Cisco VPN :: PIX 515E - Configuration As VPN Concentrator
Jul 2, 2012
I need to configure a Cisco pix 515e as vpn concentrator. Now the network has 2 Cisco pix in fail over - May I add a new Cisco pix in parallel and redirect the vpn tunnel on it? How do I need to make the configuration in order to work?
I dint have any experience in Using cisco pix firewall. i got this for home lab practice.the pix can be accessed and configured by web based and CLI mode right. basic configuariton tto configure pix 515e in cli mode.
as of now im using console( hyper terminal) to access the pix. in cli based commands i need the following
1. how to assign ip address to inside ethernet and outside ethernet
2. how to enable telnet and after enabling it , can i connect my pc directly to the pix inside ethernet and do telnetting or if at all possible with (https enabled)web based config. any of these are ohk.
went at browsing to find these all i could find is web based configs. i need cli commands.
I just got my PIX515e configured and thought I had it working correctly, but on my 3745 router, the line protocol is down, I've looked through the configs for bot the PIX and the 3745 and can't seem to figure out why I don't have access.
Pix515E config: pixfirewall# show run : Saved : PIX Version 8.0(4)32 ! hostname pixfirewall domain-name home.jkkcc.com enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names
we have a pix 515E firewall with software version Cisco PIX Security Appliance Software Version 7.0(4) and ASDM version Device Manager Version 5.0(4). we are in a process of upgrading the software. Kindly suggest the software and ASDM version most fit for the device. Also the software should be compatilbe for the current configuation running.
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1) firewall transparent names ! interface Ethernet0 [Code]....
I have a question about VPN Concentrator FTP Backup configuration to get logs on FTP server. I have configure FTP Backup with all details but I still do not see any logs on FTP server. Do you know what could be the issue? I have never used Concentrator and not sure what needs to be done to get in working condition. I am using VPN Concentrator 3015 series.
I have been trying to setup a LAN-to-LAN VPN between two sites that are using a 3000 series CISCO Concentrator. After following the basic setups from the CISCO site, I am still unable to create a tunnel. At the moment I'm starting to believe it is how I have physically setup the network. Site 1 is using a Billion BiPAC 7404VNPX ADSL2+ Modem, Site 2 is using a Netgear DGN2000 ADSL2+ Modem, The VPN Concentrators are setup behind these devices with each firewall setup to allow the needed ports forwarded.
My organization has an old 3005 that i need to wipe the config of. The problem is that i cant gain access to the device via the console port. Every time i try connecting using a terminal session, all i see is a blinking cursor. As a result, my question to the group is there another way to wipe the config on this device?
Our VPN 3000 concentrator's admin password was changed by somebody so i reset the password by using straight through serial cable, now the problem is it allows me to login with admin through console but not through admin web interface or telnet. I have enabled telnet and http access but still no success. Concentrator is using internal database so no AAA server is configured.
I have a client who saw there was a android version of the AnyConnect client and want me to go through and get their VPN 3000 Concentrator confingured to be able to connect in with it.
The Conncentrator is currently setup several groups of users and the base group is set up to all other products to connec tin via a pre shared key. It took alot research to get it configured to this point and all the searches i pull up are for a ASA.
I'm planning connect VPN concentrator in our company to PIX515 DMZ interface.At the moment , VPN concentrator(used for remote access VPN for laptop users) is connected directly to core switch so as PIx515. Having VPN Concentrator connected directly to LAN is security risk .SO i want to connect VPN concentrator to DMZ of the Firewall(pix515).
We don't have any test environment and we are not allowed to have downtime of more than 10 minutes in production network ,I want to make sure my design and commands would work without problem .I've attached doigram of our curernt setup and new setup I'm planning to work on as well as commands . Does this design will work .Nat , routing everything .
Can a Cisco PIX 515E with an Unrestricted License (UR) be deployed as a VPN concentrator? For example, remote users having VPN clients installed on their desktops connect through the Internet and are authenticated by the PIX 515E at the main site.
I have a VPN Concentrator 3000 with LAN-to-LAN DES-56 connections connected to it (Cisco PIX 506). Everything was working fine and then over the night something messed up on it. No settings were changed or anything.
First issue was anything using DHCP (getting IPs from the sites local PIX) couldn't be pinged or reach out through the Concentrator. It was only Thin Clients that didn't work. I could still ping the PIX, printers and desktop computers that were static set IPs. But this was happening at every site going through this Concentrator. The sites going through out MPLS network are fine.
I tried setting the Thin Clients to a static IP but still couldn't ping them.
I then decided to reboot the Concentrator, when it came back up all sites reconnected back to the Concentrator but now couldn't ping anything at the sites, not even the LAN IP of the PIX (or printers and desktops now). I power cycled a few of the sites PIXs but they still were not pingable even though the Concentrator showed they were connected.
I then decided to physical power cycle the Concentrator, it's back up and all sites are connected but none of the devices on the LAN side are reachable.
The Concentrator can ping the sites WAN IP but nothing on the LAN side going through and out the Concentrator. It can ping the LAN through the private interface (going back towards my LAN) just not going through the public interface (over the WAN).
The sessions show that Bytes are Rxing but no Bytes are Txing.
I would like to pick the communities brains and get some opinions about VPN concentrators and different vendors.Now as far as I am aware and my research has taken me the Cisco VPN concentrator range has been discontinued and we need to look at the ASA range of devices for replacements.Working with smaller companies and ADSL solutions (dynamic IP assignment) it makes it challenging to establish a site to site VPN without dyndns and the cisco ASA range does not support dyndns VPN connections.Now the question I have or opinions I am looking for is:What I do like about Fortigate is that you have the ability to create virtual Firewalls. I am not looking for answers but rather real life experience with the different vendor products and opinions surrounding VPN concentrators.
I have 3000 concentrator in 192.168.1.x/24 network (concentrator has static IP of 192.168.1.4/24 assigned to its private int). I can manage it thru HTTP from any PC in the same subnet, but connection failes while trying to connect from PC on different subnet (i.e. 10.1.1.x/24). Is there ACL in concentrator config which needs to be modified to allow management from different subnet?
Our enterprise uses a VPN Concentrator 3000 for our VPN access. Is there a way to view a log history of what user connected to VPN and what IP address they were assigned? It would be for 2 days ago which was over the weekend.
I've the following scenario VPN Concentrator is connected to a router which is connected to a router and at the edge Cisco 515E PIX is connected to the internet. The problem is that the normal VPN Dial-up connection (a utility of windows) are getting connected but Cisco VPN Client throws error 412. Here's what I've tried (Initially groups and user were created):
(1) Allowed port 10000 on PIX ( access-list from-outside-coming-in permit tcp any host <public ip> eq 10000) and checked IPSec over UDP on VPN Conc. under Mode Config tab. Also checked IPSec over TCP tab under tunneling panel at port 10000. Tried connecting through VPN Client but it threw error 412 (2) In the reference guide, I read that IPSec over NAT is allowed on ports ranging from 4000 something to 40000 something.
I tried 33333, both on PIX and VPN Conc. under Mode Config tab but still no use. Same error 412.
Where did I need to go on the Concentrator to disable tcp 1723 and 10000? We don't require these to be open and our pen test shows these as being open.
Client: CISCO VPN Client VPN server: Cisco Concentrator 3020 OS v 4.7
I want to get away from configuring split tunneling for security reasons. With Split tunneling and I am able to specify to which subnets the clients have access to. I do it defining "Network Lists"
When I modify the group and select "tunnel everything" under "client config" tab, the users then can access all subnets in the LAN. When I select this option the "Split tunneling network list" is grayed out
End goal is to make all traffic go thru the tunnel but be able to resctrict access to speficic subnets.
I have an old VPN 3000 Concentrator that I do not have any idea what is running on it. The previous network admin didn't leave a password for it, so I tried to reset the password. I was successful in doing so, but when I try to access it with the default of admin/admin via web browser, I still cannot access it. I am loathe to remove or power off this device without knowing what is on it.
We have two 3000 vpn concentrators. Under both of their load balancing fields, Configuration - Load balancing , the checkbox for loadbalancing is enabled.However both have different priorities, one with 10 and other with 1. Does this mean both are actually loadbalancing. What does the priorities indicate here?If we replace the concentrators with ASA , how will this load balancing need to be configured on ASA & how will it work.
I have an interesting problem. I've configured a site to site VPN connection between these two devices. I am using the CDMA card as the primary and only outside connection on the 1921. What happens is that by default the cellular connection is offline. When traffic is generated internally from that network to the concentrator side of this scenario the cellular connection goes online and builds the tunnel, no problem. However, I cannot initiate the tunnel from the concentrator side. I think what i need is a way to force the cellular connection to always be on, and if it fails to come back online.
I manage a VPN 300 concentrator which has been happily working for several years without any problems. All users are part of the same group and authenticate to an RSA server. We recently moved from RSA authentication manager 6.1 to RSA authentication manager 7.1. Everthing continued working fine for several weeks, then at the beginning of this week we started getting users intermittently failing to connect to the VPN. I'm not sure if this problem relates to our new RSA server, but we have other network devices which authenticate to it with no problem so I guess the problem is with the VPN concentrator itself.
When users fail they just get a generic "Reason 427 connection terminated by peer" error message. The live event log shows "group = vpn, status = Not-in-service" when their connection fails. Other times they connect normally and no error messages are displayed. There seems to be no real pattern, sometimes your connection fails but if you keep trying you will eventually get in [however it can take many attempts over an hour or two before you succeed, or you may get in straight away with no problem].
I dont believe its a network problem, as I have run continuous pings to the concentrator and the RSA server whilst users are experiencing these problems and there are no drops.
The RSA servers authentication monitor always shows that the user has successfully authenticated, whether the users connection actually succeeds or not. I am tempted to just reboot the concentrator, but we have site-to-site VPN tunnels connected off it and I'm a little concerned that if it is faulty it may not come back up at all.
We have to setup an IPSEC tunnel for a client that does not what to exchange private IP address information for security and overlapping address space reasons. We will both be natting our source private ip address space as public IP address space and send those packets through the established tunnel. Im using a Cisco 3000 concentrator.
I am trying to setup a L2L IPSec VPN between cisco VPN3020 concentrator and Cisco 2811 something is not working and I don't understand why.I describe my situation in detail my router has 2 interfaces
External interface Fa 0/1 ip 193.P.Q.R Internal interface Fa 0/0 141.G.H.254 Lan on internal interface is 141.G.H.0/24
remote VPN concentrator has 2 interfaces
Public interface 131.A.B.C Private interface 131.A.I.E
I have to set up L2L so that host 141.G.H.10 can talk to host 131.A.H.D whici is behind the VPN concentrator my router config:
crypto isakmp policy 3 encr 3des hash md5 authentication pre-share group 2crypto isakmp key * address 131.A.B.C!crypto ipsec transform-set presid-set esp-3des esp-md5-hmac !crypto map presid-map 5 ipsec-isakmp set peer 131.A.B.C set transform-set presid-set match address presid!interface FastEthernet0/1 ip address 193.P.Q.R 255.255.255.252 duplex full speed 100 crypto map presid-map!interface FastEthernet0/0 ip address 141.G.H.254 255.255.255.0 duplex auto speed auto! ip access-list extended presid permit ip host 141.G.H.10 host 131.A.H.D ip route 0.0.0.0 0.0.0.0 193.P.Q.S
Then I configured VPN3020 accordingly creating a lan to lan profile with the proper IKE proposals ecc ecc when interesting traffic is matched by VPN acl (presid) I see this messages in the VPN concentrator logs:
57101 02/23/2011 15:49:05.310 SEV=4 IKE/119 RPT=4033 193.P.Q.R Group [193.P.Q.R]PHASE 1 COMPLETED 57102 02/23/2011 15:49:05.310 SEV=4 AUTH/22 RPT=3935 193.P.Q.R User [193.P.Q.R] Group [193.P.Q.R] connected, Session Type: IPSec/LAN-to-LAN 57104 02/23/2011 15:49:05.310 SEV=4 AUTH/84 RPT=11 LAN-to-LAN tunnel to headend device 193.P.Q.R connected 57110 02/23/2011 15:49:54.820 SEV=4 IKE/123 RPT=1093 193.P.Q.R Group [193.P.Q.R]IKE lost contact with remote peer, deleting connection (keepalive type: DPD) 57112 02/23/2011 15:49:54.820 SEV=5 IKE/194 RPT=3778 193.P.Q.R Group [193.P.Q.R]Sending IKE Delete With Reason message: Connectivity to Client Lost. 57114 02/23/2011 15:49:54.820 SEV=4 AUTH/23 RPT=14 193.P.Q.R User [193.P.Q.R] Group [193.P.Q.R] disconnected: duration: 0:00:49 57115 02/23/2011 15:49:54.820 SEV=4 AUTH/85 RPT=11 LAN-to-LAN tunnel to headend device 193.P.Q.R disconnected: duration: 0:00:49
and from router side I See this with show crypto isakmp sa
131.A.B.C 193.P.Q.R CONF_XAUTH 5 0 ACTIVE
but the status got stuck in CONF_XAUTH state and then disconnects?
We recently had a Port Scan done on our external IP Addresses. One of those IP Addresses scanned was our Concentrator 3000. The report came back with the following TCP ports being open on the Concentrator 3000 - 80, 443, 1723, 10000, 10001, 10002, 10003, 10004, and 10009. I am unsure if it is necessary to have any or all of these open. The Concentrator 3000 is in front of our ASA5520.
is it possible to use cisco AnyConnect client to connect users with Cisco VPN 3000 appliance?If so how to configure VPN 3000 concentrator to work with AnyConnect?
I have been working with my ASA 5505 VPN Concentrator to maintain a connection with one of my remote sites. I have several tunnels that work fine and dont have any issues at all, but one tunnel with outside IP ending in 146 and inside LAN 192.168.3.0 goes down every 24 hours. Attached is the config from the concentrator. I changed around the Security Association Lifetime Settings and the tunnel would drop after that amount of time expired. If I set it to 24 hours, the tunnel would drop every 24 hours. If I set it to 8 hours it would go down every 8 hours.
I have swapped the router a few times, double and triple checked my key settings, disabled keep alives on both ends, and this problem just started happening a few weeks ago after working fine for years. I also get the following e-mail error every time it goes down:
<161>Jul 10 2011 16:19:47: %ASA-1-713900: Group = xxx.xxx.xxx.146, IP = xxx.xxx.xxx.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
IP routing is disabled on the 3750 (it's acting solely as a switch) IP routing is enabled with an EIGRP process running on the 3550 router that has the network for the 3005 broadcasting.
I can ping the vpn 3005 concentrator from a telnet session in the 3550 but not from the 3750.I can ping between the 3750 and the 3550 vlan management interfaces. Visually speaking it's like this
I know this because I tracerout to the 3005 from the 3750 and it resolved the default gateway configured for the 3550 properly but then started timing out.
The 3750 is trunked to the 3550.
3750 is vtp client mode 3550 is vtp server mode
I'm wondering if there's a layer 2 issue involved here as it is a VTP domain and maybe it's not returning properly.
Is it possible to configure a site-to-site VPN between an ASA 5510 running 8.2(1) and an old Cisco VPN Concentrator 3000? I've only been able to find an old 3000 to PIX guide on Cisco's site, and I cannot figure out how the two device's VPN options match up.
These are the options from the 3000:
IKE Proposal Authentication: Encryption options:
On the 5510's Site-to-Site Connection Profile, all the options are clumped into two boxes under Encrption Algorithms: