ASA 5550 VPN question

Similar Questions

• Multi frame ASA SSL VPN Question

  Hello

  We have a pair of firewalls, we do multiple contexts on clients.  We have recently updated their and have been using the newly Anyconnect customer support.  This all works fine but I feel I'm missing something.  If the customer does not have the anyconnect client already how do get?  Normally, you go to the web page and it will download the client, but all I get is "Clientless VPN is not supported in context mode Multiple." which is good, but how is the customer supposed to to get the customer in the first place?

  Any information would be helpful.

  Chris L.

  Hi Chris,

  The AnyConnect WebLaunch feature is not supported in ASA running on multi-contexte mode.

  There is a demand of improvement that has been opened to allow this as other characteristics while ASA in multi mode context. Here is the link, you can refer:

  https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• ASA Cisco VPN question

  Hi Mokhalil82,

  It's pretty weird that the ASA will show phases 1 and 2 upward and the Watchguard show that phase 1 is not.

  It is possible that the tunnel will appear next to the ASA but gets terminated in the same instant that thus we see the phase 1 and 2 momentarily upward.
  Would you be able to share the outputs debug?

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages

  Thanks for the update, Mokhalil82

  For the last time, to simultaneously debug both sides and share issues, I think we can dig with that information.
  In addition, if we can capture packet as well, that will be useful.

  Make sure that the date and time is correct on both sides.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Acesss ASA VPN question

  Hi, I was able to migrate my clients off the VPN concentrator 3030 and on the ASA 5520 VPN. The problem I have is now the ASA sees these clients VPN from my external interface and they can get of the demilitarized zone, because I did the specific NAT and rules for inside. Is there a way to make the VPN client network seems like it comes from inside network?

  You are welcome Daniel.

  Don't forget to write down the message and choose "solved my problem" which was helpful and solved your problem.

  Concerning

• Write syslog to ASA 5505 VPN tunnel on syslog server?

  Hello

  Is it possible to let the ASA 5505 write syslog messages to a syslog server on the core network where the ASA 5550 is? (on the ipsec tunnel?)

  I tried this. The tunnel is up, but I get the message from routing could not locate the next hop for the NP (ASA 5505 ip) udp inside: (ip of the syslog server).

  THX,

  Marc

  MJonkers,

  I would suggest that you configure inside interface as the interface for management access. Include IP and IP address NAT syslog server interface inside 0 ACL and ACL crypto.

  You can order the "access management" when you want to run an ASA inside of interface through the VPN 7.2 below command reference:

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa72/command/reference/m_72.html#wp1780826

  I am running the VPN configuration on 8.2 and querying SNMP works.

  I hope this helps.

  Thank you

• ASA 5505 VPN sessions maximum 25?

  Hello friend´s

  The company I work when acquired several ASA 5505, so now we will be able to connect several branches at Headquarters. But, now, I know that the ASA 5505 just scalates to 25 VPN sessions, I think that it won´t be enough to support the operations of an office. I have a lot of questions about this:

  Is - what the number 25 menas supporting up to 25 L2L tunnels? Or it means 25 sessions, regardless of the amount of L2L tunnels?

  Is this the way number 25 supporting up to 25 users in the Branch Office? Or it means that a user can use several sessions?

  I'm the stage of testing in a laboratory where one PC connects to many applications, at - it now someone if there is a command in the SAA to check how many VPN sessions is used?

  Please, do not hesitate to ask as much as necessary information. Any comments or document will be appreciated.

  Kind regards!

  Hi Alex,

  The assistance session 25 ASA 5505 VPN as max for IKEv1 or IPSEC tunnels customers it could be up to 25 L2L tunnels or 25 users using ikev1 (Legacy IPSEC client) and another 25 sessions for Anyconnect or Webvpn in this case are used in function.

  To check how many sessions VPN is currently running, run the command 'Show vpn-sessiondb' and 'display the summary vpn-sessiondb '.

  Find the official documentation for the ASA5505 on the following link:

  http://www.Cisco.com/c/en/us/products/collateral/security/ASA-5500-series-next-generation-firewalls/datasheet-C78-733510.html

  Rate if helps.

  -Randy-

• GANYMEDE for ASA 5550

  Hello

  How to configure Ganymede for ASA 5550 with acs4.2. I have two asa, one is active and others in mode. pls tell me how to set up. I couldn't find any good docs either.

  Thank you.

  Hi Gavin,

  Here is the sample config for ASA's telnet authentication from Tacacs: username admin password xxxxx privilege 15 aaa-server TEST protocol tacacs+ aaa-server TEST (inside) host x.x.x.x  yyy   [x.x.x.x is the ip address of the tacacs server and is reachable from the inside interface and yyy is the shared secret key.] aaa authentication telnet console TEST LOCAL   [This will send the telnet authentication request to the tacacs server first and if it is not reachable then use the local database of the ASA] aaa authentication ssh console TEST LOCAL    [same as above but for ssh session] aaa authorization exec authentication-server    [this enables exec authorization for the telnet and ssh sessions.] 
  aaa authentication http console TEST LOCAL [for HTTP]
  order of accounting AAA TEST [this helps accountants of the order for all orders entered in the telnet or ssh session.]  On the Ganymede server we need to add this ASA as a RADIUS client with shared secret key yyy.
  
  You can find more details: -.
  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/mgaccess.html#wp1042026
  The GBA, you need to add ASA as device under config network with Protocol Ganymede.
  Thank you
  Vinay
  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.
  		   

• ASA 5550 inspect necessary for h323 and SIP?

  Is it necessary to have "inspect h323 h225", "inspect h323 ras", and "sip inspect" active on an ASA 5550? We have a VCSC, deployment of telepresence vcse... just wondering if with these permits, if there is no possibility of causing packet loss to public or external codecs the inspection process. We have a 250 MB, Internet connection... General average use runs approximately 180 MB. Twice a week or two, we get loss of packages are essential to some of the external codecs... I was wondering if by disabling the inspection process, so who would speed things a bit or other problems.

  Thank you for your response.

  Charlie

  Hello

  If your VCSE is not behind a NAT on its way to the internet, you can go one disable any SIP/h.323 inspection mechanism, once this may cause some problems and it is not at all in your case.

  Communication between the control VCS and motorway, it is strongly recommended not having NAT of VCS Control to VCS Expressway, once that VCS control is not in a position to address NAT inside SIP/H3232 messages, and you may not use any mechanism of inspection/ALG SIP / h.323 in this way once he can cause problems because the communication uses a non-standard protocol The sanction of cisco.

  Problem of packet loss, however, is not much related to inspection firewall features. You tell him you have enough bandwidth in your link to the appeal, but you should also ask, the remote side has bandwidth enough to host the call? Packet loss can occur in any part of the whole path of the call, then you should analyze the path of the entire network, end to end. Also, the links internet it is not possible to apply QoS (normally), so you really do not guarantee that your traffic is be prioritized by your service provider and the remote site.

  Concerning

  Paulo Souza

  My answer was helpful? Please note the useful answers and do not forget to mark questions resolved as "responded."

• Cisco ASA 5510 VPN Site to Site with Sonicwall

  I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA

  Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you

  Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall

  NAT (inside) 0 access-list sheep

  ..

  IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0

  access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0

  ..

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set counterpart x.x.x.x

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  ..

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  lifetime 28800

  ..

  internal SiteToSitePolicy group strategy

  attributes of Group Policy SiteToSitePolicy

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec

  Split-tunnel-network-list no

  ..

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group x.x.x.x General attributes

  Group Policy - by default-SiteToSitePolicy

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared key *.

  ..

  Added some excerpts from the configuration file

  Hello Manjitriat,

  Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.

  Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.

  Now the packet tracer must be something like this:

  entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80

  Please provide us with the result of the following instructions after you run the packet tracer.

  See the crypto Isakamp SA

  See the crypto Ipsec SA

  Kind regards

  Julio

• ASA 5520 VPN licenses

  Community support,

  I want to run this question by you guys to avoid the sales of our partner CISCO and similar pitch more to the best solution that would give us what we want.

  We currently have a VPN from CISCO 3020 hub to terminate the Lan-to-Lan tunnels and have our mobile workers to connect through the client VPN CISCO (300 users-employees and contractors).

  Given that this device is coming to an end of LIFE this year, we bought a CISCO 5520 (here is the current licenses in this topic)

  Licensing seems quite complicated, so here's my question:

  -What VPN do you recommend for our users and entrepreneurs? I understand that the CISCO VPN client does not work with ASA 5500 Series devices

  Is there a license needed to deploy a VPN solution for our remote users(employees/contractors)?

  Thank you

  John

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited perpetual
  VLAN maximum: 150 perpetual
  Guests of the Interior: perpetual unlimited
  Failover: Active/active perpetual
  VPN - A: enabled perpetual
  VPN-3DES-AES: activated perpetual
  Security contexts: 2 perpetual
  GTP/GPRS: Disabled perpetual
  AnyConnect Premium peers: 2 perpetual
  AnyConnect Essentials: Disabled perpetual
  Counterparts in other VPNS: 750 perpetual
  Total VPN counterparts: 750 perpetual
  Shared license: disabled perpetual
  AnyConnect for Mobile: disabled perpetual
  AnyConnect Cisco VPN phone: disabled perpetual
  Assessment of Advanced endpoint: disabled perpetual
  Proxy UC phone sessions: 2 perpetual
  Proxy total UC sessions: 2 perpetual
  Botnet traffic filter: disabled perpetual
  Intercompany Media Engine: Disabled perpetual

  This platform includes an ASA 5520 VPN Plus license.

  Your understanding that the Cisco VPN client does not work with ASA is wrong. Maybe it's the version of Cisco VPN client that you use currently does not work with ASA. But these (and so not very new indeed) versions of VPN client work with the ASA. I installed for several clients who use the traditional IPSec VPN client with ASA ASAs and they work well.

  You are right that the granting of licenses for the SAA is complicated. Your tunnels IPSec VPN site-to-site will work on the SAA and pose much challenge in terms of licenses. But there are problems and alternative solutions to consider for remote access VPN clients. At this point, there are two major variants: you can use the classic IPSec VPN client or you can use the new AnyConnect client. From a licensing perspective there is a Hugh difference between them. It is not special license that applies to the traditional IPSec client and they are just against your license for peers Total VPN (for which you have 750 in your license). For the AnyConect there is a condition of licence. There is a premium for AnyConnect license and there are licensed AnyConnect Essentials. The Essentials license price is much lower than the premium license, but Essentials does not all the features that made the premium.

  In the immediate future, that it would sound like an easy question to answer, use the traditional IPSec VPN client for which theere is not a special permit and it is what you are used to. However Cisco has announced the dates of end of sale and end of Support for the traditional VPN client. If at some point you will need to use the AnyConnect client. I would say that if you make the change of the ASA that it might be a good choice to also adopt the AnyConnect client.

  HTH

  Rick

• ASA for vpn only

  Hello

  I would like to configure the ASA for vpn only. By default, ASA allows traffic from the interface of high security to low security interface. I want to stop it. Is it possible to do without resorting to access lists.

  Thank you

  John

  Define interfaces for the same level of security and make sure that you do not have same-security-traffic permits inter-interface enabled.
  

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807fc191.shtml

  Hope that helps.

• DHCP relay for users (ASA) SSL VPN

  I have ASA 5520 vpn endpoint. Before asa, there are firewalls which translates the public ip address to the private sector and to pass SSL traffic to ASA. I have configured DHCP relay to get the IP address for the DHCP in Windows Server users:

  dhcprelay Server 10.100.2.101 on the inside

  dhcprelay activate vpn

  dhcprelay setroute vpn

  and it does not work. with the local pool, it works fine. Should I do something else? When I turn on debugging it has not any activity.

  You try to assign the IP address to the SSL vpn client using the DHCP server?

  If so, you don't need these commands contained in your message.

  Basically, you need to set dhcp server in tunnel-group and dhcp-network-scope in group policy.

  Here is an example of Ipsec client. Setup must be the same.

  http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

• VPN with ASA 5500 VPN with PIX 515E vs

  I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

  Craig

  According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

  On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

  HTH

  Rick

• ASA 5520 - VPN users have no internet.

  Hello

  We just migrated a Pix 515 and an ASA 5520 VPN concentrator.  The firewall part works fine, but we have some problem with our remote VPN.

  Everything inside network is accessible when you use VPN remote but there is no access to our perimeter network or the internet.  I don't know there's only something simple you need that I'm missing, and hoping someone can shed some light on what is needed to allow the VPN tunnel back outdoors and in our DMZ.

  The ASA is running 8.2 (2) 9 and ASDM 6.2 (1).

  See you soon,.

  Rob

  From the 172.16.68.0/24 you can PING 10.10.10.1 correct?

  The 10.10.10.0/24 you can PING 172.16.68.1 correct?

  I'm having a hard time find now how this tunnel is up since you have PFS
  activated on the SAA, but not on the PIX.

  Federico.

• OSX 10.11.3 can't VPN via AnyConnect 3.1.14018 iPhone6 ASA 5550 Verizon hotspot

  I did a lot of research on this, found similar questions, but not this exact one.

  I have a Mac OSX 10.11.3 using Cisco AnyConnect 3.1.14018.  It can VPN to our ASA version sw 8.2 (5) 55 perfectly fine on any LAN or Wifi.  He cannot complete a VPN connection using an iPhone to Verizon 6 running the latest iOS via mobile access point.  The VPN itself requires a certificate and a name of user and password (from the AD authentication).

  During the attempt, on Mac, we get the error: client VPN could not check the IP forwarding table changes. A VPN connection can be established.

  The connection can be established in other hotspots, Android on Verizon, IOS on AT & T, no problem.  IOS on Verizon?  Nope.  No luck with Verizon to support.

  The only thing that stands in the firewall log when the connection attempt fails: group user IP <123.45.123.234>transmitting large package 1456 (line 1399).

  Any ideas?

  Thank you!

  Please try to disable IPv.6 from the MAC interface