
SulucOhmun

@sbcglobal.net

[HELP] Cisco NewB with console cable, ASA-5505 & much grief, hel

Hello!

So I'm not daft here, but I'm not a "cisco guy". I've been hired on by a small business to help them out a bit.

They have a pretty particular network setup that involves a Cisco ASA-5505 acting as a router that establishes an IPSec/L2L VPN tunnel to a data center. From what I can see using "show running-config" the VPN tunnel is using a pre-shared key and "DefaultRAGroup". I have the pre-shared key from running "show running-config as admin"; it looks something like: "pre-shared-key &*gh34836j7372j73" & I know the hostname of the ASA-5505...

My issue is this: my boss has asked me to get his home desktop Windows 8 computer connected to the same VPN that the Cisco ASA-5505 router connects to at work (this allows them to access an internal terminal services server and connect to their RDP resources) so that he can access the same internal resources from his home. I have a Cisco console cable I soldered up & the console password for full admin access. I've logged in and run every "show ___" command that exists in IOS to try and figure out how this VPN link is set up, and still can't figure out how to get Windows 8 to connect to the VPN.

If I add a VPN connection in Windows 8, set it to IPSec L2TP, click advanced & put in the pre-shared key, and click "allow these protocols" & select all three options one at a time or all 3 at the same time (PAP, CHAP, CHAPv2), each time I am asked for a username and password, and I can't for the life of me understand what I am supposed to enter for the username and password.

I did not see anything about a username or password anywhere in the cisco ASA-5505 issuing every "show ?" command that exists.

Please, Please help! You will be saving so much trouble I can't even begin to express just how much!

Thank You so very much ahead of time for ANY help no matter how small, I have been trying to figure this out for over 3 weeks now.

--S.O


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

Re: [HELP] Cisco NewB with console cable, ASA-5505 & much grief,

Just so I'm straight... you've been hired to do a job you're not qualified to do. And now you want us to teach you how ON PRODUCTION EQUIPMENT.


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to SulucOhmun

There are plenty of documents from Cisco on how to setup various VPN scenarios. However, you don't want to play on production hardware people are using. How's the boss going to like it when you mess something up and the VPN stops working entirely?



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to SulucOhmun

well for starters, can you provide a sanitized copy of the running config (stripping IPs, usernames, and passwords, etc)?

Also, the VPN will authenticate (by default) to the local database of usernames and passwords, but it's not going to use L2TP. The built-in VPN solutions in Windows will not work unless of course Windows 8 has a native IPSEC PSK client.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to SulucOhmun

Sanitized config, please.

What your boss wants to do is perfectly doable. You're likely going to have to mess with the existing config, as he basically wants to take what sounds like a site-to-site VPN config and peer it with his home computer.
Riiiiiiiiiight....

Regards
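Both RyanG1 and HELLFIRE above ask for a sanitized config, and the opening post already pasted what looks like the tunnel's pre-shared key in the clear. The script below is an added example (not code from anyone in the thread) for redacting a "show running-config" dump before it goes on a public forum: it blanks pre-shared keys, passwords, SNMP communities and AAA keys, replaces hostname, domain and usernames, maps every IPv4 address to a consistent placeholder so peers and ACLs still line up, and collapses certificate hex dumps. It assumes common ASA/IOS keyword syntax; the sample config, names, addresses and secrets embedded in it are constructed for the example.

```python
"""Redact a Cisco ASA/IOS running-config before pasting it into a public forum.

Added example for this thread, not code posted by anyone in it.  Secrets are
blanked, identities replaced, and IPv4 addresses mapped consistently (the same
address always becomes the same IP-n).  Netmasks and 0.0.0.0 are kept because
they identify nothing.  The patterns cover common ASA/IOS syntax, not every
possible secret, so read the output before posting it.
"""
import re
import sys

REDACTED = "<REDACTED>"
CERT_MARKER = "<CERTIFICATE DATA REMOVED>"

# (regex, replacement) pairs applied in order.  Group 1 keeps the keyword
# prefix; the secret that follows it is consumed and replaced.
SECRET_RULES = [
    # [ikev1] pre-shared-key <key> under tunnel-group ... ipsec-attributes
    (re.compile(r"^(\s*(?:ikev1 |ikev2 (?:local|remote)-authentication )?pre-shared-key\s+)\S+"), r"\1" + REDACTED),
    # IOS: crypto isakmp key <key> address <peer>
    (re.compile(r"^(\s*crypto isakmp key\s+)\S+"), r"\1" + REDACTED),
    # enable password|secret [type] <x>, passwd <x>, line password <x>
    (re.compile(r"^(\s*(?:enable (?:password|secret)|passwd|password)\s+)(?:\d\s+)?\S+"), r"\1" + REDACTED),
    # username <u> password|secret [type] <x> ...
    (re.compile(r"^(\s*username\s+\S+\s+(?:password|secret)\s+)(?:\d\s+)?\S+"), r"\1" + REDACTED),
    # snmp-server community <x> / snmp-server host ... community <x> ...
    (re.compile(r"^(\s*snmp-server .*?\bcommunity\s+)\S+"), r"\1" + REDACTED),
    # aaa-server host "key <x>", IOS radius-server/tacacs-server key [type] <x>
    (re.compile(r"^(\s*(?:(?:radius|tacacs)-server )?key\s+)(?:\d\s+)?\S+"), r"\1" + REDACTED),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USERNAME = re.compile(r"^(\s*username\s+)(\S+)")
IDENTITY = re.compile(r"^(\s*(?:hostname|domain-name)\s+)\S+")
# hex dump lines inside a "crypto ca certificate chain" block
HEX_LINE = re.compile(r"^\s*[0-9a-f]{8}(?:\s+[0-9a-f]{8})*\s*$")


def _keep_address(addr):
    """Netmasks, wildcard masks and the any-address carry no identity."""
    return addr.startswith(("0.", "255."))


class Sanitizer:
    """Stateful so the IP and username mappings stay consistent across lines."""

    def __init__(self):
        self.ips = {}
        self.users = {}

    def _placeholder(self, table, value, prefix):
        if value not in table:
            table[value] = f"{prefix}-{len(table) + 1}"
        return table[value]

    def line(self, raw):
        line = raw.rstrip("\n")
        if HEX_LINE.match(line):
            return CERT_MARKER
        for rx, repl in SECRET_RULES:
            line = rx.sub(repl, line)
        m = USERNAME.match(line)
        if m:
            line = m.group(1) + self._placeholder(self.users, m.group(2), "USER") + line[m.end():]
        m = IDENTITY.match(line)
        if m:
            line = m.group(1) + REDACTED
        return IPV4.sub(lambda a: a.group(0) if _keep_address(a.group(0))
                        else self._placeholder(self.ips, a.group(0), "IP"), line)

    def text(self, config):
        out = []
        for raw in config.splitlines():
            s = self.line(raw)
            if s == CERT_MARKER and out and out[-1] == CERT_MARKER:
                continue  # collapse a multi-line certificate dump into one marker
            out.append(s)
        return "\n".join(out)


def sanitize_config(config):
    """Sanitize a whole running-config string with a fresh mapping."""
    return Sanitizer().text(config)


# Constructed sample in the shape of "show running-config" on an ASA 5505;
# every address, name and secret here is made up for the example.
SAMPLE_CONFIG = """\
hostname asa5505
domain-name smallbiz.example
enable password 8Ry2YjIyt7RRXU24 encrypted
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
access-list L2L extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto map OUTSIDE 10 set peer 198.51.100.7
snmp-server host inside 192.168.1.50 community s3cret version 2c
aaa-server RADIUS (inside) host 192.168.1.60
 key r4dius-key
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key Xk9#pL2qR8vT
crypto ca certificate chain ASDM_TrustPoint0
 certificate 3a0e1f2c
    308202f7 308201df a0030201 02020430 0e1f2c30 0d06092a 864886f7 0d010105
    05003012 31103010 06035504 03130961 73613535 30352e6c 6f63616c 301e170d
  quit
"""

if __name__ == "__main__":
    # Usage: python sanitize_config.py running-config.txt > sanitized.txt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(sanitize_config(src))
```

The L2L peer address appears three times in the sample (crypto map and both tunnel-group lines) and becomes the same IP-5 each time, which is what lets a reader check that the crypto map, tunnel-group and ACLs refer to the same peer without learning what it is.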


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

Not really. He wants to do exactly what I've been doing for years... L2L VPN, plus remote vpn clients landing on the same ASA. The ASA will hairpin traffic (unlike the old Pix's.) Along with the small trick of using inside interface dhcp for RA clients -- thus making them look like local LAN hosts -- everything works perfectly. Well other than needing a vpn client (ipsec, or sslvpn -- the asa will feed me the sslvpn client, the other I have to already have installed.)


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to SulucOhmun

As others have mentioned, there are various sample configurations available in this forum FAQ you can review to get some ideas. Feel free to check them out if you have not done so.


nosx

join:2004-12-27
00000
kudos:5
reply to SulucOhmun

Please call Cisco and OPEN A TAC CASE.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by nosx:

Please call Cisco and OPEN A TAC CASE.

I wonder what happens when this is the response to every question asked here

nosx

join:2004-12-27
00000
kudos:5

Sorry aryoba, but this problem isn't a question with an answer.

I believe even if somebody were to get on the phone and go through the config, topology, and do the OP's job for him, we would likely end up doing more harm than good to that business's network.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to aryoba

said by aryoba:

said by nosx:

Please call Cisco and OPEN A TAC CASE.

I wonder what happens when this is the response to every question asked here

We'd have a lot quieter Cisco forum here, that's for sure....

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to nosx

said by nosx:

Sorry aryoba, but this problem isn't a question with an answer.

I believe even if somebody were to get on the phone and go through the config, topology, and do the OP's job for him, we would likely end up doing more harm than good to that business's network.

Which is why some network guys are getting $$$ though they may be under appreciated

aryoba
Premium,MVM
join:2002-08-22
kudos:4

reply to HELLFIRE

said by HELLFIRE:

said by aryoba:

said by nosx:

Please call Cisco and OPEN A TAC CASE.

I wonder what happens when this is the response to every question asked here

We'd have a lot quieter Cisco forum here, that's for sure....

Regards

I recall several years back when this forum had a handful of network experts and was the place to exchange ideas and thoughts, even forming mutual professional relationships. With today's economy, I would assume those people were too busy to hang around anymore and moved on.

Nowadays we still have quite informative discussions from time to time, though I sometimes miss the past

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to SulucOhmun

I must've missed that golden time aryoba... we get the occasional (lively) technical discussion here, but I
don't mind the troubleshooting / "help me" / "what do you think?" kinda threads we see.

Regards



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to aryoba

said by aryoba:

I recall several years back when this forum had a handful of network experts and was the place to exchange ideas and thoughts, even forming mutual professional relationships. With today's economy, I would assume those people were too busy to hang around anymore and moved on.

Nowadays we still have quite informative discussions from time to time, though I sometimes miss the past

its all a matter of perception and skill level.
for those of us who have dealt with cisco kit -- not just at the deployment level -- but at the proof-of-concept level, working with the tme/tss/pss level, or have had to dive deep into the architecture of each platform -- we're not going to get much out of 'help me get my cisco router online so i can use it with my cable modem'.
for those of us who haven't had much exposure to cisco, or have recently acquired our ccna and are looking for how to apply it to the real world, this place may have some value.

i personally enjoy conversations about the former -- as i've had to go 'balls deep' in a lot of enterprise networks and do pocs. i also (while it lasted) had a personal n7k/n5k/n2k lab -- equipped with c4k/sup7e and asr1002. i enjoyed mocking up different technologies/scenarios for my own knowledge. now i'm relegated to my stack of 2811's and gns3. nothing is more fun than setting up something -- then finding out why it behaves the way it does.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

said by tubbynet:

nothing is more fun than setting up something -- then finding out why it behaves the way it does.

q.

And then making it work in an even more interesting way.
--
»Death Star Petition


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by DarkLogix:

said by tubbynet:

nothing is more fun than setting up something -- then finding out why it behaves the way it does.

q.

And then making it work in an even more interesting way.

one can only go so far.
its nice to have for personal edification -- but in large enterprise/sp/datacenter/hosting environments -- you need to be able to back up your claims.
more often than not -- it means building from or on top of a cvd (cisco validated design). there will always be tweaks, but any customer worth their weight will either (a) have a lab to mock this up -- or will request staging of equipment for a poc.

in large organizations with tight change management/strict sla/high uptime requirements -- you can't just cowboy a solution. it has to be vetted and approved. (of course, there are always exceptions to the rule *looks at nosx*).
along the way, things are sure to break, and in that instance -- you use them as a troubleshooting activity.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Of course.

Any solution to be deployed in a work environment would have to meet best practices. And just a test lab that shows it can work might not be enough vetting to find that 1-in-1000 bug that could crash the network.

Personally I'm at a place that uses Juniper, and due to it Juniper has made an awful impression on me.

So for now I mess with my cisco gear at home.
--
»Death Star Petition


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to aryoba

That was a very different era. Things are a lot more complicated today, and "newbs" that much farther behind. (and there are too many people willing to pay lawyers when things go wrong than engineers to make it right from the start.)

What the OP wants is too complex to try to talk him through it on production hardware. (see above re: lawyers)



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to DarkLogix

said by DarkLogix:

Personally I'm at a place that uses Juniper, and due to it Juniper has made an awful impression on me.

So for now I mess with my cisco gear at home.

juniper makes some solid kit, but just like any other vendor -- it takes knowledge of the code lineage, an understanding of hardware/software limitations, and the best practices for configuration.

in fact -- $current_customer would have a lot fewer headaches if they would have used srx firewalls instead of cisco asa.

juniper mx-kit is pretty solid as well, as long as you know the limitations of mpc, dpc, ms-dpc and how they play inside the chassis.

the ex-series is a little half-baked -- but most of the bugs are solved for simpler switching, etc. when you start running mpls bits on top, then it gets interesting.

long story short -- as a consultant -- you have to keep an open mind when it comes to hardware. blanket statements that $vendor sucks prevent you from developing a true best-of-breed solution. of course -- at times -- you have to toe the line of whichever vendor you are more closely associated with. for me -- that means cisco -- but being a var/partner with multiple companies provides that enablement to choose what is best.

make yourself an olive box. you'll enjoy it.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to DarkLogix

said by DarkLogix:

Any solution to be deployed in a work environment would have to meet best practices. And just a test lab that shows it can work might not be enough vetting to find that 1-in-1000 bug that could crash the network.

Funny enough, some vendors simply use a simple lab environment (i.e. back-to-back cable) instead of actual circuits (i.e. DWDM or long-hauls) for QA prior to releasing new equipment. We actually hit an image bug on this new equipment, just because we used a real-world DWDM circuit, causing the vendor to have to release an official bug and fix in their next image release to remediate the issue (no, we did not get our money back for the production-time loss)

said by DarkLogix:

Personally I'm at a place that uses Juniper, and due to it Juniper has made an awful impression on me.

So for now I mess with my cisco gear at home.

With Juniper gear (such as routers, switches, or firewalls), it would be stable and powerful equipment without running new features (i.e. sticking with JUNOS 11.x is more likely to keep stability than running 12.x). This mindset also applies to IOS 12.4 compared to 15.x whenever possible.

At home though, I ran JUNOS 12.x to monitor its stability. On newer Cisco gears, we ran the 15.x IOS on production network and so far it is still stable.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to tubbynet

said by tubbynet:

said by DarkLogix:

Personally I'm at a place that uses Juniper, and due to it Juniper has made an awful impression on me.

So for now I mess with my cisco gear at home.

the ex-series is a little half-baked -- but most of the bugs are solved for simpler switching, etc. when you start running mpls bits on top, then it gets interesting.

Due to stability, you are not supposed to use the EX series for MPLS since it is a job for the MX series. Of course, some people may have different idea

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to cramer

said by cramer:

That was a very different era. Things are a lot more complicated today, and "newbs" that much farther behind. (and there are too many people willing to pay lawyers when things go wrong than engineers to make it right from the start.)

I have seen too many companies like that nowadays, unfortunately


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to aryoba

said by aryoba:

Due to stability, you are not supposed to use the EX series for MPLS since it is a job for the MX series. Of course, some people may have different idea

considering that juniper has no answer for the me3600/me3800 -- juniper users are turning to things like the ex4500/4550 for parity.

iirc -- this model supports more than one label at imposition -- making it suitable for vpnv4 bits. i think the ex4200 and smaller support only a single push/pop operation -- making them relatively useless in the mpls world.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to tubbynet

SRX240H routers and EX4200 switches (with full 48port gig POE)
with the SRX doing the intervlan routing with a 3 port LACP

then they've crashed pretty hard a lot.
--
»Death Star Petition