Is multi-home VPN possible on different WAN/IP?

We have three SonicWall TZ210s. Site A is where a server is hosted; sites B and C connect to that site through VPN via a static IP address. We would like to add a second access provider to the main site (at least) for failover. The second ISP will obviously have a completely different IP address, and of course the VPN will never find the tunnel due to the new IP address.

Is it possible to configure where if site B and C don't see Site A, it will jump over to the second IP address and use that for the VPN tunnel?

As long as you do not use "tunnel interface" mode, the VPN configuration page has an option to put in a secondary gateway.

If the tunnel is unable to build to the primary gateway, it will fail over and try to build to the secondary gateway.

Kevin

Tags: Dell Tech

Similar Questions

  • Multi-site VPN problem

    Greetings,

    I am practicing VPN implementation and seem to have run into a small issue whose solution eludes me.  Everything works in my current topology with the exception of a multi-site VPN.  I have 3 ASAs, whose outside interfaces are connected via a switch.  The inside interface is connected to a local area network that contains a workstation on each subnet.  I'm trying to set up a solution where I can have all 3 ASAs connected to each other via a VPN.  The issue I have is that when I bring up a single tunnel by pinging from a workstation behind the ASA, I can't bring up a second tunnel by pinging a different network.  To explain that better, here is an explanation:

    ASA #1

    outside: 10.0.1.1/24

    inside: 192.168.0.1/24

    workstation: 192.168.0.100

    ASA #2

    outside: 10.0.1.2/24

    inside: 192.168.1.1/24

    workstation: 192.168.1.100

    ASA #3

    outside: 10.0.1.3/24

    inside: 192.168.2.1/24

    workstation: 192.168.2.100

    If I ping from 192.168.0.100 to 192.168.1.100, the tunnel comes up fine and I get replies.  If I then try to ping from 192.168.0.100 to 192.168.2.100, the tunnel to 192.168.2.0 does not come up.  If I clear all SAs on ASA #1 and then ping from 192.168.0.100 to 192.168.2.100, the tunnel comes up fine and I get a response.  Then I try to ping from 192.168.0.100 to 192.168.1.100 and the same thing happens: no tunnel and no response.  When I enabled logging on ASA #1, it seems that it sends the ping for the different network down the open tunnel instead of opening a new tunnel to the correct network.  Can someone tell me what is happening here and whether I just missed something simple with routing?  Or is it maybe a problem with the VPN?

    Craig,

    You have the default route badly configured on all the ASAs. Here's what you have configured:

    ASA1

    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

    It's sending the packet for outside to the inside IP address. Here's what you need to do on the ASAs:

    ASA1

    no route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

    route outside 0.0.0.0 0.0.0.0 10.0.1.2

    ASA2

    no route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    route outside 0.0.0.0 0.0.0.0 10.0.1.1

    ASA3

    no route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

    route outside 0.0.0.0 0.0.0.0 10.0.1.1

    Also delete the icmp entry from the crypto access list, since you already permit ip in the same access list. IP covers ICMP as well.

    Kindly let me know whether changing the default route allows the traffic.

    Kind regards

    Bad Boy

    P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
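The misconfiguration described in the reply above (a default route on `outside` whose next hop is the firewall's own inside address) can be caught by checking every `route` line against the subnet of the interface it names. This is an added example, not code from the thread; the interface stanzas and the names `ASA1_BROKEN`, `parse_interfaces` and `audit_routes` are constructed for illustration from the addresses in the post.

```python
import ipaddress
import re

# Constructed sample: ASA #1 from the thread with the default route as first posted.
ASA1_BROKEN = """\
interface Ethernet0/0
 nameif outside
 ip address 10.0.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""
# Same device after the correction given in the reply.
ASA1_FIXED = ASA1_BROKEN.replace("0.0.0.0 192.168.0.1 1", "0.0.0.0 10.0.1.2")

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} from the interface stanzas."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            nameif = None                      # new stanza, no name seen yet
        elif words[:1] == ["nameif"] and len(words) == 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return interfaces


def audit_routes(config):
    """Return (route line, reason) for every route whose next hop cannot be
    reached directly on the interface the route names."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue
        nameif, _dest, _mask, gateway = match.groups()
        gateway = ipaddress.ip_address(gateway)
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append((line.strip(), f"no interface named {nameif}"))
        elif gateway == iface.ip:
            findings.append((line.strip(), "next hop is the firewall's own address"))
        elif gateway not in iface.network:
            owners = [n for n, i in interfaces.items() if gateway in i.network]
            where = f"; it belongs to {owners[0]}" if owners else ""
            findings.append((line.strip(),
                             f"next hop {gateway} is not in {nameif} subnet "
                             f"{iface.network}{where}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", ASA1_BROKEN), ("fixed", ASA1_FIXED)):
        print(label, audit_routes(cfg) or "no findings")
```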

  • SSL VPN, is it possible to not show the "untrusted site" warning when connecting

    SSL VPN: is it possible to not display the "untrusted site" warning when connecting? I have a trusted 3rd party cert installed on the ASA. Is it possible, when I connect to it via the Web, for it not to give users the page below and just go to the connection? If they hit continue it works, but we are looking for a way to remove this error.

    There is a problem with this Web site's secure certificate.

    The security certificate presented by this website was not issued by an approved certification authority.

    A site address different Web issued the security certificate presented by this website.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    We recommend that you close this webpage and do not make this Web site.

    Click here to close this webpage.

    Continue to this website (not recommended).

    More information

    Hi Jason,

    Follow these steps:

    1 - no ssl trust-point ssl.axisbu.com.trustpoint outside

    2 - webvpn

    no enable outside

    exit

    3 - ssl trust-point ASDM_TrustPoint3 outside

    4 - webvpn

    enable outside

    It seems that it does not have the right certificate; probably the self-signed one is stuck. Please follow the steps and let me know.

    Thank you.

    Portu.

  • 2. I have Windows Vista Home edition; is a Remote Desktop connection possible with Windows XP Prof SP2? Otherwise how?

    • I can't share internet and file simultaneously? If I share internet file sharing and disappear on the other PC if I share folder and run I can't share internet...
    • 2. I have Windows Vista Home edition; is a Remote Desktop connection possible with Windows XP Prof SP2?
    • Otherwise how?

    Remote Desktop connection is not available in Vista Home: http://www.howtogeek.com/howto/windows-vista/turn-on-remote-desktop-in-windows-vista/.

    I need more info on how your network is configured to answer the question on the other.  How is the computer connected to the internet?  It connects wireless or cable to the router or modem or through ICS from another computer or what?  How do you change between the sharing of internet connection currently?  What happens when you try to enable both connections at the same time (or do not have two connections)?

    Thank you.  With the answers to the above, I may be able to understand the problem, because right now I really don't know how you are set up and I need as much information as you can provide about it.

    Good luck!

    Lorien - MCSA/MCSE/Network+/A+ - If this post solves your problem, please click the 'Mark as answer' or 'Useful' button at the top of this message. By marking a post as answer, or as useful, you help others find the answer more quickly.

  • ASA 5520: SSL VPN by using a different IP address that the ASA public IP address

    Hi guys,

    I'm trying to configure an SSL VPN on a Cisco ASA5520.

    Unfortunately port 443 on the OUTSIDE interface of the ASA is already used by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me from using the public IP address of the ASA as the IP for the Cisco VPN Web page.

    I don't want to use a different port, so as to keep life easy for users.

    I have a few available public IPs that I can use, so I wanted to use one of them instead of the OUTSIDE interface of the ASA. Any idea how I could do this?

    Thank you

    Dario

    Unfortunately you cannot use any other public IP address, except the ASA outside interface IP, to terminate the SSL VPN.

    The only options that you have are to change Outlook to use another port or the SSL VPN to use a different port.

  • Site2site two vpn "Server" for two different ISPS

    Hello. I have two lines from two different ISPs. Both are 4/4 Mbit/s leased lines. I want to create a site-to-site VPN with a few endpoints on each of them. I have an ASA 5540 firewall as a VPN endpoint on my network. My question is: can I have two different VPNs? Can I create two outside interfaces and use one for each ISP to create my VPNs? I first thought of contexts, but I abandoned them as soon as I saw that there's no VPN with contexts.

    Thanks in advance.

    Simple topology is

    VPN - RTR - ASAOut1 VPN1ISP

    -ASAOut2 VPN2ISP

    Hello

    I understand that you need create a tunnel between ASA 1 and 2 of the ASA with an ISP and the other tunnel on ASA 2 other ASA 2 ISPS.

    It is possible as long as you take care of the routing. For the remote access clients it will terminate on the interface which has the default gateway.

  • ASA 5510 VPN multiple tunnels through different interfaces

    Is it possible to create VPN tunnels on more than one interface of an ASA (specifically a 5510 with 8.4), or am I attempting the impossible?

    We have 2 public interfaces on our ASA connected to 2 different providers.

    We have working L2L tunnels from the ASA to remote offices through the interface that is our 'primary' ISP and is also used as our default gateway for internet traffic.

    We are trying to set up a remote office to use our secondary connection for its tunnel (a high-traffic office we would prefer to keep separate from the rest of our internet and VPN traffic).

    I can create the tunnel with the appropriate ACL for tunnel traffic, crypto map, etc., put in place a static route to force the ASA to use the secondary interface for traffic destined for the public IP address of the remote gateway, and when I'm finished, traffic initiated by the remote site will cause the tunnel to negotiate fine - I can see the tunnel in show crypto ikev1 sa as L2L responder MM_ACTIVE, and in show ipsec sa with the right destination and correct local and remote identities for interesting traffic, but the local ASA never tries to send traffic through the tunnel.  If I use packet-tracer, it never shows a VPN being involved in traffic from headquarters to the remote office, as if the ASA is not seeing this as traffic matching the VPN tunnel.

    If I take the exact same access list and crypto map statements and change them to use the primary ISP connection (and, of course, change the IP the remote office connects to), then the connection works as expected.

    What am I missing?

    Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)

    access-list PUBLIC_B_map extended permit ip 192.168.0.0 255.255.254.0 192.168.3.0 255.255.255.0

    nat (Inside,PUBLIC_B) source static MainOffice MainOffice destination static FieldOffice FieldOffice

    crypto map PUBLIC_B_map 10 match address PUBLIC_B_map

    crypto map PUBLIC_B_map 10 set peer x.x.x.x

    crypto map PUBLIC_B_map 10 set ikev1 transform-set ESP-3DES-SHA

    crypto map PUBLIC_B_map interface PUBLIC_B

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group x.x.x.x ipsec-attributes

    ikev1 pre-shared-key *

    route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1

    If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the PUBLIC_B route statement and change the remote office to point to the IP address of PUBLIC, then everything works, so my access list and crypto map statements must be correct.

    What I don't understand is why the head office ASA does not seem to recognize interesting traffic for the tunnel when the tunnel is on the second ISP connection, but works when it is on the main ISP.  There is no problem of connectivity with ISP B - as mentioned previously, the tunnel will come up and negotiate properly when traffic is started from the remote office, but the traffic from the main office is never sent down the tunnel - it's as if the ASA does not think that traffic from 192.168.0.x to 192.168.3.x should pass through the VPN.

    Any ideas?

    Hello

    I think your problem is that there is no route for the actual remote network behind the L2L VPN through the ISP B connection.

    You could try adding the following configuration:

    crypto map PUBLIC_B_map 10 set reverse-route

    This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.

    If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.

    The route to the remote VPN peer through the ISP B does not to my knowledge.

    I would like to know if it works for you.

    It may be useful

    -Jouni
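The condition raised in the reply above (the remote network behind the L2L VPN has no route through the ISP B interface) can be checked offline by comparing, for each crypto map entry, the interface the routing table selects for the protected remote network with the interface the crypto map is bound to. This is an added example, not code from the thread; it models the static routing table only (no NAT or connected routes), and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed placeholders for the values the post masks as x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed sample modelled on the thread: default route on PUBLIC, crypto map
# bound to PUBLIC_B, and only the peer's subnet routed out PUBLIC_B.
HQ_CONFIG = """\
access-list PUBLIC_B_map extended permit ip 192.168.0.0 255.255.254.0 192.168.3.0 255.255.255.0
crypto map PUBLIC_B_map 10 match address PUBLIC_B_map
crypto map PUBLIC_B_map 10 set peer 203.0.113.40
crypto map PUBLIC_B_map interface PUBLIC_B
route PUBLIC 0.0.0.0 0.0.0.0 198.51.100.1 1
route PUBLIC_B 203.0.113.32 255.255.255.224 192.0.2.1 1
"""


def network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse(config):
    """Collect crypto ACL destinations, crypto map entries, bindings and routes."""
    acls, entries, bound, routes = {}, {}, {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"] and len(w) == 9:
            acls.setdefault(w[1], []).append(network(w[7], w[8]))  # destination = remote side
        elif w[:2] == ["crypto", "map"] and len(w) == 5 and w[3] == "interface":
            bound[w[2]] = w[4]
        elif w[:2] == ["crypto", "map"] and len(w) >= 6:
            entry = entries.setdefault((w[2], w[3]), {"acl": None, "rri": False})
            if w[4:6] == ["match", "address"] and len(w) == 7:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "reverse-route"]:
                entry["rri"] = True
        elif w[:1] == ["route"] and len(w) >= 5:
            routes.append((network(w[2], w[3]), w[1]))
    return acls, entries, bound, routes


def egress_interface(dest, routes):
    """Longest-prefix match: the interface the routing table picks for dest."""
    matches = [(net.prefixlen, nameif) for net, nameif in routes if dest.subnet_of(net)]
    return max(matches)[1] if matches else None


def unrouted_tunnels(config):
    """Return (map, seq, remote network, routed interface, crypto interface) for
    each crypto map entry whose protected remote network leaves by another
    interface and that has no reverse-route to correct it."""
    acls, entries, bound, routes = parse(config)
    findings = []
    for (cmap, seq), entry in sorted(entries.items()):
        if entry["rri"] or cmap not in bound:
            continue
        for remote in acls.get(entry["acl"], []):
            out = egress_interface(remote, routes)
            if out != bound[cmap]:
                findings.append((cmap, seq, str(remote), out, bound[cmap]))
    return findings


if __name__ == "__main__":
    print(unrouted_tunnels(HQ_CONFIG))
```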

  • VPN L2L as a backup WAN

    Hello world

    I have a client that has the topology illustrated in the image below (also attached as a file). As you can see there ISP two, one for the Internet Service and another for RE service. Also, there are 3 remote locations who also with ISP-2 WAN connections and each of them has an Internet connection with various Internet service providers.

    The ASA is currently working as a VPN server for remote teleworkers through IPsec Tunnels using the cisco VPN Client.

    The customer (and I too) wants to know if it is possible to back up the WAN connection using 2 LAN-to-LAN VPN tunnels. This way, if the ISP-2 WAN is down, the L2L VPN connection is automatically established and branches will have access to services through the tunnel.

    Can you help me with some information or a configuration guide, please?

    Thanks in advance.

    José Manuel Cortés Hurtado

    Yes, you can terminate the VPN on your internet router if possible. The key to this setup is the routing. It means finding a point where you can control where the traffic should be forwarded. Then use routing with SLA tracking to control when the floating route must be added into the routing table. If you can provide details on how the routing is set up at the main office, I can take a look.

    Regarding the branch office, if there are already two routers for the WAN and internet connections respectively, is there any other layer 3 device behind them to do the routing? A diagram of a typical branch office topology and the routing configuration information will be useful.

  • See 4.5 - is possible PCoIP of WAN?

    I've been digging around, but I have not found a conclusive answer.  Please forgive me if it has actually been answered somewhere else.

    In my setup, View Client sits on my Windows 7 machine at home, and the View Manager is located at my friend's house. The two houses are connected to the Internet via ADSL. The HTTPS port is open at my friend's place and port-forwarded to the View Manager. In this case, is PCoIP possible? I heard that it is only possible with VPN, but I tried with OpenVPN and PCoIP still does not work.

    Customer 192.168.0.10 <-> Broadband Router <-INET-> Broadband Router <-> View Manager 192.168.0.20

    We had great success with PCoIP with Cisco ASA hardware and Cisco VPN client access. Simply open the ports as suggested and it should work. If not, check the logs on your firewall and see what is being stopped.

    EDIT

    Of course, our setup is run by a company. I don't know if you have the option to have the configuration mentioned above, but I just wanted to point it out because it works through VPN :).

    Post edited by: Jagar

  • Tunnel VPN RV-042 for Dual WAN Failover backup function

    We have customers with dual WAN failover scenarios with site-to-site VPN tunnels.

    In the past, the VPN tunnel backup feature has been available in the RV-082.

    Does one of the new RV-042 firmware versions have the VPN tunnel backup function available?

    The feature is supported on the RV042 V3 hardware.

  • VPN ipsec active on both WAN ports?

    Hi guys, we have VPN working on WAN1 and we have WAN2 as a failover.  If WAN1 breaks down, then we can VPN to the backup IP.

    Is it possible to have VPN active on both WANs at the same time?  Then users can choose to use WAN2 if they think that the main connection WAN1 is too slow?

    Thank you

    Hello

    If it's a C2S, then it is not possible according to my knowledge... because the traffic is going to come back with the route by default... option... so it would be impossible in my opinion... If it's a S2S, then you have a static route to do with...

    Regards

    Knockaert

  • ASA VPN with ISE and different backends WBS for authentication

    Hello

    I have an AAA problem that I hope to get some help with.

    The problem ultimately is: how to have the ASA, via ISE, send Radius Access-Requests to different OTP backends depending on the connection to a certain Tunnel Group.

    BACKGROUND:

    I'll try to give you a brief picture of the scenario, this is what I currently have.

    A VPN system (ASA 8.4(4)) where I let my users choose among 3 different methods of authentication, being

    (1) certificate (on chip card)

    (2) token - token of the OTP (One Time Password provided via the smartphone application: using pledge of Nordic OTP-Edge transport server)

    (3) SMS - OTP token (Nordic OTP - Edge transport server SMS OTP)

    The choice corresponds to different groups of profiles/Tunnel connection.

    Today, all authentication requests go directly to the OTP server and authorization goes directly to the AD via LDAP.

    THE PROBLEM:

    The problem occurs when I try to put in the ISE in the mixture.

    What I obviously (?) would like to do is have all the network authentication/authorization to go through my ISE platform to take advantage of a centralized administration, monitoring etc.

    Again I would need to use different backend databases such as AD and the Nordic OTP-Edge server, but then proxied by ISE.

    For that, I need to know which AAA backend to proxy to, so I somehow need to be able to distinguish the incoming Radius Access-Requests.

    WHAT WE CALL:

    As of ASA 8.4.3, the Radius Access-Request contains 2 new attributes, the Tunnel Group Name and the Client Type, when a VPN user connects.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187

    QUESTION:

    It seems that, in theory, I can achieve what I want by looking at the Radius Access-Request attribute "Tunnel Group Name" and forwarding my request to different OTP backends for the authentication part. But how do I actually go ahead and set that up in ISE?

    I don't see this attribute when I look at the details of Radius Authentication for an authentication AAA of the ASA at the ISE.

    Best regards

    / Mattias

    I think you can hit the following problem:

    CSCtz49846: ISE does not match the condition with VPN 146 Tunnel-Group-Name attribute

    This issue is not specific to this attribute, as shown in the solution shown in the accompanying note

    Workaround

    Ensure that the attribute name does not include a '.' character. This also applies to some of the existing attributes in the dictionary of Cisco-VPN300. Attribute names should be changed so that they do not include a "." character.

  • multi-site VPN with just the cisco vpn client

    Hello everyone

    Please I need your help.

    We have a headquarters office and up to 60 branch offices, and we want to create a VPN network between them. So we will deploy 2 Cisco routers as Easy VPN servers with HA (HSRP) at the headquarters office; all branches have ADSL connections and they will use just the Cisco VPN client to connect to the headquarters office.

    My question is: is it possible to do it with just the Cisco VPN client, without purchasing a Cisco router for every branch to create an IPsec tunnel, because that is so expensive?

    It depends on whether the routers at the offices can handle NAT with several internal VPN clients behind 1 IP address. Most new hardware should be fine. Keep in mind the maximum limit of VPN clients; with 60 branches and 5 people in each, you are above the limit.

    Michael

    Please rate all useful posts

  • Several languages in multi-folio App - not possible?

    Hello

    We want to create a multi-folio app with folios in both languages.

    Which is the right way to do it?

    Is there an option to have an application that gets the right language folio by detecting the language of the device?

    THX!

    One way to do this would be to create different editions of the same folio for different languages and use library filters.

  • Multi-home or no multi-home; that is the question

    Hi all

    This isn't technically an ESX question, but it's a question that arises for us due to how it is easy to add additional network cards (and thus the network connections) for virtual machines hosted on our ESX boxes. I'm curious to hear the views of others on the issue.

    Basically - when you have a virtual machine that requires access to several VLANs, do you tend to add additional network cards to the virtual machine that connect it directly to these VLANs, or do you use just one network card and route traffic for the VLANs via a router/firewall?

    A virtualized VirtualCenter server is a perfect example: at the very least this needs access to your local network LAN VLAN (for administrator access to the VC, to speak with the domain controllers), and the management VLAN (to talk to the ESX hosts) etc. As a general rule, would people connect one network adapter in the VC virtual machine to one of these two VLANs and access the other VLAN via a router/firewall, or would you connect two network adapters to the VC virtual machine, one in each VLAN?

    Curious to know how others deal with it - thank you.

    See you soon,

    Matt Kilham

    Hello

    From a security point of view, you would not add additional network cards in different VLANs. If you do, you basically ignore the router/firewall. It's a security risk if the box "breaks" or routing is turned on accidentally. I always put VMs in the VLAN they belong to (DMZ, INSIDE, OUTSIDE, SERVERS, whatever) and use VLAN ACLs to determine what they can and cannot do to other VLANs and the internet. Sometimes I drill smaller holes, like when an application server is outside and SQL is inside. I then punch a hole from the application server to the SQL server (based on IP addresses), opening only 1433/tcp.

    Of course, there are a few exceptions. One is an ISA Server. This server generally uses two or three network cards in different segments, since it IS the router/firewall. I use an ISA Server, which has two VLANs of its own. So my router determines what goes in and out (port level), and ISA can do the rest (www split on headers, proxy, etc.).

    Another exception I have at home (sick, I know) is that my download VM is in a different VLAN than the file server. So my VM downloads a big file, and then I move it to the file server. My router however limited the performance (around 5-6 MB/s), so I gave the download VM a second network adapter in the same VLAN as the file server (shame on me); now it copies at +-30 MB/sec...

    Visit my blog at http://erikzandboer.wordpress.com
