Networking-Blog

My WordPress Blog

CISCO HOT STANDBY Protocols – HSRP, VRRP & GLBP

It is somewhat irritating that we have three protocols which accomplish nearly the same task. HSRP and VRRP are practically identical, while GLBP extends them to offer load balancing. VRRPv2 (RFC 3768) does not support IPv6, the argument being that IPv6 already provides router discovery through its Neighbor Discovery Protocol; VRRPv3 (RFC 5798) added IPv6 later, and Cisco has long included IPv6 support in HSRP and GLBP.

One thing all three share: the gateway role is elected from multicast hellos on the LAN, and those hellos are unauthenticated by default. Any host on the segment that sends hellos with a higher priority can take over the virtual gateway and sit in the path of every client. Configure MD5 authentication where the platform offers it (HSRP, GLBP and Cisco's VRRP implementation all do) and keep the hello traffic off untrusted ports.


First Hop Redundancy protocol comparison (HSRP, VRRP, GLBP)

Protocols compared:
  HSRP  - Hot Standby Router Protocol (Cisco proprietary)
  VRRP  - Virtual Router Redundancy Protocol (IETF standard, RFC 3768 for VRRPv2)
  GLBP  - Gateway Load Balancing Protocol (Cisco proprietary)

Router roles
  HSRP: 1 active router, 1 standby router, 1 or more listening routers. Uses a virtual IP address.
  VRRP: 1 master router, 1 or more backup routers. The virtual IP can be the real IP of one of the routers (that router, the address owner, then always becomes master); otherwise the router with the highest priority becomes master.
  GLBP: 1 AVG (Active Virtual Gateway), up to 4 AVFs (Active Virtual Forwarders) per group passing traffic, up to 1024 GLBP groups per physical interface. Uses a virtual IP address.

Election
  The HSRP active router, the VRRP master router (*) and the GLBP AVG are all elected the same way:
    1. Highest priority
    2. Highest IP address (tiebreaker)

Optimization features (all three)
  Tracking: yes
  Preempt: yes (VRRP preempts by default; HSRP and GLBP AVG preemption must be enabled explicitly)
  Timer adjust: yes

Traffic type
  HSRP: 224.0.0.2, UDP 1985 (version 1); 224.0.0.102, UDP 1985 (version 2)
  VRRP: 224.0.0.18, IP protocol 112
  GLBP: 224.0.0.102, UDP 3222

Timers
  HSRP: hello 3 seconds, hold 10 seconds
  VRRP: advertisement 1 second; master down interval = 3 * advertisement + skew time, where skew time = (256 - priority) / 256 seconds
  GLBP: hello 3 seconds, hold 10 seconds

Load-balancing functionality
  HSRP: multiple HSRP groups per interface/SVI/routed interface. Requires appropriate distribution of the virtual gateway IPs among the clients (generally through DHCP) for useful load-balancing.
  VRRP: multiple VRRP groups per interface/SVI/routed interface. Same requirement: the virtual gateway IPs must be spread across the clients (generally through DHCP).
  GLBP: load-balancing oriented. Round-robin (default), weighted and host-dependent algorithms. Clients all request one virtual gateway IP and are transparently handed a different virtual MAC in the ARP reply according to the algorithm.

Difference Between HSRP and VRRP

HSRP vs. VRRP

1. HSRP is a proprietary protocol developed by Cisco, whereas VRRP is an open standard from the IETF.
2. HSRP was created earlier; VRRP came later.
3. VRRP has a faster default hello (advertisement) timer and a faster hold (master down) timer than HSRP.
4. In VRRP only the master sends advertisements; the backups stay silent. In HSRP both the active and the standby router send hellos.

HSRP:

Uses a default hello timer of 3 seconds and a hold timer of 10 seconds.

VRRP:

An open standard from the IETF (first published as RFC 2338 in 1998, revised as RFC 3768), designed to work across vendors. Its default advertisement interval is 1 second and its master down interval is about 3 seconds (3 times the advertisement interval plus a priority-dependent skew time). Only the master sends advertisements; a backup router takes over the master role when it stops hearing them.

* If the virtual IP of a VRRP group is the real interface address of one of the routers, that router is the address owner: IOS sets its priority to 255 and it always wins the election, even over another router configured with a higher value in the configurable range [1-254].
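The election and timer rules in the table above and the VRRP notes just given, as an added example written for this page (not Cisco code and not from the original post): it builds and parses a VRRPv2 advertisement of the kind sent to 224.0.0.18 over IP protocol 112, computes the skew time and master down interval, runs the election including the priority-255 owner rule, and flags the advertisements a gateway hijack would produce on the wire. Addresses, VRIDs and priorities are constructed sample values.

```python
"""VRRPv2 advertisement build/parse, election and timer helpers (RFC 3768).

Added example for this page; not Cisco code. Sample addresses, VRIDs and
priorities below are constructed, not taken from a real network.
"""
import ipaddress
import struct

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
VRRP_MULTICAST = "224.0.0.18"   # IP protocol 112, as in the comparison table
OWNER_PRIORITY = 255            # address owner; configurable range is 1-254


def internet_checksum(data: bytes) -> int:
    """Ones' complement sum over 16-bit words; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, addresses, adver_int=1, auth_type=0):
    """Serialize a VRRPv2 advertisement (the payload after the IP header)."""
    addr_bytes = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(addresses), auth_type, adver_int, 0)
    body = head + addr_bytes + b"\x00" * 8   # 8 bytes of (unused) auth data
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Decode and validate an advertisement; raises ValueError on bad input."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0xF != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    length = 8 + 4 * count + 8
    if len(pkt) < length:
        raise ValueError("address count exceeds packet length")
    if internet_checksum(pkt[:length]) != 0:
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addrs}


def skew_time(priority: int) -> float:
    """Skew time in seconds: (256 - priority) / 256."""
    return (256 - priority) / 256


def master_down_interval(priority: int, adver_int: int = 1) -> float:
    """Master down interval: 3 * advertisement interval + skew time."""
    return 3 * adver_int + skew_time(priority)


def effective_priority(router_ip: str, configured: int, virtual_ip: str) -> int:
    """The router whose real address is the virtual IP is the owner and gets 255."""
    return OWNER_PRIORITY if router_ip == virtual_ip else configured


def elect_master(routers, virtual_ip):
    """routers: [(ip, configured_priority)]. Highest priority wins, then highest IP."""
    ranked = sorted(routers, key=lambda r: (effective_priority(r[0], r[1], virtual_ip),
                                            int(ipaddress.IPv4Address(r[0]))), reverse=True)
    return ranked[0][0]


def audit_advertisement(src_ip, adv, trusted_routers, virtual_ip):
    """What a hijack looks like on the wire: unknown sender, owner claim, no auth."""
    findings = []
    if src_ip not in trusted_routers:
        findings.append(f"advertisement for VRID {adv['vrid']} from unknown source {src_ip}")
    if adv["priority"] == OWNER_PRIORITY and src_ip != virtual_ip:
        findings.append(f"{src_ip} claims owner priority 255 but does not hold {virtual_ip}")
    if adv["auth_type"] == 0:
        findings.append("no authentication; any host on the segment can send this")
    return findings
```

With a packet capture in hand, feeding each advertisement's source IP and payload to audit_advertisement against the set of routers that should be speaking VRRP for that VRID is a cheap detection for a rogue gateway; the same three checks apply to HSRP and GLBP hellos, only the packet format differs.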

 

ASA – Object Groups

Create an icmp-type object-group for the ICMP traffic you want to allow in:

object-group icmp-type INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded

Create a service object-group for the TCP ports:

object-group service INBOUND tcp
description Inbound Access
port-object eq 3389
port-object range 9998 9999

Both are then referenced from extended access-list entries with the object-group keyword in place of a single port or ICMP type, so the list of ports and types can be changed in one place. If that access-list is applied on the outside interface, RDP (3389) deserves a source restriction as well, not just a port match.

ADSL2 v ADSL2+

There is a common misconception that ADSL2+ is faster than ADSL2 on any line. That is not really the case. In simple terms:

ADSL2+ uses twice the frequency range on your phone line that ADSL2 does. Again in simple terms, that means twice as fast, BUT that is only seen on short, low-attenuation lines.

If your line is only capable of supporting 7meg on ADSL2 then it is only capable of supporting 7meg on ADSL2+, as it can usually only use the same frequencies for both (see below).

However, if you are lucky enough to have a line that can support the higher frequencies, then you get up to 12meg on ADSL2 (the maximum possible) but up to 24meg on ADSL2+.

The cross-over between ADSL2 and ADSL2+ is therefore in the 10-12meg range (typically 35-40 dB attenuation if the line is relatively noise free).

ADSL2+ can give faster speeds, but usually only on short lines, as explained above. The one exception is a moderately short line (one that offers some higher frequencies above those usable by ADSL2) that has induced noise at the lower frequencies and is clean at the higher ones; in that case ADSL2+ could be better because it can use those higher frequencies.

There is also the possibility that a network uses equipment whose firmware works better in certain conditions with specific ADSL modes, which is why G.DMT is sometimes mentioned as being better for problem lines.

Cisco: 1841 – 3G Configuration

This configuration example is for a 3G HWIC in a Cisco ISR router (an 1841 here; the card sits in slot 0/0/0, so every cellular command below takes 0/0/0 as its slot argument).

It was configured on the Vodafone UK network.

Initialization

Insert the SIM card into the 3G card, then insert the card in the router and power it on.

Create a profile specific to your mobile ISP

  • Insert the APN given by your ISP (Vodafone UK: APN 'Internet', username 'web', password 'web')
  • Insert the authentication method (chap or pap) and the credentials, also supplied by your ISP

Below is an example of a Vodafone UK cellular profile:

Router# cellular 0/0/0 gsm profile create 1 Internet chap web web

You can review the profile you have just created with:

router# show cellular 0/0/0 profile

Profile Information
====================
Profile 1 = ACTIVE
--------
PDP Type = IPv4
PDP address = 192.168.1.1
Access Point Name (APN) = Internet
Authentication = PAP
Username: web, Password: web

* - Default profile

Configuration

You need to define a chat script first; it is used for modem setup and call initialization. If you are familiar with IOS dial configurations you will feel at home. Note that the last number in the dial string (1 in the example below) is the modem profile number you defined above, and that the chat-script name (vodafone) must be the same in "dialer string" on the interface and "script dialer" on the line.

! your chat script
chat-script vodafone "" "ATDT*98*1#" TIMEOUT 60 CONNECT

! the bare interface config
! subcommands at the Cellular interface
interface Cellular0/0/0
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string vodafone
dialer-group 1
async mode interactive
ppp chap hostname web
ppp chap password 0 web
ppp ipcp dns request
!
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
dialer-list 1 protocol ip permit
!
! this is the async line assigned to the 3G modem;
! specify your chat script here
line 0/0/0
script dialer vodafone
no exec
rxspeed 3600000
txspeed 384000

If the cellular interface does not get an IP address, go into config t and enter the line script again, even though it already appears above:

line 0/0/0
script dialer vodafone

Note that "dialer idle-timeout 0" keeps the link up permanently and "dialer-list 1 protocol ip permit" lets any IP packet bring it up, so the router may be reachable from the Internet on its cellular address (depending on whether the carrier hands out a public one) as soon as the link is up. Put an inbound access-list on Cellular0/0/0, or a zone-based firewall, in place before connecting it to a production LAN.

Show commands:

Just in case you need them for troubleshooting, here are the show commands to use.

  • show cellular 0/0/0 network
  • show cellular 0/0/0 hardware
  • show cellular 0/0/0 connection
  • show cellular 0/0/0 radio
  • show cellular 0/0/0 profile
  • show cellular 0/0/0 security
  • show cellular 0/0/0 all

Debug commands:

  debug chat
  debug modem
  debug dialer events
  debug ppp authentication

Rather than reloading the router to restart the module, you can reset or reboot the module from the CLI:

router(config)# service internal
router(config)# exit
router# test cellular 0/0/0 modem-power-cycle   ! reboot the module
router# test cellular 0/0/0 modem-reset         ! reset the module

  • Remember to create the cellular profile after loading the config onto the router via TFTP; the profile is stored on the modem, not in the running-config:
    cellular 0/0/0 gsm profile create 1 Internet chap web web
  • This is the bare configuration; you will need to add NAT, firewall rules, etc.

Linux Video Driver Version Command

Video Driver Version Command

dmesg | grep NVIDIA
sudo lspci -vvnn | grep 10de

(10de is the NVIDIA PCI vendor ID, so the second command lists the NVIDIA devices with the kernel driver in use.)

What I did from the command line was find the packages for nvidia

dpkg -l | grep nvidia

and then

apt-get remove nvidia-173

(or whatever package the previous command shows).

The problem is that you will still have the nvidia modules listed in xorg.conf. So I also did

mv /etc/X11/xorg.conf /etc/X11/xorg.conf_backup

and rebooted.

I landed in graphical mode as usual, without the nvidia GL stuff, but then there are graphical tools to set it up.

At this stage it is safe to delete the xorg.conf backup you just created.

####################
Whenever I try to start my computer with kernel version 3 (it boots fine with 2.6), Kubuntu stops booting altogether.

11.10 stops booting at "Checking battery state ... [OK]"

I had to reinstall my graphics drivers:

sudo apt-get install --reinstall nvidia-173

Home Linux (Ubuntu) iptables Firewall Rules

The ruleset as saved with iptables-save: default-deny on INPUT and OUTPUT with denied packets logged, SSH moved to port 222 with a rate limit on new connections, and SMB/VNC only from named subnets. Note the ordering of the port 222 rules: the rate-limit DROP has to sit above the ACCEPT (an ACCEPT first would shadow it), and the recent list has to be filled with --set, or --update never counts anything.

# Generated by iptables-save v1.4.4 on Wed Dec 29 15:11:27 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH on 222: drop a source after 8 new connections in 60 s, record every new
# connection, then accept; the DROP must come before the ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 222 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 222 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -d 172.16.254.3/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -d 10.20.254.254/32 -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -d 172.16.254.3/32 -i eth0 -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -d 172.16.254.3/32 -i eth0 -p udp -m udp --dport 7778 -j ACCEPT
-A INPUT -d 172.16.254.3/32 -i eth0 -p udp -m udp --dport 7787 -j ACCEPT
# VNC / remote support
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 5800 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 5902 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 5938 -j ACCEPT
# SMB (139/445) only from the listed subnets and the PPTP peer
-A INPUT -s 10.20.254.249/32 -d 192.168.2.4/32 -i ppp0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.6.0/29 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 172.16.254.3/32 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 172.16.254.3/32 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.6.0/29 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.20.254.249/32 -d 192.168.2.4/32 -i ppp0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.3.0/29 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.4.0/28 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.0.2/32 -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
# syslog and NetFlow from the router only
-A INPUT -s 192.168.2.1/32 -d 192.168.2.4/32 -i eth0 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 192.168.2.4/32 -i eth0 -p udp -m udp --dport 9996 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p udp -m udp --dport 50518 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 50518 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p udp -m udp --dport 6881 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 10.20.254.248/29 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 172.16.254.2/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 172.16.254.3/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.4.0/28 -d 192.168.2.4/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.4.0/28 -d 172.16.254.3/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.6.0/29 -d 192.168.2.4/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 172.16.0.2/32 -d 192.168.2.4/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 10.20.254.248/29 -d 10.20.254.248/29 -i ppp0 -p icmp -j ACCEPT
-A INPUT -s 10.20.254.249/32 -d 192.168.2.4/32 -i ppp0 -p icmp -j ACCEPT
# everything else: log (rate limited) and drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 10.20.254.254/32 -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -p udp -m udp --sport 7777 -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -p udp -m udp --sport 7778 -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -p udp -m udp --sport 7787 -j ACCEPT
-A OUTPUT -s 10.20.254.254/32 -p gre -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 5938 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 5900 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.2.1/32 -p tcp -m tcp --dport 2222 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.3.2/32 -p tcp -m tcp --dport 2223 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.4.2/32 -p tcp -m tcp --dport 2223 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.2.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 30000 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.2/32 -d 192.168.2.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.2/32 -d 172.16.254.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.2/32 -d 172.16.254.3/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -d 172.16.254.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -d 172.16.254.2/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -d 192.168.2.4/32 -p icmp -j ACCEPT
-A OUTPUT -s 172.16.254.3/32 -d 192.168.4.0/28 -p icmp -j ACCEPT
-A OUTPUT -s 10.20.254.254/32 -d 192.168.2.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 10.20.254.254/32 -d 192.168.2.4/32 -p icmp -j ACCEPT
-A OUTPUT -s 10.20.254.249/32 -d 192.168.2.4/32 -p icmp -j ACCEPT
-A OUTPUT -s 10.20.254.254/32 -d 10.20.254.249/32 -p icmp -j ACCEPT
# tftp (69) and telnet (23) to the network gear are cleartext; fine on a trusted LAN only
-A OUTPUT -s 192.168.2.4/32 -p udp -m udp --dport 69 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 81.103.221.11/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.2.1/32 -p udp -m udp --dport 514 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.2.1/32 -p udp -m udp --dport 161 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.2.1/32 -p udp -m udp --dport 162 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 4070 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 192.168.5.2/32 -p tcp -m tcp --dport 9100 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -d 94.136.40.61/32 -p tcp -m tcp --dport 110 -j ACCEPT
# this one opens every high port outbound and makes most of the rules above moot
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j DROP
COMMIT
# Completed on Wed Dec 29 15:11:27 2010
# Generated by iptables-save v1.4.4 on Wed Dec 29 15:11:27 2010
*nat
:PREROUTING ACCEPT [430:32842]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2773:170524]
COMMIT
# Completed on Wed Dec 29 15:11:27 2010
# Generated by iptables-save v1.4.4 on Wed Dec 29 15:11:27 2010
*mangle
:PREROUTING ACCEPT [1735576:104189954]
:INPUT ACCEPT [1735512:104181797]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2877496:3782379744]
:POSTROUTING ACCEPT [2874912:3782220690]
COMMIT
# Completed on Wed Dec 29 15:11:27 2010
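A ruleset this long is easy to get subtly wrong: a rule that never matches because an earlier ACCEPT shadows it, a recent list that is checked but never filled, a duplicate rule, a port range that quietly opens everything. The audit below is an added example written for this page (not part of the blog's ruleset or of iptables itself); it parses iptables-save output and reports those mistakes. The sample ruleset is constructed from a handful of the page's rules, re-introducing the original ordering of the port 222 rules so that the shadowing is visible.

```python
"""Audit an iptables-save ruleset for ordering and exposure mistakes.

Added example for this page, not part of the original ruleset. The sample
below is constructed from a few of the page's rules, with the ACCEPT placed
above the SSH rate-limit DROP and no 'recent --set', so both problems show.
"""
from collections import Counter

SAMPLE_RULES = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 222 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
-A INPUT -d 192.168.2.4/32 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 172.16.254.3/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 172.16.254.3/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -s 192.168.2.4/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A OUTPUT -j DROP
"""

# Inbound services that should never be open to every source address.
SENSITIVE_INBOUND = {21, 22, 23, 139, 222, 445, 3389, 5900}
CLEARTEXT_OUTBOUND = {21: "ftp", 23: "telnet", 69: "tftp"}
WIDE_RANGE = 1000   # an ACCEPT spanning this many ports or more is flagged

# options whose next token is a value the audit cares about
VALUE_OPTS = {"-A": "chain", "-s": "src", "-p": "proto", "--dport": "dport",
              "-j": "target", "--name": "recent_name"}


def parse_rule(line: str) -> dict:
    """Pull the fields the audit needs out of one '-A ...' line."""
    rule = {"chain": None, "src": None, "proto": None, "dport": None,
            "target": None, "recent": None, "recent_name": None, "raw": line}
    toks = line.split()
    for i, t in enumerate(toks):
        if t in VALUE_OPTS and i + 1 < len(toks):
            rule[VALUE_OPTS[t]] = toks[i + 1]
        elif t in ("--set", "--update", "--rcheck"):
            rule["recent"] = t
    return rule


def port_range(spec: str):
    """'222' -> (222, 222); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def audit(text: str) -> list:
    """Return a list of human-readable findings for an iptables-save dump."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
    findings = []
    for raw, n in Counter(r["raw"] for r in rules).items():
        if n > 1:
            findings.append(f"duplicate rule ({n}x): {raw}")
    chains = {}
    for r in rules:
        chains.setdefault(r["chain"], []).append(r)
    for chain, crules in chains.items():
        recorded = {r["recent_name"] for r in crules if r["recent"] == "--set"}
        for idx, r in enumerate(crules):
            if r["recent"] in ("--update", "--rcheck") and r["recent_name"] not in recorded:
                findings.append(f"{chain}: recent list {r['recent_name']} is checked but never "
                                "filled; add a matching '-m recent --set' rule")
            if r["target"] == "DROP" and r["recent"] and any(
                    e["target"] == "ACCEPT" and e["proto"] == r["proto"] and e["dport"] == r["dport"]
                    for e in crules[:idx]):
                findings.append(f"{chain}: rate-limit DROP for dport {r['dport']} is shadowed by "
                                "an earlier ACCEPT on the same port; move it above the ACCEPT")
            if r["target"] != "ACCEPT" or not r["dport"]:
                continue
            lo, hi = port_range(r["dport"])
            if hi - lo >= WIDE_RANGE:
                findings.append(f"{chain}: ACCEPT covers {hi - lo + 1} ports ({r['dport']})")
            if chain == "INPUT" and lo == hi and lo in SENSITIVE_INBOUND and r["src"] is None:
                findings.append(f"{chain}: dport {lo} open to any source; restrict with -s")
            if chain == "OUTPUT" and lo == hi and lo in CLEARTEXT_OUTBOUND:
                findings.append(f"{chain}: cleartext {CLEARTEXT_OUTBOUND[lo]} (port {lo}) allowed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run it against `iptables-save` output piped into audit() before loading a ruleset with iptables-restore; the shadowing and missing --set checks are the ones that bite, because the firewall still loads and nothing in the logs tells you the rate limit is dead.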

PIX/ASA 7.x Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client

Easy VPN Server (ASA 5520)

!--- Configure the outside and inside interfaces.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
!

!--- This access list is used for a nat zero command that prevents
!--- traffic which matches the access list from undergoing
!--- network address translation (NAT).

access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0

!--- This access list defines the traffic that should pass through
!--- the tunnel. It is bound to the group policy as the split-tunnel
!--- network list; the crypto map itself is dynamic.

access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!

!--- Specify the NAT configuration.
!--- nat 0 exempts the traffic matched by the no-nat ACL from NAT.
!--- nat 1 translates all other inside traffic to the outside address.

global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.20.20.2 1
!

!--- This defines the group policy used with Easy VPN: the networks that
!--- should pass through the tunnel, and network extension mode (nem).

group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
webvpn

!--- The username and password associated with this VPN connection.
!--- You can also use AAA for this function.

username cisco password 3USUcOPFUiMCO4Jk encrypted
!

!--- PHASE 2 CONFIGURATION ---
!--- The encryption types for Phase 2 are defined here: single DES with
!--- the MD5 HMAC, as in the original Cisco example. Both are obsolete;
!--- on any image that supports it use esp-aes-256 esp-sha-hmac instead.

crypto ipsec transform-set mySET esp-des esp-md5-hmac

!--- Defines a dynamic crypto map with the specified transform set.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

!--- Binds the dynamic map to the IPsec/ISAKMP process.

crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP

!--- Applies the crypto map to the outside interface.

crypto map myMAP interface outside

!--- PHASE 1 CONFIGURATION ---
!--- isakmp policy 1 defines the Phase 1 parameters. DES, MD5 and
!--- DH group 2 match the original example; prefer AES, SHA and
!--- group 14 or higher wherever both ends support them.

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

!--- The tunnel-group commands bind the configuration defined above to
!--- the tunnel used for Easy VPN. This tunnel (group) name is the one
!--- specified on the remote side.

tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
!--- The pre-shared key used here is "cisco" (shown masked).
pre-shared-key *

Easy VPN Remote Hardware Client:

PIX Version 6.3(5)

!--- Brings the interfaces out of a shutdown state.

interface ethernet0 auto
interface ethernet1 auto

!--- Assign the interface names.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
!

!--- Assign the interface IP addresses.

ip address outside 10.10.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
!
!--- Set the standard NAT configuration.
!--- Easy VPN provides the NAT exemptions needed.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
!--- Specify the default route.

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!

!--- Easy VPN Client Configuration ---
!--- Specify the IP address of the VPN server.

vpnclient server 10.20.20.1

!--- This example uses network extension mode.

vpnclient mode network-extension-mode

!--- Specify the group name and the pre-shared key (the tunnel-group
!--- name and key configured on the ASA).

vpnclient vpngroup mytunnel password ********

!--- Specify the authentication username and password.

vpnclient username cisco password ********

!--- Enable the client. After you issue this command, the tunnel is established.

vpnclient enable

Summary:

ASA:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
!
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.20.20.2 1
!
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
webvpn
!
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
!
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
!
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
pre-shared-key *

PIX Easy VPN Client:

interface ethernet0 auto
interface ethernet1 auto
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
!
ip address outside 10.10.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
vpnclient server 10.20.20.1
vpnclient mode network-extension-mode
vpnclient vpngroup mytunnel password ********
vpnclient username cisco password ********
vpnclient enable

!--- After you issue vpnclient enable, the tunnel is established.