06-18-2010 03:41 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan. Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security. Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.
Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.
Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
06-30-2010 08:11 AM
Hi Diane,
The most common issues I have seen with this symptom are as follows:
1. The client is not able to reach the VPN server on UDP port 500, and therefore the server never responds. You can easily check this in the concentrator log to see whether the server is getting the client request or not.
2. The group name/password is not correct.
Due to security concerns, VPN servers are designed not to respond to requests with an invalid group name/password. This can also be checked on the concentrator with the logs.
Please feel free to ask any follow-up questions.
Thanks
-Syed
06-30-2010 07:40 AM
Ciscomoderator,
Can you tell me about Easy VPN? Do we need the ASA in order to set up VPN?
Thanks.
Diane
06-30-2010 08:35 AM
Hi Diane,
You can use an IOS router or an ASA as an Easy VPN server. Please refer to these links for configuration details.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpnrmote.html
There are a few config examples in the above link. If you have a specific client and scenario, let us know and we can find examples for that.
Thanks
Sundar
06-30-2010 09:40 AM
Sundar,
Thanks for your prompt response. I am not able to open the first link.
When would you use the IOS router or the ASA to set up VPN using Easy VPN server? Would you use the IOS router to set up VPN for 2000 employees?
I am not familiar with Easy VPN server. I will check out the second link.
Thanks.
06-30-2010 04:18 PM
Hi Diane
Easy VPN server is mainly used to support remote access VPN sessions such as software or hardware VPN clients. The scalable limit of 2000 tunnels depends on the platform models within IOS routers or ASAs. I am sending these links for both platforms; the scalable numbers are shown towards the end of the page.
You can also get some more details, config examples, etc. at www.cisco.com/go/easyvpn.
Whether to select an IOS router or an ASA may depend on your non-VPN design requirements as well. The ASA is primarily a firewall that can protect your network, with an added VPN feature set; it has limited support for routing protocols, etc. Some other differences between the platforms are in selected features like load balancing/redundancy, VRF support, virtual tunnels, etc. Please let us know if you have further questions.
Thanks
Sundar
07-01-2010 08:30 AM
Sundar,
Thanks for your response and information. I will check out the links. Since the forum will be over soon, I would like to ask you another question. In case my question is in the documentation, please ignore me. If I use the IOS router and use Easy VPN to set up VPN, will I be able to set up clientless SSL? Do I require additional licenses or additional modules to set up clientless SSL? For the ASA, clientless SSL requires additional licenses, which are expensive. I am trying to save money.
Thanks.
Diane
07-01-2010 11:20 AM
Hi Diane
IOS routers support a few free users, but they also need a license for more users. Also, they do not seem to scale as much as the ASA can with respect to SSL VPN. Please refer to this link for the free and maximum user limits per platform.
Please feel free to reach me if you have more questions.
Thanks
Sundar
07-01-2010 11:48 AM
Hello,
I hate to re-post, but I would really like some insight into "hairpin" routing and setting it up on an ASA for VPN users. I can't seem to find anything relevant to what I want, which is to tunnel all traffic, including Internet, back through the VPN. I would really love a brief description of the packet flow from the VPN user's point of view, with some focus on when and what is being NAT'ed where.
Some more information on my specific issue can be found here: https://supportforums.cisco.com/thread/2030063?tstart=0
Any help would be appreciated.
Thanks,
Ken
07-01-2010 12:28 PM
Hi,
I want a switch/router to transfer data from an ATM (Automated Teller Machine) at one side using GPRS as the medium, and a router at the other end with VPN connectivity. Could you suggest the Cisco part numbers for the switch/router with GPRS modem and the router with VPN connectivity? I also want to know what IP address will be used at the switch/router (ATM side), i.e. is it a public IP address or a private IP address? And is it possible to use a Cisco 880 wireless router at the ATM side in my design?
Thanks.
Mohammed Ali.