Cisco WAN :: ASA5510 Routing Through IPSEC Tunnel
May 20, 2013
I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
View 6 Replies
ADVERTISEMENT
Apr 26, 2012
I have an asa 5510 that has many(17)ipsec vpn site tunnels on it. One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it. It does appear to be the tunnel only because there is no latency to the internet. I cleared the tunnel group out and readded it to no effect. isp says everything fine. any other known causes for this
View 2 Replies
View Related
Mar 7, 2013
I have an IPSec tunnel configured on my Cisco 1941. The other device is an ZyXEL router.I can see the tunnel is up but there is no traffic.This comes out the show crypto ipsec sa
interface: Dialer1
Crypto map tag: CMAP_AVW, local addr 10.10.10.89
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
current_peer 20.20.20.161 port 500
[code]....
View 3 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Oct 26, 2011
what license do I need to create a IPSEC tunnel? I have an ASR 1001, running? [code]
View 2 Replies
View Related
Nov 20, 2011
I want to establish GRE over IPsec tunnel between four branch offices and head office. At branch offices, I have 1841 router with Advanced Security software. At head office, I have a ASA5510 7.2 as frontend with one public IP addres and 1841 router behind it in private address space. Since ASA is not supporting GRE tunnels, can ASA be endpoint for GRE over IPsec? If not, can ASA pass this tunnel to the 1841 router behind it, so 1841 would be logical tunnel endpoint? What should I pay attention? Should both ASA and every 1841 support NAT-T, or just ASA?
View 1 Replies
View Related
Dec 26, 2011
Our internet connection changed and so did our public IP addresses, I'm trying to re-establish our VPN tunnel with our client, but we haven't be able to get the connection back up even though only 2 IP addresses have changed. Below is my ASA 5510 config file Our WAN from the ISP is: 65.xx.xxx.104/30 and our LAN is: 67.xxx.xxx.128/27, I'm trying to use: 65.xx.xxx.106 as the endpoint and 67.xxx.xxx.130 as the host via the tunnel.
View 5 Replies
View Related
Jul 25, 2011
I have set up a IPsec L2L VPN between a ASA5510 and a ASA5505 which is working just fine.Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error.I have already searched the forum for this message to exclude all the possible reasons for this message:
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)
- the ACL's used in the crypto maps are exactly the opposite of each other
View 2 Replies
View Related
Mar 19, 2012
I have a 5510 running 8.42 code with multiple site to site tunnels coming into it. Sites vary from ASA 5505's, 1841 and 1921 routers which all work perfectly. That being said I think the ASA side is good. I have an 837 running 12.4 code, Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(5b), I'm trying to configure it for site to site VPN back to the ASA. When I ping from the E0 interface I get the following debug output and nothing else. I've made a lot of changes to no avail in getting closer to a successful configuration. [code]
View 1 Replies
View Related
Mar 18, 2012
i want to create Remote IP Sec VPN on Cisco ASA5510.Problem is this 5510ASA is behind another 5520ASA and it dont have any public IP address on any of 5510 interface.if i do static NAT of ASA 5510 Private IP on internet facing 5520 IP Public POOL, then will VPN work on 5510 ASA? and what ports need to forward on 5520 for 5510 to become IPSEC VPN head end
View 1 Replies
View Related
Jan 3, 2013
I have the need to configure a backup VPN, I have remote branches with cisco 800 routers that make a VPN to an ASA5510 in the main offices, but as a DRP I want to have a backup VPN to another site. I dont know if it is a failover configuration or backup VPN, how to start investigating.
View 2 Replies
View Related
Feb 12, 2012
Is this kind of configuration possible? Can the VPN tunnel go thru the Firewall to another interface (DMZ) on it? And not to end “outside” interface.I have DMZ network in ASA5510 interface and I like to end the L2L IPsec VPN tunnel on it. The tunnel mas go thru the ASA from Internet via outside to the end point DMZ interface. The traffic is decrypted to that interface. So the VPN L2L peer interface is the DMZ interface IP address, not the Outside interface IP address.
View 0 Replies
View Related
Oct 1, 2011
We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a wierd problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.
I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this i realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether i need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults i would have to override using that method.
View 5 Replies
View Related
Feb 29, 2012
I configured my cisco client with the info from the vpn wizard and get the following error :
error in the cisco vpn client when enabling the log : Invalid SPI size (log) + reason 412 the remote peer is no longer responding (application) message I see via the ASDM-IDM : Built inbound UDP connection for interface WAN
I'll explain briefly what I'm trying to do here :
* Remote vpn with windows users having cisco clients
* Group authentication and in the asa5510 LOCAL authentication
My WAN interface contains a public ip/29 I also defined a LAN interface with security level 100 in 10.0.60.0 255.255.252.0 range the vpn dhcp range I want to attribute to vpn users : 10.0.69.0/24
Basically I want users to initiate the vpn tunnel to the public IP and be able only to access the LAN range with the 10.0.60.0/22 range
ASA Version 8.2(5)
!
hostname xxxx
domain-name xxxx
[Code].....
View 7 Replies
View Related
Oct 19, 2011
- Ipsec tunnell between two 881's
- An Aruba access point trying to set up a tunnell back to controller through the ipsec tunnell, on udp 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.
View 1 Replies
View Related
Sep 21, 2011
I have an ASA5510 running in production. I have about 28 site-to-site vpn tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP us. When I do a packet tracer on the ASA, all phases are "ALLOW" but at the very end, the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel including the crypto ACL has not been changed. This same tunnel had NO issues prior to the 8.2.4 upgrade.
I thought about trying to disable "inspect FTP,. I am running FTP passive mode on the ASA so I don't believe "inspect FTP" is required.
View 2 Replies
View Related
Oct 19, 2011
I've a question about VPN IPSEC on ASA5510
In the LAN network , we use a DHCP on a Windows2003Server. Is it Possible to Configure the remote VPN Clients to use this DCHPserver throughout the VPN IPSEC and Assigned Automatically IP when the connection is done?
View 1 Replies
View Related
May 13, 2013
How to configure CISCO ASA 5510 for multiple IPsec tunnels?On other side is CISCO 2801.
View 20 Replies
View Related
May 2, 2013
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.
View 10 Replies
View Related
Nov 15, 2011
I want to configure a remote VPN for our clients on Cisco ASA 5510 using Dyn DNS as I dont have static IP address.
View 9 Replies
View Related
May 4, 2011
how to create ip sec tunnel using these parameters. customer ip where tunnel has to be connected 1.1.1.1
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key
[Code]......
View 4 Replies
View Related
Mar 9, 2011
We have a Cisco 2820 that serves as a hub and our spokes are Cisco 871s. Its been working for a while and for some reason last week. Http and https traffic over the tunnel is having connection issues. I can Remote desktop or PCanywhere into the remote PCs. From that PC I can ping internal IP address or IP of the webmail server or internal webserver with no issue. But if I access it over the browser it times out or it will work and stop working again. Basically ica, icmp, pcanythere, rdp traffic works over the tunnel but not http or https.
View 2 Replies
View Related
May 4, 2011
can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT. I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.
I have a very strange issue where asynchronos routing is making my life as a technician very hard.
A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?
ASA5505 ===>===>===> ISAKMP traffic ===>===>===> ASA5510
212.178.155.73 80.62.yyy.xxx (traffic source IP: 212.178.155.73)
[Code].....
View 3 Replies
View Related
Aug 8, 2012
i am curently troubleshooting a ipsec l2l VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's
It seems like a routing issue, but we can not find anything on both sites.
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and i configure 10.1.1.0 0.0.0.255
View 7 Replies
View Related
Mar 24, 2011
I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now... I have been using this document as a reference (6211): URL ,The remote end is a sonicwall.
The problem seems to be that the pix never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel! Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be remaining commands in the running-config causing problems.
View 7 Replies
View Related
Oct 29, 2012
configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
[URL]
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside) The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all otherip access-list extended NAT-Trafficdeny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255deny ip 172.19.191.0 0.0.0.255 192.168.128.0
[Code].....
View 1 Replies
View Related
Feb 7, 2012
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0
[Code]....
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
View 27 Replies
View Related
Dec 3, 2012
I have two routers on my internal network.
10.10.199.106 is a Cisco ASA5510.
10.10.199.108 is a Sonicwall NSA 3500
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
View 4 Replies
View Related
Feb 21, 2013
I recently upgraded our head end ASA5510 at our datacenter from 8.2.1 to 8.4.5. The ASDM was also upgraded from 6.2.1 to 7.1.(1)52. Under the old code, a remote ASA5505 connected via Easy VPN Remote showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It would seem to me that each split tunnel network defined in the Easy VPN profile is being counted as a tunnel. Is it possible that I may have something misconfigured now that the code is upgraded?
View 6 Replies
View Related
Nov 24, 2011
I've configured a VPN IPSEC on my ASA5510. It Assigned IP/NETMASK/Gateway via a DHCP Server on the LAN.The problem is that when a client is connected to the VPN , it takes the right IP and NETMASK. ( 192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong ( 192.168.1.1). It should be the default Gateway of my LAN router ( 192.168.1.229).
View 7 Replies
View Related
Aug 8, 2011
i am just installing my ASA 5510 and i want to configure it for remote access VPN IPSEC client.i use this doc : URl,When i start the connexion, the Client uses the first address of the pool and not the dedicated address ?,i have forget something ?
View 2 Replies
View Related
May 5, 2010
i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
below is my configuration
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key *
group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000
---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
the DHCP server is working when i assign ip address to the LAN network.
View 20 Replies
View Related