Cisco VPN :: ASA 5510 - ISP Site To Site Failover With Single Remote Peer Address
Apr 16, 2011
I have a ASA 5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.
Secondly request also they need failover over the ISP link.
how we immplement the same on ASA 5510.
View 0 Replies
ADVERTISEMENT
May 18, 2012
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
View 2 Replies
View Related
Mar 15, 2011
I configured ASA 5510 using dual ISP( Failover). Now my ASA working fine. Here my problem is My ASA 5510 configured for Site to Site VPN also.How my VPN switch to Secondary ISP automatically when primary ISP fails.
View 2 Replies
View Related
Nov 24, 2010
I have configured ISP failover on ASA 5510 its working fine, when Primary ISP fails, Traffic is shifting to secondary ISP. On the ASA i have configured Site to Site VPN its working fine on primary ISP, when failover happens to the secondry ISP. Site to Site VPN should work on the secondry ISP.
View 3 Replies
View Related
Jul 15, 2012
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
View 3 Replies
View Related
Jul 21, 2011
I setup RA-VPN under local asa 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then i have 5 site to site VPN working fine but when im traying to access to those L2L VPNs from the remote acces client im not able to do that. So after that i decided to obtain IP addresses from my DHCP server so i can obtain IPs from my local network (172.17.16.0/16) and then access normally to the VPN site to site. But the surprise was that the VPN cisco client is getting local IP address (172.17.16.222) perfectly but im not able to access even to my local network.
I have the same-security-traffic permit inter-interface same-security-traffic permit intra-interface enable.
View 6 Replies
View Related
Mar 9, 2011
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
View 6 Replies
View Related
Feb 14, 2011
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
View 6 Replies
View Related
Jun 28, 2012
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
View 3 Replies
View Related
Feb 20, 2013
I have a situation where I need to have remote users vpn into my ASA 5510 and then turn around and hit a site to site tunnel. Now when I am in our office I can hit the site to site vpn fine. When I am at home and vpn to the asa I can not get to the site to site resources. Do you see where my config is incorrect? result of the command: "show run"
ASA Version 9.1(1)
!
hostname xxxxx
domain-name xxxx
enable password xxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[ code]....
View 3 Replies
View Related
Aug 8, 2011
can I configure Site-To-Site VPN and Remote Access VPN at the same time in one ASA 5510?
View 8 Replies
View Related
Oct 17, 2012
I need configure a VPN site-to-site between two offices (Office A e Office B)The Office A (headquarters) have a Router CIsco 5510 and we have approximately 200 employess?
The Office B (branch) dont have any cisco Router but we will buy one ( is a small office, we have aproximadaly 20)?So I need configure a VPN site-to-site using the IPSec (do this is easy), but i need control the computers in the Office B that can access the Office A.
I Think that I can use a acl using the Mac Address to control, but how can I apply a control access List by Mac Address in the VPN site-to-site that is configured using a IPSec?
Is there other form to control the access of the Office B to Office A? We have a big fear for example, a unknow computer connect in the Office B using any mode off access (Ethernet cable, or Wirelless), and this "unwanted" computer access the Office A.
View 1 Replies
View Related
Jan 28, 2013
With à customer we have à site to site VPN connection. In this tunnel there is one subnet routed with a 3des-sha encryption / hash. Now the want to add a new subnet in this tunnel, but with a AES-128 / MD5 encryption / hash. Is it correct if we make a new crypto map with a higher seq. number?
View 5 Replies
View Related
Mar 13, 2011
I have 2 ASA 5505 Firewall, I Configured Site 2 Site VPN no both the fitrewall, as i have a dual ISP, i am able to create the tunnel with primary but once my primary is down i am not able to create the tunnel with back up ISP. During the troobleshoothing by typing Show isakmp sa and Show ipsec sa, i can see my tunnel is up, but not able to decap the packets.
As it will look like
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0
View 4 Replies
View Related
Oct 17, 2012
I need configure a VPN site-to-site between two offices (Office A e Office B) the Office A (headquarters) have a Router CIsco 5510 and we have approximately 200 employess The Office B (branch) dont have any cisco Router but we will buy one ( is a small office, we have aproximadaly 20 guys) So I need configure a VPN site-to-site using the IPSec (do this is easy), but i need control the computers in the Office B that can access the Office A.I Think that I can use a acl using the Mac Address to control, but how can I apply a control access List by Mac Address in the VPN site-to-site that is configured using a IPSec? Is there other form to control the access of the Office B to Office A? We have a big fear for example, a unknow computer connect in the Office B using any mode off access (Ethernet cable, or Wirelless), and this "unwanted" computer access the Office A.
View 5 Replies
View Related
Jun 17, 2012
We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?
View 1 Replies
View Related
Jun 13, 2012
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.
Building configuration...
Current configuration : 5425 bytes
!
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!
version 12.4
no service pad
[code]....
View 1 Replies
View Related
Oct 11, 2011
cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
View 11 Replies
View Related
Mar 6, 2011
i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?
View 1 Replies
View Related
Dec 18, 2011
Can I use a single Public IP address for both Internet access and site to site vpn access?If not, can I configure the RV220W as a bridge and still use it via another gateway configured for vpn passthrough as a VPN appliance/server on the LAN?
View 3 Replies
View Related
Apr 16, 2011
I have a ASA5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.Secondly request also they need failover over the ISP link.how we implement the same on ASA 5510.
View 0 Replies
View Related
Jan 23, 2012
I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?
View 3 Replies
View Related
Apr 8, 2013
We have 3 sites, with a Cisco ASA 5520 at each location.
HQ (Headquarters) internal network: 172.16.110.0/24,
DR (Disaster Recovery) internal network: 172.16.120.0/24
BO (Branch Office) internal network: 172.16.150.0/24
HQ and DR have a 100Mbps permanent MPLS link between each other.Branch Office has a Site 2 Site VPN connection to HQ. If it fails, it establishes a Site 2 Site VPN connection to DR. This works perfectly.Now the routing issue... There is no route to the BO in the routing table at HQ/DR. The default gateway is used to reach the BO and that works for HQ when the VPN is between HQ/BO. If the VPN fails over to DR/BO, HQ can't reach BO anymore.I need to have some kind of conditional route injection from the ASA where the VPN is established. I was considering a tracked static route, but I was wondering if the S2S VPN itself has a functionality to do so. I thought the Reverse Route Injection was it but it's enabled on our crypto map and doesn't seem to work...
View 4 Replies
View Related
Mar 11, 2012
I have a setup like this:
A central WLC 5508 running code 7.2 with management vlan 10 ( range 10.10.10.0/24), corp-user vlan 100 (10.11.10.0/24) with WPA2 key, guest vlan 200 (192.168.0.0/24, on local dsl modem) with WPA2 key...
A remote WLC 5508 with code 7.2 with management vlan 10 (range 10.20.10.0/24), corp-user vlan 101 (10.21.10.0/24) with WPA2 key and guest vlan 201 ( 192.168.0.0/24, on local dsl modem) with WPA2 key
corp ssid "Corp-user" on both sites
Guest ssid "Guest" on both sites
Intention is that the AP's (3500) on the remote site should fail over to the central WLC in case of any failure on the remote WLC and that the users could remain in their local vlan.
What kind of configuration would make this work?
View 8 Replies
View Related
Sep 25, 2011
One local site where i have one ASA5520 . I have to create a site to site vpn with the remote site1 and site 2.vpn with site1 is primary and other is backup. local address on ASA is 192.168.10.10 and on the remote site1 and site2 is 10.10.10.1.I have to make sure that if vpn with the site1 is active then the routing for 10.10.10.1 should be towards vpn to site1. and if it goes down then failover to vpn2 to site 2.In case if the vpn1 to site1 comes up, the traffic should shift to VPN1 to site1.Access is from ASA5520 end client to the remote server.
View 7 Replies
View Related
Apr 15, 2013
I am using the Cisco ASA 5520 with Software Version 8.2(3). I have several site-to-site VPN connections and two separate ISP connections. I have set up the SLA tracker for the dual ISP so that if one fails the other one takes over. But I don't know how to do the same for the site-to-site IPSec VPN tunnels. I have read a few discussions on the Cisco Support Community but I am really confused about what to do. I have two outside interfaces: outside and WAN2. I understand you can only apply the crypto to one interface so how would I make the change to allow the VPN to failover when the primary ISP were to fail?
Here is my configuration for the cryptos and SLA tracker:
crypto map outside_map 10 match address ACL_VPN_1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer x.x.x.x x x.x.x.x
crypto map outside_map 10 set transform-set NAME_SET
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000(code)
View 3 Replies
View Related
Apr 3, 2013
I have two Cisco routers - 2911 in HQ and RV180 in branch office. Because in HQ LAN network I have some development servers, to which guys from branch office need to have acces, I decided to setup VPN site-to-site between HQ and branch office. Everything went quite smoothly, on both devices I see, that ipsec connection is established. Unfortunately I am not able to ping resources from one network to other one and vice versa. Below is the configuration of 2911 router (I skipped som unimportant (imho) configuration directives) :
crypto isakmp policy 1
encr 3des
hash md5
[Code].....
View 9 Replies
View Related
May 19, 2011
It's been a long time since I played in Cisco CLI.Using a Cisco 506 Firewall 6.3(4) PDM 1.0?Problem is I created a site to site tunnnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
Tunnel is policy 10 using access-list 101
Remote VPN is Policy 20
Config Below:
: Saved:PIX Version 6.3(4)interface ethernet0 10fullinterface ethernet1 10fullnameif ethernet0 outside security0nameif ethernet1 inside security100enable password XLk0qAaMaA6kjvA6 encryptedpasswd VeCrsQbWdIFPwnny encryptedhostname RMS-DR-PIXdomain-name RMS.Localfixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol tftp 69namesobject-group network FTP_Clients description FTP Client PCs network-object host 192.168.xxx.xxx network-object host
[code]....
View 4 Replies
View Related
May 21, 2011
Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24
View 5 Replies
View Related
Sep 20, 2012
At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG). In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG". None of the SSIDs are "anchored".
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs. This site contains two customers. One customer is the Main customer with the second customer leasing space.
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan). I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500. It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site. This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
For my test, I am starting simple. I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low). I have anchored this test WLAN to that controller. At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site. I am unable to obtain an IP address from the remote site. I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at 7.0.220.0? What could I be missing?
View 5 Replies
View Related
Dec 6, 2012
We have successfully establish a site-to-site vpn, but we have some difficulties when PPTP users try to access the remote network linked by this tunnel. LAN users can access the remote network without problem, but users who are connected remotly to the lan (PPTP) can't access computer on the remote network. Is there a way to allow PPTP user to access the remote network ? Adding a route ?
View 1 Replies
View Related
Jun 28, 2011
I have a site-to-site VPN already established, everything is working as it should. I'm trying to block the remote network from accessing our network since we only need to access theirs. I'm sure this is something very easy to implement with an ACL but I'm not sure where this rule needs to go. The VPN is on ASA 5505.
View 5 Replies
View Related
Apr 27, 2011
A user with Easy VPN client connects to a 876 ISR (router A). This router also has a site-to-site VPN to another 876 ISR (router B). What I want to achieve is that the user dials in to router A and can access the network on the remote end of the site-to-site tunnel (router B) In diagram:
user (192.168.18.x) - Easy VPN - Router A (192.168.16.x) - sitetosite - Router B (192.168.17.x)
I have added routes in router B to the 192.168.18.x network with router A as next hop, but I can't reach the other segment.
View 1 Replies
View Related