Cisco Firewall :: 5520 - Remote Access VPN Through A Tunnel?

Oct 17, 2011

I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.

View 7 Replies


ADVERTISEMENT

Cisco Firewall :: 5510 RADIUS Based AAA For Remote Access Tunnel Groups

Nov 22, 2011

How would I go about configuring RADIUS based AAA for remote access VPN users?  I have an OSX RADIUS server and an ASA 5510
 
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - How To Configure Logging For Remote Access VPN

Apr 16, 2012

i have cisco ASA5520 and i have a remote access vpn .I want to configure logging for this remote access vpn.
 
i want the time user connected .how log it is connected .If any error while connecting ?

View 4 Replies View Related

Cisco VPN :: ASA 5520 - Tunnel Up But Can't Access LAN For Each Side

Nov 1, 2012

i have configured site to site VPN between asa 5520.

Site A (192.168.56.0/24)------ASA5520------Internet--------- ASA5520-------Site B ( 192.168.255.0/24)
 
VPN tunnel is up but i cant access LAN for each side. config Site A 

host name CCASA 
name 192.168.255.0 CCNetwork
dns-guard interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 41.41.38.156 255.255.255.248
[code]...

View 5 Replies View Related

Cisco Firewall :: ASA 5520 VPN Tunnel Up But Not Traffic

Nov 1, 2012

We just migrated from a single 5510 to a dual (failover)  5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]

View 12 Replies View Related

Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
 
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.

View 6 Replies View Related

Cisco Firewall :: 5520 - VPN Tunnel Not Working Properly?

Jan 11, 2012

I am getting the below  messages in my cisco asa 5520, during this time tunnel is down. just what to check whether the problem is at remote FW or with asa

[code]...

View 4 Replies View Related

Cisco Firewall :: 5520 - SSH Socks Tunnel Set Up On Server

Jul 18, 2012

I have the following setup 
|| Socks Server || >> Switch1 >> ||Cisco 5520 ASA || -->> | Switch 2| -->> Clients
 
I have a SSH SOCKS tunnel set up on the socks server which is a Linux box. When I connect my machine to the switch 2, I am NOT able to receive and mail by setting up a mail client and it seems SOCKS traffic does not reach the socks server. I can however run a telnet command on port 1080 (socks port) which connects  which shows that the port was going through and open. However there was no SOCKS traffic. When I connected the machine to Switch 1, SOCKS traffic worked as expected and I was able to receive mail.

This suggests to me that the ASA has some inherent rule that does not allow SOCKS traffic. IS this true and if so how can I bypass this?

View 4 Replies View Related

Cisco WAN :: 1841 VPN Tunnel - Cannot Access Remote Lan From Router

Dec 15, 2010

I can ping across the tunnel from the pc's on either end of the tunnel, but I can't ping across the tunnel from the routers. If i ping using the source command using the LAN interface, the ping is successfull.
 
The reason i need this is for the remote router to be able to lookup the head office server for dns wins and ldap.

View 4 Replies View Related

Cisco VPN :: Monitor Tunnel That Has End Devices ASA 5520 And NetScreen Firewall?

Dec 27, 2011

Monitor a VPN tunnel that has as end devices a Cisco ASA 5520 and a NetScreen Firewall. I'll like to be receive an alert when the VPN is down.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - IPSec Tunnel Without Private Network

Apr 11, 2013

I'm trying to achieve a site-to-site ipsec tunnel to a Cisco ASA 5520.  Most examples feature the ASA with a public interface that terminates the tuennel and a private network on another interface that the tunnel interacts with.  Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route thrugh to the other end of the tunnel.  My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. If so, what configuration options should I consider?

View 5 Replies View Related

Cisco Firewall :: Command To Check IPSEC Tunnel On ASA 5520?

Jan 7, 2013

Need to check how many tunnels IPSEC are running over ASA 5520.Tried commands which we use on Routers no luck?

View 6 Replies View Related

Cisco Firewall :: ASA5510 - Web Interface On NAS From Remote Site Across VPN Tunnel?

Dec 3, 2012

I have two routers on my internal network.

10.10.199.106 is a Cisco ASA5510.

10.10.199.108 is a Sonicwall NSA 3500
 
The sonicwall handles our site to site VPN tunnels.  The Cisco handles our client to site VPN connections.
 
I have a unit that points to 10.10.199.106 (Cisco) for internet access.  All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
 
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel.  The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
 
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway.  However, I cannot hit the unit that uses .106 (Cisco) as it's gateway. 
 
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel.  If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.

View 4 Replies View Related

Cisco Routers :: Rv120w VPN Tunnel From Internet / Cannot Access Remote Servers

Feb 23, 2012

I have setup a site-to-site VPN tunnel between 2 sites using CISCO rv120w.Everything works fine; any PC on one site can access all systems on the other site and vice-versa.The issue I have is when I start a VPN connection another site on Internet using IPSecuritas.I can initiate a VPN to site 1 and site 2; but when connected, I can only access servers that are located into the same site I'm connected to; I cannot ping the remote site.The Range of IP addresses on the internet during my tests is 192.168.11.0 (I 'm using a Mac)

-Systems with IP 192.168.1.1 and 192.168.10.1 are bridges
-Systems with IP 192.168.1.2 and 192.168.10.2 are CISCO rv120w

View 4 Replies View Related

Cisco VPN :: ASA 5520 / Access To DMZ From Remote Sites Over S2S VPN?

Nov 10, 2011

We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?

View 6 Replies View Related

Cisco VPN :: Configure Remote Access VPN In ASA 5520?

Jan 22, 2013

I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"

As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.

View 8 Replies View Related

Cisco VPN :: ASA5510 / Change Split Tunnel And Not Allow Access To Internet From Remote Location?

Mar 28, 2010

I have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured.  My remote users can access inside LAN servers as well as the Internet from their remote location.  What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet?  Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall.  This will allow the same security as if they were sitting in the office.

View 4 Replies View Related

Cisco VPN :: Remote VPN With ASA 5520 - Can't Access Internal Network

Mar 14, 2011

I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.

View 8 Replies View Related

Cisco VPN :: 5520 Terminate Remote Access VPN Connection

Aug 6, 2012

I Have asa 5520 terminate the remote access VPN Connection,when successfully  connect to my corporate Network and try to copy a file(30MB) from the share to my PC ,it takes around 2 Hours or it disconnect.what is the speed of the vpn client once y connected to the corporate over the Internet ?at my home i have 512 ADSL while at my corporate we have 155Mbps Internet speed.

View 1 Replies View Related

Cisco VPN :: 5520 Controlling Remote Site Access Through LAN-to-LAN

Mar 19, 2013

We have 2 5520 ASA's working in an active/standby function at our central site. The remote agencies have control of their ASA's or other devices able to create VPN tunnels back to the central site. When a new remote agency wants to connect to our central site we assign them a network range that is routable on the central sites network.We ask that the remote agency NAT into the addresses we provided them.This way we are able to route back to them. We assign the interesting traffic and then they we start communicating by way of the tunnel.  
 
Since the central site can't control the traffic coming in on the site to site tunnel other than just defining the interesting traffic AND we aren't able to control the NAT on the remote end how can I put an access list on the central site ASA to allow only certain ports and IP's by way of access list?   Ultimately, I'm trying to limit traffic on the central site coming inbound to only allow traffic I want.  I tried applying a group policy to the lan2lan site to site tunnel, but it failed for some reason. It actually prevented all traffic. Can I apply a group policy to a site-to-site tunnel?  
 
I'm struggling here a bit as I don't have control of the remote end.   They can NAT whatever they want to an address in the range we assigned them.   The tunnels interesting traffic is set to full ip to the central site's destination.  The interesting traffic on the central site is set the same. However, on the central side...I want to limit that traffic to only certain ports by way of an acl.  If it is possible to assign a site-to-site tunnel a group policy and filtering is done in that method, can                  

View 3 Replies View Related

Cisco VPN :: ASA 5520 - IPSec Remote Access VPN Design

Mar 7, 2011

Is there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.

View 6 Replies View Related

Cisco VPN :: ASA 5520 / Remote Access VPN - Allow Based On Ports

Jan 25, 2013

I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.

After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.
 
how can i allow user to access a server with defined port only and not any other service/port access for the server.

View 4 Replies View Related

Cisco VPN :: ASA 5520 8.2(3) - Allow Remote Clients To Access Other Networks

Oct 24, 2012

I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks.  Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that).  Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)?  Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?

View 5 Replies View Related

Cisco Firewall :: ASA 5520 / Establishing L2L VPN With Remote Site?

Jan 9, 2012

I am having an issue with establishing L2L VPN with remote site. My side is cisco asa 5520 and other side is check point UTM-- tunnel is not up.just wnated to confirm on my sidde if the configuration is OK.al the parameters using are correct for both side.  any issue with below conf ? default route is pointing to my next GW address is there additiona default is required for VPN ? to reach the remote LAN somthing like pointing to remote peer address.to give a brief idea front end device is router as GW wher in internet is terminated and other wan connections ASA is behind ther GW rtr and outside int of asa and lan interface of GW rtr is having public ip. LAN  switch is connected to ASA
 
access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
 access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
 nat (insideinterface) 0 access-list insideinterface_nat0_outbound 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

[code]....

View 9 Replies View Related

Cisco VPN :: 5520 Remote Access VPN (IPSec) Configuration Using FQDN

Apr 29, 2013

We have dns server(only Internal IP) inside our network, right now we have configured Remote Access VPN using Public IP and we connect it using the same Public IP. I need to use FQDN instead using Public IP. What is the configuration for this.
 
-Device : ASA 5520
-Configuration Type : IPSec

View 1 Replies View Related

Cisco VPN :: 5520 Active Monitoring Of Remote Access Vpn Connections

Apr 14, 2012

I am using asa 5520 and asa 5540 for remote access vpn connections. Is it possible to do active monitoring of my vpn connections so that there would be alerts for vpn tunnels that fail to establish due to other reasons other than user authentication?

View 5 Replies View Related

Cisco VPN :: 5520 VPN Filtering And Access From Local To Remote Site

Mar 21, 2012

I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I now VPN Filter works bi-directional with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)

View 4 Replies View Related

Cisco VPN :: Unable To Establish Remote Access Connection From Behind ASA 5520?

Jul 16, 2012

We have two sites, Site-A with a ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:
 
"Secure VPN Connection terminated locally by the client.
Reason 412: The remote peer is no longer responding.
 
They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config  with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work? 
 
CISCOASA# sh run: Saved:ASA Version 8.4(3)!hostname CISCOASAenable password xxxxxxxxxxxx encryptedpasswd xxxxxxxxxxxxxx encryptednames!interface Ethernet0/0 nameif outside security-level 0 ip address x.x.x.x 255.255.255.248!interface Ethernet0/1 nameif backup security-level 0 ip address

[Code]....

View 15 Replies View Related

Cisco Firewall :: 5520 - Restrict Remote IPSec Vpn From Company Pcs Only?

Aug 19, 2012

we wish to implement IPSec remote access vpn with the condition that employees should be able connect to this vpn only from company issued laptops and not from any other computers. I assume using client side certs is one of the ways to do it but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520)

View 2 Replies View Related

Cisco Firewall :: ASA 5520 Active / Standby Remote Software Update

Jun 7, 2011

We have a pair of 5510s and a pair of 5520s, each in Active/Standby mode.  I'd like to upgrade the ASDM and ASA software on these, but am finding no documentation that advises on how this can be done without physical access to the devices.  It so happens I am on site, but we will be deploying these throughout our network and I'd like to be able to perform this type of maintenance without travelling to each site.  We utilize CSM and ASDM to manage these for the most part, but are certainly capable of configuring via CLI. 
 
The issue may be my lack understanding of the ASA fundamentals, but I don't really get how the software can be copied to the individual ASAs of the pair so they may be reloaded and upgraded without outage. With a remote SSH connection to the pair, I'm only copying the software to the Active ASA, correct?  Or is there a way to get the software to each disk individually from the single SSH connection?  I'm not quite sure how to manage the Standby ASA without consoling into it... If I can indeed remotely get the software to each ASA (copying to different disks?? i.e. disk0: and disk1:?), then I also run into an issue updating the boot statement for each of them individually, though to resolve that I suppose I could just remove the old software, but that seems like bad practice before confirming the new software is ok.If there is a simpler way of deploying new code via ASDM or CSM, I'm certainly open to that.

View 4 Replies View Related

Cisco VPN :: 506 Firewall 6.3(4) PDM 1.0 / Broke Remote VPN After Site To Site VPN Tunnel Created?

May 19, 2011

It's been a long time since I played in Cisco CLI.Using a Cisco 506 Firewall 6.3(4) PDM 1.0?Problem is I created a site to site tunnnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
 
Tunnel is policy 10 using access-list 101
Remote VPN is Policy 20

Config Below:

: Saved:PIX Version 6.3(4)interface ethernet0 10fullinterface ethernet1 10fullnameif ethernet0 outside security0nameif ethernet1 inside security100enable password XLk0qAaMaA6kjvA6 encryptedpasswd VeCrsQbWdIFPwnny encryptedhostname RMS-DR-PIXdomain-name RMS.Localfixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol tftp 69namesobject-group network FTP_Clients description FTP Client PCs network-object host 192.168.xxx.xxx network-object host

[code]....

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - NAT And Firewall Access Control

Oct 4, 2012

I have an ASA 5520 in my company which does all our NAT and Firewall access control.  Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created.  This is a test before the web app is released live.  Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through.  Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?

View 2 Replies View Related

Cisco VPN :: Active / Active ASA 5520 Remote VPN Access Limitations?

Sep 19, 2011

We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved