Dual ISP on ASA VPN question.

Similar Messages

• ASA VPN QUESTION

  Hi All
  The question is pretty simple. I can successfully connect  to my ASA 5505  firewall via cisco vpn client 64 bit , i can ping any ip  address on the LAN behind ASA but none of the LAN computers can see or  ping the IP Address which is assigned to my vpn client from the ASA VPN  Pool.
  The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
  I would appreciate some help pls
  Here is the config:
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password J7NxNd4NtVydfOsB encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.0.11 EXCHANGE
  name x.x.x.x WAN
  name 192.168.30.0 VPN_POOL2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address WAN 255.255.255.252
  interface Ethernet0/0
  switchport access vlan 2
  <--- More --->
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  boot system disk0:/asa724-k8.bin
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list nk-acl extended permit tcp any interface outside eq smtp
  access-list nk-acl extended permit tcp any interface outside eq https
  access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 10 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (outside) 10 access-list VPN_NAT outside
  static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
  static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
  access-group inside_access_in in interface inside
  access-group nk-acl in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  snmp-server host inside 192.168.0.16 community public
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  telnet 192.168.0.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcp-client client-id interface outside
  dhcpd dns 217.27.32.196
  dhcpd address 192.168.0.100-192.168.0.200 inside
  dhcpd dns 192.168.0.10 interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server none
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy customerVPN internal
  group-policy customerVPN attributes
  dns-server value 192.168.0.10
  vpn-tunnel-protocol IPSec
  password-storage enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value customerVPN_splitTunnelAcl
  default-domain value customer.local
  username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
  username xxx attributes
  vpn-group-policy TUNNEL1
  username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
  username xxx attributes
  vpn-group-policy PAPAGROUP
  username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
  username xxx attributes
  vpn-group-policy customerVPN
  username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
  tunnel-group customerVPN type ipsec-ra
  tunnel-group customerVPN general-attributes
  address-pool VPN_POOL2
  default-group-policy customerVPN
  tunnel-group customerVPN ipsec-attributes
  pre-shared-key *
  tunnel-group-map default-group DefaultL2LGroup
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
  : end
  ciscoasa#                           

  Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
  Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
  I will remember to ask about that at Cisco Live next month.

• Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

  Dear community,
  quite frequently I am now receiving the following error message in my ASA 5502's log:
  Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
  Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
  Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
  The VPN Clients (in the last case: A linux vpnc) disconnect with message
     vpnc[7736]: connection terminated by dead peer detection
  The ASA reports for that <some_ip> at around the same time:
  Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested    
  A google search did not reveal any explanation to the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message -- so my questions would be
     1) What does the message exactly mean -- I know runts as a L2 problem so I d suppose it means the same: The ISAKMP packet is somehow
         crippled (I d suppose this happens during rekeying) ?
     2) Any idea where to look for the cause of this
            WAN related (however I d assume no -- why does this happen in these regular time frames as show above)?
            SW related (vpnc bug)?
  Thanks in advance for any pointer...
  Joachim

  Yes.  You need to eliminate the things I've said to eliminate with the other side.  Ensure your configs are matching exactly.  They probably are, whatever, just make sure of it because it's easy.  You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
  The more info you can have just one person responsible for the better.  What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
  If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
  If you're seeing them come in his interface and never come back out, you know where to look.
  Set your caps to a single host to single host if need be, and generate traffic accordingly.
  You need to narrow down where NOT to look so that you know where TO look.  I would say then, and only then, do you get the ISP involved.  Once you're sure the problem exists between his edge device and your edge device.
  I do exactly this for a living on a daily basis...day after day after day.  I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions.  I always start the exact same way...from the very bottom.

• VPN device with dual ISP, fail-over, and load balancing

  We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?

  Unless I am mistaken the ASA doesn't do VPN Load Balancing for point-to-point IPSec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for lot of questions.

• Yet Another ASA VPN Licensing Question :)

  I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
  1.  Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?  
  2.  Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
  Thanks!

  It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
  Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
  If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

• VPN Question (match interesting traffic)

  Dear guys
  A vpn question  see below text diagram
  inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
                              ipsec vpn tunnel                          ipsec vpn tunnel
  we have configured interesting traffic on ASA-2 for each other on 2 side.
  we can ping asa-2 inside network from asa-3 and asa-1  but Why ASA-3 inside can not access ASA-1 inside network ?

  Hi Yun,
  Step 1: Create site-to-site vpn tunnel between ASA1 to ASA2 and ASA2 to ASA3, however there is NO direct tunnel between ASA1 and ASA3 you need.
  Step 2: Now include ASA3's inside network segment in the crypto ACL to between the tunnel ASA1 and ASA2 and do NOT include ASA3's and 1's inside network segment for no-nat on inside interface on ASA2
  Step 3: Now include ASA1 inside network segment in the crypto ACL to between the tunnel ASA2 and ASA3, and do NOT include ASA1's and 3's inside network segment for no-nat on inside interface on ASA2.
  Step 4: Create no-nat on ASA2 for outside interface and this no-nat must includes ASA1's inside network segment and ASA3's inside network segment.  See example below.
  only an example, you change it to fit your network segment.
  object-group network ASA1-inside
    network-object 192.168.100.0 255.255.255.0
  object-group network ASA3-inside
    network-object 192.168.200.0 255.255.255.0
  access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
  access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
  nat (outside) 0 access-list nonat-outside
  Please let me know, how this coming along.
  thanks
  Rizwan Rafeek

• Performance Routing (PfR) with single router, dual ISP and load balancing

  It looks like PfR can do this but I have only found information about this feature which will start using ISP2 once ISP1 reaches 75% usage. But this is not load balancing.
  Can we accomplish load balancing utilizing a single router with dual ISPs using this PfR feature? 
  Or do we have to use another feature?
  thank you in advance

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  I'm rusty using OER/PfR, but I recall it could load balance two links on same router.  The issue, I also recall, if doing BGP, OER/PfR has to detect a load imbalance, and there's a certain difference allowance, and OER/PfR takes some time to decide, so depending on actual traffic, it might not be obvious it's working.  If doing BGP, there's a hidden command (which I don't recall is) that will load balance the two links on the same router; then you use OER/PfR to dynamically refine the balance load.

• How-To: Comparing DMVPN Single & Dual Tier Architectures - IPSec VPN & mGRE Termination

  Greetings to everyone,
  I'd like to share a recent article we published that covers the differences between Single and Dual Tier DMVPN deployments. The article aims to help engineers understand the differences at the IPSec VPN level and its termination on the HUB router.
  Those interested can following the link below to read up on this hot topic:
  Firewall.cx - Comparing DMVPN Single & Dual Tier Architectures - IPSec VPN & mGRE Termination
  Topics Covered (Diagram included for every scenario):
  - Single Tier Headend, How IPSec Tunnel mode terminate on Hub
  - Single Tier Headend, How mGRE Tunnels terminate on Hub
  - Dual Tier Headend, How IPSec Tunnel mode terminate on Frontend Router
  - Dual Tier Headend, How mGRE Tunnels terminate on Hub
  - Links to similar articles that will surely interest
  Feedback is always welcome.
  Thanks,
  Chris.

  You might be running a bug, try to check the Cisco Bug Toolkit for a bug (Or Cisco TAC).
  Also try to capture the debug as the why the VPN is failing. Since EIGRP packets flow continuously the tunnel should not go down.
  Regards
  Farrukh

• Cisco ASA 5505 Dual-ISP Backup VPN

  I am trying to create a backup tunnel from an ASA 5505 to a pix 501 in the case of the Main ISP failing.  The Pix external side will stay the same, but not quite sure how I can create a new crypto map and have it use the Backup ISP interface without bringing down the main tunnel.
  My first thought was to add the following crypto map to the configuration below:
  crypto map outside_map 2 match address outside_1_cryptomap
  crypto map outside_map 2 set peer 9.3.21.13
  crypto map outside_map 2 set transform-set ESP-DES-MD5
  crypto map outside_map interface backupisp -->but this would break the current tunnel.
  NYASA# sh run
  : Saved
  ASA Version 7.2(4)
  hostname NYASA
  domain-name girls.org
  enable password CHwdJ2WMUcjxIIm8 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 9.17.5.8 255.255.255.240
  interface Vlan3
  description Backup ISP
  nameif backupisp
  security-level 0
  ip address 6.27.9.5 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended permit icmp any any source-quench
  access-list outside_access_in extended permit icmp any any unreachable
  access-list outside_access_in extended permit icmp any any time-exceeded
  access-list outside_access_in extended permit icmp any any
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
  access-list 150 extended permit ip any host 10.1.2.27
  access-list 150 extended permit ip host 10.1.2.27 any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu backupisp 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  global (backupisp) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
  route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  http server enable
  http 10.1.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 10
  type echo protocol ipIcmpEcho 4.2.2.2 interface outside
  num-packets 3
  timeout 1000
  frequency 3
  sla monitor schedule 10 life forever start-time now
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 9.3.21.13
  crypto map outside_map 1 set transform-set ESP-DES-MD5
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  track 1 rtr 10 reachability
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  console timeout 0
  management-access inside
  username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
  tunnel-group 9.4.21.13 type ipsec-l2l
  tunnel-group 9.4.21.13 ipsec-attributes
  pre-shared-key *
  prompt hostname context
  Cryptochecksum:22bb60b07c4c1805b89eb2376683f861
  : end
  NYASA#
  Thanks in advance.

  In that case is the PIX who needs two peers (to the ASA).
  The ASA will requiere the crypto map to be applied to the backup interface as well (as you mentioned)
  crypto map outside_map interface backupisp -->but this would break the current tunnel.
  The above command should not break the current tunnel (if the route to reach the other end goes out via the primary interface).
  Additionally you need IP SLA configured in the ASA to allow it to use the primary connection and fallback to the backup connection to build-up the tunnel (as well to use again the primary interface when it recovers).
  Federico.

• ASA 5510 vpn question

  Hi all,
  I have 1 ISP link terminated on ASA 5510. Can i configure both easy vpn and site to site vpn on that interface ?

  Hi,
  Do you mean that you would use the ASA5510 as a Easy VPN Server (where clients would connect to) and also build L2L VPN connections from the ASA5510 to other sites?
  If that is what you mean then I think that should be possible.
  - Jouni

• Asa vpn ip question

  Hi all,
  I feel like this is a dumb question, but I can't seem to find the documentation fitting my scenario on cisco. I can setup VPN without any problems. My issue though is that, all the configuration examples rely on the outside interface IP as the "PEER IP" in L2L or target IP in RA. Is there any special configuration needed to use a public IP other that my outside interface?
  Example:
  outside interface (ASA) ip 1.1.1.1
  L2L vpn ip 1.1.1.2
  RA vpn ip 1.1.1.3
  Gateway ip 1.1.1.4
  I want to use 1.1.1.2 and 1.1.1.3 in my ASA configuration instead of using the outside interface, but im unsure as to where I define this parameter.....
  Any suggestions using this example?
  Tia,
  Fred

  Fred, you are right in stating all docs pertaining to l2l vpn points to outside interface as it is the most commonly setup scenario. I am not aware you could do what you are trying to do using a different IP as your vpn termination point instead of the actual IP address of the interface, if there is a was Im willing to learn it.
  You could however, not that I have tried it but will see if I could simulate this at some point in future would be to have three outside subinterfaces one sub for L2l 1.1.1.2 end termination point, one sub RA 1.1.1.3 and your outside physical with 1.1.1.1 . This is Just a thought , perhaps we could see some other comments.
  Rgds
  Jorge

• Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

  Hello,
  We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
  Thanks for your comments in advance I am new to cisco technology,
  Joe        

  Wrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.

• Cisco ASA -VPN Ping Question

  Hey guys, I have a Cisco ASA 5505 8.4 I have a Remote Access VPN up and working...for the most part. When I VPN in I would like to be able to access our Mitel phone manager which is just a internal IP you put in the browser. Here is the issue when I am connected I can't ping the address of 10.0.0.250. But I can ping my other servers 10.0.0.2 and 10.0.0.3. Why can I ping some address but not others.
  Thanks
  Nick

  Hi,
  Are you saying that the ASA replaced the previous device that acted as the default gateway for the phone system? And also the IP address was changed and this was not taken into consideration on the phone systems network configurations?
  This would indicate that the problem is with the phone system having the old gateway IP address configured and it doesnt know where to forward the traffic that is coming from a different network (for which it would require the correct default gateway)
  If the internal network that can ping and access the phone system means the hosts that are on the same internal network with the phone system (10.0.0.x) then this is expected as the default gateway is not needed between the hosts in the same network as they communicate directly.
  So would be the problem now simply be with the default gateway IP set on the phone system.
  - Jouni

• ASA 5520 site-to-site VPN question

  Hello,
  We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
  The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
  After doing some research, I came across the this command;
  sysopt connection permit-vpn
  I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
  Thanks,
  John

  What are your configs and network diagrams at each location?  What are you doing for DNS?  I can help quicker with that info.  Also, here are some basic site to site VPN examples if it helps.
  hostname cisco
  domain-name cisco.com
  enable password XXXXXXXX encrypted
  passwd XXXXXXXXXXX encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.2 255.255.255.0
  interface Ethernet0/2
  nameif backup
  security-level 0
  no ip address
  interface Ethernet0/3
  nameif outsidetwo
  security-level 0
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.com
  same-security-traffic permit intra-interface
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list split standard permit 10.0.0.0 255.255.255.0
  access-list split standard permit 10.90.238.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered errors
  logging trap notifications
  logging asdm informational
  logging class vpn buffered debugging
  mtu outside 1500
  mtu inside 1500
  mtu backup 1500
  mtu outsidetwo 1500
  mtu management 1500
  ip local pool vpnpool 10.0.10.100-10.0.10.200
  ip audit name Inbound-Attack attack action alarm drop
  ip audit name Inbound-Info info action alarm
  ip audit interface outside Inbound-Info
  ip audit interface outside Inbound-Attack
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inbound in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 10 set transform-set myset
  crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
  crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address XXX
  crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 1 set transform-set myset
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 2 match address XXX2
  crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 2 set transform-set myset
  crypto map outside_map 2 set security-association lifetime seconds 28800
  crypto map outside_map 2 set security-association lifetime kilobytes 4608000
  crypto map outside_map 3 match address XXX3
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 3 set transform-set myset
  crypto map outside_map 3 set security-association lifetime seconds 28800
  crypto map outside_map 3 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy XXXgroup internal
  group-policy XXXgroup attributes
  dns-server value XXX.XXX.XXX.XXX
  vpn-idle-timeout 30
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  default-domain value domain.local
  username XXX24 password XXXX encrypted privilege 15
  username admin password XXXX encrypted
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXXgroup type remote-access
  tunnel-group XXXgroup general-attributes
  address-pool vpnpool
  default-group-policy rccgroup
  tunnel-group XXXgroup ipsec-attributes
  pre-shared-key XXXXXXXXXX
  isakmp ikev1-user-authentication none
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily

• Question on WCCP and ASA/VPN

  Hello i have this simple scenario.
  -ASA as an EZVPN server.
  -WSA in my local lan (inside interface)
  -remote vpn users connecting to the ASA.
  When a user connects via VPN to my ASA, and i want to do some web filtering to them using the WSA... How would i accomplish it if i dont want to use explicit proxy? 
  Can i use WCCP on the outside interface of the ASA and redirect web traffic to the WSA which is across my inside ASA interface? 
  Need to know if WCCP redirection from one ASA interface to another is supported.
  Thanks in advanced!
  Emilio

  Hi
  Please have a look at the following link:
  http://my.safaribooksonline.com/1587052091/copyrightpg?cid=2008-ciscopress-pp-widget-book&searchtextbox=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&query=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&searchmode=simple&searchview=summary&portal=ciscopress#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTE1ODcwNTIwOTElMkZjaDE2JnF1ZXJ5PUNpc2NvJTIwQVNBJTNBJTIwQWxsLWluLU9uZSUyMEZpcmV3YWxsJTJDJTIwSVBTJTJDJTIwYW5kJTIwVlBOJTIwQWRhcHRpdmUlMjBTZWN1cml0eSUyMEFwcGxpYW5jZQ==