Cisco VPN :: 2911 Site-to-Site VPN / Local Server Access Internet
Aug 18, 2011
I have a Cisco 2911 router configured with a couple of VPN tunnels . The issue that I am having is that I cannot access the servers (WEB,EMIL) thru the tunnel . After looking around found out that adding a route-map to my static NAT rule will fix the issue . Once I do that I am able to access the serves thru the VPN but my local machines lose internet access .So I have to delete the access list The issue seems to be with the Access list 110 permit ip [code]
View 5 Replies
ADVERTISEMENT
Feb 2, 2011
When i connect VPN in server site then I can't use my Local Internet connection?
View 1 Replies
View Related
Feb 14, 2011
I have problem with accessing servers through site-to-site vpn from ASA which makes this site-to-site vpn and has enablerd Clientless VPN.Reason why I need it / What I need to do:ASA 5510 has enabled Clientless VPN and on this portal is allowed users to go to URL of internal servers through bookmars. We are using it when somebody could not access IPSec VPN or is in internet cafe. So this user logs into clientless vpn and click on bookmark to access mail server for exmaple. But there is problem, asa cannot access this server through site-to-site VPN.
Network:Here is quick design of my network.I don't have problem access server in VLAN 159 from VLAN 10 or 100. But I need to be able access servers in Vlan 159 from ASA 5510 which has IP address 192.168.1.4.I have this subnet which ASA belongs in BEFORE-NAT object in same place as VLAN 10, 100 are and in Site-to-Site vpn profile.
View 8 Replies
View Related
Apr 3, 2013
I have two Cisco routers - 2911 in HQ and RV180 in branch office. Because in HQ LAN network I have some development servers, to which guys from branch office need to have acces, I decided to setup VPN site-to-site between HQ and branch office. Everything went quite smoothly, on both devices I see, that ipsec connection is established. Unfortunately I am not able to ping resources from one network to other one and vice versa. Below is the configuration of 2911 router (I skipped som unimportant (imho) configuration directives) :
crypto isakmp policy 1
encr 3des
hash md5
[Code].....
View 9 Replies
View Related
Jan 24, 2013
[code] Site-to-site VPNs in place between Site A and Site B and between each site to the DC. Site A and Site B have Cisco 2911 routers, there are ASA’s at the DC. The existing Site-to-site VPNs carry data and voice traffic between the sites (though voice and data is on separate VLANs in separate subnets)
ISP1 currently used for the existing circuits at Sites A and B but we have experienced issues with them recently which has disrupted service. So new circuits are to be installed at each site with ISP2. (See basic diagram attached which shows current set-up with intention to get new circuits via ISP2 installed)
We have 3 ports on our Cisco 2911 routers with 2 ports already in use for the existing connections (1 for the LAN and 1 for the WAN connection to ISP1) Can we simply use the 3rd port for the connection to ISP2 or would it be far more advisable to use a 2nd router (for redundancy, etc)
Would it be feasible to have a set-up where we have e.g. voice traffic go over a site-to-site VPN via ISP1 and data traffic go via site-to-site VPN via ISP2 but each can take over from the other in the event of a failure?
View 5 Replies
View Related
Mar 15, 2011
I have a Cisco 2911 router and a Cisco RV 120W router and i would like to establish a VPN tunnel between theese two. I have defined the settings on the Cisco RV 120W router and i just want the Cisco 2911 to follow those. setting up a connection with Cisco IOS.
View 1 Replies
View Related
Dec 29, 2012
Is there a way to set up a Site-to-site VPN between RV042 & Cisco 2911? I "googled" this and obtained a document, but it is not regarding Cisco 2911: [URL]
Routers are needed to setup it successfully. I have tried on both routers several configuration steps, no success...
View 3 Replies
View Related
May 18, 2012
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
View 2 Replies
View Related
Jun 11, 2013
I am attempting to establish a Site To Site VPN between our SA540 and 2911 routers and somewhere I have a misconfiguration that eludes me. I suspect maybe in the 2911 Transform Set? Here is the output from the SA540. [code]
View 1 Replies
View Related
Sep 26, 2011
Using 3G USB modem on a Cisco router 2911 can you establish site to site VPN?
View 3 Replies
View Related
Mar 21, 2011
Im trying to configure a IPsec site-to-site between Cisco 2911 and Cisco RV 120W routers and im having some trouble with it. Hoping some could shine some light on this matter. Posting my running config on 2911 and also the config of the Cisco RV 120W (.jpg)
View 17 Replies
View Related
Aug 30, 2011
I have a remote office with a dual WAN router (2911) in front of an ASA (5510). Our main office currently has an ipsec site to site vpn to that remote office ASA. The router has two ISPs. ISP-A is the wan link used for the site to site and has provided us with a /28 public address space which we use on the ASA outside interface for the site to site. Now we are in the process of getting a second ISP which will also provide a /28 or /29 public address space. I would like to use that second ISP for backing up the site to site in case ISP-A link goes down. I think I have the IP SLA config worked out. My question involves NAT. On the router I would like to configure a static nat that only takes place if ISP-A goes down. In other words, if everything is working fine, then the router does not nat the ASA outside address, but if the ISP-A link goes down, then the router will NAT the ASA outside address to one of ISP-B provided public addresses.
View 6 Replies
View Related
Mar 6, 2013
Our Headquarter (asa 5510) is running a site to site vpn connection with a Branch office (router 2811). All remote users are accesing the internet through the VPN and also accesing headquarter file servers.I want to know if there is a way for some remote users to be able to use the vpn for accesing the file servers but to access the internet through the branch office. The rest of the remote users will be still accessing the internet through VPN.
View 2 Replies
View Related
Dec 18, 2011
Can I use a single Public IP address for both Internet access and site to site vpn access?If not, can I configure the RV220W as a bridge and still use it via another gateway configured for vpn passthrough as a VPN appliance/server on the LAN?
View 3 Replies
View Related
Jul 28, 2011
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
View 5 Replies
View Related
Jul 21, 2011
I setup RA-VPN under local asa 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then i have 5 site to site VPN working fine but when im traying to access to those L2L VPNs from the remote acces client im not able to do that. So after that i decided to obtain IP addresses from my DHCP server so i can obtain IPs from my local network (172.17.16.0/16) and then access normally to the VPN site to site. But the surprise was that the VPN cisco client is getting local IP address (172.17.16.222) perfectly but im not able to access even to my local network.
I have the same-security-traffic permit inter-interface same-security-traffic permit intra-interface enable.
View 6 Replies
View Related
May 1, 2013
I have 3x site-to-site vpn connections setup on my Cisco 2911 router which is based at Head Office. They all connect OK but there appears to be some ports blocked.Access any applications using HTTPS Our Proxy Agent uses port 8280 - When the internal address is used, it doesn't work. When the public address is used, it works. Printers are unable to use scan to email - Port 25.I'm confident that nothing is being restricted at the remote sites as all of these functions worked on our old Head Office router.All i want to do is allow ANY traffic to and from Head Office and all the VPN sites. I'm fairly new to this type of router having made the jump from small business equipment.
View 2 Replies
View Related
Feb 8, 2012
I'm trying to setup VPN S2S. Office router 2911 ip a.a.a.a, remote office ASA 5505 8.4(3) with ip b.b.b.b, but no luck.
2911 config:
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
[code].....
View 14 Replies
View Related
Apr 25, 2011
Any experience setting up a site-to-site VPN between a ASA 5505 running 8.3 code and Windows Server 2008 R2?
View 1 Replies
View Related
Mar 3, 2013
I ran into a very interesting problem that occurred today and I'm trying to figure out why it happened. If it was one ASA 5505 that just required the reboot, then I'd have just chalked it up to a glitch, but when we built a new AD/ DNS server on the main network at the main site and changed the 3 Remote site ASAs to point to the new DNS server in the DHCPD options, none of them could ping any local host names to the DNS server at the main site they were now pointing too, but external host names { URL} all translated and pinged fine.
From a laptop on one of the remote sites, we could ping the new AD/DNS server(192.168.0.3) and the old AD/DNS server(192.168.0.2) and everything else at the main site, and telnet to port 53 showed successful across the Easy VPN from the Remote site to the new server at the main site. When wire shark was added to the new DNS server at the main site, the DNS request and replies for {URL}, for example, came and worked fine, but any requests for local resources never made it to the server from the remote sites.
A reboot of one of the Remote Site ASA's corrected the issue. Then I rebooted the other two remote site ASAs, and now DNS was working fine for everybody. I had also tried clearing the ARP cache on the ASAs before resorting to rebooting them. I also tried rebooting the laptop thinking the local DNS cache needed cleared before resorting to rebooting the ASAs. I'm struggling to understand why external, public host names made it through and resolved from the remote sites to the new server at the main site, but anything local failed before even reaching the new server(The new DNS server could resolve requests made by computers at the main site, but the remote sites that traverse the Easy VPN from the ASAs failed). The new AD/DNS server is the only server configured for DNS for all remote site computers.
Is any of this making sense? I'm wondering if clearing the x late or local host tables would have corrected it without having to reboot. I'm just trying to grasp the understanding here and figure out what happened.
View 5 Replies
View Related
Apr 7, 2013
I have a site to site vpn connection between ASA 5510 and PIX 515 which is working fine. There is no problem for hosts on any side of the tunnel to access a cross. However the local ip (192.168.20.1) on the client interface of my PIX is not allowed to access hosts on the other side of the tunnel. [code]
View 2 Replies
View Related
Nov 27, 2011
On my 2911 router, can I have both an Easy VPN server, and a site-to-site VPN? Also, with an Easy VPN, is it possible to specify another internet (outside) IP address in my assigned range as the address remote users use . . . rather than the specific IP address assigned to the interface?
View 3 Replies
View Related
May 29, 2012
Is it possible to assign IP addresses to remote site WIFI users from local DHCP server and forward all other traffic to 2504 WLC?
[WIFI Users] >--------<AP (DHCP server) >------ VPN ---------< WLC
View 1 Replies
View Related
Mar 21, 2012
I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I now VPN Filter works bi-directional with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)
View 4 Replies
View Related
Sep 12, 2011
I configurated Ipsec vpn at asa 5510. my inside ip 192.168.10.156my public ip: 85.x.x.xmy peer ip : 62.x.x.x
the project is that:
the remote site want the interesting traffic like that:
source ip 172.16.1.104 can access destination ip 10.0.154.27
My inside ip is 192.168.10.0/0 and i can not to change it 172.16.1.0/24 and i can not to add this ip at my network.
View 3 Replies
View Related
Apr 22, 2012
I've setup a site to site vpn on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up but I am not able to pass traffic. When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.
View 5 Replies
View Related
Jul 15, 2012
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
View 3 Replies
View Related
Feb 7, 2012
ASA = 8.2(1)
ASDM = 6.2(1)
Recently I used the wizard to create an IPsec site-to-site connection, which went very smoothly; however, I now noticed that when I connect via Anyconnect 2.5.0217 I cannot get to local and subnatted resources on the network.
I rolled back to saved config file, which was taken before the site-to-site vpn was created, but that did not work as well.What should I check to see why I can no longer get to different subnets after the site-to-site vpn connection.
View 4 Replies
View Related
Mar 9, 2011
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
View 6 Replies
View Related
Jan 16, 2013
We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes
!
version 12.4
no service pad
[Code].....
View 1 Replies
View Related
May 28, 2012
I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
View 33 Replies
View Related
Dec 1, 2011
How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel? I'm using an ASA5520 running 8.04.
I have four hosts say: 10.240.1.1-10.240.1.4
They need access to two different networks:
205.100.150.0
140.175.200.0
I woud like to NAT them as something like:
7.5.210.1
7.5.210.2
7.5.210.3
7.5.210.4
View 1 Replies
View Related
Feb 14, 2011
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
View 6 Replies
View Related
