The network design is a hub and spoke using a carrier provided MPLS network with an ASA 5520 at the hub that has an IPSec tunnel to another part of the company. This configuration has worked for some time now (long before I came to the company a couple of months ago). The thing that does not make sense to me is that those networks out on the spokes did not have a route to the inside interface network of the ASA. With the way this MPLS works, if a network is not in the MPLS network routing tables it will not pass that network. The network was not in the MPLS network, nor was it in any of our edge routers connecting to the MPLS.
These hub networks did have routes both in the MPLS and edge devices for the networks on the other side of the IPSec tunnel and have been reaching them for some time. So what I am trying to understand is how it is possible for these hosts that have no route to the ASA inside interface network, but do have routes to the remote networks, how are they able to successfully pass that traffic? There are no NAT devices between these WAN hosts and the ASA.
Currently running a pair of 5520s as VPN routers, running 8.0.3, and have been using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients. However, recently we tried testing some IPSEC clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPSEC client. From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using AnyConnect, I pull 0.1mbps. What could be causing this slowdown? Should SSL VPN performance be on par with IPSEC? Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.
I have a client that uses the ASA 5520 as both a firewall and VPN termination device. Day to day VPN usage is 30-50 users and the memory (512 MB) is typically at 50% while the CPU is mostly under 30%. I've suggested the RAM be upgraded to 1GB. The client would like to add a large block of VPN users which could see 250-300 concurrent users. What kind of a system resource hit should they expect with this level of load?
I have made the following change to my ASA 5520 using ASDM to try and force VPN clients to use a self assigned certificate from the ASA. I made the following changes: Remote Access VPN > Certificate Management > Identity Certificates > Add Certificate. Then I made the following change: Remote Access VPN > Network (Client) Access > IPSec(IKEv1) Connection Profiles > Connection Profile > Edit > IKE Peer Authentication > Pre Shared key and pointed the identity certificate to the one I created in the step above. Having made this change I am still able to VPN without a certificate configured in authentication settings. I was expecting that the VPN would attempt to issue the self assigned cert to client machine?
Options a user may reside in Austin, TX and I want the user to utilize the local proxy (i.e. texasproxy:8080). We currently only require the user to enter the RSA passcode and username to authenticate (RSA/AD usernames are identical). Is there a way to have the user authenticate via RSA and have the user's AD group membership (TX) assign the user the specific IE proxy settings? We are utilizing an ASA 5520 on 8.2, but we are willing to upgrade to newer IOS or even consider AnyConnect to resolve this issue.
Currently we have 2 ISPs for Internet. We need to achieve redundancy for IPSEC VPN using the domain.
Requirement: We will configure a domain and assign two public IP addresses from 2 service providers. We will set the priority for the public IP addresses and do the manual change during an ISP failure. We will provide the domain name to the clients to set up the IPSEC VPN. So in case of failure by one ISP, we will change the priority in the domain to point to the available address, so that we can reduce the downtime with no need to configure new IPSEC VPN tunnels.
Question: Can we achieve this on a Cisco ASA 5520? Or do we have an alternate solution to overcome this?
When I try to add CAS to CAM I cannot choose an OOB Virtual Gateway or OOB Real-IP Gateway, because these operation modes are absent in the Type list. What can be the reason for it?
Here is the situation: A CISCO871 router is configured to establish an IP SEC tunnel with a CISCO ASA5520. The configuration is OK about that. I wish to configure the same CISCO871 in order to establish a LAN-to-LAN IP sec Tunnel with another CISCO871 at the same time in order to reach private network. So, I have followed the Cisco procedure Document ID: 71462 "LAN-to-LAN IP sec Tunnel Between Two Routers Configuration Example"; it works, I can reach the peer private network BUT ONLY when the IP SEC tunnel with ASA is not established.
It seems to be a routing problem... I can't find how to configure it to make both tunnels up and functional at the same time.
I have two ASA 5520 units, both running version 8.3(2) code. Among many other uses, they have an IPSec tunnel between them to link office 1 and office 3 together. Office 2 does exist, and is connected to a different port on the ASA in office 3; there is no IPSec involved with office 3.
I have set up a remote access IPsec VPN on an ASA 5520. I can connect, and ping internal IP addresses, however I cannot ping back out to the internet, and DNS resolution does not work.
I am trying to set up remote access VPN on an ASA 5520 running 8.4.1. I have the IPsec group, policies, and IP pool set up. When I try to connect with the Cisco VPN client I see the following in the logs: Deny icmp src outside:214.67.39.42 dst outside:24.252.51.73 (type 3, code 3) by access-group "acl_inbound". Do I need to put in some firewall rules to allow this traffic so that the VPN can connect?
I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn't have to reload the ASAs. The issue 'resolved' itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz version 8.3.2.
We have multiple VPN tunnels coming to our Cisco ASA 5520. The problem is that when we create another tunnel with the same network as another network on the firewall, it does not know how to route the traffic to which interface or sub interface.
We have a set of PCs that will be connecting via either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA don't have Access Lists applied, so from what I understand, there is a default policy applied globally (class-default). Now my question is: If we set up VPN clients on our PCs, are the ports used by the clients to the VPN server allowed by default or do we need to tweak the class-default?
Are there any documents that I can use to design an IPSEC remote access solution using 2 data centers? One data center is primary and the other one is secondary. The VPN is terminated on an ASA 5520. End users are using the Cisco client.
I am working on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128 / 25) to be able to connect to external IPSec VPN servers.
So I created a network object with 10.10.249.128 / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:
I then added the following rules on the inside-in ACL: However troubleshooting shows that isakmp is passing through the firewall, but esp and ah are not.
For isakmp:
For ESP: Seems like the nat rule is drawing my ESP traffic,
I have a site-to-site VPN configured between a 5520 at our data center, and a 1700 at a client's site for site-to-site connectivity. What I've noticed is that the VPN can only initiate from my Data Center, never from the client router. I can telnet into the router and start a telnet session sourced from the "inside" interface and it fails, yet I can see the NAT translations get created in the state table that should match the crypto-map. However, if I ping a host on the inside of the remote LAN from my workstation (behind the 5520) to bring the tunnel up, and run the exact same command on the client router once the tunnel is up, it works. Right now I have a continuous ping running from my workstation to keep the tunnel up, but obviously that's not the best solution.
I had to modify this config to NAT the LAN addresses at the client to a non-overlapping subnet, so anything coming from 128.1.0.0/16 should be NAT'd to 192.168.105.[50-200]/24. I've also got two static NATs for inbound access from the data center and those seem to work fine.
Current configuration : 2787 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
I have upgraded my ASA 5520 to version 9.1 with ASDM version 7.1. After the upgrade ASDM shows a lot of IPSEC VPN-sessions in the GUI that I cannot see from the ASA. Right now the GUI says that I have 28 IPSEC-sessions while the output from "show vpn-sessiondb l2l" shows the expected 4 tunnels and the output from "show vpn-sessiondb remote" shows 0 as expected. (I do not use IPSEC from remote users).
We have a Cisco ASA 5520 supporting multiple VPNs - both remote-access and Lan-to-Lan. We would like to monitor the bandwidth utilization of the IPSec Lan-to-Lan tunnels.
We have a DNS server (only Internal IP) inside our network. Right now we have configured Remote Access VPN using the Public IP and we connect to it using the same Public IP. I need to use an FQDN instead of using the Public IP. What is the configuration for this?
I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. If so, what configuration options should I consider?
We have an ASA 5520 with 8.4(2) release and ASDM 6.4(5). When we create new IPsec connection profiles (by the IPsec wizard for example), the ASA resets all active vpnclient sessions. Now we need to create new profiles, but we have 170 vpnclient sessions active, so we can't.
We wish to implement IPSec remote access VPN with the condition that employees should be able to connect to this VPN only from company issued laptops and not from any other computers. I assume using client side certs is one of the ways to do it but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520).
I've tried to set up IPSec over TCP with a VPN-Client V5.0.07.0440 on Win 7 64b to my ASA 5520 (Version 8.2(2)16) regarding to
[URL]
IPSec over TCP activated at the ASA:
crypto isakmp ipsec-over-tcp port 10000
and in the transport tab of the VPN connection 'enable transport tunneling' with IPSec over TCP on port 10000 instead of 'IPSec over UDP'. The connect timed out with error code 412. And this is my log from the ASA:
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
I don't have a clue what's missing here. I have static crypto maps for the L2L tunnels and the default dynamic crypto map for the VPN clients which come over NAT-T:
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address INTERNET_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
We have configured a site to site tunnel from our ASA to another organization's Cisco 3030. It appears to have just one way initiation. We can do a ping to a device on the remote site and it will ping just fine. However, when the tunnel needs to be initiated from the remote site, it will not work until we have initiated the tunnel and then everything works.
I continue to see Error processing payload: Payload ID: 1 errors on the ASDM logs. It appears that all the configuration is in place because we can in fact establish the IPSec tunnel unidirectional. And once established, traffic can flow bidirectional.
I recently faced an issue at work. Clients want to make ipsec site-to-site vpn redundant. I have 2-asa-5520 working in a stack. Is it possible to configure site-to-site vpn in a redundant mode, like first peer ip address is x.x.x.x and secondary is y.y.y.y (backup) ?