Cisco VPN :: Remote User VPN Across Interfaces 5510
May 5, 2013
I have a client that wants to segment their wireless network behind their ASA. We currently have a normal setup, 5510, 2 interfaces, outside, inside. On the inside network there are Cisco Wireless APs that allow for internal access to the network. We want to move the APs to a new interface on the ASA and only allow traffic between this new "Wireless" network and the internal network by using remote user VPN. So my question is, can you use remote user VPN from the new Wireless network to the inside network?
Oct 20, 2011
ip local pool VPNPOOL 192.168.200.1-192.168.200.100.
I can access servers with remote VPN which are located at the DMZ zone at the ASA (write nonat access-list), but I cannot access the 192.168.193.0 subnet at the ASA. I configured a proxy server. My proxy server's inside interface gets an IP address from my DMZ zone (172.16.10.254), and its outside is the IP address of the ASA outside interface (10.0.0.254). The users (192.168.193.0/24) go to the Internet from the proxy server.
[code]....
Jun 30, 2011
ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connection profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
Jun 20, 2012
Can ASA sub-interfaces run separate IP Sec VPN tunnels eg
There are 02 sub-interfaces of 01 physical interface of Cisco ASA5510 [ASA Version 8.2(5)] and I need to run 01 IP Sec VPN tunnel on each of these
May 4, 2012
I have two inside interfaces (both security level 100) inside and inside110. Inside is 192.168.105.3/24 and inside110 is 192.168.110.3/24. I have a PC on the 192.168.105.0/24 network. I cannot ping the 192.168.110.3 IP of interface inside110.
Aug 20, 2012
I am trying to enable a second WAN interface on our ASA. The end goal is to move all internet traffic to the new connection, but first I want to test it working. I have set up my computer as an object in the ASDM and the interface is configured correctly (same settings on a different router and that was working). I set up a route with a lower metric (1 lower than the default route which routes everything through current main internet interface) to route traffic from my computer out through the new interface, but I am still connected on the old interface. I duplicated some of the NAT rules (but I would have thought if these weren't working then I would have no internet connection anyway).
Mar 12, 2011
I configured ASA 5510 ...
Totally it had 5 ports..
How to provide communication between two different interfaces which had configured as same security level?
How many trunks will support ASA 5510 with base-license?
How to configure trunk to an interface with different VLANs (Router on a stick).
Jan 5, 2013
I have an ASA5510 with PLUS License. I have 2 inside interfaces, STAFF and MAIL, and two outside interfaces, OUT_STAFF and OUT_MAIL, which are on separate ISPs. Now I want to NAT STAFF to OUT_STAFF and MAIL to OUT_MAIL; because I'm having two default routes it gets impossible to do.
Jun 11, 2013
I've been following most of the comments regarding how to allow communication between two internal networks on an ASA5510 8.2.5, but I am still a little confused about how to set my firewall. I made changes to it and still do not have the desired results.
I need to allow communication between Interface 0/1 and Interface 0/2. See configuration file with fake or dummy IP address below.
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com
[Code].....
Feb 13, 2012
I have a question regarding firewall configurations. Is it possible to have two interfaces ( for two internet service providers) one for voice and one for data. Can I have two Outside Interfaces that one will apply to a pppoe client group and the other will apply to a static IP? Is this possible and if so What would be the steps on applying this connection? Also to note I have a point to point connection already established for the pppoe. I also have another point to point connection for data, but however I do not know how to apply this to the firewall.
Mar 12, 2011
Is it possible to provide communication between two different interfaces which had configured as different security level in ASA 5510?
Oct 23, 2011
I have a Cisco ASA 5510 configured to access the internet, with an:
inside interface (ethernet 0/1) 130.130.0.254 and outside interface (ethernet 0/0) x.x.x.x
I have now configured another inside interface (ethernet0/2) on ASA with the IP 172.16.0.254 and I have connected it directly to another switch with a management IP 172.16.0.5.
The problem is that the two inside interfaces (130.130.0.254 & 172.16.0.254) cannot communicate with each other, thus the e0/2 172.16.0.254 interface cannot access the internet.
Mar 6, 2012
How to force traffic back out the same interface from whence it entered. Review the following topology.
Internet ---> ASA 5510 ---> Static IP1 ---> F3.1 ---> 1811 F0
|-------> Static IP2 ---> F3.2 ---> 1811 F5 ---> VLAN Int
ASA F3.1 10.1.254.9/30
ASA F3.2 10.1.254.13/30
1811 F0 10.1.254.10/30
1811 F5 10.254.1.14/30
When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1.
How do I get the replies from the 1811 to go back out the same interface from whence it entered ? I am sure the answer is policy-based routing, but not sure how to write the config.
Jan 15, 2013
I need to route to subnets from 2 different ASA interfaces. The ASA also has an outside interface that works like a gateway for internet access. Here is my configuration:
ASA Version 8.2(1)
hostname ICE3
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
[Code]....
Jun 21, 2012
I use 3 interfaces on an ASA 5510. First interface is Lan, Second interface is Outside, Third interface is ADSL. The Outside interface is used for VPN L2L and smtp traffic. (Leased line on router managed by ISP) The Adsl interface is used for Http traffic. (Adsl Cisco router) I use this configuration found on another forum subject for routing.
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route adsl 0.0.0.0 0.0.0.0 y.y.y.y 2
nat (inside) 1 0 0
global (outside) 1 interface
global (Adsl) 1 interface
static (Adsl,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
The problem is now I have a www intranet server on the VPN remote site. How can I exempt the http traffic to the intranet server routed through the Adsl interface?
Apr 8, 2013
I am trying to setup intervlan routing with a Cisco ASA 5510 and two 2960-S switches. The 5510 currently is using ASA Version 7.0(2) and has a base license. I tried to create a sub interface today based on some info I found regarding the routing piece and it didn't recognize the command. I'm thinking I may need to update the IOS code or the license on the firewall. I know the syntax was correct because I looked it up and found it in a Cisco document.
Jun 10, 2013
We have two ASA 5510 connected in failover, and a pair of Cisco 2960s switches connected in stack. Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in stack. For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought to use EtherChannel, but it has a limitation that it cannot be terminated on a stack switch (as per Cisco document [URL]).
So my question is :
1. can we use redundant interface feature where 2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
Oct 18, 2012
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP Link, eg below:
LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer 1.1.1.1
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer 3.3.3.3
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1
crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establishing the VPN tunnels in either direction when using ISP_1 works fine, establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2
1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly, either to return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient license etc...
Dec 30, 2012
I have a Cisco ASA 5510 with 3 inside interfaces each connected to a 3750X switch port in a vlan. Outside interface is connected to external router with 209.155.x.x public IP. Static route exists for outbound traffic on outside interface.
3750X is configured for inter-vlan routing. VLANs 10, 20, and 30 have 172.16.x.1 IP address with static routes pointing to the each of the ASA inside interfaces - 172.16.x.254. Connected hosts are configured with gateways pointing to the appropriate vlan interface IP - 172.16.x.1.
Inter-vlan routing appears to be working - I can ping back and forth between hosts on different vlans, and I can ping each vlan IP. I can also ping each ASA inside interface from a host in the appropriate vlan, but I cannot ping internet sites (4.2.2.2 or 8.8.8.8) from hosts on the inside interfaces.
I can ping 4.2.2.2 from the ASA CLI. I can ping internal hosts on vlans 10,20,30 from the ASA CLI. But, no luck with pinging from inside host to internet hosts.
Nov 13, 2011
Unable to create VLAN interfaces in ASA 5510
Jun 6, 2011
How do I set up remote login that would allow 3 or 4 people to log in to the same computer? Each person would have their own Windows User Account name, with different privileges. I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.
Jun 6, 2011
Each person would have their own Windows User Account name, with different privileges. I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router. This is a very small business and keeping costs under control is important.
Jun 21, 2011
It seemed that show vpn-sessiondb ra-ikev1-ipsec will not provide the client type of the remote vpn user as show vpn-sessiondb remote did before.
Is there a way to find it out on ASA running 8.3?
Aug 19, 2012
Someone hacked into my computer through my Netgear router. They took over as Administrator and set up an Atheros (sp) driver. They pretty much have total control over my computer. How can I rid myself of this hack and protect myself in the future?
Apr 19, 2011
I want to share the My Documents folder from an XP machine with ONLY one user (the administrator) on a networked Win 7 machine. I have turned off simple sharing on the XP machine. I hate XP!! So complicated to do anything. Anyway, under security, I have tried share this folder, and not to share folder. I have gone into Advanced and messed around with permissions, taking out Everyone, using Admin only, using Network. At one point I ended up not being able to access My Documents on the local computer and had to jump through many hoops to change ownership and disable read only so that the user could use her own files! The problem is, under Advanced in the permissions area, I cannot see the users on the remote PC to choose which one should be allowed access. How to actually find a particular user on the Win 7 PC and give ONLY that user permission to read (not to change) the files in My Documents on the XP PC.
Jun 6, 2011
How do I set up remote login that would allow 3 or 4 people to log in to the same computer? Each person would have their own Windows User Account name, with different privileges. I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router. This is a very small business and keeping costs under control is important.
Sep 15, 2011
At first I used ACS 4.2 to create a static IP address user for remote access VPN. It's easy, just configure it at user set>Client IP Address Assignment>Assign static IP address, but when I use ACS 5.2 I can't find it. I tried to add an IPv4 address attribute to the user by reading the "ACS 5.2 user guide"; it says this: [code] I did this, but it does not work. When I use the EasyVPN client to connect to the ASA 5520, the user can get through authentication but will not get the static IP address which I configured on Internal Users. So, what should I do, if anybody knows how to use ACS 5.2 to create a static IP address user for remote access VPN.
May 5, 2011
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who needs to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using ZBF I think that I should inspect traffic from my LAN zone to EXT zone. Is there a document that describes a solution to this? What IP addresses should I use?
Oct 3, 2011
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who needs to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using ZBF I think that I should inspect traffic from my LAN zone to EXT zone.
Apr 5, 2011
Our customer has an ASA5520 Security appliance. I have already configured the remote VPN in the ASA; users can log on via the internet by VPN client and can access the internal network. The customer hopes we can make some configuration so that if a remote user logs on to the ASA by VPN, it notifies them by email that someone logged in to their VPN.
Jul 5, 2011
I need to configure our ASA5505 firewall for remote access to our network using EasyVPN software installed on a laptop. That laptop will be connected in the different places, using DSL or 3G toggle or Public Wi-Fi. For some people it's very easy, but I don't have any experience with firewalls.
Jun 16, 2012
How many remote users can connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? I already read the VPN Client FAQ, but there is no information about user limitation.