I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.I have attached running configuration for your reference.
-FW : ASA5510
-Version : 8.0
Site to Site VPN is working without any issues
I am trying to access and ping the inside interface of a ASA5505 from a remote network. From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24
[code]....
In my client office, We have replaced small business router cisco RV042 with Cisco ISR router 2911, in that router we have configured NAT to allow internal user to access internet and port forwarding for outside user to access web servers and other application that are hosted internally.
we are not able to access [URL] (name changed) from internally and one of the application that are runnning on port no. 8280., and same is working properly from outside the network.other application that running on 8287 is accessible form internally.
We are accessing with ip address http://192.168.1.51:8280. and [URL] not working from inside.
But all works fine with old cisco RV042.
I have the following config below on my ASA5505, where I want to be able to access remote computers who are VPN'd into the inside network, for support purposes.I want to be able to ping the VPN ip from the LAN, and be able to connect to these computers via the VPN ip. [code]
View 4 Replies View Relatedip local pool VPNPOOL 192.168.200.1-192.168.200.100.
i can access servers with remote vpn which they located at dmz zone at asa(write nonat access-lsit) but i can not 192.168.193.0 subnet at asa.i configurated proxy server. my proxy server inside interface get ip address my dmz zone(172.16.10.254) and outside is ip adddress asa outside interface (10.0.0.254).the users (192.168.193.0/24) go internet from proxy server.
[code]....
We have an ASA5510 and a few days ago we were unable to access some segments from remote access VPN, the problem was not the config. A few hours later the problem was resolved on its own and I suspect we have an IOS bug. This has happened a few times in the past and its becoming an issue. How can this be confirmed and which IOS should we upgrade to? Prefer not 8.3 given the syntax difference
View 1 Replies View RelatedI have a client that just got a second public IP (x.x.x.252) for a new program. I've setup that second IP on their UC540 on the public-facing port and it's accessible all day long from the outside, no problem. The problem comes in where users from within the LAN can't see the new public IP at all; however, they CAN get to the original public IP x.x.x.250. I've looked at the rules every which way and can't see anything that either 1) only allows LAN traffic to get to the original public IP, or 2) a NAT rule that only allows the same thing.
[Disclaimer: I just inherited this client and their setup, so other than me adding the IP and opening ports to it, I didn't program it.]
Here is the port configuration:
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 63.234.195.252 255.255.255.248 secondary
ip address 63.234.195.250 255.255.255.248
ip access-group 106 in
no ip redirects
no ip (code )
I can't figure out why .250 is internally-accessible, but .252 isn't. .252 is in the routing table as a directly-connected address, but I also added ip route 63.234.195.252 255.255.255.255 FastEthernet0/0 to the routing table and it still won't go. Everything is controlled by the UC540: The internal servers do not run DNS or DHCP or even a domain. There are no NAT outside rules.
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
View 1 Replies View Relatedhow to configure simple VPN access for a user to login to the corporate network and access the resource and get emails I do not want to use CA certificate for authentication instead a very simple method is what i plan to start up with the configuration step so i can test this out.
View 4 Replies View RelatedI have access to my enterprise network through Cisco VPN (software) client and it goes through remote-access ipsec vpn setup on an ASA 5510. Everything works fine.
But now users that connect to the enterprise network have in addition need to access remote sites networks that are connected through the site-to-site VPN tunnels: IPSec tunnels between mentioned ASA5510 and remote ASA5510s and ASA5505s in branch offices.
there is NAT exemption rule that exempts networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24.All traffic from local network 10.1.1.0/24 have full ip connectivity with all the networks in branch offices. The PROBLEM is that remote vpn clients can reach only local network 10.1.1.0/24, but not the remote networks.
The ASAs in remote branch offices has set up NAT exemption towards both local network 10.1.1.0/24 and remote access clients network 10.0.5.0/28, but as I said, it doesn't go.
I like to create a remote access VPN in our company. But it already has a site to site VPN.
1. Can we implement it with existing ASA?
2. How many users can be logged in at a time?
3. Is the currently available bandwidth sufficient at a high traffic ? Current bandwidth is 2Mbps (Expect maximum 30 users at a time)
4. How can we make authentication using active directory?
5. Can we use default VPN client in windows with ASA?
6. How can we monitor user’s activity while logging in using VPN?
I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network. I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y. HTTPS/443 connectivity. I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.
The Cisco tech entered the following static NAT statement to "fix" the problem - nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface.
The y.y.y.y is on a remote, routed network within my private, corporate MPLS network. My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x. Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.The NAT statement above will break my network. How to NAT this connection without killing my Inside network? Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool.
We have a Cisco 5510 with 2 IPSec Connection Profiles each using a different IAS for authentication.If we add another VPN profile we need another IAS.With Cisco ACS can it be configured for different VPN profiles from the same ASA 5510?
View 4 Replies View RelatedWe have a high availability pair of ASA 5510's in Data Centre where we have configured remote access to allow users log in via SSL VPN, now we want to add further security to our environment we are adding endpoint assessment licenses...the question I have would I need two sets of the license ASA-ADV-END-SEC ?
I learned the hardway before with ASA SSL VPN licenses breaking other failover pair as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in a HA pair?
i have ASA 5510 with firmware version 8.4.2 and ASDM firmware 6.4.5 , it is a new system and there is no configuration other than inside network and HTTP server enable , allow my ip address to access http server.i am able to ping the firewall but no access throguh ASDM
[code]....
Have a few users on Vista/7 using Windows L2TP to connect to our ASA5510. It is reported that after a few hours the connection drops. From what I have seen this can be anywhere around 5-6 hours. Of course my connection will drop after an amount of time has passed and no traffic has passed the tunnel. But the users are adament that this drops during large transfers; i.e. not a timeout issue. Before I spend anymore time on this I just want to know if this is normal behavior for a remote access L2TP using Windows to disconnect on it's own after this amount of time. Never had a reason myself to remain connected that long, and when I did I used a site 2 site tunnel.
View 2 Replies View Relatedi have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.
Internet access is working fine, however I cannot get my computers to work on the network therefore cant share any files or play any network games. The router is set up as DHCP server therefore IPs are automatically assigned, this is setup on the PCs and the router. The work group is also set. Exactly same settings basically as my old router which worked fine but wont on this one! I have 3 wired PCs and a wireless laptop. 2 PCs are windows XP the other is Windows 7 and the laptop is windows 7. The wireless win7 laptop will recognize my win7 wired PC and vice versa and can share everything without problems, but they wont have anything to do with the wired winxp PCs, on top of that the 2 winxp wont recognize each other either so don't think its anything platform specific. I have also tried setting up static IPs for each computer - still no joy.This is a brand new D-Link DIR-655 Rev B1 firmware 2.00
View 3 Replies View RelatedI have 2xASA5510 with securityPlus license.i have configured 3 context and Active/Active Failover.Everything works fine. But also want to use rometeAccessVPN but couldn't fine anything for VPN. does it support VPN in multiple mode?
View 3 Replies View RelatedI have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured. My remote users can access inside LAN servers as well as the Internet from their remote location. What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet? Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall. This will allow the same security as if they were sitting in the office.
View 4 Replies View RelatedI have an ASA5510, and site-to-site VPN with several remote clients. I have to add another client but their network range overlaps an existing tunnel. Both are using 172.16.0.0/16. I would like to 1-to-1 NAT them as 172.17.0.0/16.
Is it possible to perform the NAT on my device, post-decryption, or is it necessary that I have them perform the NAT at their end?
I have a similar problem, I'm able to connect via VPN client and ping only one host on the remote lan and nothing else. I'm using both split-tunnel and non-split-tunnel, but none has worked. My main objective is to make the remote user connect to office lan (remote lan for him) and office Internet connection.
View 6 Replies View RelatedNot very familiar with ASA and NAT'ing in general so hopefully, this will make sense.
I've created a Site-to-Site IPSec VPN tunnel with one of our clients (who uses a PIX). The remote user can connect to our local, private LAN servers without a problem. However, when the remote user tries to connect to servers on our corporate network (which is linked over WAN routers from LA to Dallas) they cant get through.
When I run Packet Trace in ASDM on our ASA all is well until the packet attempts to traverse from the Inside interface back through the Outside interface (back to the remote client side of the VPN tunnel).
I see the following "error" within the Packet Trace tool;
-----------------------------------------------------------------------------------------
Type - NAT Subtype - rpf-check Action - DROP
Config
object network obj_any
nat (inside,outside) dynamic interface
-------------------------------------------------------------------------------------------
I've attached my ASA config. The remote client-side address is 74.8.221.195, its being PAT'd to 172.30.12.75 and the remote host/network its not able to reach is 172.30.101.20 ( /24 net mask). The local segment in my LA network is 172.30.12.0/22 and the servers in this network are all able to communicate with the remote client-side user at 74.8.221.195.
I have a ASA 5510 with asa8.4(2) and asdm6.4(5)205. Have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection. [code]
View 3 Replies View RelatedMy customer has a 5510 with the inside interface connected to a routed port on a Cat3560G.When I look at the arp cache on the 5510 all inside IPs have the MAC of the 3560's routed port. [code]
View 6 Replies View RelatedI cannot seem to determine exacly why I am not able to ping from the inside to outside using the standard 100/0 security levels respectively. I am dynamic natting the inside to the outside interface, something I don't usually do but cannot see why ICMP's are not passing through.
The Packet trace tool says there is something in the ACL but there really isn't.
Is there simply an issue of Natting to the WAN interface on a 5510?
We got an ASA5510 (8.2x) with an inside, guest and outside interface.On the guest interface, we have DHCP function on the ASA.On the outside, there is web-ssl vpn (dns hostname on a public isp-dns server) configured.
When an user on the guest net tries to get connected with the web-ssl dns-name, it resolves the public, outside interface-ip , the ASA dropps it.
I know, with static NAT it can be resolved url...but on this scenario, we are trying to build a connection from a guest inside IP to the public-ip form the outside ASA interface.If the guest users try an web-ssl connection on the guest-ASA IP, it works with a certificate error ( because there is no internal DNS on the guest net to resolve the dns name to the guest-interface IP).
So how can this be achieved? Can the ASA provide DNS server function? Can a NAT static entry (outside ip to interface guest) solve it? It's the only solution an inhouse DNS server in the guest-net?
I have setup a few Vpn clients but no ones able to access the inside network.The clients all get a Ip address from the pool and DNS servers Ip's. But cannot ping or connect to there pc's. I'm thining its somewhere in the ACL.
View 2 Replies View RelatedI have an ASA 5510 which works great except I'm unable to connect to the remote access VPN from inside the network (behind the ASA). Is there a special NAT exemption required? [code]
View 6 Replies View RelatedWe have a RV042. remote management is set to DISABLE - but even after restarting the router i can access the interface remotely over the internet.even when i enable it and change the port to say 5555 i can connect to the web interface using either port 5555 but ALSO on port 80.what's wrong here?the only way to stop that was to create a rule that blocks port 80 on the WAN interface. (btw. could this rule affect LAN users when browsing the web?)
View 7 Replies View RelatedWe currently have a central hub using an ASA5510 and then a few site-to-site VPN connections to our support staff homes. The devices at the homes are Cisco routers. We were running version 8.25 on the ASA and all was working fine. We recently upgraded to version 8.42 and although all the functionality of the network is ok and it does what it should, our support staff cannot ping, ASDM or telnet to the ASA inside interface anymore whereas they could before the upgrade. The home VPNs all run on a 10.30 subnet (i.e. 10.30.1.x, 10.30.2.x etc etc). I can post our config (security edited of course), but it is quite a big config. The command management-access inside is specified and the 10.30.0.0/16 subnet is permitted to ASDM and Telnet. Are there any extra things that have to be done in version 8.42 to get this to work as the support staff do have to access the firewall for configuration purposes. At the moment, they have to telnet to one of the routers on the local LAN and then Telnet to the firewall from there.Prior to the upgrade, they were all able to ping the inside ASA interface and also telnet and HTTPS to it from their PCs at home. Now they cannot and the only change made was an upgrade to 8.42. Immediately after the upgrade none of them can ping the interface anymore and it seems it can only be accessed from the local LAN. I cannot find any access-lists that might be blocking the packets so can only assume it's something in the way 8.42 works.
View 8 Replies View RelatedWe have 2xASA5510. I have 2 Inside interfaces as INS_STAFF and INS_QUEST and two Outside interface OUT_STAFF and OUT_QUEST which is in sapareta ISP's. All interfaces is assinged to different vlans. now i want to nat INS_STAFF to OUT_STAFF and INS_QUEST to OUT_QUEST,because I'm having two default routes it gets impossible to do. Plus I want to make failover with my ASA's. I know that i can solve this problem with PBR on router.but I haven't it . make context's and separate each Inside and Outside alone?
View 1 Replies View RelatedI'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.
View 1 Replies View Related