Cisco VPN :: PIX515 - Routing WRT Site-to-site VPN

May 30, 2013

I'm setting up a site to site VPN link between two PIX515 running 6.3(5) and I have some questions about routing. The layout is this:
 
10.30.29.0/24 -|Remote Pix515|- 216.xxx.xxx.19 ~~~~ Internet ~~~~ 96.xxx.xxx.101 -|HQ Pix515|- 10.30.20.0/24 

The remote Pix serves as the gateway/NAT firewall for general internet traffic as well as the VPN endpoint. Its inside IP is 10.30.29.1. The Pix at HQ serves only as the site-to-site VPN endpoint . Its IP is 10.30.20.3. NAT is disabled on VPN traffic and all IPSEC traffic is permitted (by way of"sysopt connection permit-ipsec").The gateway for the HQ subnet is at 10.30.20.1.I need machines on the remote side to be able to "see" shares at HQ. Machines on the remote side don't need to be visible to HQ.
 
It seems to me the remote PIX will correctly handle routing traffic bound for the HQ subnet through the tunnel using the crypto map/ACLs. And I suspect the HQ PIX will correctly handle traffic bound for the remote subnet if/when it receives such traffic on its inside interface for the same reason. But, I have to get packets leaving machines on the HQ subnet, that are bound for the remote subnet, to the HQ PIX's inside interface somehow, right?
 
My question: Is it sufficient to setup a static route on the HQ gateway  that routes packets bound for the remote subnet to the HQ PIX?

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: Site To Site VPN Between PIX515 And ASA 5505 With Dual ISP?

Apr 13, 2011

We have got site to site VPN configured between local site with PIX515 6.3(5) and remote site with ASA 5505 7.2(4) . Because of very unreliable internet connection in remote site , we have added new ISP link  which we want to use as redundant link .i understand ASA 5505 can be configured with two ISP link with SLA monitor method for redundancy as per this document ,[URL]
 
my question is how do i set up this pix 515 to have redundant VPN tunnel with remote site (when primiary ISP link fails in remote site and  secondary ISP links takes over ) .  I was thinking of using   PIX 515 with 2 peers in same crypto map used for that sepcific site to site vpn tunnel,not sure that is the right way or not though.But how would i configure ASA 5505 to use backup interface(where secondar isp router conects ) to particitae in Site to site Tunnel .

View 4 Replies View Related

Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only  My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.

View 2 Replies View Related

Cisco VPN :: 5520 Requirement To Terminate Site-to-site VPN From Remote Site

Jun 17, 2012

We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?

View 1 Replies View Related

Cisco VPN :: 877 / How To IPsec Site To Site Vpn Port Forwarding To Remote Site

Jun 13, 2012

The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
 
Below are my configure on the Cisco 877 in site A.  
 
Building configuration... 
Current configuration : 5425 bytes
!
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!
version 12.4
no service pad

[code]....

View 1 Replies View Related

Cisco VPN :: 5505 - Site To Site Connected But Cannot Ping Remote Site

Oct 11, 2011

cisco products and am struggling getting a VPN going between an ASA 5505 and 5510.  I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).

View 11 Replies View Related

Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.

View 3 Replies View Related

Cisco VPN :: ASA 5505 Site To Site Connection / Remote Site?

Mar 6, 2011

i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?

View 1 Replies View Related

Cisco Switching/Routing :: 1941 / K9 Unable To Ping Over Site To Site IPSEC

Jul 12, 2012

I am trying to set up a site to site ipsec connection. AT site A, I have Vlan's 652-10.55.216.0/24, Vlan653 -10.55.217.0/24, Vlan 654-10.55.217.0/24 and Vlan655-10.55.219.0/24 and at site B, Vlan650-10.55.214.0/24 and Vlan651-10.55.215.0/24.The problem is that I am unable to get any associations when i do a "sh crypto isakmp sa"/"sh crypto ipsec sa" on either router at each site.I am also unable to ping by pluging in a laptop into the site at each site. Laptop at site A is set to access vlan 655 and laptop at site B is set to acess vlan 651. I can ping all the devices from one end to the other.I have turned on debug crypto isakmp, debug crypto ipsec, debug crypto ipsec errors but dont get anything at all as output.I have attached the sh run for each router Cisco (1941/K9) and switch (Catalyst 3750) at each site.

View 4 Replies View Related

Cisco Switching/Routing :: ASA 5525 - Configure Site-To-Site IPsec VPN To 3 Peers

Nov 21, 2012

I have an ASA 5525 and need to configure site to site ipsec vpn to 3 peers. I currently have an existing /28 public address from my ISP that is used by other services.Is there a way to use this existing ip range to configure IPSEC tunnels to 3 peers ?

View 10 Replies View Related

Cisco Switching/Routing :: HSRP / BGP / Site To Site VPN On Router 2811

Apr 2, 2012

hsrp+bgp+site to site vpn on router 2811.

View 2 Replies View Related

Cisco Routers :: RV082 - SRP527W Site-to-site VPN - Routing Table?

Sep 2, 2012

i'm trying to create a VPN IPSEC link between 2 offices. The VPN link is created, and i can communicate but only one way. Clients in Office B seems to have routing problem.
 
Details :
Office A :
- SRP527W router.
- Client Network : 192.168.0.0 / 24

[Code].....

View 5 Replies View Related

Cisco VPN :: ASA 5520 - Routing Traffic Between Two Site To Site Tunnels

Feb 24, 2013

I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
 
find attached Network Diagram for the same. All Firewalls used are Cisco ASA 5520.
 
Both VPN tunnels between Point A and Point B, Point B and Point C too are up. I have enabled Same security level intra interface permit command also.
 
How do i enable traffic originating from LAN Subnets behind Point A to reach LAN Subnets behind Point C without having to create a Seperate tunnel between Point A and Point C

View 5 Replies View Related

Cisco Switching/Routing :: 2851 / Site-to-Site VPN Through EVPL?

Mar 26, 2013

I have been tasked with creating a VPN tunnel between our site and a vendor's support center.  I successfully created the tunnel, which negotiates fine, but I can't seem to get the traffic flowing properly.  The issue that I think I am having is that the vendor is using a public IP address for their remote internal network instead of a public one.  At least that's what I think the problem is, but I'm probably wrong   Here is a diagram of how the traffic should be flowing:
  
Office #3             Office #3                       Office #1            Office #1                         Vendor       Vendor
Desktop PC          Gateway                        Gateway            Firewall                           Public IP     Private LAN
192.168.5.158 -> 192.168.5.1 -> EVPL -> 192.168.0.11 -> 192.168.0.5 -> Internet -> 68.x.x.x -> 192.68.48.0/22
                             Cisco 2851                    Cisco 2851        ASA 5510                      Cisco 7206
 
When I trace a route from the desktop PC to an IP address on the remote vendor end, instead of going to the ASA the traffic goes to another office.  Here is what is happening to the traffic:
 
1     <1 ms     <1 ms     <1 ms     192.168.5.1          (Office #3 Gateway)
2       3 ms       3 ms       3 ms     172.20.254.5        (Office #3 EVPL VLAN to Office #2)
3       3 ms       3 ms       3 ms     192.168.1.14        (Office #2 Gateway)
4       4 ms       4 ms       4 ms     173.xxx.xxx.xxx   (Public Internet)
 
The office with the desktop PC has no local internet access, so all internet traffic gets routed to office #2 (192.168.1.0) as shown above.  I'm asuming this is happening because the vendor is using a public IP address instead of a private IP address for their network.  The routers look for the shortest route, which would be the internet, and then route the traffic there.  Instead they should be routing the traffic to office #1's ASA and then on to the remote vendor site.  The 2851 routers are using EIGRP.  I don't know if that is causing this to happen but I tried adding static routes and the traffic always goes to the same place.  I can provide configurations on any of the devices mentioned, save for the vendor's. 

View 2 Replies View Related

Cisco VPN :: ASA 5520 / Routing Site-to-Site VPN To Remote Users?

Oct 29, 2011

We have a site-site and remote vpn configured in same interface in ASA 5520 ( software version 8.3  ). When Remote vpn users try to connect to computers located on the distant end of site-site VPN, their request failed. I tried No-Nat between  remote vpn private IP to the remote site private IP, also stated the same in Split tunneling. I cant find even the tracert, ping also timed out.

View 7 Replies View Related

Cisco Routers :: Routing All Traffic To Vpn Site-to-site With SRP527W

Aug 21, 2011

I'd like to create a site-to-site vpn between an SRP527 and an other vpn gateway. The problem is i don't see how to route all traffic from the local network (network defined by the lan ip interface of the SRP527) to the other vpn gateway? It seems to be only possible to define the destination network (accessible via the vpn) with ip/mask (but only for "small" network: for exemple i tried with 10.2.0.0 mask 255.255.0.0 and it's ok but i tried with 10.0.0.0 mask 255.0.0.0 -> it's not working. I obtain the message "invalid ip")

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Site-to-Site With UC540 Routing?

Dec 4, 2012

We are setting up a new phone system using the UC540 with a VPN connection between 2 buildings using 2 Cisco ASA 5505's at either end.The problem I am having is getting the phones at the remote site to connect to the UC540 at the main site.
 
Phones/Computers (10.0.1.0/24) -- ASA -------------VPN Tunnel------------- ASA -- UC540 -----------Data Vlan1 (10.0.0.0/24)
|------Voice Vlan100 (10.1.1.0/24)
 
What i am told by UC500 support is that the phones at the remote site will connect if they have connectivity to the TFTP subnet on the UC540, which is 10.1.10.0/30 I added the static route on the ASA and I can ping the 10.1.10.1 TFTP server on the UC540 from the ASA, but not for any other device on the 10.0.0.0/24 network, such as the DC.  I added the static route there and was able to ping, so something in the ASA seems to be preventing it. 
 
I also can't seem to get the ASA at the remote site to ping 10.1.10.1.  I've tried adding the static route there in hopes it would forward it through the VPN tunnel.

View 1 Replies View Related

Cisco VPN :: ASA 5520 / Site To Site Failover VPN Connection And Routing?

Apr 8, 2013

We have 3 sites, with a Cisco ASA 5520 at each location.
 
HQ (Headquarters)              internal network: 172.16.110.0/24,
DR (Disaster Recovery)       internal network: 172.16.120.0/24
BO (Branch Office)               internal network: 172.16.150.0/24
 
HQ and DR have a 100Mbps permanent MPLS link between each other.Branch Office has a Site 2 Site VPN connection to HQ. If it fails, it establishes a Site 2 Site VPN connection to DR. This works perfectly.Now the routing issue... There is no route to the BO in the routing table at HQ/DR. The default gateway is used to reach the BO and that works for HQ when the VPN is between HQ/BO. If the VPN fails over to DR/BO, HQ can't reach BO anymore.I need to have some kind of conditional route injection from the ASA where the VPN is established. I was considering a tracked static route, but I was wondering if the S2S VPN itself has a functionality to do so. I thought the Reverse Route Injection was it but it's enabled on our crypto map and doesn't seem to work...

View 4 Replies View Related

SSL-VPN 2000 / TZ100 -Routing Traffic Over Site To Site VPNs

Jun 2, 2013

I'm working with a client who has a site to site VPN between the main office and a branch office. The main office is 192.168.200.0/24 and the branch office is 192.168.1.0/24. The issue is when the branch office users use the VPN in they receive a 192.168.200.x address, however, they cannot access a server or any other resources at the branch office.

They have a SSL-VPN 2000 connected to a TZ100 at the main office and a Juniper device at the branch office. I did try setting the Tunnel All mode on the NetExtender but that does not allow me to access the resources at the branch office. Additionally, those users at the main office can access the resources at the branch office without getting on the VPN.

View 8 Replies View Related

Cisco Switching/Routing :: Do VPN Site-to-site Between Two ASA 5505?

Jan 29, 2012

1. Is it possible to do vpn site-to-site between two ASA5505?

2. Is it possible to do vpn site-to-site between ASA5505 and MS ISA 2006?

3. Is there "Traffic shaping" in ASA5505?

View 3 Replies View Related

Cisco VPN :: ASA5510 - Site To Site With Dynamic IP In One Site

Jan 27, 2012

i want configure VPN between backoffice which have ASA5510 firewall with static IP and site which have cisco router 1861 with dynamic IP.
 
how i can configure the site to site between them?

View 2 Replies View Related

Cisco Switching/Routing :: Site-to-Site VPN Routing On 5510

Oct 28, 2012

I'm really struggling to setup the routing through a site to site vpn to another site using subnet 212.xxx.xxx.0/24 10.1.1.2 is a gateway that has access to the site. If I add to any server on the 10.1.1.0/24 subnet route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2 it is able to connect to any system on the 212. xxx. xxx.0/24 subnet. However it doesn't work for computers connected via remote access vpn. I need to have all the servers on 10.1.1.0/24 subnet have access to 212.xxx.xxx.0/24 subnet and also any computer connected via remote access vpn to the 5510. [code]

View 2 Replies View Related

Cisco :: Site To Site VPN Routing

Oct 30, 2012

I'm really struggling to setup the routing through a site to site vpn to another site using subnet 212.xxx.xxx.0/24, 10.1.1.2 is a gateway that has access to the remote site. If I add to any server on the 10.1.1.0/24 subnet 'route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2' it is able to connect to any system on the 212.xxx.xxx.0/24 subnet. However it doesn't work for computers connected via remote access vpn.I need to have all the servers on 10.1.1.0/24 subnet have access to 212.xxx.xxx.0/24 subnet and also any computer connected via remote access vpn to the 5510.

View 1 Replies View Related

Protocols / Routing :: Site-To-Site VPN

Aug 29, 2012

I am struggling to setup a site-to-site VPN connection between 2 sites. I have a feeling it's because I configured NAT'd IP addresses on both routers. The IP address range and subnet details are listed below, including the make/model of my VPN router.

View 4 Replies View Related

Cisco Security :: ASA 5510 - Site To Site IPSEc VPN Configuration Access List

Sep 12, 2011

I configurated Ipsec vpn at asa 5510. my inside ip 192.168.10.156my public ip: 85.x.x.xmy peer ip : 62.x.x.x
 
the project is that:
the remote site want the interesting traffic like that:
source ip 172.16.1.104 can access destination ip 10.0.154.27

My inside ip is 192.168.10.0/0 and i can not to change it 172.16.1.0/24 and i can not to add this ip at my network.

View 3 Replies View Related

Cisco VPN :: 2901 / 2921 / 5505 ASA - Router Versus Firewall Site To Site VPN?

May 30, 2013

I would like to know both Cisco 2901 or 2921 router and Cisco 5505 ASA can build site to site VPN.
 
1) what is the different to build site to site VPN between router and firewall ?

2) which is the best choice if using in site to site VPN connection ? 

View 9 Replies View Related

Cisco VPN :: 5510 Site-to-Site VPN Internet Access From Branch Office For Group

Mar 6, 2013

Our Headquarter (asa 5510) is running a site to site vpn connection with a Branch office (router 2811). All remote users are accesing the internet through the VPN and also accesing headquarter file servers.I want to know if there is a way for some remote users to be able to use the vpn for accesing the file servers but to access the internet through the branch office.  The rest of the remote users will be still accessing the internet through VPN.

View 2 Replies View Related

Cisco VPN :: 5505 Connection To Mapped File Shared Dropping On A Site-to-Site VPN

Nov 27, 2011

We've just deployed a site-to-site VPN using a 5505 ASA on the client's site and a checkpoint Nokia FW on our site. Everything seems to be fine except that the user's connections to their file shares seem to be intermittently dropping. One minute the connection to the shares is there, next thing it's lost. There is no logic to it because no two users are experiencing issues at the same time, as a matter of fact even on the same PC where a user has access to 3 shares on 3 different servers, one could be showing as connected whereas the other two be dropping. [code]
 
As you can see the Duplex and Speed are set to auto, I've rectified this since then and I'm keeping a close eye on the output errors, and collisions. However, I'm afraid that this did not rectify the issue and the users are still experiencing intermittent connection dropping to their file shares over the VPN!

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
 
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.

View 5 Replies View Related

Cisco VPN :: ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN?

Apr 22, 2012

I've setup a site to site vpn on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up but I am not able to pass traffic.  When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 Site To Site RTP Traffic Is Hitting Deny All Rule?

Aug 13, 2012

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows
 
 Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny

 [code].....
 
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.

View 2 Replies View Related

Cisco VPN :: ASA 5510 - AnyConnect Users Cannot Access Remote Office Over Site-to-site

Jul 15, 2012

we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.

Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4

Site A internal: 192.160.x.x     External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x     External: 66.66.666.54(all)

I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?

Here is my NAT config:

nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL

[code]....

View 3 Replies View Related

Cisco VPN :: Remote Client Cannot Connect To Local Network Or Site To Site ASA 5510

Jul 21, 2011

I setup RA-VPN under local asa 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then i have 5 site to site VPN working fine but when im traying to access to those L2L VPNs from the remote acces client im not able to do that. So after that i decided to obtain IP addresses from my DHCP server so i can obtain IPs from my local network (172.17.16.0/16) and then access normally to the VPN site to site. But the surprise was that the VPN cisco client is getting local IP address (172.17.16.222) perfectly but im not able to access even to my local network.

I have the same-security-traffic permit inter-interface same-security-traffic permit intra-interface enable.

View 6 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved