Cisco VPN :: ASA 5510 / LAN-to-LAN IPsec VPN With Overlapping Networks?
Feb 14, 2012
I'm trying to connect two operlapping networks via IPsec.
Details:Site_A use ASA 5510 with software version 8.0(4)32. Site_A use 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to ASA (as vlan10), 10.100.1.0/24 and 10.100.2.0/24 are routed.Site_B use Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA, we took over this infrastructure without any documentation whatsoever.
According to link posted above I should use dual NAT. Site_B will see networks in Site_A as 10.26.0.0/22, and Site_A will see networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from host in Site_B to host in Site_A using 10.26.1.222 as destination ip address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only network part of the address an leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
[code]...
View 2 Replies
ADVERTISEMENT
Jun 6, 2012
I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if their are no duplication of IP addresses?
View 25 Replies
View Related
Apr 18, 2011
how to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc). Using this as a guide [URL] I was able to get it to work using an ASA and a router (initial configuration below). I'm able to ping from host1 to 40.40.40.2 (host 2) and it works, as does pinging from host 2 to 50.50.50.2 (host 1). The issue I'm having now is that I've replaced that router with another ASA (second configuration below). Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well. I'm only seeing issues when using two ASAs. I've verified that ICMP and telnet are permited inbound on the ASAs as well. I even tried seperating the final host with another router (third configuration).
Initial configuration:
Host 1 --------------------------- Router -------------------------- ASA--------------------------- Router ---------------------- Host 2
30.30.30.2 e0: 30.30.30.1 in: 10.10.10.2 e1: 20.20.20.1 30.30.30.2
NAT: 50.50.50.2 e1: 10.10.10.1 out: 20.20.20.2 e0: 30.30.30.1 NAT: 40.40.40.2
[code]....
View 1 Replies
View Related
Sep 4, 2012
I am setting up a customer site. One side is RV180W and the other side is Checkpoint 500W.
RV180W side
LAN - 192.168.100.0/24
Checkpoint side
LAN - 172.26.1.0/24
VOIP - 172.26.2.0/24
Need to setup an ipsec tunnel between the site. However, from the RV180W side, I can only ping the VOIP network, but not LAN. I have heard that RV180W only can talk to one remote network via ipsec, correct? workaround this other than changing out the RV180W?
View 4 Replies
View Related
Sep 9, 2012
I am using an ASA 5520 running 8.2(4). My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPSec client and be able to establish tcp connections to servers at 192.168.210.x and 10.21.9.x and 10.21.3.x, I believe I am close to having this resolved, but seem to have a routing issue.
View 5 Replies
View Related
May 5, 2012
i have started managing a asa 5510 firewall which is already having 10 ipsec tunnels , the problem i am facing is they are configured as "ipsec vpn map"
i have attached sample config, i am finding it difficult to understand the parameters used in each tunnel as the configration seems bit complex to me, how it works .
View 9 Replies
View Related
Mar 10, 2011
I need to create a IPSec Site-Site VPN in the Single mode firewall. Is it possible to create the tunnel. I have ASA 5510 Security Plus with Ver 8.3
View 5 Replies
View Related
May 12, 2011
We're in the process of setting up an ASA 5510 as our main VPN appliance.
The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network. The 5510 uses radius for authentication going to a server on the same subnet for the authentication. That works fine. VPN client can connect to the 5510 and successfully authenticate. Routes are pass through to the VPN client, no problem. PC with VPN client can access internet (which is by design, it should use it's own internet connection), but cannot ping/access/trace over the tunnel at all.
My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.
The VPN client is set to pull an ip address from the pool - 192.168.56.10 - 100. The 5510 is sitting on a separate subnet (50.x/22). This seems to work on the Cisco 1700 that it will be replacing just fine. I mirrored routes and ACLs as well onto the new 5510. No luck. Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510.
View 24 Replies
View Related
May 17, 2012
I have an ASA 5510 running 8.4(2) which has a site to site IPSec VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all ports that we have tested (so far HTTP, SSL, RDP, FTP) except for SQL which doesn't even seem to reach the server. I've got Wireshark running on the DMZ server and if the 3rd party initiates a TCP conversation from their server on any of the working ports to the server I see all of the expected packets arrive with the correct IPs etc (no NAT takes place across the VPN) but when an ODBC client attempts to query the SQL server on our DMZ box the packets do not arrive at the server. What I can see is the RX byte count on the VPN increasing each time the query is run but definitely no SQL arriving at the server.
Also if I revert the ASA back to the old PIX it has replaced with the same VPN config but on version 7.x then it works just fine.
View 16 Replies
View Related
Aug 6, 2012
We have an ASA 5510 running 8.3 that we need to use to terminate a LAN to LAN IPSEC VPN.
Problem is we only have one public address available so have had to configure the link between the ASA and the Internet Router on private addresses.
Is it possible to NAT the public address to the inside or outside interface of the ASA and terminate the VPN on that interface?
View 7 Replies
View Related
Aug 31, 2011
I have been given the following details by a company for us to connec to their IPsec VPN.
IP Address 200.9.21.214
VPN Device Description Cisco ASA
VPN Device Version 5510
Encryption Domain 10.152.24.10
Authentication Method Pre Shared Key
Encryption Scheme IKE
[code]....
I was going to use VPNC with linux but the company said they do not use remote access. So I tried a draytek vigor 3300v, that as well did not work. Had very bad logging so i couldn't troubleshoot.In the end I have decided to buy the cheapest cisco device that will allow me to connect to this.
View 3 Replies
View Related
Jun 1, 2012
I am trying to trouble-shoot / map out a large network with a freaking butt load of over lapping IP addresses
View 8 Replies
View Related
Mar 20, 2012
We have an inside interface, 192.168.10.0/23We have an outside interface, public ip...We have the ASA connected to 5 site to sites, this is working fine and through the internal interface can access all remote sites and vice vera. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24,When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read [URL] and I am confused even more.
View 8 Replies
View Related
Apr 20, 2011
I have an ASA 5510 working in Routed mode for a company with the following networks. everything works fine as desired. Below are the interfaces, security and ip addresses .
Ethernet0/0 DC_SERVER security-level 100
ip address 172.16.11.12 255.255.255.0
Ethernet0/1 Branches security-level 50
[Code]....
View 1 Replies
View Related
Sep 18, 2012
I have ASA 5510 and configured client VPN or Annyconnect VPN, when I connect to the ASA remotely using anyconnect I am able to get IP address as configued, from Internal network I can ping and RDP that anyconnect VPN desktop, but the problem is from the remote anyconnect VPN client I am unable to access internal network, when I use ASA packet tracer and check traffic from internal to anyconnect pool of addresses it gives result ok, but when i use packet tracer to check traffic on outside interface from anyconnect address pool to internal subnet it always gives the packet is dropped at WebVPN - SVC, and I can find any where related configuration for that.
View 5 Replies
View Related
Apr 22, 2012
I am tasked with transferring all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:
192.168.0.0/24
192.168.43.0/24 (the intended migration network)
I am beating my head against the desk here as I dont seem to be getting anywhere after the changes I have made. The current configuration is as such:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names
[code]......
Upgrading the firmware is not really an option?
View 3 Replies
View Related
Feb 22, 2011
I use a ASA 5510 and a ASA 5505 and want to connect 2 networks via VPN ASA software version is 8.41. Network 1 has address 192.168.90.0 Network 2 has the address 192.168.5.0 I use site to site VPN wizard on both asa and create the VPN connection. do I need to create acl after that?the PCs on network 1 must have access to a resource in the network 2 how do I create static routing to connect the both Network.
View 1 Replies
View Related
Nov 13, 2012
I have an ASA 5510 running ver 8.0(2) that has (4) Ipsec tunnels going from it to various other locations. I am having an issue with data transfer speed on only one of the Tunnels. This tunnel is between the 5510 and the 5555, on that link I am getting a dat transfer rate of a little over 120k a second, whereas if I pull the same set of files from another location I am seeing a transfer rate of 5m per second.
I have verified that it is not a capacity issue on the Internet bandwidth on both locations, and I can pull the same data from the same location to various other locations via Ipsec tunnels, I am only having an issue with a specific tunnel going from the 5510 to the 5555.
Since it is not affecting other tunnels on the 5510 nor is it affecting tunnels on the 5555 going to other locations, I am leaning toward a routing issue within the ISP? I will say the ISP is taking me a long way around to stay in the same Metropolitan area.
View 1 Replies
View Related
Jun 8, 2011
i've an Cisco ASA 5510 with Security Appliance Software Version 8.0(2), in this ASA i've many L2L tunnels to this ASA, anda sometims new tunnels can't connect, the older tunnels still ok and working, yesterday this situation occured again and i've tried to clear all ipsec tunnels and try to reconnect again no one cames up again. At the time of this situation memory usage was about 78% and CPU is was around 5%. I've made a reload without changes and the situation returns to the normality.
At the time of the fail i've collect the outpu from debug crypto isakmp 255, the outpu was in the annexed file.
View 1 Replies
View Related
Mar 28, 2013
I've got random connection issue when I try to connect to a VPN gateway through an ASA 5510 (IPSEC client ->ASA 5510->VPN Gateway).
When the tunnel is coming up, those two lines appears in the captured traffic on the internal interface :
<private internal IP>.500 > <destination IP>.500: udp 541
<public external IP>.500 > <destination IP>.500: udp 541
When it's not coming up, the port nuimber for the public IP is not 500
(private internal IP).500 > (destination IP).500: udp 541
(public external IP).442 > (destination IP).500: udp 541
I don't understand why sometimes the port for the public external IP is 500 and sometimes not.
View 1 Replies
View Related
Jul 16, 2012
We have built IPSEC VPN over MPLS P2P circuit between Head & Branch office using Cisco ASA 5510. Client systems at Branch office connects to Citrix app at Head office, but it gets disconnect intermittently for all user. if any recommendations/changes required for Citrix App whn passing over IPSEC VPN/ ASA.
View 2 Replies
View Related
May 22, 2013
I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect. The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts. The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
i've had two different CCNA's look at this numerous times to no avail. A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where i added the extra STATIC NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network. [code]
View 1 Replies
View Related
Oct 27, 2011
I have a 2811 that is my HQ router with a 10MB pipe. I was trying to configure a IPSEC tunnel to connect to my ASA that has access to our companies internal servers on the 10.33. and 172.16.31 network. I am having a problem getting phase 1 to even come up. I've looked over the configurations and unless i'm overlooking something I dont see what could be keeping it from at least completing phase 1
Below are the configs.
2811-CFG
crypto isakmp policy 10
encr 3des
hash md5
[Code] ....
View 6 Replies
View Related
Oct 11, 2011
I currently have an ASA 5510 setup with Dual homed ISP's and a remote access IPsec VPN setup to terminate at either interface. The first interface is named Outside and the second is simply called Outside-2. When outside the company(such as at home), the VPN client will connect on the Outside-2 interface and work normally. The problem is while testing on our DMZ, the VPN Client will not connect on the Outside-2 interface. It will try that interface fail to connect and then connect to the backup Outside interface. This isn't a huge concern because it still connects, but if we were ever to get rid of one of those connections, it would be nice to reliably test from our DMZ.
View 1 Replies
View Related
Jan 18, 2012
I am trying to pass Traffic thru the IPSEC tunnel but it does not work ([Cisco Router 892] <---> [Cisco ASA 5510] <---> [Cisco Router 892]) The Cisco ASA 5510 doesn't pass traffic UDP=500 & UDP=4500 ports...
View 1 Replies
View Related
Aug 17, 2011
Attached are the configuration files for the devices in question. I have a 5510 that belongs to my company and a 5505 that belongs to another company. The 5505 sits behind the 5510 and is able to connect to the Internet. My thought was that VPN access should be a trivial pursuit. I was planning on just giving the admin at the remote office the public IP address that's natted to the 5505 and all would be good.
View 7 Replies
View Related
Oct 11, 2009
WRVS4400N Version V2.0.0.7.I have been attempting for weeks to connect an IPSEC tunnel between a Cisco ASA 5510 Version 8.0(2) and a WRVS4400N . Phase one seems connect okay, where as phase two always give me the errors below. This as far as I have got, I tried disabling keep alive monitor, the device never attempted phase 2. I have read endless documentation on both devices and tried almost every combination of setting that I am aware of. The best case scenario answer would be detailed steps on how to setup the IPSEC VPN (linksys) & the site to site VPN (CISCO) as I cannot find any reference material for this combination .
View 6 Replies
View Related
Jun 23, 2011
Co-worker just got a Blackberry Playbook tablet and, try as I might, we cannot get the darn thing to successfully set up a working IPSEC/L2TP vpn tunnel to our ASA 5510, which acts as a multi-purpose VPN concentrator. Any luck setting up L2TP/IPSEC VPN to ASA from Blackberry Playbook?
View 0 Replies
View Related
Mar 5, 2012
I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get an constant stream of TCP debugging events, is it possible to only view ipsec messages?
View 2 Replies
View Related
Apr 10, 2011
I have created an IPSec VPN between our ASA (5510) and a Cisco Router running IOS.Only problem i have is that the VPN goes down if there's no interesting traffic from the router and i can't find anything to initiate the VPN Tunnel from the ASA (so we need to wait 'till someone connects on the other side).
Is there any way to make this connection persistent, just like an ASA-to-ASA tunnel?
View 3 Replies
View Related
Sep 1, 2011
I'm opening a new topic related to my problem with the VPN connection, to avoid confusion, since there are many, in the old information, no longer required.
I would like to configure my ASA5510 L2PT/IpSec to accept connections from Windows clients. I happen to authenticate via AD credentials. When I try to connect is because the error 691. I enabled debugging on the machine the following:
debug crypto isakmp 3
debug crypto ipsec 3
debug ldap 255
View 4 Replies
View Related
Jan 23, 2012
im lookin to establish a a multiple L2L ips tunnels ( one tunnel for each subnet) from my cisco asa 5510 to the same destination. should the cisco asa capable of this ?
View 6 Replies
View Related
Jul 31, 2012
I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations form CISCO ASA configs, as well as every source I can find. I have walked throught the config with IOS commands as well as Wizards. All my packets are dropped at the the inside or outside interface.
When I show SH ISAKMP command all I get are 0's straight down.
View 7 Replies
View Related
