Cisco VPN :: ASA 5510 - AnyConnect Users Unable To Access Remote Subnet

Jun 9, 2013

I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
 
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.

View 1 Replies


ADVERTISEMENT

Cisco VPN :: ASA 5510 - AnyConnect Users Cannot Access Remote Office Over Site-to-site

Jul 15, 2012

we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.

Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4

Site A internal: 192.160.x.x     External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x     External: 66.66.666.54(all)

I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?

Here is my NAT config:

nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL

[code]....

View 3 Replies View Related

Cisco :: Users From Remote Access VPN Can't Access Other Subnet

Nov 1, 2011

Based on my diagram, my computer A (192.168.100.11) can ping and access my computer B (192.168.10.14). But, when i'm home and i use remote access vpn (192.168.200.x) in cisco asa 5520 to connect to my computer A is okay. But, when i try to ping my computer B is not okay. I already do the exemption for 192.168.100.x and 192.168.10.x in nat rules for inside interface (192.168.100.2) ...

Should i put routing from outside 1.1.1.2 to 192.168.10.x by using 192.168.100.1 as a gateway?

View 1 Replies View Related

Cisco Routers :: RV220W PPTP Users Unable To Access Subnet Across Tunnel

Apr 21, 2012

I have two offices connected with an IPSEC VPN tunnel using RV220W routers.  The Tunnel works fine for local users between the two sites(Site 1:10.0.0.x; site 2 is 10.0.2.x).  I have also set up PPTP users for remote access.  PPTP users that connect to site 1 cannot access site 2 and vice versa.   The PPTP users have no trouble accessing the resources on the site that they connect to.  I have tried activating RIP and adding various static routes with no success.  If I PPTP connect to site 1 and I tracert to an IP address on site 2 the route goes to the site 1 router and then goes to the internet(connected to the site 1 router) where it stops.

View 2 Replies View Related

Cisco VPN :: 5510 Restrict Remote VPN Access For MAC OS X Users

Feb 12, 2013

I need a way to block MAC OS X users connecting remotely to our coporate users over VPN. I know there is an option to block connections based on VPN client Version, but cant find a way to block users based on operating system.
 
We use Cisco ASA 5510 firewals one with v8.2(1) and other with v7.2(3). I need to do on both firewalls. They are both at diffrent sites.

View 4 Replies View Related

Cisco Firewall :: 5510 Access List For Remote Vpn Users

Apr 5, 2011

How to designate access-list for the remote access vpn users in order to let them access specific subnet or host,asa 5510 and acs is in the picture

View 9 Replies View Related

Cisco VPN :: 5510 Unable To Access Secondary Subnet From VPN Client

Jun 5, 2012

I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.The setup is as follows:

-ASA inside interface on 192.168.10.240
-VPN clients on 192.168.254.x
 
I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet,[code]

View 3 Replies View Related

Cisco VPN :: ASA 5510 - Remote Subnet Group To Access Other Site-site VPN?

Feb 14, 2011

I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.

View 6 Replies View Related

Cisco Firewall :: Unable To Access Remote Network After Connecting ASA 5510 And 5505

Sep 24, 2011

I am using two firewalls to connect two different offices. Firewall 5510 is running ASDM 6.3 and 5505 is running ASDM 6.2, Problem is that even after connecting two sites, i am unable to ping remote network from either side. I am mentioned static route as tunneled.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall

Feb 26, 2013

I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
 
HQ-ASA-01# show  running-config
: Saved
:

[Code]......

View 9 Replies View Related

Cisco VPN :: 5510 Remote Vpn Users Having Address From Pool 2

Apr 5, 2011

can i have 2 pools each with diifferent subnet [code] i wanna put restricution on remote vpn users having address from pool-2,and just give them access to 172.16.10.0/24,is it possible on the asa 5510?

View 7 Replies View Related

Cisco Security :: Disabling XAuth For Remote VPN Users On ASA 5510 Version 7.2(1)?

Jul 1, 2006

how to disable XAuth for Remote VPN users on the ASA 5510 running 7.2(1)? 
 
HPMFIRE(config)# tunnel-group vpn3000 general-attributes
HPMFIRE(config-tunnel-general)# authen
HPMFIRE(config-tunnel-general)# authentication-server-group none
ERROR: The authentication-server-group none command has been deprecated.
The isakmp command in the ipsec-attributes should be used instead.

--[code]....
 
I couldn't find anything under isakmp to disable it. 

View 2 Replies View Related

Cisco Firewall :: ASA5510 / Unable To Establish Remote VPN Through AnyConnect

Mar 31, 2011

We have ASA5510 with version 7.x and asdm 5.X, i upgraded it to 8.3 and asdm 6.2, and i got vpn peers 250 and 2 ssl.when i try to connect through client software , i can see in the logs UDP 500 port is created as shown below.Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500) no other things are going on , and i get error as shown below.
 
Secure VPN Connection terminated Locally by the client
Reason 412: Remote peer is no longer Responding
Connection terminated on.
 
i am suspecting it is VPN-3DES-AES activation key issue.when i go to Remote Access VPN ---Advanced---SSL Seetings--From Left Encryption Panel Available Algorithems i have DES-SHA1 when i try to drag it tto Right panel of Active algorithems it gives me error *** below [ERROR] sl encryption rc4-sha1 des-sha1 The 3DES/AES algorithms require a VPN-3DES-AES activation key and currently in right panel of Active Algorithms i have only RC4-SHA1,

View 4 Replies View Related

Cisco :: ASA5505 - AnyConnect VPN Users Lose Internet Access

May 16, 2012

I am able to successfully connect to my ASA5505 via AnyConnect via a mobile device. Upon doing so, I lose internet connectivity.  My access list appear to be correct to I'm sort of at a loss.

[code]....

View 6 Replies View Related

Cisco Firewall :: 5510 Two Subnet Unable To Talk To Each Other On Same Inside Interface

Mar 8, 2011

I have setup two different subnet 192.168.1.0 and 192.168.2.0 on the same 'inside' interface. They are unable talking to each other. I can ping from firewall to both subnet. Both side unable talking to each other unless I add route on the both side systems.I have added the followings in ASA5510. [code]

View 8 Replies View Related

Cisco VPN :: 5510 Anyconnect Unable To Reach Internal Networks

Sep 18, 2012

I have ASA 5510 and configured client VPN or Annyconnect VPN, when I connect to the ASA remotely using anyconnect I am able to get IP address as configued, from Internal network I can ping and RDP that anyconnect VPN desktop, but the problem is from the remote anyconnect VPN client I am unable to access internal network, when I use ASA packet tracer and check traffic from internal to anyconnect pool of addresses it gives result ok, but when i use packet tracer to check traffic on outside interface from  anyconnect address pool to internal subnet it always gives the packet is dropped at WebVPN - SVC, and I can find any where related configuration for that.

View 5 Replies View Related

Cisco Firewall :: 5505 / How To Give Access To Remote Subnet

Mar 23, 2011

I want to give access to remote subnet on firewall 5505.

Remote subnet is 16x.15X.56.0

Here is my access list

access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.254.0 16x.15X.56.0 255.255.254.0

View 7 Replies View Related

Cisco Firewall :: ASA 5510 Users Are Unable To Pass Traffic When Connected Through Vpn

Sep 12, 2011

I am migrating over from and old PIX to an ASA 5510. After configuring the new device everything else is functional (Internet) but users are unable to pass traffic when connected through the vpn, they are able to authenticate and I see their session connected on the ASDM but no data is passed..[code]

View 4 Replies View Related

Protocols / Routing :: Access Secondary Subnet From Remote Location?

Apr 12, 2011

Main Site allows communication from Remote Site via VPN to Windows ServerMain Site also has a secondary subnet that communicates ONLY through internet but NOT to the Windows Server.Sonicwall 192.168.168.x is main siteRemote Site is 192.168.0.x connecting to Main Site to access shared folders on serverSecondary subnet at Main Site is 192.168.0.x using Windows XP PC's. They are accessing a linux server at 192.168.0.215 which Main Site has no access to.VPN remote ip's are 192.168.0.x - they can successfully access the Windows Server at 192.168.168.100 BUT NOT 192.168.0.215.GOAL: Want to connect Remote Site to Secondary subnetWilling to make router changes or whatever is necessary to get Remote Site to access Secondary Subnet with the only exception that the Secondary Subnet REMAINS.VPN DHCP is turned off but willing to turn it on.Willing to make the Linux Server 'discoverable' on the Windows Server. Don't know linux at all but another co-worker set it up and can make changes.

View 4 Replies View Related

Cisco Firewall :: Access ASA5505 With Telnet Or ASDM From Remote Subnet?

Jul 11, 2012

I have a network with 3 sites that are on different subnets.  Each site has an ASA Right now, I am only able to connect to the ASA that is connected to the subnet I am connected to.I want to be able to connect to the ASA that are on the remote subnets on the address of the inside interface.The sites are connected all together by site-to-site VPN.Is there any way I can achieve that without opening the outside interface directly on the Internet?

View 2 Replies View Related

Cisco VPN :: Does AnyConnect 3.0 Support IPSec Remote-access VPN

Jul 12, 2011

I've read on Cisco AnyConnect 3.0 Q&A that it supports IPSec remote-access VPN: url...I've downloaded and installed AnyConnect 3.0.0629 Secure Mobility Client, but I'm not able to get IPSec VPN working. There's also no option to use PCF files from the previous Cisco IPSec VPN client. How to get IPSec VPN working on AnyConnect 3.0?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Can't Access Server On Different Subnet

Sep 7, 2011

First off, let me preface this by saying that I'm a novice when it comes to firewalls and more specifically, the ASA.  I do however, have an above average understanding of switches/routers.
 
We have an ASA 5510 running 8.3 and recently I've decided to clean up the last admin's mess.  All hosts and servers are on the same subnet, multiple subnets on the same VLAN... and a slew of other problems.  Anyway, I recently placed the IT department on another subnet to test some things out before I migrated other departments to different networks.  Everything seems to be working as it should be with the exception of one of our servers.  The IT subnet is 192.168.150.0/24 and the problem server is on the 192.168.10.xxx network.  I'm guessing the issue lies somewhere in the fact this server does have a static NAT and is accessible from the public.  Let me give you an overview of what our network looks like:
 
ISP ---->ASA----->3750----->2960
 
My workstation is directly plugged into the 3750 switch, and the server is plugged into the 2960.  I'm able to ping this server by both IP and hostname.  However, I cannot access port 80 by IP or hostname.  The users that are on the 192.168.10 and 192.168.11 (sadly both of those are on the same VLAN) network are able to access this server without a problem.  Thinking logically, I thought I would send a packet from my workstation, it would head to the layer 3 switch's VLAN interface corresponding to my subnet, realize the .10 network is directly connected and then forward the packet straight to the server.  However, it doesn't seem to be working that way.  It look like it's being routed to the ASA then being dropped.  I guess there's an access rule or firewall rule preventing me from getting to the server.  Is there a specific part of my config you will need to see...

View 15 Replies View Related

Cisco VPN :: ASA5510 Configured Remote Access To Allow Users Log In Via SSL VPN

Apr 12, 2011

We have a high availability pair of ASA 5510's in Data Centre where we have configured remote access to allow users log in via SSL VPN, now we want to add further security to our environment we are adding endpoint assessment licenses...the question I have would I need two sets of the license ASA-ADV-END-SEC ?
 
I learned the hardway before with ASA SSL VPN licenses breaking other failover pair as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in a HA pair?

View 1 Replies View Related

Cisco Switching/Routing :: 3600 Accessing Wireless Access Point From Remote Subnet

Mar 28, 2013

I recently installed a couple of Cisco Aironet 3600 Series Wireless Access Points at a remote site. While I was at the site everything seemed OK, The clients were able to get connected to the access points, the guest network worked fine, I could SSH into the access points, and I could ping them. The problem is when I went back to my home site I tried to SSH into the access points through an ASA IPSec VPN Tunnel and it couldn’t find it. When I try to ping the access points they “time out”. I can ping and connect all other addresses (via RDP, HTTP, etc..) on the same subnet which should rule out an access list problem. A couple of notes to be aware of:
 
The WAP’s have the Autonomous IOS installed (Version 15.2(2)JB) The WAP’s are connected to Dell PowerConnect 5724 (Not by choice.. We are a Cisco shop, these were already there and have plans this year to replace) 

I can ping and SSH with Putty to the WAP’s from the local subnet I cannot ping or SSH from a remote subnet to the WAP’s. I can access all other IP’s and Computers from a remote subnet.

View 12 Replies View Related

Cisco Firewall :: ASA 5510 - Setting Up ACL To Permit Access Only To The Nat Subnet?

Apr 9, 2012

setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
 
permit ip any "Nat_subnet"
 
After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration.

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242

[code].....

View 3 Replies View Related

How To Force Users To Log Off And Access Remote Desktop Computers

Mar 16, 2011

I was trying to access some computers in network via remote desktop. All those computers had been used by other staffs.What I noticed that, for some computers I can access via remote desktop by forcing them to log off (people who were using the computers)But for some computers, I got the message similar to "user is currently logged onto the computer, you are not allowed to connect"I want to force them too and access these computers. How I can do it?

View 6 Replies View Related

Cisco WAN :: 6500 - Remote Vpn Users Cannot Access Webserver Locally

Sep 14, 2011

I configurated ipsec remote vpn at catalyst 6500.
 
192.168.14.0/24-- my servers are assigned this subnet
vpn user:10.10.10.0/24
192.168.10.229  ----  webserver ip address

[code]...

View 3 Replies View Related

Cisco :: ASA 5505 Series / Unable To Access New Subnet

Dec 7, 2011

I am working on a site that has recently added a new subnet and I am unable to ping any of the stations on this new network. I have configured an Exempt NAT rule just the same as the rules allowing access to other networks. I have a feeling the problem is in the Site-to-Site VPN configuration since the new subnet is at the primary location over the VPN.
 
In the site-to-site configuration I added the new subnet to the list of "Remote Networks" and I still can't communicate with any of the devices on the network. If I go to the main site I have no problems so it appears to be related to the VPN or a configuration in the ASA on that site.
 
A port scan shows that all the traffic is "filtered" so somewhere either the site ASA or the main ASA is blocking the traffic.

View 7 Replies View Related

Cisco VPN :: ASA 5510s / Remote VPN Users Need To Access Networks Connected By Static VPN

Oct 23, 2012

I have five (5) sites all connected via static VPN tunnels.  They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site, because of the static VPN tunnels.  I have the external IP (routeable) addresses connecting to each other.

Site A: 10.1.0.0 /24
Site B: 10.2.0.0 /24
Site C: 10.3.0.0 /24
Site D: 10.5.0.0 /24
Site E: 10.10.0.0 /20

I have remote users who connect using Cisco AnyConnect 3.1 to Site E.  They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good.No management wants users to access devices within the other sites, specifically Site A using teh same AnyConnect connection.  In other words, they get an Ip address of say, 10.10.100.5 and now need to access a server on Site A's subnet or 10.1.0.5.I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following:  Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0 What am I missing?  Is there a NAT statement that is wrong, or an access-list statement or possibly a static route?

View 10 Replies View Related

Cisco VPN :: Asa 5510 Allow AnyConnect Clients Access To Only Few Servers

Jun 26, 2012

We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect.

View 1 Replies View Related

Cisco VPN :: ASA 5510 - Allow AnyConnect Clients Access To Only Few Servers

Mar 19, 2012

We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect.

View 4 Replies View Related

Cisco :: 5510 - VPN Users Needs Access To All L2L Segments

May 17, 2013

Client has a Cisco ASA 5510 with 4 L2L VPN's all using 5505's
 
The L2L connect to the "outside" interface as do the VPN Users (I'm leary of this
 
The VPN Users need access to the "inside" networks and all L2L subnets.
 
The VPN User has its own subnet (192.168.168.0/24( seperate from the Local LANs (172.16.0.0/16)
 
When the Users VPN in they can get to all the subnets connected to the inside interface but none of the L2L subnets
 
I have verified that the UserVPN Subnet is in the crypto acls and in the route statements of all L2L 5505s

View 3 Replies View Related

Cisco Wireless :: AP1261N - Unable To Access Bvi Interface From Different Subnet

Apr 23, 2013

I can't access the bvi interface I use to manage the AP1261N from an IP address that is not in the same subnet of the bvi interface. The AP is configured as root bridge. Obviously I've the same behaviour for the non-root AP connected to it. For sure it's an ap configuration problem as other devices in the same vlan (vlan1) are reachable by the vlan I'm connected to. This is the conf:
 
version 15.2
no service pad
service timestamps debug datetime msec

[Code].....

View 13 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved