Cisco VPN :: IPSec VPN Between 2911 And ScreenOS?
Aug 27, 2012
I'm trying to configure a simple IPsec VPN between a Cisco 2911 router and a Juniper NetScreen ScreenOS device (I don't know the exact model). At first the debugging looks good (QM_IDLE) but then the ISAKMP SA is deleted. The guy managing the Juniper device sent me his log excerpt:
###########################################################################
2012-08-28 10:24:16 system info 00536 IKE <WAN IP> Phase 2 msg ID 9b839579: Negotiations have failed.
2012-08-28 10:24:16 system info 00536 Rejected an IKE packet on loopback.11 from <WAN IP>:500 to 217.150.152.45:500 with cookies 87960e39d074ca49 and 9302d26c7ce324a5
[code]....
Is there anything special that needs to be considered when building a VPN to Juniper devices?
View 6 Replies
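A ScreenOS peer that completes Phase 1 and then logs "Phase 2 ... Negotiations have failed" followed by a rejected IKE packet is most often disagreeing on the Phase 2 proposal or the proxy-IDs: IOS derives its proxy-IDs from the crypto ACL, whereas ScreenOS (a route-based VPN in particular) needs the mirror image configured explicitly as a proxy-ID, and any PFS setting must match too. The configuration below is an added example for the IOS side and is not the poster's configuration; the peer address 217.150.152.45 comes from the log excerpt, while the subnets (10.1.0.0/24 on the Cisco side, 10.2.0.0/24 on the Juniper side), the PSK placeholder, object names, outside interface and algorithm choices are assumptions.

```cisco
! Added example: IOS side of a policy-based IPsec tunnel to a ScreenOS peer.
! Subnets, PSK placeholder, names, interface and algorithms are assumptions.
crypto isakmp policy 10
 encr aes 256
! sha256 and group 14 need an IOS release that supports them (15.1(2)T and
! later do); on older code fall back to "hash sha" and "group 5".
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <PRE-SHARED-KEY> address 217.150.152.45
!
crypto ipsec transform-set JUNIPER-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Phase 2 proxy-IDs. The ScreenOS side must carry the mirror image of this
! entry as its proxy-ID (local 10.2.0.0/24, remote 10.1.0.0/24, service ANY).
! Keep one subnet pair per entry: ScreenOS negotiates one proxy-ID per
! Phase 2 SA and rejects identities that do not match it exactly.
ip access-list extended VPN-TO-JUNIPER
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 217.150.152.45
 set transform-set JUNIPER-TS
! PFS must match the ScreenOS Phase 2 proposal (drop this line if the
! Juniper proposal is a "nopfs-..." one).
 set pfs group14
 match address VPN-TO-JUNIPER
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

On the IOS side, `debug crypto ipsec` reports a proxy-ID disagreement as "proxy identities not supported", and `show crypto ipsec sa` lists the local and remote identities that were actually negotiated; comparing those two lines with the Juniper admin's proxy-ID is the quickest way to settle this kind of failure.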
Nov 11, 2012
We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
Site A has an ASA with one internet circuit.
Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
View 6 Replies
Aug 23, 2011
I have a connection between HQ and a branch which are connected by a GRE tunnel over IPsec. I use a Cisco 3745 router with IOS version 12.3(18) and a Cisco 2911 router with IOS version 15.0(1r)M9 with ipbase, security and data licenses.
I tried to apply the following commands to both routers:
Cisco 3745 (HQ)
crypto isakmp key test address 10.1.1.2
crypto isakmp keepalive 60
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map vpn01 local-address Loopback0
[code]....
When I applied these commands, the following notification was shown:
NOTE: crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface.
*** After applying these commands, I cannot ping or send any traffic to HQ. ***
These commands work normally on a Cisco 3745 router with IOS version 12.3(18) and a Cisco 2811 router with IOS version 12.4(7b).
View 2 Replies
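The notification quoted above is the 2911's way of saying that IOS 15 no longer accepts a classic crypto map on a tunnel interface; the supported way to encrypt a GRE tunnel is an IPsec profile bound with `tunnel protection`. The following is an added example and not the original post's configuration: the peer 10.1.1.2, Loopback0 as the tunnel source and the key name `test` are taken from the post, while the tunnel addressing, the remote LAN 192.168.20.0/24, the MTU values and the algorithm choices are assumptions.

```cisco
! Added example: GRE over IPsec with an IPsec profile instead of a crypto map.
! Peer, Loopback0 and key name come from the post; the rest is assumed.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
! group 2 is the lowest common denominator for a 12.3 peer; use group 14
! where both IOS releases support it.
 group 2
crypto isakmp key test address 10.1.1.2
crypto isakmp keepalive 60
!
! Transport mode is sufficient: GRE already supplies the outer IP header,
! so tunnel mode would only add a second one.
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set myset
!
interface Tunnel0
 ip address 172.16.255.1 255.255.255.252
! Leave room for GRE + ESP overhead so the tunnel does not fragment.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.1.1.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! No "match address" ACL and no "crypto map" on the tunnel: tunnel
! protection derives the proxy-IDs (GRE between tunnel source and
! destination) itself. Routes for the remote LAN point at the tunnel.
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

The 3745 side is configured the same way (mirrored tunnel address and destination); `tunnel protection` has been available since 12.2(13)T, so 12.3(18) accepts it. Remove the crypto map from both tunnel interfaces and from the physical interface, otherwise the two mechanisms compete for the same GRE flow. Loopback0 must remain reachable from the peer over the underlay, since it is now the IKE and ESP endpoint.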
Apr 3, 2013
I have two Cisco routers: a 2911 in HQ and an RV180 in the branch office. Because in the HQ LAN I have some development servers, to which the guys from the branch office need to have access, I decided to set up a site-to-site VPN between HQ and the branch office. Everything went quite smoothly; on both devices I see that the IPsec connection is established. Unfortunately I am not able to ping resources from one network to the other and vice versa. Below is the configuration of the 2911 router (I skipped some unimportant (imho) configuration directives):
crypto isakmp policy 1
encr 3des
hash md5
[Code].....
View 9 Replies
Mar 15, 2011
I have a Cisco 2911 router and a Cisco RV 120W router and I would like to establish a VPN tunnel between these two. I have defined the settings on the Cisco RV 120W router and I just want the Cisco 2911 to follow those. Setting up a connection with Cisco IOS.
View 1 Replies
Dec 25, 2011
I have one router, CISCO2911/K9 (Cisco 2911 w/3 GE, 4 EHWIC, 2 DSP, 1 SM, 256MB CF, 512MB DRAM, IPB). But now my management is asking me to upgrade this router to a CISCO2911-SEC/K9.
What will be the BOM for this upgrade?
View 2 Replies
Apr 29, 2013
I tried every type of combination and just couldn't make it work. Only PPTP works well. Is Apple iOS IPsec VPN supported or not?
View 11 Replies
Jan 28, 2011
I am looking at this doc to use an ASA + 2911 to do Policy Based Routing with multiple ISPs. From the linked doc, under the PBR scenario, what should the IP addresses be for the router's connections to the ISPs? It isn't labeled.
View 4 Replies
Dec 21, 2011
What specific commands are needed to configure qos on a router?
Two sites:
Cisco 2911 (site 1 ) Cisco 2911 (Site 2)
Data VLAN
Management VLAN
I want to configure QoS on Site 1 so that the Data VLAN traffic is always marked higher than the Management VLAN traffic coming from Site 1.
View 1 Replies
Dec 27, 2012
I have one router 2911 with the following image: c2900-universalk9-mz.SPA.151-4.M4.bin. I have two ISPs on this router and I tried to configure IP SLA on it and I'm not able to do it and I don't know why. I can configure almost everything but not the IP SLA command. This is the config:
track 10 ip sla 1 reachability
delay down 10 up 1
!
track 20 ip sla 2 reachability
delay down 10 up 1
!
[code]....
What do I need to do in this case? Or why can't I configure IP SLA?
View 5 Replies
Oct 13, 2011
I have a Cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN links but it does not support the command "ip sla monitor". My IOS version is c2900-universalk9-mz.SPA.151-2.T1.bin. How can I configure IP SLA on my router?
View 4 Replies
Feb 12, 2013
I have a Cisco 2911 router with two possible WAN interfaces out and a backup configuration using IP SLA. When the primary interface goes down the traffic is automatically rerouted through the backup interface, but the problem I have is that when the traffic is going through the backup interface (because the primary is down), if the backup interface also goes down and then the primary comes up, the traffic is not automatically rerouted to the primary interface. It looks to me like it keeps trying to go out the backup interface and cannot see that the primary is down. I guess that the pings are going out the backup interface and, as it is down, the router doesn't receive any answer to the ping and doesn't change to the primary.
The main configuration related to the IP SLA is this:
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
description backup Interface
ip address 175.xx.xx.10 255.255.255.252
ip nat outside
[Code]....
View 8 Replies
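The behaviour described above is what happens when the IP SLA probe is allowed to follow whichever default route is currently active: once traffic has moved to the backup, the echoes leave through the backup too, and the primary's recovery is never observed. Pinning the probe to the primary path with a host route and a source interface makes the track reflect the primary link's state independently of the routing table. This is an added example, not the poster's configuration: Gi0/0 as the backup comes from the post, while Gi0/1 as the primary, the next-hops 198.51.100.1 (primary) and 175.x.x.9 (backup), and the probe target 203.0.113.53 (assumed to be a host that is reliably reachable through the primary ISP, such as its DNS resolver) are assumptions.

```cisco
! Added example: IP SLA tracking pinned to the primary link.
! Interfaces, next-hops and the probe target are assumptions.
ip sla 1
! Source the echo from the primary interface so the reply comes back the
! same way even while the backup default route is active.
 icmp-echo 203.0.113.53 source-interface GigabitEthernet0/1
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 1
!
! Host route for the probe target via the PRIMARY next-hop only. This is
! the piece that fixes the failback: the probe can never take the backup
! path, so it fails while the primary is down (even if the backup is also
! down) and succeeds again as soon as the primary carries traffic.
! Probe a target beyond the ISP gateway; pinging the directly connected
! gateway only proves the link is up, not that the ISP is forwarding.
ip route 203.0.113.53 255.255.255.255 198.51.100.1
!
! Primary default route conditional on the track, backup as a floating
! static with a worse administrative distance.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 175.x.x.9 10
```

`show track 1` and `show ip sla statistics 1` show the probe result and the route state; after a primary outage the track should go up within `delay up` seconds of the primary ISP answering again, and the backup default route should disappear from `show ip route` at the same moment. If NAT is in use, the translations built while on the backup still reference the backup address and will time out rather than move, so expect existing sessions to reset on failback.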
Aug 5, 2012
We have a 2911 with HWIC-4ESW. System image file is "flash0:c2900-universalk9-mz.SPA.152-1.T1.bin".
_2911#sh inv
NAME: "CISCO2911/K9 chassis", DESCR: "CISCO2911/K9 chassis"
PID: CISCO2911/K9 , VID: V05 , SN: FGL16011005
[Code]....
The problem was that the HWIC-4ESW no longer passed traffic although it showed the interfaces as up; rebooting the router solved the problem. Which IOS is more stable and not subject to this problem?
View 3 Replies
Mar 2, 2012
Recently I attempted to build a LAN-to-LAN VPN tunnel from an ASA to a 2911 running zone-based firewall. This was a standard IPsec PSK tunnel, nothing fancy. I got the tunnel to establish but I could only get traffic to encap on the ASA side and decap on the 2911 side. I couldn't get return traffic. I followed this doc here for classic IPsec in the last example. URL
And I am sure the ASA is right, I've built a ton of those, but I am new to ZFW. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasn't sure and I could not find any info. Do I need to do NAT exempt? If so, do you use a route map on the end of your NAT overload config line like in the past?
Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 from the remote end when the tunnel is up.
View 7 Replies
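Three things have to be in place for a crypto-map tunnel to work behind ZBF on IOS: the self zone must allow IKE and ESP from the peer (once any zone-pair involving "self" exists, the implicit allow to the router is gone), the decrypted packets must be permitted from the outside zone into the inside zone (they arrive on the outside interface after decryption), and the LAN-to-LAN traffic must be exempted from the NAT overload rule or it is translated before it reaches the crypto ACL. The configuration below is an added example and not the poster's; the zone names, ACL names and addresses (inside LAN 192.168.10.0/24 on Gi0/1, remote LAN 192.168.20.0/24, ASA peer 203.0.113.2, outside Gi0/0, crypto map VPNMAP) are assumptions.

```cisco
! Added example: ZBF around a crypto-map IPsec tunnel on a 2911.
! Zone names, ACL names, addresses and interface roles are assumptions.
zone security INSIDE
zone security OUTSIDE
!
! 1. IKE and ESP terminate on the router itself. ESP has no L4 state to
!    inspect, so "pass" is the only usable action for it. The remote LAN
!    also reaches the router's own addresses (e.g. pinging Gi0/1) through
!    OUTSIDE -> self after decryption, so allow that as well.
ip access-list extended IPSEC-TO-SELF
 permit udp host 203.0.113.2 any eq isakmp
 permit udp host 203.0.113.2 any eq non500-isakmp
 permit esp host 203.0.113.2 any
 permit ip 192.168.20.0 0.0.0.255 any
class-map type inspect match-any CM-IPSEC-TO-SELF
 match access-group name IPSEC-TO-SELF
policy-map type inspect PM-OUT-SELF
 class type inspect CM-IPSEC-TO-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
!
! "pass" is stateless, so if a self -> OUTSIDE zone-pair also exists the
! mirror image must be allowed there too (IKE/ESP to the peer, router to
! remote LAN). Without such a zone-pair that direction is implicitly allowed.
ip access-list extended SELF-TO-IPSEC
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.2
 permit ip any 192.168.20.0 0.0.0.255
class-map type inspect match-any CM-SELF-TO-IPSEC
 match access-group name SELF-TO-IPSEC
policy-map type inspect PM-SELF-OUT
 class type inspect CM-SELF-TO-IPSEC
  pass
 class class-default
  drop log
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
!
! 2. Decrypted packets from the remote LAN enter the OUTSIDE zone. Inspect
!    them OUTSIDE -> INSIDE so the replies ride on the session instead of
!    needing a blanket INSIDE -> OUTSIDE rule.
ip access-list extended VPN-IN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
class-map type inspect match-all CM-VPN-IN
 match access-group name VPN-IN
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-IN
  inspect
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
! 3. NAT exemption via the route-map on the overload line: LAN-to-remote-LAN
!    traffic is denied in the ACL, so the route-map does not match it and it
!    is left untranslated and therefore matches the crypto ACL.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT-EXEMPT
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
 ip nat outside
 crypto map VPNMAP
interface GigabitEthernet0/1
 zone-member security INSIDE
 ip nat inside
```

The existing INSIDE -> OUTSIDE inspect policy is left in place; it creates the session for connections initiated from the local LAN, and the crypto map encrypts them on the way out. `show policy-map type inspect zone-pair sessions` shows which zone-pair a flow landed in, which is the fastest way to tell a ZBF drop from a crypto problem. A cleaner long-term design is a VTI (`tunnel mode ipsec ipv4`) placed in its own zone, which makes the VPN traffic's zone explicit instead of sharing the OUTSIDE zone with the internet.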
Mar 26, 2013
I have to build an HA environment. At the moment we have only one R1 and WAN1, but the company wants to buy R2 + WAN2 and have HA between the routers, so that in case R1 or WAN1 goes down the other router will take over.
What would be the standard methodology nowadays to do that: will HSRP do what I need, or is it better to do it some other way?
View 7 Replies
Mar 11, 2013
What are the max number of T1's that can be bundled on a 2911 router?
View 0 Replies
Apr 19, 2011
I need a V.35 interface on a 2911 router, but it does not have a WIC slot, it has EHWIC. Could someone tell me if there is a card with a V.35 interface that I can install in this model of router?
View 2 Replies
Apr 26, 2012
I have the following setup where the Cisco ME 3400 provided by the ISP.
My Cisco 2911 is configured as below:
CORE_Router#sh run
Building configuration...
Current configuration : 6075 bytes
[Code].....
View 6 Replies
Aug 1, 2012
I have a problem I am running into... I replaced a 2621 with a 2911. The 2911 has three interfaces and I need to use all of them. Description:
gige0/0: DHCP static IP from ISP, public IP; they assign me 4 more usable public IPs.
gige0/1: broken into four VLANs, 108, 109, 120, 127; ip nat on 109 for them to get to the internet, and a static translation on 127 for the phone system to get to the internet.
gige0/2: assigned another public IP. A tenant has a Linksys router on this interface; they want a public IP.
The problem is that this setup worked, but when we moved to the 2911, some NAT translations are failing, and we would like to figure out how to minimize the number of public IPs we use (right now it is three + the static assigned DHCP). The NAT that is not working is the NATs to the 2001-3001 range. I am not sure why it is failing, but the router seems to indicate it thinks some of these overlap. This router is also doing a VPN to an ASA... that seems to be working fine.
Current config:
Current configuration : 6072 bytes
!
! Last configuration change at 14:31:44 UTC Thu Aug 2 2012
! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
[Code]....
View 7 Replies
May 19, 2011
I've got a 2911 with a primary Ethernet link to the ISP, with BGP running over it. There's also an ADSL module in it, which will connect into the same ISP AS. How do I configure BGP over the ADSL so that it sits there doing nothing until the primary link fails? Do I need to set up a new instance of BGP with a different AS on the router or can it sit in the same AS as the primary link?
View 1 Replies
May 18, 2011
I think that I found some bug in the newest IOS 15.1.4M.
The case is as follows:
I started to configure failover for the customer (make the default route, make the default path) but I can't find the command "ip sla monitor". Has anyone met this problem with this IOS, or did Cisco just make some change in the CLI commands?
Tomorrow I will try with IOS version 15.1.1T.
View 2 Replies
Dec 14, 2011
I have a 2911 router that I am trying to use as an H.323 gateway for faxing purposes. Right now I can 4-digit dial and 10-digit dial the number and my analog phone answers, but when I try to place a call I get a fast busy immediately (as soon as I pick up the receiver).
View 1 Replies
Feb 1, 2012
We're bringing up a new site shortly and I'm trying to configure Serial0/0/0, which will be connected to an MPLS over a 1.5M T1 line. I am basically doing a similar configuration to other sites where one of the Ethernet interfaces is handed off from a fiber optic WAN, but a T1 MPLS is connected to a WIC card and this provides a redundant path (though slower) in case of a fiber cut or equipment failure. This should be pretty straightforward but it appears as if I have no serial interface on this router. The card is in and everything; it is a VMIC-3-1MFT-T1/E1 in EHWIC 0.
View 7 Replies
Jun 26, 2012
I want to connect an RPS2300 to a Cisco 2911 router to provide power backup. I have two questions. Easy one: if the 2911 PSU (internal power supply unit) fails, how do I confirm that the RPS2300 provides power to the 2911 with no reboot of the 2911? Tricky one: after we replace the broken PSU, will the 2911 reboot or not as power reverts from the RPS2300 to the internal PSU?
View 4 Replies
Nov 20, 2011
I purchased a 2911 router and a 25-pack of VPN licenses (PID: L-FL-SSLVPN25-K9=). I registered the license, and supplied the serial number of my router when asked. I received a .lic license file. When I attempt to install the license on the appliance, I receive an error:
% Error: Install failed. UDI L-FL-SSLVPN25-K9=:FTX1542AKJ3 on license does not match any device
0/1 licenses were successfully installed
0/1 licenses were existing licenses
1/1 licenses were failed to install
However, the following establishes that the serial number is correct:
SFGallery#show inventory
NAME: "CISCO2911/K9 chassis", DESCR: "CISCO2911/K9 chassis"
PID: CISCO2911/K9 , VID: V04 , SN: FTX1542AKJ3
NAME: "C2911 AC Power Supply", DESCR: "C2911 AC Power Supply"
PID: PWR-2911-AC , VID: V03 , SN: AZS153303LY
View 3 Replies
Jun 11, 2013
I have a Cisco 2911 router and I need to split the traffic from my LAN (Gi0/0) via ISP1 (fa0/0) and that of my servers (Gi/0/0) via ISP2 (fa0/1). [code] My problem comes when wanting to communicate with my remote networks that are reached via int Gi0/1, because when my network matches the policy-route, it sends me all the way to the internet.
View 1 Replies
Mar 14, 2012
We can't seem to SSH from the outside network into our router. Our router config looks straight forward enough.
!
! Last configuration change at 10:41:22 zone Thu Mar 15 2012 by tssconsult
! NVRAM config last updated at 11:19:12 zone Thu Mar 15 2012 by tssconsult
!
[Code].....
View 7 Replies
May 20, 2012
Is it possible to configure load balancing with three interfaces on my router with the following features? I have three ISPs, and would like to balance the traffic... Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1) Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX1613AH8D
3 Gigabit Ethernet interfaces
1 terminal line
2 Channelized (E1 or T1)/PRI ports
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
[code]....
View 3 Replies
Jan 30, 2013
Does the Cisco 2911 support VRRP? I can’t find anything about it in the datasheet.
View 2 Replies
Apr 14, 2012
I'm working on tweaking the config on a 2911 ISR G2 with a ZBF and am looking for some input. Our main issue right now is that the router is having performance issues once we hit certain throughput thresholds.
Right now, I have an inside-outside inspect set to look at all FTP, TCP, UDP, ICMP, DNS, SIP and HTTP traffic (I know, it's a bit redundant) and do inspection on it, then pass all other traffic. As a company policy, we are not filtering ANY traffic of any kind going outbound. (I know this isn't best practice but that's another battle for another day.)
Additionally, I have an outside-inside policy set to pass GRE traffic to an internal PPTP server (I know, not secure, but it's what we have). Then I have another inbound policy to inspect all traffic coming through that matches a specific ACL that defines all of the holes we're poking for hosting various functions on internal servers, etc.
Could I, should I, why would or wouldn't I simply pass traffic that matches specific ACLs or whatever instead of how we are presently doing a lot of inspection? If I were to simply pass matching traffic instead of doing the inspect, would I see a substantial performance increase/workload decrease on the 2911?
What are the security ramifications of simply passing traffic instead of doing the inspection?
View 2 Replies
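The difference the question above turns on is that `inspect` is stateful and `pass` is not: an inspected connection creates a session that admits only the replies belonging to it, while a passed packet is forwarded on the strength of the ACL match alone, in that direction only, regardless of TCP state. The configuration below is an added example and not the poster's; it contrasts the two for an outbound policy and for one published service, with the zone names, the server 192.168.10.25 and the GRE/PPTP host 192.168.10.30 as assumptions.

```cisco
! Added example: stateful inspection versus stateless pass in ZBF.
! Zone names, server addresses and ACL names are assumptions.
!
! (a) Outbound. One generic transport-layer class replaces the list of
!     per-application classes: tcp/udp/icmp already cover HTTP, DNS, FTP
!     control and SIP signalling at L4. What the application classes add
!     is ALG work on every flow (FTP data-channel pinholes, RTP pinholes
!     for SIP) and protocol conformance checks; dropping them is where the
!     CPU saving comes from, and is also what is given up.
class-map type inspect match-any CM-L4
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-OUT
 class type inspect CM-L4
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! (b) Inbound hole for a published HTTPS server, stateful: the session
!     built here is the only thing that lets the server's replies out,
!     and only toward the client that opened the connection.
ip access-list extended PUBLISHED-WEB
 permit tcp any host 192.168.10.25 eq 443
class-map type inspect match-all CM-PUBLISHED-WEB
 match access-group name PUBLISHED-WEB
!
! (c) The same hole with pass. No session exists, so the server's replies
!     need a second, mirrored pass entry on IN-OUT, and both entries admit
!     any packet matching the ACL: inbound segments that never completed a
!     handshake (stateless scanning, spoofed RST/FIN, SYN floods straight
!     to the host) and, outbound, anything the server emits from port 443
!     to any destination if it is ever compromised.
ip access-list extended PUBLISHED-WEB-REPLY
 permit tcp host 192.168.10.25 eq 443 any
class-map type inspect match-all CM-PUBLISHED-WEB-REPLY
 match access-group name PUBLISHED-WEB-REPLY
!
! GRE for the PPTP server is the case where pass is unavoidable: protocol
! 47 has no ports and no state, so the mirror entry is required.
ip access-list extended PPTP-GRE-IN
 permit gre any host 192.168.10.30
class-map type inspect match-all CM-PPTP-GRE-IN
 match access-group name PPTP-GRE-IN
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-PUBLISHED-WEB
  inspect
 class type inspect CM-PPTP-GRE-IN
  pass
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

A reasonable middle ground on a router that is CPU-bound is to keep `inspect` for everything that has transport-layer state (it is the session lookup, not the ACL, that stops unsolicited inbound packets) and reserve `pass` for stateless protocols such as GRE and ESP, while trimming the application-level matches outbound to the ones whose ALG behaviour is actually needed (FTP and SIP if active FTP and RTP must traverse the router). `show policy-map type inspect zone-pair` and `show processes cpu sorted` before and after the change will show whether the application classes were the cost.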
Feb 18, 2013
Recently they bought a new Cisco 2911 router and told me that they want it connected to an outside WAN connection that they hadn't used in a while so they could create a little network on the side. They want to just plug the server into the router and go. Unfortunately, I am sort of clueless about how to set up the config for it.
There are 3 GE ports, with the line from the outside coming in on GE0/0. I've already activated the interface and it is up, but that's where I get stuck.
View 14 Replies
Aug 29, 2011
I tried to configure PGM on my 2911 platform but it was impossible. I tried with many 15.1 versions that support this protocol.
Has someone configured PGM on 2911 routers? What is the correct IOS for it to work?
View 4 Replies
Jan 16, 2013
We have PBR configured on a 2911 router (15.1-4.M2). The PBR is being used to send specific traffic across a S2S VPN instead of an MPLS connection. If ip cef is enabled, the router sends the traffic across the MPLS. If ip cef is disabled, the traffic goes across the S2S VPN. I checked to see if there were any bugs in the code they are running about this and nothing came up. It is almost like CEF-enabled PBR isn't working on this device, even though it should be enabled by default when ip cef is turned on.
View 3 Replies