Cisco :: Dynamic Routing Over Internet Using ASA 5505 / 5510?
Apr 16, 2011
There are three different sites. Two have multilayer switches as core switches (a Cisco 3560 in one site and a 3570 in the other); the third site doesn't have any routers, just a 2950 switch. Each site has two ASA 5505s as firewalls. Two Internet connections are connected to every site, one on each firewall. One Internet line is used to connect the different sites together using VPNs encrypted with IPsec, and the other line is just for Internet access. The line that interconnects the sites carries voice and data traffic.

At the moment all the routes are static routes; the network isn't too big for now and has no more than 20 subnets. But it is evolving, and I want to use dynamic routing, EIGRP to be more specific. I've looked into it and I'm not sure how to make it work. The VPNs active on the ASAs don't support dynamic routing, so I thought about GRE tunnels, but the ASAs don't seem to allow those either.
View 11 Replies
Nov 21, 2012
I'm working on setting up a template configuration for the Cisco ASA 5505 device that we'll use to configure more routers for various client needs. One of the requirements requested of me is the following:
- Internal hosts assigned a DHCP address are blocked from the Internet
- Internal hosts with a static IP are permitted access to the Internet
- All internal hosts can communicate regardless of state
Now, I'm fairly new to this and I'm certain my terminology isn't correct, so googling the problem has been fruitless. I have followed basic configuration guides and have configured the device to hand out DHCP addresses to hosts plugged into ports 1-7. If I'm plugged in and specify my address manually in the OS, I am blocked from any access, so I can only assume there is an access policy or some rule preventing me from authenticating against the router despite having set up VLAN1 to be the entire class C subnet. What sort of steps would I need to do to configure this? New access lists? For the record, the DHCP addresses are in the range 10.100.31.64-10.100.31.95. VPN users are assigned an address from 10.100.31.220-10.100.31.240 and there seem to be no issues with that configuration. I don't wish to constrain what addresses a user can use should they specify a static IP (10.100.31.5 should be just as valid as 10.100.31.100).
View 10 Replies
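One way to express that policy on the ASA is an inbound ACL on the inside interface, ordered so that internal destinations are always permitted, the DHCP range is then denied everything else, and the rest of the subnet falls through to a permit. This is an added example written for this page, not the poster's configuration; it assumes the interface names inside and outside, a 10.100.31.0/24 inside subnet, and treats the poster's 10.100.31.64-95 pool as the /27 it happens to be.

```cisco
! Added example, not the poster's running config. Assumptions: nameif "inside" and "outside",
! inside subnet 10.100.31.0/24, DHCP pool 10.100.31.64-95 (= 10.100.31.64/27). The VPN pool
! 10.100.31.220-240 lies inside the same /24, so rule 1 already covers it.
object-group network INTERNAL-NETS
 network-object 10.100.31.0 255.255.255.0
object-group network DHCP-POOL
 network-object 10.100.31.64 255.255.255.224

! 1. Any inside host may reach any internal address (other VLANs, VPN users).
access-list INSIDE-IN extended permit ip 10.100.31.0 255.255.255.0 object-group INTERNAL-NETS
! 2. DHCP-assigned hosts get nothing beyond that; "log" makes the hits visible in syslog.
access-list INSIDE-IN extended deny ip object-group DHCP-POOL any log
! 3. Everything else on the subnet (statically addressed hosts, whatever address they chose)
!    may go out. Ordering matters: the ASA stops at the first match.
access-list INSIDE-IN extended permit ip 10.100.31.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

! Keep the pool itself in step with the ACL so the two never drift apart.
dhcpd address 10.100.31.64-10.100.31.95 inside
dhcpd enable inside
```

Verify with packet-tracer before relying on it: `packet-tracer input inside tcp 10.100.31.70 1025 8.8.8.8 80` should end with an acl-drop, while the same trace from 10.100.31.5 should get through the ACCESS-LIST phase to NAT and routing. Two caveats: this is an address-based policy, so a host that sets a static address inside the pool is treated as a DHCP client and one that picks an address outside it is not, which is what the requirement asks for but is not a security boundary; and hosts on the same VLAN reach each other through the switch without touching the ASA, so rule 1 only matters for traffic that actually crosses the firewall.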
Jul 4, 2011
We just purchased a company with multiple sites using SonicWalls and dynamically assigned external IPs. I am running an ASA 5510 with a static outside address.
I have done lots of S2S with both ends static but never dynamic to static.
What are the commands to set the ASA to accept dynamic VPN tunnels?
View 8 Replies
Mar 17, 2013
My dynamic ASA is trying to use a Cradlepoint 4G connection to a head-end ASA 5510. The remote end with the Cradlepoint 4G is not even initiating the tunnel! I need another set of eyes. It was initiating the tunnel last week but not completing the connection. Now it's not doing anything; I am going backwards. Below is my remote ASA config.
ASA5510(config)# sh run
: Saved
ASA Version 8.2(2)
hostname ASA5510
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]...
I have a laptop directly attached to the inside interface. The PC and ASA can ping each other. The test interface is the one I am trying to use. Does my default route need to point to 192.168.0.1? Or is the remote peer correct? I thought the remote peer was correct? The 4G modem is like a pass-thru device. If I connect my laptop to it I can get out to the internet.
View 3 Replies
Sep 25, 2011
I am in the process of replacing a Zyxel USG 300 with a Cisco ASA 5510. In the Zyxel I have some site-to-site tunnels where the peer is a dyndns.org address, because the peer has a dynamic IP address.
I have maybe 10 site-to-site tunnels where the peer is dynamic with a dyndns.org address, and the pre-shared key is different for each tunnel. How can I make this configuration on the ASA 5510?
View 1 Replies
Feb 8, 2011
My SIP trunk provider uses a SonicWall Pro 3060. I need to initiate an IPsec VPN tunnel from an ASA 5505 (ASA1) for SIP traffic to a PBX connected on ASA1's inside. ASA1 should also connect a VPN to ASA2; ASA2 has a fixed IP. I have not been able to figure out how to initiate the tunnel from ASA1 to the SonicWall due to the dynamic IP.
View 3 Replies
Aug 22, 2011
Trying to connect a 5505 with a dynamic address on 8.3(2) to a static-IP ASA (a 5510 on 8.2(1)) with a DefaultL2LGroup and dynamic maps already created.
Inside networks:
Local (5505) 192.168.100.0 /24
Remote (5510) 10.100.1.0 /24
Configuration on 5505
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp enable outside
access-list 100 extended permit ip 192.168.100.0 255.255.255.0 10.100.1.0 255.255.255.0
nat (inside,any) 0 access-list 100
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
View 1 Replies
Mar 2, 2012
I updated the configuration per your response below... It still doesn't work. See my new config files below.
Make the following changes on host officeasa:
Remove the line highlighted below.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2:
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
[code].....
View 5 Replies
Mar 29, 2011
We have an ISP connection that is connected via an Ethernet interface on a 5510 ASA. We are allotted 10Mbps. I currently have the interface set to 10Mbps full duplex. However, we want to upgrade the connection to 25Mbps. I know I can set the port speed to 100Mbps and then set a shape/police statement and shape down to 25Mbps.
Management wants to be able to call the ISP and arbitrarily adjust that speed up temporarily at any time without any user/admin intervention on our side. I can simply leave the port at 100Mbps, i.e. no shape statement on my side; however, I will run into problems with large numbers of drops, overruns, retransmissions, etc. due to the ISP shaping the connection speed during normal operation. But then they could adjust the speed at any time without needing me.
I do not know the best way to make this work. Is there some sort of dynamic/smart shaper in the ASA or another cisco device?
View 2 Replies
May 22, 2012
I'd like to connect the HQ office to a branch through a VPN using two ASAs. I have a 5520 in the HQ and a 5505 in the branch office. My problem is in the branch office, where I have a dynamic IP (ADSL).
I couldn't find an example of this kind of configuration.
View 7 Replies
May 26, 2011
I'm trying to figure out how to get two 5510 ASAs to establish a site-to-site VPN. The version with two static IPs is working perfectly and is stable, but I haven't figured out how to get a VPN running between a static and a dynamic IP.
View 12 Replies
Jun 5, 2012
Looking for some recommendations on product selection and overall infrastructure setup for our datacenter: We have an old, legacy setup, and are looking to replace equipment, improve performance, enhance security, and implement hardware redundancy (if cost effective).
1) We now have (2) IP blocks from our provider, and need to support both (because we have mailers on older IPs with a good reputation rating).
2) We have (2) aged SonicWalls, one for each IP block; each connects to multiple internal subnets (some internal subnets need connectivity to each other, some don't).
3) We have (mostly) public facing web servers (Linux/Apache), as well as database servers (with no external access).
Questions-
1) Should we implement a Cisco ASA 5520 w/ or w/o SSM modules for the new IP block (for webservers)?
1a) Should we implement a Cisco ASA 5510 or 5505 for the existing IP block (for mailers)?
1b) Or, can we have multiple public IP blocks connected to a single ASA 5520 (or 2 ASA's w/ failover)?
2) Can we connect both firewalls (5520 and 5510/5505) to a single Catalyst 3550 (or similar) using VLANs, and have 6 - 10 VLANs for webserver subnets, with ACLs controlling which subnets/servers can connect to each other?
2a) Should we implement a second Catalyst 3550 (or similar) for redundancy (webservers have multiple network cards)?
3) From our provider, we only have (1) demarc which both IP blocks connect through. Currently we have a switch connected to the demarc in order to 'splice' the connection, and have both existing firewalls connected. Is there a better approach to this?
4) We would like to implement SSL-VPN, and possibly site-to-site IPsec VPN, but only if there will not be significant performance degradation.
5) Other thoughts/recommendations for new features, enhanced security, or redundancy?
View 1 Replies
Jun 1, 2011
I have an ASA 5510 and a public FTP server on my local network, published to an external IP address with a static NAT translation. All works, but I need requests to the FTP server to come from the internal ASA interface (I need to use a gateway other than the ASA). How do I configure the ASA to forward the requests that way?
View 4 Replies
Feb 18, 2013
How to get DynDNS or some other public dynamic DNS services on the Internet working on ASA 5505?
View 2 Replies
Apr 17, 2011
I'm having some issues configuring NAT statements on my ASA 5505, which has recently been upgraded to 8.4(1).
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones
 host 10.81.220.90
object network LAN-10.81.220.0
 subnet 10.81.220.0 255.255.255.0
"sh run nat" output:
object network DrJones
 nat (inside,outside) static interface service tcp 4343 4343
object network LAN-10.81.220.0
 nat (inside,outside) dynamic interface
"sh run access-list" output:
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq 4343
View 6 Replies
Dec 14, 2011
I have one ASA 5510, a primary ISP (cable, the single public IP lives on the ASA), and a backup ISP (ADSL, separate router that hosts its single public IP). I use IP tracking to detect link down on the primary. When I pull the plug on the cable modem and go to "Route monitoring", I can see the ASA's default route is now the backup ISP default route.That conforms with [URL] Pings to 8.8.8.8 fail however, and when I do a packet trace the ASA complains about the dynamic nat rule that still points to the primary ISP's interface.Only when I change the existing dynamic NAT rule (on my inside interface) to use the backup ISP's pool (which is a single 192.168.x.y address) , does 8.8.8.8 reply to my pings. So it kinda works but it's not full auto . I can't add a second dynamic nat rule on the same inside interface, nor can I select 2 IP pools in a single dynamic nat rule.
View 4 Replies
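On 8.3 and later the way to get the second path to translate is not a second rule on the same object but one rule per egress interface: object NAT allows a single nat statement per object, so the same subnet is defined twice, once translated out of outside and once out of backup, and whichever interface the tracked default route currently selects is the one whose rule matches. The following is an added example for this page, not the poster's configuration; the interface names, addresses and probe target are assumptions, and the cable link is assumed to carry a static public address so that a tracked static route can be attached to it.

```cisco
! Added example, ASA 8.3+ NAT syntax. Assumptions: primary ISP on "outside" 203.0.113.10/29 with
! gateway 203.0.113.9, ADSL router on "backup" at 192.168.2.1, inside LAN 192.168.1.0/24.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 192.168.2.2 255.255.255.0

! Probe out of the primary only. When the probe fails the tracked route is withdrawn and the
! floating route (metric 254) via backup becomes the default; when it succeeds again, it fails back.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.1 254

! One nat statement per object, so the LAN is defined twice: one PAT rule per egress interface.
! The ASA picks the egress interface from the routing table and then looks for the NAT rule with
! that interface pair, so nothing has to be reconfigured at failover time.
object network LAN-VIA-PRIMARY
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN-VIA-BACKUP
 subnet 192.168.1.0 255.255.255.0
 nat (inside,backup) dynamic interface
```

After pulling the cable modem, `show track 1` should report the reachability as Down, `show route` should show the default via backup, and `packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8` should show the NAT phase matching LAN-VIA-BACKUP. Connections already translated through outside do not migrate; they time out or can be cleared with `clear xlate`. Because the probe is sent out of outside explicitly, it keeps testing the primary even while everything flows via backup, which is what lets the ASA fail back on its own.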
May 21, 2011
I wanted to move to the cisco arena, and having a bugger of a time figuring out simple nat/pat rules combined with access lists. I've been reading Richard Deal's Cisco ASA configuration book, googling the heck out of this simple problem and can't see what I'm missing.
I have an ASA 5505 unlimited security plus license running 8.2(3) and a simple network, 192.168.0.x internal, 192.168.3.x dmz (not even touching that yet!) and outside I have a /29 subnet of addresses, 25 is the gateway, and 26-30 are my addresses.
I have simple dynamic NAT set up on the .26 address to NAT the 192.168.0.x network. All I'm trying to do is port forward a simple TCP port I set for my Linux server (192.168.0.2) on the inside; for argument's sake, it's 2222 (it's not really). My outside VLAN 50 is X.X.X.226 255.255.255.248. Can I make a static nat (inside,outside) x.x.x.226 192.168.0.2 netmask 255.255.255.255?
I tried using (inside,outside) x.x.x.230 192.168.0.2 netmask 255.255.255.255 and that didn't work either. Is it not possible to use two external addresses to hit the entire /24 range AND a single server?
My access rule for this nat is permit tcp any 192.168.0.2 eq 2222 (where I'm using 2222 for my ssh port). then I apply that access list to the access group interface "outside".
I thought the outside interface would do a proxy arp (since I do not have the sysopt noproxyarp command) for my 227,228,229, and 230 addresses where .226 is my internal nat for all my internal machines i.e. 192.168.0.1 -> x.x.x.226 . I had this working like a charm before with my fortinet, so I know I have systems listening.
View 3 Replies
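The two port-forwarding posts above (Apr 17 2011, on 8.4(1), and May 21 2011, on 8.2(3)) straddle the 8.3 NAT rewrite, and the rule that trips people up is the one that inverted: before 8.3 the interface ACL is checked against the mapped (public) address, and from 8.3 on it is checked against the real (inside) address, because the ACL is evaluated after un-NAT. The following is an added example for this page, not either poster's configuration, showing the same forward in both generations; 203.0.113.224/29 stands in for the May 21 poster's x.x.x /29, the other addresses are the ones given in the posts, and the ports are theirs.

```cisco
! ----- ASA 8.2 (pre-8.3 NAT). Assumed /29: 203.0.113.224/29, .225 ISP gateway,
! .226 PAT address, .230 forwarded to 192.168.0.2 on TCP 2222.
global (outside) 1 203.0.113.226
nat (inside) 1 192.168.0.0 255.255.255.0
! Port-level static: only TCP/2222 on .230 maps to the server. The ASA proxy-ARPs for
! .230 on the outside VLAN because a static now references it. The same static works on
! .226 (the PAT address) as long as the port is not already in use by the PAT.
static (inside,outside) tcp 203.0.113.230 2222 192.168.0.2 2222 netmask 255.255.255.255
! Pre-8.3: the outside ACL names the MAPPED (public) address.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.230 eq 2222
access-group OUTSIDE-IN in interface outside

! ----- ASA 8.3 and later (object NAT), the DrJones case from the Apr 17 2011 post.
object network DrJones
 host 10.81.220.90
 nat (inside,outside) static interface service tcp 4343 4343
object network LAN-10.81.220.0
 subnet 10.81.220.0 255.255.255.0
 nat (inside,outside) dynamic interface
! 8.3+: the outside ACL names the REAL (inside) address, because un-NAT has already
! happened when the ACL runs. An ACE written against "interface outside" no longer
! matches the forwarded packet.
access-list outside_access_in extended permit tcp any object DrJones eq 4343
access-group outside_access_in in interface outside
```

Walk a synthetic connection through with packet-tracer and it names the failing phase: `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.230 2222` on 8.2, or `packet-tracer input outside tcp 198.51.100.7 40000 <outside-address> 4343` on 8.3+, should pass UN-NAT, ACCESS-LIST and NAT in turn; `show xlate` then lists the static entry once a real connection has used it. Only addresses that a static or global references are proxy-ARPed, so an address in the /29 with nothing configured against it is not answered on the outside VLAN at all.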
Sep 6, 2011
I have an ASA 5505 running on a static IP. I have just got an SRP527W for a remote worker and want to create a site-to-site VPN into the ASA. I have a number of other routers of non-Cisco brands which all dial in and connect with no problem.
On other routers I have been able to specify the DDNS hostname in the VPN setup so that the ASA can identify it. I'm not sure how I set up the SRP527 to connect to the ASA.
View 3 Replies
Nov 5, 2012
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
My testing shows packets just dying in the 5520.
View 1 Replies
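Several posts on this page ask the same thing: a hub ASA with a fixed address accepting L2L tunnels from ASAs whose public address changes (the Jul 4 2011, Sep 25 2011, Feb 8 2011, Aug 22 2011, May 26 2011 and May 22 2012 posts), and the Nov 5 2012 post adds the spoke-to-spoke case. The mechanics are the same each time. The hub cannot name the peer, so it uses a dynamic crypto map entry, which only ever responds and must come last in the crypto map; every peer the hub cannot identify by address authenticates through tunnel-group DefaultL2LGroup. The spoke has to initiate, so it uses an ordinary static crypto map entry with set peer pointing at the hub (a dynamic map on the spoke never initiates). Below is an added example for this page in 8.2-style IKEv1 syntax (on 8.4, crypto isakmp becomes crypto ikev1, isakmp enable outside becomes crypto ikev1 enable outside, and the transform-set and pre-shared-key commands take an ikev1 keyword); the addresses, names and key are assumptions.

```cisco
! ===== HUB (static public IP 203.0.113.1, LAN 10.100.1.0/24; both assumed) =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Spokes sitting behind a NAT device (4G modem, DSL router) need NAT-T.
crypto isakmp nat-traversal 20
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

! Every peer whose address the hub cannot know in advance lands here: one shared key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key ExamplePSK-change-me

! Dynamic entry: no "set peer", no "match address"; the spoke's proxy IDs define the
! protected traffic. RRI installs a route to each spoke LAN when its SA comes up.
crypto dynamic-map SPOKES 10 set transform-set AES-SHA
crypto dynamic-map SPOKES 10 set reverse-route
! Static entries for fixed-address peers would take lower sequence numbers;
! the dynamic entry must be the last one in the map.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic SPOKES
crypto map OUTSIDE-MAP interface outside

! NAT exemption: hub LAN to any spoke LAN (spoke LANs assumed carved from 192.168.0.0/16).
access-list NONAT-INSIDE extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NONAT-INSIDE
! Spoke-to-spoke: decrypted traffic arrives on "outside" and leaves on "outside" again.
same-security-traffic permit intra-interface
access-list NONAT-OUTSIDE extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (outside) 0 access-list NONAT-OUTSIDE

! ===== SPOKE (dynamic public IP, LAN 192.168.100.0/24; assumed) =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: to the hub LAN and, through the hub, to every other spoke LAN.
access-list TO-HUB extended permit ip 192.168.100.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list TO-HUB extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list TO-HUB
! The spoke initiates, so this is a static entry that names the hub.
crypto map OUTSIDE-MAP 10 match address TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ExamplePSK-change-me
```

Two consequences follow from this design. First, IKEv1 main mode identifies a peer by its source address, so every dynamic peer falls into DefaultL2LGroup and shares one pre-shared key; per-site keys (the Sep 25 2011 post) require the spoke to identify itself by name instead (crypto isakmp identity hostname on the spoke and a tunnel-group of that name on the hub), which with pre-shared keys means aggressive mode and the offline-crackable PSK hash that comes with it. Second, spoke-to-spoke traffic enters and leaves the hub on the same interface, hence same-security-traffic permit intra-interface, the exemption on outside, and the spoke crypto ACL covering the other spokes' range; a hub missing any of those silently drops the hairpinned packets, which is a common cause of the symptom in the Nov 5 2012 post. Generate traffic from the spoke LAN, then check show crypto isakmp sa, show crypto ipsec sa peer <hub-or-spoke-address>, and show route on the hub for the RRI entry.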
Nov 7, 2012
I have some sites already connected with ASA 5505 site-to-site VPNs with static IPs at both ends. Normally, all traffic can come across without any problem. I even used "management-access inside" on both ASAs. Now I have a new office with only an ADSL PPPoE connection. I used Easy VPN to connect from site B (remote, dynamic IP) to site A (static IP), following an example similar to this: [URL]
All my 5505 ASA are running 8.4(4)1
Site A - Static IP
Site B - dynamic IP with pppoe connection.
After Easy VPN connects, I don't know how to do remote management from the site A LAN to the site B 5505 ASA.
View 6 Replies
Aug 11, 2012
I have a Cisco ASA 5505 that has been configured to act as a router as well. I have configured 3 VLANS that have access to the internet. For some reason the "InsideWifi" and the "Guest" VLANS have very slow internet speeds and sometime web pages wont finish loading properly. The "Inside" VLAN gets the speeds that are expected. The DNS server does reside on the "Inside" VLAN. Is there anything wrong with my configuration that would cause the internet speeds on the other VLANS to be slow? My config is attached.
View 6 Replies
Mar 30, 2012
I have a problem with an ASA 5510 version 8.2(1). I have a Mac OS X 10.6.8 DNS server. When the ASA is online and I want to use the Internet, my Internet is very slow; it needed about 1.5 min to open yahoo.com, and the ASA log viewer shows too many drops. I have only the rule allow any tcp/udp domain.
View 1 Replies
Jul 2, 2012
We need to connect from an external computer connected by cisco-vpn-client to one internal server that is behind an ASA 5505 config with Easy VPN. The VPN connection with the client to our 5520 firewall is fine, but when I try to connect to the server on the LAN, FW log says:
Routing failed to locate next hop for TCP from Internet:172.17.1.215/1108 to Lan_Interna:172.33.0.50/3389
Attached image.
View 22 Replies
May 29, 2012
I am having an issue when implementing an additional Internet connection on our ASA 5510. The new connection is "TWCOutside". It was my understanding that static NAT would force our externally hosted servers (email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection. When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change our default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for their Internet browsing.
However, our FTP server, in the DMZ, completely loses outside access. It cannot ping 8.8.8.8 or resolve DNS queries. There is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks. Effectively, we just want to give our end users Internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]
View 2 Replies
Sep 24, 2012
Have multiple Catalyst 2960S switches, Cisco 2911 router and ASA 5510 firewall.
On the router I have subinterfaces created for the VLANs:
Int FA0.0/41 for the wireless VLAN, set up with IP 10.10.41.100
Int FA0.0/60 for the new voice VLAN, set up with IP 10.10.60.100
The internal network is 10.10.10.0/24 and the LAN IP of the router is 10.10.10.100. I have a default route set up to push traffic from the router to the firewall:
ip route 0.0.0.0 0.0.0.0 10.10.10.251
On the firewall I have added the new VLAN 10 (10.10.60.0) to the network object-group and have configured the route inside command:
route 10.10.60.0 255.255.255.0 10.10.10.100 1
I have also added the NAT command:
nat (inside) 1 10.10.60.0 255.255.255.0
On the 2960 I have my laptop connected to port 45, configured as follows:
switchport mode access
switchport access vlan 10
I assign my computer a static IP address of 10.10.60.84/255.255.255.0/10.10.60.100 with 10.10.10.11 as DNS server. When I do this, I can ping anything on the 10.10.60.0 network and anything on the LAN 10.10.10.0 network. I am able to connect MSN Messenger, and I am able to do NSLOOKUP and get outside IP addresses to resolve. I am unable to browse the Internet, though. I am not sure where the problem is. It doesn't make sense to me, as it is set up the same way as VLAN 41, which is the wireless network, and when users connect to that, they get out to the Internet with no issues.
View 15 Replies
Jul 24, 2012
How do I configure a backup route to the Internet? My client has 2 ISPs and basically they want to use 1 ISP and, in case that ISP fails, use the other one as a backup route to the Internet.
The problem I’m facing is that each ISP is plugged to a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other. Both ASA are plugged to an internal network in a dedicated VLAN with a L3 switch and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and in case the ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2? It would be great if I can send traffic to the internet thru both connections at the same time. Also, I know the ASA has High Availability configuration, but that applies only if both licenses in the devices are the same and I have a mismatch with the SVPN license, and also I don't know if with my current topology I can use the High Availability model, so I think I can’t use that option and the solution must be applied in the L3 switch, but I don’t know how to tell it to use ASA1 and if failure of the device or the outside interface plugged to ISP 1, then use ASA2. Besides, I would like to know how to optimize this config to do the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls).
View 5 Replies
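The topology in the Jul 24 2012 post (two ASAs, one per ISP, both hanging off a VLAN on an L3 switch) cannot use ASA failover, so the decision has to be made on the switch, with IP SLA tracking attached to the static default route. The following is an added IOS example for a 3560-class switch, written for this page rather than taken from the post; the addresses are assumptions. The detail that matters is the host route that pins the probe to ASA1: without it, once the switch has failed over, the probe would succeed through ASA2, the track would come back up, and the default route would flap between the two firewalls.

```cisco
! Added IOS example (Catalyst 3560/3750 class). Assumptions: transit VLAN 100 is 10.0.100.0/24,
! ASA1 inside = 10.0.100.1 (preferred path), ASA2 inside = 10.0.100.2, probe target 8.8.8.8.
interface Vlan100
 ip address 10.0.100.254 255.255.255.0

! Pin the probe to ASA1 so it always tests the primary path, never the backup.
ip route 8.8.8.8 255.255.255.255 10.0.100.1

ip sla 1
 icmp-echo 8.8.8.8 source-interface Vlan100
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now

! Require a sustained failure before flipping, so one lost echo doesn't move the VoIP calls.
track 1 ip sla 1 reachability
 delay down 15 up 30

! Tracked primary default; the floating route (distance 250) only appears when track 1 is down.
ip route 0.0.0.0 0.0.0.0 10.0.100.1 track 1
ip route 0.0.0.0 0.0.0.0 10.0.100.2 250
```

ASA2 needs the same NAT and ACL treatment of the inside networks as ASA1, and `show track 1` plus `show ip route 0.0.0.0` tell you which path is in use. Two caveats for the post's "seamless" wish: both firewalls are stateful and keep their own connection tables, so established sessions and calls in progress break at the moment of switch-over and have to re-establish through ASA2; and two untracked equal-cost defaults would merely split flows between the firewalls by source/destination hash (each flow stays on one firewall, so its NAT stays consistent), which means a dead ISP still blackholes the flows hashed to it unless each default route is tracked against its own firewall.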
Feb 16, 2011
If this is the wrong thread for this pasted config, I am sorry. Let me know and I will delete it and move it elsewhere. I just cannot seem to connect my Cisco 2651XM router to the Internet from my PC. Here is the output of my config. I have Cox Cable Internet and my IP address is dynamic, but it has luckily stayed "static", if you will, for as long as I can remember. I am plugging my laptop via a straight-through cable into 2950 switch port fa0/2, and fa0/1 is connected via a straight-through cable to router fa0/0. I told my PC to "obtain IP address automatically" since I made my router a DHCP server, but still no Internet. I can, however, ping the ISP 24.253.136.243 and my default gateway on the router, 192.168.0.1; I made the native VLAN 192.168.0.2, I can ping all interfaces fine, and packets are being sent and received. [CODE]
View 19 Replies
May 29, 2012
Overview:
Firewall is an ASA 5510 running 8.4(9)
Core network at Head Office uses OSPF
Static routes on the ASA are redistributed into OSPF
Static routes on the ASA for VPN are redistributed into OSPF with a metric of 130 so redistributed BGP routes are preferred
Core network has a static route of 10.0.0.0/8 to the Corporate WAN, which is redistributed into OSPF
Branch Office WAN uses BGP; routes are redistributed into OSPF
The routers at the Branch Office use VRRP for IP redundancy for the local clients' default gateway
Primary Branch Office router will pass the VRRP IP to the backup router when the WAN interface is down
Backup BO router (.253) only contains a default route to the Internet
Under normal operation, traffic to/from BO uses the local Branch Office WAN
If the local BO WAN link fails, traffic to/from BO uses the IPsec VPN across the public Internet

I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a static route and not use the route advertised from OSPF by the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN and normal operation is resumed. I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF are preferred. The idea is that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
View 7 Replies
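The ASA has no GRE and does not form EIGRP or OSPF adjacencies across an IPsec tunnel, so the way VPN-reachable subnets get into the dynamic routing domain on the hub side is Reverse Route Injection: the crypto map installs a static route on the ASA for each remote protected subnet (when the SA comes up, for a dynamic crypto map; as soon as the map is attached, for a static one), and the routing process redistributes those statics to the core. The following is an added configuration example written for this page, not taken from either post; it covers both the EIGRP question in the Apr 16 2011 post at the top of the page and the OSPF redistribution in the May 29 2012 post directly above. Interface names, addresses, peer, AS number and metrics are assumptions, and the NAT exemption is shown in 8.2 syntax with the 8.3+ equivalent in comments.

```cisco
! Added example for a hub ASA (8.2-style IKEv1 commands; 8.4 prefixes them with "crypto ikev1").
! Assumed: hub LAN 10.1.0.0/24 behind "inside", branch LAN 10.2.0.0/24, branch peer 203.0.113.20,
! EIGRP AS 100 shared with the core switches (all assumptions).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

access-list BRANCH-VPN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list BRANCH-VPN
! 8.3+ equivalent of the exemption above:
!   object network HUB-LAN
!    subnet 10.1.0.0 255.255.255.0
!   object network BRANCH-LAN
!    subnet 10.2.0.0 255.255.255.0
!   nat (inside,outside) source static HUB-LAN HUB-LAN destination static BRANCH-LAN BRANCH-LAN
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key ExamplePSK-change-me

crypto map OUTSIDE-MAP 10 match address BRANCH-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.20
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
! RRI: 10.2.0.0/24 appears in the ASA routing table as a static route via "outside".
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside

! EIGRP towards the core (Apr 16 2011 post): advertise the RRI statics, never peer on
! the public side. Metric arguments: bandwidth delay reliability load mtu (assumed values).
router eigrp 100
 network 10.1.0.0 255.255.255.0
 passive-interface outside
 redistribute static metric 10000 100 255 1 1500

! OSPF variant (May 29 2012 post): same idea, metric chosen so the core keeps preferring
! its WAN-learned route for as long as that route exists.
! router ospf 1
!  network 10.1.0.0 255.255.255.0 area 0
!  redistribute static metric 130 subnets
```

The catch the May 29 2012 post runs into is built in: an RRI entry is a static route on the ASA itself (administrative distance 1), so while the tunnel exists it wins, on the ASA, over anything the ASA learns from OSPF for the same prefix; the redistribution metric only governs what the core prefers, not what the ASA does. Confirm with `show route` on the ASA (the RRI route shows as `S`) and with the core switch's routing table, and keep the tunnel's interesting-traffic ACL tight, since any matching packet will keep the SA, and with it the static route, alive.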
Jun 29, 2012
Do Internet cafes use static or dynamic IP addresses? Also, what would be the benefit if they used a static IP address?
View 1 Replies
Jan 10, 2012
Does the ASA 5540 support the BGP routing protocol?
I'm talking about the latest versions.
View 3 Replies
Apr 4, 2012
I'm trying to get a tunnel to come up between a 5510 and a 5505. I currently have a vpn tunnel up and running from the 5510 to another remote site. [code]
View 2 Replies
Sep 10, 2012
How do I set up dynamic DNS for a Cisco 2621XM? Which IOS versions support dynamic DNS?
View 3 Replies
Feb 19, 2013
I connected DSL directly to a 2900 series router, but as the DSL public IP is not static (it is dynamic) it's difficult to access the router when out of the house. Is there any other means to access the router without a static IP?
View 2 Replies
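Both the Sep 10 2012 (2621XM) and Feb 19 2013 (2900 on DSL) posts want the router reachable by name while its address changes. IOS has a built-in DDNS client, ip ddns update method, introduced in the 12.3T train and carried forward since (check Feature Navigator for a given 2621XM image), which re-registers the interface address with an HTTP-based service whenever it changes. The following is an added example for this page, not taken from either post; the update URL, hostname and credentials are placeholders for whatever the provider documents, and the WAN interface is assumed to be Dialer0. (The ASA's own ddns update commands, which the Feb 18 2013 post asks about, spoke RFC 2136 dynamic update to a DNS server you control rather than a provider's HTTP API on releases of that era.)

```cisco
! Added IOS example. The URL below is a placeholder in the provider's documented form;
! on the IOS CLI the "?" must be entered as Ctrl-V ? or it is taken as a help request.
! <h> and <a> are expanded by IOS to the configured hostname and the current address.
ip ddns update method DDNS-HTTP
 HTTP
  add http://USER:PASS@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 ! Re-register at most once a day even if nothing changed (days hours minutes seconds).
 interval maximum 1 0 0 0

interface Dialer0
 ip ddns update hostname myrouter.dyndns.org
 ip ddns update DDNS-HTTP

! Being reachable by name from anywhere is only sane if the management plane is locked down:
! SSHv2 only, local credentials, and a source ACL on the vty lines.
hostname edge
ip domain-name example.net
! exec command, run once before enabling SSH:  crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret ChangeMe-now
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
```

`debug ip ddns update` shows each registration attempt and the provider's response, and `show ip ddns update method` confirms the method is bound. Two things to keep in mind: the credentials in the URL are in the running configuration and travel in clear text over HTTP, so use a DDNS account that can do nothing but update that one name; and the DDNS record only tells the world where the router is, so the vty ACL, not obscurity, is what keeps the management plane from being brute-forced the moment the name resolves.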