Cisco VPN :: C3660 Passing IP Routes To VPN Clients

May 19, 2013

We've got a fairly plain-vanilla VPN configuration on a C3660 router running IOS 12.3(26) so that our employees can initiate VPN sessions to our office using their Windows or Linux workstations. In a typical Windows L2TP VPN configuration, the default route is set to the VPN server, and no other routes are passed to the clients, which means that if the client disables the "use default route" setting, even getting to the office network fails.
 
I know there's a way to do this, but I haven't found it yet.  What I want to do is pass local routes to the client so that only those routes transit the VPN, and permit the clients to use their own default routes.


Cisco WAN :: EIGRP Not Fully Passing Routes After Introducing 3750

Apr 8, 2013

We've put in a 3750 at our corp hq (Detroit). We did this to break up the current flat 172.16.0.0 /16 network into separate VLANs for various purposes. We plan on doing that at another site (Farmington), which will become a DR site. We are running EIGRP throughout the organization over an OPTEMAN network and also sending routes to a managed MPLS network which uses BGP. BGP redistributes into EIGRP and vice versa. I've attached a pdf of the network. The 3750 core at the corp hq is a temp core, hopefully upgrading to Nexus within a year or two. This problem didn't exist until the 3750 was introduced and became the gateway for the site. The OPTEMAN router was the gateway and was on the same VLAN as the MPLS router.

So, in Detroit we have a Detroit-MPLS router, Detroit-3750, and Detroit-OPTEMAN. What I'm seeing is that the routes I'm getting from the MPLS router make it to the 3750. The 3750 advertises those routes to the Detroit-OPTEMAN router. However, the OPTEMAN router doesn't advertise these routes any further.

In Farmington, it is currently set up like Detroit used to be set up. There is a flat network and both routers are on the same VLAN, no L3 core switch. Routes come in from the MPLS, get advertised to the Farmington-OPTEMAN router, which distributes the routes out to all OPTEMAN connected routers, including Detroit. However, Detroit is not passing that route to the 3750.

When we made the 3750 stack the core, we didn't change anything else, except for some IP changes. Why aren't these routes fully redistributing?
 
Detroit-3750 Stack
WS-C3750G-24TS-S   <-Stack master running c3750-ipservicesk9-mz.122-55.SE7.bin
WS-C3750X-12S-E  <-Running c3750e-universalk9-mz.122-55.SE7
show sdm prefer
The current template is "desktop routing" template.
[Code]...


Cisco Wireless :: AP 1231G Not Passing DHCP To Clients

May 27, 2012

My company AP 1231G is not passing the DHCP address to the client from the DHCP server. My config is listed below. Basically, the AP is on its own VLAN 10.1.123.1 and the DHCP server is 10.1.10.2. I am trying to use iphelper to pass DHCP to clients, and the AP is on static IP 10.1.123.2.
  
!
! Last configuration change at 13:15:56 +0800 Fri May 25 2012 by root
! NVRAM config last updated at 13:15:56 +0800 Fri May 25 2012 by root
!

[Code].....


Cisco Routers :: RV220W Not Passing DHCP To Wireless Clients

Oct 9, 2012

I have a Cisco RV220W running the latest firmware (currently 1.0.4.17), and I have noticed that after about a week of use, wireless clients can no longer acquire IP addresses via DHCP.
 
I have used Network Monitor on both the DHCP server, and the WiFi client, and can see that the server is receiving the requests and sending a reply, but the client never sees the response from the server.  So far the only way to resolve this is to reboot the router.


Cisco :: ASA VPN Clients Creating Static Routes?

Nov 15, 2011

In my live VPN concentrator at work, my 5520 is showing a static route for each VPN client that is connected to my SSL VPN right now. This kind of confused me because wouldn't only one route to the address pool's subnet be needed for my VPN users?


Cisco Firewall :: After Upgrading ASA 5520 To 8.4.2-8 VPN Clients Traffic Not Passing Destinations?

Dec 26, 2011

After upgrading an ASA 5520 to 8.4.2-8, VPN clients' traffic is not passing to destinations other than destinations behind the inside interface. The log shows a routing failure for the VPN client on the inside interface. It was working fine with 8.4.1, but the traffic is originated from the outside interface. Confirm the interface for VPN clients changed from outside to the inside interface.


Cisco VPN :: Anyconnect Clients Not Following Internal Static Routes On ASA5505

Feb 9, 2012

I have just purchased an ASA 5505 for my remote users to access our internal network. I have followed all the setup instructions I can find. I am able to establish a VPN connection using the AnyConnect client and can see some of my internal network (basically, only the subnet of the internal interface). However, I have several subnets inside my LAN which are routed by another switch inside my LAN. I have built in the correct static routes so that the ASA will send traffic to that internal routing switch for any subnets not part of its inside interface subnet. I can see and ping those subnets from the ASA itself but the AnyConnect clients cannot.


Cisco Switching/Routing :: RFC 3442 / IOS DHCP Server - Classless Static Routes On Clients

Nov 11, 2011

I was trying to find out if it's possible to add the option for static routes for DHCP clients in Cisco IOS DHCP config mode. I'm looking to add a setting as defined in RFC 3442, like this one, set on an ISC DHCPd server:
 
Global settings:
 
option rfc3442-classless-static-routes code 121 = array of integer 8;
option ms-classless-static-routes code 249 = array of integer 8;
 
And for the subnet declaration:
 
option rfc3442-classless-static-routes  24, 192, 168, 30, 192, 168, 10, 1;
option ms-classless-static-routes       24, 192, 168, 30, 192, 168, 10, 1;


Cisco WAN :: EIGRP 101 - Prefer External Routes Versus Internal Routes?

Apr 8, 2011

Is there a way in EIGRP to prefer external routes versus internal routes? EIGRP always picks up internal routes as long as they are available, no matter if external routes have a better metric. Our scenario is that we have a DMVPN hub and spoke topology running EIGRP 101. The core routers, also on EIGRP 101, prefer EIGRP 101 routes. We have the new MPLS network running BGP and redistributing these BGP routes into EIGRP 101. The core routers prefer EIGRP 101 routes (internal) to redistributed BGP (external) routes.


Cisco VPN :: ASA 5505 VPN Clients Can't Ping Router Or Other Clients On Network

Jun 18, 2012

I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
 
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
 
[code].....

What do I need to add to get the VPN client to be able to ping the router and clients?


Cisco VPN :: 5520 / 5510 - Can VPN Clients Communicate With Other Dynamic Clients

Nov 5, 2012

We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses.  I was asked to add 5 additional 5510's on dynamic address.  All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.

My testing shows packets just dying in the 5520.


Routers / Switches :: Dlink DIR 615 Router - Wireless Clients Can't See Ethernet Clients

Feb 1, 2011

I have 4 desktops cat5 to Dlink DIR 615 router. All work fine. Any wireless clients, laptop or netbooks, see the desktop computers for a while then disconnect somehow. All machines can see the Internet through the router at all times. The desktops disappear from the laptop/netbooks but the wireless machines can be seen from the desktop computers, but clicking on them gets an 'Access Denied' message after a wait. 3 desktops = XP, 1 98SE. All laptop/netbooks = XP.


Netgear WNDR4500 - Clients Not Showing Up In Clients List

Jul 6, 2012

I have a Netgear WNDR4500 running the stock firmware, acting as a router for my home. I also have 2 routers that are flashed with DD-WRT (Linksys WRT54G and Asus WL-520GU) running as client bridges. The Netgear is 192.168.1.1 and the other 2 client bridges are 192.168.1.2 and 192.168.10.3. The Netgear router is performing DHCP giving addresses from 192.168.10.100 to 192.168.10.254. I have numerous machines connected to the Netgear, wirelessly and wired, and numerous machines wired to each client bridge. All machines have IP addresses that are 192.168.10.100, 192.168.10.101, 192.168.10.102, etc... Everything is working fine, but I have one question: When I access the Netgear router, it shows the client bridges as clients, machines that are wired and wireless to the Netgear router are listed as clients, but the client list does not show any clients that are connected to the client bridges. I assumed that since the router is performing DHCP that all clients would show up.


Cisco :: VPN Not Passing Traffic

Apr 30, 2011

I've looked at many others having this same problem, but can't seem to figure out what my problem is. Same issue as most, I can connect fine, I get an IP, but it won't pass any traffic, I can't ping anything or access anything.


Cisco VPN :: 871 Passing Traffic Between Two VPN Devices Within A LAN

Sep 21, 2012

I have a vendor that currently uses a Cisco 871 as a VPN router in our company network; they use it to connect to provide services to one of the servers in our LAN for our customers. Recently, we are going to be setting up a 24/7 call center with this vendor; they will be accessing a server in our network through the VPN to provide customer service during after hour periods. We have a problem, however, with an application that is hosted by another vendor that is critical for our regular company call center. Access is reached with this application through this vendor by way of an IPSec VPN tunnel that is built in our company's Cisco ASA 5510. This application is accessed via Internet Explorer that goes across to access the application at the endpoint.

I need to figure a way by which the vendor that will be running the 24/7 call center coming through their tunnel in our network to connect over to the tunnel on the vendor on my ASA. I'm likely going to have to set some routing of traffic in my internal default gateway router for this to work.


Cisco VPN :: 1841 IOS SSL VPN No Data Passing

Mar 2, 2011

I am currently using a 1841 router with AdvSec 12.4(24)T4 IOS on it. I used to have a working SSL tunnel configuration working, but for some reason it had disappeared and I am rebuilding the configuration. Unfortunately, I have been able to configure the router to perform the SSL tunnel, but I am not able to pass any data through the VPN. I am only able to ping the inside interface of the router and this is it. If I try to extended PING from the router to the remote PC I am able to get replies. Trying to PING anything on the remote network does not provide any responses back. I am thinking there is some sort of routing not happening here or I am missing some sort of configuration to allow the VPN to pass data through correctly. [code]


Cisco VPN :: Traffic Not Passing Through On ASA 5505

Sep 7, 2011

I've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (which I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor can the internal server (or the ASA for that matter) talk to my VPN'd computer.

On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users).

[Code] .....


Cisco VPN :: 5510 - L2L VPN Not Passing Data Packets

Apr 17, 2012

I have a 5510 that has 2 site to site vpn's that aren't working.  Phase 1 and 2 are up, but no data packets are being sent.  This just started randomly 2 days ago after working for weeks. 


Cisco WAN :: Passing Traffic From Lan To Wan In C1921 Router

Jan 26, 2011

Traffic Generator TG connected to R1 via switch SW. One end of the R1 is LAN1 interface and other end is WAN1. LAN1 is connected to switch SW. WAN1 is connected to R2 WAN0 interface.
 
 TG ------------- SW ------------------------------(LAN1)  Router R1   (WAN1)------------------------------(WAN0)Router R2
 
I have to pass traffic to R2 WAN0 interface.
 
When I pass traffic say 5000 from TG, I'm to receive 5000 at R1 lan1 interface but I'm not to receive at R2 WAN1 interface and hence not to R2 WAN0 interface.

Config at TG:
-----------------
Destination IP : R2 WAN interface IP
Destination MAC : R1 LAN mac


Cisco VPN :: 7200 - Traffic Is Not Passing Through Tunnel?

Nov 17, 2011

I have set a tunnel between Cisco pix 6.3 and Cisco Router 7200. Show Isakmp sa showing below detail on Pix
 
Total     : 1
Embryonic : 0
dst               src        state     pending     created
xx6.x71.x29.x68   x2.1x7.52.1x1    QM_IDLE         0           0
  
Is the tunnel up? Traffic is not going through the tunnel. Why?


Cisco :: 4402 - DHCP Not Passing On One Particular WLAN

Nov 27, 2012

We currently have a Cisco 4402 with firmware version 6.0.182.0 and 4 WLANs currently running on it. We found the need to add an additional WLAN, and after the configuration was completed and I tried to connect to it I found that we are not getting an address. If I connect a laptop to the VLAN I can get an IP and am able to browse. If I hard code an IP into a device and connect to the wireless I am able to connect and browse.


Cisco VPN :: 5520 NAT Internal Address Before Passing To VPN

Jul 25, 2012

I've been tasked with retiring a VPN Concentrator 3000 and replacing it with an ASA 5520.  I'm trying to get a handle on how to set up the NATs and ACLs, since most of my experience is remote access VPNs, not site-to-site.  Plus I've not configured a VPN 3000 in about 6 years so I'm having to re-learn a lot of the interface.
 
The VPN 3000 has a feature called LAN-to-LAN NAT rules that basically allow you to NAT an address on your internal network to an address on the "local" network for the LAN-to-LAN connection so it can then go through the tunnel to the remote side.  The config looks something like this in the VPN 3000: [code]

Which looks to me like a "Static Policy NAT" in ASDM.  So I set one of those up, that should be translating 172.16.3.151 on the inside interface to 192.168.200.151 on the inside interface (yes, the same interface) which should then (logically) be picked up as "interesting traffic" by the crypto-map and sent across the VPN tunnel.  However, that doesn't seem to be the case - both the "packet trace" in the ASDM and traceroute from the source workstation show the packets getting to the inside interface, and then passed right out the outside interface to the internet router (which then drops the packets as they're a private IP).
 
What else do I need to do to make the crypto-map pick up the NATted traffic?


Cisco VPN :: 1841 / ASA Not Passing Inside Traffic Though Vpn?

May 2, 2012

I am about to pull my hair out. I have a 1841 router at one end with 3 ASAs for teleworkers working great. I'm connecting a 4th one that I can not get to work for the life of me. The tunnel is coming up, but it's not passing any traffic. I don't see any glaring errors in the VPN debug. The router comes up, reverse route injection does its thing... all looks great. Am I totally overlooking something? I must have rebuilt this a dozen times.
  
:
ASA Version 8.2(1)
!
hostname ciscoasa104
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.104.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.104.0 255.255.255.0

[code]....


Cisco WAN :: ME3400 Switch Not Passing Traffic

Jan 17, 2011

I have a Cisco ME3400-24TS-A switch which is not behaving normally.

I have already erased its flash and uploaded a new IOS but could not fix the issue. However, it boots normally and passes all tests shown in the boot process. The issue is that I can't access or ping the computers attached to its ports from one to the other.

However, I can ping the switch VLAN 1 IP from all computers attached to it.

When I tried the Debug All command, it shows the following:

debug all 
This may severely impact network performance. Continue? (yes/[no]): yes
All possible debugging has been turned on
Switch#
*Mar  1 00:03:41.467: special_oce_change_vectors: select debug vectors

[Code]....


Cisco Routers :: RV042 DMZ Is Not Passing Traffic

Apr 18, 2012

I am using an RV042 router and I have configured a DMZ in it. The DMZ is not passing the traffic. I am able to ping the DMZ IP from the server, but the server is not getting the Internet.


Cisco Wireless :: How To Upgrade WCS 6 To 7 Versions Passing By MSE

Apr 23, 2012

I have to upgrade a WCS from version 6 to 7. Here we have an MSE having 6.0.85.0; the matrix document indicates that you can map, or well, have installed only one version or release from MSE to WCS. My question is, do I have to upgrade the MSE first to the version compatible with the new WCS version we want to upgrade to?


Cisco VPN :: 5520 - Tunnel Up But Not Passing Traffic

Jan 15, 2012

I have a site to site tunnel between two 5520 ASAs. Tunnel is up but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic. When I ping, the tunnel comes up but in the logs it says it is blocking icmp from inside to outside. I have tried the sys opt connection permit-vpn but it is not working. The traffic is from 5 specific machines within the local subnet that I put in a network object group called Celerra_Replication.

I want them to be able to talk to 5 machines on the far end of the tunnel in a separate subnet. They are in a network object group called GP_Celerra_Replication. The ACLs I created for this appear to be created correctly, allowing IP from Celerra_replication to GP_Celerra_Replication and the opposite on the other side.


Cisco WAN :: 2900 - Traffic Not Passing From One Interface To Another

Jan 15, 2013

I am facing a very big problem with site to site VPN on Cisco 2900 IOS.

I configured the VPN, and when I ping from the router itself to the destination IP with the source as the LAN interface, the VPN works, no problem.

But when I connect any computer directly to the router's LAN interface to initiate traffic, it does not work at all, and on the computer's LAN I see a yellow sign.

MTU is 1500, speed is auto (I tried changing it also), duplex is auto (I tried changing it also). Though the firewall on the PC should not affect it, I still disabled it.

Since there is no problem with the VPN config, as the VPN comes up when I initiate a ping from the router itself, I don't know why it is not working from the LAN.

Do we need any inspect icmp on this router also? Or is any policy modification required to pass traffic across the interface on the router?

I was using c2900k9-15.0(M4).bin and I upgraded it to 15.3, which is the latest, to get rid of any bug.

I connected two laptops directly to the router's gi0/0, g0/1 interfaces to ping from one laptop to another but this also did not work.


D-Link DIR-655 :: Passing SQL Server Traffic?

Jan 24, 2012

I have a server with SQL Server 2008 on it.  It listens on the default ports 1433 & 1434.  But traffic is not making it through my DIR-655 to the LAN so that SQL Server can respond to the request.  I am using DynDNS and have confirmed that the traffic is getting thru DNS and finding the router, but after watching the syslog I can see that I'm getting multiple of the following error messages when a request is initiated from a client (Microsoft Access app) outside my network:

01-24-2012   22:28:24   System3.Info   192.168.1.1   Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 67.167.87.109:53284 to 67.167.87.109:139
01-24-2012   22:28:24   System3.Info   192.168.1.1   Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 67.167.87.109:53282 to 67.167.87.109:445

In Port Forwarding I have specified a rule to allow/pass port 1433 & 1434 TCP traffic to my internal server IP.

Also I'm confused by the ports shown above since I was expecting to see 1433/1434 in there...seems this is a factor in the traffic never getting to the SQL Server to process the request?


Cisco Wireless :: WAP200E Bridge Not Passing Data

Apr 19, 2012

Just setup two WAP200E's, the bridge is "Connected" as I look Status > System Performance in both WAP's. However, I cannot get to the LAN from one network to the next. Cannot even ping the WAP's from either side.
 
I already have two WAP200E's on this network, that have been working well for months (164 day uptime), and they are configured with a wireless bridge between them, both networks on the same LAN (same 192.168.2.x network on either side). The bridge names are different, different from the main WiFi in the building, too (if it makes a difference), and the static IPs the WAPs have don't appear to have any conflicts on the network.
 
This is actually three buildings, one is the main one with a Cisco SR520 for a router, and a Cisco SF 200-24P switch. So two WAP200E's go into this switch now, and I see them both fine when going into the management interface. Then each of the other buildings has one WAP200E, and a small Netgear 8 port PoE gigabit switch at each building to power the WAP.
 
The Netgear switches aren't managed, and I've made sure any features like STP, VLANs, etc. are turned off. And the Cisco SF 200 switch is set at auto and all the defaults mostly, particularly for the ports. I tried doing a SmartPort for this latest WAP200E and that didn't change anything, tried disabling STP for it too, and no change. The PoE port for the working WAP200E is identical in config to the PoE port for the new WAP200E, and both show forwarding, all VLANs admitted (none are enabled, no VLAN tagging, etc.).
 
So now I am wondering if I can have two WAP200E's into one switch? Or two bridges on the same LAN subnet? Or is there something else I am missing or should configure?


Cisco VPN :: Not Passing Traffics Between Server And Client (ASA5510)?

Jan 25, 2012

I have created a Remote VPN on an ASA5510 (8.0(5)). The tunnel is up and client machines are able to connect to the VPN, but it is not passing traffic between server and client.


Cisco Firewall :: ASA 5510 Ftp Traffic Passing On 1 Interface But Not Another?

Dec 20, 2011

FTP traffic routed from outside to the inside interface works fine.  I have another interface with multiple sub-interfaces and vlans configured.  FTP traffic routed from the outside to vlan2_servers is not making it through the firewall.  I must be missing something.  I have attached my config.


Cisco Routers :: RV042 Stops Passing Traffic On WAN

Feb 12, 2012

We have a managed service provider VoIP network that requires us to use our own router for the data network. We wanted to use the RV042 for its easy VPN setup. After installing, it worked great for about 10 min., then the WAN port stopped passing traffic. 3 min. later it started working again. We tested the RV042 on a different network and it works fine. We tested an older Pix on the managed network and that works fine. But the RV042 will not work on the managed service provider VoIP network. The service provider says that on their end it shows our WAN port going up and down.
