Cisco VPN :: 2811 / Remote VPN Client Is Not Communicating With LAN?

Apr 19, 2011

I have a Cisco 2811 with security bundle with IOS 12.4(13r)T. I am planning to use this router as a VPN gateway for the company, i.e.:

1. LAN 2 LAN VPN (supporting if the remote site has a dynamic IP)

2. Remote access VPN for VPN client

I have configured the router (attached is the configuration). I have not tried to use the LAN to LAN VPN (first I complete remote access VPN and then check L2L). I tried to use the remote access VPN; I am able to connect from the VPN client software and got the IP address, but am unable to ping the servers in the LAN.


Cisco VPN :: Setting Up Remote VPN On 2811?

Feb 13, 2013

I am attempting to set up remote VPN access for clients but have been unable to connect remotely using Cisco VPN client. Here is the current configuration on the router. I think I'm almost there and may be missing a couple of commands.
 
Current configuration : 4758 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FCC-1811-Router

[code].....


Cisco WAN :: 2811 QoS With MS Lync 2010 Client

May 28, 2012

I am working with a client to implement QoS for their Lync environment. Lync 2010 has this feature to mark dscp values based on packets tagged with logical ports. As an example, packets on port 49000 till 49999 will be marked to dscp 46 (ef). On the Cisco 2811 router, I am basically honouring the markings by the application and placing bandwidth priority on them and sending it out to the WAN.

The behaviour that I notice is that when port based packets are marked with a certain dscp value on the application, the router policy map doesn't pick up any packet increment for that dscp. But when all packets without port assigning to it are marked with certain dscp value, I can see increment on the router policy map for that dscp match. Why is this so???
 
The client wants the Lync to mark the packets with dscp value and the router is supposed to honour the marking, schedule the priority and send it out. [code]


Cisco 2811 Blocking Remote Desktop?

Apr 29, 2011

I have an internal user that needs to remote desktop to an external internet server. I can traceroute and ping from his desktop to that server. I have a Cisco 2811 that is internet facing that I think is blocking the remote desktop. It does not have access lists, but has a map-policy which I am unfamiliar with and can't seem to find much when I google about doing a remote desktop on a map-policy. If you can add remote desktop as a policy or something else blocking it, or do I need to build an access list.


Cisco VPN :: 2811 - Client Access To Native VLAN Only

Apr 2, 2013

I have a 2811 Router (config below) with VPN configured. I can connect through the VPN and access devices on the native VLAN but I can't access the 10.77.5.0 (VLAN 5) network (I don't care to access the 10.77.10.0 - VLAN 10 network). This issue has been plaguing me for quite a while. I believe it's a NAT or ACL issue. VPN client IP pool is 192.168.77.1 - 192.168.77.10. [code]


Cisco VPN :: 2811 VPN Client Connection To IOS Firewall Using Certificates

Nov 2, 2011

I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now, I've had VPN clients connecting using PSK's and XAUTH. In order to tighten security, we'd like to move away from PSK's with Aggressive Mode and use certificates with Main Mode. I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've gotten assigned an IP address from the inside VPN pool, my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic. [code]

I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt). FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much so I'm not convinced this is a NAT issue. Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now so the 2811's config may have a lot of unnecessary lines in it at this point.


Cisco WAN :: 2811 - Filter MAC List On Router With VPN Remote Access

Sep 3, 2012

I have a router 2811 that it's configured with VPN remote access and I'm trying to block clients based on their MAC address, I tried configuring access interface as routing/bridging, configured an ACL 750 for 48-bit MAC address access list and enable "bridge-group 1 input-address-list 750" command on bridged interface, but the only match I got when VPN clients access the LAN is from router interface.
 
Internet(VPN)  --->  Router1 (FE 0/1)  --->  Router1 (FE 0/0)  -->  Router2 (FE 0/0)  -->  Router2 (FE 0/1)  -->  LAN
 
I tried configuring on Router1 (FE 0/0) interface and also on Router2 (FE 0/0) interface with same behaviour.  Router2 is used for internal NAT.
 
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

[Code].....


Cisco VPN :: Create Peer From Remote Router To Both ASR 1002 / 2811

Mar 14, 2011

I have an ASR 1002.   Behind that and across another small MAN network (considered inside) I have an ASA.  On the remote end, I have a simple 2811.
 
I need to create a VPN peer from the remote router to both the ASR (to hand off traffic there) and also a peer at the ASA (to encrypt across the MAN). The ASR1002 has the serial connection (DS3) to our MPLS cloud in which the remote is on the opposite side of.

So basically, I've created a single isakmp policy with two crypto maps by the same name but set to different peers and placed on the remote router then applied it to the serial interface. This works fine. Now I throw in the ASA which is behind the ASR. However, the connection still comes through that ASR to get to the ASA. After setting it up, it works as long as I don't have the crypto map applied to the ASR. If I apply the crypto map to the so interface of the ASR, my ASA VPN connection stops working. It almost seems as if the crypto map on the ASR is grabbing my encrypted traffic destined for xx.xxx.24.14 and trying to do something with it. [code]

Why can't I peer from my remote router to both the ASA and the ASR on the opposite end of the serial link?


Cisco VPN :: PIX 6.3 Remote Client VPN / Traffic One Way Only

Sep 20, 2012

I have a few ASAs with L2Ls in a hub-and-spoke fashion, works great. All ASAs are 8.2(1). I've tried to add remote-vpn to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.
 
Just to check, I also set up remote client vpn access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA - won't function.
 
The problem with the HQ ASA remote client VPN is that after completed phase 1 & 2, the traffic goes one way only, from client side towards the ASA. I.e. remote side only encaps, no decaps; ASA side only decaps, no encaps. If the remote client pings a host on the inside (i.e. behind the HQ ASA) the packets arrive, and are returned towards the ASA (a correct route for the remote VPN network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host for instance suggests this).

The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA, it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works, doing an "inside" ping fails. Compare this to the spoke ASA and its remote VPN client, there an inside ping is successful, but not an outside ping, i.e. the spoke ASA functions as expected with its remote VPN. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of code, and I guess that something there gets in the way. [code]


Cisco :: Client Behind NAt Access Remote Desktop?

Jan 22, 2011

I have a setup in a different location with the ASA Firewall with VPN enabled and a Print server. On Network B I have a server with 2008 installed and it's my NAT server, DNS and File server. Now the Client on Network B wants to access the Server in Network A remotely through VPN. They could connect to it but cannot use Remote Desktop; either it's an IP translation issue or I don't know.


Cisco VPN :: Client Behind EzVPN Remote (ASA 5505)?

Feb 2, 2012

I try to configure a simple EzVPN infrastructure:
 
EzVPN Server (CISCO2811, hostname cme) < -- > EzVPN Remote (ASA5505, hostname ezvpn-asa) < -- > Client
 
Attached you find both configuration of the EzVPN server and remote. The tunnel is getting up and if I ping from the ASA to the Router, I see the packets getting encrypted:
 
ezvpn-asa# ping 172.16.100.1
...
ezvpn-asa# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2

[code]....
 
If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?


Cisco VPN :: 2911 ISR Remote Client Connects Just Once?

Feb 2, 2011

After trying to configure remote client VPN access to a Cisco 2911 ISR using the CLI I tried to use the Cisco Configuration Professional. However, either way I have the same problem. A client can successfully connect and access servers but just once. When the client disconnects and tries to connect again there is no access to the servers even though the VPN tunnel appears to be up. I've tried multiple versions of the Cisco vpn client SW and all behave the same: 1st connection can access servers, subsequent connections can't. I've also tried a second (different) client after the original connection and still no luck. If I reload the router the client can get the vpn connection and access the servers but if the client disconnects from the vpn and tries again there is no access to the servers.
 
I've also tried it with and without NAT but it doesn't seem to make any difference.
 
The config generated using CCP is as follows:
 
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec

[Code].....


Cisco VPN :: ASA 5505 - VPN Client Will Not Access Remote Lan

Mar 10, 2013

I have an ASA 5505 that is on the perimeter of a hub & spoke VPN network. When I connect to this device using the VPN client I can connect to any device across the VPN infrastructure with the exception of the subnet that the client is connected to, for instance:

VPN client internal network connects to 192.168.113.0 /24 and is issued that IP address 192.168.113.200. The VPN client can be pinged from another device in this network, however the client cannot access anything on this subnet. All other sites can be accessed, i.e. main site 192.168.16.0/24, second site 192.168.110/24 and third site 192.168.112/24. The ACL Manager has a single entry of "Source 192.168.113.0/24 Destination 192.168.0.0/16" and the "Standard ACL 192.168.8.8./16 permit".


2x Client On Android To Remote Into Desktop

May 25, 2012

This is probably where I should have started my search. During the last 2 days I have taught myself numerous things to try and figure out this problem. I want to run 2x Client on my android to remote into my desktop. I have a Verizon fios actiontec router ver. I and running win 7 prof.. I have been able to easily set up the 2x client and remote into my desktop while on my home wifi but trying to use 3g/4g service has yielded nothing but heartache and stress.


Cisco :: Does IOS Tftp Client Support Remote Symlinks

Mar 27, 2012

Question is in the subject line. Maybe I am missing something, but this does not seem to work (No such file or directory).


Cisco :: Remote Vpn Client To Router With Cellular Interface?

Apr 28, 2011

I'm having extreme issues in getting my VPN client to connect to a Cisco router with a hwic-3g-hspa cellular interface.

I have tested the config remotely by traversing the tunnel I have set up with a Cisco VPN client and the client does connect, however when out on the road it doesn't respond. I'm literally hitting my head against a brick here, everything just seems right, I can't explain it.

I have done debugs and there is no sign of life, it's as though when the VPN client connects to the router it's not responding. Anyway, here is my config, for the VPN client's part that is.

aaa new-model
!
!
aaa group server radius vpn-client-server-group-1

[Code].....


Cisco :: Set Up A SSL VPN Connection For Remote Connectivity With AnyConnect Client?

Jun 28, 2011

I've been trying to set up an SSL VPN connection for remote connectivity with AnyConnect Client. I've configured virtually everything necessary, I can connect to the VPN page, download the Client, establish connectivity, get an internal IP address. But I can't ping any internal (and of course external) IP addresses.


Cisco VPN :: ASA 5510 Access All Branches Using Remote Client

Jun 18, 2011

I have an ASA 5520 in my head office and 2811 routers in the branches. I connected two branches with my HO through VPN. Now I have configured a remote VPN client on the HO ASA. Now I need to access all the branches using this remote client. How do I create the route on the HO ASA?


Cisco VPN :: Remote IPSec VPN - Windows 7 Client And ASA 5505?

Dec 20, 2011

I have difficulties with configuring Remote IPSec VPN with Cisco ASA 5505 and Windows 7 native VPN client. My client PC gets a VPN pool IP address, and can access the remote network behind the ASA, but then I lose my internet connectivity. I have read that this should be an issue with split tunneling, but I did as it is told here and no luck. On Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have internet connectivity (since the client is using the local gateway), but then, I cannot ping the remote network. In the log, I see warnings of this type:

Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco)

I have attached my configuration file (without the split-tunneling configuration I tried). If you need additional logs I'll send them right away.


Cisco VPN :: ASA 5550 - Can Client Establish SSL To Remote Network

Mar 16, 2012

Device asa 5550 - But can a Client establish a SSL VPN  to remote network and devices on the remote network access local network printers? so you got one client one network A that creates a SSL VPN  to network B , can network B be configured so that automatic job come across the same ssl vpn to a Different IP?


Cisco VPN :: 887 - EasyVPN Client Cannot Access Remote LAN But Only Router?

Oct 26, 2010

I am using Cisco Configuration Professional to set up one Easy VPN server on 887-K9. The VPN client can dial up the server successfully but can only ping router but on other lan. Looks like there is a NAT issue between the LAN and the VPN client?


Cisco VPN :: 3000 - How To Generate PCF File For Remote SW Client

Oct 10, 2011

I can't seem to find out how I can generate a PCF file for a new remote vpn SW client? I have a VPN Concentrator 3000 series.


Cisco VPN :: 5510 Remote Access VPN / Ping From Client

Jul 26, 2011

I'm configuring ASA 5510 Remote Access VPN, I can connect from Cisco VPN Client to the ASA VPN. I obtain from ASA some routes to inside networks, but I can't do any ping to those inside hosts. I have got those error in ASDM log file: [code]


Cisco VPN :: ASA 5540 - Client On Windows 7 With No Remote Access

Feb 22, 2011

Recently I have received one of my colleague's laptops that is running Windows 7. I have installed Cisco VPN client version 5.0.07.0290 on it and the VPN client appears to connect to our ASA5540, but we are unable to connect (remote desktop) to any machines on our network as it does on our XP laptops. Furthermore, we cannot ping any as well. Also, while connected the Windows 7 machine is still able to access internet sites as if split-tunneling was configured, which it's not.

But after some searching, I found from the "routeprint" output (shown below) that my local internet gateway is preferred over the VPN gateway which is 10.10.4.1. Here 10.10.4.19 is the IP address assigned for the VPN adaptor.

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2      25
          0.0.0.0          0.0.0.0        10.10.4.1      10.10.4.19     100

But after I manually add the below route on the Windows 7 laptop, it started connecting to remote desktop successfully.

route change 0.0.0.0 mask 0.0.0.0 10.10.4.1 metric 20

But after some time of idle state, it is again going back to the original route state of preferring the local gateway of 192.168.1.2 and thus unable to connect to Remote Desktop again.


Cisco VPN :: 5505 Using VPN Client To Access Remote Network Over L2l

Apr 3, 2013

I'm trying to configure ASA 5505 with VPN Client, to access a remote network over a L2L with another ASA 5505, but no success. Is there any special feature to this work?


Cisco VPN :: ASA 5505 / 5510 - VPN Client Accessing Remote LAN

Apr 2, 2012

Trying to figure out how to configure the VPN client side to access a remote LAN.
 
Lan A - 172.16.17.0 - ASA5505 8.2(3)
Lan B - 200.200.0.0 - ASA5510
Cisco Client - V5
 
At present there exists a VPN tunnel between LAN A and LAN B. The client has a VPN tunnel to LAN A to run software package X on the LAN A server. The client also needs to run software package Y which needs access to a database on LAN B. The computers on LAN A have no problem using package Y since a VPN tunnel exists between LAN A and LAN B. How can I get the Client to also access LAN B on the same tunnel created when the client connects to LAN A? I can't seem to get packets that are directed to LAN B to cross the Client tunnel to A which would then hopefully move onto the LAN A/LAN B tunnel.


Cisco Firewall :: Remote VPN User Client Type On ASA 8.3?

Jun 21, 2011

It seemed that show vpn-sessiondb ra-ikev1-ipsec will not provide the client type of the remote vpn user as show vpn-sessiondb remote did before.
 
Is there a way to find it out on ASA running 8.3?


Cisco VPN :: ASA 5510 / VPN Client Cannot Access Remote Servers

Mar 27, 2011

I have successfully installed and configured VPN Client - Version 5.0.07 to connect to ASA 5510 from a remote workstation. Here is the problem, I cannot ping any of the servers or workstations after I successfully connect. I can ping the ASA 5510 using its internal LAN IP, but no other nodes will respond on the remote LAN.


Cisco Security :: RDP Access For Remote VPN Client On ASA 5510?

Jan 17, 2011

We have configured a site to site VPN tunnel from offshore to client location using ASA5510 and accessing RDP from client location. Also configured remote VPN access at offshore location. But using remote VPN client we are able to get RDP from officeshore location but not able to access RDP from client location. Are there any additional changes required?


Run Remote Desktop Client Using CAT 5 Crossover Isn't Working

Aug 9, 2011

Attempts to run remote desktop client a laptop on a tower using a CAT 5 Crossover isn't working. After starting the remote desktop on the laptop, I'm asked to identify the other computer, which I do, and a remote desktop window with a black background pops up, as expected. But I expect an opportunity to login will be displayed after a second or so. That never happens. After about a minute this pops up: Remote Desktop Disconnected? Your Remote Desktop session has ended. The connection to the remote computer was lost, possibly due to network connectivity problems. Try connecting to the remote computer again. If the problem continues, contact your network administrator or technical support.

My clients are impressed with my ability to setup their networks, Linksys routers with WIFI. But toss something unfamiliar into the mix, like this situation, and I'm pretty lost, pretty quick.

Environment:
Hospital's WIFI.
Laptop running XP Home with WIFI and Ethernet.
Tower running Win 7 Ultra with Ethernet.
Cat 5 crossover cable.

Goal: Configure laptop to access Hospital's WIFI. This is successful, I'm using it to post this. Configure laptop run a remote desktop with the tower as the server. The tower, running Win 7, has no monitor. I don't have a flat screen monitor, and didn't feel like dragging an 80 pound 24 inch Nokia into the hospital. After reading some sites while trying to figure this out, I gave the laptop the same group name, workgroup, as the tower. In my experience, starting the tower has been, turn it on, and it boots to Win 7. But I can't watch that happen without a monitor. I can't configure the tower's network connections without a monitor either. I purchased the CAT 5 crossover cable yesterday, for this occasion. The label on the plastic bag it was packaged in had the word "Crossover" on it. I connect the CAT 5 to the laptop's single ethernet connection, and to the tower's Intel pro card. At home the laptop is on WIFI, the tower connects to the router.


Security / Firewalls :: Cisco Ipsec Client Remote Subnet

May 25, 2011

My employees connect with a Cisco IPsec VPN client to asa1. They can connect to the network 192.168.1.0/24 from the employee location (192.168.3.10 - 192.168.3.15 IP pool). Some people must also have a connection to the 192.168.2.0/24. Is it possible, when they connect to asa1 with the IPsec VPN client, that the 192.168.2.0/24 network is also available?


Cisco VPN :: ASA 5520 - Cannot Ping Or Remote Desktop Connect To Any Client

Apr 18, 2013

I have a need to Remote Desktop connect to company's employees for support when they are abroad and using Cisco AnyConnect client. Cisco AnyConnect client connection works fine, clients can reach the company's inside network without problems, but I cannot make a reverse connection, I cannot Remote Desktop connect or ping VPN clients from the company's inside network. I cannot ping clients from the ASA too. I am using ASA 5520, Cisco Adaptive Security Appliance Software Version 8.4(3) Device Manager Version 6.4(7), and Cisco AnyConnect VPN Client 2.2.0133. Protocol Encryption- AnyConnect-Parent SSL – Tunnel DTLS-RC4 RC4 AES 128.


Cisco VPN :: ASA5505 IPSec Remote-Access Client To Network

Sep 28, 2011

We have two sites connect with an IPSec L2L VPN.
 
-Site A: 192.168.13.0/24

-Site B: 192.168.2.0/24
 
On both sites we have an ASA5505 (Base license) to terminate the tunnel. On Site B we also got a remote access VPN to which we can connect using the VPN client. The lan2lan tunnel works fine and so does the remote access VPN. Now I want to connect to Site A using my VPN client connected to Site B. [code] There are no vpn-filters or other special policies in place. I tried to ping from my VPN client to Site A while I was debugging ipsec 255 on Site B: the ASA matched the l2l-tunnel for traffic sourced from 192.168.25.x to 192.168.13.x but when I'm doing a show crypto ipsec sa detail there are no packets getting encrypted, so of course no packets are reaching my ASA on Site A.
