Cisco VPN :: IPSec On ASA5520 With ADSL Peers Ok But Not Fine With Mobile
Jun 18, 2012
We have an ASA5520 configured with a IPSec VPN, from any ADSL home/office our VPN clients can connect without any problem, but when we use our cellular phones in tetering mode (as an accesspoint) our VPN clients are impossible to connect. Same machines,same software, same operating system, same remote IP (ASA5520 external IP) only change Wifi connection (ADSL to cellular phone). The signal of cellular phones is not the problem we was doing the tests with different phones (IPHONE & ANDROID), different locations (all in spain) and differents providers (vodafone, orange and movistar) of internet by cellular phone.We think that perhaps the problem is the licenses that our ASA5520 has..
Our ASA5520 comes with this licenses:
------------------------------------------------------------------------------------------
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
I have a location where I have 2 WAN links, but without a dynamic routing protocol in between. I want to implement a kind of hub to 2 spokes VPN. But the spokes will actualy be on one single ASA firewall, each spoke on a different interface. One hub-spoke will be primary, the other one the secondary. When the WAN link for the primary VPN fails the secondary should be started on the hub to the other spoke.
I am trying to get a 2811 to accept two IPSec peers however can only get one working at a time. I have setup fa0/0 and fa0/1 with their own public facing IP addresses with crypto maps associated to each interface however can only establish connectivity to one interface at any one time.
Couldn't connect to mobile hotspot but could connect to other networks, none of which were from a phone. When attempting to connect to hotspot, my phone displays the information of my computer as name unknown, IP address 0.0.0.0, but gives a MAC address. (My computer has a name, I can't find my IP address, idk what a MAC address is)I tried using remote desktop connection, but the computer I was trying to connect to couldn't find mine.
To be honest, I'm not sure I did it correctly, though.Displayed as 0.0.0.0 on phone when attempting to connect to mobile hotspot.I typed ipconfig in command prompt but got nothing about an IP address. There were several lines that began with "Tunnel adapter" all followed by "Media State : Media Disconnected" then "Connection-specific DNS Suffix: I currently have no internet connection (I'm on my phone), so I can't find it that way either.
Under Network Location it specifies that it cannot connect to MEMORYCARD (\EPSON00) (Z:) and upon clicking on it I receive an error message: "Microsoft Windows Network: The network path was not found. This connection has not been restored."I've spilled water on my keyboard before, but this took place after these problems arose. I dried the computer and had it sit with rice for 2 days. The only issue that came of this incident that I am aware of was a few stuck keys.
I am able to access ASA via hostname but with IP address it does not work.Need to know what config i need to put so i am able to access it using IP by ssh and ASDM? ASA is 5520 version is 8
I have an ASA 5525 and need to configure site to site ipsec vpn to 3 peers. I currently have an existing /28 public address from my ISP that is used by other services.Is there a way to use this existing ip range to configure IPSEC tunnels to 3 peers ?
I want to do this connection:-DSL cable--> Modem --> Wireless Router --> use WiFi on my mobile.Is it okay or I need a PC in between????? I don't have PC with WiFi Connectivity.....
I'm using a windows7 pc with orange 20mb ADSL and the other day the broadband went down, so I connected my Iphone5 on EE up, and did a speed check and averaged 7mbps down and 2 up (the upload is double the ADSL!), I noticed on the network and sharing menu, there's an option in the 'change adapter settings' that allows you to bridge connections, so I selected both the ADSL router and Iphone connections together, right clicked and selected 'Bridge connections', and after a moment a third connection appearead, but there doesn't appear to be an option to just select using that connection, only disable it, so I thought that it was bridged.
I have a Cisco ASA5520 with Software Version 8.2(5) in place, most my users are Mac Users and I am currently looking into Cisco AnyConnect in comparison to using VPN client.
I have a couple of questions
1) Does Cisco AnyConnect make use of IPsec or is it soley SSL VPN based?
2) From the license information I have below in my ASA I understand that I can have max 750 vpn peers however am I right in saying that this does not apply to Cisco AnyConnect peers? and that with Cisco AnyConnect I can only have 2 peers? Also what are the disabled anyconnect options for?
Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs : 150
[Code]....
3) When trying to set up Cisco Anyconnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images however when I did this by uploading the .dmg file for mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?
We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected, when we configure the second VPN matching the first the tunnel never begins to establish. There is an ACL that is dening the static IP for our remote office.
The layout is as follows:
Main office = ASA 5520 Remote Office A = ASA (Unknown Model) Remote Office B = Adtran Router
All devices have static IP addresses.
We used the ASDM VPN wizard to create both VPN's.
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
We have verified that both sides are configured the same however the VPN never is initiated so as of right now the ASA is simply blocking all attempts from our remote office to connect.
We have ASA 5520 running 8.2(3) software and we're trying to make Remote Access VPN (l2tp/ipsec) working from Android. We succeeded in making IPSEC tunnel (ending "Phase 2 completed"), but we cannot make L2TP tunnel working.We're using RADIUS for L2TP authentication, but ASA doesn't even try to check credentials entered by use. The same set of credentials entered on Windows {XP, VISTA, 7, Mobile} works ok. Which debugging options should we turned on?
I am using an ASA 5520 running 8.2(4). My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPSec client and be able to establish tcp connections to servers at 192.168.210.x and 10.21.9.x and 10.21.3.x, I believe I am close to having this resolved, but seem to have a routing issue.
I have an exisitng ASA5520 which is already working with remote clients using Cisco vpn client configured using ipsec over tcp, I am now trying to get vpn access for Iphones working and having a problem where once connected the Iphone cannot ping any internal device. The configuration on the Iphone does not allow for Ipsec over tcp and therefore uses udp 500 by default, if i create a new profile from a pc and do not use ipsec over tcp it has the same issue where it establishes a vpn tunnel but cannot ping any internal device as soon as I change the profile to ipsec over tcp it works fine.
I'm trying to set up an IPSec tunnel between 2 3845 routers that each sit in a private LAN behind an ADSL modem. Each modem does have a static public IP address from the ISP.
Thus:
Cisco 3845-1 <-> ADSL modem <-> WAN <-> ADSL modem <-> Cisco 3845-2 3845-1 Gi 0/0 - private ip l NAT
[code]....
So I would like to set up IPSEC between the GI 0/0 interfaces on the 3845's.
The setup is a S2S VPN with failover to 3G HWIC in a Cisco 1941 however the IPSEC tunnel needs to remain up through 3G if ADSL fails.The failover works ok, however when plugging ADSL back in, the - "sh crypto session" shows both dialer 0, and dialer 1 with the crypto map session to the other side of the VPN and either side is now not pingable.The NoIP DDNS updater client runs on a server in the network and all IP resolution to host1,host2 works ok (other side of VPN is Cisco 1921 with ADSL HWIC and 3G HWIC). [code]
I need to create multiple ip-sec vpn tunnels on A Cisco 837 ADSL Router. I am able to create one tunnel but the second connection is asking for the outside interface which is atm and already taken by the first tunnel. How can i create more tunnels?
Secondly, after creating the first tunnel i am able to access the remote lan network but when i tried tracert "remote lan ip of a pc" from my pc i got "request timed out" after passing my 837 but succeeded to reach the target. Does tracert needs something to be opened in the router?
How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel? I'm using an ASA5520 running 8.04.
I cannot get it to work : if interesting traffic comes ffrom the IPSO side, the box would not even try to set up the tunnel. and If it comes fomr the ASA side, the box attempts to do so but it with this strange message : AM_WAIT_MSG2
Had a question regarding creating dial peers through sip trunks. It will be through verizon fios so it'll be terminated through the fa0/0 port. I know to the provider i'll implement something along the lines of this:dial-peer voice 1 voipsession target ipv4:1.2.4.4sipv2port fa0/0Many of the documentation I came across really only shows pots dial-peers will a voip dial-peer work the same? Something a long of the lines of this:dial-peer voice 2 voipdesination-pattern 91[2-9]..[2-]...... no digit-stripport fa0/0
I have a Cisco ASA 5505 which is setup as an EasyVPN client to e remote VPN concentrator.
The Cisco ASA has the 50 internal user license with 10 VPN peers.
We just upgraded the license from the base 10 internal user to 50 user license but it has not resolved the problem and only 10 internal users still work, the 11th fails.
Does each EasyVPN client on the inside network take up 1 of the 10 VPN peer licences?
This seems to be the issue from what I can see, just need confirmation.
I have one ASA with two tunnels. Each going to a different 3rd party Checkpoint firewall (site A, site B) Each site has two servers (A1, A2, B1, B2)I can only connect to A1 and B1. any connection to A2 and B2 fails. I have defined B2 and A2 in the crypto map to be protected.If I only have B2 or A2 in the crypto map ACL then the tunnel fails. Phase 1 does not come up. Its as if the ASA is ignoring the entries for B2 and A2.ASA running 8.4(2).I have also trashed the VPN and built via the wizard, same result.
At our organisation our routers all have at least 3 BGP peers, each from a different connectivity provider. The different providers that we use all have different internet transit CDRs. Is there a way that I can configure a priority for the 3 BGP peers on our routers so that outbound traffic to the internet is sent to the BGP peer from the provider with the highest CDR?
What is the reason of following NTP error. I am unable to configure further ntp peers on the router. Could not able to understand the reason of 100 peers. I am adding only 2nd peer on the router but getting this error. There is no problem adding peers in other 6500s .
I'm running 12.2(33)SXJ1 on a 6500 with several IPv6 BGP peers. Is there any way to monitor the BGP status of IPv6 peers? I've been through the BGP4 mib and cant seem find a way to check the status of IPv6 peers.
I am imagining a smallish networking (AS1234) with say three full BGP table peers that provide transit to the network (just to keep the maths simple here); Lets say AS100 and AS200 are preferred transit providers with AS300 as a backup/least prefered (AS prepends or similar stop us from using this network by default). So in this scenario our little network gets two different paths across the Internet, as not to rely solely on one provided, with a backup provider to hand also.
How do you mange issues like packet loss somewhere in AS100's or AS200's network? So lets say a host on our AS1234 network is talking to host in AS888 and the preferred route is through AS100 but somewhere deep in AS100 a link is flapping (for example) and I can't get to AS888 reliably through there anymore, but I can through to other peers of AS100 OK. We can postulate that AS100 is the best path for 50% of the Internet and AS200 for the other 50% (this is a best case fictional scenario). I can't ping 50% of the internet via AS100 and then in the event a ping fails (or some other more reliable test) tear down the BGP session to use AS100 until it's fixed again, nor vice versa with AS200.
First of all, I asume you don't know about the issue between AS100 and AS888 until someome moans about it to you? Secondly, do you then some how modify the route(s) to AS888 that come from AS100 (route map for example to change the weight or preference) so AS200 is now preferred for AS888? Do you infact shut down the AS100 peering and now use AS200 & AS300? How do you rectify these situations that are beyond you control using what is in your control?
i have a problem with my adsl line connected on a HWIC-ADSL on router 2901 it was working good until yesterday the atm interface is down but the interface dialer is up .i connected this line into home adsl modem and the line is working good?
A Cisco RV220W router/firewall connects the local LAN to the internet. The router is connected to a new Cisco SG300-28P switch configured in Layer 2 mode. There are two new AIR-1142N wireless access points running in autonomous mode connected to 2 ports on the SG300 powered through PoE. The AIR-1142N access points are running the latest firmware version 15.2(2)JB. There are two VLANs defined: VLAN1 is the native on all devices, and VLAN2 is for wireless guest traffic to provide access to the internet only.Internal/staff traffic is on 192.168.100.x, and the wireless SSID is MYNetS.Guest traffic is on 192.168.200.x and the wireless SSID is MyNetG.IP addresses are being assigned by the RV220W.
All works well with one exception. Wireless clients on the internal SSID are able to ping/access the switch, router, and other clients on wired ports on the switch. The router, switch, and wired clients can ping wireless clients. However, wireless clients, on the same SSID and the same 1142N cannot ping/access one another. They are being isolated from each other. We absolutely need to have this capability.The SG300 does not have port security enabled on any port. none of the workstations/laptops have a firewall enabled. These laptops are all Macs btw. I have checked that neither of the 1142N access points have Public Secure Packet Forwarding enabled on either of the VLANs.I am at a loss as to why the wireless clients are being isolated.
I need to change providers from Verizon to AT&T. This modem came with the AT&T Sim card installed in my notebook. The software (Dell Mobile Broadband Utility Help) says " Choose Network Selection from the Settings Menu. Select AT&T and click Load." Unfortunately, Network selection is not an option.
How do I do it? This modem is compatible with Verizon, AT&T and Sprint networks.
internet | | Gateway2 | | | RX========== <sw 2960g>==========(Gi0/1)(Gi0/2)Gateway 1 ============>internet | | | Cache server
Now from RX the traffic is out , it may go to Gateway1 router or Gateway2 router
Note that router Gateway 1 has its traffic cached by Cache server. But the Gateway 2 router has not configured to cache its traffic , note that Gateway 1 router has two interfaces connected with sw but Gateway 2 only 1 interface connected to sw .
In the end , if I want Router Gateway 2 to hve its traffic to be cached by cahce server , can I do as the same config which is currently exist in Gateway 1 , or there is different behaviuor ???? Is there new modification on cahce server ?? im using suid cahe based linux .
I will include a brief info about only cache config in gateway1 router
====================================== ip access-list extended CACHE5 deny tcp any host x..x.x.x eq www deny tcp any host x.x.x.x permit tcp x.x.x.x x.x.x.x any eq www ================================== [Code] ........
