Cisco VPN :: ASA5510 - AnyConnect Using Windows DHCP Server But Can't Access LAN PCs?
Oct 1, 2012
I've got my AnyConnect setup to get an IP from our Windows DHCP server just fine. It grabs the IP, mask, and DNS just fine. But I can't ping any of the lan devices or do any DNS lookups. I need it to work this way since we have a ton of site-to-site's with remote offices and getting them all to adjust their firewalls to allow another subnet is a nightmare.
I have split-tunneling enabled. I'm sure it's a nonat command that I'm missing, but not sure what.
Before connecting to VPN:
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24 10.10.1.1/24
After they connect to AnyConnect
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24 10.10.1.1/24
10.10.1.45/24
View 11 Replies
ADVERTISEMENT
Dec 2, 2012
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.0(2)
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
#show webvpn anyconnect
1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
3,1,00495
Hostscan Version 3.1.00495
Profile in atthach-file. After this profile is uploaded to client Optimal Gateway Selection doesn't work propertly: When 'vpn1.mydomain.com/mygroup' (it best TTL server) is unreachable, then OGS try to be connected to other servers, but without group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')
View 2 Replies
View Related
May 9, 2012
We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,
View 5 Replies
View Related
Aug 27, 2012
How do I configure the ASA5510 to allow VPN clients to have access to the Internet while they are connected via AnyConnect?
View 6 Replies
View Related
Oct 13, 2011
I am using a fiber optic connection. I want to connect it directly to ASA5510. A WLC2504 will be connected to ASA and one Aironet AP will be deployed at first. (At this moment I am not using any Windows server but in near future I will need to deploy Windows Server 2003 in my corporate network) My questions are:
Can I configure ASA as DHCP server for my LAN?
Can I configure WLC as DHCP server for my LAN?
If we can configure both then what is the best practice from above two options? (I am new to Cisco stuff and first time user)
View 1 Replies
View Related
May 5, 2010
i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
below is my configuration
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key *
group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000
---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
the DHCP server is working when i assign ip address to the LAN network.
View 20 Replies
View Related
Dec 12, 2012
I can make some "local policy" with client of SSL VPN AnyConnect and block access to internet?
The user would only have access to the internet if he was connected to the VPN (by internal proxy).
View 10 Replies
View Related
Sep 29, 2011
i am facing the same problem now but am using windows 2003 server
View 1 Replies
View Related
Feb 22, 2011
i want to setup DHCP using my windows xp
View 1 Replies
View Related
Apr 17, 2012
My Windows xp computer can't connect to the DHCP server correctly and thus can't connect to the internet. It is connected through an Ethernet cable to a wireless router. All other computers on the same network connect fine to the router, both wired and wireless.This all started after I left my computer alone for a few hours and came back with it not coming out of idle. After shutting it off and turning it back on, it would not connect to the DHCP server.It assigned me the autoconfig address 169.254.189.73 because it couldn't connect to the DHCP server. I even tried a static IP but even that wouldn't fix it. I have tried the same ethernet cable in another computer and it worked fine so I know that it is because of my computer.I have tried renewing and releasing the connection using ipconfig in the command prompt but that did nothing. The settings are all the same as the other computers running through the same router. I have tried shutting down all the other computers and reconnecting the trouble one but again still nothing.The last thing I'm not sure about is the network adapter driver. I have reinstalled it but I'm not sure if the driver is correct. I have an NVIDEA nforce 10/100 Mbps Ethernet adapter. I attempted to reinstall but I'm not sure I selected the correct generation when I downloaded the driver installer. My computer says nothing about the generation of the adapter so I just chose the newest generation. My adapter is integrated in the motherboard.
View 19 Replies
View Related
May 7, 2011
I have a machine with Windows Server 2003 running an Exchange Server in a office with 5 workstations attached. The server is being used for a basic outlook calendar across the various workstations, nothing major. Our current ISP provides us with a Static IP address. The party that installed and configured the server set it up to run the DHCP server on the server PC itself. As in, the machine running windows server is also running a software DHCP server for the entire network. THE SETUP: As of right now we have a wall port (internet access) with a cable running to a 8 port unmanaged netgear switch that has cables hooked up to the 5 workstations as well as the server itself. Pretty simple.THE QUESTION: How do I configure the ISP static settings on the DHCP Server portion of the Server PC? We may be getting a new ISP with a dynamic address OR a new static address. WHAT I'VE TRIED: I've tried configuring the IP address on the Server PC the way I would via the NIC adapter settings but it already has a internal IP address from the DHCP Server running on that PC so changing that was no good.
View 2 Replies
View Related
Aug 22, 2011
I'm totally new to using Windows Server 2003 (or any windows server edition) but I do have a basic understand of networking. I have a machine with Windows Server 2003 running an Exchange Server in a office with 5 workstations attached. The server is being used for a basic outlook calendar across the various workstations, nothing major. Our current ISP provides us with a Static IP address. The party that installed and configured the server set it up to run the DHCP server on the server PC itself. As in, the machine running windows server is also running a software DHCP server for the entire network. As of right now we have a wall port (internet access) with a cable running to a 8 port unmanaged netgear switch that has cables hooked up to the 5 workstations as well as the server itself. How do I configure the ISP static settings on the DHCP Server portion of the Server PC? We may be getting a new ISP with a dynamic address OR a new static address.
I've tried configuring the IP address on the Server PC the way I would via the NIC adapter settings but it already has a internal IP address from the DHCP Server running on that PC so changing that was no good. I guess what I'm basically looking for is a screen like this (I hope you're familiar with the configuration pages of Linksys Routers) url...
View 14 Replies
View Related
Apr 16, 2013
I want to set up a domain for a file server and MS SQL 2005 server on my server machine and installed windows server 2008 in it.
Do I need to set up DHCP server and DNS on Windows server 2008R2 or leave them to the router to do the job?
View 1 Replies
View Related
Mar 27, 2012
I have trouble with a Cisco 892 Router from my Internet service provider.
Last week we switched from a virtual Router to a hardware Router. But after plugging it in our LAN Switch, the Windows DHCP Server stopped leasing IP's. I got many BAD_ADDRESS with MAC like e1:80:10:ac, e2:80:10:ac, e3:80:10:ac, e4:80:10:ac, e5:80:10:ac, ea:80:10:ac, eb:80:10:ac, ec:80:10:ac and so on.
I do not have access to the Router config, so I can not dump the config to you. We have a flat LAN, single SUB-Net(172.16.0.0/16) and no VLAN, no Spanning Tree. A Keep it Simple, Stupid(KISS) System.
A tech guy from service provider, is telling us, the error is not there fault and my switch is not correctly configured. But this is ********. For years we had a another Cisco Router from the precursor ISP and for 2 years the virtual Router from our current ISP. No trouble with my DHCP. But after plugging the new Router in, my DHCP stopped working.On the 892 is no running DHCP, but something interferences with my Windows Server 2008 R2 SP1 DHCP Server.
View 15 Replies
View Related
Dec 5, 2012
We have a 5508 controller authenticates with WPA2-enterprise to 3 possible AAA servers. Today I tried migrating our DHCP server from a Windows 2003 machine to Windows 2008 R2. Migration went smoothly and all wired clients could get IP's. Reservations intact, scopes intact, etc.. you name it. I though it was a great success.
Fast forward about an hour when people started coming into work for the day. Calls started coming in about their laptops not able to connect to the network. I double checked with a spare laptop in our IT department and also my iPhone. Same issue. Seems the only thing I changed today was the DHCP server (from 10.1.1.1 to 10.1.1.2).
After racking my head on it for awhile, I re-enabled the "old" dhcp server (10.1.1.1) and disabled it on the new (10.1.1.2). Instantly wireless clients were able to connect.
Am I missing some configuration step in the 5508 controller when moving DHCP servers? I do plan on running 2 DHCP servers (10.1.1.2 and 10.1.1.10) for redundancy once I get the primary one moved over and working correctly.
I want to decommision the older 2003 server. Its time to raise the domain functional level.
View 6 Replies
View Related
Jul 29, 2011
dhcp server failed while running network diagnostic test for windows xp
View 1 Replies
View Related
Dec 15, 2011
I am setting up a clientless SSL VPN and AnyConnect on a ASA5510 running 8.4. When I login to clientless SSL VPN I get a menu with AnyConnect showing as an option. When I click on that AnyConnect it try to load. Half way loading an error message pop up.Error message:The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No address available for SVC connection.When I load AnyConnect seperately then it works. I don't have that problem when using 8.2.
View 1 Replies
View Related
Dec 22, 2011
I have a small issue with the AnyConnect client. Under Windows XP, I was able to accept and install the certificate from the firewall and get a vpn connection working. But under Windows 7, I have to accept the certificate everytime I conect. Is there a reason for that?
View 3 Replies
View Related
Feb 24, 2011
I have a small issue with the AnyConnect client. Under Windows XP, I was able to accept and install the certificate from the firewall and get a vpn connection working. But under Windows 7, I have to accept the certificate everytime I conect. Is there a reason for that?
View 2 Replies
View Related
Aug 28, 2012
We have an ASA5510 with the Anyconnect Essentials license. I'm in the process of setting up Anyconnect and immediately run into a question. We have a /29 subnet setup and AFAIK i must use the outside interface address for Anyconnect. However i already have an https service PAT forward on this address. So, can i setup Anyconnect to listen on eg. the second ip in my public subnet?
View 4 Replies
View Related
Dec 6, 2012
I ve setup Anyconnect on ASA 5510 and it seems to be working fine but cant get Jabber to work on smart phones. When using the packet tracer i see my packets dropped on WEBVPN-SVC. I am not using NAT anywhere and i can normally ping the CUCM from the client , i can open the web page of cucm but jabber says connection error.
View 1 Replies
View Related
Feb 21, 2011
I currently have our ASA5510 setup for AnyConnect 3.0 VPN clients and IPSec VPN clients. I'm trying to add Clientless SSL VPN functionality for employees without company laptops. Because they won't be using company PC's I want them to connect to the webvpn portal without having to install any type of client.
I have a Clientless SSL VPN connection profile setup and have it set to use Clientless SSL VPN only. However, whenever I login to the portal it automatically tries to download and install the AnyConnect client. How do I enable the VPN web portal without the AnyConnect trying to install?
View 2 Replies
View Related
Apr 16, 2013
We have about 160 users setup using the Anyconnect client connecting to a ASA 5510. We are using split tunneling and also using the Websense endpoint client. Every now and again after installing the endpoint client we are unable to connect the AnyConnect. It asks for credentials waits for a while and then fails with the error "AnyConnect was not able to establish a connection to the specified secure gateway.Please try again later."
If we uninstall the endpoint client it works again and normally after reinstall it fails again ( I know). Eventually it just works and then its fine.
We have logged a call with websense and sent packet traces of working and none working . Then only thing they came back with is if we filtered the non working trace with port 80 you could see a few RST,ACK coming from the ASA to the client so they blamed the Cisco components.
View 1 Replies
View Related
Dec 3, 2012
I'm trying to install the anyconnect package on an ASA 5510 running version 9.0.1. I'm getting the following error:
labfwpix(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg
copying 'disk0:/anyconnect-win-3.1.01065-k9.pkg' to a temporary ramfs file failed
Is there something that I'm doing wrong when installing the package?Also, is there away to manually install the client on a stand alone PC without a deploying method, similar to the IPSEC client software?
View 2 Replies
View Related
Oct 25, 2012
I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the Certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation.Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse endusers.
View 8 Replies
View Related
Dec 2, 2012
I have a scenario where there is an ASA5510 configured as follows:
Interface0 = Outside
Interface1 = LAN
Interface2 = DMZ
Interface3 = unused
Running ASA version 8.2[1]
All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.
My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources. When I try accessing it, I see the following errors appearing in the debug log:
3Dec 03 201212:10:50710003[DMZ client address]51031[AnyConnect ExternalAddress]443TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443 If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address BUT it suggests the Anyconnect IP address is on the DMZ interface.
View 1 Replies
View Related
Dec 21, 2011
Recently upgraded a 5510 to Anyconnect Essentials and Anyconnect Mobile, the device was Security Plus and is now Base. Is it supposed to work this way? I lost my Gigabit interfaces. Is it possible to have Security Plus + Anyconnect Essentials?
View 1 Replies
View Related
Aug 21, 2012
I am trying to setup a VPN with AnyConnect on my ASA5510 and it works fine. I have setup an AAA server group for my Active Directory with the "NT Domain" protocol". Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the Anyconnect VPN to only a few users in AD.
View 1 Replies
View Related
Mar 31, 2011
we have ASA5510 with version 7.x and asdm 5.X, i upgraded it to 8.3 and asdm 6.2, and i got vpn peers 250 and 2 ssl.when i try to connect through client software , i can see in the logs UDP 500 port is created as shown below. [code]
and currently in right panel of Active Algorithms i have only RC4-SHA1,
View 7 Replies
View Related
May 13, 2013
We have a Cisco ASA5510 configured to work with Microsoft Radius Server. VPN authorization and authentication is working well with L2TP over IPSec, and users are authenticating with MSChapV2 like we want them to.
Now we are trying to setup Anyconnnect to do the same. How do we tell AnyConnect to use MSChap-V2 versus PAP? using ADSM? I think I know how to do the Microsoft Part of it, but I don't know where to go in ADSM to configure this.
View 2 Replies
View Related
Nov 28, 2011
why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
[code]....
View 3 Replies
View Related
Jan 15, 2013
why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
[Code]....
View 9 Replies
View Related
Mar 31, 2011
We have ASA5510 with version 7.x and asdm 5.X, i upgraded it to 8.3 and asdm 6.2, and i got vpn peers 250 and 2 ssl.when i try to connect through client software , i can see in the logs UDP 500 port is created as shown below.Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500) no other things are going on , and i get error as shown below.
Secure VPN Connection terminated Locally by the client
Reason 412: Remote peer is no longer Responding
Connection terminated on.
i am suspecting it is VPN-3DES-AES activation key issue.when i go to Remote Access VPN ---Advanced---SSL Seetings--From Left Encryption Panel Available Algorithems i have DES-SHA1 when i try to drag it tto Right panel of Active algorithems it gives me error *** below [ERROR] sl encryption rc4-sha1 des-sha1 The 3DES/AES algorithms require a VPN-3DES-AES activation key and currently in right panel of Active Algorithms i have only RC4-SHA1,
View 4 Replies
View Related