Cisco :: Switch VPN Endpoint From Server To Firewall?
Apr 4, 2012
I'm pondering this new client's topology. He has: (internet) >> router >> switch >> Windows server with a VPN enabled.
Right now I access his network remotely by just RDPing directly into the server, which has a public IP address. Now, doesn't this mean that I'm already sailing through his router and switch? Doesn't that mean that all (broadcast, routing, etc.) communication hitting this IP is sucking CPU cycles and bandwidth on his router, switch, and server? Wouldn't it be best if he had his VPN endpoint set on his gateway?
Aug 13, 2012
We have a switch in our IT office, a Cisco 2960G. It plugs into the wall and goes to the server room and connects somewhere. This weekend we redid almost the whole server room and now this switch can't connect to the rest of the network. The uplink has a link light but can't get anything.
I have rebooted the switch and used scanning on our other switches to try to find the MAC of the switch, but for the life of me I can't see it. Is there a command I can run from the command line of the switch to see where it's pointing?
Jul 23, 2012
I'm connecting an endpoint to the switchport; the end client is a printer (Samsung ML-2850). The weird thing is that after connecting, the endpoint successfully gets an IP from the DHCP server, but somehow I cannot ping it. On the switching side there's no concern: even when I try another PC connected to this switchport, it's pingable. The only problem is that this printer cannot be reached.
I am able to see the MAC address entry of the printer at my ASA firewall; rule-wise, at this moment I have just enabled the rule as permit any any, no restriction at all.
Jul 10, 2011
I would like to know how to configure my DIR-600's firewall UDP Endpoint Filtering. I've read some guides and I've got to configure this to Endpoint Independent in order to play League of Legends. The problem is that I can see the option Firewall & DMZ, but then I don't see the UDP or TCP Endpoint Filtering options.
Dec 26, 2011
I have a new customer where I installed an ASA 5505 to replace a Linksys VPN router. They have a main office with a static IP address, 3 branch offices with static IP addresses and 2 branches that are doing DHCP from the ISP for their router address. I have no problem getting the static VPNs up and running. My problem is with the VPN connections that are doing DHCP. I can go in and determine what IP they are currently using, set up a connection, and it works fine. The problem is of course when their IP address from the ISP changes, which seems to happen at least daily. What is the proper way to set up a connection that is using DHCP? Also, can you set up multiple connections this way? Currently the 2 locations have different passwords set up in their routers.
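A hub-side configuration for spokes whose WAN address changes, added here as an example; it is not taken from this thread or from the replies. It uses ASA 8.4 syntax (on 8.2 the same commands appear without the ikev1 keyword: crypto isakmp policy, crypto ipsec transform-set, pre-shared-key) and assumes an interface named outside, a hub LAN of 10.0.0.0/24, spoke LANs 10.4.0.0/24 and 10.5.0.0/24, and spoke IKE identities branch4.example.com and branch5.example.com. All addresses, names and keys are placeholders.

```text
! Hub ASA, 8.4 syntax. Interface "outside" faces the internet.
! Phase 1 (IKEv1). Aggressive mode has to stay enabled for dynamic spokes,
! so do NOT configure "crypto ikev1 am-disable".
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set shared by every spoke.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One tunnel-group per dynamic spoke, named after the IKE identity the spoke
! sends (the spoke must use aggressive mode with a hostname/key-id identity).
! This is what lets each branch keep its own pre-shared key.
tunnel-group branch4.example.com type ipsec-l2l
tunnel-group branch4.example.com ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-BRANCH4-KEY
tunnel-group branch5.example.com type ipsec-l2l
tunnel-group branch5.example.com ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-BRANCH5-KEY
!
! Interesting traffic per spoke.
access-list BR4-VPN extended permit ip 10.0.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list BR5-VPN extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
!
! NAT exemption (8.3+ style) so hub-to-spoke traffic is not PATed to the
! outside address before it reaches the crypto map.
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network BR4-LAN
 subnet 10.4.0.0 255.255.255.0
object network BR5-LAN
 subnet 10.5.0.0 255.255.255.0
nat (inside,outside) source static HUB-LAN HUB-LAN destination static BR4-LAN BR4-LAN no-proxy-arp
nat (inside,outside) source static HUB-LAN HUB-LAN destination static BR5-LAN BR5-LAN no-proxy-arp
!
! Dynamic crypto map: no "set peer", so a spoke at any address can bring the
! tunnel up. The entry is chosen by matching the spoke's proposed networks
! against "match address"; the tunnel-group is chosen by the IKE identity.
crypto dynamic-map DYN-SPOKES 10 match address BR4-VPN
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-SPOKES 20 match address BR5-VPN
crypto dynamic-map DYN-SPOKES 20 set ikev1 transform-set ESP-AES256-SHA
!
! Static-peer entries keep their lower sequence numbers; the dynamic entry
! goes last so it is only consulted after no static peer matched.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
```

Only the spoke can initiate, because the hub has no peer address to dial; a spoke whose WAN address just changed re-establishes the tunnel on its next interesting packet. Each spoke must send exactly the identity its tunnel-group is named after; check with show crypto ikev1 sa and show vpn-sessiondb l2l, and run debug crypto ikev1 127 if a spoke lands in the wrong group. The simpler alternative of a single DefaultL2LGroup with a wildcard key gives every branch the same secret, so whoever recovers it from one branch router can bring up a tunnel from anywhere; per-spoke tunnel-groups avoid that.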
Nov 2, 2012
In my organization we have 2 sites. These 2 sites have ASA 5520s, and an L2L between the ASAs. The interface that is forming the VPN tunnel is on the ASA, NATed on the router. These ASAs sit behind the routers, which are then connected to the ISPs. Recently, we had to change the ISP that we were creating the tunnel on, from Comcast to Sprint, at our remote site. I re-NATed the interface, and the L2L tunnel came back up after editing the tunnel-group and crypto maps and reapplying the crypto map to the interface. However, our remote access VPN no longer works on the ASA that we changed the IP on. The other side was never changed and still works fine. When I tried using debug cry isa and debug cry ipsec on the firewall, nothing shows when we attempt to connect. We are using IPsec over TCP. In the ASDM log, it says: Deny TCP (no connection) from xx.xx.xx.xx/49907 to xx.xx.xx.xx/10000 flags RST on interface WAN.
The VPN worked fine before, could it be an ACL thing? All we changed was the IP so that's what I'm inclined to believe, but on the router none of the interfaces have an ACL that's applied to them. It can't be on the ASA, because I believe we have the option to ignore the ACL enabled, but I might be incorrect about this. I'm new at ASA/VPNs in general.
I would upload the configs, but is there a pertinent output that would work, or just a general sh run?
Aug 2, 2011
Trying to troubleshoot a VPN device that is behind an ASA. The basic setup is: IOS VPN < firewall/NAT < internet > ASA/NAT > IOS VPN
I do not have a lot of insight into the other side of the connection, although the tech on the other side claims all is good. So, to the point:
Is the asa capable of allowing this tunnel to work? The configs and debug follow.
1.1.1.1 = my public ip
2.2.2.2 = peer public ip
The asa -
[Code]......
Mar 18, 2011
Our ISP gave us a /30 for our external connection (with one IP being their side, and the other our firewall's outside int) and they then route a /28 down to us to give us 14 public IP addresses. Usually we use static NATs to give internal servers a public IP, and it works fine.
However, now I need to set up another VPN device with a public IP from our /28 pool. How the heck do I NAT that? Should I give its external interface a private IP and then NAT it at the first firewall? The 2nd firewall will be a VPN endpoint, and I'm afraid the NAT will break that.
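A way to give the second VPN device one address out of the routed /28 through the first firewall, added here as an example and not taken from the thread. It assumes the first firewall is an ASA running 8.3 or later, that 203.0.113.16/28 stands in for the routed block, that a third interface named dmz carries 10.10.10.0/24, and that the VPN device sits at 10.10.10.2 on it. Every address and name is a placeholder.

```text
! First firewall, ASA 8.3+ syntax.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! One-to-one static NAT: the device's real address is fixed to one public
! address from the /28. Because the ISP routes the whole /28 to the firewall's
! /30 address, no proxy-ARP is involved; the firewall only has to own the mapping.
object network VPN2-DEVICE
 host 10.10.10.2
 nat (dmz,outside) static 203.0.113.20
!
! Admit the IPsec control and data channels to the device. Post-8.3 the
! access-list names the real address (the object), not the mapped one.
access-list OUTSIDE-IN extended permit udp any object VPN2-DEVICE eq isakmp
access-list OUTSIDE-IN extended permit udp any object VPN2-DEVICE eq 4500
access-list OUTSIDE-IN extended permit esp any object VPN2-DEVICE
access-group OUTSIDE-IN in interface outside
!
! Nothing is added for dmz -> inside: a lower security-level interface cannot
! reach a higher one by default, which is the right starting point for a box
! that terminates tunnels from other networks. Open specific holes only if
! the tunnel traffic must reach inside hosts.
```

The static mapping does not break IPsec by itself: both peers detect the translation during IKE (NAT-D payloads) and move ESP into UDP/4500 (NAT-T), so ESP never has to survive the NAT, and show nat detail and show conn protocol udp port 4500 will show the sessions. What does break tunnels is a far end that expects the IKE identity to equal the peer address: the device will present 10.10.10.2 as its ID unless told otherwise, so set its IKE identity to a hostname/key-id or to the public address and agree that with the remote side, and make sure NAT-T is not disabled on either end. If you would rather not NAT at all, address the dmz interface and the VPN device out of the /28 instead; addresses used that way can no longer double as static-NAT targets on the outside.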
Oct 31, 2011
Cisco 2651xm router
IOS: c2600-ipvoicek9-mz.124-15.T7.bin
Can a 2651XM router be configured as a PPTP VPN endpoint (client)? I ask because I want to connect this router to a professional vpn (privacy) service such as proxpn or mullvad or similar. If it can't, any vpn privacy services that cater for cisco-based vpn connection?
Apr 16, 2013
We have about 160 users set up using the AnyConnect client connecting to an ASA 5510. We are using split tunneling and also using the Websense endpoint client. Every now and again, after installing the endpoint client, we are unable to connect with AnyConnect. It asks for credentials, waits for a while and then fails with the error "AnyConnect was not able to establish a connection to the specified secure gateway. Please try again later."
If we uninstall the endpoint client it works again, and normally after a reinstall it fails again (I know). Eventually it just works and then it's fine.
We have logged a call with Websense and sent packet traces of working and non-working cases. The only thing they came back with is that if we filtered the non-working trace on port 80 you could see a few RST,ACK coming from the ASA to the client, so they blamed the Cisco components.
Nov 16, 2011
I have a Snapgear 560U VPN Gateway at the main office with VPN connections to several branch offices also using Snapgear 560Us. Those are no longer manufactured, though, so I bought a Cisco WRVS4400N for our new office. The main office has a fixed IP but the branch office has a dynamic one. On the Snapgears it is very clear where I need to enter the mandatory endpoint name on the dynamic side of the tunnel, but I can't find anything on this on the Cisco WRVS4400N. So where do I enter this information so that I can make a VPN connection between the Snapgear and Cisco boxes?
Apr 2, 2012
With firmware 1.2.0.9 - can the RV110W be used as a VPN endpoint? The VPN capabilities have been expanded in this version - but from the docs this isn't quite clear to me.
Feb 12, 2011
My network is set up in the following way:
DSL-320B
  |
Linksys E3000, 192.168.0.0/24 (Subnet A)
  static route: 192.168.1.0 255.255.255.0 via 192.168.0.100
  |
DIR-655 WAN port, 192.168.0.100
  |
DIR-655, 192.168.1.0/24 (Subnet B)
I am unable to browse by IP any machines on Subnet B from Subnet A and suspect this is due to the NAT and the Endpoint Filtering within the DIR-655.
Nov 10, 2012
I purchased the RV180 to replace a dead Linksys BEFVP41 to connect a home office to HQ. The Linksys was configured with three IPSEC tunnels to connect to three different subnets all through the main HQ gateway. Note that each tunnel is independent with its own pre-shared key. I can configure the same tunnels on the RV180, and each one works correctly, but I can only get one to run at a time. I have to disable the other two. Enabling a second tunnel results in the No phase2 handle found error. I could not use the Basic VPN setup as it complains that the remote endpoint is already in use. I had to use the Advanced VPN Setup to create the IKE and IPSEC policies. In a different discussion [URL]
Mar 29, 2012
I have an IPsec tunnel whose IP is changing from the (mythical) 200.200.200.182 to 200.200.200.254. Is it possible to change the .182 IP in the config below via the CLI to .254 and have the site-to-site VPN continue to work? [code]
Apr 30, 2012
I am trying to connect a router as an endpoint (because I just want to use a service from it). Well, the issue is this: I have an L3 switch that has many VLANs; it routes traffic and provides the internet connection. VLAN 182 has been created, and on this L3 switch an interface vlan 182 has been configured with IP 10.0.82.1/28.
To this L3 switch another L2 switch is connected, with an interface vlan 182 with IP 10.0.82.2/28. Finally I have a last switch with the same configuration, except that it has IP 10.0.82.3/28. To this last switch the router is connected on Gi1/0/24 as an access switchport; this port belongs to VLAN 182. On the router the port is Gi0/0, it has IP 10.0.82.4/28, and it is up.
The switch where the router is connected is reachable from the router, but the other switches are not. The router can reach all of the network, but not the reverse. The router has ip default-gateway 10.0.82.1 configured.
May 17, 2012
We have installed NAC for our customer and it works fine, but the customer wants to change the version of Kaspersky antivirus from 6 to 8 (Endpoint Security). When we tried this, the NAC agent does not find the antivirus on the workstation. I want to know if this version of Kaspersky (Endpoint Security) is supported by NAC; if not, is there a solution to make it work with the NAC?
Aug 30, 2011
I want to use the endpoint assessment / prelogin policies to apply only for anyconnect. Are there any ways to configure this?
I do not want the Secure Desktop to popup during webvpn.
May 13, 2012
In an environment with WCS and a WLC 5508 with 40 APs (the WAPs are either 1262s or 1252s), I have noticed that the bulk of users are in fact operating on 802.11g, although most notebooks in use have 802.11n-capable NICs (including my own laptop's NIC, yet when I connect, I connect at 54 Mbps). Only a small portion of registered clients are using 802.11n. All my WAPs have both radios enabled. My question is: how does a client notebook select a "preferred" band of 802.11n? I know in some cases the wireless NICs themselves have an option to select the "Preferred Band", but there are many notebooks out there that don't have this option. What would make a client connect at 802.11n over 802.11g? Who makes that call?
Apr 4, 2013
Environment: AP 2602, WLC 5508 v7.4, ISE 1.1.2, Prime Infrastructure 1.2
For a specific SSID, we use the MAC address as one of the conditions to authorize access only for the company-owned mobiles (smartphones and tablets), the other condition being that the mobile presents a valid AD user/password; this way, the so-called BYODs are rejected, since this is the rule within this company. The difficulty with this approach is the fact that there is no way in ISE Identities > Endpoints, nor in Groups, to associate a user-friendly name with the MAC address of the mobiles, which makes some actions, such as a search in the ISE authentication log based on the MAC address value itself, very tedious. The question is just to know if it is planned, for future ISE versions, to add a new field in the Identities > Endpoints definition that would allow associating a user-friendly name with a MAC address.
Mar 12, 2013
While users connect through AnyConnect, AnyConnect doesn't check endpoint attributes. I've configured checking for the process "notepad.exe", but it doesn't work. There is no check of the "notepad.exe" process in the output of debug dap trace (see attachment).
ASA 5520 ver 8.4(1)
AnyConnect 3.1.02040
HostScan 3.1.02043
CSD 3.6.6234
Jan 5, 2013
I am trying to connect my RV110W from my home office to our office IPSec router. I have a dynamic IP address and am using DDNS, therefore the RV110W local endpoint needs to be configured with my FQDN, not the IP address as this will change.
On page 100 the manual states
Step 4 -
• Local WAN (Internet) IP Address—Enter the public IP address or domain name of the local endpoint (Cisco RV110W).
This option is not available in my router - I am running firmware 1.2.0.9
Jul 24, 2011
I'm using an ASA 5510 and I am trying to understand how PAT works. I want to add a mail server in the LAN and a webmail using port 3000 on the server (the webmail must be reachable from the WAN). This is my configuration: currently LAN users access the internet using NAT with one global IP (194.x.x.69), which is the ASA WAN interface.
WAN ----- ISP Router ---------- FW ---------- LAN -------- Mail Server (25) + Webmail (3000)
                          194.x.x.69 (outside)  192.168.1.254 (inside)          192.168.1.6
I need to forward port 3000 and port 25 from outside to inside. For example, from the WAN, [URL] must be redirected to 192.168.1.6:3000. What is the correct configuration? And what about the inside/outside traffic, is there any configuration to add?
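A static PAT configuration for the two ports in the post above, added here as an example and not taken from the thread. It uses ASA 8.3+ object NAT syntax; the interface names inside and outside, the addresses 194.x.x.69 and 192.168.1.6, and the object and ACL names are taken from the post or are placeholders.

```text
! ASA 8.3+ syntax. 194.x.x.69 is the outside interface address that the LAN
! already PATs behind, so "interface" is used as the mapped address.
!
! One network object per forwarded service: an object carries exactly one
! nat statement, so the same host needs one object for 25 and one for 3000.
object network MAILSRV-SMTP
 host 192.168.1.6
 nat (inside,outside) static interface service tcp 25 25
!
object network MAILSRV-WEBMAIL
 host 192.168.1.6
 nat (inside,outside) static interface service tcp 3000 3000
!
! NAT alone admits nothing. The outside-in access-list must permit the
! traffic, and post-8.3 it is written against the real (untranslated)
! address, i.e. the object, not the outside IP.
access-list OUTSIDE-IN extended permit tcp any object MAILSRV-SMTP eq 25
access-list OUTSIDE-IN extended permit tcp any object MAILSRV-WEBMAIL eq 3000
access-group OUTSIDE-IN in interface outside
!
! The existing outbound PAT for LAN users is unchanged. Static object NAT is
! ordered ahead of dynamic NAT within the same section, so inbound
! connections to the two ports are untranslated before this rule is consulted.
object network LAN-USERS
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verify from the CLI without waiting for an outside client (203.0.113.5 is
! a placeholder source; substitute the real outside address for 194.x.x.69):
! packet-tracer input outside tcp 203.0.113.5 40000 194.x.x.69 3000
```

On 8.2 and earlier the same thing is one line per port, static (inside,outside) tcp interface 3000 192.168.1.6 3000 netmask 255.255.255.255, and the access-list then references the mapped side: permit tcp any interface outside eq 3000. Two caveats before opening the holes: a webmail on a bare port 3000 is a cleartext login for the whole internet unless the server itself speaks HTTPS there, so put TLS in front of it or limit the source addresses; and port 25 should be reachable only by the MTA, with outbound 25 from the rest of the LAN blocked so an infected desktop cannot spam through the same outside address.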
Aug 23, 2011
We have a Cisco ASA 5505 with ASDM 5.2. We have one proxy server in our local lab, pointed to a hosted service (Simple Signal). The issue is, when our proxy server sends a REGISTER to the hosted server, the ASA changes the private IP and sends it with the outside IP and src port 1063 every time.
Here is debug log on real time monitoring.
Aug 24 2011 05:21:19 302015 203.xxx.xxx.226 192.168.1.51 Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142)
Aug 24 2011 05:21:19 607001 203.xxx.xxx.226 Pre-allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message
Aug 24 2011 05:21:19 710005 203.xxx.xxx.226 99.xxx.xxx.107 UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063
Here 99.xxx.xxx.107 is Our ASA Outside IP address 203.xxx.xxx.226 is Hosted server IP address. My ASA config is attached.
Apr 26, 2011
I have the below setup:
1. I have a 6509 switch
2. I have 2 WLCs configured in Active/Active mode, connected in trunk mode (L2 port-channel) to the 6509 switch
3. On the switch side I have configured the port as trunk
4. L3 SVIs for wireless users are created on the 6509 switch (diagram attached).
I would like to introduce a Cisco ASA 5520 firewall with an AIP-SSM module so that all wireless traffic can be inspected.
The issue is: without changing any configuration in the network (switch & WLC), is it possible to introduce the firewall?
Aug 23, 2011
Setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch. BT have presented me with a Cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 GigabitEthernet ports on the back of the router; port Gi0/0 is connected to the BT NTE and the status light is flashing green. Interface Gi0/1 is connected into port e0/1 of the ASA, but I am unable to get any connection.
Apr 3, 2012
I would like to set up "IP SLA" between L3 switch(supports many "IP SLA" versions like "UDP Echo Operation", "TCP Connect Operation", "UDP Based VoIP Operation", "ICMP Echo Operation", "FTP Operation" etc) and GNU/Linux server. Are there any "IP SLA" test types which are supported only between two Cisco devices?
May 26, 2013
In the past I used an RVS4000 as a VPN server for my company, but since I recently moved my company to China I would like to use it for a different purpose, if it's possible. What I would like to do is the following:
1. Use an ADSL router to create a LAN network.
2. Connect my RVS4000 to the ADSL router and use it as a switch instead of a router.
3. Use the RVS4000 to connect to a VPN server abroad over L2TP or PPTP.
This would allow me to enjoy the best of 2 worlds:
1. Enjoy the full broadband speed of the LAN network created by the ADSL router for normal internet use.
2. Have a separate wired connection permanently connected to the VPN, giving access to company email etc.
My question is: is this actually possible? Can the RVS4000 be used as a switch? When used as a switch, can the RVS4000 still be used as a 'VPN receiver'? I'm possibly trying to do the impossible, because I would have to have the ADSL router act as the DHCP server and disable DHCP on my RVS4000, in which case it is probably impossible to have the RVS4000 act as an L2TP/PPTP VPN receiver.
May 22, 2013
I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
Jun 11, 2013
My setup is as below:
inside host --> ASA1 (outside interface) -- layer 2 switch -- (outside interface) ASA2 (inside interface) -- DHCP server
We want the inside host to get an IP from subnet 192.168.10.0/24. This IP pool is configured in the DHCP server (IP 172.16.10.1), which is connected to ASA2. There is no routing issue, as we are able to ping the DHCP server 172.16.10.1 from ASA1. What config is needed on ASA1 and ASA2 so that a host connected to ASA1's inside interface can get an IP from the DHCP server? We have configured 192.168.10.1/24 on ASA1's inside interface, which will be the gateway for ASA1's inside hosts.
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature: [URL] "Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group."
Apr 28, 2011
When we use a switch as the DHCP server and we want to configure a DHCP relay on another subnet that is not connected to this switch, what is the DHCP server IP address for the DHCP relay configuration? Should we use the vlan1 IP?
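A switch-as-DHCP-server plus remote relay configuration, added here as an example; it is not from the thread. It assumes IOS on both boxes, a remote subnet of 10.20.0.0/24 behind a router whose LAN interface is 10.20.0.1, a switch loopback of 10.255.255.1 chosen as the server address, and a next hop of 10.1.0.2 from the switch toward that router. All addresses are placeholders.

```text
! --- Switch acting as DHCP server (routing enabled) ---
! The pool for the REMOTE subnet. The server picks it by the giaddr the
! relay stamps into the DHCPDISCOVER, which is the relay interface address
! 10.20.0.1, so the pool must cover that subnet, not the switch's own.
ip dhcp excluded-address 10.20.0.1 10.20.0.10
ip dhcp pool REMOTE-VLAN20
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
 dns-server 10.1.0.53
!
! The address handed to the relay is any switch IP the relay can reach. A
! loopback is the usual choice because it never goes down with a VLAN; the
! vlan1 SVI works too, but the relay stops working whenever VLAN 1 is down.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! The OFFER is unicast back to the giaddr, so the switch needs a route to
! the remote subnet (static here; a routing protocol does the same job).
ip route 10.20.0.0 255.255.255.0 10.1.0.2
!
! --- Remote router, the relay, on its LAN-facing interface ---
interface GigabitEthernet0/1
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.255.255.1
!
! ip helper-address forwards more than DHCP by default (TFTP, DNS, time,
! NetBIOS name/datagram, TACACS). Turn off what the remote site does not
! need so the switch is not handed those broadcasts as unicast:
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
```

Confirm leases with show ip dhcp binding on the switch and, if nothing appears, debug ip dhcp server events there while a client renews: a DISCOVER that arrives with the expected giaddr but draws no OFFER usually means no pool matches the relay's subnet, while no DISCOVER at all means the helper address is unreachable or blocked on the way (the packet is a unicast to UDP/67 once relayed, so any ACL or firewall in the path has to permit it).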
Apr 3, 2011
I have connected two servers to my network. Both servers are running Win 2008 R2 and I have connected them as follows: connected a 3Com switch to the 2Wire router using a straight-through Ethernet cable, then connected the server to the 3Com switch. All lights on the switch are green, but I am still unable to connect to the internet. When I connect the server directly to the router, the internet works, but not through the switch.