Cisco :: ASA 5505 Series / Unable To Access New Subnet
Dec 7, 2011
I am working on a site that has recently added a new subnet and I am unable to ping any of the stations on this new network. I have configured an Exempt NAT rule just the same as the rules allowing access to other networks. I have a feeling the problem is in the Site-to-Site VPN configuration since the new subnet is at the primary location over the VPN.
In the site-to-site configuration I added the new subnet to the list of "Remote Networks" and I still can't communicate with any of the devices on the network. If I go to the main site I have no problems so it appears to be related to the VPN or a configuration in the ASA on that site.
A port scan shows that all the traffic is "filtered" so somewhere either the site ASA or the main ASA is blocking the traffic.
Mar 23, 2011
I want to give access to remote subnet on firewall 5505.
Remote subnet is 16x.15X.56.0
Here is my access list
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.254.0 16x.15X.56.0 255.255.254.0
Apr 23, 2013
I can't access the bvi interface I use to manage the AP1261N from an IP address that is not in the same subnet of the bvi interface. The AP is configured as root bridge. Obviously I've the same behaviour for the non-root AP connected to it. For sure it's an ap configuration problem as other devices in the same vlan (vlan1) are reachable by the vlan I'm connected to. This is the conf:
version 15.2
no service pad
service timestamps debug datetime msec
[Code].....
Jun 5, 2012
I have an ASA 5510 running v8.4(3)9 and have set up a remote user VPN using the Cisco VPN client v5.0.07.0410, which is working apart from the fact that I cannot access resources on a secondary subnet. The setup is as follows:
-ASA inside interface on 192.168.10.240
-VPN clients on 192.168.254.x
I can access resources on the 192.168.10 subnet but not any other subnets internally. I need to specifically allow access to the 192.168.20 subnet, [code]
Jun 9, 2013
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.
Apr 21, 2012
I have two offices connected with an IPSEC VPN tunnel using RV220W routers. The tunnel works fine for local users between the two sites (Site 1: 10.0.0.x; site 2 is 10.0.2.x). I have also set up PPTP users for remote access. PPTP users that connect to site 1 cannot access site 2 and vice versa. The PPTP users have no trouble accessing the resources on the site that they connect to. I have tried activating RIP and adding various static routes with no success. If I PPTP connect to site 1 and I tracert to an IP address on site 2, the route goes to the site 1 router and then goes to the internet (connected to the site 1 router) where it stops.
Sep 2, 2012
I have powered ON the WLC (2100 Series) and connected the LAN port of the WLC to my PC. To access the WLC GUI, what is the factory default IP address?
I connected Console Port of WLC to Serial port of my PC. I have configured WLC as per the WLC quick guide.
Management Interface IP address :: 10.40.0.4
Management interface Net Mask: 255.255.255.0
[Code].....
The result is the same even when the commands below are used:
Configuration mode
port adminmode all enable
network webmode enable
network secureweb enable
May 7, 2013
We are having a hard time consoling into the APs using the serial connection (USB to serial converter). We have tried the recommended settings (9600, 8 bits, no parity, 1 stop bit, no flow control (also tried XON/XOFF)) without any success. We are able to connect to 3560 series switches and 5508 WLCs using the same cables, notebook and application (putty, hyperterminal & secureCRT).
Dec 3, 2012
I have an office network that was set up before I started. We have a 172. subnet and a 10.2 subnet. When users on WiFi get a 10.2 address (ran out of 172 addresses) they are not able to get out to the internet. But if the laptop is connected to a LAN port and gets a 10.2 address, they are able to get to the Internet. Not sure if it's the APs I need to configure or the PIX, seeing that if they get a LAN address of 10.2 everything works. This is becoming a bigger issue now that the company has outgrown its main subnet (172.)
APs= AIR-AP1231G-A-K9
Vlan = 172.16.1.XXX
Vlan2= 10.2.0.XXX
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
May 7, 2012
I have created a remote access VPN in my ASA 5505. The tunnel is established but I am not able to access the internal network.
Mar 19, 2013
I have an ASA 5505 which is unable to access the internet, even when reloading just the basic config. If I set up my laptop with the outside IP or another IP in the subnet, it does work.
[code]....
Mar 25, 2013
Problem : Unable to access user A to user B
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B
Ping is successful from user B to user A, data is accessible
After doing the packet tracer from user A to user B,
Result :
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
[code]....
Oct 24, 2012
I have an ASA 5505 that I have been using to test run the IPSec VPN connection. After studying the different configs and running through the ASDM, I keep getting the same issue that I can't receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network, I have placed the VPN clients in 192.168.10.0 255.255.255.0 network, the 192 clients can't talk to the 10.8 network.
On the Cisco VPN client I can see lots of sent packets but none received.
I think it could be to do with the NAT but from the examples I have seen I believe it should work.
I have attached the complete running-config, as I could well have missed something.
FWBKH(config)# show running-config
: Saved
:
ASA Version 8.2(2)
[Code].....
Sep 27, 2012
I have configured an ASA 5505 and it is connected to a layer 3 switch that connects to a cable modem.
The ASA is configured with the DHCP option and the PC is able to get an IP from the ASA. But from the PC I am unable to access the internet. From the ASA itself I am able to ping the websites fine.
The ASA is configured with DHCP for inside and it is also doing NAT.
When I connect the ASA directly to the cable modem, the PC is able to access the internet.
May 4, 2012
I am trying to “build up” a small home network, using the following Cisco equipment:
ASA 5505 v8.4.3 with base license
Cisco Catalyst 3750G with ipservices version 15.0.x
and 1 qty of AP1142N
I am not able to get internet access from any VRFs.
From "MILAN (LAN) VRF, I am able to ping my gw: 10.45.45.1 but I am not able to ping, for example, “linknett VRF”.
It seems that I am missing some NAT rules on the ASA, or?
If I connect my laptop directly to the ASA, I am able to get internet access!
I am not feeling comfortable with the new ASA 8.4 code yet, so I'm not so sure exactly which code I am missing on the ASA ...
Attached is a diagram including configuration files from the ASA and 3750 sw.
Jun 24, 2012
I have a Cisco ASA 5505, with basic 50 license, that is connected directly to the Cable Modem with a public IP. I have VPN configured and active on the Outside interface. When we connect, we connect just fine with no errors, but we are not able to access any resources on the remote network.
ASA IOS version 8.2(5)
Remote Network IP: 10.0.0.0/24
VPN IP Pool: 192.168.102.10 - 25
Jan 30, 2013
I am having an issue with network connectivity between remote access (RA) VPN users and remote site VPN hosts.
Topology is:
RA VPN laptop (192.168.200.3 /24) ---- internet ---- Head Office (ASA5505) -- LAN subnet 10.0.0.0 /24
SiteB (10.0.10.0 /24) ---- internet ----- Head Office (ASA5505) ---- LAN subnet 10.0.0.0 /24
From head office there is no issue communicating with RA VPN and Site B hosts, but Site B hosts and RA VPN users cannot communicate with each other at all (ping failed too).
Site B is using a Cisco 867 router with IPSEC VPN to the ASA5505 at head office. I have added the ACL on this router to access 192.168.200.x /24 for VPN traffic and exempt it from NATing. When I enabled 'drop log' in the class-map in the Zone based firewall config, I could not see any ping packets come in, so I believe the issue is in the ASA5505 config.
At the ASA5505 I use a split VPN tunnel ACL and have included the subnet for 10.0.10.0/24 as well as 192.168.200.0 /24. This split tunnel ACL is applied to both the IPSec VPN tunnel and also the RA VPN group policy. The ASA is using sw version 151-4.M5.
Jun 14, 2011
Does AIR-CT2504-25-K9 support the AIR-LAP1262N-E-K9 Access Point? How can I check this?
Oct 21, 2012
I'm not sure if this is a possible config, but I have an ASA that I need to be able to SSL VPN to, and get an IP address that is on the same subnet as my internal interface. The reason is, the person connecting in has a utility that does a broadcast on the internal network to discover the devices he is trying to connect to. Therefore, connecting over VPN and getting put on a different subnet won't work. In this case, I am going to start the ASA configuration from scratch. If it's possible to do the above, what are the correct commands to configure it? I was planning to use 10.50.0.1/24 for the internal interface, and then hand out IP addresses on that subnet to both the LAN and the VPN. This is an ASA 5505. It's on IOS 8.4.
Nov 28, 2011
I have an issue that I am at a loss as to how to solve. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their Outlook email to send messages. They can, however, receive messages without a problem. I also have a situation where users who use Windows Live to access Gmail are unable to send messages.
I have narrowed it down to the fact that these users are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and I still have the problem. I have also removed all outbound deny statements and still no luck.
Of note is that I can send emails without attachments. They take a long time to go out (from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and I downgraded to 8.0.5... still did not work... I upgraded to 8.4.3... still did not work. I am now back at 8.2.3.
My firewall config is attached. I am at my wits' end as to what else to try. The company has not renewed support for the device so I am on my own here!
Sep 24, 2011
I am using two firewalls to connect two different offices. Firewall 5510 is running ASDM 6.3 and 5505 is running ASDM 6.2. The problem is that even after connecting the two sites, I am unable to ping the remote network from either side. I have mentioned the static route as tunneled.
Jul 7, 2012
I've set up an SSL VPN to an ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a win server on the inside network but I can't get to it. Cannot even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...
I added an ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
New at VPN and have survived so far on Cisco docs but this problem is evading me.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
[Code]....
Sep 7, 2011
We want to use an ASA as a pure routing device. Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
We have defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port and made the Ethernet that acts as outside a trunk, and defined it as the global routing.
We cannot ping any of the subnet IPs defined in the ASA from outside, nor can we ping it from the internal IP addresses.
Configuration:
: Saved
:
ASA Version 8.2(1)
[Code].....
Jul 6, 2012
I've set up an SSL VPN to an ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a win server on the inside network but I can't get to it. Cannot even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1... I can ping from the 192.168.1.0 net to 10.0.0.0 and 192.168.2.0 without issue but not the other way around... I added an ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
Aug 4, 2012
I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching youtube videos, and endless google searching, and despite my best efforts I am still having an issue I can’t figure out.
I have a couple of subnets, that when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I’m not sure if it’s an access rule issue, NAT issue, or DNS issue.
Here is the network layout:
ASA: 192.168.0.2 (Primary Gateway)
192.168.0.0 (Primary facility, ASA is the gateway)
192.168.2.0 (Second facility, connected via Verizon point-to-point)
192.168.3.0 (Third facility, connected via Verizon point-to-point)
[Code].....
Feb 9, 2012
We have to make disaster recovery site EasyVPN tunnels on Cisco 5505 ASA firewalls. Now there is only one main site and 3 remote sites. For DR we have to use the same subnet as it is on the main site because the VMware virtual machines will be replicated to DR. For DR we are using Double Take software. What is the best solution for this? I think that we could use Destination NAT on the ASAs. The other sites (HQ and remote) will see only the NAT address of the DR and not the real one, which is the same as on the main site. We are using IPSec VPN? In packet-tracer on the ASA I see that the packet is first NATed and then encrypted, so it should work, yes?
Jan 31, 2012
We recently upgraded an ASA 5505 with the security plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured, 10.1.1.0, is able to access the internet without any problems. However, the new subnet 10.1.5.0 is unable to access the internet, and when we ran a trace packet the nat config nat (inside) 1 0.0.0.0 0.0.0.0 is showing as the rule that drops the packet.
Additionally we have not been able to get the 2 subnets to talk to each other even though same-security-traffic permit inter-interface is configured. How to configure the subnet 10.1.5.0 to access the internet or to get the subnets to communicate. Below is a streamlined version of our current config.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.66.66.66 255.255.255.240
 ospf cost 10
!
interface Vlan13
 nameif corporate
 security-level 100
 ip
[Code].....
May 4, 2011
I'm new to Cisco equipment much more familiar w/ Sonicwall w/ that said......I have a 5505 w/ Security Plus licensing
I have set up multiple VLANs as follows
VLAN 1 inside - still setup as 192.168.1.1 (will not be using this for our lan)
VLAN2 - outside
VLAN100 - LAN 10.1.1.1/24
[Code]....
If I do add all the VLANs above I understand I will probably have to make a trunk port since I only have 5 usable interfaces
Oct 7, 2012
I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't support multiple vlans or trunking & they are only able to connect to one switchport on the ASA. He does not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addresses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an IP range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to set up an internal network & I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.
Mar 6, 2013
I have an RV110W connected in private network 192.168.5.0/24. I have redirected the pptp port from the adsl modem to the RV110W and VPN works OK. DDNS on the adsl modem is not available. I need to use Dynamic DNS functionality on my RV110W. The device supports several DDNS services (TZO.com, Dyn DNS.com, 3322.org and noip.com). For all but TZO the public "Internet IP Address" shows as 192.168.5.110, which also gets auto registered with the DDNS service. I have tested this with a free noip.com account and this is obviously undesired behavior. I need the router to register my real public IP. For TZO it shows the proper public IP, but TZO service is no longer available on TZO.com.
Jul 14, 2008
Cisco 4404 WLC
AP 1240 - LWAP
Wireless client receives a DHCP address from central DHCP server fine. Unable to route outside of own subnet. Continuous ARP WHO HAS (Default Gateway addr) TELL (client IP) messages being received. WLC running OS 4.2.99.0.
Mar 8, 2011
I have set up two different subnets, 192.168.1.0 and 192.168.2.0, on the same 'inside' interface. They are unable to talk to each other. I can ping from the firewall to both subnets. Both sides are unable to talk to each other unless I add a route on the systems on both sides. I have added the following in the ASA5510. [code]
Jul 28, 2012
I have an 871 set up at home with 2 VLANs. Both of these vlans present a strange behavior where a user is unable to ping/contact another user on the same subnet; however, if users are on different subnets it seems to work [code]
According to the troubleshooting that I have done, the issue seems to be with the broadcast traffic: ARP request/reply do not reach another host on the same subnet (wireless to wireless or wired to wireless); however, if the wireless device initiates the connection to wired, it works fine.
I have tried to enable proxy arp on the different VLANs and BVI and different combinations but had no success in getting traffic across 2 wireless devices on the same subnet or a connection that is initiated for a wired client to a wireless one.
I tried enabling and disabling dot11 arp-cache but no luck.