Cisco VPN :: PIX515 - Routing WRT Site-to-site VPN
May 30, 2013
I'm setting up a site to site VPN link between two PIX515 running 6.3(5) and I have some questions about routing. The layout is this:
10.30.29.0/24 -|Remote Pix515|- 216.xxx.xxx.19 ~~~~ Internet ~~~~ 96.xxx.xxx.101 -|HQ Pix515|- 10.30.20.0/24
The remote Pix serves as the gateway/NAT firewall for general internet traffic as well as the VPN endpoint. Its inside IP is 10.30.29.1. The Pix at HQ serves only as the site-to-site VPN endpoint. Its IP is 10.30.20.3. NAT is disabled on VPN traffic and all IPSEC traffic is permitted (by way of "sysopt connection permit-ipsec"). The gateway for the HQ subnet is at 10.30.20.1. I need machines on the remote side to be able to "see" shares at HQ. Machines on the remote side don't need to be visible to HQ.
It seems to me the remote PIX will correctly handle routing traffic bound for the HQ subnet through the tunnel using the crypto map/ACLs. And I suspect the HQ PIX will correctly handle traffic bound for the remote subnet if/when it receives such traffic on its inside interface for the same reason. But, I have to get packets leaving machines on the HQ subnet, that are bound for the remote subnet, to the HQ PIX's inside interface somehow, right?
My question: Is it sufficient to set up a static route on the HQ gateway that routes packets bound for the remote subnet to the HQ PIX?
Apr 13, 2011
We have got site to site VPN configured between a local site with a PIX515 6.3(5) and a remote site with an ASA 5505 7.2(4). Because of a very unreliable internet connection in the remote site, we have added a new ISP link which we want to use as a redundant link. I understand the ASA 5505 can be configured with two ISP links with the SLA monitor method for redundancy as per this document, [URL]
My question is how do I set up this PIX 515 to have a redundant VPN tunnel with the remote site (when the primary ISP link fails in the remote site and the secondary ISP link takes over). I was thinking of using the PIX 515 with 2 peers in the same crypto map used for that specific site to site VPN tunnel, not sure whether that is the right way or not though. But how would I configure the ASA 5505 to use the backup interface (where the secondary ISP router connects) to participate in the site to site tunnel?
May 18, 2012
I have a requirement to create a site to site VPN tunnel on an ASA 5510 from a remote site to my HO; I already have other site-to-site tunnels up and running on the ASA. The issue is my remote site has got a network address which falls in one of the subnets used in HO (192.168.10.0/24). My requirement is only that my remote site needs to access a couple of my servers in HO which are in the 192.168.200.0/24 subnet.
Jun 17, 2012
We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9). Now there is a requirement to terminate a site-to-site VPN from a remote site. Do we need the VPN Plus licence for this and how much does it cost?
Jun 13, 2012
The scenario is that a site to site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is that a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also I could not ping the remote LAN or printer from the router.
Below is my configuration on the Cisco 877 in Site A.
Building configuration...
Current configuration : 5425 bytes
!
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!
version 12.4
no service pad
[code]....
Oct 11, 2011
cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizard on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
Feb 7, 2011
I have an ASA 5505; I configured a site to site VPN between the central site and the remote site and it is working. Now the problem is we use the remote site for troubleshooting purposes, so we need to create a tunnel from the remote site to the central site. I need to configure it in such a way that the remote site can create a tunnel to the central site, but the central site is not able to create a tunnel; it just responds to the remote site.
Mar 6, 2011
I have 2 ASA 5505 routers with the base license. I wanna make a site to site VPN connection, and the remote site uses the VPN client to connect. First, I have an HDSL router with 5 public IPs; I wanna try it by giving 1 public IP to each router and try the VPN, but nothing works?
Jul 12, 2012
I am trying to set up a site to site IPsec connection. At site A, I have Vlan 652 - 10.55.216.0/24, Vlan 653 - 10.55.217.0/24, Vlan 654 - 10.55.217.0/24 and Vlan 655 - 10.55.219.0/24, and at site B, Vlan 650 - 10.55.214.0/24 and Vlan 651 - 10.55.215.0/24. The problem is that I am unable to get any associations when I do a "sh crypto isakmp sa"/"sh crypto ipsec sa" on either router at each site. I am also unable to ping by plugging a laptop into the site at each site. The laptop at site A is set to access Vlan 655 and the laptop at site B is set to access Vlan 651. I can ping all the devices from one end to the other. I have turned on debug crypto isakmp, debug crypto ipsec, debug crypto ipsec errors but don't get anything at all as output. I have attached the sh run for each router Cisco (1941/K9) and switch (Catalyst 3750) at each site.
Nov 21, 2012
I have an ASA 5525 and need to configure site to site IPsec VPN to 3 peers. I currently have an existing /28 public address range from my ISP that is used by other services. Is there a way to use this existing IP range to configure IPsec tunnels to 3 peers?
Apr 2, 2012
hsrp+bgp+site to site vpn on router 2811.
Sep 2, 2012
I'm trying to create a VPN IPsec link between 2 offices. The VPN link is created, and I can communicate but only one way. Clients in Office B seem to have a routing problem.
Details :
Office A :
- SRP527W router.
- Client Network : 192.168.0.0 / 24
[Code].....
Feb 24, 2013
I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
Find attached the network diagram for the same. All firewalls used are Cisco ASA 5520.
Both VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have also enabled the same-security-level intra-interface permit command.
How do I enable traffic originating from LAN subnets behind Point A to reach LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?
Mar 26, 2013
I have been tasked with creating a VPN tunnel between our site and a vendor's support center. I successfully created the tunnel, which negotiates fine, but I can't seem to get the traffic flowing properly. The issue that I think I am having is that the vendor is using a public IP address for their remote internal network instead of a public one. At least that's what I think the problem is, but I'm probably wrong. Here is a diagram of how the traffic should be flowing:
Office #3 Desktop PC: 192.168.5.158
-> Office #3 Gateway (Cisco 2851): 192.168.5.1
-> EVPL
-> Office #1 Gateway (Cisco 2851): 192.168.0.11
-> Office #1 Firewall (ASA 5510): 192.168.0.5
-> Internet
-> Vendor Public IP (Cisco 7206): 68.x.x.x
-> Vendor Private LAN: 192.68.48.0/22
When I trace a route from the desktop PC to an IP address on the remote vendor end, instead of going to the ASA the traffic goes to another office. Here is what is happening to the traffic:
1 <1 ms <1 ms <1 ms 192.168.5.1 (Office #3 Gateway)
2 3 ms 3 ms 3 ms 172.20.254.5 (Office #3 EVPL VLAN to Office #2)
3 3 ms 3 ms 3 ms 192.168.1.14 (Office #2 Gateway)
4 4 ms 4 ms 4 ms 173.xxx.xxx.xxx (Public Internet)
The office with the desktop PC has no local internet access, so all internet traffic gets routed to office #2 (192.168.1.0) as shown above. I'm assuming this is happening because the vendor is using a public IP address instead of a private IP address for their network. The routers look for the shortest route, which would be the internet, and then route the traffic there. Instead they should be routing the traffic to office #1's ASA and then on to the remote vendor site. The 2851 routers are using EIGRP. I don't know if that is causing this to happen, but I tried adding static routes and the traffic always goes to the same place. I can provide configurations on any of the devices mentioned, save for the vendor's.
Oct 29, 2011
We have a site-to-site and remote VPN configured on the same interface of an ASA 5520 (software version 8.3). When remote VPN users try to connect to computers located on the distant end of the site-to-site VPN, their requests fail. I tried No-NAT between the remote VPN private IPs and the remote site private IPs, and also stated the same in split tunneling. I can't even get a tracert; ping also timed out.
Aug 21, 2011
I'd like to create a site-to-site VPN between an SRP527 and another VPN gateway. The problem is I don't see how to route all traffic from the local network (the network defined by the LAN IP interface of the SRP527) to the other VPN gateway. It seems to be only possible to define the destination network (accessible via the VPN) with IP/mask, but only for "small" networks: for example, I tried with 10.2.0.0 mask 255.255.0.0 and it's OK, but I tried with 10.0.0.0 mask 255.0.0.0 and it's not working (I obtain the message "invalid ip").
Dec 4, 2012
We are setting up a new phone system using the UC540 with a VPN connection between 2 buildings using 2 Cisco ASA 5505's at either end. The problem I am having is getting the phones at the remote site to connect to the UC540 at the main site.
Phones/Computers (10.0.1.0/24) -- ASA -------------VPN Tunnel------------- ASA -- UC540 -----------Data Vlan1 (10.0.0.0/24)
|------Voice Vlan100 (10.1.1.0/24)
What I am told by UC500 support is that the phones at the remote site will connect if they have connectivity to the TFTP subnet on the UC540, which is 10.1.10.0/30. I added the static route on the ASA and I can ping the 10.1.10.1 TFTP server on the UC540 from the ASA, but not from any other device on the 10.0.0.0/24 network, such as the DC. I added the static route there and was able to ping, so something in the ASA seems to be preventing it.
I also can't seem to get the ASA at the remote site to ping 10.1.10.1. I've tried adding the static route there in hopes it would forward it through the VPN tunnel.
Apr 8, 2013
We have 3 sites, with a Cisco ASA 5520 at each location.
HQ (Headquarters) internal network: 172.16.110.0/24,
DR (Disaster Recovery) internal network: 172.16.120.0/24
BO (Branch Office) internal network: 172.16.150.0/24
HQ and DR have a 100Mbps permanent MPLS link between each other. The Branch Office has a site-to-site VPN connection to HQ. If it fails, it establishes a site-to-site VPN connection to DR. This works perfectly. Now the routing issue... There is no route to the BO in the routing table at HQ/DR. The default gateway is used to reach the BO, and that works for HQ when the VPN is between HQ/BO. If the VPN fails over to DR/BO, HQ can't reach BO anymore. I need to have some kind of conditional route injection from the ASA where the VPN is established. I was considering a tracked static route, but I was wondering if the S2S VPN itself has functionality to do so. I thought Reverse Route Injection was it, but it's enabled on our crypto map and doesn't seem to work...
Jun 2, 2013
I'm working with a client who has a site to site VPN between the main office and a branch office. The main office is 192.168.200.0/24 and the branch office is 192.168.1.0/24. The issue is when the branch office users VPN in, they receive a 192.168.200.x address; however, they cannot access a server or any other resources at the branch office.
They have a SSL-VPN 2000 connected to a TZ100 at the main office and a Juniper device at the branch office. I did try setting the Tunnel All mode on the NetExtender but that does not allow me to access the resources at the branch office. Additionally, those users at the main office can access the resources at the branch office without getting on the VPN.
Jan 29, 2012
1. Is it possible to do vpn site-to-site between two ASA5505?
2. Is it possible to do vpn site-to-site between ASA5505 and MS ISA 2006?
3. Is there "Traffic shaping" in ASA5505?
Jan 27, 2012
I want to configure a VPN between the back office, which has an ASA5510 firewall with a static IP, and a site which has a Cisco 1861 router with a dynamic IP.
How can I configure the site to site VPN between them?
Oct 28, 2012
I'm really struggling to set up the routing through a site to site VPN to another site using subnet 212.xxx.xxx.0/24. 10.1.1.2 is a gateway that has access to the site. If I add to any server on the 10.1.1.0/24 subnet 'route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2', it is able to connect to any system on the 212.xxx.xxx.0/24 subnet. However, it doesn't work for computers connected via remote access VPN. I need to have all the servers on the 10.1.1.0/24 subnet have access to the 212.xxx.xxx.0/24 subnet, and also any computer connected via remote access VPN to the 5510. [code]
Oct 30, 2012
I'm really struggling to set up the routing through a site to site VPN to another site using subnet 212.xxx.xxx.0/24. 10.1.1.2 is a gateway that has access to the remote site. If I add to any server on the 10.1.1.0/24 subnet 'route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2', it is able to connect to any system on the 212.xxx.xxx.0/24 subnet. However, it doesn't work for computers connected via remote access VPN. I need to have all the servers on the 10.1.1.0/24 subnet have access to the 212.xxx.xxx.0/24 subnet, and also any computer connected via remote access VPN to the 5510.
Aug 29, 2012
I am struggling to set up a site-to-site VPN connection between 2 sites. I have a feeling it's because I configured NAT'd IP addresses on both routers. The IP address range and subnet details are listed below, including the make/model of my VPN router.
Sep 12, 2011
I configured an IPsec VPN on an ASA 5510. My inside IP: 192.168.10.156, my public IP: 85.x.x.x, my peer IP: 62.x.x.x
The project is this:
The remote site wants the interesting traffic like this:
source IP 172.16.1.104 can access destination IP 10.0.154.27
My inside IP is 192.168.10.0/0 and I cannot change it to 172.16.1.0/24, and I cannot add this IP to my network.
May 30, 2013
I would like to know whether both the Cisco 2901 or 2921 router and the Cisco 5505 ASA can build a site to site VPN.
1) What is the difference in building a site to site VPN between a router and a firewall?
2) Which is the best choice to use in a site to site VPN connection?
Mar 6, 2013
Our headquarters (ASA 5510) is running a site to site VPN connection with a branch office (router 2811). All remote users are accessing the internet through the VPN and also accessing headquarters file servers. I want to know if there is a way for some remote users to be able to use the VPN for accessing the file servers but to access the internet through the branch office. The rest of the remote users will still be accessing the internet through the VPN.
Nov 27, 2011
We've just deployed a site-to-site VPN using a 5505 ASA on the client's site and a Checkpoint Nokia FW on our site. Everything seems to be fine except that the users' connections to their file shares seem to be intermittently dropping. One minute the connection to the shares is there, the next it's lost. There is no logic to it because no two users are experiencing issues at the same time; as a matter of fact, even on the same PC where a user has access to 3 shares on 3 different servers, one could be showing as connected whereas the other two are dropping. [code]
As you can see the Duplex and Speed are set to auto, I've rectified this since then and I'm keeping a close eye on the output errors, and collisions. However, I'm afraid that this did not rectify the issue and the users are still experiencing intermittent connection dropping to their file shares over the VPN!
Jul 28, 2011
I have a request to establish a site to site VPN with a customer. While collecting the information I gave them our local network subnet, which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They cannot work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side, I believe, is a Checkpoint.
Apr 22, 2012
I've set up a site to site VPN on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up, but I am not able to pass traffic. When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.
Aug 13, 2012
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows:
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny
[code].....
It won't allow us to set up a VoIP call; however, when the same call manager sets up a VoIP call NOT using this IPsec tunnel, it works just fine.
Jul 15, 2012
We have two ASA 5510s, one on 8.4(4) and one on 8.2(5), in a site-to-site VPN setup. All internal traffic is working smoothly.
Site/Subnet A: 192.160.0.0 - local (8.4(4))
Site/Subnet B: 192.260.0.0 - remote (8.2(5))
VPN Users: 192.160.40.0 - assigned by ASA
When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc. are not reachable by ping or otherwise. There are also some weird NAT rules that I am not happy with that were created after I upgraded the Site A ASA to 8.4.
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, email, internet and the site-to-site. What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
Jul 21, 2011
I set up RA-VPN under the local ASA 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then I have 5 site to site VPNs working fine, but when I'm trying to access those L2L VPNs from the remote access client I'm not able to do that. So after that I decided to obtain IP addresses from my DHCP server so I can obtain IPs from my local network (172.17.16.0/16) and then access the site to site VPN normally. But the surprise was that the VPN Cisco client is getting a local IP address (172.17.16.222) perfectly but I'm not able to access even my local network.
I have same-security-traffic permit inter-interface and same-security-traffic permit intra-interface enabled.