Cisco VPN :: ASA5505 And Spoke VPN Between Multiple Sites
Aug 12, 2012
I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers. From the hub network i can connect to all sites fine but what i would like to do is to almost compartmentalise the various VPN links into little clusters.The hub ASA 5505 basically provides IP telephony through the VPN's from a PBX allowing the users at the other end of the VPN to make outgoing calls and recieve incoming calls. However, a couple of the sites would like to be able to call between eachother internally via the hub. This obviously requires traffic to be allowed between their various networks. Currently when you attempt an internal call it rings but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible. I've attached the hub and 2 spokes below. The ideal end result would be interconnectivity between the two spokes via the hub, from reading up it would seem that its possible but i can't quite get my head around it! Would it involve using different subnet masks at the hub?
I manage to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.
Outside and Inside are not accessible to each other because Outside No Forward to Inside.
My purpose now wants to access the shared folder by Windows Explorer ( under Network ) between for example DMZ and inside. I tried to do it but cannnot even see the Host of the other party network. For example, if I open Windows explorer at DMZ, I can't see the Host at Inside Network. Same as I open Windows Exploere at Inside, I can't see also the Host at DMZ network.
How am I configure so that I can access the hsot as well as shared folder of two sites which already can ping each other?
I am about to deploy a load of Aironet LWAPs into my organization. I've configured the WLC 2504 and have a couple of the APs working at our main site. I just needed to plug them in, and they worked perfectly, straight out the box. But I just want to know the following:
1 - will the same apply if I connect an AP at a remote site? Remote sites are on different subnets and connected via IPSEC. Will the remote APs just find the WLC?
2 - is there anything I need to set up especially on the WLC in order to make this work?
I would like to create two site-to-site VPNs, one for data and one for VoIP, between the same sites. One end is an ASA 5510 and the other is a third party firewall. Is this possible if I use different sets of IP addresses for each tunnel?
I am installing 2 ASA 5505s at home offices with dynamic IPs. The EasyVPN server is a ASA585x. I am using the 5505s in NEM mode. I configured a unique DHCP scope on each 5505. I have a dynamic crpto map on the server. I configured unique tunnel groups, group policies and usernames for each site on the server. This seems to work fine. Is it normal to configure unique tunnel groups, group policies and usernames for each remote site?
Region : UnitedKingdom Model : TD-W8960N Hardware Version : V4 Firmware Version : 1.4.0 Build 111130 Rel.55990n ISP : DEMON
I'm using parental controls to block all devices in the house from using tumblr. I cannot do this at a device by device level as it is being used on iphones/androids, laptops and desktops.Unfortunately, the way that tumblr works is that it use many URLs for the different pages people set up so it is not just a case of blocking url... - so I'm struggling to work out if I can do this via URL blocking on the router settings. How to do this at router level.
For a branch office we have an ASA5505 connected to the ISP with an DHCP provided public IP "locked" to the local MAC This works ok!Now - the ISP may provide up to 5 public IP's (all DHCP assigned).Is it possible to configure 2-5 public interfaces in the ASA?? As IP's are DHCP assigned there must be something (a interface) to request the address.Would this be possible, and if so - what license would be required??NAT routing on the inside should be possible as well.
We are trying to utilize a 5 ip block of addresses provided by our ISP. What we have assigned from them is like this: 10.10.10.46 - 10.10.10.50 is our ip range. 10.10.10.45 is the gateway. Subnet is 255.255.255.248. If we assign 10.10.10.46 to the outside interface how do we accept inbound traffic from the other addresses?
I'm trying to setup a VPN connection for the two PC's in the graphic below. I have the link between the two locations setup and secured, now I just working with the routing elements.what I need to add to the firewall config in order to get this to work? Here is what I have:
SITE A------access-list mpls_vpn_sitea extended permit ip host 126.96.36.199 host 188.8.131.52 access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0crypto map mpls_vpn 1 match address mpls_vpn_siteacrypto map mpls_vpn 1 set peer 184.108.40.206 crypto map mpls_vpn 1 set transform-set ESP-3DES-SHAcrypto map mpls_vpn interface MPLScrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac SITE B------access-list mpls_vpn_siteb extended permit ip host 220.127.116.11 host 18.104.22.168 access-list mpls_vpn_siteb extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0crypto map mpls_vpn 1 match address mpls_vpn_sitebcrypto map mpls_vpn 1 set peer 22.214.171.124 crypto map mpls_vpn 1 set transform-set ESP-3DES-SHAcrypto map mpls_vpn interface MPLScrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
do I need to specify a route between the two networks? What do I need to have for NAT statements?
This works other networks that are like whole network with /29 mask and have router in front of ASA using bridge. But in my case i just have DSL modem bridged in front of ASA. This static nat works like should if i use like Zywall USG series fw and this same configuration works in my customers, but they have those scenarios i said having mask /29 and router in front...
It seems that the problem is in ASA, like i won't show those public IP:s to public router from my operator. Because if i roll those other public IP:s on my ASA:s outside interface: i will use 83.x.x.25 and 83.x.x.41 on outside interface and after that put back my original 83.x.x.10 then my static nat is working just fine, atleast few hours, but not in next morning because ISP router flushes ARP cache.
I am at a loss on configuring a new ASA5505 for multiple static port translations.I would have expected to simply add several service command to a network object to complete the task, however, the service command overrides the previous and replaces rather than adds to the translations. [code] However, if entered in that order the 8443 overwrites the 8080 static translation.What is the correct procedure to establish multiple translations? If someone could also provide the "old" style for pre 8.2 release, I'd like to compare because I thought I used to do this with an access-list somewhere.
The ASA device is going to be the gateway for multiple distinct inside IP subnets. We can have have a unique outside IP address to correspond to each inside IP subnet if needed, but we need some means for a VPN client or a site-to-site VPN to have acess to a pre-definied IP subnet (i.e. if customer A establishes a VPN connection, they have connectivity to IP subnet X; customer B establishes a VPN connection, they have connectivity to IP subnet Y, etc.).Currently, the two inside IP subnets are 10.10.0.0/16 and 10.20.0.0/16. We will be adding more.The problem we are facing is that we cannot reach the VLAN 201 from the ASA we believe this is because. I have setup two addresses on port 0/1 Vlan1, 10.10.20.2 and 10.20.20.1 as an alias. How can we make traffic for the 10.10.0.0/16 subnet untagged and traffic for the 10.20.0.0/16 subnet tagged for VLAN 201.
remote location on MPLS circuit terminated on a Cisco router that has Internet connectivity through Central Site router. We are installing a cable modem at the remote location that is to be used as the Primary Internet Connection but still be able to use Internet through MPLS if the cable Internet goes down. We want the failover/fallback to be handled automatically.
We have an ASA5505 for the cable Internet which then feeds into the ISPs modem.
At first I was thinking about getting a module for the remote router so the cable Internet could be terminated on the remote router as well but that introduces a single point of failure. I would also like to firewall both the MPLS and the cable Internet but if I do so on the ASA there is another single point of failure.
ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of 126.96.36.199.I need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address (192.168.1.2) Everything I read tells me how to do this in a 1 to 1 static NAT.
I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).
HUB-----------SPOKE1 | | | SPOKE 2
HUB and SPOKE 1 is okay. My problem was the communication between HUB and SPOKE 2. PING failed on both directions. BTW, I am simulating this only in GNS3. :-). The configuration for HUB and SPOKE 1 are the same also for HUB and SPOKE 2.
Here is my show isakmp sa and ipsec sa on HUB
ciscoasa# sh isakmp sa Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1
MY ISP installed one router in my lab.for internet connectivity they mail me steps :connect your Laptop directly to gi0/3 port to check internet connectivity with public ip 1.1.1.x and Gateway 188.8.131.52 with subnet mask 255.255.255.240 after connection I surprised because I am able to access only google sites like gmail,google search etc. but I am able to ping/traceroute all sites.from browser I am able to access only google sites only.In Router no firewall no such access list.
i am trying to set up a tunnel connection between twO 2800 routers A<->B
1) destination ip is-204.x.x.x-ROUTER A2) source ip is 166.x.x.22-ROUTER B The router B has the modem connected to GE0/1 whose interface ip is 166.x.x.22 The ip-forward-protocol nd is configured as below
ip route 204.x.x.x 255.255.255.255 166.x.x.21
Also tunnel 1 configuration,isakmp policy are configured properly when i run show crypto isakmp sa it shows MM_NO_STATE,i checked the preshared key on both ends and they are same.whenever i remove the ip address of the interface Ge0/0 and ip route i can ping the 166.x.x.21 which is the modem gateway.when i revert back the configuration to the above ,the ip 166.x.x.21 cannot be pinged,the dsl connection is live though.ways to fix this so that i can make this tunnel state to QM_IDLE?
I want to build a "hub and spoke" topology for one of my clients. For the "HUB" , I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL. For the "spokes" (21 at the moment), I'm planning to use RV120. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP. The boss will connect to the HUB using Cisco VPN client, or quickVPN, and get access to all the spokes. Some spokes will have to connect to each other, via the HUB. I searched a long time on this forum and reading documentation, but I didn't find at the moment the answer to my question : is this topology suitable with the choosen hardwares ?
HQ-HUB is the only site with access to the Internet.
So if Site1 or Site2 or Site3 need to access the Internet, traffic will have to go through HQ-HUB and from there reach the Internet.I have routes 2851's on the spoke sites. Which command or mechanism you would explore in this case to make the spoke sites point to the HQ-HUB to reach the Internet?
Would you do this based on DNS settings or getting an access-list & static route defining when the spoke routers traffic need to go the internet, point to the HUB-HQ as the default?
I am having real problems trying to build resiliency into a hub and spoke frame relay scenario. I know the hub is a single point of failure. Is there any way to put some resilience into the network? There is 4 attached branch offices.
I'm trying to set-up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA. I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue. But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set-up. However, I can't see what the difference is between the 3 groups I have configured so can't understand why it works ok for one group and not the others?
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that? How can I find out more? Here's the relevant config on my ASA:
!same-security-traffic permit intra-interface!crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000!crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser!ip local pool pool1clients 192.168.1.49-192.168.50.54ip local pool pool2clients 192.168.2.1-192.168.2.126ip local pool pool3clients 192.168.3.1-192.168.3.126!access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0 access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0 !access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0 !access-list
Is there any suggested upper limit to a single EIGRP hub-and-spoke design (i.e. with a single central router)?Router is a 2900 ISR,I'm vaguely aware of a similar design limitation with OSPF areas where no single area should contain more than 40 - 80 routers.
I'm working on a new DMVPN configuration with one 3745 at the hub site and a 1941 the spoke. I have internet through gsm for the primary line at the spoke and a dsl line for backup on spoke.I have one tunnel interfaces on both the hub and the spoke.Currently my VPN tunnel is coming up fine , however we are planing to do an ISP failover at spoke side . since in the tunnel interface i can only define one "tunnel source interface" which is gsm cellular interface , i don;t know how to use my another ISP for the same tunnel interface as it will always initiate traffic from gsm.
do i have to create another tunnel interface with same hub site , or do i need another hub as backup? is their any other way to create loopback interface and initiate the traffic from that loopback?
how i can configure a second ssid for guest access in our environment. this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time. My AP config is attached below.
Do i need to redesign the whole network to have a native vlan other nthan the data vlan? Does the access point need to be aware of the voice vlan? Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
I have 2 questions:
1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
Port 1: Controller management only=> 192.168.x.x /24 Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing) Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing) Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth) Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?