I have a 5510 running 8.42 code with multiple site to site tunnels coming into it. Sites vary from ASA 5505's, 1841 and 1921 routers which all work perfectly. That being said I think the ASA side is good. I have an 837 running 12.4 code, Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(5b), I'm trying to configure it for site to site VPN back to the ASA. When I ping from the E0 interface I get the following debug output and nothing else. I've made a lot of changes to no avail in getting closer to a successful configuration. [code]
I want to establish GRE over IPsec tunnel between four branch offices and head office. At branch offices, I have 1841 router with Advanced Security software. At head office, I have a ASA5510 7.2 as frontend with one public IP addres and 1841 router behind it in private address space. Since ASA is not supporting GRE tunnels, can ASA be endpoint for GRE over IPsec? If not, can ASA pass this tunnel to the 1841 router behind it, so 1841 would be logical tunnel endpoint? What should I pay attention? Should both ASA and every 1841 support NAT-T, or just ASA?
I have set up a IPsec L2L VPN between a ASA5510 and a ASA5505 which is working just fine.Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error.I have already searched the forum for this message to exclude all the possible reasons for this message:
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)
- the ACL's used in the crypto maps are exactly the opposite of each other
i want to create Remote IP Sec VPN on Cisco ASA5510.Problem is this 5510ASA is behind another 5520ASA and it dont have any public IP address on any of 5510 interface.if i do static NAT of ASA 5510 Private IP on internet facing 5520 IP Public POOL, then will VPN work on 5510 ASA? and what ports need to forward on 5520 for 5510 to become IPSEC VPN head end
I have the need to configure a backup VPN, I have remote branches with cisco 800 routers that make a VPN to an ASA5510 in the main offices, but as a DRP I want to have a backup VPN to another site. I dont know if it is a failover configuration or backup VPN, how to start investigating.
I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
I configured my cisco client with the info from the vpn wizard and get the following error :
error in the cisco vpn client when enabling the log : Invalid SPI size (log) + reason 412 the remote peer is no longer responding (application) message I see via the ASDM-IDM : Built inbound UDP connection for interface WAN
I'll explain briefly what I'm trying to do here :
* Remote vpn with windows users having cisco clients * Group authentication and in the asa5510 LOCAL authentication
My WAN interface contains a public ip/29 I also defined a LAN interface with security level 100 in 10.0.60.0 255.255.252.0 range the vpn dhcp range I want to attribute to vpn users : 10.0.69.0/24
Basically I want users to initiate the vpn tunnel to the public IP and be able only to access the LAN range with the 10.0.60.0/22 range
ASA Version 8.2(5) ! hostname xxxx domain-name xxxx
I have an asa 5510 that has many(17)ipsec vpn site tunnels on it. One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it. It does appear to be the tunnel only because there is no latency to the internet. I cleared the tunnel group out and readded it to no effect. isp says everything fine. any other known causes for this
In the LAN network , we use a DHCP on a Windows2003Server. Is it Possible to Configure the remote VPN Clients to use this DCHPserver throughout the VPN IPSEC and Assigned Automatically IP when the connection is done?
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.
I recently upgraded our head end ASA5510 at our datacenter from 8.2.1 to 8.4.5. The ASDM was also upgraded from 6.2.1 to 7.1.(1)52. Under the old code, a remote ASA5505 connected via Easy VPN Remote showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It would seem to me that each split tunnel network defined in the Easy VPN profile is being counted as a tunnel. Is it possible that I may have something misconfigured now that the code is upgraded?
I've configured a VPN IPSEC on my ASA5510. It Assigned IP/NETMASK/Gateway via a DHCP Server on the LAN.The problem is that when a client is connected to the VPN , it takes the right IP and NETMASK. ( 192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong ( 192.168.1.1). It should be the default Gateway of my LAN router ( 192.168.1.229).
i am just installing my ASA 5510 and i want to configure it for remote access VPN IPSEC client.i use this doc : URl,When i start the connexion, the Client uses the first address of the pool and not the dedicated address ?,i have forget something ?
i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
below is my configuration
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key * group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000 ---snapshot Ping test to DHCP-Server 10.1.1.200---- ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
the DHCP server is working when i assign ip address to the LAN network.
Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall.
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a wierd problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.
I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this i realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether i need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults i would have to override using that method.
I’ve attached a simple network diagram of my WAN network. We have branch offices that came into our Headquarters using VPN tunnels over the public Internet and then we have a handful of offices that are connected to our headquarters via a private MPLS network. All of this traffic is routed into our Cisco ASA 5510s that we currently use for firewall and core network routing and VPN termination. All branch offices have VPN tunnels to our Cisco ASA. The Cisco ASA isn’t necessarily designed for core routing even though it was worked decent for us. We’d like to move the core routing off of the Cisco ASA and just use it as an Internet security/DMZ device like it is designed. We were hoping to purchase one pair (for failover) of the Cisco ISR router to perform our core routing and VPN termination. Can we eliminate the Cisco 2621 Internet router and use a single, beefy router to handle the Cox MPLS traffic and the Internet traffic on the same router?If we had one ISR doing these duties, where would the router sit in our topology?Is it safe to bring our Internet Circuit and MPLS circuit into the same router? How about with VRF?Do the Cisco ISR 2900/3900 support VRF and can I do VPN tunnels if I do the VRF?
I have a cisco 871 router and I have set up an IPsec vpn on it. I can connect to the vpn but once connected I can only ping the router (10.12.0.1) but nothing else on the network. I can access the router via ccp/telnet and from the router I can ping other machines on the network, so I know that they are connected, but I can't access them from the vpn connected machine. Also the vpn connected machine can't access the internet while connected to the VPN. How can I get computers that connect via the vpn to see other machines on the network, and how can they access the internet while connected to the vpn?
Here is the running config:
Building configuration... Current configuration : 6760 bytes version 12.4 no service pad [Code]...
Since some days we have a ASA5510, we connected it on a Windows Vista Laptop via ethernet cable (using at the back of the router the mgtm slot) and connect it on the network slot on the laptop. Laptop is getting IP addresses automatically.
Now we tried to reach the router in the Internet Explorer using: http://192.168.1.1, but we could not reach this site. When I try to ping the router via cmd and typing ping 192.168.1.1 I get answers.
For us it is very important to change the IP address of the router, as he will be used in a network with 10.xxx.xxx.xx addresses.
I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.
Currently I'm using Cisco VPN client software to connect to a remote IPSec server on the workstations. I want to to configure IPSec client on Cisco 2600 router which connects to the remote IPSec server so the workstations can access VPN subnet without using VPN software. how to configure IPSec client on the router?
I recently purchased a 1941W Router and upgraded it to IOS15.2T. After upgrading I was disapointed to see that it didn't have IPSEC VPN capability. What do I have to do to get this support activated/installed on this device?
We have set up a site to site IPSEC VPN between a Pix 515E running 8.0 (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and ASDM on the pix to build the initial tunnels. Now the site with the router is changing to a Dynamic IP address from the ISP so we have set up Dynamic DNS to update the dynamic IP address.
The problem we have is that ASDM will not allow us to set a domain as the peer address, it will only accept an IP address. We think the solution will be to remove the static Crypto Map and replace with a Dynamic Crypto map on the Pix side. Our questions are simply; is this the best solution? can we edit the original static list or is it better to delete and make a new dynamic crypto map? Is there a short cut to change the config in command line? This is a live network so just want to check before we make changes on live kit.
I want to make ipsec vpn between ASA and Cisco 877 Router,crypto isakmp and crypto ipsec ACTIVE state its works fine but Cisco 877 can not ping ASA internet interface but can ping behind ASA PC,PC can ping 192.168.2.1 but Cisco877 can ping only behind ASA PC thats ip 172.20.1.18
Ex: 192.168.2.0(Cisco877) =====ASA(172.20.1.0)-------172.20.1.18 PC ASA IP : 172.20.1.2.54 C877 IP 192.168.2.1
I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.
The ASA is: Cisco Adaptive Security Appliance Software Version 8.2(2)Hardware:
ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz The router is:Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9_SNA-M), Version 12.4(20)YA3, RELEASE SOFTWARE (fc2) Router Config:!version 12.4!card type t1 0 0!no ip cef!ip multicast-routing no ipv6 cef!crypto isakmp policy 10 encr 3des authentication pre-share group 2crypto isakmp key xxxxxxx address nn.nn.12.130!crypto ipsec security-association lifetime seconds 86400!crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac !crypto map NOLA 11 ipsec-isakmp set peer nn.nn.12.130 set transform-set 3DES-SHA set pfs group2 match address VPN-ACL!controller T1 0/0/0 fdl both cablelength long 0db channel-group 1 timeslots 1-24!interface Loopback0 ip address 1.1.1.1 255.255.255.252 ip virtual-reassembly no ip route-cache crypto map NOLA!interface GigabitEthernet0/0 no ip address duplex auto speed auto media-type rj45!interface
We are trying to setup a router with two internet feeds both of them doing IPSec VPNs back to a single peer...one of these VPNs is for VOICE traffic and the other is for DATA traffic...we have a default route set out one Internet feed which is the primary feed used for outbound browsing and the data vpn. The only other routes on this router are two static routes for the destination private subnets at the remote end but pointing to each feeds respective default gateway...I would have thought this would work, but only the data vpn is coming up and the voice seems to stay down due to not having a proper route?
If I set a static route for the remote peer out the voice internet feed, then the data vpn would drop...should I apply a policy based route on each of the inside interfaces, voice and data, setting the ip default next hop to their respective default gateways?
