Cisco :: ASA Same Source And Destination

Jul 24, 2011

I have a situation which requires some non best practice stuff to be done. There is a box behind an ASA that has a lot of code that references public DNS names and therefore needs access to itself and a number of other boxes on the same subnet via the public DNS names (that obviously resolve to public IPs). This traffic is dropped on some pretty fundamental ASA characteristics. I know this isn't really ideal, and it should be handled by DNS instead, but I'm in somewhat of a bind and need to know if the ASA can allow this traffic. I figure I could match the traffic and exempt it from state-checking and that would probably work, but it's not a very graceful solution.


Cisco Firewall :: How To Translate Both Source And Destination In ASA 8.2

Apr 16, 2012

I have an internal subnet 192.168.3.0/24 sitting behind an ASA firewall 8.2 and would be accessing web server 192.168.11.54 which sits behind the outside interface of the ASA firewall. The access would be like this:

1) 192.168.3.0/24 will be accessing the web server http://192.168.11.54
2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address
3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well

How to perform this simultaneous source and destination address translation in ASA firewall 8.2? Could this be done in ASA firewall 8.2?


Cisco Firewall :: Log Shows Wrong Source / Destination ASA 8.3

May 25, 2011

The Cisco ASDM or the event manager show wrong source/destination for teardown tcp messages: In this example the communication is an ssh session; from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reset by 2.2.2.2
 
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
 
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
 
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!


Cisco Firewall :: NAT Source And Destination Addresses On ASA5520 Running 7.2(5)?

Apr 22, 2013

Is it possible to NAT source & destination addresses (twice nat) on an ASA5520 running 7.2(5)?


Cisco Switching/Routing :: 3750 - Tagging Traffic By IP Source And Destination?

Dec 2, 2012

I want to know if there is a way to tag traffic with DSCP tags without having to do all the other requirements of QOS setup. All I want to do is just tag traffic at different DSCP values via source and destination IPs. We do not have a need to be prioritizing traffic on our internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.

Our environment is primarily 3750s in all offices.


Cisco Application :: 4710 - Bypass Traffic With Source And Destination From Loadbalancing

Jul 30, 2012

I have a requirement to bypass some specific traffic (with particular source to specific internet destination) in ACE 4710.

All the web traffic (http and https) is configured to loadbalance to my proxies. I need to configure some specific traffic with source and destination to internet to bypass this loadbalancing and directly go to the outside interface.


Cisco Switching/Routing :: Monitor Traffic Between Multiple Source To Destination Ports On Nexus 7k?

Nov 5, 2012

I would like to monitor traffic between multiple source ports to multiple destination ports on a Nexus 7k. I know when you set up a monitor session it is between source and destination (laptop or traffic analyser), but is there a way I can set up between source and multiple destination ports and capture that traffic?


Cisco Switching/Routing :: Nexus 5010 - Capture From Source To Destination Port On Same Switch

May 19, 2013

Basically I am trying to use Wireshark to do a packet capture on a Nexus 5010. I want to do a monitor session on the switch so I can capture from a source port to a destination port on the same switch. I can configure the source port but when I go to configure the destination port I get "ERROR: Eth102/1/4: Configuration not allowed on fex interface". I have tried to reconfigure this port as a switchport but the "switchport mode access" command does not take. I don't want to make any changes to any other ports but this one.


Cisco Switching/Routing :: ERSPAN Source On Nexus 5548 And Destination On Catalyst 6500

Aug 9, 2012

I'm trying to get ERSPAN working with an ERSPAN source on a Nexus 5548 and the ERSPAN destination on a Catalyst 6500.
 
The configuration on the Nexus is as follows:
 
[...]
interface loopback0
ip address 192.168.2.133/32

[Code].....
 
If I do a netdr capture I can see ERSPAN traffic sourced from the Nexus reaching the C6500, but there doesn't appear to be anything sent out the ERSPAN destination interface (Gi4/6) and there's nothing being received by the probe connected to that interface. I know the traffic seen with netdr is definitely the ERSPAN traffic sourced from the Nexus as I've changed the TTL and DSCP values within the monitor session on the Nexus and can see those changes reflected on the C6500 netdr capture. The attached is a screen grab of the show netdr capture started with debug netdr capture source-ip-address 192.168.2.133.
 
When I look at the interface I see it shown as up/down (monitoring), but no output or counters clocking up. If I run a local SPAN session on the C6500 it works fine.
 
I've tried changing the destination IP address from that assigned to the C6500 Loopback interface to an IP address assigned to a physical interface, but that still doesn't work.
 
The hardware in the C6500 is WS-SUP720-BASE Hw version 3.2 with WS-F6K-PFC3B Hw version 2.4. The IOS version is 12.2(33)SXI6.


Cisco Switching/Routing :: 6513 Monitor Session Source Vlan And Lost Packets At Destination

Feb 20, 2012

We have 2 6513 switches with SUP720/PFC3A and various POE modules and a 6748-GE-TX facing our servers. Additionally, we have a 4Gbps portchannel trunk interconnecting the switches. We have approximately 300 Nortel IP 1140e phones in use between the two switches. For the purpose of call recording, we've attempted to mirror the voice vlan using various approaches and have been met with limited success. We mirrored the VLAN using tx, rx, and both. When using both we appear to get duplicate packets at the destination interface. We seem to lose packets completely going in one direction or another for a given call. Packets are lost before they get to the destination interface?


Cisco :: No Valid Route For Destination?

Feb 27, 2013

I configured DNS on the router with this command: ip name-server 4.2.2.2

When I tried to ping www.google.com it is showing no valid route:

Translating "www.google.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2800:3F0:4001:807::1013, timeout is 2 seconds:


Cisco :: How To Use Route-map To Change Destination IP

Aug 2, 2012

a) one router with two ethernet interfaces (LANs) and a serial interface. The serial interface is connected to the internet, dynamic nat is used for hosts in the two lans. A web server has a private address of 172.168.50.10 and it is being translated to the internet with serial's interface 68.32.x.x (public ip) with static nat. Clients in the internet type the public address to access the web server.

b) Problem: clients inside the LANs cannot access the web server by typing the public address, they use the server's private address instead. This creates a problem with DNS static entries in the HOSTS file in the OS. It is a test server and is only available to authenticated users (lock and key ACLs), so no need to make a real DNS record. The entry in the HOSTS file points to the public address.

c) Question: how can I create a route map to change the public address in the HOSTS file to the private address of the test web server every time a user in the LANs types the domain name?


Cisco WAN :: Why Is Destination An RFC1918 Address

Mar 13, 2012

Here is a snippet from "show ip cache flow", from a border router of our network; [code] To clarify, Gi0/3 faces our customers, Fa1/0 faces a transit provider. These results have come from configuring "ip flow egress" on Fa1/0, facing the transit provider. 1.2.3.4 is a static IP we have assigned a customer. I know this customer has a firewall terminating this connection so I want to understand the cache flow results on this route. Why is the destination address an RFC1918 address? Is it possible that the customer's firewall is trying to connect to these addresses, the flow gets as far as this border router, and drops? I assume that to be false, and only successfully initiated flows are recorded?

Also, looking at those figures it's IP protocol 0x11 which is UDP (17) and source port 62023 to destination port 161. 161 is SNMP? Without asking the customer what they are doing I suppose I can never know at that level, but I'm really more interested in why these flows are showing at all, when 192.168.1.0/24 isn't in this router's FIB?


Cisco VPN :: ASA 5510 - NAT Destination Address Through VPN?

Feb 25, 2012

I am trying to perform destination NAT through a VPN tunnel. My scenario: traffic coming from 172.29.11.135 needs to connect to address 192.168.1.1. From the source device, traffic will have a source IP address of 172.29.11.135 and the destination will be 172.30.14.1. Traffic will hit the ASA 5510 and the traffic source will stay as 172.29.11.135 but the destination needs to change to 192.168.1.1.

I have tried the different types of NAT but been unsuccessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
 
example config
access-list FROM_INTERNET extended permit esp any any
access-list FROM_INTERNET extended permit ah any any
access-list FROM_INTERNET extended permit gre any any
access-list FROM_INSIDE extended permit ip host 172.29.11.135 host 172.30.14.1
access-list VPN-TUNNEL extended permit ip host 172.29.11.135 host 192.168.1.1
 
**I have left other config statements off as the NAT config used previous has not worked and the VPN tunnel does build when using NAT exempt.

**All ACLs have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static rule for the VPN traffic, allowing the default static to perform that function.


Cisco Security :: ASA 8.4.1 Destination Address NAT?

Jul 15, 2012

I have a situation where I have a deployed ASA5505 running 8.4.1. The client has an existing mail server that is located on their LAN and has port NATs configured for the normal mail ports, 25, 110, 993, 587 etc.

This works fine for mail inbound and for any user popping mail off the server externally or visiting the webmail interface from outside the network. However, when users inside the LAN try to connect through the ASA back inbound to the IP on the external interface of the ASA they are unable to do so.

One solution I came up with is Split DNS, and well this works, it relies on the users not changing their DNS servers. I was wondering if it's possible to do some sort of NAT that rewrites traffic destined for the above ports on the external IP to the internal LAN IP instead.


How Hosts Find Their Destination

Mar 4, 2011

I have several Cisco switches connecting our network. Switch N connects to the gateway, Switches Y & Z connect to some hosts. Switch N connects to Y and Y connects to Z. Assume our gateway IP is a Class B address with a netmask of 255.255.254.0 and all the hosts attached on switches Y & Z have static IP addresses assigned to them. This gateway connects to the internet. In addition to this IP address, some of the hosts also have a second IP address assigned to the same NIC. This IP is Class A (10.0.###.###) and has a netmask of 255.255.0.0. A second gateway address is not defined.

The hosts that have 2 IPs bound to their NIC use the 10. address to communicate with each other. (Programs running on the hosts are specifically configured to use the 10. address.) I have several questions regarding this setup:

1) Assume Host has only 1 IP (Class B) - if the destination is on the same network, does the host system send the packet to the gateway first to find the destination on the network or does the host send a "where are u" packet to the broadcast address to find the destination?

2) Assume Host has 2 IPs (Class A & B) - if the destination is a 10. address, how does the host go about finding it?

Since there is no Gateway defined for the Class A address, does the host simply send out a packet to the broadcast address for the Class A network? Or does it go to the gateway defined in the Class B network as it was defined first (I'm assuming primary connection)?

3) Assume Switch N's connection to Switch Y is disabled - how will this affect communication between hosts on Switches Y & Z that have a 10. IP trying to share data with each other, using the 10. address? If the answer is this should not affect it, what additional circumstances are required that may cause the systems with a 10. address to be unable to communicate when the connection from Switch Y to N is terminated?


Cisco WAN :: 7206 - Cannot See Packets Being Accounted If Destination IP Down

Jun 17, 2013

One of our end customers is trying to configure IP Accounting on a 7206 running version 12.4(4)XD8. The issue we are having is that while the physical interface is up (the sub interface is part of a metro line which is directly connected) we don't see packets being accounted if the destination IP is down.


Cisco Firewall :: ASA 8.2 - Destination NAT With Specific Origin

Jun 11, 2013

I need to configure destination NAT in my ASA 8.2 version only for a specific origin.

Today, the network 10.84.25.0/24 accesses the web server with IP 172.17.3.150. I need to NAT the IP 172.17.3.150 to 10.96.202.10 only for the 10.84.25.0/24 network.

How can I configure this in 8.2 version?


Broadband :: Reply 192.168.1.1 Destination Net Unreachable?

May 12, 2012

I have my 9 computers, 1 Prolink modem/router H5200 and a TP-Link switch. For 3 months my connection was quite good, but in the 4th month it started to "Reply 192.168.1.1 Destination net Unreachable". I called up a technician from the network. He changed my modem/router with the same model and it ran for an hour... 5-6 hrs. The problem started again; it begins to ping "Reply 192.168.1.1 Destination net Unreachable". Before, my TCP/IP was configured automatically, but now I try to set it manually. My modem/router starts with 192.168.1.1, my first unit starts at 192.168.1.2 and so on.


Test A Destination Port If It Blocked Or Not By My ISP

Aug 3, 2011

Test a destination port if it blocked or not by my ISP


Cisco VPN :: 5510 - Multiple L2L Ipsec To Same Destination (ip Address)

Jan 23, 2012

I'm looking to establish multiple L2L IPsec tunnels (one tunnel for each subnet) from my Cisco ASA 5510 to the same destination. Should the Cisco ASA be capable of this?


Cisco Routers :: RV180 Cannot Set Static Route With Destination To All IPs

Apr 2, 2013

I have Cisco RV180. I can not set static route with destination to all IPs (0.0.0.0/0.0.0.0). It always shows errors. It asked me to input non zero number. I can do this on Cisco RV042 without any problem.


Cisco VPN :: AES256 / 3 DMVPN Tunnel With Different Encryption To The Same Destination?

Apr 25, 2013

I have a general question regarding building SAs between two peers. Can I establish more than one SA between two peers with the same IP address? Actually I have 3 DMVPNs running in parallel in different VRFs using the same SA. They all have the same IPsec encryption, AES256. Now I need to reduce the encryption to 3DES in one of the three DMVPNs. Is that possible or do I need a different IP address so that the SA pair is unique? That's how I started, with a Phase 2 failure that it is not acceptable.

crypto keyring preshared
  pre-shared-key address x.x.x.x key ....ncvnbxcnbLsaYiKtxc4ex4U99Tn...
  pre-shared-key address x.x.x.x key ....qerqwerJLsaYiKtxc4ex4U99Tn...
  pre-shared-key address 0.0.0.0 0.0.0.0 key ....JLsaYiKtxewrc4ex4U99Tn...

[code]....


Cisco WAN :: 1941 / NAT Translation Based On Destination Network?

Feb 12, 2013

1. The LAN network (multiple subnets) needs to access server 1 (outside) - NAT translation works fine, no issues

2. A subnet from the LAN, e.g. SUB-TEST, currently accesses server1 but I need to change it to access TESTserver 2 (outside) instead (temporarily)

I don't want to change the original setup. I am trying to implement NAT on the local router such that

- any traffic from SUB-TEST that enters the inside interface and is going to Server1 then change the destination and NAT it to TESTServer 2

- all other LAN traffic is allowed to go to server 1.

I am using a 1941 router for this


Servers :: Destination Host Unreachable - Using Windows XP?

Dec 16, 2011

I'm running 10 units of computers. Anyhow, my server has no internet connection, the other 9 units have net connection. When I ping, the diagnosis is destination host unreachable. I'm using Windows XP.


Thomson TG585 - Destination Host Unreachable

Dec 15, 2012

My old router recently died and my ISP was kind enough to offer this Thomson one free. But ever since I got it, my PCs can't see each other on the homegroup. They can all get onto the internet - and by using programs like Dropbox or Teamviewer I can share info from one to the other - but I'd like to get my homegroup working again. Both my PCs are running Win 7, connecting wirelessly to the network. When trying to tracert from one to the other it gives this message: Tracing route to GLaptop.lan [192.168.1.79] over a maximum of 30 hops: 1 GDesktop.lan [192.168.1.82] reports: Destination host unreachable. The problem persists when firewalls on both PCs are disabled, and I've attempted to delete the homegroup on both PCs and re-create it.


Get Details Of Any Destination Location Through Google Earth

Mar 31, 2011

how to get details of any destination location through google earth?


Destination Host Unreachable - Can't Connect To Internet

May 11, 2012

My internet connection started to disconnect after an office mate used my PC. I thought it was just the cables but it's not. I pinged my IP address and it's okay (sent=4; received=4). But when I ping Yahoo! and other websites, it said "Destination host unreachable" (sent=4; received=0; lost=4; 100% loss). What should I do to make my connection okay? I didn't ask assistance from our IT personnel because they said if I want to reconnect/reinstall the connection, I have to get an approved request from our bosses. And I don't like being asked because they are like tyrant bosses.


Query A File Has Successfully Been Copied To Destination?

Jan 28, 2013

I wanted to know if there is any script which will send an alert once a file has reached a destination over a TCP network.


Cisco Switching/Routing :: Destination Port Protocol Is Down In 3750

Jun 18, 2012

I have configured SPAN in a Cisco 3750 switch as mentioned below, but the destination port protocol is down.

switch(config)#monitor session 1 source interface gigabitethernet1/0/1
switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1


Cisco WAN :: Configure ERSPAN On ASR1006 - Not Getting Any Traffic On Destination Port?

Mar 18, 2012

When trying to configure ERSPAN on a ASR1006, I'm not getting any traffic on the destination port. ERSPAN flavour is LOCAL SPAN, as described in:
 
[URL]
 
Configuration used, is the following:
 
monitor session 1 type erspan-source
no shut
source interface GigabitEthernet0/0/2
destination
erspan-id 10
ip address 10.10.10.1

[code].....
 
Apparently everything is configured in the proper way, however I’m not getting any traffic in the destination port. Also I’ve noticed the following in the details from ‘Session 1’:
 
Destination IP Address : 10.10.10.1

how to configure Local SPAN using ERSPAN?


Cisco Switching/Routing :: Destination Host Unreachable 2400

Jun 8, 2012

My company has a Cisco IAD 2400 which is handling our phones and the internet (from Service Provider). We are adding a second router, a Cisco 1921, to our network. I think I have everything set up correctly. One department is using the 192.168.2.0/27 subnet. I can ping each computer within that subnet. Also, within this subnet, I can ping the router interface at 192.168.2.1. I can ping 192.168.1.2 successfully as well. This is the interface on the 1921 that goes to the 2400. However, if I try to ping 192.168.1.1 (interface on 2400), I get "Reply From 192.168.1.236: Destination Host Unreachable". I get the same thing if I ping 8.8.8.8. Within the 1921, I can ping 192.168.1.1 and 74.125.224.72 (random Google IP) successfully.


Cisco VPN :: ASA5505 Random Destination Port And Implicit Rule

May 4, 2012

I have an ASA5505 that I am setting up behind another firewall. The external firewall has all ports forwarded to the ASA, which is fine as I can see the traffic getting to the ASA in the log. However, when the traffic tries to return to its destination the ASA assigns a random port number. For example, for VPN the source port is 443 but when the ASA tries to go back to the public IP address it is using port 52857, which is obviously blocked on the external firewall. The Packet Tracer also says that the traffic is blocked by an implicit rule on the ASA which denies all IP traffic; however, I can't delete this rule and as a test I have created another rule allowing all IP traffic.

Copyrights 2005-15 www.BigResource.com, All rights reserved