Restricting VPN 3000 Groups [7:51798]
We are currently using RSA ACE server to authenticate VPN clients connecting to a VPN 3000 concentrator. We will need to create different groups depending on user function, thus several PCF files will need to be deployed. We will need to restrict users to a particular VPN concentrator group. For example, if a user inadvertently receives the wrong PCF file, we want to be able to deny that user access or limit his/her access. Any recommendations appreciated.

Thanks.

A Philly Fan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51798&t=51798
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: acess level 15 - [7:41251]
Are you using the default username and password (admin/admin)?

>From: "[EMAIL PROTECTED]"
>Reply-To: "[EMAIL PROTECTED]"
>To: [EMAIL PROTECTED]
>Subject: acess level 15 - [7:41251]
>Date: Thu, 11 Apr 2002 21:59:06 -0400
>
>Hi,
>
>1. Getting an error while trying to use a browser to configure a VPN Concentrator 3000 series - "access level 15".
>
>2. Neither through telnet am I able to successfully log in - except for the console port.
>
>Can anyone tell me where I have made the mistake?
>Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41309&t=41251
Re: Cisco VPN Client & PIX [7:40670]
I didn't see an update on this, but unless there has been an upgrade to the Linksys, it will only pass 1 IPsec tunnel. If there is an existing connection and another is attempted, the original one will be dropped. There are some higher-end (higher-priced) firewall devices that will pass a large number of tunnels. How many clients are you trying to terminate? You might think about a PIX 501.

Hope this helps

>From: "Curious"
>Reply-To: "Curious"
>To: [EMAIL PROTECTED]
>Subject: Re: Cisco VPN Client & PIX [7:40670]
>Date: Sat, 6 Apr 2002 12:48:48 -0500
>
>Clients are behind a Linksys Cable/DSL router and in the office we have a PIX 515.
>PIX assigns IP addresses from the local IP address pool.
>
>""Curious"" wrote in message news:[EMAIL PROTECTED]...
> > I am using Cisco VPN Client to connect with my office PIX 515 firewall over IPSEC 3DES encryption. My connection is dropping automatically. It is not because of idle timeout or maximum timeout. It happens randomly. If someone has any information on it.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40979&t=40670
RE: BGP question [7:40525]
Aren't the 2 7206s dual homed, 2 connections to each ISP? Why not run HSRP on the 7206s and let those routers make decisions for all internal routers?

>From: "Ouellette, Tim"
>Reply-To: "Ouellette, Tim"
>To: [EMAIL PROTECTED]
>Subject: RE: BGP question [7:40525]
>Date: Thu, 4 Apr 2002 18:39:17 -0500
>
>This can be simplified in the following way.
>
>If you want your internal routers to be able to make a routing decision based on an external BGP route that is somewhere on the net, then I'd think your internal router (3660) has to have that route in its routing table (maybe redistributed into some IGP from BGP). Maybe not the best way.
>
>Or, you could inject default routes from each BGP speaker (your 7200's) into your IGP. If, let's say, one of your 3600's sends a packet to its default gateway (one of the 7200's), which in turn could pass it over Ethernet to the other 7200 if you set up some policy routing, etc.
>
>I'd say you might want to have your 2600/3600's connected to both 7200's for redundancy; in case one box completely fails it'll use the other. This could be done by accepting the default routes from each 7200 or by creating a floating static; that way if the primary route to the Internet fails, it'll use a backup. These are just a couple of ideas. If you provide some specifics of the layout, I may be able to help out a bit more. Also, I'm sure some of the experts here will provide much better detail of how they've implemented such a design.
>
>In short, I'm thinking that if you want a 2600/3600 to make a decision on which 7200 to go out of for a specific route, it has to know about it.
>
>Tim
>
>-----Original Message-----
>From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, April 04, 2002 4:29 PM
>To: [EMAIL PROTECTED]
>Subject: BGP question [7:40525]
>
>If I had 2 7206 routers dual homed to two different ISP's for redundancy, I know I don't NEED the full BGP table, but if I were to accept them for optimal routing within my network, how would I tell my internal routers who don't run BGP which of the two 7206 routers to go to for a specific route out to the Internet? I assume doing a redistribution into the IGP is a big no-no, so how do small 3600's and 2600's inside the AS know which of the two routers to send the traffic to based on the fact that one router has the better route?
>
>I can think of adding a third 7206 router which would run BGP, connect to the other two routers and accept the full table as well, and the internal routers would use that one as the gateway to the Internet, but if I didn't have that third router, is there any other way?
>
>--
>
>RFC 1149 Compliant.
>Get in my head:
>http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40592&t=40525
Re: Cisco view Problems [7:39764]
We had the same issue; had to upgrade Java on the CiscoWorks server.

>From: "maamun Murangwa"
>Reply-To: "maamun Murangwa"
>To: [EMAIL PROTECTED]
>Subject: Cisco view Problems [7:39764]
>Date: Thu, 28 Mar 2002 10:56:20 -0500
>
>Hi all,
>
>I'm having a problem with viewing devices using CiscoView. I get an error message ''Please grant permission to launch CiscoView. Quit the browser and try again''
>
>I have looked at the installation notes, no luck so far.
>Any help will be highly appreciated
>
>Thanks in advance
>
>MM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39777&t=39764
Re: how to disable NAT in PIX firewall (both insid [7:29405]
Config looks correct. Check with your next hop router outside of the firewall to ensure that routes for your inside network are available.

>From: "Brian Whalen"
>Reply-To: "Brian Whalen"
>To: [EMAIL PROTECTED]
>Subject: Re: how to disable NAT in PIX firewall (both insid [7:29405]
>Date: Tue, 18 Dec 2001 11:57:04 -0500
>
>Though I am not a PIX pro, if you don't want NAT, are you sure you got the right product for your needs??
>
>Brian "Sonic" Whalen
>Success = Preparation + Opportunity
>
>
>On Mon, 17 Dec 2001, David Tran wrote:
>
> > Hi Everyone,
> >
> > I am having a problem setting up a network in this scenario with my PIX 515-UR firewall running version 6.1(1) with PDM version 1.1(2).
> >
> > I have a network with REGISTERED IP addresses. The "inside" interface of the PIX is on the 129.174.1.0/24 network with IP address of 129.174.1.254. The "outside" interface of the PIX is on the 66.61.46.0/24 network with IP address of 66.61.46.120. The "inside" interface has a security level of 100 and the "outside" interface has security level of 0. On the "inside" internal network, I have 10 workstations ranging from 129.174.1.1-10. These workstations have the default gateway pointing to the "inside" interface of the PIX.
> >
> > I understand that for machines from the "inside" network to access the Internet, the commands "nat" and "global" must be used. However, since all of my machines have valid (aka registered) IP addresses, I want to disable NAT completely. For example, I want machine 129.174.1.1 to be able to browse and ping any machines on the Internet. At the same time, I don't want users from the Internet to be able to access any of the workstations on the "inside" interface. I have been searching for documentation on the Cisco website but it seems like most of the examples have to do with NAT enabled. There are a few examples that will disable NAT but it is related to VPN which is something I don't want. Furthermore, most of the examples are filled with errors and pretty worthless (for PIX anyway). If anyone has done this before, let me know. I also include a copy of the config.
> >
> > Thanks.
> >
> > David
> >
> > PIX Version 6.1(1)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security50
> > enable password sdfkjfdjjdfjksdf encrypted
> > passwd sdfjksdfkjsdfjksjf encrypted
> > hostname ciscopix
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 1720
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list no-nat-list permit ip any any
> > access-list no-nat-list permit icmp any any
> > pager lines 24
> > interface ethernet0 auto
> > interface ethernet1 auto
> > interface ethernet2 auto
> > mtu outside 1500
> > mtu inside 1500
> > mtu dmz 1500
> > ip address outside 66.61.46.120 255.255.255.0
> > ip address inside 129.174.1.254 255.255.255.0
> > ip address dmz 127.0.0.1 255.255.255.255
> > ip audit info action alarm
> > ip audit attack action alarm
> > no failover
> > failover timeout 0:00:00
> > failover poll 15
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > failover ip address dmz 0.0.0.0
> > pdm history enable
> > arp timeout 14400
> > nat (inside) 0 129.174.1.0 255.255.255.0
> > static (inside, outside) 129.174.1.0 129.174.1.0
> > conduit permit ip any any
> > conduit permit icmp any any
> > route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > no sysopt route dnat
> > telnet timeout 5
> > ssh timeout 5
> > terminal width 80

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29502&t=29405
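A small audit helper for the "no NAT" PIX pattern in this thread (identity `nat 0` plus a static that maps the inside network to itself). This is an added example, not code from the list or from Cisco; it parses only the handful of PIX 6.x commands shown above, assumes conduit lines carry no port operators, and runs on a constructed excerpt of the posted config. It reports which networks are exposed without translation and flags `conduit permit ... any any` lines, which let any Internet source reach the statically exposed inside hosts, the opposite of the outbound-only goal the poster describes.

```python
import re

# Constructed excerpt of the PIX 6.1 config posted in the thread (only the lines the audit needs).
SAMPLE_CONFIG = """\
nat (inside) 0 129.174.1.0 255.255.255.0
static (inside, outside) 129.174.1.0 129.174.1.0
conduit permit ip any any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
"""

NAT0 = re.compile(r"^nat \((\w+)\) 0 (\S+) (\S+)$")
STATIC = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)")
# Assumption: conduits without port operators, e.g. "conduit permit ip any any".
CONDUIT = re.compile(r"^conduit permit (\S+) (any|\S+ \S+) (any|\S+ \S+)$")


def audit_pix(config: str) -> dict:
    """Return networks passed through untranslated (nat 0 + self-mapped static)
    and conduits that open those networks to every source address."""
    nat0, statics, conduits = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT0.match(line):
            nat0.append((m.group(1), m.group(2), m.group(3)))   # (iface, net, mask)
        elif m := STATIC.match(line):
            statics.append(m.groups())                           # (high_if, low_if, global, local)
        elif m := CONDUIT.match(line):
            conduits.append(m.groups())                          # (proto, global, foreign)

    # "No NAT": nat 0 for a network plus a static mapping that network to itself.
    no_nat = [
        f"{net}/{mask}" for iface, net, mask in nat0
        if any(s[0] == iface and s[2] == s[3] == net for s in statics)
    ]
    # A conduit from any foreign host to any global address permits inbound sessions
    # to every host reachable through a static, so outbound-only intent is not enforced.
    open_conduits = [c for c in conduits if c[1] == "any" and c[2] == "any"]

    findings = [f"NAT disabled for {n} (nat 0 + self-mapped static)" for n in no_nat]
    findings += [
        f"conduit permit {p} any any exposes inside hosts to all Internet sources"
        for p, _, _ in open_conduits
    ]
    return {"no_nat_networks": no_nat, "open_conduits": open_conduits, "findings": findings}


if __name__ == "__main__":
    for finding in audit_pix(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Replacing the two `any any` conduits with entries limited to the specific inbound services actually required (or removing them entirely when only outbound access is wanted) clears the second class of findings.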
vpn client, windows 98 and RSA ACE [7:26149]
We are using the VPN client (3.0.6 rel 2 and 3.1.1) to connect to a VPN 3000 concentrator with RSA ACE server 5.0 authenticating the connections. Put Windows 98 in the mix and there tend to be problems.

#1 problem - VPN Subsystem unavailable - cannot make IPSec Connection
#2 problem - VPN client will not pass request for PIN creation (when SecurID token is in New PIN mode)

If you have any information on the following symptoms and resolutions. It seems to be a limitation of Windows 98 where the problem is most prominent. I checked out Technet and Bug Navigator II as well as TAC.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26149&t=26149
multiple concurrent IPSec sessions cable/dsl at home [7:22157]
We currently have many VPN users from their homes; some have needs for multiple connections. While the Netgear and SMC devices work great for Internet connectivity and add some layers of protection, their lack of support for multiple connections has me searching for another device. Have you any device that will allow for this type of setup, or any suggestions for workarounds? I appreciate any input on this.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=22157&t=22157
Re: Cisco VPN Client [7:19858]
George, do you have control of the VPN 3000? The split tunnel list on the concentrator should be set up with only the networks accessible from the IPsec tunnel. Otherwise, all IP traffic will be sent through the tunnel.

>From: "George Kallingal"
>Reply-To: "George Kallingal"
>To: [EMAIL PROTECTED]
>Subject: Cisco VPN Client [7:19858]
>Date: Thu, 13 Sep 2001 17:31:20 -0400
>
>I have a question about the Cisco VPN Client software and how it binds its driver to a network card.
>
>We have an NT server that we are connecting to a remote network using the Cisco VPN Client (to a Concentrator 3000, I believe). Upon connection through the VPN, I lose connectivity to the other servers on the local network. Is there a way to maintain the local area connection while connected over VPN? I tried to multi-home the server and unbind the DNE driver for one network card, but that just disabled the network card.
>
>Has anyone experienced this before? Are there any workarounds? Fixes? Or does this require a call to Cisco TAC?
>
>Thanks.
>
>George

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20128&t=19858
Re: ipsec and nat [7:12825]
Dennis, I am not referring to the VPN client, but having a LAN-to-LAN VPN setup where networks on both sides of the endpoints are configured with overlapping address space. One side of the tunnel is hiding (NAT on a non-Cisco device) behind one address. There is a VPN 3000 on the other end that cannot perform the translation and route it over the IPsec tunnel. Thanks.

>From: "Dennis H"
>Reply-To: "Dennis H"
>To: [EMAIL PROTECTED]
>Subject: Re: ipsec and nat [7:12825]
>Date: Wed, 18 Jul 2001 12:23:48 -0400
>
>I believe you mean IPsec over NAT, as opposed to NAT over IPsec... the VPN concentrators can do it using UDP port forwarding but this only works if you're using Cisco's VPN client.
>
>
>""Fly Ers"" wrote in message news:[EMAIL PROTECTED]...
> > Anyone confirm whether PIX, concentrator or IPsec router has the ability to NAT over IPsec? I know that I can NAT everything on a router behind one of these devices.
> >
> > Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=12902&t=12825
ipsec and nat [7:12827]
I just found the answer. http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=12827&t=12827
ipsec and nat [7:12825]
Anyone confirm whether PIX, concentrator or IPsec router has the ability to NAT over IPsec? I know that I can NAT everything on a router behind one of these devices. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=12825&t=12825
GRE over IPSec Tunnel [7:9257]
Have an IPsec tunnel between PIX 515 and VPN 3000. Attempting to establish a GRE tunnel over IPsec between two Cisco router endpoints. The tunnel appears to be up but cannot pass traffic across. Using this for broadcast traffic, routing updates, NetBIOS. Please advise.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=9257&t=9257