Cisco Firewall :: 5520 Change Of Subnets
May 19, 2013
I have an ASA 5520 that is working with three zones: DMZ, inside and outside.
My DMZ is for all my branches and it had a /24 subnet; my inside had a /24 subnet and all was fine. I could talk to branches and they could talk to me. I also had all the branches accessing the internet via the ASA, which is at HO. I changed the subnets from /24 to /21 and broke everything.
Below are the configs for the ASA:
!
interface GigabitEthernet0/0
nameif outside
[Code].....
May 26, 2013
Site A:
ASA5520
VLAN data subnet 172.16.10.x/24
VLAN Voice subnet 10.0.0.x/24
Site B:
ASA5505 Base license
VLAN data subnet 192.168.10.x/24
VLAN Voice (restr) subnet 10.0.1.0/24
The CallManager is located on site A and needs to send out DHCP offers to site B through the VPN so the IP phones can register to the CallManager. I got the VPN up and running for the data subnet, but I can't get traffic through the voice subnet/VLAN.
Can the ASAs do the job, or do I need to route traffic before the ASAs on both sides and send it through the tunnel, with both subnets configured as interesting traffic? Of course, in the last situation I need to upgrade the license for the 5505 to gain more VLANs.
Jan 23, 2012
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub-interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets, so it can only access the internet. This is primarily used by the public, but we have several non-employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL VPN portal or through other internet-facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be that there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem, and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seamlessly by network-specific routes and/or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resources, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
Oct 30, 2011
Our company is going to change its ISP. The external IPs are obviously going to change too. We have an Active/Standby firewall and we would like to make the change with as little loss of connectivity as possible. In our configuration we have nearly all features configured as in a normal production firewall, such as NAT, site-to-site VPN, remote access WebVPN, ACLs and also routing. I have looked up some information in this community and still I am not sure about the steps to be made to reach our goal.
I have read that changing only the "names" from the old IP range to the new IP range would not really make the change. The old IP range will still be configured in the features using the external IP address. Therefore we have to first delete all the information (in the running config) connected to these variables and then re-insert them. My biggest worry is that this could be a little bit tricky during the implementation, if some config lines or objects could be left out during the deleting and inserting procedure.
How could we make this change with a low percentage of "copy and paste failures"? I was thinking about changing the "names" to their new IPs and then afterwards reloading the ASA. Will this work out? The primary ASA will be changed first with the secondary shut down. ASA firmware 8.2.2(12).
Aug 15, 2012
I need to NAT some subnets to one IP and other subnets to another IP. The range command won't work because some of the subnets are out of order. For example, subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 NAT'd to 1.1.1.1; subnets 192.168.26.0 - 192.168.27.0 NAT'd to 1.1.1.2.
Jun 18, 2012
I am coming to this forum because TAC and several CCIEs are having trouble finding me a solution to my problem.
I have two 5520s, each running 841, connected in two different data centers with two different internet providers. I have 100+ 5505s that have the capability to connect to either 5520 via EZVPN. Up to now there has not been a need for a 5505 connected to one 5520 to talk to another 5505 on the other 5520. Each 5505 accesses network resources as in any enterprise network. Our company recently started telecommuting and I have been giving 5505s and a VoIP phone out to people. What was discovered is, if you are on one 5505 connected to a 5520 and the other 5505 is connected to the other 5520, the audio in VoIP does not work. If both the 5505s are connected to the same 5520 then everything works fine. Conversely, a 5505 on one 5520 cannot ping a 5505 on the other 5520. 5505s on the same 5520 can ping each other no problem.
My problem: All 5505s are configured for a 172.18.xxx.xxx 255.255.255.224 subnet. This subnet is not used anywhere else. So I have 100 Class "C" subnets carved up into 255.255.255.224 networks. If I look at a specific route for a subnet on one 5520 I see it pointed to the outside interface via RRI. I can look for the route in the 5520's connected CORE switch and I see the route pointed to the 5520. We have a fiber connection to the CORE in the other data center. The route is in this CORE switch as well. When I look for the route in the 5520 connected to this core it is not there. I have all other routes visible but not this particular route, which should show on the inside interface. All I show on the 5520 are the 5505s connected to this ASA. So the 5520 is not processing the RRI subnets from the other 5520 and vice versa. That's why a 5505 on one 5520 cannot ping a 5505 on the other 5520. I only see 172.18.0.0/27 on the outside interface of both 5520s. I do not see any 172.18.0.0/27 on the inside interface on either.
I have had numerous TAC cases open on this and no one seems to either understand my problem or have a solution for me. My local sales rep CCIE says the problem looks like a bug in 841 (which I am running) and that the ASA is not processing RRI from EIGRP, which I am running as well. The whole network is running the same instance of EIGRP, including the 5520s.
My questions:
1) Is it possible the 5520 is not allowing 172.18.0.0/27 on both the outside and inside interface? Even though all subnets are masked properly, does the ASA maybe think it is being spoofed? I have not been able to confirm this using the real-time log.
2) Could this really be a bug? I have looked at all the release notes and have not found anything resembling my problem. TAC has not recommended that I upgrade or downgrade my IOS.
Nov 25, 2011
Our ISP has given us a second range of IPs as we were running out. Unfortunately, they can only give us two non-overlapping ranges. I am running two ASA 5520s in failover to handle our traffic, but I don't know the best way to use both external ranges. This is not a failover scenario -- and I need outward-facing servers on both ranges. It is advantageous to us to keep the two external subnets separating two of our operations, so we don't want to bring everything into one subnet (long story). I have one NIC designated outside that will need to cater for both WANs. As there are two subnets there are two gateways. How do I keep the traffic on track?
Apr 9, 2012
I am struggling with a problem for over 2 weeks despite various researches.
We have a Cisco router, then an ASA 5520 8.4(3).
The private interface of the ASA is connected to a switch, which in turn is connected to one interface of the router.
The private interface is as follows: 129.88.63.253 255.255.248.0 (/21), i.e. it is in the 129.88.56.0/21 subnet.
Here is the part of the router config we are interested in:
!
interface Vlan32
ip address 129.88.63.254 255.255.248.0 (this is the tunnel default gateway configured on the ASA - 129.88.56.0/21 subnet)
ip address 129.88.71.254 255.255.255.0 secondary
ip address 129.88.75.254 255.255.252.0 secondary
ip access-group CVPN-depuis-129.88.56 in
ip access-group CVPN-vers-129.88.56 out
ip verify unicast source reachable-via rx allow-default
no ip redirects
mls rp ip
!
On the ASA, there is currently one default route for the tunneled traffic :
route Private 0.0.0.0 0.0.0.0 129.88.63.254 tunneled
As you can see, it's on the same subnet as the primary IP address of interface Vlan32 on the router.
The scenario is as follows:
- we can connect to the VPN with the appropriate alias (LDAP connection), then we get an IP address in the defined range (it's a local ASA pool)
- the pool is: 129.88.71.0/24
- but, once we are connected, we can't do anything, because it seems like we don't have any network access
Jun 19, 2011
My local site has a Cisco 2811 router connecting locally to an ASA 5520. Remote site A has a Draytek Vigor2950. I have a working VPN between local subnet 10.0.0.0/24 and remote site A 10.100.6.0/24. I have remote sites B (10.100.7.0/24) and C (10.100.8.0/24). I would like to route traffic from the local site to remote sites B and C via the local-to-remote A VPN. On Draytek routers B and C, I have added the subnet 10.0.0.0/24 to the remote network profile list. On the local router, I route traffic for subnets 10.100.7.x and 10.100.8.x to the ASA. On the ASA I have added these subnets to the profile for the local-to-remote A VPN. But the VPN will not establish when I attempt to ping from local to remote B or C.
Mar 26, 2013
I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and an iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1), but I can't ping across that interface from the WAN or LAN side.
START CONFIGURATION
ASA Version 9.1(1)
!
hostname ASA5510
[Code].....
Jun 23, 2011
NAT command on 8.4? I am trying to PAT multiple inside subnets to an IP address. With the example I found I can only PAT one subnet. If I do it the way I have below, it will end up with only the last subnet (3.3.3.0) staying in the config. What is the best way of doing it? I have about 20 inside subnets I need to PAT.
object network obj-Inside-sub1
subnet 1.1.1.0 255.255.255.0
subnet 2.2.2.0 255.255.0.0
subnet 3.3.3.0 255.255.0.0
nat (inside,outside) dynamic 199.246.5.2
Aug 31, 2011
I just got an extra public subnet from our ISP (co-hosting center), but I can't figure out how to use them on my ASA.
New:
IP addresses: 87.1.1.194 - 87.1.1.254
Default gateway: 87.1.1.193
Subnet mask: 255.255.255.192
Old:
IP addresses: 200.1.1.34 - 200.1.1.46
Default gateway: 200.1.1.33
Subnet mask: 255.255.255.240
Config:
route wan 0.0.0.0 0.0.0.0 200.1.1.33 1
And statics like:
static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255
Oct 21, 2012
I have two ASA 5510s in an active-standby cluster, not that I think that the fact that they are clustered will be of any importance here, so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASAs. I have two subnets with public addresses; for simplicity let's call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASAs? I'm currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use addresses from the second subnet, won't that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything; I'm just trying to plan ahead and I can't seem to wrap my head around how this could possibly be done.
May 17, 2012
Having trouble with a couple of items. First of all, should I be able to ping the inside interface of the ASA from all internal subnets, assuming all of these subnets/VLANs are directly connected to the same L3 switch? I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet. I have set up static routing on the ASA [route inside 10.10.96.0 255.255.248.0 10.30.1.1 1] and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5]. The inside interface is on the 10.30.1.x/24 subnet. My host is on the 10.10.96.x/21 subnet. From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212. I can, however, ping 10.30.1.1 from 10.10.96.212.
This leads to my next issue, which is trying to set up the ASA to work concurrently with our current firewall. I'm doing this in order to transition to the ASA. I'd much prefer to cut over inbound NAT a little at a time vs. doing it all at once. Our current firewall is set up at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2). So my question is, if I set up an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing **** since the default route points back to our other firewall?
May 23, 2011
I have an existing pair of PIX 515E that has two interfaces. One connected to the public internet via my ISP and one internal.
I recently ran out of IPs and had the ISP route an additional block to the public IP of my firewall. This isn't working for some reason and I'm trying to figure out why.
The "ip address outside XXX" command defines the outside address and I don't see any way to add a secondary subnet.
I tried just adding a rule to the firewall for one of the IPs in the new subnet, but I can't seem to get traffic to pass through the device.
May 25, 2012
I have an ASA 5520 with multiple site-to-site VPNs. A remote customer has changed their public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without having to put the pre-shared key in again, as we don't know what it is and they don't manage their firewall?
Jan 5, 2012
I am new to Cisco products. We currently have a Netgear FVX538 running in front of a few servers. We currently have 2 ranges of IP addresses provided to us on 2 separate subnets. We configured the Netgear box with the first IP address of each subnet as the IP address of each of the primary and secondary LANs. This then allowed us to set the gateway addresses of servers on the network to either of those 2 addresses, depending on its range.
This all worked fine - except for the fact that the Netgear box is incredibly flaky, so we decided to get a Cisco box.
We have gone for the SA520, which I have been trying to configure this afternoon. Unfortunately I am now having concerns as to whether it is possible to configure 2 separate subnets internally on this box in the same way we have done with the Netgear box, i.e. classical routing, one incoming WAN interface with multiple subnets?
May 27, 2013
ASA 5585-X10, ver 9.1. I have about 10 public subnets that will be used for NAT translation on the outside interface. These subnets are different from the subnet of the outside interface. Is there a way to advertise these routes using OSPF from the ASA?
I tried to redistribute a static route, but I can't make the destination an interface that is on the ASA. I don't own or control the upstream router.
Apr 9, 2013
We are deploying two Cisco 5585s in transparent mode and multiple contexts. They are running Active-Active failover.
There are a lot of VLANs that need to be added in the contexts, and we are trying to use the fewest contexts to fulfill this.
The ASA supports 8 bridge groups for each context, and a maximum of 4 interfaces for each bridge group.
We have assigned four interfaces in different VLANs, set two of them as a pair with one IP subnet, and the other two interfaces are in another IP subnet.
For example :
Bridge group 1:
inside1 and outside1 -------> 192.168.1.0/24
inside2 and outside2 -------> 192.168.2.0/24
However, we can only make one subnet (VLAN pair) work when the BVI is set to that IP subnet. If the BVI is set to 192.168.1.0/24, inside1 and outside1 work and the other pair does not. If the BVI is set to 192.168.2.0/24, then only inside2 and outside2 work.
Since the BVI can only be assigned to one of the subnets, is it possible to make both VLAN pairs work? Or can we only have one subnet in one bridge group?
Sep 16, 2012
I have an ASA which is managing internet access from multiple VLANs configured on a 3560 switch. I want to be able to limit the 100MB internet connection on the ASA on a per-subnet (VLAN) basis for the multiple subnets configured on the switch.
So for example:
VLAN10 - 10.0.10.0 - limit to 5MB
VLAN20 - 10.0.20.0 - limit to 10MB
VLAN30 - 10.0.30.0 - limit to 3MB
Jul 10, 2012
Not really a big problem, but not knowing the answer is killing me. This is what I have:
Host 1 <-> ASA 5505 <-> VPN connection<-> ASA5510 <-> Host 2
The problem is when one of the hosts tries to reach the inside interface of the remote ASA, e.g. Host 1 trying to ping the ASA5510 inside interface. Again, Host 1 and 2 have the same subnet address of 10.1.1.0/24. I have configured the ASA 5505 to do the NAT translations.
[code]...
Aug 19, 2012
I have a customer that wants to change their Nortel 5520 switches to a Cisco solution, and I wanted to ask what would be a good solution for this customer. Presently they have 4 48-port PoE and 2 24-port PoE stackable 5520s, and they are interested in redundant power supplies for the switches. I was thinking that the 3750 is good for this site.
Jan 27, 2013
I am configuring ISE to do the posture assessment. I have Avaya as my LAN and core switches. The idea is once the user is authenticated using 802.1x then it will be moved to the quarantine VLAN, and after it is compliant with the company's policy then it will be moved to the actual VLAN. I have configured the Avaya switch to accept the RADIUS-assigned VLAN and also configured the 802.1x dynamic-authorization. Currently, the RADIUS-assigned quarantine VLAN is working, but once the NAC agent scans and marks the PC status as Compliant, then the CoA is not happening and the user is not moved to the actual VLAN.
I tested the same ISE authorization policy of dynamically assigning VLANs on Cisco switches and it worked perfectly, but the same is not happening on the Avaya switch.
Jun 3, 2013
We are using an ASA 5520, running 8.4(3). We have users running the AnyConnect Secure Mobility Client 3.1.02026. I have the AnyConnect connection profile configured to authenticate users using LDAP over SSL. I enabled the password management and am able to get password change prompts to appear in the AnyConnect client. However, new passwords are rejected and changing passwords through that prompt does not work. I'm not sure what the cause of the problem is, since LDAP over SSL is enabled and working, which is required for the password management feature.
Jan 17, 2012
I have two Nexus 5520s running 5.0(3)N1(1c).
I have both boxes heading off to ACS for TACACS login authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal, as I am using switch configuration profiles. Everything runs fine. User logins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520s to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable, I can log on fine with the local admin user.
The Nexus console reports this error (amongst many others):
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
Nov 2, 2012
We were using an ASA-5520-K9 with an ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.
Mar 15, 2012
How are ASA 5540s in high availability mode upgraded to a new version?
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers - [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.
May 5, 2013
I have an ASA 5520. How would I configure my dedicated management interface to be able to route off-subnet while the firewall is in transparent mode?
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect thru the identity-based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which then are used to authenticate the access thru the firewalls.
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is a Citrix published desktop environment supported to connect thru identity-based firewalls? How are AD Agent, domain controllers and firewalls working together? On the firewalls, with "show user-identity ad-agent" we see the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why does Cisco use 1645 and 1646 and not 1812 and 1813? The listening port is used for what purpose? We tried the AD Agent modes full-download and on-demand with the same effect.
Apr 15, 2013
I try to launch a LAND attack against my firewall ASA 5520. Everything will work fine. But why? I think it should not work. I use a little tool where I can use a spoofed address, with a cluster shell, and attack the firewall interface with the source of 127.0.0.1 or the IP address of the interface as the source and destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this. But I don't find anything for ASA.
Jan 4, 2012
Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. The core switches sit in an Active/Standby scenario. If the active core goes down, the standby core will have to take over the traffic. Is my design correct? If not, what do I need to change? ASA is 5520.
May 22, 2013
I have an ASA 5520 installed. I want to use an NTP server for the firewall clock setting. I found one open-access NTP server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set the NTP server?
ntp server 209.151.225.100 source outside.