Cisco VPN :: 5520 / 5510 - Can VPN Clients Communicate With Other Dynamic Clients
Nov 5, 2012
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
We are configured the Remote IPSec VPN on cisco 1800 series router.The Clients are able to login to VPN and access the local corporate network Servers . But VPN Clients are not able to communicate with other VPN clients using their VPN Adapter IP.
Components used : CISCO VPN Client 5.7 Router 1800 Series
I recently noticed my 'Number of Dynamic DHCP Clients' on Network Settings is always empty. Before, it always registered a list since there are several devices that are connected to our wireless network (laptops, mobile phones, desktops).
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:Connect the phone and let it boot up(takes a while) and authenticate with MAB.Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan) However, the following scenario doesn't work:The computer is already connected to the phoneThe phone is then connected to the switch What happends now is that the computer is authenticated using 802.1x before the phone boots up and get's authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period(let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message(which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phones-mac as `mab auth sucess `.why the first scenario works, and not the second?
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config: network-policy profile 1voice vlan 90!interface GigabitEthernet0/12switchport mode accessnetwork-policy 1authentication control-direction inauthentication event fail retry 1 action authorize vlan 60authentication event server dead action authorize vlan 60authentication event no-response action authorize vlan 60authentication event server alive action reinitializeauthentication host-mode multi-domainauthentication order mab dot1xauthentication priority mab dot1xauthentication port-control autoauthentication periodicauthentication violation replacemabdot1x pae authenticatordot1x timeout tx-period 5dot1x max-reauth-req 1spanning-tree portfast!Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).
I have 4 desktops cat5 to Dlink DIR 615 router. All work fine. Any wireless clients, laptop or netbooks, see the desktop computers for a while then disconnect somehow. All machines can see the Internet through the router at all times. The desktops disappear from the laptop/netbooks but the wireless machines can be seen from the desktop computers but clicking on them gets 'Access Denied' message after a wait.3 desktops = XP, 1 98SE. All laptop/netbooks = XP
I have a Netgear WNDR4500 running the stock firmware, acting as a router for my home. I also have 2 routers that are flashed with DD-WRT (Linksys WRT54G and Asus WL-520GU) running as client bridges. The Netgear is 192.168.1.1 and the other 2 client bridges are 192.168.1.2 and 192.168.10.3. The Netgear router is performing DHCP giving addresses from 192.168.10.100 to 192.168.10.254. I have numerous machines connected to the Netgear, wirelessly and wired, and numerous machines wired to each client bridge. All machines have IP addresses that are 192.168.10.100, 192.168.10.101, 192.168.10.102, etc... Everything is working fine, but I have one question: When I access the Netgear router, it shows the client bridges as clients, machines that are wired and wireless to the Netgear router are listed as clients, but the client list does not show any clients that are connected to the client bridges. I assumed that since the router is performing DHCP that all clients would show up.
You have a Cisco ASA 5520 where clients connect using Cisco Anyconnect SSL VPN, say the URL is connect.whatever.org. You would like for when a user enters either [URL] or just connect.whatever.org into their web browser that it automatically puts the required url...
We are trying to manage our Cisco ASA 5520 (8.2.5) SSL clients through Active Directory(ldap).
Currently the SSL VPN tunnel is up and all users are able to connect being authenticated by AD. but Group-policy to AD groups are not working. all the domain users are able to go to all the group policies .
I need to give access only to their respective Group policy in ASA. Following are the available groups and GP.
I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn’t have to reload the ASAs. The issue‘resolved’ itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz version 8.3.2.
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
I've some strange problems with multiple ASA (NEM) VPN remote clients (v8.4.5). On the HQ I've an ASA5510 (v8.4.5) with multiple NEM's connected to it. The group policy used on the HQ is configured for split tunneling. Now here's the problem;
The remote ASA (NEM) constructs easily a VPN connection to the main location; it seems that everything works well. Traffic through most of the tunneled networks works perfectly. Traffic to certain subnets or hosts brings me into trouble, there is no traffic flowing through the tunnel at all!
When using the command "show crypto ipsec sa | i caps|ident|spi” I can see all of the tunneled subnets. The subnets that works perfecly gives me the correct "local and remote ident" output. The subnets with problems gives me wrong values in the "remote ident". The remote ident should be the IP address of the inside LAN (of the remote NEM) and not the IP address of the ouside interface (of the remote NEM). How is this posible?
Here's is the crypto ipsec sa output:
Result of the command: "show crypto ipsec sa | i caps|ident|spi"
local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0) <-- this is the good subnet of the inside interface (NEM) remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0) <-- this is the good subnet (HQ) #pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712 #pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 current outbound spi: A4FA947A
We have asa 5520 with 8.4(2) release and asdm 6.4(5). When we create new ipsec connection profiles (by ipsec wizard for example), ASA reset all vpnclients sessions active. Now we need to create new profiles, but we have 170 vpnclients sessions active, so we cant'.
I have set up a remote access ipsec vpn on an asa 5520. I can connect, and ping internal ip addresses, however I cannot ping back out to the internet, nor can the internal network ping the vpn clients and dns resolution internal or external does not work. I am seeing nothing blocked in the logs on the asa.
I'm trying to understand my options for assigning addresses to VPN clients on an ASA 5510. Under the ASDM, I have a field for DHCP servers, radio buttons: none, dhcp link, dhcp subnet, and field: client address pools. Cisco's VPN examples demonstrate setting up a client address pool, which I did, but the VPN client isn't assigned a gateway in the process so it can't connect to anything; I really don't understand the point of this. I'd like to create a DHCP pool on the ASA for VPN clients as this seems to be the standard configuration. However, I don't know where in the ASDM to configure this and how it's applied. The only DHCP options I found involved creating a DHCP server on an interface, which I don't want to do since VPN users aren't on a physical interface, right?
The title says VPN clients cannot access DMZ network, but that is not exactly the problem, the situation is this, a group of users are using an actual 10.x network where they have their servers and pretty much everything. The users must be relocated into a new network, the 172.16.x. In a point in time they will not have to use 10.x anymore, but meanwhile, they need access to that network.
I have an ASA 5510 as default gateway for the new network (172.16.x.x), one interface e0/0 connected to the outside (internet), interface e0/1 to the inside and other interface connected to the actual 10.x (which I call DMZ), so basically I am using the ASA as a bridge using NAT to grant access to the users in the network 172.16.x to the resources in the 10.x network while the migration is completed.
All the users must use the path to the internet thru the ASA using the NAT overload to the outside interface and I put in place a NAT policy to 10.x to allow access to the 10.x network only when the internal users 172.16.x try to reach that path and so far, everything is working just fine for the internal users.Now for some reason, when I do VPN, the VPN clients cannot reach the 10.x network, even when they are supposed to be in the internal network (because they are doing VPN right?) .
I have enabled split tunneling with NAT exempt the 172.16 network and I am not sure if that is causing the problem, because when I trace from my PC the 172.16.16.1 address using the VPN I get the proper route path, but when I try to reach 10.x, my PC is using its default gateway and not the VPN gateway which has a route to 10.x.
I’m not even sure if what I am trying to do is possible, I want VPN users to be able to access a 10.x network using NAT overload with the Interface of the ASA plugged to the 10.x network, just like the internal users are doing right now.
after upgrading an ASA 5520 to 8.4.2-8 VPN clients traffic is not passing destinations other then destinations behind the inside interface. the log shows routing failure for the vpn client on the inside interface.it was working fine with 8.4.1 but the traffic is originated from the outside interface. confirm the the interface for VPN clients changed from outside to the inside interface.
it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect.
We have remote VPN setup with Cisco ASA 5510. By using VPN filter, I can follow the guide and make client to use all necessary server services. (dns, ssh etc). However, is there any way that allow inside server access remote VPN client's services, ex. let inside server ssh to remote VPN client? Consider remote access VPN filter ACL's syntax, I have to always let source be the "remote VPN client PC", the dest is "inside firewall server", how can I let the other way traffice going?
We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect.
site A : ASA 5510 VPN gateway for remote users LAN 192.168.192.0/22 site B : ASA 5505 LAN 192.168.208.0/22
Both sites are connected through a site to site VPN.Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.
Here is a part of my configuration :
On Site A (ASA 5510) -------------------------------- name 192.168.192.0 SiteA_Internal_Network name 192.168.208.0 SiteB_Internal_Network name 192.168.133.0 VPNPool_AnyConnect name 192.168.133.32 VPNPool_VpnClient
I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
Our customer is using multicast in their internal network for their IP video deployemnt. Internallt on the network everything is working great.
We have two folks in management who want to be able to view the live multicast video feeds of the cameras remotely. I have tried to accomplish this using the Cisco VPN client. Although VPN connectivity is good (we can ping the individual cameras) they are unable to view the live multicast feeds. I enabled multicast globally on the ASA and the inside interface and get the same results.
Is there a way for the ASA to support the remote IPSec VPN client to view the multicast strams?
I have a strange issue on my ASA 5510 (8.4). I can't ping or connect to the VPN clients but the VPN clients can ping/connect to any inside resources. I have checked all the NAT extemtion entries.
We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.
I have an ASA 5510 8.2(5) in Site1 and a ASA 5505 8.2(1) Site2 they are setup with a site to site tunnel.Each site has VPN clients that connect and I would like to allow clients from both sides access to servers on the other side of the site-to-site tunnel.
I enabled same-security-traffic permit intra-interface I also added the remote networks to access-list that is doing the split tunneling. [code]
I have a situation where I need to have remote users vpn into my ASA 5510 and then turn around and hit a site to site tunnel. Now when I am in our office I can hit the site to site vpn fine. When I am at home and vpn to the asa I can not get to the site to site resources. Do you see where my config is incorrect? result of the command: "show run"
We have a working configuration for L2TP-IPSec connection from a native Windows XP client to the ASA 5510. When trying to set up a connection from a Windows 7 client, the connection fails with the message that all SA proposals are unacceptable? Is this coexistence possible, and what parameters would I have to change to get this working. I have understood that the Windows 7 client requires som higher security proposals, but have not found what these are. And at the sam time we are concerned about not destroying the VPN connection for our existing XP clients.