Security / Firewalls :: Cisco - Unable To Configure Site-to-site Vpn
Sep 14, 2012
I am configuring Site-to-Site VPN with another company. I already make a couple of tunnels but with this one I have a problem. They I already using on their side my local network 192.168.10.0/24 (server is 192.168.10.10) so we need to use imaginary network 172.16.0.5 as server address. Now I need to do NAT 172.16.0.5 to 192.168.10.10 but I am not so good in that.
View 1 Replies
ADVERTISEMENT
Mar 24, 2013
Is it true that the FCC is investigating the Pogo game site because of poor security? Is Java the cause of this problem?I'm very leery of getting on the Pogo site because I've been told that my computer could get a virus and crash.
View 1 Replies
View Related
Nov 6, 2012
I have a scenario whereby I need to add a second VPN tunnel to a Cisco ASA, however its peer address will be on the outside2 interface on the remote firewall.
we have ASA1-HQ 5505
Inside address - 172.16.20.0
Outside1 - 1.1.1.1
Outside 2 - 2.2.2.1
ASA2-DC 5510
Inside Address- 172.16.30.0
Outside1 - 3.3.3.1
Outside2 - 4.4.4.1
There is currently a VPN tunnel between 1.1.1.1 and 3.3.3.1. I need to add a 2nd VPN tunnel utilising outside2 addresses 2.2.2.1 & 4.4.4.1 respectively.
I have labbed this out, however i cannot get traffic going down to the 2nd VPN tunnel. I have created the following routes on each firewall
ASA1-HQ
Outside1 0.0.0.0 0.0.0.0 1.1.1.2 (metric 1) (Next hop for outside1 interface)
Outside2 4.4.4.1 255.255.255.255 2.2.2.2 (metric 1) Peer address of 2nd vpn tunnel)
ASA2-DC
Outside1 0.0.0.0 0.0.0.0 3.3.3.2 (metric 1) (Next hop for outside1 interface)
Outside2 2.2.2.1 255.255.255.255 4.4.4.2 (metric 1) Peer address of 2nd vpn tunnel)
I have tried adjusting the Crypto map Priority values however this has made no difference. One theory I have is the local addresses potentially would need to be on a separate network in order for traffic to traverse the 2nd VPN tunnel.
the crypto maps i have created are:
ASA1-HQ
Outside1 (Priority10) S 172.16.20.0 /24 D 172.16.30.0/24 Protect ESP-3DES-SHA Peer 3.3.3.1 (Nat T Enabled)
Outside2 (Priority 1) S 172.16.20.50 /32 D 172.16.30.50/32 Protect ESP-3DES-SHA Peer 4.4.4.1 (Nat T Enabled)
ASA2-DC
Outside1 (Priority10) S 172.16.30.0 /24 D 172.16.20.0/24 Protect ESP-3DES-SHA Peer 1.1.1.1 (Nat T Enabled)
Outside2 (Priority1) S 172.16.30.50 /32 D 172.16.20.50/32 Protect ESP-3DES-SHA Peer 2.2.2.1 (Nat T Enabled)
Is what I am attempting feasible?
View 6 Replies
View Related
Sep 12, 2011
I configurated Ipsec vpn at asa 5510. my inside ip 192.168.10.156my public ip: 85.x.x.xmy peer ip : 62.x.x.x
the project is that:
the remote site want the interesting traffic like that:
source ip 172.16.1.104 can access destination ip 10.0.154.27
My inside ip is 192.168.10.0/0 and i can not to change it 172.16.1.0/24 and i can not to add this ip at my network.
View 3 Replies
View Related
Nov 13, 2011
our customer unfortunately uses a Watchguard.Finally we could establish a site-to-site vpn connection.To test if the connection re-establish again, we cleared our vpn session by "clear crypto isakmp <session id>" and after that "clear crypto sa <ip address of the peer>"After that, the session is down on our site, but the watchguard keeps the Phase I still up, either the deleting messages from our cisco are visible in the watchguard log files.Watchguard helpdesk told us, that the messages are only seen as a deletion message for Phase II, therefore Watchguard keeps Phase I up and running.Here you could see the cisco 7206 log messages aftre the clear commands:
: Nov 10 13:22:06.508 MEZ: IPSEC(delete_sa): deleting SA,
2011-11-10 13:22:06 Local7.Debug 649460013: : (sa) sa_dest= <local peer>, sa_proto= 50,
2011-11-10 13:22:06 Local7.Debug 649460014: : sa_spi= 0xEB0AE65A(3943360090),
2011-11-10 13:22:06 Local7.Debug 649460015: : sa_trans= esp-aes 192 esp-sha-hmac , sa_conn_id= 669,
2011-11-10 13:22:06 Local7.Debug 649460016: : (identity) local= <peer>, remote= <peer>
[code]....
In my opinion, it looks ok and we do not have problems with other VPN devices with this kind of tests.what could be done that the watchguard deletes Phase I, too? Or that an explicit Phase I deletion message is created and sent by our cisco 7206?
View 3 Replies
View Related
Dec 12, 2012
I have tried Cisco presales but got bounced - go Cisco !So, i have a small customer who requires a single device which will provide .....
1/ Leased Line connection @ 10mb
2/ ADSL failover onbox (so configurable from CLI, unlike the 860’s which I see only have one ‘active’ wan port)
3/ IOS based
4/ integrated 4 ports (min) switch
5/ site to site VPN
6/ up to 10 x SSLVPN remote users
I did pitch in with ASA5505 with external ADSL router but he is “space-constrained”.It worries me when Cisco doc's say only one WAN port is 'active' - since it doesn't say the second port automatically comes up if the first goes down so I can't take a gamble on that being the case.
View 3 Replies
View Related
Nov 21, 2012
I have an ASA 5525 and need to configure site to site ipsec vpn to 3 peers. I currently have an existing /28 public address from my ISP that is used by other services.Is there a way to use this existing ip range to configure IPSEC tunnels to 3 peers ?
View 10 Replies
View Related
Jun 28, 2012
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
View 3 Replies
View Related
Dec 29, 2012
Is there a way to set up a Site-to-site VPN between RV042 & Cisco 2911? I "googled" this and obtained a document, but it is not regarding Cisco 2911: [URL]
Routers are needed to setup it successfully. I have tried on both routers several configuration steps, no success...
View 3 Replies
View Related
Mar 18, 2013
sample configer ASA 5512-x v.9.1 for VPN site to Site, i use to configure on ASA 5510 V.8.2 but on ver 9.1 i never configure. my is use that i dont know to how to configure nonat. i saw some configration as in the attach file they just to show configure VPN but we did not see nonot on command.
View 2 Replies
View Related
Aug 22, 2011
I need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my suppliers end.Our supplier has configured their end and I do not have access to their configuration.
They told us we have to NAT all inside address' to a single address (192.168.89.1) as this is the only one they will let through their firewall/tunnel.I know how to set up the VPN but not too sure how to set up the NAT part.
My sanatized config is attached. The code I am using to NAT my inside network to the single address 192.168.89.1, and send all traffic accross the VPN tunnel as this address is correct? With the router running this config the VPN tunnel does not connect.
View 2 Replies
View Related
Jun 16, 2011
I want to configure QoS for voice traffic over a site-to-site VPN tunnel. I have a Cisco 851 router on the branch end and a Cisco 1800 router at the HQ. The setup is an Avaya Gateway located at the HQ and the idea is that the phones at the branch office are connected over the VPN tunnel to the gateway at the HQ.
I have a 1MB internet link at the HQ from a service provider and 256kbps internet link (from a different service provider) at the branch office. The branch office has just 3 users.
View 12 Replies
View Related
May 13, 2012
I have a couple of ASAs 5505 (HQ & Branch) running version 8.2(4). They are configured with a Site-to-Site VPN over a single WAN link: [code]
I want to enable sla monitor on one of the devices in order to know the real status of my unique link because the interfaces sometimes don't go down, so I don't have any real statistic of failures.
All the information is related to dual ISP links failover. Is there any extra-consideration for my single link scenario?I already have a static route route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 so I think I have to overwrite it with something like this route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 track 1. Is this correct?If so, when I overwrite it, will the S2S VPN go down and will it go up automatically?
View 1 Replies
View Related
Jun 21, 2012
i have an ASA 5520 Version 8.0(2), i configured the VPN site to site and works fine, in the other apliance i configured the VPN Client for remote users, and works fine, but i try to cofigure the 2 VPNs on ASA 5520 on the same outside interface and i have the line "crypto map outside_map interface outside (for VPN client)", but when I configure the "crypto map VPNL2L interface outside, it overwrites the command", and therefore I can only have one connection. [code]
View 36 Replies
View Related
Dec 26, 2010
We having 2 nos 1941 routers we need configure site to site vpn on this routers send the configurations . 1st side having server and 2nd site we having 10 users. 2 side users wants to access trough vpn in that server .any IOS required are defualt IOS is enof on 1941 k9 Router.
View 3 Replies
View Related
Dec 13, 2010
I'm trying to configure a Site-to-Site VPN in a Cisco ASA 5505 firewall which is behind an ISP router (Cisco 800 Series) configured in routing mode (not bridging) and with a static nat of all the ports to the firewall (avoiding bridging mode of the router). [code]
View 12 Replies
View Related
Jun 9, 2013
I have ASA 5555-x and configurated site to site vpn. Now that our side wants to receive multicast messages from the other side. In this case i know that i must configurate gre tunnel on router. because asa is not supported gre tunnel. i have also router 2811. I know that we need to add a cisco router behind the firewall in order to receive multicast messages.
configurate site to site vpn on asa and gre tunnel configuration on router.
View 6 Replies
View Related
Jul 12, 2012
I am trying to set up a site to site ipsec connection. AT site A, I have Vlan's 652-10.55.216.0/24, Vlan653 -10.55.217.0/24, Vlan 654-10.55.217.0/24 and Vlan655-10.55.219.0/24 and at site B, Vlan650-10.55.214.0/24 and Vlan651-10.55.215.0/24.The problem is that I am unable to get any associations when i do a "sh crypto isakmp sa"/"sh crypto ipsec sa" on either router at each site.I am also unable to ping by pluging in a laptop into the site at each site. Laptop at site A is set to access vlan 655 and laptop at site B is set to acess vlan 651. I can ping all the devices from one end to the other.I have turned on debug crypto isakmp, debug crypto ipsec, debug crypto ipsec errors but dont get anything at all as output.I have attached the sh run for each router Cisco (1941/K9) and switch (Catalyst 3750) at each site.
View 4 Replies
View Related
Apr 3, 2013
I have two Cisco routers - 2911 in HQ and RV180 in branch office. Because in HQ LAN network I have some development servers, to which guys from branch office need to have acces, I decided to setup VPN site-to-site between HQ and branch office. Everything went quite smoothly, on both devices I see, that ipsec connection is established. Unfortunately I am not able to ping resources from one network to other one and vice versa. Below is the configuration of 2911 router (I skipped som unimportant (imho) configuration directives) :
crypto isakmp policy 1
encr 3des
hash md5
[Code].....
View 9 Replies
View Related
Jan 16, 2013
We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes
!
version 12.4
no service pad
[Code].....
View 1 Replies
View Related
Feb 23, 2012
I am try to setup my office network to able to connect to one of my customer HQ via site to site VPN. I am using Cisco 1841 router to do the job.
The problem that I am facing now is no able to connect my other PC in office to the remote site.
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.x.x.x 175.x.x.x QM_IDLE 1001 ACTIVE(code)
View 9 Replies
View Related
Sep 30, 2012
I have a dynamic VPN site to site between ASA 5510 vs C880 with segment 172.23.191.0/25 for ASA side and some host in C880 side (e.g. 128.1.100.211, 128.1.115.181, 128.1.104.212) . The VPN is up, but only have communication with a host (128.1.115.181).
In the logs appears the next message when I try communication for all aother IP in the policy map configuration: IKE Initioator unable to find policy: Intf Inside, Src: 172.23.191.87, Dst: 128.1.115.182..ONLY WHEN I PINGING FROM SOME HOST IN C880 SIDE (e.g. 128.1.100.211) the communication is successfull.
What happen with this VPN, because I need to pinging from C880 IP host to ASA segment for establish communication?
View 7 Replies
View Related
Jan 5, 2012
i am trying to configure a site to site VPN with one of my remote offices.
I have used the ADSM Wizard to go through the steps, and i have added the necessary access rules. However, when i try and do a packet tracei get the following error (ad-drop) Flow is denied by configured rule. (see screen shot below)
View 5 Replies
View Related
Mar 5, 2012
I am unable to ping any device on the internal lan from the opposite side of the tunnel. However, the tunnel connects successfully. I have the firewall disabled on both routers. Site A is using 192.168.3.1 and Site B is using 192.168.4.1. Any thoughts on why I cant ping one router from the other?
View 4 Replies
View Related
May 18, 2012
I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.
View 2 Replies
View Related
Jun 17, 2012
We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?
View 1 Replies
View Related
Jun 13, 2012
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.
Building configuration...
Current configuration : 5425 bytes
!
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!
version 12.4
no service pad
[code]....
View 1 Replies
View Related
Oct 11, 2011
cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).
View 11 Replies
View Related
Feb 7, 2011
I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.
View 3 Replies
View Related
Mar 6, 2011
i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?
View 1 Replies
View Related
Jan 27, 2012
i want configure VPN between backoffice which have ASA5510 firewall with static IP and site which have cisco router 1861 with dynamic IP.
how i can configure the site to site between them?
View 2 Replies
View Related
Jun 8, 2011
I am trying think of a better way to provide redundancy on some internally protected networks. We maintain our own WAN/backbone between our primary site and backup site. Is it possible to have two Cisco ASA 5550s in setup for failover at completely different sites as long the networks connected are available?
View 3 Replies
View Related
May 30, 2013
I would like to know both Cisco 2901 or 2921 router and Cisco 5505 ASA can build site to site VPN.
1) what is the different to build site to site VPN between router and firewall ?
2) which is the best choice if using in site to site VPN connection ?
View 9 Replies
View Related