Cisco VPN :: 5510 Anyconnect Unable To Reach Internal Networks
Sep 18, 2012
I have ASA 5510 and configured client VPN or Annyconnect VPN, when I connect to the ASA remotely using anyconnect I am able to get IP address as configued, from Internal network I can ping and RDP that anyconnect VPN desktop, but the problem is from the remote anyconnect VPN client I am unable to access internal network, when I use ASA packet tracer and check traffic from internal to anyconnect pool of addresses it gives result ok, but when i use packet tracer to check traffic on outside interface from anyconnect address pool to internal subnet it always gives the packet is dropped at WebVPN - SVC, and I can find any where related configuration for that.
I have configured a Remote access vpn on pix 525 with 7.2(4) code. After getting connected (with ip address assigned from the pool) i am not able to reach any of the internal networks. [code]
I am tasked with transferring all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:
192.168.0.0/24 192.168.43.0/24 (the intended migration network)
I am beating my head against the desk here as I dont seem to be getting anywhere after the changes I have made. The current configuration is as such:
I am simulating Anyconnect VPN connection in the lab.I have an issue while configuring Anyconnect VPN on ASA5510.
I can have a successfull anyconnect connection but i can't ping my firewall Interface IPs while i am in the connection.
ASA 5510
Outside IP: 192.168.1.1/24 PC connected to Outside Interface: 192.168.1.10/24
Inside IP:10.10.10.1/24 PC connected to Inside Interface: 10.10.10.100/24
Pool : 10.20.20.11 - 10.20.20.50 /24
I have a successful VPN connection & the PC connected to the outside Interface gets an IP address from the assigned pool (10.20.20.11 with default gateway of 10.20.20.1).But i can't reach (ping/telent) to the ASA while I am on the anyconnect VPN connection.
So, I've set up Anyconnect client access to an ASA-5510.
I've got a handful of interfaces, which contain hosts that should be accesible to anyconnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif Interface Name Security Ethernet0/0.205 SECURE 90
I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues.From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues.
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.
I have an ASA 5510 working in Routed mode for a company with the following networks. everything works fine as desired. Below are the interfaces, security and ip addresses .
I have 25 of these routers installed behind various providers and transport (DSL, Cable, UVerse). At sites where I have static IP, I can't reach any service inside, and in fact can't even reach the router for Remote Management. At all times the users indoes can do whtever they like, the have Internet access.
At sites where we draw a dynamic IP or use PPPoE, I can reach services and manage the router until a known issue stops the inbound traffic.
I have a friend that have in his company an ASA5505 at central point and about 5 remote sites connected via Vpn site-to-site.All tunnels are up and reach the central network.The only traffic that pass throw the tunnel is the traffic with the ASA local network destination.
My friend asked me what it needs to reach from one Vpn remote site to another Vpn remote site, passing throw the ASA5505 central site.The ASA5505 can reach all remote networks throw the tunnels.
What it needs for the ASA to route traffic between the VPN´s tunnels?Does it need static routes on the remote sites to advertise the other remote sites ?
We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,
i'm setting up vlan and inter-vlan routing in my lab. My vlan work well (routing between them and dhcp relay) on the LAN side of the ASA but they cannot reach internet trough the ASA.
Here my ASA settings :
Note : I know that the physical interface musn't have an @IP but my present network needs one to work. I'll fix this during my next tests.
I have just purchased an ASA 5505 for my remote users to access our internal network. I have followed all the setup instructions I can find. I am able to establish a VPN connection using the Anyconnect client and can see some of my internal network. (Basically, only the subnet of the internal interface) However, I have several subnets inside my LAN which are routed by another switch inside my LAN. I have built in the correct static routes so that the ASA will send traffic to that intenal routing switch for any subnets not part of it's inside interface subnet. I can see and ping those subnets from the ASA itself but the AnyConnect clients cannot.
After connecting via anyconnect client 2.5, I cannot access my internal network or internet. My Host is getting ip address of 10.2.2.1/24 & gw:10.2.2.2
Following is the config
ASA Version 8.2(5) ! names name 172.16.1.200 EOCVLAN198 description EOC VLAN 198 dns-guard ! interface Ethernet0/0 description to EOCATT7200-G0/2 switchport access vlan 2
I have a cable modem, hub and two routers. One router is wireless and the computers on this router have an IP address of 10.1.x.x. The other is a wired router and the computers on this router have an IP address of 192.168.x.x. Computers on both networks have Internet access but can't talk to computers on the other router.What I'm wondering is instead of using 3 hardware devices (1 hub/2 routers), is there any router model that will allow me to setup two internal networks similar to what I have above. I just want to cut down on the equipment and power that I use with my current setup.
We recently upgraded the OS X AnyConnect image on our ASA to 2.5.3051. For most people, including many others using OS X 10.6.8, this is working fine.
However, we have one OS X 10.6.8 client who consistantly sees this error:
Network Access: Unavailable - No Networks Detected
I've only seen that error when I truly did not have network connectivity; but this individual does actually have Internet connectivity, can browse the web, get email etc. The only thing he cannot do is connect to our ASA using the AnyConnect client.
I suspect downgrading the client image to the older version will fix his issue but we truly don't want to do that.
Site is not opening in any of my systems in the local network. but if i change ip to a real ip or if i use some other internet source like netsetter then it gets opened.
I configured a remote-access vpn on an ASA 5510 version 8.3. This is the configuration [code]The vpn goes up and I get an ip address, but it's impossible to reach the internal network. [code]
I have remote access vpn setup and I can get connected with no issues. I assigned the vpn a pool of addresses from the end of my inside interface subnet. When connected I can ping any device on that subnet, I can also connect to my switch on the same subnet via my browser. I can not however access any device located in my dmz while connected. This is a new setup I'm testing but I need vpn user to be able to use rdp to connect to machines in the dmz.
I am facing the following problem. SmartPhone is connected WiFi hotspot. Suppose SmartPhone ip is 10.0.2.2 and hotspot ip is 10.140.13.12. I am able to send data from smartphone to a server(over internet) which has static ip and sender details in server are hotspot ip. Problem is sending data from server back to smartphone. Tried sending to 10.0.2.2(smartphone) from server but packets are not received.
I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
1. Outside 2. DMZ 3. ServerNet1 4. Inside
ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it. [code]
We recently got a Cisco ASA 5510 Security Appliance and I have some general question.
We have 1 T1 internet connection, and we have 2 internal networks. These 2 internal networks currently hav access to the internet. I am having issues with the 2 internal networks being able to communicate with each other.
We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our providers network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IP's of 192.168.1.96 - 100, using the gateway of 192.168.1.225.
The main office network is 192.168.0.0 (Gateway of 192.168.0.1)
At this end (Main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to the 0 port on my ASA 5505). The ASA's port 1 obviously running into my network hub. The provider tells me that port 0/1 on the 2900 is or should be used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So, I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route setup either on the 2900 or the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.
There is already a static route setup on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:
1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub. At first I was plugging right into the ASA, but I don't think I need to do that, why go from the branch office through my ASA to access resources and then back out the ASA for internet. If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.
2. They have to route through the ASA first, in which case, do I need to setup another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!
A customer has a ASA 5505 with a remote access vpn. They are moving their internal network to a new scheme and would like users who come in on the vpn to access both the exisiting and new networks. Currently the can only access the exisiting. WHen users connect to the remote access vpn, the asa gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x.
We are facing strange issue in our network. We have a remote branch which is connected to main branch using Leased Line. Remote branch is having Cisco 1700 Router. Every day in the morning time the remote router is unreachable. We are not able to reach (ping/telnet) the remote Router but able to reach L3 switch/ LAN behind this router. The users from remote branch is also not able to reach the local router but they are able to ping the Main branch.Users in the remote branch are not able to access any resources in the main branch during the issue.
During the issue, we have checked the remote branch router and found the CPU utilization of the Cisco 1700 router is very high (99%). If we run "Show process CPU" command (please find the attachment) specially IP input process is very high (97%).
I'm usually not working with this product, but this is what I'm trying to do.I have 2 internal networks setup on our Cisco ASA 5505 firewall. (not done by me, I'm a new to this product)I'm trying to access a server on one network from a PC located on the other internal network. (preferable through the web gui)When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase.(Source ip: 10.0.4.99, Destination ip: 10.0.6.99) When I check the NAT rule, it says: Type Source Interface AddressDynamic any outside outside.
The Cisco 1921 router has two routed adapters. One is GE0/0 which I am using for my WAN interface. It is working properly. The 2nd interface is GE0/1 which is being used as my internal adapter. It is running NAT. When I attempt to reach the internet it fails while checking the exit interface. Here is the report.
AttributeValueRouter ModelCISCO1921/K9Image Namec1900-universalk9-mz.SPA.151-3.T.binIOS Version15.1(3)THostnameBulldog Interface Details AttributeValueInterfaceGigabitEthernet0/1IP address192.168.1.1DescriptionNOC Link Test Activity Summary
I have a sg300-10 switch. i update the firmware with the last one. Things are complicated when i create 2 VLAN. ( really 1 VLAN cause the first is native ).So i have the first VLAN with the interface 192.168.1.254 ans the VLAN 2 wich IP is 192.168.2.254
I'm connected with my workstation ( ip : 192.168.1.2/24 with GW 192.168.1.254 ) and i try to ping a web server on VLAN 2 ( ip : 192.168.2.2/24 GW 192.168.2.254 )
Ping is OK ! But when i try to reach any ports of the webserver : Nothing.
I have a problem where I have 3845 router and c3845-advsecurityk9-mz.124-24.T5.bin dis is the IOS running on it and there's a back up BRI interface for the serial. Now if my serial link goes it normally goes to my BRI, once we had a time where the BRI was also down and when we restored back the Serial link we were still not able to reach the other side. We are using OSPF routing to reach the destination. When this happens and when we reboot this router we are able to reach the destination. sometimes we are able to reach it when we remove ospf and use static and now if we put back the ospf routing the link comes back, this happens again and again.
Recently i bought a new printer: Epson SX620FW, I've tried many things, but I can't connect it wireless to my network. Ive downloaded and installed the latest drivers and software from the internet. My PC is connected with a cable to my wireless router. When I connect the printer with a cable to my router everything works perfectly. But I want to connect my printer wireless. On the printer I disconnect the cable. I followed the wireless wizard setup on the printer and I connect to my wireless router. This is confirmed by an ip adress on the printer. Also in the menu of my router I find the ip adres of my printer in the DHCP clients list. So far so good. But from my PC I can not find the printer in my network. I also cant ping my printers ipadres. When I connect the UTP cable to my printer again, I can ping the ip of my printer.
I've just reset our WISM2 in the test lab back to factory default as I needed to reconfigure the 6500 and the WISM2 itself. Bearing in mind I had it working before.I've just renamed and re-addressed some of the vlans so things flow better and make it easier to add more WISM2s in the future.Now I've run through the initial configuration and it's rebooted ok and show WISM status is showing Oper-Up and there's a port channel 407 been created as I would expect. However, I am unable to get to the management interface via GUI or SSH. In fact from the 6500 I can't even ping the management interface (but I can the service port).The Vlans have been changed in the 6500 config so it knows the native-vlan and service vlan etc and all the vlans are up/up.
I have a multiple Offices in my location , all my external users are connecting my site using Cisco Client to site VPN and accessing my 2 sites , All users are able to access my 2nd office servers which are in 10.10.0.x pool , I have a different vlan in that same location with 10.10.35.x series and users are not able to access this pool servers , I am not much familiar with Routing . i am using ASA 5520 firewall .
