Cisco VPN :: 5510 Multiple VPNs Between Two Sites Using Different IP Addresses
Sep 9, 2012
I would like to create two site-to-site VPNs, one for data and one for VoIP, between the same sites. One end is an ASA 5510 and the other is a third party firewall. Is this possible if I use different sets of IP addresses for each tunnel?
I have a ASA 5510 at our corporate HQ that has one site to site VPN. I need to add 6 additional site to site VPN's to this ASA for our remote branches. How can I add them without affecting the existing site to site VPN? The 6 site to site VPN's will all have the same settings however these settings are different from the existing site to site that I already have set up. How can I set it up so the 6 additional VPN's use their own crypto map and all use the same settings?
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 126.96.36.199 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 188.8.131.52). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 184.108.40.206 and then create a static nat to translate 192.168.0.3 to 220.127.116.11. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via 18.104.22.168, outbound PAT and the site-to-site VPN.
I have been endlessly searching around online, and trying things on the firewall, and cant seem to find an answer to this problem. Its probably something really simple right under my nose! I am using an ASA 5510, which currently has a few seperate site-to-site VPN connections configured, which connect to other Cisco devices on clients networks.
I work from home, so also connect to our network using Remote Access VPN (any connect) to connect to the network at the data centre.
Just to be clear, here is my amazingly drawn network diagram:
[[my house]]-------------- <any connect VPN>------------[[ASA 5510 / Data centre]]-----------<site-to-site>-----------------[[Client network]]
The problem I am having, is that I cannot connect directly from my house to the client network, I need to RDP into some server in the data center, then from there I can see the Clients network. Is there routing to be setup somewhere? between VPN's? Ive looked into the routing options on the firewall and cant seem to find anything that works. I've searched for this and cant find answers, even some sources saying its impossible.
I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4. I added the new WAN using an other interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.ie. The default route goes via (newwan). Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incomming Remote Access Anyconnect VPNs are not working. I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside) but this is the point is goes wrong....
I can no longer ping the outside IP address from an external location. It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incomming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the Default Static route use the outside interface. Which puts all the internet traffic back on the original (outside) connection.
I need to know how to setup my ASA with dual wan links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currnetly being used for VPN's and Internet, (about 20 point to point IPSEC vpn's currently).
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)", feature for the current fiber link and the new Wideband link for any other internet traffice. I tried this however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic), I lost all connectivity.
I also setup my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPN's would not come backup.
I have tried the sla setting with a DSL line for failover and that works good, i've since got rid of the DSL and want to utilize 2 wan links for different purposes/traffic.
ASA 5510, SSM-10 1GB RAM ASA version 8.4(1) ASDM Version 6.4(3) Context Mode Single FW Mode Routed License Security Plus
[code] Site-to-site VPNs in place between Site A and Site B and between each site to the DC. Site A and Site B have Cisco 2911 routers, there are ASA’s at the DC. The existing Site-to-site VPNs carry data and voice traffic between the sites (though voice and data is on separate VLANs in separate subnets)
ISP1 currently used for the existing circuits at Sites A and B but we have experienced issues with them recently which has disrupted service. So new circuits are to be installed at each site with ISP2. (See basic diagram attached which shows current set-up with intention to get new circuits via ISP2 installed)
We have 3 ports on our Cisco 2911 routers with 2 ports already in use for the existing connections (1 for the LAN and 1 for the WAN connection to ISP1) Can we simply use the 3rd port for the connection to ISP2 or would it be far more advisable to use a 2nd router (for redundancy, etc)
Would it be feasible to have a set-up where we have e.g. voice traffic go over a site-to-site VPN via ISP1 and data traffic go via site-to-site VPN via ISP2 but each can take over from the other in the event of a failure?
how do I block IP/Internet Adresses for ALL users without adding the sites manually per user in the Parental Control panel? I want to block a certain IP/internet adress for all users but can't find this feature within my EA6500 anywhere?Is this a firmware bug? Has linskys forgotten that some sites want to blocked for all users and how do I do it all in one?
I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers. From the hub network i can connect to all sites fine but what i would like to do is to almost compartmentalise the various VPN links into little clusters.The hub ASA 5505 basically provides IP telephony through the VPN's from a PBX allowing the users at the other end of the VPN to make outgoing calls and recieve incoming calls. However, a couple of the sites would like to be able to call between eachother internally via the hub. This obviously requires traffic to be allowed between their various networks. Currently when you attempt an internal call it rings but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible. I've attached the hub and 2 spokes below. The ideal end result would be interconnectivity between the two spokes via the hub, from reading up it would seem that its possible but i can't quite get my head around it! Would it involve using different subnet masks at the hub?
I am about to deploy a load of Aironet LWAPs into my organization. I've configured the WLC 2504 and have a couple of the APs working at our main site. I just needed to plug them in, and they worked perfectly, straight out the box. But I just want to know the following:
1 - will the same apply if I connect an AP at a remote site? Remote sites are on different subnets and connected via IPSEC. Will the remote APs just find the WLC?
2 - is there anything I need to set up especially on the WLC in order to make this work?
I am installing 2 ASA 5505s at home offices with dynamic IPs. The EasyVPN server is a ASA585x. I am using the 5505s in NEM mode. I configured a unique DHCP scope on each 5505. I have a dynamic crpto map on the server. I configured unique tunnel groups, group policies and usernames for each site on the server. This seems to work fine. Is it normal to configure unique tunnel groups, group policies and usernames for each remote site?
I have an unusual deployment scenario which may require the use of a SRP-521W, the scenario is as follows:Temporary Setup:Cisco 857 As the ADSL router until Ethernet Hand-off is installedMultiple IP addresses delivered on the ADSL WAN serviceCisco 857 put into Bridge Mode and connected to SRP-521W WAN portCisco 521W handles the Authentication and RoutingCheck Point Firewall System connected to SRP-521W LAN-1Check Point Firewall has WAN IP 203.XXX.XXX.XXXCisco UC-540W Connected to SRP-521W LAN-2Cisco UC-540W has WAN IP 203.XX.XX.XX If you understand the above scenario, I am curious if this can be done and if so how? I need to keep the networks totaly separate and the only thing they would have in common is the Cisco SRP-521W.It should also be noted that the SRP-521W Is being used because the ADSL service is only temporary whilst the Fibre Build is completed and the carrier provides an Ethernet Hand-Off, then the Internet service will change to this type of presentation and the ADSL router will be relegated to the dark world of loneliness.I have gone through the router and have been playing around with the settings, the issue Is I have nothing in the LAB work up that can allow me to replicate this environment and test it before deployment... So, how to reduce the amount of trail and error I have to encounter to get it to work.
I would like to configure an 877w I just bought. It's connecting to a UK ADSL2+ link.I'm a penetration tester and I want to put the Cisco router in front of my existing firewall which has an IPS on it, so that it doesn't get in the way of port scans and vulnerability scans. My ISP has issued me with 14 usable addresses a/240 subnet and basically I want to be able to use the route with just the public IP addresses. I have configured Cisco routers before, but never with this type of configuration. It's always been single public IP address NAT'd through to one or two internal LAN's.
It will be nice if I could assign the wireless and fast ethernet ports to the same VLAN using the public addresses. I don't want to use DHCP I'm quite happy statically assigning IP addresses to the computers wireless and LAN interfaces. I am reasonably certain this is possible because not sure how to do it and a little busy at the moment carrying out penetration tests.
I have just installed an SRP 527w and it's basic operation is working fine. However, the ISP has allocated (and set up routing for) a range of 16 additional static addresses to the link that I now wish to configure and use, but I am having problems. Details are as follows (ip addresses are fictitious): [code]Extra ip range Netmask: 255.255.255.240From what I understand, these are added as subinterfaces which are bridged off the main WAN interface. However, when I try to add a subinterface by specifying (say) I get an error when saving : [code] The error states "IP Address and Gateway cannot be the same as the netmask".
We have Cisco ASA 5505 box.We have a /29 subnet available.At this moment one of IP addresses in this rage is assigned to VLAN2 used for outside interface all outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1all outgoing traffic from VLAN20 (for visitors) will go out using second IP, xxx.xxx.xxx.2all outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using third IP, xxx.xxx.xxx.3all specified incomming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10 .The main purpose is to have specific public IP address for mail server only not to get to any black list,and to give visitors different outgoing IP address than for our internal users.
configuring my Cisco 2951 router with Z0ne-based firewall. This is the scenario I would like to configure.
I have two ftp servers,S1 and S2, behind the router which needs to be accessed by two groups of users, G1 and G2, from the outside, i.e., from the internet.
I have two public IP addresses, 22.214.171.124 and 126.96.36.199. The WAN interface of the router is configured with IP address 188.8.131.52. G1 needs to access S1 on 184.108.40.206 and G2 needs to access S2 on 220.127.116.11.
What are the steps in configuring the router if I need the above scenario to be implemented?
I need to put a few cameras, without a server, on a static WAN ip address. Do I just assign them a static LAN ip address(for example 192.168.1.200), make sure the port they use is open, then type the WAN static ip address then colon and the last address? Like this.....I'm making up the WAN address....18.104.22.1684:200
I've got an ASA which has a number of contexts. They all share the same external interface, and in the interest of saving addresses I'm wondering if the standby address for each context is really necessary. I know that in active/passive the standby address is what allows the two to communicate and monitor that particular interface, however, in active/active I don't see the point as the context is either going to be on one or the other.
If there are any small business routers that offer one-to-one NAT? I have several public IP addresses assigned to me by CenturyLink. I have two servers that provide email and web hosting for two different domains. I want to put the client machines on one VLAN (VLAN Z) and assign it a public IP address (to keep server traffic separate). I want to put each server on its own VLAN (VLANs X & Y) and assign each server its own public IP address. I need the router to be able to provide a firewall and port forwarding for each VLAN. I also need to be able to route traffic between VLANs so the clients on VLAN Z can access their email and the websites on VLANs X and Y. I also need to be able to route DNS traffic between VLANs so each server can provide name resolution for their respective domains.
So, is this possible with a small business router or do I need to look at something different? I'm fairly certain this configuration is not possible with my current Cisco RVS4000. What it boils down to is I need a router that is capable of having multiple public IP addresses on the same interface and to forward those public addresses to private VLAN subnets. This would be one-to-one NAT if I understand it correctly..
We have just setup a new RV042G firewall. The customer has multiple public IP addresses and we need to allow RDP access for at least 2 of the Public IP addresses. I only see a way to open ports for the one IP assisgned to the WAN. I temporarily did a one to one NAT for the second public IP to NAT to the private IP but that pretty much opens everything which is not ideal from a security standpoint. How can we setup multiple IP addresses on this firewall?
The client has a Cisco RVS4000. There are 3 Internet devices need to be accessed from the outside and will use one public IP for one device. I don't see any options to setup on Cisco RVS4000 to do 3 NATs. If Cisco RVS4000 doesn't work in this situation, which router will do?
Today I was having a conversation with my Cisco Academy teacher from a few years back, and we couldn't figure this out.I am getting an internet connection via Verizon FiOS. Instead of giving me an ISR, they're going to just give me an ethernet cable. Here's what I want to do with it.
This cable is going to be plugged into a 1900 series router. Connect to that will be a 48 port switch. Connected to that will be multiple servers to be used for web hosting, email, databases, etc. My ISP is providing me with 13 public addresses, however, it is not my own unique subnet.
Here comes the question; how would I set this up? The way I was originally thinking was to assign one IP to fa0/0, a second to fa0/1, and then assign the fa0/1 address as the default gateways for all the hosts on the inside. But then I realized that it won't let me have the same network on 2 ports.
Is it possible to have multiple public IP addresses that are from different subnets going through one router? I have been told that this is not possible with most routers and that I would have to spend a lot of money on a router to be able to do it. I am still not totally clear on what defines a subnet even after reading up on them. What I am trying to achieve:
-My office has 10 computers.
-All would be connected to one router.
-My internet service provider has provided me with 10 public IP addresses, that are all very varied (which I asked for)
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.20-2 on port 2000.
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
I have a customer that has an RSV4000 Router. The customer has also purchased a block of 5 usable public IP addresses. I need to be able to assign these public IP addresses to printers either by configuring a static IP on each printer directly or thru IP mapping or some other method. Does the RSV4000 support using multiple public IP addresses and if so what configuration is needed in the router for the printers to be seen by the outside world.
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
I have an ADSL connection and have configured the PPPoE subinterface on WAN1 (ADSL) this connection has a static IP, and I know that the ISP gives that to me through DHCP however I have 4 or 5 additional IP addresses also provided to me on that same link, and they are not given to me via DHCP.
How do I configure this router to have multiple fixed IP addresses on a PPPoE interface?
I also need to port forward some ports for each of the IP's but I assume this will be easy after i have the IP addresses setup.
I have an ASA 5505 with Security Plus License ?I have 5 Static IP Addresses from my ISP?I have the following interfaces. Outside (vlan 2) / Inside (vlan 1) / Guest (vlan 3)For my Vlan3 guest network I have set it up so that DNS must be routed through opendns.org's DNS servers ( for web filtering, etc ) However, its using the static ip that I have plugged into the ASA.
What I would like to accomplish is to put my inside interface (vlan1) on another static ip for outside access if thats possible, so that I can route those clients through opendns.org however however giving them more web privlieges than what the guest network is getting.
I currently have my EA6500 behind verizon fios router. I have 5 static IP addresses assigned to FIOS router, however the machines I want to connect to are behing EA6500. It's a dual NAT scenario:
Public IP - FIOS Router - 192.168.1.0/24 network - EA6500 - 192.168.2.0/24 network
What I would like to do is for each public IP address, I would like to forward traffic to a particular host on 192.168.2.0 network. I can easily configure FIOS router for static NAT and assign one internal IP (from 192.168.1.0 range) for each public IP. However, I don't see a way to assign multiple IPs from 192.168.1.0 network to EA6500 internet interface.
I don't want to use EA6500 as a bridge as it will pretty much reduce my EA6500 to a very expensive GigE switch.
Is this possible? Or should I replace it with something more useful like a business router? This is for my home so I would like to avoid buying an expensive business router.