Cisco VPN :: ASA5505 - Connection Reset When Trying To SSH Over IPSEC Tunnel
Feb 20, 2008
Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.
Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up. It seems as if the ASA is actively refusing the connection, though the log doesn't state this. I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.
I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working)
Config (minus irrelevant sensitive information) is attached for reference.
Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.
View 12 Replies
ADVERTISEMENT
Aug 9, 2012
I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel. I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA. Not sure if it's relevent or not, but this remote ASA has never been used for another VPN tunnel before. When I attempt to ping a host on the other side of my tunnel, I just see the following: 8108# sho crypto isa sa
There are no isakmp sas
My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24. I've been working on this for the better part of the day and would love to get it resolved.
View 8 Replies
View Related
Oct 6, 2011
I have an ASA 5505 with Base license and a vpn client. The scenario is like this: LAN -- ASA 5505 -- ISP DSL Router---( Internet ) -- Home DSL Router --- LAN -- VPN CLient, The ISP DSL Router gets a public IP address and the ASA gets a private IP address (ISP DSL router doing NAT) and I cant reach the internet with no problem from the LAN´s ASA side but I cant make the vpn tunnel connection from the LAN´s Home side so I told the provider to bridge the ISP DSL Router, to the ASA so the ASA could get the public IP but in order to do that the provider told me to do MAC clonning on the ASA 5505 which I did putting the ISP DSL Router MAC on the ASA. Now the ASA gets the public IP on the outside vlan by DHCP but when I try to make the VPN tunnel I just cannt. I can reach the public IP by ping on the ASA and I can see the pings coming in using debug but I just cant make the vpn client work.
View 2 Replies
View Related
Jul 31, 2012
I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations form CISCO ASA configs, as well as every source I can find. I have walked throught the config with IOS commands as well as Wizards. All my packets are dropped at the the inside or outside interface.
When I show SH ISAKMP command all I get are 0's straight down.
View 7 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Jan 3, 2013
We just took on a new client and they do not have the username or password for their ASA 5505. we need to reset to factory defaults. I have read some instructions online how to do this, but they require the password. How do we do it without the password?
View 4 Replies
View Related
Feb 27, 2013
I got a ASA5505 back from a Office. I don`t know the IP Address to connect to the ASA. How can i reset the System to the Factory Settings.
View 1 Replies
View Related
Jun 17, 2012
Can I have two IPSec tunnels over two different Internet links to two different destination?
View 1 Replies
View Related
Nov 10, 2011
I have two ASA 5505 on two different locations(main office and remote office) and I need the remote office to be in the same subnet as the main office since they move computers betweend the offices and they have fixed IP addresses on those computers and they have no right to cahnge to dhcp mode when they move to remore office. Is it possible to create like a bridge over the VPN tunnel so it extens the LAN ?
View 18 Replies
View Related
May 9, 2013
We have a HUB ASA5505 SEC+ with a few other ASA's connected to it via L2L VPN. We have 1 active Static L2L, 1 Active Dynamic L2L, and I'm currently trying to add a Second Static L2L Tunnel.I verified that each WAN Interface can ping each other, and both devices have full internet connectivity. There is no double nat or content filtering going on either. I did notice that my Cisco Remote Access VPN Client won't connect properly through the ASA despite full internet connectivity, but when I connect directly to the modem I was able to connect properly. So apparently the ISP isn't blocking IPSEC traffic AFAIK.
Static2 is currently using a Temporary TAC License since our license is currently awaiting arrival, but a show version output shows that all VPN/3des features are enabled. [code]
View 1 Replies
View Related
Jul 25, 2011
I have set up a IPsec L2L VPN between a ASA5510 and a ASA5505 which is working just fine.Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error.I have already searched the forum for this message to exclude all the possible reasons for this message:
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)
- the ACL's used in the crypto maps are exactly the opposite of each other
View 2 Replies
View Related
Jun 10, 2013
I currently have my 5505 setup for AnyConnect SSL VPN connections. Is it possible to also configure the 5505 for IPSec VPN connections? So, essentially my ASA will be capable of running SSL and IPSec VPN tunnels, concurrently.
View 2 Replies
View Related
Sep 18, 2011
I have problem with dual ISP + IPSEC on my cisco ASA5505 sec plus licence.Routing is working correct (connect to Internet from siteA is working trought 1st also second ISP) but IPSEC is working just trought the first ISP! It seemt that phase 1 and 2 of IPSEC is correct but packets are just encrypting but not decrypting.
I'm trying ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50)
config site A:
##########################################################################
ASA5505 Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
[code]....
View 7 Replies
View Related
Nov 27, 2011
I have set up an ipsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind ASA to inside behind FG, however I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup' To troubleshoot I have configured a test ('fake') vpn connection through the vpn wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
View 1 Replies
View Related
Feb 14, 2011
Got a problem routing trafic to my L2L tunnel...
Got an ASA5505 Sec+ with ip 10.45.10.1 on inside interface. Firmware 8.3(1). Got another Cisco router (From my ISP) with ip 10.45.10.254 - This one creates an L2L tunnel - To the 10.45.20.0/24 net.
On the 5505 ive got "route inside 10.45.20.0 255.255.255.0 10.45.10.254 1", and trafic is being directed to 10.45.10.254 as it should.
I know cause I can ping everything one the 10.45.20.0/24 net - But thats it... Cant RDP, connect to fileshare... Nothing.
When i test a PC and set it to gateway 10.45.10.254 I can access everything on the remote network. Do I need some NAT command or an access-list? I've setup AnyConnect VPN on the ASA and I can connect to both networks without any problems.
View 2 Replies
View Related
Feb 26, 2013
I'm a CIsco ISR, Setting up my first ASA, which seems to be going well.I've setup an IPSEC VPN to a non Cisco device. And have connectivity between devices in each subnet.
-Subnet A - non Cisco - 10.10.13.0/24
-Subnet B - ASA 5505 - 192.168.2.0/24 (ASA is .254)
From Subnet A I can ping every device except the ASA on .254.
Edited Config attached, IP's changed for privacy, passwords removed.Let me know if I've removed too much of the config.
View 3 Replies
View Related
Mar 2, 2012
I am having all sorts of trouble connecting a Cisco RVS4000 to a Cisco ASA5505 over IPSec... I have used the "site to site" vpn wizard, I have a fress "factory reset" on my asa 5505...
View 11 Replies
View Related
May 20, 2012
I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.
We have a single site in China witha dedicated 1:1 leased line that has good conectivity both inside and outside of China.
All the sites in China have ASA5505 firewalls
One of our Citrix farms is hosted in the UK and although the main site with the leased line is fine accessing the farm the other sites are not. I would like to try and tunnel just the citrix connectivity via a VPN to the China head office then use their connection to get out to the farm.
how to tunnel all traffic but not just specific traffic over the VPN.
View 3 Replies
View Related
Nov 7, 2012
I have an ASA 5510 at V8.2(5) with something near 20 site to site VPN tunnels. I am having a problem with 1 tunnel to a RVS4000. The tunnel is completely closed and reset during Phase2. Here is a small snipet at the time of the tunnel reset
x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPsec, Duration: 7h:36m:30s, Bytes xmt: 333755, Bytes rcv: 86281, Reason: User Requested
Followed by Group = x.x.x.x, IP = x.x.x.x, Active unit receives a centry expired event for remote peer x.x.x.x.
We use a number of connection oriented sessions and this blowing them out of the water. all other tunnels are up for DAYS to more than a Month.
View 8 Replies
View Related
Jan 21, 2013
I just joined this company and they already ad a VPN to one of their partners that provides them access to some resources. We have now added a 2nd location but the partner wouldnt allow a 2nd VPN tunnel so the decision was made to give the new location a ASA5505 to tunnel thru the main office to access the resources at the partners site.Using ASDM i believe i was able to setup the tunnel to the main office but there is no resource there to use. Now i'm stuck and i do not know what to do to get to the partner site
View 4 Replies
View Related
Jun 13, 2011
Currently, I have in a number of remote sites (with dynamic public address) a C800.On this Cisco, I have a config for initiating an agressive-mode tunnel to a central ASA.relevant part of the config:
---
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp peer address 1.2.3.4
[code].....
Now I need to replace these C800 by ASA5505. But I don't know how to replace the "crypto isakmp peer address" command in ASA.The C800 transmits both the password (abcdefg in my example) and the fqdn (remotesite1 in the example). how to configure the ASA to build the tunnel the way the C800 did?
View 5 Replies
View Related
Oct 19, 2011
- Ipsec tunnell between two 881's
- An Aruba access point trying to set up a tunnell back to controller through the ipsec tunnell, on udp 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.
View 1 Replies
View Related
Jun 18, 2012
I'm having problems configuring an IPSEC VPN between an SRP521 with a dynamic IP and a ASA5505 with a static IP. Static to Static is fine between these devices and I can configure that without problems. Dynamic to Static however.
View 1 Replies
View Related
Jun 2, 2013
We are facing a strange issue with GRE tunnel. We are using this tunnel from a branch office to Hub office. All other tunnels terminated on Hub router are working fine. Issue with this tunnel is that whenever WAN connection goes down Line protocol on tunnel interface some times comes up and sometimes not (therefore we have to reset the tunnel interface and it comes up). IOS used on this router : c2900-universalk9-mz.SPA.152-1.T2
View 5 Replies
View Related
May 28, 2011
inside network----ASA5505========internet===========Remote VPN client.
The ASA has one public IP on its outside interface and using PAT to the internet. It only has two interfaces, inside and outside using vlan. I created a IPSec VPN through CLI. My goal is for the remote client to browse the Internet throught tunnel.
Q1: Is it possible?
Q2: The remote side gets connected and has IP from the pool, with is part of inside network. But it cannot ping anything, including the gateway, which is the inside interface. I debug it, it shows the ASA receives the ping packages, but it doesnt send anything back to the client.
View 5 Replies
View Related
Jan 20, 2013
I'm trying to make a very plain and simple network with the ASA 5505, I've strated from scratch over a dozen times triyng to find where I'm going wrong. My main goal is to simply create an IPSec VPN connection to my ASA 5505 and simply ping and connect to devices with the "inside network", so far I can easily create and establish a IPSec VPN Connection, but up to this point, I cannot successfully ping or access a single device on the ASA 5505 inside network.I've taken, create the IPSec profile with the ASDM wizard, add exemption for the VPN IP Pool, add access-list from this Cisco link, url...All this and I can't make a single connection to the inside network. [code]
View 7 Replies
View Related
Sep 28, 2011
We have two sites connect with an IPSec L2L VPN.
-Site A: 192.168.13.0/24
-Site B: 192.168.2.0/24
On both sites we have a ASA5505(Base license) to terminate the tunnel.On Site B we also got a remote access vpn to which we can connect using the vpn client.The lan2lan tunnel works fine and so the remote access vpn.Now i want to connect to Site A using my vpn client connected to Site B. [code] There are no vpn-filters or other special policys in place..If tried to ping from my vpn client to Site A while i was debugging ipsec 255 on site B: the asa matched the l2l-tunnel for traffic sourced from 192.168.25.x to 192.168.13.x but when im doing a show crypto ipsec sa detail there are no packets getting encrypted..so of course no packets reaching my asa on site a.
View 9 Replies
View Related
Jan 9, 2013
Recently, I set a ASA5505 with Ipsec VPN. And I try AAA authenticate with internal Windows 2008 server. As docuemnt I read, I configure from ASDM authentication with "NT Domain". And then point to internal DC, which is Windows 2008 server. While I test it, it shows error
"Authentication test to host 192.168.xxx.xxx failed. Following error occurred -- ERROR: Authentication server not responding. No Error"
View 3 Replies
View Related
Jun 20, 2011
I have a XP workstation behind my ASA that can not connect to a client's network via Cisco VPN Client using IPSec...
In the logs it shows the translation is working on 500 but the VPN Client has the error 412, that the client is not responding.
Config below
ASA Version 8.2(1)!hostname RWFW1enable password encryptedpasswd encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address x.x.x.x
[Code].....
View 16 Replies
View Related
May 4, 2011
how to create ip sec tunnel using these parameters. customer ip where tunnel has to be connected 1.1.1.1
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key
[Code]......
View 4 Replies
View Related
Mar 9, 2011
We have a Cisco 2820 that serves as a hub and our spokes are Cisco 871s. Its been working for a while and for some reason last week. Http and https traffic over the tunnel is having connection issues. I can Remote desktop or PCanywhere into the remote PCs. From that PC I can ping internal IP address or IP of the webmail server or internal webserver with no issue. But if I access it over the browser it times out or it will work and stop working again. Basically ica, icmp, pcanythere, rdp traffic works over the tunnel but not http or https.
View 2 Replies
View Related
May 4, 2011
can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT. I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.
I have a very strange issue where asynchronos routing is making my life as a technician very hard.
A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?
ASA5505 ===>===>===> ISAKMP traffic ===>===>===> ASA5510
212.178.155.73 80.62.yyy.xxx (traffic source IP: 212.178.155.73)
[Code].....
View 3 Replies
View Related