Cisco VPN :: ASA5505 Site-To-Site And Remote Access On Same Device
Jun 3, 2012
I'm attempting to configure an for both site-to-site and remote access VPNs. The site-to-site is working fine, however when I connect using the Cisco client, after initial connection and password prompt I get a "not connected" status. The log states that a policy map match could not be found. I have successfully set the unit up for remote access with no site-to-site and ran into another host of issues when adding the site-to-site to the working remote access config, so I started over setting up site-to-site first. I've attempted this through ADSM (hate it) - the current configuration is via CLI. I'm certain I'm just missing a piece or two.
View 2 Replies
ADVERTISEMENT
Jul 10, 2012
I have 2 ASA5505's connected through a site-to-site using IKEv1 and IKEv2.Recently, I ran through the wizard to configure the AnyConnect software. [code]Now, my site-to-site connection will only come up using IKEv1.Is there a way to have both the Site-to-Site and the AnyConnect VPN connections use IKEv2?
View 1 Replies
View Related
May 18, 2012
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
View 2 Replies
View Related
Jun 28, 2011
I have a site-to-site VPN already established, everything is working as it should. I'm trying to block the remote network from accessing our network since we only need to access theirs. I'm sure this is something very easy to implement with an ACL but I'm not sure where this rule needs to go. The VPN is on ASA 5505.
View 5 Replies
View Related
Nov 14, 2011
I have 2 ASA 5505 firewall, Site 2 Site VPN working between two firewall. I attached visio diagram for my senario. I configured IPsec Remote VPN in ASA-01 firewall, a user able connted to ASA-01 network via modem through remote VPN. As i configured site 2 site VPN between two ASA, Is that possible that through remote VPN a user can able to connect to ASA-02.
View 2 Replies
View Related
May 9, 2011
we set up a site-to-site-vpn between a 5505 and a 5510 (both asa8.3.1). We configured both sides using the VPN-Wizard in the ASDM. When we try to ping from the network behind the 5505 (192.168.45.0/24) to any host behind the 5510 (192.168.0.0/24) the tunnel gets established but the ping doesn't get trough. After that we tried to connect via RDP to any host behind the 5510 and it worked well (same with ssh, telnet,vnc etc.). Now we want to map a network-share on a 2008-Server behind the 5510 but it's not working. In the ASDM-Log I see some "denied by inside-access in"-messages for the ports 139 and 445. Isn't it right that the whole traffic in the vpn-tunnel bypasses the acl? Even if we open both ports we can't connect to the network-share?
View 1 Replies
View Related
Jul 15, 2012
we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
View 3 Replies
View Related
Mar 9, 2011
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
View 6 Replies
View Related
Feb 14, 2011
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
View 6 Replies
View Related
Jun 28, 2012
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
View 3 Replies
View Related
Aug 8, 2011
can I configure Site-To-Site VPN and Remote Access VPN at the same time in one ASA 5510?
View 8 Replies
View Related
Jun 17, 2012
We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?
View 1 Replies
View Related
Jun 13, 2012
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.
Building configuration...
Current configuration : 5425 bytes
!
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!
version 12.4
no service pad
[code]....
View 1 Replies
View Related
Oct 11, 2011
cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
View 11 Replies
View Related
Mar 6, 2011
i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?
View 1 Replies
View Related
Feb 27, 2013
I'm having a Issue getting my VPN up from out remote site . We have a ASA5505 at the remote site and the Main office we have a PIX-515E.. I followed this temp config I found on line but Im still not able to get the VPN UP..
This script can be used to get you started on a site to site vpn using the older Cisco PIX code. PIX running 6.3 ! ^^^^ Set ISAKMP (phase 1) parameters ^^^^^ {code]...
When I log into the ASA and run these commands This what I get
Colort2# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
[code]...
View 1 Replies
View Related
Jul 10, 2012
We have a scenario where the Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also allows Client VPN connection. The question is around IP pooling. If I assign a pool of IP's (192.168.1.20 - 192.168.1.30) for Client VPN connections - do I need to be sure that those same IP's are not used on the other side of site-to-site VPN ?
There could be PC's/Servers running 192.168.1.0/24 on the other side of site-to-site VPN. Would this cause an address conflict ?
View 4 Replies
View Related
Feb 10, 2011
I'm having some troubles with SSLVPN connectivity. I've setup SSLVPN at one site and it works great with web access, file share, RDP plugin etc. at the local LAN on that site. But I also would like to reach another site (connected with an IPSEC tunnel). Is this possible? if it is, how do I do it?Both firewalls are ASA5505, one 8.31 and one 8.22 Just a note, it works to connect with IPSEC client and reach the remote site just fine.
View 8 Replies
View Related
May 3, 2011
i have one asa 5505 that have classic remote access vpn set-up and now i need to add site-to-site tunnel on top of the existing configuration. Is that possible with asa 5505 and do i need some special IOS bundle for that? May i use vpn wizard for that or do i need to go through cli since remote access vpn is setup using wizard.
View 2 Replies
View Related
Oct 1, 2012
I just get it that I can make a VPN Site-to-Site IPSec. But if I try to send a ping from one PC (network 1) to the other PC (network 2) it failed.
PC (Network 1) <ASA5505> Switch <ASA5510> PC (Network 2)
between the two ASA I have a funkctional VPN IPSec tunnel, but I can`t get access from one to theother network.
That are the access-list on the ASA5505:
asa5505#
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Inside_ICMP; 4 elements
[Code].....
View 19 Replies
View Related
Feb 8, 2011
I have a client that wants to establisha S2S VPN across the Internet. His Canada site (using an ASA5510) has a traditional fibre Internet service. However, the Chilean side (using an ASA5505) is using a PPoE Internet service. The Chilean IP is dedicated, but the host IP they've received is the same as the default gateway (odd).Anyway, given that it's a PPoE Internet connection with authentication required, is it even possible to establish a S2S VPN. I guess I'm thinking that if the Canada side tries to initiate to the Chilean side without anyone on their end to initiate the traffic first (and therefore authenticate in the process), will this even work?
View 1 Replies
View Related
May 22, 2012
I've spent 2 days already trying to get 2 ASA 5505's to connect using an IPSec vpn tunnel. I cannot seem to figure out what im doing wrong, im using 192.168.97.0 and 192.168.100.0 as my internal networks that i'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASA's, the vpn config was done by the ASDM, however i have also tried the command line apporach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS. [code]
View 2 Replies
View Related
Aug 9, 2011
he IPSec tunnels do not form and I notice the error: 3Aug 09 201105:13:26IP = 39.188.41.188, Error processing payload: Payload ID: 1 Reading up on this it looks like it might be an IKE problem but I'm struggling to find the cause (the new 8.4 commands not useful).
The setup is as follows:-
Head Office
PIX515e v6.3(4)
LAN IP 10.0.160.254/24
Branch Office
ASA5505 v8.4(1)
LAN IP 192.168.47.254/24
View 3 Replies
View Related
Oct 6, 2012
I have configured Site to site and the VPN tunnel is up. But the ACL's are not working.
View 11 Replies
View Related
May 13, 2012
I have a couple of ASAs 5505 (HQ & Branch) running version 8.2(4). They are configured with a Site-to-Site VPN over a single WAN link: [code]
I want to enable sla monitor on one of the devices in order to know the real status of my unique link because the interfaces sometimes don't go down, so I don't have any real statistic of failures.
All the information is related to dual ISP links failover. Is there any extra-consideration for my single link scenario?I already have a static route route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 so I think I have to overwrite it with something like this route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 track 1. Is this correct?If so, when I overwrite it, will the S2S VPN go down and will it go up automatically?
View 1 Replies
View Related
Apr 12, 2013
I am normally a software developer, however with recent staff changes at my company I am now the sole IT person.We have to sites: A and B, and we need to make a site to site.
I have access only to the Site A, this one contain a ADSL modem/router (D-Link DSL-2640U), and a ASA5505 behind the modem.We have an public fixed IP addresse configured on the modem.All the information that i have to configure the vpn is: Public ip of the site_BThe encryption algorithm 3DES-MD5.Shared secretThe site_B subnetwork to be reached using the vpnAnd i nedd to get this VPN UP, and it must be no nating for pakets going throught the VPN (for maintenance Issus).
The D-link modem is configured to get the Public IP from my ISP, and i set on it a DMZ to the ASA5505 (192.168.1.254).Until now, i folowed the site-to-site assistant using the ASDM. [code]
View 1 Replies
View Related
Sep 18, 2012
We have 2 ASA's that connect to a 2811, but for some reason, the 2nd ASA wont connect anymore. Debuging ipsec or isakmp on the 2811 doesn't come up with any messages.
External IP's still correct, and the sites can ping each other.
Only debug on ASA for crypto isakmp comes up with messages (ipsec doesn't give any messages).
ASDM says:
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry
I found some info on the above error messages, but those links didn't quite useful.
Below is fromt he debug on the ASA:
Sep 18 22:06:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Sep 18 22:06:09 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.Sep 18 22:06:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Sep 18 22:06:10 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.Sep 18 22:06:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Sep 18 22:06:13 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.Sep 18 22:06:16 [IKEv1]: IP = 64.X.X.X, IKE_DECODE RESENDING Message [code]...
View 11 Replies
View Related
Feb 6, 2012
On remote site I have Cisco ASA5505, on cental site I have Cisco 2811 router, working site-to-site VPN tunnel. [code]
View 1 Replies
View Related
Dec 12, 2012
I have tried Cisco presales but got bounced - go Cisco !So, i have a small customer who requires a single device which will provide .....
1/ Leased Line connection @ 10mb
2/ ADSL failover onbox (so configurable from CLI, unlike the 860’s which I see only have one ‘active’ wan port)
3/ IOS based
4/ integrated 4 ports (min) switch
5/ site to site VPN
6/ up to 10 x SSLVPN remote users
I did pitch in with ASA5505 with external ADSL router but he is “space-constrained”.It worries me when Cisco doc's say only one WAN port is 'active' - since it doesn't say the second port automatically comes up if the first goes down so I can't take a gamble on that being the case.
View 3 Replies
View Related
Feb 27, 2012
I recently purchased a new ASA5505 and have been having trouble creating a site to site VPN to another location/device. I've used the VPN Site to Site wizard to configure the VPN but after the wizard completes how does one verify VPN connectivity via ASDM? Also, I've run debug crypto IPSec and isakmp and see absolutely nothing? So how does one verify that the VPN is up and if it is not, how does one troubleshoot why it is not? The other side is configured and I had no trouble getting this same VPN working on an old Watchguard device.
View 4 Replies
View Related
Mar 20, 2013
I need to setup a site to site VPN. Site A has a 5505 running ASA v7.2(4), this has been in place for a few years and is also used regularly for client remote access. For site B i have a brand new 5505 running ASA 8.4(3).Is the ASA version miss match an issue, or should i upgrade site A to the same version as site B? Assuming they should run the same version, which is the best choice to use? There is a choice of 9.0.2 under latest releases, then 9.1.1 ED, and 9.1.1(4) interim.
View 1 Replies
View Related
Apr 11, 2012
Does Cisco ASA 5505 is compatible for site-to-site VPN with any of the following devices?
Airlive: RS-1200 Security gateway Fortinet: Fortigate-60C (FG-60C-BDL)
View 1 Replies
View Related
Feb 6, 2012
We are going to deploy a site to site VPN using two ASA5505. The network I'm going to traverse has a max MTU of 1320. I determined this by experimenting with pings of different sizes. How should I configure MTU on my ASAs?I'm thinking of using these two commands but I don't know if there are any implications to this...
ip mtu outside 1320
ip mtu inside 1280
View 1 Replies
View Related
