Cisco VPN :: ASA 5505 Does Each EasyVPN Client On Network Take Up 1 Of 10 Licenses
Mar 8, 2012
I have a Cisco ASA 5505 which is setup as an EasyVPN client to e remote VPN concentrator.The Cisco ASA has the 50 internal user license with 10 VPN peers.We just upgraded the license from the base 10 internal user to 50 user license but it has not resolved the problem and only 10 internal users still work, the 11th fails. Does each EasyVPN client on the inside network take up 1 of the 10 VPN peer licences? This seems to be the issue from what I can see, just need confirmation.
i have a question about tunneling a software EasyVPN client to a client ASA Network. It looks like this:
EasyVPN Server 192.168.202.0/24 Network extension mode to Client EasyVPN ASA 192.168.1.0/24 This works fine in both directions. But now i want to connect the client ASA network via EasyVPN software client from outside. The user are already able to connect to the ASA Server on its static outside IP obtaining an IP from a 192.168.21.0/24 pool. This works fine. But how am i able to connect to the 192.168.1.0/24 network from this client?
So I have three ASA 5505 firewall. my firewalls we are in the test environment. I read on the net that when you have a situation like in my company where are headquarter and two offices, i should put in each branch office and headquarter one asa firewall and a firewalls should be configured as easyvpn.
VPN server is in headquarter and easyvpn's are in branch offices. i tried everything, but we could not configure them. maybe it's not a problem that in my test environment at my the external interfaces which have static addresses on these three firewalls, respectively serever 192.168.2.1, 192.168.2.2 and 192.168.2.3 client client. I seted firewalls by following the instructions, but does not work
I solved the problem with the server as a remote access VPN. client workstations that are on the 192.168.2.0/24 network can access a local LAN via VPN. But when you put the ASA 5505 firewall. clients on the LAN side of the firewall can not access the VPN. I use software products Cisco VPN Client 5.0.06, but when I create a connection and try to connect to get an error secure vpn connection terminated locally by the client. reason 412: the remote peer is no longer responding.
(Router is ISR 1921)This is doing my head in. I am not using NAT, there are no ACLs, there is no split horizon.Here is what I have. It is practically generated by CCP. When connected I cannot ping the loopback interface or the gig0/0 interface, (not to mention anything else).
version 15.0 service config service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname dcsgw1
I am using Cisco configuration professional to set up one easy vpn server on 887-K9,vpn client can dial up the server successfully but can only ping router but on other lan. Looks like there is a nat issues between lan and vpn client?
I need to configure our ASA5505 firewall for remote access to our network using EasyVPN software installed on a laptop. That laptop will be connected in the different places, using DSL or 3G toggle or Public Wi-Fi. For some people it's very easy, but I don't have any experience with firewalls.
I have couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: VPN Client establishes the connection, traffic flow, destination network can be pinged. After a few minutes traffic stops passing the VPN. No ping to IP or DNS names can be made. In order to resole it. Users have to re-establish the VPN again. Occastioanl it stays and continue to work.
2: VPN Clients don't pick the same IP address from local address pool even though I specified "RECYLE" option in the IP local pool command.
############################################################################## TQI-WN-RT2911#sh run Building configuration... Current configuration : 7420 bytes ! ! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
We have many new and very small remote sites that will be connecting via an ASA5505 using easy VPN. Works without an issue and we've got the configuration and process nailed down.
The challenge I was presented with today involve non-standard remote sites where I need to configure a third interface on an ASA 5505 and allow it to pass directly to the Internet and not go through the VPN. Configuration of the third interface, assignment and configuration of the ACLs / NAT(PAT) are straight forward.
The challenge I face and haven't been able to find a direct answer to is if it's possible to have the traffic bypass the easy vpn network extension process. At this time the traffic is going down the tunnel which isn't what I want.
I fear I'll have to build classic site-to-site VPN configurations which isn't a huge issue though it breaks all maintenance/operations methods, processes and I'll have to spend time training the support team how to detect the differences.
I've two sites, the branch with an ASA 5505 and on the corporate office i've an ASA 5510.I need to make a easy vpn tunnel between this to sites and I've made some configuration, but for now, the ikev1 isn't working.
I have a branch office set up with a cable modem and an ASA 5505 as an easyvpn hardware client with network extension mode enabled, and connects to a PIX515E at the headend.I'm working on a separate issue for why the Internet connection drops periodically at the site, but my main problem is as follows.In this location, I have an 1142 LAP. It can boot up, and join the WLC just fine. Performance seems a little slow when it's working, but it works. The real issue is, if the VPN connection drops and reestablishes for any reason, the wireless clients all cease being able to communicate. All wired clients seem to bounce back without a problem.
The access point still shows to be joined to the controller, the access point never goes down, just wireless clients can't access anything any more. If I reload the access point, clients reassociate and continue on their merry way. For now, I am experimenting to keep the connection from dropping, but I'd really like to get it where I don't have to babysit this thing all day and night, and it can rejoin and function normally by itself after an outage.We are changing to this configuration from wireless bridging due to interference and reliability issues - however, I never experienced any similar issues with this particular access point before, so it's not the access point itself.
I am installing 2 ASA 5505s at home offices with dynamic IPs. The EasyVPN server is a ASA585x. I am using the 5505s in NEM mode. I configured a unique DHCP scope on each 5505. I have a dynamic crpto map on the server. I configured unique tunnel groups, group policies and usernames for each site on the server. This seems to work fine. Is it normal to configure unique tunnel groups, group policies and usernames for each remote site?
When ASA 5505 was installed we selected Easy VPN Remote. Now we want to disable it. In ASDM we navigate to Configuration > Remote Access VPN > Easy VPN Remote and try to clear the Enable Easy VPN Remote checkbox but it will not uncheck.
We have a number of 5505 ASAs at remote sites all of which are configured to connect to one of two head-end servers.We need to change the primary head-end IP addresses. At the moment devices are successfully connected to the secondary.If we issue vpnclient server i.j.k.l e.f.g.h then the device drops off the network and won't reconnect until it is power cycled.If we make the changes in ASDM using the GUI to remove the old primary and add in the new primary the ASDM says "No changes made".Devices are running 8.2 and 8.4 code and behaviour is the same.
how to change head-end server IP addresses without the device disconnecting and not coming back up? According to the configuration guide the ASA should cycle through the addresses every 8 seconds until it can connect - but it doesn't seem to do this as it won't connect to the good secondary head-end either!
I have one user who is unable to Access Remote Network resources when connected to the VPN on his home network. VPN shows connected and he is given a remote IP from the VPN Pool, but he cannot ping any IP on our network. When connected using Sprint Wi-Fi card he is able to connect and access remote network from the same laptop. Maybe there is some network overlap that I am missing.
see attached firewall config (zzz... being firewall public IP) and remote user route table. ASA 5505 VPN Client 5.0.07.0290
We have an ASA 5505 in our environment and currently two IPSec L2L VPN tunnels are established. But we are planning to connect using Easy VPN(Network Extension Mode) to another site as Client. Is it possible to configure Easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels?
Following is the warning that we get when tried to configure Easy VPN Client.NOCMEFW1(config)# vpnclient enable
I have a client that has a 5505 installed. They want to VPN in with their Win7 laptop, but they don't want to shell out $1000 for the 10-pack Cisco VPN client.I have successfully setup the clientless VPN, and they can, through a browser, get to their files, but they'd like to map network drives so it's just like they're in the office.I tried setting the IP Sec up on the 5505, and then using the built-in Win7 VPN network connection, but no go.I also do everything through the ASDM, but I realize some things cannot be done. I'd prefer to use the ASDM!Anyone else get this configured? 99% of what I see out here is how to connect the 5505 for site-to-site VPN.
We recently upgraded our 5505s to 8.2(5) 26 and noticed that each will crash after a cerntain amount of time. Some crash every 30 minutes other will crash every 4 to 8 hrs. The only difference would be the user's home ISP and/or home router, if they have one. They are configured with a dynamic dhcp IP address for the outside interface and the crash files starts with the following:When we downgrade back to 8.2(5) 13 the problem goes away. Any known bugs for this version? I haven't been able to find anything yet. We do have one 5505 that does not have this issues. The only thing that may be different is that it was never at 8.2(5) 13. We had downgrade it from a 8.3 version.
We have a RA Vpn split_tunnel setup in one of our locations which is working fine in all areas except for traffic destinged for one specific website using https. This vendor only allows the HTTPS connections to them to come from certain outside IP addresses. ssentially it should work like this:RAVPN_client (10.4.4.0/27) --> https request to vendor_ip (208.x.x.x) ---> ASA55XX --> NAT_to_outside_ip --> https request to vendor_ip (208.x.x.x) need to understand how you would go about NATing ONLY this specific https traffic from the RA VPN while not having to alter the setup otherwise. Internal hosts (aka behind the ASA physically) do not have any issue getting to this site, as its nat'd to the outside ip address as we expect.Here is what we are using for the NAT Exemption list he 10.2.2.x, 192.168.100.x and 172.23.2.x are other remote sites that we have. RA VPN users are using the 10.4.4.0/27 do not have any issues connecting to them, no matter the protocol.
Attached you find both configuration of the EzVPN server and remote. The tunnel is getting up and if I ping from the ASA to the Router, I see the packets getting encrypted:
ezvpn-asa# ping 172.16.100.1 ... ezvpn-asa# show crypto ipsec sa interface: outside Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?
I get the following error when trying to connect a vpn client through an ASA5505 with an already configured ipsec AES/256 site to site connection:
regular translation creation failed for protocol 50 src:inside:192.168.1.167 dst:outside:xx.xxx.x.64
The site to site addressing is not relevant, I'm not trying to pass traffic over the site-to-site, but rather create a new vpn from inside client to outside external vpn box that's not under my control. The client is able to create a connection, but no traffic is passed, when I try to ping / rdp, the above message is returned to me. If I add the rule static(inside, outside) interface 192.168.1.167 netmask 255.255.255.255 then it works, everything works, but ONLY from this computer.
Been Google for hours, but with no result as of yet.
I have an ASA 5505 that is on the perimeter of a hub & spoke vpn network, when I connect to this device using the VPN client I can connect to any device across the VPN infrastructure with the exception of the sub net that the client is connected to, for instance:
VPN client internal network connects to 192.168.113.0 /24 and is issued that ip address 192.168.113.200, the VPN client can be pinged from another device in this network however the client cannot access anything on this sub net, all other sites can be accessed ie. main site 192.168.16.0/24, second site 192.168.110/24 and third site 192.168.112/24. The ACL Manager has a single entry of "Source 192.168.113.0/24 Destination 192.168.0.0/16 and the "Standard ACL 192.168.8.8./16 permit.
I'm setting up our ASA 5505 for remote access VPN and now need to insert the VPN client addresses (allocated via RADIUS) into OSPF so that they get redistributed through our network.
The configuration of the ASA is that its hairpinning because it is behind an existing router/firewall (192.168.252.254), therefore it only has an inside interface (plus one for management).
The VPN access works fine as long as I have a static route on our router/firewall pointing the VPN clients network range to the ASA. But once I configure OSPF with a redistribute static (because VPN client addresses get added the the ASA as statics), a host route (which is fine) gets added to our firewall with a next hop of the router/firewall itself and not the ASA.
ieVPN Client route on the ASAS 192.168.242.75 255.255.255.255 [1/0] via 192.168.252.254, inside (not to sure if this is expected behaviour - would have thought it should be a Connected route)
VPN Client route on the Router/Firewall 192.168.242.75 192.168.252.254 UGH 0 1246 em2 (I would have expected that OSPF should have put this in with a gateway of .200) Route in the ASA OSPF database192.168.242.75 192.168.252.200 839 0x80000002 0x9e45 0