Cisco VPN :: 5510 / 5540 / 5550 / 5580 - Series Firewall L2L And Client VPN
Feb 17, 2011
I want to privatize the outside interfaces of my ASA firewalls; however, I need a public IP address bound to an interface to support L2L and client VPN (using the Cisco client software). What I'd like to do is route to the firewall's privatized outside interface and have a DMZ interface with a public IP address on it for VPN peering. Ideally this would allow me to build rules on the outside interface limiting communication to the DMZ interface to IPsec only. Thus VPN tunnels would traverse the outside interface and terminate on the DMZ interface, giving me granular control of the peers and protocols allowed to the DMZ interface.
Platforms: ASA 5510, 5540, 5550, 5580
Versions: 7.2(4)33, 8.2(2)
View 1 Replies
Jan 3, 2012
I am having the EXACT same problem as this user: URL
Error: GnuTLS error -53: Error in the push function.
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Connection timed out.
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.
View 1 Replies
Jul 6, 2011
We want to run ASA 8.4.x on an old ASA5540. We need to upgrade its memory to 2 GB with the following memory upgrade: ASA5540-MEM-2GB=
I suspect that we will completely remove the existing 1 GB of memory and replace it with 2 GB. If this is the case, can I use this 1 GB of memory removed from the ASA5540 and put it in an ASA5510 instead of buying an ASA5510-MEM-1GB= for the ASA5510?
View 2 Replies
Aug 5, 2012
We just set up the AnyConnect SSL VPN on our ASA. I am able to establish a connection fine using the Cisco AnyConnect client. I would like to use the native Windows VPN client, though, if possible. What configuration changes on either the firewall or the client would I need to make for this to happen?
View 1 Replies
Mar 16, 2013
I have an ASA 5510 8.4 firewall with more than 20 site-to-site VPN peers configured on it. How can I see the traffic for one specific site-to-site VPN? Actually, this site-to-site VPN keeps dropping every minute. I'm sure it's a problem at the other end. The remaining 19 VPNs are up and working without any problem. How can I see the traffic for a specific VLAN? Moreover, we don't have any syslog server in our network. Is there any chance we can check the traffic on the firewall?
View 6 Replies
Feb 26, 2011
We have a Cisco 5510, and on our floor we have a client to whom we provide an internet connection. One of our clients has a small server and 2 computers, and they want to set up a VPN connection so they can access their server from outside. We have only one static public IP for the firewall and Exchange. We don't want to provide another public static IP to our client so they can set up the VPN. Is there any other way to set up a VPN for them? Can they use our one public IP for VPN?
View 11 Replies
Mar 16, 2012
Device: ASA 5550. Can a client establish an SSL VPN to a remote network, and can devices on the remote network access local network printers? So you have one client on network A that creates an SSL VPN to network B; can network B be configured so that automatic jobs come across the same SSL VPN to a different IP?
View 5 Replies
Jan 18, 2012
We have 2 ASA 5510's running in a Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby, the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
I was under the assumption that all config items on the active unit would replicate to the standby. Is this not correct? Do I need to do something extra to get everything replicated? Are there other items that do not replicate?
View 3 Replies
Jan 2, 2012
So, I've set up AnyConnect client access to an ASA-5510.
I've got a handful of interfaces, which contain hosts that should be accessible to AnyConnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif
Interface Name Security
Ethernet0/0.205 SECURE 90
[Code].....
View 7 Replies
May 11, 2011
I wonder what a normal speed would be for the AnyConnect client when connected over the internet to an ASA 5550 VPN edition? Is it normal to get a maximum of 2 Mbps, or higher?
View 3 Replies
Jan 22, 2012
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 running Version 8.4 with an SSL Premium License. The clients use a machine certificate to authenticate to the ASA. This works fine. Now I want to set up a DAP to verify the client against Microsoft AD using LDAP. I configured the LDAP server in the ASA, see:
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host ldap.com
 ldap-base-dn DC=x,DC=x,DC=x,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn *****
 server-type microsoft
I can see that it works if I test the server via the test button in ASDM, and I see it in the CLI with "debug ldap 255" also. But if I configure in the DAP: AAA Attribute ID: memberOf = DomainMember, I cannot see any request to the LDAP server while I try to connect with the client, and the DAP doesn't match.
View 2 Replies
Feb 22, 2011
Recently I received one of my colleague's laptops that is running Windows 7. I have installed Cisco VPN client version 5.0.07.0290 on it, and the VPN client appears to connect to our ASA5540, but we are unable to connect (remote desktop) to any machines on our network as we can on our XP laptops. Furthermore, we cannot ping any of them either. Also, while connected, the Windows 7 machine is still able to access internet sites as if split tunneling was configured, which it's not.
But after some searching, I found from the "route print" output (shown below) that my local internet gateway is preferred over the VPN gateway, which is 10.10.4.1. Here 10.10.4.19 is the IP address assigned to the VPN adapter.
Network Destination  Netmask  Gateway      Interface    Metric
0.0.0.0              0.0.0.0  192.168.1.1  192.168.1.2  25
0.0.0.0              0.0.0.0  10.10.4.1    10.10.4.19   100
But after I manually add the route below on the Windows 7 laptop, it starts connecting to remote desktop successfully.
route change 0.0.0.0 mask 0.0.0.0 10.10.4.1 metric 20
But after some time in an idle state, it goes back to the original route state of preferring the local gateway of 192.168.1.2, and is thus unable to connect to Remote Desktop again.
View 3 Replies
Jul 13, 2011
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 running Version 8.4 with an SSL Premium License. The clients use a machine certificate to authenticate to the ASA. This works fine.
Now I want to set up a DAP to verify the client against Microsoft AD using LDAP. I configured the LDAP server in the ASA, see: [code] I can see that it works if I test the server via the test button in ASDM, and I see it in the CLI with "debug ldap 255" also. But if I configure in the DAP: AAA Attribute ID: memberOf = Domain Member, I cannot see any request to the LDAP server while I try to connect with the client, and the DAP doesn't match.
View 3 Replies
Feb 11, 2013
I have a problem when trying to access an external FTP server using explicit FTPS from a workstation on the internal network. After the server requires client TLS authentication, the client initiates TLS, but the connection is closed by a timeout.
I have disabled the FTP inspection on the firewall and I have opened some high ports from the Internet to the test workstation (ACL and NAT rules), but without results.
If I try to connect from a workstation to the FTP server using a direct Internet connection I can access the FTP server without problems, so I think the problem is in the ASA.
View 6 Replies
Oct 31, 2011
I have configured Clientless SSL VPN for access to the ASA 5540 internal network. Still, I am unable to SSH to my core switch [code]
View 5 Replies
Sep 11, 2011
I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
I have my root certificate from the Microsoft CA, but I am not quite sure if the steps outlined on the Cisco websites below are exactly what I need, since the firewall seems to be generating the certificate to be used. [URL].
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates, which the firewall constantly updates using the CRL update from the CA. The DHCP pool is to be issued by the domain controller on the inside network and not by the firewall. Any examples or best-practice steps to achieve this?
View 8 Replies
Aug 7, 2012
I have a customer that wants to purchase an ASA 5510 Security Plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy, which leads me to suggest a CSC SSM 20 Plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangeably.
1. What would you suggest, in your expert opinion, would be the best module to get for this customer? IPS or CSC?
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. Does the CSC module provide any web proxy functionality?
View 3 Replies
Apr 18, 2012
We are going to implement Spectrum (CA) in my network. I have an ASA-5580-20 firewall; now my Spectrum server wants to communicate with the firewall, and only then will it discover the firewall logs. Now the problem is that my Spectrum server is in the MZ zone (10.10.10.45) with security level 70, and my inside interface (10.20.20.101) has security level 100.
I am unable to ping from the Spectrum server to the firewall because of the higher security level. How can I solve this problem? Can I change my inside security level to 69? Then I think it will ping.
View 1 Replies
Oct 30, 2011
I checked the ASR 1006 config with ESP-40; the firewall performance can reach 40G, while the ASA 5580 is 20G. Can the ASR 1006 replace the ASA 5580? Is there any function/feature problem?
View 1 Replies
Jan 23, 2011
I tried to monitor my active IPsec tunnels via SNMP on my ASA 5550 & 5510. I want to receive bandwidth for each tunnel interface. I'm running Version 8.2(1); which OID do I use?
View 3 Replies
Feb 20, 2013
I have an ASA 5510 with VPN client groups configured and connected to the internal network; the DHCP server stops giving network service (DHCP) and the network goes down.
View 6 Replies
Oct 15, 2011
Accessing my Cisco ASA: last night we were doing a VA on our ASA, and after that I am not able to access it through SSH or telnet. It's not giving me any error. I tried from a different system also. SSH & telnet are allowed from inside to 0.0.0.0. I had re-generated the RSA keys when it was working. The ASA version is 8.2. Now when I connect, telnet gives me a blank prompt. I can log in using ASDM.
View 5 Replies
Sep 27, 2011
I had a problem with a Cisco ASA 5580 about two days ago and the device stopped working (there was a maintenance window and after that the device didn't work). Now we have received the RMA and we are trying to configure failover so the new device gets the configuration from the one that is working.
But this is the message that I am getting:
Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory
We already changed the shared key and crypto license, but the failover is still down. What are the features that Cisco needs to activate to enable failover?
View 5 Replies
Feb 11, 2012
I am receiving a lot of errors: "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC".
When I checked this MAC address in the same firewall, it shows too many IP addresses. What could be the reason?
View 0 Replies
May 23, 2012
We are using a Cisco ASA 5580 (8.2) firewall. When I try to ping the firewall's DMZ interface IP from the inside LAN, it is not pingable, but from inside users I am able to ping the firewall's inside interface IP address.
I think we can't ping the other interfaces of the ASA by default. But can we allow a single IP address that can ping all the interfaces of the firewall?
We are not doing any NAT in the firewall; for that we use the load balancer.
View 7 Replies
May 16, 2011
A customer's ASA is presenting the System LED flashing red. I have already analysed the show tech-support and show environment output: found nothing, everything seems OK. Cisco ASA 5580-20 - 8.2.1. Single appliance, no failover, multiple context and transparent mode.
View 5 Replies
Aug 19, 2012
We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades): download the ASA 8.2 image to the primary + secondary firewall, reboot the primary (message comes up "mate version ..."), reboot the secondary. Does it work? Any experience? Does it work if both firewalls can see each other during the boot process?
Do I have to bring the secondary into monitor mode so the firewall is not visible to the primary?
View 2 Replies
Mar 29, 2011
I want to ask whether the ASA 5580 supports NAT-PT for IPv6.
View 2 Replies
Mar 5, 2011
I'm new to the ASAs. I'm familiar with the FWSMs on 6500s and PIX. I'm running Version 8.3(2), and I wanted to set up nat-control and use identity NATs for advertising inside subnets to my outside networks.
The old command was static (inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x. I'm having a little difficulty deciphering the PDF about static NAT. The command itself is no longer used, nat-control is no longer used, but I'm not quite sure what the equivalent nat command is that equates to the old static (inside,outside) command.
View 8 Replies
Apr 8, 2012
In my ASA 5580-20 the system LED is flashing RED. How can I troubleshoot this?
I checked the rear panel and everything is OK; I also saw that show environment is showing OK.
View 1 Replies
Feb 19, 2012
I have encountered a problem at one customer where the Active ASA 5580 is unable to sync with the Standby failover ASA. When the Active is connected with the failover unit and pushes the configs to it, it will not find the Ethernet/Gig interfaces, due to which all the configuration is not applied, and when the primary ASA fails the secondary is unable to respond.
When I attached a console to the Standby ASA, I have seen this error:
Number of interfaces on Active and Standby are not consistent. If the problem persists, you should disable and re-enable failover on the Standby.
For detailed understanding I am attaching the configs of the primary and standby ASA. KHI-DR-ASA-BB-01 is the standby firewall.
View 2 Replies
Jul 11, 2012
If we switch from the primary to the secondary firewall, the interfaces on the secondary go to state "waiting" and then to "failed". After a while the secondary gives control back to the primary.
It seems that traffic passes the secondary firewall during this short failover time. We have several contexts created on the firewall; switch ports checked, cabling checked, everything checked.
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal
View 5 Replies
Nov 23, 2011
We got a replacement ASA 5580 from Cisco. We were not aware of the PAK. Is there any other way to generate an activation key? Can we generate a PAK or activation key using the SO (service order) number?
View 1 Replies