Cisco VPN :: ASA 5510 VPN NAT Conundrum
			Oct 25, 2011
				I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPSEC site-to-site tunnel to a partner network of 166.110.0.0/17.  I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.0/24, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22.
 
My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel. My idea is that I will take an IP on my net, say 166.110.128.10, and do an inbound NAT to 192.168.100.200. This way they communicate with an address known to them, but my server is on another VLAN. Should this be done at the level of the VPN tunnel, or can I NAT between VLANs on the cat4500?
	
    	
    	
        May 26, 2011
        I'm trying to figure out how to get two 5510 ASAs to establish a Site-to-Site VPN. The version with two static IPs is working perfectly and stable, but I haven't figured out how to get a VPN running between a static and a dynamic IP.
  
    
	
    	
    	
        Jul 18, 2011
        We have an ASA5510 which keeps resetting itself for no apparent reason. It does this several times a day and I cannot see any pattern to the times etc. I don't believe it is load related as it also happens overnight when very little is going through the device. When it happens the device just drops off the network (all interfaces) and then when it comes back a few minutes later we can see from the system uptime that it has in fact rebooted itself. I initially thought it was faulty hardware, so I swapped the device for another 5510, but that does the same thing. I then added a third 5510 and configured it in with the second one as an Active/Passive failover pair. Both devices do the same as the first; the only difference now is that the passive device kicks in and takes over, so we have a little less service disruption each time.
  
    
	
    	
    	
        Sep 11, 2011
        I'm running into an interesting issue concerning a twice NAT config.
 
We have a remote site that needs to connect to a server cluster on our end.  Using ASDM I have created a NAT rule that uses PAT to map our server addresses to a single IP (this is due to constraints placed on us by the remote site).  This in and of itself shouldn't be a problem.  The issue is that the VPN tunnel won't come up unless I also map an address to the remote site's server.
 
Example:
Appliance: ASA 5510
ASA Version: 8.4(2)
ASDM Version: 6.4(5)
 
Original Packet:
Source Interface: inside
Destination Interface: outside
Source Address: Server_Cluster
Destination Address: Remote_Server
Service: any
 
Translated Packet:
Source NAT Type: Dynamic PAT (Hide)
Source Address: Mapped_Server_Cluster_Address
Destination Address: Mapped_Remote_Server_Address
Service: -- Original --
 
Within the Translated Packet section, if I set Destination Address to the actual remote server address nothing happens when I attempt to bring up the tunnel.  However, if I map an address to the remote server, the tunnel begins to come up and then fails during phase two (as the mapped address doesn't match the addressing that has been defined in the remote end's connection profile).
 
Initially I thought the issue may be due to an IP addressing overlap since both sites are running similar numbers, but the default route statement on our ASA should contend with this issue.  Also, each time I change the NAT rule, I change the connection profile to match those changes.
 
So, ultimately, what I wish to accomplish is to allow connectivity between my site and the remote site without having to map another address to their remote server.  How may I do this?
  
    
	
    	
    	
        Jan 26, 2011
        I have a 5510 with a working VPN but discovered that anyone connecting from a public IP can connect to VPN but can't go anywhere. So if I have, say, a Linksys wifi on my cable modem and a private IP, I can connect no problem. But if I'm on like a Verizon data card which gives me a public IP, I can connect to VPN but receive the below errors in my ASA logs and cannot reach anything on the network. What do I need added to allow remote ends without a NAT device to also work?
  
    
	
    	
    	
        Feb 8, 2011
        I have an 1841 at a remote site that terminates its ipsec vpn to an asa5510. I want to create a GRE tunnel to I perform the following on the router.
  
    
	
    	
    	
        Apr 20, 2011
        I am upgrading an ASA 5510 from ASA822-k8 to ASA841-k8. I know I have to upgrade the RAM to 1GB from 256MB, but was wondering if it is a direct upgrade, or do I have to step through some of the 8.3(x) versions?
  
    
	
    	
    	
        Jan 2, 2013
        I have a problem with my VPN between two ASAs. I reviewed the running config of the two devices, but I couldn't see anything out of the ordinary. As you can see in the image the VPN is up, but on the ASA 5510 I don't have Bytes Rx (ZERO). I tried to configure the two ASAs again but I have the same trouble.
  
    
	
    	
    	
        Mar 23, 2012
        I want to ask whether the configuration below is possible.
2x Cisco ASA 5510 running Multi-Context mode and Active/Active Failover
1 Cisco ASA 5510 (ASA 1) has AIP-SSM
1 Cisco ASA 5510 (ASA 2) has CSC-SSM
There are 2 contexts, context A and context B
ASA 1 is the primary firewall for context A, and secondary firewall for context B
ASA 2 is the primary firewall for context B, and secondary firewall for context A
 
Can AIP-SSM on ASA 1 inspect traffic of context B which primarily runs on ASA 2?
Can CSC-SSM on ASA 2 inspect traffic of context A which primarily runs on ASA 1?
  
    
	
    	
    	
        Feb 14, 2013
        I would like to ask if the ASA5510 can support TLS 1.1 and above? On the ASDM it can only be chosen between SSLv3 or TLSv1. When "Negotiate SSL V3", the Active-X plugin cannot be loaded (IE 9 with supported SSL v3). It seems that the plugin only works with TLSv1. Is there some roadmap for TLS 1.1/1.2?
  
    
	
    	
    	
        Sep 18, 2011
        1 ISP connection which splits into two. One plugs into a 5510 with an outside IP and the other plugs into the other 5510 with an outside IP address.
 
see diagram below:
  
Router routes are set as:
  
ip route 0.0.0.0 0.0.0.0 10.x.x.1 
##
ip route 10.x.x.0 255.255.255.0 10.x.x.2
     
We will be introducing another ISP into our network. We want to remove our current ISP and switch. But we don't want to do the cut overnight. We will migrate into our new ISP, so for a while we will have both ISP connections.
What I am thinking of doing is taking one of the ports on 10.x.x.1 and configuring it for our replacement ISP network and the same for 10.x.x.2. Will that work?
Can I have an ASA 5510 configured for 2 separate ISP connections? What kind of route will I set on my router?
  
    
	
    	
    	
        Apr 7, 2013
        My ASA 5510 is configured with a single PUBLICIP1 on the outside interface. All internal hosts 192.168.0.x are behind the ASA firewall and NATed to PUBLICIP1 including a few site-to-site VPN tunnels. This is also true for DMZ. Now, I would like to add a second PUBLICIP2 to the ASA and map it to one internal host ONLY, e.g. 192.168.0.25. How can I do this without affecting the existing setup?  Since my entire internal subnet 192.168.0.0/24 is NATed to an existing PUBLICIP1, how can I exclude just one host (192.168.0.25) and bind it to the PUBLICIP2 for all ports?
 
This is what my current OUTSIDE interface looks like.
 
interface Ethernet0/0 
duplex full 
nameif OUTSIDE 
security-level 0 
ip address PUBLICIP1 255.255.255.224
! 
  
    
	
    	
    	
        Jul 25, 2012
        I am getting the error "cypto map policy not found" when attempting to connect the VPN. My running config is below. I am attempting to connect from a Draytek 2820.
  
    
	
    	
    	
        Oct 31, 2012
        So I loaded the shiny new ASA 9.0(1) on a test/dev cluster of 5510's with the SecPlus license. In 8.4.4 (or maybe 8.4.3?) new password-policy commands were introduced, which allowed for very granular password policies for local users.  This appears to be gone in 9.0.1. Is this by design?  These commands met certain compliance regulations. EIGRP is supported in multiple context mode now, however the contexts don't appear to form EIGRP neighborships with each other on a shared interface.  I did issue the mac-address auto command in system mode if that matters.  All contexts do form EIGRP neighborships with a regular IOS device, however routes are still not propagated from CTX1 to CTX2, 3, etc. It's entirely possible I'm doing something wrong, this is my first stab at multiple contexts, or it's possible this doesn't work by design?
  
    
	
    	
    	
        Jan 1, 2012
        Since last week we have been having problems with remote users working with the VPN client on Windows XP. The connection is established but no data traffic occurs.
As we didn't make any change in the VPN remote settings, I did a test from a Linux machine running the VPNC client and it works well. It sounds so weird because it happens only on the Windows client platform. We have a CISCO ASA 5510 and a PIX 515 running 8.0(4).
  
    
	
    	
    	
        Nov 5, 2011
        We have an ASA 5510 on which remote access VPN is configured. The problem is that we are able to access all the internal resources and after an hour we get disconnected. The VPN is still up though. We have to reconnect the VPN to get things going again.
  
    
	
    	
    	
        Apr 4, 2012
        I'm trying to get a tunnel to come up between a 5510 and a 5505.  I currently have a vpn tunnel up and running from the 5510 to another remote site.  [code]
  
    
	
    	
    	
        May 29, 2011
        I need to buy a firewall for my company and have set my eyes on the ASA 5510. However, we want to use IPSec both as firewall-to-firewall VPN and for staff working from home. If I understand right, I need to set up a VPN client on the user's machine at home to be able to use the IPSec solution. Is this the case?
 
I have a few Mac users running a 64-bit OS and it seems that this is not supported by any Cisco VPN client. Is there any workaround to this problem other than AnyConnect, as I want to use IPSec? For example, is it possible to use another client, or to do it without a client with some built-in Mac VPN?
  
    
	
    	
    	
        Sep 8, 2012
        Today we physically moved an ASA 5510 across town and took another location off of fiber and onto a VPN with the ASA 5510, via a brand new 5505. The VPN seems to be up, however no local traffic seems to be passing. The ASA 5510 can ping to the internal network of the 5505 but not vice versa.
 
The site that was moved is the 62.0 network, it is connected to the rest of the network through the new ASA 5505. I'm sure this is something elementary that I somehow missed. 
  
    
	
    	
    	
        Jul 19, 2011
        I have an ASA5510 with two L2L VPNs operating normally. I need to create another L2L VPN. When I add the 3rd VPN, one of those that were operating always drops. What can it be?
  
    
	
    	
    	
        Aug 9, 2011
        I would like to allow my remote users to access all resources behind the ASA and my remote branches.  Here is my setup.  ASA5510 as hub at data-center.
Internal network 172.21.x.x Directly connected
DMZ 172.22.1.x.x Directly Connected
Branch1 10.47.x.x L2L VPN
Branch2 10.47.y.x L2L VPN
Remote users 172.21.y.x L2TP Windows Client
 
I can access my internal resources connected to the ASA but not the DMZ or branch offices. Do I need routing and reverse route injection?
  
    
	
    	
    	
        Jun 5, 2012
        I am using an ASA5510 as firewall and VPN is configured. Inside my office I have two networks, one with 10.X.X.X and one with 192.X.X.X. My inside firewall interface is configured with the 10.X.X.X network.
When I connect from outside using the VPN client I can access the 10.X.X.X network, but I can't access the other network. How can I make it work?
  
    
	
    	
    	
        May 17, 2013
        I have an ASA5510 with VPN configured on it.  My goal is to be able to access our RV082 router after connecting to the VPN and from any PC inside the LAN.  I don't want to be able to access the ASDM on the ASA5510 or the RV082 from outside the LAN UNLESS you are using VPN.
 
My Inside IP Subnet is 10.0.1.0/24 on the CISCO ASA5510. The CISCO ASA5510 Outside Interface is 172.16.15.2
The CISCO RV082 (172.16.15.1) is connected to the ASA5510 Outside Interface.
Our VPN Addresses start at 10.0.10.240 and I think they are NATTED to the Inside Interface of the LAN.
 
At this time, after connecting via VPN, we cannot access the RV082 at 172.16.15.1, but we want to. I think we need a static route to do this but I don't know which one to add, or how to add it?
  
    
	
    	
    	
        Feb 18, 2012
        I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).
 
HUB-----------SPOKE1
|
|
|
SPOKE 2
 
HUB and SPOKE 1 is okay. My problem was the communication between HUB and SPOKE 2. PING failed on both directions. BTW, I am simulating this only in GNS3. :-). The configuration for HUB and SPOKE 1 are the same also for HUB and SPOKE 2.
 
Here is my show isakmp sa and ipsec sa on HUB
 
ciscoasa# sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
[Code].....
  
    
	
    	
    	
        Mar 17, 2013
        Ongoing problem I have been having regarding a l2l VPN connection between our ASA 5510 and a client's ASA 5505. The client's main ISP is Comcast and he uses a secondary AT&T internet connection as a failover. When Comcast goes down, AT&T comes up and everything works great...except for the VPN to our ASA5510. I have not been able to get the VPN connection to work on the failover network. I have set up a separate, "Backup_WAN", interface in the firewall for AT&T. All of the same rules are in place for AT&T as there are for the primary Comcast connection (the VPN for Comcast works just fine) but I still cannot get the VPN to work with the failover. 
 
Why would the VPN not be working?
  
    
	
    	
    	
        Jul 11, 2012
        Good tutorial video or site for the ASA 5510s? How to get around the GUI; adding rules.
  
    
	
    	
    	
        Mar 26, 2013
        I basically want to get Windows RT VPN to connect to the ASA 5510.
  
    
	
    	
    	
        Dec 13, 2011
        Here is my current situation: I have 3 Internet connections as below; at the moment they terminate into the ASA.
 
ADSL Modem 1 (routed mode)     ADSL Modem 2 (routed mode)  Mid band Ethernet Tail (10m/10m)
 ASA 5510 LAN Switch
 
I want to change it to the following, in order to use PBR on the router. ADSL Modem 1 (/29 Ip block)  ADSL Modem 2 (/29 ip block)                Mid band Ethernet Tail (10m/10m) (/28 block) 
Router ASA 5510 LAN Switch
  
I need your opinion on the following points
  
1. What is the best suited router considering I have 2 ADSL connections and I will need 3 WAN + 1 LAN ports in total?
2. Where should I run the NAT, on the ASA or the router? (I do have around 20 L2L IPSEC VPN tunnels on the ASA.) In the new setup I would like to use ADSL 1 for internet browsing and use ADSL 2 and the Ethernet Tail for incoming services (+ some outgoing to specific destinations or based on specific services).
3. I have an old 1841 with 2 Ethernet ports; am I better off buying 2 x ADSL2+ cards and using them with the expansion slots?
4. Both ADSL connections are PPPoA based. Can I put both ADSL modems into bridge mode and create PPPoA connections on the 1841? (I will still have to buy a HWIC 2-port Ethernet card.)
5. Should I go for any of the above options or am I better off buying a new router?
  
    
	
    	
    	
        Jul 22, 2012
        I have several IPsec VPN tunnels to the main site.  The remote locations are using 871 routers and the main site is using an ASA 5510.  I am using the tunnels for both voice and data.  I would like to implement RIP or some type of dynamic routing between them, but according to what I have found, it is not possible using IPsec.
  
    
	
    	
    	
        Dec 12, 2012
        It appears we had a vendor set up an SSL certificate for our VPN. I see it in the ASDM under Configuration -> Device Management -> Certificate Management -> Identity Certificates.
 
The certificate is there, and I also see it pointing to the outside under Configuration -> Device Management -> Advanced -> SSL Settings, and under outside the primary enrolled cert is the SSL cert.
 
The only thing I can see which may be incorrect is that if I look at the cert details under Identity Certificates and select Issued To, the URL says http, not https.
  
    
	
    	
    	
        Oct 8, 2012
        I'm currently dealing with a problem related to the integration between a Cisco ASA 5510 and an AD Microsoft CA on a windows2008R2. I'm basically trying to enroll the ASA in the CA and get a certificate for the ASA to use for SSL VPNs. I'm using SCEP enrollment and I've set up NDEP on the Win2008 CA.
Everything seems to be working just fine and I get the certificate, but if I assign it to the interface, first the client receives a warning and then a blank page is shown (everything works just fine with the ASA self-signed certificate). The problem looks to be related to the purpose of the keys (key usage field), which is not Server authentication. The certificate is automatically generated using the IP Sec (offline) template.
  
    
	
    	
    	
        Jan 3, 2013
        Current configuration:
 
2xASA5510s (Active/Standby) --->3925 Internet Router---->Internet
 
Going to:
 
2xASA5510s(Active/Standby)---->3925 Internet Router A----->ISP (Primary)
                                          ---->3925 Internet Router B----->ISP (Backup)
 
Note:  Only one ISP just different speed connections
 
We're going to be using BGP to the ISP.  Our goal is to advertise one subnet via BGP over both links, using routerA as the primary and routerB only if it fails.  How should I configure my ASA and the internet routers to accomplish this?
  
    
	
    	
    	
        Aug 15, 2011
        I am facing some issues on static NAT, after my IOS upgrade from 7.2(3)
 
I am getting some peculiar error
 
%ASA-6-302013: Built inbound TCP connection 654734 for dmz:172.19.19.141/27685 (172.19.19.141/27685) to inside:192.168.16.250/3389 (172.19.22.91/3389)
%ASA-6-302014: Teardown TCP connection 654734 for dmz:172.19.19.141/27685 to inside:192.168.16.250/3389 duration 0:00:00 bytes 0 TCP Reset-I
 
Configuration
static (inside,dmz) 172.19.22.91 192.168.16.250 netmask 255.255.255.255
access-group dmz_in in interface dmz
access-list dmz_in extended permit ip host 172.19.19.141 host 172.19.22.91
I am trying to access a machine in Inside from Dmz
 
interface Ethernet0/2
nameif dmz
security-level 50
interface Ethernet0/1
nameif inside
security-level 100