Cisco VPN :: ASA 5520 - Configure VPN To Dual Remote Endpoints
Dec 13, 2011
Not sure if my subject is a good decription of the problem or not.
I have an ASA 5520 at my home office and a SonicWALL NSA2400 at my remote office. The remote office has dual internet connections and I wanted to create two seperate VPNs between the devices using each internet connection on the SonicWALL.
I know how to configure this on the SonicWALL, the problem is on the ASA 5520
OK Basic network config
Main Office
ASA Public IP 1.1.1.1
ASA Internal network 192.168.1.0 (VPN source)
Remote office
Public IP 1 2.2.2.2
Public IP 2 3.3.3.3
Iternal network 192.168.2.0 (VPN destination on ASA)
If I have a VPN from the main ASA to either one of the SonicWALL's public IPs everything works fine
If I create 2 VPN tounels from the main ASA, 1 to each public IP on the SonicWALL, the VPN shows as up but no traffic flows.
View 1 Replies
ADVERTISEMENT
Jan 22, 2013
I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"
As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.
View 8 Replies
View Related
Apr 16, 2012
i have cisco ASA5520 and i have a remote access vpn .I want to configure logging for this remote access vpn.
i want the time user connected .how log it is connected .If any error while connecting ?
View 4 Replies
View Related
Jan 26, 2013
Region : Singapore
Model : TL-WDR4300
Hardware Version : V1
I need to set up remote access to my HDD connected to my WDR4300, so I can always go online when I am out to retrieve the saved files in the HDD. However I have zero knowledge of network setting of the FTP servers, I can gain access when I am home and connected to the Wireless network, but how to gain access remotely.
View 6 Replies
View Related
Feb 3, 2013
I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
View 3 Replies
View Related
Jul 6, 2011
Is it possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel? I have to create 18 ASA5505 tunnels back to one ASA5510. Instead of having 18 subnets out there it sounds more efficient for my application just to have one. Sort of a CLOUD (there's that word) arraignment.
View 10 Replies
View Related
Jan 15, 2013
I need two vpn tunnels from one ASA5510 to two customer endpoints but with the same host on the remote side, the two tunnels are for redundancy reasons. Can I just configure two tunnels with the same host on the remote side and assume the ASA will understand to just use one of the tunnels when both active or the one left when one is down? Or do I need extra configuration for that.
View 1 Replies
View Related
Dec 30, 2012
I configured dual ISP on ASA 5520 following cisco doc below. Now I would like to configure SSL VPN to work with this for failover? I tried to find an article regarding this but I could not. [URL]
View 3 Replies
View Related
Mar 7, 2011
how I can give endpoints on a SOHO router network Public IPs so I can access an Electronic Whiteboard over the Internet. Do I need to purchase more that one Public IP or is there something I can do with subnet masking?
View 2 Replies
View Related
Mar 12, 2011
I have Cisco ASA 5520 . I want to deploy this in the following scenario. Two ISP( for internet) links are connected in the ASA. Three zone ( Outside , DMZ , Inside) specified on the ASA.In DMZ , there are two proxy server ( proxy 1 , proxy 2) . Branch user will use proxy server 1 and Head office will use proxy 2.
In the above scenario management requirements are, Proxy 1 will use ISP 1 and proxy 2 will use ISP 2.If ISP 1 goes down then proxy 1 will use ISP 2 for internet. Please suggest me how I will configure the ASA in the above requirements or if possible send me the configuration.
View 3 Replies
View Related
Jul 10, 2011
We got 2 ISPs -------> two ASA 5520 Primary / secondary --------> LAN . ASA is configured with ACL and Static NAT for our mail , web & ftp servers .
My question is how to configure the 2nd ISP on the ASA to auto switch to the 2nd ISP when the 1st is down with a backup static NAT and backup ACL for the new ISP , in other words how to configure a active static NAT and Backup Static NAT and ACL only for Exchange/Mail Server.Here is the example of our configuration where PIE is Primary ISP & EMC is Backup ISP.
ASA Version 8.2(1)
hostname Corp-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
View 1 Replies
View Related
Mar 8, 2013
We have a server which in addition to other services is used to stream live hi-def video from our building during special events.We use a software video/audio production mixer which works very well. But we now would like to make a change in the system.Is it possible/practical to use Remote Desktop via the second - as yet unused - LAN in our server. We really would like to put the operators in a different location where they have both video and in-person view of the event being streamed. But we don't want to use more bandwidth on the LAN...the production mixer handles a *lot* of uncompressed video and tends to be a bandwidth hog.
View 4 Replies
View Related
May 31, 2013
I would like to knwo if i have dual ISP feature with my ASA 5520 licence? With ASA 5505 i can see Dual ISP feature but with ASA 5520 it's not!
View 3 Replies
View Related
Aug 3, 2010
I have a client that is requesting redundant internet connections using 2 7204 routers to 2 asa 5520 in an active standby configuration. There is no load balancing requirement this is strictly for failover. The issue that I am having is that I have to have 1 of there public IP addresses on the Lan side of the 7204 for the ASA connectivity. Because of this both routers advertise out their public subnet to the respective providers, but the issue is that when the wan link on the primary router fails and traffic traverses the secondary wan the return traffic comes back in the secondary wan and stops because it sees the link to the asa as being up even though the asa is in standby. No matter what route manipulations I do a directly connected route is alway going to be better. How I can get this to work. Below is a rough sketch:
Verizon------Router A (Primary)-----ASA A (Active)--------------Nexus1
| | |
| IBGP | Keepalive | VPC Link
| | |
AT&T---------Router B (Backup)-----ASA B (Standby)------------Nexus2
View 6 Replies
View Related
Mar 30, 2012
I created three different Remote VPN connections with three different networks . i can make them one but for some reasons i don't mix all.and iam using Cisco asa 5505 with Shrew Soft VPN software , so my problem is,- i connected Shrew soft remote vpn , if i try to connected another remote vpn connection this will not accept the second connection, any remote vpn connection software that accepts more than one connection
View 1 Replies
View Related
Dec 14, 2011
I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
View 3 Replies
View Related
Dec 6, 2012
I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover. The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?
View 1 Replies
View Related
Aug 9, 2011
I am attempting to get a solid setup for a remote office we have going up and I am running into little issues that I cant seem to get around.
Basically, we have a remote office that will have dual ISPs, one hard wired circuit from a local carrier and the other will be a Verizon 4G router that plugs in via Ethernet and hands out DHCP to my Cisco router.The Cisco router is a 2911 with IP SLA configured. I have it setup to ping my DC out one interface and if that fails, it removes the default route and injects a new default route from the other ISP,
The problem I am having is with the VPN. I figured using EZVPN would be the only solution because the Verizon 4G only supports DHCP so I have to be able to connect from a dynamic remote host. The other caveat is that failover needs to be seamless as we have no person onsite that can troubleshoot. Its fine if it takes a few minutes, but the VPN just needs to come back up on its own without any intervention.
I attempted to setup two different EZVPN crypto maps on the router but realized you can only have one inside cryptomap per interface, which would cause a problem with the internal network. I thought I could just create subinterfaces off the router to have two inside interfaces to work with but that wouldnt have supported because they would now be on different subnets.
I decided that adding an ASA5505 behind the router may be the simplest solution. Use the router only for the purpose of handling routing between the two ISPs and performing NAT out the interfaces. Then use the ASA to do EZVPN from. This works well but there are some issues I am trying to work through.
First, when the ISP fails over to the backup, the NAT translations have to timeout before things start working again. For a constant ping, this is fine, I have the timers set down to 15 seconds for NAT timeouts and after 15 seconds the ping picks right back up again. However, this breaks the EZVPN. The ASA keeps trying to bring up the ISAKMP nearly every second, which keeps resetting the countdown on the NAT timeout for the remote EZVPN server. Because of this, the VPN will never come up until I manually clear the NAT translations on the router. So my first question is this; is there a way to adjust the timer that the VPN uses to try to bring the tunnel up? I tried the crypto isakmp keepalive command but that didnt work, it looks like it doesnt work with EZVPN.
The second issue is really with the IP SLA and is only an issue because of the first issue I mentioned. When the router first comes up after a reboot, both the primary and secondary interfaces come up. However, since the primary default route is only injected into the routing table once IP SLA is up and can reach its destination, the secondary route gets injected initially and the VPN comes up over the secondary ISP. In a few seconds, the primary default route is injected, changes the path and because of the NAT translation, breaks the tunnel and never comes up again because of the first issue with the VPN tunnel renewing the NAT translation continuously.
I could easily go out and purchase a $100 Linksys router that will do the failover and clear its NATs and everything, but I need better reliability out of the hardware than that. There has got to be a way to do this on a Cisco device since consumer level equipment can.
View 1 Replies
View Related
Oct 9, 2011
We are looking to deploy an ASA 5520, but I need to know if it is possible for it to work in this environment.
We have colo space, with two IP ranges. They provide two network drops, one from each switch connected to different routers. One in which has 4 usable IP's for management purposes. This address range will be used only for remote access to the ASA and VPN into the management VLAN. The management VLAN will have all internal devices such as the switches, etc. The second range is for the servers, of which will be assigned directly to the hosts and the ASA will need to act as just a firewall. I can do this on IOS, but not sure about the ASA.
I need to answer the following questions:
Does the ASA support dual network drops, and would this be a failover port configuration in order for it to work?A management VLAN with outbound internet access only, and VPN/RA capability. NAT will need to be used I'm guessing. Can we have a DMZ VLAN which has defined ports, say 80, 443 and 25 inbound and outbound. I need the hosts to have the public IP assigned to them with no NAT configuration.
I know there are some advantaged to using NAT, but I really can't use it because the applications behind prefer public IP's being assigned to them.
View 23 Replies
View Related
Jul 7, 2012
i have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.
View 1 Replies
View Related
Aug 30, 2012
I would like to configure & utilize the dual WAN / ISP to which we have subscribed. At present we are serving web-pages through our primary ISP which is working fine.
View 3 Replies
View Related
May 17, 2011
I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with it's capabilities to act as a DHCP server (it's not an option in the ASDM) or it's ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site to site VPN. As is the 5520, so all of it's interfaces are used as well).
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set it's default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I dont' just connect the two swtiches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why i can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.
View 1 Replies
View Related
Sep 16, 2012
I have the following: 1 5520 ASA connected to the internet, 2 core switches, and several access switches.Aside from implementing RSTP, VRRP, hard code access and trunk ports, is there any other recommendation you would like to add.
View 7 Replies
View Related
Mar 27, 2013
I am attempting to set up failover dual ISP on a 5505 running 8.4(4) with the Sec Plus license. Everything i have been able to reference so far, points to old commands not available or relevant in 8.4
For instance:
global (backup) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route backup 0.0.0.0 0.0.0.0 30.30.30.1 10
What is the new syntax that should be used to mimic these commands? I have the sla and trach reachability configuration already set up.
View 1 Replies
View Related
Jul 4, 2011
I have a pix515 v6.3.3. Is it possible to configure dual ISP on two interfaces and have redundancy between them?
View 1 Replies
View Related
Mar 5, 2012
We have a RV082 configured with two ISP Wan connections. We recently implemented a VOIP phone system (SIP) (192.168.1.50) that is being used in appliance mode on our network. We currently have two WAN connections Load Balanced. My goal is to configure all my VOIP traffic to go out through the 1st ISP and the rest of the data through ISP #2. is this possible to achieve using the RV082? We are using a Skype SIP Trunk connection.
View 1 Replies
View Related
Aug 19, 2011
I need configuring Cisco RV042 dual wlan and port forwarding for 2 servers web and dns in LAN
View 1 Replies
View Related
Mar 17, 2013
I've 3 interfaces on router:
Gb0/0-ISP01 with DHCP client
Gb0/1-ISP02 Static IP 192.168.2.x/24
Fa0/0 - LAN 192.168.1.1/24
I want to know, how to configure:1. Set the IP of interface Gb0/0 as dhcp client from ISP01 and make it as default route.
2. How to configure the ip nat.....overload?
3. How to use the ip sla to monitor internet connectivity to 8.8.8.8 for ISP01, if it fails, to go to ISP02.
View 3 Replies
View Related
Apr 22, 2013
Cisco RV042 Dual WAN VPN Router -how to configure dynamic DNS without having to use the pre-programmed DDNS companies that are populated by default if my DDNS company is not listed and you cannot manually enter another company that is not on the list?
View 1 Replies
View Related
May 24, 2012
I need to configure a 4507 chassis with two SUP 7 installed. I havenot done SUP redundancy comnfiguration and i was owndering
View 9 Replies
View Related
May 25, 2012
I have an ASA 5520 with multiple site-to-site VPN's. A remote customer has changed their Public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without have to put the pre-shared key in again as we don't know what it is and they don't manage their firewall.
View 7 Replies
View Related
Jan 27, 2013
I have a dmz interface on a ASA 5520 that is used for wireless internet and i would like the users to be able to vpn in however they can not because they are coming back through the same outside interface. Do i have to nat the VPN ip pool or just use some form of hairpin routing or nat. I am using 8.2.
View 4 Replies
View Related
Nov 10, 2011
We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?
View 6 Replies
View Related
