Cisco VPN :: ASA 5520 8.2(3) - Allow Remote Clients To Access Other Networks
Oct 24, 2012
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
site A : ASA 5510 VPN gateway for remote users LAN 192.168.192.0/22 site B : ASA 5505 LAN 192.168.208.0/22
Both sites are connected through a site to site VPN.Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.
Here is a part of my configuration :
On Site A (ASA 5510) -------------------------------- name 192.168.192.0 SiteA_Internal_Network name 192.168.208.0 SiteB_Internal_Network name 192.168.133.0 VPNPool_AnyConnect name 192.168.133.32 VPNPool_VpnClient
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5). We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the group policy.I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clients may ignore this option anyway.
I have a RV082 and several of my remote laptops cannot access my server using its domain name. It can be accessed using its internal ip address. The issue is that you can log onto the server using remote access and the ip however you cannot use any shortcuts using the domain name. You can see the server with the domin name however no access path is available. This is only on a few remote user laptops. Others work perfectly.
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
same Modem >> same switch >> router2 >> switch >> computer
Now I want to access computers from router 1 to router 2 computers.I opened the router 2 web page and forwarded it. I put service port no. 3389, ip address of a computer of router 2 network. Now I can access the specific computer via remote desktop from router 1 computers using public ip .But what I need is I want to access via mstsc all computers of the router 2 network. using service port, ip address of one computer, I can access only one computer.
A customer has a ASA 5505 with a remote access vpn. They are moving their internal network to a new scheme and would like users who come in on the vpn to access both the exisiting and new networks. Currently the can only access the exisiting. WHen users connect to the remote access vpn, the asa gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x.
I've got a Cisco 1941 setup working fine for Cisco Anyconnect. Clients can connect to local resources fine. The issue I have is I need the remote clients to access a third party IP address but to do so they must do it through the VPN. At the moment only local resources are accessed across the vpn and if they need internet they use their own internet connection they are connecting with.I've added the below to make sure traffic going to the IP is going across the VPN.
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs setup (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc).All interVLAN routing is done on a 3560 via vlan SVI. Connected to the 3560 via a routed port is a ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) into a specific VLAN. I want to extend this concept to Remote VPN access. Therefore I setup multiple Group Policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to login wtih different users who get assigned to different Group policies and they obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logins remotely and gets an IP in 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
I have five (5) sites all connected via static VPN tunnels. They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site, because of the static VPN tunnels. I have the external IP (routeable) addresses connecting to each other.
Site A: 10.1.0.0 /24 Site B: 10.2.0.0 /24 Site C: 10.3.0.0 /24 Site D: 10.5.0.0 /24 Site E: 10.10.0.0 /20
I have remote users who connect using Cisco AnyConnect 3.1 to Site E. They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good.No management wants users to access devices within the other sites, specifically Site A using teh same AnyConnect connection. In other words, they get an Ip address of say, 10.10.100.5 and now need to access a server on Site A's subnet or 10.1.0.5.I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following: Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0 What am I missing? Is there a NAT statement that is wrong, or an access-list statement or possibly a static route?
We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?
I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"
As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.
I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
I Have asa 5520 terminate the remote access VPN Connection,when successfully connect to my corporate Network and try to copy a file(30MB) from the share to my PC ,it takes around 2 Hours or it disconnect.what is the speed of the vpn client once y connected to the corporate over the Internet ?at my home i have 512 ADSL while at my corporate we have 155Mbps Internet speed.
We have 2 5520 ASA's working in an active/standby function at our central site. The remote agencies have control of their ASA's or other devices able to create VPN tunnels back to the central site. When a new remote agency wants to connect to our central site we assign them a network range that is routable on the central sites network.We ask that the remote agency NAT into the addresses we provided them.This way we are able to route back to them. We assign the interesting traffic and then they we start communicating by way of the tunnel.
Since the central site can't control the traffic coming in on the site to site tunnel other than just defining the interesting traffic AND we aren't able to control the NAT on the remote end how can I put an access list on the central site ASA to allow only certain ports and IP's by way of access list? Ultimately, I'm trying to limit traffic on the central site coming inbound to only allow traffic I want. I tried applying a group policy to the lan2lan site to site tunnel, but it failed for some reason. It actually prevented all traffic. Can I apply a group policy to a site-to-site tunnel?
I'm struggling here a bit as I don't have control of the remote end. They can NAT whatever they want to an address in the range we assigned them. The tunnels interesting traffic is set to full ip to the central site's destination. The interesting traffic on the central site is set the same. However, on the central side...I want to limit that traffic to only certain ports by way of an acl. If it is possible to assign a site-to-site tunnel a group policy and filtering is done in that method, can
Is there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.
I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.
After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.
how can i allow user to access a server with defined port only and not any other service/port access for the server.
I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.
We have two ASA 5500 series Firewalls running 8.4(1). One in New York, another in Atlanta.They are configured identically for simple IPSecV1 remote access for clients. Authentication is performed by an Radius server local to each site.
There are multiple IPSec Site-to-Site tunnels on these ASA's as well but those are not affected by the issues we're having.First, let me start with the famous last words, NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/Password, then nothing until it times out.Sames users going to the NY ASA are fine.After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter for their client machine, they will get stuck trying to login to Atlanta.These same clients will get into the New York ASA with no problems using wired or wireless connections.Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same creditials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address right? Again, this is beyond my scope of knowledge.We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail. We've also rebooted the Atlanta Firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/Radius server was rejecting us but is shows the same reject message for the working connection. Again, both MAC and Windows clients show the same sequence.Where the connection fails is the "IKE Phase 1" process.
------------------------------------------------------------------------------------------------------------------------- WORKING CONNECTION ------------------------------------------------------------------------------------------------------------------------- %ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device NAT-Traversal auto-detected NAT. %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user %ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
We have dns server(only Internal IP) inside our network, right now we have configured Remote Access VPN using Public IP and we connect it using the same Public IP. I need to use FQDN instead using Public IP. What is the configuration for this.
I am using asa 5520 and asa 5540 for remote access vpn connections. Is it possible to do active monitoring of my vpn connections so that there would be alerts for vpn tunnels that fail to establish due to other reasons other than user authentication?
I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I now VPN Filter works bi-directional with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)
We have two sites, Site-A with a ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding.
They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work?
CISCOASA# sh run: Saved:ASA Version 8.4(3)!hostname CISCOASAenable password xxxxxxxxxxxx encryptedpasswd xxxxxxxxxxxxxx encryptednames!interface Ethernet0/0 nameif outside security-level 0 ip address x.x.x.x 255.255.255.248!interface Ethernet0/1 nameif backup security-level 0 ip address
I have 2 4402 WLC's and a central office and was trying to configure an H-Reap Ap but now the entire wireless network is down. Clients arent getting IP's. I cant see anything that is wrong but things are not working like they should.
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
You have a Cisco ASA 5520 where clients connect using Cisco Anyconnect SSL VPN, say the URL is connect.whatever.org. You would like for when a user enters either [URL] or just connect.whatever.org into their web browser that it automatically puts the required url...
I've some strange problems with multiple ASA (NEM) VPN remote clients (v8.4.5). On the HQ I've an ASA5510 (v8.4.5) with multiple NEM's connected to it. The group policy used on the HQ is configured for split tunneling. Now here's the problem;
The remote ASA (NEM) constructs easily a VPN connection to the main location; it seems that everything works well. Traffic through most of the tunneled networks works perfectly. Traffic to certain subnets or hosts brings me into trouble, there is no traffic flowing through the tunnel at all!
When using the command "show crypto ipsec sa | i caps|ident|spi” I can see all of the tunneled subnets. The subnets that works perfecly gives me the correct "local and remote ident" output. The subnets with problems gives me wrong values in the "remote ident". The remote ident should be the IP address of the inside LAN (of the remote NEM) and not the IP address of the ouside interface (of the remote NEM). How is this posible?
Here's is the crypto ipsec sa output:
Result of the command: "show crypto ipsec sa | i caps|ident|spi"
local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0) <-- this is the good subnet of the inside interface (NEM) remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0) <-- this is the good subnet (HQ) #pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712 #pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 current outbound spi: A4FA947A
I am using Cisco 2911 router , i configured remote client in that . i need to provide the static ip to the remote users instead of providing from the dhcp pool. is it possible? if it is how we can do that.