Cisco Firewall :: 5520 - Two Private To One Public Email NAT Going

Nov 8, 2011

How to set up this NAT on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to NAT two DMZ mail servers to one public MX record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to NAT two private IPs to one public.


Cisco Firewall :: Map Public IP To Private In DMZ In ASA 5510?

Jul 22, 2012

I am now using an ASA 5510 as a firewall device. I have configured 3 interfaces, ethernet 0/0, ethernet 0/1 and ethernet 0/2, as WAN interface, DMZ interface and internal LAN interface. Internet is working fine from LAN as well as DMZ. The WAN interface uses the public point-to-point IP (/30) provided by the ISP, and another pool of public IPs is also provided by the ISP (/28). Now I want to map the /28 IPs to some servers in the DMZ. DMZ servers currently have private IPs. Now the problem is how to map the public IPs to those private IPs on the DMZ servers.

Cisco Firewall :: 5510 NAT Public Ip To Private

Sep 5, 2012

We have the setup as shown above; our requirement is to access the mail server via ports SMTP and POP3. But as the mail server is hosted on the internet, users at the site were not able to access it. We need to NAT an intranet IP to the mail server IP and the mail server IP back to the intranet IP and provide the access. We use an ASA 5510 firewall.

Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

I have an ASA 5520 8.4(1) set up as follows:
      public wan
       ASA-- public dmz
      private lan
I need to allow HTTPS traffic to a server in the DMZ that will have a routable IP address. Will just an ACL suffice? Which interface do I apply it to, WAN or DMZ? I don't need a NAT since the DMZ is a routable space?

Cisco Firewall :: Using VLANs With ASA5505 For Private And Public Internet Access

Oct 2, 2012

I am trying to provide internet access to public and private SSIDs on a Cisco AP541n using VLANs connected directly to an ASA5505. VLAN1 is the inside interface (private) and VLAN12 is the wlan interface (public SSID). The AP541n is plugged into switch port 0/7 on an ASA 5505. Port 0/7 is configured in trunk mode. I have internet access when connected to the private SSID but no internet access when connected to the public SSID. Why can't I access the internet on the public SSID?
logging class ip history emergencies
mtu inside 1500
mtu outside 1500


Cisco Firewall :: Cannot Get RDP And Email Out Through ASA 5510 5520

Jul 24, 2012

I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
Attached is a sanitized config. From the config you can see the internal address of the email server is, external address is RDP server is internal address, external Our internet gateway is
From another computer with a 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
Static mappings (again from config):
static (inside,outside) netmask
static (inside,outside) netmask
Original access list:
access-list outside_access_in extended permit tcp host eq smtp
access-list outside_access_in extended permit tcp host host


Cisco Firewall :: ASA 5520 Email Alert Configuration

Apr 26, 2010

I am trying to set up email alerts on our ASA 5520 so that I can receive emails to my Exchange account. Below is the configuration: [code] The SMTP server is in our internal network. First, I am not able to ping as ping is blocked. I did this config like two days before, but can see alerts and error messages through ASDM but no mail is coming in.

Cisco Firewall :: ASA 5520 - IPSec Tunnel Without Private Network

Apr 11, 2013

I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. If so, what configuration options should I consider?

Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have ASA 5520 with Ver 8.2. Outside interface is directly connected to ISP's router (TelePacific) and is assigned one of public IP: are two servers inside the network with the private IP's: for DB Server, and for Web Server. I did Static NAT to  and to I access DB Server( it's working OK but when I access Web Server( there is no response at all. I checked the inside traffic, it even did not get into the firewall. Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(

interface GigabitEthernet0/1
nameif inside
ip address 100
no shutdown
interface GigabitEthernet0/0
nameif outside
ip address


Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have ASA 5520 with Version 8.2(5), the ISP gives me a block of public IPs (, one IP valid ( have the Global NAT (all users LAN) and server FTP, but I need that IP is used for VCSe, and the IP is used for other server FTP.

Cisco Firewall :: Changing ISP / Updating The Public IPs On ASA 5520

Jun 11, 2013

We have 2 x ASA 5520s in active/standby and we have a block of 30 public IPs that NAT to many servers etc. and we use it for our Corp VPN. We are changing ISPs soon and we will be getting a new block of public IPs. Where do I even start to plan the migration and how? Can I overlap somehow and do a slow migration or must I do it in one big swoop?

Cisco Firewall :: ASA 5520 / 8.6 Allow Publishing To Only One Range Of Public IP

Apr 19, 2013

Any confirmation that versions 8.6 and up don't allow publishing to more than one public range of IP addresses?
We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IPs.
With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.

Cisco Firewall :: ASA 5520 - Second IP Range On Public Interface For NATing

Jul 9, 2012

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of the public IPs on the current interface for various services (these need one-to-one mapping, so I can't port map, mainly due to SSL certificate issues) and I need to add another public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non-contiguous IP address range for additional services advertised on the Public interface that are NAT'd to servers in my DMZ.
I have seen an example of adding a static ARP on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLANs is not an option unless the ISP can be persuaded (highly unlikely) to add the secondary IPs as a sub interface with tagging. Anyway, if this was actioned then we would have a massive outage on our current IP range during the transition.

Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (https) websites using a couple of public IPs on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URLs. The number of websites is due to double very soon and we will need to use more of our public IPs. We can see that we will run out of public IPs very soon, especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites is required to use https and therefore each must have a certificate, which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data unencrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs. However, it is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers, especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

Cisco :: Possible To Use 1 Private IP Through VPN And Same Mapped With Public IP?

Aug 25, 2011

Is it possible to use 1 private IP through VPN and the same private IP mapped with a public IP? For example is configured in VPN tunnel. I'm able to ssh on both ends (VPN phase 1 and phase 2 get completed). But when I map with some public IP the problem starts. When I try ssh I see the public IP in my destination firewall logs. IPSEC: Received an ESP packet xx.xx.xx.xx "mapped public IP". The decapsulated inner packet doesn't match the negotiated policy in the SA, The packet specifies its destination as

Cisco Firewall :: Mask DMZ Servers From Private Servers And LAN ASA 5520

Jun 11, 2013

We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
Private Servers Segment: (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: (This is a future deployment)
LAN Segment:
Both Private Servers and DMZ Servers are in a colocation, as is the ASA5520. There are multiple branch offices that use subnets within the Network and they are connected to the ASA5520 via Metro-E.
I do not know if this is possible but what I want to do is this:
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
The FTP server in the DMZ has the IP address: But when a PC from the LAN wants to reach the FTP server it should point to its old IP: This way the PC sends a packet to the ( the ASA receives the packet and translates it to the ( and sends it out through the DMZ Interface.
Also if the Private Servers want to reach the same FTP the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.

Cisco WAN :: ASA5505 Converting Private To Public IP For VPN

Aug 18, 2011

We have a VPN router (ASA5505) which connects to the client, B. IP address for one is 195.xx.xx.xx and for B it is 14.xx.xx.xx. Both can establish an IPsec VPN nicely. Now, B throws a condition that the IP coming through the VPN has to be public. They want it as such so that they can be routed across the VPN tunnel. It still can because the firewall does not do NAT.

Cisco VPN :: ASA5505 VPN Private Network With IP Public

May 19, 2011

My partner imposes that I create a VPN connection with a Cisco ASA5505 and send requests by public IP on my private network. Is it possible to create NAT rules with this possibility?

Cisco 504s - Public And Private IPs On Same Router

Feb 18, 2012

I have been tasked to install the first "hosted & managed" network setup at work. I've actually been tasked to clean this up, since one of the other engineers on my team botched the install. Here's my issue:

A small business customer ordered 4 VoIP phones/numbers, a T1 circuit, and a managed firewall service from my company. We provided them with Cisco 504s, a T1 router with two Ethernet ports, a Layer 2 switch for their phones, and a Fortigate firewall to manage their network. They also wanted us to install and configure their Linksys wireless router for net access on their laptops and iPads. The higher-ups decided that VLANs were not an option, and they wanted to have the voice and data on two separate Ethernet interfaces.

Here's the problem: In the initial work order our T1 router (an Adtran900 series - a reverse engineered Cisco OS) will connect the VoIP phones to the F0/0 interface (using the layer 2 switch) and act as the DHCP server, using private IP addressing. In order to perform this, the first engineer enacted the Adtran's firewall, configured NAT, and set up an IP policy to allow the phones to communicate (allow any any basically). On the F0/1 interface, the firewall is connected. The firewall is given a public IP using the F0/1 address as the default gateway, and performs NAT to their internal data network. The problem is that outbound traffic works fine, and inbound/outbound works on the F0/0 interface where the phones are connected and the Adtran is performing NAT - but I cannot get access to the firewall from the outside world. I know the issue has to do with the firewall on the Adtran router, and it trying to block inbound attempts to the public IP block assigned to the second interface. I attempted to set up firewall rules to allow all traffic to that subnet and interface, but it did not work. As soon as I disabled the firewall feature on the main router, voila! - the Fortigate firewall was accessible from the outside world. But this disabled their phones from working, as this disabled NAT for the private IPs for the phones.

Ideally I could use the switch and set up VLANs to segment the voice/data traffic, but that option was denied. I think the way we're doing this is over-complicated, but this is the desired configuration from my boss. He doesn't really understand VLANs and firewall rules too well, so he wants the two-interfaces approach. To make things even more complicated and redundant, I'll need to set up 1-to-1 NAT rules in the Fortinet firewall to allow access to the /29 we have allotted the client for their connections to Ford/GM/& Chrysler. I can't think of an efficient way to make this work - every scenario I come up with hits a roadblock. I've attached a network diagram so this can make some sense. The IPs have been changed.

Cisco WAN :: 64530 - Migrating BGP Private ASN To Public

Oct 9, 2012

I have two links on two edge routes from the same ISP for Active/Standby. I am using the private AS and ISP-provided IPs; now I have got my own public IPs and AS number. I want to publish my IPs and migrate the AS number from private to public. But currently I do not want to migrate my device IPs, just want to publish the network and ASN.
Current config is:
Router 1
router bgp 64530
no synchronization
bgp log-neighbor-changes


How Can A Public Ip Be Traced Back To Private Ip

Mar 1, 2012

How can a public IP be traced back to a private IP? For instance if the IP is it is traced as

I thought it could be VPN but then you still need a public-facing IP, or can it be the fact that the public IP is router to NAT and from NAT to internet, but then the 10 range will need to be converted back to public, which does not happen as from the private it moves to the next router which is an ISP device and not the client's one?

Cisco Firewall :: FWSM 4.0 Email Server Cannot Connect To Email Gateway

Aug 8, 2012

I have a question about NAT behavior on FWSM 4.0. The problem is that the email server (Company A) cannot connect to the email gateway (Company B) on the outside network, and it happens randomly. I got this error from the server guy: "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It works fine again after clearing xlate on the firewall. [code]
1. How does FWSM create an xlate table like that? I mean it looks like NAT0 for but it doesn't have any nat rule for on the firewall.
2. What does "connections 24" at the first of the line mean? In normal times, I only see the connections is 0 like the second line of xlate.
3. After clear xlate global, the first line of the xlate table is gone, then the email servers can connect to each other. Is this a bug on FWSM, or is this normal NAT behavior of FWSM?

Cisco WAN :: 1941W-A/K9 / Static PAT / 2 Public IPs To Single Private One?

Apr 16, 2013

I have a customer who wants to do a static mapping in order to prevent any downtime for one of his public web servers. Any good example to follow? FYI, the edge device is:

CISCO1941W-A/K9 (configured as a zone based firewall)
C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(1)T

Cisco WAN :: 1941 Cannot Translate Private To Public IP Address Using NAT

May 4, 2012

I have 5 workstations with 2 servers but the backup server (black) is shut down intentionally. I have 1 Cisco gigabit unmanaged 8 port switch and 1 Cisco 1941 VPN router. The Cisco 1941 VPN router is configured for IPVPN connection to other branches.

1. Configure NAT to enable the 5 workstations to be connected to the internet thru the router to the ISP.
2. Configure NAT to enable the server to be accessed from outside using the public IP address provided by the ISP. [code]


1. I can ping other PCs on the network.
2. When I typed in the ISP's public IP address in the browser, I got into the modem user interface for configuration.
I still can't connect to the internet. When I do tracert, it stops on the hop and doesn't continue. This shouldn't be the case since I want to connect using the GE0/1 outside port for the internet.

Cisco VPN :: Private-to-Public IP NAT Through IPSEC VPN On 3000 Concentrator

Jul 27, 2011

We have to set up an IPsec tunnel for a client that does not want to exchange private IP address information for security and overlapping address space reasons. We will both be NATting our source private IP address space as public IP address space and send those packets through the established tunnel. I'm using a Cisco 3000 concentrator.

Cisco AAA/Identity/Nac :: 881 SSH Login Using Only Public / Private Key Levels

Mar 10, 2013

I'm trying to make a setup on my Cisco 881 router, but I'm having some trouble. I've managed to configure logging in with a Public-Private key pair over SSH, but it's also still possible to log in over SSH with just a username and password. I'd like to prevent this, if possible. I imagine I might have manually configured this to be allowed at some point, but I can't quite figure out how I did this, as no matter what I've tried to remove, it keeps allowing this option. I still need to be able to log in with a username, because I want users to have different privileges.
Once I've logged in using the Public-Private key, I don't automatically go into privilege mode, even though the user is configured with a privilege level. I'd like to configure that users that I've configured to use a certain privilege mode, automatically go into privilege mode without a password prompt. I know it did this before I started using the Public-Private key (or before I used AAA, which was configured around the same time), so I wondered if it's possible to do this still.

Set Up A Public And Private Password On Single Router?

Jan 9, 2013

Is it possible to set up a public and private password on a single router so that the public connection can be disabled without having to turn off the private one?

I have some unruly housemates that like to try to take advantage and I only have one cat5 cable and that is already connected to a computer. I have 4 other devices that I use my wifi on and I want to be able to use them without letting my roomies use my connection, and only allow them to use the web during the day.

Connecting Two Routers To Have Private And Public Wifi?

Apr 2, 2012

I just moved into an apartment where the internet is being provided to me via wifi (open). The landlord doesn't have a private network, he is with me. What I was curious about is if it is possible for me to use a second router to create a secured network for all my devices? My thought would look like this: ISP>Landlords Router>wireless>MyRouter. I know you can have private and public wifi but the two routers have to be connected. I haven't talked to him about the fact that he needs to secure his router mainly because we never cross paths.

How To Change Windows 7 From Private To Public Network

Jul 25, 2011

I have an existing network with several computers running Vista and XP. My new computer has Windows 7. The Windows 7 computer can access the router and the internet. But it is invisible to the rest of the network. It is currently set up as "private network". I think it should be "public network". How/where can I change it?

Linux Server With Two Static Ip - Public / Private

Dec 14, 2011

Is there a simple way to have a web server have both a static public ip (I have a block of static IP's) and an static private ip (ex I am running a web project management application....

EA4500 / How To Keep Office LAN Private From Public WLAN

Jul 22, 2013

I handle the network at a small business; it's not my primary job but one that I am in charge of. My boss owns a house next to the office that he uses as a general meeting area and as a guest house for friends and family. The house is close enough to the office that our office WLAN covers most of the house.

Our office router (Cisco Linksys EA4500) supports a "guest" network, which is okay for people that pop in for meetings, but not so great for family and friends that may stay for several days or a week. The guest profile times out, and they have to reconnect. I have no way to set the timeout period for the guest profile. But mainly, there are several "dead spots" in the wifi coverage in the house.

There is an Ethernet cable running from the office to the house that is not currently being used. Optimally, I would just use the spare Ethernet cable to set up a separate WLAN in the house. But I don't know how to do it so that the guests cannot get access to our office network.

I would like to leave the office network hardware and configuration unchanged if at all possible. I am open to purchasing something, and even flashing it with DD-WRT if needed. I just need a configuration that keeps the office network private.

Cisco :: Dealing With Security When Merging Private And Public Networks?

Jul 18, 2011

We have a private network, multiple VLANs etc. for our domain users/employees across several amenities. We also have a Public network, that we have managed by a 3rd party for guests/conference rooms/attendees. Private network is all static IPs, MAC-restricted port security, as strict as possible from a security and PCI Compliance standpoint. The public network is all DHCP with hundreds of users. Having them physically separate has always been the best option. Separate switches, server, and I even have the uplinks separated on a 3825 router. However, unfortunately it seems as though that luxury is coming to an end. One of the meetings that is taking place is going to be at one of our outer amenities so I've got to push that "public" network through my network, over my backhaul to the other side.

My suggestion was to create a new vlan on the switches with the shortest path possible to get where it needs to go. This way the traffic never goes through our ASA, and it has a small footprint on our network, it plugs into the switch access port with the dedicated vlan at the entry point into our network, and leaves from an access port on the other end. To me that seems to be the best/most secure way to handle it. We're also in the process of rolling out Public Wifi through the entire property and since we'll want to push both Public and Private vlans over it....merging the two networks to a point is only inevitable. Especially since it will be going through a controller and the property covers a good 7000 acres.

A good IDS/IPS...other than already having port security on every port, I'd definitely like to know if somebody inadvertently cross connects the two networks and it starts flooding whatever vlan access port it's plugged in to with dhcp...especially since a lot of the laptop users on the domain are set to DHCP first with a static in the alternate for working at the office and remote.

Cisco Switches :: Setting Up Public / Private Vlans On Sg300-52?

Mar 25, 2013

How to set up 3 SG300-52 (in L2 mode) as per this diagram: Port 1 on all switches should be able to talk to each other and access the blob at the right. The ports 25 on the other hand should only be able to talk among themselves in their own private VLAN. They are to carry sensitive traffic. So I created 3 VLANs, VLAN 78 for ports gi1, gi51 and VLAN 10 for port25,49,50 and a dummy VLAN: 666 with the intent of segregating VLAN 10 from VLAN 78. My attempts so far have failed. Ports gi49-50 are configured as trunk ports and gi1,gi51 as access ports as per the following CLI output (excerpts of the startup config):
vlan database
vlan 10,78,666
interface vlan 1
ip address


Ports gi1 can talk to each other and access the blob but ports 25 refuse to talk to each other. But as soon as I remove the access links to the blob they can! Obviously, at that point ports gi1 lose access. Is such a topology feasible or even advisable?
