ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
Not very familiar with ASA and NAT'ing in general so hopefully, this will make sense.
I've created a Site-to-Site IPSec VPN tunnel with one of our clients (who uses a PIX). The remote user can connect to our local, private LAN servers without a problem. However, when the remote user tries to connect to servers on our corporate network (which is linked over WAN routers from LA to Dallas) they cant get through.
When I run Packet Trace in ASDM on our ASA all is well until the packet attempts to traverse from the Inside interface back through the Outside interface (back to the remote client side of the VPN tunnel).
I see the following "error" within the Packet Trace tool;
----------------------------------------------------------------------------------------- Type - NAT Subtype - rpf-check Action - DROP
I've attached my ASA config. The remote client-side address is 220.127.116.11, its being PAT'd to 172.30.12.75 and the remote host/network its not able to reach is 172.30.101.20 ( /24 net mask). The local segment in my LA network is 172.30.12.0/22 and the servers in this network are all able to communicate with the remote client-side user at 18.104.22.168.
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM nat (inside,outside) static interface service tcp smtp smtp to: object network BMMM nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host.The VPN IP pool works finem,The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it.The default route on the PIX points out; no other routes are defined,The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.
I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host? What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 22.214.171.124 on the Outside, but thats it no other host would be PINGable.I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp" but then everything is PINGable and the ASA does not block anything.
SyslogCollector - [Thread: SyslogObjectForwarder] ERROR, 27 Mar 2012 09:02:12,254, Could not send syslogs, removing the subscriber...Connection refused: connect SyslogCollector - [Thread: SyslogObjectForwarder] ERROR, 27 Mar 2012 09:03:15,223, Could not send syslogs, removing the subscriber...Connection refused: connect
Syslog subscription seems ok but syslog messages are dropped and not forwarded:
I attached SyslogCollector.log, SyslogAnalyzer.log, AnalyzerDebug.log
I can ping 192.168.1.254 gateway for about 5 seconds and lose the Ethernet connection.On IE nothing happens.Is there any tool I can use to find the router address or update firmware or restore factory default settings.
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
We just replaced our ancient 6509 dedicated SAN switch with a Nexus 5548UP (with 4 2248 FEXs).Our old SAN 6509 was completely separated from the Core 6509, and that Core 6509 doubled as a Datacenter switch. We've now segmented the "Datacenter" and "Core." The SAN and servers are connected to the Nexus gear rather than the Core. The old SAN had only 3 vlans. One for SAN data (Vlan16), one for management interfaces (Vlan250), and one for switch management (Vlan15).
As part of my cleanup, I want to get rid of that Vlan15 and use vlan250 for switch management. In another building, we have a 3750 that provides SAN (Vlan16) and management (Vlan250) connectivity to a single Equallogic box and a Dell PowerVault tape drive for backup purpose. That 3750 is the only device that still has an address on Vlan15 (other than the core). Refer to the drawing below.
The Core 6509 is the gateway for Vlan250 and Vlan15. I have created an interface for Vlan250 on the 3750. ACLs exist on vty connections of each switch allowing telnet access ONLY from the Mgmt 2960. There are no ACLs on the Vlans themselves.From the Mgmt 2960, I can telnet to the 3750 using either its Vlan250 IP address or its Vlan15 IP address. However, if I shut down Interface Vlan15 on the Core 6509, I can no longer telnet to the 3750, not even using its Vlan250 IP address.
The connection times out. If I attempt to telnet to the 3750 via Vlan250 from the Core 6509, I get connection refused (which I should get due to the ACL on the vty connections). I can still telnet to other devices on Vlan250 (such as the management interfaces on the Nexus 5Ks). Why am I able to telnet to the 3750's Vlan250 Interface only when the Core's Vlan15 Interface is Up?
my firewall log is full of entries listing policy violations rejections. These look like traffic from LAN to WAN that is being rejected, right? [code]Noted that most of the rejections are in the 40,000-60,000 port range.
-new RV042G -WAN 1 set to 10.x -LAN 192.168.1.1
Action Interface SourceInterface Source Destination Time
1. Allow All Traffic  LAN Any Any Always 2. Deny All Traffic  WAN1 Any Any Always 3. Deny All Traffic  WAN2 Any Any Always
Have tried re-flashing firmware to current version (was already on it), disabled SPI, disabling Denial of Service, all no change.Also noted another issue with logging; bug? When the router was brand new out of box and again after firmware flash:
* the "All" drop down of System Log was BLANK, not logging any entries although other drop downs such as "System Log and Firewall Log were * email alerts were not being triggered for log entries * clear log button appears to resolve the issue after which the ALL shows all entries now
When i access a url with http, it works fine. But with https it dosen't work, and get the message on the firefox as "The proxy server is refusing connections Firefox is configured to use a proxy server that is refusing connections. Check the proxy settings to make sure that they are correct. Contact your network administrator to make sure the proxy server is working.
I have a 3845 router. Setup SSH Version 2generated rsa keys (1024)set login localtransport input ssh and telnet is enabled since I can't get ssh connection working When I connect using SSH, I get the following error. server refused authentication protocol.
I have configured a remote access VPN on my Firewall ASA5510. Everything worked fine and I can successfully connect through the VPN. The problem is I cannot ping or connect to any of my internal network resources. I tried to add a new NAT route from outside to my internal servers using the defined pool but due to a new ASA version there are many changed I see in the NAT routes
I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
We are using an ASA with 8.4 in transparent mode. Connection fails when a host on inside tries to connect to a server on outside. This server uses mac-address 0100.5E00.0000 to load balance but replies with real mac-address.Firewall logs "Deny TCP".ARP inspection is disabled.
I have a cisco ASA 5510 that I have set up currently to access via ASDM through the Inside interface. When I VPN in using our older VPN server I can connect to it fine. I recently set up the ASA to also be a VPN server which will eventually replace the older server for our HQ. I noticed that when I'm VPN using the ASA as the VPN server, I can only ASDM to the public which I prefer not to allow. Access to the inside doesn't seem to work this way. What configurations if any would be causing this. I'm assuming it's some thing I need to adjust in the VPN configuration.
I am pretty new to Cisco networking and setting up a test router to use from home to connect into our network. My organization would like for us to provide upper management with home office setups to give them the ability to work from home. We will provide all of the equipment of course (router, phone and workstation). my boss wants me to use some of our old decommissioned equipment to set up a test home office to see how efficient and feasible it would be. I have a Cisco 1700 router, Altigen IP720 phone, and Dell Optiplex 380 workstation.
I would like to use a Cisco 1921 at my house and create a "Easy VPN Remote" connection to our ASA 5510 at work. Can I use the Easy VPN Client with the base license, or do I need the security license to take advantage of the VPN tunnel?
We have an inside interface, 192.168.10.0/23We have an outside interface, public ip...We have the ASA connected to 5 site to sites, this is working fine and through the internal interface can access all remote sites and vice vera. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24,When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read [URL] and I am confused even more.
I have a Cisco 5510 which has remote access VPN configured.Now I have new block of IP address, is there a way I can just change the outside interface IP so that people can remote in without doing anythng else?Or if I coulds be taught to create a new one.Or best way to approcah this issue?For example: it was 67.64.x.x now I need to change to 64.44.x.x.
I have a Cisco ASA 5510 that was set up as a VPN server for working remote. I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA. The problem I'm having I believe would be resolved if I enabled split tunneling but I would prefer another solution. Now..for the problem.When a user is connected via VPN, they can hit all intended devices both public and private accept servers that have static NATs in the FW. So Server A has a public of 126.96.36.199 which is one to one mapped to private address of 10.1.1.1. Now if the remote user brings up a browser and goes to 188.8.131.52 it wont work. The FW gives me a error which is posted below. However, using the private IP of the server works. I thought about trying to manipulate DNS to resolve this as the remote users are using URLs and not IPs when trying to reach these servers but again, was hoping I could resolve the NAT problem that the FW seems to be having.
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:184.108.40.206/80 denied due to NAT reverse path failure 192.168.202.x/24 is the remote vpn ip given via the ASA.
we have a base license ASA 5510, and been trying to get ICMP working to check that we're routing and not hitting any NAT translation. We have a VLAN280 setup to ISP for VPN link to remote site and another VLAN281 for internet access for internal users.
Users can browse internet from (name _inside interface e0/1 access port) which is fine. When I do a ping to remote office through the VPN I get a response pinging from VLAN280 name VPN_Link. When I do a ping from name inside interface I don't get a response both are security level 100 with same-security-traffic permit inter-interface configured.
I have been tasked with setting up a guest wireless network for a remote office. They would prefer that the guest network be on a different VLAN than the trusted network, and they want to use a different outside IP address for the guest network.
I am trying to figure out how to configure the ASA so that it supports two different LANS, each with it's own outside IP address. Is this possible?
I have a remote VPN with split tunnelling enabled. Currently, users connected to this VPN browses internet with his/her internet connection. Now, my requirement is that a roaming user connecting to the vpn must use our company's internet connection for his browsing purposes. How can I do this?Equipment we are using: ASA 5510
I am using two firewalls to connect two different offices. Firewall 5510 is running ASDM 6.3 and 5505 is running ASDM 6.2, Problem is that even after connecting two sites, i am unable to ping remote network from either side. I am mentioned static route as tunneled.