Cisco VPN :: 5510 / 5520 - L2L IPsec VPN

Nov 1, 2012

I'm running into trouble with one of my L2L IPsec VPNs between a Cisco 5510 and 5520 ASA running version 8.2.2.
 
Our existing L2L VPNs are connected and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.
 
What's failing is when I try to connect SITE B to SITE C. The tunnel does come up and phase 1 and 2 complete successfully. However, while running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:
 
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:

Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

I noticed when the tunnel came up, the 10.100.8.0/21 route was not added in the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but can't get the crypto ACL to apply.
 
More useful info:
 
SITE C
object-group network NoNatDMZ-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.20.0.0 255.255.0.0

[Code] ......

Cisco Firewall :: Cannot Get RDP And Email Out Through ASA 5510 5520

Jul 24, 2012

I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
 
Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.
 
From another computer with an 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
 
Static mappings (again from config):
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
 
Original access list:
access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 67.228.177.117 host

[Code]....


Cisco Firewall :: Failover Between ASA 5510 And 5520?

Sep 27, 2012

Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
 
[URL]
 
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"


Cisco Firewall :: How To Get Top Talkers On ASA 5510 / 5520

Sep 24, 2012

We have an ASA 5510 and 5520 at our office. We are not using any NetFlow tools in order to get the top talkers. As these firewalls are shared firewalls (used by different projects), we are not able to get which project is using more traffic and which is using less.


Cisco Firewall :: LMS 4.0 Cannot See ASA 5520 / 5510 Configurations

Sep 30, 2012

I have an issue with LMS 4.0. I added the ASA FWs 5520 and 5510 manually, and I see them there, but I cannot see the configuration, inventory and technology details. Telnet is deactivated in the ASAs; SSH and SNMP v3 are enabled. Routers and switches were added without issues.


Cisco VPN :: Moving Identity Certificate From One ASA 5510 To 5520

Apr 18, 2012

I'm trying to export identity certificates from an ASA 5510 to a 5520. I'm exporting in PKCS12 format and specifying a passphrase. When attempting to import to the 5520, I get "error import pkcs12 operation failed" from CLI or ASDM.


Cisco Firewall :: Export Configuration From ASA 5510 To ASA 5520?

Oct 14, 2012

I have new ASA 5520 units; currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units.... I am wondering if there is a possible way to export and import certificates from ASA 5510 to 5520....
 
How to export or copy all the configurations, plug-ins and certificates from 5510 to 5520? Existing configuration snapshot... CA certificates from a third party installed for authentication and an identity certificate from Verisign:

WebVPN
Anyconnect
Plug-ins
IPSEC tunnels
NAT


Cisco Firewall :: Webfiltering On ASA 5505 / 5510 / 5520?

Feb 12, 2013

Is it possible to configure web filtering on ASA 5505, 5510, 5520? If it's possible, can you provide us a configuration template?


Cisco Firewall :: Would A 1GB 5510 Memory Stick Work In A 5520

Sep 19, 2012

Are the ASA memory DIMMs created for specific models? Would a 1GB 5510 memory stick work in a 5520?


Cisco Firewall :: 5510 To 5520 Configure File Transfer?

Jan 3, 2013

Is it possible to import the config of a 5510 to a 5520? Trying to replace two 5510's with 5520's and wondering if there is a way to import the existing config files for the 5510's into the 5520's.


Cisco Firewall :: ASA 5510 / 5520 - Number Of Users That Can Be Created

Jul 5, 2012

How many user accounts can I create on a Cisco ASA box? Say, for example, a Cisco ASA 5510 or Cisco ASA 5520?


Cisco VPN :: 5520 / 5510 - Can VPN Clients Communicate With Other Dynamic Clients

Nov 5, 2012

We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic addresses. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.

My testing shows packets just dying in the 5520.


Cisco VPN :: ASA 5510 / 5520 Site-to-Site VPN Hangs?

Jul 31, 2011

I have multiple site-to-site VPNs using ASA 5510s and 5520s. The tunnels were configured 3-4 years ago, and all these 3-4 years one VPN tunnel hangs until I clear the isakmp sa for the peer. When I say hangs, I mean I can see the tunnel is UP and MM_ACTIVE with sh crypto isakmp sa, but I cannot ping the remote subnets. When I clear the tunnel, it comes up again and communication is successful.


Cisco VPN :: Site-to-site Vpn Between ASA 5510 And 5520

Sep 25, 2012

I have a site-to-site VPN between my ASA 5510 and ASA 5520. The tunnel works fine... but I see that sometimes the SA breaks down even though there is interesting traffic from one location to the other. If I re-initiate the traffic, the SA will come up. [code]


Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using an ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.


Cisco :: Site-to-Site From 5510 To 5510 One Dynamic One Static IP?

May 26, 2011

I'm trying to figure out how to get two 5510 ASA's to establish a site-to-site VPN. The version with two static IPs is working perfectly and is stable, but I haven't figured out how to get a VPN running between a static and a dynamic IP.


Cisco :: Cannot Get Into ASA 5520

Jan 31, 2011

After having a hard time getting the VPN back to default, I logged into the ASDM and reset to factory defaults. After it reset, I logged in via the management port and configured everything to work. When I clicked on "apply", it gave an error saying that the inside interface's (g0/1) IP address is on the same network as the management interface. When the ASA restarted, I was no longer able to get into the unit via the management port or the inside interface.

I had set the management port to 10.0.1.254. When I connect an ethernet cable to it and place my Mac on the same network, I can ping the management interface; however, I cannot SSH, Telnet or ASDM into it.

Here is the big problem, I don't have a console/rollover cable to connect to the console interface. Is there another way I can default the box? Maybe via the reset button on the back somehow? Or, is there a way to figure out the ip address of the inside interface? I'm assuming, since it did not take the IP I set, that it defaults to something right?


Cisco :: ICMP Through ASA 5520?

Jan 26, 2012

I cannot seem to ping between devices on two networks hanging off a 5520 unless I use the same-security interface command. I have the relevant ACLs set up between the interfaces, but it just doesn't work unless I have that command in, and if I use that command, it bypasses the ACL.

Config

interface GigabitEthernet0/0.224
description NMS
vlan 224
nameif NMS
security-level 100
ip address 10.11.120.225 255.255.255.240
[code].....


Cisco WAN :: ASA 5520 - Implement With A New ISP

Jul 31, 2011

We are attempting to implement an ASA 5520 with a new ISP. Based on the limited routing needs, I believe we can use it as the router as well. I am familiar enough with routers, but the ASA is obviously a different thing.
 
The setup looks like:
 
ASA Version 8.2(1)
!
hostname Cisco
!
interface GigabitEthernet0/0
 description Internet
 nameif Outside
 security-level 0
 ip address 69.XX.46.1 255.255.255.252
!
interface GigabitEthernet0/1
 description DMZ
 nameif DMZ
 security-level 0
 ip address 69.XX.56.1 255.255.255.240
!
interface GigabitEthernet0/2
 description Local
 nameif Inside
 security-level 15
 ip address 10.0.XX.XXX 255.255.252.0
[Code] .....

1) Outside 0/0 connects to the MRV from the service provider (Public)
2) DMZ 0/1 connects to the outside switch with servers (Public)
3) Inside 0/2 is the LAN (Private)
 
A) Based on a completely default config and aside from setting the routes to send traffic from inside to outside, and outside to DMZ, what is the next step?
 
B) What should the interface security levels be? I am unsure what they should be or why.
 
Based on the initial config with interfaces set as above, I cannot move traffic through.


Cisco VPN :: ASA 5520 - VPN With Two Devices

Jun 25, 2012

I got a VPN request form from one of our partners. On my side I have one ASA 5520 running 8.0(3). On their form, it says that their endpoints are two boxes sitting in different cities. It also says that there is only one encryption domain (actually just one IP) that I need to specify in the VPN settings. It looks like they mean that you could access the same encryption domain from either of the two boxes in different cities. This is strange to me, since every time I have set up a VPN before, each endpoint has had its own encryption domain. I have never seen two endpoints with the same encryption domain behind them, so I'm confused whether it might be a mistake on their part, or whether this is expected.


Cisco VPN :: Using RSA With Local AAA On Asa 5520?

Aug 23, 2012

Is it possible to use an RSA token on the ASA without setting up any other server, just using the ASA? Our clients use the Cisco VPN client version 5.0.07.0290 and IOS 8.3(1). How would this be done?


Cisco VPN :: ASA 5520 SSL Using Different IP Than Public

Nov 6, 2012

I am trying to configure an SSL VPN on a Cisco ASA5520. Unfortunately, port 443 of the OUTSIDE interface of the ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me from using the public IP of the ASA as the Cisco VPN IP address for the webpage. I don't want to use a different port either, so as to keep life easy for the users. I have some public IPs available that I can use, so I wanted to use one of them instead of the ASA's OUTSIDE interface.


Cisco WAN :: Asa 5520 The Vlan Going Up And Down

Dec 8, 2011

I have connected an ASA 5520 firewall DMZ to the SERVER (17) VLAN in the core switch, and INSIDE is connected as a trunk to the core switch (including VLANs 15 and 18). Now the management IP of the switch is 10.xx.xx.126/25, and the other VLANs are showing "administratively down". But if I enter any of the other VLANs and do a "no shut", that particular VLAN will go UP but the other 2 will go down, meaning only one VLAN comes up at a time.


Cisco VPN :: VTI Tunnel Using ASA 5520

Mar 4, 2013

Can I use an ASA 5520 at one site and a router at another site to configure a VTI tunnel with OSPF routing?


Cisco VPN :: Get IP Address From ASA 5520

Apr 24, 2011

I have an iPad. It connects to my ASA5520 via IPsec. When it connects it gets an IP address from the ASA, but it does not get any of the other stuff, specifically the DNS suffix. How do I correct this?


Cisco VPN :: 5520 Get RRI To Work On

Jun 25, 2012

I have an L2L VPN tunnel on a Cisco ASA 5520 that I'm trying to get RRI to work on. On my crypto map ACL I have defined a local object-group and a remote object-group, and I'm performing one-to-one NAT on the local group. I also have a route map configured that will take the static routes and redistribute them into my EIGRP AS. Two things I've noticed: 1) I'm not seeing any static routes on my ASA that point to the remote subnets, and 2) the ACL that I've used in my route map definition is not getting any hits on it.


Cisco VPN :: 5520 / 5550 - VPN Using Outside Ip With NAT?

Aug 13, 2012

I'm trying to set up a tunnel from our Cisco 5520 to a 5550 using one of our external IPs NATted through this tunnel. For some reason traffic that should hit this tunnel goes through the global NAT. Here are the configs I have for this tunnel:
 
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4

[code]...
 
If I ping 1.2.3.4 from an inside IP host, I see in the logs that it uses 66.77.88.136 as the NAT address and not 66.77.88.170. Do you see something wrong with this configuration?


Cisco VPN :: 5520 Are There Any CPU Limitations In Going To 8.4

Nov 30, 2011

I'm currently running 8.3(2) on my 5520s in an active/standby config. The 5520s have the 2GB RAM upgrade and 256MB flash card. Are there any CPU limitations in going to 8.4? I read the release notes but didn't see anything about CPU. I heard through the grapevine that a 64-bit processor may be needed. We currently have the Pentium 4 Celeron 2000 MHz CPU.


Cisco WAN :: 5520 Vlan Going Up And Down

Dec 8, 2011

I have connected an ASA 5520 firewall DMZ to the SERVER (55) VLAN in the core switch, and INSIDE is connected as a trunk to the core switch (including VLANs 66 and 77). Now the management IP of the switch is 10.xx.xx.126/25, and the other VLANs are showing "administratively down". But if I enter any of the other VLANs and do a "no shut", that particular VLAN will go UP but the other 2 will go down, meaning only one VLAN comes up at a time.


Cisco VPN :: ASA 5520 VPN To Outside Interface?

Mar 20, 2011

I have a 5520 VPN that is otherwise correctly configured for access (so I would say). It is in test (external IP x.x.x.10/22) running parallel on an external switch to a Check Point (x.x.x.4/22) that is the live setup.
 
I can tunnel consistently to the outside interface on its external IP from inside the network, which is probably natural since I'm inside the network making the attempt; however...
 
When attempting a connection from somewhere outside the network, I generally do not get a response from the device. If I connect/disconnect from the Check Point VPN first, then I can subsequently get a connection to the ASA. I did actually have one instance of non-massaged connectivity to the ASA, but there was nothing that I did in the configs that would allow me to claim credit for that instance.
 
So here's the question: Is there a timeout setting that makes the outside interface go to sleep or something? I'm still at the developmental stage where settings that would be obvious trip me up for hours. I verified the routes. The timeout configs are below; I believe they are all default.

arp timeout 14400
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00


Cisco VPN :: Routing With ASA 5520?

Apr 7, 2013

I have set up IPsec remote VPN users into the Cisco ASA 5520 using RADIUS into my main network. It works just fine. I have site-to-site tunnels from my Cisco ASA5520 going to other sites; some of the tunnels have Cisco ASAs and some have SonicWalls. I would like my IPsec remote VPN users to be able to traverse into those site-to-site tunnels to access the remote subnets attached to those tunnels. Do I need to use a combination of routing and ACLs? Or do I just use ACLs only? Or do I just use routing only?


Cisco WAN :: ASA 5520 Failover

May 7, 2013

When I try to put my ASAs in an active/standby config, here is the error I get:

Warning: Failover message decryption failure. Pleas make sure both units have the same failover shared key and crypto license or the system is out of memory.


Cisco VPN :: Dual ISP And SSL VPN On ASA 5520?

Dec 30, 2012

I configured dual ISP on an ASA 5520 following the Cisco doc below. Now I would like to configure SSL VPN to work with this for failover. I tried to find an article regarding this but I could not. [URL]

Copyrights 2005-15 www.BigResource.com, All rights reserved