Loadbalancing ASA VPN and firewall failover issue

Is it is possible to setup 2 ASA 5520 in active monitoring of the State and still take advantage of load balancing VPN or each of the ASA must be independent to use the VPN load balancing?

Thank you

Please rate if this can help

Tags: Cisco Security

Similar Questions

  • RVL200 - SSL VPN and firewall rules

    Forgive my ignorance, but I have been immersed in the configuration of this device RVL200 to allow Remoting SSL VPN to a customer site, sight unseen.  I have the basics of the VPN set up in config, but now move the firewall rules.  We want to block all internal devices to access the Internet, but I don't want to cripple the remote clients that will be borrowed by blocking their return via the SSL VPN traffic.  This leads to my questions:

    (1) a rule of DENIAL of coverage for all traffic OUTBOUND will prevent the primary function of the VPN (to allow the administration away from machines on the local network)?

    (2) if the answer to #1 is 'Yes', what ports/services do I need to open the side LAN?

    (3) building # 2, configuring authorized outbound rules apply only for VPN clients, rather than all the hosts on LAN?

    (4) as the default INCOMING traffic rule is to REFUSE EVERYTHING, do I have to create a rule to allow the VPN tunnel, or guess that in the configuration of the router?

    Here are some other details:

    • The LAN behind the RVL200 is also isolated LAN in a manufacturing environment
    • All hosts on this network have a static IP address on a single subnet.
    • The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
    • DHCP has been disabled on the RVL200
    • Authentication to the device will use a local database.
    • There is no such thing as no DNS server on the local network
    • The device upstream of the RVL200 is a modem using PPPoE DSL, and the device has been configured for this setting.
    • Several database of local users accounts were created to facilitate the SSL VPN access.

    I worked with other aspects of it for a long time, but limited experience with VPN and the associated firewall rules and zero with this family of aircraft.  Any help will be greatly appreciated.

    aponikikay, there is no port forwarding necessary to the function of the RVL200 SSL - VPN.

    Topic 1. That is not proven. It shouldn't do. The router should automatically make sure that the SSL - VPN router service is functional and accessible.

    Re 2. No transfer necessary. In addition, never before TCP/UDP port 47 or 50 for VPN functions. The TCP 1723 port is used for PPTP. UDP 500 is used for ISAKMP. You usually also to transmit TCP/UDP 4500 port for IPSec encapsulation.

    Let's not port 47. ERM is an IP protocol that is used for virtual private networks. It is a TCP or UDP protocol. GRE has 47 IP protocol number. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols of free WILL.

    It goes the same for 50: ESP is the payload for IPSec tunnels. ESP is the Protocol IP 50. It has nothing to do with TCP or UDP port 50.

    'Transfer' of the GRE is configured with PPTP passthrough option.

    'Transfer' of the ESP is configured with IPSec passthrough option.

  • Client VPN and WinXP compatibility issue

    I have the Cisco VPN client installed on my WinXP SP2 for VPN access occasionally to our or networks to do. Suddenly I lost the ability to ping or against opening a TCP/UDP on my PC in LAN connection last week. All communications initiated FROM my PC worked fine. I did a lot of experiments and found that the issue is a Cisco VPN Windows service. As soon as the service, everything is OK. Some updates of Windows came last week and I thing that some of them is not interoperable with the Cisco VPN client. The client is 4.8.01.0300.

    Does anyone have the same experience or a solution without stopping the service manual?

    Have you tried to disable the Stateful Firewall VPN Client in the menu Options too?

  • Remote access ASA, VPN and NAT

    Hello

    I try to get access to remote VPN work using a Cisco VPN client and ASA with no split tunneling. The VPN works a little, I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the log ASA except these:

    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

    There is only one address public IP that is assigned to the external interface of DHCP. The Interior is 192.168.1.0/24 network which is PAT'ed to the external interface and the VPN network is 192.168.47.X.

    I think my problem is that the net.47 is not NAT'ed out properly and I don't know how to put in place exactly. I can't understand how this is supposed to work since the net VPN technically provenance from the outside already.

    Here are all the relevant config:

    list of vpn access extended permits all ip 192.168.47.0 255.255.255.0
    Within 1500 MTU
    Outside 1500 MTU
    IP local pool vpnpool 192.168.47.200 - 192.168.47.220 mask 255.255.255.0
    IP verify reverse path to the outside interface
    IP audit info alarm drop action
    IP audit attack alarm drop action
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow all outside
    Global interface (2 inside)
    Global 1 interface (outside)
    NAT (inside) 0-list of access vpn
    NAT (inside) 1 0.0.0.0 0.0.0.0
    NAT (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside, outside) tcp 3074 XBOX360 3074 netmask 255.255.255.255 interface
    static (inside, outside) udp 3074 XBOX360 3074 netmask 255.255.255.255 interface
    public static (inside, outside) udp interface 88 88 XBOX360 netmask 255.255.255.255
    public static tcp (indoor, outdoor) https someids netmask 255.255.255.255 https interface

    I can post more of the configuration if necessary.

    Change ' nat (outside) 2 192.168.47.0 255.255.255.0 apart ' "NAT (2-list of vpn access outdoors outside)" gives these:

    1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So, how I do right NAT VPN traffic so it can access the Internet?

    A few things that needs to be changed:

    (1) NAT exemption what ACL must be modified to be more specific while the traffic between the internal subnets and subnet pool vpn is not coordinated. NAT exemption takes precedence over all other statements of NAT, so your internet traffic from the vpn does not work.

    This ACL:

    list of vpn access extended permits all ip 192.168.47.0 255.255.255.0

    Should be changed to:

    extensive list of access vpn ip 192.168.47.0 255.255.255.0 allow

    (2) you don't need statement "overall (inside) 2. Here's what to be configured:

    no nat (outside) 2 192.168.47.0 255.255.255.0 outside

    no global interface (2 inside)

    NAT (outside) 1 192.168.47.0 255.255.255.0

    (3) and finally, you must activate the following allow traffic back on the external interface:

    permit same-security-traffic intra-interface

    And don't forget to clear xlate after the changes described above and connect to your VPN.

    Hope that helps.

  • VPN and firewall box

    Hello

    I have a site to another using VTI VPN.

    I tried to configure my fw by sector to decline to ping on my WAN IP, but when I applied it, my VPN is down.

    Could someone advise me how to do?

    Here is my config:

    type of class-card inspect entire game inside-outside-class
    https protocol game
    http protocol game
    dns protocol game
    match icmp Protocol
    tcp protocol match
    udp Protocol game
    type of class-card inspect all outside-Self-class match

    match the name of group-access ICMPReply

    Access-group name ISAKMP

    type of class-card inspect any VPN-Interior-class match
    match icmp Protocol
    tcp protocol match
    udp Protocol game
    http protocol game
    ssh protocol game
    https protocol game
    sip protocol game
    type of class-card inspect entire game inside-VPN-class
    match icmp Protocol
    tcp protocol match
    udp Protocol game
    http protocol game
    https protocol game
    ssh protocol game
    sip protocol game

    type of policy-card inspect the inside-outside-policy
    class type inspect inside-outside-Class
    inspect
    class class by default
    type of policy-card inspect VPN-Interior-policy
    class type inspect VPN-Interior-class
    inspect
    class class by default
    type of policy-card inspect the Interior-VPN-policy
    class type inspect the Interior-VPN-class
    inspect
    class class by default

    type of policy-card inspect outside-Self-policy
    class type inspect outside-Self-class
    inspect
    class class by default

    area inside security
    security of the outside area
    the security VPN zone

    zone-pair security starting source of domestic destination outdoors
    type of service-strategy inspect the inside-outside-policy
    VPN-In source destination inside VPN security zone-pair
    type of service-strategy inspect VPN-Interior-policy
    zone-pair security VPN-source inside VPN destination
    type of service-strategy inspect the Interior-VPN-policy

    auto-Out security of the zone-pair source outside the car destination
    type of service-strategy inspect outside-Self-policy

    Interface Tunnel100

    the Member's area VPN security

    Source of Dialer0 tunnel

    Interface Dialer0

    security of the outside Member area

    Interface Vlan1

    security of the inside members area

    ISAKMP extended IP access list
    allow udp any any eq isakmp
    allow a whole ahp
    allow an esp
    permit any any eq non500-isakmp udp

    ICMPReply extended IP access list
    allow all all host unreachable icmp

    Thank you

    Thank you, so the phase 1 is on the rise, however, phase 2 is not.

    I guess this works if you remove the ZBFW?

    Can you enable logging and check if there is no ZBFW error message?

    Also, you disable the tunnel after the configuration of ZBFW?

    clear the isa cry his

    Claire crying its

    Configuration seems correct.

  • AnyConnect VPN and LAN access

    When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.

    Right?

    After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?

    Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN

    Thank you

    Frank

    Hello

    Yes, by default, all traffic will be sent through the tunnel.

    If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.

  • ASA Vpn load balancing and failover

    Hi all.

    We have two asa5520 configured as main unit and emergency in failover configuration, and everything works fine.

    Is it possible with this configuration (switch), configure the vpn load balancing/grouping?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run two of them on two firewalls ASA, VPN feature load balancing or failover functionality.

    Where you need to use the two feature, you must use more than three ASA firewall, two first ASAs will work as the failover and the ASA third will work as cluster VPN for them, the following example uses four firewalls:

    ASA1 (active FO) - ASA2 (TF Standby)

    (VPN virtual master)

    |

    |

    |

    |

    (Backup VPN device)

    ASA3 (active FO) - ASA4 (TF Standby)

    Kind regards

    Wajih

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

    The config below has had IPs/passwords has changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2 (1)
    !
    hostname datacenterfirewall
    mydomain.tld domain name
    activate the password encrypted
    passwd encrypted
    names of
    name 10.10.0.0 OfficeNetwork
    10.5.0.0 DatacenterNetwork name
    !
    interface Vlan1
    nameif inside
    security-level 100
    10.5.0.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    1.1.1.4 IP address 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    buydomains.com domain name
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    inside_access_in list extended access permit icmp any one
    inside_access_in list extended access permitted tcp a whole
    inside_access_in list extended access udp allowed a whole
    inside_access_in of access allowed any ip an extended list
    outside_access_in list extended access permit icmp any one
    outside_access_in list extended access udp allowed any any eq isakmp
    IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
    outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    IP verify reverse path to the outside interface
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 623.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside_access_in access to the interface inside group
    Access-group outside_access_in in interface outside
    Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 10.5.0.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
    Crypto dynamic-map ciscopix 1 transform-set walthamoffice
    Crypto dynamic-map ciscopix 1 the value reverse-road
    map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
    dynmaptosw interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 13
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    lifetime 28800
    crypto ISAKMP policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    No encryption isakmp nat-traversal
    Telnet 10.5.0.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 10.5.0.0 255.255.255.0 inside
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd address 10.5.0.2 - 10.5.0.254 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP server 66.250.45.2 source outdoors
    NTP server 72.18.205.157 source outdoors
    NTP server 208.53.158.34 source outdoors
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    VPN-idle-timeout no
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    !
    context of prompt hostname
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

    Add the statement of rule sheep in asa and try again.

    NAT (inside) 0-list of access pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Concerning

  • AnyConnect vpn and a tunnel vpn Firewall even outside of the interface.

    I have a (no connection) remote access vpn and ipsec tunnel connection to return to our supplier is on the same firewall outside interface.

    The problem is when users remote vpn in they are not able to ping or join the provider above the tunnel network.

    now, I understand that this is a Bobby pin hair or u turn due to traffic but I'm still not able to understand how the remote vpn users can reach the network of the provider on the tunnel that ends on the same interface where remote access vpn is also configured.

    The firewall is asa 5510 worm 9.1

    Any suggestions please.

    Hello

    You are on the right track. Turning U will be required to allow vpn clients access to resources in the L2L VPN tunnel.

    The essence is that the split tunneling to access list must include subnets of the remote VPN to peer once the user connects they have directions pertaining to remote resources on anyconnect VPN

    Please go through this post and it will guide you how to set up the u turn on the SAA.
    https://supportforums.Cisco.com/document/52701/u-turninghairpinning-ASA

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100918-ASA-sslvpn-00.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Help with a VPN tunnel between ASA 5510 and Juniper SSG20

    Hello

    We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

    After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

    Main branch
    1.1.1.2                                 1.1.1.1
    -----                                               -----------
    192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
    -----                                               -----------
    192.168.8.254 192.168.1.254

    According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

    Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

    It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

    Help is very appreciated.

    Thank you

    1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

    SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

    You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

    management-private access

    To initiate the ping of the private interface ASA:

    ping 192.168.1.254 private

    2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

    Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

    Hope that helps.

  • Device behind a Firewall other, ASA VPN

    I have a client who wants to put their VPN / behind the ASA ASA main connected to the Internet.  Both devices have an inside leg for the internal network, but the ASA VPN connects directly to the Internet ASA.

    Topology:

    Outisde FW: Internet transfer Procedure > ASA/FW > leg DMZ to ASA/VPN

    ASA VPN: Outside the L3 Interface interface DMZ of ASA/FW link

    On the outside NAT FW I would be the external address of the VPN / ASA outside the public IP address is available and I have a rule that allows all IP from outside to outside the private IP VPN.  Inside = 192.168.254.1 outside = public IP address.

    Configured on the VPN / ASA, ASA standard SSL Remote Access.

    When I hit the NAT public IP address, nothing happens.  I've run packet - trace on the FW outside, and everything seems good.

    Someone at - it a sampling plan / config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can share you your NAT and routing configuration? Of these two ASAs

  • VPN site to Site ASA 5510 and 871 w / dynamic IP

    What is the best method of creating a VPN site-to site between an ASA 5510 and a router 871 where the 5510 has a static IP address and has 871, a dynamic IP address?

    My ASA is running ASA software version 7.0 (5) and I can't find how to create a tunnel for a dynamic IP address via the ASDM. I have currently a tunnel between these two arrangements in place, but it was done by specifying the remote IP address, even if it is dynamic.

    Any suggestions or pointers would be * very * appreciated.

    -Adam

    This can help but it does not show ASDM.

    http://Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

  • l2l ASA vpn issues

    Hi all

    I have two firewalls that I'm trying to implement VPNs l2l between them. Once of them is an old wall of sonic and the other 5505.

    I put in all and ends the phase 1/2 and the tunnel rises however no traffic passes through

    Here is my configuration

    ASA (outside, 192.168.30.1) asa internal 192.168.10.0/25

    (Outside 192.168.30.2) SonicWALL sonicwall 192.168.20.0/24

    I have an accesslist that is configured on the asa and applied to the cypto card using card crypto XXXX 1, atch address YYY

    However when I watch the news ebugging on the console it says: "cannot locate the output for UDP of XXXX interface: 192.168.10.10/1 to 192.178.20.1/0.

    any ideas why this is?

    I just need a static route to say all traffic on asa with 192 source... 10.0 should go through 192.168.30.2?

    I guess it's the work of crypto card

    Am I wrong?

    Hello

    Begins to seems to me you have a filter ACL configured for your L2L VPN VPN and also the ACL filter of VPN and Crypto ACLs are the same things, which means you use a simple both ACL.

    Why I think it's like this is the fact that you say that your VPN L2L cross trading in the "packet-tracer" VPN Phase means Crypto VPN L2L ACL was correct. At the same time say you that the connection was stopped to the Phase of the VPN USER. He points to a VPN filter ACL being configured.

    In view of the foregoing, I also know that the ACL of filter for the L2L VPN behave with a logic different than typical ACL interface. In VPN L2L the ACL filter ALWAYS mention the remote network as the source ALWAYS and your Local network as the destination.

    If add you an ACL rule with order switched networks appears this fixes the VPN filter ACL problems and finally allowed traffic. Naturally I can only guess that I saw actual configurations at this point (which, usually with release "packet - trace", help to solve a problem faster just guessing)

    If you indeed filter VPN, you may be able to track him down with the following commands

    See the tunnel-group race

    Check if a "group policy" is defined then the command

    See establishing group policy enforcement

    This output should list the name of the ACL filter VPN if its game

    Regarding the installantion auto road. The default setting for ASA, is that it will create NO static routes automatically depending on the VPN configurations. This must be enabled manually in "crypto map" configurations, or you can configure static routes manually.

    ASA tracking to default TCP and UDP connections. ICMP is inspected only if his permit. By default, it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • Cisco asa 5505 and centos VPN server connection

    Hi all

    Please I want to set up a VPN between Cisco asa 5505 and centos server.

    Here's my senerio

    -------------------------

    ASA 5505

    Public IP 155.155.155.2

    Local NETWORK: 192.168.6.X

    CentOS Server

    ------------------

    Public ip address: 155.155.155.6

    Thank you guys

    Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

    If the remote access, here are the sample configuration:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

  • Cisco Anyconnect VPN and IPSEC coexist on ASA 5520?

    Can a Cisco ASA 5520 which has been configured as IPSEC VPN gateway and also be configured as a gateway ANYCONNECT VPN and vpn IPSEC service anyconnect vpn clients clients maintenance at the same time? Any negative impact on the performance or any other problem that everyone knows?

    I guess that by 2 connection limit, you are referring to the 2 licenses for anyconnect?  You should consider using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will take you to the edge of the platform with anyocnnect.

    You shouldn't have any problem using IPSEC with LDAP client.  It is quite common - my company is IPSEC as Anyconnect off the coast of the same interface using authentication ldap (even same-group policy) for the two.

    -Jason

Maybe you are looking for

  • Is there a parameter (such as automatic backup) I forgot?

    Thunderbird V31.1.1 sometimes the same email appears several times in the "Drafts" folder long once it has been sent, they for the most part all the same time "created."

  • Tabs with ads keep opening randomly

    everytime I open fire Fox, a random tab opens about every 20 seconds,every day on a different site. yesterday, it was a site of games today, it was this: https://www.lotterymaster.com/free-Lottery/11?offer_id=102 & aff_id = 54 & SourceId = 355 & Crea

  • Toshiba HD-1CMOS SDI - HD camcoder on optical fiber

    Hello, I have 1CMOS-HD camcoder, now I need to transfer signals hd - sdi over fiber with this extension of fiber 3 g - sdi, so I'm curious is this compatible with the HD-1CMOS camcorder device.

  • Cannot display the log of FAXES

    I have an HP Officejet 7310 all-in-one wired to a computor of Windows Vista 32-bit.  After sending a fax, I checked the log of faxes.  It displays fine, but did not reflect my recent fax.  Later, I tried to view the log of faxes, but when I click to

  • Cleaning the disk with DiskPart

    Recently I came across a problem with Windows 7, which has been resolved, as a temporary solution, by reinstalling Windows without formatting. This was done in order not to lose personal data. Everything works fine now, and I was able to recover and