I've a asa 5510 on the main site and different ASA 5505 on secundary sites for VPN tunneling between the sites. The problem is that the tunnels are acomplished but no traffic is going over them. What am i doing wrong? For the moment there is a ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.
View 5 Replies
I got a stange vpn problem, just added a new vpn tunnel to our ASA5510 and then the users report that the traffic through the tunnel is very slow, when I try it myself I get a speed like 50kb/sec to the internal server.If I use our regular tunnel or any other tunnel the speed is just fine. I´ve added the new tunnel in the same way as the other tunnels, that is thorugh ASDM vpn wizzard.
View 2 Replies View RelatedTwo 5505 ASA's for a customer main site and a local office. I have the tunnel up. But I'm unable to pass traffic across it.
Main Site:
ASA Version 7.2(4)
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505
Peer A: x.x.x.x
Lan A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
"show isakmp sa" seems ok (says "State : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
try ftp, telnet from LAN B to LAN A systems but no one work. "show ipsec sa" all #pkts are zero As soon as I generate traffic from LAN A to LAN B these works (with tunnel already up) also traffic from LAN B to LAN A works.Obviously if I end VPN and start tunnel making traffic from LAN A all work fine bidirectionally, LAN A reach LAN B and LAN B reach LAN A.No msg logged in either two appliance.
Seems a very strange problem because seems not related to Phase1 or Phase2 already established.Traffic (routing ?) start works only after at least one packet goes from LAN A to LAN B.No msg logged in either two appliance.Problems begun in ASA version 8.0(4) ASDM version 6.1(3) and remain/continue after upgrade to ASA Version 8.4(1) ASDM version 6.4(1).
I have 2 Cisco 871 set up to vpn in to an ASA 5510. Everything has worked even when the 871 is behind a nat.
We use these routers to send to employees home for temporary use.
The WAN ports on the 871 are configured to pick up an IP via DHCP.
Office ASA 5510 - Public IP address
WAN - Public IP
Internal - 192.168.1.0/24
|
Internet
|
Home Router
WAN - Public IP
Internal - 192.168.1.0/24
|
Cisco 871 picks up 192.168.1.x on WAN port from user's home router
Internal vlan1 192.168.10.x/24
The problem is - this user's home router is using the same subnet as the internal network at the office. Is there anyway to force traffic bound for 192.168.1.x to go over the VPN tunnel? It does this correctly if the 871's WAN port is not also on the same subnet. The vpn tunnel does come up. And I can ping to and from the router, it's just the clients behind the 871 that cannot ping or access the corp network.
We have a VPN setup and here's the configuration on the Cisco ASA 5505: [code] The problem is that i'm able to ping the otherside of the tunnel i.e. 192.168.23.14 from the dmz IP 172.16.1.2 but i'm unable to ping from the hosts behind the ASA.Also the other side is able to ping 172.16.1.2 IP but no IP's behind the ASA.
View 9 Replies View Related I currently have two Cisco ASA 5505. They are at different physical sites (SITE A, SITE B) and are configured with a site-to-site VPN which is active and working.
I can communicate with the subnets on either site from the other and both are connected to the internet, however I need to ensure that all the traffic at my site B goes through this VPN to my site A.
I changed this access-list : access-list outside_2_cryptomap extended permit ip network_siteB network_siteA to access-list outside_2_cryptomap extended permit ip network_siteB any
But this does not work. If I do [URL], site B IP address is not same that site A.
I am trying to set up a LAN-to-LAN VPN tunnel between two sites. One site has a 5505, and the other site has a 5510. It looks like the tunnel is being established fine (both ISAKMP and IPSEC SAs look OK), but traffic doesn't appear to be routing across the internet between the devices. [code]
View 15 Replies View Relatedhere is my situation:
home users ------ internet ------ ASA 5510----- CORP LAN
we have anyconnect VPN and remote Ipsec VPN, i think the solution should works on both of them. my question is : "How to enforce home user internet traffic to VPN tunnel ?" we have "split tunnel" to pass only ""interesting traffic" to VPN tunnel access CORP LAN. but now , i need enforce all user traffic (internet +CORP LAN) pass through VPN tunnel. so far , i did what i know :
1. remove "split tunnle" from group-policy
2. the address in "remote VPN user address pool" are could be NAT/PAT through ASA5510
but i don't get that why it doesn't work.
We have a new site-to-site configuration comprised of two ASAs (a 5505 at the remote site and a 5510 locally). The site-to-site tunnel is up and appears to be working fine, with the exception of one thing; two identified IP addresses on the remote end cannot seem to communicate across the tunnel.
For example: address 192.168.3.81 is able to see resources at our facility, but 192.168.3.82 (an HP Laser jet P2055dn) cannot. However, 192.168.3.82 is ping able from the inside interface of the remote ASA and doesn't appear to be having any other connectivity issues. Also, the default gateway of this device appears to be set properly. When checking the real-time log viewer, I'm not seeing any error messages, it just appears as if the .82 device is not routing to the remote ASA, but strangely enough the local ASA's logs do seem to show communication with .82. (See the below logs.)
When we attempt to ping the 192.168.3.82 address from a local PC (10.10.10.10) that participates in the VPN tunnel, we see the following:
Local ASA
6|Jan 31 2012|16:03:53|302021|192.168.3.82|0|10.10.10.10|512|Teardown ICMP connection for faddr 192.168.3.82/0 gaddr 10.10.10.10/512 laddr 10.10.10.10/512
[ code]....
Remote ASA
6|Jan 31 2012|16:03:53|302021|10.10.10.10|512|192.168.3.82|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0
[ code].....
We can successfully ping 192.168.3.81 from the same local workstation we see the following on the remote ASA :
6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
[Code]....
We have no IP address overlapping and neither ASA's logs show any errors. Unfortunately, we don't have access to the remote site's router configurations, but we've been assured that the issue is not on their end.
Is there any difference with traffic shaping capability on the 5510 as opposed to the 5505? is there anything the 5510 can do that the 5505 cant? with regards to TShaping?
View 4 Replies View RelatedI have a site to site VPN setup between a 5510 and 5505. All traffic is sent ovet the VPN from the remote site to the home office. Everything is working fine but the remote site "www" traffic is not going to the Barracuda. ISP -> CISCO ASA -> Barracuda -> Internal Switch.The Barracuda is setup "inline" with the internal network.
View 7 Replies View RelatedI do have a 5505 up and running, and passing data... url...Now I am trying to get a IPSEC VPN tunnel working.I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned: name 10.0.0.0 Eventual (HQ Site behind Firewall)name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.20 9. 0.3) On a ping to the HQ network from behind the ASA, I get port map translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work. [code]
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
View 1 Replies View RelatedEnvironment :linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all lan's outbound traffic through an ssh tunnel.
View 2 Replies View RelatedCurrently I have users that connect with the Cisco VPN client to our PIX 515e. Our corporate network is also directly connected to our partners network, sharing common address space. I want to be able allow our VPN users to connect to certain resources on their network. Since they already have routing for our address space, can I allow the VPN to only NAT traffic to certain destination addresses with a local IP address on our network? That way the partner's network does not have to change any routing since they would see the source address as a local IP on our network.
View 1 Replies View RelatedI try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks. [code]
View 7 Replies View Relatedi have 2 routers, 2821 and 2811. they are connected via GRE over IPsec, and all of the traffic from 2821 is being routed to 2811 with a default route to its tunnel interface. 2821 needs to access internet through 2811 valid ip address, my question is that how should i nat the traffic on 2811 so that 2821 can access the internet?
View 1 Replies View RelatedI try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks.
[code]....
i am curently troubleshooting a ipsec l2l VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's
It seems like a routing issue, but we can not find anything on both sites.
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and i configure 10.1.1.0 0.0.0.255
is it possible to tunnel all TCP traffic to UDP under port 137?
View 1 Replies View RelatedWe just migrated from a single 5510 to a dual (failover) 5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]
View 12 Replies View RelatedI have set up an ipsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind ASA to inside behind FG, however I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup' To troubleshoot I have configured a test ('fake') vpn connection through the vpn wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
View 1 Replies View RelatedI have set a tunnel between Cisco pix 6.3 and Cisco Router 7200. Show Isakmp sa showing below detail on Pix
Total : 1
Embryonic : 0
dst src state pending created
xx6.x71.x29.x68 x2.1x7.52.1x1 QM_IDLE 0 0
Is tunnel is UP ? Traffice is not going throgh the tunnel . why ?
I have a two RV042 VPN Router, I successfully connected the IPSEC tunnel. I cannot route Traffic in the tunnel. See the diagram.
MAIN Network
10.252.x.x
-------------->
FIREWALL
a.a.a.1
INTERNET
RV042a WANa <<------------------------------->> WANb RV042b
a.a.a.2 b.b.b.b
In this manner the network of b.b.b.b wil connect to the Main Network 10.252.x.x, unfortunately I can't pass traffic to RV042b going to RV042a. Everytime I trace the route, the traffic goes outside the Internet not to RV042a.
I need to route traffic to DMZ (and internal) from the branch office thru the IPSec tunnel. How do I manage that with my Cisco 881?
View 1 Replies View RelatedI'm station overseas and it's really hard to access certain websites and servie like Netflix or ESPN. What I had created was GRE tunnel from my Home "A" to my current location "B" and route my traffic from point A to B using 2 cisco 1700 routers ( and It was working great) but now I can't use GRE nomore. I still have PIX and ASA on both sides and I was trying to do that over VPN tunnel but I can't ping VPN tunnel gateway( basicly what was next hoop in GRE) on the other end ( which is the main problem why I can't route traffic to remote site). I was wondering if I can still do the same thing over VPN tunnel that I did with GRE tunnel.
View 1 Replies View RelatedI'm trying to setup a VPN between an RV042 V3 and an RV082 V2 router. They get connected but no traffic gets through the tunnel. I tried with and without firewall,DPD, Keepalive, forward secrecy but nothing worked. What should I do? I don't want to throw out the V2 routers. V3 to V3 connects fine.
View 1 Replies View RelatedWe've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a wierd problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.
I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this i realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether i need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults i would have to override using that method.
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to acomplish this? I have tried utilizing the crypto map policy to do this, but was unable to acomplish this.
Each of our office locationss utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.
we have two offices connected with a lan-to-lan ipsec tunnel. My question is about one of the sites.
At the site a Cisco 870-series router is used for connection to the internet and setting up the tunnel. Two subnets exist, 172.22.x.x and 10.30.x.x.
The router itself has an address in the 172.22.x.x-range. Traffic from the 10.30.x.x subnet needs to be able to reach:
- A host in our network over at the other office (also 172.22.x.x but other range). NATting is needed otherwise it won't traverse the tunnel because the lan-to-lan has only 172.22.x.x in its properties. - The internet. NATting is also needed otherwise it won't be routable on the internet. The packets need to go out of the router directly, not through the tunnel.
How do I accomplish this?
Here is a snippet from the config:
interface ATM0.1 point-to-point
ip address <public ip address>
ip nat outside
ip virtual-reassembly
pvc 8/35
class-vc Office(code)
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network as we can not get a wire shark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
The tunnel is fully up at all times and as we say can ping in both directions.
I have a site to site tunnel between two 5520 ASAs. Tunnel is up but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic. When I ping, the tunnel comes up but in the logs it says it is blocking icmp from inside to outside. I have tried the sys opt connection permit-vpn but it is not working. The traffic is from 5 specific machines within the local sub net that I put in a network object group called Celerra_Replication.
I want to them to be able to talk to 5 machines on the far end of the tunnel in a seperate sub net. They are in a net wrok object group called GP_Celerra_Replication The ACLs I created for this appear to be created correctly allowing IP from Celerra_replication to GP_Celerra_Replication and the opposite on the other side.
