Cisco VPN :: ASA 5505 - Running Pair Of VPNs Working From Offsite
Dec 16, 2011
We're trying to get a new ASA 5505 put in place on our network after the untimely demise of our 1841 router. One of the functions of the router that we need to get back up and running is a pair of VPNs to employees that we have working from offsite. These are site-to-site VPNs.
They worked with the 1841 in place, so I know that the other end works. I'm just having trouble configuring the ASA to match. I've been through the wizard in ASDM a couple of times, but have yet to have any luck getting it to connect.
Attached are config files for the 1841 (with both VPNs) and the 5505 (with only 1 VPN in place). What I may be missing in order to get this working?
One note - I am having some trouble with my NAT configurations (another post pending), but I think they are close enough that I hope it's not interfering with the VPNs.
If I can get one running, the other has a nearly identical set up, so I should be able to get the second pretty easily.
I have a network of 5 different ASA 5505 they are all connected via site to site VPNs. 4 of the routers are working fine but the 5th one is only connecting to 2 VPNs when it should be connecting to 4 VPNs. I have verified that all the settings are correct on the routers (peer ip address, PSK, etc...) but the router still only connects to 2 VPNs. Is this a licensing issue? The license of the router in question looks like this: [code]
I have a pair of 5520s running 8.2(3) in failover active/standby, routed mode. I have an issue with SSH as it's stopped worked after a short time, less than 8hrs during the network being installed, telnet is working fine as is https/asdm. I have re-created the crypto key and the ssh access is allowed. When I try to connect I just get a flashing cursor, telnet to the ip and port 22 also works.
I'm having trouble setting up a second IPSec VPN tunnel on my Cisco ASA 5505 to another office. I was able to setup the first one with no problem through the ASDM, but have not been able to get the second one up.The IPSec tunnel is connecting to a WRVS4400N router at the other office. I tried debugging crypto isakmp, and crypto ipsec, but I'm getting nothing. Below is the config. Does something look wrong on my end? I also attached a screenshot of the parameters setup on the remote router.
I have two ASA 5505's with Security Plus licenses on both.I am trying to force them to becoming an HA pair using active/standby.When I enable failover I get this message:
Mate's license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.Do I need to apply new licenses to the ASA's?
Device licence details (same on both):Cisco Adaptive Security Appliance Software Version 8.2(1) [code] This platform has an ASA 5505 Security Plus license.
We have a pair of N7K distribution switches connected to a pair of N7K Aggregation switches.We run vPC on both pairs of n7k's.
-n7k-d1 has two interfaces in a Port-Channel connecting to n7k-a1 & n7k-a2. (PC1) -n7k-d2 also has two interfaces in a Port-Channel connecting to n7k-a1 & n7k-a2. (PC2)
My problem is that Spanning-Tree is blocking PC2 and all traffic from n7k-d2 is traversing the Peer-Link before reaching the Aggregation layer. Is this the best design for connecting two pairs of n7k's with vPC or if a better design would be to connect all 4 links into the same Port-Channel and vPC?
I've got this problem with our Operations Manager's laptop not letting him log in once he is offsite(at home). We use an Active Directory server here for all out workstations to log on to the domain but once he is offsite he cannot log in because the laptop obviously cannot find the sever to authorize the user. For now I just have him logging in locally to his laptop and not to the domain when he is offsite but this creates a problem; it makes two users/desktops for him, one user.domain and user.local. Is there a way to tell the machine locally that his username is authorized to let him log onto the domain account though it cannot connect to the domain server?
Is it possible to install the D Viewcam software on a PC that is offsite (different network) as the camera and record from there? Basically the camera is home and you record from work.Can I record directly to any NAS (same network as camera) without having a PC in the middle? Or do I need a specific NAS?What about one of those external hard drives that hook up directly to a router?
I've got a router on which I run a backup/media/print server, a couple of computers and a voip box. My router has only four ethernet lan sockets which are thus all occupied by the above, but I need to attach at least one further device b
Secondly, could a splitter such as >> this one << do the job? I'm guessing this basically split a single 4-pair ethernet connection into two 2-pair ethernet connections.
I'm replacing a new ASA 5505 due to a corrupted flash. On the original unit, I had the ability to SSH into the device using TeraTerm with no problems. While configuring the new device, I entered commands to enable SSH into the unit.
I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.
I work as a systems administrator for a global company and currently right now all my end users which is roughly 300 all use VPN from there office location to dial back into the server or use terminal server. I would like to know how to connect there locations back to main site without using VPN. What would be the cheapest and or easiest method to complete this.
I have a Cisco 5505 that had its disk erased (erase:disk0) and now I am trying to load a new image (822 or 813) from a tftp server.
From the ROMMON prompt I have configured the relevant parameters and run a tftp command.
The tftp transfer seems to complete successfully but then it gets stuck on "...loading".
I have tried different versions of IOS and I always experience the same problem, even though, with older versions of IOS (7.x), the device manages to reboot itself but then it crashes with the following error:
"Error : Uncompression of the image failed. invalid compressed data--format violated"
Could it be an hardware related-issue or a licensing problem maybe? or am I missing anything obvious?
also, with regards to the license: once restored, how do I get my 50 users license back?
I am setting up an offsite storage server for work at my home which will sync a few times a day to grab data and i wanted to ask about options for encryption or if i should worry about it.i am going to be initially dumping about 1-1.5T worth of data, with then maybe a couple of gigs a day added of new stuff.i am going to use server 2008 r2 as i am also doing a read only DC/AD for this system to give me and offsite controller just incase also.
I was thinking encryption for one more level of safety just incase something happened to the server, like theft or something but not sure what could reliably handle that much data ? System is only a dual core e7500 with 8G of ram, i have 2x500G SATA in raid 1 for the OS and 4 x 1T drives in raid 6 with 2 more coming.
I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't suppport multiple vlans or trunking & they are only able to connect to one switchport on the ASA. He doesn't not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addesses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an ip range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to setup an internal network & I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.
I am trying to configure an ASA 5505 running 8.3 to allow a priv 15 local user to be able to ssh into the device and be placed into priv 15 mode without having to execute the enable command and type the enable password.Right now when you log in as a priv 15 user you still have to execute the enable command and type the enable password to get to priv 15.
here, am used to the RouterSwitch CLI but been asked to set up an ASA 5505 8.4.Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running-packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
Phase: 5 Type: NAT Subtype: rpf-check Result: DROP Config:nat (inside,outside) source static server publicIP service RDP RDP Additional Information:
[code]....
Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut!
I am trying to get AAA Authentication working on a Cisco 2960-24pc-l running 12.2(55)SE5 IOS and cannot get it to work. I have it currently working on a Cisco 3750-24te-m running 12.2(55)SE IOS. Here is my config: [code]
When I login to the 3750, AAA is used. When I login to the 2960, the local username is used. Any thoughs here as to why it works on the 3850 and not the 2960?
I have three computers (all hp): a netbook running 32-bit Windows 7 starter, a laptop running 64-bit windows 7 premium and a desktop recently upgraded to 64-bit windows 7 premium. The desktop was previously running vista, and the network worked fine under vista.The computers can ping one another by IP address.
My pc is windows xp an has service pack 3, the adaptor is realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC. I have 3 gig of memory and a very larg nvidia card. OK my pc has worked absolutely fine until this weekend when my sister came and her son was on my pc when everyone was in bed. He attempted to print of not less than 88!! pictures he had acquired from different sites but i had disconnected the printer so it didnt take place. When they left earlier today i switched on my pc and there was a virus alert so i ran a scan. These got put into the chest. I then attemtpted to close down the programmes that had come back up when i switched on and this is when it happened. The pc told me it was going to shut down and when it restarted i had not internet connection. I checked the modem and the ethernet light is out.
I have 30 switched in my corporate network it’s all up and running all switches running by default configuration and connected to WS-C4506 core switch our dhcp server pooling 192.168.100.1/27 network. Now we need to configure new Vlan for finance department this department has more than 200 users. If my server distributes 192.168.200.0 range ip can vlan2 automatically assign ip 200.0 addresses to finance department.All switches running default config no ip address assigned.
I need to replace an existing ASA 5540 with a new ASA 5525X. I would like to pre-stage and configure the new box with the existing config, migrate license and export certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now the same 7.2(4) cannot just be copied over to 5525X running the minimum 8.6 version. There is a Web based tool available at [URL] according to Cisco documentation but the page does not load for me (Cisco intranet only tool ?). Is there another tool for automatic conversion ?
I am putting an pre-labbed DMVPN Hub config onto a production 1841. We had to upgrade the IOS to support protection with NAT so the current IOS we're running is c1841-adventerprisek9-mz.124-25g.bin.I can paste the configuration in fine (via the tunnel interfaces) and the router accepts it however the 'show dmvpn', 'debug dmvpn' and other related commands don't work. I have checked the IOS feature navigator and it definitely shows that DMVPN phase 1 and 2 are supported in this image.
I recently acquired a used ASA 5505 and have encountered issues with getting the PoE output on Ports 6 & 7 working. Theese two PoE ports are behaving like all the other ports (100mbit, Vlan 1). Per the best I could Google, I made sure the all relevant ports are set to "auto" for duplex and link speed. Again, the ports do work for data - just not PoE. The LEDs light up ok.
I've tested four different working devices that can be powered off PoE with it, and all failed to power up using a straight-thru Ethernet cable connected to ports 6 & 7.
I configured a VPN on my ASA5505 and it seems to be working just fine if I connect with my i Pad or iPhone. But if I use the Cisco VPN Client, I can authenticate but can't get to any other the server that I can access just fine from my i Pad.
I can RDP from my i Pad to servers but I can't RDP from my laptop to the same servers.
I have setup a ASA and everything but ipsec seems to be working. I was able to use the clientless ssl but I need ipsec working. I'm at a loss. config is a little sloppy and i will be cleaning it up but would like to get this working first.
Cisco Systems VPN Client Version 5.0.07.0290 Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved. Client Type(s): Windows, WinNT
Actually I have to make a VPN between an 5520 ASA and a Cisco 887VA-K9 Router. Connected to ASA I have the outside interface, the inside-DMZ interface, the PCs interface and the VoIP interface. In the other site I will need to have a new subnet and a VoIP phone which I need to connect to the VoIP subnet in the other side in order to work with our CCM servers.I need two VPN established between ASA and 887 Router?
I have a pair of 5505s with an IPsec VPN between them. On the first 5505, I also have a user connecting to it via client based vpn. The user cannot access systems on the other side of the ipsec tunnel. That 5505 protects subnet a.b.c.d, the user is on subnet a.b.e.d which is not inclusive to a.b.c.d. First, am I correct in the assumption that I need to add the vpn network of a.b.e.d to the list of protected networks, and second if I change the list, does it drop and reset the ipsec vpn?
