Cisco Switching/Routing :: ASA 5505 - Exchange Remote Clients Cannot Access
Sep 6, 2012
Just installed ASA -5505 replaced cisco 851
My exchange server hosts remote outlook clients and remote web access
no one on the remote side can access my exchange server
internal mail flows in bound and out bound.
My iphone can not access the exchange server either.
When the Cisco 851 was online all the above worked great. Nothing changed on the remote client side just put the ASA 5505 in service.
I am new to the ASSA 5505 family. Had a reseller configure the router but unable to get them at this hour. Called Cisco support but they are closed at this time also.
View 5 Replies
ADVERTISEMENT
Mar 31, 2013
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs setup (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc).All interVLAN routing is done on a 3560 via vlan SVI. Connected to the 3560 via a routed port is a ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) into a specific VLAN. I want to extend this concept to Remote VPN access. Therefore I setup multiple Group Policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to login wtih different users who get assigned to different Group policies and they obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logins remotely and gets an IP in 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
View 3 Replies
View Related
Apr 15, 2012
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
View 1 Replies
View Related
Feb 7, 2013
We have an ASA configured to access the internet, which works fine for clients who have an IP address assigned by DHCP, but not for clients with manually assigned IPs.
For instance, with the DHCP server configured to give IP addresses between 172.16.101.1 and 172.16.101.10, a device may get the IP address 172.16.101.1. This machine will have connectivity to the internet.
If we then configure DHCPd server range as 172.16.101.2 to 172.16.101.10 and statically assign the 172.16.101.1 IP to the client, it will not have internet access. It will, however have inside access and VPN access.
If I try to ping 8.8.8.8, the following is logged:
ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100 (type 0, code 0)
Where 'servers' is the name of the inside interface the request is made from and 'xxx.xxx.xxx.100' is the external IP. It seems as DNAT is not working when the client IP is static assigned.
View 5 Replies
View Related
Dec 12, 2012
I have 2 site here:
site A
Cisco 891
external IP: 195.xxx.yyy.zzz
VPN Gateway for Remote users
[Code]....
View 1 Replies
View Related
Apr 4, 2011
We have a setup where clients on the internal network send/receive their emails through Microsoft Outlook client, while the Exchange server is hosted on the internet, outside the organization.The clients are connected to a Cisco switch, behind an ASA5510 Firewall. The Firewall is connected to an internet router, with double NAT (On the ASA and Router).
the outlook clients disconnect from the Exchange server, sometimes for hours, and then reconnect again. During these disconnections, the same client PCs are able to browse the internet normally. There are no restrictions for the traffic going from the inside to the outside. During the disconnections, if we try to connect using a public IP bypassing the ASA & router,.
View 1 Replies
View Related
Dec 12, 2011
I have 2 sites :
site A :
ASA 5510
VPN gateway for remote users
LAN 192.168.192.0/22
site B :
ASA 5505
LAN 192.168.208.0/22
Both sites are connected through a site to site VPN.Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.
Here is a part of my configuration :
On Site A (ASA 5510)
--------------------------------
name 192.168.192.0 SiteA_Internal_Network
name 192.168.208.0 SiteB_Internal_Network
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
[code]....
View 9 Replies
View Related
Oct 24, 2012
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
View 5 Replies
View Related
Dec 13, 2012
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5). We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the group policy.I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clients may ignore this option anyway.
View 0 Replies
View Related
Jul 25, 2011
I have a RV082 and several of my remote laptops cannot access my server using its domain name. It can be accessed using its internal ip address. The issue is that you can log onto the server using remote access and the ip however you cannot use any shortcuts using the domain name. You can see the server with the domin name however no access path is available. This is only on a few remote user laptops. Others work perfectly.
View 1 Replies
View Related
May 23, 2013
I've got a Cisco 1941 setup working fine for Cisco Anyconnect. Clients can connect to local resources fine. The issue I have is I need the remote clients to access a third party IP address but to do so they must do it through the VPN. At the moment only local resources are accessed across the vpn and if they need internet they use their own internet connection they are connecting with.I've added the below to make sure traffic going to the IP is going across the VPN.
View 4 Replies
View Related
Dec 31, 2012
ASA Version 9.1(1)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code]....
View 9 Replies
View Related
Mar 27, 2012
I'm trying to configure an ASA 5505 to view my Slingbox from my iPhone/iPad from an outside or 3G network. I can't ping my internal networks while connected via AnyConnect. I know that I need to free up port 5001, but I can't seem to get it to work.
View 0 Replies
View Related
Jun 9, 2010
I'm looking to setup AnyConnect VPN with no split tunneling. ASA 5505 v8.2. It seems this should be really easy. I must be missing something.
I can get the AnyConnect users to connect fine and they can access sites internal and at other IPSec-tunneled sites. But no access to the internet.
Internal is 10.1.1.x, VPN pool is 10.1.1.251-253 (Temp list for testing). I issued the following tracer: packet-tracer input outside tcp 10.1.1.253 12345 69.147.125.65 80 detailed
The last reported point (where it fails) is:
Phase: 7
Type: WEBVPN-SVC
Subtype: in
[Code].....
View 10 Replies
View Related
May 7, 2012
I have created remote access vpn in my ASA 5505. The tunnel is established but i am not able to access the internal network.
View 3 Replies
View Related
Jun 18, 2012
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
[code].....
what I need to add to get the vpn client to be able to ping the router and clients?
View 3 Replies
View Related
Mar 17, 2013
I am almost new to the networking field, hence I might have lacking some basic knowledge. I like to know the impact if the ground of any router get disconnect. WIll the router stops work? We have two peripheral router in my organization, both are connect with the MPLS cloud through the MUX. One router (3745) have ground connection, where as the other (3845) don't. Recently the 3745 router start generating CRC error on the WAN interface. Once we remove the patch cord connecting with the MUX for loop test and reconnect later, the interface did not come back again. FInaly someone advice me to check the ground connection. I found it was loose. Once I fix it properly and reboot the router the interface become up. The person told me that some cisco router send the reference signal through the ground to the MUX connecting with it, if the MUX and router failed to exchange the reference signal the router will not work, is this true ?
View 2 Replies
View Related
Sep 12, 2012
We have two ASA 5500 series Firewalls running 8.4(1). One in New York, another in Atlanta.They are configured identically for simple IPSecV1 remote access for clients. Authentication is performed by an Radius server local to each site.
There are multiple IPSec Site-to-Site tunnels on these ASA's as well but those are not affected by the issues we're having.First, let me start with the famous last words, NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/Password, then nothing until it times out.Sames users going to the NY ASA are fine.After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter for their client machine, they will get stuck trying to login to Atlanta.These same clients will get into the New York ASA with no problems using wired or wireless connections.Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same creditials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address right? Again, this is beyond my scope of knowledge.We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail. We've also rebooted the Atlanta Firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/Radius server was rejecting us but is shows the same reject message for the working connection. Again, both MAC and Windows clients show the same sequence.Where the connection fails is the "IKE Phase 1" process.
-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
%ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
%ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
[code]...
View 1 Replies
View Related
Feb 14, 2013
I have created Remote access vpn on ASA 5505 (ver 8.2(5) with base license). When I connect from one machine, I can ping the internal network. But when I connect from another machine, cant.I have only decrypts on the ASA side, without encrypts. I was debugging ICMP packets with the capture feature, and saw that echo-reply packets are returning toward the outside interface, but aren't passing through it.
capture test access-list test interface outside
1: 08:54:44.298980 802.1Q vlan#1 P0 x.x.x.x > y.y.y.y: icmp: echo reply
Where x.x.x.x is LAN and y.y.y.y is the VPN client ip. The nat is ok, access lists are ok, but the packets dont pass through.I tried creating new VPN profile but the same problem, it seems that only one remote client can be active even base license allows more than 1 client.
View 2 Replies
View Related
Jun 19, 2011
Got a single asa 5505 configured in the office. we have 3 site to site vpn connections from this device, which all work from within the office.Ive not setup my pc to connect from home to the asa via the ciso client.
i can connect to all LAN servers on the local subnet, however i cannot connect through the ASA to any of my site to site vpn's.
if i do an ipconfig on my home pc i can see my local ip, mask & gw, and i can see my assigned remote access ip & mask but no gw.
I cannot ping any remote site to site pc's by IP or name.
View 6 Replies
View Related
Dec 10, 2012
I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
The VPN client logs are as follows:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2 15:09:21.240 12/11/12 Sev=Info/4 CM/0x63100002
[code]....
View 9 Replies
View Related
Apr 24, 2012
We have a ASA 5505 in our enviroment. We already configures two site 2 site VPN to our branch offices. Now we are planning to configure remote access VPN. So what should be consider when configuring the remote access VPN in ASA which already having site to site VPN?
View 9 Replies
View Related
Jun 26, 2012
I am trying to port forwarding Exchange 2010 OWA using ASA5505, wherever I used object NAT or Twice NAT it just doesn't work.... here is my config:
access-list outside-access remark "Exchange Server Access Rules"
access-list outside-access extended permit tcp any host <public x.x.x.11> eq smtp
access-list outside-access extended permit tcp any host <public x.x.x.11> eq https
[code]...
note that i use public ip <public x.x.x.9> on the outside interface for PAT, so all hosts in the same private can access internet
View 1 Replies
View Related
Oct 3, 2011
I have Cisco ASA 5505 and i want to create vpn remote access ...l
so i created and connected to the vpn ...my problem is to reach my Local connection of 192.168.1.0 /24 i put the WAN Connection in the FA0/0 and put my LOCAL AREA CONNECITON into FA0/1 .. so how i can route or translate my connection , and using cisco ASDM 6.1 in GUI ,,,
View 1 Replies
View Related
May 22, 2013
We have 3 offices, each with an ASA 5505 as the router/firewall, connected to the cable modem
(NC office) <----IPSEC----->(PA office) <----IPSEC-----> (CT office)
Internally we have a full mesh VPN, so all offices can talk to each other directly.I have people at home, using remote access VPN into the PA office, and I need them to be able to connect to the other two offices from there.I was able to get it to work to the CT office, but I can't get it to work for the NC office. (What I mean is, users can remote access VPN into the PA office, and access resources in the PA and CT offices, but they can't get to the NC office).
Result of the command: "show run"
: Saved:ASA Version 8.2(5) !hostname WayneASA
names!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address 70.91.18.205 255.255.255.252 !ftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server 75.75.75.75name-server 75.75.76.76domain-name 3gtms.comsame-security-traffic permit intra-interfaceobject-group protocol TCPUDPprotocol-object udpprotocol-object tcpaccess-list inside_access_in extended permit ip any any access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list IPSec_Access extended
[code].....
View 15 Replies
View Related
Sep 27, 2012
i want my ASA 5505 8.2(5) to access my proxy server on remote lan through VPN my VPN is OK, all PCs of local network can access to remote network.but ASA on local network can't access to remote network.i think it's a NAT problem but ....
local network 192.168.157.0/24 local IP ASA 192.168.157.1
remote netword 10.28.0.0 /16
remote proxy 10.28.1.26
my conf
[code]....
View 1 Replies
View Related
May 24, 2011
I have 3 networks coming from the DMZ (VPN) and only one works:10.132.24.0/24 Not working10.132.25.0/24 Not working10.132.26.0/24 Working The thing is, the one that works is on the same network as the DMZ(VPN) interface. The other two do authenticate and they get an IP from the VPN Pool. but they just cant access anything.
View 11 Replies
View Related
Mar 1, 2012
I have not really set up ASAs nor VPNs on Cisco devices before. I'm currently attempting to configure a remote access VPN between ASA devices, a 5505 and a 5510. The 5510 is meant to be the server and the 5505 is meant to be the easyvpn client. The reason I am opting for remote access as opposed to site to site is that I have many 5505s at remote sites that I will need to configure in the future, and they will be moving around a bit (I would prefer not to have to keep up with the site-to-site configs). The 5510 will not be moving. Both ASA devices are able to ping out to 8.8.8.8 as well as ping each other's public facing IP.
Neither ASA can ping the other ASA's private IP (this part makes sense), and I am unable to SSH from a client on the 5510 side to the 5505's internal (192) interface. I have pasted sterilized configs from both ASAs below.
ASA 5510 (Server)
ASA Version 8.0(4)
!
hostname ASA5510
domain-name <domain>
enable password <password> encrypted
passwd <password> encrypted
[code].....
View 3 Replies
View Related
Dec 21, 2012
I try to configure my CISCO ASA 5505 for remote access vpn, and I encounter the following issue : Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding. [code]
View 2 Replies
View Related
Jan 17, 2012
Is there a way I can configure a remote access VPN on a Cisco 5505 using digital certs instead of pre-shared key. I dont want to use a 3rd party CA, can the ASA perform this role? with a self signed cert?
View 6 Replies
View Related
Mar 10, 2013
I have an ASA 5505 that is on the perimeter of a hub & spoke vpn network, when I connect to this device using the VPN client I can connect to any device across the VPN infrastructure with the exception of the sub net that the client is connected to, for instance:
VPN client internal network connects to 192.168.113.0 /24 and is issued that ip address 192.168.113.200, the VPN client can be pinged from another device in this network however the client cannot access anything on this sub net, all other sites can be accessed ie. main site 192.168.16.0/24, second site 192.168.110/24 and third site 192.168.112/24. The ACL Manager has a single entry of "Source 192.168.113.0/24 Destination 192.168.0.0/16 and the "Standard ACL 192.168.8.8./16 permit.
View 14 Replies
View Related
Mar 28, 2013
I recently installed a couple of Cisco Aironet 3600 Series Wireless Access Points at a remote site. While I was at the site everything seemed OK, The clients were able to get connected to the access points, the guest network worked fine, I could SSH into the access points, and I could ping them. The problem is when I went back to my home site I tried to SSH into the access points through an ASA IPSec VPN Tunnel and it couldn’t find it. When I try to ping the access points they “time out”. I can ping and connect all other addresses (via RDP, HTTP, etc..) on the same subnet which should rule out an access list problem. A couple of notes to be aware of:
The WAP’s have the Autonomous IOS installed (Version 15.2(2)JB) The WAP’s are connected to Dell PowerConnect 5724 (Not by choice.. We are a Cisco shop, these were already there and have plans this year to replace)
I can ping and SSH with Putty to the WAP’s from the local subnet I cannot ping or SSH from a remote subnet to the WAP’s. I can access all other IP’s and Computers from a remote subnet.
View 12 Replies
View Related
Jul 23, 2011
I picked up a rather nasty bit of malware which resulted in a format and installation of Windows Ultimate 64, all well now except i cant get the wireless to work, downloaded assorted drivers from the dell support directory but to no avail, so questions are-:am i missing something obvious (windows function button for wireless does nothing)what is the correct driver for the N5040 and are there any tricks in getting it to work.
View 1 Replies
View Related