Cisco VPN :: ASA5505 - Can't Make Tunnel Connection From LAN Home Side
Oct 6, 2011
I have an ASA 5505 with a Base license and a VPN client. The scenario is like this: LAN -- ASA 5505 -- ISP DSL Router --- (Internet) -- Home DSL Router --- LAN -- VPN Client. The ISP DSL router gets a public IP address and the ASA gets a private IP address (the ISP DSL router is doing NAT). I can't reach the internet with no problem from the ASA's LAN side, but I can't make the VPN tunnel connection from the home LAN side, so I told the provider to bridge the ISP DSL router to the ASA so the ASA could get the public IP. In order to do that, the provider told me to do MAC cloning on the ASA 5505, which I did, putting the ISP DSL router's MAC on the ASA. Now the ASA gets the public IP on the outside VLAN by DHCP, but when I try to make the VPN tunnel I just cannot. I can reach the public IP by ping on the ASA and I can see the pings coming in using debug, but I just can't make the VPN client work.
Feb 20, 2008
Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.
Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up. It seems as if the ASA is actively refusing the connection, though the log doesn't state this. I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.
I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working)
Config (minus irrelevant sensitive information) is attached for reference.
Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.
Jan 20, 2013
I successfully established site-to-site with two ASA 5010. The problem is that traffic is not passing. This is the current setup: 1) Left side: only 1 private network 3) Right side: 1 private network, management network, 2 DMZ networks with public IP. On the right ASA some NATing is set up so servers in the DMZ can be reached from the private network. The goal would be that a VPN client on the left side can reach all resources on the right side (except the management network). Just to get things going, the tunnel is built with only the left and right private networks, but after the tunnel is established I can't ping anything on the other side.
Nov 1, 2012
I have configured a site-to-site VPN between ASA 5520s.
Site A (192.168.56.0/24)------ASA5520------Internet--------- ASA5520-------Site B ( 192.168.255.0/24)
The VPN tunnel is up but I can't access the LAN on each side. Config for Site A:
hostname CCASA
name 192.168.255.0 CCNetwork
dns-guard
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 41.41.38.156 255.255.255.248
[code]...
Dec 18, 2011
My Linksys WRT110 doesn't seem to have the range to make it to the other side of the house. What range expander is compatible?
Feb 25, 2013
I have been asked to install an ASA5505 on a home network. The home network has a home broadband connection which the ISP provider supplies with an IP address. This is only for 6 weeks until the new line comes in. I know this is going to cause problems but we have no choice but to implement this.
My questions are below.
1, We have a home hub supplied by the ISP which is configured with an IP address which is NOT static. Can we not use the ASA 5505 instead? I know that if our ISP changes the IP address we have to change the IP address on the 5505.
2, Will we be able to use the home network broadband to create a secure connection?
Nov 2, 2012
I have HQ side with ASA 5520 (8.4) & Branch Side with ASA 5505 Design
VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)
Now on both modems UDP 500 & TCP/UDP 4500 ports are enabled. I can ping from the internal LAN of HQ to the internal LAN of the branch, but I can't ping from the internal LAN of the branch to the internal LAN of HQ.
HQ ASA 5520 Side
ASA Version 8.4(3)
hostname aljoaib-fw01
[ code]....
Branch side ASA 5505
ASA Version 8.2(5)
hostname GTC-DMM-FIREWALL
domain-name ALJOAIB.COM
enable password 7pgp93AEPfHtDc5N encrypted
[Code]....
Both sides have static ip address.
Mar 13, 2013
I configured a Cisco ASA 5520 as a Cisco EzVPN server and a Cisco 891 as the EzVPN client. The configuration is working fine. I am using client mode on the EzVPN client side. But my question is: is it possible to communicate with the EzVPN client side's internal IP from the EzVPN server side? And one more thing: what is the benefit of network extension mode on the client side, how will it work, and what possible changes are needed on the server and the client side?
Mar 17, 2013
I'm trying to set up an ASA and a UC540 side by side, to utilize the ASA for data networking and the UC540 for voice. This 'should' work fine, I just seem to be having an issue where the ASA seems to be blocking traffic from the voice network as it passes through.
So here is the LAN setup:
ASA: 1.1.1.1
UC540: 1.1.1.2
The UC has a voice vlan 10.1.1.1/24 and a service module at 10.1.10.1/30
My PC uses the ASA as its default gateway, 1.1.1.1
The ASA then has static routes to the UC networks
Route 10.1.1.1/24 1.1.1.2
Route 10.1.10.1/30 1.1.1.2
Ping from PC to the UC networks works fine. However, ping from the UC networks to PC fails. ASA logs show traffic being denied due to not having an established connection or something.
My guess is that the traffic is being blocked because the egress and ingress paths are different? Traffic from the PC goes to the ASA, then gets routed to the UC and it works. However in the other direction, traffic from the UC is going directly to the PC and bypassing the ASA, because it's a directly connected network and doesn't have to route through the ASA to get to the PC. The reply traffic from the PC DOES go through the ASA following its route table, thus the issue of the ASA not seeing the established connection?
Same-security inter and intra interface is enabled.
So I think I see the issue, I just don't know how to fix it. Is there something I can configure on the ASA to allow for this? My only other option would be to configure a /30 on a new vlan to handle the routing between the UC and ASA or something, but that seems like it's going to make this simple setup way too complicated with extra networks, vlans, trunks, etc.
I am running ASA version 8.4.5?
Jan 30, 2013
My E1500 enters a state where the LAN-side (broadcast, etc.) works, but the WAN-side (internet connection) just goes away. If I go unplug and replug the E1500 the internet connectivity comes back. When this happens, the wireless indicator on my desktop (Dell with Intel wifi) says I have an internet connection, but I clearly don't.
May 24, 2011
I am trying to make an IPSEC tunnel between an 857 and a Sonicwall NSA240. The tunnel goes up but the traffic from the 857 seems to be pushed outside the router to the public internet, not into the tunnel.
Following configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxx address 111.111.111.111 no-xauth
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxxx esp-3des esp-md5-hmac
!
crypto map xxxx 1 ipsec-isakmp
 description VPN to xxxx
 set peer 1111.111.1111.111
 set security-association lifetime seconds 3600
 set transform-set xxxx
 set pfs group2
 match address 115
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 115 permit ip 172.28.3.0 0.0.0.255 192.168.22.0 0.0.0.255
If I try a traceroute, the traffic is not pushed into the tunnel; it seems that it tries to route the traffic over the internet using Dialer0.
Nov 10, 2011
I have two ASA 5505s at two different locations (main office and remote office) and I need the remote office to be in the same subnet as the main office, since they move computers between the offices, they have fixed IP addresses on those computers, and they have no right to change to DHCP mode when they move to the remote office. Is it possible to create something like a bridge over the VPN tunnel so it extends the LAN?
May 9, 2013
We have a HUB ASA5505 SEC+ with a few other ASAs connected to it via L2L VPN. We have 1 active Static L2L, 1 Active Dynamic L2L, and I'm currently trying to add a Second Static L2L Tunnel. I verified that each WAN Interface can ping each other, and both devices have full internet connectivity. There is no double NAT or content filtering going on either. I did notice that my Cisco Remote Access VPN Client won't connect properly through the ASA despite full internet connectivity, but when I connect directly to the modem I was able to connect properly. So apparently the ISP isn't blocking IPSEC traffic AFAIK.
Static2 is currently using a Temporary TAC License since our license is currently awaiting arrival, but a show version output shows that all VPN/3des features are enabled. [code]
Aug 20, 2011
How could I make a VPN tunnel between an SA520 router and a central UC540?
Nov 27, 2011
I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind the ASA to inside behind the FG; however, I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup'. To troubleshoot, I have configured a test ('fake') VPN connection through the VPN wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
Feb 14, 2011
Got a problem routing traffic to my L2L tunnel...
Got an ASA5505 Sec+ with IP 10.45.10.1 on the inside interface. Firmware 8.3(1). Got another Cisco router (from my ISP) with IP 10.45.10.254 - this one creates an L2L tunnel to the 10.45.20.0/24 net.
On the 5505 I've got "route inside 10.45.20.0 255.255.255.0 10.45.10.254 1", and traffic is being directed to 10.45.10.254 as it should.
I know because I can ping everything on the 10.45.20.0/24 net - but that's it... Can't RDP, connect to a fileshare... Nothing.
When i test a PC and set it to gateway 10.45.10.254 I can access everything on the remote network. Do I need some NAT command or an access-list? I've setup AnyConnect VPN on the ASA and I can connect to both networks without any problems.
Aug 9, 2012
I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel. I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA. Not sure if it's relevant or not, but this remote ASA has never been used for another VPN tunnel before. When I attempt to ping a host on the other side of my tunnel, I just see the following:
8108# sho crypto isa sa
There are no isakmp sas
My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24. I've been working on this for the better part of the day and would love to get it resolved.
May 20, 2012
I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.
We have a single site in China with a dedicated 1:1 leased line that has good connectivity both inside and outside of China.
All the sites in China have ASA5505 firewalls
One of our Citrix farms is hosted in the UK and although the main site with the leased line is fine accessing the farm, the other sites are not. I would like to try and tunnel just the Citrix connectivity via a VPN to the China head office, then use their connection to get out to the farm.
How to tunnel all traffic but not just specific traffic over the VPN.
Jan 21, 2013
I just joined this company and they already had a VPN to one of their partners that provides them access to some resources. We have now added a 2nd location but the partner wouldn't allow a 2nd VPN tunnel, so the decision was made to give the new location an ASA5505 to tunnel through the main office to access the resources at the partner's site. Using ASDM I believe I was able to set up the tunnel to the main office, but there is no resource there to use. Now I'm stuck and I do not know what to do to get to the partner site.
Jun 13, 2011
Currently, I have in a number of remote sites (with dynamic public address) a C800. On this Cisco, I have a config for initiating an aggressive-mode tunnel to a central ASA. Relevant part of the config:
---
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp peer address 1.2.3.4
[code].....
Now I need to replace these C800s with ASA5505s. But I don't know how to replace the "crypto isakmp peer address" command on the ASA. The C800 transmits both the password (abcdefg in my example) and the fqdn (remotesite1 in the example). How do I configure the ASA to build the tunnel the way the C800 did?
May 28, 2011
inside network----ASA5505========internet===========Remote VPN client.
The ASA has one public IP on its outside interface and is using PAT to the internet. It only has two interfaces, inside and outside, using VLANs. I created an IPsec VPN through the CLI. My goal is for the remote client to browse the Internet through the tunnel.
Q1: Is it possible?
Q2: The remote side gets connected and has an IP from the pool, which is part of the inside network. But it cannot ping anything, including the gateway, which is the inside interface. I debugged it; it shows the ASA receives the ping packages, but it doesn't send anything back to the client.
Feb 6, 2012
On the remote site I have a Cisco ASA5505, on the central site I have a Cisco 2811 router, with a working site-to-site VPN tunnel. [code]
Oct 22, 2011
I have an older PC with Windows 98 running. I used to have it connected to a modem and a router to get internet access. I recently got a new modem as the old one died and now have Wi-Fi in my home. My newer PC takes advantage of the Wi-Fi but my old PC does not. The new modem does not have a connection for the blue cable (marked USB on the back of the modem) that was connecting the old PC to the internet. After reading online I think I need a USB wireless adapter, but I am not sure what I need exactly as my online searches return too much stuff (I went on eBay).
Oct 10, 2012
I'm able to build my tunnel but unable to RDP or ICMP back to the internal network.
VPN Client IP: 192.168.200.200
INTERNAL IP: 172.17.130.200
my configuration is below:
HOME-ASAFW02(config)# wr t
: Saved
:
ASA Version 8.4(4)
!
hostname HOME-ASAFW02
domain-name hsd1.nj.comcast.net
enable password ViPq56cvd3SGvB08 encrypted
passwd 8bcozHCAwCqA5BmN encrypted
names
!
interface Ethernet0/0
 description OUTSIDE-Connection
 switchport access vlan 2
 switchport protected
!
interface Ethernet0/1
 description INSIDE-Connection
 switchport protected
 speed 100
 duplex full
!
interface Ethernet0/2
 description WiFi-LinkSYS
 switchport access vlan 3
 switchport protected
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description INTERNAL-Network
 nameif inside
 security-level 100
 ip address 172.17.130.129 255.255.255.128
!
interface Vlan2
 description OUTSIDE-Link-to-ISP
 nameif
[code]....
Jul 27, 2011
It's been a pretty darn good router for about 8 months now, then today one of the wireless connected PCs started to get intermittent internet, and then dropped the connection.
At first I thought it was the PC, but after checking other connected items (Wii, PS3, another PC, 2 iPods, and 2 printers) I discovered all the wireless connections were dropped, and no one could see the SSID. An hour unplugged fixes nothing. 2 wired ports are working fine though.
When it's unplugged and then plugged in, all the little lights come on, then go out, and then only the 2 wired port lights come on, nothing else.
Feb 7, 2011
I have a desktop and a laptop, each using XP. Each is set up to connect to the internet wirelessly, through different networks. I do not wish to disturb those settings. I want to set up a third, ethernet network, linking the desktop and laptop, for file sharing only, no internet.
Sep 25, 2012
My PC connects to internet via LAN(Ethernet based), it has a proxy authentication. I want to share internet from my PC through my wireless adapter.
Apr 7, 2013
How to make a wireless router work on a LAN network, where my ISP has set the TTL to 1 so I can't use a router.
Aug 20, 2012
I live in a dorm and I want to stream movies to my Nexus 7 but I don't want to buy a NAS. Can I connect my external to a router [URL] and use that to stream movies? I don't need to be able to connect to it all over campus (I know that involves hacking the proxy) but mainly in my room would be nice.
Mar 4, 2012
I have a Cisco ASA 5505 firewall, and I have a normal home ADSL broadband router; the router currently connects via wireless to my PC. What I would like to do is basically connect the ASA to my PC, then my router to my firewall. What is the best thing to do here: run the ASA in transparent mode, OR routed mode and do NAT on the firewall to the private IP address range of my router?
OR, would it be possible to get the outside interface of my asa to get DHCP from my broadband router so it will use a 192.168.1.x address on the outside, and then turn NAT off?
Feb 5, 2013
New to Cisco but learning some. Needing to know what I should code into the CLI on my ASA5505 to make it work with a Comcast modem which uses DHCP for its addressing from Comcast proper.
Dec 10, 2011
I have a Dlink DIR-655 router for my wired and wireless router for my home network. I have a 100ft cat6 ethernet cable. I pulled it from the router to my home server in my basement.
Does the 100ft cable make a difference or does the fact that it's a cat6 cable make a difference?
When moving similar files at work, it's faster. So I'm trying to find out what's the bottleneck at home. What speeds should I expect for a home network?
Aug 17, 2011
I've tried to get my head around this, but being used to Juniper and Watchguard devices I just can't get my home webserver published to the outside interface. I have an ASA5505 with ASA version 8.4 and ASDM version 6.4 and the basic license.
Outside interface is X.X.X.32/255.255.255.248 so I have 5 static IPs on my external interface; .34 is in use for the outside interface.
Inside 10.10.10.0/25
DMZ 10.0.0.0/24
I have a webserver in the DMZ located at 10.0.0.253 and would like to publish it to the external IP X.X.X.35. I've tried to make the static NAT, but every time I do, either nothing goes in or out of the DMZ zone or you can't access the webserver from the outside interface. Right now I have deleted all trials since none of them work, so only the basic config is applied. Everything gets NATed to the external interface .34 IP.