Cisco VPN :: Creating GRE Tunnel Over ADSL Between ASA 5510 And 2901 Router?

Jul 6, 2011

I've been looking to see if it's possible to create a GRE tunnel between a Cisco 2901 with 3 ADSL WIC cards and a Cisco ASA. The Cisco 2901 is at our remote office and we have 3 ADSL lines for resilience as they tend to go down a lot. The Cisco ASA is at our Head Office sitting behind our ISP's managed router.
 
The desired end result would be to have three GRE tunnels, 1 for each DSL line terminating on the ASA at head office and use EIGRP routing protocol to move traffic across to another tunnel should one fail, and encapsulate all of that with IPSEC.




Cisco WAN :: Connecting ADSL Line On HWIC-ADSL On Router 2901?

Aug 24, 2012

I have a problem with my ADSL line connected to an HWIC-ADSL on a 2901 router. It was working well until yesterday. The ATM interface is down but the interface dialer is up. I connected this line to a home ADSL modem and the line is working well.


Cisco Switching/Routing :: Use 2901 Router With Two ADSL Cards

Dec 5, 2011

I want to use the Cisco 2901 router with two ADSL cards (EHWIC-VA-DSL-B) and would like to know if that is possible without any restrictions with the IP Base license.


Cisco WAN :: Have ADSL Router (887) At Site Which Has GRE Tunnel To 3745

Sep 14, 2011

Have an ADSL router (887) at a site which has a GRE tunnel to a 3745. The GRE tunnel is set up with the default ip mtu of 1476. If I ping from the 3745 to the ADSL router (or in the reverse direction) with a packet size of 1500 bytes this works fine. However, if I ping from a router (R1) that is directly connected to the 3745 to the ADSL router with a pkt size of 1500 bytes then the first ping succeeds while the subsequent pings fail. Pkt sizes less than or equal to 1476 work okay. Pinging between R1 and the 3745 with a packet size of 1500 bytes works fine. If I set the tunnel ip mtu size to 1500 bytes then it works. This is obviously something to do with fragmentation, but I don't understand why it doesn't work with the default mtu set to 1476.


Cisco :: No Traffic Gre Tunnel 2901

Nov 6, 2012

I am trying to make a GRE tunnel with 2 Cisco 2901 routers. Ping responds between the tunnel IP ends, but I don't have pings from the PCs inside the networks. [code]


Cisco VPN :: No Traffic GRE Tunnel 2901

Nov 5, 2012

I am trying to make a GRE tunnel with 2 Cisco 2901 routers. Ping responds between the tunnel IP ends, but I don't have pings from the PCs inside the networks.
 
[code]....


Creating A Permanent VPN Tunnel

Jul 10, 2012

I have a VM (Alice). I want to route ALL its traffic through a server of my own in the UK. It needs to be 'fail-safe' in the sense that the traffic must either be routed through the server, or not at all (e.g. with the Windows VPN dialer, if the VPN connection is dropped it will immediately begin routing traffic normally again - that's not acceptable*). I need to run Windows on the VM; the server can be anything. The VM is connected to the internet via a Linux firewall/router box in my house (set as default gateway for the VM). How can I set this up?


Cisco WAN :: CERM-4-Tunnel Limit Error On 2901

Oct 11, 2012

I'm getting the following error in the log of a 2901:
 
%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.
 
I'm a bit confused by this since there is only 1 active SA at the time. Here is some more info:
 
2901#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
  CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
  IPSec-Session :   768 active,  2800 max, 0 failed


Cisco WAN :: 5510 Two Router Branch Routing Design With T1 MPLS And ADSL

Feb 29, 2012

I'm looking for Routing Design scenarios to complete our configuration needs for remote branches. We will have two 1921 routers in each location, one with a T1 from our MPLS carrier, the other with a DSL connection from an ISP. The T1 router will have an assigned AS and use BGP to route back to headquarters. The DSL router will have an IPSec tunnel back to an ASA 5510 at headquarters. I envision a GRE tunnel from the DSL router back to head end routers connecting to MPLS at headquarters. Not sure yet how to manipulate the routing between headquarters and the branches such that the T1 router is the primary route to and from the branches and the DSL router is for failover/backup.


Cisco Firewall :: ASA 5510 Object Groups / Creating New ACL

Jul 20, 2011

I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am forced to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
 
My question is: can I create a new ACL, let's call it new_access_in, and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.


Cisco WAN :: 2901 To ASA 5510 Via Leased Line Poor Throughput

Feb 16, 2012

I have two sites connected via 2901 routers to a head end with an ASA 5510, the WAN circuits are LES running at 100MB and at the head end we have a 100MB leased line. All WAN circuits are provided wires only by another supplier. I have set up the two 2901 routers with inside IP addresses on GE0/0 and a /30 subnet for the GE0/1 interfaces to the ASA over the LES circuit.
 
The LES circuits are set to 100MB but the problem I am having is that one of the 2901s will only negotiate at 10MBps Half Duplex with the ASA at 100MB Half Duplex, the other will negotiate at 100MBps Full Duplex at both ends.  My WAN provider tells me both LES circuits are the same so I cannot work out why one will negotiate at 100MB Full and the other at only 10Mb Half.
 
At the head end I have an ASA 5510 connected to the WAN provider's 100MB circuit but testing from my end sites I can only get 6MB download and 0.5MB upload on an Internet Speedtest.
 
I used Wireshark when downloading from my end sites and I can see lots of TCP retries and duplicates so I think this is a duplexing issue, my question is, my WAN provider is stating the issue is nothing to do with them and it is my 2901 and ASA that is at fault, they state if they connect a laptop to the LES circuit and then their leased line they get 100MB up and down.


Cisco Firewall :: 2901 / ASA 5510 Guest Internet Access?

Jan 15, 2012

I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.


Cisco VPN :: 2901 / 2951 - Site-to-Site VPN - Constant DPD - Tunnel Drops

Dec 12, 2012

We have approx 40 branch offices - all of which are connected to a single core site over VPN Tunnels using various gear. At one particular site, we are having issues with the tunnel dropping sporadically throughout the day - some days it happens 10 times, some days it happens none. This just randomly started happening two weeks ago, without any changes taking place. Since it started happening, I have upgraded the code to latest versions, but still the issue persists. This particular site has a 2901 and connects back to a 2951.
 
Below is the output from:

debug crypto ipsec
debug crypto isakmp

[code].....


Cisco Routers :: SRP527W Act As L2TP Tunnel Initiator Over ADSL PPPoE Interface

Jan 29, 2013

We are using SRP527 routers with PPPoE ADSL connections. From the SRP527 we create an IPSec tunnel to our core routers (Cisco ASR). We are wanting to change the IPSec tunnels to L2TP, and I need to know if this can be done from the SRP527. I cannot find any L2TP configuration options in the setup options. Can the SRP527W act as an L2TP tunnel initiator over the ADSL PPPoE interface?


Cisco VPN :: 851 - Creating Site To Site VPN Tunnel To 887?

Nov 16, 2011

I have a site with a 887, they use VOIP and one user wants a phone at home (as remote extensions, firewalls and NAT, and voip don't really mix very well)
 
They have a dynamic IP on a cable line at the moment...
 
I was thinking of using an 851, plugging their cable modem into that and creating a site to site VPN tunnel to the 887.
 
Will the 851 do this? I don't want to spend money I don't have to...
 
Will this work generally? And with the dynamic client IP (could I set up the 887 as an EZVPN server and the 851 as an EZVPN remote?)


Cisco VPN :: 5510 - How To Create ASA / VPN Tunnel

Jun 11, 2013

We currently run dual ASA 5510's in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. Trying to decide between a 5505/5510/5512x. We would like to extend many of the capabilities of our network to the branch campus which will be 20-50 users on a 50mb/10mb internet connection.
 
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
 
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?


Cisco VPN :: 5510 - Get A Tunnel Established?

May 2, 2012

I have two 5510's that I am trying to get a tunnel established between. One has an existing tunnel to a 5505 that works but I can't get the next one to get past the first phase. I have sanitized the attached configs.


Cisco VPN :: 5510 VPN Tunnel Looks Up But No Ping

May 30, 2012

I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.


Cisco VPN :: ASA 5510 / VPN Tunnel Drops Due To Inactivity?

Dec 12, 2011

I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel, when our clients send traffic and the tunnel is down due to inactivity it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?


Cisco Firewall :: 5510 - VPN Tunnel Between Two Locations

May 23, 2011

Firewall ASA5510. I'm planning to get an ASA5510 for our office in order to secure our network properly, however we have quite a specific routing configuration to allow us failover to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install the firewall between our ISP Router and the internet and allow traffic to/from the Data Centre. In this situation will I have to change the routing configuration on the Company Router, or do I have to do anything with our Company Router?


Cisco VPN :: ASA 5510 - Configuration To Do NAT Of Incoming Tunnel

Apr 25, 2013

I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPSEC site-to-site tunnel to a partner network of 166.110.0.0/17. I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.024, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22. My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel.


Cisco VPN :: No Traffic Over Tunnel Between ASA 5505 And 5510

Dec 5, 2010

I've an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are accomplished but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.


Cisco Firewall :: VPN Tunnel Between 5510 And Rv042?

Nov 27, 2012

I don't know if this is in the right section, but I cannot set up a VPN tunnel between an ASA 5510 and a Cisco RV042 router. I believe the problem is because I need to set up a NAT exempt rule on the RV042 route but don't know how.


Cisco Firewall :: 5510 / L2L Tunnel Keeps Dropping?

May 15, 2013

I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop.


Cisco Firewall :: ASA 5510 - Vpn Tunnel Not Working From One End

May 9, 2013

I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
 
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
 
Obviously our crypto maps don't match. I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?


Cisco Firewall :: VPN Tunnel Not Working From One End ASA 5510

Dec 5, 2012

I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
 
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
 
Obviously our crypto maps don't match. I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?


Cisco LAN :: Debug An Ipsec Tunnel On An ASA 5510 (8.4(3))?

Mar 5, 2012

I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get a constant stream of TCP debugging events. Is it possible to only view ipsec messages?


Cisco VPN :: ASA 5510 / RVS 4000 - VPN Tunnel Reset

Nov 7, 2012

I have an ASA 5510 at V8.2(5) with something near 20 site to site VPN tunnels. I am having a problem with 1 tunnel to a RVS4000. The tunnel is completely closed and reset during Phase2. Here is a small snippet at the time of the tunnel reset:
 
x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPsec, Duration: 7h:36m:30s, Bytes xmt: 333755, Bytes rcv: 86281, Reason: User Requested
Followed by Group = x.x.x.x, IP = x.x.x.x, Active unit receives a centry expired event for remote peer x.x.x.x.
 
We use a number of connection oriented sessions and this is blowing them out of the water. All other tunnels are up for DAYS to more than a Month.


Cisco VPN :: 5510 - Traffic Through Tunnel Is Very Slow

Jun 8, 2011

I got a strange VPN problem. I just added a new VPN tunnel to our ASA5510 and then the users report that the traffic through the tunnel is very slow; when I try it myself I get a speed like 50kb/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is through the ASDM VPN wizard.


Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some questions about VPN client and SSL VPN. On my ASA 5510 I have many tunnel-groups, around 5 tunnel-groups, and I have one SSL VPN. I also have 20 users. Let me show you:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
And I have around 20 users and I want to assign specific users to tunnel-groups like this:
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, how can I manage tunnel-groups with users?


Cisco VPN :: 5510 - Connection Fails Using Full Tunnel?

Mar 31, 2012

We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?


Cisco VPN :: 5510 - IPSEC Tunnel Won't Attempt Connection

Jul 31, 2012

I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations from Cisco ASA configs, as well as every source I can find. I have walked through the config with IOS commands as well as Wizards. All my packets are dropped at the inside or outside interface.
 
When I show SH ISAKMP command all I get are 0's straight down.


Cisco VPN :: ASA 5510 - Internal IP From Sonicwall LAN / Setup A VPN Tunnel?

Nov 5, 2011

I am trying to set up a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and a Sonicwall TZ200. I got the tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN but nothing else works.

When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows;

[code]...







