Cisco VPN :: 1941 Tunnel Up But Can't Reach Devices?
May 23, 2013
We set up a 1941 Router with the Cisco Configuration Professional Tool. The VPN Tunnel works and i get an IP Adress from the pool. But i cant reach any devices in the VLAN10 Network. Do i forget anything ?
Here is the config from the Router:
version 15.1
parser view CCP_Monitor
secret 5 $1$FnN7$Qr.mbJbPOuOH7Te6MD1.I0
commands configure include end
[Code].....
View 3 Replies
ADVERTISEMENT
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Nov 28, 2012
since a few days I'm trying to solve a problem. I've successfully established an IPSec tunnel between two local LANs. In the main office I'm working with a ASA5510 CLI 8.4 and a static public IP address. The branches are using different Cisco 8xx routers and dynamic public IP address. The following picture shows the current configuration:As I mentioned an IPSec Tunnel between the main office "Intern"-LAN 192.168.1.0/24 and an outside LAN 10.10.0.0/24 is successfully established. Now there is a new intern "Admin"-LAN 192.168.2.0/24 at the main office. The users from the outside LAN 10.10.0.0/24 need the possibility to reach this new intern "Admin"-LAN.Can I simply route the traffic from 10.10.0.0/24 to 192.168.2.0/24 via the existing IPSec-Tunnel? Or need I a new IPSec tunnel between the outside 10.10.0.0/24 LAN and the new "Admin"-LAN 192.168.2.0/24?
View 5 Replies
View Related
Oct 12, 2011
An 1841 is conencted to the internet by DSL, it works fine. I have added it to the 10.98.8.x subnet off a 3750 switch.When I connect other devices to the same switch port, I can ping/browse to them fine, but when I connect the 1841 I can only ping it from the 3750, not another subnet connected to the same router. [code]
View 2 Replies
View Related
Apr 17, 2013
I have a PIX-515E version 8.0(2).I have two remote sites connected to this PIX via IPSec tunnels.Each remote site can reach the local networks behind the PIX but I can not reach remoteSiteA from remoteSiteB.So,
10.30.8.254 SiteA <----- IPSec -----> PIX1 <----------------> SiteX 10.0.8.1
10.138.34.21 SiteB <----- IPSec -----> PIX1 <----------------> SiteX 10.0.8.1
SiteA can ping SiteX
SiteB can ping SiteX
SiteA can't ping SiteB
SiteB can't ping SiteA
If i do show crypto isakmp ipsec sa I can see appropriate subnets:
Crypto map tag: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1
access-list ACLVPN-TO_SITEA permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
local ident (addr/mask/prot/port): (10.138.34.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.30.8.254/255.255.255.255/0/0)
current_peer: 104.86.2.4
[code]....
Some log messages that seem to point to the problem...
Apr 18 2013 13:27:35: %PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence number= 0x21A) from 104.86.2.4 (user= 104.86.2.4) to 203.166.1.1. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.138.34.21, its source as 10.30.8.254, and its protocol as 6. The SA specifies its local proxy as 10.0.8.0/255.255.255.0/0/0 and its remote_proxy as 10.30.8.254/255.255.255.255/0/0
My question is really do I need to do anything funky to allow the traffic to pass between the two tunnels?
View 2 Replies
View Related
Jan 9, 2013
We have a Windows server based network (15 wired computers) and four wireless devices (more to come)We are using a CISCO SA520W appliance in the main building as the perimeter Internet gateway / firewall / wireless access. It all works well.We have a second building too far away for wireless devices to reach the SA520W radio in the main building.The second building is connected via fiber to the main building (switch to switch). Several wired computers are connected to the switch in the second building.We want to provide seamless wireless connectivity as wireless device users move between buildings.
We thought to mount and connect another simple B/G capable wireless access point, via ethernet wire, to the switch in the second building. But we're not sure of the best CISCO/Linksys model to choose for this. The choice should work well with the SA520W configuration and be relatively simple to configure in that environment.We're also unsure of the steps to configure a seamless wireless experience for the roving wireless device users.
View 11 Replies
View Related
May 13, 2011
I have a Cisco 1941 router with the Security license running IOS c1900-universalk9-mz.SPA.151-4.M.bin. Is there a "tunnel bandwidth" command like with routers that have the Advanced IP Services license? My concern is being able to adjust the bandwidth to a value greater than 8 Mbps...
View 3 Replies
View Related
May 7, 2012
I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
- Under the tunnel interfaces:
- MTU 1390
- MSS 1350
- PMTUD
- Under the ingress LAN interface
- route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
- Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
View 1 Replies
View Related
Mar 7, 2013
I have an IPSec tunnel configured on my Cisco 1941. The other device is an ZyXEL router.I can see the tunnel is up but there is no traffic.This comes out the show crypto ipsec sa
interface: Dialer1
Crypto map tag: CMAP_AVW, local addr 10.10.10.89
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
current_peer 20.20.20.161 port 500
[code]....
View 3 Replies
View Related
Jun 16, 2011
I installed a 1941 router with an encrypted GRE tunnel yesterday. The router has ipbasek9 and securiyk9 licensed. Initially the router was running the image c1900-universalk9-mz.SPA.150-1.M5.bin and was working fine. The tunnel was up and passing traffic. I then upgraded the IOS to c1900- universal k9-mz.SPA.151-2.T2.bin and when I reloaded the router the tunnel was stuck in a reset/down state. I tried doing shut/no shut on the interface and reloading the router again, no change. Being under some time pressure to get the device back into production I rolled back to the previous IOS image and the tunnel worked fine again. Is there a known bug that causes this behavior? I have searched cisco.com but have not found one. [code]
View 1 Replies
View Related
May 21, 2011
Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24
View 5 Replies
View Related
Jan 30, 2012
We have a new site-to-site configuration comprised of two ASAs (a 5505 at the remote site and a 5510 locally). The site-to-site tunnel is up and appears to be working fine, with the exception of one thing; two identified IP addresses on the remote end cannot seem to communicate across the tunnel.
For example: address 192.168.3.81 is able to see resources at our facility, but 192.168.3.82 (an HP Laser jet P2055dn) cannot. However, 192.168.3.82 is ping able from the inside interface of the remote ASA and doesn't appear to be having any other connectivity issues. Also, the default gateway of this device appears to be set properly. When checking the real-time log viewer, I'm not seeing any error messages, it just appears as if the .82 device is not routing to the remote ASA, but strangely enough the local ASA's logs do seem to show communication with .82. (See the below logs.)
When we attempt to ping the 192.168.3.82 address from a local PC (10.10.10.10) that participates in the VPN tunnel, we see the following:
Local ASA
6|Jan 31 2012|16:03:53|302021|192.168.3.82|0|10.10.10.10|512|Teardown ICMP connection for faddr 192.168.3.82/0 gaddr 10.10.10.10/512 laddr 10.10.10.10/512
[ code]....
Remote ASA
6|Jan 31 2012|16:03:53|302021|10.10.10.10|512|192.168.3.82|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0
[ code].....
We can successfully ping 192.168.3.81 from the same local workstation we see the following on the remote ASA :
6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
[Code]....
We have no IP address overlapping and neither ASA's logs show any errors. Unfortunately, we don't have access to the remote site's router configurations, but we've been assured that the issue is not on their end.
View 3 Replies
View Related
Dec 27, 2011
Monitor a VPN tunnel that has as end devices a Cisco ASA 5520 and a NetScreen Firewall. I'll like to be receive an alert when the VPN is down.
View 1 Replies
View Related
Sep 4, 2012
I currently reside in a university which has firewall restrictions. I use a SSH tunnel to connect to the internet. I managed to get my wifi up and running on my mobile device using Connectify but the only the sites which are accesible through wifi are the ones that are accesible through the university firewall. Anyway i can extend the SSH proxy to the mobile device via the Laptop?
View 1 Replies
View Related
Jan 9, 2011
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
View 1 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Jun 1, 2012
Currently my home network is being switched via TrendNet TEGs80G unmanaged gig switches. I have been using them for about a year now with no issues. As my home network becomes more advanced, I recently just added a Cisco ASA5505, I am thinking about swapping those unmanaged devices, 4 of them, to managed. I was looking at the Cisco SG300-10 for upstairs, and a 16 port variant for my main core. These devices do not support full Cisco IOS cli, but they are manageable with a rich feature set nonetheless. My question is, should I swap the unmanaged devices with the more expensive Cisco devices, or just keep what works and save the money until I really need to spend it. As previously stated, my home LAN works just fine as it is, however my WiFi, NTV550s, server and workstations are all on the same network. Probably not the most secure but it is what it is without VLAN support.
View 11 Replies
View Related
Aug 15, 2011
I have installed my new E4200 and it works beautifully. I have several wirelss adapters and a few wired connections through powerline adapters. I also have a second VPN router attached to the 4200.I can see the wireless connected devices with the associated IP addresses. If I plug a laptop directly into the Cisco, I can of course see it.However, I can see none of the devices attatched to the powerline devices? I have a securty cam connected via the powerline and want to know the IP address. I checked with cisco technical support via chat and they said it is impossible. I have used 2 previous routers with the same configuration and can see all devices.
View 1 Replies
View Related
Jul 24, 2012
Environment :linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all lan's outbound traffic through an ssh tunnel.
View 2 Replies
View Related
Jan 23, 2012
There are a few situations were I'd like to be able to use the locally configured account on a device but still have ACS in place.I want to complete this WITHOUT adding the locally configured account into ACS.I have tried setting the advanced option under Identity for if an account is not found to "Continue" however this causes the account to be allowed as long as a password is typed (any password, as long as its not blank).
View 2 Replies
View Related
Oct 11, 2012
All of a sudden my laptop, android phone and blu ray player (all wireless devices) can't communicate with my wired devices (marantz receiver and samsung tv). Everything still connects to the internet independently but i can't for instance play music from my wireless laptop to my wired marantz receiver. I had no trouble with this last week and didn't change anything (that I'm aware of) I did get Verizon to switch out my router but it didn't solve anything. My wife's computer also cannot connect to wired devices. Lastly, if I connect my laptop with via ethernet cable it sees wired devices fine. I tried shutting off windows firewall but didn't work. I have no other firewall/virus software installed. I can ping to all devices (wired and wireless) from my laptop.
View 1 Replies
View Related
Aug 15, 2011
I'm trying to reach Celebs4.UsThe first time I tried (earlier today), I was able to access, but when I clicked on one of the images I recieved a "The connection has timed out" error. I have not been able to open the site at all since that very first time.I have done the following:- tested it in both FF and IE- run tracert (seems like the problem is on the site's server end, but everyone else is able to connect fine)- flushdns- clear cachemy tracert: :: pokIt
View 5 Replies
View Related
Jul 4, 2012
I have a 2811 (running 12.4(15)XZ) with a WLCM (4.2.209.0).
I have reset the configurations on both. Set FE and WLCM IPs on the router and gave WLC Management and AP manager addresses. All + PC are on the same subnet. Router pings all addresses besides AP-manager(intended). WLC CLI cannot ping PC and PC cannot ping (nor http) to WLC. PC can however ping and telnet the router on both the FE and WLCM IPs.
I followed the guides on WLCM configuration, did I miss something?
How can I access the management IP and the web GUI?
2811 config:
Building configuration...
Current configuration : 1292 bytes
!
version 12.4
service timestamps debug datetime msec
[Code].....
View 17 Replies
View Related
Apr 15, 2012
for the last 5 days or so, my internet was acting weird, disconnecting every 20 mins or so, i had an old linksys router, no clue on the modem, but all of it's about 7 years old, i got a replacement, Motorola SBG6580, my connection is somewhat better, but my ISP says they can't ping my router/modem
View 1 Replies
View Related
Jul 7, 2012
I've setup a SSL VPN to a ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a win server on the inside network but I cant get to it. Can not even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...
I added a ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
New at VPN and have survived so far on cisco docs but this problem is evading me.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
[Code]....
View 1 Replies
View Related
Sep 30, 2011
I have an ASA running 8.2(2).I am trying to get the network on the inside interface to be able to communicate through the outside interface and on to the internet.
View 18 Replies
View Related
May 27, 2012
i'm setting up vlan and inter-vlan routing in my lab. My vlan work well (routing between them and dhcp relay) on the LAN side of the ASA but they cannot reach internet trough the ASA.
Here my ASA settings :
Note : I know that the physical interface musn't have an @IP but my present network needs one to work. I'll fix this during my next tests.
: Saved
:
ASA Version 8.2(1)
!
[Code].....
View 8 Replies
View Related
Oct 13, 2011
I have a (central) ASA5510 acting as a EasyVPN server and a number of (remote) ASA5505 as EasyVPN client. All the communication works fine between the different networks. The issu is the ASA itself. The remote ASA can ping the central ASA on it's internal IP-adress, but it can't ping any other resoruces at the central network. If I ping the DC at the central network from the remote ASA I get a deny in the central ASA with source address as the public IP-adress of the remote ASA and destination of the internal address of the DC. If I from the remote ASA do "ping inside ip-of-central-dc" it work's like a charm, but "ping ip-of-central-dc" dosen't work.
View 3 Replies
View Related
May 9, 2012
I have configured a Remote access vpn on pix 525 with 7.2(4) code. After getting connected (with ip address assigned from the pool) i am not able to reach any of the internal networks. [code]
View 3 Replies
View Related
Jul 6, 2012
I've setup a SSL VPN to a ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a win server on the inside network but I cant get to it. Can not even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...I can ping from the 192.168.1.0 net to 10.0.0.0 and 192.168.2.0 without issue but not the other way around....I added a ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 1 Replies
View Related
Jun 18, 2012
I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]
View 8 Replies
View Related
Feb 8, 2011
I have remote access vpn setup and I can get connected with no issues. I assigned the vpn a pool of addresses from the end of my inside interface subnet. When connected I can ping any device on that subnet, I can also connect to my switch on the same subnet via my browser. I can not however access any device located in my dmz while connected. This is a new setup I'm testing but I need vpn user to be able to use rdp to connect to machines in the dmz.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ASA1
domain-name
enable password encrypted
[code].....
View 4 Replies
View Related
Oct 9, 2012
[URL]
This router support bridge mode, but i'm unable to configure it. There's no such option in the web configuration page, but the manual says that disabling nat activates automatic routing mode. Unfortunately all i get when i disable nat is to be unable to reach any wan address.
By watching the generated routing table on the wrp400 (when in NO nat mode) i see that 0.0.0.0 is correctly set up to use the external border router, but any incoming packet from the wrp400 lan port isn't routed there.
Also, i don't get any dhcp from the external router, this means the wrp400 is blocking it.
how to set up a bridge mode between wan and lan ports
View 1 Replies
View Related