Cisco VPN :: Need Two Vpn Tunnels From One ASA5510 To Two Customer Endpoints

Jan 15, 2013

I need two VPN tunnels from one ASA5510 to two customer endpoints but with the same host on the remote side; the two tunnels are for redundancy reasons. Can I just configure two tunnels with the same host on the remote side and assume the ASA will understand to just use one of the tunnels when both are active, or the one left when one is down? Or do I need extra configuration for that?


Cisco VPN :: ASA5510 - Same Subnet On All VPN Endpoints?

Jul 6, 2011

Is it possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel? I have to create 18 ASA5505 tunnels back to one ASA5510. Instead of having 18 subnets out there it sounds more efficient for my application just to have one. Sort of a CLOUD (there's that word) arrangement.


Cisco VPN :: VPN Tunnels Monitoring On ASA5510 With IOS 7.0

Jul 8, 2012

VPN Tunnels Monitoring on ASA5510 with IOS 7.0 (Monitoring through Nagios Server). I want to use Nagios to monitor each of the S2S tunnels built on the ASA 5510. I can use ICMP on Nagios by adding the Nagios host to the IPSEC network of each tunnel, but in that case the change needs to be done at the other end of the tunnel as well.


Cisco :: OSPF Within Tunnels In ASA5505 - ASA5510

Jun 27, 2011

I have 3 tunnels established (full mesh) with 3 CISCO ASA (all security+), through the Internet:
- Site A: ASA5510
- Site B & C: ASA5505

There is no main site or client site; each site has more than one network behind it. So I'd like to set up OSPF between all the ASAs for them to exchange their routes within the tunnel. I thought this was automatic when establishing the tunnel, but it isn't.


Cisco WAN :: Config ASA5510 For Multiple IPsec Tunnels

May 13, 2013

How to configure a CISCO ASA 5510 for multiple IPsec tunnels? On the other side is a CISCO 2801.


Cisco VPN :: ASA5510 - Slow Traffic On IPSec Tunnels

May 2, 2013

We have many VPN tunnels back to our corporate office.  All of these tunnels are very slow (same with our client VPN's).  Our main firewall device at the corporate office is an ASA5510.  We have a 100 Mb/sec Metro Ethernet internet connection here.  We do not allow split-tunneling.

Our remote sites vary.  We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down).  The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.

To take an example.  On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms.  And I'm pinging back through another 100 Mb/sec connection.  If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100.  Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue. 

Right now, all my MTU's are just set to the default 1500.  Perhaps this is too high.  I used this site to check my max: [URL]
 
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows:
- Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300)
- Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444)
- Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)

So, do I just need to set my MTU values to the appropriate amounts?  I have tried changing the value, but I don't see any change in speed/performance.  But I also don't know if I need to reboot the firewalls after changing the MTU.  I know with Catalyst switches, you have to reload.  But I didn't see any messages about needing to reboot on the ASA's/PIX's.


Cisco VPN :: Multiple Site To Site IPSec Tunnels To One ASA5510

Dec 4, 2012

Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall.


Cisco VPN :: ASA5510 Site To Site Tunnels Suddenly Goes One-way

May 15, 2011

I have a setup with a pair of ASA5510s on the central site, and approx 20 sites with ASA5505s. A couple of networks are configured as site to site tunnels to every remote site. It's very stable, but for the last year or so occasionally one of the tunnels goes one-way. Just like one of the NAT exceptions suddenly stops working. I can see the remote side transmitting packets, but no answer. Central site is running 8.22; I want to upgrade but have to mount more RAM. The only cure I have found is to reboot the central pair of ASA5510s, not very popular as all 20 tunnels go down.


Cisco VPN :: ASA 5520 - Configure VPN To Dual Remote Endpoints

Dec 13, 2011

Not sure if my subject is a good description of the problem or not.
 
I have an ASA 5520 at my home office and a SonicWALL NSA2400 at my remote office. The remote office has dual internet connections and I wanted to create two separate VPNs between the devices using each internet connection on the SonicWALL.
 
I know how to configure this on the SonicWALL, the problem is on the ASA 5520
 
OK Basic network config
 
Main Office

ASA Public IP 1.1.1.1

ASA Internal network 192.168.1.0 (VPN source)
 
Remote office

Public IP 1     2.2.2.2

Public IP 2     3.3.3.3

Internal network 192.168.2.0 (VPN destination on ASA)
 
If I have a VPN from the main ASA to either one of the SonicWALL's public IPs everything works fine

If I create 2 VPN tunnels from the main ASA, 1 to each public IP on the SonicWALL, the VPN shows as up but no traffic flows.


How To Give Endpoints On A SOHO Router Network Public IPs

Mar 7, 2011

How can I give endpoints on a SOHO router network public IPs so I can access an electronic whiteboard over the Internet? Do I need to purchase more than one public IP, or is there something I can do with subnet masking?


How To Assign Each Customer To A Vlan

Sep 3, 2012

How do you assign each customer to a VLAN, and what kit do you use at the core to roll out VLANs to each PoP? We are thinking of using Juniper kit, putting customers on their own VLAN, and having a managed service like TR-069 on those VLANs. Is it doable, and what does everyone use for a TR-069 server? I've been looking on the net and haven't had much joy in finding a server, or is it not as easy as I understand it to be?


Cisco VPN :: 2800 Remote Site For Customer Which Only Have 3G Connection

Feb 11, 2012

We have a new remote site for a customer which only has a 3G connection, and to add more pain to that they have a dynamic IP address. The easiest possible solution was EZY VPN. The client has a 2800 router with 3G and at our end we have an ASA. The issue is that always the server (clients behind) ASA initiates the connection to the remote site, i.e. to 3G. The rule of thumb is that whenever the client (i.e. EZY VPN) initiates the connection, the tunnel will establish.


Cisco Infrastructure :: 2960S Upgrading A Customer Network

Mar 9, 2013

We are upgrading a customer network and have found that users of a particular application [which is very bursty/bandwidth hungry] have experienced a marked performance drop. I see lots of output drops on the interfaces. This is only happening on the 2960S-48; the rest of the users on 2960PSTL [all PoE] are not having nearly as bad a time. I have tried various QoS configs with little success. I have seen on some other blogs that the 2960S has less buffers than the rest of the family.
 
Removing QoS or upping the users to 1Gb cures the performance problem.


Setting Up Customer Wifi In A Secure And Cheap Way

Dec 7, 2012

I run a small coffee shop and want to offer free wifi to my customers while also having a secure network for my point of sale/internal network. What is the best way to do this on a limited budget? And what is the best way to protect the secure network?


Cisco WAN :: Catalyst 4510 To Remove Customer Disclaimer Text

Oct 23, 2012

I'm part way through trying to set a Catalyst 4510R to factory defaults. One thing I'm stumped on is how do I remove the Customer Disclaimer, e.g. what commands do I need to remove this and any other customer text within the switch? Below is a copy of the text from the switch with the customer's details omitted.


Cisco WAN :: 3750 Performing QOS Against Number Of SVI VLans On Per Customer Basis

Apr 29, 2012

I have a Cisco 3750 switch stack and am performing QOS against a number of SVI vlans on per customer basis.  I have 8 customers, each with a /29 public subnet and each with an SVI as a gateway within that /29 range.  I then have a "routable" SVI vlan for routing upstream to the internet. [code]

The service policy attached to the interfaces above is supposed to perform policing on download and upload traffic. The service policy is attached to the Routable VLAN for download policing and the Customer VLAN for upload policing. For example, traffic entering the routable VLAN will be policed based on traffic matching an access list to the customer's IP range (download). Traffic entering the customer VLAN will be policed based on traffic matching an access list from the customer's IP range (upload).

The command I am using to police is as follows: police 10485500 966080 exceed-action drop.

The problem I am experiencing is that traffic into the routable VLAN is being successfully policed down to the 10Mbps I have specified on a per customer basis (download). Traffic entering the customer VLAN is NOT being policed at all (upload). I am limited as to the use of the parent policy map I have specified on the interface, as I can only assign it in one direction (input).


Cisco AAA/Identity/Nac :: Change End Customer Details On CSACS5-BASE

Aug 16, 2011

One of my customers has CSACS and has bought CSACS-5-BASE-LIC. At the time of registration I had put the end customer as my company. How do I change the end customer details on the license?

I had sent a mail to licenseing@cisco.com; they changed the end user details at their end, but the same is not reflecting on the physical box at the customer site.


Capture Customer Data In Return For Free Wifi?

Jan 19, 2013

I am looking for a simple first name, surname and email in exchange for unlimited free access to our wifi. Would want the data to load on to Infusionsoft?


Cisco Wireless :: 7500 Can Use Customer Radius Server In Order To Authenticate

Feb 5, 2013

We use a Flex7500 with local switching and central authentication. My question is: can I use the customer's RADIUS server in order to authenticate, or should my WLC have IP connectivity to any RADIUS server I'm adding? I guess what I'm really asking is: should my WLC know the RADIUS server, or can the request go back to the AP and from there to the customer RADIUS on his subnet?


Cisco Switching/Routing :: 4507-R Installed At Customer Site Which Hang Twice

Oct 26, 2011

We have a Cisco 4507-R installed at a customer site which hung twice and became normal after being rebooted. I have analyzed show tech-support for this switch after rebooting but have not found relevant logs for the hang issue,


Cisco Switching/Routing :: SR2024 / SR2016 - Customer's Network Topology

Nov 12, 2012

I am a beginner, and my customer is complaining about the internet connection performance, which is very slow. The network description is given below:
 
Description:
The building has four floors and each floor has one mount rack which contains one 26 port switch + 16 port switch. and each floor has 32 pc as well.
- 4, Cisco SR2024 unmanaged switches.
- 4, Cisco SR2016 unmanaged switches.
- 1, Cisco access point for internet connection.
- 1, Active directory server.
- 1, Mail Server.
- Internet ADSL connection, 1 MB speed.
 
This is the current topology.
  
*Note: The links and cable type "100BASE-TX under Cat 5" among all switches.
*Note: Whenever I connect to the main router "Access point" the internet becomes very fast.


Cisco Switching/Routing :: 2600 Simple Router On A Stick Config Which Is Providing Dhcp To Customer SSID

Mar 17, 2013

I have a simple router on a stick config which is providing DHCP to a customer SSID. However, I don't want employees to stay on it and eat the bandwidth since it's open. The lease is set to an hour; is there any way that I could set it so that once your lease expired it can't be renewed for 4 about 8 hours? I am using a Cisco 2600 router in this setup.


Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found the differences are port-related and redundancy. My question is: is there any major difference in security services between the two models?


Cisco VPN :: ASA 8.4(3) VPN Tunnels With Certificates?

Aug 16, 2012

My ASAs have the following versions: ASA Version 8.4(3), ASDM Version 6.4(7). Do I have a chance to configure a site-to-site tunnel with a hostname as the peer address when I use Identity and CA Certificates?


Cisco VPN :: ASA5505 QoS Policy On VPN Tunnels

Dec 14, 2011

I set up a full mesh LAN-to-LAN VPN for a client with 4 sites.  Each site has an ASA 5505 running 8.2(5).   Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site.  There are two back-up servers, one at the main site and one at a remote site.  The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS? 
 
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic.  My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important.  I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now.  I know the IP of the file-server and back-up servers.


Cisco WAN :: GRE Tunnels On 2921 Router

Feb 20, 2013

Is there a recommended number of GRE tunnels that Cisco 2921 ISR router with default configuration (512MB DDR2 ECC DRAM) can support?         


Cisco VPN :: 1841 How Many Vpn Tunnels Will It Handle

Jun 5, 2011

I have read that the cisco 1841 can handle up to 100 VPN tunnels by default. Can this IOS version handle SSL VPN tunnels as well?


Cisco WAN :: 7609 / MPLS Over GRE Tunnels?

May 7, 2008

Configuring MPLS over GRE tunnels. I did not find any proper configuration example. I need to do this to encrypt the traffic between two PE routers. I have 7609 routers.


Cisco VPN :: Two L2L Tunnels Between ASA 5520 And PIX 515E

Jun 20, 2012

I am trying to set up a VPN tunnel between a PIX and an ASA. I went through the IPSec Site to site wizard using the same settings but I cannot ping hosts from either side.
  
Here is the setup
 
ASA 5520
Device Manager 6.4(5)106
Software version 8.0(5)
Inside network 10.0.0.0/24
Inside IP 10.0.0.1

[code]....


Cisco VPN :: ASA5515 - Failover To Different Tunnels With One ISP

Sep 10, 2012

I have an ASA5515 and our remote sites which have a mesh topology of VPN. At some times of the day router to particular links are down due to the ISP core, but the tunnels from the same firewall can communicate to other sites. Is it possible to have a way where you could route traffic to another ASA which has a connection to both the ASAs which want to communicate and have the traffic hairpinned? I know this is possible, but is it possible to make this automated?


Cisco WAN :: 1921 - Route Between VPN Tunnels

Jul 7, 2011

I have a Cisco 1921 and it has 2 VPN IPsec site-to-site tunnels up and running. Let's say the tunnels go from the Cisco to Site A and Site B.

Now I want Site A to reach Site B through the existing tunnels. I'm guessing that static routes may be the answer but I can't seem to get it working.

The LAN networks are as follows:
Cisco: 192.168.15.0/24
Site A: 192.168.0.0/24
Site B: 10.27.27.0/24
 
At Site A i have set up a static route as follows:
Traffic destined for 10.27.27.0/24 Go to gateway 192.168.15.1 (the default gateway of Cisco LAN)

At Site B i have set up a static route as follows:
Traffic destined for 192.168.0.0/24 Go to gateway 192.168.15.1 (the default gateway of Cisco LAN)


Cisco WAN :: 2921 Low Throughput VPN Tunnels

Jun 13, 2012

We have multiple sites that have either fiber 20mb d/u or cable 50/10 d/u. Recently we have upgraded our head end router to a 2921 security based router and noticed that no matter if we are sending or receiving, the most we can push is 1.6Mb. I would expect this number to be at least 8Mb for uploading and at least 18mb for downloading from other sites. I have included parts of my config and screen shots of bandwidth usage for troubleshooting. [code]


Cisco VPN :: 1811 - GRE Tunnels Up / Up But Not Pingable

Jul 17, 2012

I am having an issue where the GRE tunnels are up/up but are not pingable. The GRE tunnels are on Cisco 1811 and Cisco 2811 routers. The tunnel source and destination IP addresses are private addresses. These private addresses are pingable to each other and they are connected via IPSEC. The IPSEC tunnels are generated from the ASA to which the Cisco routers connect. Probably the tunnels are up/up because keepalives are not configured. But I am still not able to see why I can't ping the end points. The ACL for IPSEC in the ASA includes the "permit gre host <Private IP 1> host <Private IP 2>" commands.







