Cisco VPN :: ASA5510 - AnyConnect Using Windows DHCP Server But Can't Access LAN PCs?
Oct 1, 2012
I've got my AnyConnect setup to get an IP from our Windows DHCP server just fine. It grabs the IP, mask, and DNS just fine. But I can't ping any of the lan devices or do any DNS lookups. I need it to work this way since we have a ton of site-to-site's with remote offices and getting them all to adjust their firewalls to allow another subnet is a nightmare.
I have split-tunneling enabled. I'm sure it's a nonat command that I'm missing, but not sure what.
Before connecting to VPN:
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24 10.10.1.1/24
After they connect to AnyConnect
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24 10.10.1.1/24
10.10.1.45/24
Profile in atthach-file. After this profile is uploaded to client Optimal Gateway Selection doesn't work propertly: When 'vpn1.mydomain.com/mygroup' (it best TTL server) is unreachable, then OGS try to be connected to other servers, but without group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')
We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,
I am using a fiber optic connection. I want to connect it directly to ASA5510. A WLC2504 will be connected to ASA and one Aironet AP will be deployed at first. (At this moment I am not using any Windows server but in near future I will need to deploy Windows Server 2003 in my corporate network) My questions are:
Can I configure ASA as DHCP server for my LAN?
Can I configure WLC as DHCP server for my LAN?
If we can configure both then what is the best practice from above two options? (I am new to Cisco stuff and first time user)
i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
below is my configuration
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key * group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000 ---snapshot Ping test to DHCP-Server 10.1.1.200---- ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
the DHCP server is working when i assign ip address to the LAN network.
My Windows xp computer can't connect to the DHCP server correctly and thus can't connect to the internet. It is connected through an Ethernet cable to a wireless router. All other computers on the same network connect fine to the router, both wired and wireless.This all started after I left my computer alone for a few hours and came back with it not coming out of idle. After shutting it off and turning it back on, it would not connect to the DHCP server.It assigned me the autoconfig address 169.254.189.73 because it couldn't connect to the DHCP server. I even tried a static IP but even that wouldn't fix it. I have tried the same ethernet cable in another computer and it worked fine so I know that it is because of my computer.I have tried renewing and releasing the connection using ipconfig in the command prompt but that did nothing. The settings are all the same as the other computers running through the same router. I have tried shutting down all the other computers and reconnecting the trouble one but again still nothing.The last thing I'm not sure about is the network adapter driver. I have reinstalled it but I'm not sure if the driver is correct. I have an NVIDEA nforce 10/100 Mbps Ethernet adapter. I attempted to reinstall but I'm not sure I selected the correct generation when I downloaded the driver installer. My computer says nothing about the generation of the adapter so I just chose the newest generation. My adapter is integrated in the motherboard.
I have a machine with Windows Server 2003 running an Exchange Server in a office with 5 workstations attached. The server is being used for a basic outlook calendar across the various workstations, nothing major. Our current ISP provides us with a Static IP address. The party that installed and configured the server set it up to run the DHCP server on the server PC itself. As in, the machine running windows server is also running a software DHCP server for the entire network. THE SETUP: As of right now we have a wall port (internet access) with a cable running to a 8 port unmanaged netgear switch that has cables hooked up to the 5 workstations as well as the server itself. Pretty simple.THE QUESTION: How do I configure the ISP static settings on the DHCP Server portion of the Server PC? We may be getting a new ISP with a dynamic address OR a new static address. WHAT I'VE TRIED: I've tried configuring the IP address on the Server PC the way I would via the NIC adapter settings but it already has a internal IP address from the DHCP Server running on that PC so changing that was no good.
I'm totally new to using Windows Server 2003 (or any windows server edition) but I do have a basic understand of networking. I have a machine with Windows Server 2003 running an Exchange Server in a office with 5 workstations attached. The server is being used for a basic outlook calendar across the various workstations, nothing major. Our current ISP provides us with a Static IP address. The party that installed and configured the server set it up to run the DHCP server on the server PC itself. As in, the machine running windows server is also running a software DHCP server for the entire network. As of right now we have a wall port (internet access) with a cable running to a 8 port unmanaged netgear switch that has cables hooked up to the 5 workstations as well as the server itself. How do I configure the ISP static settings on the DHCP Server portion of the Server PC? We may be getting a new ISP with a dynamic address OR a new static address.
I've tried configuring the IP address on the Server PC the way I would via the NIC adapter settings but it already has a internal IP address from the DHCP Server running on that PC so changing that was no good. I guess what I'm basically looking for is a screen like this (I hope you're familiar with the configuration pages of Linksys Routers) url...
I have trouble with a Cisco 892 Router from my Internet service provider.
Last week we switched from a virtual Router to a hardware Router. But after plugging it in our LAN Switch, the Windows DHCP Server stopped leasing IP's. I got many BAD_ADDRESS with MAC like e1:80:10:ac, e2:80:10:ac, e3:80:10:ac, e4:80:10:ac, e5:80:10:ac, ea:80:10:ac, eb:80:10:ac, ec:80:10:ac and so on.
I do not have access to the Router config, so I can not dump the config to you. We have a flat LAN, single SUB-Net(172.16.0.0/16) and no VLAN, no Spanning Tree. A Keep it Simple, Stupid(KISS) System.
A tech guy from service provider, is telling us, the error is not there fault and my switch is not correctly configured. But this is ********. For years we had a another Cisco Router from the precursor ISP and for 2 years the virtual Router from our current ISP. No trouble with my DHCP. But after plugging the new Router in, my DHCP stopped working.On the 892 is no running DHCP, but something interferences with my Windows Server 2008 R2 SP1 DHCP Server.
We have a 5508 controller authenticates with WPA2-enterprise to 3 possible AAA servers. Today I tried migrating our DHCP server from a Windows 2003 machine to Windows 2008 R2. Migration went smoothly and all wired clients could get IP's. Reservations intact, scopes intact, etc.. you name it. I though it was a great success.
Fast forward about an hour when people started coming into work for the day. Calls started coming in about their laptops not able to connect to the network. I double checked with a spare laptop in our IT department and also my iPhone. Same issue. Seems the only thing I changed today was the DHCP server (from 10.1.1.1 to 10.1.1.2).
After racking my head on it for awhile, I re-enabled the "old" dhcp server (10.1.1.1) and disabled it on the new (10.1.1.2). Instantly wireless clients were able to connect.
Am I missing some configuration step in the 5508 controller when moving DHCP servers? I do plan on running 2 DHCP servers (10.1.1.2 and 10.1.1.10) for redundancy once I get the primary one moved over and working correctly.
I want to decommision the older 2003 server. Its time to raise the domain functional level.
I am setting up a clientless SSL VPN and AnyConnect on a ASA5510 running 8.4. When I login to clientless SSL VPN I get a menu with AnyConnect showing as an option. When I click on that AnyConnect it try to load. Half way loading an error message pop up.Error message:The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No address available for SVC connection.When I load AnyConnect seperately then it works. I don't have that problem when using 8.2.
I have a small issue with the AnyConnect client. Under Windows XP, I was able to accept and install the certificate from the firewall and get a vpn connection working. But under Windows 7, I have to accept the certificate everytime I conect. Is there a reason for that?
I have a small issue with the AnyConnect client. Under Windows XP, I was able to accept and install the certificate from the firewall and get a vpn connection working. But under Windows 7, I have to accept the certificate everytime I conect. Is there a reason for that?
We have an ASA5510 with the Anyconnect Essentials license. I'm in the process of setting up Anyconnect and immediately run into a question. We have a /29 subnet setup and AFAIK i must use the outside interface address for Anyconnect. However i already have an https service PAT forward on this address. So, can i setup Anyconnect to listen on eg. the second ip in my public subnet?
I ve setup Anyconnect on ASA 5510 and it seems to be working fine but cant get Jabber to work on smart phones. When using the packet tracer i see my packets dropped on WEBVPN-SVC. I am not using NAT anywhere and i can normally ping the CUCM from the client , i can open the web page of cucm but jabber says connection error.
I currently have our ASA5510 setup for AnyConnect 3.0 VPN clients and IPSec VPN clients. I'm trying to add Clientless SSL VPN functionality for employees without company laptops. Because they won't be using company PC's I want them to connect to the webvpn portal without having to install any type of client.
I have a Clientless SSL VPN connection profile setup and have it set to use Clientless SSL VPN only. However, whenever I login to the portal it automatically tries to download and install the AnyConnect client. How do I enable the VPN web portal without the AnyConnect trying to install?
We have about 160 users setup using the Anyconnect client connecting to a ASA 5510. We are using split tunneling and also using the Websense endpoint client. Every now and again after installing the endpoint client we are unable to connect the AnyConnect. It asks for credentials waits for a while and then fails with the error "AnyConnect was not able to establish a connection to the specified secure gateway.Please try again later."
If we uninstall the endpoint client it works again and normally after reinstall it fails again ( I know). Eventually it just works and then its fine.
We have logged a call with websense and sent packet traces of working and none working . Then only thing they came back with is if we filtered the non working trace with port 80 you could see a few RST,ACK coming from the ASA to the client so they blamed the Cisco components.
I'm trying to install the anyconnect package on an ASA 5510 running version 9.0.1. I'm getting the following error:
labfwpix(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg copying 'disk0:/anyconnect-win-3.1.01065-k9.pkg' to a temporary ramfs file failed
Is there something that I'm doing wrong when installing the package?Also, is there away to manually install the client on a stand alone PC without a deploying method, similar to the IPSEC client software?
I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the Certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation.Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse endusers.
I have a scenario where there is an ASA5510 configured as follows:
Interface0 = Outside Interface1 = LAN Interface2 = DMZ Interface3 = unused Running ASA version 8.2[1]
All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.
My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources. When I try accessing it, I see the following errors appearing in the debug log:
3Dec 03 201212:10:50710003[DMZ client address]51031[AnyConnect ExternalAddress]443TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443 If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address BUT it suggests the Anyconnect IP address is on the DMZ interface.
Recently upgraded a 5510 to Anyconnect Essentials and Anyconnect Mobile, the device was Security Plus and is now Base. Is it supposed to work this way? I lost my Gigabit interfaces. Is it possible to have Security Plus + Anyconnect Essentials?
I am trying to setup a VPN with AnyConnect on my ASA5510 and it works fine. I have setup an AAA server group for my Active Directory with the "NT Domain" protocol". Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the Anyconnect VPN to only a few users in AD.
we have ASA5510 with version 7.x and asdm 5.X, i upgraded it to 8.3 and asdm 6.2, and i got vpn peers 250 and 2 ssl.when i try to connect through client software , i can see in the logs UDP 500 port is created as shown below. [code]
and currently in right panel of Active Algorithms i have only RC4-SHA1,
We have a Cisco ASA5510 configured to work with Microsoft Radius Server. VPN authorization and authentication is working well with L2TP over IPSec, and users are authenticating with MSChapV2 like we want them to.
Now we are trying to setup Anyconnnect to do the same. How do we tell AnyConnect to use MSChap-V2 versus PAP? using ADSM? I think I know how to do the Microsoft Part of it, but I don't know where to go in ADSM to configure this.
why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
! ASA Version 8.2(5) ! interface Ethernet0/1 nameif inside security-level 100 ip address 10.6.0.12 255.255.254.0
why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
We have ASA5510 with version 7.x and asdm 5.X, i upgraded it to 8.3 and asdm 6.2, and i got vpn peers 250 and 2 ssl.when i try to connect through client software , i can see in the logs UDP 500 port is created as shown below.Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500) no other things are going on , and i get error as shown below.
Secure VPN Connection terminated Locally by the client Reason 412: Remote peer is no longer Responding Connection terminated on.
i am suspecting it is VPN-3DES-AES activation key issue.when i go to Remote Access VPN ---Advanced---SSL Seetings--From Left Encryption Panel Available Algorithems i have DES-SHA1 when i try to drag it tto Right panel of Active algorithems it gives me error *** below [ERROR] sl encryption rc4-sha1 des-sha1 The 3DES/AES algorithms require a VPN-3DES-AES activation key and currently in right panel of Active Algorithms i have only RC4-SHA1,