Cisco WAN :: 5520 User VPN Through Secondary Internet
Dec 18, 2011
We have an ASA 5520 in production with a brand new internet feed we've just finished installing. We connect to our corporate office via a VPLS. In our corporate office we have a Cisco 1841 (I think that was the year it's made! ) with an ADSL feed with a static IP address plugged in directly.
We have a user VPN that we integrate with our user directory on the router, which connects via the ADSL. The users get an IP address at the tail end of the 172.31.14.0/24 range, which is the same as one of our corporate subnets (we just reserve a few addresses, we don't have many VPN users).
Both the ASA and the router connect to each other (via the VPLS) on the internal subnet 10.255.255.0/24.
-The ASA is 10.255.255.1
-The router is 10.255.255.100
Currently the default route for the corporate office goes out the Dialer interface for the ADSL, which means that's where our internet goes out there (all proxying aside, we'll leave that out of this one):
ip route 0.0.0.0 0.0.0.0 Dialer1
We'd like to change that default route to go via the VPLS to the ASA, and then out to the internet using the new feed. All the ACLs and rules are in place at both ends for this to work. If I change the default route on the router to:
ip route 0.0.0.0 0.0.0.0 10.255.255.1
Then it works as expected.
The problem is that then the user VPN breaks. I had hoped I wouldn't have to do any configuration on this but it looks to be so. I'm guessing that the VPN packets are coming in via the ADSL and back out via the new internet. It would be simple if the remote client had a static IP address as I could put in a static route for each user, but it's always going to be dynamic.
What do I need to put in place to get this working? I thought maybe I could leave the default route via the ADSL and put in a next hop rule to go via the VPLS for the specific subnets that need the new internet, i.e. have a subnet specific default gateway, is this possible? (I gave it a go but it didn't seem to work, I think I didn't implement it properly though as it still went via the ADSL, maybe because there is a nat route-map as well?).
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
Oct 8, 2011
My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP at the ASA 5520? Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP?
Nov 24, 2012
We already have a subnet defined on the inside interface and it is in production. The default gateway is this interface IP. In that setup I now have to add one more subnet, and as the first subnet has been defined on the ASA inside interface, I have to assign a secondary IP to the inside interface so that new subnet users can easily reach here and go outside.
Apr 12, 2011
I have a pair of ASA5520s in active/active failover - this works fine. Both primary and secondary ASAs are running 8.2(2) code. I have a 30-day temp 50 seat SSL license that I applied to the primary. I then started having problems with L2L tunnels.
I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side. However, I could ping across to the other side at which time the state changed to MM_ACTIVE as I would expect and the remote could then reach my side.
I believe this results from the differences between the two licenses. When I applied the 50 seat SSL lic. it disabled failover, but I was willing to risk that for a few days to show my customer the benefits of SSL connectivity. Note license differences. Is this causing the MM_STANDBY IKE issue and if so can I overcome it and use the 50 SSL VPN Peers lic.
Nov 8, 2012
I have a working DMVPN solution. I am trying to stand up a secondary DMVPN hub at our disaster recovery site. We are trying to deploy a Dual Hub Single DMVPN solution. The HUB2 DMVPN router has an INSIDE trusted interface and has an OUTSIDE UNTRUSTED interface.
The inside is 10.248.11.X...the Untrust/public is 192.168.93.11 which is connected to our DMZ 3 on the ASA 5520.....then I am trying to NAT the 192.168.93.11 to an outside public IP 199.248.30.X....just not working...have had 2 tickets open with Cisco this week and they still are unable to resolve. I am sure it is the ASA5520 is not configured correctly.
Apr 10, 2012
I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multicontext configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed up config of the fallen unit or is it enough to enable multimode and connect to the existing (primary) unit? Any good link for documentation that deals with these issues?
Jul 30, 2009
We have 2 ASA5520's running SSL VPN. We would like to allow users to create their own bookmarks but so far have been unable to find out how.
Mar 2, 2011
We are using the ASA 5520 as Firewall and VPN gateway for remote access by employees and vendors. Is there a way to view a history of VPN user logins? We used to have (or we still have but are no longer using it) the CVPN 3005. This device keeps log files of all activities. I miss having this capability in the ASA 5520.
Aug 10, 2012
We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)
Feb 6, 2013
I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?
Jun 16, 2012
How many remote users can connect using the Cisco VPN client on the Cisco Firewall ASA5520-BUN-K9? I already read the VPN Client FAQ but there is no information about user limitations.
Jul 7, 2012
I have users connected to the office using the Cisco VPN client, with a Cisco ASA 5520 acting as VPN gateway. Frequently the users get disconnected from the server while the VPN is still established and not disconnected!
What is the cause of the issue, and where is the fault located? How do I start troubleshooting to figure out the issue?
Jan 30, 2013
I have two routers on my local network:
1. ADSL Wi-Fi router provided by my ISP. This is the primary router for my network which is connected to the internet. Router IP: 192.168.1.1 (DHCP enabled)
2. TP-Link wireless router which is connected to the primary router through its LAN port (not WAN) with its DHCP turned off. So I'm using this router ONLY to extend the network to another area. This is a 3G enabled router. Router IP: 192.168.1.2
There are two different wireless SSIDs but basically only ONE network (all the PCs connected through any of the two routers are on the same subnet and have same IP range i.e. 192.168.1.x). I want to use the 3G internet connection through the secondary router when the ADSL connection is down. Whenever the ADSL connection is down, I would just connect the 3G-USB to the secondary router, all the computers on the network should connect to the internet while skipping their route through the primary router WITHOUT CHANGING ANY SETTINGS. Is it possible? Do I need to modify the routing tables? Or is it possible by configuring the DHCP server to assign the primary DNS address as 192.168.1.1 and secondary DNS address as 192.168.1.2?
Aug 21, 2011
I have a set up for cable modem internet I would like to share with a laptop. It's a Motorola Surfboard cable modem hooked up to my IBM P4 computer through a USB cable. The Ethernet port out of the modem is NOT operational. The IBM computer gets the internet fine in this configuration. I would like to use a SRX200 WiFi router to connect a laptop to my internet using ICS, leaving the IBM computer and router on when I do this. I opened properties on the USB connection and clicked share internet connection. This then set up my Ethernet port to 192.168.0.1. I now want to connect the SRX 200 to the Ethernet port. Its IP is 192.168.1.1. So, do I connect the computer's Ethernet port to one of the router's Ethernet ports instead of the WAN port? Do I turn off the router's DHCP? Do I have to change the router's IP address to make this work? Will I have to assign fixed IPs to my client to make it work?
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system. For example, an admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
Nov 21, 2012
Is it configurable to allow wifi user-to-user traffic on a WLC 5508?
Apr 22, 2011
On one of my computers one user cannot connect to the Internet. The following message appears: "The Proxy Server is refusing connections. Firefox is configured to use a proxy server that is refusing connections. Check your proxy settings to make sure that they are correct." Changing users to another account and there is no problem connecting. This computer currently has an unresponsive keyboard. The above changes and connections are accomplished using only the mouse. Runs on Windows XP. Have posted the following thread in hardware: The keyboard on one of my computers is totally non responsive. The following message appears: "Windows cannot start this hardware device because its configuration information (in the registry)
Aug 4, 2011
As per the topology attached herewith, I have 2 ISPs, ISP1 and ISP2, and I have one Cisco 1841 Router with only 2 Ethernet interfaces. My LAN subnet is 192.168.1.0. My purpose is, I want to configure both ISP1 and ISP2 and my LAN network on the router, without adding any extra interface. I also want to configure NAT so that LAN users can go to the internet. I want to do this using 2 interfaces.
Sep 9, 2011
I can't connect to the internet but another user can. We use the same laptop but my internet connection was cut off whereas my son's internet connection on the same computer is working fine. I have used a cable as well with no success. Obviously there is nothing wrong with the router or cable or wireless but there must be something wrong with my user settings. My son is using the same computer and can connect fine to the internet as another user.
Jan 11, 2012
I have a wired ADSL connection in location A. I know the user name and password. I want to connect to the internet in location B but location B is very far from location A. Is it possible to use the same user name and password to connect to the internet?
Jul 9, 2011
I am unable to connect to the internet using my user ID, but when I log in to the guest account I can successfully connect. I am using Windows Vista and Mozilla Firefox as my browser.
Jul 31, 2012
We're planning to open a coffee house for teens at my church. We want the internet to be accessible to them but want to restrict what sites they can access so homework, games, etc. can be accessed but not the stuff rated for violent, risky behaviors.
Mar 2, 2012
How to restrict internet access for a particular user account on a PC?
Oct 10, 2011
We had set up a wired/wireless LAN using a Cisco 881W router for one of our clients. The wired LAN works OK but we have issues with wireless. Users on the wireless LAN can connect to the wireless network, but cannot browse the Internet. The wifi network does not give out an IP address to the client, so the client cannot get to the default gateway and the Internet. Not sure what part of the config does not work.
##### sh runn #####
881WiFi#sh run
Building configuration...
[Code].....
Sep 9, 2011
We recently switched from Centennial aircard to Verizon aircard (USB760) for our laptop. We have two user accounts on our windows 7 pc. With Centennial we could switch between user accounts without closing sierra wireless manager but when I switch to another user now, a message comes up saying vzaccess manager running in another account and we cannot use the internet until we have shut it down in the account it is running in - which is a pain. I have tried right clicking vzaccess manager in all programs and it does not have a share option. I also went to properties under vzaccess manager and found a setting to share and set it up but it still will not share
Nov 2, 2011
I have 2 desktops and a laptop accessing a wireless Motorola modem using roadrunner broadband. My desktop/Vista and laptop/Windows 7 are working fine. My older desktop with XP has a wireless card and shows that the wireless is connected with great signal strength but won't access Internet Explorer. I keep getting an error message. I have tried re-setting up the wireless and shutting down the machine ,etc. I have seen a few older posts that suggest downloading some software, etc
Feb 27, 2011
I have a laptop with 2 user accounts (one for me - administrator - and the other for my eleven year old son). Connection is wireless. Until a few months ago everything was working fine and then the problems started: my son could no longer connect to the internet with Explorer and Google Chrome but I managed to connect it via Firefox. And it worked until yesterday. As of yesterday he can no longer connect to the internet even with Firefox. I tried again as an administrator to reinstall Google Chrome, but the icon is shown only on my user account. I took a completely new browser - Opera - but it fails to connect. When I go to Diagnose & Repair connection problems, it shows no problems. On my account everything is working properly. OS is Windows Vista Home Premium.
Aug 2, 2011
While I was at school there was a system in place whereby you had to enter a user name and password to access the internet. Every student had a data limit like 3GB per month for example. I remember it had something to do with a proxy. I would like to recreate this system on my office LAN as some staff members have been downloading a lot, slowing down the (very expensive) Internet connection. Limiting each user's data will discourage large downloads.
Jul 14, 2011
How can I configure a Catalyst 3750, whose interface is patched to the ISP router (internet uplink bandwidth = 20Mbps), so that all active users share the bandwidth (whether 5, 50 or 100 users simultaneously) when surfing the internet? Right now, when a user starts a larger download it uses the bulk of the bandwidth, and all other users get extremely slow access times with what remains.
Jun 4, 2011
here is my situation:
home users ------ internet ------ ASA 5510----- CORP LAN
We have AnyConnect VPN and remote IPsec VPN; I think the solution should work on both of them. My question is: "How to enforce home user internet traffic to the VPN tunnel?" We have "split tunnel" to pass only "interesting traffic" to the VPN tunnel to access the CORP LAN. But now I need to enforce all user traffic (internet + CORP LAN) to pass through the VPN tunnel. So far, I did what I know:
1. remove "split tunnel" from the group-policy
2. the addresses in the "remote VPN user address pool" can be NAT/PAT'd through the ASA5510
But I don't get why it doesn't work.