Walked
Apr 14, 2003

I currently have lab access to a CCNA lab for the evening through a class I took. Anyone care to hop on AIM and give me some suggestions for things to work on configuring and whatnot? It's really kinda pointless when I have a step-by-step guide in front of me, yaknow?

AIM in profile if so.


Walked
Apr 14, 2003

I am not a networking guy and never have been.

That said, I've been tasked with setting up a couple of external sites with a hardware VPN to get them on our domain.

I've got an ASA 5505 in hand, but that was already available. I've got a few Cisco routers as well at my disposal, and some money.

1) Anyone want to handhold me through the process of setting up a quick proof of concept using the 5505 to be the client, and a 2811 as server for a remote access VPN? The 2811 is what I've got on hand, but I can get ahold of a 3000 series too.

2) Is this more trouble than it seems? What hardware should I be looking at for the VPN client? I've got money to spend if necessary.

Basically, I don't know what I am doing, but at least I know I don't know what I'm doing. Anyone care to direct me here? Goal is seamless VPN for a couple remote sites.

Walked
Apr 14, 2003

jwh posted:

For seamless VPN for a couple remote sites, I'd recommend either going entirely with ASAs or entirely with IOS based routers (like your 2800).

You can get Cisco 871s, for example, for about five-hundred bucks that will do this job nicely.

The configurations will be more complex on the IOS platform (at least, there's no ASDM wizard), but I could give you some skeletal configurations to work with (or, heck, I could just work it up for you in a few hours).

Entirely ASAs is definitely an option.

We have one central location (PMO office) and about 3 satellite offices. I want to put an ASA at each office, and have that seamlessly connect to us here.

A skeletal config for a 2800 series router would be awesome. If nothing more than for me to get a proof of concept up for management that's very touchy-feely.

Also, can one ASA handle being the VPN server for 4-6 locations? If so, that works fine for me, too.

Walked
Apr 14, 2003

ragzilla posted:

ASA5510 at the head office, ASA5505s at branch (with appropriate license for number of users/MACs behind it).

The ASA can do hub/spoke VPN routing (not quite as neat as IOS DMVPN, but functional if the head office has plenty of bandwidth). It'll also handle firewalling/NAT for all the offices.

iperf, udp mode.

Can I get by with something cheaper than a 5510? I can probably get the PO pushed through, but it's a bit spendier than I think management is going to want to see.

3 remote locations, 3 or so users per remote site. If 5510 is the way to go, then it's the way to go.

Walked
Apr 14, 2003

ragzilla posted:

How many users at the head office? You can likely get away with a 5505 but if you have more than 25 users you'll need to purchase additional licensing for the 5505.

5505 has 100mbps of VPN throughput thanks to the accelerator chip, but you're also going to be eating into connections/second for all your connections over VPN, as well as internet access from the main office (hence why I'd normally recommend a 5510 for the head office)

About 50 users at the main office. There's no real infrastructure at the remote locations; just client machines at this time.

Walked
Apr 14, 2003

ragzilla posted:

If you have 50 users I'd assume you occasionally go over 50 MACs behind the firewall, so when pricing an ASA 5505 for the main office location make sure you're looking at the Unlimited version: ASA5505-UL-BUN-K9.

Yeah, that's much more within our (my) budgetary goals. I assume I can get by with the 10 user licenses for the remote locations?

Walked
Apr 14, 2003

And I'm back.

So, here's where I'm fuzzy: setting up the ASA and handling routing.

I've got an ASA 5505 acting as a VPN server.

It's on the corporate office network, behind a 1:1 NAT rule that permits all traffic.

Internal Interface (vlan 1) is 192.168.1.0 Subnet
Outside interface (vlan 2) is 172.19.80.0 subnet

A device on the internal interface can communicate with all our subnets connected to the network. E.g. it can hit a 172.19.70.0 subnet fine.

A device on the outside can hit the 192.168.1.0 subnet fine.

However, if I have a client VPN in, it can only sorta communicate.
It's connecting to the IP of the outside interface (172.19.80.29) and I've tried having the ASA dole out both 192.168.1.X IP addresses, and 192.168.100.X IP addresses.

In this situation, I can hit devices connected to the internal interface (e.g. 192.168.1.2) but nothing connected outside. I assume this is because I'm dumb and the outside interface is acting as the VPN interface and thus everything dies.

But I also don't know.

Any suggestions?

Walked
Apr 14, 2003

BelDin posted:

As I have been made painfully aware over the years, the ASA is not a simple router and will not behave as such. You should need to add the CLI config item:

same-security-traffic permit intra-interface

Possible explanation: The ASA does not let traffic enter and exit the same interface without this command. Since your VPN connection is tied to the outside interface, traffic can flow everywhere you allow except back out the outside interface. This is referred to as "hairpinning".

A better explanation can be found here

You are my hero. Going to give that a whirl tomorrow. Sounds like the solution!
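Added example, not code from anyone in the thread: a small Python model of the rule BelDin describes, so you can see why Walked's VPN client reaches 192.168.1.2 but not 172.19.70.x. The addresses are the ones Walked posted; the interface names, the default route and the config text itself are constructed for the example, and the real ASA also applies NAT and access rules that this model ignores.

```python
# Added example (not from the thread): toy model of the ASA rule BelDin describes.
# A flow that enters and leaves on the same interface ("hairpinning") is dropped
# unless "same-security-traffic permit intra-interface" is configured. Addresses
# are the ones Walked posted; interface names and the config text are constructed.
import ipaddress

CONFIG_BROKEN = """
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 172.19.80.29 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.19.80.1 1
ip local pool VPNPOOL 192.168.100.10-192.168.100.50 mask 255.255.255.0
"""
CONFIG_FIXED = CONFIG_BROKEN + "same-security-traffic permit intra-interface\n"


def parse_config(text):
    """Collect connected subnets per nameif, static routes, and the hairpin flag."""
    ifaces, routes, cur = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = None
        elif line.startswith("nameif "):
            cur = line.split()[1]
        elif line.startswith("ip address ") and cur:
            _, _, ip, mask = line.split()
            ifaces[cur] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("route "):
            _, name, net, mask, *_ = line.split()
            routes.append((name, ipaddress.ip_network(f"{net}/{mask}")))
    return ifaces, routes, "same-security-traffic permit intra-interface" in text


def egress_interface(ifaces, routes, dst):
    """Connected subnet first, otherwise the most specific matching static route."""
    dst = ipaddress.ip_address(dst)
    for name, net in ifaces.items():
        if dst in net:
            return name
    hits = [r for r in routes if dst in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen)[0] if hits else None


def vpn_client_can_reach(config_text, dst, vpn_interface="outside"):
    """Does a remote-access client terminated on vpn_interface get a packet to dst?"""
    ifaces, routes, hairpin = parse_config(config_text)
    egress = egress_interface(ifaces, routes, dst)
    # Same interface in and out is only allowed once the intra-interface permit is set.
    return egress is not None and (hairpin or egress != vpn_interface)
```

Enabling the permit also means anything the client sends toward the outside interface (with a tunnel-all policy, its internet traffic) now flows through the ASA, so check the access rules on that interface once it is on.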

Walked
Apr 14, 2003

I'm walking into a new job, mainly in a Windows Administrator role, but I've been informed I'm going to get stuck with a bit of networking too, namely to support the domain I'm to stand up and administer.

The situation:

Site A - Cisco ASA5505
Site B - Cisco ASA5505

Right now, they're independent sites that they use a Cisco VPN client to connect to from their corporate office, over the internet.

They want the sites (including Site C, their corporate office) all on one contiguous domain via VPN.

Question) Will a third ASA 5505 at Site C enable me to do a mesh VPN between the three sites? How complicated is the configuration? I don't particularly want to do any traffic filtering.

Relatively low traffic between all 3 sites.

Just trying to point my nose in the right path.

Walked fucked around with this message at 20:20 on Dec 6, 2011

Walked
Apr 14, 2003

Harry Totterbottom posted:

Set up site-to-site ipsec tunnels between each office using the wizard in the ASDM. Make sure you match your crypto-map and have a trusted cert if you don't use a passphrase.

Yeah; just making sure - an ASA 5505 can handle multiple site-to-site links on one device, right? It's not two-way only, right?

Beyond that, I've set up remote access on a couple ASAs so I'm not terribly worried about the configuration process as long as it's similar. Just making sure we're hitting the hardware requirements.

Walked
Apr 14, 2003

That's all I needed to know. Thanks. Just trying to do some prep-reading. Seems actually pretty painless for what they need/want.

Walked
Apr 14, 2003

Tremblay posted:

Hope each site uses discrete/unique subnets!


Thank gently caress for this. Basically 2 of the three sites haven't been configured in any meaningful way yet. So I should have flexibility on it.

Also I just got some of their technical documentation (hooray already having a clearance and all my information assurance training done) as well as their projected timelines. I'm good to go. I'm looking at a 1-2 year window to get VPN configured and a domain stood up.

:psypop:

Walked
Apr 14, 2003

jbusbysack posted:

2 years for an AD domain and two site to site VPNs is considered the performance metric? Wow.

I'm really, really hoping someone is giving me wrong information. Granted, the task-list is much longer and has many other tasks as well. So we'll see. Money's too good regardless.

Walked
Apr 14, 2003

I'm not a Cisco guy by trade, but I need to configure a site-to-site VPN connection here at work, between two 5510s with mismatched ASA versions (7.0 and 8.4).

I'm a bit tied up with a million and one things to do and got the go-ahead to hire someone to handle the configuration for me rather than spend a ton of time to handle it.

Does anyone here do any freelance Cisco work on the side?
Feel free to PM me and I can give you a better rundown; probably less than an hour of actual work and I can get you whatever access is required to configure.

Walked
Apr 14, 2003

Langolas posted:

Would upgrading the 7.0 ASA be an option? I'm familiar with both and may be willing to help/teach depending on your time frame. I would be using you to brush up on some site to site vpn :)

It is an option, however not an immediate one. We have a lot of restrictions on outage windows, and I've got one booked to upgrade the 7.0 ...at the end of November, best case.

The VPN doesn't have a specific timetable attached at all; I'm just trying to get it a bit sooner than that if remotely possible.

Walked
Apr 14, 2003

I'm ripping out all our ASA5510s on December 4. Hell yes. Can't wait for them to be gone

Walked
Apr 14, 2003

So networking isn't my forte (or focus area), but it's something I obviously interface with periodically.

We have a switch that my junior admin set up the other day and asked for assistance with today while I was on-site with him.

Ports 1-23 - VLAN2 (untagged)
Ports 24, 48 - VLAN1 (native, untagged)
Ports 24-27 - VLAN3 (untagged)

He asked me to give it a look today, and I only had a minute to peek at it, not thoroughly troubleshoot with him.
Basically, hosts on VLAN2 cannot communicate; for example, plugged into ports 3 and 9, on the same subnet: no dice.
Similarly, hosts on VLAN3 cannot communicate, same idea.
VLAN1 for switch management works just fine on Port 24 and 48.

Resetting the VLAN configuration to have the whole switch native to VLAN1 in default config, and hosts can talk as they should (but the switch isn't segregated the way he wants, obviously).

Any tips I can toss him? I am in the middle of rebuilding a portion of our virtualization environment with a tight deadline so I don't have a ton of time to hand-hold; I'm merely looking for thoughts or tips I can toss at him on this.


Walked
Apr 14, 2003

Thanks Ants posted:

Is it a Cisco switch or not? I've seen switches from some manufacturers let you specify the untagged VLAN as well as the PVID per port for reasons I have no idea about, and if they didn't match then no traffic would pass. I would assume the guy hasn't created a private VLAN so that can probably be ruled out, but it might be worth a look.

Oops, no - not Cisco. I'll have him take a look; thanks
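Added example, not code from the thread or from any switch vendor: a toy Python model of the per-port PVID vs untagged-membership mismatch Thanks Ants describes, plus the check the junior admin could run mentally against his port table. The membership follows Walked's table (port 24 appears in both VLAN1 and VLAN3, so it is modelled as an untagged member of both); the PVID values, the 48-port size and the unlisted ports staying in VLAN1 are all assumptions, since the actual switch and its settings are unknown.

```python
# Added example (not from the thread): toy model of the PVID vs untagged-membership
# mismatch Thanks Ants describes. An untagged frame entering a port is classified
# into that port's PVID; it can leave untagged only on ports that are untagged
# members of that VLAN. Membership follows Walked's table; PVIDs, the 48-port
# size and "unlisted ports stay in VLAN 1" are assumptions.
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs this port emits untagged


def build_ports(pvid_follows_membership):
    """Ports 1-23 in VLAN 2, 24-27 in VLAN 3, 24 and 48 in VLAN 1 (management)."""
    ports = {}
    for p in range(1, 49):
        if p <= 23:
            untagged = {2}
        elif p <= 27:
            untagged = {1, 3} if p == 24 else {3}
        else:
            untagged = {1}                       # port 48 and the unlisted ports
        # Broken case: every port kept the factory PVID of 1 while membership was
        # changed. Fixed case: PVID set to the (lowest) VLAN the port is untagged in.
        pvid = min(untagged) if pvid_follows_membership else 1
        ports[p] = Port(pvid=pvid, untagged=untagged)
    return ports


def can_forward(ports, src, dst):
    """Untagged frame from src to dst: classify at ingress, check egress membership."""
    vlan = ports[src].pvid
    return vlan in ports[dst].untagged


def mismatched_ports(ports):
    """Ports whose PVID is not a VLAN they are untagged in: their frames go nowhere."""
    return sorted(p for p, port in ports.items() if port.pvid not in port.untagged)
```

`mismatched_ports` is the list to hand the junior admin: on the broken table it names exactly the data ports (1-23 and 25-27) that cannot talk, while the management ports 24 and 48 pass because their PVID of 1 is still a VLAN they belong to.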
