Cisco :: ASA 5510 - Not Routing Internally

Oct 8, 2011

I have an ASA 5510 with its inside network connected to 10.102.247.0/24, interface 10.102.247.1. Within the inside network I have got a router 10.102.247.42 routing to 172.16.30.64/255.255.255.240. The hosts in the network 10.102.247.0/24 have got as default gateway the ASA 10.102.247.1.

Now the issue is that the hosts 10.102.247.0/24 cannot ping the hosts in the 172.16.30.64 network, only the ASA interface 10.102.247.1. I have added on the ASA route inside 172.16.30.64 255.255.255.240 10.102.247.42
 
I have added

same-security-traffic permit intra-interface
 
But nothing, I have tested one host in the 10.102.247.0/24 by adding a static route 172.16.30.64/255.255.255.240 to 10.102.247.42 and it is working fine.
 
So the ASA is not routing internally. Is there anything I can do, maybe NAT issue, nat(inside, inside) 10.102.247.0 10.102.247.0 net mask 255.255.255.0

View 1 Replies



Cisco Firewall :: 2nd Public IP Address On 5510 That Points Nowhere Internally

Mar 15, 2011

Will I break anything if I create a second IP address on the physical external interface of our ASA 5510?  I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.

View 9 Replies View Related

Cisco Routers :: Public IP Used Internally On RV220W?

Aug 26, 2012

I've finally set up our RV220W to serve our office network, using the following environment: The WAN is set to a public IP (static configuration), while the internal network consists of two VLANs. VLAN 1 is connected to the cabled network and one wireless SSID, where DHCP is served by our Windows SBS server (192.168.15.x), and this VLAN is used only for our own office. VLAN 2 is connected to a second wireless SSID, where DHCP is served by the RV220W itself (192.168.17.x), and this VLAN is used for guests and visitors to our office.

On a regular basis, we need to use a mobile device to access a test page from a development server on VLAN 1, and the router is configured to redirect connections on a specific port on the public IP to our development server. For VLAN 1, I solved this by overriding DNS for the hostname of this test page to use the local IP for the development server. However, for VLAN 2, there is no way to access this test page.
 
Is there any way I can configure the router to either redirect these connections, or override the internal DNS so the test page on the development server can be reached also from VLAN 2 (the guest/visitor network)?

View 5 Replies View Related

Cisco WAN :: 1941 - Accessing External Address Internally

Sep 17, 2012

Accessing external address internally.

I have a mail server, with external access which works fine for external access through our router (a 1941). I have a laptop which connects to a wireless network that is inside our router. When attempting to navigate to the webmail or use Outlook, it cannot connect.
 
The laptop is configured to access the mail through the external path as it would be offsite occasionally.
 
I think the problem seems to be that the traffic is not leaving the router to come back internally. The laptop can ping the external address ok.
 
I read about something called hairpinning - is this what I need to be looking at?

View 3 Replies View Related

What Happens Internally When No Shut Command Given On Router Interface

Aug 13, 2012

What happens internally when the no shut command is given on the interface of a router? The router interface goes up. How? What happens internally on the interface of the router?

View 8 Replies View Related

Email Internally Bounce And Give A 550 Error

Sep 30, 2011

I found that the domain name was hosted at enom.com and the email was Gmail. The web servers are both Media Temple servers. We updated the settings on the new server using Google's instructions. However, it is still not working properly. So, to be as clear as possible, here are the specifics:

Email from the outside works fine, email internal to external works fine, email internally (from one employee to another internally) will bounce giving a 550 error. After researching this error, I found that several people have had this issue, however, the majority of the fixes didn't work.

View 3 Replies View Related

D-Link DIR-655 :: Cannot Connect To Dyndns Domain Internally

Jul 26, 2012

ISP: comcast
Router: DIR-655
Hardware Version: B1
Firmware Version: 2.04NA

Currently, I have a machine attached to the router that has a webserver and ssh (Fedora Linux). The ports are successfully forwarded (in this case, tcp 80, and tcp 22), and from outside of my network I can connect. Also, I use dyndns.com to provide a domain name, instead of using my IP. The dyndns account is NOT managed by the router. The server I am trying to connect to has a reserved IP address. My problem is that from inside of my network, using the dyndns domain name, I cannot connect to my site.

View 10 Replies View Related

Time Outs On LAN - VoIP Phones Have A Delay Internally?

Oct 6, 2011

A couple of users on my network complain about timeouts. They access the same server which runs a SQL server. People from the outside world can access it without a problem but internally it keeps timing out. I have also noticed that VoIP phones have a delay internally. So if I pick up my phone and dial an extension the other person can't hear me sometimes but I can hear him.

I have experienced the VoIP problem but have never had any timeouts on my machine. I tried packet capture on a couple of computers but I can't see anything out of the ordinary. A lot of ARP, some STP which I think shouldn't reach the machines, Dropbox traffic etc.

View 2 Replies View Related

Linksys Wireless Router :: Ea2700 - External IP Internally?

May 10, 2012

I got an EA2700 and I can't get the external to work internally, which I need for server tests. Now this has worked before on every other router I had without any editing done, but this one doesn't allow that, so what can I do to make it work with this router?

View 9 Replies View Related

Cisco Firewall :: ASA 5520 - Unable To Resolve External Hostname Internally

Jul 1, 2012

I am working on adding a mapping to our external address for our mail server - let's call it mail.example.com
 
I would like to be able to access mail.example.com internally for our user's smartphones - if they access our company WiFi they are not able to get mail using the mail.example.com as the server name in their phone setups.  However, once they leave the office and use any other WiFi it works fine. Also, I am unable to ping that address from any internal device.  I believe also this is the reason Exchange accounts do not work on our site to site VPN connections.
 
I have an ASA 5520 and work primarily in the ASDM 6.4 to do configurations in the main office and have 5510s in our site to site connections.

View 6 Replies View Related

Cisco Switching/Routing :: ASA 5510 Routing Specific Traffic To Inside Router

Nov 7, 2012

I have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2.  LAN1 & LAN2 are independent, but share the Internet connection, via the T1 line.  On LAN2, I have another router that connects to the Internet, via a Comcast line.  I wish to route some of the traffic on LAN2 (10.38.77.0) to the other router, on LAN2 (10.38.77.12) (connected to the Comcast line).  I have entered the following lines:

route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
 
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.

View 7 Replies View Related

Cisco Switching/Routing :: ASA 5510 / Routing Mobile Users Via VPN To Different Gateways

Oct 6, 2012

I have mobile users using air cards that connect to the network with a VPN product called Net Motion. Our firewall is an ASA 5510. Once connected to the Net Motion VPN server the user will get a DHCP address from our network. In the past we could not get the VPN tunnel to complete since our layer 3 switch (3750G IP services) has 3 egress points and the egress point that we needed the VPN traffic to go out of is not the default gateway. To solve this we had the air card carrier switch our air cards to static IP addresses and using route statements for the public IP addresses and access lists we got it to work.

The problem with this is that every new air card we provision needs a static IP address. My question is would policy based routing work in this scenario? The problem has been that the VPN tunnel was not able to complete the negotiation phase as the traffic came into the switch and was trying to go out the default gateway. The VPN client won't get an internal IP address until the VPN tunnel is created.
 
I would like to get away from using static IP addresses.

View 1 Replies View Related

Cisco Switching/Routing :: Nexus 7010 / 5510 - Run OSPF As Layer 3 Routing Protocol Between VPC Peer Links

Mar 25, 2012

I have an environment where i have two nexus 7010 switches, along with 2 nexus 5510's. I need to run OSPF as a layer 3 routing protocol between the vpc peer links.  I have 1 link being used as a keep alive link, and 3 other links being used as a VpC link.
 
1) Is it best to configure a separate Vpc VLAN i.e 1010

2) Is it best to configure a vrf context keep-alive

3) just have the management address as the peer ip's.

View 2 Replies View Related

Cisco VPN :: ASA 5510 / VPN Profile Routing

Feb 23, 2012

I have an ASA 5510 being fed by ACS for authentication and groups. I have several VPN groups, and I'm trying to determine how the local routes on the VPN client are created. I know it's based on the VPN group because clients with different policies get different routes when they log in. I know I should know this as I've set up groups before but for some reason this section of my brain wasn't backed up.

View 4 Replies View Related

Cisco VPN :: ASA 5510 - Routing All Traffic Over Lan-to-Lan

Mar 6, 2013

Headquarters has an ASA 5510 (8.2.5) and each of the branch offices has an ASA 5505 (8.2.5).
 
Currently, internet traffic from the branch offices is routed straight out to the internet, while traffic destined for HQ is encrypted over the VPN tunnel.

We use a Websense v10000 G2 to filter web traffic for our HQ site and the branch offices use Websense Hybrid filtering (a pac file in their browser - cloud based filtering).

One change we are considering making is to route ALL traffic from the branch offices through our Headquarters so they can also be filtered by the v10000 G2, rather than using the Hybrid Filtering.  The Branch Offices typically have 6Mbps/768Kbps DSL connections.

What are the negative consequences of routing all traffic through our HQ?  HQ has enough bandwidth to accommodate the increased traffic from the branch offices but I was wondering how the branch offices would be affected?  Originally I was thinking that the Branch Office download speeds would essentially be limited to the speeds of their upload speeds because all traffic would be getting sent up to the Branch Office.  After thinking about this more though, I don't think this would actually be the case.  You would lose a little bit of speed due to the encryption, but it shouldn't be that drastic, correct?

Also, what configuration changes would be necessary to achieve this?  Here is the NAT/Route configuration of one of my branch offices:
 
crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 24.XX.XX.251
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN interface outside
 
access-list CDEO extended permit ip 10.124.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.124.0.0 255.255.0.0 10.0.0.0 255.0.0.0

global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
 
route outside 0.0.0.0 0.0.0.0 71.X.X.51 1

I considered changing the CDEO access-list to access-list CDEO extended permit ip 10.124.0.0 255.255.0.0 0.0.0.0 0.0.0.0 but I was afraid that maybe the VPN tunnel wouldn't be able to be established without first adding a deny statement so that traffic destined for the Public IP of our HQ ASA wouldn't try to go over the tunnel?  Would any changes be necessary to my NAT rules?

View 3 Replies View Related

Cisco WAN :: ASA 5510 L3 Switch Routing

Oct 6, 2011

I have a Catalyst L3 switch. I have 3 VLANs set up. This L3 switch is acting as my internal router for my 3 different subnets.
 
VLAN 2 - 10.10.10.1 - eth0/1
VLAN3 - 192.168.202.1 - eth0/2
VLAN4 - 192.168.200.1 - eth0/3
 
Within subnet 192.168.200.0, I have a firewall gateway of 192.168.200.254. There are 5 vpn tunnels going though this firewall.

192.168.102.0
192.168.103.0
192.168.104.0
192.168.105.0
192.168.106.0
 
These tunnel subnets have a default gateway of 192.168.200.254. How can I configure them within my L3 switch?

Example: A server within my 10.10.10.0 subnet wants to get to the tunnel 192.168.102.0 - how is the routing handled? I assume I need to have routes set up in my L3 switch, I am just not sure how I should create them? I would like to use a routing protocol like OSPF. I have an ASA 5510 that acts as the gateway for the 192.168.202.0 network. The others are SonicWalls which do not support routing protocols, so I would keep their static routes.

View 33 Replies View Related

Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I attached the complete config. The earlier discussion, I cannot select reply. Looks like ACL is denying it. But I am not sure which one or how to permit it.
 
sh run
: Saved
:
ASA Version 8.0(4)

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I have a WAN interface and 2 LAN interfaces. I need both LANs to be able to access a server outside the network via the WAN (outside) interface. I am using an ASA 5510 firewall instead of a router, because I don't have a router. It looks simple enough but it does not work. A ping from a PC (172.16.22.8) connected to the LAN (inside) network to 10.10.10.1, which is the WAN local interface, also did not work. But from the ASA firewall, I could ping my LAN (inside) PC. I followed a config I got from this forum. However, it did not work. Below is my config.

interface Ethernet0/0
nameif outside
security-level 0

[Code]....

View 5 Replies View Related

Cisco Firewall :: ASA 5510 8.3 - InterVLan Routing With NAT

Aug 10, 2012

I have found multiple solutions to this question for < 8.2 but no solutions for the new way the ASA does NAT statements. Basically I have multiple VLANs and I need 2 of them to communicate
 
inside - 192.168.1.0/24 ( security-level 100 )
voice - 192.168.100.0/24 ( security-level 100 )
 
Error i am getting is:
192.168.1.100  192.168.100.100
Deny inbound icmp src inside:192.168.1.100 dst Voice:192.168.100.100 (type 8, code 0)
[Code]....

They are not working, I have found multiple examples for the old style nat statements to resolve this issue but none on the new style.

View 2 Replies View Related

Cisco :: Dynamic Routing Over Internet Using ASA 5505 / 5510?

Apr 16, 2011

There are three different sites, two are composed of multilayer switches Cisco 3560 and 3570 as core switches (a 3560 in one site and a 3570 in another site), the last site doesn't have any routers, just a 2950 switch. Each site has two ASA 5505 as firewalls. Two Internet connections are connected to every site, one on every firewall. One Internet line is used to connect the different sites together using VPN crypted with IPsec and the other line is just for Internet access. The line that is used to interconnect sites contains voice and data traffic. At the moment all the routes are static routes, the network isn't too big for now and counts not more than 20 subnets. But it is evolving, and I want to use dynamic routing, EIGRP to be more accurate. I've looked into it and I'm not sure how to make it work. The VPNs active on the ASAs don't support dynamic routing, so I thought about GRE tunnels but the ASAs don't seem to allow it either.

View 11 Replies View Related

Cisco Switching/Routing :: 5510 DNS And Internet Responding

Mar 30, 2012

I have a problem with ASA 5510 version 8.2(1). I have a Mac OS X 10.6.8 DNS server. When the ASA is online and I want to use the internet, my internet is very slow; it needs about 1.5 min to open yahoo.com, and the ASA log viewer shows too many drops. I have only the rule allow any tcp/udp domain.

View 1 Replies View Related

Cisco Switching/Routing :: Configure Proxy On ASA 5510?

Jan 11, 2012

Can I configure a proxy on an ASA 5510? I.e. for internet use my users should be authenticated by the ASA 5510, and after successful authentication the user should be allowed to access the internet. Further, is it possible to do bandwidth management with the ASA 5510?

View 1 Replies View Related

Cisco Switching/Routing :: Discovering ASA 5510 Devices In LMS 4.2.3

Dec 9, 2011

I'm currently deploying LMS 4.2.3 Demo version and I'm unable to discover my ASA 5510. How to discover my ASA to manage it in my Cisco Works 4.2.3?

View 35 Replies View Related

Cisco Switching/Routing :: Failover VPN With 2821 And ASA 5510

Jul 2, 2012

Currently I have a network that looks like this:
 
ASA5510 - - - Internet - - - ASA5510
     |                                             |
EIGRP                                 EIGRP
     |                                              |
2821 -----------MPLS----------1841
                         BGP
 
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?

View 2 Replies View Related

Cisco Switching/Routing :: Wireless Router Off Of ASA 5510?

Mar 12, 2012

I work at a small company and have very limited experience with networking. We have an ASA 5510 that connects out to our ISP. The inside interface is connected to a port on a Trendnet switch (where all of our clients are connected as well) using 192.168.0.0/24. We also have a Linksys wireless router connected to one of the ports on the Trendnet in which it (wireless router) receives an IP via DHCP from the ASA. I know this isn't the best setup so I would like to connect the wireless router to one of the interfaces on the back of the ASA and have it able to communicate with the 192.168.0 network without any restrictions. Is this possible to set up? If so can it be done using the ASDM?

View 4 Replies View Related

Cisco VPN :: ASA 5510 ASDM - Routing Over Different External Interface

Sep 18, 2012

I have an ASA 5510 (ASA 8.0(4), ASDM 6.1(3)). I have 2 internet connections (only 1 is currently active). Currently all internet and VPN traffic go over 1 interface. What I want is to move general internet onto the new internet connection but keep VPN traffic on the old internet connection. I can get the internet working but as soon as I do the VPNs go down. VPNs are site to site VPNs.

View 4 Replies View Related

Cisco Switching/Routing :: Password Break In ASA 5510

Jul 24, 2012

I have a Cisco ASA 5510 series router which was handled by one of our network admins, who left without giving the admin password. Now it is time to break the password. Since I don't know the admin password of the router, I don't know how to handle a few requests. I am not basically a network admin guy to handle such things, but I need to know how to break the password in order to do further requests. How to log in to the router admin console without a password, or is there any chance to bring it into default factory configuration?

View 1 Replies View Related

Cisco Switching/Routing :: How To Reset Password Of ASA 5510

Nov 15, 2012

I am trying to reset the password of an ASA 5510. It is entering ROMMON mode but after the boot command I am getting the following error.

View 3 Replies View Related

Cisco Switching/Routing :: Initial ASA 5510 Configuration

Mar 27, 2012

I'm trying to set up a new ASA 5510. I have a pretty simple set up with one /24 on the inside NATed to a DHCP address on the outside. Everything on the inside works and I can ping the outside interface from external devices. No matter what I do I can't get anything internal to route across the border to the outside and back. To try and eliminate ACL issues as a possibility I added permit any any rules to the incoming access lists on the inside and outside interfaces. Here's the sh run.
 
: Saved
:
ASA Version 8.4(3)
!
hostname gateway
domain-name xxx.local
[code]....

View 7 Replies View Related

Cisco Firewall :: Routing To Internal Subnets From ASA 5510

May 17, 2012

Having trouble with a couple items.  First of all, should I be able to ping the inside interface of the ASA from all internal subnets assuming all of these subnets/vlans are directly connected to the same L3 switch?  I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet.  I have set up static routing on the ASA [route inside 10.10.96.0 255.255.248.0 10.30.1.1 1] and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5].  The inside interface is on the 10.30.1.x/24 subnet.  My host is on the 10.10.96.x/21 subnet.  From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212.  I can however ping 10.30.1.1 from 10.10.96.212.
 
This leads to my next issue, which is trying to setup the ASA to work concurrently with our current firewall.  I'm doing this in order to transition to the ASA.  I'd much prefer to cutover inbound NAT a little at a time vs. doing it all at once.  Our current firewall is setup at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2).  So my question is, if I setup an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing **** since the default route points back to our other firewall? 

View 2 Replies View Related

Cisco Firewall :: ASA 5510 And 3750 VLAN Routing?

Dec 14, 2011

I am working on the exact same configuration as noted here [URL] that uses subinterfaces on the asa. I have two interfaces on my stacked 3750's configured as trunk ports (primary ASA on primary 3750 stack member, secondary ASA on secondary 3750 stack member).
 
My question is what should the DG be configured as on the 3750. Can I keep the 3750 in L2 or will I have to enable L3 routing? Should the VLAN interfaces be configured?

The port that the ASA is configured with has 3 subinterfaces on VLAN 100, 200, and 300.

The subinterfaces are G0/2.100, G0/2.200, and G0/2.300. I am in the middle of converting from 3 separate DMZ switches, each attached to their own port on the ASA which is their default gateway, to one physical port on the ASA broken into 3 subinterfaces which then connect to stacked 3750's. The stack will then have the 3 separate DMZs in actual separate VLANs.
 
My goal is to leave the default gateway for each dmz on the ASA so I don't have to modify other areas of the ASA config.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - NAT And Internal Network Routing

Apr 16, 2013

I am having a problem getting my ASA to work properly.  I attached a diagram for reference and most of the config is below. When I finally got it to route properly between 2 sub nets on the internal network, the NO NAT statement broke routing for the VPN Clients who rely on a NAT statement for the same sub net that is listed in NO NAT access list.  I can get one of the 2 to work by replacing NAT statements but can't figure out a combination to allow routing for both the internal sub nets and the VPN clients to work. 

It's been about 5 days of tweaking this thing just to get the internal routing to work correctly and when I finally did I broke VPN client access.  To note, the VPN clients can still log in and get a session going, they just can't get anywhere once they are in.  I also think there's a lot of stuff in this config that is not needed like a lot of the object groups, etc. but I am being very careful about removing anything.  I took over support of this ASA after someone else put it in place and over this past weekend we moved it to a new building and new ISP and that is when I had to get it to route between sub nets.  The main point of this move was to remove building 1's reliance on building 2 for Internet and outside email access in the event that building 2 is not available (it is close to water and this has happened more than once over the past year). 

So that is why I can't go with the smartest option of just keeping the routes on the router in the other building.  I also know the 1600s are ancient but they're all we have for now.  I can provide those router configs also but they are VERY basic, all static routing. The IP for the Cisco router on the same sub net as the ASA is 192.168.42.254.

This is the statement that allows the routing to work between the 2 internal sub nets but breaks VPN clients: nat (INSIDE) 0 access-list NO NAT

This is the statement that allows the VPN clients to work but breaks the internal routing: nat (INSIDE) 0 access-list INSIDE_nat0_outbound 

The rest of the config is below the diagram.
ASA Version 8.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password - encrypted
password - encrypted
names
dns-guard
[code]...

View 7 Replies View Related

Cisco Security :: ASA 5510 / Routing Http Flow On Two Different Interfaces?

Jun 21, 2012

I use 3 interfaces on an ASA 5510. First interface is Lan, second interface is Outside, third interface is ADSL. The Outside interface is used for VPN L2L and smtp traffic (leased line on router managed by ISP). The Adsl interface is used for http traffic (ADSL Cisco router). I use this configuration found on another forum subject for routing.

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route adsl 0.0.0.0 0.0.0.0 y.y.y.y 2
nat (inside) 1 0 0
global (outside) 1 interface
global (Adsl) 1 interface
static (Adsl,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

The problem is now I have a www intranet server on the VPN remote site. How can I exempt the http traffic to the intranet server routed through the Adsl interface?

View 7 Replies View Related






