Cisco VPN :: ASA 5505 / Site 2 Site VPN With Backup Peer Not Able To Send Traffic

Mar 13, 2011

I have 2 ASA 5505 firewalls. I configured site-to-site VPN on both firewalls. As I have dual ISPs, I am able to create the tunnel with the primary, but once my primary is down I am not able to create the tunnel with the backup ISP. During troubleshooting, by typing show isakmp sa and show ipsec sa, I can see my tunnel is up, but it is not able to decap the packets.
The output looks like this:
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0



Cisco Firewall :: ASA 5505 Site To Site RTP Traffic Is Hitting Deny All Rule?

Aug 13, 2012

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny

It won't allow us to set up a VoIP call... however, when the same call manager sets up a VoIP call NOT using this IPsec tunnel it works just fine.


Cisco :: ASA 5505 Site To Site RTP Traffic Is Hitting Deny All Rule?

Aug 14, 2012

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows

Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny


It won't allow us to set up a VoIP call... however, when the same call manager sets up a VoIP call NOT using this IPsec tunnel it works just fine.


Cisco VPN :: ASA 5505 Site-to-Site VPN Tunnel Up But Not Passing Traffic

Apr 3, 2013

I do have a 5505 up and running, and passing data... url... Now I am trying to get an IPsec VPN tunnel working. I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned:
name Eventual (HQ Site behind Firewall)
name CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP:
T1 (Remote site - Outside interface of 5505:
Local (Remote Network - internal interface of 5505: 10.20 9. 0.3)
On a ping to the HQ network from behind the ASA, I get port map translation creation failed for icmp src inside: dst inside: (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the traffic, and that I may have to exempt/route the traffic for the HQ network (, but I haven't been able to get the correct entries to make it work. [code]


Cisco VPN :: ASA 5505 Site-to-site Vpn Not Passing Traffic

Feb 4, 2011

I've set up a site-to-site VPN between 2 5505s, with 1 subnet per site directly behind the ASAs. The VPN establishes connection successfully, but I can only access resources from site2 to site1. E.g. I can ping or RDP from a server in site2 at IP to a site1 server at IP. I cannot make the opposite connection, i.e. to


Cisco VPN :: ASA 5510 - ISP Site To Site Failover With Single Remote Peer Address

Apr 16, 2011

I have an ASA 5510 active/standby and created one site-to-site VPN with remote peer IP address xx.xx.xx.xx. Our VPN traffic is running on a 6 mb internet link for video conferencing traffic. Now the client has given us another 2 mb internet link and told us our data traffic is running on the 2 mb link, but this data traffic is running on the same remote peer IP xx.xx.xx.xx.
Secondly, they also need failover over the ISP link.
How can we implement this on the ASA 5510?


Cisco WAN :: AES-128 IPSEC Site-to-Site VPN Multiple Crypto Maps For One Peer

Jan 28, 2013

With a customer we have a site-to-site VPN connection. In this tunnel there is one subnet routed with a 3des-sha encryption / hash. Now they want to add a new subnet in this tunnel, but with an AES-128 / MD5 encryption / hash. Is it correct if we make a new crypto map with a higher seq. number?


Cisco VPN :: 5505 - Site To Site Connected But Cannot Ping Remote Site

Oct 11, 2011

cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizard on both) and it shows the VPN is up, but I can't ping the remote site (from either side).


Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have an ASA 5505. I configured site-to-site VPN between the central site and the remote site and it is working. Now the problem is we use the remote site for troubleshooting purposes, so we need to create a tunnel from the remote site to the central site. I need to configure it in such a way that the remote site can create a tunnel to the central site, but the central site is not able to create a tunnel; it just responds to the remote site.


Cisco VPN :: ASA 5505 Site To Site Connection / Remote Site?

Mar 6, 2011

I have 2 ASA 5505 routers with base license. I want to make a site-to-site VPN connection and a remote site using the VPN client to connect. First, I have an HDSL router with 5 public IPs. I want to try it by giving 1 public IP to each router and try the VPN, but nothing works?


Cisco VPN :: ASA 8.02 - Backup Site To Site VPN Configuration

Feb 2, 2011

We are attempting to implement a VPN configuration using an ASA 8.02 at a Central site which terminates remote site VPN connections from IOS routers (12.4), using static crypto maps. We have a functional configuration, but are looking to implement a backup site-to-site configuration on the ASA, using different service providers. The observation is that as soon as I add the 'connection-type originate-only' to the crypto map on the ASA, the tunnel is fatally broken. As soon as the statement is removed the tunnel is restored. Just wanted to confirm that the 'connection-type originate-only' configuration on the Central ASA is supported with the Cisco IOS peer. Documentation seems to indicate there is some sort of proprietary exchange that is supported only between ASA peers.


Cisco VPN :: 1800 Site-to-Site VPN Tunnel Bandwidth For Voice Traffic

Jun 22, 2011

I have some challenges with a VPN config I recently set up for a client. I have at the HO the following:

- 1800 router
- Avaya phones and Gateway
- 1MB radio internet access

At the BO (branch office), I have:

- 871 Router
- Avaya phones
- 256k internet bandwidth

The only reason we set up the VPN in the first place was for the phones at the BO to be able to connect to the gateway at the HO and also be able to make calls and receive calls as if the phones were at the HO. The phones at the BO successfully register to the HO, but are unable to receive calls and dial out. Every time I try to make a call, the phone displays a "connecting..." message. [code]


Cisco VPN :: ASA 8.2 - Site-to-Site VPN Stops When Traffic Volume Rekey Reached

Jan 12, 2010

We have several site-to-site IPSec VPNs set up.

All are running on ASAs 8.2(1).

All have a Security Association Lifetime (Time) of 8 hours.
All have a Security Association Lifetime (Traffic Volume) of 4608000 KiloBytes.

We have an issue when we do Oracle logshipping between the sites.

This triggers the Traffic Volume rekey as can be seen by this entry in the logs: -

%ASA-7-702307: IPSEC: An inbound L2L SA (SPI= 0x169FA1C1) between and (user= ) is rekeying due to data rollover.

However it does not appear as if the renegotiation is occurring properly. Within 10 to 15 minutes data stops being transmitted along the link, even though the IPSec tunnel still appears up in the ASDM GUI.

The 'fix' for this that we are using is to log in to the ASDM GUI and bounce the link by going to Monitoring => VPN => VPN Statistics => Sessions => IPSec Site-to-Site. Then select the appropriate VPN tunnel and click on 'Logout'. This forces a link renegotiation which works fine.

I have attached a logfile from the local ASA (there's nothing in the logfile of the remote ASA until we bounce the VPN tunnel).


Cisco Wireless :: Configuring 5508 At Remote Site To Tunnel Traffic From WLC At Main Site?

Sep 20, 2012

At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG).  In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG".  None of the SSIDs are "anchored".
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs.  This site contains two customers.  One customer is the Main customer with the second customer leasing space.
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan).    I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500.  It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site.  This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
For my test, I am starting simple. I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low). I have anchored this test WLAN to that controller. At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site. I am unable to obtain an IP address from the remote site. I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at and the 2500 is at. What could I be missing?


Cisco VPN :: 876 ISR / Traffic From Easy VPN Client To Remote End Of Site-to-site?

Apr 27, 2011

A user with Easy VPN client connects to a 876 ISR (router A). This router also has a site-to-site VPN to another 876 ISR (router B). What I want to achieve is that the user dials in to router A and can access the network on the remote end of the site-to-site tunnel (router B) In diagram:
user (192.168.18.x) - Easy VPN - Router A (192.168.16.x) - sitetosite - Router B (192.168.17.x)
I have added routes in router B to the 192.168.18.x network with router A as next hop, but I can't reach the other segment.


Cisco VPN :: ASA 5520 - Routing Traffic Between Two Site To Site Tunnels

Feb 24, 2013

I am trying to establish routing between two site-to-site VPN tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
Find attached the network diagram for the same. All firewalls used are Cisco ASA 5520.
Both VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have also enabled the same-security-level intra-interface permit command.
How do I enable traffic originating from LAN subnets behind Point A to reach LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?


Cisco VPN :: ASA 5580 Site To Site VPN With Netgear Established But No Traffic

Mar 24, 2011

I have set up a site-to-site VPN from a Cisco ASA 5580 to a Netgear FVS318v3 using 3DES, MD5, GH 2 and preshared key. My VPN tunnel is always up; I can see on the Netgear and the ASA firewall that the VPN connection is established at both phase 1 and phase 2 level, but sometimes no traffic is flowing through the tunnel. The only way I can see the traffic passing is to reload the tunnel on the Netgear firewall. The configurations on the firewalls are the same.

I can see the requests from the ASA Red_Lan to the server located at the remote site, behind the Netgear firewall, and observe traffic on the ASA, but on the outside/inside interfaces of the Netgear firewall there is no traffic. Is it necessary to configure any other parameters for the VPN?


Cisco Routers :: Routing All Traffic To Vpn Site-to-site With SRP527W

Aug 21, 2011

I'd like to create a site-to-site VPN between an SRP527 and another VPN gateway. The problem is I don't see how to route all traffic from the local network (network defined by the LAN IP interface of the SRP527) to the other VPN gateway. It seems to be only possible to define the destination network (accessible via the VPN) with ip/mask (but only for a "small" network: for example I tried with mask and it's OK but I tried with mask -> it's not working. I obtain the message "invalid ip")


Cisco VPN :: 851 - Configure QOS For Voice Traffic Over Site-to-site VPN Tunnel

Jun 16, 2011

I want to configure QoS for voice traffic over a site-to-site VPN tunnel. I have a Cisco 851 router on the branch end and a Cisco 1800 router at the HQ. The setup is an Avaya Gateway located at the HQ and the idea is that the phones at the branch office are connected over the VPN tunnel to the gateway at the HQ.

I have a 1MB internet link at the HQ from a service provider and 256kbps internet link (from a different service provider) at the branch office. The branch office has just 3 users.


Cisco VPN :: Route Another Subnet Traffic Via Site To Site VPN On ASA 5500

May 7, 2012

I have a functioning site-to-site VPN between two ASA 5505 appliances. Sub-net on one side is (inside I/F) and on the other side is (inside I/F). VPN is built over public Internet (outside I/Fs of those two ASAs).
Now I connected another subnet on - e.g. Traffic from subnet is routed to via Gateway at IP.
My task is to make packets from subnet to go to subnet and vice versa.
I set up a static route on 20.0 ASA's Inside interface as to I also created NAT exemptions for outbound packets from 20.0 to 35.0 and inbound as well. I also added destination network of 35.0 to VPN cryptomap traffic selection (on both ASAs).


SSL-VPN 2000 / TZ100 -Routing Traffic Over Site To Site VPNs

Jun 2, 2013

I'm working with a client who has a site-to-site VPN between the main office and a branch office. The main office is and the branch office is. The issue is when the branch office users use the VPN in they receive a 192.168.200.x address, however, they cannot access a server or any other resources at the branch office.

They have an SSL-VPN 2000 connected to a TZ100 at the main office and a Juniper device at the branch office. I did try setting the Tunnel All mode on the NetExtender but that does not allow me to access the resources at the branch office. Additionally, those users at the main office can access the resources at the branch office without getting on the VPN.


Cisco VPN :: 1841 / 1811 - Site To Site VPN Is Up But No Traffic Gets Through?

Jul 28, 2012

Using the Cisco Configuration Professional software I have created a site-to-site VPN connection (between a Cisco 1841 and 1811). The tunnel appears to be up as far as the routers are concerned, but I am unable to ping anything on the remote networks. I thought route maps may have had something to do with this but I can't see what is wrong with them. Just so you know, the 1841 device already has a functioning VPN tunnel to another site. The peers I am concerned about are 141.0.59.x and 109.238.78.x.


Cisco VPN :: ASA5520 - How To NAT Inbound Traffic From Site To Site VPN

Oct 31, 2011

I have an ASA5520 and need to set up multiple VPNs to some vendor sites. All these vendors are using networks. All have public IPs and very little knowledge so are unable to NAT from their end. The idea is to create some /28 blocks of IPs ( and manage this on our end.
How do I get this to work?
Example (all IPs are fictional):
My side "outside"
Their side "outside"
My side "inside"
Their side "inside" NAT'ed to



Cisco VPN :: 2901 / 2921 / 5505 ASA - Router Versus Firewall Site To Site VPN?

May 30, 2013

I would like to know: both the Cisco 2901 or 2921 router and the Cisco 5505 ASA can build a site-to-site VPN.
1) What is the difference in building a site-to-site VPN between a router and a firewall?

2) Which is the best choice if used in a site-to-site VPN connection?


Cisco VPN :: 5505 Connection To Mapped File Shared Dropping On A Site-to-Site VPN

Nov 27, 2011

We've just deployed a site-to-site VPN using a 5505 ASA on the client's site and a checkpoint Nokia FW on our site. Everything seems to be fine except that the user's connections to their file shares seem to be intermittently dropping. One minute the connection to the shares is there, next thing it's lost. There is no logic to it because no two users are experiencing issues at the same time, as a matter of fact even on the same PC where a user has access to 3 shares on 3 different servers, one could be showing as connected whereas the other two be dropping. [code]
As you can see the Duplex and Speed are set to auto, I've rectified this since then and I'm keeping a close eye on the output errors, and collisions. However, I'm afraid that this did not rectify the issue and the users are still experiencing intermittent connection dropping to their file shares over the VPN!


Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site-to-site VPN with a customer. While collecting the information I gave them our local network subnet, which is a private subnet ( They asked me if I could give them a public address instead. They cannot work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side I believe is a Checkpoint.


Cisco Firewall :: ASA 5505 - Unable To Access Certain Ports Over Site To Site VPN

Jan 16, 2013

We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \ from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable. Modified the command to include the public IP instead of interface FastEthernet0.
I believe it has something to do with the way NAT and route-maps are set up currently but I'm not familiar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes
version 12.4
no service pad



Cisco VPN :: Setup Site-to-Site Connection With 5505 ASA Using IPSec And Isakmp?

Aug 8, 2011

I'm drawing a blank trying to set up a site-to-site connection with a 5505 ASA using IPsec and ISAKMP. I have the pre-shared key as well as the external address of the other end of the tunnel but do not remember what the commands are to set up the crypto map and ISAKMP.


Cisco AAA/Identity/Nac :: ASA 5505 - Procedure For Monitoring Site-to-site VPN Tunnel?

Apr 30, 2012

Need to know the step by step procedure for monitoring site-to-site VPN tunnel (up/down) using SNMP on Cisco ASA 5505. 


Cisco WAN :: 5505 Correct Site-to-site / SSLVPN Security Device

Dec 12, 2012

I have tried Cisco presales but got bounced - go Cisco! So, I have a small customer who requires a single device which will provide...
1/ Leased Line connection @ 10mb
2/ ADSL failover onbox (so configurable from CLI, unlike the 860’s which I see only have one ‘active’ wan port)
3/ IOS based
4/ integrated 4 ports (min) switch
5/ site to site VPN
6/ up to 10 x SSLVPN remote users
I did pitch in with ASA5505 with external ADSL router but he is “space-constrained”. It worries me when Cisco docs say only one WAN port is 'active' - since it doesn't say the second port automatically comes up if the first goes down, so I can't take a gamble on that being the case.


Cisco Firewall :: ASA 5505 Site To Site VPN Route From Multiple LANs?

Dec 19, 2012

I've set up a standard site-to-site VPN between 2 ASA 5505s and the VPN is working fine for traffic between these ASAs and computers which are in the same LANs, but when I'm trying to connect to computers which are in another VLAN I have a problem.


Cisco VPN :: Site To Site VPN IPSEC Tunnel From ASA 5505 To Clavister Firewall

Nov 20, 2012

I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall. When I restart the Cisco ASA 5505 the tunnel is up and down, up, down, down, and I get all sorts of strange messages when I check whether the tunnel is up or down with the syntax: [code]
After a while, like 5-10 min, the VPN site-to-site tunnel is up, and here is the strange thing happening: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505. I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I use this syntax in the ASA: show crypto ipsec sa. They had a Clavister Firewall on that site before and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505. [code]
All these remote networks are at the Main Site Clavister Firewall.


Cisco Routers :: Site-to-site VPN From SRP527W (dynamic IP) To ASA 5505 (Static)

Sep 6, 2011

I have an ASA5505 running which is on a static IP. I have just got an SRP527W for a remote worker and want to create a site-to-site VPN into the ASA. I have a number of other routers of non-Cisco brands which all just dial in and connect no problem.
On other routers I have been able to specify the DDNS hostname in the VPN setup so that the ASA can identify it. I'm not sure how I set up the SRP527 to connect to the ASA.
