Cisco VPN :: IPSec On ASA5520 With ADSL Peers Ok But Not Fine With Mobile

Jun 18, 2012

We have an ASA5520 configured with an IPSec VPN. From any ADSL home/office our VPN clients can connect without any problem, but when we use our cellular phones in tethering mode (as an access point) our VPN clients are unable to connect. Same machines, same software, same operating system, same remote IP (ASA5520 external IP); only the Wifi connection changes (ADSL to cellular phone). The signal of the cellular phones is not the problem: we did the tests with different phones (iPhone & Android), different locations (all in Spain) and different providers (Vodafone, Orange and Movistar) of internet by cellular phone. We think that perhaps the problem is the licenses that our ASA5520 has.

Our ASA5520 comes with these licenses:
------------------------------------------------------------------------------------------
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual

[code]....


Cisco VPN :: One ASA5520 With Two Peers Interfaces

Feb 17, 2011

I have a location where I have 2 WAN links, but without a dynamic routing protocol in between. I want to implement a kind of hub to 2 spokes VPN. But the spokes will actually be on one single ASA firewall, each spoke on a different interface. One hub-spoke will be primary, the other one the secondary. When the WAN link for the primary VPN fails the secondary should be started on the hub to the other spoke.


Cisco VPN :: Get 2811 To Accept Two IPSec Peers?

Dec 12, 2011

I am trying to get a 2811 to accept two IPSec peers however can only get one working at a time. I have setup fa0/0 and fa0/1 with their own public facing IP addresses with crypto maps associated to each interface however can only establish connectivity to one interface at any one time.
 
Relevant configuration below:
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800

[code]....


Couldn't Connect To Mobile Hotspot But Other Networks Fine

Mar 11, 2013

Couldn't connect to mobile hotspot but could connect to other networks, none of which were from a phone. When attempting to connect to hotspot, my phone displays the information of my computer as name unknown, IP address 0.0.0.0, but gives a MAC address. (My computer has a name, I can't find my IP address, idk what a MAC address is.) I tried using remote desktop connection, but the computer I was trying to connect to couldn't find mine.

To be honest, I'm not sure I did it correctly, though. Displayed as 0.0.0.0 on phone when attempting to connect to mobile hotspot. I typed ipconfig in command prompt but got nothing about an IP address. There were several lines that began with "Tunnel adapter" all followed by "Media State : Media Disconnected" then "Connection-specific DNS Suffix:". I currently have no internet connection (I'm on my phone), so I can't find it that way either.

Under Network Location it specifies that it cannot connect to MEMORYCARD (\EPSON00) (Z:) and upon clicking on it I receive an error message: "Microsoft Windows Network: The network path was not found. This connection has not been restored." I've spilled water on my keyboard before, but this took place after these problems arose. I dried the computer and had it sit with rice for 2 days. The only issue that came of this incident that I am aware of was a few stuck keys.


Cisco Firewall :: Unable To SSH ASA5520 Using IP Works Fine With Hostname?

Jan 7, 2013

I am able to access the ASA via hostname but with the IP address it does not work. I need to know what config I need to put so I am able to access it using the IP by SSH and ASDM. The ASA is a 5520, version is 8.


Cisco Switching/Routing :: ASA 5525 - Configure Site-To-Site IPsec VPN To 3 Peers

Nov 21, 2012

I have an ASA 5525 and need to configure site to site ipsec vpn to 3 peers. I currently have an existing /28 public address from my ISP that is used by other services. Is there a way to use this existing ip range to configure IPSEC tunnels to 3 peers?


Use Adsl As Wifi For Mobile Phone

Aug 22, 2012

I want to do this connection: DSL cable --> Modem --> Wireless Router --> use WiFi on my mobile. Is it okay or do I need a PC in between? I don't have a PC with WiFi connectivity.


Use Mobile Signal Alongside ADSL?

Apr 28, 2013

I'm using a Windows 7 PC with Orange 20mb ADSL and the other day the broadband went down, so I connected my iPhone 5 on EE up, and did a speed check and averaged 7mbps down and 2 up (the upload is double the ADSL!). I noticed on the network and sharing menu, there's an option in the 'change adapter settings' that allows you to bridge connections, so I selected both the ADSL router and iPhone connections together, right clicked and selected 'Bridge connections', and after a moment a third connection appeared, but there doesn't appear to be an option to just select using that connection, only disable it, so I thought that it was bridged.


Cisco VPN :: ASA5520 -AnyConnect Does It Do IPsec

May 15, 2012

I have a Cisco ASA5520 with Software Version 8.2(5) in place, most my users are Mac Users and I am currently looking into Cisco AnyConnect in comparison to using VPN client.
 
I have a couple of questions
 
1) Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?
 
2) From the license information I have below in my ASA I understand that I can have max 750 vpn peers however am I right in saying that this does not apply to Cisco AnyConnect peers? and that with Cisco AnyConnect I can only have 2 peers? Also what are the disabled anyconnect options for?
 
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150

[Code]....
 
3) When trying to set up Cisco Anyconnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images however when I did this by uploading the .dmg file for mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?


Cisco VPN :: ASA5520 - IPSec L2L VPN Remote Peer Is Being Denied

Mar 18, 2012

We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected; when we configure the second VPN matching the first, the tunnel never begins to establish. There is an ACL that is denying the static IP for our remote office.
 
The layout is as follows:
 
Main office = ASA 5520
Remote Office A = ASA (Unknown Model)
Remote Office B = Adtran Router
 
All devices have static IP addresses.
 
We used the ASDM VPN wizard to create both VPNs.
 
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
 
4          Mar 19 2012          15:18:01          106023          67.50.19.230          50234          TWT-hq-e          31326          Deny udp src TWT-outside:67.50.19.230/50234 dst inside:TWT-hq-e/31326 by access-group "outside-in" [0x0, 0x0]
 
We have verified that both sides are configured the same however the VPN never is initiated so as of right now the ASA is simply blocking all attempts from our remote office to connect.


Cisco VPN :: ASA5520 - IPSEC Tunnel On Android Comes Up But L2TP Doesn't

Jan 25, 2011

We have an ASA 5520 running 8.2(3) software and we're trying to make Remote Access VPN (l2tp/ipsec) work from Android. We succeeded in making the IPSEC tunnel (ending "Phase 2 completed"), but we cannot make the L2TP tunnel work. We're using RADIUS for L2TP authentication, but the ASA doesn't even try to check credentials entered by the user. The same set of credentials entered on Windows {XP, VISTA, 7, Mobile} works ok. Which debugging options should we turn on?


Cisco VPN :: ASA5520 - IPSec VPN Client And Multiple Target Networks

Sep 9, 2012

I am using an ASA 5520 running 8.2(4). My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPSec client and be able to establish tcp connections to servers at 192.168.210.x and 10.21.9.x and 10.21.3.x, I believe I am close to having this resolved, but seem to have a routing issue.


Cisco VPN :: Iphone Ipsec To ASA5520 Not Communicating To Local Devices

Aug 16, 2012

I have an existing ASA5520 which is already working with remote clients using Cisco vpn client configured using ipsec over tcp. I am now trying to get vpn access for iPhones working and having a problem where once connected the iPhone cannot ping any internal device. The configuration on the iPhone does not allow for IPsec over tcp and therefore uses udp 500 by default. If I create a new profile from a pc and do not use ipsec over tcp it has the same issue where it establishes a vpn tunnel but cannot ping any internal device; as soon as I change the profile to ipsec over tcp it works fine.


Cisco Firewall :: ASA5520 IPsec Client Reverse Path Failure

May 4, 2011

ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.13.50 dst DMZ2:192.168.13.15 (type 8, code 0) denied due to NAT reverse path failure
 
Can't seem to get around this one yet. I have a remote ASA that I can VPN into. It has 2 DMZs, outside and inside interface configured.
 
Inside subnet is 192.168.11.0 / 24
DMZ2 is 192.168.13.0 / 24 
VPN client pool is 192.168.15.0 /24
 
I log in fine. But have no access to the DMZ2 subnet. I get the failure listed above.


Cisco WAN :: 3845-2 - IPSEC From Behind ADSL Modem

Apr 9, 2013

I'm trying to set up an IPSec tunnel between 2 3845 routers that each sit in a private LAN behind an ADSL modem.  Each modem does have a static public IP address from the ISP.
 
Thus:
 
Cisco 3845-1 <-> ADSL modem <-> WAN <-> ADSL modem <-> Cisco 3845-2
 3845-1 
Gi 0/0 - private ip
l
NAT

[code]....
 
So I would like to set up IPSEC between the GI 0/0 interfaces on the 3845's.


Cisco WAN :: 1941 ADSL Fail Over To 3G HWIC With IPSEC VPN

Jul 23, 2012

The setup is a S2S VPN with failover to 3G HWIC in a Cisco 1941; however, the IPSEC tunnel needs to remain up through 3G if ADSL fails. The failover works ok; however, when plugging ADSL back in, "sh crypto session" shows both dialer 0 and dialer 1 with the crypto map session to the other side of the VPN, and either side is now not pingable. The NoIP DDNS updater client runs on a server in the network and all IP resolution to host1, host2 works ok (other side of VPN is Cisco 1921 with ADSL HWIC and 3G HWIC). [code]


Cisco VPN :: Create Multiple IPsec Tunnels On 837 ADSL Router?

Nov 4, 2011

I need to create multiple ip-sec vpn tunnels on a Cisco 837 ADSL Router. I am able to create one tunnel but the second connection is asking for the outside interface which is atm and already taken by the first tunnel. How can I create more tunnels?
 
Secondly, after creating the first tunnel I am able to access the remote lan network but when I tried tracert "remote lan ip of a pc" from my pc I got "request timed out" after passing my 837 but succeeded in reaching the target. Does tracert need something to be opened in the router?


Cisco VPN :: ASA5520 - Access-list For Site-to-Site IPSEC Tunnel

Dec 1, 2011

How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel?  I'm using an ASA5520 running 8.04.
 
I have four hosts say: 10.240.1.1-10.240.1.4
 
They need access to two different networks:

205.100.150.0
140.175.200.0
 
I would like to NAT them as something like:

7.5.210.1
7.5.210.2
7.5.210.3
7.5.210.4 


Cisco VPN :: Site To Site IPSEc Tunnel Between ASA5520 And IPSO

Aug 10, 2011

I cannot get it to work: if interesting traffic comes from the IPSO side, the box would not even try to set up the tunnel, and if it comes from the ASA side, the box attempts to do so but with this strange message: AM_WAIT_MSG2


Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
 
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
 
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
 
My 2nd is that I have debug enabled on my rules but am not logging anything.


Cisco :: Creating Dial Peers Through Sip Trunks?

Sep 24, 2012

Had a question regarding creating dial peers through SIP trunks. It will be through Verizon FiOS so it'll be terminated through the fa0/0 port. I know that to the provider I'll implement something along the lines of this:
dial-peer voice 1 voip
session target ipv4:1.2.4.4
sipv2
port fa0/0
Much of the documentation I came across really only shows POTS dial-peers. Will a VoIP dial-peer work the same? Something along the lines of this:
dial-peer voice 2 voip
destination-pattern 91[2-9]..[2-]......
no digit-strip
port fa0/0


Cisco VPN :: ASA 5505 EasyVPN Client And Peers

Jul 11, 2011

I have a Cisco ASA 5505 which is set up as an EasyVPN client to a remote VPN concentrator.
 
The Cisco ASA has the 50 internal user license with 10 VPN peers.
 
We just upgraded the license from the base 10 internal user to 50 user license but it has not resolved the problem and only 10 internal users still work, the 11th fails.
 
Does each EasyVPN client on the inside network take up 1 of the 10 VPN peer licences?
 
This seems to be the issue from what I can see, just need confirmation.


Cisco Firewall :: Two ASA 8.4 (2) Tunnels / Only Some Remote Peers Are Reachable?

May 6, 2013

I have one ASA with two tunnels, each going to a different 3rd party Checkpoint firewall (site A, site B). Each site has two servers (A1, A2, B1, B2). I can only connect to A1 and B1. Any connection to A2 and B2 fails. I have defined B2 and A2 in the crypto map to be protected. If I only have B2 or A2 in the crypto map ACL then the tunnel fails. Phase 1 does not come up. It's as if the ASA is ignoring the entries for B2 and A2. The ASA is running 8.4(2). I have also trashed the VPN and built it via the wizard, same result.


Cisco WAN :: C2821 - How To Configure Priorities For Multiple BGP Peers

Jun 20, 2012

At our organisation our routers all have at least 3 BGP peers, each from a different connectivity provider. The different providers that we use all have different internet transit CDRs. Is there a way that I can configure a priority for the 3 BGP peers on our routers so that outbound traffic to the internet is sent to the BGP peer from the provider with the highest CDR?
 
Routers are C2821


Cisco WAN :: 6500 Unable To Configure Further Ntp Peers On Router

Nov 5, 2012

What is the reason for the following NTP error? I am unable to configure further ntp peers on the router. I am not able to understand the reason for 100 peers. I am adding only a 2nd peer on the router but getting this error. There is no problem adding peers in other 6500s.


Cisco :: 6500 - Monitoring IPv6 BGP Peers Via SNMP

Nov 5, 2011

I'm running 12.2(33)SXJ1 on a 6500 with several IPv6 BGP peers. Is there any way to monitor the BGP status of IPv6 peers? I've been through the BGP4 MIB and can't seem to find a way to check the status of IPv6 peers.


Cisco WAN :: AS100 / Multiple Upstream EBGP Peers?

Nov 11, 2012

I am imagining a smallish network (AS1234) with say three full BGP table peers that provide transit to the network (just to keep the maths simple here). Let's say AS100 and AS200 are preferred transit providers with AS300 as a backup/least preferred (AS prepends or similar stop us from using this network by default). So in this scenario our little network gets two different paths across the Internet, so as not to rely solely on one provider, with a backup provider to hand also.
 
How do you manage issues like packet loss somewhere in AS100's or AS200's network? So let's say a host on our AS1234 network is talking to a host in AS888 and the preferred route is through AS100 but somewhere deep in AS100 a link is flapping (for example) and I can't get to AS888 reliably through there anymore, but I can get through to other peers of AS100 OK. We can postulate that AS100 is the best path for 50% of the Internet and AS200 for the other 50% (this is a best case fictional scenario). I can't ping 50% of the internet via AS100 and then in the event a ping fails (or some other more reliable test) tear down the BGP session to use AS100 until it's fixed again, nor vice versa with AS200.
 
First of all, I assume you don't know about the issue between AS100 and AS888 until someone moans about it to you? Secondly, do you then somehow modify the route(s) to AS888 that come from AS100 (route map for example to change the weight or preference) so AS200 is now preferred for AS888? Do you in fact shut down the AS100 peering and now use AS200 & AS300? How do you rectify these situations that are beyond your control using what is in your control?


Cisco WAN :: Connecting ADSL Line On HWIC-ADSL On Router 2901?

Aug 24, 2012

I have a problem with my ADSL line connected on a HWIC-ADSL on a 2901 router. It was working well until yesterday. The ATM interface is down but the dialer interface is up. I connected this line to a home ADSL modem and the line is working well?


Cisco :: AiroNet 1142N Wireless Client Isolation / Peers Cannot Access

Apr 3, 2013

A Cisco RV220W router/firewall connects the local LAN to the internet. The router is connected to a new Cisco SG300-28P switch configured in Layer 2 mode. There are two new AIR-1142N wireless access points running in autonomous mode connected to 2 ports on the SG300 powered through PoE. The AIR-1142N access points are running the latest firmware version 15.2(2)JB. There are two VLANs defined: VLAN1 is the native on all devices, and VLAN2 is for wireless guest traffic to provide access to the internet only. Internal/staff traffic is on 192.168.100.x, and the wireless SSID is MYNetS. Guest traffic is on 192.168.200.x and the wireless SSID is MyNetG. IP addresses are being assigned by the RV220W.
 
All works well with one exception. Wireless clients on the internal SSID are able to ping/access the switch, router, and other clients on wired ports on the switch. The router, switch, and wired clients can ping wireless clients. However, wireless clients on the same SSID and the same 1142N cannot ping/access one another. They are being isolated from each other. We absolutely need to have this capability. The SG300 does not have port security enabled on any port. None of the workstations/laptops have a firewall enabled. These laptops are all Macs btw. I have checked that neither of the 1142N access points have Public Secure Packet Forwarding enabled on either of the VLANs. I am at a loss as to why the wireless clients are being isolated.


Cisco Switching/Routing :: 5548 - Multiple Peers Detected On Mgmt0

May 1, 2012

I keep seeing these messages in my logs very frequently on a Nexus 5548UP.
 
     %LLDP-3-DETECT_MULTIPLE_PEERS: Multiple peers detected on mgmt0
 
What might be causing these? Google has shown less than desirable amounts of information on this message.


Dell :: WWLAN DW5620 Mobile Broadband Gobi 2000 Mobile Broadband Utility

Aug 9, 2011

I need to change providers from Verizon to AT&T.  This modem came with the AT&T Sim card installed in my notebook.  The software (Dell Mobile Broadband Utility Help) says " Choose Network Selection from the Settings Menu. Select AT&T and click Load."  Unfortunately, Network selection is not an option.

How do I do it?  This modem is compatible with Verizon, AT&T and Sprint networks. 


Cisco VPN :: Redundant Site To Site VPN Peers ASA 5510

Oct 10, 2012

I have the topology below:
 
                              internet
                                  |
                                  |
                            Gateway2
                                 |
                                 |
                                 |
RX========== <sw 2960g>==========(Gi0/1)(Gi0/2)Gateway 1 ============>internet
                                 |
                                 |
                                 |
                          Cache server  

Now from RX the traffic is out; it may go to the Gateway 1 router or the Gateway 2 router.
 
Note that router Gateway 1 has its traffic cached by the Cache server. But the Gateway 2 router has not been configured to cache its traffic. Note that the Gateway 1 router has two interfaces connected to the sw but Gateway 2 has only 1 interface connected to the sw.
 
In the end, if I want router Gateway 2 to have its traffic cached by the cache server, can I use the same config which currently exists in Gateway 1, or is there different behaviour? Is there a new modification on the cache server? I'm using suid cache based linux.
 
I will include a brief info about only cache config in gateway1 router
 
======================================
ip access-list extended CACHE5
deny   tcp any host x..x.x.x eq www
deny   tcp any host x.x.x.x
permit tcp x.x.x.x x.x.x.x any eq www
==================================
[Code] ........

Can I do the same config on router gateway 2 ?


Cisco Routers :: Can RV042G IPSec VPN Support Apple IOS IPSec VPN

Apr 29, 2013

I tried every type of combination and just couldn't make it work. Only PPTP works well. Is Apple iOS IPSec VPN supported or not?








Copyrights 2005-15 www.BigResource.com, All rights reserved