Cisco Firewall :: Two ASA 8.4 (2) Tunnels / Only Some Remote Peers Are Reachable?

May 6, 2013

I have one ASA with two tunnels, each going to a different 3rd party Checkpoint firewall (site A, site B). Each site has two servers (A1, A2, B1, B2). I can only connect to A1 and B1; any connection to A2 and B2 fails. I have defined B2 and A2 in the crypto map to be protected. If I only have B2 or A2 in the crypto map ACL then the tunnel fails: Phase 1 does not come up. It's as if the ASA is ignoring the entries for B2 and A2. ASA running 8.4(2). I have also trashed the VPN and built it via the wizard, same result.


Cisco VPN :: ASA5505 Can Reach All Remote Networks Throw Tunnels

Jan 31, 2011

I have a friend who has, in his company, an ASA5505 at the central point and about 5 remote sites connected via VPN site-to-site. All tunnels are up and reach the central network. The only traffic that passes through the tunnel is the traffic destined for the ASA local network.
 
My friend asked me what is needed to reach from one VPN remote site to another VPN remote site, passing through the ASA5505 central site. The ASA5505 can reach all remote networks through the tunnels.
 
What does the ASA need to route traffic between the VPN tunnels? Does it need static routes on the remote sites to advertise the other remote sites?


Cisco Firewall :: PIX 515E Discovering Isakmp Key For Those Vpn Tunnels

May 10, 2011

We have a PIX firewall 515E running version 6.3(4) and there are a few site-to-site VPNs installed on it. We want to find out the isakmp key for those VPN tunnels. On the ASA we can run the command "more system..." and it displays the key, but it seems it doesn't work on the PIX 515E.


Cisco Firewall :: 5505 - Disabling Timeouts Which Affect SSH Tunnels

Jan 4, 2012

I'm running 8.3 on a 5505. We've got a few SSH tunnels originating from inside to some place on the Internet. It seems these tunnels are closed every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is an infinite timeout (0) for these SSH tunnels.
 
Suggestion 1: alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it is however recommended to alter it, how do I set it to "0" (off/unlimited)?
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 
Suggestion 2: enable an SSH class map which explicitly sets the timeout for the SSH connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disable as seen below, is that really recommended?
 
class CLASS_MAP_SSH
set connection random-sequence-number disable
set connection timeout idle 48:00:00 reset
set connection decrement-ttl


Cisco Firewall :: How Many IPSec Tunnels An ASA 5500 Series Supports

Aug 4, 2012

I tried looking in the ASA documentation but was unable to find out how many IPSec tunnels can be terminated on an ASA cluster. I have a 5545 running only two IPSec tunnels so far but need to terminate 18 sites all up and would like to confirm how many tunnels we could terminate. Is there a limitation to it?


Cisco WAN :: 1941 - ASA 5510 Via VPN Tunnels For Communication Back To Servers Behind Firewall

Jun 20, 2012

I am setting up a network that will use the 1941 router with a cellular card (HWIC) to connect to the Internet for communication with remote stations in the field. The 1941 has a static IP address (166.142.xxx.yyy) on the Internet provided by the ISP (Verizon). The 1941 is connected via Ethernet to the ASA5510. The end goal is to have the field cell routers (Digi Transport WR-44-R, also static IP) connect to the ASA5510 via VPN tunnels for communication back to the servers behind the firewall. I'm not sure exactly how to configure the 1941 so that the remote router can connect to the ASA using the public IP of the 1941 router. I have the 1941 working standalone and can connect to the Internet and pass traffic, but I tried a static NAT to translate the public IP to the private IP of the ASA and cannot pass traffic. Below is part of the 1941 configuration: [code]
 
Do I need to use VLAN bridging to accomplish the task or am I missing something with the NAT?


Cisco VPN :: One ASA5520 With Two Peers Interfaces

Feb 17, 2011

I have a location where I have 2 WAN links, but without a dynamic routing protocol in between. I want to implement a kind of hub to 2 spokes VPN. But the spokes will actually be on one single ASA firewall, each spoke on a different interface. One hub-spoke will be primary, the other one the secondary. When the WAN link for the primary VPN fails, the secondary should be started on the hub to the other spoke.


Cisco Wireless :: WAP4410n Not Reachable?

Feb 7, 2012

I have a WAP4410N. It was performing poorly, only letting some computers on the wireless while not letting others. I was able to log in to the device and I went through each of the settings pages to see if there was anything set wrong. I soon found there was a firmware upgrade available.
 
So over a wired connection I started the firmware upgrade. After waiting 10+ minutes I was unable to reach the device and the web page said it was waiting for the IP address of the device. So I rebooted the device.
 
I cannot ping the device. I cannot see it on any subnet. I have tried the reset button multiple times.
 
The ethernet and power lights are on.


Cisco :: Creating Dial Peers Through Sip Trunks?

Sep 24, 2012

Had a question regarding creating dial peers through SIP trunks. It will be through Verizon FiOS so it'll be terminated through the fa0/0 port. I know to the provider I'll implement something along the lines of this:
dial-peer voice 1 voip
session target ipv4:1.2.4.4
sipv2
port fa0/0
Many of the documentation I came across really only shows POTS dial-peers; will a VoIP dial-peer work the same? Something along the lines of this:
dial-peer voice 2 voip
destination-pattern 91[2-9]..[2-]......
no digit-strip
port fa0/0


Cisco VPN :: ASA 5505 EasyVPN Client And Peers

Jul 11, 2011

I have a Cisco ASA 5505 which is set up as an EasyVPN client to a remote VPN concentrator.
 
The Cisco ASA has the 50 internal user license with 10 VPN peers.
 
We just upgraded the license from the base 10 internal user to the 50 user license, but it has not resolved the problem: only 10 internal users still work, the 11th fails.
 
Does each EasyVPN client on the inside network take up 1 of the 10 VPN peer licenses?
 
This seems to be the issue from what I can see, just need confirmation.


Cisco VPN :: Get 2811 To Accept Two IPSec Peers?

Dec 12, 2011

I am trying to get a 2811 to accept two IPSec peers; however, I can only get one working at a time. I have set up fa0/0 and fa0/1 with their own public-facing IP addresses with crypto maps associated to each interface, however I can only establish connectivity to one interface at any one time.
 
Relevant configuration below:
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800

[code]....


Cisco Switches :: SG300 Not Reachable Beyond Subnet?

Feb 6, 2013

I'm trying to configure a SG300 to be reachable beyond its own subnet. Its IP address is configured by DHCP to 192.168.2.2/255.255.255.0. It is possible to ping the switch from the same subnet but not from outside. The switch is set to layer 2 mode. All routing should be done by the gateway.
 
Here's what I have checked so far:
The default gateway and netmask are set correctly.
The gateway can ping the switch.
Hosts in the 192.168.2.0/24 subnet have connectivity to other networks through the gateway (i.e. the gateway is configured correctly).
Administrative interface > IPv4 interface shows the correct IP address, netmask, and gateway (greyed out because it is assigned by DHCP).
The switch can ping other hosts within the same network.
 
Is there some kind of firewall setting that prevents the switch from responding to IP packets from outside the subnet?


Cisco WAN :: 861 Enabling All Internal Devices To Be Reachable Through NAT

Jun 15, 2012

I need to connect 10 branches to a datacenter using Cisco 861 routers because the Ethernet solution the provider gave us can't assign more than 32 MAC addresses for the whole network. So we have all our servers at the datacenter with a central firewall/router and all remote branches with a static route to this router. We would like to make all branch local networks available through NAT or another better solution so network devices at the datacenter network can communicate with all local devices across all the branches.
 
I've tried to set up a dynamic NAT from outside to inside the network and it didn't work; I set up static IP routes for both the datacenter and remote branches and that also didn't work. I just would like to make the routers work in a transparent way, no blocking of anything, passing all traffic in and out of the network.


Cisco WAN :: C2821 - How To Configure Priorities For Multiple BGP Peers

Jun 20, 2012

At our organisation our routers all have at least 3 BGP peers, each from a different connectivity provider. The different providers that we use all have different internet transit CDRs. Is there a way that I can configure a priority for the 3 BGP peers on our routers so that outbound traffic to the internet is sent to the BGP peer from the provider with the highest CDR?
 
Routers are C2821.


Cisco WAN :: 6500 Unable To Configure Further Ntp Peers On Router

Nov 5, 2012

What is the reason for the following NTP error? I am unable to configure further NTP peers on the router. I could not understand the reason for "100 peers". I am adding only the 2nd peer on the router but am getting this error. There is no problem adding peers on other 6500s.


Cisco :: 6500 - Monitoring IPv6 BGP Peers Via SNMP

Nov 5, 2011

I'm running 12.2(33)SXJ1 on a 6500 with several IPv6 BGP peers. Is there any way to monitor the BGP status of IPv6 peers? I've been through the BGP4 MIB and can't seem to find a way to check the status of IPv6 peers.


Cisco WAN :: AS100 / Multiple Upstream EBGP Peers?

Nov 11, 2012

I am imagining a smallish network (AS1234) with say three full BGP table peers that provide transit to the network (just to keep the maths simple here). Let's say AS100 and AS200 are preferred transit providers with AS300 as a backup/least preferred (AS prepends or similar stop us from using this network by default). So in this scenario our little network gets two different paths across the Internet, so as not to rely solely on one provider, with a backup provider to hand also.
 
How do you manage issues like packet loss somewhere in AS100's or AS200's network? So let's say a host on our AS1234 network is talking to a host in AS888 and the preferred route is through AS100, but somewhere deep in AS100 a link is flapping (for example) and I can't get to AS888 reliably through there anymore, but I can get through to other peers of AS100 OK. We can postulate that AS100 is the best path for 50% of the Internet and AS200 for the other 50% (this is a best case fictional scenario). I can't ping 50% of the Internet via AS100 and then, in the event a ping fails (or some other more reliable test), tear down the BGP session to AS100 until it's fixed again, nor vice versa with AS200.
 
First of all, I assume you don't know about the issue between AS100 and AS888 until someone moans about it to you? Secondly, do you then somehow modify the route(s) to AS888 that come from AS100 (a route map for example to change the weight or preference) so AS200 is now preferred for AS888? Do you in fact shut down the AS100 peering and now use AS200 & AS300? How do you rectify these situations that are beyond your control using what is in your control?


D-Link DIR-655 :: Websites Not Reachable On Server?

Aug 16, 2011

On my server I host several websites. Last Monday we got our FttH connection and I set up my D-Link DIR-655 to manage our server and other computers. In the web config of my router I set up the Virtual Server for several applications (Telnet - 23, HTTP - 80, HTTPS - 443, FTP - 21, SMTP - 25, POP3 - 110, IMAP - 143 and also ports 20, 22 and 81) redirected to my server's IP address. For these items the private port and the public port of each item is the same port number; the protocol is TCP for these items. I didn't change the options Schedule ("Always") and Inbound Filter ("Allow All").

The DNS of my domains (samendienen.nl and some other domains) is set to my new IP address. Maybe I forgot some other settings in my D-Link router. What do I have to do to make my websites reachable?


Cisco WAN :: 887VA Adsl Connection Up But Only Certain Websites Reachable?

Feb 14, 2013

The ADSL circuit is up and connected and I can reach the Internet; however, not all sites on the Internet are reachable. This is occurring on two separate 887VAs and the circuit has been tested with a Netgear router and no issues occur. The router has been tried on 5 different ADSL connections and the same problem occurs, although more websites can be reached on a home broadband connection (ADSL2+ Annex A), the problem being more severe on an ADSL2+ Annex M circuit. The problem seems to affect websites that are full of adverts more than sites that have single domain landing pages.
 
The sites that I cannot reach are pingable. This happens on multiple machines behind the router. The same config is used on a Cisco 877-M router with no issues.
 
! Last configuration change at 14:52:30 UTC Wed Feb 13 2013
version 15.2
no service pad

[Code].....


Cisco :: LMS 4.2 - Takes Time To Remention Device Reachable

Nov 29, 2012

I've recognized some strange issue with LMS 4.2: when the router goes down or becomes unreachable, the LMS doesn't send any event in Faultview; also, when the router comes back online, the LMS takes 1 hour to show its state as reachable.


Cisco WAN :: 4500 When NIC Configure With Teaming / Servers Gets Not Reachable

Jan 11, 2011

I have Windows servers connected to a Cisco 4500 series switch. The issue is that when a server NIC is configured with teaming, sometimes the servers become unreachable, and after restarting the servers they become reachable again. Does the 4500 series switch support the teaming software?


Cisco AAA/Identity/Nac :: ISE 1.1.3.124 Secondary Node Not Reachable After Registration

Jun 1, 2013

I'm constantly seeing that the sync and replication status for my secondary admin/monitor node shows in the primary node as "node not reachable". The secondary still thinks it is in standalone mode. When I run the ISE diag tool connectivity tests I am able to successfully ping the devices from each other using both hostname and IP, and nslookup also works fine between both nodes. Ping and nslookups also work from different networks within the environment. The two nodes are in the same VLAN on a 6500 VSS pair but on different switches of the pair.


Cisco Firewall :: Max Number Of Clients And Site To Site VPN Tunnels On ASA 5505

Aug 15, 2012

I wanted to know the maximum VPN client sessions (using the Cisco VPN client) and site-to-site VPN tunnels that I can connect to my ASA 5505 simultaneously.
 
In other words, if I have x VPN clients and y site-to-site tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)? If yes, can I upgrade to the Security Plus license to increase the Total VPN Peers to 25?

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
[Code]...


Cisco VPN :: IPSec On ASA5520 With ADSL Peers Ok But Not Fine With Mobile

Jun 18, 2012

We have an ASA5520 configured with an IPSec VPN. From any ADSL home/office our VPN clients can connect without any problem, but when we use our cellular phones in tethering mode (as an access point) our VPN clients are unable to connect. Same machines, same software, same operating system, same remote IP (ASA5520 external IP); the only change is the Wi-Fi connection (ADSL to cellular phone). The signal of the cellular phones is not the problem; we were doing the tests with different phones (iPhone & Android), different locations (all in Spain) and different providers (Vodafone, Orange and Movistar) of Internet by cellular phone. We think that perhaps the problem is the licenses that our ASA5520 has.

Our ASA5520 comes with these licenses:
------------------------------------------------------------------------------------------
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual

[code]....


Linksys Wireless Router :: Cisco EA6500 - Hostname And IP Are Not Reachable?

Feb 22, 2013

I have a big problem with my Cisco EA6500 router. I have a domain that is pointing to the public IP address of my home network. I have various computers and applications that listen on different ports for various reasons on this network. Everything worked fine until a week or so ago when I had to restart the router. The reason was that while I did a routine change (adding a MAC filter for wireless) the router stopped responding. After restarting it, I could not access the home computers through the domain name (public IP) while being inside the network. If I try from outside my LAN it works fine, but when trying from within the LAN the hostname and IP are not reachable. Also, everything works from inside the LAN if I'm using LAN IPs.


Cisco WAN :: 1941w AP Can't Ping 2nd Router / Host But Interface Reachable

Feb 2, 2013

From the router I can ping the 2nd router, all its hosts and all of the 1941w interfaces.
 
From the 1941w AP I cannot reach the 2nd router or any of its hosts, but I can reach the interface that is connected to the 2nd router, though only one side of it.
 
Attached are both my router and AP configs. At the moment I am just trying to reach the 2nd router and its hosts so I can update the AP IOS image, but I cannot reach the TFTP server.


Cisco :: AiroNet 1142N Wireless Client Isolation / Peers Cannot Access

Apr 3, 2013

A Cisco RV220W router/firewall connects the local LAN to the Internet. The router is connected to a new Cisco SG300-28P switch configured in Layer 2 mode. There are two new AIR-1142N wireless access points running in autonomous mode connected to 2 ports on the SG300, powered through PoE. The AIR-1142N access points are running the latest firmware version 15.2(2)JB. There are two VLANs defined: VLAN1 is the native on all devices, and VLAN2 is for wireless guest traffic to provide access to the Internet only. Internal/staff traffic is on 192.168.100.x, and the wireless SSID is MYNetS. Guest traffic is on 192.168.200.x and the wireless SSID is MyNetG. IP addresses are being assigned by the RV220W.
 
All works well with one exception. Wireless clients on the internal SSID are able to ping/access the switch, router, and other clients on wired ports on the switch. The router, switch, and wired clients can ping wireless clients. However, wireless clients on the same SSID and the same 1142N cannot ping/access one another. They are being isolated from each other. We absolutely need to have this capability. The SG300 does not have port security enabled on any port. None of the workstations/laptops have a firewall enabled. These laptops are all Macs, btw. I have checked that neither of the 1142N access points has Public Secure Packet Forwarding enabled on either of the VLANs. I am at a loss as to why the wireless clients are being isolated.


Cisco Switching/Routing :: 5548 - Multiple Peers Detected On Mgmt0

May 1, 2012

I keep seeing these messages in my logs very frequently on a Nexus 5548UP.
 
     %LLDP-3-DETECT_MULTIPLE_PEERS: Multiple peers detected on mgmt0
 
What might be causing these? Google has shown less than desirable amounts of information on this message.


Cisco Switching/Routing :: 6509 - HSRP Standby Address Not Reachable

Jun 11, 2013

I have my HSRP set up where switch A and switch B share active/standby roles among several VLANs. In the last few weeks, I have seen trouble tickets where connectivity is lost, and upon investigation I discover that I can ping the physical interface IP addresses for both standby and active devices but not the standby IP. I have also validated configurations and layer 2 paths and they haven't been broken.

What I end up doing is failover to the standby device and back and the problem clears, reachability is restored. My question is whether I am solving this the right way. If so, what is it that would cause the standby IP to not be reachable and how does my solution fix that? N/B the switches are catalyst 6509's.


Cisco VPN :: ASR 1002 - Disconnect / Connect WAN Interface / Router Not Reachable Via Telnet?

Aug 13, 2012

We have 400 branches terminated on an ASR 1002 router. The ASR 1002 is the hub router. When we disconnect/connect the WAN interface or shut/no shut the tunnel interface, at that moment the router is not reachable via telnet.

But if I disable EIGRP on the tunnel interface, the tunnels are OK; then when I enable EIGRP on the tunnel interface, all EIGRP neighbors are OK. Is there any way to limit NHRP or EIGRP packets?


Cisco Wireless :: AP1262N Repeater SSH Web Configuration Interface Not Reachable After Alignment

Jan 14, 2013

We have a couple of AP1262N-E-K9 APs with firmware version 12.4(25d)JA1 operating in autonomous mode. One AP is set up as a repeater while all others are in root mode.

The repeater has one parent MAC address set up so it associates every time to the same parent root AP. Given this setting, I log into the repeater via SSH and start the antenna-alignment scan: "dot11 dot11Radio 0 antenna-alignment timeout 4"
 
During this scan, the repeater disconnects from its parent to perform the scan so no output is visible at the SSH console. After the scan is finished, the repeater re-associates to its parent and some output appears on the SSH console.

8 of 10 times this procedure works fine: the scan is finished and I can continue entering commands on the SSH console. However, in some cases the repeater is not reachable any more for about 7 minutes, i.e. pings to the repeater's IP address are unsuccessful and the SSH connection hangs until it is automatically disconnected after a timeout. Also, the web configuration interface is not reachable. After about 7 minutes everything works fine.


Cisco Switching/Routing :: WS-C3750X-48P Access Switch Not Reachable And After Reload Started Working

Sep 15, 2012

I had a strange issue with one of my customers. A Cisco WS-C3750X-48P access switch was not reachable, and after a reload it started working. I would like to know the root cause of the issue. There were no logs and no errors on the interfaces. Even CPU utilization was not high. We have enabled ARP inspection and DHCP snooping on the switch. Hope this will not cause any issue. Also we have dot1x enabled on the ports.


Cisco Firewall :: 5505 Firewall Between HQ And Remote Site

Jun 12, 2012

We are planning on connecting a newly acquired company to ours soon. We will connect the remote site to the HQ via a D3. I've been told we will need to have a firewall between them and us for a time. I was thinking of terminating the D3 connection at the remote site of 80 users. Can I use the ASR as a firewall as well, to protect the HQ from the remote site, or should I use a separate appliance? I was thinking of an ASA5505 but am concerned with the bandwidth limitations of the box.

Copyrights 2005-15 www.BigResource.com, All rights reserved