[nsp] Cisco VPN 3000 - basics questions

Mati Gil mgil at servicom2000.com
Wed Jan 7 03:16:23 EST 2004


Hello Mourad,
I don't know any way to check tunnel status to force open a backup
interface. Our backup interfaces only come up when the primary interface is down,
but we cannot force it if there is a problem in transit over the Internet.

Regards,
Mati


  -----Original message-----
  From: BERKANE Mourad [mailto:mourad.berkane.prestataire at sfrcegetelsi.fr]
  Sent: Monday, 05 January 2004 11:15
  To: 'Mati Gil'
  CC: cisco-nsp at puck.nether.net
  Subject: RE: [nsp] Cisco VPN 3000 - basics questions




  Hi Mati,

  Many Thanks!

  I have another question about the VPN Concentrator.
  Is there any VPN Concentrator on the market allowing the activation of an
ISDN backup IPSec tunnel in case of failure of the main IPSec tunnel over the
public Internet, as shown in the following diagram:



  Router______Main IPSec tunnel over Public Internet________VPNConcentrator
    |                                                          |
    |--------------Backup IPSec over ISDN----------------------|



  Something like the Cisco backup interface is not enough; I need to check the
status of the main tunnel in order to activate the backup one over ISDN.

  All the best for you in 2004 :-)

  Regards,
  Mourad
  -----Original message-----
  From: Mati Gil [mailto:mgil at servicom2000.com]
  Date: Wednesday 31 December 2003 12:58
  To: BERKANE Mourad; cisco-nsp at puck.nether.net
  Subject: RE: [nsp] Cisco VPN 3000 - basics questions



  Mourad,
  to set up filters:

  1. Create an IP In Rule:
  Direction: Inbound
  Protocol: Any (if all IP)
  Source address: IP network or network list with SA of traffic coming in
  Destination address: IP network or network list with DA of traffic coming in

  2. Create an IP Out Rule:
  Direction: Outbound
  Protocol: Any (if all IP)
  Source address: IP network or network list with SA of traffic going out
  Destination address: IP network or network list with DA of traffic going out

  3. Create a Filter:
  Default action: drop

  4. Assign rules to the filter:
  Add the In and Out rules you've just created

  5. Apply the filter wherever you want (L2L, remote access group,
  interface, ...)



  To use certificates:
  The VPN3000 is not a Certificate Authority, so it does not issue certificates.
  You'll need a CA anyway. But you can manually install certificates on the
  VPN3000.
  Look at
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946f1.shtml
  for the VPN3000
  and at
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009468a.shtml
  for the VPN Client.

  I hope it helps,
  Mati

  -----Original message-----
  From: cisco-nsp-bounces at puck.nether.net
  [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of BERKANE Mourad
  Sent: Wednesday, 31 December 2003 11:38
  To: 'cisco-nsp at puck.nether.net'
  Subject: [nsp] Cisco VPN 3000 - basics questions
  Importance: High




  I have 2 basic questions about Cisco VPN 3000 Series Concentrator.

  Reading the user guide chapter about Policy Management/Traffic
  Management/Filters, I see we could apply registered rules
  (HTTPS,IKE,HTTPS,GRE,L2TP,OSPF ... in/out), but it seems not to allow manual
  filters as we could set up with an ACL.
  I want to apply IP src/dest filters. How do I configure them, if possible?

  Another question: can the Cisco VPN 3000 be an IKE certificate server if I
  don't want to use an external one for the certificate IKE parameters?

  Thanks!
  Mourad
  _______________________________________________
  cisco-nsp mailing list  cisco-nsp at puck.nether.net
  https://puck.nether.net/mailman/listinfo/cisco-nsp
  archive at http://puck.nether.net/pipermail/cisco-nsp/
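The five filter steps in Mati's reply above (an In rule, an Out rule, a filter whose default action is drop, the rules assigned to the filter, the filter applied somewhere) can be modelled to see why the procedure creates one rule per direction. The following Python is an added example, not Cisco code and not anything posted in this thread: the `Rule`/`Filter`/`Packet` classes, the rule names, the sample networks (10.1.0.0/24, 10.2.0.0/24, 192.0.2.7) and the first-matching-rule-then-default evaluation order are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of a VPN 3000 style traffic filter (added example, not
# Cisco's implementation). A "network list" is modelled as a list of IPv4
# networks; the protocol "Any" matches every IP protocol.


def network_list(*cidrs):
    """Build a network list from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Packet:
    direction: str   # "Inbound" or "Outbound" relative to the filtered interface
    protocol: str    # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str


@dataclass
class Rule:
    name: str
    direction: str        # rule only applies to packets travelling this way
    protocol: str         # "Any" or a specific protocol name
    source: list          # network list the source address must belong to
    destination: list     # network list the destination address must belong to
    action: str = "Forward"

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol != "Any" and self.protocol != pkt.protocol:
            return False
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        return (any(src in n for n in self.source)
                and any(dst in n for n in self.destination))


@dataclass
class Filter:
    name: str
    default_action: str = "Drop"          # step 3: default action drop
    rules: list = field(default_factory=list)   # step 4: assigned rules

    def evaluate(self, pkt: Packet):
        """Return (action, rule name). First matching rule decides; if none
        matches, the filter's default action applies (assumed ordering)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, "default"


def build_site_filter(include_out_rule: bool = True) -> Filter:
    """Steps 1-4 for a constructed LAN-to-LAN setup: remote LAN 10.1.0.0/24
    talks to central LAN 10.2.0.0/24 through the filtered interface."""
    remote_lan = network_list("10.1.0.0/24")    # constructed sample network
    central_lan = network_list("10.2.0.0/24")   # constructed sample network
    in_rule = Rule("L2L-In", "Inbound", "Any", remote_lan, central_lan)
    out_rule = Rule("L2L-Out", "Outbound", "Any", central_lan, remote_lan)
    rules = [in_rule, out_rule] if include_out_rule else [in_rule]
    return Filter("L2L-Filter", "Drop", rules)


def demo() -> dict:
    """Evaluate a few constructed packets against the full filter and against
    a filter that has only the In rule."""
    full = build_site_filter()
    in_only = build_site_filter(include_out_rule=False)
    request = Packet("Inbound", "TCP", "10.1.0.5", "10.2.0.10")
    reply = Packet("Outbound", "TCP", "10.2.0.10", "10.1.0.5")
    stray = Packet("Inbound", "UDP", "192.0.2.7", "10.2.0.10")
    return {
        "request": full.evaluate(request),                 # forwarded by L2L-In
        "reply": full.evaluate(reply),                     # forwarded by L2L-Out
        "stray": full.evaluate(stray),                     # no rule: default Drop
        "reply_without_out_rule": in_only.evaluate(reply), # default Drop again
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24s} -> {verdict}")
```

Running the file prints the four verdicts. The last one shows that a filter holding only the In rule drops the reply traffic through its default action, which is why the procedure creates a matching Out rule before the filter is applied to the L2L connection, group or interface.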



