Cisco VPN :: Connecting RVS4000 To ASA5505 Over IPSec?
Mar 2, 2012
I am having all sorts of trouble connecting a Cisco RVS4000 to a Cisco ASA5505 over IPSec... I have used the "site to site" VPN wizard, I have a fresh "factory reset" on my ASA 5505...
View 11 Replies
Aug 6, 2011
I have successfully configured an IPSec VPN Tunnel by using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN. On the site of Router Scientific Atlanta Cisco 2320 this is some info: [code] On the site of RVS4000 4-Port Gigabit Security Router with VPN this is some info: [code] Remember that you cannot be on the same range of IP, I mean, you cannot have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers. I show the configuration on Router Scientific Atlanta Cisco 2320: I show the configuration on RVS4000 4-Port Gigabit Security Router with VPN: If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with VPN the Status Up. As you can see, I'm connected to the remote Router (RVS4000 4-Port Gigabit Security Router with VPN) by my own web browser accessing by the local IP 192.168.0.10. I have used Authentication MD5, maybe it is not the best one but I had no time to test SHA1, I will when I have time.
View 1 Replies
Oct 28, 2011
In an established IPSec VPN between a RVS4000 and IOS (2801), everything works great (RDP / UNC File Share / HTTP) - with the exception of SMTP and HTTPS. I can do pretty much everything over the tunnel that I need, except attempting to send anything over port 25 or 443, it's getting destroyed in the tunnel. I've completely disabled the firewall in the RVS4000 and on the IOS side, I just have an extended access list that permits the entire IP protocol. The tunnel works fine, as mentioned above, and stays up with no issues.
View 1 Replies
Aug 29, 2011
I recently purchased a RVS 4000 (firmware V2.0.0.3) and am having some issues creating a second (third...fourth?) IPSec VPN Tunnel. The first one is up and running just fine. On the VPN Summary screen it says [1 Tunnels Used 4 Tunnels Available].
When I go to configure the second tunnel, I select --New-- from the "Select Tunnel Entry" drop down and proceed to fill in all the connection information. When I click Save, it seems to be processing and after a few seconds just returns me to the same screen, with none of the information I just input and no connection created. No errors given.
I have another RVS4000 to connect at a different location which will require a similar setup, but don't want to do anything with it until I have the one mentioned above working fully.
View 1 Replies
Dec 26, 2010
Linksys Small Business VPN endpoint routers?
I have been trying for two days to setup a Linksys RVS4000 to a RVL200 IPSec tunnel and I can't get them to connect.
The internet is via optimum online home internet accounts. From what Cisco said, the ports necessary are 500, 4500, 443 and 60443.
View 17 Replies
Aug 5, 2011
I have a RVS4000 at one location and a second RVS4000 at home. I have established an IPSec VPN tunnel between them and it is UP. I can ping the routers from each end no problem. I can ping the IPs listed in the "Local Group Setup" and the "Remote Group Setup" from both ends no problem. I can even open up a shared resource from a Win 7 machine (e.g. by typing \\10.10.10.100 in start-run from a computer on my home network).
But - I can't ping anything else on one network from the other. What gives? I need to access a 10.10.10.101 machine but can't even ping it.
- both RVS4000 boxes have latest firmware (V1.3.3.5)
- home RVS4000 setup with IP 10.10.11.1
- home network has a server with IP 10.10.11.20
- other location RVS4000 setup with IP 10.10.10.1
- other location server setup with IP 10.10.10.100
Tunnel settings on home RVS4000 (the other location properly mirror these).
- Local Security Gateway Type : IP Only
- Local Security Group Type : Subnet
[code]....
View 2 Replies
Jun 17, 2012
Can I have two IPSec tunnels over two different Internet links to two different destinations?
View 1 Replies
Aug 2, 2011
We have used two Cisco RVS4000 to create the IPSec VPN between the main office and the branch office. The main office has SBS 2008. There is a Windows Server 2008 as the domain controller in the branch office. One branch office user has a laptop which is not in the domain, but his exchange account is set up in the Outlook. When he connects the laptop to the branch office network, he cannot connect to the exchange server and get the emails. Is there any configuration to set up in the router, server or Outlook?
View 1 Replies
Jul 25, 2011
I have set up an IPsec L2L VPN between an ASA5510 and an ASA5505 which is working just fine. Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error. I have already searched the forum for this message to exclude all the possible reasons for this message:
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)
- the ACLs used in the crypto maps are exactly the opposite of each other
View 2 Replies
Jun 10, 2013
I currently have my 5505 set up for AnyConnect SSL VPN connections. Is it possible to also configure the 5505 for IPSec VPN connections? So, essentially my ASA will be capable of running SSL and IPSec VPN tunnels, concurrently.
View 2 Replies
Sep 18, 2011
I have a problem with dual ISP + IPSEC on my Cisco ASA5505 sec plus licence. Routing is working correctly (connecting to the Internet from siteA is working through the 1st and also the second ISP) but IPSEC is working just through the first ISP! It seems that phase 1 and 2 of IPSEC are correct but packets are just encrypting but not decrypting.
I'm trying ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50)
config site A:
##########################################################################
ASA5505 Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
[code]....
View 7 Replies
Aug 9, 2012
I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel. I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA. Not sure if it's relevant or not, but this remote ASA has never been used for another VPN tunnel before. When I attempt to ping a host on the other side of my tunnel, I just see the following:
8108# sho crypto isa sa
There are no isakmp sas
My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24. I've been working on this for the better part of the day and would love to get it resolved.
View 8 Replies
Feb 26, 2013
I'm a Cisco ISR, setting up my first ASA, which seems to be going well. I've set up an IPSEC VPN to a non Cisco device. And have connectivity between devices in each subnet.
-Subnet A - non Cisco - 10.10.13.0/24
-Subnet B - ASA 5505 - 192.168.2.0/24 (ASA is .254)
From Subnet A I can ping every device except the ASA on .254.
Edited Config attached, IPs changed for privacy, passwords removed. Let me know if I've removed too much of the config.
View 3 Replies
Oct 11, 2011
When I use QuickVPN under XP, I connect to my RVS4000 without problems. When I switch to new computer running Windows 7 and V4.2.1 QuickVPN I can get all the way to Verifying Network. Then I get the message that: "The remote gateway is not responding. Do you want to wait?" - repeatedly. The icon in the tool bar remains with a red slash and I am unable to ping devices on the lan side of the router. However, when I check the VPN Summary on the router, I see that it thinks I'm connected. When I check the VPN log I see that I am not:
Oct 12 10:27:53 - Configuration changed!
Oct 12 10:28:33 - Configuration changed!
Oct 12 10:28:34 - [VPN Log]: added connection description "ValR_rw_rw"
[Code]....
I've disabled MS Security Essentials and made sure the Firewall is on. IPSec Policy Agent and IKE and AuthIP IPSec Keying Modules services are both started. I've created a rule to allow QuickVPN through the firewall in and out and a rule to let traffic on 443 and 60443 UDP and TCP through the Firewall.
View 19 Replies
Oct 8, 2009
I'm replacing my RVS4000 with the RV180 but having VPN connection issues with the RV180. Let me know the VPN tunnels work perfectly fine on the RVS4000. I have configured my RV180 for 3 VPN tunnels. My ISP is Comcast (cable) Business class with a Static IP. First VPN tunnel is to another Comcast ISP and the VPN works flawlessly - connects immediately. Second VPN Tunnel is to Business class ISP (Verizon-NJ) and VPN will NOT connect. Third VPN Tunnel is to Business class ISP (Cox Network-VA) and VPN will NOT connect. I had opened both the RVS4000 and RV180 up on a browser and both settings from the units were identical. I reconnect the RVS4000, VPN tunnels work great, I unplug and reconnect the RV180, the Comcast VPN works, but the other two do not. From what the log is saying "[IKE] WARNING: no phase2 found" and the other says "[IKE] ERROR: remote identifier not found". It has to be something with the RV180 that I'm missing or possibly configuring incorrectly.
View 3 Replies
Feb 20, 2008
Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.
Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up. It seems as if the ASA is actively refusing the connection, though the log doesn't state this. I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.
I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working)
Config (minus irrelevant sensitive information) is attached for reference.
Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.
View 12 Replies
Jun 18, 2012
I'm having problems configuring an IPSEC VPN between an SRP521 with a dynamic IP and an ASA5505 with a static IP. Static to Static is fine between these devices and I can configure that without problems. Dynamic to Static however.
View 1 Replies
Feb 26, 2012
I'm trying to connect my WAG160N as an ADSL modem (disable the router function) and connect a real router (RVS4000). So, I put my WAG160N on bridged mode only, disable the DHCP on my RVS4000, I did configure my PPPOE access (user and password), change the IP address 192.168.0.2, configure the DHCP and try to connect. I tried to connect the RVS4000 and the WAG160N either with cross cable or a direct cable. I can get access to the RVS4000 192.168.0.2 and get access to the configuration menu but cannot get access to my WAG160N 192.168.0.1, even a simple ping. When I try to test the connection on my RVS4000 (status) it seems that my connection is up but I cannot get access to the internet.
View 6 Replies
Jan 20, 2013
I'm trying to make a very plain and simple network with the ASA 5505, I've started from scratch over a dozen times trying to find where I'm going wrong. My main goal is to simply create an IPSec VPN connection to my ASA 5505 and simply ping and connect to devices with the "inside network", so far I can easily create and establish an IPSec VPN Connection, but up to this point, I cannot successfully ping or access a single device on the ASA 5505 inside network. I've taken, create the IPSec profile with the ASDM wizard, add exemption for the VPN IP Pool, add access-list from this Cisco link, url... All this and I can't make a single connection to the inside network. [code]
View 7 Replies
Sep 28, 2011
We have two sites connect with an IPSec L2L VPN.
-Site A: 192.168.13.0/24
-Site B: 192.168.2.0/24
On both sites we have an ASA5505 (Base license) to terminate the tunnel. On Site B we also got a remote access VPN to which we can connect using the VPN client. The lan2lan tunnel works fine and so does the remote access VPN. Now I want to connect to Site A using my VPN client connected to Site B. [code] There are no vpn-filters or other special policies in place. I tried to ping from my VPN client to Site A while I was debugging ipsec 255 on site B: the ASA matched the l2l-tunnel for traffic sourced from 192.168.25.x to 192.168.13.x but when I'm doing a show crypto ipsec sa detail there are no packets getting encrypted, so of course no packets reaching my ASA on site A.
View 9 Replies
Jan 9, 2013
Recently, I set up an ASA5505 with IPsec VPN. And I try AAA authentication with an internal Windows 2008 server. As per the document I read, I configure from ASDM authentication with "NT Domain". And then point to internal DC, which is a Windows 2008 server. While I test it, it shows the error
"Authentication test to host 192.168.xxx.xxx failed. Following error occurred -- ERROR: Authentication server not responding. No Error"
View 3 Replies
Jun 20, 2011
I have an XP workstation behind my ASA that cannot connect to a client's network via Cisco VPN Client using IPSec...
In the logs it shows the translation is working on 500 but the VPN Client has the error 412, that the client is not responding.
Config below
ASA Version 8.2(1)
!
hostname RWFW1
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x
[Code].....
View 16 Replies
Oct 17, 2011
Can I use a Gateway-to-Gateway IPSec tunnel whereby a user can surf the Internet using his local Internet connection and at the same time connect through the IPSec tunnel to a remote subnet using RVS4000 routers?
View 1 Replies
Oct 25, 2012
I have several locations with time clocks (a Kronos application) on a small home network with outgoing traffic wide open. I have a server in my office behind an ASA5505 router/firewall, also with outgoing traffic wide open. I have tried taking the device off of the remote network and giving it a public, static IP address so it is actually on the internet, yet the server cannot see the device, but it can ping it. I was advised to put the device on the remote private network and set up a virtual server using port 8080 at the remote location. The server is still unable to see the device. I also set up a virtual server for VNC. When I am on my server on my work network behind the ASA5505, I can start my VNC viewer and attach to the device at the remote site using the IP of the router (apparently the device has a built-in VNC server).
I have also tried to NAT my server to a public IP, I have set up incoming and outgoing rules on the firewalls at both ends. This should be a fairly straightforward connection.
View 7 Replies
Jul 16, 2012
I am connecting to an ASA5505 from home to the head-office using L2TP VPN.
Head-office then has a connection to other-office via a site-to-site IPSEC tunnel.
When in the head-office (192.168.100.0/24) I can ping/access remote-office (192.168.200.0/24) OK.
When connected remotely to head-office, I can ping/access head-office OK from the road-warrior laptop.
My problem is that when connected remotely from home to the head-office I cannot ping/access the other-office subnet.
On the home laptop the L2TP VPN connection is set to route all traffic to the VPN connection using the HQ as the internet gateway. I can confirm this works.
I can't do traceroute (I get timeouts) as my policy doesn't allow it and I'm not sure how to enable this properly on the ASA.
names
name 192.168.200.0 othersite
!
interface Vlan1
nameif inside
security-level 100
[code]....
View 1 Replies
Jul 10, 2012
We have a scenario where the Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also allows Client VPN connection. The question is around IP pooling. If I assign a pool of IPs (192.168.1.20 - 192.168.1.30) for Client VPN connections - do I need to be sure that those same IPs are not used on the other side of the site-to-site VPN?
There could be PCs/Servers running 192.168.1.0/24 on the other side of the site-to-site VPN. Would this cause an address conflict?
View 4 Replies
Sep 13, 2012
We currently have 2 different ASA 5505s connected to our ASA5510. We want to VPN connect the 2 5505s to each other while still maintaining connection to our 5520. I have attached a pdf of what we have. What we want is to connect traffic between the two 5505s so that devices in either location can talk to each other while still maintaining connection to the 5510.
View 13 Replies
May 15, 2013
I have a remote WRVS4400N that has a dynamic outside address that's initiating a connection to a ASA 5540 with a static address.
I'm all set on the ASA side. My questions relate to the 4400N. It doesn't appear to have a very robust configuration/setup available for L2L tunnels. For one, my encryption is limited to 3DES.
But I'm wondering if I'm missing something in the config. I have to set up L2L tunnels to two other firewalls. One firewall has 3 discontiguous networks, and the other has 2. I have 5 tunnels set up, is this the only way? What I would like to see is 2 tunnels, one for each remote firewall, but then each tunnel would have access to the appropriate networks (like on the ASA side), is there any way to do this? Perhaps a command line util for this unit?
My other issue relates to the tunnel-groups I have set up on my ASAs, and I would like to use appropriate names... however I can't seem to find a way to enable this to happen on the 4400N side... what I mean is I need a way to create either a "keyword identifier" or a "firewall identifier" on the 4400N and I don't see an appropriate field in the web interface.
View 3 Replies
Sep 30, 2011
The company I work for uses a Cisco ASA 5510 router. We currently have an IPsec VPN set up and users connect through the Cisco VPN client using group authentication, then they are prompted for a username and password, and use the same username/password they log on to their work computers with. Some of the users have recently got Samsung Galaxy 10.1 tablets and would like to connect to the VPN using those tablets, but I can't figure out how to get the tablets to work. I've tried the AnyConnect app from the Android market as well as creating a VPN connection from the Tablet's settings page, but no luck either way. Perhaps I'm not entering a setting right? Has anyone had any luck getting Android tablets to connect to a Cisco VPN?
View 1 Replies
May 22, 2012
I've spent 2 days already trying to get 2 ASA 5505s to connect using an IPSec VPN tunnel. I cannot seem to figure out what I'm doing wrong, I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASAs, the VPN config was done by the ASDM, however I have also tried the command line approach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS. [code]
View 2 Replies
Sep 12, 2012
We have two ASA 5500 series Firewalls running 8.4(1). One in New York, another in Atlanta. They are configured identically for simple IPSecV1 remote access for clients. Authentication is performed by a Radius server local to each site.
There are multiple IPSec Site-to-Site tunnels on these ASAs as well but those are not affected by the issues we're having. First, let me start with the famous last words, NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/Password, then nothing until it times out. Same users going to the NY ASA are fine. After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter for their client machine, they will get stuck trying to log in to Atlanta. These same clients will get into the New York ASA with no problems using wired or wireless connections. Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same credentials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address right? Again, this is beyond my scope of knowledge. We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail. We've also rebooted the Atlanta Firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/Radius server was rejecting us but it shows the same reject message for the working connection. Again, both Mac and Windows clients show the same sequence. Where the connection fails is the "IKE Phase 1" process.
-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
%ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
%ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
[code]...
View 1 Replies
Apr 29, 2013
I tried any type of combination and just couldn't make it work. Only PPTP works well. Whether Apple iOS IPSec VPN is supported or not?
View 11 Replies