Cisco :: Connect ASA 5505 S2S VPN?

Feb 28, 2012

The current scenario is as follows:

ASA 5505 Site A connects to ASA 5505 Site B via S2S VPN; both have static IP addresses.

Now I need to change ISP so that I can get more internet bandwidth, but the new ISP only has dynamic IP addresses.

Now I need to change Site B's config to use dynamic IP and still connect to Site A and establish a S2S VPN.

How can I do this? I want the ASA 5505 to change its IP daily so that the VPN connection is still up even if the ISP at site B changes its IP. Or a way to do this automatically as I don't have anybody at site B that can do this manually for me.


Cisco VPN :: 5505 - Cannot Connect To Anything LAN Or WAN

Oct 13, 2012

I have little ASA experience. To make matters worse, I understand that IOS 8.4 is very difficult to configure. I spent all day today trying to configure this ASA 5505 and am stuck at the point that my LAN traffic can happily connect to the WAN (although I can't ping the WAN). I can connect to SSL VPN from the internet, but after that I can not connect to anything LAN or WAN. Here is the basic info.
 
Inside 10.50.0.1/24
Outside DHCP
VPN range 192.168.60.0/24
 
If the 5505 can't have a separate subnet for VPN, then I'm happy to put the VPN traffic right on the LAN. My goal is to be able to VPN in to my ASA from the internet, and have full access to the network and internet. It would also be nice to fix the issue so I can ping the internet from my LAN.
 
Assuming that my ASA is only configured with the above settings and everything else is factory, are there any commands to make this work? I don't have access to the firewall at the moment to copy my running config, but I can get that if needed.


Cisco :: Unable To Connect ASA 5505 With ATT?

May 2, 2012

Has anyone had a problem connecting an ASA 5505 with ATT? I can't connect the VPN; the tunnel sometimes opens but I still can't ping anything. Only public IPs; I'm even able to ping my firewall IP. I tried PPPoE and bridge on the modem. The same configuration works on cable DSL but I can't get it to work on ATT.

I already have an ACL that allows any any inside and outside, to get the pings working, along with a lot of stuff I searched for on the internet. It seems that there are a lot of problems between the ASA 5505 and ATT.


Cisco VPN :: Inability To Connect To ASA 5505?

May 15, 2013

VPN users are having intermittent problems connecting to the ASA from the outside. When users complain, I'll log into the ASA via ASDM and watch the logs; I don't see anything get logged while they attempt to connect (AnyConnect). I have pings enabled from the outside and that's not even getting logged when pinging to the ASA. However, as soon as I run a ping, sourcing from the ASA to a public IP, everything works!?! It's like the 'outside' port becomes inactive when not in use, but 'wakes up' as soon as outbound traffic is detected. I have 5 public IP addresses from our router (3 VoIP, 1 Web Server, 1 ASA). All, except the ASA, are pingable during the occurrence. Possible that I have a bad port on the ASA? We just purchased the 5505 a month ago ..


Cisco VPN :: ASA 5505 - Can't Connect Using AnyConnect

Jun 1, 2012

I just installed a new ASA 5505 and I had to configure the ASA myself until my SmartNet is activated and the ASA is up and running on my network. However, when I try to connect using Cisco AnyConnect it fails and I get this error. What is wrong with my configuration?


Cisco VPN :: Cannot Connect Or Ping ASA 5505 In LAX From That In SFO

Sep 19, 2012

I am trying to set up a lan to lan vpn access with 2 asa5505's but I cannot ping, traceroute or connect from either side.  I can connect to both ASA 5505's from the internet, and connect to the internet FROM both 5505's, just not one to the other.  I can ping the network GATEWAYS to the routers, just not the routers themselves.

Both of these machines have been configured for previous VPNs but that configuration has been removed.


Cisco VPN :: ASA 5505 Cannot Connect Clients

Jun 3, 2012

I configured the VPN on the ASA, but I can not get a client to connect to the ASA.

: Saved
:
ASA Version 7.2(2)
!
hostname
domain-name
enable password
names
ddns update method
 ddns both
!
!
interface Vlan1
 nameif inside
 security-level 100
 ddns update hostname
 ddns update
 dhcp client update dns
 ip address 192.168.1.1

[Code].....


Cisco VPN :: 5505 - Which Firewall To Connect VPN To

Jan 19, 2012

I'm building a dual firewall solution for exchange. Currently, I also have people connecting VPN to the PIX 515E.
 
Internet ==vpn== 5505 == LAN
 
Looking to set up
 
PIX515E ==dmz== Edge server == ASA 5505 == LAN
 
In a setup like this, which device should I have people connect VPN to? The pix will be the only device directly connected to the internet. Everything else will be natted.


Cisco Firewall :: ASA 5505 - Any Connect And SSL Web Server

Feb 6, 2013

I have a Cisco ASA configured for Any Connect clients.  I also want to pass 443 traffic back to an internal web server, but not sure if I can do this since the Any Connect clients are already connecting over 443 to the ASA, right?


Cisco VPN :: ASA 5505 - Can't Connect To Internal Lans Via Vpn

Aug 11, 2011

I'm given an ASA 5505 to configure for remote access VPN. I can establish a VPN connection to the ASA 5505 but can't access any of the internal VLANs/subnets. I configured three of the ASA ports for connection into each of the internal subnets/VLANs via a switch. Given below is my full configuration.

ASA5505# sh run
: Saved
:
ASA Version 8.3(1)
!
enable password bLjadbVl0mgRQWih encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif

[Code].....


Cisco VPN :: 5505 - Cannot Connect To Internet After Connecting From ASA

Jan 20, 2013

I am a network engineer but have had no experience with firewalls. Right now I am under pressure to take care of an ASA 5505 where all the VPN and inbound and outbound rules were configured. Recently I had some changes done and redid the change, but unfortunately it removed some configuration which was meant for VPN, and now I am facing a problem.

The VPN connection establishes but I am unable to browse the internet; that is my problem. I tried inheriting the split tunnel, but I couldn't get through it. It seems I am doing something in a wrong way. I mostly use ASDM here.

I'll paste the configuration for investigation:
 
ASA Version 8.0(4)16
!
hostname yantraind
domain-name yantra.intra

[Code]......


Cisco VPN :: 5505 IPSec Remote VPN Connect But Cannot Do Anything

Apr 5, 2012

I just made a VPN on my ASA 5505 at home. I can connect successfully to it, but I can't contact anything in the network; nothing responds to ping or to anything else (including the ASA inside IP).


Cisco Firewall :: Cannot Connect To ASA 5505 Using HTTPS?

Jan 6, 2011

I'm trying to access my ASA 5505 by https://192.168.1.1 but I can't. I'm using Windows 7.  I already have installed ASDM and I can enter in the box by ASDM.  I am preparing to reformat my PC and I'm afraid that I won't be able to access my ASA if I do.
 
Mozilla shows the message: An error occurred during a connection to 192.168.1.1. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)


Cisco Firewall :: Cannot Connect Between Two DMZs On ASA 5505

Feb 29, 2012

I'm trying to connect to something through an ASA. My traffic is coming in on a DMZ interface (security level 0) and going to something on a DMZ3 interface (security level 50).

From the GUI I configured NAT exemption from the source network (on DMZ) to the destination network (on DMZ3), therefore following the guidelines that the translation is set up from most secure to the least secure interface.

I have no network connectivity to the host I need to get to. From the GUI I removed the NAT exemption rule and configured a static NAT translation instead, translating the source (on DMZ) to itself (on DMZ3) - still no joy. The ACLs in place are fine; if I use the packet tracer tool, it fails at the NAT stage; [code]

I can't see what's wrong here. I've configured static NAT or NAT exemption between inside and outside or inside and DMZ many times over the last 10 years but can't work this out. The only thing I can think of is that there might be a bug that affects DMZ to DMZ NATing, as everything between inside to DMZ and DMZ to Outside works fine.


Cisco VPN :: ASA 5505 - Got Error When Trying To Connect VPN Client

Oct 19, 2009

I get the following error when trying to connect a vpn client through an ASA5505 with an already configured ipsec AES/256 site to site connection:

regular translation creation failed for protocol 50 src:inside:192.168.1.167 dst:outside:xx.xxx.x.64

The site to site addressing is not relevant, I'm not trying to pass traffic over the site-to-site, but rather create a new vpn from inside client to outside external vpn box that's not under my control. The client is able to create a connection, but no traffic is passed, when I try to ping / rdp, the above message is returned to me. If I add the rule static(inside, outside) interface 192.168.1.167 netmask 255.255.255.255 then it works, everything works, but ONLY from this computer.

Been Googling for hours, but with no result as of yet.


Cisco Firewall :: Connect Inside To Outside In ASA 5505?

Apr 2, 2013

I have a test ASA 5505 with the setting below:

How can I connect to the internet (Vlan 1 to Vlan 11)?
 
[code]....


Cisco VPN :: Some AnyConnect Clients Cannot Connect To ASA 5505

Jul 28, 2011

I have an ASA 5505 that has had a working configuration with several AnyConnect clients using dual authentication for weeks now. My normal process for adding new users has been to configure the user in both authentication databases and the onboard certificate authority, have the user connect to the outside IP of our firewall with IE, download the P12 cert after entering their OTP and then connecting once the cert's imported to download AnyConnect.
 
I had to add a new user a couple days ago and curiously IE (8) on their computer could not connect to the outside interface of our firewall, as if the laptop had no internet connectivity. I could telnet to port 443 from a command-line, and could even hit it with Firefox (which I ended up doing to download the P12 cert...). I can hit other SSL-enabled and standard websites from IE as well as Firefox. In addition, because AnyConnect seems to rely on the same mechanism to connect as IE does, AnyConnect can't connect either.
 
I then tested using a previously working laptop fully configured with AnyConnect and a certificate and now it can't connect. There are other previously working laptops that still work, which only makes the issue more clouded.
 
In watching the logs on the firewall, when one of these non-working computers attempts to connect they hit the firewall, a connection is opened and the SSL handshake is started, but it's never finished and the connection is torn down. Working computers complete the handshake as expected and a tunnel is opened.
 
I've checked IE forums for this issue and none of the fixes found therein seem to apply or work. Since this issue seems to only affect IE and AnyConnect's ability to connect to my firewall I have to assume the issue is there.


Cisco Firewall :: 5505 Cannot Connect To Internet

Feb 27, 2011

I set up an ASA 5505 at home through a PPPoE connection. The ASA seems to obtain an IP address correctly, and I can ping a public IP address using the outside NIC, but not the inside NIC. I saw the error message when I ping: No route to ff0213 from fe801bc2b1288cd5bc1. As a result, I cannot connect to the Internet.


Cisco Firewall :: 5505 VPN Client Unable To Connect

Feb 13, 2012

We have a Cisco ASA 5505 on which we have set up a group VPN. The VPN connections from all Cisco VPN clients work fine except one. They keep getting the below error:

"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding. Connection Terminated".

Not sure why only one client won't be able to connect. The version we are using is 5.0.02 for VPN client.


Cisco VPN :: Asa 5505 - Connect From IPad With IPSec Client

Jan 27, 2013

Got some issues when setting up IPSEC/VPN on the ASA 5505. I want to connect from the iPad with the built-in IPSec client. I get these errors when I run the debug crypto isakmp.


Cisco Firewall :: 5505 / Can't Connect To All Sites Outside From Inside

Dec 20, 2012

For some reason there are some websites that I cannot access from the inside interface. One such example is lxer.com, where I am receiving this message in the browser: The connection has timed out. The server at www.lxer.com is taking too long to respond. This has "suddenly" happened, and so I am wondering what others have done when such things have happened. My outside has a DHCP IP, and I have noticed that this address had changed, so I corrected this in my router settings. ASA version is 5505
 
These are my settings:

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name example.no
enable password 123412321 encrypted
passwd 1231231 encrypted
names

[code]....


Cisco Switching/Routing :: ASA 5505 - Cannot Connect To ASDM

May 7, 2012

I have recently inherited a few networking responsibilities in an SMB network.  Nothing overly complicated. Here's my issue, there is an ASA 5505 used for VPN and in the near future a DMZ.  I can connect via the console but I'd rather use ASDM.  The problem is that I can't get it to connect.  VLAN 1 (Inside) has an address of 192.168.200.254.  This is in ethernet 0/0.  I have a laptop plugged into ethernet 0/4 and the laptop has an address on the same x.x.200 VLAN.  I can ping the VLAN1 address, but I can't use http://192.168.200.254/admin to get to ASDM. 
 
How can I do this? What should I check? Can the internal webserver that hosts the ASDM be turned off?


Cisco Firewall :: ASA 5505 - Unable To Connect To The Internet

Mar 8, 2011

I'm unable to have any internet connection for my new setup.
 
Here's the overview.
  
Current setup is
 
Internet -> Router -> PIX 501 -> Switch -> clients
 
Internet -> static ip given is 210.193.34.1 - 210.193.34.6
Router -> Static ip assigned for NAT/External is 210.193.34.1, Local ip is 192.168.1.246
PIX 501 setting ->
IP to Router, According to router screen is 210.193.34.2, but not sure what settings are done in the PIX itself as I'm unable to access it.
 
local ip is 192.168.1.1
Clients - > 192.168.1.0
 
Old setup is working fine and connected to internet. For the new setup, as I do not want any downtime for the old setup.
As you can see, there are two firewalls connected concurrently to the router. I've configured it this way.
 
Internet -> Router -> ASA 5505 -> Switch -> clients
 
ASA 5505 setting ->
IP to Router NAT/External/Outside Interface, 210.193.34.6 (Or do I set as 192.168.1.0?),
local ip/ Inside Interface is 192.168.2.1
Clients - > 192.168.2.0
 
Some setup details.
Security policy, NAT, set to default. Routing is route outside 0.0.0.0 0.0.0.0 210193.34.6
 
I'm unable to access after a week of troubleshooting.


Cisco VPN :: 5505 / Remote Access VPN Allowing Only Since Host To Connect?

Jun 12, 2011

I have created a RA VPN with a 5505 using the AnyConnect client. My VPN functions perfectly, but now I am trying to limit access so that only one single host on my network can connect. To do this I tried creating an ACL permitting the host and denying all other traffic, but it does not work; it seems everyone can connect. How can I limit the outside access to a single host?


Cisco Firewall :: Connect 5505 To 5510 Direct Via Crossover?

Mar 23, 2013

A bit of a straightforward question: is it possible to connect a 5505 to a 5510 direct via a crossover, or do you need a switch in between capable of trunking?


Cisco VPN :: 5510 / 5505 - Connect 2 Networks Via ASA Software Version 8.41

Feb 22, 2011

I use an ASA 5510 and an ASA 5505 and want to connect 2 networks via VPN. ASA software version is 8.41. Network 1 has address 192.168.90.0. Network 2 has the address 192.168.5.0. I use the site to site VPN wizard on both ASAs and create the VPN connection. Do I need to create an ACL after that? The PCs on network 1 must have access to a resource in network 2. How do I create static routing to connect both networks?


Cisco VPN :: Unable To Connect Between Remote Site And Access ASA 5505

Jan 30, 2013

I am having issue with network connectivity between remote access (RA) VPN users and remote site VPN hosts.
 
Topology is:
RA VPN laptop (192.168.200.3 /24) ---- internet ---- Head Office (ASA5505) -- LAN subnet 10.0.0.0 /24
 
SiteB (10.0.10.0 /24) ---- internet ----- Head Office (ASA5505) ---- LAN subnet 10.0.0.0 /24
 
From head office there is no issue communicating with RA VPN and Site B hosts, but Site B hosts and RA VPN users can not communicate with each other at all (ping failed too).

Site B is using a Cisco 867 router with IPSEC VPN to the ASA5505 at head office. I have added the ACL on this router to access 192.168.200.x /24 for VPN traffic and exempt it from NATing. When I enabled 'drop log' in the class-map in the zone-based firewall config, I could not see any ping packets come in, so I believe the issue is in the ASA5505 config.

At the ASA5505 I use a split VPN tunnel ACL and have included the subnet for 10.0.10.0/24 as well as 192.168.200.0 /24. This split tunnel ACL is applied to both the IPSec VPN tunnel and also the RA VPN group policy. The ASA is using sw version 151-4.M5.


Cisco Firewall :: ASA 5505 - Connect Single Internal Network To Internet?

Aug 23, 2012

I have configured an ASA 5505 to connect a single internal network to the internet; it is not working. I have attached the config.


Cisco Firewall :: ASA 5505 - Create Access Rule To Connect To System Using RDP?

Mar 6, 2012

Just started using our ASA 5505 v8.2 (1). Trying to configure the ASA appliance to allow access into an internal resource (i.e. want to be able to RDP into a system behind the ASA from the internet). I have used a static NAT:

static (inside,outside) 100.100.100.2 192.168.1.28 netmask 255.255.255.255
access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389

When I view the logs it is reporting the following: Inbound TCP connection denied from 206.100.100.1 (external IP) to 100.100.100.2 /3389 flags SYN on interface outside. Been pulling my hair out with this one as I believe I have everything configured correctly.


ASA 5505 - VLAN Tagging / Trunking Power-connect 2716?

Oct 30, 2011

Having an issue getting my DMZ VLAN working. Running my ASA5505 and I have configured e0/2 for DMZ w/ VLAN ID 3. Connected to my 2716 on port2. Inside e0/1 w/ VLAN ID 1. Connected to my 2716 on port1.

I am trying to get my DMZ VLAN to ports 3 & 4 (LAG1), but when I assign the LAG group to PVID 3 I lose connectivity on VLAN1. I want to send both VLANs to that host because the teamed adaptor is used for the Hyper-V Network Switch.


Cisco Switching/Routing :: 5505 Can't Connect To Public NAT Address From Internal Network

Dec 19, 2011

I have an ASA 5505 configured with an internal network, a DMZ, and a VPN on separate subnets. The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network. I have a DNS server on my internal network and it does resolve to the public IP correctly. NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly. I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP address to the external (NATed) address is allowed.
 
Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network.  If I am outside my cisco then I can go to http://72.22.214.121 easily. [code]


Cisco VPN :: EasyVPN Software Client Should Connect To Client ASA 5505?

Mar 20, 2012

I have a question about tunneling a software EasyVPN client to a client ASA network. It looks like this:

EasyVPN Server 192.168.202.0/24 Network extension mode to Client EasyVPN ASA 192.168.1.0/24. This works fine in both directions. But now I want to connect to the client ASA network via the EasyVPN software client from outside. The users are already able to connect to the ASA server on its static outside IP, obtaining an IP from a 192.168.21.0/24 pool. This works fine. But how am I able to connect to the 192.168.1.0/24 network from this client?


Cisco VPN :: VPN Between ASA 5505 And 881?

May 28, 2013

I have configured VPN on an ASA 5505 and an 881 router, as per the below design. I am seeing the tunnel get built from the Cisco 881 router for a few seconds and then it gets deleted, but nothing is showing on the ASA.








Copyrights 2005-15 www.BigResource.com, All rights reserved