Cisco WAN :: ASA5505 - SSL VPN Not Working
Jun 16, 2011
I have ASA 5505 with outside interface IP 206.206.206.5 I configured the SSL vpn on this but still i am getting page can not be displaed when opening https://206.206.206.5 from broadband.
Below is the related configuration in ASA. What needs to be done in order to able to connect SSL vpn.
group-policy GroupPolicy1 internalgroup-policy GroupPolicy1 attributesvpn-tunnel-protocol IPSec l2tp-ipsecwebvpn functions url-entry file-access file-entry file-browsing
tunnel-group DefaultWEBVPNGroup general-attributesdefault-group-policy GroupPolicy1tunnel-group DefaultWEBVPNGroup webvpn-attributesnbns-server 10.10.10.11 timeout 2 retry 2
policy-map type inspect http Http_inspect_policyparameters protocol-violation action drop-connectionclass BlockDomainClass resetpolicy-map global-policyclass global-class inspect dns inspect esmtp inspect ftp inspect netbios inspect rsh inspect rtsp inspect snmp inspect sqlnet inspect tftp inspect xdmcp inspect icmppolicy-map inside-policyclass HTTPTrafic inspect http Http_inspect_policy!service-policy global-policy global
webvpnenable outsideurl-list nuk001 "abc002" cifs://10.10.10.1 1
View 2 Replies
ADVERTISEMENT
Mar 8, 2011
I would like to configure a cisco ASA5505 IPSEC VPN. I used the wizard and tried to connect to the outside .. does not work .. The network is configured in this manner: - ADSL router with public address and internal address 192.168.2.1 -> firewall interface inside and outside 192.168.2.2 192.168.3.1 (my network is 192.168.3.0). I used a VPN to the pools ranging from 192.168.4.1 to 192.168.4.100.
INTERNET ----- ROUTER ------ ASA5505 -------LAN
What should I change? there could be problems between the router and firewall?
View 6 Replies
View Related
Dec 12, 2012
, I have ipsec vpn setup on an asa5505 at one of my office locations but when I try to log in to the vpn with the vpn client it just dont work but I have a Linux laptop with vpnc loaded and that connects just fine no problems there ? by the way on my windows system i Have vpn client 5.0.07 asa5505 8.0.(4) asdm 6.1.(3)
View 5 Replies
View Related
Jul 20, 2011
I installed on 2 different PCs (Win7 64-bit) the Cisco VPN Client 5.0.07 with the same VPN profile for 2 different users. We use an ASA5505 (8.0(5) sec plus license) as the VPN end point for the clients. The VPN Clients can connect simultaneously to the ASA, they receive the split tunnel infos but only ONE client can ping the internal network ip range. The other one has no access to the internal resources! When they separately try to connect, there is no problem. Each of them can reach the internal net.On other 2 PCs (Win 7 32-bit) the clients have no problem reaching the internal net (simultaneously connect).
View 0 Replies
View Related
Mar 29, 2012
I am currently trying to configure an Easy VPN connection from an ASA 5505 to and ASA 5520. I have enabled split tunnelling and in the group policy defined the network to be tunneled but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505. I get no internet access. Have been trying to troubleshoot this for days.Hee are soe specifics, running version 8.2(5) on the 5505 and the 5520 and below is the local config on the 5505 for the Easy VPN:
vpnclient server **.***.***.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup dbernstein-5505 password *****
vpnclient username dbernstein password *****
vpnclient ipsec-over-tcp port 10000
vpnclient enable
and the downloaded dynamic policy:
Current Server : 12.***.163.**
Primary DNS : ***.160.***.39
Default Domain : cisco.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : ***.160.***.0/255.255.255.0
Backup Servers : None
View 9 Replies
View Related
Aug 23, 2011
I am trying to get a Cisco ASA5505 to get onto the internet using PPPOE through a Netgear DG384 ADSL router. I have the Netgear in Modem only mode - if you put it in Router mode internet access works fine. When I change it to Modem mode, the error I get on the ASA is PADI timeout. Looking through the config I think I am missing a Global NAT??Also not 100% on the best way to set the IP - we have a static IP from the ISP. Do you set the interface to use DHCP and get this address or set it statically? Then do you put the setroute option or put in a static? [code]
View 5 Replies
View Related
Dec 4, 2012
Short version is we cannot communicate between our subnets.We have a Cisco ASA 5505 we are using for our network router. We have a Netgear L3 switch behind that with 10 vlans. Each VLAN is on its own subnet. (10.0.10.x/24, 10.0.11.x/24, etc)We have PAT for each subnet to our outside interface. Each subnet NATs out properly currently.I have NAT exemption enabled for 2 of the subnets (eventually I will need all, but am just testing at the moment). I have tried multiple ways for the NAT exemption to allow all traffic from our inside VLANS. At this point in time I am trying to get "Engineering" to communicate with all hosts on "AuthUser". I can ping some hosts, but not as many as if I am directly on the interface. I can reach a port 80 service, but not 443. I cannot access anything via hostname or NetBIOS.What am I missing to allow higher security level interfaces to fully communicate with lower security level interfaces?
View 0 Replies
View Related
Dec 29, 2011
We care currently using an ASA5505 as our firewall and redirecting web traffic to a S160 Iron port. Recently the web filter stopped working and the only way to get filtering again is to reset the redirection.
1. Is there any available log information to find out about the WCCP process and maybe way it stops?
2. Are there keep alive packets or anything of that natural between the ASA and Ironport?
View 1 Replies
View Related
Apr 6, 2012
I'm not able to access my Slingbox from the outside. I've set up port forwarding on port 5001 to allow outside connections in, but port forwarding isn't working. Am I missing something?
object network INSIDE-HOSTS
subnet 10.10.10.0 255.255.255.0
object network Slingbox
host 10.10.10.254
object-group protocol TCPUDP
[code].....
View 13 Replies
View Related
Feb 19, 2013
I have a cisco ASA5505 configured in transparent mode. This evening we attempted to plug a couple of new servers in but they simply didnt work, despite our test server working absolutely fine. The server IP's are all in a network object group (the same as the test server) and they're all using the same ACLs etc. I'm relatively new to configuring cisco equipment.
the only thing I can think of is a static route I had to add to get the managemet IP to work might be causing problems.route outside 0.0.0.0 0.0.0.0 XX.XXX.132.1 1(IP addresses obfuscated- servers are all in the same range so assume XX.XXX is the same across all IP's).
View 7 Replies
View Related
May 9, 2013
I have noticed a problem recently that our Remote Access VPN will randomly stop working. I will be able to connect and enter my Username+Password and it says Connected, but I cannot ping Remote Resources. If I check VPN Client Statistics, it shows Many Packets Sent/Encrypted, but None Received. It seems this problem affects all devices at once, but leaves the L2L tunnels intact.
It seems to randomly start working for a while, and everything seems fine until it stops working again. I verified that it is not a firewall problem, and it occurs on multiple ISPs and computers.
We also have 2 Static L2L Tunnels, and 1 Dynamic L2L Tunnel all of which operate flawlessly. All sites/remote users use split tunneling.
Below is the config, I just added the keepalives on the RA Tunnel to see if it would work, I haven't noticed any difference yet.
ASA Version 8.0(2)
!
hostname HQ-ASA5505
domain-name xxxxx.local
[Code]....
View 3 Replies
View Related
Dec 30, 2011
I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working. [code]
View 3 Replies
View Related
Aug 9, 2011
he IPSec tunnels do not form and I notice the error: 3Aug 09 201105:13:26IP = 39.188.41.188, Error processing payload: Payload ID: 1 Reading up on this it looks like it might be an IKE problem but I'm struggling to find the cause (the new 8.4 commands not useful).
The setup is as follows:-
Head Office
PIX515e v6.3(4)
LAN IP 10.0.160.254/24
Branch Office
ASA5505 v8.4(1)
LAN IP 192.168.47.254/24
View 3 Replies
View Related
Oct 6, 2012
I have configured Site to site and the VPN tunnel is up. But the ACL's are not working.
View 11 Replies
View Related
Sep 18, 2012
We have 2 ASA's that connect to a 2811, but for some reason, the 2nd ASA wont connect anymore. Debuging ipsec or isakmp on the 2811 doesn't come up with any messages.
External IP's still correct, and the sites can ping each other.
Only debug on ASA for crypto isakmp comes up with messages (ipsec doesn't give any messages).
ASDM says:
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry
I found some info on the above error messages, but those links didn't quite useful.
Below is fromt he debug on the ASA:
Sep 18 22:06:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Sep 18 22:06:09 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.Sep 18 22:06:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Sep 18 22:06:10 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.Sep 18 22:06:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Sep 18 22:06:13 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.Sep 18 22:06:16 [IKEv1]: IP = 64.X.X.X, IKE_DECODE RESENDING Message [code]...
View 11 Replies
View Related
May 9, 2011
XP Home edition, went to tools can't find working off line or working online to make sure off line is not checked so I can get on line DSL Verizon , Wireless router, wireless switch in on, on the cpu
View 1 Replies
View Related
Feb 15, 2013
ASUS Notebook G60Vx Series
Windows 7 Home Premium 64-bit
Intel(R) WiFi Link 5100 AGN
A few days ago my internet suddenly stopped working. I plugged in the ethernet cord and everything worked fine. Checking the properties in the device manager showed the device was working properly, I also tried resetting it to make sure it was enabled but it did not work.
Upon troubleshooting, the "Windows Network Diagnostic" said the problems was that the Wireless adapter was not turned on. Using the switch on the front of the laptop as well as the function keys does nothing. Usually a graphic pops up showing if the WiFi is on or off, changinging transparent to show the WiFi is disabled. Now when I turn the switch on it always appears transparent, effectively going from off to off
So I know the computer reads both the function keys and the switch on the front but both methods never actually turns the adapter on. I just finished a system restore and nothing has changed
View 1 Replies
View Related
Jul 20, 2012
i have the asa5505 with asa8.4.5 and asdm 6.4.2. my asa work like site to site vpn with the other asa5505. i would be love that monitoring status of VPN. i enabled on asa logging, i puted address of smtp server, receipent email, source email, the problem is because my smtp server require authentication, TLS. how set configuration on asa5505?
configuration of logging for send notification on email.
View 3 Replies
View Related
Jan 22, 2011
We are pulled the plug on our PIX 501 as its not letting us use all 100Mbit that our cable provider is now piping to us. I read the conversion guide but it made no mention of the 501's. Only the 515's or newer.The ASA5505 is putting up a little bit of a fight (This what I get for failing my CCNA??)After refusing to configure the LAN ip address to something other than what it was shipped with, I broke down and connected to the management console and forced an IP address on the LAN side. Now I reset my default config and everyone can get on the internet.Until the ISP cuts you off because you forgot to set your static IP. Oh, and by the way, they dont support Cisco gear.
When I attempt to assign the IP to the outside interface, it accepts without a hitch, but everything grinds to a halt. I cannot have this, as I have off-site users that operate with dedicated ports using Remote Desktop. I've attempted to set the IP via both ASDM and management console. I've tried setting a static route, but that doesnt give me any love either. Im running ASA Version 8.2(1) and ASDM Version 6.2(1)Once I get the static IP set and working properly, I can tackle moving the port configs.
View 10 Replies
View Related
Jun 17, 2012
Can I have two IPSec tunnels over two different Internet links to two different destination?
View 1 Replies
View Related
Aug 22, 2012
Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.
VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA Inside Interface - 172.20.58.13/30
3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13
3750 Switch Interface connected to VPN router - 172.20.58.21
VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router. Our responsibility is to just to make sure the tunnel comes up.
1) Create a static NAT on the ASA for Public to Private IP of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address or do i have to configure another interface on the ASA with this public IP?
2) What would the access list look like on the ASA?
3) The client gave us some config to copy the stuff on the ASA so that they can create the tunnel but i couldn't put those commands in the ASA. How would this be applied and on what interface?
Firewall Access: The following information pertains to access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be
allowed:
permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp(code )
View 2 Replies
View Related
Jan 19, 2012
am not sure if it is different on the 8.2 or if I am missing something. I can connect to the vpn but cannot get to the inside computers. I can ping them from the ASA but not from the vpn client.
View 17 Replies
View Related
Jun 26, 2012
We have multiple servers on the DMZ (192.168.2.0/24) but they cannot access any resources in the Inside, by default. We would like to open up a Syslog server from the Inside (10.1.1.5) to the DMZ servers, so we can collect system log from the servers.
View 2 Replies
View Related
Nov 17, 2011
I have an ASA 5505 with the Security License running 8.4 and 6.4.5 software, I have a fully working VPN solution on there using a ISP IP - works fine. My boss wants to split the lines/bandwidth to another ISP we have coming into the office. So what I want to acheieve if possible is this Say my current isp is 5.5.5.5, my internal network is 192.168.2.x and my other ISP is 6.6.6.6 - is it possible to use the ASA to accept VPN clients from both ISP's and use the internal network?
View 2 Replies
View Related
Jan 17, 2012
I have 4 remote sites that are using a ASA as thir firewall / router. I'm setting up a full mesh VPN between all the sites. One of the sites have a UC500 and the other sites access that UC over the VPN tunnels. I would like to set up some basic QoS for the VOIP traffic
The site that has the UC will have multiple vpn tunnles coming in from the remote sites. How will I do QoS with voice traffic on that site?
View 11 Replies
View Related
Jul 8, 2012
I have 2 office buildings using Cisco 800 series routers with a L2L VPN between both. I'm upgrading the router to an ASA5505 at one of the offices but can't figure out the L2L VPN on the ASA. Specifically, can't figure out how to set the pre-shared key. On the Cisco 800 it's:That doesn't seem to work on the ASA. Here is my current config on the Cisco 800. [code]
View 9 Replies
View Related
Jun 17, 2011
I need to create second VPN in same ASA5505, it has already a VPN to one of our clients. So it alredy have a transformset,cryptomap,policy.Now i need to create new one. i like to create a seperate transformset and crypto map for this 2nd VPN with a new name to identfy very easily.But i have doubt like may it will affect the current VPN? because it has another VPN with another tranformset and cryptomap.......
1) will it affect the current VPN?
2) do i need to create a seperate tranformset and cryptomap? or with same tranformset and cryptomap with different number.....if it possible to create multiple cryptomap then i would like that to create.....
View 2 Replies
View Related
Sep 25, 2012
My company purchased a PAK for ASA5505-SEC-PL a while back. I found it unopened and need to know if it can be used, without activating it on an ASA. I opened up a case with the Cisco TAC, provided them the PAK serial number and got the following responses from 2 different individuals:
1.Since the product was covered under warranty and then expired this means that the activation key was used before.
2. This PAK number is expired since (Warranty End Date 21-Feb-2009).
I responded that I am not interested in warranty information but I just want to know if the PAK can be used. Just because the warranty expired, does that REALLY mean the PAK can no longer be used? That doesnt make sense to me. Isn't there a tool on Cisco's website to put in the PAK S/N to see if it is available, has been used, and if so, when?
View 2 Replies
View Related
Aug 6, 2012
I have 2 x ASA 5505's , I would like one to sit at my office behind an ADSL router with a static IP address, and be configured as a Server. I would like the other to connect to an ADSL router with a dynamic IP address, and be configured as a Client.
This must be a plug & play setup, so that when the 5505 client is plugged into ANY broadband router, it automatically creates a VPN tunnel to the 5505 server. Incase it's relevant... the purpose of this link will be to stream video data back to my office from remote locations. We have "played" around with the ASDM, EasyVPN and wizzards and still cannot get this to work!
View 3 Replies
View Related
Jul 3, 2012
i exported config file from asa5505. i changed this file and i imported in my asa5510. can you tell me that config file allright
View 1 Replies
View Related
Dec 14, 2011
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
View 3 Replies
View Related
Nov 10, 2011
I have two ASA 5505 on two different locations(main office and remote office) and I need the remote office to be in the same subnet as the main office since they move computers betweend the offices and they have fixed IP addresses on those computers and they have no right to cahnge to dhcp mode when they move to remore office. Is it possible to create like a bridge over the VPN tunnel so it extens the LAN ?
View 18 Replies
View Related
Nov 29, 2011
Is it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs? For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet. At the moment I can use the one usable IP from the /30 to NAT to the private LAN. The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also. Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no? In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config. Does the ASA support aliases? Maybe I have to do something with VLANs?
View 2 Replies
View Related
