i have cisco ASA5510 Firewall and configured one site to VPN . i want to configure another s2s vpn in the FW for another Site location.what to in the existing Firewall so that 2 site to site vpn can work.
View 4 RepliesI have a site to site VPN configured on a asa5505. The tunnel is up and the interesting traffic is successfully being encrypted. The issue is that when inbound traffic originating from a subnet outside of the encrypted range destin to the subnet within the encrypted range, the return traffic is sent into the tunnel and obviously fails.When traffic from 1.1.1.0/24 to 10.2.2.0/24 traverse the firewall the return traffic goes into the tunnel but it doesn't have the correct match parameters?Am I missing something? I'm expecting that only traffic matching the crypto map will use the tunnel and all other traffic will utilize the default route.
View 3 Replies View RelatedI am trying to determine if this is possible or not. I have tried several configurations and I can only get half of it to work.
LAN (10.1.1.0/24) =====> <===== OUTSIDE (T-1)
ASA5510
DMZ (10.1.10.0/29) ====> <===== BACKUP (DSL LINE)
The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.The backup interface routes to the internet via a DSL modem, it normally is not active.The outside interface routes to the internet via a T-1 line.The inside interface is our local LAN and the DMZ has our email server on it.I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line. No inside traffic (inbound or outbound) should go through the T-1. No DMZ traffic (inbound or outbound) should go through the DSL line.
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.I am not looking for redundancy or failover protection.
I have an @Remote appliance through Ricoh for our copiers. This appliance connects to their site to transfer meter readings and other information. This appliance can't connect to their site to transmit data. Ricoh is telling me the problem is on our firewill. I have assigned the Ricoh appliance a static IP address in our network. Our firewall is a Cisco ASA 5510. I don't have much expereince with logging on the ASA, so I'm not sure what "teardown dynamic TCP translation from inside" means. Is there something that is preventing this IP from contacting the Ricoh site? [code]
View 3 Replies View RelatedWe have a Cisco ASA 5510 with:
-version: asa845-k8.bin
-ASDM: asdm-711-52.bin
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.
I have two routers on my internal network.
10.10.199.106 is a Cisco ASA5510.
10.10.199.108 is a Sonicwall NSA 3500
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
i want configure VPN between backoffice which have ASA5510 firewall with static IP and site which have cisco router 1861 with dynamic IP.
how i can configure the site to site between them?
I have a ASA5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.Secondly request also they need failover over the ISP link.how we implement the same on ASA 5510.
View 0 Replies View RelatedWe have two ASA5510's connected to two different ISP's and both able to initiate a site-site IPsec connection to a remote site. Depending on the state of the ISP's either ASA may initiate this VPN.We use Reverse Route Injection into OSPF for VPN clients and it works fine with the route being distributed when a client connects and disappearing when there are no clients.So we thought we'd try it for our site-site VPN's. Unfortunately when we enable Reverse Route Injection the routes are distributed regardless of whether the VPN is up or not, so if one ASA has initiated a VPN it's reverse route is distributed (which is what we want) but the other ASA also distributes a route for it's non-existent VPN. The result is that our gateway routers see two OSPF routes and can't ascertain which route is actually up.
Is there any way to distribute the route using Reverse Route Injection (or any other method) only when a site-site VPN is actually up? For various reasons we can't use BGP or other gateway routing protocols.Our ASA5510 are currently running IOS 8.2(1)
we set up a site-to-site-vpn between a 5505 and a 5510 (both asa8.3.1). We configured both sides using the VPN-Wizard in the ASDM. When we try to ping from the network behind the 5505 (192.168.45.0/24) to any host behind the 5510 (192.168.0.0/24) the tunnel gets established but the ping doesn't get trough. After that we tried to connect via RDP to any host behind the 5510 and it worked well (same with ssh, telnet,vnc etc.). Now we want to map a network-share on a 2008-Server behind the 5510 but it's not working. In the ASDM-Log I see some "denied by inside-access in"-messages for the ports 139 and 445. Isn't it right that the whole traffic in the vpn-tunnel bypasses the acl? Even if we open both ports we can't connect to the network-share?
View 1 Replies View RelatedQuestion on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall.
View 3 Replies View Relatedsample configer ASA 5512-x v.9.1 for VPN site to Site, i use to configure on ASA 5510 V.8.2 but on ver 9.1 i never configure. my is use that i dont know to how to configure nonat. i saw some configration as in the attach file they just to show configure VPN but we did not see nonot on command.
View 2 Replies View RelatedI need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my suppliers end.Our supplier has configured their end and I do not have access to their configuration.
They told us we have to NAT all inside address' to a single address (192.168.89.1) as this is the only one they will let through their firewall/tunnel.I know how to set up the VPN but not too sure how to set up the NAT part.
My sanatized config is attached. The code I am using to NAT my inside network to the single address 192.168.89.1, and send all traffic accross the VPN tunnel as this address is correct? With the router running this config the VPN tunnel does not connect.
I have an issue with a site-to-site VPN tunnel between a ASA5510 and 887VA. I have two tunnels connected to the ASA and one seems to be affected where by the tunnel is disconnected and brought up around every 20 seconds. The tunnel is re-established instantly but this break in transmission is causing application issues.
View 2 Replies View RelatedI have a setup with a pair off ASA5510 on the central site, and approx 20 sites with ASA5505.A couple off network are configured as site to site tunnels to every remote site.Its very stable, but the last year or so ocassionally one of the tunnels go one-way.Just like one of the nat exeptions suddenly stops working.I can see the remote side transmitting packets, but no answer.Central site is running 8.22, want to upgrade but have to mount more RAM.The only cure i have found is to reboot the central pair off ASA5510, not very popular as all 20 tunnels goes down.
View 1 Replies View RelatedI'm trying to establish site to site VPN between ASA5510 to ASA5520, scenario. [code] our Vendor said to nat the local network to specific ip and use that ip as local pool,here the configuration details [code] i create static nat but its doesn't work for me phase 1 is not up, how to create nat local network to 10.10.10.10.
View 9 Replies View RelatedI am trying to establish a Site-to-Site VPN to our customer. I am using ASA5510 and the customer was using Fortigate 1000A. The problem that we're having was regarding the IKE Phase 2, I think!. Cisco debug information indicates "All IPSec SA proposals found unacceptable!"
View 11 Replies View RelatedI have two sites connected using ASA5510 version 6.4(5)
site A site B
10.8.0.0/20 -- ASA -------internet ------------ASA -- 10.6.0.0/24
From site A, i can vnc, rdp, telenet and ssh to site B, however from site B am not able to rdp, vnc telnet or ssh to site A (i can ping site A devices) guess am missing something in the policy but not sure if its in site A or Site B
We have a high availability pair of ASA 5510's in Data Centre where we have configured remote access to allow users log in via SSL VPN, now we want to add further security to our environment we are adding endpoint assessment licenses...the question I have would I need two sets of the license ASA-ADV-END-SEC ?
I learned the hardway before with ASA SSL VPN licenses breaking other failover pair as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in a HA pair?
I setup site to site VPN between C2921 (site A) and ASA 5510 (site B). I am having problems with SA being deleted:
1: I can alwasy initiate VPN connection from Site B to Site A.
2: after VPN tunnel is up and idle for a while, SA is dropped and I lost VPN connection from Site A to Site B.
3: to get the connection back, I have to ping Site A from Site B
4: when the connection is established, it works fine!
I am setting up a VPN between my client and their owner, in order for the owner to access ressources at my clients site.Unfortunatly their owner already has an VPN connection to another site with the same subnet as the one on my clients site.I have setup a policy NAT to translate my clients internal LAN to a "NAT" LAN, and i can ping from my clients LAN to their owners LAN, but their owner can not reach any ressources at my clients LAN.
My client has a ASA5510 with a base license, but their owner has their firewall and routing "leased" or something like that, it actually was their ISP who configured the VPN settings. That means of course that i have very limited (no) access to the other site's firewall and I actually even dont know make and model of it.
And last but not least, the subnet the Owner needs to access is on my clients Core Switch and the ASA has an internal route to it.I have pasted in a interresting parts of the ASA config here below, the displayed subnets are not the real ones . [code]
I have some home office setups that have s2s VPNs which terminate on my netscreen SSG5. I am moving off the SSG and onto an ASA5510 but not sure if or how I can make this work? The end users do not have static IPs at this point. I use dyn dns on their home routers to update their DHCP IPs from the providers. If they can't get static IPs how can I specify the peer ID with a DNS name rather than IP address?
View 1 Replies View RelatedASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies View RelatedI have an asa 5510 that has many(17)ipsec vpn site tunnels on it. One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it. It does appear to be the tunnel only because there is no latency to the internet. I cleared the tunnel group out and readded it to no effect. isp says everything fine. any other known causes for this
View 2 Replies View RelatedI am testing rogue on wire using 5508 WLC and , I have a dedicated AP configured as rogue detector and configured the switch port where the Rogue detector is connected as trunk. I have plugged in an autonomous AP with open authentication to the same switch so that it can act as a rogue. On the WLC, I can see that Autonomous AP as rogue on Wire. But along with that I am seeing another AP as rogue on wire, even though i have plugged in only one Autonomous AP to the switch.
View 3 Replies View RelatedI have an ASA 5510 and would like to extend one of the subnets behind this ASA out to my house that has a cable modem, a wireless router/switch and then behind that I have a 2821 router. I've been reading and it looks like L2TP may be the way to go but can't find and config examples. Again, I would like to securely extend one and nail up a permanent connection of one of the VLANs in the production network all the way into my house using my cable modem and the 2821. Any config examples! Also, any IOS recommendations for the 2821. Lastly, does L2TP look like the way I need to go? I'm attaching a very basic Visio diagram of what I'm trying to do.
View 4 Replies View RelatedI would like to know both Cisco 2901 or 2921 router and Cisco 5505 ASA can build site to site VPN.
1) what is the different to build site to site VPN between router and firewall ?
2) which is the best choice if using in site to site VPN connection ?
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny
[code].....
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
I have a ASA 5510 at our corporate HQ that has one site to site VPN. I need to add 6 additional site to site VPN's to this ASA for our remote branches. How can I add them without affecting the existing site to site VPN? The 6 site to site VPN's will all have the same settings however these settings are different from the existing site to site that I already have set up. How can I set it up so the 6 additional VPN's use their own crypto map and all use the same settings?
View 1 Replies View RelatedWe have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes
!
version 12.4
no service pad
[Code].....
I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
View 33 Replies View Related