Cisco VPN :: Tunnel Between ASA5510 And Pix Router Allows All Traffic?
Oct 1, 2011
We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a wierd problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.
I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this i realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether i need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults i would have to override using that method.
View 5 Replies
ADVERTISEMENT
Jan 9, 2011
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
View 1 Replies
View Related
Jul 24, 2012
Environment :linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all lan's outbound traffic through an ssh tunnel.
View 2 Replies
View Related
Nov 10, 2007
I have set-up a Linksys BEFVP41 VPN router at home (192.168.1.1 / 255.255.255.0)
View 7 Replies
View Related
Oct 28, 2011
I have recently purchased a E4200 i have flashed it with the latest Firmware 1.0.03 and Hard Reset the Router so the Media issue was resolved i was having. After upgrading the firmware to the latest version my Nortel VPN IPSEC Client no longer will work. The tunnel is connected and it passes traffic for about 15 seconds then nothing. The connection remains connected but no traffic passes cant ping across tunnel. I have checked all the settings and VPN - IPSEC - Passthru is enabled. I have put the client in DMZ mode and tried that same thing.
View 7 Replies
View Related
Dec 26, 2011
Our internet connection changed and so did our public IP addresses, I'm trying to re-establish our VPN tunnel with our client, but we haven't be able to get the connection back up even though only 2 IP addresses have changed. Below is my ASA 5510 config file Our WAN from the ISP is: 65.xx.xxx.104/30 and our LAN is: 67.xxx.xxx.128/27, I'm trying to use: 65.xx.xxx.106 as the endpoint and 67.xxx.xxx.130 as the host via the tunnel.
View 5 Replies
View Related
Feb 12, 2012
Is this kind of configuration possible? Can the VPN tunnel go thru the Firewall to another interface (DMZ) on it? And not to end “outside” interface.I have DMZ network in ASA5510 interface and I like to end the L2L IPsec VPN tunnel on it. The tunnel mas go thru the ASA from Internet via outside to the end point DMZ interface. The traffic is decrypted to that interface. So the VPN L2L peer interface is the DMZ interface IP address, not the Outside interface IP address.
View 0 Replies
View Related
May 20, 2013
I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
View 6 Replies
View Related
Apr 26, 2012
I have an asa 5510 that has many(17)ipsec vpn site tunnels on it. One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it. It does appear to be the tunnel only because there is no latency to the internet. I cleared the tunnel group out and readded it to no effect. isp says everything fine. any other known causes for this
View 2 Replies
View Related
Sep 21, 2011
I have an ASA5510 running in production. I have about 28 site-to-site vpn tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP us. When I do a packet tracer on the ASA, all phases are "ALLOW" but at the very end, the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel including the crypto ACL has not been changed. This same tunnel had NO issues prior to the 8.2.4 upgrade.
I thought about trying to disable "inspect FTP,. I am running FTP passive mode on the ASA so I don't believe "inspect FTP" is required.
View 2 Replies
View Related
Feb 7, 2012
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0
[Code]....
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
View 27 Replies
View Related
Dec 3, 2012
I have two routers on my internal network.
10.10.199.106 is a Cisco ASA5510.
10.10.199.108 is a Sonicwall NSA 3500
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
View 4 Replies
View Related
Mar 28, 2010
I have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured. My remote users can access inside LAN servers as well as the Internet from their remote location. What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet? Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall. This will allow the same security as if they were sitting in the office.
View 4 Replies
View Related
Apr 17, 2013
Although this is not a common issue, we have experienced occasions where our internet utilization has been maxed out (slowing everyone else down). Utilizing some features in the ASA, such as Top Usage Stats, along with PRTG monitoring, have always tracked the culprit down to being a single user -- be it someone downloading movies to a portable device, or downloading ISO's. (And for some strange reason it seems to always be a wireless user.) We are using an ASA 5510 for our firewall, and I was wondering if its possible to prevent a single client from consuming a disproportionally large percentage of our internet bandwidth? If the ASA 5510 doesn't have the ability to do this on it's own, are there any recommendations for add-on solutions?
View 1 Replies
View Related
Sep 18, 2011
My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Bascially all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as nat or ACLs to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.
View 1 Replies
View Related
Jul 4, 2011
ASA5510 configuration, I would like to know if it is possible (and how) to forward traffic received on WAN port of the first ASA to the server in LAN on the other side of VPN tunnel:
Internet (IP 85.128.50.x) – ASA5510 (192.168.1.x) – VPN tunnel – ASA5510 – LAN (172.16.71.x)
I need to have IP 85.128.50.50 redirected to 172.16.71.15 through VPN?
View 1 Replies
View Related
Sep 12, 2012
I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?
View 14 Replies
View Related
Nov 15, 2011
Currently I have users that connect with the Cisco VPN client to our PIX 515e. Our corporate network is also directly connected to our partners network, sharing common address space. I want to be able allow our VPN users to connect to certain resources on their network. Since they already have routing for our address space, can I allow the VPN to only NAT traffic to certain destination addresses with a local IP address on our network? That way the partner's network does not have to change any routing since they would see the source address as a local IP on our network.
View 1 Replies
View Related
May 30, 2012
I have ASA5510. It's include security plus license.I want to traffic shape to 200Mbps. But , I checked a CCO.CCO said that a shaping limit is 154400000. "Enables traffic shaping, where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000. "It's mean shaping limit 154400000 ?Can I shape to 200Mbps ?
View 2 Replies
View Related
Sep 2, 2012
I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).
View 2 Replies
View Related
Apr 9, 2012
I would like to connect a second ISP link to our ASA 5510 to solely serve http traffic from our organization's employees (ie. web surfing). We currently have all employee traffic and two site-to-site VPN tunnels connecting to the internet from this firewall. I want to keep the tunnels as currently configured on the existing connection and split out http/https traffic from our staff onto a less costly link.
View 1 Replies
View Related
Nov 7, 2012
I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?
View 1 Replies
View Related
May 2, 2013
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.
View 10 Replies
View Related
Jun 25, 2012
I have a asa 5510 with 8.x software and I want to reserve (i mean RESERVE not PRIORITIZE) traffic based on protocol, like if I have a 10Mbit I want to :
- give 3 Mb for smtp
- give 5 Mb to http/s whatever
- 2 Mb for other stuff.
Of course QOS won't do that, can you do that with ASA?
View 1 Replies
View Related
Nov 6, 2012
I try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks. [code]
View 7 Replies
View Related
Jan 23, 2012
i have 2 routers, 2821 and 2811. they are connected via GRE over IPsec, and all of the traffic from 2821 is being routed to 2811 with a default route to its tunnel interface. 2821 needs to access internet through 2811 valid ip address, my question is that how should i nat the traffic on 2811 so that 2821 can access the internet?
View 1 Replies
View Related
Nov 5, 2012
I try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks.
[code]....
View 5 Replies
View Related
Aug 8, 2012
i am curently troubleshooting a ipsec l2l VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's
It seems like a routing issue, but we can not find anything on both sites.
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and i configure 10.1.1.0 0.0.0.255
View 7 Replies
View Related
Mar 13, 2012
is it possible to tunnel all TCP traffic to UDP under port 137?
View 1 Replies
View Related
Mar 1, 2011
I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
View 1 Replies
View Related
Dec 15, 2011
I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.
View 19 Replies
View Related
Oct 10, 2011
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
Below is a sanitized version of the config.
ASA Version 8.2(1)
!
hostname BOB
[Code].....
View 11 Replies
View Related
Jul 8, 2012
Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
[code]...
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.
View 19 Replies
View Related
