Cisco Firewall :: ASA 5510 - Allow Only One Host Access To VPN Site To Site Tunnel
May 28, 2012
I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
We have a Cisco ASA 5510 at our main office that makes connection with a 5505 at our other office using site to site VPN. (works)
Now for the question,
we want to access our other office from the main office but we wont want them to have access to our servers etc. so basically we want to control them but they shouldn't have the rights to control us.
Is this possible with a site to site VPN? and how to do it.
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
I have an ASA 5510 8.2(5) in Site1 and a ASA 5505 8.2(1) Site2 they are setup with a site to site tunnel.Each site has VPN clients that connect and I would like to allow clients from both sides access to servers on the other side of the site-to-site tunnel.
I enabled same-security-traffic permit intra-interface I also added the remote networks to access-list that is doing the split tunneling. [code]
I have a site to site tunnel (bidirectional) configured between two ASA 5510's (head office and remote office) running 8.2.2. I'm trying to upgrade one end (head office) of the tunnel to 8.3.2 but when I do that, traffic from the remote office to the head office isn't transported. Traffic from the head office to the remote office is still fine (remote desktop sessions, etc).
A quick comparison of the 8.2.2 config and the 8.3.2 config on the head office ASA look identical in terms of the crypto/site-to-site commands.Is there any Cisco guide created yet for creating site/site tunnels under 8.3.2? I'm able to upgrade both ASA at the same time if that's determined to be a prerequisite.
I have a situation where I need to have remote users vpn into my ASA 5510 and then turn around and hit a site to site tunnel. Now when I am in our office I can hit the site to site vpn fine. When I am at home and vpn to the asa I can not get to the site to site resources. Do you see where my config is incorrect? result of the command: "show run"
How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel? I'm using an ASA5520 running 8.04.
It's been a long time since I played in Cisco CLI.Using a Cisco 506 Firewall 6.3(4) PDM 1.0?Problem is I created a site to site tunnnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
Tunnel is policy 10 using access-list 101 Remote VPN is Policy 20
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: [code]
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505. [code]
All these remote networks are at the Main Site Clavister Firewall.
I have a 5505 asa code version 8.3(2). Trying to set up a site to site tunnel with someone and he is asking if I can use ike v2. How do I go about setting up the tunnel to use ikev2? Is ikev2 an option with site to site tunnels?
I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.
Our Headquarter (asa 5510) is running a site to site vpn connection with a Branch office (router 2811). All remote users are accesing the internet through the VPN and also accesing headquarter file servers.I want to know if there is a way for some remote users to be able to use the vpn for accesing the file servers but to access the internet through the branch office. The rest of the remote users will be still accessing the internet through VPN.
I've setup a site to site vpn on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up but I am not able to pass traffic. When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail) Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
I have a ASA 5510 at our corporate HQ that has one site to site VPN. I need to add 6 additional site to site VPN's to this ASA for our remote branches. How can I add them without affecting the existing site to site VPN? The 6 site to site VPN's will all have the same settings however these settings are different from the existing site to site that I already have set up. How can I set it up so the 6 additional VPN's use their own crypto map and all use the same settings?
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
Our HQ office has an ASA 5510 with full access to internal and external IP's. We have a small group of remote users that are working from a shared office suite and they only have Internet access by way of internal default gateway. Using a VPN client is not desirable due to many other devices requiring access to HQ. Is there a way to create a site-to-site VPN from this remote office space back to HQ (ASA 5510) if they have no access to the public IP address on their end?
Site A - headquarters 192.168.1.x Site B - remote office 192.168.20.x Site C - remote office 192.168.30.x
Site A - ASA 5510 Site B - ASA 5505 Site C - ASA 5505
Site-to-site VPN is established and works between A and B, A and C. Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.
I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and one time the CLI. I generally followed the settings chosen between the headquarter and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.
Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels?
I have problem with accessing servers through site-to-site vpn from ASA which makes this site-to-site vpn and has enablerd Clientless VPN.Reason why I need it / What I need to do:ASA 5510 has enabled Clientless VPN and on this portal is allowed users to go to URL of internal servers through bookmars. We are using it when somebody could not access IPSec VPN or is in internet cafe. So this user logs into clientless vpn and click on bookmark to access mail server for exmaple. But there is problem, asa cannot access this server through site-to-site VPN.
Network:Here is quick design of my network.I don't have problem access server in VLAN 159 from VLAN 10 or 100. But I need to be able access servers in Vlan 159 from ASA 5510 which has IP address 192.168.1.4.I have this subnet which ASA belongs in BEFORE-NAT object in same place as VLAN 10, 100 are and in Site-to-Site vpn profile.
I configured ASA 5510 using dual ISP( Failover). Now my ASA working fine. Here my problem is My ASA 5510 configured for Site to Site VPN also.How my VPN switch to Secondary ISP automatically when primary ISP fails.
I am trying to setup a site to site VPN between ASA 5510 and SSG 140 firewall. ASA end of the VPN is having dynamic public IP address. I tried sending hostname as peer identity on ASA by changing the IKE parameter setting but SSG somehow is not able to match the hostname of remote peer and reporting remote as unrecognized peer. Need setting up site 2 site VPN in similar setup?
We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes ! version 12.4 no service pad
I have some challenges with a VPN config I recently setup for a client.I have at the HO the following:
- 1800 router - Avaya phones and Gateway - 1MB radio internet access
At the BO(branch office), i have:
- 871 Router - Avaya phones - 256k internet bandwidth
The only reason we setup the VPN in the first place was for the phones at the BO to be able to connect to the gateway at the HO and also able to make calls and receive calls as if the phones were at the HO.The phones at the BO successfully register to the HO, but are unable to recieve calls and dial out. Everytime I try to make a call, the phone displays a "connecting..." message. [code]
As you can see i have problems with connecting 2 SRP521W together for an VPN tunnel. I tried as much as I can but now i dont know what to do or how and where is the mistake? the connection between these two devices was there last week, after weekend (nothing changed in configs) the connection suddenly was interrupted, without any reason or warning. another day it worked again and 20 mins later connection was dead again...and now it wont establish at all.. here are some screenshots from the vpnconfigs of my devices. one has a static IP the otherone uses FQDN. These are the IKE policies: Here the IPsec Policies: and the GRE policies:
I have configured Ipsec vpn tunnel beetween two routers (from site A to site B) over untrusted internet connection by cisco 3825 routers and i can successfully access both of this routers. But now i need to access internet on site B router sitting on site A router. So that if i run traceroute from A site machine then the gateway by which internet passing through shows the ip of site B.
The Architecture of our both site routers :
Site A 10.1.11.0-----Router A 172.18.12.1-----VPN tunnel----Router B 172.18.12.2-----Site B 10.4.11.0
/////Create IKE policy crypto isakmp policy 1 encr aes authentication pre-share group 2 [Code] .....
