Cisco VPN :: 5505 / 5510 - Several Devices Not Communicating Across Tunnel
Jan 30, 2012
We have a new site-to-site configuration comprised of two ASAs (a 5505 at the remote site and a 5510 locally). The site-to-site tunnel is up and appears to be working fine, with the exception of one thing; two identified IP addresses on the remote end cannot seem to communicate across the tunnel.
For example: address 192.168.3.81 is able to see resources at our facility, but 192.168.3.82 (an HP LaserJet P2055dn) cannot. However, 192.168.3.82 is pingable from the inside interface of the remote ASA and doesn't appear to be having any other connectivity issues. Also, the default gateway of this device appears to be set properly. When checking the real-time log viewer, I'm not seeing any error messages; it just appears as if the .82 device is not routing to the remote ASA, but strangely enough the local ASA's logs do seem to show communication with .82. (See the below logs.)
When we attempt to ping the 192.168.3.82 address from a local PC (10.10.10.10) that participates in the VPN tunnel, we see the following:
Local ASA
6|Jan 31 2012|16:03:53|302021|192.168.3.82|0|10.10.10.10|512|Teardown ICMP connection for faddr 192.168.3.82/0 gaddr 10.10.10.10/512 laddr 10.10.10.10/512
[ code]....
Remote ASA
6|Jan 31 2012|16:03:53|302021|10.10.10.10|512|192.168.3.82|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0
[ code].....
We can successfully ping 192.168.3.81 from the same local workstation; we see the following on the remote ASA:
6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
[Code]....
We have no IP address overlapping and neither ASA's logs show any errors. Unfortunately, we don't have access to the remote site's router configurations, but we've been assured that the issue is not on their end.
Dec 5, 2010
I have an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are accomplished but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.
Jan 15, 2013
Here's the network.
Panasonic TV (DLNA Device) - Ethernet
WDTV Live Plus (DLNA Device) - WLAN
Windows 8 PC - Ethernet
Windows 7 PC - WLAN
Samsung Galaxy S3 - WLAN
The WDTV can act as a media player for both the Windows 7 PC and Samsung Galaxy S3. The TV can act as a media player for the Windows 8 PC. If I connect the Windows 7 PC via Ethernet, then the TV sees it and can act as a media player for it and the WDTV no longer can. The TV can't act as a media player for the Samsung Galaxy S3 nor can they see each other to use the Galaxy S3 as a wireless remote (Viera remote android app). Why can my wireless devices talk to each other and my wired devices talk to each other, but the wireless devices can't talk to the wired devices?
Jan 1, 2013
I've got several devices (two laptops, Xbox, WiiU, Apple TV, 2 iPads, and an iPhone) that can connect to my home wifi network just fine. However, when connected it seems these devices cannot communicate with one another.
Homesharing between my iPhone/laptop and Apple TV is no longer functioning. Also, I cannot sync my Windows Media Player with my Xbox, and I cannot connect my iPhone to the Xbox using AirMusic.
Here's my hardware: Motorola SB5101U SURFboard modem, Netgear Wireless N WNR2000 router.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ipconfig/all
[Code]......
Aug 16, 2012
I have an existing ASA5520 which is already working with remote clients using Cisco VPN client configured using IPsec over TCP. I am now trying to get VPN access for iPhones working and having a problem where once connected the iPhone cannot ping any internal device. The configuration on the iPhone does not allow for IPsec over TCP and therefore uses UDP 500 by default. If I create a new profile from a PC and do not use IPsec over TCP it has the same issue where it establishes a VPN tunnel but cannot ping any internal device. As soon as I change the profile to IPsec over TCP it works fine.
May 23, 2013
We set up a 1941 Router with the Cisco Configuration Professional Tool. The VPN tunnel works and I get an IP address from the pool. But I can't reach any devices in the VLAN10 network. Am I forgetting anything?
Here is the config from the Router:
version 15.1
parser view CCP_Monitor
secret 5 $1$FnN7$Qr.mbJbPOuOH7Te6MD1.I0
commands configure include end
[Code].....
Dec 27, 2011
Monitor a VPN tunnel that has as end devices a Cisco ASA 5520 and a NetScreen Firewall. I'd like to receive an alert when the VPN is down.
Sep 4, 2012
I currently reside in a university which has firewall restrictions. I use an SSH tunnel to connect to the internet. I managed to get my wifi up and running on my mobile device using Connectify, but the only sites which are accessible through wifi are the ones that are accessible through the university firewall. Any way I can extend the SSH proxy to the mobile device via the laptop?
May 11, 2011
I have a person who connects with VPN on an ADSL connection to the corporate network. This person is using a Cisco IP phone at his remote location and I configured the ASA 5505 to prioritize voice over data. I still get voice skips when the remote PC is uploading data to the corporate network. What I've done is:
1. With ASDM I created 2 priority queues, one for inside (queue limit 2048, trans ring limit 512) and one for outside (queue limit 2048, trans limit 256).
2. With the service policy wizard I created a global service policy (all interfaces) and a traffic class for DSCP 46 EF, and on the QoS tab I checked "enable priority for this flow".
3. When using the phone, I clearly see that packets are growing on the LLQ queue (show priority-queue statistics).
4. I still get voice skips when uploading data to the corporate network. Upload bandwidth is about 800k for upload; the PC and the phone are on the same subnet.
Jun 5, 2011
I finally got the VPN tunnel between 2 ASA 5505's up and running, but I have some error codes on the initiator side that I cannot figure out. [code] I have looked at the crypto transforms on both sides, and they match just fine as far as the DH ID code, group number and the encryption. The remote side, however, does not have any of these errors.
Is this something that I have skipped over, or missed, that I should be looking for? The IP address that is listed above is not in my static addresses; not sure where those are coming from. I believe that they are outside public IPs.
Feb 7, 2013
We're setting up a site to site VPN with a customer. Our side is a Cisco SA520 and their side is a Checkpoint. The tunnel is up; we've verified phase 1 and 2 are good. The issue is passing traffic across the tunnel. Our LAN IP addresses are private addresses 10.10.1.0/24 but the customer states that we need to have a public IP address for our LAN in order to access their server on their LAN. So looking through all the forums, I see that you can NAT before crossing the VPN tunnel, but our issue is that our site only has 6 IP addresses assigned to it and those are the Comcast router, the WAN side of the SA520 firewall.
So we were wondering was there a way that we can either use the WAN interface on the SA520 or use another available of the 6 that were assigned to NAT and pass traffic across the tunnel. Sounds confusing? Sorry, but it is; rarely do I have a customer say I have to have a public IP for my side of the LAN. Now I also say this is an SA520 firewall, but if it's not possible to do with that, is there a way we could with an ASA5505?
Jun 11, 2013
We currently run dual ASA 5510's in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. Trying to decide between a 5505/5510/5512x. We would like to extend many of the capabilities of our network to the branch campus, which will be 20-50 users on a 50mb/10mb internet connection.
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?
May 2, 2012
I have two 5510's that I am trying to get a tunnel established between. One has an existing tunnel to a 5505 that works but I can't get the next one to get past the first phase. I have sanitized the attached configs.
May 30, 2012
I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.
Mar 2, 2012
I updated the configuration per your response below... It still doesn't work. See my new config files below.
Make the following changes on host: officeasa
Remove the line highlighted below.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
[code].....
Dec 12, 2011
I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel; when our clients send traffic and the tunnel is down due to inactivity it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?
May 23, 2011
Firewall ASA5510. I'm planning to get one ASA5510 for our office in order to secure our network properly; however, we have quite a specific routing configuration to allow us failover to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install the firewall between our ISP router and internet and allow traffic to/from the Data Centre. In this situation will I have to change routing configuration on the Company Router or do I have to do anything with our Company Router?
Apr 25, 2013
I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPsec site-to-site tunnel to a partner network of 166.110.0.0/17. I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.0/24, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22. My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel.
Nov 27, 2012
I don't know if this is in the right section, but I cannot set up a VPN tunnel between an ASA 5510 and a Cisco RV042 router. I believe the problem is because I need to set up a NAT exempt rule on the RV042 router but don't know how.
May 15, 2013
I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop.
May 9, 2013
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto maps don't match. I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?
Dec 5, 2012
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto maps don't match. I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?
Mar 5, 2012
I'm attempting to debug an IPsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get a constant stream of TCP debugging events. Is it possible to only view IPsec messages?
Nov 7, 2012
I have an ASA 5510 at V8.2(5) with something near 20 site to site VPN tunnels. I am having a problem with 1 tunnel to a RVS4000. The tunnel is completely closed and reset during Phase 2. Here is a small snippet at the time of the tunnel reset:
x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPsec, Duration: 7h:36m:30s, Bytes xmt: 333755, Bytes rcv: 86281, Reason: User Requested
Followed by Group = x.x.x.x, IP = x.x.x.x, Active unit receives a centry expired event for remote peer x.x.x.x.
We use a number of connection oriented sessions and this is blowing them out of the water. All other tunnels are up for DAYS to more than a month.
Jun 8, 2011
I got a strange VPN problem. I just added a new VPN tunnel to our ASA5510 and then the users report that the traffic through the tunnel is very slow; when I try it myself I get a speed like 50kb/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is, through the ASDM VPN wizard.
Aug 12, 2011
I have an interesting SVPN challenge that I'm asking the subject experts here to assist me in solving. A customer in Domain A wants to transmit data to Domain B. The customers have agreed to establishing a secure VPN connection from Domain A to Domain B to transmit real time data. The challenge comes from sending unencrypted data from nodeA to nodeB & nodeC within an encrypted VPN tunnel to node d. The challenge is sending non-encrypted data from NodeA to NodeB where an encrypted VPN session is active. Every time I attempt to configure the interface (AppC) the VPN session is terminated, and the interface can no longer "see" nodeD via IP mapping. An engineer recommended adding a second NIC card to NodeB, thereby permitting control of the AppC even when the VPN is up and running. Can I send live non-encrypted data to NodeB data buffer, while AppC sends data to NodeD in a VPN tunnel?
Oct 25, 2012
Having a strange issue with RDP to a XP machine through a L2L tunnel. Tunnel is between an ASA5505 and ASA5510. Site A 5510, Site B 5505. I have a handful of Win7 and XP Dev machines running on ESXi 4.1 within Site A.
Site B to Site A: I can RDP to all Server 2008 and W7 machines (physical and virtual). I can also RDP to a physical XP machine. I can ping the XP VMs by name and IP successfully. I cannot RDP to the 5 XP VMs running on the ESXi 4.1 host.
Site A to Site B: I can RDP from the XP VMs on the ESXi 4.1 host to any machine within Site B.
Within Site A: I can RDP to these XP VMs.
AnyConnect: I can AnyConnect into Site A and RDP to the XP VMs.
I have tried to Telnet on 3389 to the XP VMs with no success.
May 25, 2011
I have set up two ASA 5505's (let's call them ASA1 and ASA2) with site to site VPN configuration and I've encountered two problems with my setup.
ASA1 has IP 192.168.1.254 on the inside interface and connects to ASA2. It's also an Easy VPN Server for external users to connect through Easy VPN Client.
ASA2 has IP 192.168.11.1 on the inside interface and connects to ASA1.
Problem #1: None of the ASAs can ping each other's inside LAN IP address. Computers behind the ASAs are unable to ping the remote ASA's inside IP address. My guess is that this has to do with either NAT or built in security.
Problem #2: The Easy VPN clients which connect to ASA1 are unable to access the LAN behind ASA2.
Aug 22, 2011
I'm getting a dynamic public IP from my provider and what I'm trying to do is to establish a remote VPN tunnel using IPsec, which I achieve, but every time the session resets or the ASA 5505 resets I get a new public IP and I need to put the new IP on the remote client so I can establish the VPN. How can I establish an IPsec VPN using DNS? For this scenario the remote VPN client is a VPN phone but it could be for any VPN client.
Private IP Public IP Private IP
PBX ---- (LAN) ---- ASA 5505 ---( Internet ) --- Remote Site ( Router ) --- (LAN) -- VPN Phone
May 7, 2012
I have a site to site IPsec tunnel set up and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolved the issue. It ran for well over a year and our assumption was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA, but even after power cycling, the VPN does not come up automatically.
Nov 18, 2011
I configured an IPsec VPN tunnel between two ASA 5505 firewalls. I would like to make sure that the IPsec tunnel (hence the security association) is permanent and does not drop due to idle condition.
Jul 3, 2011
I have an ASA 5505 VPN Concentrator using ASDM 5.2 connecting to a BEFSX41 router. It's a pretty simple setup that has been working for years. However, over the past several weeks the VPN tunnel is consistently dropping every day or two; however, both sides are able to ping the internet at all times. My current workaround is to manually log into the BEFSX41 router and re-connect the VPN tunnel, which simply connects immediately. The tunnel will stay up for about a day or two until it reliably drops the tunnel connection. Every time the tunnel drops I get an alert with an error message: [code] After doing searches about what this error means, all I can find is that it's supposed to mean there is a problem with the encryption keys. I have checked the keys many times over and everything is the same. I find it odd that nothing has changed in almost 2 years.
I have 10 other VPN connections that are always up and never have any problems. I have the same make/model router connected to other offices with no problems. I have swapped the router twice, and each time I get the same symptoms.
Feb 4, 2013
Two 5505 ASA's for a customer main site and a local office. I have the tunnel up. But I'm unable to pass traffic across it.
Main Site:
ASA Version 7.2(4)
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....