Cisco VPN :: 5510 - Multiple L2L Ipsec To Same Destination (ip Address)

Jan 23, 2012

im lookin to establish a a multiple L2L ips  tunnels ( one tunnel for each subnet) from my cisco asa 5510 to the same destination. should the cisco asa capable of this ?

View 6 Replies


Cisco VPN :: ASA 5510 - NAT Destination Address Through VPN?

Feb 25, 2012

I am trying to perform destination NAT through a VPN scenario traffic coming from needs to connect to address from the source device traffic will have a source IP address of destination will be traffic will hit the asa 5510 and the traffic source will stay as but the destination needs to change to
I have tried the different types of NAT but been unsucessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
example config
access-list FROM_INTERNET extended permit esp any any
access-list FROM_INTERNET extended permit ah any any
access-list FROM_INTERNET extended permit gre any any
 access-list FROM_INSIDE extended permit ip host host
access-list VPN-TUNNEL extended permit ip host host
**I have left other config statements off as the NAT config used previous has not worked and the VPN tunnel does build when using NAT exempt.

**All ACL have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static roule for the VPN traffic allowing the default static to perform that function.

View 1 Replies View Related

Cisco Firewall :: Can Configure Two IPsec Tunnel In ASA5525X / When Destination Is Same

Sep 7, 2012

Can I configure two IPsec tunnel in a ASA5525X, when the destination is same.

View 1 Replies View Related

Cisco VPN :: PIX-515E Version 8.0(2) - Cannot Reach Destination Of One IPSec Tunnel Via Another

Apr 17, 2013

I have a PIX-515E version 8.0(2).I have two remote sites connected to this PIX via IPSec tunnels.Each remote site can reach the local networks behind the PIX but I can not reach remoteSiteA from remoteSiteB.So, SiteA <----- IPSec -----> PIX1 <----------------> SiteX SiteB <----- IPSec -----> PIX1 <----------------> SiteX
 SiteA can ping SiteX
SiteB can ping SiteX
SiteA can't ping SiteB
SiteB can't ping SiteA
If i do show crypto isakmp ipsec sa I can see appropriate subnets:
Crypto map tag: CRYPTO-MAP, seq num: 4, local addr: 
access-list ACLVPN-TO_SITEA permit ip host
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (

Some log messages that seem to point to the problem...
Apr 18 2013 13:27:35: %PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence number= 0x21A) from (user= to  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as, its source as, and its protocol as 6.  The SA specifies its local proxy as and its remote_proxy as 
My question is really do I need to do anything funky to allow the traffic to pass between the two tunnels?

View 2 Replies View Related

Cisco Switching/Routing :: Monitor Traffic Between Multiple Source To Destination Ports On Nexus 7k?

Nov 5, 2012

i would like to monitor traffic between multiple source ports to multiple destination ports on a nexus 7k. i lknow when you set up monitor session is between source and destination (laptop or traffic analyser) but is there a way i can set up between source and multiple destination ports and capture that traffic ?

View 3 Replies View Related

Cisco Switching/Routing :: 877W - Multiple Static Routes / Same Destination Dialer0 And Vlan1?

Jun 10, 2013

Is there any way to have my Cisco 877W Router alter from using one static route to another static route when another router on the network is reporting destination host unreachable?
Router 1 (
Dialer0 -> ppoe to internet
Vlan1 -> local
 Router 2 (
Dialer0 -> ppoe to managed VPN (
Vlan1 -> local
Router 2 is connected to another network through a managed VPN and that network also has internet access. I want to be able to have two routes to the internet on Router 2. And when Router 1 internet goes down packets get routed through the VPN instead.
I currently have on Router 2
ip route
ip route Dialer0
ip route 250
Which does nothing when Router 1 has its Dialer0 interface shutdown, or goes offline completely.I suspect I could reverse the setup and have everything routed through the VPN by default and then if / when Dialer0 interface goes down it would switch to using Router 2, but if the problem is in the remote network and interface Dialer0 stays up, it would probably do the same thing... nothing.All devices mentioned are Cisco 877W routers with ADSL and a bunch of fast ethernet interfaces.

View 2 Replies View Related

Cisco WAN :: Why Is Destination An RFC1918 Address

Mar 13, 2012

Here is a snippet from "show ip cache flow", from a border router of our network; [code] To clarify, Gi0/3 faces our customers, Fa1/0 faces a transit provider. These results have come from configuring "ip flow egress" on Fa1/0, facing the transit provider. is a static IP we have assigned a customer. I know this customer has a firewall terminating this connection so I want to understand the cache flow results on this route. Why is the destination address an RFC1918 address? Is it possible that the customers firewall is trying to connect to these addresses, the flow gets as far as this border router, and drops? I assume that to be false, and only successfully initiated flows are recorded?
Also, looking at those figures it's IP protocol 0x11 which is UDP (17) and source port 62023 to destination port 161. 161 is SNMP? Without asking the customer what they are doing I suppose I can never know at that level, but I'm really more interested in why these flows are showing at all, when isn't in this routers FIB?

View 2 Replies View Related

Cisco Security :: ASA 8.4.1 Destination Address NAT?

Jul 15, 2012

i have a situation where i have a deployed asa5505 running 8.4.1.The client has an existing mail server that is located on their lan and has Port Nat's configured for the normal mail ports,  25,110,993,587 etc.
This works fine for mail inbound and for any user popping mail off the server externally or visiting the webmail interface from outside the network.However when users inside the LAN try to connect through the ASA back inbound to the IP on the External Interface of the ASA they are unable to do so.
One solution i came up with is Split DNS.   and well this works it rely's on the users not changing their dns servers.I was wondering if it's possible to do some sort of NAT that rewrites traffic destined for the above ports on the external IP to the Internal LAN Ip instead.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Static Route By Interface Or Destination

Sep 21, 2011

Is it possible to assign a static route to an interface and not globally on a ASA 5510 ver 8.3.
I have two links between my offices one for Data via a VPN and one for video traffic which is a secure connection with QOS end to end.
All interfaces are on the same security level of 100 except Outside which is 0.
Office 1 Interfaces ASA 5510
VLAN  1               vOffice1Data
VLAN  3               vOffice1Video
VLAN 5                vInterOffice     (QOS  connection Between Offices)


At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.

View 2 Replies View Related

Cisco Switching/Routing :: 2600 / Destination IP Address Redirection

Jul 9, 2012

I have a Cisco 2600.  I would like to know how to redirect traffic going to a certain IP address three hops away to an IP address on a locally connected segment. 
Ex.  Packet leaves a device with source IP of and destination of 20.20,20.20   When the packet hits the router ( I want the router to redirect the destination of to (locally connected segment).
The router has two physical interfaces.I am thinking along the lines of creating a VLAN with an ip of and then doing a NAT translation from to 

View 3 Replies View Related

Cisco Firewall :: ASA5505 / 5510 - Prioritize Traffic Based On Destination IP?

Sep 25, 2012

we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?

View 3 Replies View Related

Cisco WAN :: RS485 / BSTUN Multi-point (ASYNC) / Set The Destination Address?

Sep 26, 2012

transport the serial0 and serial1 from a remote route to a local router at his local serial0 interface.The routing mechanism is very easy, it like a RS485, incoming data at the local router is trasmited to the remote serial0 and serial1. If some data income at the serial0 or serial1 at the remote, this data travel to the local an is printed into de local serial0 Remote Serial0 and Serial1 ends at the local Serial0. The local Serial0 starts and ends at the remote Serial0 and Serial1.Both serials are RS-232 (is a async-protocol group)The RS-232 protocol is UNADDRESSED The application is a back-up serial link.
My Config is:

LOCAL R236: 
bstun peer-name
bstun protocol-group 10 async-generic
 interface serial0
physical-layer async

If i debug the BSTUN PACKET:

*Mar  7 02:31:18.182: %BSTUN-3-NOPEER: No peer configured to route frame with destination address 0 (bstun group 10)
At the Cisco IOS Software System Error Messages ARAP Error Messages Manual notes:
BSTUN-3-NOPEER: No peer configured to route frame with destination address
[chars] (bstun group [dec])
Explanation A BSTUN route has not been configured for the frame with a destination address.Recommended Action If this message appears while you are debugging BSTUN, it indicates that no specific BSTUN route has been configured for the frames being received with the device address listed in the packet debug trace. You may choose to configure a BSTUN route, or ignore this message.I know that the address must be content on the frames that income at the serial port interface, I mean the router fordward the frames if this have some BYTE and the start that indicate what is address of a remote device, so i guess that this routing mechanism use that byte to select the remote router.But If I set the address at the local and remote route, the router is not who must include his own address in the frame?If I set a point to point link, the only way if I want to transport more that 1 link,? for now the only way is set TWO groups and set one for first link ant the other for the second. (Serial0--Group1--Serial0 and Serial1--Group2--Serial1)The router do not let me set the same group ant the same route. where at the Serial interface i set the LOCAL ADDRESS for a BSTUN protocol?

View 3 Replies View Related

Cisco WAN :: 1941 - Multiple VRF BGP / GRE / IPsec Failing

May 17, 2011

I'm trying to configure a Cisco 1941 to connect to multiple Amazon VPC instances. Each VPC instance brings up 2 x IPsec over GRE tunnels with BGP in to the EC2 cloud and enables flat extension of the corporate LAN. Basically. you can spin up EC2 instances in a private subnet and route to them across the VPC link from the corporate LAN.
The Amazon configuration is templated and not designed to support multiple instances on one customer access gateway - however, I want to overcome this and find a technical solution around bringing up a second physical router. I've got VRF configured and working for the first instance, but when we add a second VRF to the configuration IPsec fails. The second VRF is essentially identical to the first.
We're potentially looking at a licensing issue with IOS 15.x, the version we're running is... 

ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
data          None          None          None

However, the IPsec configuration is complete and all keychains etc. are in place as they should be.

View 13 Replies View Related

Cisco VPN :: 7301 - Multiple L2L IPSec Sources On One Router

Feb 4, 2012

I'm trying to make a redundantish office/datacentre connection on the cheap. At the datacentre, we've got a 7301 (12.2(24)T5) and at the office we've got a Mikrotik RB1200 (5.12).The office router has two ADSL connections to two different ISPs, the datacentre router a single GigE to a colo provider. I'm trying to build an IPSec encrypted IPIP tunnel over each ADSL service to a separate loopback interface on the datacentre router, so I can run OSPF over the top for route exchange. I need to use two different loopbacks on the datacentre router so the office router can have a static route for each out each ISP ADSL. But I'm running into issues making encryption work on two different source addresses.Using the 'crypto map xxx local-address Loopback12' command, I can specify the outbound interface for one of the tunnels just fine, traffic moves as expected - while the other tunnel fails to encrypt. But is there a way of having two peers use two different local addresses, or applying two crypto maps to a single physical interface?

View 1 Replies View Related

Cisco Firewall :: Connecting ASA 5505 To Multiple IPSec VPN?

Sep 13, 2012

We currently have 2 different ASA 5505 connect to our ASA5510.  We want to VPN connect the 2 5505's to each other while still mantaining connection to our 5520. I have attached pdf of what we have.  What we want is to connect traffic between the two 5505's so that devices in either location can talk to each other while still mantainig connection to the 5510.

View 13 Replies View Related

Cisco WAN :: Config ASA5510 For Multiple IPsec Tunnels

May 13, 2013

How to configure CISCO ASA 5510 for multiple IPsec tunnels?On other side is CISCO 2801.

View 20 Replies View Related

Cisco Firewall :: Connecting ASA 5505 To Multiple IPSec Vpn

Sep 13, 2012

We currently have 2 different ASA 5505 connect to our ASA5510.  We want to VPN connect the 2 5505's to each other while still mantaining connection to our 5520. I have attached pdf of what we have.  What we want is to connect traffic between the two 5505's so that devices in either location can talk to each other while still mantainig connection to the 5510.

View 1 Replies View Related

Cisco Routers :: RV180W IPSec VPN With Multiple Networks?

Sep 4, 2012

I am setting up a customer site.  One side is RV180W and the other side is Checkpoint 500W.
RV180W side
 Checkpoint side
Need to setup an ipsec tunnel between the site.  However, from the RV180W side, I can only ping the VOIP network, but not LAN. I have heard that RV180W only can talk to one remote network via ipsec, correct?  workaround this other than changing out the RV180W? 

View 4 Replies View Related

Cisco Routers :: RVS4000 - Multiple IPSec VPN Tunnel

Aug 29, 2011

I recently purchased a RVS 4000 (firmware V2.0.0.3) and am having some issues creating a second (third...fourth?) IPSec VPN Tunnel. The first one is up and running just fine. On the VPN Summary screen it says [1 Tunnels Used  4 Tunnels Available].

When I go to configure the second tunnel, I select --New--  from the   "Select Tunnel Entry" drop down and proceed to fill in all the connection information. When I click Save, it seems to be processing and after a few seconds just returns me to the same screen, with none of the information I just input and no connection created. No errors given.

I have another RVS4000 to connect at a different location which will require a similar setup, but don't want to do anything with it until I have the one mentioned above working fully.

View 1 Replies View Related

Cisco VPN :: ASA5520 - IPSec VPN Client And Multiple Target Networks

Sep 9, 2012

I am using an ASA 5520 running 8.2(4). My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPSec client and be able to establish tcp connections to servers at 192.168.210.x and 10.21.9.x and 10.21.3.x, I believe I am close to having this resolved, but seem to have a routing issue.

View 5 Replies View Related

Cisco VPN :: Create Multiple IPsec Tunnels On 837 ADSL Router?

Nov 4, 2011

I need to create multiple ip-sec vpn tunnels on A Cisco 837 ADSL Router. I am able to create one tunnel but the second connection is asking for the outside interface which is atm and already taken by the first tunnel. How can i create more tunnels?
Secondly, after creating the first tunnel i am able to access the remote lan network but when i tried tracert "remote lan ip of a pc" from my pc i got "request timed out" after passing my 837 but succeeded to reach the target. Does tracert needs something to be opened in the router?

View 2 Replies View Related

Cisco Routers :: SRP547W Multiple IPSec Policies Through Single IKE Policy

Apr 7, 2012

I am trying to create a VPN between an SRP547W and a Cisco IOS router, in this case a UC540.I am running firmware 1.2.4 (003) Jan 11 2012. Now I can do this with an SRP527W and many other routers successfully. Including other IOS routers 1801, 1941 etc.
The issue I have is on the SRP547W I cannot create more than one IPSec Policy through a single IKE policy. I require this to route multiple v lans to our remote site. When I try to add an additional IPSec Policy I am give the error "IKE policy has been used by other IPSec policy"
This is possible to do on the SRP527W with latest firmware. I have tried rolling back to earlier firmware but instead I am given an error about overlap. Latest release note for this firmware suggest this issue was already resolved.

View 7 Replies View Related

Cisco VPN :: 5510 IPSec VPN Map

May 5, 2012

i have started managing a asa 5510 firewall which is already having 10 ipsec tunnels , the problem i am facing is they are configured as "ipsec vpn map"
i have attached sample config, i am finding it difficult to understand the parameters used in each tunnel as the configration seems bit complex to me, how it works .

View 9 Replies View Related

Cisco VPN :: 5510 - Context With IPSec VPN

Mar 10, 2011

I need to create a IPSec Site-Site VPN in the Single mode firewall. Is it possible to create the tunnel. I have ASA 5510 Security Plus with Ver 8.3

View 5 Replies View Related

Cisco VPN :: IPSEC VPN Setup On ASA 5510

May 12, 2011

We're in the process of setting up an ASA 5510 as our main VPN appliance.
The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network.  The 5510 uses radius for authentication going to a server on the same subnet for the authentication.  That works fine.  VPN client can connect to the 5510 and successfully authenticate.  Routes are pass through to the VPN client, no problem.  PC with VPN client can access internet (which is by design, it should use it's own internet connection), but cannot ping/access/trace over the tunnel at all.
My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.
The VPN client is set to pull an ip address from the pool - - 100.  The 5510 is sitting on a separate subnet (50.x/22).  This seems to work on the Cisco 1700 that it will be replacing just fine.  I mirrored routes and ACLs as well onto the new 5510.  No luck.  Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510. 

View 24 Replies View Related

Cisco VPN :: 5510 L2L IPSec VPN Blocks SQL

May 17, 2012

I have an ASA 5510 running 8.4(2) which has a site to site IPSec VPN to a 3rd party who run some form of Checkpoint.  The VPN establishes and allows access to a server in our DMZ on all ports that we have tested (so far HTTP, SSL, RDP, FTP) except for SQL which doesn't even seem to reach the server.  I've got Wireshark running on the DMZ server and if the 3rd party initiates a TCP conversation from their server on any of the working ports to the server I see all of the expected packets arrive with the correct IPs etc (no NAT takes place across the VPN) but when an ODBC client attempts to query the SQL server on our DMZ box the packets do not arrive at the server.  What I can see is the RX byte count on the VPN increasing each time the query is run but definitely no SQL arriving at the server.
Also if I revert the ASA back to the old PIX it has replaced with the same VPN config but on version 7.x then it works just fine.

View 16 Replies View Related

Cisco VPN :: How To Use ASA 5510 To Terminate A LAN To LAN IPsec VPN

Aug 6, 2012

We have an ASA 5510 running 8.3 that we need to use to terminate a LAN to LAN IPSEC VPN.
Problem is we only have one public address available so have had to configure the link between the ASA and the Internet Router on private addresses.
Is it possible to NAT the public address to the inside or outside interface of the ASA and terminate the VPN on that interface?

View 7 Replies View Related

Cisco VPN :: Connect To IPsec On ASA 5510?

Aug 31, 2011

I have been given the following details by a company for us to connec to their IPsec VPN.
IP Address                    
VPN Device Description          Cisco ASA
VPN Device Version           5510
Encryption Domain 
Authentication Method                Pre Shared Key
Encryption Scheme                     IKE

I was going to use VPNC with linux but the company said they do not use remote access. So I tried a draytek vigor 3300v, that as well did not work. Had very bad logging so i couldn't troubleshoot.In the end I have decided to buy the cheapest cisco device that will allow me to connect to this.

View 3 Replies View Related

Cisco VPN :: IPSec Tunnels Between ASA 5510 And 5555

Nov 13, 2012

I have an ASA 5510 running ver 8.0(2) that has (4) Ipsec tunnels going from it to various other locations.  I am having an issue with data transfer speed on only one of the Tunnels.  This tunnel is between the 5510 and the 5555, on that link I am getting a dat transfer rate of a little over 120k a second, whereas if I pull the same set of files from another location I am seeing a transfer rate of 5m per second. 
I have verified that it is not a capacity issue on the Internet bandwidth on both locations, and I can pull the same data from the same location to various other locations via Ipsec tunnels, I am only having an issue with a specific tunnel going from the 5510 to the 5555. 
Since it is not affecting other tunnels on the 5510 nor is it affecting tunnels on the 5555 going to other locations, I am leaning toward a routing issue within the ISP?  I will say the ISP is taking me a long way around to stay in the same Metropolitan area.

View 1 Replies View Related

Cisco VPN :: ASA 5510 Ipsec Stops Working

Jun 8, 2011

i've an Cisco ASA 5510 with Security Appliance Software Version 8.0(2), in this ASA i've many L2L tunnels to this ASA, anda sometims new tunnels can't connect, the older tunnels still ok and working, yesterday this situation occured again and i've tried to clear all ipsec tunnels and try to reconnect again no one cames up again. At the time of this situation memory usage was about 78% and CPU is was around 5%. I've made a reload without changes and the situation returns to the normality.
At the time of the fail i've collect the outpu from debug crypto isakmp 255, the outpu was in the annexed file.

View 1 Replies View Related

Cisco VPN :: IPSec Client Connection Through ASA 5510?

Mar 28, 2013

I've got random connection issue when I try to connect to a VPN gateway through an ASA 5510 (IPSEC client ->ASA 5510->VPN Gateway).
When the tunnel is coming up, those two lines appears in the captured traffic on the internal interface :
<private internal IP>.500          > <destination IP>.500:  udp 541
<public external IP>.500 > <destination IP>.500:  udp 541
When it's not coming up, the port nuimber for the public IP is not 500
(private internal IP).500  >  (destination IP).500:  udp 541
(public external IP).442 >  (destination IP).500:  udp 541
I don't understand why sometimes the port for the public external IP is 500 and sometimes not.

View 1 Replies View Related

Cisco VPN :: Citrix App Disconnect Over IPSEC In ASA 5510?

Jul 16, 2012

We have built IPSEC VPN over MPLS P2P circuit between Head & Branch office using Cisco ASA 5510. Client systems at Branch office connects to Citrix app at Head office, but it gets disconnect intermittently for all user. if any recommendations/changes required for Citrix App whn passing over IPSEC VPN/ ASA.

View 2 Replies View Related

Cisco VPN :: 5510 - L2TP Over IPSEC Static NAT

May 22, 2013

I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect. The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface.  I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.  The second issue involves DNS.  I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS.  What is the workaround for using split tunneling AND internal DNS servers, if any?
i've had two different CCNA's look at this numerous times to no avail.  A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd.  You can see in the config where i added the extra STATIC NAT to try and fix the issue.  And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network. [code]

View 1 Replies View Related

Copyrights 2005-15, All rights reserved