[c-nsp] Cisco VPN Concentrator

Bob Fronk bfronk at davishelliot.com
Fri Nov 11 12:37:29 EST 2005


Ok, I have everything working.  I ended up giving the concentrator a
public IP and putting it behind the edge router on a switch with the
PIX.  

PPTP (Windows) and the Cisco VPN software client all connect to the
Concentrator and work fine.  The one thing I can't seem to get working
is the Concentrator as an EZVPN server.

We have several 831 routers in remote locations that currently connect
to the PIX (set up as an EZVPN server).  I want to move all of those off
the PIX to the concentrator; however, I cannot seem to get the
configuration in the concentrator working correctly.

Does anyone have their concentrator set up as an EZVPN server or have any
links?  I have searched Cisco and Google, but cannot locate anything.

Thanks,

Bob Fronk, MCSE
bfronk at davishelliot.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peder @
NetworkOblivion
Sent: Thursday, November 10, 2005 5:11 PM
To: David J. Hughes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco VPN Concentrator

Yes, it is possible to put the inside interface behind a device like a
PIX and then not use the outside interface.  I have one in production
like that right now.  You can't do TCP NAT traversal, but you can do UDP
NAT traversal (not sure why UDP works and TCP doesn't).

As far as hairpinning, the VPN3005 allows hairpinning if you have an
internal router.  What you do is set the tunnel default gateway to the
internal router.  A user sends a packet that should go out another VPN,
it hits the VPN, it sends it to the internal router, the internal router
sends it back to the VPN and the VPN then sends it out the other tunnel.
Ugly, but it works.  If you don't have an internal router, I believe
you are SOL.

David J. Hughes wrote:
> On 11/11/2005, at 12:39 AM, Bob Fronk wrote:
> 
> 
>>I have done some searching and cannot find any sample configs that use
>>only one Interface on the concentrator.  So I am beginning to wonder if
>>it is possible.  However, since the PPTP works, I have to believe that
>>the IPSec should work if I can figure out what I have done wrong.
> 
> 
> Does anyone have any input on this?  I've always assumed that the VPN 
> 3k would reject hair-pinned packets in the same way PIX's do (well, 
> have until very recently).
> 
> 
> David
> ...
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 

-- 

Network stuff you didn't know....
http://www.networkoblivion.com