VPN Concentrator Vendors For Network
Jun 13, 2011
I would like to pick the communities brains and get some opinions about VPN concentrators and different vendors.Now as far as I am aware and my research has taken me the Cisco VPN concentrator range has been discontinued and we need to look at the ASA range of devices for replacements.Working with smaller companies and ADSL solutions (dynamic IP assignment) it makes it challenging to establish a site to site VPN without dyndns and the cisco ASA range does not support dyndns VPN connections.Now the question I have or opinions I am looking for is:What I do like about Fortigate is that you have the ability to create virtual Firewalls. I am not looking for answers but rather real life experience with the different vendor products and opinions surrounding VPN concentrators.
View 2 Replies
ADVERTISEMENT
Oct 25, 2011
I am in need to setup a VPN tunnel to a vendors hosted network for AD authentication.To prevent RFC1918 Address overlap we are trying to NAT into a VPN Transit Network.I was given 209.235.17.232/19 and need to NAT these addresses:
209.235.17.233 <> 172.20.0.42
209.235.17.234 <> 172.20.0.43
The vendor is using 209.235.17.224/29 and NAT'ing to some 10.122.xx.xx addresses.
The Phase 1 requirements are:
Pre-Shared DH-Group2-AES256-SHA1 86400 seconds
The Phase 2 requirements are:
NOPFS-AES256-SHA1 3600 seconds
I have many l2l VPN tunnels configured using esp-3des esp-sha-hmac This is what I have configured on my ASA:
static (INSIDE,OUTSIDE) 209.235.17.233 172.20.0.42 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 209.235.17.234 172.20.0.43 netmask 255.255.255.255
access-list VPN-TO-JIVE extended permit ip 209.235.17.232 255.255.255.248 209.235.17.224 255.255.255.248
access-list VPN-TO-JIVE extended permit ip 209.235.17.224 255.255.255.248 209.235.17.232 255.255.255.248
[code].....
Currently my side is trying to initiate the tunnel, but we are getting this message:
15 IKE Peer: 65.168.255.157
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
I am configuring the transit network for the tunnel properly or performing the NAT for my 2 devices.I am still trying to determine what device the Vendor has on their end.
View 1 Replies
View Related
Oct 4, 2011
I have inherited a setup for a custom application and would like to know if this is the only way this could be set up. How would you do it?The application uses dedicated T1 links to our vendors. There is a Cisco 2901 router in the middle providing the connections. Traffic to specific vendor's IP's are routed to their prospective connections. I have attached a network diagram and a config for the 2901. The way my predecessor(s) set this up, each different vendor uses a different private IP address for the internal links. This seems odd to me. Shouldn't there be a way to have only one subnet on the inside and have the links NAT depending on which route it takes? The servers have persistent routes built in them to send vendor traffic to the associated IP on the router. E.g., traffic to Vendor 1 is routed to 192.168.50.1, the 2901's IP address for the Vendor 1 network. That traffic is then NAT'd to an IP address associated with Vendor 1's link and the 2901 then routes the traffic to the Vendor's end of the link.
I would think that I should be able to revamp this so that internally we're only using one subnet and the traffic could NAT at the link associated with the Vendor. I recently had to add the 3rd vendor connection, and wound up having to duplicate what was done for the other two in order to get it working quickly. I didn't have the time to wrap my head around the best way to revamp the whole thing.
View 3 Replies
View Related
Jun 15, 2012
I am running CSD 3.6.5005 with Asa code 8.4(3) and asdm version 6.4(7). I have anyconnect premium and advanced endpoint assessment licenses installed with anyconnect essentials disabled. I have the standalone CSD package which hostscan is activated through.I am able to create host scan checks for registry and operating systems and have built dynamic access policies. The issue that I am experiencing is I can't get the av vendors to appear when configuring the advanced endpoint section. I keep seeing a pop with a blank screen when I try to add.I am using OSX lion and I have tried on windows also. I have tried on a 5505 and now on a failover set of 5510s.
View 1 Replies
View Related
Jun 16, 2011
I have a question about VPN Concentrator FTP Backup configuration to get logs on FTP server. I have configure FTP Backup with all details but I still do not see any logs on FTP server. Do you know what could be the issue? I have never used Concentrator and not sure what needs to be done to get in working condition. I am using VPN Concentrator 3015 series.
View 5 Replies
View Related
May 28, 2011
I have been trying to setup a LAN-to-LAN VPN between two sites that are using a 3000 series CISCO Concentrator. After following the basic setups from the CISCO site, I am still unable to create a tunnel. At the moment I'm starting to believe it is how I have physically setup the network. Site 1 is using a Billion BiPAC 7404VNPX ADSL2+ Modem, Site 2 is using a Netgear DGN2000 ADSL2+ Modem, The VPN Concentrators are setup behind these devices with each firewall setup to allow the needed ports forwarded.
View 5 Replies
View Related
Jan 13, 2013
My organization has an old 3005 that i need to wipe the config of. The problem is that i cant gain access to the device via the console port. Every time i try connecting using a terminal session, all i see is a blinking cursor. As a result, my question to the group is there another way to wipe the config on this device?
View 2 Replies
View Related
Apr 14, 2011
Our VPN 3000 concentrator's admin password was changed by somebody so i reset the password by using straight through serial cable, now the problem is it allows me to login with admin through console but not through admin web interface or telnet. I have enabled telnet and http access but still no success. Concentrator is using internal database so no AAA server is configured.
View 1 Replies
View Related
Aug 14, 2011
I have a client who saw there was a android version of the AnyConnect client and want me to go through and get their VPN 3000 Concentrator confingured to be able to connect in with it.
The Conncentrator is currently setup several groups of users and the base group is set up to all other products to connec tin via a pre shared key. It took alot research to get it configured to this point and all the searches i pull up are for a ASA.
View 1 Replies
View Related
Feb 7, 2011
I'm planning connect VPN concentrator in our company to PIX515 DMZ interface.At the moment , VPN concentrator(used for remote access VPN for laptop users) is connected directly to core switch so as PIx515. Having VPN Concentrator connected directly to LAN is security risk .SO i want to connect VPN concentrator to DMZ of the Firewall(pix515).
We don't have any test environment and we are not allowed to have downtime of more than 10 minutes in production network ,I want to make sure my design and commands would work without problem .I've attached doigram of our curernt setup and new setup I'm planning to work on as well as commands . Does this design will work .Nat , routing everything .
View 15 Replies
View Related
Jul 2, 2012
I need to configure a Cisco pix 515e as vpn concentrator. Now the network has 2 Cisco pix in fail over - May I add a new Cisco pix in parallel and redirect the vpn tunnel on it? How do I need to make the configuration in order to work?
View 2 Replies
View Related
Aug 15, 2012
Can a Cisco PIX 515E with an Unrestricted License (UR) be deployed as a VPN concentrator? For example, remote users having VPN clients installed on their desktops connect through the Internet and are authenticated by the PIX 515E at the main site.
View 1 Replies
View Related
Apr 4, 2012
I have a VPN Concentrator 3000 with LAN-to-LAN DES-56 connections connected to it (Cisco PIX 506). Everything was working fine and then over the night something messed up on it. No settings were changed or anything.
First issue was anything using DHCP (getting IPs from the sites local PIX) couldn't be pinged or reach out through the Concentrator. It was only Thin Clients that didn't work. I could still ping the PIX, printers and desktop computers that were static set IPs. But this was happening at every site going through this Concentrator. The sites going through out MPLS network are fine.
I tried setting the Thin Clients to a static IP but still couldn't ping them.
I then decided to reboot the Concentrator, when it came back up all sites reconnected back to the Concentrator but now couldn't ping anything at the sites, not even the LAN IP of the PIX (or printers and desktops now). I power cycled a few of the sites PIXs but they still were not pingable even though the Concentrator showed they were connected.
I then decided to physical power cycle the Concentrator, it's back up and all sites are connected but none of the devices on the LAN side are reachable.
The Concentrator can ping the sites WAN IP but nothing on the LAN side going through and out the Concentrator. It can ping the LAN through the private interface (going back towards my LAN) just not going through the public interface (over the WAN).
The sessions show that Bytes are Rxing but no Bytes are Txing.
View 0 Replies
View Related
Aug 8, 2011
I have 3000 concentrator in 192.168.1.x/24 network (concentrator has static IP of 192.168.1.4/24 assigned to its private int). I can manage it thru HTTP from any PC in the same subnet, but connection failes while trying to connect from PC on different subnet (i.e. 10.1.1.x/24). Is there ACL in concentrator config which needs to be modified to allow management from different subnet?
View 2 Replies
View Related
Nov 21, 2010
Our enterprise uses a VPN Concentrator 3000 for our VPN access. Is there a way to view a log history of what user connected to VPN and what IP address they were assigned? It would be for 2 days ago which was over the weekend.
View 3 Replies
View Related
Mar 27, 2011
I've the following scenario VPN Concentrator is connected to a router which is connected to a router and at the edge Cisco 515E PIX is connected to the internet. The problem is that the normal VPN Dial-up connection (a utility of windows) are getting connected but Cisco VPN Client throws error 412. Here's what I've tried (Initially groups and user were created):
(1) Allowed port 10000 on PIX ( access-list from-outside-coming-in permit tcp any host <public ip> eq 10000) and checked IPSec over UDP on VPN Conc. under Mode Config tab. Also checked IPSec over TCP tab under tunneling panel at port 10000. Tried connecting through VPN Client but it threw error 412
(2) In the reference guide, I read that IPSec over NAT is allowed on ports ranging from 4000 something to 40000 something.
I tried 33333, both on PIX and VPN Conc. under Mode Config tab but still no use. Same error 412.
View 3 Replies
View Related
Jul 17, 2012
Where did I need to go on the Concentrator to disable tcp 1723 and 10000? We don't require these to be open and our pen test shows these as being open.
View 1 Replies
View Related
Nov 30, 2011
is it possible to do a site to site with a Cisco ISR 881W --> to a Cisco 3060 concentrator head?
View 1 Replies
View Related
Sep 13, 2011
Client: CISCO VPN Client
VPN server: Cisco Concentrator 3020 OS v 4.7
I want to get away from configuring split tunneling for security reasons. With Split tunneling and I am able to specify to which subnets the clients have access to. I do it defining "Network Lists"
When I modify the group and select "tunnel everything" under "client config" tab, the users then can access all subnets in the LAN. When I select this option the "Split tunneling network list" is grayed out
End goal is to make all traffic go thru the tunnel but be able to resctrict access to speficic subnets.
View 1 Replies
View Related
Jun 27, 2011
is it generally possible to configure a site to site VPN connection between Cisco VPN Concentrator 3000 and Cisco RV220W / RV120W?
View 2 Replies
View Related
Jul 8, 2012
I have an old VPN 3000 Concentrator that I do not have any idea what is running on it. The previous network admin didn't leave a password for it, so I tried to reset the password. I was successful in doing so, but when I try to access it with the default of admin/admin via web browser, I still cannot access it. I am loathe to remove or power off this device without knowing what is on it.
View 6 Replies
View Related
May 19, 2012
We have two 3000 vpn concentrators. Under both of their load balancing fields, Configuration - Load balancing , the checkbox for loadbalancing is enabled.However both have different priorities, one with 10 and other with 1. Does this mean both are actually loadbalancing. What does the priorities indicate here?If we replace the concentrators with ASA , how will this load balancing need to be configured on ASA & how will it work.
View 5 Replies
View Related
Mar 29, 2011
I have an interesting problem. I've configured a site to site VPN connection between these two devices. I am using the CDMA card as the primary and only outside connection on the 1921. What happens is that by default the cellular connection is offline. When traffic is generated internally from that network to the concentrator side of this scenario the cellular connection goes online and builds the tunnel, no problem. However, I cannot initiate the tunnel from the concentrator side. I think what i need is a way to force the cellular connection to always be on, and if it fails to come back online.
View 3 Replies
View Related
May 11, 2011
I manage a VPN 300 concentrator which has been happily working for several years without any problems. All users are part of the same group and authenticate to an RSA server. We recently moved from RSA authentication manager 6.1 to RSA authentication manager 7.1. Everthing continued working fine for several weeks, then at the beginning of this week we started getting users intermittently failing to connect to the VPN. I'm not sure if this problem relates to our new RSA server, but we have other network devices which authenticate to it with no problem so I guess the problem is with the VPN concentrator itself.
When users fail they just get a generic "Reason 427 connection terminated by peer" error message. The live event log shows "group = vpn, status = Not-in-service" when their connection fails. Other times they connect normally and no error messages are displayed. There seems to be no real pattern, sometimes your connection fails but if you keep trying you will eventually get in [however it can take many attempts over an hour or two before you succeed, or you may get in straight away with no problem].
I dont believe its a network problem, as I have run continuous pings to the concentrator and the RSA server whilst users are experiencing these problems and there are no drops.
The RSA servers authentication monitor always shows that the user has successfully authenticated, whether the users connection actually succeeds or not. I am tempted to just reboot the concentrator, but we have site-to-site VPN tunnels connected off it and I'm a little concerned that if it is faulty it may not come back up at all.
View 2 Replies
View Related
Jul 27, 2011
We have to setup an IPSEC tunnel for a client that does not what to exchange private IP address information for security and overlapping address space reasons. We will both be natting our source private ip address space as public IP address space and send those packets through the established tunnel. Im using a Cisco 3000 concentrator.
View 1 Replies
View Related
Feb 22, 2011
I am trying to setup a L2L IPSec VPN between cisco VPN3020 concentrator and Cisco 2811 something is not working and I don't understand why.I describe my situation in detail my router has 2 interfaces
External interface Fa 0/1 ip 193.P.Q.R
Internal interface Fa 0/0 141.G.H.254
Lan on internal interface is 141.G.H.0/24
remote VPN concentrator has 2 interfaces
Public interface 131.A.B.C
Private interface 131.A.I.E
I have to set up L2L so that host 141.G.H.10 can talk to host 131.A.H.D whici is behind the VPN concentrator my router config:
crypto isakmp policy 3 encr 3des hash md5 authentication pre-share group 2crypto isakmp key * address 131.A.B.C!crypto ipsec transform-set presid-set esp-3des esp-md5-hmac !crypto map presid-map 5 ipsec-isakmp set peer 131.A.B.C set transform-set presid-set match address presid!interface FastEthernet0/1 ip address 193.P.Q.R 255.255.255.252 duplex full speed 100 crypto map presid-map!interface FastEthernet0/0 ip address 141.G.H.254 255.255.255.0 duplex auto speed auto!
ip access-list extended presid permit ip host 141.G.H.10 host 131.A.H.D
ip route 0.0.0.0 0.0.0.0 193.P.Q.S
Then I configured VPN3020 accordingly creating a lan to lan profile with the proper IKE proposals ecc ecc when interesting traffic is matched by VPN acl (presid) I see this messages in the VPN concentrator logs:
57101 02/23/2011 15:49:05.310 SEV=4 IKE/119 RPT=4033 193.P.Q.R Group [193.P.Q.R]PHASE 1 COMPLETED 57102 02/23/2011 15:49:05.310 SEV=4 AUTH/22 RPT=3935 193.P.Q.R User [193.P.Q.R] Group [193.P.Q.R] connected, Session Type: IPSec/LAN-to-LAN 57104 02/23/2011 15:49:05.310 SEV=4 AUTH/84 RPT=11 LAN-to-LAN tunnel to headend device 193.P.Q.R connected 57110 02/23/2011 15:49:54.820 SEV=4 IKE/123 RPT=1093 193.P.Q.R Group [193.P.Q.R]IKE lost contact with remote peer, deleting connection (keepalive type: DPD) 57112 02/23/2011 15:49:54.820 SEV=5 IKE/194 RPT=3778 193.P.Q.R Group [193.P.Q.R]Sending IKE Delete With Reason message: Connectivity to Client Lost. 57114 02/23/2011 15:49:54.820 SEV=4 AUTH/23 RPT=14 193.P.Q.R User [193.P.Q.R] Group [193.P.Q.R] disconnected: duration: 0:00:49 57115 02/23/2011 15:49:54.820 SEV=4 AUTH/85 RPT=11 LAN-to-LAN tunnel to headend device 193.P.Q.R disconnected: duration: 0:00:49
and from router side I See this with show crypto isakmp sa
131.A.B.C 193.P.Q.R CONF_XAUTH 5 0 ACTIVE
but the status got stuck in CONF_XAUTH state and then disconnects?
View 1 Replies
View Related
Sep 21, 2011
We recently had a Port Scan done on our external IP Addresses. One of those IP Addresses scanned was our Concentrator 3000. The report came back with the following TCP ports being open on the Concentrator 3000 - 80, 443, 1723, 10000, 10001, 10002, 10003, 10004, and 10009. I am unsure if it is necessary to have any or all of these open. The Concentrator 3000 is in front of our ASA5520.
View 1 Replies
View Related
Oct 10, 2011
is it possible to use cisco AnyConnect client to connect users with Cisco VPN 3000 appliance?If so how to configure VPN 3000 concentrator to work with AnyConnect?
View 1 Replies
View Related
Jul 11, 2011
I have been working with my ASA 5505 VPN Concentrator to maintain a connection with one of my remote sites. I have several tunnels that work fine and dont have any issues at all, but one tunnel with outside IP ending in 146 and inside LAN 192.168.3.0 goes down every 24 hours. Attached is the config from the concentrator. I changed around the Security Association Lifetime Settings and the tunnel would drop after that amount of time expired. If I set it to 24 hours, the tunnel would drop every 24 hours. If I set it to 8 hours it would go down every 8 hours.
I have swapped the router a few times, double and triple checked my key settings, disabled keep alives on both ends, and this problem just started happening a few weeks ago after working fine for years. I also get the following e-mail error every time it goes down:
<161>Jul 10 2011 16:19:47: %ASA-1-713900: Group = xxx.xxx.xxx.146, IP = xxx.xxx.xxx.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
View 6 Replies
View Related
Feb 7, 2012
The network is set up like this.
Host -----> 3750 (classic) running IPSERVICES stack ----> 3550 router -----> VPN 3005 Concentrator.
IP routing is disabled on the 3750 (it's acting solely as a switch) IP routing is enabled with an EIGRP process running on the 3550 router that has the network for the 3005 broadcasting.
I can ping the vpn 3005 concentrator from a telnet session in the 3550 but not from the 3750.I can ping between the 3750 and the 3550 vlan management interfaces. Visually speaking it's like this
3750 ------> 3550 [Success!!!!]
3550 ------> VPN 3005 Concentrator [Success!!!!]
3750 ------> 3550 --xxxx--> VPN 3005 Concentrator [Timeout....]
I know this because I tracerout to the 3005 from the 3750 and it resolved the default gateway configured for the 3550 properly but then started timing out.
The 3750 is trunked to the 3550.
3750 is vtp client mode
3550 is vtp server mode
I'm wondering if there's a layer 2 issue involved here as it is a VTP domain and maybe it's not returning properly.
View 2 Replies
View Related
Jan 23, 2013
Is it possible to configure a site-to-site VPN between an ASA 5510 running 8.2(1) and an old Cisco VPN Concentrator 3000? I've only been able to find an old 3000 to PIX guide on Cisco's site, and I cannot figure out how the two device's VPN options match up.
These are the options from the 3000:
IKE Proposal
Authentication:
Encryption options:
On the 5510's Site-to-Site Connection Profile, all the options are clumped into two boxes under Encrption Algorithms:
IKE Proposal: Encryption, Hash, DH Group, Authentication
IPsec Proposal: ESP Encryption, ESP Authentication
We have a pre-shared key configured, but I cannot find a set of options on the 5510 to match the 3000; I always get this error:
3Jan 24 201310:10:09713902Group = 63.192.x.x, IP = 63.x.x.191, Removing peer from correlator table failed, no match!1Jan 24 201310:10:11713900Group = 63.x.x.191, IP = 63.x.x.191, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
View 2 Replies
View Related
Nov 14, 2011
I have a relatively simple question. I would like to create a private network within a larger network, the private network having several clients. I would ideally like the router to appear as the only device on the larger network and all data to be sorted by the router to the clients in the private network.
Will the Netgear FVS318G be able to do that? It seems to have the necessary NAT options.
View 1 Replies
View Related
Apr 4, 2012
I have 4 computers (3 laptops, 1 desktop) in a shared office. We get internet access using their wireless network. All works fine. However, I need to share a printer amongst all of the computers. The printer is LAN enabled and I would normally just put all the PCs on a hub, together with the printer and share it that way. BUT my question is can we access the internet using the wireless network and the printer using a separate wired network at the same time?
View 7 Replies
View Related