Cisco VPN :: ASA 5505 / Site 2 Site VPN With Backup Peer Not Able To Send Traffic
Mar 13, 2011
I have 2 ASA 5505 Firewall, I Configured Site 2 Site VPN no both the fitrewall, as i have a dual ISP, i am able to create the tunnel with primary but once my primary is down i am not able to create the tunnel with back up ISP. During the troobleshoothing by typing Show isakmp sa and Show ipsec sa, i can see my tunnel is up, but not able to decap the packets.
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External allow ip any any allow tcp any any allow udp any any default deny
[code].....
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External allow ip any any allow tcp any any allow udp any any default deny
[code]....
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.
I do have a 5505 up and running, and passing data... url...Now I am trying to get a IPSEC VPN tunnel working.I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned: name 10.0.0.0 Eventual (HQ Site behind Firewall)name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.20 9. 0.3) On a ping to the HQ network from behind the ASA, I get port map translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work. [code]
I've setup a site-to-site vpn between 2 5505s, with 1 subnet per site directly behind the ASAs.The VPN establishes connection successfully, but i can only access resources from site2 to site 1. E.g. I can ping or rdp from a server in site2 at IP 192.168.3.250 to a site1 server at IP 192.168.10.250. I cannot make the opposite connection, i.e. 192.168.10.250 to 192.168.3.250.
I have a ASA 5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.
Secondly request also they need failover over the ISP link.
With à customer we have à site to site VPN connection. In this tunnel there is one subnet routed with a 3des-sha encryption / hash. Now the want to add a new subnet in this tunnel, but with a AES-128 / MD5 encryption / hash. Is it correct if we make a new crypto map with a higher seq. number?
cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.
i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?
We are attempting to implement a VPN configuration using an ASA 8.02 at a Central site which terminates remote site VPN connections from IOS routers (12.4), using static crypto maps. We have a functional configuration, but looking to implement a backup site-site configuration on the ASA, using different service providers. The observation is that as soon as i add the 'connection-type originate-only' to the crypto map on the ASA, the tunnel is fatally broken. As soon as statement is removed the tunnel comes is restored. just wanted to confirm that the 'connection-type originate-only' configuration on the Central ASA is supported with the Cisco IOS peer. Documentation seems to indicate there is some sort of proprietary exchange that is supported only between ASA peers.
I have some challenges with a VPN config I recently setup for a client.I have at the HO the following:
- 1800 router - Avaya phones and Gateway - 1MB radio internet access
At the BO(branch office), i have:
- 871 Router - Avaya phones - 256k internet bandwidth
The only reason we setup the VPN in the first place was for the phones at the BO to be able to connect to the gateway at the HO and also able to make calls and receive calls as if the phones were at the HO.The phones at the BO successfully register to the HO, but are unable to recieve calls and dial out. Everytime I try to make a call, the phone displays a "connecting..." message. [code]
All have a Security Association Lifetime (Time) of 8 hours. All have a Security Association Lifetime (Traffic Volum) of 4608000 KiloBytes.
We have an issue when we do Oracle logshipping between the sites.
This triggers the Traffic Volume rekey as can be seen by this entry in the logs: -
%ASA-7-702307: IPSEC: An inbound L2L SA (SPI= 0x169FA1C1) between and (user= ) is rekeying due to data rollover.
However it does not appear as if the renegotiation is occurring properly. Within 10 to 15 minutes data stops being transmitted along the link, even though the IPSec tunnel still appears up in the ASDM GUI.
The 'fix' for this is that we are using is to login to the ASDM GUI and bounce the link by going to Monitoring => VPN => VPN Statistics => Sessions => IPSec Site-to-Site. Then select the appropriate VPN tunnel and click on 'Logout'. This forces a link renegotiation which works fine.
I have attached a logfile from the local ASA (there's nothing in the logfile of the remote ASA until we bounce the VPN tunnel).
At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG). In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG". None of the SSIDs are "anchored".
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs. This site contains two customers. One customer is the Main customer with the second customer leasing space.
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan). I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500. It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site. This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
For my test, I am starting simple. I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low). I have anchored this test WLAN to that controller. At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site. I am unable to obtain an IP address from the remote site. I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at 7.0.220.0? What could I be missing?
A user with Easy VPN client connects to a 876 ISR (router A). This router also has a site-to-site VPN to another 876 ISR (router B). What I want to achieve is that the user dials in to router A and can access the network on the remote end of the site-to-site tunnel (router B) In diagram:
user (192.168.18.x) - Easy VPN - Router A (192.168.16.x) - sitetosite - Router B (192.168.17.x)
I have added routes in router B to the 192.168.18.x network with router A as next hop, but I can't reach the other segment.
I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
find attached Network Diagram for the same. All Firewalls used are Cisco ASA 5520.
Both VPN tunnels between Point A and Point B, Point B and Point C too are up. I have enabled Same security level intra interface permit command also.
How do i enable traffic originating from LAN Subnets behind Point A to reach LAN Subnets behind Point C without having to create a Seperate tunnel between Point A and Point C
I have set up a site to site VPN from a Cisco ASA 5580 to a Netgear FVS318v3 using 3DES, MD5, GH 2 and preshared key, My VPN Tunnel is always up, I can see on the netgear and firewall ASA that the connection VPN is established at both phase 1 and phase 2 level, but no traffic is flowing through the tunnel sometimes. The only way I can see the traffic passing, it is reload the tunnel on the firewall netgear.the configurations on the firewalls are same.
I can see the requests of the ASA Red_Lan to server located at the remote site, behind the Netgear Firewall and observe traffic on the ASA but on the outside/inside interfaces of the firewall Netgear there are not traffic. Is necessary to configure and others parameters for VPN?
I'd like to create a site-to-site vpn between an SRP527 and an other vpn gateway. The problem is i don't see how to route all traffic from the local network (network defined by the lan ip interface of the SRP527) to the other vpn gateway? It seems to be only possible to define the destination network (accessible via the vpn) with ip/mask (but only for "small" network: for exemple i tried with 10.2.0.0 mask 255.255.0.0 and it's ok but i tried with 10.0.0.0 mask 255.0.0.0 -> it's not working. I obtain the message "invalid ip")
I want to configure QoS for voice traffic over a site-to-site VPN tunnel. I have a Cisco 851 router on the branch end and a Cisco 1800 router at the HQ. The setup is an Avaya Gateway located at the HQ and the idea is that the phones at the branch office are connected over the VPN tunnel to the gateway at the HQ.
I have a 1MB internet link at the HQ from a service provider and 256kbps internet link (from a different service provider) at the branch office. The branch office has just 3 users.
I have a functioning site-to-site VPN between two ASA 5505 appiances. Sub-net on one side is 192.168.20.0/24 (inside I/F) and on the other side is 192.168.30.0/24 (inside I/F). VPN is built over public Internet (outside I/Fs of those two ASAs).
Now I connected another subnet on 192.168.30.0/24 - e.g. 192.168.35.0/24. Traffic from 192.168.30.0 subnet is routed to 192.168.35.0 via Gateway at 192.168.30.250 IP.
My task is to make packets from 192.168.20.0 subnet to go to 192.168.35.0 subnet and vice versa.
I setup a static route on 20.0 ASA's Inside interface as 192.168.35.0 255.255.255.0 to 192.168.30.250. I also created NAT examptions for outbound packets from 20.0 to 35.0 and inbound as well. I also added destination network of 35.0 to VPN cryptomap traffic selection (on both ASAs).
I'm working with a client who has a site to site VPN between the main office and a branch office. The main office is 192.168.200.0/24 and the branch office is 192.168.1.0/24. The issue is when the branch office users use the VPN in they receive a 192.168.200.x address, however, they cannot access a server or any other resources at the branch office.
They have a SSL-VPN 2000 connected to a TZ100 at the main office and a Juniper device at the branch office. I did try setting the Tunnel All mode on the NetExtender but that does not allow me to access the resources at the branch office. Additionally, those users at the main office can access the resources at the branch office without getting on the VPN.
Using the Cisco Configuration Professional software I have created a site to site VPN connection (between a cisco 1841 and 1811).The tunnel appears to be up as far as the routers are concerned, but I am unable to ping anything on the remote networks. I thought route maps may have had something to do with this but I cant see what is worng with them.Just so you know, the 1841 device already has a functioning VPN tunnel to another site. The peers I am concerned about are 141.0.59.x and 109.238.78.x.
I have an ASA5520 and need to set up multiple VPN's to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IP's and very little knowledge so are unable to NAT from their end.The idea is to create some /28 blocks of IP's (172.29.0.0/28) and manage this on our end.
How do I get this to work?
example: (all IP's are fictional) tunnel1 VPN My side "outside" 10.10.10.10 Their side "outside" 20.20.20.20 Networks My side "inside" 172.30.30.0 Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28
We've just deployed a site-to-site VPN using a 5505 ASA on the client's site and a checkpoint Nokia FW on our site. Everything seems to be fine except that the user's connections to their file shares seem to be intermittently dropping. One minute the connection to the shares is there, next thing it's lost. There is no logic to it because no two users are experiencing issues at the same time, as a matter of fact even on the same PC where a user has access to 3 shares on 3 different servers, one could be showing as connected whereas the other two be dropping. [code]
As you can see the Duplex and Speed are set to auto, I've rectified this since then and I'm keeping a close eye on the output errors, and collisions. However, I'm afraid that this did not rectify the issue and the users are still experiencing intermittent connection dropping to their file shares over the VPN!
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes ! version 12.4 no service pad
im drawing a blank trying to setup a site to site connection with a 5505 ASA using ipsec and isakmp.i have the pre shared key as well as the external address of the other end of the tunnel but do not remember what the commands are to setup the crypto map and isakmp.
I have tried Cisco presales but got bounced - go Cisco !So, i have a small customer who requires a single device which will provide .....
1/ Leased Line connection @ 10mb 2/ ADSL failover onbox (so configurable from CLI, unlike the 860’s which I see only have one ‘active’ wan port) 3/ IOS based 4/ integrated 4 ports (min) switch 5/ site to site VPN 6/ up to 10 x SSLVPN remote users
I did pitch in with ASA5505 with external ADSL router but he is “space-constrained”.It worries me when Cisco doc's say only one WAN port is 'active' - since it doesn't say the second port automatically comes up if the first goes down so I can't take a gamble on that being the case.
I've set up a standard site-to-site VPN between 2 ASA 5505s and the VPN is working fine for traffic between these ASAs and computers which are in the same LANs.but when I'm trying to connect to computers which are in another VLAN I have a problem.
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: [code]
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505. [code]
All these remote networks are at the Main Site Clavister Firewall.
I have an ASA5505 running which is on a static IP. I have just got an SRP527W for a remote worker and want to create a site-to-site VPN into the ASA. I have a number of other router of non-cisco brand which just all dial-in and connect no problem.
On other routers I have been abloe to specify the DDNS hostname in the VPN setup so that the ASA can identify it. I'm not sure how I setup the SRP527 to connect to the ASA.