Cisco VPN :: Setting Up Two Separate 5510 At Two Different Locations
Nov 1, 2011
I'm setting up two separate 5510's at two separate locations. The client wants two separate SSL-VPNs; one for the HQ and one for the COLO location. They have a single domain for which I have added A-records to point to the corresponding ASAs thusly:
My question is this: do I need to buy separate certificates for each ASA/FQDN/IP combo? I'm using GoDaddy to buy the certs. If I do need to buy separate certs, that makes the installation easier, but may waste $$. If I only need to buy one cert, how do I set it up so that both combos are verified?
Feb 11, 2011
Setting up networks with multiple locations and multiple wireless points. For example: my sister's home has her modem in her main computer room; it has a Belkin router hooked to the modem. Then a line goes from there to my nephew's room, where I tried to expand their network by adding another router. I really just wanted an access point, but they don't seem to sell these as much as they used to. Anyway, I had it working, but it was two different networks, NETWORK1 and NETWORK2, so they had to swap networks when moving around the house. What would be the best hardware setup to provide both sides of the house with some hardwired access as well as wifi access? Right now, we have two routers, a DIR615 (or something like that) and a Cisco E1000, and again hardwire going from the main computer room to my nephew's room. Also, in my house, I have lots of stuff... I have an Actiontec router from FIOS, feeding a small hub as well as a switch in my main room, which then feeds a PS3, Wii, laptop, Denon receiver, and access point... and also feeds my Apple TimeCapsule, which also feeds my printer. My wireless devices range from cameras, iPhones/iPads, and a wifi unit (I forget what it's called, but it connects my DVR wirelessly to my network, and the DVR itself doesn't have wifi).
My question about my setup is, should everything be on one network... as in let the ActionTec handle most of the duties and use switches and access points to extend the network? Should everything be on the same wireless network and channels? Like if I used my access point to extend, do I want the same settings as my main wireless router, and would that be the same for the Apple Airport Extreme? Also, does having all these wireless networks going create any kind of hindrance on my performance? For example, the PS3 has some sort of wifi in it... it produces an SSID, but I never connect to it. Should I make sure that's off? And in my main room, should I go with just the AirPort Extreme over using it and the wireless access point?
Mar 22, 2011
We are facing a major issue of the VPN tunnel going down very often. I have 7 Site-2-Site VPN connections; this works fine for some days and suddenly the VPN tunnel goes down intermittently for one or a few locations, and I need to clear the ISAKMP SA for that specific tunnel to come up. When the tunnel goes down, the VPN phase 1 status is:
6 IKE Peer:
Type : L2L Role : initiator
Rekey : yes State : MM_ACTIVE_REKEY
7 IKE Peer:
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2
After clearing phase 1 for specific tunnel the VPN tunnel come up.
7 IKE Peer:
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
CINBLR01-SQDR-FIREWALL-00002# sh version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
CINBLR01-SQDR-FIREWALL-00002 up 1 day 17 hours
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
This platform has an ASA 5510 Security Plus license.
May 23, 2011
Firewall ASA5510. I'm planning to get one ASA5510 for our office in order to secure our network properly; however, we have quite a specific routing configuration to allow us to fail over to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install the firewall between our ISP router and the Internet and allow traffic to/from the data centre. In this situation, will I have to change the routing configuration on the company router, or do I have to do anything with our company router?
Oct 3, 2012
I am not an ASA expert but I have configured them a few times. I have a vision of a task I have to complete but I'm not sure if it is practical or how to go about doing it.
We have two locations, Location A and Location B. Both locations have a 100MB internet connection. Location A has an ASA 5510. Location B has a 5505. Users at both locations access the internet via their respective ASA. Location A is the headquarters and Location B is a disaster recovery site. We want to set up a tunnel between both ASAs. This tunnel will be used to replicate data between the two locations for DR purposes. We need the users to still use the same pipe to get to the internet but want to allocate 10MB for internet use and the remaining 90MB for the DR tunnel.
Feb 5, 2012
I would like to set up two separate networks from one internet connection (modem), with the goal being to have a public network (Network A) that would have a small server on it, and then a second secured network (Network B) that would have my personal computers on it, with both networks having a connection to the internet. (The idea being that if the server somehow became compromised, my personal computers and their data would be safe.) I have done some research and found that many people claim this can be done with just two or three routers, but none of them go into any detail about how to configure the routers. Below are the physical setups of the two options that I have come up with in my research. Which, if either, would you recommend? And how would I configure each of the routers?
Modem/router 1 (Network A public)
--Internet-in WAN port
--port 1 to WAN of router 2-------------l
--port 2 server
Oct 3, 2012
I'm new at this stuff and very stumped. I have one WAP with multiple SSIDs that support VLAN IDs (for a private and a guest wireless network) and a managed switch that supports tag- or port-based VLAN IDs. How do I set up the switch so that the networks are separate, but can still reach their own routers to get on the Internet? In case details are necessary, the WAP is a Cisco Aironet 1130AG and the switch is a Netgear FS750T2.
Feb 17, 2011
I am setting up a 1921 with two Ethernet WAN ports going to two separate ADSL ISPs (via bridged modems) and one connecting to the internal LAN. There is a single e-mail / web server behind the router.
I have been reading the following, which is exactly what we want to do, but I have questions. Maybe failover would be better because load balancing seems a little too quirky without BGP. url...
How do we define public static IPs? The example seems to show DHCP. In order to detect if a line is down, it has to ping an IP address that is specific to the connection, correct? So could I use the gateway for the ISP? The issue I have with this is the gateway might be up, but the Internet down. Next, we need to make sure that when someone visits one of our public IP addresses, the return data is sent through the connection requested. What we don't want is a situation where incoming connections are not working. From experience, load balancing causes certain websites and SaaS applications to break because requests are coming from two different ISPs. Is this the case with OER? Finally, any links, config or something to advise how a failover-only configuration would work given we have internal servers (PAT/NAT inbound would need to translate properly with the failover IP)? Basically, if ISP 1 goes down, i.e. the router cannot ping, then it switches to ISP 2 until ISP 1 comes back online and switches back? This would need to change the NAT rules for inbound as described.
Jun 13, 2012
I have a 4-port Netgear modem/router (DG834), and need to distribute its Internet connection according to the following criteria:
1. There are 11 access points (3 wired, 8 wireless) across 4 floors of a building; all cabling is from a central point, which will connect through a switch. Cat 5e cabling is in place.
2. The wireless points need Power over Ethernet connections.
3. The 4 router ports serve 2 PCs and a printer in an office, the fourth being the connection to the switch.
4. There must be network separation so that:
- all points have Internet access
- there are three separate groups: one for the office, one for staff (wired) and one for guests (the wireless points), the purpose being to ensure that no user in one group can access any user's device in the other 2 groups. I'm assuming VLAN is the method for this.
5. Traffic on the network is likely to be fairly low: casual use of the wireless ports, with the office PCs only being used for Internet access and email; no transactional systems, large databases or other resource / network-intensive functions.
1. Both the Netgear FS726TP and GS724TP look as if they will do what I want, using WNAP210 wireless access points. Could I achieve the same outcome with 2 x GS108PE switches? Any other hardware recommendations?
2. Do I need any additional hardware?
3. Are there any other considerations I have not thought of?
Jan 19, 2013
We have two separate businesses in the same building who will both need access to shared resources and the same internet connection. They will need to remain on separate subnets and cannot communicate directly with each other. The current switch is a Cisco ESW-520-48P and we are looking at purchasing an SG-300-20P for the new business moving in. Here's how we envisage setting it up:
ESW-520 will host Company A's network: workstations, servers etc. SG-300 will have two VLANs. VLAN1 will host all of Company B's network: workstations, servers etc. VLAN2 will host the shared resources such as printers. The internet gateway is a UNIX-based system with 3 NICs. 2 NICs are taken up by ADSL connections while the other NIC is the LAN, which would connect to VLAN2 on the SG-300. We would like to define which ADSL connection to route through depending on which subnet the traffic is originating from. The ESW-520 will need access to the shared resources and internet gateway on VLAN2 on the SG-300.
Sep 2, 2012
Is it possible to have the ASA connected to two ISPs and use the one ISP connection for Client/S2S VPN and Internet access and the second ISP connection just for the WebVPN traffic? How would you manage the routing, as the default route is pointing to the first connection, or is that not an issue here?
Jan 5, 2013
I have an ASA5510 with a Plus license. I have 2 inside interfaces, STAFF and MAIL, and two outside interfaces, OUT_STAFF and OUT_MAIL, which are on separate ISPs. I want to NAT STAFF to OUT_STAFF and MAIL to OUT_MAIL; because I'm having two default routes it gets impossible to do.
Oct 18, 2011
The VoIP PBX resides on a separate LAN, not connected to the ASA. Users from behind the ASA (inside) try to connect to the VoIP PBX using a soft phone. The VoIP connection is established; however, users cannot hear conversations on either end. I'm assuming this is possibly a SIP and PAT issue? The ASA firewall is using a separate global IP for PAT. Also I have opened ports on the outside interface for SIP: UDP 8081, 2088, 16000-16010 and 15000-15511. I have both SIP and H323 H225 inspection in place as well.
Dec 25, 2012
We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP. The addresses are not contiguous. Is there a way to configure an interface on the ASA to handle both sets of public address pools? If the outside interface is set up on eth0/0, would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool? Then just NAT/PAT to my heart's content? At that point I would want both to route to our inside network. So it's basically two inbound sets of IP addresses coming into one interface and then coming into the network... Right now the outside interface is configured with our first set of IP addresses. We wanted additional addresses and when we called our ISP they told us we already had them, just a different pool. Hence the question. I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?
Oct 18, 2012
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP link, e.g. below:
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1
crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 ISP_2
Establishing the VPN tunnels in either direction when using ISP_1 works fine, establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2
1. Peer device establishes a VPN tunnel, but the return traffic does NOT get back to devices on the tunnel.
2. The local firewall does NOT establish a VPN tunnel going to
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly to either return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for to be on ISP_1 of the local firewall, all springs into life! There are sufficient licenses etc...
Sep 11, 2012
We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiries on how to have it configured properly.
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
My challenge is, we have several clients and all their usernames were created in ACS 5.3. Meaning, if the configuration is just being differentiated by group settings, client A can select the profile of client B and still get authenticated. If that happens, they will be able to access each other's resources. Also, in the future we will be deploying 2-factor authentication for some of our clients.
Feb 2, 2012
I have to configure Active/Standby failover on my ASA 5510. I am wondering how I could do this for the outside interface; I mean, actually the ASA1 outside interface is linked directly to our Internet router. So now if I have to add ASA2 connecting to that router I will need a switch between them. I already have a switch for DMZ & LAN. The thing is that I will have to allow 3 switch ports to communicate with each other.
- 1 for ASA1--outside
- 1 for ASA2--outside
- 1 for Internet router
How could I isolate these 3 ports to make them communicate alone? Should I use a VLAN for that? And if I use a VLAN, will this require making any change of configuration on my firewalls' (ASA1 & ASA2) outside interface? I am a bit lost with this; if I am correct, I will not have to do any "vlan tagging" on the firewall itself?
Jan 16, 2013
My fiancée recently signed up for the Screen-wise Panel for Google research. Basically they monitor your TV usage and your internet usage. As part of the program they installed a Cisco WiFi router. I've got no issue with them logging the sites visited etc., but I'm a little worried about them possibly collecting private information (banking / work related stuff) that I don't want going out there. According to what I've read, what's supposed to happen is they replace your router with the new Cisco router. The "technician" who came in and installed the router was actually a builder and not an IT technician, and rather than replace our router he connected the Cisco router into port 4 of our router... I wasn't in at the time.
What I was looking to do is separate port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on, and the second VLAN (the new one we create on port 4) is going to be on is exactly what I'm looking to do. I could then connect the kids' machines / tablets / iPods to the Cisco router and have the main machine and my work laptop on the main router... but I don't have a clue how to do it. Is this something that I am able to do with the Netgear router I own, and is it hard to set up?
Jan 10, 2012
I'm trying to set up a VPN connection through two ASA 5510 firewalls. My network is as follows:
PC | FW A | Internet |FW B| - lan |
I am trying to achieve the following:
PC | FW A | Internet |FW B| - | DMZ | - | FW C| - | lan |
However, I am not sure where the VPNs will need to terminate and how I will achieve this taking into account the WAN IPs.
Aug 14, 2011
My company has leased some office space to an outside company that handed me a 5505 and said "We want to VPN to our HQ through your Internet". I have two issues: I need this to work and I need to be able to access the 5505 from the management network. I don't care about the VPN aspect as much as making sure that I have basic communication down. I have everything configured per the diagram, but I can't ping the 5505 outside (Vlan 2) interface. I want to be able to configure and test the VPN setup on the 5505 from Putty on my PC.
The default route on the 5520 sends traffic to and the default route on the 5510 sends traffic to the WAN interface. I added this route on the 5510:
I still can't ping the default gateway on the 5505. There is a switch between my PC and the 5520 but the default route passes the traffic to the 5520. However on my tracert I don't even get to the 5520. What's going on here? Do I have to add a route to the switch just to manage the ASA 5505?
May 3, 2011
I have multiple offices that I want to VPN into one office.... So is there anything special I have to do to establish this.... Or can I do the same setup for one office then copy those settings to the next office?
Office 1 - main office .........asa 5510......ip
Office 2 - remote office......asa 5505......ip
Office 3 - remote office......asa 5505......ip 333.3333.333.333
I want office 2 and 3 to be able to VPN into office 1.
Currently I have already set up the VPN connection for office 2 to office 1. Everything works well with that, so I know it is good! So could I basically copy those settings to office 3? Or are there some weird settings or anything I should do or avoid by now setting up office 3 to VPN into office 1??
Jun 30, 2011
I'm trying to understand my options for assigning addresses to VPN clients on an ASA 5510. Under the ASDM, I have a field for DHCP servers, radio buttons: none, dhcp link, dhcp subnet, and field: client address pools. Cisco's VPN examples demonstrate setting up a client address pool, which I did, but the VPN client isn't assigned a gateway in the process so it can't connect to anything; I really don't understand the point of this. I'd like to create a DHCP pool on the ASA for VPN clients as this seems to be the standard configuration. However, I don't know where in the ASDM to configure this and how it's applied. The only DHCP options I found involved creating a DHCP server on an interface, which I don't want to do since VPN users aren't on a physical interface, right?
Jan 23, 2012
I have a Cisco ASA 5510 firewall; my problem is that when the first VPN connection is established everything is good. But when that connection is cancelled or terminated due to non-connectivity, no one can connect to that firewall through that VPN unless the firewall is restarted.
Mar 21, 2013
I have an ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut-n-paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output and it keeps failing on the NAT with an rpf-check. Once I get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
Here it is:
RVGW# sh run object
object network WiFi
Jun 23, 2011
Co-worker just got a Blackberry Playbook tablet and, try as I might, we cannot get the darn thing to successfully set up a working IPSEC/L2TP vpn tunnel to our ASA 5510, which acts as a multi-purpose VPN concentrator. Any luck setting up L2TP/IPSEC VPN to ASA from Blackberry Playbook?
Apr 9, 2012
Setting up an ACL on my ASA 5510 to permit access only to the NAT subnet from inside to the outside interface. This firewall is set up for the DR solution in the production network. I am applying the following ACL in the inbound direction on the inside interface.
permit ip any "Nat_subnet"
After applying this ACL to the inside interface I observed that I can ping the destinations in the NAT'ed subnet but am unable to SSH to the servers. Following is the summary of my configuration.
interface Ethernet0/0
nameif outside
security-level 0
ip address standby
Mar 5, 2012
How to go about setting up the ASA to block any SMTP traffic outbound except for our Exchange server. This is in relation to a SpamBot issue that got us blacklisted. I have an ASA 5510 running version 6.2(5) / 8.2(2) with three ports: DMZ, Inside and the Outside interface. Up till today, I only needed to block outside traffic to our internal network, for which I used the ASDM to configure a rule on the outside interface as an incoming rule. I am assuming I need to create an outgoing rule on the outside interface; however, just to make sure I understand the terminology/traffic flow, I created the rule with my computer as the source ( with ALL destination and the service as HTTP. My logic, which seems to fail here, is that any traffic from my computer going outbound would be blocked; however, I am still able to browse... That said, if I were to change the source to the Exchange server and the service type to SMTP, it would not actually block traffic and therefore not solve our problem. I have even gone as far as permitting traffic from my computer, expanding the hit counter, and I see no hits. So I am no doubt doing this wrong. What I do know is, when I first created the rule, a second rule was automatically created (implicit rule) that denied all sources and blocked all HTTP traffic until I changed it to Permit?
Oct 14, 2011
I have a 5510 ASA and have been given another and told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is at the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces? Would they need to go into a VLAN on a switch, one inside VLAN where the 2 firewalls' inside interfaces go into and another VLAN for the outside? Otherwise if it fails over to the standby ASA the inside and outside interfaces wouldn't work.
Nov 11, 2008
I have always configured and run LDAP server groups authenticating to Active Directory domain controllers using LDAP, never an issue, until I hit a domain controller running on Windows Server 2008. I have been unable to authenticate with the common settings with an ASA5510 running 8.0.1.
Jan 31, 2011
Is there any way to get reports on voice utilisation on WAN links so that CAC settings can be proactively managed for each location on our CUCM cluster? Our service provider is advising that this is not possible which means that we rely on customer/staff complaints to recognise where CAC thresholds are being reached. Our preference is to be able to run traffic reports (or the Cisco equivalent) as could be done on our previous (traditional) telephony network and provide additional capacity if and when required BEFORE congestion is reached, thus minimising customer/staff impact.
Jan 15, 2011
I need to keep surveillance on two separate remote locations, each on a different continent. They're both indoor locations and have broadband. One of these setups should be fully bidirectional so I can see them and they can see me, while the other location is unidirectional so I can see them but they can't see or hear me. In both of these far-flung locations the people there have the computer skills of your average escargot, so it's going to be a complete and utter miracle if they can even figure out how to boot the PC. I would like to provide netbooks to each location and have them automatically launch a fullscreen webcam on bootup. How do I get this set up properly so that it works in a foolproof manner?
Jan 28, 2012
He has a small home network in 2 buildings with 2 wireless routers. He has fiber from the building where the DSL comes in, running up to his house where a second wireless modem is. Both are broadcasting DHCP but I only want one of them to do this. Ultimately I want his server (2008) to broadcast DHCP, but just one of the modems is fine for now.
May 1, 2012
I know how to connect 2 routers in 2 different states using the internet. Also, which service is used for that purpose?