Cisco VPN :: ASA 5510s / Remote VPN Users Need To Access Networks Connected By Static VPN
Oct 23, 2012
I have five (5) sites all connected via static VPN tunnels. They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site, because of the static VPN tunnels. I have the external IP (routeable) addresses connecting to each other.
Site A: 10.1.0.0 /24
Site B: 10.2.0.0 /24
Site C: 10.3.0.0 /24
Site D: 10.5.0.0 /24
Site E: 10.10.0.0 /20
I have remote users who connect using Cisco AnyConnect 3.1 to Site E. They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good.No management wants users to access devices within the other sites, specifically Site A using teh same AnyConnect connection. In other words, they get an Ip address of say, 10.10.100.5 and now need to access a server on Site A's subnet or 10.1.0.5.I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following: Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0 What am I missing? Is there a NAT statement that is wrong, or an access-list statement or possibly a static route?
View 10 Replies
ADVERTISEMENT
Feb 27, 2013
I have DSL service with AT&T and I have a Motorola 3360 modem. We also have a /28 network of static IPs from AT&T. When I login using PPPoE on the modem it gets x.x.x.190 as it's address. Our range is 177-190. I have two ASA 5510s in an active/passive failover configuration with the Ethernet port of the modem and one interface of each of the ASAs on a dumb layer 2 switch.
I want to setup this DSL connection as a backup to our main Internet connection. I cannot figure out what setting on the DSL modem to use to make this happen. I know I cannot use PPPoE in a failover setting so I can't have the modem in bridged mode. There is some mode where it passes the 190 address to the connected device and when I plug in a PC directly to the modem and set it for DHCP it does get 190 as it's address. So do I configure the ASA interface as 190 with one of the other addresses as it's standby? What do I set my route on the ASA to for use of this connection? Can I then make use of these other static addresses when plugging other devices into the layer 2 switch?
View 4 Replies
View Related
Mar 20, 2012
We have an inside interface, 192.168.10.0/23We have an outside interface, public ip...We have the ASA connected to 5 site to sites, this is working fine and through the internal interface can access all remote sites and vice vera. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24,When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read [URL] and I am confused even more.
View 8 Replies
View Related
Nov 1, 2011
Based on my diagram, my computer A (192.168.100.11) can ping and access my computer B (192.168.10.14). But, when i'm home and i use remote access vpn (192.168.200.x) in cisco asa 5520 to connect to my computer A is okay. But, when i try to ping my computer B is not okay. I already do the exemption for 192.168.100.x and 192.168.10.x in nat rules for inside interface (192.168.100.2) ...
Should i put routing from outside 1.1.1.2 to 192.168.10.x by using 192.168.100.1 as a gateway?
View 1 Replies
View Related
Feb 12, 2013
I need a way to block MAC OS X users connecting remotely to our coporate users over VPN. I know there is an option to block connections based on VPN client Version, but cant find a way to block users based on operating system.
We use Cisco ASA 5510 firewals one with v8.2(1) and other with v7.2(3). I need to do on both firewalls. They are both at diffrent sites.
View 4 Replies
View Related
Apr 12, 2011
We have a high availability pair of ASA 5510's in Data Centre where we have configured remote access to allow users log in via SSL VPN, now we want to add further security to our environment we are adding endpoint assessment licenses...the question I have would I need two sets of the license ASA-ADV-END-SEC ?
I learned the hardway before with ASA SSL VPN licenses breaking other failover pair as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in a HA pair?
View 1 Replies
View Related
Mar 16, 2011
I was trying to access some computers in network via remote desktop. All those computers had been used by other staffs.What I noticed that, for some computers I can access via remote desktop by forcing them to log off (people who were using the computers)But for some computers, I got the message similar to "user is currently logged onto the computer, you are not allowed to connect"I want to force them too and access these computers. How I can do it?
View 6 Replies
View Related
Sep 14, 2011
I configurated ipsec remote vpn at catalyst 6500.
192.168.14.0/24-- my servers are assigned this subnet
vpn user:10.10.10.0/24
192.168.10.229 ---- webserver ip address
[code]...
View 3 Replies
View Related
Apr 5, 2011
How to designate access-list for the remote access vpn users in order to let them access specific subnet or host,asa 5510 and acs is in the picture
View 9 Replies
View Related
Mar 12, 2011
Modem >> switch router1 >> switch >> computer
same Modem >> same switch >> router2 >> switch >> computer
Now I want to access computers from router 1 to router 2 computers.I opened the router 2 web page and forwarded it. I put service port no. 3389, ip address of a computer of router 2 network. Now I can access the specific computer via remote desktop from router 1 computers using public ip .But what I need is I want to access via mstsc all computers of the router 2 network. using service port, ip address of one computer, I can access only one computer.
View 2 Replies
View Related
Jan 17, 2013
A customer has a ASA 5505 with a remote access vpn. They are moving their internal network to a new scheme and would like users who come in on the vpn to access both the exisiting and new networks. Currently the can only access the exisiting. WHen users connect to the remote access vpn, the asa gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x.
Below is the config:
:
ASA Version 8.2(5)
!
hostname ciscoasa
[Code].....
View 2 Replies
View Related
Oct 24, 2012
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
View 5 Replies
View Related
Jun 9, 2013
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.
View 1 Replies
View Related
Jul 4, 2012
My company is using an RV016 router as a gateway to our internal network. My end goal is to allow remote users to access network shares via Samba.I've been trying to create a VPN using the router with absolutely no luck. I've tried QuickVPN. I've tried creating a client-to-site group vpn. I've tried creating a client-to-site tunnel vpn. I've tried pptp. Nothing will allow me to establish a VPN connection. Sometimes there is information logged in the router but most of the time there is not.
View 1 Replies
View Related
Sep 15, 2011
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I can't find it.I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this: [code] I do this,but it's not work.When I use EasyVPN client to connect ASA 5520,user could through authentication but will not get that static IP address which I configuration on Internal Users.so,what should I do,if anyboby knows how to use ACS 5.2 to create a static ip address user for remote access VPN.
View 2 Replies
View Related
Sep 17, 2011
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I dont't know how to do it.
I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this:
Step 1Add a static IP attribute to internal user attribute dictionary:
Step 2Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3Click Create.
Step 4Add static IP attribute.
Step 5Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6Click Create.
Step 7Edit the static IP attribute of the user.
I just do it,but it's not work.When I use EasyVPN client to connect ASA 5520,user could success to authentication but will not get the static IP address which I configure on Internal Users,so the tunnel set up failed.I try to Configure a IP pool on ASA for ACS users get IP address,and use EasyVPN client to connect ASA , everything is OK,user authenticate successed.but when I kill IP pool coufigurations and use the "add a static IP address to user "configurations,EzVPN are failed. how to use ACS 5.2 to create a static ip address user for remote access VPN?
View 7 Replies
View Related
Nov 24, 2011
I have a sonicwall firewall connected to the LAN port of the RV016 router and two DSL modems connected to the WAN ports.
Ip address allocation:
Firewall
192.168.50.9
RV016
LAN - 192.168.50.10
WAN - 192.168.60.1
WAN - 192.168.61.1
What configurations do I need to enter into the RV016 to allow other networks connected to the firewall(192.168.3.0, 192.168.2.0) to access the internet?
View 1 Replies
View Related
Jul 15, 2012
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
View 3 Replies
View Related
Aug 14, 2011
I have set this up on pre 8.3 code and 8.3 code as well. I have the following configured on the ASA, but it is not working and I am not seeing the ASA trying to NAT the VPN pool IP address that the client gets assigned.
object network VPNPool
subnet 192.168.70.0 255.255.255.0
nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
View 3 Replies
View Related
Jul 23, 2011
If we have catos 6509 and MSFC and we need to connect new building with L3 I want to Do static route between two network i need to but ip in interface of switch should I but this ip on catos or MSFC,
Switch(config)# interface fastethernet 2/1
Switch(config-if)# ip address x.x.x.x x.x.x.x
In catos if want want do like above command what is the command .
View 6 Replies
View Related
May 14, 2012
is it possible to prevent the users with static IP's to connect the Network?We use Cisco sw 4500 series as an access and distribution switches.Is there any features on the switches that fit my request?
View 3 Replies
View Related
Apr 25, 2012
I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan on Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely?Is this possible?
View 8 Replies
View Related
Dec 30, 2011
One of our accounting administrators will be working in our server this weekend from his home remotely. He wanted to know if there was a way I could temporarily lock users from remoting in a few days to prevent them from messing up his work.The only way I could think of was disabling the accounts in Active Directory and then re-enabling them once he was done. Server is running Windows Server 2003 with the users remoting in via RDP. They all have accounts in Active Directory.
View 1 Replies
View Related
Oct 19, 2011
I have setup an SA520W and configured SSL-VPN for our small business. Everything seemed to go smoothly and I tested SSL VPN by logging in and playing around a bit which seemed to be fine. However, shortly after deployment I started getting complaints about it being much slower than our old VPN through the consumer grade router I just replaced. I investigated and tested with IE8 and Chrome on Windows XP 32-bit with several different machines, and in all instances it did seem very slow indeed. While looking around I noticed that the Task Manager under the Networking tab shows the SSL VPN connection as VirutalPassage at 64 Kbps. Going into Network Connections shows VirtualPassage under the Dial-up heading with device name Virtual Passage SSLDrv Adapter. Additional properties describe it as an ISDN channel. I have attached an image of the Task Manager pane.The router is running the latest firmware of 2.1.51. It is connected via a static IP that does not require a login, to our dedicated 5 Mbit / 5 Mbit ethernet over copper link to our ISP. We get great speeds and low latency through everything but SSL VPN connections. I haven't done anything fancy so the router certificate is the factory default. Currently we are using the existing 2 SSL VPN licenses that come with the router until we need more access, at which point I want to upgrade to the 25 user bundle. However, I don't feel comfortable upgrading until I get this resolved, because 64kbps simply cannot work for us for a VPN solution.how to configure the SSL VPN to not limit at 64kbps? My engineers are making fun of me for bringing us back to dialup, and I have to agree with them!
View 1 Replies
View Related
Apr 5, 2011
can i have 2 pools each with diifferent subnet [code] i wanna put restricution on remote vpn users having address from pool-2,and just give them access to 172.16.10.0/24,is it possible on the asa 5510?
View 7 Replies
View Related
Dec 16, 2012
Here's my basic setup:
Computer A:
IP- 192.168.0.3
Mask- 255.255.252.0
Gateway- 192.168.0.2
[Code]....
Computer A can ping Firewall 1 and Firewall 2, but not Computer B. Computer B can ping Firewall 1 and Firewall 2, but not Computer A. Firewall 1 can ping Firewall 2, Computer A, and Computer B. Firewall 2 can ping Firewall 1, Computer A, and Computer B.
Why can't the computers ping each other, but their default gateways can? I've specifically allowed ICMP any any on all the affected interfaces.
View 6 Replies
View Related
Oct 29, 2012
I have a problem on a Cisco ASA5520 version 8.2(5). A customer has set up a syslog to keep tracks of tcp sessions made by vpn users. On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection. When the connection is made by a vpn user, at the end of the log line you see the vpn username which should be the same in both the messages for the same connection. I have verified that when a user, let's say UserA, disconnects from the vpn, their tcp sessions are not properly closed; if another user, let's say UserB, establish a VPN immeditaely after and gets the same IP address previously assigned to UserA, the log sessions are recored with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message. I presume this is due to the fact the tcp sessions are not tore down when the first user disconnects and it looks like a bug to me but I didn't find it referenced anywhere. Is there a way to have all tcp session tore down when a user disconnects the VPN connection?
View 2 Replies
View Related
Mar 7, 2011
I am using my ASA 5505 to remote VPN. I use both windows and Macs. I use the Cisco VPN client software on the windows machine, on the Mac I have used both the Cisco VPN software and the built in OS X VPN client.
I am able to VPN with all machines, but randomly the VPN will disconnect all users. I know there is a setting that may fix this which I think I tested in the past and it did not work, but I have now forgotten it.
View 4 Replies
View Related
Nov 24, 2012
I've been trying to connect my printer to my wireless router/modem. The install program is giving me the following error {The PC and the printer are connected to different networks(192.168.15.0 and 192.168.0.0). They must be connected to the same network. This can happen when you use the manufacturer's default network name (SSID) and another nearby network is using the same name.} I just had the computer built and have been setting it up. How do I know which is the right IP address?
View 6 Replies
View Related
Jan 17, 2012
I cant not get to connected to any wireless networks, it keeps saying unable to connect
View 1 Replies
View Related
Jun 4, 2011
The server is running Microsoft Windows Server 2008 R2.The four other systems connecting to the server are running Microsoft Windows XP.Is it possible to have all four users connected at the same time remotely using a remote desktop client to the server? I'm using Teamviewer right now, but not sure if it will work with that.
View 3 Replies
View Related
Jul 1, 2006
how to disable XAuth for Remote VPN users on the ASA 5510 running 7.2(1)?
HPMFIRE(config)# tunnel-group vpn3000 general-attributes
HPMFIRE(config-tunnel-general)# authen
HPMFIRE(config-tunnel-general)# authentication-server-group none
ERROR: The authentication-server-group none command has been deprecated.
The isakmp command in the ipsec-attributes should be used instead.
--[code]....
I couldn't find anything under isakmp to disable it.
View 2 Replies
View Related
Apr 9, 2012
Currently we have a CISCO 3020 VPN Concentrator to terminate Lan-to-Lan tunnels and have our mobile workers connect via CISCO VPN client (300 users-employees and contractors-). Since this device is coming to an EOL this year we purchased a CISCO 5520 (below are the current licenses on it)
The licensing seems rather complicated, therefore this is my question:
- What VPN solution do you recommend for our users and contractors? it is my understanding the CISCO VPN client does not work with ASA 5500 series devices
- Is there a license needed to deploy VPN solutions for our remote users(employees/contractors)?
View 3 Replies
View Related
