Cisco VPN :: ASA5505 Static L2L Tunnel - Won't Come Up

May 9, 2013

We have a HUB ASA5505 SEC+ with a few other ASAs connected to it via L2L VPN. We have 1 active Static L2L, 1 Active Dynamic L2L, and I'm currently trying to add a Second Static L2L Tunnel. I verified that each WAN Interface can ping each other, and both devices have full internet connectivity. There is no double NAT or content filtering going on either. I did notice that my Cisco Remote Access VPN Client won't connect properly through the ASA despite full internet connectivity, but when I connect directly to the modem I was able to connect properly. So apparently the ISP isn't blocking IPSEC traffic AFAIK.
 
Static2 is currently using a Temporary TAC License since our license is currently awaiting arrival, but a show version output shows that all VPN/3des features are enabled. [code]

View 1 Replies



Cisco VPN :: ASA5505 - Static Route To L2L Tunnel

Feb 14, 2011

Got a problem routing traffic to my L2L tunnel...

Got an ASA5505 Sec+ with IP 10.45.10.1 on the inside interface. Firmware 8.3(1). Got another Cisco router (from my ISP) with IP 10.45.10.254 - this one creates an L2L tunnel to the 10.45.20.0/24 net.

On the 5505 I've got "route inside 10.45.20.0 255.255.255.0 10.45.10.254 1", and traffic is being directed to 10.45.10.254 as it should.

I know because I can ping everything on the 10.45.20.0/24 net - but that's it... Can't RDP, connect to fileshare... Nothing.

When I test a PC and set it to gateway 10.45.10.254 I can access everything on the remote network. Do I need some NAT command or an access-list? I've set up AnyConnect VPN on the ASA and I can connect to both networks without any problems.

View 2 Replies View Related

Cisco VPN :: ASA5505 - Lan-to-LAN Tunnel As A Bridge?

Nov 10, 2011

I have two ASA 5505s at two different locations (main office and remote office) and I need the remote office to be in the same subnet as the main office, since they move computers between the offices, they have fixed IP addresses on those computers, and they have no right to change to DHCP mode when they move to the remote office. Is it possible to create something like a bridge over the VPN tunnel so it extends the LAN?

View 18 Replies View Related

Cisco VPN :: Tunnel Between Asa5505 And Fortigate 80c Up But No Traffic

Nov 27, 2011

I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind the ASA to inside behind the FG; however, I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup'. To troubleshoot I have configured a test ('fake') VPN connection through the VPN wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.

View 1 Replies View Related

Cisco VPN :: Configuring IPSec Tunnel On ASA5505 V8.31

Aug 9, 2012

I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel.  I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA.  Not sure if it's relevant or not, but this remote ASA has never been used for another VPN tunnel before.  When I attempt to ping a host on the other side of my tunnel, I just see the following:

8108# sho crypto isa sa

There are no isakmp sas
  
My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24.  I've been working on this for the better part of the day and would love to get it resolved.

View 8 Replies View Related

ASA5505 - Tunnel A Specific Traffic Via VPN

May 20, 2012

I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.

We have a single site in China with a dedicated 1:1 leased line that has good connectivity both inside and outside of China.

All the sites in China have ASA5505 firewalls.

One of our Citrix farms is hosted in the UK, and although the main site with the leased line is fine accessing the farm, the other sites are not. I would like to try and tunnel just the Citrix connectivity via a VPN to the China head office, then use their connection to get out to the farm.

How to tunnel all traffic but not just specific traffic over the VPN.

View 3 Replies View Related

Cisco VPN :: IPSEC VPN From SRP521 Dynamic IP To ASA5505 Static IP

Jun 18, 2012

I'm having problems configuring an IPSEC VPN between an SRP521 with a dynamic IP and a ASA5505 with a static IP. Static to Static is fine between these devices and I can configure that without problems.  Dynamic to Static however.

View 1 Replies View Related

Cisco VPN :: ASA5505 - Connection Reset When Trying To SSH Over IPSEC Tunnel

Feb 20, 2008

Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.
 
Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up.  It seems as if the ASA is actively refusing the connection, though the log doesn't state this.  I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.
 
I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working)
 
Config (minus irrelevant sensitive information) is attached for reference.
 
Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.

View 12 Replies View Related

Cisco VPN :: ASA5505 Setup Tunnel To Main Office

Jan 21, 2013

I just joined this company and they already had a VPN to one of their partners that provides them access to some resources. We have now added a 2nd location, but the partner wouldn't allow a 2nd VPN tunnel, so the decision was made to give the new location an ASA5505 to tunnel through the main office to access the resources at the partner's site. Using ASDM I believe I was able to set up the tunnel to the main office, but there is no resource there to use. Now I'm stuck and I do not know what to do to get to the partner site.

View 4 Replies View Related

Cisco WAN :: C800 / Aggressive Mode Tunnel On ASA5505?

Jun 13, 2011

Currently, I have a C800 in a number of remote sites (with dynamic public addresses). On this Cisco, I have a config for initiating an aggressive-mode tunnel to a central ASA. Relevant part of the config:

---
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp peer address 1.2.3.4

[code].....
 
Now I need to replace these C800s with ASA5505s. But I don't know how to replace the "crypto isakmp peer address" command on the ASA. The C800 transmits both the password (abcdefg in my example) and the FQDN (remotesite1 in the example). How do I configure the ASA to build the tunnel the way the C800 did?

View 5 Replies View Related

Cisco Firewall :: Multiple Static Port Translations On ASA5505

Aug 15, 2011

I am at a loss on configuring a new ASA5505 for multiple static port translations. I would have expected to simply add several service commands to a network object to complete the task; however, the service command overrides the previous one and replaces rather than adds to the translations. [code] However, if entered in that order the 8443 overwrites the 8080 static translation. What is the correct procedure to establish multiple translations? If someone could also provide the "old" style for pre 8.2 release, I'd like to compare because I thought I used to do this with an access-list somewhere.

View 4 Replies View Related

Cisco VPN :: Anyconnect Clients Not Following Internal Static Routes On ASA5505

Feb 9, 2012

I have just purchased an ASA 5505 for my remote users to access our internal network.  I have followed all the setup instructions I can find.  I am able to establish a VPN connection using the AnyConnect client and can see some of my internal network. (Basically, only the subnet of the internal interface.)  However, I have several subnets inside my LAN which are routed by another switch inside my LAN.  I have built in the correct static routes so that the ASA will send traffic to that internal routing switch for any subnets not part of its inside interface subnet.  I can see and ping those subnets from the ASA itself but the AnyConnect clients cannot.

View 9 Replies View Related

Cisco VPN :: 887 - Static NAT With IPSec Tunnel

Oct 29, 2012

configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. 
 
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
 
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
 
[URL]
 
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside) The configuration can be seen below for the NAT part;
 
! Denies vpn interesting traffic but permits all other
ip access-list extended NAT-Traffic
 deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
 deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 172.19.191.0 0.0.0.255 192.168.128.0

[Code].....

View 1 Replies View Related

Cisco VPN :: ASA5505 - Can't Make Tunnel Connection From LAN Home Side

Oct 6, 2011

I have an ASA 5505 with Base license and a VPN client. The scenario is like this: LAN -- ASA 5505 -- ISP DSL Router --- (Internet) -- Home DSL Router --- LAN -- VPN Client. The ISP DSL Router gets a public IP address and the ASA gets a private IP address (ISP DSL router doing NAT), and I can't reach the internet with no problem from the LAN's ASA side, but I can't make the VPN tunnel connection from the LAN's Home side. So I told the provider to bridge the ISP DSL Router to the ASA so the ASA could get the public IP, but in order to do that the provider told me to do MAC cloning on the ASA 5505, which I did, putting the ISP DSL Router MAC on the ASA. Now the ASA gets the public IP on the outside VLAN by DHCP, but when I try to make the VPN tunnel I just can't. I can reach the public IP by ping on the ASA and I can see the pings coming in using debug, but I just can't make the VPN client work.

View 2 Replies View Related

Cisco VPN :: ASA5505 - Remote Client To Browse Internet Through Tunnel?

May 28, 2011

inside network----ASA5505========internet===========Remote VPN client.
 
The ASA has one public IP on its outside interface and is using PAT to the internet. It only has two interfaces, inside and outside, using VLANs. I created an IPSec VPN through the CLI. My goal is for the remote client to browse the Internet through the tunnel.

Q1: Is it possible?

Q2: The remote side gets connected and has an IP from the pool, which is part of the inside network. But it cannot ping anything, including the gateway, which is the inside interface. I debugged it; it shows the ASA receives the ping packages, but it doesn't send anything back to the client.

View 5 Replies View Related

Cisco Security :: ASA5505 To Allow SMTP Relay And ACL Static Created Is Not Working

Dec 30, 2011

I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working. [code]

View 3 Replies View Related

Cisco VPN :: ASA5505 Tunnel Some Traffic (public Host) From Remote Site

Feb 6, 2012

On the remote site I have a Cisco ASA5505, on the central site I have a Cisco 2811 router, with a working site-to-site VPN tunnel. [code]

View 1 Replies View Related

Cisco WAN :: 6509 Tunnel From Dynamic IP To Static With Authentication

Jan 16, 2011

I am looking for an option to do the following. [code] Cisco 6509 with SUP2 with MSFC2 full mem
 
I would like the cleanest most stable option to allow this to work and still be secure with authentication. I know on the home side, I can just specify the remote ip and add a password. Not sure what can be done on the DC side to allow this to work properly.

View 3 Replies View Related

IPsec GRE Tunnel Versus Just Static Route?

Aug 14, 2012

I measured with Iperf over two Cisco 1811 routers that bandwidth speed is higher when an IPsec+GRE tunnel is used between the two routers than when just using static routes. Bandwidth over GRE on average is about 91389Kbit/sec. Over static routes it is about 88474Kbit/sec.

View 1 Replies View Related

Cisco Firewall :: VPN Tunnel Built Via ASA5505 But Unable To RDP / ICMP Back To Internal Network

Oct 10, 2012

I'm able to build my tunnel but unable to RDP nor ICMP back to the internal network. 
 
VPN Client IP: 192.168.200.200
INTERNAL IP:  172.17.130.200
 
my configuration is below:

HOME-ASAFW02(config)# wr t
: Saved
:
ASA Version 8.4(4)
!
hostname HOME-ASAFW02
domain-name hsd1.nj.comcast.net
enable password ViPq56cvd3SGvB08 encrypted
passwd 8bcozHCAwCqA5BmN encrypted
names
!
interface Ethernet0/0
 description OUTSIDE-Connection
 switchport access vlan 2
 switchport protected
!
interface Ethernet0/1
 description INSIDE-Connection
 switchport protected
 speed 100
 duplex full
!
interface Ethernet0/2
 description WiFi-LinkSYS
 switchport access vlan 3
 switchport protected
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description INTERNAL-Network
 nameif inside
 security-level 100
 ip address 172.17.130.129 255.255.255.128
!
interface Vlan2
 description OUTSIDE-Link-to-ISP
 nameif

[code]....

View 12 Replies View Related

Cisco VPN :: ASA5505 Add Site-to-site Tunnel On Top Of Existing Configuration

May 3, 2011

I have one ASA 5505 that has a classic remote access VPN set up, and now I need to add a site-to-site tunnel on top of the existing configuration. Is that possible with the ASA 5505, and do I need some special IOS bundle for that? May I use the VPN wizard for that, or do I need to go through the CLI since the remote access VPN was set up using the wizard?

View 2 Replies View Related

Cisco VPN :: Site To Site Tunnel Is Up But ACL Is Not Working On ASA5505?

Oct 6, 2012

I have configured Site to site and the VPN tunnel is up. But the ACL's are not working.

View 11 Replies View Related

Cisco VPN :: ASA 5505 / Static Routes Through Site-to-site Tunnel

Dec 17, 2012

I am using a Cisco ASA 5505. Here is a description of my topology.

Headquarters = 192.168.201.0
Client X = 172.16.0.0
Datacenter = 10.12.0.0

Site to Site Tunnels:
Headquarters ---> Datacenter
Datacenter ---> Client X

I want the ability for computers in the Headquarters subnet to access the Client X subnet. I have tried setting up a static route to push all traffic destined for 172.16.0.0 to the datacenter, but was unsuccessful. How can I route all 172.16.0.0 through the tunnel? I have tried adding a static route on my ASA but without success.

View 3 Replies View Related

Cisco Routers :: RV180W With 1.0.2.6 Firmware - Static DHCP Have No Buttons To Add New Static Lease

Mar 12, 2013

Today I installed the 1.0.2.6 Firmware on a RV180W. I only have now two problems regarding the Static DHCP support in the GUI.

1. Via the Networking > LAN (Local Network) > Static DHCP I have no buttons to Add a new static Lease.
2. Via the Networking > LAN (Local Network) > DHCP Lease Clients I can tick a Lease and click on Make Static IP. The result is an error: Operation failed.

View 3 Replies View Related

Cisco WAN :: 7201 Option To Send All Traffic Through GRE Tunnel / L2TPV3 Tunnel

Jan 9, 2011

I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPV3 tunnel. Which method consumes more CPU?

View 1 Replies View Related

Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?

View 4 Replies View Related

Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
 
What would be the correct configuration? The current configuration I am using is below.

On the RV042 I am using:

Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address

[Code].....

View 3 Replies View Related

Linksys Cable / DSL :: WAG160N Static DNS - Setting Up Static Dns 3 On WAG?

Jul 26, 2011

I've been having a problem with setting up static dns 3 on my WAG, what has been set is...
 
Static DNS 1:  208.67.222.222
Static DNS 2:  208.67.220.220
Static DNS 3:  208.67.220.222
 
Now if I look in my router status screen 1&2 are correctly displayed but the 3rd entry is showing my ISP's DNS,

View 9 Replies View Related

Networking :: To Tunnel All Routers Traffic Through SSH Tunnel With WRT300n

Jul 24, 2012

Environment :linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all lan's outbound traffic through an ssh tunnel.

View 2 Replies View Related

Cisco VPN :: Tunnel With WRVS4400N Need To Push 2 IPs Through Tunnel?

Jan 23, 2012

There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).

View 2 Replies View Related

Cisco :: How To Set Configuration On Asa5505

Jul 20, 2012

I have the ASA5505 with ASA 8.4.5 and ASDM 6.4.2. My ASA works as a site-to-site VPN with the other ASA5505. I would love to monitor the status of the VPN. I enabled logging on the ASA and put in the address of the SMTP server, recipient email and source email. The problem is that my SMTP server requires authentication and TLS. How do I set the configuration on the ASA5505?
Configuration of logging to send notifications by email.

View 3 Replies View Related

Cisco WAN :: Migrating From A PIX 501 To ASA5505

Jan 22, 2011

We have pulled the plug on our PIX 501 as it's not letting us use all 100Mbit that our cable provider is now piping to us. I read the conversion guide but it made no mention of the 501s. Only the 515s or newer. The ASA5505 is putting up a little bit of a fight (this is what I get for failing my CCNA??). After it refused to configure the LAN IP address to something other than what it was shipped with, I broke down and connected to the management console and forced an IP address on the LAN side. Now I reset my default config and everyone can get on the internet. Until the ISP cuts you off because you forgot to set your static IP. Oh, and by the way, they don't support Cisco gear.

When I attempt to assign the IP to the outside interface, it accepts without a hitch, but everything grinds to a halt. I cannot have this, as I have off-site users that operate with dedicated ports using Remote Desktop.  I've attempted to set the IP via both ASDM and the management console. I've tried setting a static route, but that doesn't give me any love either. I'm running ASA Version 8.2(1) and ASDM Version 6.2(1). Once I get the static IP set and working properly, I can tackle moving the port configs.

View 10 Replies View Related

Cisco VPN :: Two IPSec VPN On ASA5505?

Jun 17, 2012

Can I have two IPSec tunnels over two different Internet links to two different destination?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved