Cisco VPN :: RFC1918 / Setup VPN Tunnel To Vendors Hosted Network For AD Authentication
Oct 25, 2011
I need to set up a VPN tunnel to a vendor's hosted network for AD authentication. To prevent RFC1918 address overlap we are trying to NAT into a VPN transit network. I was given 209.235.17.232/19 and need to NAT these addresses:
209.235.17.233 <> 172.20.0.42
209.235.17.234 <> 172.20.0.43
The vendor is using 209.235.17.224/29 and NAT'ing to some 10.122.xx.xx addresses.
The Phase 1 requirements are:
Pre-Shared DH-Group2-AES256-SHA1 86400 seconds
The Phase 2 requirements are:
NOPFS-AES256-SHA1 3600 seconds
I have many l2l VPN tunnels configured using esp-3des esp-sha-hmac This is what I have configured on my ASA:
static (INSIDE,OUTSIDE) 209.235.17.233 172.20.0.42 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 209.235.17.234 172.20.0.43 netmask 255.255.255.255
access-list VPN-TO-JIVE extended permit ip 209.235.17.232 255.255.255.248 209.235.17.224 255.255.255.248
access-list VPN-TO-JIVE extended permit ip 209.235.17.224 255.255.255.248 209.235.17.232 255.255.255.248
[code].....
Currently my side is trying to initiate the tunnel, but we are getting this message:
15 IKE Peer: 65.168.255.157
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
I am configuring the transit network for the tunnel properly or performing the NAT for my 2 devices. I am still trying to determine what device the vendor has on their end.
Jun 13, 2011
I would like to pick the community's brains and get some opinions about VPN concentrators and different vendors. Now, as far as I am aware and my research has taken me, the Cisco VPN concentrator range has been discontinued and we need to look at the ASA range of devices for replacements. Working with smaller companies and ADSL solutions (dynamic IP assignment) makes it challenging to establish a site-to-site VPN without DynDNS, and the Cisco ASA range does not support DynDNS VPN connections. Now the question I have, or the opinions I am looking for, is: What I do like about Fortigate is that you have the ability to create virtual firewalls. I am not looking for answers but rather real-life experience with the different vendor products and opinions surrounding VPN concentrators.
Sep 7, 2012
We started out by switching them over from a normal POP server email service through Outlook and getting them onto Charter hosted Exchange. However, after getting them all set up, we had intermittent connection problems keep occurring. Here is what I know so far:
-the problem is with their network for sure
-re-imaged computers and reinstalled office
-any connection to exchange.charter-business.net is intermittent from their location only.
-replaced modem, router, switch
-tried different DNS servers, same problem
-used their DNS servers from another location, no problem connecting
Once we replaced their switch, the problem morphed a bit. Now, one of them can be connected at any given time without having problems. However, when the other tries to connect, they can't get through. E.g., if user #1 closes Outlook, user #2 can now connect without problems.
Mar 13, 2012
Here is a snippet from "show ip cache flow", from a border router of our network; [code] To clarify, Gi0/3 faces our customers, Fa1/0 faces a transit provider. These results have come from configuring "ip flow egress" on Fa1/0, facing the transit provider. 1.2.3.4 is a static IP we have assigned a customer. I know this customer has a firewall terminating this connection, so I want to understand the cache flow results on this route. Why is the destination address an RFC1918 address? Is it possible that the customer's firewall is trying to connect to these addresses, the flow gets as far as this border router, and drops? I assume that to be false, and that only successfully initiated flows are recorded?
Also, looking at those figures, it's IP protocol 0x11 which is UDP (17), and source port 62023 to destination port 161. 161 is SNMP? Without asking the customer what they are doing I suppose I can never know at that level, but I'm really more interested in why these flows are showing at all, when 192.168.1.0/24 isn't in this router's FIB?
Oct 4, 2011
I have inherited a setup for a custom application and would like to know if this is the only way this could be set up. How would you do it? The application uses dedicated T1 links to our vendors. There is a Cisco 2901 router in the middle providing the connections. Traffic to specific vendors' IPs is routed to their prospective connections. I have attached a network diagram and a config for the 2901. The way my predecessor(s) set this up, each different vendor uses a different private IP address for the internal links. This seems odd to me. Shouldn't there be a way to have only one subnet on the inside and have the links NAT depending on which route it takes? The servers have persistent routes built in to send vendor traffic to the associated IP on the router. E.g., traffic to Vendor 1 is routed to 192.168.50.1, the 2901's IP address for the Vendor 1 network. That traffic is then NAT'd to an IP address associated with Vendor 1's link and the 2901 then routes the traffic to the vendor's end of the link.
I would think that I should be able to revamp this so that internally we're only using one subnet and the traffic could NAT at the link associated with the Vendor. I recently had to add the 3rd vendor connection, and wound up having to duplicate what was done for the other two in order to get it working quickly. I didn't have the time to wrap my head around the best way to revamp the whole thing.
Jun 14, 2011
We would like to enable ACS authentication to login to different routers (Cisco 881s) we got that are interconnecting with our WAN via VPN tunnels. We would like to avoid using public IP for the router to communicate and relay user/password info with the ACS server and rely on the server's private IP instead. The problem is that all the router's outside interfaces connect to the Internet using public IPs and when the router wants to communicate with the ACS server it will use its public-facing interface IP and that'll fail. We can ping the server obviously when we set the source to the internal LAN IP.
The question is: is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?
Config being used and tested successfully on local devices:
aaa new-model
tacacs-server host 10.x.x.x single-connection key xxxxxx
aaa authentication login tacacs-local group tacacs local
[Code].....
Jun 15, 2012
I am running CSD 3.6.5005 with ASA code 8.4(3) and ASDM version 6.4(7). I have AnyConnect Premium and Advanced Endpoint Assessment licenses installed with AnyConnect Essentials disabled. I have the standalone CSD package through which HostScan is activated. I am able to create HostScan checks for registry and operating systems and have built dynamic access policies. The issue that I am experiencing is I can't get the AV vendors to appear when configuring the advanced endpoint section. I keep seeing a pop-up with a blank screen when I try to add. I am using OS X Lion and I have tried on Windows also. I have tried on a 5505 and now on a failover set of 5510s.
Jan 16, 2011
I am looking for an option to do the following. [code] Cisco 6509 with SUP2 with MSFC2 full mem
I would like the cleanest most stable option to allow this to work and still be secure with authentication. I know on the home side, I can just specify the remote ip and add a password. Not sure what can be done on the DC side to allow this to work properly.
Jan 9, 2012
I have ACS 4.0.2 in my network, which I want to use for 802.1x RADIUS authentication for clients using the PEAP-MSCHAPv2 method, as per the documentation "EAP Authentication with RADIUS Server", Doc ID: 44844. I have configured Network Configuration and populated the AAA client IP range and secret key.
Question 1: Under the Authenticate Using option, there are various RADIUS flavors available for selection. For a non-Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snapshot, there is an option called Global Authentication Setup, where we can set up the EAP configuration. Under the PEAP subsection there is an "Allow EAP-MSCHAPv2" check box. After checking that, is a restart of the ACS server required? Would it cause any disruptions to the existing services on the ACS?
Jun 7, 2011
I have two offices about 150 km from each other. I need to back up 10 to 20 GB per machine; the data ranges from an accounts package to doc files, etc. I suggested a VPN, then backing up from one side to the other and vice versa, as this ensures backups are swapped over and are off site. Would you recommend this, or am I better off using a hosted backup service I pay for per GB?
Jan 24, 2010
I want to set up ACS 5.1 for dot1x port authentication. I want to do machine authentication against an AD domain and I got the following error message: 24435 Machine Groups retrieval from Active Directory succeeded
Nov 22, 2009
I am trying to get a NAC demo running and am having some issues with a Layer 2 OOB, Virtual GW configuration. Currently I have 3560G switches and would like to assign ports to a vlan based on user roles.
My Auth VLAN is 110 and maps to VLAN 11
Guest VLAN is 11 (172.16.1.0/24)
Employee VLAN is 1
NAS Mgmt VLAN is 20 - CAS is 10.10.20.5 (this ip is setup on both eth0 and eth1 per documentation for L2 OOB Virtual GW)
NAM Mgmt VLAN is 30 - CAM is 10.10.30.5
Untrusted (Eth1) switchport is setup as a trunk allowing only vlan 110 and has a native vlan 999 to blackhole traffic.
Trusted (Eth0) switchport is setup as a trunk allowing vlan 1, 11, 20 and has a native vlan 998 to blackhole traffic.
I also set up a Managed Subnet on the CAS with IP 172.16.1.254 and VLAN 110. The switchport controlled by NAC is access VLAN 110. When a machine connects, an SNMP trap is sent to the CAM and the port is forced into VLAN 110. If I try to put the port in another VLAN, the CAM puts it back to 110 immediately. This all seems to be working well. The machine connected to the port gets a DHCP address from VLAN 11. When I initiate traffic from this machine, everything is blocked. If I open a web browser I do not get an authentication page. I also installed CCA 4.1.10 on the machine but it does not find a discovery host and the Login option is grayed out. The only way to get this machine to send traffic is to add a filter for it and force it to the ALLOW option. I did set up a default web login page but I seem to be missing something to get authentication to work. I am running version 4.1.8 with a demo license. The host running CCA is Windows Vista.
Mar 13, 2011
Is it possible to set up a Cisco 1200 AP with 802.1x to drop users into the corporate network if they have a certificate, or if not, to put them on the guest network?
Oct 1, 2012
I have two Cisco 2941s going over an IPsec VPN. I need to push the same network over this connection. For example, I need 192.168.255.0/25 on my side and I need to plug in a laptop on the far-end 2941 with the same network. I have built GRE tunnels before and I found a configuration online to bridge interfaces over a GRE tunnel.
When I get to adding the bridging to the configuration, which I will show below, I get an error. Please see below. Also, when I try to add the same bridging command on the GRE tunnel, which is needed, it doesn't show the bridging command as being available. The Cisco 2941s are both using version mwr 2941-iprank9-mz.124-20.MRb1.bin. As I stated, the only end result I need is to be able to configure a path from point A to B and have the same network on each end.
Aug 6, 2011
I have successfully configured an IPsec VPN tunnel using a Scientific Atlanta Cisco 2320 router and an RVS4000 4-Port Gigabit Security Router with VPN. On the side of the Scientific Atlanta Cisco 2320 router, this is some info: [code] On the side of the RVS4000 4-Port Gigabit Security Router with VPN, this is some info: [code] Remember that you cannot be on the same IP range; I mean, you cannot have 192.168.0.X if the remote network is on 192.168.0.X, you have to change one of the routers. I show the configuration on the Scientific Atlanta Cisco 2320 router: I show the configuration on the RVS4000 4-Port Gigabit Security Router with VPN: If all is correctly configured, you should see on the Scientific Atlanta Cisco 2320 router the status Connected:
If all is correctly configured, you should see on the RVS4000 4-Port Gigabit Security Router with VPN the status Up. As you can see, I'm connected to the remote router (RVS4000 4-Port Gigabit Security Router with VPN) from my own web browser, accessing it by the local IP 192.168.0.10. I have used MD5 authentication; maybe it is not the best one, but I had no time to test SHA1. I will when I have time.
Nov 5, 2011
I am trying to set up a VPN tunnel between a Cisco ASA 5510 (version 8.2(2)) and a SonicWall TZ200. I got the tunnel up and going and I am able to ping the Cisco ASA internal IP from the SonicWall LAN, but nothing else works.
When I try to ping a host behind the Cisco ASA from the SonicWall LAN I get the following message: "Asymmetric NAT rules matched for forward and reverse flows;
[code]...
Mar 27, 2011
Is it possible to set up a VPN tunnel on a 1721 router that uses the following IOS:
c1700-y7-mz.124-13b.bin
I thought I had read somewhere that tunnels were not supported on the 1700s but wanted to make sure. If they are, I would like to know if they are supported in the above IOS.
Jan 21, 2013
I just joined this company and they already had a VPN to one of their partners that provides them access to some resources. We have now added a 2nd location, but the partner wouldn't allow a 2nd VPN tunnel, so the decision was made to give the new location an ASA5505 to tunnel through the main office to access the resources at the partner's site. Using ASDM I believe I was able to set up the tunnel to the main office, but there is no resource there to use. Now I'm stuck and I do not know what to do to get to the partner site.
Jun 22, 2011
I am trying to set up EAP-TLS authentication for my wireless access points, but I can't sign my ACS certificate with my enterprise CA certificate. If I generate a self-signed certificate on the ACS server and try to sign it on my CA, I get an ASN tag error. It looks like that is because the ACS server is not in the certificate path of the CA server. If I generate a certificate on the CA and try to import it into ACS, I get an "unable to parse certificate" error. Is there a way to edit the Certificate Trust List in 5.2? It looks like that was possible with 4.2, but not with the latest version.
Nov 6, 2011
I'm trying to set up a 5505 (running 8.3) so that I can use the client VPN through RADIUS authentication. I have set up a new local RADIUS Windows box and used the ASDM assistant and a few other guides to set up the 5505.
Jan 9, 2011
I was attempting to set up our Cisco 7204 router to use RADIUS for authentication via the AAA commands. I must have messed up when configuring it, as it comes up via Telnet asking for a username and password but doesn't take my AD credentials. How might I log in to this router to fix the config? Do I need to do a password recovery process?
One note, I didn't save the running-config to startup-config, so if I restart the router will it load the startup-config, thus overwriting the running-config that wasn't working?
Jun 12, 2012
Is there any way to set up an IPsec tunnel to be able to go from my subnet, 192.168.75.x, and be able to reach anything on the other side of the tunnel, 192.168.X.X?
Sep 29, 2011
How do I set up both ends of an IPsec VPN tunnel using a software client such as Shrew Soft VPN and an 800 series router?
I've tried following the instructions on Cisco's site, but I don't really understand which interface I should use: Dialer, VLAN1, or unnumbered to a Loopback?
I'm OK with most basic features of the router, but have never had any luck with VPNs.
Dec 8, 2006
I am trying to set up a VPN tunnel on my AG241 router but not having too much luck. I am not on a static IP; I sort of get the feeling that as long as I know the current external IP address I should be able to get through to my XP machine with the shares on it.
Jan 10, 2013
Here's my setup:
- Cisco 1841 connected to the internet on fa0/1
- LAN connected to fa0/0/1 (switch port, connected to Vlan1)
On my LAN I have a web server that houses different websites. Those websites have DNS records that point to my public IP address, located on fa0/1. From the outside I can reach the websites perfectly, but I can't reach them from the inside. So it looks like I can't connect from my local LAN address to the public IP address on the Cisco (which should then NAT it to the correct server).
Here is a snippet from my config:
--NAT--
ip nat inside source static tcp 192.168.0.3 80 interface FastEthernet0/1 80
ip nat inside source route-map Internet interface FastEthernet0/1 overload
--OUTSIDE INTERFACE--
interface FastEthernet0/1
description WAN
ip address dhcp
ip access-group WAN-IN in
[code]...
--INSIDE INTERFACE--
interface Vlan1
description LAN
ip address 192.168.0.254 255.255.255.0
ip access-group LAN-IN in
[Code]....
Dec 1, 2009
I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect. I have imported the CA's root certificate, signed an identity cert for the ASA box and imported it, and assigned the cert ("trustpoint") to the outside interface. Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select the authentication method as AAA, certificate, or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of whether I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]ewaFormSubmit_webvpn_login: tgCookie = 0ewaFormSubmit_webvpn_login: cookie = c98f3940ewaFormSubmit_webvpn_login: tgCookieSet = 0ewaFormSubmit_webvpn_login: tgroup = NULLTunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!Embedded CA Server not enabled. Logging out the user.webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert? Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything: whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld
 enrollment terminal
 fqdn pfirewall01.company.tld
 subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik
 keypair company
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl none
 enrollment terminal
 crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint ASDM_pfirwall01.company.tld
 revocation-check crl
 enrollment terminal
 no client-types
 crl configure
crypto ca certificate chain ASDM_pfirewall01.company.tld
 certificate 02
    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030
    <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
    <snipped rest of cert>
  quit
crypto ca certificate chain
[code]....
Sep 19, 2012
We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
Dec 20, 2012
I have a Cisco RV220W updated to the latest firmware, 1.0.4.17. I have been trying to get a VPN set up for the past few days without success. We had a test VPN up and running previously, but when we changed the IPs and secret key to connect the live VPN tunnel it failed and we haven't been able to get it working since. We have deleted both ends and rebuilt them probably 6 times each. We have changed secret keys, tried 3DES, AES, and AES256 encryption with SHA-1. All the internal IP settings are correct, i.e. 192.168.1.1/24 or 192.168.1.1 255.255.255.0. External IPs are right; the only oddball thing here is one of the external IPs is assigned by DHCP and is a /22, although the previous tunnel worked with the same ISP.
Apr 18, 2013
We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet, and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy-based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515. Right now I am not able to get the tunnel set up. It appears that the offsite data center is sending packets but is not receiving any when I issue the "show crypto ipsec sa" command on both firewalls. I will show the output of that command below.
Main Office: external address 198.40.227.50, loopback address 10.254.10.6, tunnel address 10.2.60.1
Offsite Datacenter: external address 198.40.254.178, loopback address 10.254.60.6, tunnel address 10.2.60.2
The main office PIX515 config:
PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
[code]....
Dec 26, 2012
I was using a WRT54G previously, and host my own web server, including my own DNS server. I used port forwarding to forward the web traffic to that computer. Well, my family got me a new EA3500 as my old one would continually stop working. Since changing router, when I duplicate the port forwarding setup from old to new, all the web browsing dies. My web server has now been offline for a few days, and I'm frustrated beyond belief now. I know I've seen the previous posts saying to never forward port 53 (DNS), but I'm at a loss why I could with my old router, but it's now the end of the world with this new one.
Mar 24, 2013
Recently I wanted to set up IPv6 for my home network. I signed up for the tunnelbroker.net service and was provided with IPs. Then I configured the IP address in my DIR-615, but it's not working.
Screenshot of IPv6 config (router): Screenshot of my Win 8 network config: I also tested at [URL] but failed.
Feb 23, 2011
I'm trying to set up a VPN tunnel between an RV082 and a WRV200. The RV082 has a static IP; the WRV200 has a dynamic IP. I have to Dyndns.org in the WRV200. I have set up the RV082 tunnel auth like: Dynamic IP + email. In the WRV200 I set up the hostname with the username, and the domain with the domain part of the domain entered in the RV082. In the RV082 VPN log I got: Initial Aggressive Mode message from 11.22.33.44 but no (wildcard) connection has been configured. It seems the IPsec setup is working, but the RV082 does not accept the connection because of a mismatch in the Remote Security Gateway Type parameter in the RV082.
Sep 23, 2012
I have a customer who is going to host voice services, like providing SIP services to its customers. What specific ports are required to be opened up for this on an ASA 5515-X? I would rate it ASAP.