Cisco VPN :: ASA 5520 Unable To Access Certain Vlans In Network

May 27, 2012

I have an issue where my VPN clients are unable to access certain VLANs in my network. I have configured an ASA 5520 with VPN access using the wizard and using the ASA as a DHCP server for VPN clients. I find that this allows the clients to access server resources such as the Exchange and Domain Controller, but I find that these VPN clients are unable to ping each other as well as certain VLANs that I have. Is there a way to configure the ASA to use a particular VLAN that is already configured on the core switches? If I create a VLAN interface and set the IP of it to 10.50.x.x then the VPN clients are suddenly unable to connect to any network resources...

View 1 Replies



Cisco Switching/Routing :: 3560 - Vlans Unable To Access Internet

Feb 23, 2012

I have configured VLANs in a 3560G switch, but the VLANs are not able to access the Internet.

View 6 Replies View Related

Cisco Security :: Unable To Access ASA 5520 Using HTTP / HTTPS?

Dec 9, 2010

I was unable to access my ASA 5520 using HTTP/HTTPS, even on the management interface. I had upgraded the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin, but the issue is still the same.
 
My browser shows the error message as in the attached image.
 
PGA-Firewall-02# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname PGA-Firewall-02
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif public
 security-level 0
 ip

[Code]....

View 7 Replies View Related

Cisco VPN :: Unable To Establish Remote Access Connection From Behind ASA 5520?

Jul 16, 2012

We have two sites, Site-A with an ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:
 
"Secure VPN Connection terminated locally by the client.
Reason 412: The remote peer is no longer responding."
 
They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config  with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work? 
 
CISCOASA# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname CISCOASA
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address

[Code]....

View 15 Replies View Related

Cisco Firewall :: ASA 5520 - How To Implement NAT On Multiple Internal VLANs (DMZ)

Apr 4, 2011

I've got a Cisco ASA 5520 and am setting up the NAT for multiple DMZs on it.

I want to use PAT on the outside interface.
 
Internally I've created subinterfaces for the VLANs and connected to a trunk port on a switch.
 
configure NAT for this scenario. I've got only 1 external public IP address.

View 1 Replies View Related

Cisco Switching/Routing :: 3560X / ASA 5520 - Link Between VLANs

Apr 29, 2012

I have a Cisco 3560X 48-port IP Base switch with VLAN configured and IP routing. Ports 1 and 2 are in EtherChannel and routed ports to the ASA and have their own network of 192.168.22.49/30. The ASA is configured with the same config for ports 1 and 2. The channel group IP address on the 3560X is 192.168.22.49/30 while the other end of the uplink is the ASA and it's configured with .50/30.
 
I have 6 VLANs plus the one native VLAN. They are all configured with IP addresses. Each VLAN should be able to talk to one another, other than the DMZ VLAN, which is trunked and routed directly in the ASA. On the switch I can ping the IP address on the ASA's uplink .50/30 but I cannot ping the ASA from any host on any of the VLANs. My switch config file is posted below. The ASA seems to be able to ping any host in the VLANs due to static routes that are in place. Why am I not able to communicate with other VLANs or even ping the ASA?
 
Config for 3560X 
L3Switch#sh run
Building configuration...
Current configuration : 8056 bytes
! Last configuration change at 00:45:43 UTC Mon Mar 8 1993
version 15.0
no service pad
[code]....

View 2 Replies View Related

Cisco Switching/Routing :: ASA 5520 / Can Reserve Some More Bandwidth For One Vlan Than Other Vlans

Jan 23, 2012

Currently, we have a Cisco router (28xx), ASA 5520, and a core switch 4500. We have different VLANs. We also have Auto QoS running for our Cisco IP Phones. My manager just asked me to see if I can either reserve some certain bandwidth for one VLAN, or give that VLAN higher priority on internet traffic than the others.

1.) Anyway we can reserve some more bandwidth for one vlan than other vlans?

2.) If #1 cannot be done, how can we provide higher priority on the internet traffic to one vlan than the others?

3.) Is #1 or #2 the same config? If not, which one would be easier (without changing our current QoS settings)?

4.) If 1 or 2 can be done, which device I should config the settings on?

5.) This question may be duplicate, but do we need to reset our current QoS to achieve the goal?

View 6 Replies View Related

Cisco VPN :: 5520 Multiple VLANs A Home Office To Different Locations / Same Subnet

Apr 1, 2013

I have a home office with multiple VLANs/subnets. I have many VPNs that connect only a specific subnet to a specific remote office. On a 5520, can I create a S2S VPN to different remote offices that have the same IP scheme, but from different home office subnets? For example, at my home office let's say I have two independent, distinct VLAN/subnets: 192.168.140.0/24 and 192.168.150.0/24. Can I create an S2S from the 140 subnet to a remote office with a 10.10.10.0 addressing scheme and another S2S from the 150 subnet to a totally different office also with a 10.10.10.0 scheme?

View 1 Replies View Related

Cisco VPN :: ASA 5505 / Remote Access VPN - Unable To Access Internal Network

May 7, 2012

I have created a remote access VPN in my ASA 5505. The tunnel is established but I am not able to access the internal network.

View 3 Replies View Related

Cisco VPN :: Remote VPN With ASA 5520 - Can't Access Internal Network

Mar 14, 2011

I am trying to build a remote VPN in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using AnyConnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IPs is even pinging). Meanwhile, I could ping and RDP to this laptop (which is connected by AnyConnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.

View 8 Replies View Related

Cisco VPN :: Allow Access For VPN Client To Spoke Network Through ASA 5520?

Mar 26, 2012

I'm trying to set-up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA.   I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
 
I have set-up the 3 remote access groups:
 
Group 1 - subnet 192.168.1.48/28
Group 2 - subnet 192.168.2.0/25
Group 3 - subnet 192.168.3.0/25
 
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue.  But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set-up.  However, I can't see what the difference is between the 3 groups I have configured so can't understand why it works ok for one group and not the others?
 
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that?  How can I find out more? Here's the relevant config on my ASA:
 
!
same-security-traffic permit intra-interface
!
crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800
crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000
!
crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser
!
ip local pool pool1clients 192.168.1.49-192.168.50.54
ip local pool pool2clients 192.168.2.1-192.168.2.126
ip local pool pool3clients 192.168.3.1-192.168.3.126
!
access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0
access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0
!
access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0
access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0
!
access-list

[code].....

View 12 Replies View Related

Cisco :: ASA 5520 - Don't Allow Guest Traffic Access Internal Network

Feb 28, 2013

I have created a new sub-interface on our ASA 5520 for guest internet access.

My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.

The order of the rules I plan to setup on the guest interface inbound are:

#1. <rules to allow access to specific services in the dmz>

#2. <block any ip access to the entire private network ip address space>

#3. <permit ip any any>

#1. These rules will give access to the guest user to services located in the dmz

#2. This rule will block all access to any services in the private ip address space (thus blocking access to all internal services)

#3. This rule is to allow access to any other services i.e. the internet.

Is this the best way to achieve my goal in the most secure way or is there a better way? i.e. is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it go elsewhere?

(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)

View 2 Replies View Related

Cisco Firewall :: 5520 Can't Access Internal Web Server From Outside Network

Aug 23, 2011

I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to access the webserver from the outside network. From the laptop (192.168.2.51), if I connect to url... it should open the page from 10.10.10.50. I also need to ssh to the webserver from the laptop. If I ssh to 192.168.2.50 from the laptop, it should connect to 10.10.10.50. [code] I can't get to the webserver from the outside network, so now I connected the laptop directly to the ASA 5520 outside port with a crossover cable. The ASA inside port connects to the L3 switch. The webserver also connects to the L3 switch. But it still doesn't work.

View 9 Replies View Related

Cisco WAN :: Unable To Set VLANs On UCS 520

Jun 12, 2011

I am trying to configure a UCS 520 and need to setup the VLAN for the phones.  I tried to use the vlan command from the config prompt and also from the vlan database and each time I get the following message:
 
UC520(vlan)#apply
% not enough space on flash to store vlan database. trying squeeze...
% error squeezing flash - (Operation not supported on this file)
Error on database apply 40: NV storage failure
 
Here is what my nvram is showing:
 
UC520#dir nvram:
Directory of nvram:/
   246  -rw-        6461                    <no date>  startup-config
  247  ----        1933                    <no date>  private-config
  248  -rw-        6461                    <no date>  underlying-config
    1  -rw-         577                    <no date>  IOS-Self-Sig#1.cer
    2  -rw-           0                    <no date>  ifIndex-table
    3  ----          61                    <no date>  persistent-data
 
262144 bytes total (250626 bytes free)

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - Enable Access Sftp / Ftp With Filezila Outside Of Network?

Feb 21, 2012

I have a Cisco ASA5520 in place and I want to configure it to access my webserver outside of my network through sftp/ftp with FileZilla. What command should I add so that the port/service associated with it is able to run?

View 1 Replies View Related

Cisco Switching/Routing :: 5520 Configure Traffic Flow Between Computers Inside VLANs And Routed Port

Jul 7, 2012

How to configure traffic flow between  computers inside VLANs and a routed port? Here is the setup details:
 
1. Switch 3750-X
2. VLAN 100 - ( SVI IP address 192.168.100.1 /24)
3. VLAN 200 - ( SVI IP address 192.168.200.1 /24)
4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
 
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from  any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
 
Any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100. Is it because inter-VLAN routing does not work with a routed port on an L3 switch? I looked up fallback bridging, but it is meant for non-IP traffic. The goal is I am trying to set the ASA port as an internet gateway for VLANs.

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - Allowing Guest Wireless Network Access To Internal Subnets

Jan 23, 2012

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub-interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets, so it can only access the internet. This is primarily used by the public, but we have several non-employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL VPN portal or through other internet-facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
 
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seamlessly by network-specific routes and/or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.

View 8 Replies View Related

Cisco WAN :: 2 ISPs / 2811 Router - Internet Access To LAN / VPN Access To VLANs?

May 31, 2012

I have 2 ISPs terminating on 2 FE ports on my 2811 router. ISP1 had always been here, used for the following:

Internet access to LAN users
Internet access with public IP mapping to servers in different security zones (VLANS)
Site to Site VPN tunnels to 3rd party partners
Remote VPN access to 3rd party partners

We recently got a second ISP, mainly for the following:

Internet access and public IP mapping to servers on separate security zones (VLANS)
Site to Site VPN tunnels to 3rd party partners as above, but different hosts

So far, ISP1 and all the above services have worked based on the config below. However, having added ISP2, I have not been able to successfully create the site-to-site VPN tunnels.

version 12.4
!
ip source-route
!
ip cef
!
ip name-server 4.2.2.2
ip name-server 137.65.1.1
ip inspect WAAS enable

[code]....
 
Whenever I try to establish a tunnel on SDM_CMAP_2 and run a test using CCP, I get 2 failure reasons:

1. The peer must be routed through the crypto map interface. The following peer(s) are  routed through non-crypto map interface - 4.58.130.130

2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - 4.58.130.134
 
The tunnels on SDM_CMAP_1 are all active. Do I need to include a default route for the second ISP on the router? If so, how do I get this done? When I tried it, I had loops on the user LAN segment of the network.

View 5 Replies View Related

Cisco Switches :: SGE2000Ps / Unable To Communicate With Time Clock Across VLANs

Jul 3, 2012

I have a situation where I am installing SGE2000Ps to replace my old switches and configuring VLANs. The time clock will not communicate across the VLANs. If I unplug the network cable and plug it back in I will get two successful pings. If I use a PC configured with the same network settings as the time clock and plug it into the port for the time clock it communicates fine.

View 9 Replies View Related

Cisco :: Unable To Access Inside Network

Jun 25, 2012

I have set up a few VPN clients but no one's able to access the inside network. The clients all get an IP address from the pool and DNS servers' IPs, but cannot ping or connect to their PCs. I'm thinking it's somewhere in the ACL.

View 2 Replies View Related

Cisco Firewall :: Make Communication Between 2 Vlans On Firewall 5520 ASA 8.2

Jan 1, 2012

Communication between 2 VLANs. I have 2 VLANs:
 
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add    2.2.2.2 
 
I want to make communication between 2 VLANs on firewall 5520 ASA 8.2.

View 1 Replies View Related

Unable To Access The Internet And Network?

Jul 20, 2012

Ethernet link light is green (blinking), but I am unable to access the network.

View 2 Replies View Related

Cisco VPN :: VPN Users Unable To Access Internal Network - ASA 8.3.1

Nov 19, 2012

I have a base config of AnyConnect VPN below; however, the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN pool from accessing the internal LAN?
 
The Core LAN router is 1.2.3.1.
 
!
ASA Version 8.3(1)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0

View 2 Replies View Related

Cisco VPN :: ASA 5505 / Unable To Access Remote Network

Jun 24, 2012

I have a Cisco ASA 5505, with basic 50 license, that is connected directly to the Cable Modem with a public IP. I have VPN configured and active on the Outside interface. When we connect, we connect just fine with no errors, but we are not able to access any resources on the remote network.
 
ASA IOS version 8.2(5)
Remote Network IP: 10.0.0.0/24
VPN IP Pool: 192.168.102.10 - 25

View 4 Replies View Related

Linksys Access Point :: WRT54G - Unable To Find Access Point In Home Network

Aug 29, 2009

I just bought an LG Bluray DVD player (BD390) which is unable to find the access point in my home network. My router is a WRT54G, ver. 2.2, running firmware: Ver.4.21.1. My home network uses high speed cable with two computers on the wireless network, all working with no problems. The router is on the second floor but the two computers and the new BD390 are on the first floor - about 35 feet away. I have the wireless security set to none and use only the specific computer MAC addresses to allow connection to this network.
 
I found directions in the forum for a setup using the LG BD390  but with a different Linksys router. I changed the security to WPA (AES); the Beacon interval from 100 to 75; the Fragmentation Threshold from 2346 to 2304; and the RTS Threshold  from 2347 to 2307. The DVD wireless connection still failed to find my network. There is a "Push button" connection feature on the BD390 setup which I tried, but the only "button" on the router I could find was in the basic wireless setting, a green icon for the wireless SSID setup. No connection was made there either.
 
The recommendation connection from the LG manual is for a network cable, but that would be over 50 feet and a real pain to connect, so I would prefer WiFi. 

View 3 Replies View Related

Unable To Access Browser But Connected To Network?

May 25, 2011

I have been using this wireless internet connection for a long time, but the other day I went to go online and it didn't work. I've tried lots of things but nothing seems to work. I'm able to access the same wifi from my phone and it works fine, so I know it's not the actual network, it's something on my side. Pics of Xirrus screenshot & Intel PROSet config attached. [CODE]

View 11 Replies View Related

Connected To Network But Unable To Access Internet

Oct 23, 2011

I have no admin privileges or access to the router. I have contacted support and they've tried various fixes on their end and just told me it must be a problem on my side. The network registers a MAC address under your account name and then assigns an IP. My problem is that my computer connects to the network fine, and tells me I have internet access, but I can't actually access the internet when I try. I'm definitely connected to the network as I can access the ask4 page that allows me to register a new device, which I access with an IP address of 10.142.0.1, so I'm guessing that's stored locally somewhere on the network. I have tried Internet Explorer, Firefox and Chrome, as well as connecting through game portals, and none of them are able to access the internet.

IE gives an error that it says can't be fixed as its an error with the server and Chrome gives error 101 (net::ERR_CONNECTION_RESET). I've tried various fixes, some of which have worked temporarily. After trying most of them I've had internet access that has lasted between 5 minutes and a few hours, but the problem has always returned and the same fix that worked first time hasn't always worked again. I have an xbox that I connect to the same network port in the wall and that accesses the internet perfectly. My computer has 2 Ethernet ports and both have the same problem.

My network adapters are 2 NVIDIA nForce networking controllers (drivers are up to date). When the problem started I was on Windows Vista, but I've upgraded to Windows 7 64-bit as an attempt to fix it. I've tried different Ethernet cables, connecting both ports, uninstalling my network adapter drivers, disabling and re-enabling them, resetting my IE settings, disabling and uninstalling my antivirus, connecting through an Ethernet switch, and disconnecting and reconnecting the cable.

View 1 Replies View Related

Unable To Access Network Share And Printers?

Mar 6, 2013

Every once in a while we have a machine that seems to just lose the ability to access network shares and networked printers. The way I have been "fixing" the issue is to join a workgroup temporarily, restart the computer and rejoin the domain.

I understand this is probably not the best fix available, but I am not sure what is causing the problem and/or what a better solution to this problem is.

why this happens and how best to solve this without just rejoining the domain?

View 15 Replies View Related

Sharing :: Unable To Access Network Folders?

Mar 14, 2013

I am able to ping and remote dial into my Main PC from laptop, but I am not able to access its folders from my laptop. I can access the network folders on my laptop from my Main PC, so I am confused. I have performed the ipconfig release and renew and flush the DNS and still no success.

View 3 Replies View Related

Cisco Firewall :: PIX501 Unable To Access To Corporate Network

Mar 14, 2011

I am having trouble with routing in PIX501. I have one PIX 501 and one Cisco router. The Cisco router is configured for IPSEC VPN (LAN interface 172.19.194.1) and the PIX is configured for access to the internet. The default gateway of PCs in the LAN is the PIX inside interface (172.19.194.2), but people are unable to access the corporate network but can access the internet. If I set the default gateway to the Cisco router LAN interface (172.19.194.1) then I can access the corporate network. The purpose is to pass the internet traffic using the PIX 501 and corporate network traffic using the Cisco router.

View 6 Replies View Related

Connected To Wireless Network But Still Unable To Access Internet

Jun 23, 2011

I cannot connect to my home wireless network (we did change routers back in Dec and did at that time have problems as well getting it to connect). The router is a Linksys E2000. When I checked further I saw that the IP address was different than the ones on my other laptops, so I changed those settings by adding the new IP address..

[code]...

View 1 Replies View Related

Unable To Connect To Wireless Network Or Access Router GUI

Aug 27, 2012

Just to set the stage, we used to have a network which ran in the following order:

For wired workstations: bridged DSL modem->wireless Linksys E900 router->Dell PowerConnect 2824 switch->2 modular 4-port jacks->individual workstations
For wireless: bridged DSL modem->wireless Linksys E900 router->workstations

The workstations were set up to pick up IP addresses automatically. After an infrastructure upgrade where we added some Cat6 cables and swapped the modular jacks for a patch panel, we lost all connectivity. I restored the connectivity to the wired workstations by assigning IP addresses. But we have no wireless and I cannot access the router GUI at its IP address (even when plugged directly into the router). All the workstations show the default gateway as 192.168.10.1, so I don't know what's going on.

View 3 Replies View Related

Cisco VPN :: SA520 / Unable To Access Network Shares / Impossible To Ping

Apr 23, 2013

I would like to set up a VPN to allow nomad employees to connect to our network from outside. Our router is a Cisco SA520. I tried different configurations without success... Here is the current VPN configuration: I created my IPSec users, I can connect remotely, but I do not have network access... Unable to access network shares, impossible to ping.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved