Cisco VPN :: ASA5520 Remote Access VPN Pool Migration?
Nov 29, 2012
best way to migrate to a new pool for remote access DHCP address assignment. We are currently using a /24 pool, allowing us 253 IP Addresses... during the recent hurricane we hit 250 IP Addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23, however I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool?We are running ASA Version 8.2(1).
I am configuring IPSec Remote Access VPN on a ASA 5505. There are one external interface and one internal interface configured on the device. Internal interface connected to subnet 192.168.1.0/24.en VPN client get connected, I would like to assign the IP from some subnet(for example 192.168.2.0/24) other than the current internel subnet (192.168.1.0/24), but the VPN client can still access to 192.168.1.0/24. Is there a way to do this?
Is the following sysntax correct in removing a remote access vpn address pool and inserting a new one on an ASA5510?
(config)# NO ip local pool BWCVPN 192.168.200.1-192.168.200.128 (config)# ip local pool BWCVPN 192.168.300.1-192.168.300.128 (confif)# tunnel-group BWCVPN ciscovpn general-attributes (config-general)# address-pool BWCVPN
in our VPN configuration (ASA5520, Anyconnect VPN Client), we have different VPN User Groups. These Group Policies are retrieved from an LDAP Server.We'd like to restrict the acess like this:
A Group "Home User" might establish a VPN from anywhere on the Internet
A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public Source IP Address on the Internet (the public IP Address of this 3rd party Company). When these Users try to connect from any other IP Address on the Internet(Home, hotel, etc), VPN Access should not work!
On our old solution, we were able to limit the remote access network, per user group, to some source IP's.
The IP Filters related to group policies in here seem only to be filters concerning the VPN Address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists, where yoiu can define/restrict public access networks for some groups.Or is it possible to do that by Dynamic Access Policies? How?
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
Our customer has an ASA5520 Security appliance, I have already config the remote vpn in asa , user can logon via internet by vpn client and can access internal network,customer hope us can make some configuration if the remote user logon asa by vpn and notify them someone login their vpn by email .
I've recently migrated a PIX 525 to ASA 5520, but for some reason (through ASA) the users from OUTSIDE aren't able access services published in DMZ as well as some DMZ servers aren't able to communicate to some OUTSIDE services.
-INSIDE to DMZ is working fine. (through ASA)
-INSIDE to OUTSIDE is working fine. (through ASA)
Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem), what could be the cause?In the below case the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through ASA) and the OUTSIDE users aren't able to access DMZ web server (11.1.10.40) through ASA, this all just works fine with PIX.
can i have 2 pools each with diifferent subnet [code] i wanna put restricution on remote vpn users having address from pool-2,and just give them access to 172.16.10.0/24,is it possible on the asa 5510?
I have a existing wireless setup of 4400 WLC with some AP's connected remotely,now i am migrating the whole setup to the new WLC 5500. All the AP has been registered to the new WLC 5500 except the remote location AP's.As there was no option of giving IP address in GUI of the controller in 4400 WLC, i have changed the controller name and restarted the AP, but even though it is going back to the old controller.
i configured a remote VPN on cisco ASA 5520 and everythings seems to be working fine...DHCP IP were been lease to users that connect to the VPN. but the issue now is that our customer want a static IP to be given to a particular user when he connect via VPN.
I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan on Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely?Is this possible?
We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected, when we configure the second VPN matching the first the tunnel never begins to establish. There is an ACL that is dening the static IP for our remote office.
The layout is as follows:
Main office = ASA 5520 Remote Office A = ASA (Unknown Model) Remote Office B = Adtran Router
All devices have static IP addresses.
We used the ASDM VPN wizard to create both VPN's.
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
We have verified that both sides are configured the same however the VPN never is initiated so as of right now the ASA is simply blocking all attempts from our remote office to connect.
I have one issue on Vlan in Cisco 3750X switches , I have 2 Offices , I am sitting at corp OFfice and i have one 3750 ( 10.10.1.36)Switch at my location , in my remote office i have one more switch 3750 ( 10.10.33.1) and i am able to access the both vlan IPS with out any issue , now i have some network components in Vlan33 ( 10.10.33.1) at my remote office . i am able to ping 10.10.33.1 IP from my corp office , but i am not able to ping any network devices in 10.10.33.5 example : 10.10.33.5 is my Cyberoam IP at remote location and i am not able to ping , i have taken a trace route and not able to find the issue as i am not much femilar , ping 10.10.33.5 at remote location devicec
I am giving the Configuration for both locaitons below :
10.10.1.36 - Corp Office 3750 Switch: sh run L3-#sh running-config Building configuration...
I cannot access WLSE, after migration from ACS 4.2 to ACS 5.2. WLSE was configured with tacacs+ management. In ACS 5.2 I've configured the optional custom attributes: groups = "System Admin"
I have just upgraded a ASA5510 from 8.2 to 8.3 using migration tool.All seemed to go well, still double checking the config as this is a bench test of upgrade prior to filed upgrades.
Anyway one thing that is slightly frustrating is that the migration has expanded all of my access-lists, so we maybe had 10 lines of config relating to access-lists based on access-groups, now we have hundreds of lines.On ASDM this is bad enough but on CLI with show run its a bit of a bind.
Is there any way to un-expand the access list or do I simply delete and start again using my access groups.
I need to access remote users system for troubleshouting and I cannot ping or access anything on their laptop when they are connected to VPN. For example, a user would get an IP of 172.16.4.132 when logged into vpn but I cannot ping him from the CLI, or can I access his laptop via RDP. S 172.16.4.132 255.255.255.255 [1/0] via 207.x.x.x, dmz What could be the issue and how can I fix this? Im on 10.8.24.0/24 network S 10.8.0.0 255.248.0.0 [1/0] via 172.16.0.7, Internal which has a route to 172.16.0.0/16 C 172.16.0.0 255.255.0.0 is directly connected, Internal The ASA is 172.16.0.3 which i can ping from my desktop on 10.8.24.0. Device info: This platform has an ASA 5520 VPN Plus license. Cisco Adaptive Security Appliance Software Version 7.2(5) Device Manager Version 5.2(5) Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA Compact Flash, 256MB BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
I am creating access rule on a ASA5520 running ASA 8.2 (1) and ASDM 6.2(1) and found that the GUI has less option then when creating access rule on a ASA5505 running ASA 7.2 (3) and ASDM 5.2(3) (see attachment). Is there an option that enables me to get the same configuration options on the ASA5520 running ASA 8.2 (1) and ASDM 6.2(1) as I have on the ASA5505 running ASA 7.2 (3) and ASDM 5.2(3).
I recently had a vendor configure our 2 firewalls (ASA5520). We are replacing a active-failover PIX525 firewall in 2 locations. After the vendor configured the new ASA5520's, I was unable to access the ASDM. The configurations are a basically modified versions of the config on the PIX525. I did find that they did not set the ASDM image path. [code]
I have tried from my browser as well as downloading and installing th ASDM on my computer.
I have an ASA 5520 new. I am trying to migrate from a PIX 515E. I can connect via the CLI and ASDM on the management port (IP 192.168.1.1 the default) What I am having an issue with though is when I change the management port to 10.0.1.1 via the CLI or ASDM I can no longer use ASDM. I issue the show IP command in the CLI and I see that the IP has indeed changed but I still can not get into it. I must be missing something really simple, but this is driving me insane. I want to change the IP because I need the a different interface to be 192.168.1.1.
Im currently connected to a remote acess vpn setup using the vpn client and am unable to get anywhere around my network, this normalyl works fine The only difference i can see is that the are multiple virtualaccess interfaces pointing to my public ip address, which im presuming is causing routing issues How can i clear these unsed virtual access lines and how can i make it forget them automatically after disconnects?
We have an ASA5510 and a few days ago we were unable to access some segments from remote access VPN, the problem was not the config. A few hours later the problem was resolved on its own and I suspect we have an IOS bug. This has happened a few times in the past and its becoming an issue. How can this be confirmed and which IOS should we upgrade to? Prefer not 8.3 given the syntax difference
Based on my diagram, my computer A (192.168.100.11) can ping and access my computer B (192.168.10.14). But, when i'm home and i use remote access vpn (192.168.200.x) in cisco asa 5520 to connect to my computer A is okay. But, when i try to ping my computer B is not okay. I already do the exemption for 192.168.100.x and 192.168.10.x in nat rules for inside interface (192.168.100.2) ...
Should i put routing from outside 1.1.1.2 to 192.168.10.x by using 192.168.100.1 as a gateway?
How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel? I'm using an ASA5520 running 8.04.
I am using a range of IPs from my inside LAN for my IPSec VPN clients. For example my inside network is 172.16.1.0/24 and I have a pool setup like this: ip local pool vpnpool 172.16.1.200-172.16.1.210 mask 255.255.255.0.
Before the upgrade to 8.4 it was working and now it isn't. Clients can connect and pickup and IP but can't cominuicate with the inside LAN. I think I have to do manual NAT to nonat this range. So I want to try the following:
object network obj-vpnpool range 172.16.1.200 172.16.1.210 nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
However there are two things preventing me from doing this:
1) When I try to create obj-vpnpool I get an error stating that this object overlaps with local pool 2) Even if I create the obj-vpnpool with a non-overlapping range, when in the VPN config I don't have an option for selecting obj-vpnpool.
ON ASA, I understand that we can assign a static IP for a specific VPN client, or we can use a DHCP pool to assign IP. Now if I want to create DHCP pools, say pool_A and pool_B, for user A, B and C they use the IP from Pool_A, and user D, E, and F they get the IP from pool_B. Is there a way to do this in ASA?
I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initialy I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had it’s own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy? Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.Can it be done ? ACS version is 5.2.
We have the configuration below set up in a 3560 switch (addresses and names modified for privacy). We are running out of dynamic IP’s in the current pool (6.35.159.0 – 6.35.159.255). We have a new set of IP’s that we can use (6.44.56.0 – 6.44.57.255 – an additional 512 addresses). Although I can figure out the commands to add a new dhcp pool, secondary subnet, etc., I’ve never done this before so I’m not sure of everything I need to do. The end result I need is that the 3560 needs to be able to hand out IP addresses from the current and new pool to anything connecting to vlan 300 – our datanet where computers access the Internet. What I need to do as far as modifying the vlan, adding the secondary subnet, defining helper IP’s, gateways, whatever, so that computers connecting via vlan 300 have Internet access via either of the pools? I have been told that all I need to do is create the pool, but not sure if that is correct...
We are testing the upgrade from version 8.2 to 8.4 on an ASA 5505 and ran into a problem. For VPN connections we had pools created. A few of the pools were limited to a single IP address. After the upgrade the ASA rejects the pools that only had one IP address instead of a range. In the command line if you enter a question mark after typing in "ip local pool (pool keyword)" in config mode it says "Specify an IP address or a range of IP addresses:start[-end]" with the word "or" it sounds like it should except a single IP address but it doesn't. The error is "Please enter a valid IP address range."
