Cisco Firewall :: ASA5510 - Web Interface On NAS From Remote Site Across VPN Tunnel?

Dec 3, 2012

I have two routers on my internal network.

10.10.199.106 is a Cisco ASA5510.

10.10.199.108 is a Sonicwall NSA 3500
 
The sonicwall handles our site to site VPN tunnels.  The Cisco handles our client to site VPN connections.
 
I have a unit that points to 10.10.199.106 (Cisco) for internet access.  All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
 
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel.  The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
 
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway.  However, I cannot hit the unit that uses .106 (Cisco) as it's gateway. 
 
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel.  If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.

View 4 Replies


ADVERTISEMENT

Cisco VPN :: 506 Firewall 6.3(4) PDM 1.0 / Broke Remote VPN After Site To Site VPN Tunnel Created?

May 19, 2011

It's been a long time since I played in Cisco CLI.Using a Cisco 506 Firewall 6.3(4) PDM 1.0?Problem is I created a site to site tunnnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
 
Tunnel is policy 10 using access-list 101
Remote VPN is Policy 20

Config Below:

: Saved:PIX Version 6.3(4)interface ethernet0 10fullinterface ethernet1 10fullnameif ethernet0 outside security0nameif ethernet1 inside security100enable password XLk0qAaMaA6kjvA6 encryptedpasswd VeCrsQbWdIFPwnny encryptedhostname RMS-DR-PIXdomain-name RMS.Localfixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol tftp 69namesobject-group network FTP_Clients description FTP Client PCs network-object host 192.168.xxx.xxx network-object host

[code]....

View 4 Replies View Related

Cisco Firewall :: ASA5510 8.4(5) Outside PPPOE Interface Not Available In Site

May 13, 2013

We have a Cisco ASA 5510 with:
-version: asa845-k8.bin
-ASDM: asdm-711-52.bin
 
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
 
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
 
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.

View 3 Replies View Related

Cisco VPN :: ASA 5505 - Users Aren't Able To Reach Remote Network Through Site-to-site Tunnel

May 21, 2011

Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
 
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
 
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24

View 5 Replies View Related

Cisco Wireless :: Configuring 5508 At Remote Site To Tunnel Traffic From WLC At Main Site?

Sep 20, 2012

At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG).  In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG".  None of the SSIDs are "anchored".
 
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs.  This site contains two customers.  One customer is the Main customer with the second customer leasing space.
 
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan).    I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
 
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500.  It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site.  This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
 
For my test, I am starting simple.  I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low).  I have anchored this test WLAN to that controller.  At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site.  I am unable to obtain an IP address from the remote site.  I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at 7.0.220.0? What could I be missing?

View 5 Replies View Related

Cisco VPN :: ASA 5510 - Remote Clients To Site To Site Tunnel

Feb 20, 2013

I have a situation where I need to have remote users vpn into my ASA 5510 and then turn around and hit a site to site tunnel.  Now when I am in our office I can hit the site to site vpn fine.  When I am at home and vpn to the asa I can not get to the site to site resources. Do you see where my config is incorrect? result of the command: "show run"
 
ASA Version 9.1(1)
!
hostname xxxxx
domain-name xxxx
enable password xxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[ code]....

View 3 Replies View Related

Cisco VPN :: ASA5510 - Latency Through IPsec Vpn Site Tunnel

Apr 26, 2012

I have an asa 5510 that has many(17)ipsec vpn site tunnels on it.  One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it.  It does appear to be the tunnel only because there is no latency to the internet.  I cleared the tunnel group out and readded it to no effect.  isp says everything fine.  any other known causes for this

View 2 Replies View Related

Cisco VPN :: ASA5510 L2L VPN Tunnel End Point Interface?

Feb 12, 2012

Is this kind of configuration possible? Can the VPN tunnel go thru the Firewall to another interface (DMZ) on it? And not to end “outside” interface.I have DMZ network in ASA5510 interface and I like to end the L2L IPsec VPN tunnel on it. The tunnel mas go thru the ASA from Internet via outside to the end point DMZ interface. The traffic is decrypted to that interface.  So the VPN L2L peer interface is the DMZ interface IP address, not the Outside interface IP address.

View 0 Replies View Related

Cisco VPN :: ASA5510 / Change Split Tunnel And Not Allow Access To Internet From Remote Location?

Mar 28, 2010

I have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured.  My remote users can access inside LAN servers as well as the Internet from their remote location.  What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet?  Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall.  This will allow the same security as if they were sitting in the office.

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Allow Only One Host Access To VPN Site To Site Tunnel

May 28, 2012

I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host.  How can I set this up?

View 33 Replies View Related

Cisco VPN :: Site To Site VPN IPSEC Tunnel From ASA 5505 To Clavister Firewall

Nov 20, 2012

I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: [code]
 
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505. [code]
 
All these remote networks are at the Main Site Clavister Firewall.

View 1 Replies View Related

Cisco VPN :: Extend Production VLAN Behind ASA5510 To Remote Site And 2821?

Feb 24, 2011

I have an ASA 5510 and would like to extend one of the subnets behind this ASA out to my house that has a cable modem, a wireless router/switch and then behind that I have a 2821 router.  I've been reading and it looks like L2TP may be the way to go but can't find and config examples.  Again, I would like to securely extend one and nail up a permanent connection of one of the VLANs in the production network all the way into my house using my cable modem and the 2821.  Any config examples!  Also, any IOS recommendations for the 2821.  Lastly, does L2TP look like the way I need to go?  I'm attaching a very basic Visio diagram of what I'm trying to do. 

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Setup A Site To Site Tunnel?

Nov 13, 2012

I have a 5505 asa code version 8.3(2). Trying to set up a site to site tunnel with someone and he is asking if I can use ike v2. How do I go about setting up the tunnel to use ikev2? Is ikev2 an option with site to site tunnels?

View 5 Replies View Related

Cisco VPN :: ASA5505 Tunnel Some Traffic (public Host) From Remote Site

Feb 6, 2012

On remote site I have Cisco ASA5505, on cental site I have Cisco 2811 router, working site-to-site VPN tunnel. [code]

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Identity NAT Configuration For Remote Access VPN And Site-to-Site

Mar 9, 2011

I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .

i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
 
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).

View 6 Replies View Related

Cisco Routers :: Setup VPN Tunnel Between Linux Machine And RVS4000 At A Remote Site?

Jul 21, 2011

I'm trying to set up a VPN tunnel between a Linux machine and a RVS4000 at a remote site (served via satellite connection). After many efforts, I finally succeeded (based on Openswan). However, while PINGing is OK, big packets (from the RVS4000 LAN to the Linux box) arrive corrupted.
 
I lowered the WAN MTU, with no success. What finally did the trick is to lower the MTU at the RVS4000 LAN interface. Since this is not possible via the Web I/F, I did it via telnet ("ifconfig eth0 mtu 1400"). However, this change is lost after router reboot. How can I make the LAN MTU setting permanent?

View 1 Replies View Related

Cisco Routers :: RV180 To Setup A VPN Tunnel Between Remote Site And Central Office

Aug 18, 2012

I bought 2 RV180 to setup a VPN tunnel between a remote site and central office.The VPN tunnel is established, I can ping from central office to remote site but browsing on that server fails. [code]
 
Seems the routing is not really working through the VPN Tunnel.

View 4 Replies View Related

Cisco Firewall :: Site-To-Site Tunnel Between ASA 8.4 / 8.2

Oct 6, 2012

I have created a site-to-site tunnel between an ASA running 8.4 and other ASA running 8.2. But the tunnel is not coming up.
 
ASA running 8.4
++++++++++++
 
fw2# sh run crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map inside_map 20 match address tunnel-from-1166-to-nyc1_dr
crypto map inside_map 20 set pfs
crypto map inside_map 20 set peer 10.224.2.178(code)

View 4 Replies View Related

Cisco Firewall :: ASA5510 Clients With Tunnel Can No Longer FTP

Sep 21, 2011

I have an ASA5510 running in production. I have about 28 site-to-site vpn tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP us. When I do a packet tracer on the ASA, all phases are "ALLOW" but at the very end, the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel including the crypto ACL has not been changed. This same tunnel had NO issues prior to the 8.2.4 upgrade.

I thought about trying to disable "inspect FTP,. I am running FTP passive mode on the ASA so  I don't believe "inspect FTP" is required.

View 2 Replies View Related

Cisco Firewall :: ASA5510 Configured One Site To VPN

Feb 10, 2013

i have  cisco  ASA5510  Firewall and  configured   one  site to VPN . i  want  to   configure  another  s2s vpn  in  the FW for  another  Site location.what  to  in the existing  Firewall  so that  2  site to site  vpn  can work.

View 4 Replies View Related

Cisco Firewall :: ASDM Access Through S2s Tunnel Group On ASA5510

Feb 7, 2012

For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
 
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
 
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
 
This is the current config relative to the 10.1.55.0 subnet:
 
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0

[Code]....

As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
 
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?

View 27 Replies View Related

Cisco Firewall :: ASA5510 Cannot Connect To Site Through Appliance

Mar 22, 2011

I have an @Remote appliance through Ricoh for our copiers.  This appliance connects to their site to transfer meter readings and other information.  This appliance can't connect to their site to transmit data.  Ricoh is telling me the problem is on our firewill.  I have assigned the Ricoh appliance a static IP address in our network.  Our firewall is a Cisco ASA 5510.  I don't have much expereince with logging on the ASA, so I'm not sure what "teardown dynamic TCP translation from inside" means.  Is there something that is preventing this IP from contacting the Ricoh site? [code]

View 3 Replies View Related

Cisco Firewall :: ASA5510 Firewall Interface Speed

Jul 21, 2011

I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
 
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
 
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.

View 2 Replies View Related

Cisco Firewall :: Connecting ASDM To ASA5510 Over Remote VPN

Apr 19, 2011

I have two ASA5510 with a peer to peer VPN configuration which is working pretty well.I'm trying to connect to my remote ASA (ASA2) with ASDM on my PC through the VPN on the local ASA (ASA1)I already connected the ASDM to ASA1 through the inside interface but I cant connect to the ASA2 the same way (over the VPN).
 
When I ping the ASA2 inside interface from my computer, I get the following events:
 
ASA1:
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built outbound icmp connection
192.168.2.1(ASA2 inside interface)  |   0    |   192.168.1.36  |   512  |  Teardown icmp connection
 ASA2
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built local-host Corporativo(outside):192.168.1.36
192.168.2.1(ASA2 inside interface)  |   0    |   192.168.1.36  |   512  |  Built local-host identity:192.168.2.1
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built inbound icmp connection
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Teardown icmp connection
 
This is my config in ASA2
 
ASA Version 8.0(5)!hostname ciscosnqdomain-name chaco.com.boenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednamesname 192.168.2.10 SNQ-Servername 192.168.1.21 Srvplxaname 10.30.30.30 e-Servername 192.168.1.0 Experion-networkdns-guard!interface Ethernet0/0 nameif Corporativo security-level 0 ip address 10.64.12.6 255.255.0.0!interface Ethernet0/1 nameif ExP_LS security-level 90 ip address 192.168.2.1 255.255.255.0!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 nameif management security-level 100 ip address 192.168.0.2 255.255.255.0!boot system

[code]....

View 9 Replies View Related

Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.

View 3 Replies View Related

Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only  My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.

View 2 Replies View Related

Cisco Firewall :: DMZ Sub Interfaces Into Sub Interface Of Asa5510

Jul 5, 2012

We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.

View 7 Replies View Related

Cisco Firewall :: ASA5510 / How To Hide All IPs Behind An Interface

Dec 17, 2012

We use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well.  However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc. We  could deploy a proxy server in the wireless DMZ to make all the  wireless devices appear to web filter as a single IP, and apply a single  policy, but that brings it's own problems. My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?

View 1 Replies View Related

Cisco Firewall :: 5505 Firewall Between HQ And Remote Site

Jun 12, 2012

we are planning on connecting a new aquired company to ours soon?We will connect the remote site to the HQ via a D3. I've been told we will need to have a firewall between them and us for a time. I was thinking of terminating the D3 connection at the remote site of 80 users. Can I use the asr as a firewall as well, to protect the HQ from the Remote site - or should I use a seperate appliance?I was thinking of a asa5505 but, am concerned with bandwidth limitations of the box?

View 1 Replies View Related

Cisco Firewall :: ASA5510 / Unable To Establish Remote VPN Through AnyConnect

Mar 31, 2011

We have ASA5510 with version 7.x and asdm 5.X, i upgraded it to 8.3 and asdm 6.2, and i got vpn peers 250 and 2 ssl.when i try to connect through client software , i can see in the logs UDP 500 port is created as shown below.Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500) no other things are going on , and i get error as shown below.
 
Secure VPN Connection terminated Locally by the client
Reason 412: Remote peer is no longer Responding
Connection terminated on.
 
i am suspecting it is VPN-3DES-AES activation key issue.when i go to Remote Access VPN ---Advanced---SSL Seetings--From Left Encryption Panel Available Algorithems i have DES-SHA1 when i try to drag it tto Right panel of Active algorithems it gives me error *** below [ERROR] sl encryption rc4-sha1 des-sha1 The 3DES/AES algorithms require a VPN-3DES-AES activation key and currently in right panel of Active Algorithms i have only RC4-SHA1,

View 4 Replies View Related

Cisco Firewall :: ASA5510 Permit Incoming Connection From Remote LAN

Sep 4, 2011

Actually all service from site to site is permitted, without restriction.I want to insert an ASA to block some internet traffic on main site.I try to configure my ASA5510.No problem for outgoing connection or to permit a single service on main site.But impossible to give access to all service/connection from all remote site to main site. [code]

View 7 Replies View Related

Cisco Firewall :: Switch ASA5510 Outside Interface Connection

Mar 10, 2011

Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
 
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.

View 3 Replies View Related

Cisco Firewall :: ASA5510 - Block IP Address From Outside Interface

Jun 23, 2011

Recently, I've been having significant problems with denial of service on our ASA-5510. Two IP addresses in particular attack my ASA regularly. What kind of rule do I need to create to deny these IP's access to my firewall?

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved