Cisco VPN :: ASA 5505 SSL VPN Can't Reach Inside From Subnet?
Jul 6, 2012
I've set up an SSL VPN to an ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a Windows server on the inside network but I can't get to it. I cannot even ping 192.168.1.1 or (not sure if I could anyway) 192.168.2.1. I can ping from the 192.168.1.0 net to 10.0.0.0 and 192.168.2.0 without issue, but not the other way around. I added an ACL on the outside interface and then on the inside interface permitting ip any any, but still no ping or RDP.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 1 Replies
Jul 7, 2012
I've set up an SSL VPN to an ASA 5505 and can connect.
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
I am trying to RDP to a Windows server on the inside network but I can't get to it. I cannot even ping 192.168.1.1 or (not sure if I could anyway) 192.168.2.1.
I added an ACL on the outside interface and then on the inside interface permitting ip any any, but still no ping or RDP.
New at VPN and have survived so far on Cisco docs, but this problem is evading me.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
[Code]....
View 1 Replies
Feb 26, 2011
I am trying to configure our ASA 5505 so that our users can access our FTP site using [URL] while inside the firewall. Our FTP site is set up so that you can reach it either by browsing to the above URL or by browsing to ftp://99.23.119.78, but we are unable to access our FTP site by either route while inside the firewall. We can access our FTP site using the internal IP address of 192.168.1.3.
Here is our current configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ATT
 security-level 0
 pppoe client vpdn group ATT
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
[code]....
View 6 Replies
Oct 12, 2011
An 1841 is connected to the internet by DSL, and it works fine. I have added it to the 10.98.8.x subnet off a 3750 switch. When I connect other devices to the same switch port, I can ping/browse to them fine, but when I connect the 1841 I can only ping it from the 3750, not from another subnet connected to the same router. [code]
View 2 Replies
Jun 18, 2012
I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]
View 8 Replies
Jun 9, 2010
Just got a new SGE2010P layer 3 switch. I'm trying to configure VLANs to reach a few subnets. I have the original 192.168.1.0/24 as VLAN 1. I want to reach our WiFi subnet 192.168.10.0/24. The WiFi router is directly connected. It's new for me, as at my previous job I was working with a WS-3750-48.
From the console I changed my switch to layer 3 mode (I want it as the DGW for each VLAN). From the web interface I created a VLAN 4 for our WiFi. Next I went to IPv4 to add an IP address to VLAN 4, like 192.168.10.254/24. As soon as I apply the IP, the switch stops responding and ping requests time out. I need to reboot the switch.
View 2 Replies
May 31, 2011
I am having problems accessing our internal network via VPN. We have an ASA at the perimeter that connects to a 3745 router, and all of our networks come off that router. I can establish a VPN connection to the ASA but I can't ping any of our internal hosts.
The internal network I need to access is 172.18.0.0. When I connect to the ASA I get a DHCP address from a pool created in the ASA; the pool is 172.200.1.x. I can't ping from the ASA to the connected VPN host, and I can't ping from the host to the ASA IP address or to the 3745 connected to it.
ASA config:
group-policy NAMEOFPOLICY internal
group-policy NAMEOFPOLICY attributes
dns-server value 172.18.2.2 172.18.2.23
[Code]....
route inside 172.18.0.0 255.255.0.0 172.18.255.1 1
Route on the 3745 back to the ASA:
ip route 0.0.0.0 0.0.0.0 172.18.255.2
I can't see anything on the internal network; I can't even ping the DNS servers and so on.
View 3 Replies
Jan 2, 2012
So, I've set up AnyConnect client access to an ASA 5510.
I've got a handful of interfaces which contain hosts that should be accessible to AnyConnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif
Interface Name Security
Ethernet0/0.205 SECURE 90
[Code].....
View 7 Replies
Apr 4, 2013
The network topology is like this: a router with a DHCP server on it, and three VLANs.
VLAN 10
VLAN 20
VLAN 30
My question is how to configure the router so that all devices on all 3 VLANs can obtain an IP from the router. I've tried to enable proxy ARP on all interfaces and to create sub-interfaces and trunk them to their appropriate VLANs, but I can't specify the gateway on all trunked sub-interfaces because I get a warning that the addresses overlap. Then I tried to set an access-group on all sub-interfaces and it still doesn't work.
View 5 Replies
Jan 14, 2012
I have some site-to-site VPNs (site B and site C connect to site A). The subnet 10.0.56.0/28 is behind site B. Another subnet, 10.0.56.16/28, is behind site C. I would like to route 10.0.56.0/28 so that it can reach the subnet 10.0.56.16/28. Is there any possibility of doing this on the ASA 5520 (site A)?
View 3 Replies
Mar 8, 2011
I have set up two different subnets, 192.168.1.0 and 192.168.2.0, on the same 'inside' interface. They are unable to talk to each other. I can ping from the firewall to both subnets. Both sides are unable to talk to each other unless I add a route on the systems on both sides. I have added the following in the ASA 5510. [code]
View 8 Replies
Nov 13, 2011
I've configured IPsec VPN with the wizard, but the IP address assigned by the pool cannot reach the LAN network. LAN network: 192.168.0.0/24, pool network: 193.168.0.0/24.
View 12 Replies
Apr 11, 2011
I'm having trouble setting up local LAN access (reach the inside network when the VPN is connected) and Internet access (reach the internet when the VPN is connected) for my VPN clients when they are connected to my VPN. They can connect, no problem there, but I can't reach any resources when connected. My pings time out, both to my inside network and to public IP addresses; the only thing I'm able to ping is my ASA (172.16.30.1), and I don't see any routes under "Status/Statistics/Route Details" in my Cisco VPN Client (when connected).
Here's my config:
ASA Version 8.0(3)
!
hostname KardesASA
domain-name default.domain.invalid
enable password XXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.30.1 255.255.255.0
!
interface Vlan10
[Code]....
View 14 Replies
Oct 21, 2012
I'm not sure if this is a possible config, but I have an ASA that I need to be able to SSL VPN to and get an IP address that is on the same subnet as my internal interface. The reason is, the person connecting in has a utility that does a broadcast on the internal network to discover the devices he is trying to connect to. Therefore, connecting over VPN and getting put on a different subnet won't work. In this case, I am going to start the ASA configuration from scratch. If it's possible to do the above, what are the correct commands to configure it? I was planning to use 10.50.0.1/24 for the internal interface and then hand out IP addresses on that subnet to both the LAN and the VPN. This is an ASA 5505. It's on IOS 8.4.
View 1 Replies
Sep 7, 2011
We want to use an ASA as a pure routing device. Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
We have defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port, made the Ethernet port that acts as outside a trunk, and defined it as the global routing.
We cannot ping any of the subnet IPs defined in the ASA from outside, nor can we ping them from the internal IP addresses.
Configuration:
: Saved
:
ASA Version 8.2(1)
[Code].....
View 3 Replies
Aug 4, 2012
I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching YouTube videos, and endless Google searching, and despite my best efforts I am still having an issue I can't figure out.
I have a couple of subnets that, when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I'm not sure if it's an access rule issue, a NAT issue, or a DNS issue.
Here is the network layout:
ASA: 192.168.0.2 (Primary Gateway)
192.168.0.0 (Primary facility, ASA is the gateway)
192.168.2.0 (Second facility, connected via Verizon point-to-point)
192.168.3.0 (Third facility, connected via Verizon point-to-point)
[Code].....
View 7 Replies
Dec 7, 2011
I am working on a site that has recently added a new subnet and I am unable to ping any of the stations on this new network. I have configured an Exempt NAT rule just the same as the rules allowing access to other networks. I have a feeling the problem is in the Site-to-Site VPN configuration since the new subnet is at the primary location over the VPN.
In the site-to-site configuration I added the new subnet to the list of "Remote Networks" and I still can't communicate with any of the devices on the network. If I go to the main site I have no problems so it appears to be related to the VPN or a configuration in the ASA on that site.
A port scan shows that all the traffic is "filtered" so somewhere either the site ASA or the main ASA is blocking the traffic.
View 7 Replies
Sep 20, 2012
I'm setting up a VPN in order to share files between two locations. I'm not sure it's the best solution, but he insists on using his Cisco ASA 5505 firewall via a clientless VPN. His set-up is a simple residential cable modem (Motorola SurfBoard/TimeWarner) set in DMZ mode, the Cisco ASA, and an Ubuntu server.
The clientless VPN is set up, as are the user groups and bookmarks. I'm able to browse to the firewall's internal interface IP (https://192.168.1.1) and log in to the clientless VPN portal, and from there I can access all of the plug-ins I've configured (CIFS, VNC, etc.). The problem is that I cannot connect from outside the local area network.
I think it's something very basic that I'm missing, like a NAT rule. I've tried adding some, but they always seem to interfere with the NAT rule allowing users to connect, via the internet, to the Apache web server (port 80) running on the Ubuntu machine behind the ASA firewall.
Like I said, I'm not sure this is the best solution for him. Using an ASA seems like overkill for something that can be accomplished with some software, but he and I are both fans of Cisco, and, as I said, he is adamant about using this set-up. If it comes down to it, I'd like to be able to honestly tell him that I exhausted every resource in trying to find a way to make this work for him before giving up and going to "Plan B".
View 2 Replies
Feb 9, 2012
We have to make disaster recovery site EasyVPN tunnels on Cisco 5505 ASA firewalls. Now there is only one main site and 3 remote sites. For DR we have to use the same subnet as on the main site because the VMware virtual machines will be replicated to DR. For DR we are using Double-Take software. What is the best solution for this? I think that we could use destination NAT on the ASAs. The other sites (HQ and remote) will see only the NAT address of the DR and not the real one, which is the same as on the main site. We are using IPsec VPN. In packet-tracer on the ASA I see that the packet is first NATed and then encrypted, so it should work, yes?
View 2 Replies
Mar 23, 2011
I want to give access to a remote subnet on a firewall 5505.
The remote subnet is 16x.15X.56.0.
Here is my access list:
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.254.0 16x.15X.56.0 255.255.254.0
View 7 Replies
Jan 31, 2012
We recently upgraded an ASA 5505 with the Security Plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured, 10.1.1.0, is able to access the internet without any problems. However, the new subnet 10.1.5.0 is unable to access the internet, and when we ran packet-tracer the NAT config nat (inside) 1 0.0.0.0 0.0.0.0 is showing as the rule that drops the packet.
Additionally, we have not been able to get the 2 subnets to talk to each other even though same-security-traffic permit inter-interface is configured. How do I configure the subnet 10.1.5.0 to access the internet, or get the subnets to communicate? Below is a streamlined version of our current config.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.66.66.66 255.255.255.240
 ospf cost 10
!
interface Vlan13
 nameif corporate
 security-level 100
 ip
[Code].....
View 15 Replies
May 4, 2011
I'm new to Cisco equipment, much more familiar w/ SonicWall. W/ that said, I have a 5505 w/ Security Plus licensing.
I have set up multiple VLANs as follows:
VLAN 1 inside - still set up as 192.168.1.1 (will not be using this for our LAN)
VLAN2 - outside
VLAN100 - LAN 10.1.1.1/24
[Code]....
If I do add all the VLANs above, I understand I will probably have to make a trunk port since I only have 5 usable interfaces.
View 12 Replies
Oct 7, 2012
I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't support multiple VLANs or trunking, and they are only able to connect to one switchport on the ASA. He does not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addresses for 192.168.1.x and 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x. The customer suggested configuring a supernet. A 192.168.0.0/22 address scheme would provide an IP range of 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to set up an internal network, and I will definitely advise the customer that this should only be considered a temporary solution until they get more appropriate network equipment.
View 3 Replies
May 21, 2011
Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505s.
I've seen several threads about that here, and I've run through the walkthrough at [URL]. I've taken a stab at setting split tunnelling and NAT exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24.
The remote site (lugoff) uses 10.0.1.0/24.
View 5 Replies
Jul 29, 2011
I have a 5505 with the Security Plus license. I have a web server in the DMZ that needs to talk with a server on the inside network, but it doesn't seem to be able to. I'm guessing there is something I need to do to enable the DMZ to talk to the inside network.
Here is the config.
[code]...
View 1 Replies
May 14, 2012
I have a 5505 that currently has inside/outside interfaces and everything is working just fine. I am trying to create a DMZ that will essentially be just for vendors/guests. The DMZ will have full access to the outside (Internet) but no access to the inside. I am using the FW for DHCP, and 8.8.8.8 and 4.2.2.2 for DNS. I currently have 1 laptop in the DMZ VLAN, and it is getting a correct IP, and it is showing 8.8.8.8 and 4.2.2.2 in ipconfig. I can ping/tracert 8.8.8.8, 4.2.2.2 and 74.125.137.147 (what url... resolved to on a laptop connected to the inside VLAN), but I cannot ping nor browse to url.... [code]
View 1 Replies
May 14, 2012
We recently purchased the Cisco ASA 5505 to get familiar with it, possibly buying more appliances for our branch offices. However, since the appliance was installed, our SIP telephones no longer register with our SIP service provider.
The SIP phones are all on 10.0.1.0/24, while the SIP provider is external via the outside network. I copied our configuration below. How do I enable SIP for all 10.0.1.0/24 hosts and ports 5060, 5160, 5260, 5360?
gcxfw# show running-config
: Saved
:
ASA Version 8.4(3)
[Code].....
View 2 Replies
May 21, 2012
I have a standard ASA 5505 with inside, DMZ and outside with the default security levels, 100/50/0. We have an email server inside which has been NATed and is working fine. However, users accessing the wireless on the DMZ are unable to access their email over HTTPS (443). How do I allow SSL access ONLY to users on the DMZ, using ASA 8.4 commands or ASDM 6.4?
View 10 Replies
Sep 13, 2011
I'm having problems getting AnyConnect clients to reach a server (192.168.139.3) on the Inside interface of my ASA 5505. Ideally, this would be accessible from the DfltAccessPolicy or another dedicated policy, but right now I'm happy with any access. Everything else seems to be working as expected. I've rebuilt this config a number of times without success. I can ping the IP from the ASA itself.
View 2 Replies
Sep 29, 2012
I have 2 ASAs and would like to build a site-to-site VPN between these ASAs, so I can learn something about configuring an ASA for different things. But right now I can't ping from a client to the Internet router. My configuration is:
Client IP 192.168.1.100 <===> ASA Inside 192.168.1.1 / Outside 192.168.178.254 <===> Router 192.168.178.1
Is there something wrong with my config? Or do I need private addresses on the inside and global IPs on the outside?
On the router I have a static route saying that 192.168.1.0/24 is to be found via gateway 192.168.178.254.
View 2 Replies
May 20, 2011
I have an ASA 5505 Sec Plus. I would like to allow outside hosts to reach our mail server and also our FTP server. So I would like to allow only SMTP, HTTP (for Outlook Web Access) and FTP.
View 10 Replies
Sep 16, 2012
I have a 5505 with Base license running ASA software v8.4(2) that has been working happily for a while with an inside and an outside VLAN.
The outside has a single statically configured public IP, and I have a number of static NAT rules to expose a few internal servers as well as Dynamic-NAT for all devices on inside to gain access to the Internet... the main bits of the config are below:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
[code]....
I now have a requirement to add a "dmz" VLAN for guests to have access to the Internet using a dedicated wireless AP, but not to any of the inside resources. As the ASA has a Base license, I have configured "no forward interface" to the inside VLAN, which suits the purpose fine:
interface Vlan12
description Used only for guests access to the Internet - no access to the corporate resources
no forward interface Vlan1
nameif guests
security-level 20
ip address 192.168.2.1 255.255.255.0
My problem is that when I try to add NATing from the dmz to the outside I get a:
ERROR: Address a.b.c.d overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
with either:
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic interface
[code]....
Having had a look at the ASA configuration guides, all the examples I can see with several "internal" VLANs being NATed use one external IP per VLAN. Is this a feature/restriction of the ASA software? Are there any workarounds? Or is the overlap in the error message really about the current NATing of the inside VLAN, which is done on the "any" 0.0.0.0 subnet? Would the following then work:
object network obj_any
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic a.b.c.d
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic a.b.c.d
View 5 Replies
Apr 2, 2013
I have a test ASA 5505 with the settings below:
How can I connect to the internet (VLAN 1 to VLAN 11)?
[code]....
View 1 Replies