Cisco Firewall :: 5520 Connect Two Overlapping IP Address Sites

Dec 13, 2012

I am trying to connect two overlaping IP address sites ( see attached diagram). Site A LAN address will dynamic NAT to at ASA5520.All the users from site A need to get services from site B ( DHCP, DNS, Mailbox,Print Servers, AD loggin etc). All the connections will be initiating from site A to B.
1-will all these services will run over NATed address.( dynamic) or I have to change to static NAT?

2- Any sample config for ASA 5520 for this type of network?

View 3 Replies


Cisco WAN :: How To Handle Non-overlapping Subnets With ASA 5520

Nov 25, 2011

Our IPS has given us a second range of IPs as we were running out.  Unfortunately, they can only give us two non overlapping range.  I am running two ASA 5520 in fail over to handle our traffic but I don't know the best way to use both external ranges.  This is not a failover scenario -- and I need outward facing servers on both ranges.  It is adventageous to us to keep the two external subnets separating two of our operations so we don't want to bring everything into one subnet (long story).I have one NIC designated outside that will need to cater for both wans.  As there are two subnet there are two gateways.  How do I keep the traffic on track?

View 4 Replies View Related

Cisco Firewall :: ASA 8.3 NAT Overlapping Networks?

Apr 18, 2011

how to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc). Using this as a guide [URL] I was able to get it to work using an ASA and a router (initial configuration below).  I'm able to ping from host1 to (host 2) and it works, as does pinging from host 2 to (host 1).  The issue I'm having now is that I've replaced that router with another ASA (second configuration below).  Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well.  I'm only seeing issues when using two ASAs.  I've verified that ICMP and telnet are permited inbound on the ASAs as well.  I even tried seperating the final host with another router (third configuration).

Initial configuration:
Host 1 --------------------------- Router -------------------------- ASA--------------------------- Router ---------------------- Host 2                    e0:                 in:               e1:   
NAT:            e1:               out:               e0:             NAT:


View 1 Replies View Related

Cisco Firewall :: 5505 / Can't Connect To All Sites Outside From Inside

Dec 20, 2012

For some reason there are some sites that I cannot access websites from inside interface.One such example is where I am receiving this message in the browser:The connection has timed out   The server at is taking too long to respond.This has "suddenly" happened, and so I am wondering what others have done when such things has happened. My outside has a dhcp-IP, and I have noticed that this address had changed, so I corrected this in my router settings.ASA version is 5505
These are my settings:

: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password 123412321 encrypted
passwd 1231231 encrypted


View 4 Replies View Related

Cisco Firewall :: MAC Address Filtering In ASA 5520?

Jul 25, 2008

CAn we filter MAC address in LAN using ASA 5520 , whats the method ?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 No Address Available For SVC Connection

Oct 7, 2012

We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.

View 23 Replies View Related

Cisco Firewall :: 5520 Static NAT And Same IP Address For Two Interfaces

May 28, 2012

We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where would be the same public IP address.
-static (inside,Outside)  access-list inside_nat_static_1
-static (production,Outside)  access-list production_nat_static_1

View 2 Replies View Related

Cisco Firewall :: ASA 5520 Address Translation And Port Forwarding

Oct 31, 2011

I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ.  In the documentation for the Mitel border gateway it wants me to set up 2 external IP's on my ASA one to allow 443 traffice into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MGB in the DMZ.  My problem is I don't know how to do this. the MBG only has one IP, and I need to have 2 different URL's mapped to two different external IP's both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.

View 10 Replies View Related

Cisco Firewall :: ASA 5520 - Permit Traffic To Inside Via MAC - Address?

Apr 6, 2011

I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network?  I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world.  I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.

View 2 Replies View Related

Cisco Firewall :: 5520 - Multiple Global IP Address Range On ASA Outside I/f

Mar 17, 2011

Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?
Will VLANs work at all with IPSEC on the "oustide" i/f at all ?

View 2 Replies View Related

Cisco VPN :: ASA 5520 / Access To DMZ From Remote Sites Over S2S VPN?

Nov 10, 2011

We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN ( and our DMZ ( network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A ( and site B ( have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?

View 6 Replies View Related

Cisco Firewall :: 5520 - Object-group With Network-object Containing IP Address Range

Apr 7, 2013

Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object-group mode commands/options:
A.B.C.D  Enter an IPv4 network mask
sh run ob id test
object-group network test
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.

View 5 Replies View Related

Cisco Firewall :: 5520 - Where To Connect 2 DSL Using ISA / TMG-2010

Apr 4, 2011

i am working on a project with 2 security ASA's 5520 with Microsoft ISA/TMG-2010 Server having 2 DSL's my question is regarding the designing issue where should i connect the 2 DSL's using ISA/TMG-2010..

View 1 Replies View Related

Cisco WAN :: 5520 - Connect Router To Passive Firewall?

Jan 28, 2013

I had a design question, Currently we have a active/passive asa 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet, Gig 0/1 connects to a port on the active firewall. We also have a one port fast ethernet card on the router.How can i use the fast ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the fast ethernet port on the router.

View 3 Replies View Related

Cisco :: Overlapping IP Ranges?

Jun 1, 2012

I am trying to trouble-shoot / map out a large network with a freaking butt load of over lapping IP addresses

View 8 Replies View Related

Protocols / Routing :: Unable To Access Any Sites Except Google Sites

Jul 8, 2012

MY ISP installed one router in my lab.for internet connectivity they mail me steps :connect your Laptop directly to gi0/3 port to check internet connectivity with public ip 1.1.1.x and Gateway with subnet mask after connection I surprised because I am able to access only google sites like gmail,google search etc. but I am able to ping/traceroute all sites.from browser I am able to access only google sites only.In Router no firewall no such access list.

View 2 Replies View Related

Cisco Switching/Routing :: / Outside NAT With Overlapping IPs In VRFs?

Apr 7, 2013

I have in 2 VRFs (lite) on 2 different VLANs What i would like to achieve:- if i connect to in the global VRF then translate it to VRF1 destination address.- if i connect to in the global VRF then translate it to VRF2 destination address  IMHO the solution is quite simple:ip nat outside source static vrf VRF1 ip nat outside source static vrf VRF2 However the router thinks something else:

R1(config)# ip nat outside source static vrf VRF1
R1(config)# ip nat outside source static vrf VRF2% already mapped ( ->
IMHO this configuration should be valid. The global VRF has two IPs ( and while the 2 other VRFs work happily with the two identical destinations as they should. The two translations should be easily distinguished as these are from two different VRFs.Either i am missing something or it is a problem in IOS.
IOS is 12.4(25f)
HW is 3845

View 1 Replies View Related

Cisco VPN :: ASA 5510 / LAN-to-LAN IPsec VPN With Overlapping Networks?

Feb 14, 2012

I'm trying to connect two operlapping networks via IPsec.

Details:Site_A use ASA 5510 with software version 8.0(4)32. Site_A use, and inside networks. is directly connected to ASA (as vlan10), and are routed.Site_B use Linux box and networks,, and so on (basically 10.100.x.0/24). I didn't set up this ASA, we took over this infrastructure without any documentation whatsoever.
According to link posted above I should use dual NAT. Site_B will see networks in Site_A as, and Site_A will see networks in Site_B as Site_A is allowed to access only in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence /22 mask in I'd like to, for example, ssh from host in Site_B to host in Site_A using as destination ip address (and it should be translated to on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only network part of the address an leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:
static (companyname,outside) access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
  TCP companyname: to outside:x.x.x.178/443 netmask
WARNING: real-address conflict with existing static
  TCP companyname: to outside:x.x.x.178/25 netmask
WARNING: real-address conflict with existing static


View 2 Replies View Related

Way To Connect Two Sites

Nov 29, 2012

my situation is that i have to connect 2 site which are 1km apart our data speed requirement is not so high 64kbps is enough so i heard this kind of setup is it best

View 3 Replies View Related

Can't Connect To Some Sites

Oct 13, 2011

I've been having problems for the past couple of weeks trying to connect to some websites. It is only SOME, not all websites. It will either say that it is taking too long to connect or that the website is experiencing problems.

View 9 Replies View Related

Sites Blocked By Netgear Firewall

Aug 26, 2012

i've had my netgear wireless router for about a year now.i went to facebook and i recieved a message on a red and black screen t hat said this site has been blocked by netgear fire wall. i've never changed any of my setting since i got this router so i'm not sure why all of a sudden certain sites have been blocked.. i've tried logging into my account to try to change my settings using my default username and password but it keeps saying that i dont have access.

View 5 Replies View Related

Cisco VPN :: ASA 5510 / VPN Client With Overlapping Private Networks?

Jun 6, 2012

I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if their are no duplication of IP addresses?

View 25 Replies View Related

Can't Connect To Certain Sites Programs?

May 20, 2011

Can't connect to sites such as this GamersFirst Forums -> International APB Reloaded Forums, unless I use a proxy site.Nor does connecting to the game works, either. But it works for my friends, apparently.I checked the router settings, no go. Turn the firewall and Norton on and off, and still the same. I even tried accessing on my sister's computer which is also connected to the same router, and it connects. Only my computer doesn't connect to some certain sites.

View 3 Replies View Related

Has IP - Cannot Ping / Connect To Sites

Feb 17, 2013

I have a laptop that works perfectly fine when plugged into a network cable, but the wifi refuses to work. It pulls an ip, and everything looks good when I run ipconfig/all, but it can't even ping the router. All other computers on the network are working fine. I've flushed dns, set static IP and DNS, uninstalled/reinstall device, updated drivers, bios, and firmware, and even created a backup image of the computer and reloaded the os using the recovery partition. The event log doesn't tell me anything, and there are no flags in the device manager. I'm at a complete and total loss. I cannot figure this one out.The laptop is a Compaq Presario CQ50-142US. Vista 32bit OS. Everything was working perfectly fine before it got a virus. I ran through the standard procedures of AVG, Malwarebytes, TDSSKiller, and even resorted to Combofix, but somewhere along the line the wifi dropped off and will not come back.I even double checked the HOSTS file and IE proxy settings to ensure I wasn't crazy; although I know those should've affected the wired connect too.My last step is to either replace the wifi chip (which I don't think is the problem), or wipe it and load the os from scratch, but I don't have an oem disc since it has the recovery partition.

View 14 Replies View Related

Can Connect To Some Sites Only Via Proxy

Jul 20, 2012

I can't access some sites, loading times are endless and they look totally strange when I can access them (No images and so on). Sites are completely random, some examples are - Starcraft 2, Diablo 3, Dota2, World of Warcraft, League of Legends, Inferno eSports - Homepage (videogames forum)FINECO: Conto, Investimenti, Trading, Prestiti e Mutui - Banca diretta, online o con promotore (bank) Sigma Draconis

1) Cleaned laptop with Ad-aware and Malwarebytes, found 2 issues but didn't fix the problem.

2) Closed firewall, nothing either.

3) Canghed/flushed DNS, tried both openDNS and GoogleDNS, nothing.

4) She CAN access those sites, she has same connection to the router (via wireless) and she has same OS (Windows Seven). I think that means it's my problem, not a router one.

5) Tried to lower MTU settings in my wireless connection as I read that could be the problem, nothing new here.

6) Here comes the tricky part. I tried to access those sites via proxy (Ninja Cloak | Fast, free, anonymous web browsing with and they actually work!

View 3 Replies View Related

D-Link DIR-655 :: Can't Connect To Certain Sites

Dec 3, 2012

I have dir655 Hardware Ver B1 Firmware Version: 2.10NA.Comcast Motorola cable modem surfboard SB5101. The problem started happening a couple of days ago. When my computer is hooked up to the cable model directly, i am able to connect to just fine but when i go through my router, it can't connect to the site. I played with MTU (lower it by 10) all the way to 1300 but it didn't work.The problem started happening all the sudden without any changes in the cable modem, router or my computer.

I also tried cloning MAC address from my pc but didn't work.I also tried turn off both modem and router, wait 2 minutes, start modem, wait for all lights to come up and start the router.Sites i can't connect are:, starcraft2, Comcast, eBay, Facebook.One thing that i noticed weird is that i am able to connect to using IE9 just fine but ping shows: [code]

View 8 Replies View Related

Cisco Firewall :: How To Access Folder Between Two Sites - ASA5505

Oct 27, 2011

I manage to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.
Outside and Inside are not accessible to each other because Outside No Forward to Inside.
My purpose now wants to access the shared folder by Windows Explorer ( under Network ) between for example DMZ and inside. I tried to do it but cannnot even see the Host of the other party network. For example, if I open Windows explorer at DMZ, I can't see the Host at Inside Network. Same as I open Windows Exploere at Inside, I can't see also the Host at DMZ network.
How am I configure so that I can access the hsot as well as shared folder of two sites which already can ping each other?

View 12 Replies View Related

Cisco Firewall :: 2800 / Implement Backup Between Two Sites

Sep 13, 2011

I need to implement the backup between two sites I have router 2800 which is having a point to point connectivity with the far end.At the far end there is no router ,only one firewall is there on that firewall one access-list is there to allow the traffic .To implement the back up link i have created a site to site vpn  .But the problem is as soon as the tunnel is establised .For the time being i have removed by site to site config from both firewall.

View 7 Replies View Related

Cisco Firewall :: PIX 515 Blocking Outbound Traffic To Certain Sites

Oct 14, 2012

I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits),  as well a a WInXP box. All of these are connected to the same switch,  which is connected to the inside port of my PIX 515.
For a few sites ( happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that  matter - will not go through the PIX (from inside to wan). I have  verified this by first, using wireshark to watch the packets being sent  out from the client box, then by using the trace function in the PIX to  see that the packets ARE arriving at the inside interface, but ARE NOT  sent out of the wan interface.
This is for the linux boxes ONLY. When I do the same thing with my WinXP  box, all works: in the PIX trace, I see the packets arrive at the  inside interface, and leave the wan interace. And access to these sites  are okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
Some background:
I have been using this PIX for about 10 years now, with the same  configuration (except IP addresses). Only in the last several months has  this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something  else. I don't have any support license, and have not been able to get  any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by (code)
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

PS: Since this PIX is at its end of life, I was wondering if any of the  software upgrades would be now available without a license?

View 2 Replies View Related

Cisco WAN :: Maipu 800 / How To Connect 2 Sites With Different Subnets

May 27, 2013

I have problem of Site to Site connectivity  I have 2 sites (Site 1' public ip. 115.119.120.X, local ips are, & Site 2' public ip 115.119.187.X, local ips are sires are having different locations & using routers are Maipu 800.At present both sites are running with internet (each router are configured for DHCP, NATING & DNS for intenet)guide my with complete config, both local systems has to communicate...My preperance is existing routers & If it is nessary to change the routers, what will be the config.

View 1 Replies View Related

Cisco :: Aironet 1250 Overlapping Channels / COM-AP Loses Connectivity

Jan 13, 2012

In my LAN, I have always been used an Aironet 1250 for internal use and always work fine. Now, I added a 3com AP but both AP are not correct. When I turned off the AIRONET 1250, the 3COM AP settings works fine. When both are turn on, the 3COM AP loses connectivity all the time.I have heard about the overlapping channels in 802.11b/g networks.

View 8 Replies View Related

Cisco WAN :: ASA5510 - Multiple L2L VPN With Overlapping Remote Network Ranges?

Feb 4, 2013

I have an ASA5510, and site-to-site VPN with several remote clients. I have to add another client but their network range overlaps an existing tunnel. Both are using I would like to 1-to-1 NAT them as
Is it possible to perform the NAT on my device, post-decryption, or is it necessary that I have them perform the NAT at their end?

View 2 Replies View Related

Unable To Connect To Certain Sites On The Internet?

Mar 14, 2013

I'm having problems connecting to certain sites on the internet through one computer. I can connect ok on other computers going through the same home network. On the one computer that is having problems I can connect to the site but then when I click on a link I get unable to connect then I can reload the page and some times it connects to the page. So as I am browsing through the site almost every time I click on a link I get unable to connect and have to keep reloading the page.

View 5 Replies View Related

Copyrights 2005-15, All rights reserved