Cisco Firewall :: ASA 5505 - Setting Up 2 LAN Networks And 2 WAN Connections?
May 16, 2013
I have an ASA 5505 with Security Bundle license.
I am able to create 2 LAN networks (192.168.9.0 and 172.16.9.0), Vlan1 and Vlan12 respectively. I also set up 2 outside interfaces (outside1 and outside2).
Network 1 (192.168.9.0 - VLAN1) has no issues going out via Outside1; however, I can't get Network 2 (172.16.9.0 - VLAN 12) to go through outside2.
I put in a static route (route outside 172.16.9.0 255.255.255.0 x.x.x.x), the x.x.x.x is the default gateway of my ISP.
I would like to configure a Cisco ASA 5505 with Dual ISP (ISP1 and ISP2) and two networks (network 1 and network 2). My customer needs clients in network 1 to connect to the Internet with ISP1 and clients in network 2 to connect with ISP2. If a failure occurs in ISP1 (just an example), the network 1 clients connect with ISP2.
1. I currently have a Comcast Business Class Gateway, Cisco 2100 Series WLAN Controller and a Cisco ASA 5505 all connected together to supply LAN and WLAN internet connections on my network.
2. I also have a Card Access Security System on its own network. It currently does not have internet access.
I would like to put my security system on the internet so that I can support it remotely. To do this, it has to be on a firewalled internet connection. Can I put the two networks on my ASA 5505 and keep them separate? I don't want to provide a path into the Security System through my current LAN & WLAN. But I do need a firewalled internet connection on my Security System. I am trying to avoid purchasing a separate firewall.
I'm using an ASA 5505 with 8.4(2) and have the following problem. I have 2 networks. Each network has its own external Internet IP and also a mail server. [code]
Now I want communication between the two mail servers using their external IP addresses. I did a static NAT from int any to int any, and also from int routed to int routed, but nothing worked. Packet Tracer showed at NAT-Lookup, where the external address of the second mail server is passed: Info Static translate Network1 to Network1
But it should show a translation from network1 to network1-external. Due to security reasons, I cannot paste the whole config. Under 8.0 I did the same configuration with Policy NAT and it worked.
Setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch. BT have presented me with a Cisco 3800 series router with the following details:
Network Address / Network Mask / BTnet NTE Router LAN Address
There are 2 Gigabit Ethernet ports on the back of the router. Port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA, but I am unable to get any connection.
We have a user who needs to access a VPN from his Mac through an ASA 5505. The user is getting an IP via DHCP and the outside interface of the ASA gets its address via DHCP as well. The user states that when he is home or anywhere else but behind the ASA it connects fine, but once the ASA is added it times out. He is able to get to the internet from the machine without any issues. Looking over the config on the firewall, it isn't set to deny any traffic, there is a global set on the interface, and it is NATing the inside interface. There is no global policy in place, so I was considering implementing the following:
I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like to. The goal is to set up four networks and control access with ACLs between them:
1. Outside
2. DMZ
3. ServerNet1
4. Inside
The ASA version is 9.1 and I have been reading about two different ways of handling IP routing with this: NAT exempt, and not configuring NAT at all and letting normal IP routing handle the internal networks. No matter how I configure it, with or without NAT, I cannot get access from the Inside network to the DMZ or from ServerNet1 to the DMZ. The strange thing is that I can access services from the DMZ to Inside and ServerNet1 if the access list allows it. For instance, the DNS server is on the Inside network and the DMZ works great using it. [code]
We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our provider's network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IPs of 192.168.1.96 - 100, using the gateway of 192.168.1.225.
The main office network is 192.168.0.0 (Gateway of 192.168.0.1)
At this end (main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to port 0 on my ASA 5505). The ASA's port 1 is obviously running into my network hub. The provider tells me that port 0/1 on the 2900 is, or should be, used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So, I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route set up either on the 2900 or on the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.
There is already a static route set up on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:
1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub? At first I was plugging right into the ASA, but I don't think I need to do that. Why go from the branch office through my ASA to access resources and then back out the ASA for internet? If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.
2. If they have to route through the ASA first, do I need to set up another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!
I am trying to get up to speed on this topic as quickly as possible.
Here is my issue:
1) We are able to access the website
2) We are able to upload data packets
3) We allow the website to time out while we are uploading data packets
4) When we attempt to re-access the website, the IP is blocked
   a) this includes pinging and trace
5) After an undetermined period of time the IP is unblocked and we are allowed to access it again.
The ASA 5505 router is the last forward-facing stop before entering the VPN tunnel. We have tested by circumventing the ASA and we are unable to duplicate the disconnect. We have reviewed the config file and have not been able to identify what rule/settings could be affecting this.
When tracing port usage, the actions use 2 TCP ports and 1 UDP port. The 2 TCP ports open and close with each transaction; when the IP block occurs the 2 TCP ports are "dead" while the UDP port remains open (apparently sending the remainder of the data packets).
I'm usually not working with this product, but this is what I'm trying to do. I have 2 internal networks set up on our Cisco ASA 5505 firewall (not done by me; I'm new to this product). I'm trying to access a server on one network from a PC located on the other internal network (preferably through the web GUI). When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase (source IP: 10.0.4.99, destination IP: 10.0.6.99). When I check the NAT rule, it says: Type: Dynamic, Source: any, Interface: outside, Address: outside.
I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?
I am trying to set up a DMZ on my Cisco ASA 5505, so that the wireless clients are connected behind the DMZ, the LAN clients are connected behind the inside interface, and both groups of clients can get to the Internet. I have been able to configure the ASA for both wireless and LAN, but the wireless clients still cannot get to the Internet. The LAN clients can get to the Internet. I do not want the wireless clients and the LAN clients to be able to communicate with each other. What commands do I need to run in order to allow the wireless clients to access the Internet?
How do I monitor connections to the DMZ port on our ASA 5505 (via ASDM 5.2)? We have a WAP connected to it and it's intermittently dropping connections.
A client has an ASA 5505 with a base license. The version information and configuration is attached. In 8 hours, sometimes less and infrequently more, it becomes inaccessible. All connections are dropped and the only way to access the device is through a console connection. The WAN interface (VLAN 3) is connected to Verizon FiOS. The interface was set to 100 Mbps and full duplex, but I just changed it to auto on both the speed and duplex to see what would happen. The LAN interface (VLAN 1) is also set to 100 Mbps and full duplex. It has not been changed.
The last time it happened logging was running, but nothing in the log indicated a problem. In fact, the last log entry was a couple of hours before the lockup (there's little or no traffic on the ASA while the problem is being diagnosed).
Trying to add inside routes on an ASA 5505 to point traffic to another gateway for other connected networks is resulting in the following error:
6 | Sep 16 2008 | 19:13:58 | 106015 | 10.184.236.126 | 50038 | 10.170.54.182 | 3389 | Deny TCP (no connection) from 10.184.236.126/50038 to 10.170.54.182/3389 flags RST on interface inside
I believe the problem is due to the asymmetric TCP connection: the ASA is dropping the connection because it only sees one half of the traffic. Is there a way we can stop the firewall dropping the TCP connections on the inside interface? I've tried removing the threat management, which didn't work. The annoying thing is we're putting the ASA 5505s in to replace old WatchGuard SOHO firewalls, and the WatchGuards forwarded the traffic with no problem at all.
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
This seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all). Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
We are trying to setup our ASA 5505 to do port forwarding to multiple internal servers and have run into some issues. A little background on what we are trying to do.
We have 1 static external IP. Internally we have one existing server (10.1.1.184) that has port 80 forwarded to it and another existing server (10.1.1.185) that has port 443 forwarded to it. Both of these servers are serving separate web apps to our employees, who of course use them offsite. We have now added an additional server (10.1.1.186) that needs to use both ports 80 and 443. Is there any way to set it up so that these ports can be forwarded to all the servers that need them? Also, how would this work as far as knowing which traffic will need to go to which server even though it is using the same port?
The equipment is: ASA 5505, ASA Version 7.2(4), ASDM Version 5.2(4). I apologize in advance if what I'm trying to do is difficult/impossible. I inherited the ASA 5505 at this location and I was not here when it was initially installed. In fact no one on staff was here when it was initially installed. I did manage to find the passwords to it though. I'm not at all familiar with the ASA 5505 or Cisco security appliances in general.
I am having a problem trying to figure out how to add a new ASA 5505 to an existing network. My current network is: Cable Modem > Linksys > 48 port switch, with multiple hosts residing on the 192.168.0.x network. Now I know that the ASA comes by default with 192.168.1.1 on the inside interface and I want to change that to 192.168.0.1. I have tried to do this through ASDM using the wizard and manually. Once I hit OK for it to write the config, it gives me an error that it didn't take. I then lose connection to the ASA and have to hard boot it to get it back. I am trying to do this without my external connection connected, and I have a laptop connected to the ASA on port 0/2 with an IP address of 192.168.1.75. Do I need to connect my internet connection to it first and then run the wizard? I was hoping to get it configured for my existing network before I plugged in the internet connection to limit my downtime. This ASA came with 6.4.1 ASDM and 8.2 OS installed. I was able to upgrade the ASDM to 7.X, but when I go to update the OS to 9.1, I get an error that I am not registered to use cryptographic software. Don't know where I need to register to get it?
I have an ASA 5505 that I was updating from firmware 8.04 to 8.41. Anyway, I went through the update procedure half-asleep and accidentally deleted the boot image right after I installed it (I used the CLI and put in the command del asa8*.bin then just hit enter a bunch of times, which of course means I deleted the old firmware too).
So now whenever I power up the ASA, I get the "Could not find boot file" error. Is there a guide somewhere that tells me how I can upload another boot image to the ASA and set the ASA to boot it from the ROMMON prompt?
When I check available Wi-Fi networks it says "No connections are available." All of our other computers work, so I don't know what the problem is. When I check Device Manager for the adapter it says my adapter is enabled, so I don't know what the problem is. How can I get it to recognize my Wi-Fi?
I have an office where the cable modem tends to go down on the weekend. Can I set up my ASA to support a second provider so that if the one connection is slow for some reason, my users could connect to the second provider instead? They would both be used at the same time most of the time.
My laptop has suddenly stopped connecting wirelessly. It's just fine with Ethernet though. My wireless adapter is enabled and showing fine in Device Manager and has the latest driver. Wireless Zero Configuration is enabled in Services. I tried simply disabling and then re-enabling the wireless adapter, but still no luck. I tried selecting the repair option for the wireless adapter and I get the exclamation in the yellow triangle deal. I checked to see if I was having issues with the firewall and that's not it either. When I click "View Available Wireless Networks" the dozen or so networks that used to appear are gone. I power cycled and reset my modem with no luck. I also did an ipconfig /release and ipconfig /renew in CMD but nothing changed. I have not changed any wireless settings for my NIC or modem/router and don't understand what else I can do.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\John>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : john-433101c601
Primary Dns Suffix . . . . . . . :
I would like to set up two separate networks from one internet connection (modem), with the goal being to have a public network (Network A) that would have a small server on it, and then a second secured network (Network B) that would have my personal computers on it, with both networks having a connection to the internet. (The idea being that if the server somehow became compromised, my personal computers and their data would be safe.) I have done some research and found that many people claim this can be done with just two or three routers, but none of them go into any detail about how to configure the routers. Below are the physical setups of the two options that I have come up with in my research. Which, if either, would you recommend? And how would I configure each of the routers?
Modem/router 1 (Network A, public)
  -- Internet in WAN port
  -- port 1 to WAN of router 2
  -- port 2 server
I'm asked to think of a solution to make another network available in an existing LAN connected by switches (connected to each other). At the moment we have a network with 192.168.110.0 and we are short on IP addresses because of a large DHCP pool for wireless clients and a growing network with static IP addresses. So basically what I want to accomplish is an extra network 192.168.111.0 in the existing LAN, and all computers have to be able to communicate with each other and all computers have to be able to connect to the internet using gateway 192.168.110.1 (directly or through route tables). For future growth, an extra LAN 192.168.112.0, with not per se internet access, for VoIP only, but that is on the side and is not a priority, because I can easily set up that network on the same switches without them being able to connect to the computers and servers in the network. (Correct me if I am wrong.)
What I found out browsing the internet is that a layer 3 switch may provide the solution, but I can't make out from the technical specs whether that's going to work when both LANs' computers will be connected to the same switches. I also found a lot of solutions with setting up a server with 2 NICs and setting up routes on that server. But since we have a very large amount of network traffic with large graphical files, having 2 NICs route all that traffic doesn't seem like a desirable solution for my purpose.
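The primary/backup ISP behaviour asked about in this post, and the ping-tested cutover described in the cable/DSL fallback post above, as an added configuration example that is not from any of the posters: ASA 8.3+ syntax, with RFC 5737 placeholder addresses, the interface names "outside" and "backup", and the 192.168.9.0/24 inside network from the first post, all assumed.

```cisco
! Added example (not taken from any of the posts above): ASA 8.3+ dual-ISP failover
! using IP SLA route tracking. All addresses are RFC 5737 placeholders; the
! interface names "outside" (primary ISP) and "backup" (secondary ISP) are assumed.
! On a 5505 Cisco lists dual-ISP/backup-interface support under the Security Plus
! license, so check "show version" before relying on it.

! Probe: ICMP echo to a host that is reachable through the primary ISP path.
! Three probes every 10 s with a 1 s timeout; three misses mark the path down.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 10
 timeout 1000
 threshold 500
sla monitor schedule 10 life forever start-time now

! Track object follows the probe's reachability state.
track 1 rtr 10 reachability

! Primary default route is withdrawn while track 1 is down; the higher-distance
! backup route then takes over and is withdrawn again once the probe recovers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! PAT behind whichever ISP-facing interface the packet actually leaves on
! (manual/twice NAT, 8.3+ syntax; one rule per egress interface).
object network inside-net
 subnet 192.168.9.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
nat (inside,backup)  source dynamic inside-net interface

! Read-only verification after applying:
!   show sla monitor operational-state 10
!   show track 1
!   show route
```

The tracked route is reinstated as soon as the probe succeeds again, so there is no "stall before cutting back" of the kind the earlier post describes; tune frequency and num-packets to avoid flapping, and expect existing connections on the backup path to be torn down at failback.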
I'm new at this stuff and very stumped. I have one WAP with multiple SSIDs that support VLAN IDs (for a private and a guest wireless network) and a managed switch that supports tag- or port-based VLAN IDs. How do I set up the switch so that the networks are separate, but can still reach their own routers to get on the Internet? In case details are necessary, the WAP is a Cisco Aironet 1130AG and the switch is a Netgear FS750T2.
In my home, I have a broadband internet connection, which is Time Warner Cable. I also have an Apple AirPort Extreme that shares my internet throughout all of my computers. My current setup runs perfectly, but the problem is I have other devices in my home that require a WEP security key. My AirPort Extreme is running on WPA, but I don't want to lower its security to WEP just for those devices. What I'm trying to do is create another separate network which has a WEP security key (Linksys WRT54G). So ultimately, I would like to set up two networks, one on the AirPort Extreme and the other on the Linksys, which both run under the same WAN address provided by Time Warner Cable.
We have two separate businesses in the same building who will both need access to shared resources and the same internet connection. They will need to remain on separate subnets and cannot communicate directly with each other. The current switch is a Cisco ESW-520-48P and we are looking at purchasing an SG-300-20P for the new business moving in. Here's how we envisage setting it up:
The ESW-520 will host Company A's network: workstations, servers etc. The SG-300 will have two VLANs. VLAN1 will host all of Company B's network: workstations, servers etc. VLAN2 will host the shared resources such as printers. The internet gateway is a UNIX-based system with 3 NICs. 2 NICs are taken up by ADSL connections while the other NIC is the LAN, which would connect to VLAN2 on the SG-300. We would like to define which ADSL connection to route through depending on which subnet traffic is originating from. The ESW-520 will need access to the shared resources and internet gateway on VLAN2 on the SG-300.
Setting up networks with multiple locations and multiple wireless points. For example: my sister's home has her modem in her main computer room, with a Belkin router hooked to the modem. Then a line goes from there to my nephew's room, where I tried to expand their network by adding another router. I really just wanted an access point, but they don't seem to sell these as much as they used to. Anyway, I had it working, but it was two different networks, NETWORK1 and NETWORK2. So they had to swap networks when moving around the house. What would be the best hardware setup to provide both sides of the house with some hardwired access as well as Wi-Fi access? Right now, we have two routers, a DIR615 (or something like that) and a Cisco E1000, and again a hardwire going from the main computer room to my nephew's room. Also, in my house, I have lots of stuff... I have an Actiontec router from FiOS, feeding a small hub as well as a switch in my main room, which then feeds a PS3, Wii, laptop, Denon receiver, and access point... and also feeds my Apple Time Capsule, which also feeds my printer. My wireless devices range from cameras, iPhones/iPads, and a Wi-Fi unit (I forget what it's called, but it connects my DVR wirelessly to my network, and the DVR itself doesn't have Wi-Fi).
My question about my setup is, should everything be on one network... as in, let the Actiontec handle most of the duties and use switches and access points to extend the network? Should everything be on the same wireless network and channels? Like, if I used my access point to extend, do I want the same settings as my main wireless router, and would that be the same for the Apple AirPort Extreme? Also, does having all these wireless networks going create any kind of hindrance to my performance? For example, the PS3 has some sort of Wi-Fi in it... it produces an SSID, but I never connect to it. Should I make sure that's off? And in my main room, should I go with just the AirPort Extreme over using it and the wireless access point?
I currently have one wireless router in my house. Of course it's hooked up to the modem, but I also have it hooked up directly to my desktop, considering the router is on the desk where my computer is. I recently moved to a new house. One of the rooms has a huge brick wall in it; unfortunately the computer is in that room. AND it's on the far left side of the house, so the other side of the wall barely gets any signal (enough to work, but it bounces and only gets about 2 megabytes per second, which is awful, because the router sends out 20 megabytes per second due to our internet plan). Now, my room is all the way on the far right side of the house. In my room I get barely any connection at all; 20% is normal in my room. I have my PlayStation 3 in my room, so I had to wire an Ethernet cable from the wireless router, up through the attic, to my PS3. I can now get 20 MBPS while playing video games. While that is great, I still don't have a wireless connection back there.
What I want to know is, can I plug in another wireless router into the Ethernet cable in my room, sending out another signal? So basically, I'm plugging a wireless router into another wireless router, and want them both to send out internet. I plan on getting a gaming laptop in December and will be playing it most of the time in my room. I need to know if this is possible, and if it is, how do I do it? First off, let me state that moving the computer or router in front of the brick wall is completely out of the question. Also, I know a lot of stuff about computers, but know almost nothing about networking.