Cisco VPN :: Initiate VPN From Router On Local LAN Behind ASA 5540?

Sep 16, 2012

We currently have an ASA with site-to-site VPN and AnyConnect VPN being utilized. We received a third-party Cisco router which will be used to initiate their own site-to-site VPN from inside our local LAN to their LAN through our ASA.
 
1. Would NAT Traversal be required on our ASA? 5540(config)#crypto isakmp nat-traversal

2. Would the ports listed below interfere with ports for site to site VPN and anyconnect VPN?

SSH
- allow access from xxxxx on TCP Port 22
ICMP
- allow access from xxxxx - protocol 1
ISAKMP
- allow access to xxxxx on UDP Port 500, also add UDP 4500 for NAT-T

[code]....


Cisco VPN :: ASA 5540 Local Certificate Authority In Failover

Jul 12, 2011

I was setting up an SSL VPN on an ASA 5540 (8.2) but can't set up the local CA authority.

It's an active/standby failover pair.

I knew it wasn't enabled on active/active, but I didn't realise it was also not enabled on active/passive. Has anyone come across this or know whether it can be enabled?


Initiate Download To Network Computer?

Oct 15, 2012

I've been meaning to ask this for some time. I have several wired pc's and several wireless pc's on my home LAN. I tend to use one of my wireless notebooks the most. I choose to keep a relatively small HDD in it, so I don't use it for storage. I have SHARED folders on my wired PC's that I use for storage. So when I download a file using my laptop, I save it to one of my wired PC's shared folders. The problem is it is really downloading to my laptop first and THEN simply moving the file to the shared folder. It is using the resources twice. I would like the laptop to initiate the download to a networked shared folder and that download be independent of the laptop from that point, so if I were to even shut the laptop off, the download would still continue to the networked shared folder.


Cisco Switching/Routing :: ISR 891 - Initiate Existing VPN Tunnel

Dec 4, 2012

I have configured a site-to-site VPN tunnel using my Cisco ISR 891 router. The tunnel connects between my network 10.88.10.0 to the remote network 10.210.65.0. When I ping the remote network my VPN tunnel comes up and all is well.
 
I have recently connected a second network to my 10.88.... network. The new local network is 192.168.0.0. I have now managed to get the two local networks pinging each other. I can also carry out RDP sessions between systems on both networks. Hence I am happy that both networks are communicating.
 
I used the FastEthernet Port 8 on my ISR 891 to physically connect to the new 192.168 network and then entered the appropriate 'Static Routes' on the existing 192.168 router (Netgear router). Hence certain traffic arriving at the Netgear will now be forwarded to Port FE8 on the Cisco ISR 891. See FE8 Port config at the bottom of this post. I have used tracert to ensure that the traffic does arrive at Port FE8 (192.168.0.235).
 
I cannot seem to ping any device on the remote 10.210.65.0 network from the 192.168 network. However, as stated above, I can successfully ping the same remote device from the local 10.88 network. I must be missing something that allows the 192.168 traffic to use the existing VPN tunnel. I have added the following command to the IPsec rules for the VPN tunnel using the Cisco Configuration Professional tool.
Permit 192.168.0.0/0.0.0.255 10.210.0.0/0.0.255.255 ip


Cisco VPN :: 5520 / IPSec VPN Won't Initiate From Remote Site

Sep 8, 2012

I have a site-to-site VPN configured between a 5520 at our data center and a 1700 at a client's site for site-to-site connectivity. What I've noticed is that the VPN can only initiate from my data center, never from the client router. I can telnet into the router and start a telnet session sourced from the "inside" interface and it fails, yet I can see the NAT translations get created in the state table that should match the crypto-map. However, if I ping a host on the inside of the remote LAN from my workstation (behind the 5520) to bring the tunnel up, and run the exact same command on the client router once the tunnel is up, it works. Right now I have a continuous ping running from my workstation to keep the tunnel up, but obviously that's not the best solution.
 
I had to modify this config to NAT the LAN addresses at the client to a non-overlapping subnet, so anything coming from 128.1.0.0/16 should be NAT'd to 192.168.105.[50-200]/24.  I've also got two static NATs for inbound access from the data center and those seem to work fine.
 
Current configuration : 2787 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

[code]...


Cisco WAN :: 2800 - Interface Downtime In Order To Initiate DHCP

Feb 26, 2012

I'm trying to find out what the minimum downtime is for a Cisco 2800 series LAN interface configured as DHCP client, in order to initiate a new DHCP discover. How much time does it need to take for the Cisco to "sense" the phy disconnection?


Cisco Application :: 4700 - Initiate Connection Between Test Pc To Webserver Through ACE?

Apr 2, 2012

I've configured two ACE 4700s in SLB mode (HTTP) to a web server. To understand how the ACE works and to see if all is OK, I want to test it, but how?

How do I initiate an HTTP connection from my test PC to the web server through the ACE?


Cisco Firewall :: 5510 - Filter Internet IP Address Allow To Initiate VPN Connection

Apr 10, 2011

Using Cisco ASA5510 Security Plus (Post May 2010) with 8.2(1)
 
I was trying to limit the number of internet IP addresses that can initiate a Remote Access VPN connection to the firewall. I plan to only allow internet IP addresses from a few ISPs for control.

However, blocking AHP, ESP, ISAKMP, NON500-ISAKMP, and the assigned IPSec Over TCP port on the firewall outside interface doesn't work. But it works by putting the ACL in the router before the firewall. It seems that the firewall has a "hidden" step that processes VPN first, before the user-entered ACL (or explicit rule), similar to Checkpoint FW's implied rule. How do I get around it?


Linksys Wireless Router :: Wrt54gs / Setup Local DNS Server To Manage Small Office Local-only Domain Names?

Apr 22, 2012

I'm trying to set up a local DNS server to manage small office local-only domain names for our servers. I have the DNS working properly (resolving local machines and using the ISP DNS if it can't). So I put the DNS server IP into the "Static DNS 1" field of the router settings. The other 2 static DNS fields are empty. The problem is that the router is still using the ISP DNS server as the primary and my local DNS server as the secondary. I verify this in two places. First, if I go to the "status" tab, DNS 1 shows the ISP server while DNS 2 shows my local DNS server. Secondly, if I connect to the wireless device with a Linux-based machine, the /etc/resolv.conf file shows the nameserver IPs in the same incorrect order.


Cisco VPN :: One Way With ASA 5540 And 800 Router

Apr 4, 2012

I have a site-to-site VPN to set up between an ASA 5540 and an 800 router.

I only want the VPN to be initiated from the ASA, with the remote 800 listening for inbound connections.

I know I can set the connection type on the ASA as originate-only but I can find a command equivalent to answer-only for the remote 800.

Is it sufficient to simply configure the ASA as originate-only for this crypto map?


Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have an ASA 5505. I configured a site-to-site VPN between the central site and the remote site and it is working. Now the problem is we use the remote site for troubleshooting purposes, so we need to create a tunnel from the remote site to the central site. I need to configure it in such a way that the remote site can create a tunnel to the central site, but the central site is not able to create a tunnel; it just responds to the remote site.


D-Link DIR-655 - Can Router Map URL To Local IP

Mar 17, 2012

I'm setting up a facility with many different computers where I don't have access to their hosts files. How would I map test.com to a local server without using the hosts file? Can this be done using a simple home router?

I'd like to be able to tell guests: "If you're on our wifi, you can just go to test.com to view our local website." I'd prefer to keep answers hardware-agnostic; I'm using a D-Link DIR-655.

How can I map a domain name to an IP address and port?


Cisco VPN :: 5540 - License Key From 1 ASA To Another

Dec 3, 2012

Can I bind an SSL license key from one ASA to another? We recently got a 5540 and I want to use my SSL 5510 license on the new firewall.


Cisco VPN :: 5540 - VoIP Over VPN

May 21, 2013

I have a Cisco ASA 5540 running 8.2(5). When I dial a phone on the other side of the VPN the first time, I get a blank after it rings (i.e. when the voice mail gets activated or if someone picks the phone up); however, it works the second and subsequent times I dial.

A little background. Two sites A and B connected via IPsec tunnel. No problems in communication except for the VoIP issue. A phone is on site A (172.17.168.x) and the other on site B (192.168.103.x). Site A and Site B are connected via an IPsec tunnel on the Cisco ASA. First call fails. Second call works. The result of a packet trace is also the same. The UDP packet gets dropped when tried for the first time but subsequent ones pass.
 
First time
 
ASA5520# packet-tracer input inside udp 172.17.168.95 10000 192.168.3.103 10000 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
[code].......


Broadband :: DC++ Local LAN Sharing Using Router?

Sep 5, 2011

I am trying to use ApexDC++ using a wifi router for local LAN sharing. The problem is that when I connect the LAN cable to the LAN port of the router I am able to connect to the local HUB but at the same time unable to connect to the internet. And when I connect the LAN cable to the internet port of the router I get connected to the internet but am unable to connect to the local HUB for LAN sharing. I have tried port forwarding also, but to no avail.

The ip details provided for local LAN sharing is,
LAN IP - 192.168.100.3 - 192.168.100.xxx
Subnet mask - 255.255.255.000
Default gateway - 192.168.100.1

This is the configuration on the LAN port of my wifi router. Whereas when I connect the LAN cable to the internet port of the router, it takes the IP automatically from the server (DHCP), which is not the same as the IP details provided for LAN sharing, hence I am unable to connect to the local HUB. If I try to configure the internet port of the router with the above configuration I am unable to connect to the local HUB as well as the internet. I want to connect to the local HUB while connected to the internet using a wifi router. I don't find any problem while connected directly. I have configured my computer's LAN card manually with the above configuration provided for LAN sharing and am able to connect to the internet as well through a dial-up connection (connected directly without using a router). I am unable to figure out the difference between the two (direct connection and while using a router).


Cisco VPN :: ASA 5540 Procedure After Setting Up One To One Nat

Mar 17, 2011

We have ASA 5540.  After setting up one-to-one nat, do I need to do anything else? static (Inside,Outside) public ip address private ip address netmask 255.255.255.255.


Cisco VPN :: 5540 VPN Web Page Not Opening

Jul 14, 2012

I have an ASA 5540 on which VPN is configured (both SSL through browser and AnyConnect). Everything was working fine but suddenly the webpage has stopped working and gives the "page cannot be displayed" error; moreover, the AnyConnect client also fails to connect to the IP.


Cisco VPN :: Upgrade ASA 5540 In Failover

Feb 11, 2013

I have 2 ASA 5540s in our network. I want to upgrade them from 8.0.4 to 8.4.3. I want assistance with the configuration because I know that there is a change in configuration while migrating from 8.0.4 to 8.4.3. Is there any tool available on the Internet that helps me convert the current configuration to be compatible with 8.4.3?


Cisco VPN :: 5540 - How To Configure AnyConnect ACL's

Apr 29, 2012

I am a little new to Cisco ASA's but we bought two new 5540's to use as a new VPN solution for our company. We want to implement Cisco Anyconnect full client and Clientless based solutions for our end users. I am having problems working with setting up access lists based on groups. I simply want to create access-lists to certain IP's based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory Groups allowing access to back end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL on a group.  


Cisco VPN :: Migrate All Configs To New ASA 5540

Mar 21, 2011

We setup both site-to-site VPN and Remote Access VPN client on VPN 3005 Concentrator.  We want to migrate all the configs to the new ASA 5540.  Do you recommend that we migrate all the configurations for VPN client first before setting up the site-to-site VPN on the ASA or it does not make any difference? 


Cisco VPN :: ASA 5540 - SSL And VPN License Count

Aug 14, 2012

Any method to determine the maximum number of concurrently used SSL VPN licenses (sessions) on an ASA5540 over a period of time?  For instance, over a week, the MAXIMUM number of concurrent users that were utilizing SSL licenses on the box.  We are trying to determine current license capacity of the device.
 
We are running 8.2(5) on the ASA itself, and have 6.47 ASDM deployed.


Cisco VPN :: ASA 5540 - Display Passwords

Jul 19, 2011

We have two ASA's 5540, running IOS 8.2(4).  Is there a command to find out the password that we setup for VPN Load balancing?  I recall there was a command that you type under CLI and it will display all passwords. 


Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4

Jul 16, 2012

I need to upgrade an ASA 5540 from 7.1 to 8.4 for the secure connect feature of Cisco Jabber configuration. The support forum guides say that I need to follow the upgrade path 7.1 --> 7.2 --> 8.0 --> 8.2 --> 8.4 and also do a memory upgrade from 1GB to 2GB.
 
[URL] 
 
I need to use this feature for only three or at most four users in the company, so would I really need to do the memory upgrade, or can I go with 1GB memory? Also, how can I get the price of part number "ASA5540-MEM-2GB=" at cisco.com?
 
ASA-ISB-HQ# sh version  
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

[Code].....


Cisco VPN :: PAT Outbound On 5540 For Traffic?

Feb 28, 2011

We're running 8.3(2) in the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class-b address space, and since the users are spread out all over the place, I have the entire class-b space as the local object in the ACL that allows traffic through the VPN tunnel.
 
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to alleviate their concerns, to PAT all of our connections outbound to a single IP address.
 
How is this done in 8.3(2)?  We use ASDM to configure the 5540.  For example, say our class-b is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.


Cisco VPN :: Telnet Through WebVPN In ASA 5540?

Nov 24, 2011

I've configured in an ASA5540 (8.4) access to a server in my LAN using telnet with webVPN. I've installed the ssh/telnet plug-in in the ASA and SSH access to the servers works fine but when I try telnet access I always get this error:
 
Could not connect to: "ip server" 23
Reason: java.io.IOException: Connection failed
 
It happens with any server I try. I'm not trying to access the ASA, just servers inside my LAN that I can access with AnyConnect correctly. There is a Cisco bug (CSCsq89467) saying that not configuring any Web-ACL in the ASA solves the problem. Telnet always shows the same error.


Cisco VPN :: Profile Of Connection With ASA 5540

Jun 6, 2011

I have a problem with one of our IPSec site-to-site vpns.

- We use an ASA5540 and the remote site uses a software-based FW (steelgate borderware).

- There are some old ACLs on our FW that have the remote site's IP address as an incoming node having TCP.... access to some servers on our LAN (why they didn't use static/dynamic NAT for clients of both ends to have TCP connection???)

- When I try to set up the VPN, the name entry of the remote site (which is optional) changes with the IP address of the peer in the VPN profile and it confuses the VPN, so IKE phase 1 won't establish. The name entry is because of those ACLs that have been entered in the past.
 
Q- How to stop ASA creating names via ASDM when adding ACLs?
 
Imagine the other site's network people are the most inflexible IT guys to do any changes in terms of using static or dynamic nat for their clients to have access to ours, so I can replace their FW IP address in ACL with other NAT addresses.


Cisco VPN :: 5540 - L2L ESP Error 402116

May 9, 2012

I have one established IPSec tunnel between the host at the far end. When they try to establish a second IPSec tunnel to our second IP we get this error:
 
May  9 18:51:51 odc-np-gw %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47995CC7, sequence number= 0xCF) from 23.24.138.185 (user= 23.24.138.185) to 205.144.144.4.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 205.144.158.29, its source as 23.24.138.189, and its protocol as icmp.  The SA specifies its local proxy as 205.144.158.30/255.255.255.255/ip/0 and its remote_proxy as 23.24.138.189/255.255.255.255/ip/0.
 
23.24.138.185 is the far end peer
205.144.144.4 is the local peer
23.24.138.189 is the remote configured protected host
205.144.158.29 is the local configured protected host
205.144.158.30 is the working local configured protected host
 
we have a Cisco 5540 on the far end also.


Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
this means higher security can talk to lower security without NAT rules
 
Question 1) - If I want the higher security zone to talk to the lower security zone with NAT rules, I would use statements like below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kind of overriding the no nat-control statement... right?
 
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for NAT 0 ...like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-


Unidentified Local Only New Router Huawei HG533

Oct 25, 2012

I have just installed a new router, a HUAWEI HG533. I am not able to connect wirelessly with my Acer Aspire 5520 (with Vista Home Premium). I can connect to my new router using the ethernet cable, and last time I tried, my old router would connect wirelessly. If I hover over the network icon, it says 'Unidentified Access: local only'. My smartphone (and my wife's) will connect (but only mine to the old router!). I have tried removing the Microsoft 6to4 adapters (suggested on another forum); this didn't work. (I then re-installed, no better.) I've had a look at other posts on this forum, and have done a couple of the tests suggested (wireless and mini toolbox, which I will post separately as it exceeds 20000 characters!). I have tried support from my ISP (who also supplied the router) and got a generic email in response, no luck.


TP-Link WR740N Router / Local Access Only When WPA Is On?

Jun 16, 2012

I got a new TP-Link WR740N router and I'm having a problem with it. Every time I enable security (WEP, WPA etc.) the signal on all notebooks will go "local access only" immediately, even if I use the right password. The router signal is always there, but Internet access will only be available if security is set to "unprotected" in the router setup. The funny thing is that my old router (Linksys WRT54) had WPA2 on and everything was OK.


Routers / Switches :: Only Can Get Local Connection On Router

Jul 27, 2011

When I try to set up my Belkin modem router I can only get a local-only connection as soon as I remove the wired setup cable. The router itself is connected to the internet and other laptops can connect when given the password. I tried to set it up on a different laptop and got the same result. I have reset the factory settings and tried again with the same result: I connect to the router but not the internet. If I reconnect my TalkTalk router there is no problem.


D-Link DIR-655 :: Local Domain Name Settings On Router

Nov 21, 2012

I have the DIR-655 (H/w Ver B1, F/W Ver 2.05NA) set up as router on my network (TWC/RR - modem is Motorola SURFBoard 6121 - modem only, no router or other services provided). I have configured the router sufficiently to allow all computers on the local network to access the Internet, and have configured the DHCP server on the router to provide IP addresses to the local network. I have configured the router to provide the DNS addresses for my local DNS resolvers (so that I can provide DNS resolution for an "internal" domain). Configuration specifics available on request, but everything mentioned so far is working satisfactorily, at least so far.

So, my question: The "Local Domain Name" setting on the router, as indicated in the documentation, provides a connection-specific domain name when DHCP supplies an IP address to the local system. This setting, however, is overridden if the ISP provides a domain name when it assigns an IP to the WAN connection. I have verified by experiment that this is true (no matter what I put in the Local Domain Name field - whether a valid domain, or blank - the local machines receive the domain name supplied by the ISP). I wish to modify this behavior. I wish to have the router provide the domain name specified in the Local Domain Name field *regardless* of what the ISP provides.


Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS

Jun 10, 2012

I have a Cisco 5540 with AIP-SSM-40. Recently I configured the AIP-SSM-40 to capture all traffic from all interfaces, any to any, in promiscuous mode, so that if the card fails traffic still flows through the ASA. But after that I can't log in to Cisco ASDM; the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"
