10-19-2008 05:35 PM
Hi, my VPN architecture is as follows:
HQ using Cisco 1841 ISR
Static WAN IP
LAN IP e.g. 192.168.1.0
EasyVPN Server with pre-shared key configuration.
Peer no.1
Using dynamic IP
DLink DSL-G600 series
Cisco Systems VPN Client installed
The questions:
From peer no. 1, outbound traffic is able to go to the HQ.
How about inbound data traffic from the HQ? E.g. Microsoft SQL services etc.
If inbound data traffic cannot, how do I configure this 'inbound' traffic to work?
Any recommendations and advice are appreciated!
Thanks in advance!
Rick
10-19-2008 10:41 PM
You most probably need to allow UDP 500 (or even 4500) and ESP (IP Protocol #50) on the NAT gateway. It's usually there under a separate section titled VPN passthrough, etc.
The phase 2 SA has 'two' uni-directional connections.
Regards
Farrukh
10-19-2008 11:54 PM
Hi Farrukh,
I understand you mean that on the peer's D-Link router I have to allow UDP 500~4500 and ESP (IP Protocol #50) on the NAT gateway?
Or
Do you mean on the HQ's Cisco 1841 IOS configuration?
Thanks in advance
Rick
10-20-2008 12:41 AM
On the D-Link
Regards
Farrukh
10-20-2008 01:08 AM
Hi Farrukh,
Alright, so let's say after I allow the 'ports' on the peer's D-Link router, any idea of any useful 'commands' or 'utilities' I can use to test and verify whether 'inbound' traffic is working fine?
After I establish the IPsec tunnels using the Cisco Systems VPN Client software installed on the Windows PC at the peer's site.
Thanks in advance!
Rick
10-20-2008 01:33 AM
The first place to check is the encr/decr on your VPN client Status screen.
You can also check the 'show crypto ipsec sa' on the VPN Server. The encaps/decaps both should increment.
Then you can simply initiate pings from both sides to check the tunnel.
Regards
Farrukh
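The check Farrukh describes (encaps and decaps both incrementing on the server, which also makes the two unidirectional SAs from his earlier reply visible) is easy to get wrong by eye when several clients are connected. The script below is an added example, not part of the original thread or any Cisco tool: it takes two snapshots of `show crypto ipsec sa` output, pairs the `#pkts encaps` / `#pkts decaps` counters per remote client, and reports which direction actually moved. The sample output is constructed and abbreviated (documentation addresses, hypothetical crypto map name `clientmap`); the field labels and the `current_peer ... port 4500` line are the IOS format. On the Easy VPN server, traffic from HQ toward the client shows up as encaps, and traffic arriving from the client as decaps, so an SA that only encapsulates is the signature of HQ sending but the client (or its NAT gateway) not passing ESP/UDP 4500 back.

```python
import re
from typing import Dict, Tuple

SAKey = Tuple[str, str]      # (remote ident address, "peer:port")
Counters = Tuple[int, int]   # (#pkts encaps, #pkts decaps)

# Constructed, abbreviated 'show crypto ipsec sa' output from a hypothetical
# Easy VPN server. Not a real capture; addresses are documentation ranges.
SNAPSHOT_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.5/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.6/255.255.255.255/0/0)
   current_peer 198.51.100.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #send errors 0, #recv errors 0
"""

# Second snapshot, taken after pushing test traffic toward both clients.
# Built by editing the counters of the first snapshot (constructed data):
# client .5 only gets encaps bumped, client .6 moves in both directions.
SNAPSHOT_AFTER = (
    SNAPSHOT_BEFORE
    .replace("#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120",
             "#pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150")
    .replace("#pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40",
             "#pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55")
    .replace("#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40",
             "#pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55")
)


def parse_sa_counters(output: str) -> Dict[SAKey, Counters]:
    """Map each SA (remote ident, peer:port) to its (encaps, decaps) counters.

    IOS prints one 'protected vrf:' block per crypto map entry / client, so
    splitting on that label isolates each SA; incomplete blocks are skipped
    rather than guessed at.
    """
    counters: Dict[SAKey, Counters] = {}
    for block in output.split("protected vrf:")[1:]:
        remote = re.search(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/", block)
        peer = re.search(r"current_peer (\S+) port (\d+)", block)
        encaps = re.search(r"#pkts encaps: (\d+)", block)
        decaps = re.search(r"#pkts decaps: (\d+)", block)
        if not (remote and peer and encaps and decaps):
            continue
        key = (remote.group(1), f"{peer.group(1)}:{peer.group(2)}")
        counters[key] = (int(encaps.group(1)), int(decaps.group(1)))
    return counters


def compare_snapshots(before: Dict[SAKey, Counters],
                      after: Dict[SAKey, Counters]) -> Dict[SAKey, str]:
    """Label each SA in the second snapshot by which counters moved."""
    verdicts: Dict[SAKey, str] = {}
    for key, (enc_after, dec_after) in after.items():
        enc_before, dec_before = before.get(key, (0, 0))  # new SA: treat as 0
        enc_up, dec_up = enc_after > enc_before, dec_after > dec_before
        if enc_up and dec_up:
            verdicts[key] = "both"
        elif enc_up:
            verdicts[key] = "encaps only"
        elif dec_up:
            verdicts[key] = "decaps only"
        else:
            verdicts[key] = "idle"
    return verdicts


HINTS = {
    "both": "tunnel passing traffic in both directions",
    "encaps only": "HQ is encrypting toward the client but nothing comes back; "
                   "check ESP / UDP 4500 passthrough on the client's NAT gateway",
    "decaps only": "client traffic arrives but HQ is not sending anything back",
    "idle": "no traffic during the sample window",
}

if __name__ == "__main__":
    results = compare_snapshots(parse_sa_counters(SNAPSHOT_BEFORE),
                                parse_sa_counters(SNAPSHOT_AFTER))
    for (remote, peer), verdict in results.items():
        nat_t = " (NAT-T)" if peer.endswith(":4500") else ""
        print(f"{remote:<16} via {peer}{nat_t}: {verdict} - {HINTS[verdict]}")
```

In practice you would capture the two snapshots from the router a minute apart (pasting the real command output into the two strings, or reading it from files) while generating traffic from the HQ side toward the client, exactly as Farrukh suggests; a peer shown on port 4500 is behind NAT and using NAT traversal, which is why UDP 4500 matters on the D-Link.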
10-20-2008 05:54 PM
Hi Farrukh,
I've come across the online document about the built-in 'Stateful Firewall (Always On)' feature that I can't comprehend.
Let's say after I allow the 'ports' that you mentioned on the peer's D-Link side, then what do I need to configure for this built-in 'Stateful Firewall' of the Cisco Systems software client?
My goal is to allow the inbound data traffic from HQ to the peer's end.
Meaning the peer is 'application aware' of the HQ head end after establishing IPsec VPN tunnels.
Thanks in advance!
Rick
10-20-2008 07:13 PM
This firewall feature is like a value-added, or should I say bonus, feature provided by Cisco. It's basically technology from Zone Labs (ZoneAlarm), AFAIK. The VPN client makes sure encrypted traffic flows through even after enabling the firewall, but just make sure you test everything, as it can sometimes break some desired traffic flows (e.g. your own remote session to the VPN client PC for testing).
Regards
Farrukh