Cisco VPN :: ASA 5520 / VPN Phase 2 Complete But LAN Traffic Doesn't Pass
Aug 6, 2011
Just setup a site to site vpn between 2 ASA 5520 Firewalls in two locations but vpn doesn't work even though i see phase 2 completed on the logs. I can't ping across the LANs.
View 2 Replies
ADVERTISEMENT
Aug 5, 2012
I am configuring VPN on an 831 rotuer using a dynamic-map configuration. I can connect to the network and I can see phase 1 and 2 complete from the debugs however from what I can tell I can only ping across the VPN. I can't connect to and web services or RDP to any hosts on the local network. Here is a copy of my config.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
[code]....
View 6 Replies
View Related
May 2, 2011
I setup the ikev1 client and can connect but I can't pass traffic either way. I have tried icmp, port 80, smb etc... here is my config: ........
View 9 Replies
View Related
Jul 24, 2011
How to do the above thing.
View 3 Replies
View Related
Mar 20, 2013
How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.
View 3 Replies
View Related
Dec 4, 2012
asa 5505 do not pass traffic as a patch cord, how to make it pass traffic? [code]
View 2 Replies
View Related
Jun 20, 2011
I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .
View 1 Replies
View Related
Apr 17, 2012
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
View 1 Replies
View Related
Dec 12, 2010
i tried to configured L2TP connection on ASA5505.Phase 1 and Phase 2 are completed but Windows Client doesn't work. [code]
View 4 Replies
View Related
Feb 8, 2012
Got a classical remote access vpn with Cisco VPN Client and ASA-5520, Some weeks ago I noticed in my ASA logs this severity 5 Message. Group = xyz, Username = abc, IP = 84.n.n.n, Duplicate Phase 2 packet detected. No last packet to retransmit. This message comes with every connect, but then connections works fine.
Remark: See ASA ADSM:
- 1. Duplicated Phase II (!!)
- 2. Phase I
- 3. Phase II
View 4 Replies
View Related
Jan 10, 2013
We have RV220W at corporate office...intent is to have (5) groups of (3) users each connecting via VPN. Had assumed would be using QuickVPN and have set up users, etc and connections at current locations are quick, smooth, reliable. I have set up (2) locations (6 users so far). However, after 4th connection (no matter where or in what order) client hangs at "Verifying Network" and doesn't complete connection. So, I have unique usernames, etc but each of the (3) at a location are hitting the router with the same IP. Is this the problem? I'm sure the RV220W can handle 15 simultaneous connections, but can the router deal with (3) connections from the same external IP?
View 3 Replies
View Related
Apr 29, 2011
A former coworker of mine setup VPN capabilities to our office network shortly before he left. It is no longer working. We can connect to VPN but I'm not able to ping any devices on the remote network or Remote Desktop to any of the server. After 30 minutes, the VPN connection drops. I have attached our ASA 5505 config to assist in troubleshooting.
View 3 Replies
View Related
Jul 9, 2011
I can telnet to the router and ping places on the inside and outside. However when I connect a laptop to the inside interface I can ping to the outside for a bit but can't open a web page and then connectivity is gone all together. At first I thought it was a NAT issue but I know I am good on that front. I have attempted to change the speeds and duplex settings on the outside interface but it does not seem to work. Again if I take the cable from the outside interface and plug it into a laptop it works fine. The thing that makes me wonder is why can I connect to the outside interface and configure it just fine?
View 4 Replies
View Related
May 24, 2012
I'm having some trouble with my P660RU-T1 configuration. I have recently set up a linux SFTP server at my home and am trying to access it via my public ip (eg 1.1.1.1), the problem is this public IP goes to the router which doesnt pass on the requests to the server.Last summer when i first messed around with this i had no problems with using the public ip to access the server, its only recently.
View 1 Replies
View Related
Jan 25, 2013
I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]
View 6 Replies
View Related
Jan 7, 2011
A PC connected to a Cisco 877 router and 877 router is connected to another router (7301) via GRE tunnel,Cisco 7301 router is a NAS server and is being used as a PPPOE server.If user create a PPPOE connection on his computer and dial with a username/pass we want to send the PPPOE traffic to 7301 router, so 877 router should pass the PPPOE traffic to 7301 and user will be able to connect,User -> 877 -> 7301(PPPOE server).
View 4 Replies
View Related
Nov 15, 2011
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248ASA5505(config-if)# no shut
[Code]....
Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
View 5 Replies
View Related
May 6, 2008
i read cisco document:[URL] pptp client is in inside,pptp server is in outside.when i donot use firewall, the pptp connection can establish successfully.but use pix 525 7.0(7) i config:
inspect pptp.
pptp connection cannot setup.
show connection in pix:
pptp tcp 1723 is ok.
gre connection only one "E" flag, E means 'outside back connection'.i try second method:delete 'inspect pptp',permit tcp 1723 and gre traffic from outside to inside, and i have config static nat,but the pptp connection cannot work too.so i think there is a pptp bug exist in pix 7.0(7).
View 5 Replies
View Related
May 22, 2013
|_voip PBX___|-----|__3650___|------fiber-------------|__3650_____|------|_voipphone__| I have a case where voipphone is registered on the voippbx but peaple on both end can't hear each other . No ACL on both 3650 , no firewalls between them , distance is about 2 miles . I tried to make telnet x.x.x.x 1720 or 1719 or 1721 (h323 ports) to opposite switch -connection refused . How can test if ports are open on the 3650 ? Is it coorect If I create allowing acl and apply it on both 3650 on the interfaces connected one switch to voippbx "IN" , second switch on the interf connected to voipphone "IN" ?
View 3 Replies
View Related
Aug 11, 2011
I am trying to use a ASA 5510 with AnyConnect as an in-line SSL VPN device. I have a separate firewall that NAT's 443 to the inside IP of the ASA, which is the only configured interface on the ASA. I can connect to the ASA from the WAN just fine and the AnyConnect client connects just fine, I get an IP lease across the VPN on my LAN, all looks well. The problem is that I cannot pass any traffic. The only device on my LAN that I can ping is the ASA, nothing else including the default gateway is accessibe. I have setup a static route on the ASA pointing 0.0.0.0 0.0.0.0 to the LAN gateway, but no dice.
View 1 Replies
View Related
Sep 13, 2011
We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.We have 1 customer that we have some issues with. We can connect from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. What could cause this issue?
View 3 Replies
View Related
May 28, 2013
I have a 7206 VXR router between a several Mikrotik routers on our backbone. We have the Mikrotiks on both sides of the CIsco 7206VXR setup for MPLS/VPLS. I need to simply setup the 7206 to pass the MPLS/VPLS tagged packets to the next router on the link. We are using OSPF as the routing protocol. I am told by our Mikrotik guy that I just need to enable LDP and VPLS tunnels 4:0 on the 2 gig interfaces on the 7206VXR to let it pass the MPLS/VPLS traffic. It sounds simple but I'm not sure how to do this.
Any commands I need to imput to allow this router to pass this MPLS/VPLS traffic.
View 1 Replies
View Related
Mar 7, 2012
we have a Cisco 3825 router which does not work well with a DSL modem(ISP provided). I have configured the Gi0/0 port of the router to plug into this DSL modem but it does not ping to the ISP gateway. If we do a shut/no shut on the interface then it work fine for about 30 secs. Sometimes even for 1 hr. Then the packets drop and we cannot pass any traffic through this interface.
Now, if the ISP connection is terminated on a computer it works fine. It works fine without dropping any packet.I have tried various options like using a straight/cross cable. I have tried to configure the interface negotiation for 100/full, 100/half, auto/auto and almost all the options.I have also tried to interconnect the devices using a L2 device like a HUB. Nothing works.
View 5 Replies
View Related
Jan 11, 2013
I recently upgraded from a Cisco 3900 series router to a Cisco ASR1k router. Since the upgrade, I have internal clients who claim they cannot connect to external VPNs. These internal clients are behind a NAT that routes a public IP address to a group of clients with private IP addresses.
How can I ensure that all VPN traffic is able to pass through the NAT?
View 2 Replies
View Related
Jan 17, 2013
[OK] Site to Site IPSec + GRE = success, no problems.
[OK] IPSec remote access = success, no problems.
[NO] SSL VPN = remote users can successfully connect to all internal systems. Cannot pass traffic to the Internet.
Hardware:
Cisco 2811, Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3) . Software: Cisco Any Connect Secure Mobility Version 3.1.01065
Single hub router terminating IPSec+GRE site to site, IPSec remote access, and SSLVPN remote access VPN services. All services currently configured and running successfully with the exception of the SSLVPN service. Remote users can initiate and successfully establish SSL VPN sessions. While established, connectivity to all internal systems/resources are successful. Only when the remote access client tries to connect to "Outside" Internet resources does traffic not pass successfully. Troubleshooting has pointed to a NAT related issue (I believe).
When connecting from a remote access workstation, utilizing IPSec remote access client (built-in Cisco IPSec client from Mac OS), the session establishes and the client works flawlessly. Examining the Cisco 2811 router, you see the /32 host route from the remote access session get installed, and you see the corresponding NAT translation entries created when the client accesses outside (Internet) resources. Appropriate configuration to implement "hair pinning" have been included to handle the in and right back out (with NAT translation) needed for remote clients to access the Internet.
Configured the 2811 for SSL VPN, and remote access clients can successfully connect and access all internal network resources. Examining the Cisco 2811, the /32 host route for the remote access client is installed, pointing to SSLVPN-VIF0 interface with a next hop of 0.0.0.0 When checking the NAT translation table, there are NO entries for the remote access client address created which leads me to believe the hair pinning/NAT function is not being invoked for SSLVPN clients.
Originally, the IPSec remote access VPN local pool was 10.0.100.0 /24. To keep from having to adjust the existing NAT translation, PBR Route-MAP for the hair pinning function - I took the 10.0.100./24 and broke it into a pair of /25 networks. Bottom half for the IPSec remote access VPN pool (10.0.100.0 /25); upper half for the SSL VPN pool (10.0.100.128 /25). By utilizing SSL VPN, is the traffic somehow bypassing the DIALER1 interface where both the crypto map (and more importantly: IP NAT OUTSIDE, and PBR configuration for the hair pinning function)? I cant explain why NAT translation entries are not being created for SSLVPN client sessions.
Cisco 2811 Configuration has been included. IPSec & SSL VPN Remote Access Sessions Captures (performed from same remote client) have been included.
View 2 Replies
View Related
Oct 2, 2012
We have a Cisco ASA 5520
We are attempting to setup RRAS on Windows 2008R2 using L2TP. Server is on the inside of the network at 10.10.10.20 our ASA is 10.10.10.1 its outside interface is 68.0.0.0.3/28.
I set a static NAT rule to allow all traffic pointed at 68.0.0.4 to be directed to 10.10.10.20 and have ACLs allowing the following.
esp, ah, udp/500, udp/4500, udp/1701
Mac Clients have no issues with but windows clients seem to hang and never connect. I know the ASA configuration is somehow to blame, if I attempt to connect to LAN IP (10.10.10.20) from withn the same network every thing works fine (making sure all the Windows Issues are covered).We have 2 other IPSEC tunnels established to teh ASA from our COLO and a Satalite office, not sure if this makes it any harder.
View 2 Replies
View Related
Jul 14, 2011
I cannot telent to 1941 router from a Window 7 PC and I can a Window XP PC. Telnet is enabled on Win 7 PC. I upgraded 1941 to latest IOS.Compters running Windows XP can telnet to router and hit the internet. Computers running Windows 7 cannot hit the internet. I replaced the 1941 with a 1760 router and Win 7 computers can telnet to router and hit the internet. I used the same config from the 1941 on the 1760.
View 5 Replies
View Related
Mar 1, 2011
I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
View 1 Replies
View Related
Dec 14, 2011
we have two routers CISCO881-K9 and we have established l2tpv3 pesuduwire between two routers: attached the configuration file for both routers.
Although the l2tp established but we are unable to pass the DHCP or other traffic through l2tp tunnel from router A to router- B. [code]
View 1 Replies
View Related
Mar 10, 2013
We have a small cisco 1800 series workgroup router that seperates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and server vlan on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop vlan and 1 for the server. Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.
View 2 Replies
View Related
Sep 12, 2011
I am migrating over from and old PIX to an ASA 5510. After configuring the new device everything else is functional (Internet) but users are unable to pass traffic when connected through the vpn, they are able to authenticate and I see their session connected on the ASDM but no data is passed..[code]
View 4 Replies
View Related
Feb 9, 2013
I run a AirPort Extreme router. I have my F9K1106 range extender set up and working. works awesome. I get home from work the next day and the range extender seems to fall asleep , it won't pass any traffic. I power cycle it and its back up and running. this happens everyday no fail for a week now.
View 1 Replies
View Related
Sep 9, 2012
Im using 1131AG AP.Locally switched WLAN don't have problem.Authentication used: open/wpa-psk/wpa2-psk.Pinging the IP Address of the vWLC dynamic interface (WLAN-SSID Mapping) is ok, but with the gateway failed.
View 12 Replies
View Related