I configured the VPN on the ASA, I can not get a client to connect to the ASA
: Saved:ASA Version 7.2(2) !hostname domain-name enable passwordnamesddns update methodddns both!!interface Vlan1nameif insidesecurity-level 100ddns update hostname ddns update dhcp client update dnsip address 192.168.1.1
[Code].....
I have an ASA 5505 that has had a working configuration with several AnyConnect clients using dual authentication for weeks now. My normal process for adding new users has been to configure the user in both authentication databases and the onboard certificate authority, have the user connect to the outside IP of our firewall with IE, download the P12 cert after entering their OTP and then connecting once the cert's imported to download AnyConnect.
I had to add a new user a couple days ago and curiously IE (8) on their computer could not connect to the outside interface of our firewall, as if the laptop had no internet connectivity. I could telnet to port 443 from a command-line, and could even hit it with Firefox (which I ended up doing to download the P12 cert...). I can hit other SSL-enabled and standard websites from IE as well as Firefox. In addition, because AnyConnect seems to rely on the same mechanism to connect as IE does, AnyConnect can't connect either.
I then tested using a previously working laptop fully configured with AnyConnect and a certificate and now it can't connect. There are other previously working laptops that still work, which only makes the issue more clouded.
In watching the logs on the firewall, when one of these non-working computers attempts to connect they hit the firewall, a connection is opened and the SSL handshake is started, but it's never finished and the connection is torn down. Working computers complete the handshake as expected and a tunnel is opened.
I've checked IE forums for this issue and none of the fixes found therein seem to apply or work. Since this issue seems to only affect IE and AnyConnect's ability to connect to my firewall I have to assume the issue is there.
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
[code].....
what I need to add to get the vpn client to be able to ping the router and clients?
ASA Version 9.1(1)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code]....
I've configured a 5505 but internal clients can't ping external ip. To test I've connect a pc with the ip of the default router on the Outside int the ASA can ping the PC and the PC can ping the ASA, but internal clients can't ping the PC
PC config 195.12.23.241/28
Here's the ASA config, so far I've wiped the ASA and started with a blank sonfig and built it up but still not working.
ASA Version 8.2(5)
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
[Code] .....
I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
:
ASA Version 8.2(1)
[Code].....
I'm trying to configure an ASA 5505 to view my Slingbox from my iPhone/iPad from an outside or 3G network. I can't ping my internal networks while connected via AnyConnect. I know that I need to free up port 5001, but I can't seem to get it to work.
View 0 Replies View RelatedI'm looking to setup AnyConnect VPN with no split tunneling. ASA 5505 v8.2. It seems this should be really easy. I must be missing something.
I can get the AnyConnect users to connect fine and they can access sites internal and at other IPSec-tunneled sites. But no access to the internet.
Internal is 10.1.1.x, VPN pool is 10.1.1.251-253 (Temp list for testing). I issued the following tracer: packet-tracer input outside tcp 10.1.1.253 12345 69.147.125.65 80 detailed
The last reported point (where it fails) is:
Phase: 7
Type: WEBVPN-SVC
Subtype: in
[Code].....
I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with it's capabilities to act as a DHCP server (it's not an option in the ASDM) or it's ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site to site VPN. As is the 5520, so all of it's interfaces are used as well).
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set it's default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I dont' just connect the two swtiches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why i can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
View 1 Replies View RelatedSo here's what I think I should do to give email access only to a segment of addresses of my inside network.
1) Create a network object for 62 machines that will represent my dhcp clients.I plan to use 192.168.0.65-192.168.0.126. So I will use address 192.168.0.64 with netmask 255.255.255.192. Then set DHCP server to service this address range.
2) Create an ACL which will Permit Any to use tcp port 110 (pop3) to get to the outside. Which leads me to question #1:
How do I permit the source "Any" to communicate with "Any Less Secure Networks" like the implicit rule that gets zapped once I create new ACL? Is "Any Less Secure Network" implied by the "Any" destination?
3) Create an ACL which will Deny my DHCP range to talk to the outside.
4) Create an ACL which will Permit Any to talk to Any Less Secure Network(essentially recreating the implicit Permit ACL that got zapped).
I'm having trouble setting up local LAN (reach inside network when VPN connected) and Internet access (reach internet when VPN connected) for my VPN CLients when they are connected to my VPN, They can connect, no problem there, but I can't reach any resources when connected. My pings time out, both to my inside network and to public ip adresses, the only thing I'm able to ping is my ASA (172.16.30.1), and I don't se any routes under "Status/Statistics/Route Details" in my cisco VPN Client (when connected).
Here's my config
ASA Version 8.0(3) !hostname KardesASAdomain-name default.domain.invalidenable password XXXX encryptednames!interface Vlan1 nameif inside security-level 100 ip address 172.16.30.1 255.255.255.0 !interface Vlan10
[Code]....
I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. What ports I need to open up? My AD servers are Windows 2003.
View 1 Replies View RelatedWe have an ASA configured to access the internet, which works fine for clients who have an IP address assigned by DHCP, but not for clients with manually assigned IPs.
For instance, with the DHCP server configured to give IP addresses between 172.16.101.1 and 172.16.101.10, a device may get the IP address 172.16.101.1. This machine will have connectivity to the internet.
If we then configure DHCPd server range as 172.16.101.2 to 172.16.101.10 and statically assign the 172.16.101.1 IP to the client, it will not have internet access. It will, however have inside access and VPN access.
If I try to ping 8.8.8.8, the following is logged:
ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100 (type 0, code 0)
Where 'servers' is the name of the inside interface the request is made from and 'xxx.xxx.xxx.100' is the external IP. It seems as DNAT is not working when the client IP is static assigned.
My ASA 5505 has stopped giving out DHCP address to my machines.Everything was working fine and nothing has changed in the network. I've reloaded the firewall and clear all DHCP on the firewall I've even re-entered the cmd on the ASA.
I'm able to staticlly assigned address to the clients and all is way. When I do a DHCP debug on the ASA I don't see any events relating to the DHCP service apart from checking for lease expiry.
I've also tried to plug a machine straight into the ASA and no result. I finally did a packet capture and I am seeing the client machine sending out a DHCP discover packet and nothing else is responding.
My ASA config is:
dhcpd address 192.168.3.10-192.168.3.33 inside
dhcpd dns 8.8.4.4 interface inside
dhcpd option 3 ip 192.168.3.1 interface inside
dhcpd enable inside
Just installed ASA -5505 replaced cisco 851
My exchange server hosts remote outlook clients and remote web access
no one on the remote side can access my exchange server
internal mail flows in bound and out bound.
My iphone can not access the exchange server either.
When the Cisco 851 was online all the above worked great. Nothing changed on the remote client side just put the ASA 5505 in service.
I am new to the ASSA 5505 family. Had a reseller configure the router but unable to get them at this hour. Called Cisco support but they are closed at this time also.
I have a couple of ASA 5505's which work fine for what they are doing VPN and all that - we have 1 DLINK DFR-700 Firewall left and I need to get a new ASA to replace this since it is old.
All this box really does is port forward external clients to 1 address on the internal lan for client software updates. Any example configs?
So lets say we have client a with IP 1.1.1.1 and client b has 2.2.2.2 - at the moment this is what happens client a and b come in through http and get mapped to the internal http server 10.10.1.2
So I need to setup about 100 clients which can come in through http only - get mapped to the internal IP and also keeping the internal server to be able to access anything outside.
We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.
View 1 Replies View RelatedI wanted to know the maximum VPN client sessions (using the Cisco VPN client) and Site-to-Site VPN tunnels that I can connect to my ASA 5505 simultaneously.
In other words, if I have x VPN clients and y Site-to-Site tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)? If yes, can I upgrade to the security plus license to increase the Total VPN Peers to 25?
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
[Code]...
Once a client connects to my VPN (VPN Client 5) they can not see anything other than the outside interface. If I ping anything on the LAN for example I get a reply from the outside interface. I can not see any WAN either (even by IP) My LAN clients can see the clients within the VPN Pool. I would like all traffic to flow through the VPN. I have tried split tunneling to verify if the internet would work and local lan would stay connected. It does work but I was still unable to access anything on the remote netwok. I am not sure if I am missing a nat command or something simple.
The current setup is as follows. 881 Router with windows 2008 radius authentication. The client is authenticating and reciving an IP address from the local ip pool. Please see below for the running config.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
My testing shows packets just dying in the 5520.
I just purchased a WAP 321 and followed the setup wizard. Its powered by a poe switch. The issue I have is no clients can connect to it. I updated the firmware. I reset to factory and tried setting it up manually till no one can connect. I dont understand what im doing wrong here. Unless its a bad unit. I will have about 10 to 15 clients connecting to it. Its the only ap in the building.
View 12 Replies View RelatedI bought 3 of the Aironet 1231g access points and cannot get any clients to connect to them. I have tried everything from an Iphone, Droid2, Win 7 and XP laptops with built in wireless G cards. All say that they cannot connect to the wireless network. I have two setup currently, one on Vlan 1 that I have configured the way I want with WPA2 enterprise. The other one is just one I setup while playing around.
View 4 Replies View RelatedBasically, yesterday while hanging some 3602's going to a different controller, I started getting task reports of wireless phones not working. However, due to the area of complaint I mistakenly assumed it was due to me causing havoc in the area with AP replacements. Then the issues started to spread with Carts and Cow's and other various devices not able to connect until it started affecting me. I was not able to connect to any SSID at all, kind of nerve racking when you talking ICU/NICU area's in a hospital. Once I got to a wired device, my first thought was to move the AP's to a different controller to at least try and get things back up and then work on the controller to see what was going on. However, in trying to get the AP's to move, most of them wouldn't. In hind sight, I wish I had just shut off the etherchannel port on the 6500 that this wlc is on and force the AP's to move that way, but with people standing over me I ended up just rebooting the controller. Of course, once it came back up the AP's reattached to it but everything was working fine. I went ahead and moved the AP's off of it to another controller for now but am searching for answers. About to start digging into bug reports, but am concerned with this line of code causing the issue and worried about moving to 7.2.110.
View 4 Replies View RelatedPurchased an 887 my my home office. ADSL ATM0 and Dialer get an address from my ISP, have tried to configure NAT but none of my clients can browse the internet. I can't ping outside the network but I can ping clients internally as my clients are connected via a switch, which is plugged in before the 887. I can get access to the router via the Command Line and CP Express and Config Pro seems to work.
Building configuration...
Current configuration : 8900 bytes
!
! Last configuration change at 12:47:16 NewYork Wed Dec 14 2011 by elrooko
[Code].....
I have 4 desktops cat5 to Dlink DIR 615 router. All work fine. Any wireless clients, laptop or netbooks, see the desktop computers for a while then disconnect somehow. All machines can see the Internet through the router at all times. The desktops disappear from the laptop/netbooks but the wireless machines can be seen from the desktop computers but clicking on them gets 'Access Denied' message after a wait.3 desktops = XP, 1 98SE. All laptop/netbooks = XP
View 2 Replies View RelatedI want to know why all my wifi client connect only in G protocol, even if the wireless card supports N, even if all the AP in one of my buildings is AP3500. In the WCS config for my two WISM controller the 802.11a network status is disable, the 802.11n network status is enable and the 802.11b/g Network status is enable and 802.11g support is enable. even in that part of config the 802.11n is enable.
In the High throughput 802.11n section all the rates is check to be supported.
What config I'm missing to get my 802.11N client to get connected with this protocol and not on G protocol.
What's wrong with this config ? Clients can see the wireless ssid's but cant connect.
View 1 Replies View RelatedI have a computer (client) and I have connected to gateway and internet but I'm not connected to other clients.
View 3 Replies View RelatedI have a 4402 which is connected to a 4506 Switch int Gig 3/1 via a trunk port. The Managment and AP-manger interfaces are on vlan 6 [code] I have a 1142N AP also connected to the switch and it pulls a DHCP IP Address and configs etc and registers to the WLC. It too is on Vlan 6 and it is connected to the 4506 on int gig 4/33 which is an access port. [code] I am doing local authentication, so i have added users to the WLC.. My problem is that the first client that connected was able to get an IP address and connect to anything internal and external.I then connected another client on another laptop and that client could connect but not get an IP address, it just self assigned.When i look at the clients i can see the MAC address of both Clients on the WLC, but doing a show mac address-table dynamic i only see the MAC of the client that works properly. The client that doesnt get an IP has no entry in the 4506 switch.I am stumped, from what I understand, is that the 2nd clients traffic is being trunked to the WLC , hence it has the MAC address. But I dont know why its not getting a DHCP assigned IP address.
View 37 Replies View RelatedI am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn’t have to reload the ASAs. The issue‘resolved’ itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz version 8.3.2.
I have a WAP4410n which has been configured with a single SSID since implementation several weeks ago with no issues. I am now trying to add a second SSID and not having any success. Originally the second SSID was not being assigned a MAC address and thus not being broadcasted. After upgrading firmware to 2.0.4.2 I now see a MAC address associated with second SSID and it is being seen by clients, but they still cannot connect. I reset the AP to default settings and reconfigured from scratch but still no luck. I have two of these APs, the other one is still at FW rev 2.0.1.0 and has same issue (it does have MAC address associated with second SSID so I didn't bother upgrading firmware yet).
I have tried a few different authetication options, including disabling authentication, to no avail. Question - I do not see an IP address associated with the second SSID - is that the problem and if so, how do I fix that?
I have a AP1240 Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1), and want to configuration WPA2 without using Radius.But my clients can not connecto to AP. On AP always display messages "%DOT11-7-AUTH_FAILED: Station 0026.6609.e55d Authentication failed"
Here is my configuration:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AC1P1F08
[code]......