cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
View 11 Replies
i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?
View 1 Replies View RelatedI have two Cisco routers - 2911 in HQ and RV180 in branch office. Because in HQ LAN network I have some development servers, to which guys from branch office need to have acces, I decided to setup VPN site-to-site between HQ and branch office. Everything went quite smoothly, on both devices I see, that ipsec connection is established. Unfortunately I am not able to ping resources from one network to other one and vice versa. Below is the configuration of 2911 router (I skipped som unimportant (imho) configuration directives) :
crypto isakmp policy 1
encr 3des
hash md5
[Code].....
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
View 2 Replies View RelatedI have a very basic lab site to site vpn setup where I have a ASA 5505 running v7.2(4) on one side and a cisco 2811 on the other side.
What's my issue?
I can't seem to ping from cisco router to the 'inside' network of ASA (see config below) and can't seem to ping from ASA packets leaving the 'inside' interface to cisco router even w/ an ICMP ACL permit outside in. However I'm able to ping within ASA inside network & ping cisco 2811 side w/ packets leaving ASA 'outside' interface just fine.
example:
-------
ciscoasa# ping inside 10.20.20.1 (to cisco loopback1 from ASA inside)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
[Code].....
Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24
On one of our branch locations ASA, I have a L2L VPN setup we are adding wireless to this remote location, and the AP's will talk back to the controller at HQ. The AP's are on the downstream L3 switch, and they have been placed on the mgmt network. It's definitely not ideal to have these AP's on the mgmt network, but for now that is how it is setup.
From HQ (163.122.x.x) I can ping and reach the ASA (10.200.2.1, and the downstream L3 switch 10.200.2.100, but when I ping one of the AP's, I get timeouts and and the following error on the ASA:%ASA-3-305005: No translation group found for icmp src outside:10.205.216.73 dst mgmt:10.200.2.152 (type 8, code 0)
It appears it's a NAT issue on the ASA, but I'm confused on what I need to change. Why can I ping the ASA and the switch from HQ, but not the AP's which reside on the same mgmt network? I don't really need it to NAT, just to pass the connections. I currently only have the following two NAT statements in the configure
[code]...
I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.4(4)1
!
hostname SaskASA
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?
View 1 Replies View RelatedThe scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.
Building configuration...
Current configuration : 5425 bytes
!
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!
version 12.4
no service pad
[code]....
I've got a Cisco 5520, to which is a Cisco 5505 is connected via a Site to Site tunnel.The tunnel works just dandy, with traffic happily being passed to and from my Inside interface.
The issue comes with users connected to the 5505 access our DMZ, it simply refuses to work. I've read many posts about the changes made in 8.3 (which I'm running on the 5520) when it comes to NAT exemptions which I believe is the issue I'm having but I'm not able to implement any configuration to allow my site to site VPNs to connect to hosts within the DMZ.
An old copy of the configuration below (I tried many things after this point, but this is one of the cleaner copies!), [code]
I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.
View 3 Replies View RelatedI am trying to set up a site to site ipsec connection. AT site A, I have Vlan's 652-10.55.216.0/24, Vlan653 -10.55.217.0/24, Vlan 654-10.55.217.0/24 and Vlan655-10.55.219.0/24 and at site B, Vlan650-10.55.214.0/24 and Vlan651-10.55.215.0/24.The problem is that I am unable to get any associations when i do a "sh crypto isakmp sa"/"sh crypto ipsec sa" on either router at each site.I am also unable to ping by pluging in a laptop into the site at each site. Laptop at site A is set to access vlan 655 and laptop at site B is set to acess vlan 651. I can ping all the devices from one end to the other.I have turned on debug crypto isakmp, debug crypto ipsec, debug crypto ipsec errors but dont get anything at all as output.I have attached the sh run for each router Cisco (1941/K9) and switch (Catalyst 3750) at each site.
View 4 Replies View RelatedI have the following VPN site-2-site configuration.The trouble I'm having is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and visa versa. Think I have added the static routes and ACLs correctly on the 3560 switches (acting as gateways) and both PIX's to access the internal networks. Host 172.168.9.3 can ping 172.168.200.3 fine.
View 3 Replies View RelatedI just get it that I can make a VPN Site-to-Site IPSec. But if I try to send a ping from one PC (network 1) to the other PC (network 2) it failed.
PC (Network 1) <ASA5505> Switch <ASA5510> PC (Network 2)
between the two ASA I have a funkctional VPN IPSec tunnel, but I can`t get access from one to theother network.
That are the access-list on the ASA5505:
asa5505#
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Inside_ICMP; 4 elements
[Code].....
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
I setup RA-VPN under local asa 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then i have 5 site to site VPN working fine but when im traying to access to those L2L VPNs from the remote acces client im not able to do that. So after that i decided to obtain IP addresses from my DHCP server so i can obtain IPs from my local network (172.17.16.0/16) and then access normally to the VPN site to site. But the surprise was that the VPN cisco client is getting local IP address (172.17.16.222) perfectly but im not able to access even to my local network.
I have the same-security-traffic permit inter-interface same-security-traffic permit intra-interface enable.
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
I have a ASA 5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.
Secondly request also they need failover over the ISP link.
how we immplement the same on ASA 5510.
It's been a long time since I played in Cisco CLI.Using a Cisco 506 Firewall 6.3(4) PDM 1.0?Problem is I created a site to site tunnnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
Tunnel is policy 10 using access-list 101
Remote VPN is Policy 20
Config Below:
: Saved:PIX Version 6.3(4)interface ethernet0 10fullinterface ethernet1 10fullnameif ethernet0 outside security0nameif ethernet1 inside security100enable password XLk0qAaMaA6kjvA6 encryptedpasswd VeCrsQbWdIFPwnny encryptedhostname RMS-DR-PIXdomain-name RMS.Localfixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol tftp 69namesobject-group network FTP_Clients description FTP Client PCs network-object host 192.168.xxx.xxx network-object host
[code]....
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
View 6 Replies View RelatedI am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG). In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG". None of the SSIDs are "anchored".
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs. This site contains two customers. One customer is the Main customer with the second customer leasing space.
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan). I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500. It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site. This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
For my test, I am starting simple. I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low). I have anchored this test WLAN to that controller. At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site. I am unable to obtain an IP address from the remote site. I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at 7.0.220.0? What could I be missing?
We have successfully establish a site-to-site vpn, but we have some difficulties when PPTP users try to access the remote network linked by this tunnel. LAN users can access the remote network without problem, but users who are connected remotly to the lan (PPTP) can't access computer on the remote network. Is there a way to allow PPTP user to access the remote network ? Adding a route ?
View 1 Replies View RelatedI have a site-to-site VPN already established, everything is working as it should. I'm trying to block the remote network from accessing our network since we only need to access theirs. I'm sure this is something very easy to implement with an ACL but I'm not sure where this rule needs to go. The VPN is on ASA 5505.
View 5 Replies View RelatedA user with Easy VPN client connects to a 876 ISR (router A). This router also has a site-to-site VPN to another 876 ISR (router B). What I want to achieve is that the user dials in to router A and can access the network on the remote end of the site-to-site tunnel (router B) In diagram:
user (192.168.18.x) - Easy VPN - Router A (192.168.16.x) - sitetosite - Router B (192.168.17.x)
I have added routes in router B to the 192.168.18.x network with router A as next hop, but I can't reach the other segment.
I'm attempting to configure an for both site-to-site and remote access VPNs. The site-to-site is working fine, however when I connect using the Cisco client, after initial connection and password prompt I get a "not connected" status. The log states that a policy map match could not be found. I have successfully set the unit up for remote access with no site-to-site and ran into another host of issues when adding the site-to-site to the working remote access config, so I started over setting up site-to-site first. I've attempted this through ADSM (hate it) - the current configuration is via CLI. I'm certain I'm just missing a piece or two.
View 2 Replies View RelatedWe have a site-site and remote vpn configured in same interface in ASA 5520 ( software version 8.3 ). When Remote vpn users try to connect to computers located on the distant end of site-site VPN, their request failed. I tried No-Nat between remote vpn private IP to the remote site private IP, also stated the same in Split tunneling. I cant find even the tracert, ping also timed out.
View 7 Replies View RelatedI have a situation where I need to have remote users vpn into my ASA 5510 and then turn around and hit a site to site tunnel. Now when I am in our office I can hit the site to site vpn fine. When I am at home and vpn to the asa I can not get to the site to site resources. Do you see where my config is incorrect? result of the command: "show run"
ASA Version 9.1(1)
!
hostname xxxxx
domain-name xxxx
enable password xxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[ code]....
I am unable to ping any device on the internal lan from the opposite side of the tunnel. However, the tunnel connects successfully. I have the firewall disabled on both routers. Site A is using 192.168.3.1 and Site B is using 192.168.4.1. Any thoughts on why I cant ping one router from the other?
View 4 Replies View RelatedI have a PIX 515 and am working with a Site-to-Site VPN. When I do not specify a filter on the Group Policy I can successfully access the remote network and the remote network can access my local network. However this by itself poses a securty risk for my local servers. I need to be able to access the remote network fully, however only one or two workstations on the remote network need to access mine.
If I add access-list vpn-remote-site extended permit ip host remote-wkstn1 any then only the remote workstation can access my remote network. This gets me a step closer as now only the remote workstation can access my network effectively denying everything else. However, from my local network I can now only access the remote workstation and not all of the other devices. I do not have any control over the remote firewall and would like to make sure it is secured on my end.
Scenario using ASA V8.4
RemoteLan - Router Dynamic WAN IP ----------- site to site VPN --------------ASA - ASA Lan 192.168.1.0/24
10.1.1.0/24
I am trying to get my head round configuring an ASA with V8.4 code where things have changed especially NAT.In earlier ASA 7/8.x code I belive the crypto map below would have allowed a properly configured remote router to connect irrespective of its WAN IP
I am struggling to get my head round how I achieve the same in ASA V8.4 . I have searched the web and found plenty of examples for earlier code but specificlly am trying to learn about how to achieve it with v8.4
access-list outside_cryptomap_20.1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list outside_crypto_map_20.1
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto dynamic-map cisco 1 match address outside_crypto_map_20.1
crypto dynamic-map cisco 1 set transform-set myset
[code]....
can I configure Site-To-Site VPN and Remote Access VPN at the same time in one ASA 5510?
View 8 Replies View Related
