Cisco VPN :: 5510 Unable To Ping Any Of Private IPs At HQ From New Branch

Jun 25, 2012

We have had a successful site to site vpn working for several months now. It is an ASA 5510 at HQ to an ASA 5505 at a branch office in another state. We just added a second site to site vpn in another state, this time from HQ to a Sonicwall TZ100. After plugging in the Sonicwall to the Qwest modem in bridge mode the tunnel came right up. I was unable to ping any of the private IPs at HQ from the new branch, but was able to use remote desktop into the servers and workstations at HQ. Also all the computers show up when browsing the network from the new branch.
 
At the first branch we are able to ping both ways and use remote desktop both ways. When using packet tracer in ASDM on the HQ ASA and pinging from one of the IPs in the HQ protected network to an IP in the new branch network, NAT-EXEMPT looks good, but when it hits the first NAT it matches on the "dynamic translation to pool 10 (10.1.255.254) [Interface PAT]" (which is the default route for all the vlans to get to the Internet). The next NAT (subtype - host-limits) looks better, and this one is going to the IP address of the outside interface of the HQ ASA 5510, but then the third NAT (Subtype - rpf-check) reverts back to the "10 (10.1.255.254) [Interface PAT]" and the packet is DROPPED. Also there is no VPN step in Packet Tracer after NAT. [code]
 
Is the problem possibly due to the fact that my 2 new ACLs for "encrypt_acl-30" fall after "access-list global_mpc extended permit tcp any any" in the config and it is running into the implicit deny all?


Cisco Wireless :: 3602 AP Unable To Ping Anything At Branch And Central Sites

Mar 7, 2012

We are in the process of evaluating Cisco wireless controllers and APs. We have 3602 APs and 2504 controllers right now. We have multiple branch offices connected to the main office through layer 3 and they all have different vtp domains and vlans. I am trying to deploy APs at the branch offices and connect them back to the controller and the central site. I created a sub interface and ssid with one of the vlans at the branch office on the controller and was able to get the AP to join the controller through DNS. However, a client at the branch office connected to the AP was unable to ping anything at the branch and central sites. Is there any documentation on how to deploy such a setup where the controller is at the central site and the AP at the branch office, going through multiple routers in between?


Cisco WAN :: 891W / Using Private IP To Simulate ISP - Unable To Ping WAN IPs

Jun 21, 2012

I have a home lab network that is connected to my internet. I basically have a Linksys router connected to a cable modem, and in order for my family's internet to not go down while testing and learning for my CCNA, I am trying to treat the Linksys as the ISP.
 
1. Plugged my 891W router via FASTETHERNET 8 (192.168.1.10) into LAN switch port 1 of my Linksys E4200 home router (192.168.1.1).
 
2. I plugged my 891W Gigabit 0 (10.10.10.1) LAN side into my 2950 Catalyst Switch (10.10.10.5 - VLAN 1)
 
3. My 2950 Catalyst switch (10.10.10.5 - Vlan 1) is plugged into my 2600 series router via the router's FE port (10.10.10.2).
 
There are a few more routers connected behind r2 but I am not dealing with them right now, and there is also a switch connected into s1 but it's not being used for this.
  
891w is labeled r1
2950 is labeled s1
2600 is labeled r2
 
I am running RIP Version 2 for my network protocol.
 
r1 information below 
----------------------------
r1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 24 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    GigabitEthernet0      2     2
    Vlan4                 2     2
    wlan-ap0              2     2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for

[code].....
 
I can ping all over my homelab, everything I can reach as long as I have a protocol up, but I cannot reach the WAN IPs. I watched a video by Jeremy Cioara and I tried to follow the WAN and NAT part from a website [URL], and none of it's working. I am not sure if this is a case where a private IP cannot function as an ISP and I am breaking some rule that's not mentioned in CCNA studies, or if it's something else. I tried these commands from Jeremy's video:
 
r1(config)#ip access-list standard "NAT_ADDRESSES"
r1(config-std-nacl)#permit any
r1(config)#ip nat inside source list NAT_ADDRESSES interface fastEthernet 8 overload

However, they did not work; it was pretty close to what's in the basic website I listed up there as well. I think I went back to the basic configuration in the config file post above. It's really frustrating, as I follow directions and they do not seem to work. I understand I am using my private 192.168.1.0 subnet as an ISP and maybe that has something to do with it, but when you're first learning and things don't work it's kind of overwhelming, as you have problems seeing the big picture and don't yet trust in things you have learned as they are unfamiliar, so it's easy to get lost.


Cisco VPN :: 5520 / 5505 - VPN Tunnel Ping Branch Side But Not Other Way Around

Nov 2, 2012

I have HQ side with ASA 5520 (8.4) & branch side with ASA 5505. Design:

VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)
 
Now on both modems UDP 500 & TCP/UDP 4500 ports are enabled. I can ping from the internal LAN of HQ to the internal LAN of the branch, but I can't ping from the internal LAN of the branch to the internal LAN of HQ.

HQ ASA 5520 Side
ASA Version 8.4(3)
hostname aljoaib-fw01
[ code].... 
Branch side ASA 5505
ASA Version 8.2(5)
hostname GTC-DMM-FIREWALL
domain-name ALJOAIB.COM
enable password 7pgp93AEPfHtDc5N encrypted
[Code]....
 
Both sides have static ip address.


Cisco WAN :: ASA 5510 - Ping Gets Through But Phone Unable To Register?

Jan 31, 2011

I have two sites connected together using a 4 MBps link over the tunnel terminated on an ASA 5510. The call manager is in site 1, and the other users on site 2 are unable to register with the call manager on site, while I have a successful ping going from site 2 to site 1 (call manager IP). So why is this phone not registered? In terms of network there are no problems, because the ping gets through, and I rely on ping to confirm that there is no network problem.
 
Is there any UDP traffic problem that prevents the phone registration?


Cisco Firewall :: Unable To Ping Default Gateway On ASA 5510

Mar 31, 2011

We have two ASA5510s, each with outside interfaces to the same two ISPs (different IP addresses within the same subnet, of course). Both ASAs allow ICMP on all (inside and outside) interfaces. One ASA's default route is to ISP-1 and the other is to ISP-2. We can ping the default gateways for both ISPs from only one ASA. From the other ASA, we can only ping the default gateway for the default route but not the other. The pings originate from an inside client, first configured with the default gateway for ASA-1, then for ASA-2. Why does this happen, how do I troubleshoot something like this and how do I fix it?


Cisco Firewall :: ASA 5510 Unable To Ping From Outside Interface Or Cloud

Nov 27, 2012

One of my clients has a BSNL leased line with a LAN IP pool. We configured those on an ASA 5510 and Internet is working fine, but from the cloud we are not getting any response to ping requests. Please find the running configuration below:
 
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(1)

[Code]....


Cisco VPN :: ASA 5510 / Two Branch Communication?

Nov 10, 2011

I have an ASA 5510 configured with two L2L VPNs from the headquarters to two different branches. I'm using the ASA “outside” interface, which is connected to the internet, in order to establish and configure the 2 VPN connections. Could branch 1 communicate with branch 2 through the ASA?


Cisco WAN :: 5510 Two Router Branch Routing Design With T1 MPLS And ADSL

Feb 29, 2012

I'm looking for routing design scenarios to complete our configuration needs for remote branches. We will have two 1921 routers in each location, one with a T1 from our MPLS carrier, the other with a DSL connection from an ISP. The T1 router will have an assigned AS and use BGP to route back to headquarters. The DSL router will have an IPSec tunnel back to an ASA 5510 at headquarters. I envision a GRE tunnel from the DSL router back to head end routers connecting to MPLS at headquarters. Not sure yet how to manipulate the routing between headquarters and the branches such that the T1 router is the primary route to and from the branches and the DSL router is for failover/backup.


Cisco VPN :: 5505 / 5510 - Accessing Branch Offices Connected To Main Office Via L2L VPN?

Dec 17, 2012

I am trying to configure access to several remote offices for users who VPN into our main datacenter. The datacenter has a 5520, and the branches are connected through IPSec L2L VPNs. Branches all have 5505s or 5510s. Remote users use IPSec via the Cisco remote client. Remote access into our data center works, and the L2L VPNs are perfect... just now that I need remote users to access the branches after remote access VPNing (for support), I can't get that part to work.


Cisco VPN :: 5510 Site-to-Site VPN Internet Access From Branch Office For Group

Mar 6, 2013

Our headquarters (asa 5510) is running a site to site vpn connection with a branch office (router 2811). All remote users are accessing the internet through the VPN and also accessing headquarters file servers. I want to know if there is a way for some remote users to be able to use the vpn for accessing the file servers but to access the internet through the branch office. The rest of the remote users will still be accessing the internet through the VPN.


Cisco VPN :: 5505 - AnyConnect Access / Cannot Ping Devices On Private Network

Jun 11, 2012

We have configured a Cisco ASA 5505 with AnyConnect access. This works great. However, these users cannot seem to ping devices on the private network. We have configured all devices on the network with a 10.10.10.0/24 address space. The inside interface of the ASA is 10.10.10.1/24 and the VPN return addresses are 10.10.10.50 - 10.10.10.65/24. The users can utilize SSH and Oracle or MySQL calls but cannot seem to ping. Obviously, I am overlooking something.


Cisco WAN :: Asa 5510 With Private Ip Address On Wan

Feb 8, 2012

I recently got a high-speed link for my company to replace the old Frame Relay. The internet service provider gave me a non-routable range to set on my ASA like this: [code] Then the ISP told me my public IP WAN range was x4.23.209.166/29. I made this kind of configuration work when I put a Cisco router in before the Cisco ASA like this: [code] Is it possible to make this work on a Cisco ASA 5510 without putting a router in front? If it works, can problems happen when establishing a VPN from the outside interface having a private IP?


Cisco Firewall :: Map Public IP To Private In DMZ In ASA 5510?

Jul 22, 2012

I am now using an ASA 5510 as a firewall device. I have configured 3 interfaces, ethernet 0/0, ethernet 0/1 and ethernet 0/2, as the WAN interface, DMZ interface and internal LAN interface. Internet is working fine from the LAN as well as the DMZ. The WAN interface uses the public point-to-point IP (/30) provided by the ISP, and another pool of public IPs is also provided by the ISP (/28). Now I want to map the /28 IPs to some servers in the DMZ. DMZ servers currently have 192.168.101.0/27 private IPs. Now the problem is how to map the public IPs to those private IPs on the DMZ servers.


Cisco Firewall :: 5510 NAT Public Ip To Private

Sep 5, 2012

We have the setup as shown above; our requirement is to access the mail server via ports smtp and pop3. But as the mail server is hosted on the internet, users at the site were not able to access it. We need to NAT an intranet IP with the mail server IP, and the mail server IP back to the intranet IP, and provide the access. We use an ASA 5510 firewall.


Cisco Switching/Routing :: 4.2.2 Unable To Ping 1 Internet Site From Edge Router Able To Ping

Jan 18, 2013

From my router that connects to the cable modem I am unable to ping website 4.2.2.2. I am able to ping all other websites fine. The same website I can ping from my PC and all other switches fine. The router has only 1 ACL; that's for NAT.


Cisco WAN :: ASA 5510 / Cannot Access Internet From Private Network?

May 1, 2013

I'm setting up a Cisco ASA 5510. I did the setup for my public and private interface. From the management software I can ping any outside domain using my public interface, but when I try to do that from my private interface I cannot. Also, for some reason my IP phone connected to the private interface works (I'm able to make and receive calls), but with any computer that I connect to the private interface I cannot access the internet.


Cisco VPN :: ASA 5510 / VPN Client With Overlapping Private Networks?

Jun 6, 2012

I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
 
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have a cable router with no VPN capability, and they don't want to spend any more money on this project.
 
Can this work if there is no duplication of IP addresses?


Cisco Routers :: Unable To Use Dynamic DNS From Private Subnet On RV110W

Mar 6, 2013

I have an RV110W connected in private network 192.168.5.0/24. I have redirected the pptp port from the adsl modem to the RV110W and VPN works OK. DDNS on the adsl modem is not available. I need to use Dynamic DNS functionality on my RV110W. The device supports several DDNS services (TZO.com, Dyn DNS.com, 3322.org and noip.com). For all but TZO the public "Internet IP Address" shows as 192.168.5.110, which also gets auto registered with the DDNS service. I have tested this with a free noip.com account and this is obviously undesired behavior. I need the router to register my real public IP. For TZO it shows the proper public IP, but the TZO service is no longer available on TZO.com.


Cisco VPN :: 5510 VPN Only Allows Ping One Way

Sep 8, 2012

Today we physically moved an ASA 5510 across town and took another location off of fiber and onto a VPN with the asa 5510, via a brand new 5505. The VPN seems to be up however no local traffic seems to be passing. The ASA 5510 can ping to the internal network of the 5505 but not vice versa.
 
The site that was moved is the 62.0 network, it is connected to the rest of the network through the new ASA 5505. I'm sure this is something elementary that I somehow missed.


Cisco VPN :: Cannot Ping DNS Server ASA 5510

Jan 30, 2013

I have recently got our Cisco engineer to create a VPN connection to our network through an ASA5510. I am able to ping all devices on the network bar two servers (2xW2K3, one configured with AD/DNS and the other is an AD/file server) using IP addresses. However, I cannot ping any devices using host names. The engineer has entered in the correct IP address of our DNS server, but still we have this issue. As the VPN client cannot ping the DNS server, it is unable to resolve the host names, but I cannot seem to work out why we cannot ping the DNS server.


Cisco VPN :: ASA 5510 - Ping Is Not Allowed On 192.168.1.1 From 172.16.0.0?

Feb 23, 2012

VPN between datacentre & office: ASA 5510 & HP routers, site-to-site vpn, 192.168.1.0 and 172.16.0.0 networks. If I ping internal routers' cisco address 192.168.1.1 from a 172.16.0.0 network host (172.16.2.200), I get a ping timeout. At the same time, I see the same messages in ASDM monitoring when a successful ping reaches and comes back to a 192.168.1.0 host (192.168.1.101 for example). Pings from 172.16.0.0 to 192.168.1.0 hosts are OK; only 192.168.1.1 is silent. Looks like icmp echo reply is not allowed or something like that. Where to take a look? Why does monitoring look OK instead of denied according to ACL...?


Cisco VPN :: Can't Ping Anything From Client - ASA 5510

Nov 15, 2011

I have a VPN client running on a laptop connected a DSL circuit. The VPN client is configured correctly for an external address on another firewall, this external firewall passes through ISAKMP / IPSEC to an ASA where it terminates. The client authenticates and gets an address from the client pool (VPNCLIENTS – 10.2.16.x / 24) and the tunnel completes with no problems. From the internal ASA I can ping any internal network behind the 10.0.3.240 interface (INSIDE) and I have a route on the inside network to get to the 10.2.16/0 clients to point to this address (10.0.3.240). All good so far.
 
Now the problems begin. I can't ping anything from the VPN clients (10.2.16.0) network to anywhere; I can't ping any interface on the ASA or any internal network. I also can't ping the client from the ASA and therefore not from the internal network either. This configuration is a bare bones configuration, so I don’t even have the NAT exception rules added. Network diagram attached too.
 
interface Ethernet0/0
nameif outside
security-level 0

[Code]......


Cisco VPN :: 5510 VPN Tunnel Looks Up But No Ping

May 30, 2012

I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.


Cisco :: ASA 5510 Ping Between Inside Interfaces

May 4, 2012

I have two inside interfaces (both security level 100) inside and inside110. Inside is 192.168.105.3/24 and inside110 is 192.168.110.3/24. I have a PC on the 192.168.105.0/24 network. I cannot ping the 192.168.110.3 IP of interface inside110.


Cisco Firewall :: 5510 Enabling Ping For Dmz

Mar 4, 2011

I currently have an ASA 5510 unit. I have a dmz setup which houses some web servers and an inside interface. The web servers contain multiple public ip addresses which I have natted, and access is fine. What is the most simple way to enable ping for my dmz from the outside? Meaning if someone outside the network pings one of the servers by its public ip address, I would like it to respond to ping.


Cisco VPN :: ASA 5510 - Client Can Connect But Can't Ping

May 27, 2013

I have an ASA 5510 with the configuration below. I have configured the ASA as a remote access vpn server with the cisco vpn client. My problem now is I can connect but I can't ping.
 
Config
ciscoasa# sh run
: Saved

[Code].....


Cisco VPN :: Can't Ping Inside Interface Of 5510

Sep 19, 2012

I have recently installed an ASA5510 at a site in South Africa to connect via VPN to a site in the UK (ASA5520). The VPN comes up fine with the 5520 in the UK; however, I cannot connect to the inside interface over the VPN, but can access it from the internal LAN. All other hosts on the LAN are accessible over the VPN.
 
The 5510 also has another VPN to another site in SA and the 2nd site cannot ping the interface either.


Cisco VPN :: ASA 5510 - VPN AnyConnect No Ping IP Firewall

Apr 9, 2012

I have a management network 192.168.5.x and a VPN network 192.168.25.x. I can ping all my network elements except the firewall (ASA5510). The ASA has the IP 192.168.5.1. I think that the firewall has some restriction but I don't know. I have 8.2 software and AnyConnect 3.0 and they work fine. If I am in the management network (192.168.5.7), I can ping the firewall. The restriction is with the VPN network.


Cisco Firewall :: Can't Ping ASA 5510 From Other Subnet

Dec 9, 2012

Background: I have a couple of ASA 5510s I'm going to put in our lab environment. I have restored them to default config and set up the m0/0 interface with an ip/mask and started the http server. My lab environment is on the 10.45 subnet and my .com corporate environment is on the 10.40 subnet. I've also set up DNS and, from the ASA, can ping anything in the 10.45 subnet.
 
The problem is that from the ASA, I cannot ping the internet or my 10.40 subnet. And vice versa, I cannot ping the ASA from my 10.40 subnet. When I bring up a regular server, there is no special configuration I need to do, as those subnets talk to each other and nothing is restricted.
 
Is there something special I need to do to get it to work? I tried adding an access list to allow icmp, but that didn't seem to work. Oh, and I'm getting to the ASA by RDPing into a lab server (on 10.45), then putty to the ASA.


Cisco Firewall :: 5510 Cannot Ping But Internet Works

Jan 11, 2012

I have recently made some changes to my ASA 5510 (not sure what). I was previously able to ping url... and I am now not able to ping anything on the Internet, but the Internet connectivity works perfectly.


Cisco Firewall :: Can't Ping ASA 5510 Inside Interface

Apr 13, 2013

I ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below; L2L VPN works fine and all three data centers can access each other via L2L VPN. I have three ASA5510s. [code]


Cisco VPN :: ASA 5510 / Cannot Ping Or Access Anything On The LAN Past The Firewall

Jan 9, 2012

The VPN will connect. I can ping and connect to the ASA 5510 on its LAN interface. My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
 
Here is my config. Result of the command: "show config"
 
Saved
: Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012
!
ASA Version 8.2(5)
!
hostname ********

[code]....








Copyrights 2005-15 www.BigResource.com, All rights reserved