Cisco VPN :: 5505 / IPSec VPN Between ASAs With Same Subnet For Disaster Recovery
Feb 9, 2012
We have to make disaster recovery site EasyVPN tunnels on Cisco 5505 ASA firewalls. Now there is only one main site and 3 remote sites.For DR we have to use the same subnet as it is on the main site because the Vmware virtual machines will be replicated to DR.For DR we are using Double Take software.What is the best solution for this? I think that we could use Destination NAT on ASAs. The other sites (HQ and remote) will se only the NAT address of theDR and not the real one which is the same as on the main site.We are using IPSec VPN? In packet-tracer on ASA I see that the packet is first NATed and then encrypted, so it should work, yes?
View 2 Replies
ADVERTISEMENT
Aug 1, 2011
We are setting up a disaster recovery site which will host redundant copies of our servers and critical data in Kansas City. In the case of a disaster, our headquarters site would be totally gone.
Currently we have 7 branch offices that communicate to our HQ via VPN tunnels (either over an Internet circuit, or over a Cox Communications Ethernet WAN circuit). The branch sites each have a 2821 Cisco ISR Router. At the headquarters and at the DR site, we use a Cisco ASA 5510 to terminate the VPN tunnels and do all of our backbone routing. Routing on the ASA and on the branch routers is all static, using a routing protocol would be a nice upgrade in the future..? We use lan-2-lan IPSEC VPN tunnels, no GRE/VPN is in use because the ASA does not terminate it. What is the best way to setup my branch routers to automatically or manually fail-over to connect to a different ASA at the DR site?
Also, if my Headquarters site is still up, but either my Internet circuit or the Cox ethernet circuit at the headquarters goes down. How can I re-route all traffic in a loop back to the headquarters over the one good remaining circuit?
Is there a better way to do what I want to accomplish? BGP is not an option at this point due to its complexity.
View 6 Replies
View Related
Mar 14, 2013
My questions is in relation to disaster recovery, for wireless. We have our main data center, in the US, with two 5508 controllers. We have a DR location, in Europe, with two 5508 controller. We're upgrading our 5508's to the 7.4 code, so that we can take advantage of the RP port for our controllers. With that said, is there a way to make the US and Europe controllers redundant?
If there's a disaster, in the US, would the AP licensing, and AP's attach to the European controllers? Our AP's are set up with HA. I'm more concerned about the licensing flipping over to the DR controllers. I've tried researching this topic, and can't really find anything on it.
View 4 Replies
View Related
Aug 25, 2011
I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn’t have to reload the ASAs. The issue‘resolved’ itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz version 8.3.2.
View 5 Replies
View Related
Oct 18, 2012
I've two sites, the branch with an ASA 5505 and on the corporate office i've an ASA 5510.I need to make a easy vpn tunnel between this to sites and I've made some configuration, but for now, the ikev1 isn't working.
View 1 Replies
View Related
Feb 17, 2013
I'm looking for automating a couple failover scenarios. Both VPN redundancy and black hole internet traffic redundancy.I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.
[code]....
View 7 Replies
View Related
Jan 16, 2013
I just learned that the licensing structure for the ASAs is changing, but I don't have any details. We have roughly 30 ASAs (from 5505s to 5585s). If there's a licensing change, I need to do an impact assessment and plan accordingly.
View 5 Replies
View Related
Jul 2, 2012
I'm trying to configure policing and/or shaping on a setup of 2 x ASA 5505 Sec Plus. The units are placed in office A and office B and each have a ISP connection to the internet and a leased line with a capacity of 4/4 Mbit/s for interoffice communication.
On each ASA there's four subnets. VLAN 200 is used to connect the offices through the leased line.
Subnets:
Outside = 2
Data = 10
Voice = 100
Linknet = 200
I've read a lot of articles and posts about shaping and policing on the ASA but still can't get it to work like I wan't to. I'm trying to limit all traffic besides IP-telephony traffic to 3 Mbit/s and thus reserving 900 Kbit/s for voice traffic. I tried setting a service-policy on the linknet interface on each ASA and set Traffic match to Any traffic and QoS settings for both input and output.
I can see traffic passing the policy when I run the "show service-policy police" command but it never seems to be high enough to be policed which is strange since the ASDM monitoring shows that I'm pushing 3900 kbit/s. I file transfers verifies that policing does'nt work.
View 2 Replies
View Related
Aug 1, 2011
I have site-to-site VPN using two ASAs 5505. I can ping between two computers C1 and C2. Now I want to add subnet 192.168.1.0. How do I configure routes on ASA so that I can ping between computers C3 and C2?
View 5 Replies
View Related
May 25, 2011
My employees connects with a cisco ipsec vpn client to asa1,They can connect the network 192.168.1.0/24 from the employee location.(192.168.3.10 - 192.168.3.15) ip pool.Some people must also have a connection to the 192.168. 2.0/ 24, is it possible when they connect to asa1 with the ipsec vpnclient and that the 192.168.2.0/24 network also is avaible.
View 3 Replies
View Related
Jun 12, 2012
Is there any way to setup an IPSEC tunnel to be able to go from my subnet, 192.168.75.x and be able to reach anything on the other side of the tunnel, 192.168.X.X?
View 5 Replies
View Related
Oct 21, 2012
I'm not sure if this is a possible config, but I have an ASA that I need to be able to SSL VPN to, and get an IP Address that is on the same subnet as my internal interface. The reason is, the person connecting in has a utility that does a broadcast on the internal network to discover the devices he is trying to connect to. Therefore, connecting over VPN and getting put on a different subnet wont work. In this case, I am going to start the ASA configuration from scratch. If its possible to do the above, what are the correct commands to configure it? I was planning to use 10.50.0.1/24 for the internal interface, and then hand out IP Addresses on that subnet to both the lan, and the vpn, This is an ASA 5505. Its on IOS 8.4.
View 1 Replies
View Related
May 1, 2012
i need to recover a router Cisco 2801. I lost the password and the "no service password-recovery" is configured. I have done many attempts with the procedure in this link :URL
View 9 Replies
View Related
Jul 7, 2012
I've setup a SSL VPN to a ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a win server on the inside network but I cant get to it. Can not even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...
I added a ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
New at VPN and have survived so far on cisco docs but this problem is evading me.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
[Code]....
View 1 Replies
View Related
Sep 7, 2011
We want to use an ASA as a pure routing device. Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
We have a defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port and made the Ethernet that acts as outside as a trunk, and defined it as the global routing.
We cannot ping any of the subnet IPs defined in the ASA from outside nor we can ping it from the internal IP addresses.
Configuration:
: Saved
:
ASA Version 8.2(1)
[Code].....
View 3 Replies
View Related
Jul 6, 2012
I've setup a SSL VPN to a ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a win server on the inside network but I cant get to it. Can not even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...I can ping from the 192.168.1.0 net to 10.0.0.0 and 192.168.2.0 without issue but not the other way around....I added a ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 1 Replies
View Related
Aug 4, 2012
I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching youtube videos, and endless google searching, and despite my best efforts I am still having an issue I can’t figure out.
I have a couple of subnets, that when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I’m not sure if it’s an access rule issue, NAT issue, or DNS issue.
Here is the network layout:
ASA: 192.168.0.2 (Primary Gateway)
192.168.0.0 (Primary facility, ASA is the gateway)
192.168.2.0 (Second facility, connected via Verizon point-to-point)
192.168.3.0 (Third facility, connected via Verizon point-to-point)
[Code].....
View 7 Replies
View Related
Dec 7, 2011
I am working on a site that has recently added a new subnet and I am unable to ping any of the stations on this new network. I have configured an Exempt NAT rule just the same as the rules allowing access to other networks. I have a feeling the problem is in the Site-to-Site VPN configuration since the new subnet is at the primary location over the VPN.
In the site-to-site configuration I added the new subnet to the list of "Remote Networks" and I still can't communicate with any of the devices on the network. If I go to the main site I have no problems so it appears to be related to the VPN or a configuration in the ASA on that site.
A port scan shows that all the traffic is "filtered" so somewhere either the site ASA or the main ASA is blocking the traffic.
View 7 Replies
View Related
Mar 23, 2011
I want to give access to remote subnet on firewall 5505.
Remote subnet is 16x.15X.56.0
Here is my access list
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.254.0 16x.15X.56.0 255.255.254.0
View 7 Replies
View Related
Jan 31, 2012
We recently upgraded a ASA 5505 with the security plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured 10.1.1.0 is able to access the internet without any problems. However the new subnet 10.1.5.0 is unable to access the internet and when we ran a trace packet the nat config nat (inside) 1 0.0.0.0 0.0.0.0 is showing as the rule that drops the packet.
Additionally we have not been able to get the 2 subnets to talk to each other even though same-security-traffic permit inter-interface is configured. How to configure the subnet 10.1.5.0 to access the internet or to get the subnets to communicate. Below is a streamlined version of our current config.
!interface Vlan1nameif insidesecurity-level 100ip address 10.1.1.1 255.255.255.0 ospf cost 10!interface Vlan2nameif outsidesecurity-level 0ip address 66.66.66.66 255.255.255.240 ospf cost 10!interface Vlan13nameif corporatesecurity-level 100ip
[Code].....
View 15 Replies
View Related
May 4, 2011
I'm new to Cisco equipment much more familiar w/ Sonicwall w/ that said......I have a 5505 w/ Security Plus licensing
I have set up multiple VLANs as follows
VLAN 1 inside - still setup as 192.168.1.1 (will not be using this for our lan)
VLAN2 - outside
VLAN100 - LAN 10.1.1.1/24
[Code]....
If I do add all the VLANs above I understand I will probably have to make a trunk port since I only have 5 usable interfaces
View 12 Replies
View Related
Oct 7, 2012
I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't suppport multiple vlans or trunking & they are only able to connect to one switchport on the ASA. He doesn't not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addesses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an ip range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to setup an internal network & I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.
View 3 Replies
View Related
May 29, 2011
We have Cisco ASA 5505 and an internal user (behind NAT) needs to connect via VPN to an external company. I just cannot get this to work. I have enabled IPsec Pass Through from ASDM Configuration --> Firewall --> Service Policy Rules --> Edit Service Policy Rule --> Rule Actions --> tapped IPsec Pass Through I have tried to find some info from the log but all i get is this message: IP = [remote gateway ip] Invalid Packet Detected!"I cant find anything that is blocked from the log.
View 2 Replies
View Related
Mar 9, 2011
On an ASA 5505 with the proper licenses running version 8.3, which would you consider the more resource intensive for the ASA, IPSec VPN or an SSL VPN with a portal?
The connections through the firewall would be the same so I am curious how adding the different types of VPN will affect the CPU and overall ability of the ASA to function.
View 2 Replies
View Related
May 2, 2012
I am trying to replace a 1751 IPSec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer. There are a small number of workstations (~50) and low throughput (< 1MBps) across this VPN, the biggest trouble is the number of remote networks needed.
I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my ipsec sa's and can only pass traffic to some of the remote networks. Does the 25 IPSec limit apply to multiple sa's one one peer, I've only ever seen it spoken of as a 25 peer limit?
View 4 Replies
View Related
May 6, 2012
I have setup a ASA and everything but ipsec seems to be working. I was able to use the clientless ssl but I need ipsec working. I'm at a loss. config is a little sloppy and i will be cleaning it up but would like to get this working first.
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
[Code].....
View 3 Replies
View Related
Oct 3, 2011
I have Cisco ASA 5505 and i want to create vpn remote access ...l
so i created and connected to the vpn ...my problem is to reach my Local connection of 192.168.1.0 /24 i put the WAN Connection in the FA0/0 and put my LOCAL AREA CONNECITON into FA0/1 .. so how i can route or translate my connection , and using cisco ASDM 6.1 in GUI ,,,
View 1 Replies
View Related
May 23, 2011
I am trying to configure a Cisco ASA 5505 for Remote Clients.I am using ASDM interface and used the startup and ipsec wizards for my configuration but im hitting a stumbling block.For the last 2 days i have tried a number of configuration changes in attempt to make this work but failed, so i have done a factory reset and gone through the wizards again, so i have a clean configuration. Currently i have a Static Public IP Address 81.137.x.x and i am using a Netgear ADSL router, which is forwarding VPN traffic (UDP 500) to 192.168.171.35 (the wan port on the ASA 5505).The Cisco ASA has a default address of 192.168.1.1 I am using Cisco Client 5.0.06.0160.I have configured the client to use Group Authentication with the same credentials as setup through the wizard and im using Transparent Tunneling IPSec over UDP.I have attached 2 documents running_config.txt - which is shows the current ASA configuration Log-View.txt - showing error messages displayed in the real-time log viewer when i try to connect from the remote client.Im not sure whether i need to do any additional configurations for my setup other than simply run the wizards.
View 3 Replies
View Related
Mar 19, 2013
I am trying to configure an IPSEC vpn on an ASA5505 I setup an SSL vpn and it works fine, I can browse to the https: address log in and connnect to servers However when I try to setup the ipsec client access vpn it will not connect and I am getting the errors below I used the wizard for the initial configuration Looks like the inital IKE is being blocked or dropped?
%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/500
%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/137
View 10 Replies
View Related
Aug 22, 2011
I´m getting a dynamic public IP from my provider and what I´m trying to do is to establish a remote vpn tunnnel using IPSec which I achieve but every time the sessions resets or the ASA 5505 resets I get a new public IP and I need to put the new IP on the remote client so I can establish the vpn... How can I establish an ipsec vpn using DNS? For this scenario the remote vpn client is a vpn phone but it could be for any vpn client.
Private IP Public IP Private IP
PBX ---- (LAN) ---- ASA 5505 ---( Internet ) --- Remote Site ( Router ) --- (LAN) -- VPN Phone
View 3 Replies
View Related
May 7, 2012
I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
View 1 Replies
View Related
Mar 2, 2012
Got some issues when setting up IPSEC/VPN on the asa 5505. I want to connect from the ipad with the built in IPSec client..Get errors when i run the debug crypto isakmp
View 1 Replies
View Related
Dec 14, 2012
I would like to know if I have only using IKEV2 to connect site to site VPN with Cisco 5505 device to connect few site. Which encryption method is better to choose with faster and stable IPsec encryption proposal,AES256, AES192, AES, 3DES, DES ?? which one is the best in IKEV2 site to site VPN tunnel?
View 4 Replies
View Related
