5510 as Easy VPN Server and 5505 as Easy VPN hardware client, using either CLI or ASDM.
Apr 28, 2011
So I have three ASA 5505 firewalls. My firewalls are in the test environment. I read on the net that when you have a situation like in my company, where there are a headquarters and two offices, I should put one ASA firewall in each branch office and headquarters, and the firewalls should be configured as EasyVPN.
The VPN server is in headquarters and the EasyVPNs are in branch offices. I tried everything, but we could not configure them. Maybe it's not a problem that in my test environment the external interfaces on these three firewalls have static addresses, respectively server 192.168.2.1, 192.168.2.2 and 192.168.2.3 client client. I set up the firewalls by following the instructions, but it does not work.
[URL]...
I solved the problem with the server as a remote access VPN. Client workstations that are on the 192.168.2.0/24 network can access a local LAN via VPN. But when you put in the ASA 5505 firewall, clients on the LAN side of the firewall cannot access the VPN. I use the software product Cisco VPN Client 5.0.06, but when I create a connection and try to connect I get an error: secure vpn connection terminated locally by the client. reason 412: the remote peer is no longer responding.
Jan 19, 2012
We have a number of 5505 ASAs at remote sites, all of which are configured to connect to one of two head-end servers. We need to change the primary head-end IP addresses. At the moment devices are successfully connected to the secondary. If we issue vpnclient server i.j.k.l e.f.g.h then the device drops off the network and won't reconnect until it is power cycled. If we make the changes in ASDM using the GUI to remove the old primary and add in the new primary, the ASDM says "No changes made". Devices are running 8.2 and 8.4 code and behaviour is the same.
How to change head-end server IP addresses without the device disconnecting and not coming back up? According to the configuration guide the ASA should cycle through the addresses every 8 seconds until it can connect - but it doesn't seem to do this as it won't connect to the good secondary head-end either!
Nov 2, 2011
EasyVPN PIX515 server and ASA5505 client?
Feb 26, 2013
We are currently looking to upgrade (re-design) our wireless network at our college. Any experience going from a local, controller-based wireless network to a cloud-based controller? If so, what have you found the pros and cons to be?
If you thought about going to a “cloud solution”, what stopped you?
We are currently running wireless at our 3 primary campus locations, and looking to add it to our 3 satellite locations. We use 4402 WLCs at our primary locations with a mix of 1140 and 1240 APs.
Mar 29, 2011
If there was a way in which I could get every username and password associated with my email sent to my email account. I want to delete some old accounts and stuff, but where I've made so many I've forgotten all the passwords and usernames etc.?
Feb 25, 2013
Region : United Kingdom
Model : TL-WDR3600
Hardware Version : V1
I am trying to restrict external access to a ftp server I have running, to a single external IP address. Is this possible? It can be done for the Remote Management IP Address page, where you can enter a single address or 255.255.255.255 to allow all external hosts. But the set up of a virtual server does not appear to have that option.
Sep 16, 2010
I'm having trouble setting up site to site VPN from my 527w to my 877 series and thought it would be much easier to see what's going on on the 527 if I could see the command line.
So I've ssh'd to the 527's IP address but none of the username/password combos that let me in the web GUI work. What are the logins?
May 30, 2013
I'm trying to migrate the running-config from our old 3725 router to our new 3945e router. Almost all of the config is copied over except for a few lines that come up as unrecognized commands. So it looks like these commands were either removed or changed to something new.
Apr 24, 2012
I'm trying to find out whether my E4200 has the possibility to be a local DNS server and if so, how I can configure it. As it is right out of the box, I can't ping any of my local machines on DNS.
Feb 12, 2012
I want to create a trunk between the 4507 and the 3945E router and route two VLANs from the 3945E router.
4507# vlan 99 & 51
# int vlan 99
# ip add 10.22.100.1/24
#int vlan 51
# ip add 10.22.103.1/24
[code].....
4507 version : IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSAL-M), Version 03.02.00.SG RELEASE SOFTWARE (fc4)
3945E: 15.1(2)T4
What am I missing?
Nov 30, 2012
URL What changes are needed to the 2821 config that is behind another Cisco router? And what static ports should be opened on the MAIN Cisco router that is in front of the 2821?
Oct 26, 2010
I am using Cisco Configuration Professional to set up one Easy VPN server on 887-K9. VPN client can dial up the server successfully but can only ping router but on other LAN. Looks like there is a NAT issue between LAN and VPN client?
May 26, 2013
My 5508 WLC, which runs version 7.4, is configured as a DHCP server for the AP management and here's my problem: my AP can get an address, and can ping the address of the WLC management, but my AP prompts the following log: [code]
In the switch dhcp we can use to do the WLC option43 specified address, but in this case how the address specified WLC, the AP can be registered up?
Nov 21, 2012
I want to use QoS in EA2700. I want to know whether the port in the QoS means the port of the local computer or the port of the server. Or is it a source port or a destination port?
Sep 28, 2011
Does the following configuration respond to the request of my client asking for 20 T1/E1 connections on a Secure ISR 3945E, by combining on the same router One (01) NM-8CE1T1-PRI card and Three (03) HWIC-4T1/E1 cards?
Here are the router configuration:
CISCO3945E-SEC/K9 Cisco 3945E Security Bundle w/SEC license PAK
MEM-3900-1GU2GB 1GB to 2GB DRAM Upgrade (1GB+1GB) for Cisco 3925/3945 ISR
MEM-CF-256U1GB 256MB to 1GB Compact Flash Upgrade for Cisco 1900,2900,3900
NM-8CE1T1-PRI 8 port channelized T1/E1 and PRI network module
HWIC-4T1/E1 4 port clear channel T1/E1 HWIC
SM-NM-ADPTR Network Module Adapter for SM Slot on Cisco 2900, 3900 ISR
PWR-3900-AC/2 Cisco 3925/3945 AC Power Supply (Secondary PS)
CAB-ACE AC Power Cord (Europe), C13, CEE 7, 1.5M
S39EUK9-15104M Cisco 3925-3945 SPE IOS UNIVERSAL
PWR-3900-AC Cisco 3925/3945 AC Power Supply
3900-FANASSY Cisco 3925/3945 Fan Assembly (Bezel included)
C3900-SPE250/K9 Cisco Services Performance Engine 250 for Cisco 3945 ISR
ISR-CCP-EXP Cisco Config Pro Express on Router Flash
SL-39-IPB-K9 IP Base License for Cisco 3925/3945
SL-39-SEC-K9 Security License for Cisco 3900 Series
Dec 13, 2012
I have a NAT setup. Some of my udp packets are dropping. How to find more about the NAT to find whether it missed anything or not. the router is 3945e. [code]
Mar 31, 2013
Can Cisco 3945E support VRF-Lite?
Oct 23, 2012
The feature difference between Cisco 7204VXR vs 3945E.
Wanted to know the limitation in 3945E compared to 7204VXR
Features | 3945 | 7204VXR with G2
Memory | |
Packet processing | |
Bandwidth support | |
Dec 16, 2011
I have inherited a 3945E router with an NM-8CE1T1-PRI card installed in slot 2 using the SM-NM adapter card. The command 'card type E1 2' has been issued but I only see interfaces Serial2/0:0 to Serial2/0:30.
Since it is an 8 port card I was also expecting there to be
Serial2/1:0 to Serial2/1:30
Serial2/2:0 to Serial2/2:30
etc etc.......
Serial2/7:0 to Serial2/7:30
The router will not allow me to issue a sub slot number with the card type command.
Am I missing something in the configuration or is there an issue with this card and router combination? The show inventory has the following:
NAME: "Network Module Adapter for SM Slot on Slot 2", DESCR: "Network Module Adapter for SM Slot"
PID: SM-NM-ADPTR , VID: V01, SN: FOCxxxxxxxx
NAME: "8 port channelized and PRI T1/E1 NM on Slot 2", DESCR: "8 port channelized and PRI T1/E1 NM"
PID: NM-8CE1T1-PRI , VID: V01 , SN: FOCxxxxxxxx
It doesn't give any errors when booting up and the router is running c3900e-universalk9-mz.SPA.152-1.T.bin IOS.