Hi, at the moment I have some vpn-filters applied to remote access VPN groups defined and everything works as expected (sysopt connection permit-vpn is enabled). Now I need to setup a few L2L tunnels and I want to restrict traffic beyond the crypto-acl...
Hi, can someone explain the functionality of the FWSM traffic classifier in depth? We're having a complex FWSM config with around 40 contexts and 20 shared interfaces between most of the contexts. To enable - inter-context communication over shared vlan...
Hi, I've the following setup running (relevant parts): interface Ethernet0/0 ip address 10.200.30.21 255.255.255.248 ip nat inside standby 122 ip 10.200.30.22 standby 122 name HSRP_int ! interface Ethernet0/1 ip address xxx.xxx.xxx.132 255.255.255.192 ip...
Hi, I want to extend a VPN setup by adding 836 routers as EzVPN clients in NEM mode connecting to a 3005 VPN Conc. As far as I understood 12.2T, 12.3 and 12.3(T) documentation correctly, EzVPN will not work with digital certificates for authentication...
Hi, since I upgraded our redundant PIX 515E from 6.3(1) to 6.3(3) there is a noticeably higher amount of dropped packets (x5). The dropped connections are equal in one point: While closing the tcp client/server session, there is a RST packet involved (...
Hi, for RA VPNs, the vpn-filter works flawlessly for me with "sysopt connection permit-vpn" enabled. Software release is 7.2(2). I didn't have the time to test it with L2L tunnels yet, but I'm going to implement this with caution after I read the post fr...
Yes, they should, if you do not want to use FWSM transparent mode. If you do not assign an IP address to the SVI, for what reason it should be configured? OTOH you can have another L3 routing device in the same VLAN outside the CAT6k that acts as a gat...
Hi, 1) You can have more than 1 SVI shared between MSFC and FWSM. MSFC(config)#firewall multiple-vlan-interfaces enables this. Then, you configure L3 VLAN interfaces on the MSFC. MSFC(config)#interface VLAN ... These VLANs must be trunked to the FWSM thro...
Hi, maybe the IKE/IPSec settings on your Conc. forcing XAUTH? Try to use an IKE proposal without XAUTH, for example the predefined IKE-3DES-MD5-RSA-DH1. To the "ra" thing: a CA (sub or root) may delegate registration tasks to a so-called registration au...
Hi, I succeeded, but without the use of EZVPN. Now we're connecting the 836's to a central IOS hub doing IPSec Lan-to-Lan VPN with certificates (836 remote router with dynamic IP address assignment from ISP). Sample config for 836 (only relevant parts)...