Cisco VPN :: Setting Up LAN To LAN Between ASA 5520 And Juniper Device
May 16, 2011
i am setting up a LAN to LAN VPN between Cisco ASA 5520 and Juniper device. its my first time i am setting this up. What will be the peer device of my device that i need to give to the other person.. is this the outside address of my device ?
Also with the setup i have made i am getting the follwong error msg:
IKE Peer: 81.45.22.222 Type : L2L Role : responder Rekey : no State : MM_WAIT_MSG5
also i was getting Type: user intead of l2l - what does htis mean as well
View 8 Replies
ADVERTISEMENT
Jan 25, 2012
I have a ASA 5520 with a functional IPSEC VPN using the Cisco VPN client. This allows my remote users (Staff) using laptops to come in from anywhere on the Internet and tunnel in. Works great.Next, we need to stand up a VPN over a Juniper SSG5 so that when we have groups working outside of our network, they can tunnel back into our network. If they were going to be coming from a known, fixed IP, or even netblock, we'd probably use Route-based setup from a Juniper SSG5 into the ASA 5520. But they may very well be coming from any IP. I am thinking this leads us to Site-to-Site VPNs- it won't be Network Client access obviously, nor will it be Clientless (browser-based).
View 9 Replies
View Related
Feb 13, 2013
VPN tunnel between ASA 5520 ver 8.0(4) and a remote Juniper firewall keep tearing down during Phase 1 rekeying. After the rekeying process fails, manually pinging one of the remote hosts that are proteced behind the Juniper firewall,initates the tunnel renegoation and rebuilds the tunnel successfully.
When the tunnel is down, sh crypto isakmp sa shows no active SA for the remote peer. That indicates the PHASE 1 negotation had indeed failed.When the tunnel is working, sh crypto isakmp sa indicates an IKE role of Responder - always.Clearly that also means Phase 1 negotation works only one way, i.e. negotation initated by the remote Juniper unit only.
Interestingly, the Syslog server logged the following SNMP trap messages at the time rekeying Phase1.Note, Line#2 and #7 and wrapped to the next line for easy of reading.
Line#1: IP = Remote-Peer-IP-#, Starting phase 1 rekey
Line#2: IP = Remote-Peer-IP-#, IKE Initiator: Rekeying Phase 1, Intf outside,
IKE Peer Remote-Peer-IP-# local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Line#3: IP = Remote-Peer-IP-#, constructing ISAKMP SA payload
[code]...
As I understand from the above syslog trap, the Responder ( the ASA unit this time) started Phase 1 rekey (Line #1). It prepare a message to be sent to IKE Initiator, that it is about to start rekeying Phase 1 (Line #2). Down on the next line, it indicated that the local Proxy, remote Proxy and Crypto map as N/A ( not avaiable).Why would the ASA unit send N/A message as shown in Line#2, is that normal?
View 3 Replies
View Related
Apr 22, 2012
I have a problem setting up a VPN between a local office and a head office some distance away.Here at our local office, we have a Cisco WRVS4400N Small Business device.At the head office they have a Cisco ASA Device.We need to set up a point-to-point VPN and I have no idea how to do this with these devices.To make matters worse, the resource I have at the other end in an unknown entity who also does not seem to have much experience with this.Is there any type of step-by-step guide to such a configuration?
View 5 Replies
View Related
Jun 10, 2013
We are setting up a vpn between a cisco RV082 and a checkpoint device. From the Cisco device we have set up (as remote IP) the public IP 85.xxx.xxx.xxx but when we try to start the tunnel the VPN log (from RV082) report the error "INVALID_ID_INFORMATION" as described below.
Jun 11 11:38:41 2013 VPN Log (g2gips1) #894: sending encrypted notification INVALID_ID_INFORMATION to 85.xxx.xxx.xxx:500
Jun 11 11:38:41 2013 VPN Log (g2gips1) #894: we require peer to have ID '85.xxx.xxx.xxx', but peer declares '10.yy.yy.yyy'
[code]....
The IP 10.yy.yy.yyy. reported in the log is the natted ip of the Checkpoint device.
View 3 Replies
View Related
Dec 10, 2012
How do I set up a Sagemcom 1704 modem for networking?
View 2 Replies
View Related
Jul 29, 2011
Just need to know where I can set a Max connect time so users dont camp on the ASA when they are not using it.
View 8 Replies
View Related
Aug 19, 2012
How can I setup the WLC to accept authentication based on the device itself and not a user?
View 7 Replies
View Related
Nov 16, 2012
I have added manually the cisco asa 5520 to lms 4.2 , because automatically the lms didn't discover it ,however when i tried to open the device using cisco.MessageCannot find applicable device package for 192.168.100.100This error could be due to one of the following:- The device package for this device type is not installed.- Device support for this device type is not available.- You are trying to open a component inside a device.To correct the problem, either install a device package for the device type, or open the parent device to manage the component.
View 1 Replies
View Related
Oct 8, 2012
we have two ASA5520-AIP40-K8 in our office and we purchase IPS service for one only, can we also update the signature of second device before purchasing additional IPS Services for second unit
View 1 Replies
View Related
May 23, 2011
I try to change password on the ASA 5520 device and its not getting changed.
FW(config)# enable password cisco1234(config)# end
After that I perform a write memory.
But somehow I relogin again the enable password still remain as the old enable password
version : 7.2(5)2.
View 5 Replies
View Related
Jan 26, 2012
I'll have to replace an old WS-C3550-24. Reasons for this: EOL/EOS & we'll need a NAT capable device...
As I understood, the only L3 catalyst that is able to perform NAT is a 6500? Is that correct? If the above is correct, it seems I can only replace the setup by using a router/ASA with a L2 switch. A router with high throughput (+/- 300Mbps) is hard to find, especially as NAT will require CPU resources...
So, my best (affordable price) solution is getting an ASA5520 (450Mbps FW throughput) and a L2 switch?
View 1 Replies
View Related
Mar 28, 2013
I installed Windows 8 on my Dell laptop and my bluetooth device doesn't work properly. When Windows 7 was installed and my laptop and my Samsung Galaxy S3 were paired I could play songs from my phone on my computer. But now it is not possible on Windows 8.
View 1 Replies
View Related
May 22, 2013
I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
View 3 Replies
View Related
Sep 1, 2011
I'm trying to enable LAG between WLC and a Juniper switch EX-4200 but it is not working.
In the lab i managed to enable LACP between Cisco 2960 and juniper EX-4200 and works with the atached configs that i found on juniper forum. Also LACP between Cisco 2960 and WLC works with te same config, but never between the WLC and Juniper. I've tried with passive mode and slow mode, always seems that juniper is not seeing the WLC BPDUs. I tried with WLC 4402 and 5508 both with 7.0 firmware.
View 4 Replies
View Related
May 29, 2013
I have set up an ACS 5.4 box and have some test devices connected to it.Cisco and Juniper, both working fine using TACACS I can connect to both using SSH or Telnet but my problem is the J-Web Juniper GUI I can access the J-web no problem with the root account. i can not seem to get it to work, no matter what I try. Here is my shell from the ACS box And the following Juniper configuration. I have tried binding the local-user-name attribute to both the remote and remoteadmin with no luck.
version 9.6R1.13;
system {
host-name Juniper-Firewall;
authentication-order [ tacplus password ];
root-authentication {
encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA
[code].....
View 17 Replies
View Related
Jan 10, 2011
Local LAN is connected with cisco 2800 router and SRX 210 Firewall, currently all LAN segment will go to my Data Center via ISP A and all internet traffic from LAN segment will go to internet via SRX firewall, there is no relation/connection between cisco router and SRX firewall. I have separate AS no. s for both the ISP
I am having attached scenario. based on current one I would like to do following.
1. I need to use PBR at LAN Switch ( its L3 Switch) such that in normal scenario - local VLAN traffic is equally distributed on both ISP.
2. dedicated internet traffic will flow through ISP B only and if WAN link of ISP B goes down, the internet traffic will pass through ISP A.
( in normal scenario, ISP A will utilized 100 % for LAN traffic to reach it to DC but once ISP B link goes down, the b/w of ISP A will be divided to route 50% traffic for LAN segment to DC and rest 50% traffic of LAN segment to internet)
View 2 Replies
View Related
Jun 25, 2012
Any known issues connecting an ASA to a Juniper switch?
We have a remote site where we have an ASA 5505 installed set up running EzVPN. We do not have not have control/access to the internet connection or the internal infrastructure. We basically have an office within their building. Our ASA has one of their external IP addresses and is connected to thier Juniper switch. Our pc's/printers are patched to another Juniper switch which is uplinked to our ASA. The issue we are having is that the connection is intermittently dropping where we cannot ping the pc's/printers at the remote site through the VPN tunnel but we are still able to ping the external IP address of our remote ASA. The strange thing is that we cannot manage the ASA via SSH or ASDM using the outside interface but can ping it when this occurs. For the most part the VPN tunnel does not drop when we check the sessions at the headend although it occasionally will.
View 6 Replies
View Related
May 30, 2011
I decided to switch away from my DIR-655 wireless router due to multiple issues and go with an Untangle box. Everything appears to be set up great... except when it comes to my VPN connection to work via Juniper VPN Client v. 6.5.0.15507. For some reason, the VPN connection keeps dropping every 3-5 minutes and I have to wait for it to either reconnect, or sometimes the client completely stops and I have to restart it.
View 16 Replies
View Related
Aug 1, 2012
I have ASA 5510 with 8.4 connected to ISG 1000, when traffic is passing the VPN tunnel is working fine, when the traffic stops, ASA will drop the packet but the VPN tunnel on ISG still up .When new traffic started from ISG side, it will drop, as the tunnel is not up on ASA side.
View 2 Replies
View Related
May 24, 2011
I am trying to authenticate on Juniper NSM express using cisco ACS 5.2. The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.
View 4 Replies
View Related
May 5, 2013
In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS 4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3 tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
A capture shows Auth Status: 0x11 (ERROR).
View 15 Replies
View Related
Apr 10, 2013
i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?
View 2 Replies
View Related
Oct 6, 2012
We have a 3750 as core switch with critical oracle servers ( production & development ) connected to this. The goal is to have these servers behind a firewall, which is to be done by logically routing the traffic towards the device.Now, we need to connect the 3750 with two juniper srx firewall physically. The oracle server VLAN will be removed from 3750 and same layer 3 vlan will be created in the juniper firewall. How do i connect the 3750 to the two junipers. what configurations will be involved, on a logical basis.
View 11 Replies
View Related
May 21, 2011
Is there any problems expected in working with core switch of Juniper EX8208 with access switches of Nortel Baystack5520 / 380 / 425 and 325? Whether the VLAN, Multicasting, streaming, STP, SNMP, etc will work without any issues?
View 2 Replies
View Related
Sep 26, 2012
Is a CA/CS required to deploy 802.1x? Google searches is confusing me with multiple answers. Im currently trying to test without a CA/CS and im having no luck.
Lab
2008 R2 DC
2008 R2 NPS
Juniper EX4200
User Win 7 PC
This is for a wired connection
View 3 Replies
View Related
Apr 16, 2013
We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).Sometimes tunnel is going down and I should manualy shutdown and no shutdown tunnel interface to bring it up.This is logs from Cisco:%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100 ,%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer.
View 3 Replies
View Related
Dec 20, 2009
Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)
View 6 Replies
View Related
Oct 10, 2012
We have a VPN established between the above devices (I don't have more info on the Juniper as it's a client site) The Juniper initiates the VPN and all is well, tunnel is up all ok but approx every 45 minutes the VPN drops.
the tunnel parameters are set to keep it alive for 8 hours but that doesn't work.
View 4 Replies
View Related
Jul 15, 2012
I am using 6500 with VPN Accelerator on this device. I have a dozen other VPN connections GRE and IPSEC to routers and ASA and other Juniper Firewalls.
They all work perfectly.The error I get is map_db_find_best did not find matching map (Never seen this error be for) [code]I can't put the whole config for security reasons.
View 5 Replies
View Related
Mar 27, 2011
Is it possible to set up a vpn tunnel on a 1721 router that uses the following ios:
c1700-y7-mz.124-13b.bin
I thought I had read somewhere that tunnels were not supported on the 1700s but wanted to make sure. If they are I would like to know if they are supported in the above ios.
View 2 Replies
View Related
Aug 25, 2012
I need to configure a new RV042 behind a SSG5 firewall. All VPN connections is client to gateway.
Firstly, i tried doing a direct connection(bypassing the firewall), the quickVpn status says connect but I can't even ping the rv. I suspect is due to client own ip is 192.168.1.x and the gateway ip is also 192.168.1.10. How do I resolve this such that users can connect anywhere without having to worry about clash of ip?
View 10 Replies
View Related
Oct 21, 2011
I wants to inegrate Juniper netscreen firewall in Tacacs Cisco Acs 5.1.As I go through Juniper KB which mentioned that I need to enable Netscreen Service in Cisco ACS 5.1. how to enable Netscreen service in Cisco Acs 5.1 and how I got Further to integrate Juniper Netscreen Device in Cisco cs 5.1
View 2 Replies
View Related
