Cisco VPN :: ASA 5520 / Access To DMZ From Remote Sites Over S2S VPN?
Nov 10, 2011
We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?
I would like to know if there is a possibility to create 2 Remote access VPNs for 2 ASA situated in different sites and using only one PCF file.Is set up a tunnel between the 2 ASA the only way to reach the 2 destinations with the same PCF file?
I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"
As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.
I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
I Have asa 5520 terminate the remote access VPN Connection,when successfully connect to my corporate Network and try to copy a file(30MB) from the share to my PC ,it takes around 2 Hours or it disconnect.what is the speed of the vpn client once y connected to the corporate over the Internet ?at my home i have 512 ADSL while at my corporate we have 155Mbps Internet speed.
We have 2 5520 ASA's working in an active/standby function at our central site. The remote agencies have control of their ASA's or other devices able to create VPN tunnels back to the central site. When a new remote agency wants to connect to our central site we assign them a network range that is routable on the central sites network.We ask that the remote agency NAT into the addresses we provided them.This way we are able to route back to them. We assign the interesting traffic and then they we start communicating by way of the tunnel.
Since the central site can't control the traffic coming in on the site to site tunnel other than just defining the interesting traffic AND we aren't able to control the NAT on the remote end how can I put an access list on the central site ASA to allow only certain ports and IP's by way of access list? Ultimately, I'm trying to limit traffic on the central site coming inbound to only allow traffic I want. I tried applying a group policy to the lan2lan site to site tunnel, but it failed for some reason. It actually prevented all traffic. Can I apply a group policy to a site-to-site tunnel?
I'm struggling here a bit as I don't have control of the remote end. They can NAT whatever they want to an address in the range we assigned them. The tunnels interesting traffic is set to full ip to the central site's destination. The interesting traffic on the central site is set the same. However, on the central side...I want to limit that traffic to only certain ports by way of an acl. If it is possible to assign a site-to-site tunnel a group policy and filtering is done in that method, can
Is there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.
I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.
After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.
how can i allow user to access a server with defined port only and not any other service/port access for the server.
I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
We have dns server(only Internal IP) inside our network, right now we have configured Remote Access VPN using Public IP and we connect it using the same Public IP. I need to use FQDN instead using Public IP. What is the configuration for this.
I am using asa 5520 and asa 5540 for remote access vpn connections. Is it possible to do active monitoring of my vpn connections so that there would be alerts for vpn tunnels that fail to establish due to other reasons other than user authentication?
I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I now VPN Filter works bi-directional with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)
We have two sites, Site-A with a ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding.
They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work?
CISCOASA# sh run: Saved:ASA Version 8.4(3)!hostname CISCOASAenable password xxxxxxxxxxxx encryptedpasswd xxxxxxxxxxxxxx encryptednames!interface Ethernet0/0 nameif outside security-level 0 ip address x.x.x.x 255.255.255.248!interface Ethernet0/1 nameif backup security-level 0 ip address
MY ISP installed one router in my lab.for internet connectivity they mail me steps :connect your Laptop directly to gi0/3 port to check internet connectivity with public ip 1.1.1.x and Gateway 18.104.22.168 with subnet mask 255.255.255.240 after connection I surprised because I am able to access only google sites like gmail,google search etc. but I am able to ping/traceroute all sites.from browser I am able to access only google sites only.In Router no firewall no such access list.
I'm looking to put together a solution for a customer that wants to "bridge" between their current office and a new office space they have rented. I know how to set up a site-to-site VPN between two sites with different private IP ranges. For example, site A is 192.168.1.0/24 and site B is 192.168.2.0/24. But is it possible to make both sites appear as a single IP block? This way, systems could be moved one by one without renumbering.I am guessing there might be a way to tunnel the layer 2 traffic and make it work, but I am concerned about broadcast services being broken. I am using non-cisco platforms so I am just looking for pointers on the protocols that might be used so I can do further research.
I have inherited a sbs 2008 network where they have a SBS2008 server and Server2008 running as a terminal sever at the main office and they have 2 satellite offices. These offices all connect through router to router vpn tunnels. The main site is on 10.0.0 and dhcp is done by the sbs. Satellite site a is on 10.0.10 and dhcp is done by the vpn router and Satellite site b is on 10.0.5 and dhcp is also done by the vpn router. All client computers can run rdp to access shares / programs etc on the two servers but when trying to push out group policy, antivirus updates or even using remote control through the SBS2008 server it is hit or miss. DHCP records on the SBS server do not seem to update correctly, manually changing the ip address in DNS records results in warnings that the PTR record cannot be created.
So I am wondering if the configuration they currently have setup is correct. What might be stopping some but not all computers from updating, why I can connect to some but not all computers at site "a" but I am not able to remotely connect to any computers at site "b".Why I can do remote installs of Eset Endpoint Security on roughly 10% of the clients but the other 90% fail.
I have been asked to setup wireless and we have purchased WLC 5508 and 1142 APs.We have several remote sites and a centralized WLC. The requirement are to have a common SSID (Corporate) advertised across all the remote sites and have that SSID locally switched, and have another two SSID Guest and Mobile tunneled back to the central site (WLC).I want all the wireless (Corporate) clients to use the same subnet as the wired clients at each remote site, the IP assigment will be done by a DHCP server at the central site. The Guest and Mobile users will use a common subnet each across all the site and this will also be handled by the DHCP server at the central site.
I have enabled H-REAP with Centralized Authentication and Local switching but I'm not sure about the second part which is to have a common SSID (Corporate) across the remote sites and localy switched whilst having the other two SSIDs tunneled back to the WLC. Cisco TAC told me to configure dynamic interfaces for each of the remote site but then he said I still wouldn't be able to switch the Corporate traffic localy if I use a different subnet to the wired subnet for the wireless clients.
I am installing 2 ASA 5505s at home offices with dynamic IPs. The EasyVPN server is a ASA585x. I am using the 5505s in NEM mode. I configured a unique DHCP scope on each 5505. I have a dynamic crpto map on the server. I configured unique tunnel groups, group policies and usernames for each site on the server. This seems to work fine. Is it normal to configure unique tunnel groups, group policies and usernames for each remote site?
We have a Cisco 2921 router at the head office (Easy VPN Server) and been deploying Cisco 887VA (EasyVPN remote - Network Extension) for remote offices using EasyVPN. We are allowing Voice and Data traffic over VPN. Everything has been working great until this issue was discovered today:
When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in either direction.
Calls to/from head office and external mobiles/landlines are fine. Only calls between two remote sites are affected. As there is no need for DATA connection between Remote office, our only concern is Voice support.
I think "hair-pinning" of traffic over VPN interface is needed. (Examples configs etc).
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
I am trying to connect two overlaping IP address sites ( see attached diagram). Site A LAN address will dynamic NAT to 10.1.1.0/24 at ASA5520.All the users from site A need to get services from site B ( DHCP, DNS, Mailbox,Print Servers, AD loggin etc). All the connections will be initiating from site A to B.
1-will all these services will run over NATed address.( dynamic) or I have to change to static NAT?
2- Any sample config for ASA 5520 for this type of network?
I have got two 878 integrated services routers and I need to configure them as transparent bridges in order to connect 2 remote sites over ATM.
As I'm testing the topology, I configured two switches (representing the sites) at each end with a VTP domain. VTP works while the switches are connected directly with eachother, but it won't work with the bridges in the middle. [code]
I have been working with my ASA 5505 VPN Concentrator to maintain a connection with one of my remote sites. I have several tunnels that work fine and dont have any issues at all, but one tunnel with outside IP ending in 146 and inside LAN 192.168.3.0 goes down every 24 hours. Attached is the config from the concentrator. I changed around the Security Association Lifetime Settings and the tunnel would drop after that amount of time expired. If I set it to 24 hours, the tunnel would drop every 24 hours. If I set it to 8 hours it would go down every 8 hours.
I have swapped the router a few times, double and triple checked my key settings, disabled keep alives on both ends, and this problem just started happening a few weeks ago after working fine for years. I also get the following e-mail error every time it goes down:
<161>Jul 10 2011 16:19:47: %ASA-1-713900: Group = xxx.xxx.xxx.146, IP = xxx.xxx.xxx.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
for example, there are 3 sites, A, B and C. A and B are 1.5 km apart and both are separate LAN(mixture of wireless and wired). C is 35 km apart from A and B. I have to connect A, B and C so that they can communicate with each other. Security is required.
I am going to hook my laptop directly up to my wireless router via ethernet. I will be showing them security, SSID, etc. My issue is when I put in my WAN and LAN settings. What exactly is the difference between a WAN address and a LAN address.I kept my Lan address that same as the router. 22.214.171.124.I create WAN addresses as 126.96.36.199 with subnet mask as 255.255.255.000 abut not sure what to put in for my gateway. Logic say 198.162.128. 1; however that doesn't work.I then configured my tcp/ip to reflect this. Although I can always access my router website, I cannot access any other web sites.
So I had trouble connecting to some sites before like apple and such right? No big deal, just one site. Probably down. Then more and more.I got worried, then figured it was my ISP and went to neighbor to check. No. It wasn't. I ran home and checked my router, googled it before all my internet went down. I read something about UPNP being enabled and so after my internet was down, I went and checked, it was, disabled it.
I have an ASA 5520 with multiple site-to-site VPN's. A remote customer has changed their Public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without have to put the pre-shared key in again as we don't know what it is and they don't manage their firewall.
I have a dmz interface on a ASA 5520 that is used for wireless internet and i would like the users to be able to vpn in however they can not because they are coming back through the same outside interface. Do i have to nat the VPN ip pool or just use some form of hairpin routing or nat. I am using 8.2.
I have 2 dual ASA 5520 devices running VPN at two geographically different locations. What is the best way to do failover between the two remote locations?i.e. can Cisco GSS / Cisco CSM/ACE be used and if so how would this work.
The problem is that the 10.0.0.0/8 internetl network establishes the connection via the outside interface. However, the return path is via the inside interface. But the vpn concentrator keeps showing next-hop not reachable for USP 500. Why does it show that when it has a route via the inside interface.
6|Jan 29 2013 13:44:38|110003: Routing failed to locate next hop for udp from NP Identity Ifc:202.x.x.x..29/62465 to outside:10.163..x.x/5892
Also, since we are trying to send traffic from outside to the inside interface, I tried to NAT the source ip i.e 202.x.x.x and left the source unaltered. But it still doesnt work.
I am wondering why is the ASA not routing via the inside interface and looks for the return traffic via the same outside interface the traffic entered in. The outside has a security-level of 0 and the isnide has a sec-level of 100.