Cisco Firewall :: 5510 - Duplicate IP Address With ASA Inside Interface
Apr 5, 2012
We've had issues with our Exchange 2010 server (running on ESXi 4.1) since its default gateway was changed to our new ASA 5510. They manifested as frequent Outlook client connection dropouts or as IP address conflicts whenever Exchange was rebooted. The temporary fix was to disable the Exchange server NIC, bounce the ASA and enable the server's NIC again. We saw poor performance from Exchange after a while again, but after some research and testing I realised that disabling proxyarp on the inside interface fixed the problem permanently.
However I've now realised that the client VPN no longer routes properly because proxyarp is disabled on the inside interface, so I still have a problem.
View 10 Replies
ADVERTISEMENT
Apr 13, 2013
I ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below, L2L VPN works fine and all three data centers can access each other via L2L VPN.I have three ASA5510. [code]
View 5 Replies
View Related
Feb 5, 2012
i have here a ASA 5510 sec k9.
I build a Config with a DMZ,INSIDE and OUTSIDE Interface. My Plan is to use the IP-Address of the OUTSIDE Interface with PORT to setup a HTTP Server In the DMZ
But my Config doesn't work. And I have no Plan why .....
The Inside Interface have to work normal. The Traffic to the Internet is TRiggert from Inside with Dynamic PAT
ciscoasa(config)# exit
ciscoasa# show run
: Saved
:
ASA Version 8.4(1)
[Code].....
View 2 Replies
View Related
Apr 4, 2012
The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config.
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
[code]....
View 4 Replies
View Related
Jun 28, 2012
we have a server that has an outside IP and an inside IP. It's inside ip is 192.168.222.30/24 and it's outside IP is 199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the NAT'd IP which is 199.204.50.2/29 is having issues, however, access to the inside IP works fine (this part makes sense)Will It be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface access the NAT'd IP which is assigned to the server
LAN(192.168.222.0/24)<=====>InsideASAOutside<=====>(Server with NAT IP 192.168.222.30/24, it's also physicall assigned to this server).This is an ASA 5510 with 8.4.
View 10 Replies
View Related
Jan 3, 2012
so i have a ASA 5510. The ASA is Connect with the Internet through PPOE DSL MODEM
The outside Interface get an IP. The Inside Interface get through DHCP from the ASA the Internet DNS SERVER (T-Online) But the HOST do not connect to the Internet because the DNS Server is timed out
Code...
View 10 Replies
View Related
Mar 8, 2011
I have setup two different subnet 192.168.1.0 and 192.168.2.0 on the same 'inside' interface. They are unable talking to each other. I can ping from firewall to both subnet. Both side unable talking to each other unless I add route on the both side systems.I have added the followings in ASA5510. [code]
View 8 Replies
View Related
Feb 28, 2013
My internal network consists of Catalyst 3750 switches segmented into different VLANs. There is a default route on the layer 3 Catalyst switch sending all unknown traffice to the inside Internet of the ASA 5510. However, I'd like to have a separate VLAN for wifi guest access and send all of that traffic through one of the DMZ interfaces on the ASA 5510. I don't think you can have separate default routes based on VLANs on the 3750 switches so my only option is to make the ip address of the DMZ port the default gateway for all hosts on the wifi guest VLAN.
The problem I have is that I have a couple servers behind the inside interface that have services available to the public Internet via a NAT address on the outside interface. I want the guests on the wifi VLAN to have the ability to access the servers on the inside interface using the public address as well, but have not been able to come up with a solution yet.
Here is my config that pertains to this setup:
interface Ethernet0/0description Outside Interfacenameif Outsidesecurity-level 0ip address 76.47.10.x 255.255.255.224 rip send version 1rip receive version 1!interface Ethernet0/1description Inside Interfacenameif Insidesecurity-level 100ip address 192.168.17.1 255.255.255.0 rip send version 1rip receive version 1!interface Ethernet0/3description Wifi Guest Accessnameif DMZ2security-level 50ip address 192.168.60.1 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
I've tried the following commands below but no dice.
same-security-traffic permit intra-interface
static (inside, inside) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
View 3 Replies
View Related
May 10, 2012
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 3 Replies
View Related
Jul 13, 2011
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 6 Replies
View Related
Dec 25, 2012
We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP. The addresses are not contiguous. Is there a way to configure an interface on the ASA to handle both sets of public address pools? If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool? Then just NAT/PAT to my heart's content? At that point I would want both to route to our inside network. So it's basically two inbound sets of IP addresses comming into one interface and then comming into the network... Right now the outside interface is configured with our first set of IP addresses. We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool. Hence the question. I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?
View 4 Replies
View Related
Jul 17, 2012
I am having peculiar issue in my setup. I recently replaced my ASA 5505 (8.2.1) with ASA 5510 (8.4.3). Everything works fine for a while suddenly I see some of the servers will not be reachable from the LAN all the servers gateway is my switch. If I check on my Dell switch the particular server's arp entry on the connected port is same as ASA physicall MAC. If im reverting to 5505 ASA everything goes smooth without any issue.
View 6 Replies
View Related
Sep 19, 2012
I have recently installed an ASA5510 at a site in South Africa to connect via VPN to a site in the UK (ASA5520). The VPN comes up fine with the 5520 in the UK, however, I can not connect to the inside interface over the VPN, but can access it from the internal LAN. All other hosts on the LAN are accessible over the VPN.
The 5510 also has another VPN to another site in SA and the 2nd site cannot ping the interface either.
View 10 Replies
View Related
Nov 12, 2012
We have a 5510 and I have a second ISP setup for a backup link. We have 4 ports connected to 4 different internal subnets. I want to force one of the ports to use the backup ISP link at all times. I'm having a little problem with where I need to make the changes in my ASA.
Interface "outside" is my main ISP
Interface "building3" is my backup ISP.
I want to force the "Guest" network to use the "building3" link for all traffic. Here's a snippet of my config
global (outside) 10 interface
global (building3) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
[URL]
Do I need to change the global pool or create a new one? I have a couple free public IP addresess on the building3 subnet I can use for a pool.
View 2 Replies
View Related
Oct 9, 2011
I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
View 7 Replies
View Related
Nov 8, 2011
I'm seeing a TON of traffic in my ASA logs (via ASDM) indicating the following:"Duplicate TCP SYN from inside: (valid internal address of one of our laptops)/50164 to inside: (address on our other subnet, still trying to trace it)/9100 with different initial sequence number"This looks like an attack to me, likely someone's downloaded something they shouldn't have and got an infected laptop. Why it's trying to "call home" to something inside our network is what puzzles me, though.Is there any VALID reason I would see these sort of messages in my log?
View 3 Replies
View Related
Feb 19, 2012
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies
View Related
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies
View Related
Jan 17, 2013
I am trying to upgrade a Cisco ASA over an IPSEC VPN tunnel. My FTP server is on the remote side of the VPN tunnel but I am initiating connections from the inside interface of the firewall. I am currently managing the Firewall over the VPN via it's inside interface (using the management-access inside) command. When I try and update via FTP, the connection is going straight out the outside interface (and not across the VPN tunnel) I have tried upgrading via TFTP but it keeps stopping randomly with (unspecified error) I normally upgrade via FTP though but it's not working in this instance. Essentially what I am asking, is is there an equivalent command for FTP that there is for TFTP: tftp-server interface ip anyconnect I need the connections to originate from the inside interface so they traverse the VPN. I am running 7.2.3?
View 2 Replies
View Related
May 9, 2011
I have deployed a read only domain controller in our DMZ as part of a domain-related project. That machine needs to be able to reach domain controllers on our internal network. To do so, it should traverse our ASA 5510, going from the DMZ Interface (security level set to 60) to the Inside Interface (security level set to 99).
I've created an ACL as following (alerting hostnames in the example):
access-list dmz_access_in extended permit ip host dmz.rodc.domain.local object-group int-domain-controllers
I've read in various spots that you have to create a NAT when traversing security levels, going from a less trusted interface (DMZ) to a more trusted one (internal.) Since this link will carry domain traffic, we do not want to create a real translation. Thus, I created a stand-in NAT that points to its own IP as follows:
static (dmz,inside) dmz.rodc.domain.local dmz.rodc.domain.local netmask 255.255.255.255
Long story short, the connection fails. I'm able to access other hosts in the DMZ and on another interface configured with the same security level (which I've explicitly allowed), but trying to go from the less-trusted DMZ to the more-trusted internal fails.
View 12 Replies
View Related
May 10, 2011
I have a new ASA 5505 and all is working fine, I can CLI and ASDM into it, but just can't ping the inside interface, do I need to enable a feature to make this work somehow?
View 1 Replies
View Related
Apr 23, 2012
I am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside address as I did below:
#sho int ip brief
Vlan1 123.123.123.123 YES manual up up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface as I can't ping the gateway and/or the in IP of the inside interface.Do I need to add any routes?
View 3 Replies
View Related
Jun 7, 2013
I have a Cisco 5512 x Firewall connected with Cisco Layer 3 switch 3750.I have two different WAN connections, one for Data and one for voice. Cisco Layer 3 switch is configured with 2 different VLAN's one for data & other is Voice Vlan. Switch is providing DHCP to computers and IP phones. Voice Pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20.I need to route my data & voice traffic separately. Cisco ASA is connected with two different ISP's. So, how can I do this configuration so that Voice and Data traffic will route separately.
View 7 Replies
View Related
Apr 24, 2012
the inside interface on our primary ASA seemed to "hang". It dropped all the packets it received. Because the interface didnt go down, failover didn't happen. Device's info;
-Cisco Adaptive Security Appliance Software Version 8.2(3)
-Device Manager Version 6.3(3)
-Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
-Internal ATA Compact Flash, 256MB
-BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
I attached a capture picture shows that traffic didnt go to the roof when the issue happened. Why the interface would "freeze" randomly?
View 1 Replies
View Related
Dec 12, 2011
I have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the swtich's table.
[code]....
View 4 Replies
View Related
Mar 7, 2012
I'm trying to NAT SIP registration from OUTSIDE interface to Inside interface on ASA
View 1 Replies
View Related
May 13, 2013
I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
Second question, (Slow access with ASA to a web server, but fast with PIX to the same web server)?
P.S. Addresses in attached picture config are not real, but I know what they translate to.
View 4 Replies
View Related
Mar 5, 2011
configure ASA 5510 as below
inside users should communicate with Hosts on the DMZ Zone and at the same time they should go for internet towards outside interface
ASA with 8.3(1)
default security levels
attached is the digram for your reference need communicate form inside to DMZ
View 1 Replies
View Related
Nov 18, 2011
One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020
How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
-Host IP on inside network - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl
View 5 Replies
View Related
Mar 31, 2013
I have a PIX 515e running version 7.2(4).I have 2 interfaces - DMZ3 (sec lvl 50) and LAB (sec lvl 100) behind the pix. There is also the OUTSIDE interface (sec lvl 0) which connects to the internet.In DMZ3 I have a webserver - x.x.124.217/24 (host is NATed via static command to public IP)In LAB I have a server - x.x.1.203/24 (entire range is NATed via NAT/Global statements to public IP)The server in LAB needs to access a webserver in DMZ3. From the internet both of these hosts have public addresses that are NATed into the inside addresses. I can reach the webserver from the internet, but not from the LAB interface.I think I have to add a static command so that the LAB host can access the DMZ3 host without accessing the internet.
View 3 Replies
View Related
Oct 13, 2012
I need to configure a Cisco ASA5510.Connencted the a single interface I have a switch. To this switch (same VLAN) there are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
I have so allowed any traffic incoming to the inside interface as follows:access-list inside_access_in extended permit ip any any and I have permitted traffic intra interface as follows: same-security-traffic permit intra-interface. [code]Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.
View 4 Replies
View Related
May 6, 2012
I have ASA5505 configured with internal network as 192.168.15.0 and default gateway 192.168.15.1 From the inside network, i'm able to access internet and able to ping all website (enabled ping). and all internel network devices can ping each other. Except i cannot ping my gateway (ASA5505) 192.168.15.1. I'm continously seeing this message on the log, when i tried to ping.. How to fix this?
Denied ICMP type=8, code=0 from 192.168.15.xxx on interface inside
replace xxx with my network devices that try to ping the gateway..I dont want outsiders ping my gateway, i need ping for inside internal network only.
View 5 Replies
View Related
Mar 29, 2011
I have inherited an ASA 5520. In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP. I am trying to understand the purpose of this route or why a route would be setup this way.
Example Static Route:
Inside 10.xx.31.0 255.255.255.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)
View 2 Replies
View Related
