Cisco Firewall :: ASA5520 - Dual Site To Site VPN

Mar 6, 2013

I've done some searching and can't come up with a definitive answer anywhere, so I'm going to ask the experts.
 
We have an ASA 5520 in our home office, connected to the Internet via IPV4 and IPV6 and it's all working great, we fully support IPV4 and IPV6 to all home office workstations and servers. We have a branch office connected back to our home office via an IPV4 site to site VPN with IPV4 connectivity through the Internet. The branch office is using an ASA5505 and only has IPv4 connectivity to the Internet.
 
We would like to set up the site to site VPN so that it supports both IPV4 and IPV6 traffic, essentially giving our branch office IPV6 connectivity to the Internet (through us) and to our IPV6 services. Most of our home office network is fully IPV6 but some older services remain IPV4 only. I know that the ASA5505 will give us either an IPV4 to IPV4 over IPv4 connection, we are currently using that, and it will give IPV6 to IPV6 over IPV4. But can it be configured to give both IPV4 and IPV6 to IPV4 and IPV6 over IPV4 connectivity?


Cisco Firewall :: Site To Site VPN Between PIX515 And ASA 5505 With Dual ISP?

Apr 13, 2011

We have got site to site VPN configured between local site with PIX515 6.3(5) and remote site with ASA 5505 7.2(4). Because of very unreliable internet connection in remote site, we have added new ISP link which we want to use as redundant link. I understand ASA 5505 can be configured with two ISP link with SLA monitor method for redundancy as per this document, [URL]
 
My question is how do I set up this PIX 515 to have a redundant VPN tunnel with the remote site (when the primary ISP link fails in the remote site and the secondary ISP link takes over). I was thinking of using the PIX 515 with 2 peers in the same crypto map used for that specific site to site VPN tunnel, not sure whether that is the right way or not though. But how would I configure the ASA 5505 to use the backup interface (where the secondary ISP router connects) to participate in the site to site tunnel?


Cisco VPN :: ASA5520 - Access-list For Site-to-Site IPSEC Tunnel

Dec 1, 2011

How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel?  I'm using an ASA5520 running 8.04.
 
I have four hosts say: 10.240.1.1-10.240.1.4
 
They need access to two different networks:

205.100.150.0
140.175.200.0
 
I would like to NAT them as something like:

7.5.210.1
7.5.210.2
7.5.210.3
7.5.210.4 


Cisco VPN :: Site To Site IPSEc Tunnel Between ASA5520 And IPSO

Aug 10, 2011

I cannot get it to work: if interesting traffic comes from the IPSO side, the box would not even try to set up the tunnel, and if it comes from the ASA side, the box attempts to do so but with this strange message: AM_WAIT_MSG2


Cisco VPN :: ASA5520 / Route Subnet Behind Site To Site To Reach Each Other

Jan 14, 2012

I have some VPN site to site ( site B and site C connect to site A ). This subnet 10.0.56.0/28 is behind site B. Another subnet 10.0.56.16/28 is behind site C. I would like to route this 10.0.56.0/28 to reach the subnet 10.0.56.16/28. Is there any possibility to do this on ASA5520 (site A)?


Cisco VPN :: ASA5520 Changing VPN GW In Site-site VPN Tunnel

Jun 14, 2012

I have a site-site VPN tunnel between my location and my remote office. My remote office is changing their ISP, so the VPN GW is getting changed. Do I need to create a new site-site tunnel again, or is changing the remote peer VPN GW in my FW enough? FYI, I have a Cisco ASA5520 and my remote office has a Check Point UTM-1 Edge box.


Cisco VPN :: ASA5520 - How To NAT Inbound Traffic From Site To Site VPN

Oct 31, 2011

I have an ASA5520 and need to set up multiple VPNs to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IPs and very little knowledge so are unable to NAT from their end. The idea is to create some /28 blocks of IPs (172.29.0.0/28) and manage this on our end.
 
How do I get this to work?  
 
example: (all IP's are fictional)
 tunnel1 
VPN
My side "outside" 10.10.10.10
Their side "outside" 20.20.20.20
 Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28

[code]....


Cisco VPN :: Site-to-site Vpn With Failover ASA5520

Sep 25, 2011

One local site where I have one ASA5520. I have to create a site to site VPN with the remote site1 and site2. VPN with site1 is primary and the other is backup. Local address on ASA is 192.168.10.10 and on the remote site1 and site2 is 10.10.10.1. I have to make sure that if VPN with site1 is active then the routing for 10.10.10.1 should be towards the VPN to site1, and if it goes down then fail over to VPN2 to site2. In case the VPN1 to site1 comes up, the traffic should shift to VPN1 to site1. Access is from ASA5520 end client to the remote server.


Cisco VPN :: ASA5520 - Site-to-site VPN With ISP Failover

Apr 15, 2013

I am using the Cisco ASA 5520 with Software Version 8.2(3).  I have several site-to-site VPN connections and two separate ISP connections.  I have set up the SLA tracker for the dual ISP so that if one fails the other one takes over.  But I don't know how to do the same for the site-to-site IPSec VPN tunnels.  I have read a few discussions on the Cisco Support Community but I am really confused about what to do.  I have two outside interfaces:  outside and WAN2.  I understand you can only apply the crypto to one interface so how would I make the change to allow the VPN to failover when the primary ISP were to fail?
 
Here is my configuration for the cryptos and SLA tracker:
 
crypto map outside_map 10 match address ACL_VPN_1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer x.x.x.x x x.x.x.x
crypto map outside_map 10 set transform-set NAME_SET
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000


Cisco VPN :: Site-to-Site VPN Using ASA 2911 Behind Dual WAN Router

Aug 30, 2011

I have a remote office with a dual WAN router (2911) in front of an ASA (5510). Our main office currently has an ipsec site to site vpn to that remote office ASA. The router has two ISPs. ISP-A is the wan link used for the site to site and has provided us with a /28 public address space which we use on the ASA outside interface for the site to site. Now we are in the process of getting a second ISP which will also provide a /28 or /29 public address space. I would like to use that second ISP for backing up the site to site in case ISP-A link goes down. I think I have the IP SLA config worked out. My question involves NAT. On the router I would like to configure a static nat that only takes place if ISP-A goes down. In other words, if everything is working fine, then the router does not nat the ASA outside address, but if the ISP-A link goes down, then the router will NAT the ASA outside address to one of ISP-B provided public addresses.


Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site to site VPN tunnel on ASA 5510 from a remote site to my HO; I already have other site-to-site tunnels up and running on the ASA. The issue is my remote site has got a network address which falls in one of the subnets used in HO (192.168.10.0/24). My requirement is only that my remote site needs to access a couple of my servers in HO which are in the 192.168.200.0/24 subnet.


Cisco VPN :: 2901 / 2921 / 5505 ASA - Router Versus Firewall Site To Site VPN?

May 30, 2013

I would like to know both Cisco 2901 or 2921 router and Cisco 5505 ASA can build site to site VPN.
 
1) What is the difference between building a site to site VPN on a router and on a firewall?

2) Which is the best choice if using a site to site VPN connection?


Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
 
My side of the VPN is an ASA 5505 running 8.2(2). The other side I believe is a Checkpoint.


Cisco Firewall :: ASA 5505 Site To Site RTP Traffic Is Hitting Deny All Rule?

Aug 13, 2012

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows
 
 Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny

 [code].....
 
It won't allow us to set up a VoIP call... however, when the same call manager sets up a VoIP call NOT using this IPsec tunnel it works just fine.


Cisco Firewall :: ASA 5510 Identity NAT Configuration For Remote Access VPN And Site-to-Site

Mar 9, 2011

I am trying to configure an ASA 5510 with 8.3 IOS version. My internal users are 192.168.2.0/24 and I configured dynamic PAT and are all internet.

I want to configure identity NAT for remote access VPN. Remote users IP pool is 10.10.10.0 to 10.10.10.10
 
I know how to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. Configure NAT exemption for 192.168.2.0/24 to my remote pool (10.10.10.0 to 10.10.10.10).


Cisco Firewall :: Adding Multiple Site To Site VPNs In ASA 5510

Oct 10, 2012

I have an ASA 5510 at our corporate HQ that has one site to site VPN. I need to add 6 additional site to site VPNs to this ASA for our remote branches. How can I add them without affecting the existing site to site VPN? The 6 site to site VPNs will all have the same settings, however these settings are different from the existing site to site that I already have set up. How can I set it up so the 6 additional VPNs use their own crypto map and all use the same settings?


Cisco Firewall :: ASA 5505 - Unable To Access Certain Ports Over Site To Site VPN

Jan 16, 2013

We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
 
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \\192.168.1.120 from a 192.168.2.x machine).
 
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable - modified the command to include the public IP instead of interface FastEthernet0.
 
I believe it has something to do with the way NAT and route-maps are set up currently but I'm not familiar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
 
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
  
Building configuration...
  
Current configuration : 23648 bytes
!
version 12.4
no service pad

[Code].....


Cisco Firewall :: ASA 5510 - Allow Only One Host Access To VPN Site To Site Tunnel

May 28, 2012

I have an ASA 5510 that has multiple site to site VPNs. I need to create an additional site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I don't want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?


Cisco Firewall :: ASA 5505 Site To Site VPN Route From Multiple LANs?

Dec 19, 2012

I've set up a standard site-to-site VPN between 2 ASA 5505s and the VPN is working fine for traffic between these ASAs and computers which are in the same LANs, but when I'm trying to connect to computers which are in another VLAN I have a problem.


Cisco VPN :: 506 Firewall 6.3(4) PDM 1.0 / Broke Remote VPN After Site To Site VPN Tunnel Created?

May 19, 2011

It's been a long time since I played in Cisco CLI. Using a Cisco 506 Firewall 6.3(4) PDM 1.0. Problem is I created a site to site tunnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
 
Tunnel is policy 10 using access-list 101
Remote VPN is Policy 20

Config Below:

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XLk0qAaMaA6kjvA6 encrypted
passwd VeCrsQbWdIFPwnny encrypted
hostname RMS-DR-PIX
domain-name RMS.Local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network FTP_Clients
 description FTP Client PCs
 network-object host 192.168.xxx.xxx
 network-object host

[code]....


Cisco VPN :: Site To Site VPN IPSEC Tunnel From ASA 5505 To Clavister Firewall

Nov 20, 2012

I have a weird problem with a site to site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall. When I restart the Cisco ASA 5505 the tunnel is up and down, up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: [code]
 
After a while, like 5-10 min, the VPN site to site tunnel is up, and here is the strange thing happening: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa. They had a Clavister Firewall on that site before and now they have a Cisco ASA 5505 and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505. [code]
 
All these remote networks are at the Main Site Clavister Firewall.


Cisco Firewall :: Max Number Of Clients And Site To Site VPN Tunnels On ASA 5505

Aug 15, 2012

I wanted to know the maximum VPN client sessions (using the Cisco VPN  client) and Site-to-Site VPN tunnels that I can connect to my ASA 5505  simultaneously.
 
In other words, if I have x VPN clients and y Site-to-Site  tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)?  If yes, can I upgrade to the security plus license to increase the Total VPN Peers to 25?

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
[Code]...


Cisco Firewall :: To Setup Syslog For Site-To-Site VPN ASA 5520

Sep 20, 2011

Any step by step guide to set up syslog for site to site VPN (in ASA 5520)? Just send me the steps to monitor site to site VPN using that in ASA 5520.


Cisco Firewall :: 5520 Slow Performance Through Site To Site Vpn

Mar 12, 2012

I'm having slow performance through a Site to Site VPN. I have an ASA 5520 in each site with the version 8.2(4) in both ASAs. I have a 20Mb internet service on one side and on the other side I have 50Mb. When I transfer a file from Site A to Site B I get a transfer rate of 130KB/s.


Cisco Firewall :: ASA 5505 Setup A Site To Site Tunnel?

Nov 13, 2012

I have a 5505 asa code version 8.3(2). Trying to set up a site to site tunnel with someone and he is asking if I can use ike v2. How do I go about setting up the tunnel to use ikev2? Is ikev2 an option with site to site tunnels?


Cisco Firewall :: Pix 525 Site To Site IPSec Bandwidth Measurement

Oct 3, 2012

I have a Cisco PIX connected at the edge of my GPRS network. Inside is the GPRS core network and outside is the ISP. On the Cisco PIX, I have site to site IPSec configured between my inside GPRS network and Blackberry servers, for Blackberry services. Using the ASDM I can see the total number of packets in and out on this site to site IPSec, but if I want to measure the trend of the bandwidth utilisation over this IPSec, per sec, then how can I do this? I have PRTG traffic monitoring, through which I did try several MIBs (listed below), but I am still not able to find the correct way. How can I get the measurement for the IPSec from the Cisco PIX?


Cisco Firewall :: Site-to-Site VPN Between ASA 5510 And 5505 Configuration

Apr 18, 2013

I am not very experienced with Cisco networking.

Here is the situation.
 
Site A - headquarters 192.168.1.x
Site B - remote office 192.168.20.x
Site C - remote office 192.168.30.x
 
Site A - ASA 5510
Site B - ASA 5505
Site C - ASA 5505
 
Site-to-site VPN is established and works between A and B, A and C. Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.
 
I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and one time the CLI. I generally followed the settings chosen between the headquarter and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.
 
Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels?


Cisco Firewall :: ASA 5510 / 5505 - Site-to-site VPN One Way Access

Dec 12, 2011

We have a Cisco ASA 5510 at our main office that makes connection with a 5505 at our other office using site to site VPN. (works)
 
Now for the question,
 
We want to access our other office from the main office but we won't want them to have access to our servers etc., so basically we want to control them but they shouldn't have the rights to control us.

Is this possible with a site to site VPN? and how to do it.


Cisco Firewall :: ASA 5505 Site-to-Site With UC540 Routing?

Dec 4, 2012

We are setting up a new phone system using the UC540 with a VPN connection between 2 buildings using 2 Cisco ASA 5505s at either end. The problem I am having is getting the phones at the remote site to connect to the UC540 at the main site.
 
Phones/Computers (10.0.1.0/24) -- ASA -------------VPN Tunnel------------- ASA -- UC540 -----------Data Vlan1 (10.0.0.0/24)
|------Voice Vlan100 (10.1.1.0/24)
 
What I am told by UC500 support is that the phones at the remote site will connect if they have connectivity to the TFTP subnet on the UC540, which is 10.1.10.0/30. I added the static route on the ASA and I can ping the 10.1.10.1 TFTP server on the UC540 from the ASA, but not for any other device on the 10.0.0.0/24 network, such as the DC. I added the static route there and was able to ping, so something in the ASA seems to be preventing it.
 
I also can't seem to get the ASA at the remote site to ping 10.1.10.1.  I've tried adding the static route there in hopes it would forward it through the VPN tunnel.


Cisco Firewall :: Site To Site VPN Multiple Networks With 3560x

Jul 24, 2012

I have Cisco 3560X L3 Switch. We have done Inter VLAN in our internal networks. Below are the VLAN details
 
Default VLAN1 IP 192.168.125.2 (Gi0/1, Gi0/23, Gi0/24)
Interface Gi0/1 (Port Configure as a Trunk)
Interface VLAN 10 SERVERS_SW (Gi0/2 to 0/6)
IP Address: - 192.168.0.1 255.255.254.0
Interface VLAN 20 USERS_SW (Gi0/7 to 0/18)
IP Address: - 192.168.152.1 255.255.248.0
Interface VLAN 30 SPARE_SERVER_SW (Gi 0/19 to Gi 0/22)
IP Address: - 192.168.8.1 255.255.248.0
 
We have Sonicwall NSA2400 Firewall and we have setup Site-to-Site between our other offices who has Sonicwall TZ210 firewall. It works fine and they are able to access all the above networks.
 
Now the problem is we have one more site which uses Vigor Firewall (with Internal Network 192.168.100.0). We have set up the site-to-site VPN between Sonicwall NSA 2400 (let's say SITE A) and Vigor (let's say SITE B) but SITE A is unable to ping to SITE B Firewall but SITE B is able to *ONLY* SITE A firewall.
 
SITE A is trying to ping from User VLANs whose local ip is 192.168.152.0 range.
 
How to add route to 100.0 so that we will be able to ping and access SITE B networks.


Cisco VPN :: 1841 / VPN Site-to-site With Zone Based Firewall

Jan 28, 2013

The problem I am having is very strange and I have tried to upgrade the IOS on the 1841 to solve the problem but no luck. The issue is when I enable Zone Based firewall security on one of the 1841 routers, two VPN site-to-site tunnels stop working. If I turn off CEF (no ip cef) then the traffic for both tunnels works. Someone told me that the Zone Based firewall must have a match for the VPN traffic and I created that with ACL 160 and 161 but it did not solve the problem.
 
Current IOS is below.
 
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.0(1)M9, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Sep-12 23:58 by prod_rel_team

[code]....


Cisco Routers :: RV042 - Site To Site VPN And Behind Juniper Firewall

Mar 25, 2013

I have no problem configuring both devices to successfully connect when the Juniper firewall isn't in the picture. But due to policy, the RV042 at our main site must sit behind the firewall.
 
I've got the port forwarding set up but I'm not able to connect. I know I'm missing some configuration on the RV042 but I can't think of it! I've attached a GIF to give an example of both setups.


Cisco VPN :: 5520 Requirement To Terminate Site-to-site VPN From Remote Site

Jun 17, 2012

We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9). Now there is a requirement to terminate site-to-site VPN from remote site. Do we need a VPN Plus licence for this and how much does it cost?
