ASA vpn with a public ip address different addresses

Hello world. I can not find someone who can give me an answer 'for sure' of this thing. I want to connect via vpn ASA5505, called 2A and b. inside one we have net 10.0.0.0/24 and 10.0.1.0/24 net b. now, we can have 2 outside for one ip addresses (e.g. 215.18.18.10 and 222.26.12.12) because we have 2 providers to connect to the internet. the asa can follow 2 VPN - with the same cryptomap for the destination inside) so that if a grave he will switch to the other vpn by itself?

This thing can be done with other cisco devices (for example, a 2800 series router?)

Thank you very much

Who are you looking to

1. If the failure of the connection to B then A will use secondary WAN connection to try to raise the tunnel.

I would use the backup ISP for this function.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

2. If the connection to A failed then B will try to set up the tunnel with secondary address peer.

You can set several counterparts by using cryptographic cards to provide redundancy

http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a0080450b73.html#wp1042941

Tags: Cisco Security

Similar Questions

  • ASA 5510 VPN - using a public IP address for the local network

    Hello, I have a problem which is probably very simple, but I can't seem to understand.

    I set up a site IPsec connection to another with a company, something I've done many times before without a problem. I use ASDM to configure this, because it is quick and painless, usually.

    We have one number of other site-to-site currently configured connections and works very well on this ASA, these are configured with the "Protected network - LAN" configured with the IP private of hosts within our network, we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to "guests aside ASA exempt from NAT.

    With this new link, however, the company asked us to use a public IP address for the host that we want to achieve through the tunnel. I don't know why, but they demand it. So I added a NAT rule for inside the host and set up the connection with the public IP address under "Local network". During the test to try to reach a host to their side, the tunnel didn't even try to open.

    What is the method here? I don't see where I'm wrong. I'm guessing that the 'host side ASA exempt from NAT' does not require for this, how if the ASA would know which internal host is the public IP address.

    Any ideas?

    Hi Leo,

    The steps are:

    1. Add the policy rule NAT for the specific host.

    2 - define the IP NAT as your LOCAL NETWORK address in the encryption settings.

    3 make sure that there is no rule NAT exempt for this host to the specific destination.

    What happens if you run a package tracer?

    Thank you.

  • Configure the router WRT54G with the PUBLIC IP address and use the DHCP protocol for internal computers

    Hello

    I have a service online Internet with 5 public IP addresses.

    The router and the AP are connected to a switch.

    I would like to set up a WRT54G Router with a public IP address and use DHCP (with private ip address) for the computers that will connect to the AP.

    That the AP is connected to the switch, it is possible that the other wired computers that are connected to the same switch can get an IP from the DHCP?

    Thanks in advance

    In this case, the routing is automatic.

    WRT54G configuration:

    WAN:

    Internet connection: static IP address

    IP address: 180.X. X 170

    Subnet mask: 255.255.255.248

    Gateway: 180.x.x.x (Ex: 180.x.x.1)

    DNS: servers your ISP DNS

    LAN:

    The IP address of the router: 10.10.10.1

    DHCP range: 10.10.10.100 of-online 10.10.10.200

  • EBS 12i on Cloud server with the public IP address but no DMZ

    Hello

    I installed Oracle EBS in a server (such as AWS EC2) cloud with a public IP address. I'm simply looking for personal learning and knowledge about security risks. As there is no given production safety is not serious at this point.

    Also, I don't mean to enter the configurations of the DMZ at the moment.

    I am able to access APPS internally under the server on port 8000 with URL http://<server:8000>/OA_HTML/AppsLogin. but I'm unable to access the URL above on internet.


    The environment is EBS 12.2.0 on Oracle Linux 5.11.


    I tried the options following, but so far without success.

    1. I tried to completely disable the Linux and SELinux firewall on the server. I have also authorized above URL in my personal office. So the 8000 port is not blocked anywhere.

    2, I followed this note to try to set it up on port 80, but still without success-> configuration Oracle E-Business Suite Release 12 on Amazon Cloud Infrastructure (Doc ID 1205963.1). But you should know that mine isn't on AWS EC2 but similar model.

    So simple question is how can I access front-end EBS on internet (DMZ) using port 8000? I do need to update httpd.conf of EBS Webtier (besides point 2 above)?

    Any help will be greatly appreciated. Thank you.

    See you soon!

    Gray

    Hello

    I discovered that I was using the CDN was blocking port 8000. So when I bypassed the CDN, then I could manage to access the URL with the port 8000.

    Thanks a lot for your help on this one.

    Concerning

    Gray

  • VPN site to Site on firewall with no public IP address

    Dear all,

    I have a VPN from Site to Site configuration requirement with accommodation, I have my internet connection on the router termintaed and got only a single public ip address. My ASA is behind this router with no public IP (attached chart). This router will not support VPN and I need to configure VPN on the firewall.

    192.168.20.0/24 is the network between the router and firewall. 192.168.10.0/24 is inside the network. (attached diagram have the most details)

    Please advice the configuration to achieve this...

    Thanks in advance...

    Mikael

    If the router cisco so the configuration would be:

    IP nat inside source static udp 192.168.20.2 500 500 extensible interface

    IP nat inside source static udp 192.168.20.2 interface 4500 4500 extensible

  • ASA VPN with certificates

    I'm after abit of consultation.

    I have an ASA 5510 in my hub, static public IP address.

    Then I have an ASA 5505 like my talk, with a dynamic IP address.

    I used a dynamic encryption with PSK card and everything seems functional.

    One of my concerns are that I was forced to use aggressive mode to make it work. I am well aware of the security risks.

    I seek to use certificates in read in aggressive mode.

    If I use an internal Windows certificate authority, what will happen with the revocations.

    If my trying to connect but cannot check Revocation because the server is internal to the VPN will connect?

    Also can I put my certifcates to be valid for a long time, for example ten years so that I don't have to worry about certificates expireing?

    Answer online

    If I use an internal Windows certificate authority, what will happen with the revocations.

    < if="" you="" enable="" revocation="" check,="" you="" have="" to="" make="" your="" internal="" server="" accessiable="" to="" the="" remote="">

    Otherwise you can disable revocation checking.

    If my trying to connect but cannot check Revocation because the server is internal to the VPN will connect?

    Also can I put my certifcates to be valid for a long time, for example ten years so that I don't have to worry about certificates expireing?

    < it="" is="" controled="" by="" ca="" server="" which="" issue="" the="" certificate="" to="">

  • EX90 two autonomous with the public IP address can make video calls among them self on the Internet or not?

    Dear expert;

    I am very new to VCS and TP Cisco.

    We implement now presence Cisco TV with VCS - C, VCS-E TMS, TCS, MCUS and endpoints with Jabber in a single edit.

    and in another configuration CUCM 10.5, UCCX 10.5 IM & P, Jabber with some 10 officers.

    Now the question is in our building on the 2nd floor we have an EX90 and on the 5th floor an EX90 and on local network, we can make video calls using the IP address.

    In the same way is it possible to make a video call between 2 devices EX90 (both have public IP) present in a location different in the same city on the Internet without the participation of VCS - C and VCS-E.

    It's the client request :)

    Concerning

    Paiva

    Yes, but leaving these systems outside in nature with public IP addresses, leaving you are vulnerable to a number of questions. See for example http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

    https://supportforums.Cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

    https://supportforums.Cisco.com/discussion/12340591/nuisance-h323-calls-SX20

    The offers above with H.323 calls, in addition to this, you will encounter similar problems using SIP where the systems will be analyzed by tools such as SIPVicious

    /Jens

    Please note the answers and mark questions as "answered" as appropriate

  • ASA VPN with Fortgate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new VPN site to site between ASA 5510 (8.42 IOS) and Fortgate, but something is very strange, Don t VPN came and I see in the debug crypto 10 ikev1 the newspaper to follow:

    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Cfg 1 group would be: Group 2

    But if I ask the other peer to change in Group 2, the msg in the SAA is:

    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Group 2 GCF: Group 1

    Fortgate is possible to activate the two specific groups of VPN 1 and 2, and I would ask the other peer left this way and the ASA show:

    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Group 2 GCF: Group 1
    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Cfg 1 group would be: Group 2

    The show isakmp his:

    9 counterpart IKE: 179.124.32.181
    Type: user role: answering machine
    Generate a new key: no State: MM_WAIT_MSG3

    I have delete and creat VPN 3 x and the same error occurs.

    Everyone has seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I saw Cisco ASA VPN problems repeatedly with this code Fortigate, but above all it has been a problem of Phase 2 and defining KB life maximally on the side of the ASA has solved it... However this seems not to be your problem here.

    The first thing in your config I see you have PFS enabled - have you insured it is located on the side of Fortinet or tried to turn it off on the side of Cisco to see if it happens?

    Be stuck at MM_WAIT_MSG3 means that you sent your return policy, but then you have not received the third package in the ISAKMP riding so either the Fortigate is unhappy with something or there's a routing problem (however unlikely given that you have already had communication)

    Try on the side of the ASA:

    debug crypto isakmp 7
    You can also confrm your external interface is 'outside1 '? You can see this "see intellectual property."

  • ASA VPN with ISE and different backends WBS for authentication

    Hello

    I have an AAA-problem I hope to have a few problems help.

    The problem ultimately is: how the ASA via ISE send Radius Access requests to different given OTP backends provided a connection to a certain group of Tunnel.

    BACKGROUND:

    I'll try to give you a brief picture of the scenario, this is what I currently have.

    A VPN system (ASA 8.4 (4)) where I let my users to choose among 3 different methods of authentication being

    (1) certificate (on chip card)

    (2) token - token of the OTP (One Time Password provided via the smartphone application: using pledge of Nordic OTP-Edge transport server)

    (3) SMS - OTP token (Nordic OTP - Edge transport server SMS OTP)

    The choice corresponds to different groups of profiles/Tunnel connection.

    Today, all authentication requests go directly to the OTP server and authorization goes directly to the AD via LDAP.

    THE PROBLEM:

    The problem occurs when I try to put in the ISE in the mixture.

    What I obviously (?) would like to do is have all the network authentication/authorization to go through my ISE platform to take advantage of a centralized administration, monitoring etc.

    Again I would need to use data bases different backend such as AD and Nordic OTP - Edge server, but then mandated by ISE.

    For me to be able to know what back-end AAA to the proxy system, to somehow be able to distinguish the incoming Radius Access-requests.

    WHAT WE CALL:

    At the time of the ASA 8.4.3 Radius access request contains 2 new attributes, the name of Group of Tunnel and the Type of customer, when a VPN user connects.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187

    QUESTION:

    The seams, that I can achieve what I want by looking at the access request attribute Radius "Tunnel Group Name" and forward my request to different backends OTP for the authentication part therefore in theory. But, how do I actually go ahead and set that up in ISE?

    I don't see this attribute when I look at the details of Radius Authentication for an authentication AAA of the ASA at the ISE.

    Best regards

    / Mattias

    I think you can hit the following problem:

    CSCtz49846: ISE does not match the condition with VPN 146 Tunnel-Group-Name attribute

    This issue is not specific to this attribute, as shown in the solution shown in the accompanying note

    Workaround

    Ensure that the attribute name does not include a '.' character. This also applies to some of the existing attributes in the dictionary of Cisco-VPN300. Attribute names should be changed so that they do not include a "." character.

  • What is VPN works with broad public IP address?

    Hello

    If I use the public broad IP (for example 100.100.x.x) for my business network, and I intend to use VPN to connect to my remote desktop. Which will display a problem? Will it be any impact?

    My concern is that I could send Cliaa IP addresses of the internet that could cause a conflict. Can anyone clear my doubts about this.

    Thank you!!!

    Hello

    If you are going to do a VPN Lan to Lan (site-to-site) tunnel n/b, your remote and your office, it won't cause any problems if you have (routable) addresses to public IP configured on your home LAN to your office, because by default the IPSec Tunnel mode is used when configuring LAN LAN tunnels, tunnel mode adds an extra header routable This header has the IP source and destination based on your local and remote IKE peer IP addresses instead of your IPs inside, your interior IPs remain hidden within the header of the tunnel, no matter what they contain IP addresses.

    If its possible without impact.

    Thank you

    AFAQ

  • 3 RV320 VPN with a local IP address

    Hello..

    I have 3 RV320 routers, I try to connect by VPN all routers together, the problem is I have a server on a single router 192.168.1.200 and I need to connect the terminals to the other routers on the internet...

    any suggestion?

    Connect VPN tunnels between all 3 units.  Please keep in mind that subnets are different.  Get close to the tunnel.  Ping 192.168.1.200 at two remote sites to verify connectivity.  Try the terminals.

  • ACCESS SITE OF COMPUTER-IN-SAME-N/W WITH ITS PUBLIC IP ADDRESS

    My site is hosted on the port 8084 on my laptop. The internet address of my laptop is 116.202.21.218.
    On the browser of the computer laptop while dealing with *: 8084 I can access my Web site.
    My laptop is connected to my laptop over wi - fi with ip 192.168.137.70.
    Web page if the address of the site Web in the mobile browser is written as 192.168.137.1: 8084.
    but 116.202.21.218:8084 does not work on the mobile browser. I use the dial-up connection and I made the card settings
    This wi - fi network can use the internet connection through the network.
    116.202.21.218 is a 192.168.137.70 with TCP (MICROSOFT N/W MONITOR) but the client sends signals SYN again and again.
    I want my site consulted by my mobile browser. How?
    I need help. Thanking in advance...

    Hi Hriskesh,

    I suggest you to post the question on the link below. This is the link from Technet Support for Windows 7.

    http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

    Feel free to write us if you have any further questions. We will help you to come.

  • If a PC with a DHCP server is connected via VPN, with her serve IP addresses on the tunnel?

    Situation: we have a few portable computers test Ubuntu running DHCP servers.  We need get the updates and other changes in corporate network sometimes.  Today, we turn off the DHCP server, set up to get an IP via DHCP (besides) and make our updates.

    Problem: we do not want someone accidentally connect the laptop to the corporate network, while its DHCP server is running.

    Question: so, if we go via wifi using a Cisco VPN client, the DHCP server IP addresses above the tunnel?

    Thanks for reading.

    N ° DHCP uses layer 2 broadcasts to disseminate IP addresses.  Because your clients are connected via VPN, there is no contiguity of layer 2.  The only way he would accidentally do it is if you have configured an address to support IP dhcp as one of your VPN clients on the network, which I imagine you wouldn't.

  • Site to Site VPN between ISR4331(Data Center) and 25 branches with RV042 and dynamic public IP address

    Hi, we just got router ISR4331. We will use this router to our datacenter as pummel hub. Not to mention that it will be the static IP address. Our goal is to connect 30 small offices to the Datacenter by VPN site-to-site. All of our offices a RV042 router and DSL connection, so dynamic public IP. How to accomplish this task. Before the VPN connection is stable and the need not to configure tunnels frequently.

    Thank you

    GM

    Hello

    Please check the config below:

    HUBS:

    crypto ISAKMP policy 1

     BA 3des
    md5 hash
    preshared authentication
    Group 2
    life 86400
    crypto isakmp secretkey key address 0.0.0.0 0.0.0.0 (Having said that the dynamic router HUB remote routers have public ip address)
    Describe your valuable traffic. Note that I have sepcified for both tunnels, but basically, it will be the same for the rest out for the destination. For example, I used 192.168.1.0/24 and 192.168.2.0/24. You will need to replace it with your existing installation.
    TUN1 extended IP access list
    ip permit 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    TUN2 extended IP access list
    ip permit 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    Create your strategy to Phase 2
    Crypto ipsec transform-set esp-3des esp-md5-hmac TS
    card crypto S2STUN 1-isakmp dynamic ipsec HUB_TUN
    crypto dynamic-map HUB_TUN 10

    86400 seconds, life of security association set
    game of transformation-TS
    match address TUN1
    !
    crypto dynamic-map HUB_TUN 11
    86400 seconds, life of security association set
    game of transformation-TS
    match address TUN2
    Now apply the card encryption to your WAN interface
    gi0/1 interface
    card crypto S2STUN
    Now configure on your remote routers
    Remote router 1
    crypto ISAKMP policy 1
    BA 3des

    md5 hash
    preshared authentication
    Group 2
    life 86400
    !
    ISAKMP crypto secretkey key address x.x.x.x (replace with your public ip address of the HUB)
    !
    TUNNEL TRAFFIC extended IP access list
    permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    Crypto ipsec transform-set esp-3des esp-md5-hmac TS
    !
    crypto card TUN_TO_HUB 10 ipsec-isakmp
    defined peer x.x.x.x (replace with your public ip address of the hub)
    game of transformation-TS
    match address TRAFFIC TUNNEL
    !
    gi0/1 interface
    card crypto TUN_TO_HUB
    Remote router 2
    crypto ISAKMP policy 1

    BA 3des

    md5 hash
    preshared authentication
    Group 2
    life 86400
    !
    ISAKMP crypto secretkey key address x.x.x.x (replace with your public ip address of the HUB)
    !
    TUNNEL TRAFFIC extended IP access list
    ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    Crypto ipsec transform-set esp-3des esp-md5-hmac TS
    !
    crypto card TUN_TO_HUB 10 ipsec-isakmp
    defined peer x.x.x.x (replace with your public ip address of the hub)
    game of transformation-TS
    match address TRAFFIC TUNNEL
    !
    gi0/1 interface
    card crypto TUN_TO_HUB

    HTH.
    Evaluate the useful ticket.
    Kind regards
    Terence

  • ASA - s2s vpn with dynamic ip - Dungeon tunnel upward

    Hi guys,.

    We want to set up a vpn between our central asa5520, and a new branch office asa5505 with dynamic public ip address.

    This type of configuration is supported, but the tunnel can only be initiated from the asa distance (the asa central do not know how to reach the asa remote).

    prove that on this vpn also transit traffic voice, we must always maintain the tunnel.

    A solution would be to have a kind of continuous ping from the remote office to the central office... is more 'professional' wat to reach our goal?

    Thank you.

    Try, 'management-access to the inside' of the asa and ping

Maybe you are looking for