Cisco VPN :: ASA5510 - Remote IPsec VPN DHCP-Server IP Assignment?

May 5, 2010

i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
 
below is my configuration
 
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key *
group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000
 ---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
 
the DHCP server is working when i assign ip address to the LAN network.

View 20 Replies


ADVERTISEMENT

Cisco VPN :: ASA5510 / Remote IPSEC VPN ASA Behind NAT?

Mar 18, 2012

i want to create Remote IP Sec VPN on Cisco ASA5510.Problem is this 5510ASA is behind another 5520ASA and it dont have any public IP address on any of 5510 interface.if i do static NAT of ASA 5510 Private IP on internet facing 5520 IP Public POOL, then will VPN work on 5510 ASA? and what ports need to forward on 5520 for 5510 to become IPSEC VPN head end

View 1 Replies View Related

Cisco VPN :: ASA5510 Remote Vpn Ipsec Not Working

Feb 29, 2012

I configured my cisco client with the info from the vpn wizard and get the following error :
 
error in the cisco vpn client when enabling the log : Invalid SPI size (log) + reason 412 the remote peer is no longer responding (application) message I see via the ASDM-IDM : Built inbound UDP connection for interface WAN
  
I'll explain briefly what I'm trying to do here :
 
* Remote vpn with windows users having cisco clients
* Group authentication and in the asa5510 LOCAL authentication
 
My WAN interface contains a public ip/29 I also defined a LAN interface with security level 100 in 10.0.60.0 255.255.252.0 range the vpn dhcp range I want to attribute to vpn users : 10.0.69.0/24
 
Basically I want users to initiate the vpn tunnel to the public IP and be able only to access the LAN range with the 10.0.60.0/22 range
 
ASA Version 8.2(5)
!
hostname xxxx
domain-name xxxx

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA5510 - Use Internal DHCP Throughout VPN IPSEC

Oct 19, 2011

I've a question about VPN IPSEC on ASA5510
 
In the LAN network , we use a DHCP on a Windows2003Server. Is it Possible to Configure the remote VPN Clients to use this DCHPserver throughout the VPN IPSEC and Assigned Automatically IP when the connection is done?

View 1 Replies View Related

Cisco VPN :: ASA5510 Easy VPN Remote / IPsec Session Count

Feb 21, 2013

I recently upgraded our head end ASA5510 at our datacenter from 8.2.1 to 8.4.5. The ASDM was also upgraded from 6.2.1 to 7.1.(1)52. Under the old code, a remote ASA5505 connected via Easy VPN Remote showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It would seem to me that each split tunnel network defined in the Easy VPN profile is being counted as a tunnel. Is it possible that I may have something misconfigured now that the code is upgraded?

View 6 Replies View Related

Cisco VPN :: ASA5510 Remote IPSEC Client Not Using Dedicated IP Address

Aug 8, 2011

i am just installing my ASA 5510 and i want to configure it for remote access VPN IPSEC client.i use this doc : URl,When i start the connexion, the Client uses the first address of the pool and not the dedicated address ?,i have forget something ?

View 2 Replies View Related

Cisco Firewall :: Can Configure ASA5510 As DHCP Server For LAN

Oct 13, 2011

I am using a fiber optic connection. I want to connect it directly to ASA5510. A WLC2504 will be connected to ASA and one Aironet AP will be deployed at first. (At this moment I am not using any Windows server but in near future I will need to deploy Windows Server 2003 in my corporate network) My questions are:
 
Can I configure ASA as DHCP server for my LAN?

Can I configure WLC as DHCP server for my LAN?

If we can configure both then what is the best practice from above two options? (I am new to Cisco stuff and first time user)

View 1 Replies View Related

Cisco VPN :: ASA5510 - AnyConnect Using Windows DHCP Server But Can't Access LAN PCs?

Oct 1, 2012

I've got my AnyConnect setup to get an IP from our Windows DHCP server just fine. It grabs the IP, mask, and DNS just fine. But I can't ping any of the lan devices or do any DNS lookups. I need it to work this way since we have a ton of site-to-site's with remote offices and getting them all to adjust their firewalls to allow another subnet is a nightmare.
 
I have split-tunneling enabled. I'm sure it's a nonat command that I'm missing, but not sure what.
 
Before connecting to VPN:
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24                                                  10.10.1.1/24
  
After they connect to AnyConnect
Home user-------------------> ASA 5510 --------------> Office Lan
192.168.1.0/24                                                  10.10.1.1/24
10.10.1.45/24    

View 11 Replies View Related

Cisco VPN :: ASA 5505 / Misconfigured Remote VPN Server Using IPSEC Client?

Mar 22, 2011

The environment is:
 
ASA 5505 running 8.2 with ASDM 6.2.
VPN Client Version 5.0.05.0290
 
I've installed both the anyconnect and ipsec VPN clients and successfully connected for remote VPN server access; however, the client shows no packets being returned.  Thinking that I misconfigured, I reset to the factory default and began again.  Now I only have the ipsec vpn configured and I have exactly the same symptoms.  I followed the directions for configuring the ipsec vpn in Document 68795 and rechecked my configuration and I don't see what I've done wrong.  Given that I can connect to the internet from the inside network, and I can connect to the VPN from outside the network (and the ASDM Monitor shows an active connection with nothing sent to the client) I have to believe it is either a route or an access rule preventing communication but I can't quite figure out where (and I've tried static routes back to the ISP and a wide variety of access rules before flushing everything to start over). 

[Code] .....

View 4 Replies View Related

Cisco :: WLC 4.0 - Dynamic VLAN Assignment And DHCP

Jan 16, 2011

I have just upgraded our WLC from 4.0 to 7.0 (via 4.2). Before the upgrade we had our ACS returning a VLAN based on user group.  This seemed to be working without an issue.  Now that the WLC is on version 7 this is no longer working correctly.  The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
 
Example configuration:
 
SSID-----VLAN
 
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
 
PN-Others-----CSCVlan: No DHCP
 
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
 
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?

View 8 Replies View Related

Cisco VPN :: Remote Access With ASA 5510 Using DHCP Server?

Nov 28, 2011

why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:

!
ASA Version 8.2(5)
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0

[code]....

View 3 Replies View Related

Cisco VPN :: Remote Access With ASA 5510 Using DHCP Server

Jan 15, 2013

why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
 
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:

!
ASA Version 8.2(5)
!
interface Ethernet0/1

[Code]....

View 9 Replies View Related

Cisco Wireless :: 2504 / Assign IP Addresses To Remote Site Wi-Fi Users From Local DHCP Server?

May 29, 2012

Is it possible to assign IP addresses to remote site WIFI users from local DHCP server and forward all other traffic to 2504 WLC?
 
[WIFI Users] >--------<AP (DHCP server) >------ VPN ---------< WLC

View 1 Replies View Related

Cisco :: ASA Dhcpd Server Assignment Based On Mac

Sep 24, 2011

is it possible to use the asa dhcp server function to assign based on mac address (yet)? I have read numerous places that it was not possible (as of 8.2) at least, but I am workin in 8.4. I should have mentioned that I've already tried commands (asa 5510 btw)

View 4 Replies View Related

Cisco VPN :: All Remote Wireless IPSec Remote Clients Fail Connecting To ASA 5500

Sep 12, 2012

We have two ASA 5500 series Firewalls running 8.4(1).  One in New York, another in Atlanta.They are configured identically for simple IPSecV1 remote access for clients.  Authentication is performed by an Radius server local to each site.
 
There are multiple IPSec Site-to-Site tunnels on these ASA's as well but those are not affected by the issues we're having.First, let me start with the famous last words, NOTHING WAS CHANGED.
 
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel.  They would get prompted for their ID/Password, then nothing until it times out.Sames users going to the NY ASA are fine.After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
 
If they are using the wireless adapter for their client machine, they will get stuck trying to login to Atlanta.These same clients will get into the New York ASA with no problems using wired or wireless connections.Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client.  They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
 
Using myself as an example.
 
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues. 
 
2. The same creditials USED to work for Atlanta as well but have now stopped working.  I get stuck until it times out.
 
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
 
This makes absolutely no sense to me.  Why would the far end of the cloud care if I have a wired or wireless network adapter?  I should just be an IP address right?  Again, this is beyond my scope of knowledge.We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail.  We've also rebooted the Atlanta Firewall and nothing changed.
 
We've tried all sorts of remote client combinations.  Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior.  Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta.  The New York ASA is fine for wired and wireless connections.  Same with some other remote office locations that we have.
 
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection.  At first we thought the AAA/Radius server was rejecting us but is shows the same reject message for the working connection.  Again, both MAC and Windows clients show the same sequence.Where the connection fails is the "IKE Phase 1" process.

-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
 %ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
 %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
 %ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user

[code]...

View 1 Replies View Related

Cisco VPN :: ASA5510 7.2 - GRE Over IPsec / ASA And NAT-T?

Nov 20, 2011

I want to establish GRE over IPsec tunnel between four branch offices and head office. At branch offices, I have 1841 router with Advanced Security software. At head office, I have a ASA5510 7.2 as frontend with one public IP addres and 1841 router behind it in private address space. Since ASA is not supporting GRE tunnels, can ASA be endpoint for GRE over IPsec? If not, can ASA pass this tunnel to the 1841 router behind it, so 1841 would be logical tunnel endpoint? What should I pay attention? Should both ASA and every 1841 support NAT-T, or just ASA?

View 1 Replies View Related

Cisco VPN :: IPsec L2L VPN Between A ASA5510 And ASA5505

Jul 25, 2011

I have set up a IPsec L2L VPN between a ASA5510 and a ASA5505 which is working just fine.Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error.I have already searched the forum for this message to exclude all the possible reasons for this message:
 
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)

- the ACL's used in the crypto maps are exactly the opposite of each other

View 2 Replies View Related

Cisco VPN :: 837 Router To ASA5510 IPsec VPN

Mar 19, 2012

I have a 5510 running 8.42 code with multiple site to site tunnels coming into it.  Sites vary from ASA 5505's, 1841 and 1921 routers which all work perfectly.  That being said I think the ASA side is good.  I have an 837 running 12.4 code, Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(5b), I'm trying to configure it for site to site VPN back to the ASA.  When I ping from the E0 interface I get the following debug output and nothing else.  I've made a lot of changes to no avail in getting closer to a successful configuration. [code]

View 1 Replies View Related

Cisco WAN :: IPSec VPN Backup ASA5510

Jan 3, 2013

I have the need to configure a backup VPN, I have remote branches with cisco 800 routers that make a VPN to an ASA5510 in the main offices, but as a DRP I want to have a backup VPN to another site. I dont know if it is a failover configuration or backup VPN, how to start investigating.

View 2 Replies View Related

Cisco WAN :: ASA5510 Routing Through IPSEC Tunnel

May 20, 2013

I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.

View 6 Replies View Related

Cisco VPN :: ASA5510 - Latency Through IPsec Vpn Site Tunnel

Apr 26, 2012

I have an asa 5510 that has many(17)ipsec vpn site tunnels on it.  One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it.  It does appear to be the tunnel only because there is no latency to the internet.  I cleared the tunnel group out and readded it to no effect.  isp says everything fine.  any other known causes for this

View 2 Replies View Related

Cisco WAN :: Config ASA5510 For Multiple IPsec Tunnels

May 13, 2013

How to configure CISCO ASA 5510 for multiple IPsec tunnels?On other side is CISCO 2801.

View 20 Replies View Related

Cisco VPN :: ASA5510 - Slow Traffic On IPSec Tunnels

May 2, 2013

We have many VPN tunnels back to our corporate office.  All of these tunnels are very slow (same with our client VPN's).  Our main firewall device at the corporate office is an ASA5510.  We have a 100 Mb/sec Metro Ethernet internet connection here.  We do not allow split-tunneling.

Our remote sites vary.  We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down).  The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.

To take an example.  On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms.  And I'm pinging back through another 100 Mb/sec connection.  If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100.  Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue. 

Right now, all my MTU's are just set to the default 1500.  Perhaps this is too high.  I used this site to check my max: [URL]
 
I did a few tests from behind several of my firewalls.  I pinged from a machine on one side of the tunnel to the firewall on the other end.  I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right?  The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)

So, do I just need to set my MTU values to the appropriate amounts?  I have tried changing the value, but I don't see any change in speed/performance.  But I also don't know if I need to reboot the firewalls after changing the MTU.  I know with Catalyst switches, you have to reload.  But I didn't see any messages about needing to reboot on the ASA's/PIX's.

View 10 Replies View Related

Security / Firewalls :: IPSec VPN On ASA5510 Using DynDNS?

Nov 15, 2011

I want to configure a remote VPN for our clients on Cisco ASA 5510 using Dyn DNS as I dont have static IP address.

View 9 Replies View Related

Cisco Firewall :: Wrong Default Gateway VPN IPSEC ASA5510

Nov 24, 2011

I've configured a VPN IPSEC on my ASA5510. It Assigned IP/NETMASK/Gateway via a DHCP Server on the LAN.The problem is that when a client is connected to the VPN , it takes the right IP and NETMASK. ( 192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong ( 192.168.1.1). It should be the default Gateway of my LAN router ( 192.168.1.229).

View 7 Replies View Related

Cisco VPN :: Remote Access VPN On ASA5510?

Dec 11, 2012

how to configure simple VPN access for a user to login to the corporate network and access the resource and get emails I do not want to use CA certificate for authentication instead a very simple method is what i plan to start up with the configuration step so i can test this out.

View 4 Replies View Related

Cisco VPN :: ASA5510 Remote Access Vpn

Sep 20, 2011

I have access to my enterprise network through Cisco VPN (software) client and it goes through remote-access ipsec vpn setup on an ASA 5510. Everything works fine.
 
But now users that connect to the enterprise network have in addition need to access remote sites networks that are connected through the site-to-site VPN tunnels: IPSec tunnels between mentioned ASA5510 and remote ASA5510s and ASA5505s in branch offices.
 
there is NAT exemption rule that exempts networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24.All traffic from local network 10.1.1.0/24 have full ip connectivity with all the networks in branch offices. The PROBLEM is that remote vpn clients can reach only local network 10.1.1.0/24, but not the remote networks.
 
The ASAs in remote branch offices has set up NAT exemption towards both local network 10.1.1.0/24 and remote access clients network 10.0.5.0/28, but as I said, it doesn't go.

View 2 Replies View Related

Cisco VPN :: Remote Access VPN In ASA5510?

Mar 20, 2011

I like to create a remote access VPN in our company. But it already has a site to site VPN.
 
1. Can we implement it with existing ASA?

2. How many users can be logged in at a time?

3. Is the currently available bandwidth sufficient at a high traffic ? Current bandwidth is 2Mbps (Expect maximum 30 users at a time)

4. How can we make authentication using active directory?

5. Can we use default VPN client in windows with ASA?

6. How can we monitor user’s activity while logging in using VPN?

View 7 Replies View Related

Cisco VPN :: ASA5510 8.2 Outside Interface With Dhcp

Mar 14, 2013

on the outside interface i cant perform the command ip address dhcp setroute.I get the error: IP and subnetmask form invalid pair indicating broadcast or network address.The commands are there when I do the ? command.  It just will not accept the command with or without dhcp.I am trying to test an ASA-5510 as a 4G failover to our ASA-5520.  This is Verizon's solution but they did not provide IPs, they use passthru on the 4G modem so I'm trying to set up dhcp.  It worked a few days ago.  Not sure what Im missing. The IP I got last time from Verizon was 192.168.0.199. 

View 7 Replies View Related

Cisco VPN :: Remote VPN On ASA5510 Getting Static IP From ASA5520

May 22, 2013

i configured a remote VPN on cisco ASA 5520 and everythings seems to be working fine...DHCP IP were been lease to users that connect to the VPN. but the issue now is that our customer want a static IP to be given to a particular user when he connect via VPN.

View 1 Replies View Related

AAA/Identity/Nac :: ASA5510 With 2 Remote Access VPN And 2 MS IAS

Jun 17, 2011

We have a Cisco 5510 with 2 IPSec Connection Profiles each using a different IAS for authentication.If we add another VPN profile we need another IAS.With Cisco ACS can it be configured for different VPN profiles from the same ASA 5510?

View 4 Replies View Related

Cisco VPN :: ASA5510 - Windows 7 Connects To It But Not Remote Desktop

Mar 15, 2010

we just got several laptops that came with Windows 7 Pro 32bit installed, and we have installed the VPN Client 5.0.06.0110.  The VPN client appears to connect to our ASA5510, but we are unable to connect to any machines on our network as it does on our XP machines. 

Furthermore, we cannot ping any as well.  Also, while connected the Windows 7 machine is still able to access internet site as if split-tunneling was configured, which its not!  I've seen alot of people posting on the internet about the same issue, but I have not run into any resolutions that work.

View 14 Replies View Related

Cisco Firewall :: Connecting ASDM To ASA5510 Over Remote VPN

Apr 19, 2011

I have two ASA5510 with a peer to peer VPN configuration which is working pretty well.I'm trying to connect to my remote ASA (ASA2) with ASDM on my PC through the VPN on the local ASA (ASA1)I already connected the ASDM to ASA1 through the inside interface but I cant connect to the ASA2 the same way (over the VPN).
 
When I ping the ASA2 inside interface from my computer, I get the following events:
 
ASA1:
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built outbound icmp connection
192.168.2.1(ASA2 inside interface)  |   0    |   192.168.1.36  |   512  |  Teardown icmp connection
 ASA2
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built local-host Corporativo(outside):192.168.1.36
192.168.2.1(ASA2 inside interface)  |   0    |   192.168.1.36  |   512  |  Built local-host identity:192.168.2.1
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built inbound icmp connection
192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Teardown icmp connection
 
This is my config in ASA2
 
ASA Version 8.0(5)!hostname ciscosnqdomain-name chaco.com.boenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednamesname 192.168.2.10 SNQ-Servername 192.168.1.21 Srvplxaname 10.30.30.30 e-Servername 192.168.1.0 Experion-networkdns-guard!interface Ethernet0/0 nameif Corporativo security-level 0 ip address 10.64.12.6 255.255.0.0!interface Ethernet0/1 nameif ExP_LS security-level 90 ip address 192.168.2.1 255.255.255.0!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 nameif management security-level 100 ip address 192.168.0.2 255.255.255.0!boot system

[code]....

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved