Cisco Firewall :: ASA 5510 Tunnel - Replicate Data Between Two Locations
Oct 3, 2012
I am not a ASA expert but I have configured them few times. I have a vision of a task I have to complete but not sure if it is practical or how to go about doing it.
We two locations, Location A and Location B. Both locations have a 100MB internet conection. Location A has a ASA 5510. Location B has a 5505. Users at both locations access the internet via their respective ASA. Location A is the headquarters and Location B is a disaster recovery site. We want to setup a tunnel between both ASAs. This tunnel will be used to replicate data between the two locations for DR purposes. We need the users to still use the same pipe to get to the internet but want to allocate 10MB for internet use and the remaining 90MB for the DR tunnel.
View 30 Replies
ADVERTISEMENT
May 23, 2011
Firewall ASA5510. I'm planning to get one of ASA5510 for our office in order to secure our network properly, however we have quite specific routing configuration to allow us failover to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install firewall between our ISP Ruter and internet and allow traffic to/from Data Centre. In this situation will I have to change routing configuration on Company Router or do I have to do anything with our Company Router
View 1 Replies
View Related
Dec 17, 2011
I have establlished VPN tunnle between 2 locations
I can ping accros and access server resources on both LANs The problem is that from one location I can not access Internet
I can not ping by IP,when I do tracert it just reaches default gateway of this locations from other location(office) no problem
View 1 Replies
View Related
Jun 27, 2012
I have configured a VPN tunnel between two remote locations using static IP addresses on two RV042 routers. The tunnel seems to work but the problem is that when the two hosts attempt to ping each other only one can successfully ping. One PC with IP address 192.168.1.100 can ping across the network but the second PC with IP address 192.168.2.100 cannot. These are laptops seperate from the intranet used to test the tunnel. Someone had suggested NAT may be the issue so I enabled NAT Transverse on the routers but still no luck. The following is the results from a ping test.
PC 1
ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=116ms TTL=63
[Code] ......
View 1 Replies
View Related
Dec 7, 2011
I have 2 WRVS4400N's installed in our network, one at each end of a VPN tunnel between 2 physical locations. I continue to have issues with the VPN to "Stay" connected, even after purchasing another new WRVS4400N 4 months ago. I can reboot both routers, and the VPN connects with no problem, but hangs up after a few hours / days (no pattern).
I am taking a hard look at the issue now, as about 1 month ago, the newest router "automatically" reset it itself back to factory settings (thus interrupting nearly everything in our network). After contacting support, we reset the router and re-configured it to our environment. It is plugged into a surge protected UPS (yep, I thought maybe a power issue caused the problem, but it's not). Then about 1 week ago, the other/older (9 month old) router lost it's configuration. again, reset it and all works. Including the VPN, but the VPN still works as it did before connects for a while, but then drops and generally I need to reboot the router to get it connected again (clicking on the Connect on either router doesn't work until after a reboot).
Also, in light of the recent "lost configurations", I turned on logging and now I'm getting TONS of emails of log activity, even when the network is idle (no users, no background jobs running).
after rebooting and no inter activity, I get this kind of log, all night long (to me it generally looks like the VPN connection resets and increments by 1... I'm taking a guess that the increment hits a limit someplace and I lose my VPN).[code]
View 6 Replies
View Related
Jun 11, 2012
I have FWSM failover pair, Active/Active configuration, admin and another 4 context, few context active on first FWSM, other on second FWSM.I needed to add VLANs 51 and 52 to FWSMI created VLANs on both Cat6500, created firewall vlan-group 3 a and put "firewall module1 vlan-group 3" on both cat6500Then I log in in system space on primary FWSM and created interface VLAN.Created VLANs automatically occured in system space on Secondary FWSM.Then I wanted allocate VLAN 51 and 52 to context XY, so I went to part of configuration for context XY and "allocate-interface Vlan51" and "allocate-interface Vlan52".
View 1 Replies
View Related
Feb 13, 2012
I have a question regarding firewall configurations. Is it possible to have two interfaces ( for two internet service providers) one for voice and one for data. Can I have two Outside Interfaces that one will apply to a pppoe client group and the other will apply to a static IP? Is this possible and if so What would be the steps on applying this connection? Also to note I have a point to point connection already established for the pppoe. I also have another point to point connection for data, but however I do not know how to apply this to the firewall.
View 3 Replies
View Related
Mar 22, 2011
We are facing a major issue of VPN tunnel going down very often. I have 7 Site-2-Site VPN connectivity, this works fine for some days and suddently VPN tunnel goes down intermettenly for one or few locations and i need to clear isakmp sa for that speicific tunnel to come up.When tunnel goes down the vpn phase 1 status.....
6 IKE Peer: 125.18.0.38
Type : L2L Role : initiator
Rekey : yes State : MM_ACTIVE_REKEY
7 IKE Peer: 125.18.0.38
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2
After clearing phase 1 for specific tunnel the VPN tunnel come up.
7 IKE Peer: 125.18.0.38 Type : L2L Role : responder Rekey : no State : MM_ACTIVE
CINBLR01-SQDR-FIREWALL-00002# sh version
Cisco Adaptive Security Appliance Software Version 8.0(4)Device Manager Version 6.1(5)
Compiled on Thu 07-Aug-08 20:53 by buildersSystem image file is "disk0:/asa804-k8.bin"Config file at boot was "startup-config"
CINBLR01-SQDR-FIREWALL-00002 up 1 day 17 hours
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHzInternal ATA Compact Flash, 256MBBIOS Flash M50FW080 @ 0xffe00000, 1024KB
[code]....
This platform has an ASA 5510 Security Plus license.
View 7 Replies
View Related
Feb 4, 2013
I have inherited an asa 5510 whit 4GE SSM module installed. The asa runs fine, but i can not use the 4GE SSM ports. Using ASDM or console i can get and configure the gigabitethernet1/x ports but i can not get traffic on it. The ping from the console to the ip address of the Gigabitethernet1/0 is successful. On switches or hubs connected to those ports i can not see the port's mac address. The two Internal-data0/0 and Internal-data1/0 are down and i can get they up. How to configure 4GE SSM or ASA internal-data ports.
View 8 Replies
View Related
Nov 1, 2011
I'm setting up two separate 5510's at two seperate locations. The client wants two seperate SSL-VPN's; one for the HQ and one for the COLO location. They have a single domain for which I have added a-records to point to the corrosponding ASA's thusly: [code]
My questions is this: do i need to buy seperate certificates for each ASA/fqdn/IP combo? I'm using godaddy to buy the certs. If I do need to buy seperate certs, that makes the installation easier, but may waste $$. If I only need to buy one cert, how do I set it up so that both combo's are verified?
View 2 Replies
View Related
Nov 4, 2012
We will be moving to a new data center in the very near future and with them our WAN IP addresses will be changing. Any best course of action for changing the IP addresses throughout the firewall configuration? Would it be possible/suggested to export the running-config, make the neccessary changes, then import the config? I am familiar with the ASA 5510 only so far as changes are required. It is not something I work with on a regular basis.
View 5 Replies
View Related
May 2, 2013
we have ASA 5510 Configured. this is regarding site-to-site VPN.
View 1 Replies
View Related
Nov 27, 2012
I don't know if this is in the right section, but I cannot set up a vpn tunnel between an asa 5510 and a cisco rv042 router. I believe the problem is because i need to set up a nat exempt rule on the rv042 route but don't know how.
View 1 Replies
View Related
May 15, 2013
I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up and a few minutes. I am trying to see what is causing this to drop.
View 5 Replies
View Related
May 9, 2013
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto map's don't match, i have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto map's don't match and he can't bring it up?
View 5 Replies
View Related
Dec 5, 2012
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto map's don't match, i have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto map's don't match and he can't bring it up?
View 1 Replies
View Related
Jun 11, 2012
I working on a security solution using ASA firewall. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
View 3 Replies
View Related
Oct 24, 2012
I have a dynamic VPN site to site between a Firewall ASA 5510 with ASA version 8.2(1) (firewall ASA have a Static IP 201.111.14.114) and a C870 ISR (the ISR have a dynamic IP). The tunnel and the conectivity in both sides is successfull, however each time that occurs a interface restart because the Internet link is unstable in ISR side the VPN tunnel does not going to UP STATE again
These are the ISR logs listed when VPN going to DOWN
*Mar 10 13:58:45.157: %LINK-3-UPDOWN: Interface ATM0, changed state to down
*Mar 10 13:58:46.157: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
[Code]......
View 2 Replies
View Related
Jul 19, 2011
So I've run into a problem on my ASA5510, post-upgrade I can no longer connect to the inside interface from across our L2L VPN. I've tried both ASDM and SSH and the connections fail. I see in the logs that the attempt is being made, but it will eventually time out. There have been no problems with this type of connection with any previous upgrades, just this particular upgrade, I went from 8.4(1) to 8.4(2). I don't see much in the release notes or anything in a pre/post config diff that jumps out as a cause to this behavior. The only thing I did see in the release notes "CSCtg50770 Mngt-access (ASDM,SSH) to inside intf of 5580 fails over RA VPN session" which sounds like it could be my problem, but that was in the "Fixed in 8.4(2)" section and says it's for a 5580, maybe the fix for the 5580 broke it on a 5510??? I hope not and that I'm simply missing some new setting that I need to enable for this type of connection as this device is in a remote office.
View 2 Replies
View Related
Nov 22, 2011
How would I go about configuring RADIUS based AAA for remote access VPN users? I have an OSX RADIUS server and an ASA 5510
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?
View 4 Replies
View Related
Apr 17, 2013
We installed a new ASA 5515 about a month ago for the corporate office we also have 40 branch locations that feedback VOIP, camera, and Citrix to the corp location. Each of the branch locations have a separate DSL connection with a local provider and all of them are dynamic IP addresses.
The problem I have is that I cannot figure out a access rule to make the voip traffic work 100% of the time what ends up happening is five or six random locations change IP address's every day and I could not figure out how to create a access rule for that so I create a static route with that dynamic IP and then it will change a week or so later. That's a horrible security risk and a lot of manual work.
View 4 Replies
View Related
May 28, 2012
I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
View 33 Replies
View Related
Mar 12, 2013
i am new to MPLS on cisco routers. For our interoperability testing i need MPLS tunnel counters output ( data sent out and data received.). i am not able to find this information in cisco user guide. As per standard it is defined in MIB table mplsTunnelPerfTable of stdte.mib.
View 7 Replies
View Related
Jul 26, 2011
My RVS4000 router freezes up when a lot of data is being pushed through the Ipsec tunnel. Let me explain in detail.
On physical location A, I have an RVS4000 router (with IP 192.168.3.1) which is permanently connected with a WRVS4400 router (with IP 192.168.1.1) on physical location B. The Ipsec tunnel has been configured using the Easy Setup Wizard of Cisco and has been working fine and stable for months. Both routers have another Ipsec tunnel with another WRVS4400 router (with IP 192.168.2.1) on physical location C, but this router does not play a role in the problem below.Recently, I’m trying to set up a remote backup service between physical location A and B using “rsync”, which uses port 873. Due to the Ipsec/VPN tunnel, I could configure rsync to move the backup files from our NAS on location A (NAS has IP 192.168.1.2) directly to location B (NAS has IP 192.168.3.2). Both NAS-devices are of the brand Synology (DS211J). The Ipsec tunnel guarantees that the data is coded and thus secure.
However, when pushing the first batch of data, I noticed that the router on the receiving end (RVS4000) freezes up after approx. 1,5h after the batch has started, which is after approx. 1 gigabyte of data has been transmitted. The connection with the WAN is lost, also the VPN-tunnel is not working, I cannot ping the device or reach its configuration pages (on 192.168.3.1), the only option is unplugging it and letting it reboot. I’m thinking the router cannot deal with the huge amount of data that needs to be decoded. I tried 5/6 times, with always the same result (timing / amount of data pushed through before router freezes varies slightly).
View 11 Replies
View Related
Jan 2, 2013
Is it at all possible to channel all/some data traffic through an established ipsec tunneled connection using the RVL200? I have successfully established an ipsec connection through RVL200 and RV042 routers and are able to connect to servers/computers behind it.Now I want to channel all or some traffic through the ipsec-tunnel for computers that reside on 192.168.1.0 subnet of RVL200 network.
Main office - RV042 router - 10.200.62.1
Remote office - RVL200 router - 192.168.1.1
I am trying to use the Advanced Routing option to add static routes but I am not 100% sure if I am configuring the routes correctly.To give an example of routing DNS requests for HOTMAIL.COM [65.55.72.183]: [code]For some reason this does not appear to work. I have also tried using the interface setting of WAN and tested - this also does not work.
View 10 Replies
View Related
Sep 15, 2012
I have WLC 5508 with 6.0 software and kept in main office and 10 sites are connected . I created Group and hreap for the sites AP.Now customer wants the secondary WLC to keep on one another site. And the customer is asking all the configuration like ap group and all should come to secondary wlc automatically . In future also if he create any new group in primary it should come in secondary wlc.And if primary goes down the secondary should controll all the sites and when comes up primary should taken care.Active standbye mode.
View 10 Replies
View Related
Apr 9, 2013
I am replacing a 7204 router with a 4948 and am having trouble trying to replicate the config for the qnq Layer3 interface.A bit of background - I am a service provider where I have an interconnect with the carrier, who pass off WAN links to me as a standard VLAN Ids. Some of these VLANs however I can do QnQ.
This works fine - but I can get the second-dot1q 50 command working properly
View 14 Replies
View Related
Apr 17, 2012
I have a 5510 that has 2 site to site vpn's that aren't working. Phase 1 and 2 are up, but no data packets are being sent. This just started randomly 2 days ago after working for weeks.
View 6 Replies
View Related
Dec 2, 2012
just upgraded my ASA5510 from IOS 8.25 to 8.42Everything is running fine apart from one VPN between ASA5510 and cisco 887V router.The VPN session is up but no data traffic is being passed through The tunnel although this VPN was working fine with old IOS. The tunnel is up but no data is passing through IKEV1 session.
protected vrf: (none) local ident (addr/mask/prot/port): (10.0.12.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0) current_peer xxxxxx port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts [Code]...
View 1 Replies
View Related
Jun 11, 2013
We currently run dual ASA 5510's in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. Trying to decide between a 5505/5510/5512x, We would like to extend many of the capabilities of our network to the branch campus which will be 20-50 users on a 50mb/10mb internet connection.
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?
View 4 Replies
View Related
May 2, 2012
I have two 5510's that I am trying to get a tunnel established. One has an exsistinig tunnel to a 5505 that works but I cant get the next one to get past the first phase. I have sanitized the attached configs
View 5 Replies
View Related
May 30, 2012
I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.
View 20 Replies
View Related
Dec 12, 2011
I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel, when our clients send traffic and the tunnel is down due to inactivity it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?
View 4 Replies
View Related
