I've a question about VPN IPSEC on ASA5510
In the LAN network , we use a DHCP on a Windows2003Server. Is it Possible to Configure the remote VPN Clients to use this DCHPserver throughout the VPN IPSEC and Assigned Automatically IP when the connection is done?
i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
below is my configuration
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key *
group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000
---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
the DHCP server is working when i assign ip address to the LAN network.
I have an ASA5510 running 8.2 code and I have over 200 static nats from the outside to the inside interface and that is how I expose our systems to the Internet. If this inside interface fails we also have a bypass interface that also terminates on the internal network but I am not sure how the nats will behave given they are statically mapped to the inside.
View 1 Replies View RelatedWe recently got a Cisco ASA 5510 Security Appliance and I have some general question.
We have 1 T1 internet connection, and we have 2 internal networks. These 2 internal networks currently hav access to the internet. I am having issues with the 2 internal networks being able to communicate with each other.
Cisco ASA 5510 directly facing the internet on E0/0 (1 Public IP only) with internal LAN on E0/1. Exchange 2010 OWA working fine with ACL and NAT rules configured.Problem:
•1. Cannot publish internal web servers to outside, have tried PAT.
•2. Have multiple web servers to publish with all on one protocol (HTTP) to a single public IP which I don’t know if it’s possible on a ASA.
•3.When SSL VPN is configured with Local user database, connecting from Anyconnect client gives a certificate error. Upon viewing the certificate it points to the internal mail server.
Currently my ASA5510 has a 64MB internal flash. Does the ASA require a higher capacity flash for an IOS upgrade from 7.2(x) to 8.2(x)? The Cisco Release Notes does not state any internal flash requirement, but just wanted to double check.
View 2 Replies View RelatedI am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else. Is this correct?
I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM and connect thru the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH
select "ADD"
select access type "ASDM/HTTPS"
select interface "internal"
IP Address "10.1.1.0"
Mask "255.255.255.0"
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA?
I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
Http Traffic will be routed like that : PC -> WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.
I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
View 1 Replies View RelatedI've configured a VPN IPSEC on my ASA5510. It Assigned IP/NETMASK/Gateway via a DHCP Server on the LAN.The problem is that when a client is connected to the VPN , it takes the right IP and NETMASK. ( 192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong ( 192.168.1.1). It should be the default Gateway of my LAN router ( 192.168.1.229).
View 7 Replies View RelatedI am using a fiber optic connection. I want to connect it directly to ASA5510. A WLC2504 will be connected to ASA and one Aironet AP will be deployed at first. (At this moment I am not using any Windows server but in near future I will need to deploy Windows Server 2003 in my corporate network) My questions are:
Can I configure ASA as DHCP server for my LAN?
Can I configure WLC as DHCP server for my LAN?
If we can configure both then what is the best practice from above two options? (I am new to Cisco stuff and first time user)
We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,
View 5 Replies View RelatedWe have ASA5510s and I've configured an SSL VPN using AnyConnect.. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20..0/24. After successful login, using LDAP. the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?
View 8 Replies View RelatedI want to establish GRE over IPsec tunnel between four branch offices and head office. At branch offices, I have 1841 router with Advanced Security software. At head office, I have a ASA5510 7.2 as frontend with one public IP addres and 1841 router behind it in private address space. Since ASA is not supporting GRE tunnels, can ASA be endpoint for GRE over IPsec? If not, can ASA pass this tunnel to the 1841 router behind it, so 1841 would be logical tunnel endpoint? What should I pay attention? Should both ASA and every 1841 support NAT-T, or just ASA?
View 1 Replies View RelatedI have set up a IPsec L2L VPN between a ASA5510 and a ASA5505 which is working just fine.Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error.I have already searched the forum for this message to exclude all the possible reasons for this message:
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)
- the ACL's used in the crypto maps are exactly the opposite of each other
I have a 5510 running 8.42 code with multiple site to site tunnels coming into it. Sites vary from ASA 5505's, 1841 and 1921 routers which all work perfectly. That being said I think the ASA side is good. I have an 837 running 12.4 code, Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(5b), I'm trying to configure it for site to site VPN back to the ASA. When I ping from the E0 interface I get the following debug output and nothing else. I've made a lot of changes to no avail in getting closer to a successful configuration. [code]
View 1 Replies View Relatedi want to create Remote IP Sec VPN on Cisco ASA5510.Problem is this 5510ASA is behind another 5520ASA and it dont have any public IP address on any of 5510 interface.if i do static NAT of ASA 5510 Private IP on internet facing 5520 IP Public POOL, then will VPN work on 5510 ASA? and what ports need to forward on 5520 for 5510 to become IPSEC VPN head end
View 1 Replies View RelatedI have the need to configure a backup VPN, I have remote branches with cisco 800 routers that make a VPN to an ASA5510 in the main offices, but as a DRP I want to have a backup VPN to another site. I dont know if it is a failover configuration or backup VPN, how to start investigating.
View 2 Replies View Related I have a ASA 5505, which has two IPSec RA tunnels build, for each one the user is able to authenticate and get an IP address is the designated IP pool, but they are not able to ping the Firewall, or RDP to any internal servers. Here is a copy of the running config:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa(code)
I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
View 6 Replies View RelatedI configured my cisco client with the info from the vpn wizard and get the following error :
error in the cisco vpn client when enabling the log : Invalid SPI size (log) + reason 412 the remote peer is no longer responding (application) message I see via the ASDM-IDM : Built inbound UDP connection for interface WAN
I'll explain briefly what I'm trying to do here :
* Remote vpn with windows users having cisco clients
* Group authentication and in the asa5510 LOCAL authentication
My WAN interface contains a public ip/29 I also defined a LAN interface with security level 100 in 10.0.60.0 255.255.252.0 range the vpn dhcp range I want to attribute to vpn users : 10.0.69.0/24
Basically I want users to initiate the vpn tunnel to the public IP and be able only to access the LAN range with the 10.0.60.0/22 range
ASA Version 8.2(5)
!
hostname xxxx
domain-name xxxx
[Code].....
I have an asa 5510 that has many(17)ipsec vpn site tunnels on it. One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it. It does appear to be the tunnel only because there is no latency to the internet. I cleared the tunnel group out and readded it to no effect. isp says everything fine. any other known causes for this
View 2 Replies View RelatedHow to configure CISCO ASA 5510 for multiple IPsec tunnels?On other side is CISCO 2801.
View 20 Replies View RelatedWe have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.
I want to configure a remote VPN for our clients on Cisco ASA 5510 using Dyn DNS as I dont have static IP address.
View 9 Replies View RelatedDHCP conflict on 881-W with the internal AP?I have (12) 881-W chassis in the field. They are running DHCP services to the wired users as well as to the internal AP for reachability / management / etc. The scope for the internal AP is a /30 so only one address is in the scope and it is intended for the internal AP. This serves a a point to point link between the internal AP and the internal Router inside the 881-W chassis.
Somehow the 881-W DHCP server is getting out of synch and a conflict is occurring. It seems at some point, either at boot-up or lease expiration/renewal, the DHCP server is performing a ping to verify that the address is not in use. The AP has this address assigned prior and replies to the ping causing a conflict. I noticed an AP down today, checked the 881-W uptime and the conflict correlates to the same time. I have to manually clear the conflict and everything works as it should.The existing 12 881-w's could grow to 100's over time, so the manual intervention of clearing the conflict is not going to scale. I really want to stay away from static reservations.
I recently upgraded our head end ASA5510 at our datacenter from 8.2.1 to 8.4.5. The ASDM was also upgraded from 6.2.1 to 7.1.(1)52. Under the old code, a remote ASA5505 connected via Easy VPN Remote showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It would seem to me that each split tunnel network defined in the Easy VPN profile is being counted as a tunnel. Is it possible that I may have something misconfigured now that the code is upgraded?
View 6 Replies View Relatedi am just installing my ASA 5510 and i want to configure it for remote access VPN IPSEC client.i use this doc : URl,When i start the connexion, the Client uses the first address of the pool and not the dedicated address ?,i have forget something ?
View 2 Replies View RelatedASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies View RelatedThe two controllers are having two internal DHCP servers with the same range in LAN (enx1,enx2). but i have specified which is primary DHCP server(enx3) in WLAN interface.
Now if a new user added into network, will he get IP address from primary dhcp(WLC) or AP connected WLC.
if two users connected to 2 diff AP's which are connected to 2 WLC will get the same IP address? since having same address pool configured.
I am wondering if the folowing is a valid configuration:
WLC2504
AP2600
I need 3 SSID/VLAN, 1 for corporate devices, 1 for coporate smartphones, 1 for guest.
Port 1 on the 2504 should be used for management and corporate devices and connect to the corp network. Port 2 is for smartphones/guest and will be connected to a Cisco ASA 5515 that is connected to a second ISP.
Corp devices should get IP from an Windows DHCP. Smartphones/guest should get IP from the WLC. Is this possilbe? I read this in a document "To use the WLC as a dhcp, you need to enable DHCP proxy as it is required." Some how I am imagining that this will mess with the Windows DHCP. Is it better to use the ASA as DHCP for smartphones/guest?
How do Mobility Groups work with internal DHCP scopes on a WLC 5508?We have a WLC 5508 with two internal DHCP scopes which redirect to captive portals for authentication. I am looking at putting in a second WLC in a mobility group setup to provide some WLC redundancy. The LWAPs will be setup so that every second AP is on the has the second WLC as its primary controller. If the primary WLC fails we want the secondary to be able to take over and issue IP's from the internal scope. How do you set this up with a Mobility group so the second WLC does not act as a rouge DHCP server while the primary WLC is still active?
View 6 Replies View RelatedWe created the management interface, an internal DHCP scope in same subnet, and Two SSID tied to the same management interface:
- when we connect to the first SSID we have and IP address
- but when we connect to the secone SSID: impossible to get an ip address - auth and association are OK
