Cisco Routers :: Re-Route To Static T1 If Ipsec VPN Fails (SA520 / SA540)?
Dec 30, 2011Is it possible to re-route our Site 2 Site VPN over our Static Route (T1) if the WAN fails?
View 1 RepliesIs it possible to re-route our Site 2 Site VPN over our Static Route (T1) if the WAN fails?
View 1 RepliesI was very excited to read about the two factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers. I purchased an SA540 a month and a half ago. I have been on the phone with support of both Cisco and Verisign ever since. It appears no one actually knows how to make the product work. Finally I was told that they have only tested it on an SA520. So I bought an SA520; however, it doesn't work either. How to use the Verisign VIP two factor authentication with either an SA520 or SA540? If so, what is the trick? If not, how is Cisco advertising this product if it doesn't actually work?
View 3 Replies View RelatedWe have Cisco SA520 and we want to use VPN to access the office servers from home. We have been able to configure the VPN server on the SA520 however the connection is very unstable.We use OS X 10.7 lion built-in Cisco compatible VPN clients and this is a typical output of ping from 3G mobile network to a server inside the office network. It works the same way also if I am trying to access from my home ADSL connection so the problem is not the instability of the 3G connection.
Some sample traffic sequeezed:
PING ns.svm (192.168.60.27): 56 data bytes
64 bytes from 192.168.60.27: icmp_seq=0 ttl=63 time=98.022 ms
64 bytes from 192.168.60.27: icmp_seq=1 ttl=63 time=76.934 ms
64 bytes from 192.168.60.27: icmp_seq=2 ttl=63 time=278.201 ms
[code]....
i measured with Iperf over two Cisco 1811 router, that bandwidth speed is higher then is used IPsec+GRE tunnel between two routers, than just using a static routes.Bandwidth over GRE in average is about 91389Kbit/sec Over static routes is about 88474Kbit/sec.
View 1 Replies View RelatedWe have done the site to site VPN between Fortinet and Cisco SA540. Everything is configured at both ends but the tunnel is not establised.
View 4 Replies View RelatedI have Cisco RV180. I can not set static route with destination to all IPs (0.0.0.0/0.0.0.0). It always shows errors. It asked me to input non zero number. I can do this on Cisco RV042 without any problem.
View 3 Replies View RelatedI defined a static route: 192.168.0.0 / 255.255.255.0 / 192.168.1.201 (gateway), I can connect from 192.168.1.0 to 192.168.0.0 but we cannot ping in this local network. We have a CISCO 18000 as a VPN IP configured between this two local network.
View 1 Replies View RelatedI have a RV082 connected to a Comcast business-class internet with 6 static IP's one-to-one routed to specific internal hosts. This configuration has been stable for several years.
A few days ago, the RV082 stopped routing most of the external static requests to their specific internal hosts. External machines only display the "Can't connect to the webpage" error. Rebooting the RV082 re-enabled correct operation for about 30 minutes, then it failed again.
I pulled out my backup RV082, flashed it with the current configuration, and swapped it in. It acted the same - external statics route correctly for about 30 minutes, then it just stops.
Is it possible to configure a Site to Site VPN from a SA520 with Dynamic IP (DSL) to a Cisco ASA5510 with static IP? I need to make sure about because i am trying to sell this solution to a customer with two branch offices with DSL connection and a Main Office with Metroethernet.
I know that using a a pre-share-key on the defaultl2lgroup of the ASA, the ASA will accept any site to site VPN. I have tried this with the ASA 5505 instead of the SA500 for the branch office, but the ASA5505 is too expensive for my customer.
We have a Cisco SA540. It has been an extremely reliable UTM router. Other than SSL VPN not working for Mac OSX, we are very pleased with the unit.We have a 3 year contract for IPS, a 3 year contract for Trend Micro Protectlink Web, and a 3 year contract for Small Business Support Service for the unit.Right now we are trying to setup the VIP functionality but it is not going very well. To sum it up in a few words, we cannot get the SA540 to prompt the SSL VPN users to enter the 6-digit access code.
We setup an account at Verisign and requested a trial for VIP. They promptly setup the trial account. Getting everything setup was a breeze. The Verisign website is very well documented. They even had specific instructions for Cisco SA500 Series routers!!! We were very impressed with Verisign's implemenation. We are able to get our SA540 to talk to Verisign (basically, when we activate or deactivate an SSL VPN VIP user in the SA540 web GUI, you can immediately see it enabling or disabling the user on the Verisign website... it is very cool).Unfortunately no matter what we do, we cannot get the SA540 to prompt the SSL VPN user to enter the one time 6-digit code. In this case, we are using Verisign's iPhone app called 'VIP Access'.
I called into the SBSC and talked to a guy. I felt really bad for him. He used WebEx to log into my desktop and I showed, and explained, to him how all of it worked (setting up VIP in the SA540 web GUI, as well as, and the Verisign website). He had no clue about Verisign, VIP, or the two-factor authentacation concept at all. I told him that he needed to escalate my case to the SA500 Series team, but of course he had to try. He was supposed to call me back yesterday or today. I am sure he is dreading calling me back as he probably still has no clue.
How to use the VIP functionality? Or how it works and set it up? We would like to at least get it to work before our 30-day trial period is up. I have a distinct feeling that the functionality used to work, but Cisco hasn't kept up the firmware with all the latest back-end API calls to Verisign or something similar.
We require UPnP (mainly for an in-house built FTP Server app that uses UPnP to dynamically open/close ports for Passive FTP mode) and have found it's implementation in the SA540 is unreliable. Sometimes UPnP works after a reboot, sometimes it doesn't. When it does work after a reboot it will eventually stop working. Going into the web GUI and turning UPnP off and back on always fixes for a while.
Is this a known issue with the SA500 Series routers? We had an RV220W deployed first, but it's UPnP implementation was even more unreliable. That said, it seems that the latest Beta firmware version for the RV220W has fixed the issue. Could it be that the same fix needs to be applied to the SA540?I was planning on opening a cause with the CSBC at some point like I did with the RV220W, but I'd rather not spent the time doing so if the this is a known issue.
Installing a SSL certificate from DigiCert on a SA540 router? The SSL certificate is a wildcard variant (*.example.com).
View 1 Replies View RelatedI want to build a "hub and spoke" topology for one of my clients. For the "HUB" , I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL. For the "spokes" (21 at the moment), I'm planning to use RV120. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP. The boss will connect to the HUB using Cisco VPN client, or quickVPN, and get access to all the spokes. Some spokes will have to connect to each other, via the HUB. I searched a long time on this forum and reading documentation, but I didn't find at the moment the answer to my question : is this topology suitable with the choosen hardwares ?
View 7 Replies View RelatedWe have just purchased a license L-PL-GW-100MAX-3= Protect Link Gateway: Unlimited Web + 100 Max Email Seats,3YR. I found that it does not include IPS license. I cannot find anywhere where I can purchase an IPS license for SA540 gateway. It seems to be available only as a bundled product when purchasing the hardware.
View 1 Replies View RelatedI have a 3845 that will not let me ping to the internet from my PC.On interface g0/0 I have a connection to a internet connection (another router), using DHCP to get it's address (it gives g0/0 IP 192.168.0.3).On interface g0/1, I have a connection to my LAN (I assign the interface IP 10.10.1.1).
I can ping the router. The router can ping the internet, do DNS resolution, etc.I have ensured routing is enabled. The only route I have configured is a default static route: 0.0.0.0 0.0.0.0 192.168.0.1.Oddly, if I choose 0.0.0.0 0.0.0.0 g0/0, I cannot ping sites on the internet from the router.
I tried setting up ip nat inside for my LAN and ip nat outside for the WAN/internet uplink, but this did not work.
This was the issue, I missed finishing the NAT setup.I can make the router ping out all day, and have my PCs ping the router, but getting the connection between the two is not working.
Looking for routing with an SA540 router connecting to corporate VPN.We have an odd configuration that is beyond the scope of what I have configured previously with these devices..I am trying to configure the routing to the additional IP addresses listed for the HQ. The VPN tunnel between the .26.120.x and the .17.0.0 networks is built however it does not appear to be routing. The Cisco administrator at the HQ site says that they have "fully configured the routing" from all the listed IP addresses back through the VPN tunnel. The options I am unsure of for configuration of the SA540 router are: GW - I believe that I use the internal IP address of the 17.26.120.x router.Is this logical since the VPN tunnel. We are using NAT for the firewall internally.The existing 3 172.26.x.x VPN tunnels are live and working and fully routing between themselves.
View 2 Replies View RelatedI hope an easy question, in the WAN profile of our SA540 I have IP Aliases configured for a block of IP addresses we have. The active 2 IP addresses plugged into the actual RoadRunner modem respond fine to ping, the other three I have programmed to the WAN interface are not responding as I would think they should. Have I overlooked something? The "Block IP on WAN Interface" is disabled and pings back fine.
View 3 Replies View RelatedI went through the install procedure outlined in the ProtectLink Gateway install manual and i activated the ProtectLink Web product through Trend Micro (which shows up through their web site as a registered product to me). It still doesn't show up as installed on the SA540 (under Administration/License Management screen). When I try to activate the product again, it shows as "Already registered". Trend has no idea why it won't work. They said Cisco sold the license, so try their support.
View 1 Replies View RelatedI'm trying to figure out why recipients of emails from my company show that the mail is coming from our dedicated wan ip instead of the ip alias setup thru the dedicated wan.The external ip address for the sa540, wan1 (no optional interface), is 82.134.79.122.The ip alias is 62.97.213.156 mail. unitec hsubsea. com resolves to 62.97.213.156 for external dns yet it is reporting as the 82.134.79.122 for some recipients.The mail server was never setup with the 82.134.79.122 ip so i don't think this is a dns cache issue.What issue in the SA540 would cause the system to show as mail coming from 82.134.79.122 instead of the ip alias 62.97.213.156?
View 0 Replies View RelatedI am having this problem trying to connect to my university network trough the vpn client from a pc running Windows 7 Ultimate 64-bit: the client connects but I have no Internet access. I first believed that the problem was related to the fact that I had ZoneAlarm Free Antivirus+Firewall installed, but I made several steps, including the complete removal of the ZoneAlarm product, and I still have the same problem.
Here's what I see in the log:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
[code]....
Using the same client (32 bit version) in another pc of my lan which runs Windows XP and that had never ZoneAlarm installed on it, I have no problems.Also, using Shrew Soft Vpn Client 2.1.7 on the problematic pc I can connect to vpn without problems, so I am really stuck trying to understand what's wrong with Cisco Vpn Client.
I am currently trying to configure a Remote Access VPN on a SA520 (Primary Firmware Version 2.1.51) using Cisco VPN Client (Ver 5.0.07.0410)
Until now i have connectivity from the SA to the LAN and i can connect using the Cisco VPN Client to the AS:
[IKE] INFO: IPsec-SA established[UDP encap 12856->4500]
[IKE] INFO: IPsec-SA established[UDP encap 12856->4500]
It gives me an IP from the pool but i can not reach through ping to my LAN.
I am trying to configure the DMZ on my SA520 router but without success.After a lot of tests I reduced everything to a very simple test case that is not working: I setted the "Optional Port Mode" to "DMZ" and enabled "DHCP Server" in the "DMZ Configuration", but DHCP on the DMZ does not assign any address.I am wondering if my optional port is broken or not.
View 4 Replies View RelatedTwo factor setup with Symantec VIP? I just fined setting it up and VIP Service and SA520 seems to be synchronizing correctly but device doesnt direct VPN users for second authentication ?
View 16 Replies View RelatedI have a fibre connection on the dedicated WAN which was working perfect until someone somewhere cut through the line. The SA520 fell over to the Optional WAN port which is basic ADSL line which is connected. Logmein client is online too.
But it refuses to browse webpages, appears to be a dns issue or firewall or both.
I have added the ISP dns addresses into the forwarders on my server.
We have a Cisco SA520 Router (Firmware 2.1.18)We are only using this for about 1 month now. Router seems ok its justI am worried about the Memory utilization which reach to 62% (144/234 MB)Is this something to worry about?How can I utilize this by lowering down the usage?
View 3 Replies View RelatedI have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!. I have made sure the firewall was turned off. How to get the ssl tunnel connected?
View 3 Replies View RelatedIs Anyconnect supported for SA540 I have installed in on my android phone however I keep getting error "Unable to process data received from secure gateway" when trying to connect. If anyconnect is supported on SA540 how do I get it working?
View 1 Replies View RelatedSo I went to update the firmware on my SA520 last night and aparently something failed, the device restarted and now it doesn't respond to anything. The Diag light stays light and the factory reset button does nothing no matter how long I hold it in. Is there another way to reset the device?
View 2 Replies View RelatedIs PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
I have a scenario where I have a prexisting production LAN of 192.168.1.0/24 . It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24 , and a guest WLAN of a different subnet (I chose 192.168.20.0/24) . The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
The original production LAN is connected via an unmanged switch.I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of SA520 is 1, and I cannot make Port 4 on the SA520 ony a member of VLAN 10, then anything traffic coming from the unanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
How could i make a vpn tunnel between a router SA520 and a central UC540.
View 3 Replies View RelatedIs there a way on the security appliance SA520 to remove someone from the DHCP lease client manually rather than setting the DHCP lease time to expire in less time like 4 hours or 2 hours. I was able to do this on other routers by highlighting the connected device and click remove. If not any recommendations on how to handle the device that are attached via DHCP and the person is no longer here, but the lease time is not up. I have set DHCP lease time to 4 hours.
View 1 Replies View RelatedI am unable to isolate DMZ and LAN traffic with an SA520 running 2.1.7.1 firmware. I have the optional port configured as DMZ and DHCP server enabled. I tired leaving the firewall as default. Also tried creating firewall rules to deny traffic from LAN to DMZ and DMZ to LAN for any address and any service.I am still able to ping devices both from LAN to DMZ and DMZ to LAN. I am also able to see network resources in both directions.
View 5 Replies View RelatedVPN 1841, and static nat. I have to create VPN to connect to remote network, but problem is that they already use same subnet as mine. How to configure static nat on cisco 1841 so static nat will work and address will be translated in different IP when connection trough VPN.I have address 192.168.235.1 and I want to translate to 192.168.100.1,This 1841 is border router, and all VLNAs and VLANs routing is on 3650.
View 12 Replies View Related