Cisco Firewall :: VLAN Tagging To ISP Through ASA 5510 To Remote Site
Oct 25, 2012
We have a base-license ASA 5510 and have been trying to get ICMP working to check that we're routing and not hitting any NAT translation. We have VLAN280 set up to the ISP for a VPN link to a remote site and another, VLAN281, for internet access for internal users.
Users can browse the internet from the interface named inside (e0/1, access port), which is fine. When I ping the remote office through the VPN I get a response when pinging from VLAN280 (named VPN_Link). When I ping from the interface named inside I don't get a response. Both are security level 100 with same-security-traffic permit inter-interface configured.
Config:
!
interface Ethernet0/0
speed 100
no nameif
[Code]....
Mar 9, 2011
I am trying to configure an ASA 5510 with IOS version 8.3. My internal users are on 192.168.2.0/24, and I configured dynamic PAT so they all have internet access.
I want to configure identity NAT for remote access VPN. The remote users' IP pool is 10.10.10.0 to 10.10.10.10.
I know how to configure NAT exemption in IOS version 7.2, but here it is IOS version 8.3. How do I configure NAT exemption for 192.168.2.0/24 to my remote pool (10.10.10.0 to 10.10.10.10)?
May 18, 2012
I have a requirement to create a site-to-site VPN tunnel on an ASA 5510 from a remote site to my HO; I already have other site-to-site tunnels up and running on the ASA. The issue is that my remote site has a network address which falls in one of the subnets used in the HO (192.168.10.0/24). My requirement is only that my remote site needs to access a couple of my servers in the HO which are in the 192.168.200.0/24 subnet.
May 18, 2011
I need some assistance in setting up VLANs (802.1Q) across two switches. I want the same 2 VLANs on both switches; how do I configure them to be connected and pass both VLANs' traffic? VLANs from the firewall are tagged as 3 and 8, with a single port out from the firewall. The first switch is simple enough: the port is connected at port 52 and configured for both VLANs, then the individual ports are either on one or the other. The question is how do I connect the second switch so that it can also do both VLANs. Assume I connect switch 1 at port 51 to switch 2 port 52. Do I configure both ports to be on the same VLANs, or do I set up LAGs?
Jul 15, 2012
We have two ASA 5510s, one on 8.4(4) and one on 8.2(5), in a site-to-site VPN setup. All internal traffic is working smoothly.
Site/Subnet A: 192.160.0.0 - local (8.4(4))
Site/Subnet B: 192.260.0.0 - remote (8.2(5))
VPN Users: 192.160.40.0 - assigned by ASA
When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc. are not reachable by ping or otherwise. There are also some weird NAT rules that I am not happy with that were created after I upgraded the Site A ASA to 8.4.
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site. What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
Jul 21, 2011
I set up RA-VPN under the local ASA 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then I have 5 site-to-site VPNs working fine, but when I'm trying to access those L2L VPNs from the remote access client I'm not able to. So after that I decided to obtain IP addresses from my DHCP server so I can obtain IPs from my local network (172.17.16.0/16) and then access the site-to-site VPNs normally. But the surprise was that the Cisco VPN client is getting a local IP address (172.17.16.222) perfectly, but I'm not able to access even my local network.
I have same-security-traffic permit inter-interface and same-security-traffic permit intra-interface enabled.
Apr 16, 2011
I have an ASA 5510 active/standby and created one site-to-site VPN with remote peer IP address xx.xx.xx.xx. Our VPN traffic is running on a 6 Mb internet link for video conferencing traffic. Now the client has given us another 2 Mb internet link and told us our data traffic should run on the 2 Mb link, but this data traffic goes to the same remote peer IP xx.xx.xx.xx.
Secondly, they also request failover over the ISP link.
How do we implement this on the ASA 5510?
Feb 14, 2011
I have a Cisco ASA 5510 at the branch here. It terminates about 8 VPN tunnels and also supports remote access clients. I just have a quick question: can my remote access subnet group access the other site-to-site VPN subnet group? If yes, then how should I configure it?
Jun 28, 2012
I am attempting to configure RADIUS authentication across a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site-to-site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vice versa but is unable to authenticate when I perform a test. ASA5510-01 can authenticate to a DC on its own LAN but not on the remote LAN that the DC sits on.
I have double-checked the 'Server Secret Key' and ports as well as various users, which all work locally. ASA5510-02 authenticates to the DC with no problems.
Feb 20, 2013
I have a situation where I need to have remote users VPN into my ASA 5510 and then turn around and hit a site-to-site tunnel. When I am in our office I can hit the site-to-site VPN fine. When I am at home and VPN to the ASA I cannot get to the site-to-site resources. Do you see where my config is incorrect? Result of the command: "show run"
ASA Version 9.1(1)
!
hostname xxxxx
domain-name xxxx
enable password xxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[ code]....
Aug 8, 2011
Can I configure Site-to-Site VPN and Remote Access VPN at the same time on one ASA 5510?
May 19, 2011
It's been a long time since I played in the Cisco CLI. Using a Cisco 506 Firewall 6.3(4), PDM 1.0? The problem is I created a site-to-site tunnel with a vendor and since then our remote VPN does not work. It completely times out, so I am sure I broke something in the crypto map or something similar.
The tunnel is policy 10 using access-list 101.
The remote VPN is policy 20.
Config Below:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XLk0qAaMaA6kjvA6 encrypted
passwd VeCrsQbWdIFPwnny encrypted
hostname RMS-DR-PIX
domain-name RMS.Local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network FTP_Clients
 description FTP Client PCs
 network-object host 192.168.xxx.xxx
 network-object host
[code]....
May 16, 2012
We have a need to access a VLAN at the main office (i.e. Core Switch 6500, switch 3750) from a remote site (Cisco 3845 router, Switch 3750) connected by an SP through a fibre link.
What is the easiest and quickest way to do it? The user from the remote site just wants to have access to that VLAN for a couple of days only.
Nov 11, 2011
I have a Cisco ASA 5510 with a static IP and a remote site with a dynamic IP, and I want to set up a VPN between these 2 sites. I tried it many times but it doesn't come up.
I want to know how to do it.
Feb 24, 2011
I have an ASA 5510 and would like to extend one of the subnets behind this ASA out to my house, which has a cable modem, a wireless router/switch and then behind that a 2821 router. I've been reading and it looks like L2TP may be the way to go, but I can't find any config examples. Again, I would like to securely extend one of the VLANs in the production network, with a permanent nailed-up connection, all the way into my house using my cable modem and the 2821. Any config examples? Also, any IOS recommendations for the 2821? Lastly, does L2TP look like the way I need to go? I'm attaching a very basic Visio diagram of what I'm trying to do.
Oct 10, 2012
I have an ASA 5510 at our corporate HQ that has one site-to-site VPN. I need to add 6 additional site-to-site VPNs to this ASA for our remote branches. How can I add them without affecting the existing site-to-site VPN? The 6 site-to-site VPNs will all have the same settings; however, these settings are different from the existing site-to-site that I already have set up. How can I set it up so the 6 additional VPNs use their own crypto map and all use the same settings?
May 28, 2012
I have an ASA 5510 that has multiple site-to-site VPNs. I need to create an additional site-to-site VPN but only allow 1 host to access and traverse the tunnel. The network is on 192.168.5.x, but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I don't want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
Apr 18, 2013
I am not very experienced with Cisco networking.
Here is the situation.
Site A - headquarters 192.168.1.x
Site B - remote office 192.168.20.x
Site C - remote office 192.168.30.x
Site A - ASA 5510
Site B - ASA 5505
Site C - ASA 5505
Site-to-site VPN is established and works between A and B, A and C. Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.
I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C, but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and the CLI once. I generally followed the settings chosen between the headquarters and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.
Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels?
Dec 12, 2011
We have a Cisco ASA 5510 at our main office that makes a connection with a 5505 at our other office using a site-to-site VPN. (Works.)
Now for the question:
we want to access our other office from the main office, but we don't want them to have access to our servers etc. So basically we want to control them, but they shouldn't have the rights to control us.
Is this possible with a site-to-site VPN, and how do I do it?
Dec 12, 2011
I have 2 sites :
site A :
ASA 5510
VPN gateway for remote users
LAN 192.168.192.0/22
site B :
ASA 5505
LAN 192.168.208.0/22
Both sites are connected through a site-to-site VPN. Remote clients (AnyConnect/VPN client) can connect to the Site A LAN and see machines on LAN A, but cannot see the Site B LAN.
Here is a part of my configuration:
On Site A (ASA 5510)
--------------------------------
name 192.168.192.0 SiteA_Internal_Network
name 192.168.208.0 SiteB_Internal_Network
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
[code]....
Mar 15, 2011
I configured an ASA 5510 using dual ISP (failover). Now my ASA is working fine. My problem is that my ASA 5510 is also configured for site-to-site VPN. How does my VPN switch to the secondary ISP automatically when the primary ISP fails?
Jul 29, 2012
Unfortunately I do not remember the model, and the switch is a couple of hours away without remote access. I have 4 VLANs on a ProCurve switch.
VLAN1 - Network Devices (Server, printers, WAPs)
VLAN100 - Admin (Office workers)
VLAN200 - Teachers
VLAN300 - Students
There is a server doing DHCP. There are 4 ranges of IPs 1 for each VLAN.
The router is on Port 44. VLAN 1, 100, 200, 300 - Tagged
The Server is on Port 46. VLAN 1 - Untagged
The WAPs are on Ports 1, 11, 31 VLAN 1, 100, 200, 300 - Tagged
All other ports are on VLANs 100, 200 or 300 - Untagged
The WAPs all have VLANs 100, 200, 300. Each VLAN on a different SSID.
I have IP helper with the server IP on VLANs 100, 200, 300.
There are IPs from the different subnets on their respective VLANs in the switch.
The gateway for each subnet is on a different subinterface on the router.
The router is a linux box. (Untangle)
The WAPs are not able to talk to the server, therefore no computers on the wireless networks can get an IP. The server can only talk to the router if I change port 44 to untagged. What combination of tagged and untagged ports do I need to make everything talk?
Do I need to put the VLANs on the subinterfaces of the router?
Nov 16, 2011
I am trying to set up a site-to-site VPN between an ASA 5510 and an SSG 140 firewall. The ASA end of the VPN has a dynamic public IP address. I tried sending the hostname as peer identity on the ASA by changing the IKE parameter setting, but the SSG somehow is not able to match the hostname of the remote peer and reports the remote as an unrecognized peer. Need help setting up a site-to-site VPN in a similar setup?
Aug 19, 2011
I am currently tasked with setting up a network, pretty much from scratch, that requires some fairly hefty VLAN deployment. My hardware on hand (already existed, so I can't change anything easily): 5x ESW-540-48 switches, 1x 3750G switch, 1x 2811 router. I don't believe the router should be required as the 3750 is capable of inter-VLAN routing. [code]
Now at one point I actually had the VLANs *working*, in that I could specify an IP address and could ping to and from it! However, DHCP wasn't passing despite numerous attempts with DHCP relay and IP-Helper configurations. Also I was having issues with VLAN 1 as the native VLAN; the ESW switches don't allow you to do much with it, as it 'wasn't created by the user'. So I tried switching that out to VLAN 11 also, but with very little success there (I had to change the native VLAN on all trunks to VLAN 11). All the 10.x.x.x addresses need to be able to communicate with each other. All the ESW switches need to be able to handle their respective VLANs as well as VLAN 1 (for printers and wireless access points distributed around the building).
Nov 23, 2011
We have one HP core switch with VLANs configured on it. Four Nortel BES1010 (24-port) switches will be connected to this HP switch. We need to configure VLAN tagging on the Nortel switches so that devices connected to the Nortel switches can communicate with devices in the VLAN.
Sep 28, 2012
I'm confused by the fact that VLAN tagging is done at the access port and the trunk port always gets tagged packets (unless it's the case of the native VLAN). But I still believe the other fact, which says tagging happens only when a frame hits the trunk port, which means the trunk port gets untagged frames and tagging is not possible at the access port.
I would like to know where this tagging actually happens.
And also, which command can we use to encapsulate the 802.1Q protocol on an access port? The way we do it on a trunk port is #switchport trunk encapsulation dot1q. Is the above command applicable for access mode also?
Feb 13, 2012
I have an SF300 with 2 VLANs: VLAN 1 for data, and VLAN 100 is my voice VLAN. I have VLAN 100 tagged traffic, and my VoIP PBX is on an access port only in VLAN 100; all other ports are trunk ports with VLAN 100 tagged and VLAN 1 untagged traffic. I get no outbound audio on calls: I can call out and hear them fine, but they can't hear me. I am wondering if my tagged traffic leaving the phone is being stripped and, if so, where. I have CDP turned off.
Jun 13, 2013
We are trying to replace the CSS between our firewall and DMZ with a BigIP. Among its other functions, it will act as the router between the firewall and the DMZ. To make this work, I need to assign VLAN tag values for the VLANs I create on the BigIP box, and these must match the tags on the Cisco switches (3550s). How do I find this information on the switch?
Feb 14, 2012
I recently bought the E4200v1 router, to be wired together with my WRT610nv2 to form a gigabit network across different floors. However, with the recent installation of the fiber-to-the-home network offered by my local ISP, I would need a router that is capable of performing VLAN tagging (500 for internet & 600 for IPTV). I would like to know if Cisco has any development plan to enable the VLAN option for:
1. E4200
2. WRT610nv2
At the moment, I'm still stuck with the provider's "home-made" router, which lacks Gigabit & dual-band wireless.
Oct 30, 2011
Having an issue getting my DMZ VLAN working. Running my ASA5505, and I have configured e0/2 for DMZ with VLAN ID 3, connected to my 2716 on port 2. Inside is e0/1 with VLAN ID 1, connected to my 2716 on port 1.
I am trying to get my DMZ VLAN to ports 3 & 4 (LAG1), but when I assign the LAG group to PVID 3 I lose connectivity on VLAN 1. I want to send both VLANs to that host because the teamed adapter is used for the Hyper-V network switch.
Jul 5, 2012
I have a 2960 switch connected to another. I need to verify that vlan0010 on one switch is forwarding tagged traffic to the other switch it is hooked up to through the Gi0/1 port. How do I verify this? I have a server that's multihomed (Broadcom) on the other side, and it is supposed to be on this VLAN with one of its network interfaces. We had a power outage and now it cannot communicate on this VLAN. However, everything else on the VLAN can reach all the other nodes except this server in the front of my building. All the devices in the same room are linked to the same switch, which has one port (fa0/17) on vlan0010, and can ping each other just fine. The server is hooked to port 24 on my server room switch, and Gigabit port one goes to a fiber converter all the way to the back. It then gets converted from fiber to Cat5e again and links into the switch (2960) in the back room.
Mar 18, 2012
I'm a little stuck with a 4400 7.0.220.0 + RAP 1550 + MAP 1260 Ethernet bridging issue. I'm using the VLAN tagging functionality and I'm finding that periodically a VLAN that I've tagged on the MAP will deregister from the backhaul and stop passing traffic. If I go into the Mesh tab on the MAP, select the wired interface, remove the VLAN from the list of tagged VLAN IDs and then add it right back to the list, it starts passing traffic again.
Dec 13, 2012
We have a problem with CDP packets sent by our Cisco 6509s. Unlike our other Cisco switches (4948G, 5020, etc.), the 6509 tags administrative traffic on the native VLAN. As a result the CDP packets are sent with an 802.1Q header with a tag of 1. The other switches send the CDP packets untagged on the native VLAN. This causes problems because we have non-Cisco devices in our lab that also receive and send CDP, but they do not process the packets that are tagged by the 6509. They see the packets from the 4948 and 5020 just fine.
How can I disable the administrative native vlan tagging on the 6509? Here is the current setup:
nwkdev-6509-1#show vlan dot1q tag native
dot1q native vlan tagging is disabled globally
nwkdev-6509-1#show interfaces gigabitEthernet 1/9/1 switchport
[Code].....