Cisco VPN :: 5505 - Cannot Connect To Internet After Connecting From ASA
Jan 20, 2013
I am a network engineer but have no experience with firewalls. Right now I am under pressure to take care of an ASA 5505 where all the VPN and inbound and outbound rules were configured. Recently I had some changes done and redone, but unfortunately that removed some configuration meant for the VPN, and now I am facing a problem:
The VPN connection establishes, but I am unable to browse the internet. I tried inheriting the split tunnel, but I couldn't get through it; it seems I am doing something the wrong way. I mostly use ASDM here.
I'll paste the configuration for investigation:
ASA Version 8.0(4)16
!
hostname yantraind
domain-name yantra.intra
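The symptom above (tunnel comes up, Internet stops working) is the classic "tunnel-all" behaviour: once connected, the client sends every packet, Internet included, into the tunnel, and the ASA has nowhere to send it. The following 8.0-era configuration is an added example, not the poster's configuration; the pool, ACL, group-policy and tunnel-group names, the LAN 192.168.1.0/24 and the pool 192.168.100.0/24 are all assumed. It shows the split-tunnel group policy that sends only the LAN through the tunnel, plus the NAT exemption the LAN-to-VPN traffic needs on a pre-8.3 ASA.

```cisco
! Added example for ASA 8.0(4); all names and address ranges are constructed.
! Assumptions: LAN 192.168.1.0/24 behind "inside", VPN client pool 192.168.100.0/24.
ip local pool RA-POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
! Split-tunnel list: only the LAN is routed into the tunnel. Everything else
! (Internet browsing) leaves the client's own connection directly.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! NAT exemption (8.0 syntax): LAN <-> VPN pool traffic must not be translated.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
!
! Verification: a connected client should show only 192.168.1.0/24 under
! "Secured Routes"; "show vpn-sessiondb remote" on the ASA lists the session.
```

Split tunnelling trades inspection for convenience: the client's Internet traffic bypasses the ASA's policy while the tunnel is up. If the requirement is that remote users' Internet traffic stays under the firewall's control, keep the default tunnel-all policy and instead allow the ASA to hairpin the pool back out the outside interface (`same-security-traffic permit intra-interface` plus a dynamic NAT entry for the pool on the outside interface).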
I set up an ASA 5505 at home through a PPPoE connection. The ASA seems to obtain an IP address correctly, and I can ping a public IP address using the outside NIC, but not the inside NIC. I saw the error message when I ping: No route to ff0213 from fe801bc2b1288cd5bc1. As a result, I cannot connect to the Internet.
I successfully connected to my Windows XP PC through the Remote Desktop Connection client on my MacBook, and now I am unable to connect to the internet on the PC. All that it says is "acquiring network address". I know that it is not an ISP or router issue, because all of the other computers on the network are able to connect just fine. I tried using System Restore, but it said something to the effect of "Windows cannot restore to this point, no changes were made to your computer." This happened with multiple different restore points.
I'm unable to get any internet connection for my new setup.
Here's the overview.
The current setup is:
Internet -> Router -> PIX 501 -> Switch -> clients
Internet -> the static IP range given is 210.193.34.1 - 210.193.34.6. Router -> the static IP assigned for NAT/external is 210.193.34.1; the local IP is 192.168.1.246. PIX 501 settings -> the IP towards the router, according to the router screen, is 210.193.34.2, but I'm not sure what settings are done in the PIX itself, as I'm unable to access it.
The local IP is 192.168.1.1. Clients -> 192.168.1.0
The old setup is working fine and connected to the internet. For the new setup, as I do not want any downtime for the old setup, there are two firewalls connected concurrently to the router. I've configured it this way:
Internet -> Router -> ASA 5505 -> Switch -> clients
ASA 5505 settings -> the IP towards the router (NAT/external/outside interface) is 210.193.34.6 (or do I set it as 192.168.1.0?); the local IP/inside interface is 192.168.2.1. Clients -> 192.168.2.0
Some setup details: security policy and NAT are set to default. Routing is route outside 0.0.0.0 0.0.0.0 210.193.34.6
I'm still unable to access it after a week of troubleshooting.
I started my laptop and couldn't connect to the wireless network, which used to work. I tried "netsh..reset.log", "netsh..", and repairing the network connection, but it is still not working.
routing between VLANs on my ASA 5505. I am very technical system wise, but my knowledge of routing and switching is very shallow.
What I am trying to accomplish: a small lab environment with basic services split onto two separate VLANs (such that DHCP would need a relay on the second VLAN to deliver leases). No external network connection as of right now (so no Internet).
My current configuration: Cisco Catalyst 2960. As you can see below, the two VLANs I am trying to set up are vlan101 (10.100.100.1) and vlan102 (10.100.101.1).
I have a small ASA 5505 trying to connect to an ASA 5510.
cisco-26834# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 216.**.**.146
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_CTCP_WAIT_REPLY
Here's the full debug for the 5505:
cisco-26834# Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 216.**.**.146, IKE AM Initiator FSM error history (struct &0xc66a55b8) <state>, <event>: AM_DONE, EV_ERROR-->AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL-->AM_CTCP_WAIT_REPLY, NullEvent-->AM_CTCP_INIT, EV_REQ_CTCP_LINK-->AM_START, EV_START_AM-->AM_START, EV_START_AM-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 216.**.**.146, IKE SA AM:c045cc52 terminating: flags 0x01000021, refcnt 0, tuncnt 0
Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 216.**.**.146, sending delete/delete with reason message
Jun 30 03:35:26 [IKEv1]: IP = 216.**.**.146, Error: Unable to remove IPSec/TCP entry
I am unable to connect to the VPN I set up on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the VPN client and the config of the ASA 5505 are below.
LOG CISCO VPN CLIENT
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
We currently have 2 different ASA 5505s connected to our ASA 5510. We want to VPN-connect the two 5505s to each other while still maintaining the connection to our 5520. I have attached a PDF of what we have. What we want is to connect traffic between the two 5505s so that devices in either location can talk to each other while still maintaining the connection to the 5510.
We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our provider's network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IPs of 192.168.1.96 - 100, using the gateway of 192.168.1.225.
The main office network is 192.168.0.0 (Gateway of 192.168.0.1)
At this end (main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to port 0 on my ASA 5505). The ASA's port 1 obviously runs into my network hub. The provider tells me that port 0/1 on the 2900 is, or should be, used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route set up either on the 2900 or on the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.
There is already a static route set up on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:
1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub? At first I was plugging right into the ASA, but I don't think I need to do that: why go from the branch office through my ASA to access resources and then back out the ASA for internet? If they're already coming from 192.168.1.225 through the MPLS network, then they should go right to my network and then back out the ASA.
2. They have to route through the ASA first, in which case, do I need to set up another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!
We are planning to purchase an ASA 5505 as a VPN solution for one of our offices. The office has 50-60 users at peak load who would be connecting over the S2S VPN to the datacenter.
From a hardware standpoint, can the ASA 5505 handle this load? The licence is for unlimited inside hosts, but what is the actual limit on this platform?
I am using two firewalls to connect two different offices. Firewall 5510 is running ASDM 6.3 and the 5505 is running ASDM 6.2. The problem is that even after connecting the two sites, I am unable to ping the remote network from either side. I have mentioned the static route as tunneled.
I am having problems with a customer's ASA 5505 with AnyConnect 3.1: it is generating captive portal false alerts which are stopping users from connecting. This issue began when I upgraded from AnyConnect 2.4 to 3.1, and it appears like this: a user downloads and installs the AnyConnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below. "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case, as there is nothing of the sort here. Apparently, AnyConnect 3.1 can generate a false alert like this if the name on the firewall's SSL certificate doesn't match the CName listed in the client profile. I've set this up to match, to no avail. Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the AnyConnect client.
ASA 5505 Site A connects to ASA 5505 Site B over a S2S VPN; both have static IP addresses.
Now I need to change ISP so that I can get more internet bandwidth, but the new ISP only has dynamic IP addresses.
So I need to change Site B's config to use a dynamic IP and still connect to Site A and establish a S2S VPN.
How can I do this? I want the ASA 5505 to change its IP daily so that the VPN connection is still up even if the ISP at site B changes its IP. Or a way to do this automatically, as I don't have anybody at site B that can do this manually for me.
I have little ASA experience. To make matters worse, I understand that IOS 8.4 is very difficult to configure. I spent all day today trying to configure this ASA 5505 and am stuck at the point where my LAN traffic can happily connect to the WAN (although I can't ping the WAN). I can connect to the SSL VPN from the internet, but after that I cannot connect to anything on the LAN or WAN. Here is the basic info.
Inside: 10.50.0.1/24; Outside: DHCP; VPN range: 192.168.60.0/24
If the 5505 can't have a separate subnet for VPN, then I'm happy to put the VPN traffic right on the LAN. My goal is to be able to VPN in to my ASA from the internet and have full access to the network and the internet. It would also be nice to fix the issue so I can ping the internet from my LAN.
Assuming that my ASA is only configured with the above settings and everything else is factory, are there any commands to make this work? I don't have access to the firewall at the moment to copy my running config, but I can get that if needed.
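On 8.3 and later the NAT model changed to object-based "twice NAT", which is why 8.0-era advice does not carry over. The configuration below is an added example, not the poster's running config: it uses the inside subnet 10.50.0.0/24 and VPN pool 192.168.60.0/24 from the post, while the object names, the pool range and the assumption that the SSL VPN tunnel-group already exists are mine. It shows the three pieces that are missing when "VPN connects but nothing is reachable": identity NAT between LAN and pool, PAT for the LAN, and a hairpin so full-tunnel VPN clients can reach the Internet through the ASA. It also enables ICMP inspection so replies to pings from the LAN are allowed back in.

```cisco
! Added example for ASA 8.4 twice NAT; object names and pool range are constructed.
object network INSIDE-NET
 subnet 10.50.0.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.60.0 255.255.255.0
ip local pool VPN-POOL 192.168.60.10-192.168.60.100 mask 255.255.255.0
!
! 1) Identity NAT: LAN <-> VPN pool must not be translated, or return traffic
!    from the LAN is sent out the outside interface with a translated source.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
!
! 2) PAT for LAN to Internet (object NAT, evaluated after the twice-NAT rule above).
object network INSIDE-NET
 nat (inside,outside) dynamic interface
!
! 3) Full-tunnel hairpin: VPN clients enter and leave on "outside", so the ASA
!    must permit same-interface traffic and PAT the pool on the outside address.
same-security-traffic permit intra-interface
object network VPN-POOL
 nat (outside,outside) dynamic interface
!
! 4) Stateful ICMP inspection so "ping 8.8.8.8" from the LAN gets its replies back.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: "packet-tracer input inside icmp 10.50.0.20 8 0 8.8.8.8" should
! reach the NAT phase and show the dynamic interface PAT, not a drop;
! "show nat" lists the identity rule first with hit counts once a client connects.
```

Keeping the pool on its own subnet, as in the post, is preferable to putting VPN clients "right on the LAN": a separate subnet lets the identity-NAT rule and the interface ACLs refer to remote users as a distinct group, so access from the pool can be restricted to what remote users need rather than inheriting everything the LAN can reach.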
Has anyone had a problem connecting an ASA 5505 with AT&T? I can't connect the VPN; the tunnel sometimes opens, but I still can't ping anything, only public IPs, even though I'm able to ping my firewall's IP. I tried PPPoE and bridge mode on the modem. The same configuration works on cable DSL, but I can't get it to work on AT&T.
I already have an ACL that allows any any inside and outside to get the pings working, and a lot of the stuff on the internet I searched for. It seems there are a lot of problems between the ASA 5505 and AT&T.
VPN users are having intermittent problems connecting to the ASA from the outside. When users complain, I'll log into the ASA via ASDM and watch the logs; I don't see anything get logged while they attempt to connect (AnyConnect). I have pings enabled from the outside, and that's not even getting logged when pinging the ASA. However, as soon as I run a ping sourced from the ASA to a public IP, everything works!?! It's like the 'outside' port becomes inactive when not in use, but 'wakes up' as soon as outbound traffic is detected. I have 5 public IP addresses from our router (3 VoIP, 1 web server, 1 ASA). All, except the ASA, are pingable during the occurrence. Is it possible that I have a bad port on the ASA? We just purchased the 5505 a month ago.
I just installed a new ASA 5505, and I had to configure the ASA myself until my SmartNet is activated. The ASA is up and running on my network; however, when I try to connect using Cisco AnyConnect it fails and I get this error. What is wrong with my configuration?
I am trying to set up a LAN-to-LAN VPN with two ASA 5505s, but I cannot ping, traceroute or connect from either side. I can connect to both ASA 5505s from the internet, and connect to the internet FROM both 5505s, just not one to the other. I can ping the network GATEWAYS of the routers, just not the routers themselves.
Both of these machines have been configured for previous VPNs but that configuration has been removed.
I'm building a dual-firewall solution for Exchange. Currently, I also have people connecting via VPN to the PIX 515E.
Internet ==vpn== 5505 == LAN
I'm looking to set up:
PIX515E ==dmz== Edge server == ASA 5505 == LAN
In a setup like this, which device should I have people connect to via VPN? The PIX will be the only device directly connected to the internet. Everything else will be NATted.
I have the network key and it's connecting to the network, but when I try to go onto the internet it comes up with "cannot display website" or something like that. It also came up with something about .NET Framework. I don't really have a clue what to do next.
When I got my Actiontec GT704WGB router/modem (it's one of those that doubles as a router/modem), my ISP was Verizon. McAfee is my anti-virus. Every time I try to connect it says "A connection error has occurred: The connection point has timed out." I use channel 11 and have a 64-bit WEP key. Yesterday I found a neighbor's connection, connected just fine, and it had a signal strength of about 40%. Why on earth can't I connect to my ONE HUNDRED PERCENT CONNECTION BUT I CAN CONNECT TO A FORTY PERCENT CONNECTION? EVERYTHING can connect to my router EXCEPT my PSP.
I have a Cisco 3750 switch connected to the ASA 5520, which is connected to the internet:
LAN ----> Catalyst -----> ASA5520 ------> INTERNET 10.1.4.0 ---10.0.0.1 ----10.0.0.2 ------- 203.98.227.3
On my switch I have VLANs configured. From the 10.1.4.0 network, I'm able to ping the switch gateway. I can ping the inside of the ASA. See my ASA config below. I have allowed HTTP and DNS traffic outside but cannot browse the internet from the 10.1.4.0 network.
I have a Cisco ASA configured for AnyConnect clients. I also want to pass 443 traffic back to an internal web server, but I'm not sure if I can do this since the AnyConnect clients are already connecting over 443 to the ASA, right?
I'm given an ASA 5505 to configure for remote access VPN. I can establish a VPN connection to the ASA 5505 but can't access any of the internal VLANs/subnets. I configured three of the ASA ports for connection into each of the internal subnets/VLANs via a switch. Given below is my full configuration.
ASA5505# sh run
: Saved
:
ASA Version 8.3(1)
!
enable password bLjadbVl0mgRQWih encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif
I just set up a VPN on my ASA 5505 at home. I can connect successfully to it, but I can't contact anything in the network; nothing responds to ping or to anything else (including the ASA inside IP).
I'm trying to access my ASA 5505 via https://192.168.1.1 but I can't. I'm using Windows 7. I have already installed ASDM and I can get into the box via ASDM. I am preparing to reformat my PC and I'm afraid that I won't be able to access my ASA if I do.
Mozilla shows the message: An error occurred during a connection to 192.168.1.1. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
I'm trying to connect to something through an ASA. My traffic is coming in on a DMZ interface (security level 0) and going to something on a DMZ3 interface (security level 50).
From the GUI I configured NAT exemption from the source network (on DMZ) to the destination network (on DMZ3), thereby following the guideline that the translation is set up from the most secure to the least secure interface.
I have no network connectivity to the host I need to get to. From the GUI I removed the NAT exemption rule and configured a static NAT translation instead, translating the source (on DMZ) to itself (on DMZ3); still no joy. The ACLs in place are fine; if I use the packet tracer tool, it fails at the NAT stage.
I can't see what's wrong here. I've configured static NAT or NAT exemption between inside and outside, or inside and DMZ, many times over the last 10 years, but I can't work this out. The only thing I can think of is that there might be a bug that affects DMZ-to-DMZ NATting, as everything between inside and DMZ, and DMZ and outside, works fine.