Cisco Firewall :: 5520 Connect Two Overlapping IP Address Sites
Dec 13, 2012
I am trying to connect two overlapping IP address sites (see attached diagram). Site A LAN addresses will dynamic NAT to 10.1.1.0/24 at the ASA 5520. All the users from site A need to get services from site B (DHCP, DNS, Mailbox, Print Servers, AD login etc.). All the connections will be initiated from site A to B.
1- Will all these services run over the NATed (dynamic) address, or do I have to change to static NAT?
2- Any sample config for ASA 5520 for this type of network?
Our ISP has given us a second range of IPs as we were running out. Unfortunately, they can only give us two non-overlapping ranges. I am running two ASA 5520s in failover to handle our traffic but I don't know the best way to use both external ranges. This is not a failover scenario -- and I need outward-facing servers on both ranges. It is advantageous to us to keep the two external subnets separating two of our operations so we don't want to bring everything into one subnet (long story). I have one NIC designated outside that will need to cater for both WANs. As there are two subnets there are two gateways. How do I keep the traffic on track?
how to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc.). Using this as a guide [URL] I was able to get it to work using an ASA and a router (initial configuration below). I'm able to ping from host1 to 188.8.131.52 (host 2) and it works, as does pinging from host 2 to 184.108.40.206 (host 1). The issue I'm having now is that I've replaced that router with another ASA (second configuration below). Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well. I'm only seeing issues when using two ASAs. I've verified that ICMP and telnet are permitted inbound on the ASAs as well. I even tried separating the final host with another router (third configuration).
For some reason there are some sites that I cannot access websites from the inside interface. One such example is lxer.com where I am receiving this message in the browser: "The connection has timed out. The server at www.lxer.com is taking too long to respond." This has "suddenly" happened, and so I am wondering what others have done when such things have happened. My outside has a DHCP IP, and I have noticed that this address had changed, so I corrected this in my router settings. ASA version is 5505.
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, but I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4. I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface, Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed", even after I create a user with level 15 privilege and assign it to my VPN group policy. I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
We have a Cisco ASA 5520 and, in order to conserve public IP addresses and configuration (possibly), can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ. In the documentation for the Mitel Border Gateway it wants me to set up 2 external IPs on my ASA: one to allow 443 traffic into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MBG in the DMZ. My problem is I don't know how to do this. The MBG only has one IP, and I need to have 2 different URLs mapped to two different external IPs, both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.
I have a handheld device that will be used for inventory outside of our office. It has 3G capabilities. Is there any way I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention of opening these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
We have a main ASA 5520 and two remote site ASA 5505s that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external SharePoint, but we have access to it internally. The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal. What I'm stuck at is that even when we had all traffic sent from site A to our main hub, it still wouldn't find it. Would I have to make a separate VPN tunnel purely for that DMZ traffic?
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors even though the configuration calls for a 'net mask':
object-group network test
 network-object 192.168.0.0 192.168.63.255 ?
network-object-group mode commands/options:
  A.B.C.D  Enter an IPv4 network mask
sh run ob id test
object-group network test
 network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly.
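The post above asks what happens when a range is written where the object-group syntax expects a netmask. The following Python is added here as an example; it is not code from the thread or from Cisco. It audits network-object lines in a constructed configuration excerpt (modelled on the post), accepts the second field only if it is a contiguous netmask, and otherwise emits the address/netmask entries that cover the intended range. It does not model how a particular ASA release parses the range form; it only flags entries that do not match the documented syntax, which is the check a reviewer would run before trusting an ACL built on such a group.

```python
import ipaddress
import re

# Constructed running-config excerpt for this example (not a real device's config):
# the first group uses the range form from the post, the second the documented form.
SAMPLE_CONFIG = """\
object-group network test
 network-object 192.168.0.0 192.168.63.255
object-group network good
 network-object 192.168.0.0 255.255.192.0
 network-object host 10.1.1.5
"""

NETWORK_OBJECT = re.compile(r"^\s*network-object\s+(\S+)\s+(\S+)\s*$")


def looks_like_netmask(value):
    """True if value is a dotted-quad mask of contiguous ones followed by zeros."""
    try:
        n = int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return False
    inverted = (~n) & 0xFFFFFFFF
    # A contiguous mask inverts to 2^k - 1, which has no bit in common with 2^k.
    return (inverted & (inverted + 1)) == 0


def range_to_prefixes(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def audit_network_objects(config_text):
    """Return (offending line, suggested replacement lines) for every
    network-object whose second field is not a netmask."""
    findings = []
    for line in config_text.splitlines():
        m = NETWORK_OBJECT.match(line)
        if not m or m.group(1) == "host":
            continue  # not a network-object, or the 'host' form which has no mask
        addr, second = m.groups()
        if looks_like_netmask(second):
            continue  # documented 'address netmask' form
        try:
            fixes = []
            for cidr in range_to_prefixes(addr, second):
                net = ipaddress.IPv4Network(cidr)
                fixes.append(f"network-object {net.network_address} {net.netmask}")
        except ValueError:
            fixes = ["(second field is neither a netmask nor a valid range end)"]
        findings.append((line.strip(), fixes))
    return findings


if __name__ == "__main__":
    for offending, fixes in audit_network_objects(SAMPLE_CONFIG):
        print("range form found:", offending)
        for fix in fixes:
            print("   use instead:  ", fix)
    # A range that is not aligned to a single prefix needs several entries.
    print(range_to_prefixes("192.168.0.0", "192.168.63.254"))
```

The range in the post happens to be exactly one /18, so the suggested replacement is a single entry with mask 255.255.192.0; a range that ends one address earlier expands to fourteen prefixes, which is why a range that "looks" like a block still needs this check rather than a mental conversion.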
I am working on a project with 2 security ASA 5520s with a Microsoft ISA/TMG-2010 server having 2 DSLs. My question is regarding the design issue: where should I connect the 2 DSLs using ISA/TMG-2010?
I had a design question. Currently we have an active/passive ASA 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet and Gig 0/1 connects to a port on the active firewall. We also have a one-port Fast Ethernet card on the router. How can I use the Fast Ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the Fast Ethernet port on the router?
My ISP installed one router in my lab. For internet connectivity they mailed me steps: connect your laptop directly to the gi0/3 port to check internet connectivity with public IP 1.1.1.x and gateway 220.127.116.11 with subnet mask 255.255.255.240. After connecting I was surprised because I am able to access only Google sites like Gmail, Google search etc., but I am able to ping/traceroute all sites. From the browser I am able to access only Google sites. In the router there is no firewall and no such access list.
I have 10.10.10.10 in 2 VRFs (lite) on 2 different VLANs. What I would like to achieve:
- if I connect to 172.16.7.125 in the global VRF then translate it to the VRF1 10.10.10.10 destination address.
- if I connect to 172.16.3.162 in the global VRF then translate it to the VRF2 10.10.10.10 destination address.
IMHO the solution is quite simple:
ip nat outside source static 10.10.10.10 172.16.7.125 vrf VRF1
ip nat outside source static 10.10.10.10 18.104.22.168 vrf VRF2
However the router thinks something else:
IMHO this configuration should be valid. The global VRF has two IPs (172.16.7.125 and 172.16.3.162) while the 2 other VRFs work happily with the two identical 10.10.10.10 destinations as they should. The two translations should be easily distinguished as these are from two different VRFs. Either I am missing something or it is a problem in IOS.
I'm trying to connect two overlapping networks via IPsec.
Details: Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed. Site_B uses a Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.
According to the link posted above I should use dual NAT. Site_B will see networks in Site_A as 10.26.0.0/22, and Site_A will see networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above, everything is ok till the command:
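Net-to-net translation as described in the post above (network bits rewritten, host bits kept intact), written as an added Python example that is not part of the thread or of any Cisco code. The plan values are the ones the post gives: Site_A's 10.100.0.0/22 is shown to Site_B as 10.26.0.0/22, and the only reachable Site_B network, 10.100.1.0/24, is shown to Site_A as 10.25.0.0/24. The DualNatPlan class, its method names and the sample host addresses are constructed for illustration. Besides tracing a packet through both translations, it checks that the mapped ranges do not collide with either site's real ranges, which is the condition that makes dual NAT work at all.

```python
import ipaddress


def translate_net(addr, real_net, mapped_net):
    """Rewrite only the network part of addr: real_net -> mapped_net.

    Host bits are carried over unchanged, the behaviour the post asks for
    (IOS 'ip nat ... type match-host', ASA net-to-net static translation).
    """
    addr = ipaddress.IPv4Address(addr)
    real_net = ipaddress.IPv4Network(real_net)
    mapped_net = ipaddress.IPv4Network(mapped_net)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must share a prefix length")
    if addr not in real_net:
        raise ValueError(f"{addr} is not inside {real_net}")
    host_bits = int(addr) - int(real_net.network_address)
    return str(ipaddress.IPv4Address(int(mapped_net.network_address) + host_bits))


class DualNatPlan:
    """Hypothetical helper (constructed for this example): how each site's
    real network appears to the other side."""

    def __init__(self, a_real, a_mapped, b_real, b_mapped):
        self.a_real = ipaddress.IPv4Network(a_real)      # Site_A as it really is
        self.a_mapped = ipaddress.IPv4Network(a_mapped)  # Site_A as Site_B sees it
        self.b_real = ipaddress.IPv4Network(b_real)      # Site_B as it really is
        self.b_mapped = ipaddress.IPv4Network(b_mapped)  # Site_B as Site_A sees it

    def conflicts(self):
        """Overlaps that would break the plan. The real/real overlap is the
        reason for dual NAT; anything returned here must be fixed."""
        found = []
        if self.a_mapped.overlaps(self.b_real):
            found.append("Site_A mapped range collides with Site_B real range")
        if self.b_mapped.overlaps(self.a_real):
            found.append("Site_B mapped range collides with Site_A real range")
        if self.a_mapped.overlaps(self.b_mapped):
            found.append("the two mapped ranges collide with each other")
        return found

    def b_to_a(self, src, dst):
        """A packet sent by a Site_B host towards a mapped Site_A address,
        as it appears on Site_A's inside after both translations."""
        return (translate_net(src, self.b_real, self.b_mapped),
                translate_net(dst, self.a_mapped, self.a_real))

    def a_to_b(self, src, dst):
        """Reverse direction: a Site_A host towards a mapped Site_B address,
        as delivered on Site_B's side."""
        return (translate_net(src, self.a_real, self.a_mapped),
                translate_net(dst, self.b_mapped, self.b_real))


# Values from the post; the Site_B side is limited to the one /24 Site_A may reach.
PLAN = DualNatPlan("10.100.0.0/22", "10.26.0.0/22", "10.100.1.0/24", "10.25.0.0/24")


if __name__ == "__main__":
    print("conflicts:", PLAN.conflicts() or "none")
    # Constructed sample flow: Site_B host 10.100.1.50 opens ssh to 10.26.1.222.
    print("Site_B -> Site_A:", PLAN.b_to_a("10.100.1.50", "10.26.1.222"))
    # The reply from 10.100.1.222 goes back to the mapped Site_B address it saw.
    print("Site_A -> Site_B:", PLAN.a_to_b("10.100.1.222", "10.25.0.50"))
```

The /22 on the Site_A side is what lets 10.26.1.222 land on 10.100.1.222 rather than on a host in 10.100.0.0/24: the translation keeps the low 10 bits, so the third octet survives along with the host octet. A mapped prefix that is narrower than the real one would silently fold several real subnets onto one, which is why translate_net refuses mismatched prefix lengths.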
I've been having problems for the past couple of weeks trying to connect to some websites. It is only SOME, not all websites. It will either say that it is taking too long to connect or that the website is experiencing problems.
I've had my Netgear wireless router for about a year now. I went to Facebook and I received a message on a red and black screen that said this site has been blocked by the Netgear firewall. I've never changed any of my settings since I got this router so I'm not sure why all of a sudden certain sites have been blocked. I've tried logging into my account to try to change my settings using my default username and password but it keeps saying that I don't have access.
I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have a cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if there is no duplication of IP addresses?
Can't connect to sites such as this GamersFirst Forums -> International APB Reloaded Forums, unless I use a proxy site. Nor does connecting to the game work, either. But it works for my friends, apparently. I checked the router settings, no go. Turned the firewall and Norton on and off, and still the same. I even tried accessing on my sister's computer which is also connected to the same router, and it connects. Only my computer doesn't connect to some certain sites.
I have a laptop that works perfectly fine when plugged into a network cable, but the wifi refuses to work. It pulls an IP, and everything looks good when I run ipconfig /all, but it can't even ping the router. All other computers on the network are working fine. I've flushed DNS, set a static IP and DNS, uninstalled/reinstalled the device, updated drivers, BIOS, and firmware, and even created a backup image of the computer and reloaded the OS using the recovery partition. The event log doesn't tell me anything, and there are no flags in the device manager. I'm at a complete and total loss. I cannot figure this one out. The laptop is a Compaq Presario CQ50-142US, Vista 32-bit OS. Everything was working perfectly fine before it got a virus. I ran through the standard procedures of AVG, Malwarebytes, TDSSKiller, and even resorted to Combofix, but somewhere along the line the wifi dropped off and will not come back. I even double checked the HOSTS file and IE proxy settings to ensure I wasn't crazy, although I know those should've affected the wired connection too. My last step is to either replace the wifi chip (which I don't think is the problem), or wipe it and load the OS from scratch, but I don't have an OEM disc since it has the recovery partition.
I can't access some sites, loading times are endless and they look totally strange when I can access them (no images and so on). Sites are completely random; some examples are GamersLegacy.it - Starcraft 2, Diablo 3, Dota2, World of Warcraft, League of Legends, Inferno eSports - Homepage (videogames forum), FINECO: Conto, Investimenti, Trading, Prestiti e Mutui - Banca diretta, online o con promotore (bank), Sigma Draconis
1) Cleaned laptop with Ad-aware and Malwarebytes, found 2 issues but didn't fix the problem.
2) Closed the firewall, nothing either.
3) Changed/flushed DNS, tried both OpenDNS and Google DNS, nothing.
4) She CAN access those sites; she has the same connection to the router (via wireless) and she has the same OS (Windows Seven). I think that means it's my problem, not a router one.
5) Tried to lower the MTU setting on my wireless connection as I read that could be the problem; nothing new here.
6) Here comes the tricky part. I tried to access those sites via proxy (Ninja Cloak | Fast, free, anonymous web browsing with NinjaCloak.com) and they actually work!
I have a DIR-655, Hardware Ver B1, Firmware Version: 2.10NA. Comcast Motorola cable modem Surfboard SB5101. The problem started happening a couple of days ago. When my computer is hooked up to the cable modem directly, I am able to connect to outlook.com just fine, but when I go through my router, it can't connect to the site. I played with the MTU (lowering it by 10) all the way to 1300 but it didn't work. The problem started happening all of a sudden without any changes in the cable modem, router or my computer.
I also tried cloning the MAC address from my PC but it didn't work. I also tried turning off both modem and router, waiting 2 minutes, starting the modem, waiting for all lights to come up and then starting the router. Sites I can't connect to are: outlook.com, Starcraft 2, Comcast, eBay, Facebook. One thing that I noticed was weird is that I am able to connect to cnn.com using IE9 just fine but ping shows: [code]
I managed to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.
Outside and Inside are not accessible to each other because Outside No Forward to Inside.
My purpose now is to access the shared folder via Windows Explorer (under Network) between, for example, DMZ and inside. I tried to do it but cannot even see the host of the other party's network. For example, if I open Windows Explorer at DMZ, I can't see the host at the Inside network. Likewise, if I open Windows Explorer at Inside, I also can't see the host at the DMZ network.
How do I configure it so that I can access the host as well as the shared folder of two sites which already can ping each other?
I need to implement a backup between two sites. I have a router 2800 which has point-to-point connectivity with the far end. At the far end there is no router, only one firewall; on that firewall one access-list is there to allow the traffic. To implement the backup link I have created a site-to-site VPN. But the problem is as soon as the tunnel is established. For the time being I have removed my site-to-site config from both firewalls.
I have a LAN with several Linux boxes (Fedora 17, both 32 and 64 bit), as well as a WinXP box. All of these are connected to the same switch, which is connected to the inside port of my PIX 515.
For a few sites (mozilla.org happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that matter - will not go through the PIX (from inside to wan). I have verified this by first using Wireshark to watch the packets being sent out from the client box, then by using the trace function in the PIX to see that the packets ARE arriving at the inside interface, but ARE NOT sent out of the wan interface.
This is for the Linux boxes ONLY. When I do the same thing with my WinXP box, all works: in the PIX trace, I see the packets arrive at the inside interface, and leave the wan interface. And access to these sites is okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
I have been using this PIX for about 10 years now, with the same configuration (except IP addresses). Only in the last several months has this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something else. I don't have any support license, and have not been able to get any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2) Cisco PIX Device Manager Version 2.0(2)
I have a problem with site to site connectivity. I have 2 sites (Site 1's public IP 115.119.120.X, local IPs are 192.168.1.0, and Site 2's public IP 115.119.187.X, local IPs are 192.168.2.0). Both sites are at different locations and the routers used are Maipu 800. At present both sites are running with internet (each router is configured for DHCP, NATing and DNS for internet). Guide me with a complete config; both local systems have to communicate... My preference is the existing routers, and if it is necessary to change the routers, what will be the config?
In my LAN, I have always used an Aironet 1250 for internal use and it always worked fine. Now I added a 3Com AP but both APs are not working correctly. When I turn off the Aironet 1250, the 3Com AP works fine. When both are turned on, the 3Com AP loses connectivity all the time. I have heard about the overlapping channels in 802.11b/g networks.
I have an ASA5510, and site-to-site VPN with several remote clients. I have to add another client but their network range overlaps an existing tunnel. Both are using 172.16.0.0/16. I would like to 1-to-1 NAT them as 172.17.0.0/16.
Is it possible to perform the NAT on my device, post-decryption, or is it necessary that I have them perform the NAT at their end?
I'm having problems connecting to certain sites on the internet through one computer. I can connect ok on other computers going through the same home network. On the one computer that is having problems I can connect to the site, but then when I click on a link I get "unable to connect"; then I can reload the page and sometimes it connects to the page. So as I am browsing through the site, almost every time I click on a link I get "unable to connect" and have to keep reloading the page.