Cisco VPN :: ASA 5510 - Anyconnect Connects But Won't Pass Traffic?
Aug 11, 2011
I am trying to use a ASA 5510 with AnyConnect as an in-line SSL VPN device. I have a separate firewall that NAT's 443 to the inside IP of the ASA, which is the only configured interface on the ASA. I can connect to the ASA from the WAN just fine and the AnyConnect client connects just fine, I get an IP lease across the VPN on my LAN, all looks well. The problem is that I cannot pass any traffic. The only device on my LAN that I can ping is the ASA, nothing else including the default gateway is accessibe. I have setup a static route on the ASA pointing 0.0.0.0 0.0.0.0 to the LAN gateway, but no dice.
View 1 Replies
ADVERTISEMENT
Apr 29, 2011
A former coworker of mine setup VPN capabilities to our office network shortly before he left. It is no longer working. We can connect to VPN but I'm not able to ping any devices on the remote network or Remote Desktop to any of the server. After 30 minutes, the VPN connection drops. I have attached our ASA 5505 config to assist in troubleshooting.
View 3 Replies
View Related
May 2, 2011
I setup the ikev1 client and can connect but I can't pass traffic either way. I have tried icmp, port 80, smb etc... here is my config: ........
View 9 Replies
View Related
Sep 13, 2011
We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.We have 1 customer that we have some issues with. We can connect from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. What could cause this issue?
View 3 Replies
View Related
Mar 10, 2013
We have a small cisco 1800 series workgroup router that seperates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and server vlan on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop vlan and 1 for the server. Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.
View 2 Replies
View Related
Sep 12, 2011
I am migrating over from and old PIX to an ASA 5510. After configuring the new device everything else is functional (Internet) but users are unable to pass traffic when connected through the vpn, they are able to authenticate and I see their session connected on the ASDM but no data is passed..[code]
View 4 Replies
View Related
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
View 4 Replies
View Related
Jul 9, 2011
I can telnet to the router and ping places on the inside and outside. However when I connect a laptop to the inside interface I can ping to the outside for a bit but can't open a web page and then connectivity is gone all together. At first I thought it was a NAT issue but I know I am good on that front. I have attempted to change the speeds and duplex settings on the outside interface but it does not seem to work. Again if I take the cable from the outside interface and plug it into a laptop it works fine. The thing that makes me wonder is why can I connect to the outside interface and configure it just fine?
View 4 Replies
View Related
Jan 25, 2013
I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]
View 6 Replies
View Related
Jan 7, 2011
A PC connected to a Cisco 877 router and 877 router is connected to another router (7301) via GRE tunnel,Cisco 7301 router is a NAS server and is being used as a PPPOE server.If user create a PPPOE connection on his computer and dial with a username/pass we want to send the PPPOE traffic to 7301 router, so 877 router should pass the PPPOE traffic to 7301 and user will be able to connect,User -> 877 -> 7301(PPPOE server).
View 4 Replies
View Related
Nov 15, 2011
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248ASA5505(config-if)# no shut
[Code]....
Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
View 5 Replies
View Related
May 6, 2008
i read cisco document:[URL] pptp client is in inside,pptp server is in outside.when i donot use firewall, the pptp connection can establish successfully.but use pix 525 7.0(7) i config:
inspect pptp.
pptp connection cannot setup.
show connection in pix:
pptp tcp 1723 is ok.
gre connection only one "E" flag, E means 'outside back connection'.i try second method:delete 'inspect pptp',permit tcp 1723 and gre traffic from outside to inside, and i have config static nat,but the pptp connection cannot work too.so i think there is a pptp bug exist in pix 7.0(7).
View 5 Replies
View Related
May 28, 2013
I have a 7206 VXR router between a several Mikrotik routers on our backbone. We have the Mikrotiks on both sides of the CIsco 7206VXR setup for MPLS/VPLS. I need to simply setup the 7206 to pass the MPLS/VPLS tagged packets to the next router on the link. We are using OSPF as the routing protocol. I am told by our Mikrotik guy that I just need to enable LDP and VPLS tunnels 4:0 on the 2 gig interfaces on the 7206VXR to let it pass the MPLS/VPLS traffic. It sounds simple but I'm not sure how to do this.
Any commands I need to imput to allow this router to pass this MPLS/VPLS traffic.
View 1 Replies
View Related
Mar 20, 2013
How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.
View 3 Replies
View Related
Mar 7, 2012
we have a Cisco 3825 router which does not work well with a DSL modem(ISP provided). I have configured the Gi0/0 port of the router to plug into this DSL modem but it does not ping to the ISP gateway. If we do a shut/no shut on the interface then it work fine for about 30 secs. Sometimes even for 1 hr. Then the packets drop and we cannot pass any traffic through this interface.
Now, if the ISP connection is terminated on a computer it works fine. It works fine without dropping any packet.I have tried various options like using a straight/cross cable. I have tried to configure the interface negotiation for 100/full, 100/half, auto/auto and almost all the options.I have also tried to interconnect the devices using a L2 device like a HUB. Nothing works.
View 5 Replies
View Related
Jan 11, 2013
I recently upgraded from a Cisco 3900 series router to a Cisco ASR1k router. Since the upgrade, I have internal clients who claim they cannot connect to external VPNs. These internal clients are behind a NAT that routes a public IP address to a group of clients with private IP addresses.
How can I ensure that all VPN traffic is able to pass through the NAT?
View 2 Replies
View Related
Jan 17, 2013
[OK] Site to Site IPSec + GRE = success, no problems.
[OK] IPSec remote access = success, no problems.
[NO] SSL VPN = remote users can successfully connect to all internal systems. Cannot pass traffic to the Internet.
Hardware:
Cisco 2811, Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3) . Software: Cisco Any Connect Secure Mobility Version 3.1.01065
Single hub router terminating IPSec+GRE site to site, IPSec remote access, and SSLVPN remote access VPN services. All services currently configured and running successfully with the exception of the SSLVPN service. Remote users can initiate and successfully establish SSL VPN sessions. While established, connectivity to all internal systems/resources are successful. Only when the remote access client tries to connect to "Outside" Internet resources does traffic not pass successfully. Troubleshooting has pointed to a NAT related issue (I believe).
When connecting from a remote access workstation, utilizing IPSec remote access client (built-in Cisco IPSec client from Mac OS), the session establishes and the client works flawlessly. Examining the Cisco 2811 router, you see the /32 host route from the remote access session get installed, and you see the corresponding NAT translation entries created when the client accesses outside (Internet) resources. Appropriate configuration to implement "hair pinning" have been included to handle the in and right back out (with NAT translation) needed for remote clients to access the Internet.
Configured the 2811 for SSL VPN, and remote access clients can successfully connect and access all internal network resources. Examining the Cisco 2811, the /32 host route for the remote access client is installed, pointing to SSLVPN-VIF0 interface with a next hop of 0.0.0.0 When checking the NAT translation table, there are NO entries for the remote access client address created which leads me to believe the hair pinning/NAT function is not being invoked for SSLVPN clients.
Originally, the IPSec remote access VPN local pool was 10.0.100.0 /24. To keep from having to adjust the existing NAT translation, PBR Route-MAP for the hair pinning function - I took the 10.0.100./24 and broke it into a pair of /25 networks. Bottom half for the IPSec remote access VPN pool (10.0.100.0 /25); upper half for the SSL VPN pool (10.0.100.128 /25). By utilizing SSL VPN, is the traffic somehow bypassing the DIALER1 interface where both the crypto map (and more importantly: IP NAT OUTSIDE, and PBR configuration for the hair pinning function)? I cant explain why NAT translation entries are not being created for SSLVPN client sessions.
Cisco 2811 Configuration has been included. IPSec & SSL VPN Remote Access Sessions Captures (performed from same remote client) have been included.
View 2 Replies
View Related
Jul 14, 2011
I cannot telent to 1941 router from a Window 7 PC and I can a Window XP PC. Telnet is enabled on Win 7 PC. I upgraded 1941 to latest IOS.Compters running Windows XP can telnet to router and hit the internet. Computers running Windows 7 cannot hit the internet. I replaced the 1941 with a 1760 router and Win 7 computers can telnet to router and hit the internet. I used the same config from the 1941 on the 1760.
View 5 Replies
View Related
Mar 1, 2011
I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
View 1 Replies
View Related
Jun 20, 2011
I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .
View 1 Replies
View Related
Aug 6, 2011
Just setup a site to site vpn between 2 ASA 5520 Firewalls in two locations but vpn doesn't work even though i see phase 2 completed on the logs. I can't ping across the LANs.
View 2 Replies
View Related
Dec 14, 2011
we have two routers CISCO881-K9 and we have established l2tpv3 pesuduwire between two routers: attached the configuration file for both routers.
Although the l2tp established but we are unable to pass the DHCP or other traffic through l2tp tunnel from router A to router- B. [code]
View 1 Replies
View Related
Apr 17, 2012
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
View 1 Replies
View Related
Dec 4, 2012
asa 5505 do not pass traffic as a patch cord, how to make it pass traffic? [code]
View 2 Replies
View Related
Mar 1, 2011
I have a trouble with Cisco ASA 5510. I configured an SSL VPN with bookmarks to some application. When the users make access to the Web Portal they have to login twice: one for enter in the SSL and one for enter in the application.
How to bypass double authentication?
View 1 Replies
View Related
Feb 9, 2013
I run a AirPort Extreme router. I have my F9K1106 range extender set up and working. works awesome. I get home from work the next day and the range extender seems to fall asleep , it won't pass any traffic. I power cycle it and its back up and running. this happens everyday no fail for a week now.
View 1 Replies
View Related
Sep 9, 2012
Im using 1131AG AP.Locally switched WLAN don't have problem.Authentication used: open/wpa-psk/wpa2-psk.Pinging the IP Address of the vWLC dynamic interface (WLAN-SSID Mapping) is ok, but with the gateway failed.
View 12 Replies
View Related
Nov 11, 2012
I restored the HA pair back to Active/Standby.
1 remaining issue.
I have 3 IPsec Site-to_SIte tunnels.
I noticed that when the NEW UNIT becomes ACTIVE that I am unable to pass traffic over the VPN tunnels.When I failback I am able to pass traffic.
View 7 Replies
View Related
May 17, 2013
I have a ASA 5505, which has two IPSec RA tunnels build, for each one the user is able to authenticate and get an IP address is the designated IP pool, but they are not able to ping the Firewall, or RDP to any internal servers. Here is a copy of the running config:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa(code)
View 1 Replies
View Related
Feb 1, 2011
So I have an asa 5505 running ipsec and anyconnect and it has been working great for months. I have not made any changes to the config, but suddenly all of my anyconnect traffic is being dropped. The vpn uses the same subnet as the LAN. I tried putting a rule in to allow all traffic from the LAN subnet on the outside interface. Now I just get the WEBVPN-SVC Action-Drop in packet tracer.
View 1 Replies
View Related
Nov 21, 2011
I've got a VPN setup on an ASA 5510, it connects fine and my users, and myself are able to remote desktop, and ping. However, when accessing the servers by hostname I get nothing. When I want to access a fileshare I have to do it by IP. I've got my internal DNS added in the config.
View 3 Replies
View Related
Apr 18, 2013
I have a an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. . I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)The issue that i am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan).How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?
View 21 Replies
View Related
Apr 3, 2012
I am facing problem connecting via vpn to my asa5510 using anyconnect.My anyconnect client shows "network access: unavailable - no networks detected" before i attempt to establish my vpn.Upon establishing vpn, i was prompted username and password which went through but i was given the error "anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again".I face this problem after replacing my pc. I was able to connect without problems on my previous pc.The vpn connection uses cert which i have already import to my new pc and authentication is fine since no authentication error. No changes made on my firewall.
View 1 Replies
View Related