Cisco VPN :: ASA 5505 - Unable To Access Company LAN
Oct 24, 2012
I have an ASA 5505 that I have been using to test run the IPSec VPN connection. After studying the different configs and running through the ASDM, I keep getting the same issue: I can't receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network, I have placed the VPN clients in 192.168.10.0 255.255.255.0 network, the 192 clients can't talk to the 10.8 network.
On the Cisco VPN client I can see lots of sent packets but none received.
I think it could be to do with the NAT but from the examples I have seen I believe it should work.
I have attached the complete running-config, as I could well have missed something.
FWBKH(config)# show running-config
: Saved
:
ASA Version 8.2(2)
Basically we have 5 users in one of our offices and the internet works completely fine. However we cannot access the company Intranet. We receive 'The page cannot be displayed'. I have no idea why because all other sites work okay! Note: The Intranet can be accessed from home and libraries as I have checked, as well as 2 offices we have, everything works fine. It's just the one office and everything else works fine.
I have just moved and my ISP is the same (Comcast) but I'm in a different region of the country. The former service (modem) was a Cisco (1 port) that I connected my EA 2700 Cisco router to and it worked like a charm. My IP phones came right up as well. Now I have a modem/router combo (provided by my ISP) and whenever I attempt to connect to my VPN it will give me an error and not connect. I was told by my ISP that I could bridge the router and try that way. Do I need to set up all over again? Or have the settings remained? Also I am unable to access my router with admin/password. How do I reset the password?
We have 25 remote sites that use MPLS back to the company HQ that has one connection to the internet. Also at the HQ we have a separate ISP connection. The remote sites and HQ have APs which provide internal company access. We would like to have a separate Guest WLAN at these remote sites to provide access to the ISP connection at the HQ's. Do we need to have an anchor controller? From documentation I have been reading it looks like anchor controllers are mostly used for networks that have a single connection to the internet and they use the FW to control/secure the guest and company network from each other. Is there a different way of separating the guest wireless and company wireless network securely from each other but use the same WLCs and APs?
I have an ASA 5505 which is unable to access the internet, even when reloading just the basic config. If I set up my laptop with the outside IP or another IP in the subnet, it does work.
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B
Ping is successful from user B to user A, data is accessible
After done the packet tracer from user A to user B,
Result : Flow-lookup Action : allow Info: Found no matching flow, creating a new flow Route-lookup Action : allow Info : 192.168.5.203 255.255.255.255 identity
I have config ASA 5505 and it is connected to layer 3 switch that connects to cable Modem.
ASA is config with DHCP option and PC is able to get the IP from ASA. But from PC i am unable to access the internet. From ASA itself i am able to ping the Websites fine.
ASA has config with DHCP for inside and also it is doing NAT.
When i connect the ASA directly to Cable modem then pc is able to access the internet.
I am trying to "build up" a small home network and using some of the following Cisco equipment:
ASA 5505 v8.4.3 with base license, Cisco Catalyst 3750G with ipservices version 15.0.x and 1 qty of AP1142N. I am not able to get internet access from any VRFs.
From "MILAN (LAN) VRF, I am able to ping my gw: 10.45.45.1 but I am not able to ping for example: “linknett VRF”.
It seems that i am missing some NAT rules on ASA or ?
If i connect my laptop directly to the ASA, i am able to get internet access!
I am not feeling comfortable with the new ASA 8.4 code yet, so I'm not so sure exactly which code I am missing on the ASA ...
Attached diagram including configuration files from ASA and 3750 sw.
I am working on a site that has recently added a new subnet and I am unable to ping any of the stations on this new network. I have configured an Exempt NAT rule just the same as the rules allowing access to other networks. I have a feeling the problem is in the Site-to-Site VPN configuration since the new subnet is at the primary location over the VPN.
In the site-to-site configuration I added the new subnet to the list of "Remote Networks" and I still can't communicate with any of the devices on the network. If I go to the main site I have no problems so it appears to be related to the VPN or a configuration in the ASA on that site.
A port scan shows that all the traffic is "filtered" so somewhere either the site ASA or the main ASA is blocking the traffic.
I have a Cisco ASA 5505, with basic 50 license, that is connected directly to the Cable Modem with a public IP. I have VPN configured and active on the Outside interface. When we connect, we connect just fine with no errors, but we are not able to access any resources on the remote network.
ASA IOS version 8.2(5) Remote Network IP: 10.0.0.0/24 VPN IP Pool: 192.168.102.10 - 25
How does one configure the router so that Internet users can access internal company websites? The only thing that appears is the Cisco router login. Also I need to configure Terminal Services and its not on the list under Service.
I am having issue with network connectivity between remote access (RA) VPN users and remote site VPN hosts.
Topology is: RA VPN laptop (192.168.200.3 /24) ---- internet ---- Head Office (ASA5505) -- LAN subnet 10.0.0.0 /24
SiteB (10.0.10.0 /24) ---- internet ----- Head Office (ASA5505) ---- LAN subnet 10.0.0.0 /24
From head office there is no issue communicating with RA VPN and Site B hosts, but Site B hosts and RA VPN users cannot communicate with each other at all (ping failed too).
Site B is using Cisco 867 router with IPSEC VPN to the ASA5505 at head office. I have added the ACL on this router to access 192.168.200.x /24 for VPN traffic and exempt from NATing. When I enabled 'drop log' in the class-map in the Zone based firewall config, I could not see any ping packet come in, so I believe the issue is at ASA5505 config.
At ASA5505 I use split VPN tunnel ACL and have included the subnet for 10.0.10.0/24 as well as 192.168.200.0 /24. This split tunnel ACL are applied to both the IPSec VPN tunnel and also the RA VPN group policy. The ASA is using sw version 151-4.M5.
I have an issue that I am at a loss as how to solve. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their Outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use Windows Live to access Gmail are unable to send messages.
I have narrowed it down to the fact that these users are using SSL/TLS to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and I still have the problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
I am using two firewalls to connect two different offices. Firewall 5510 is running ASDM 6.3 and 5505 is running ASDM 6.2, Problem is that even after connecting two sites, i am unable to ping remote network from either side. I am mentioned static route as tunneled.
We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \\192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are set up currently but I'm not familiar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes ! version 12.4 no service pad
I recently changed webhosting partners for my company's website. With the Change I can view my company's website from inside the LAN but can outside of the LAN.
I am running a smaller hosting company and i am currently looking at a Cat6506 switch with a SUP720 Supervisor Engine. I have also been looking at a Cat6509 with a SUP2-GE Supervisor Engine. At the moment i am getting my connection from a ISP but i am going to get my own BGP AS now.. My question is just, how much will the SUP720 be able to route, and how many routes will i need to get it to route my packets in and out of my AS? I have seen that the full BGP table is over 400,000 and the SUP720 is only capable of 256,000, but do i really need the full table? I
major differences between the SUP720 and SUP2-GE Supervisor Engines?
By default SBS 2011 places a shortcut on the desktop to companyweb and adds shortcut in the start menu under Windows SBS to companyweb as well.
I found the instructions to edit out the xlm file for SBS 2008 to prevent this from happening but that does not work with SBS 2011 as I do not see those settings.
I did also find the login script for SBS 2008 settings to remove those after the fact all of the time and that is easy enough to change to make it work with SBS 2011; but I would much rather just prevent the shortcuts from being placed in the first place.
Nowadays my Company works with autonomous APs (AP1142 most of them). We have a WLC 5008 and I am working on the implementation project... So far so good. BUT, I have just realized that the Company didn't buy a second WLC (this project started 1 year ago and I wasn't an employee here yet...). If I transform all autonomous APs we have (around 25, locally and some of them remote)... And then if I have a HW problem with our single WLC... will those APs continue working?
I need to use the company laptop to connect to home broadband. However, when it is connected, it shows "no or limited connectivity". All the other laptops/computers at home can connect without any problem. When I try to use my iPhone as a hotspot, my company laptop can connect and browse websites (but extremely slow because it is 3G speed).
I'm no network security expert but have been asked to "investigate" someone who has been connecting their personal laptop to the company network and using our internet to do "questionable" activities.
Basically I have this information taken from our domain controller's logs:
- DHCP address that was leased to the laptop at the time of the "infractions".
- Computer name of the laptop.
- Precise date and time of when this person was connected to our network.
Based on the DHCP address, I can somewhat narrow it down to a few different switches at different locations in the building, but there's no way to pinpoint it exactly. If I can figure out which switch they connected to, I would know who did it.
I am going crazy with our Cisco Linksys RV016. It handles 3 simultaneous connections to the internet using 3 ISPs. All our company goes to the internet using this Cisco Linksys RV016, our corporate switches are connected as clients to the router. Some time ago, this router started to drop POP3 connections to our network. When this problem is present, all users get Receiving' reported error (0x80042108) in Outlook 2007-2010. Currently I have set up the POP3 service to use the First ISP connection, but when this problem is present, the only way to eventually resolve it is to switch the POP3 Service link from the First to the Third ISP. Sometimes it works immediately, sometimes it doesn't. We have been using this router since 2007 but this problem started to arise this month.
Our switch is the latest firmware available is Cisco website, this is the Firmware Version: 3.0.2.01-tm.
how can I configure a Catalyst 3750, which interface is patched on the ISP router (internet uplink bandwidth = 20Mbps with) to allow all active users are sharing the bandwidth (either 5, 50, 100, user simultaneously..in internet surfing. right now it's like when a user starts a larger download that it uses the bulk of the bandwidth, and other users can reach all remaining extremely slow access times.
I have a ASA 5520 upon which I need to build a WebVPN for the company urls - webmail, intranet portals etc. There will be 2 groups -
a. Confidential Access - For senior management. b. Public Access - For employee access.
RSA Token & LDAP auth would be used for access to the WebVPN. However, I am unclear on certain aspects. How do I isolate the 2 groups? I mean only Senior management should be able to view & access the first set of links while employees see and access the other set of links only. Both the groups will be available to all users logging on to the WebVPN. Since the authentication mechanism - LDAP - is the same, anyone would be able to access the groups and in turn, URLs.
we wish to implement IPSec remote access vpn with the condition that employees should be able connect to this vpn only from company issued laptops and not from any other computers. I assume using client side certs is one of the ways to do it but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520)
i wanted to know if i could setup a netgear wireless router to my ethernet cable that is coming out of the wall. is it as easy as plugging the cable coming out of the wall into the internet port on the router?
I've studied and labeled out MPLS and MPLS VPNs several times. The situation I'm presented with is a little different from most of the case studies I've seen in my MPLS books. I've attached a diagram.
We have an IPsec site to site tunnel from our main HQ router to a Cisco ASA 5510 in the core network in the colo. This allows our HQ office to reach the private subnets in our core without using a Cisco VPN client. The problem we are running into is that this seems to be putting undue strain on the Cisco 2811. I feel like the 2811 should be able to handle it but doing any kind of upload or download through the tunnel spikes the CPU/Interrupts and makes the router CLI basically stop responding until the traffic transfer is stopped or completed. During this time, certain Cisco SCCP phones on our Broad works platform cycle while the SIP phones on the same platform are OK. We are trying to alleviate the load on the 2811 by setting up a VRF from the HQ network to the private VRF used in the Core for private subnet communication. The problem I'm having is that the HQ also has some public traffic that I do not want to include in the VRFs and would like to have it travel through the P2P circuit we have and access the internet or other public devices through the core public IP Internet routing table.
The flow would be this: -going to a public address use the public internet routing table -going to private address in the 10.x.x.x or 172.x.x.x - use VRF to core Private network.
This is a little different of a set up from most of the VRF VPN examples I've seen. Most of those the CE devices is completely private. This is not the case at our HQ.
I would like to know the basic configurations for Win Server 2008 Standard for a small office (60 clients) The company has a Sales, HR, warehouse, and Accounting, and VPN for some sales, what configuration do you recommend me for each area? Right now my server has DHCP, DNS, and AD (do I need to install any other role?), Also what other configuration do I need in order to control my clients and users, and for security? how can I make the clients to save their files in my server? or make a copy of their files from their computers to my server? Any information for security? in my server or Router?
Like the title says, I just want to know all the configurations needed in a network for a small company.
I have a company issued laptop with a VPN client in it. I use that laptop and that VPN client to logon to the company network. How can I install the same VPN client in my personal laptop and dial to the company network?