Support for ASA5506X to VPN3020 VPN Tunnel

Hello

Our client uses an old VPN3020 hub in their headquarters and several ASA 5505s in branches which maintain VPN tunnels to the hub. As the 5505 has been EoS since 2013, they are seeking another feature for the new branches that will be able to work with the 3020. We wonder if the ASA 5506-X would be supported. I couldn't find any reference that specifies this configuration being supported. If not, what would be an alternative? (... and replacing the VPN3k is not an option ;-))

Thanks & best regards Frank.

The VPN3k uses IPsec IKEv1, which is supported by the ASA 5506.

The ASA 5505 is not yet EOS and also not EOL. For sure the 5506-X is a much better platform, but keeping a security device (the VPN3k) that *is* EOL and has seen no updates for years connected to the internet does not seem a really brilliant idea... ;-)

Tags: Cisco Security

Similar Questions

  • 2 VPN tunnels for the same destination

    Hi all

    Is it possible on my ASA to create 2 VPN tunnels to the same destination device?

    see you soon

    Carl

    You can not have 2 vpn tunnels going to the same destination device.

    However, you can have a crypto map with set peer pointing to 2 peer IP addresses.

    Example:

    crypto map mymap 30 set peer 1.1.1.1 2.2.2.2

  • VPN tunnel cascade w/ SW NSA FWs

    Hello

    I have questions about VPN cascading between 3 firewall SonicWALL NSA. Let me explain my situation and what I want to achieve.

    As shown in the diagram above, I have 3 branches connected to the Internet, which advanced to the LAN is the NSA SW FW. There is a VPN tunnel between each site: Site_A-Site_B, Site_A-Site_C, Site_B-Site_C. The Internet of the Site A traffic is redirected to the Site B. This Site A Cross Site B to access the Internet and LAN B. Site A through C access LAN C Site.

    My question is: is it possible to remove the tunnel VPN Site_A-Site_C to and instead, through Site B to C LAN access? If so, how you can achieve this configuration?

    What worries me is the VPN tunnel options that allow you to redirect all Internet traffic or a specific destination of LAN through objects (screenshots from Site A) address:

    Without the redirection of Internet traffic, I thought about creating a group of addresses, including 2 B LAN and LAN C address objects. But I want to keep the Internet through Site B traffic redirection.

    What do you think?

    Thanks in advance for your help.

    Hello

    My comments below:

    If you route indeed all traffic from A to B, the following must fill.

    1. remove the tunnel A C

    Ok.

    2. site B will have A subnet that is defined as a local resource for C

    Do you mean this by local resource?

    3. C is going to have A subnet defined as remote resource

    Ok.

    If you route any traffic from A to B, the following must fill.

    First step would be to remove the tunnel VPN between A and C, but I guess that you have assumed that it was already done.

    1. define the C subnet as a remote resource on Site A

    Yes, like a remote network for the A - B VPN tunnel.

    2. tunnel of site B to A will need to subnet C defined as local resource

    Ok.

    3. tunnel of site B and C will need subnet defined as local resource

    Ok.

    4. the site will need to subnet C has defined as remote resource

    Yes.

    I'll do a test soon with 3 sites and see how it goes.

  • NAT, ASA, 2 networks and a VPN tunnel

    Hello. I have a following question. I am trying to establish a VPN tunnel to a remote network used to be connected to our via a VPN tunnel. The problem is that the previous tunnel their share has been created for the x.x.x.x our coast network which will serve no more time a month, but is currently still active and used. As I'm trying to get this VPN tunnel as soon as possible without going through all the paperwork on the other side (political, don't ask) is it possible to make NAT of the new network in the network x.x.x.x for traffic through the VPN tunnel.

    Something like this:

    new network-> policy NAT in old x.x.x.x fork on ASA-> VPN tunnel to the remote network using x.x.x.x addresses

    It is possible to add the new policy, but sometimes it can conflict with the former.

  • VPN tunnel interface causes

    Hello
    Can someone tell me the various reasons/causes for VPN tunnel interface drops?

    Thank you
    Kind regards.
    Aateek singh

    Depends on your type of encapsulation. The most common:

    - GRE: source interface down, destination not routable, GRE keepalive has failed.

    - VTI: source interface down, destination not routable, IPsec security associations are not up.

  • RV016 split support VPN tunnel?

    I read a rumor that the RV016 does not support split VPN tunnels.

    See here:

    http://www.SmallNetBuilder.com/lanwan/lanwan-reviews/31525-Cisco-RV082-and-RV016-v3-VPN-routers-reviewed

    My understanding is that on my router RV042 VPN tunnels will send internet traffic to the local gateway and send the traffic through the VPN tunnel only if they are intended for the remote subnet.  It is my understanding of the "split tunnel".

    Is it not true with the RV016?

    Your understanding on split tunnel is correct. RV016 behaves like RV042 in this regard.

  • RVI042 - max # of supported gw to gw vpn tunnels?

    What is the max number of gw to gw VPN tunnels supported? What would you recommend for the remote router - MD1 / 1 phone? Cable modem, most likely.

    RV042 supports 50 Gw-2-Gw tunnels. With respect to the remote sites, you might consider WRV210 for its Wi-Fi, VPN and a lower cost. However, at a remote site, using an RV042 provides an option for a redundant internet connection.

  • Windows 7 x 64 support for Client VPN with SBL/PLAP

    Is there now, or will there be, VPN Client support on Windows 7 x64 for the Pre-Login Access Provider (PLAP) that replaces Start Before Logon (SBL)?  I understand that the AnyConnect client supports it, but the customer needs the VPN Client (IPsec) rather than AnyConnect (SSL) because of their current license on the ASA.  They have few licenses for SSL.

    It is possible with AnyConnect; however, there is currently no SBL/PLAP functionality for the traditional IPsec VPN Client on Windows 7. There is an enhancement request for this feature, but it has not been implemented, so I can't give you an idea of whether it will ever be supported; see CSCse47544.

    -heather

  • Question of access list for Cisco 1710 performing the 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

    For example, take the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of access-list 130 (something other than 192.168.100.0/24) crosses the VPN tunnel or goes directly out the Ethernet0 interface.

    My understanding is that traffic that matches access list 120 would be encrypted and sent through the IPSec tunnel. If there were "deny" statements in access-list 120, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the crypto map definition references only "match address 120", any traffic that matches access list 130 would be sent out Ethernet0 but not associated with the crypto map and thus not sent through the IPSec tunnel.

    Any input or assistance would be greatly appreciated.

    crypto map Test 11 ipsec-isakmp

    ..

    match address 120

    interface Ethernet0

    ..

    crypto map Test

    ip nat inside source route-map sheep interface Ethernet0 overload

    access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 permit ip 192.168.100.0 0.0.0.255 any

    route-map sheep permit 10

    match ip address 130

    It would go out through interface e0 to the Internet in clear text without going over the tunnel

    Jean Marc

  • Apply an ACL for a VPN tunnel

    Hello

    My PIX is currently configured to allow all IPsec traffic to enter my network (sysopt connection permit-ipsec). I would like to change that so that I can define what traffic is permitted (and off).

    My installation is simple (IMO). I only have the default outside & inside interfaces. I guess I can control "outbound VPN traffic" in an incoming ACL on the inside interface.

    But how can I control what traffic is allowed when entering the VPN tunnel? I don't have any interface to apply this since it is a VPN tunnel.

    And I can't apply to the external interface, I think that, given that traffic arriving on this interface is ESP traffic, so encrypted and of course, I want to be able to define what is allowed in based on what looks like the decrypted packet.

    Any thoughts anyone?

    Thank you and best regards,

    Kevin

    IPsec traffic is decrypted before going through the outside ACL. When it passes through the ACL, the source and destination addresses correspond to the real IPs. So accomplishing what you want is easy: just remove sysopt connection permit-ipsec and change your outside ACL, using the real IPs as source and destination addresses.

    For example, you have a LAN-to-LAN VPN with your inside network 10.10.10.0/24 and a remote inside network 172.20.0.0/16, and you want to give this network access to a web server at 10.10.10.33; just add a line

    access-list acl_out permit tcp 172.20.0.0 255.255.0.0 host 10.10.10.33 eq 80

    access-group acl_out in interface outside

    acl_out will end up with a mixture of public and private source addresses and that is OK, the PIX doesn't care.

  • Are SSH keys protected by a password supported for SSH tunnels?

    Using SQL Developer 4.1 I get an error if I try to connect a SSH Tunnel using a private key that is protected by a password.

    com.jcraft.jsch.JSchException: privatekey: aes256-cbc is not available [B@2ef5d584
      at com.jcraft.jsch.KeyPair.load(KeyPair.java:654)
      at oracle.dbtools.raptor.ssh.RaptorFileIdentity.createIdentity(RaptorFileIdentity.java:26)
      at oracle.dbtools.raptor.ssh.RaptorIdentityRepository.getRepository(RaptorIdentityRepository.java:32)
    
    


    I don't see anywhere to enter the password; is it supported?

    Thank you.

    As Jeff said, pass phrases are supported. While your keyfile may require a password, is not what we shifted upward.

    Instead, the problem is that SQL Developer does not support aes256-cbc. We don't specify it as a supported encryption algorithm when trying to open the SSH connection, so the key cannot be used. It is a bug, please add support for additional cryptographic algorithms beyond the default value OF THE used by ssh-keygen and other key generating default tools.

    In the meantime, if you have a control on the generation of keys, you can try using a different encryption algorithm but preserving the password requirement. The only solution would be to create the tunnel outside the SQL Developer and then manually create connections that run through the tunnel.

    -John

    SQL development team

  • VPN tunnel for initiation of the static method to the dynamic side

    Hello

    In the case of a site-to-site VPN between a static IP (ASA) and a dynamic IP (Linksys AG241), would it be possible to open the VPN tunnel from the static side? How can I configure it? Could you please advise?

    Thank you very much

    Nitass

    Nitass, I'm sure that you can not start session with ASA, which is on the side of the VPN server.

  • Keep Site to Site VPN Tunnel active for monitoring

    Hi all

    I have a site-to-site VPN tunnel configured that only comes up when traffic is generated from the remote peer. Is it possible to keep the tunnel active once it is established?

    My requirement is to monitor the VPN to see availability, so I need to ping one of the NAT'd IPs on the remote end, but it comes up only when traffic is generated from the remote peer.  Currently the default timers on the SA are configured.

    Help, please...

    Thank you

    Mikael

    group-policy TARGET_GP attributes

    vpn-idle-timeout none

  • X3500 VPN tunnel

    I need to establish a VPN connection between my office and a computer over the internet, allowing access to the internal LAN from the outside. I have a problem with my router and I am looking for a new one.

    Can I use the X3500 to establish a PPTP VPN tunnel, or can it work only as VPN passthrough?

    This modem/router supports VPN passthrough for IPSec, PPTP and L2TP only. Try Linksys Gigabit VPN routers like the LRT series.

  • RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

    Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

    In short I am configuring a 'Gateway to gateway' VPN tunnel between two sites. I don't have access to the config of the Samsung router, but the ISP's making sure that they followed my setup - looking at the RV042 logs, I don't however see the reason for the failure - I'm no VPN expert...

    Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

    System log
    Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
     
    Time
    Type of event Message
    2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
    2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
    2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
    2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
    2 sep 03:36:02 2009 VPN Log Main Mode initiator
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
    2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info] < initiator received main mode 2nd packet
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
    2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info] < initiator received main mode 4th packet
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
    2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
    2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
    2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
    2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info] < initiator received quick mode 2nd packet
    2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
    2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
    2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
    2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

    PFS - off on tada and linksys router does not support the samsung lol! connected!
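
A small checker for the symptom in the RV042 log above, where each Phase 2 SA is followed within a second or so by a Delete SA payload from the peer and negotiation starts over. This is an added example, not part of the original thread; the line layout, the constructed sample lines, the 5-second window and the two-flap threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, in a cleaned-up form of the log layout quoted above.
SAMPLE_LOG = """\
Sep 2 03:36:02 2009 VPN Log Quick Mode Phase 2 SA established, IPSec Tunnel connected
Sep 2 03:36:02 2009 VPN Log Received Delete SA payload: ISAKMP State #627
Sep 2 03:36:03 2009 VPN Log Main Mode Phase 1 SA established
Sep 2 03:36:03 2009 VPN Log Initiating Quick Mode PSK+TUNNEL+PFS
Sep 2 03:36:04 2009 VPN Log Quick Mode Phase 2 SA established, IPSec Tunnel connected
Sep 2 03:36:05 2009 VPN Log Received Delete SA payload: ISAKMP State #629
"""

# Assumed layout: "<Mon> <day> <HH:MM:SS> <year> VPN Log <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) VPN Log (.*)$")


def parse(text):
    """Yield (timestamp, message) for each line matching the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = " ".join(m.group(1).split())  # collapse padded day field
            yield datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m.group(2)


def find_flaps(text, window=timedelta(seconds=5)):
    """Report Phase 2 SAs that the peer deleted within `window` of setup."""
    flaps, last_up, pfs = [], None, False
    for ts, msg in parse(text):
        low = msg.lower()
        if "quick mode" in low and "pfs" in low and "established" not in low:
            pfs = True  # the local side is proposing PFS in Quick Mode
        if "phase 2 sa established" in low:
            last_up = ts
        elif "delete sa payload" in low and last_up is not None:
            if ts - last_up <= window:
                flaps.append((last_up, ts))
            last_up = None
    # Heuristic: repeated immediate teardowns point at a Phase 2 setting
    # (such as PFS) that the two peers do not agree on.
    return {"flaps": flaps, "pfs_proposed": pfs,
            "suspect_mismatch": len(flaps) >= 2}


if __name__ == "__main__":
    print(find_flaps(SAMPLE_LOG))
```

Where both peers support PFS, aligning them by enabling it on both ends, rather than disabling it, keeps forward secrecy for the Phase 2 keys.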
