Cisco VPN :: Site To Site Tunnel Is Up But ACL Is Not Working On ASA5505?

Oct 6, 2012

I have configured site-to-site and the VPN tunnel is up. But the ACLs are not working.


Cisco VPN :: ASA5505 Add Site-to-site Tunnel On Top Of Existing Configuration

May 3, 2011

I have one ASA 5505 that has a classic remote access VPN set up, and now I need to add a site-to-site tunnel on top of the existing configuration. Is that possible with the ASA 5505, and do I need some special IOS bundle for that? May I use the VPN wizard for that, or do I need to go through the CLI since the remote access VPN was set up using the wizard?


Cisco VPN :: Site-to-Site Not Working Between PIX515e And ASA5505

Aug 9, 2011

The IPSec tunnels do not form and I notice the error: 3 Aug 09 2011 05:13:26 IP = 39.188.41.188, Error processing payload: Payload ID: 1. Reading up on this, it looks like it might be an IKE problem, but I'm struggling to find the cause (the new 8.4 commands are not useful).
 
The setup is as follows:-
 
Head Office
PIX515e v6.3(4)
LAN IP 10.0.160.254/24
 
Branch Office
ASA5505 v8.4(1)
LAN IP 192.168.47.254/24


Cisco VPN :: ASA5505 Site To Site VPN Stopped Working

Sep 18, 2012

We have 2 ASAs that connect to a 2811, but for some reason, the 2nd ASA won't connect anymore. Debugging ipsec or isakmp on the 2811 doesn't come up with any messages.
 
External IP's still correct, and the sites can ping each other.
 
Only debug on ASA for crypto isakmp comes up with messages (ipsec doesn't give any messages).
 
ASDM says:
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry
 
I found some info on the above error messages, but those links weren't quite useful.
 
Below is from the debug on the ASA:
 
Sep 18 22:06:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:09 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:10 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:13 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:16 [IKEv1]: IP = 64.X.X.X, IKE_DECODE RESENDING Message
[code]...


Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have an ASA 5505. I configured a site-to-site VPN between the central site and the remote site and it is working. Now the problem is we use the remote site for troubleshooting purposes, so we need to create a tunnel from the remote site to the central site. I need to configure it in such a way that the remote site can create a tunnel to the central site, but the central site is not able to create a tunnel; it just responds to the remote site.


Cisco VPN :: ASA5505 Tunnel Some Traffic (public Host) From Remote Site

Feb 6, 2012

On the remote site I have a Cisco ASA5505, on the central site I have a Cisco 2811 router, with a working site-to-site VPN tunnel. [code]


Cisco VPN :: ASA5505 - IP Address Pool In IPSec Client And Site-to-site VPN

Jul 10, 2012

We have a scenario where the Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also allows Client VPN connection. The question is around IP pooling. If I assign a pool of IPs (192.168.1.20 - 192.168.1.30) for Client VPN connections, do I need to be sure that those same IPs are not used on the other side of the site-to-site VPN?

There could be PCs/servers running 192.168.1.0/24 on the other side of the site-to-site VPN. Would this cause an address conflict?


Cisco VPN :: ASA5505 Blocking Remote Network / Site-to-site Vpn

Jun 28, 2011

I have a site-to-site VPN already established, everything is working as it should.  I'm trying to block the remote network from accessing our network since we only need to access theirs.  I'm sure this is something very easy to implement with an ACL but I'm not sure where this rule needs to go. The VPN is on ASA 5505. 


Cisco VPN :: ASA5505 Site-to-Site VPN And AnyConnect On Same Device Using IKEv2

Jul 10, 2012

I have 2 ASA5505s connected through a site-to-site using IKEv1 and IKEv2. Recently, I ran through the wizard to configure the AnyConnect software. [code] Now, my site-to-site connection will only come up using IKEv1. Is there a way to have both the site-to-site and the AnyConnect VPN connections use IKEv2?


Cisco VPN :: Network-access Between ASA5505 And ASA5510 (site-to-site)

May 9, 2011

We set up a site-to-site VPN between a 5505 and a 5510 (both ASA 8.3.1). We configured both sides using the VPN wizard in the ASDM. When we try to ping from the network behind the 5505 (192.168.45.0/24) to any host behind the 5510 (192.168.0.0/24), the tunnel gets established but the ping doesn't get through. After that we tried to connect via RDP to any host behind the 5510 and it worked well (same with SSH, Telnet, VNC etc.). Now we want to map a network share on a 2008 Server behind the 5510 but it's not working. In the ASDM log I see some "denied by inside-access in" messages for the ports 139 and 445. Isn't it right that the whole traffic in the VPN tunnel bypasses the ACL? Even if we open both ports we can't connect to the network share?


Cisco VPN :: ASA5505 Site-To-Site And Remote Access On Same Device

Jun 3, 2012

I'm attempting to configure an for both site-to-site and remote access VPNs. The site-to-site is working fine, however when I connect using the Cisco client, after initial connection and password prompt I get a "not connected" status. The log states that a policy map match could not be found. I have successfully set the unit up for remote access with no site-to-site and ran into another host of issues when adding the site-to-site to the working remote access config, so I started over setting up site-to-site first. I've attempted this through ASDM (hate it) - the current configuration is via CLI. I'm certain I'm just missing a piece or two.


Cisco VPN :: ASA5505 - Site-to-Site Ping From One To Other Network Failed

Oct 1, 2012

I just get it that I can make a VPN Site-to-Site IPSec. But if I try to send a ping from one PC (network 1) to the other PC (network 2), it fails.
 
PC (Network 1) <ASA5505> Switch <ASA5510> PC (Network 2)
 
Between the two ASAs I have a functional VPN IPSec tunnel, but I can't get access from one to the other network.
 
These are the access lists on the ASA5505:
 
asa5505#
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Inside_ICMP; 4 elements

[Code].....


Cisco VPN :: Site-to-Site VPN Over PPPoE Internet Using ASA5505?

Feb 8, 2011

I have a client that wants to establish a S2S VPN across the Internet. His Canada site (using an ASA5510) has a traditional fibre Internet service. However, the Chilean side (using an ASA5505) is using a PPPoE Internet service. The Chilean IP is dedicated, but the host IP they've received is the same as the default gateway (odd). Anyway, given that it's a PPPoE Internet connection with authentication required, is it even possible to establish a S2S VPN? I guess I'm thinking that if the Canada side tries to initiate to the Chilean side without anyone on their end to initiate the traffic first (and therefore authenticate in the process), will this even work?


Cisco VPN :: ASA5505 Site To Site IPSec VPN Will Not Connect

May 22, 2012

I've spent 2 days already trying to get 2 ASA 5505s to connect using an IPSec VPN tunnel. I cannot seem to figure out what I'm doing wrong. I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASAs. The VPN config was done by the ASDM, however I have also tried the command line approach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS. [code]


Cisco Security :: ASA5505 Site-to-Site VPN And SLA Monitor

May 13, 2012

I have a couple of ASAs 5505 (HQ & Branch) running version 8.2(4).  They are configured with a Site-to-Site VPN over a single WAN link: [code]

I want to enable sla monitor on one of the devices in order to know the real status of my unique link because the interfaces sometimes don't go down, so I don't have any real statistic of failures. 
 
All the information is related to dual ISP links failover. Is there any extra consideration for my single link scenario? I already have a static route, route outside 0.0.0.0 0.0.0.0 192.168.0.1 1, so I think I have to overwrite it with something like this: route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 track 1. Is this correct? If so, when I overwrite it, will the S2S VPN go down and will it go up automatically?


Cisco VPN :: ASA5505 Behind D-Link DSL-2640U Site-to-site

Apr 12, 2013

I am normally a software developer, however with recent staff changes at my company I am now the sole IT person. We have two sites, A and B, and we need to make a site-to-site.
 
I have access only to Site A, which contains an ADSL modem/router (D-Link DSL-2640U) and an ASA5505 behind the modem. We have a public fixed IP address configured on the modem. All the information that I have to configure the VPN is:

- Public IP of site_B
- The encryption algorithm 3DES-MD5
- Shared secret
- The site_B subnetwork to be reached using the VPN

And I need to get this VPN up, and there must be no NATing for packets going through the VPN (for maintenance issues).
 
The D-Link modem is configured to get the public IP from my ISP, and I set on it a DMZ to the ASA5505 (192.168.1.254). Until now, I followed the site-to-site assistant using the ASDM. [code]


Cisco VPN :: 1800 Site-to-Site VPN Tunnel Bandwidth For Voice Traffic

Jun 22, 2011

I have some challenges with a VPN config I recently set up for a client. I have at the HO the following:

- 1800 router
- Avaya phones and Gateway
- 1MB radio internet access
 
At the BO (branch office), I have:

- 871 Router
- Avaya phones
- 256k internet bandwidth
 
The only reason we set up the VPN in the first place was for the phones at the BO to be able to connect to the gateway at the HO and also be able to make calls and receive calls as if the phones were at the HO. The phones at the BO successfully register to the HO, but are unable to receive calls and dial out. Every time I try to make a call, the phone displays a "connecting..." message. [code]


Cisco Firewall :: ASA 5510 - Allow Only One Host Access To VPN Site To Site Tunnel

May 28, 2012

I have an ASA 5510 that has multiple site to site VPNs. I need to create an additional site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I don't want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?


Cisco Routers :: SRP521W VPN Site-to-Site Tunnel Doesn't Establish

Dec 19, 2011

As you can see, I have problems with connecting 2 SRP521W together for a VPN tunnel. I tried as much as I can, but now I don't know what to do or how, and where is the mistake? The connection between these two devices was there last week; after the weekend (nothing changed in configs) the connection suddenly was interrupted, without any reason or warning. Another day it worked again and 20 mins later the connection was dead again... and now it won't establish at all. Here are some screenshots from the VPN configs of my devices. One has a static IP, the other one uses FQDN. These are the IKE policies: Here the IPsec Policies: and the GRE policies:


Cisco AAA/Identity/Nac :: ASA 5505 - Procedure For Monitoring Site-to-site VPN Tunnel?

Apr 30, 2012

Need to know the step by step procedure for monitoring site-to-site VPN tunnel (up/down) using SNMP on Cisco ASA 5505. 


Cisco WAN :: 3825 Shared Internet Through Site To Site IPsec VPN Tunnel

Apr 24, 2013

I have configured an IPsec VPN tunnel between two routers (from site A to site B) over an untrusted internet connection using Cisco 3825 routers, and I can successfully access both of these routers. But now I need to access the internet on the site B router sitting on the site A router, so that if I run traceroute from a site A machine, the gateway through which the internet traffic passes shows the IP of site B.

The architecture of both our site routers:

Site A  10.1.11.0-----Router A 172.18.12.1-----VPN tunnel----Router B 172.18.12.2-----Site B 10.4.11.0 

/////Create IKE policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
[Code] .....


Cisco VPN :: 5510 Hairpinning VPN Clients Through A Site-to-site Tunnel

Apr 30, 2013

I have an ASA 5510 8.2(5) in Site1 and an ASA 5505 8.2(1) in Site2; they are set up with a site to site tunnel. Each site has VPN clients that connect, and I would like to allow clients from both sides access to servers on the other side of the site-to-site tunnel.
 
I enabled same-security-traffic permit intra-interface. I also added the remote networks to the access-list that is doing the split tunneling. [code]


Cisco VPN :: ASA5520 - Access-list For Site-to-Site IPSEC Tunnel

Dec 1, 2011

How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel?  I'm using an ASA5520 running 8.04.
 
I have four hosts say: 10.240.1.1-10.240.1.4
 
They need access to two different networks:

205.100.150.0
140.175.200.0
 
I would like to NAT them as something like:

7.5.210.1
7.5.210.2
7.5.210.3
7.5.210.4 


Cisco VPN :: 506 Firewall 6.3(4) PDM 1.0 / Broke Remote VPN After Site To Site VPN Tunnel Created?

May 19, 2011

It's been a long time since I played in Cisco CLI. Using a Cisco 506 Firewall 6.3(4) PDM 1.0? Problem is I created a site to site tunnel with a vendor and since then our remote VPN does not work. Completely times out so I am sure I broke something in the crypto map or something similar.
 
Tunnel is policy 10 using access-list 101
Remote VPN is Policy 20

Config Below:

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XLk0qAaMaA6kjvA6 encrypted
passwd VeCrsQbWdIFPwnny encrypted
hostname RMS-DR-PIX
domain-name RMS.Local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network FTP_Clients
 description FTP Client PCs
 network-object host 192.168.xxx.xxx
 network-object host

[code]....


Cisco VPN :: Establish Site To Site IPSec Tunnel Between ASA 5520 And 3030?

Feb 17, 2013

We have configured a site to site tunnel from our ASA to another organization's Cisco 3030. It appears to have just one way initiation. We can do a ping to a device on the remote site and it will ping just fine. However, when the tunnel needs to be initiated from the remote site, it will not work until we have initiated the tunnel and then everything works.
 
I continue to see Error processing payload: Payload ID: 1 errors on the ASDM logs. It appears that all the configuration is in place because we can in fact establish the IPSec tunnel unidirectional. And once established, traffic can flow bidirectional.


Cisco VPN :: Site To Site VPN IPSEC Tunnel From ASA 5505 To Clavister Firewall

Nov 20, 2012

I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister firewall. When I restart the Cisco ASA 5505 the tunnel is up and down, up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: [code]
 
After a while, like 5-10 min, the VPN site-to-site tunnel is up, and here is the strange thing happening: I have all access lists and tunnel access lists right, but I can only access one remote network (main site Clavister firewall) through the VPN tunnel behind the Cisco ASA 5505. I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I do this syntax in the ASA: show crypto ipsec sa. They had a Clavister firewall on that site before and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister firewall are intact, so the problems are in the Cisco ASA 5505. [code]
 
All these remote networks are at the Main Site Clavister Firewall.


Cisco VPN :: 2901 / 2951 - Site-to-Site VPN - Constant DPD - Tunnel Drops

Dec 12, 2012

We have approx 40 branch offices - all of which are connected to a single core site over VPN Tunnels using various gear. At one particular site, we are having issues with the tunnel dropping sporadically throughout the day - some days it happens 10 times, some days it happens none. This just randomly started happening two weeks ago, without any changes taking place. Since it started happening, I have upgraded the code to latest versions, but still the issue persists. This particular site has a 2901 and connects back to a 2951.
 
Below is the output from:

debug crypto ipsec
debug crypto isakmp

[code].....


Cisco VPN :: 4500 Switch - Dot1q Tunneling Via PPTP IPSec VPN Site-to-site Tunnel?

Nov 28, 2012

I have a situation where the site-to-site tunnel is already established using PPTP IPSec VPN with non-Cisco gateways terminating the link on each end. These non-Cisco gateways do not support L2TP tunneling, and there is no plan to change them. Beyond the gateways on both ends, we have a Cisco 4500 series switch. We need to forward the 802.1q tagged VLANs between the two sites. Is it possible to use 802.1Q tunneling in this case, going via a PPTP tunnel?
 
Cisco's setup uses dot1q-tunnel over a L2protocol-tunnel to preserve the original client VLAN tagging, so does this mean that the only option we have is to set up a L2TP tunnel at the Cisco device endpoints, and have that tunnel go through the existing PPTP tunnel (established between the 2 non-Cisco VPN gateways)?


Cisco VPN :: ASA 5505 - Users Aren't Able To Reach Remote Network Through Site-to-site Tunnel

May 21, 2011

Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
 
I've seen several threads about that here, I've run through the walkthrough at [URL]. I've taken a stab at setting split tunnelling and NAT exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
 
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24


Cisco Wireless :: Configuring 5508 At Remote Site To Tunnel Traffic From WLC At Main Site?

Sep 20, 2012

At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG).  In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG".  None of the SSIDs are "anchored".
 
I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs.  This site contains two customers.  One customer is the Main customer with the second customer leasing space.
 
I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan).    I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.
 
For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500.  It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site.  This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).
 
For my test, I am starting simple.  I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low).  I have anchored this test WLAN to that controller.  At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site.  I am unable to obtain an IP address from the remote site.  I have placed the remote site WLC in the wlcMain-MG as well. How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at 7.0.220.0? What could I be missing?


Cisco VPN :: Establish Site-to-site VPN Tunnel Between ASA 5505 And C881?

Dec 27, 2012

Last week, I was able to establish a site-to-site VPN tunnel between an ASA 5505 and Cisco C881 router just fine. The tunnel was up and running for a number of days but today the tunnel is no longer up. I was wondering if there are any commands to re-establish or re-initiate the tunnel.


Cisco Firewall :: ASA 5505 Setup A Site To Site Tunnel?

Nov 13, 2012

I have a 5505 asa code version 8.3(2). Trying to set up a site to site tunnel with someone and he is asking if I can use ike v2. How do I go about setting up the tunnel to use ikev2? Is ikev2 an option with site to site tunnels?


Cisco VPN :: TFTP From ASA Via Site To Site IPSEC Tunnel 5540

Nov 1, 2011

I am having issues getting my ASA 5540 at site A, to pass TFTP and SYSLOG from itself across the IPSEC tunnel to our SYSMON servers (Syslog and TFTP) that live at site B. I have followed the suggestions of other threads and I am still not getting anywhere. Here is a quick topology diagram.








Copyrights 2005-15 www.BigResource.com, All rights reserved