Cisco VPN :: 5520 Cannot Connect Remote Subnets Via ASA To Draytek Router VPN
Jun 19, 2011
my local site has Cisco 2811 router connecting locally to ASA 5520. Remote site A has Draytek Vigor2950. I have working vpn between local subnet 10.0.0.0/24 and remote site A 10.100.6.0/24. I have remote sites B (10.100.7.0/24) and C (10.100.8.0/24). I would like to route traffic from local site to remote sites B and C via the local-to-remote A vpn. On Draytek routers B and C, I have added to subnet 10.0.0.0/24 to the remote network profile list. On local router, I route traffic for subnets 10.100.7.x and 10.100.8.x to the ASA. On ASA I have added these subnets to the profile for local-to-remoteA vpn.But the vpn will not establish when I attempt to ping from local to remote B or C.
I have a need to Remote Desktop connect to company’s employees for support then they are abroad and using Cisco AnyConnect client.Cisco AnyConnect client connection works fine, clients can reach company’s inside network without problems, but I cannot make revers connection, I cannot Remote Desktop connect or ping VPN clients from companies inside network. I cannot ping clients from ASA too.I am using ASA 5520, Cisco Adaptive Security Appliance Software Version 8.4(3) Device Manager Version 6.4(7), and Cisco AnyConnect VPN Client 2.2.0133. Protocol Encryption- AnyConnect-Parent SSL – Tunnel DTLS-RC4 RC4 AES 128.
I am coming to this forum because TAC and several CCIEs are having trouble finding me a solution to my problem. I have Two 5520s each running 841 connected in two different data centers with two different internet providers. I have 100+ 5505s that have the capability to connect to either 5520 via EZVPN to either 5520. Up to now there has not been a need for a 5505 connected to one 5520 to talk to another 5505 on the other 5520. Each 5505 accesses network resources as in any enterprise network. Our company recently started telecommuting and I have been giving 5505s and a VOIP phone out to people. What was discovered is, if you are on one 5505 connected to a 5520 and the other 5505 is connected to the other 5520 the audio in voip does not work. If both the 5505s are connected to the same 5520 than everything works fine. Conversely a 5505 on one 5520 cannot ping a 5505 on the other 5520. 5505s on the same 5520 can ping each other no problem.
My problem: All 5505's are configured for a 172.18.xxx.xxx 255.255.255.224 subnet. This subnet is not used anywhere else. So I have a 100 Class "C" subnets carved up into 255.255.255.224 networks. If I look at a specific route for a subnet on one 5520 I see it pointed to the outside interface via RRI. I can look for the route in the 5520s connected CORE switch and I see the route pointed to the 5520. We have a fiber connection to the CORE in the other data center. The route is in this CORE switch as well. When I look for the route in the 5520 connected to this core it is not there. I have all other routes visible but not this particular route which should show on the inside interface. All I show on the 5520 are the 5505s connected to this ASA. So the 5520 is not processing the RRI subnets from the other 5520 and vise versa. Thats why a 5505 on one 5520 cannot ping a 5505 on the other 5520. I only see 172.18.0.0/27 on the outside interface of both 5520s. I do not see any 172.18.0.0/27 on the inside interface on either.
I have had numerous TAC cases open on this and no one seems to either understand my problem or have a solution for me. My local sales rep CCIE says the problem looks like a bug in 841 (which I am running) and that the ASA is not processing RRI from eigrp which I am running as well. The whole network is running the same instance of EIGRP including the 5520's.
My questions: 1) Is it possible the 5520 is not allowing 172.18.0.0/27 on both the outside and inside interface? Even though all subnets are masked proper the ASA maybe thinks it is being spoofed? I have not been able to confirm this using the real time log. 2) Could this really be a bug? I have looked at all the release notes and have not found anything resembling my problem. TAC has not recommended that I upgrade or downgrade my IOS.
Our IPS has given us a second range of IPs as we were running out. Unfortunately, they can only give us two non overlapping range. I am running two ASA 5520 in fail over to handle our traffic but I don't know the best way to use both external ranges. This is not a failover scenario -- and I need outward facing servers on both ranges. It is adventageous to us to keep the two external subnets separating two of our operations so we don't want to bring everything into one subnet (long story).I have one NIC designated outside that will need to cater for both wans. As there are two subnet there are two gateways. How do I keep the traffic on track?
i have a asa 5520 that is working with three zones DMZ, inside and outside.
my DMZ is for all my branches and it had a /24 subnet my inside had a /24 subnet and all was fine i could talk to branches and they could talk to me. i also had all the branchess accessing internet via the ASA which is at HO. i changed the subnets from /24 to /21 and broke everything
below is the configs for the asa ! interface GigabitEthernet0/0 nameif outside
I am struggling on a problem for over 2 weeks despite of various researches.
We have a Cisco router, then an ASA 5520 8.4(3). The private interface of the ASA is connected to a switch, and so on connected to one interface of the router. The private interface is as following : 129.88.63.253 255.255.248.0 (/21) => It is in the 129.88.56.0/21 subnet
Here is the part of the router config we are interested in : ! interface Vlan32 ip address 129.88.63.254 255.255.248.0 (this is the tunnel default gateway configured on the ASA - 129.88.56.0/21 subnet) ip address 129.88.71.254 255.255.255.0 secondary ip address 129.88.75.254 255.255.252.0 secondary ip access-group CVPN-depuis-129.88.56 in ip access-group CVPN-vers-129.88.56 out ip verify unicast source reachable-via rx allow-default no ip redirects mls rp ip !
On the ASA, there is currently one default route for the tunneled traffic : route Private 0.0.0.0 0.0.0.0 129.88.63.254 tunneled As you can see, it's on the same subnet as the primary IP address of interface Vlan32 on the router.
The scenario is as following : - we can connect to the VPN with the appropriate alias (LDAP connection), then we get an IP address in the defined range (it's a local ASA pool) - the pool is : 129.88.71.0/24 - but, once we are connected, we can't do anything, because it seems like we don't have any network access
Site A: ASA5520 VLAN data subnet 172.16.10.x/24 VLAN Voice subnet 10.0.0.x/24
Site B: ASA5505 Base license VLAN data subnet 192.168.10.x/24 VLAN Voice (restr) subnet 10.0.1.0/24
The callmanager is located on site A and needs to sent out DHCP-offers to site B through the VPN so the IP-phones can register to the callmanager. I got the VPN up and running for the data-subnet but i can't get traffic through the voice-subnet/VLAN.
Can the ASA's do the job or do I need to route traffic before the ASA's on both sides and sent it through the tunnel, configured both subnets as interesting traffic? Ofcourse the last situation I need to upgrade the license for the 5505 to gain more VLAN's.
The problem is when one of the hosts trys to reach the inside interface of the remote ASA. E.g. Host 1 trying to ping ASA5510 inside interface. Again Host 1 and 2 have the same subnet address of 10.1.1.0/24. I have configured the ASA 5505 to do the the NAT translations.
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
I have a cisco 877 router connected to our adsl broadband at our head office. I have managed to set this up with Nat and DHCP all working to let multiple users access the internet through our single static ip supplied by the ISP lets say the ip is 1.2.3.4.Our internal network is 192.168.1.0 255.255. 255. 0.I have a draytek vigor 2600 at a branch office set up the same with a static ip addresss supplied by the ISP lets say the ip is 5.6.7.8.The internal network is 192.168.4.0 255.255.255.0
I am trying to set up a VPN between the head office and branch office so the branch office users can connect to our internal server(lets say ip is 192.168.1.2) to receive group policies,access files and also telnet into our database server(lets say ip is 192.168.1.3).I have attached a sort of running config that i have pieced together from bits i have read on this site and others. I have tried these settings and other permutations of these settings but i cant seem to establish a tunnel even though when i show int tunnel0 on the router it says tunnel is up and line protocol is up, if i show ip route it shows that there is an ip address for the tunnel and that is about it(No vpn light on).
If it makes sense and that I have entered the right information? I have highlighted the parts i am not sure about in red(Quite a bit and obviously not the exact settings but what i think it should be). Once all the settings are correct on the cisco will it automatically establish the vpn or do i have to dial it from the draytek.
My company is setting up a small branch in Scotland (the main office is in Bristol)All we need one desktop, one laptop, a printer and we will be using a DraytekVgn router, and a small switch.We need VPN to this office to set up an inhouse application.How would I set this up with minimal configuration.......ie...Does BT send a router/modem with the set up..Is there anything inside the router configuration that has to be changed.(I know PPTP etc has to be enabled).Do I use the same vpn external ip address we use for our other 2 branches....Can I change the IP Address of the router from 192.168.1.1........to say 192.168.100.1.
I have managed to get the tunnel up and working and we are sending data via the tunnel from our Cisco VPN router to the Draytek and onto the clients server. (they , the client, have acknowledged that they are recieving and sending packets back to us).But, we never see any returning packets at our VPN tunnel endpoint. When we send I see the encrypted packet count go up , but the packet decrypt remains at zero, this is using show crypto ipsec sa | begin x.x.x.x.
We do have other working VPN solutions, but this is the first connecting to a Draytek. The ACL's are matching, and they have NAT turned off. The routing is fine or else the tunnel would not come up as are all the tunnel parameters, else our packets would not arrive at their server.
I'm having some rather odd issues with my wireless connectivity. Running a draytek 2830n router. The wireless connection drops out at random sometimes, at other times it connects (shows full reception) but does allow any kind of internet connection. Plugging in by lan cable allows normal function.I have no clue whats going on but I did just notice that shutting down one of the laptops connected to the network (Dell lx502) appears to have solved the problem for the moment. I've not had a chance to test this as a long term solution. However I believe this is the only laptop with a dual band wifi card.This problem was also occurring on our previous router, a draytek 2820vn but the symptoms were a bit different and this laptop was not there at the time.Is it possible for one machine to knock out an entire wireless network? The other change I made yesterday was to activate the bind ip to mac function on the router for our new NAS as I was messing around with ftp configurations.
I have 2 DSL Lines going into a load balancing router. The load balancer is set up to distribute the traffic equally on the two lines, hence doubling the bandwidth. Though great at load balancing, it cannot handle DHCP for the 50+ users on our network, and therefore we are using another router for DHCP, which is running DD-WRT firmware.DSL 1 - 10.1.0.1DSL 2 - 10.2.0.1Load Balancer - external 10.1.0.2, 10.2.0.2 internal 192.168.10.1. DHCP Router - external 192.168.10.2, internal 192.168.1.1All other devices - 192.168.1.xThe load balancer has many options to direct traffic to one WAN port or the other based on IP address, which we would like to implement. But right now, since all my devices are on the 192.168.1.x subnet, it can't see anything but the DHCP router. So essentially it thinks it has only one client.
I need to NAT some subnets to one IP and other subnets to another IP. The range command want work because some of the subnets are out of order.For example subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 nat'd to 1.1.1.1. subnet 192.168.26.0-192.168.27.0 nat'd to 1.1.1.2
I have problem of Site to Site connectivity I have 2 sites (Site 1' public ip. 115.119.120.X, local ips are 192.168.1.0, & Site 2' public ip 115.119.187.X, local ips are 192.168.2.0)Both sires are having different locations & using routers are Maipu 800.At present both sites are running with internet (each router are configured for DHCP, NATING & DNS for intenet)guide my with complete config, both local systems has to communicate...My preperance is existing routers & If it is nessary to change the routers, what will be the config.
How is it possible to connect a host to a switch when they're in different subnets? I'm new to Networking and was thinking it may be achievable through VLAN configuration?
I've recently installed a Cisco ASA with a NAT'd configuration, I'm in the final stages and would like to configure a lan to lan VPN to a Draytek box and that unfortunately isn't going well and having spent almost two days on it am starting to wonder if it will actually work. I can get it to connect but no data seems to be transmitted between the two.
Site A on the range 10.0.0.0 has the ASA and Site B is on the 192.168.16.0 and is a Draytek 2930.
Below is the ASA config created with the lan to lan wizard:
I have an ASA 5520 with multiple site-to-site VPN's. A remote customer has changed their Public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without have to put the pre-shared key in again as we don't know what it is and they don't manage their firewall.
I have a dmz interface on a ASA 5520 that is used for wireless internet and i would like the users to be able to vpn in however they can not because they are coming back through the same outside interface. Do i have to nat the VPN ip pool or just use some form of hairpin routing or nat. I am using 8.2.
We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?
I have 2 dual ASA 5520 devices running VPN at two geographically different locations. What is the best way to do failover between the two remote locations?i.e. can Cisco GSS / Cisco CSM/ACE be used and if so how would this work.
The problem is that the 10.0.0.0/8 internetl network establishes the connection via the outside interface. However, the return path is via the inside interface. But the vpn concentrator keeps showing next-hop not reachable for USP 500. Why does it show that when it has a route via the inside interface.
6|Jan 29 2013 13:44:38|110003: Routing failed to locate next hop for udp from NP Identity Ifc:202.x.x.x..29/62465 to outside:10.163..x.x/5892
Also, since we are trying to send traffic from outside to the inside interface, I tried to NAT the source ip i.e 202.x.x.x and left the source unaltered. But it still doesnt work.
I am wondering why is the ASA not routing via the inside interface and looks for the return traffic via the same outside interface the traffic entered in. The outside has a security-level of 0 and the isnide has a sec-level of 100.
I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"
As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.
We're trying to establish a "simple" vpn tunnel between a cisco 800 and a draytek 2910, situation:
LAN (192.168.2.0 ) --cisco800 ----- internet ------ draytek ----LAN (192.168.20.0 )
WAN-ports , internet access on both sides are working fine.vpn configuration part cisco:
crypto isakmp policy 1 encr 3des authentication pre-share group 2
[code]....
What can be wrong: other protocol? something with pfs? diffy hellman group: i heart draytek used 1 and cisco 2?debugging on the cisco site keeps on ginving the error message:
entry number 487 : CRYPTO-4-IKMP_BAD_MESSAGE IKE message from x.x.x.x failed its sanity check or is malformed timestamp: 4002880
I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
I am having an issue with establishing L2L VPN with remote site. My side is cisco asa 5520 and other side is check point UTM-- tunnel is not up.just wnated to confirm on my sidde if the configuration is OK.al the parameters using are correct for both side. any issue with below conf ? default route is pointing to my next GW address is there additiona default is required for VPN ? to reach the remote LAN somthing like pointing to remote peer address.to give a brief idea front end device is router as GW wher in internet is terminated and other wan connections ASA is behind ther GW rtr and outside int of asa and lan interface of GW rtr is having public ip. LAN switch is connected to ASA
I have a remote office that currently connects back to a Central data center via Site to Site VPN. I am bringing up a 2nd internet connection as a fall back in the Remote Office. How do I configure the Site to Site VPN to work correctly so that if the primary internet connection goes down, the site fails over to the secondary? On Remote the internet connections are from different providers so they have completely different blocks of public IPs.
Central ASA 5520 8.0(4) Gig 0/0 Public IP
Remote ASA 5520 8.4(1) Gig 0/0 Public IP Gig 0/3 Public IP (2nd internet)
Not sure if my subject is a good decription of the problem or not.
I have an ASA 5520 at my home office and a SonicWALL NSA2400 at my remote office. The remote office has dual internet connections and I wanted to create two seperate VPNs between the devices using each internet connection on the SonicWALL.
I know how to configure this on the SonicWALL, the problem is on the ASA 5520
OK Basic network config
Main Office
ASA Public IP 1.1.1.1
ASA Internal network 192.168.1.0 (VPN source)
Remote office
Public IP 1 2.2.2.2
Public IP 2 3.3.3.3
Iternal network 192.168.2.0 (VPN destination on ASA)
If I have a VPN from the main ASA to either one of the SonicWALL's public IPs everything works fine
If I create 2 VPN tounels from the main ASA, 1 to each public IP on the SonicWALL, the VPN shows as up but no traffic flows.
I Have asa 5520 terminate the remote access VPN Connection,when successfully connect to my corporate Network and try to copy a file(30MB) from the share to my PC ,it takes around 2 Hours or it disconnect.what is the speed of the vpn client once y connected to the corporate over the Internet ?at my home i have 512 ADSL while at my corporate we have 155Mbps Internet speed.
We have 2 5520 ASA's working in an active/standby function at our central site. The remote agencies have control of their ASA's or other devices able to create VPN tunnels back to the central site. When a new remote agency wants to connect to our central site we assign them a network range that is routable on the central sites network.We ask that the remote agency NAT into the addresses we provided them.This way we are able to route back to them. We assign the interesting traffic and then they we start communicating by way of the tunnel.
Since the central site can't control the traffic coming in on the site to site tunnel other than just defining the interesting traffic AND we aren't able to control the NAT on the remote end how can I put an access list on the central site ASA to allow only certain ports and IP's by way of access list? Ultimately, I'm trying to limit traffic on the central site coming inbound to only allow traffic I want. I tried applying a group policy to the lan2lan site to site tunnel, but it failed for some reason. It actually prevented all traffic. Can I apply a group policy to a site-to-site tunnel?
I'm struggling here a bit as I don't have control of the remote end. They can NAT whatever they want to an address in the range we assigned them. The tunnels interesting traffic is set to full ip to the central site's destination. The interesting traffic on the central site is set the same. However, on the central side...I want to limit that traffic to only certain ports by way of an acl. If it is possible to assign a site-to-site tunnel a group policy and filtering is done in that method, can
Is there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.
