Cisco VPN :: 2800 Remote Site For Customer Which Only Have 3G Connection
Feb 11, 2012
We have a new remote site for customer which only have 3G connection and to add more pain to that they have dynamic IP address.the easist possible solution was EZY VPN.....client has 2800 router with 3G and at our end we have ASA.....the issue is that , that always server (clients nehind) asa initiate connection to the remote site ie to 3G.....the rule of thumb is that whenever client(ie EZY VPN) will initiate conection the tunnel will establish.
i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?
We have Cisco 4507-R installed at customer site which got hang twice and became normal after getting booted.I have analyzed show tech-support for this switch after reboting but not found relevant logs for hang issue,
I'm looking to configure a DMVPN spoke with a Site to Site VPN Connection to a different destination than the DMVPN. I'm using a Cisco 2800 router. When I add the crytpo map to the outside interface for the Site to Site VPN. The DMVPN drops. Is there something I could be missing? The Tunnel interface for the DMVPN has the shared optioin applied to the tunnel protect ipsec profile.
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.
Building configuration... Current configuration : 5425 bytes ! ! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01 ! version 12.4 no service pad
cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
We have a 5508 controller in main site.Which has two ports connected to local network.Management VLAN 500 is untagged and mapped to Port 1.All other interfaces are including 501 to 507 are mapped to Port 2.We have a SSID that is mapped to VLAN 501 interface , which successfully can be joined in main site.We connect an AP to remote site ;We have a remote site VLAN 115 which can be reached from main site.We connect an AP to access vlan 115 port on the remote site , we had described option 43 , so AP can successfully finds controller in local mode.
AP gets ip from VLAN 115 , can setup connection / ping controller successfully.There is a wide area connection between remote and main site.No trunk setup , the whole remote site is vlan 115.However when the client is trying to connect the test SSID , client cant get connected nor get ip address.Local switching is disabled.For this setup , client comes to AP as a requested , AP tunnels traffic to controller from vlan 500 , controller lets the client get into wired platform from VLAN 501.
My company just assumed management of a remote entity. The network has several misconfigurations and I need to make some network modifications from my office w/o losing access or incurring lengthy outage to the clients. The network consists of 1721 router and three 2960 switches.
- I only have access to the router from the Internet. I telnet off the router to the 3 switches.
The site uses a single class C 192.168.1.0 / 24. The router is running RIPv2 even though this is the only network. The prior network person (contractor) set up separate native vlans on each switch and all the ports are defined as Native trunk and access are defined to the VLAN interface assigned to the switch. So of course the logs are flooded with Native VLAN mismatch, Each 2960 switch is a VTP server but has no VTP domain.
basic network layout:
Internet => Eth [Cisco 1721] => Fa 0 192.168.1.254 ==> [SW1] [SW1] interface Vlan1 no ip address no ip route-cache!interface Vlan220ip address 192.168.1.219 255.255.255.0no ip route-cache
[code]....
!interface GigabitEthernet0/1description SW2 Gi0/1switchport access vlan 204switchport trunk native vlan 204!interface GigabitEthernet0/2switchport access vlan 204switchport trunk native vlan 204!interface Vlan1no ip addressno ip route-cache!interface Vlan204ip address 192.168.1.224 255.255.255.0no ip route-cache Normally, I would assign the current 192.168.1.254 to a subinterface to Router Fe 0/0 but with each switch having its own native VLAN I am afraid I will lose connectivity to the downstream switches -- my only access is telnet off the Cisco1721 Router.
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail) Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
I setup RA-VPN under local asa 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access. Then i have 5 site to site VPN working fine but when im traying to access to those L2L VPNs from the remote acces client im not able to do that. So after that i decided to obtain IP addresses from my DHCP server so i can obtain IPs from my local network (172.17.16.0/16) and then access normally to the VPN site to site. But the surprise was that the VPN cisco client is getting local IP address (172.17.16.222) perfectly but im not able to access even to my local network.
I have the same-security-traffic permit inter-interface same-security-traffic permit intra-interface enable.
I have two Cisco routers - 2911 in HQ and RV180 in branch office. Because in HQ LAN network I have some development servers, to which guys from branch office need to have acces, I decided to setup VPN site-to-site between HQ and branch office. Everything went quite smoothly, on both devices I see, that ipsec connection is established. Unfortunately I am not able to ping resources from one network to other one and vice versa. Below is the configuration of 2911 router (I skipped som unimportant (imho) configuration directives) :
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
I have a ASA 5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.
Secondly request also they need failover over the ISP link.
It's been a long time since I played in Cisco CLI.Using a Cisco 506 Firewall 6.3(4) PDM 1.0?Problem is I created a site to site tunnnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
Tunnel is policy 10 using access-list 101 Remote VPN is Policy 20
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote-access (vpn-houston) uses 192.168.69.0/24. The main site (houston) uses 10.0.0.0/24 The remote site (lugoff) uses 10.0.1.0/24
At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG). In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG". None of the SSIDs are "anchored".
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs. This site contains two customers. One customer is the Main customer with the second customer leasing space.
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan). I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500. It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site. This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
For my test, I am starting simple. I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low). I have anchored this test WLAN to that controller. At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site. I am unable to obtain an IP address from the remote site. I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at 7.0.220.0? What could I be missing?
We have successfully establish a site-to-site vpn, but we have some difficulties when PPTP users try to access the remote network linked by this tunnel. LAN users can access the remote network without problem, but users who are connected remotly to the lan (PPTP) can't access computer on the remote network. Is there a way to allow PPTP user to access the remote network ? Adding a route ?
I have a site-to-site VPN already established, everything is working as it should. I'm trying to block the remote network from accessing our network since we only need to access theirs. I'm sure this is something very easy to implement with an ACL but I'm not sure where this rule needs to go. The VPN is on ASA 5505.
A user with Easy VPN client connects to a 876 ISR (router A). This router also has a site-to-site VPN to another 876 ISR (router B). What I want to achieve is that the user dials in to router A and can access the network on the remote end of the site-to-site tunnel (router B) In diagram:
user (192.168.18.x) - Easy VPN - Router A (192.168.16.x) - sitetosite - Router B (192.168.17.x)
I have added routes in router B to the 192.168.18.x network with router A as next hop, but I can't reach the other segment.
I'm attempting to configure an for both site-to-site and remote access VPNs. The site-to-site is working fine, however when I connect using the Cisco client, after initial connection and password prompt I get a "not connected" status. The log states that a policy map match could not be found. I have successfully set the unit up for remote access with no site-to-site and ran into another host of issues when adding the site-to-site to the working remote access config, so I started over setting up site-to-site first. I've attempted this through ADSM (hate it) - the current configuration is via CLI. I'm certain I'm just missing a piece or two.
We have a site-site and remote vpn configured in same interface in ASA 5520 ( software version 8.3 ). When Remote vpn users try to connect to computers located on the distant end of site-site VPN, their request failed. I tried No-Nat between remote vpn private IP to the remote site private IP, also stated the same in Split tunneling. I cant find even the tracert, ping also timed out.
On one of our branch locations ASA, I have a L2L VPN setup we are adding wireless to this remote location, and the AP's will talk back to the controller at HQ. The AP's are on the downstream L3 switch, and they have been placed on the mgmt network. It's definitely not ideal to have these AP's on the mgmt network, but for now that is how it is setup.
From HQ (163.122.x.x) I can ping and reach the ASA (10.200.2.1, and the downstream L3 switch 10.200.2.100, but when I ping one of the AP's, I get timeouts and and the following error on the ASA:%ASA-3-305005: No translation group found for icmp src outside:10.205.216.73 dst mgmt:10.200.2.152 (type 8, code 0)
It appears it's a NAT issue on the ASA, but I'm confused on what I need to change. Why can I ping the ASA and the switch from HQ, but not the AP's which reside on the same mgmt network? I don't really need it to NAT, just to pass the connections. I currently only have the following two NAT statements in the configure
I have a situation where I need to have remote users vpn into my ASA 5510 and then turn around and hit a site to site tunnel. Now when I am in our office I can hit the site to site vpn fine. When I am at home and vpn to the asa I can not get to the site to site resources. Do you see where my config is incorrect? result of the command: "show run"
I have a PIX 515 and am working with a Site-to-Site VPN. When I do not specify a filter on the Group Policy I can successfully access the remote network and the remote network can access my local network. However this by itself poses a securty risk for my local servers. I need to be able to access the remote network fully, however only one or two workstations on the remote network need to access mine.
If I add access-list vpn-remote-site extended permit ip host remote-wkstn1 any then only the remote workstation can access my remote network. This gets me a step closer as now only the remote workstation can access my network effectively denying everything else. However, from my local network I can now only access the remote workstation and not all of the other devices. I do not have any control over the remote firewall and would like to make sure it is secured on my end.
RemoteLan - Router Dynamic WAN IP ----------- site to site VPN --------------ASA - ASA Lan 192.168.1.0/24 10.1.1.0/24
I am trying to get my head round configuring an ASA with V8.4 code where things have changed especially NAT.In earlier ASA 7/8.x code I belive the crypto map below would have allowed a properly configured remote router to connect irrespective of its WAN IP
I am struggling to get my head round how I achieve the same in ASA V8.4 . I have searched the web and found plenty of examples for earlier code but specificlly am trying to learn about how to achieve it with v8.4
One of our customers had 2 x 2800 series routers that they needed to reconfigure to support new services, The existing public subnet has 2 free ip addresses to use for the routers, unfortunetely even though the ISP can reconfigure this to create more addresses the customer cannot have any downtime (there are other routers in this subnet that are live) and therefore i had my hand forced into using VRRP as opposed to HSRP (3 addresses).
I used VRRP to share the master address as the VIP, so one address on the master, one on the backup, using the master address as the VIP.
This all works fine, outbound and inbound traffic failover as expected and preemption works just fine.
My problem is, he asked me to configure a remote access VPN. So i have configured the VPN to connect to the VRRP VIP. When the master is active, the VPN connects, traffic passes, all fine. When the master is switched off the VPN traffic hits the backup, as its now assumed the VIP, and completes phase 1, xauth works, but phase 2 will not come up and the client displayed "not connected".
So doing some debugs, the phase 2 policies are accepted, but i get the message
*Mar 1 01:36:21.451: IPSEC(validate_transform_proposal): invalid local address x.x.x.164
where x.x.x.164 is the VRRP VIP address, the physical address which has the crypto map applied is .165
So here lies the problem, the client is connecting to .164, the crypto map is applied to the interface the is configured with .165. Hence the "invalid local address"
I have found some documentation online that suggests that VPN redundancy is possible with HSRP, but not on the 2800 series router. I cant use HSRP as i have only 2 addresses, and i cant use that feature as my routers dont support it.
I have 2 ASA 5505 firewall, Site 2 Site VPN working between two firewall. I attached visio diagram for my senario. I configured IPsec Remote VPN in ASA-01 firewall, a user able connted to ASA-01 network via modem through remote VPN. As i configured site 2 site VPN between two ASA, Is that possible that through remote VPN a user can able to connect to ASA-02.
