Cisco Firewall :: ASA 5505 And LAN To LAN Routing?
			Jan 5, 2012
				I am just about to buy ASA 5505. I need outside interface with Public interface that can NAT to two internal (priv)( networks. Can I have two inside interfaces, like192.168.1.0 and 10.2.0.0 that can talk to each other? Can I do it without vlans? Reason why, I would need to reconfog my current switches. On cisco web they saying that: "With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN" - but I need two inside netwroks be able talk to each other.
	
	View 10 Replies
  
    
		
ADVERTISEMENT
    	
    	
        Apr 8, 2013
        I am new to the ASA so I am not completely familiar with it's ins and outs but here is the situation.I have a VPN connection that my company uses regularly.  I have the VPN Pool on 192.168.18.0/25 and my Internal network at 192.168.16.0/24. My problem is that I have my phone system on 192.168.16. 254 and the only way to see it is if I change the pool to be within the same IP range as my internal network. The catch is that if I do this then that is the ONLY IP that is available to that VPN connection. Is there a way to make the 192.168.16.254 available to 192.168.18.0/25?
	View 7 Replies
    View Related
  
    
	
    	
    	
        Apr 20, 2011
        I have Cisco ASA 5505 Firewall with security plus license. I want to Configure 3 different subnet for inside network 10.1.x.x, 10.2.x.x and 10.3.x.x So any  PC from 10.1.x.x should be able to ping 10.2.x.x So my question is that possible with ASA?? If yes than how can i configure on ASA 5505, as  i know on 5510 we can configure sub interface and do intervlan routing.
	View 4 Replies
    View Related
  
    
	
    	
    	
        Dec 5, 2012
        I have an ASA 5505 and I have the three regular vlans, outside, inside and dmz. The best would be only have outside and inside and skip dmz, but without explenation there is not possible to have more then two clients in whats now dmz because of a mac filter on third party device.
 
So as security is concerned dmz and inside is equal, one to one and there should be full access between them. I ran the wizard and said that the only way traffic not should be possible to flow is from dmz to outside.
 
In the NAT rules the onle rule is
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
 
But traffic from one way or the other dmz to inside, og inside to dmz it says in log
 
3Dec 06 201215:38:39305006172.17.6.1053portmap translation creation failed for udp src inside:192.168.6.102/49358 dst dmz:172.17.6.10/53  From documentation I have an image with network drawing from documentation. What do I have to do allow traffic btween inside and dmz, both ways.
	View 3 Replies
    View Related
  
    
	
    	
    	
        Aug 11, 2012
        I have a Cisco ASA 5505 that has been configured to act as a router as  well.  I have configured 3 VLANS that have access to the internet.  For  some reason the "InsideWifi" and the "Guest" VLANS have very slow  internet speeds and sometime web pages wont finish loading properly.   The "Inside" VLAN gets the speeds that are expected. The DNS server  does reside on the "Inside" VLAN. Is there anything wrong with my  configuration that would cause the internet speeds on the other VLANS to  be slow?  My config is attached.
	View 6 Replies
    View Related
  
    
	
    	
    	
        Feb 18, 2013
        I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
 
1. Outside
2. DMZ
3. ServerNet1
4. Inside
 
ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it.  [code]
	View 13 Replies
    View Related
  
    
	
    	
    	
        Aug 15, 2011
        CISCO ASA 5505
 
Interfaces: 
 
OUTSIDE - 194.50.90.221   255.255.255.0 / security level 0
DMZ - 192.168.12.254   255.255.255.0 / security level 25
INSIDE - 192.168.0.6     255.255.255.0 / security level 50
 
Now, if I want to ping from the DMZ to INSIDE, I get an error message "no translation group found for icmp src DMZ: ...... dst: INSIDE...."
 
I fixed is by adding "NAT 0" onto the INSIDE interface so that packets originating from "INSIDE" that are destined for "DMZ" do not get NAT'd.
 
Now my question is, becasue these are all directly connected networks, how come the firewall does not route the packets, but tries to NAT them instead.
	View 6 Replies
    View Related
  
    
	
    	
    	
        Jul 8, 2012
        Ive been readin all over the internet (including this site) trying to figure out if the asa can handle intervlan routing. Im not sure what I am missing on my config to get this to work.  Ive read that it can work and Ive read that it cant work. How to get this to work on my asa 5505. 
 
Here is my setup
 
Cable Modem ---> ASA (eth0/0)  
(eth0/2) -->unmanaged switch for LAN connectivity
(eth0/3) --> Access point for wireless LAN connectivty
 
My config is attached
 
What I would like to do is be able to communicate between vlan3(LAN) and vlan4(Wireless LAN)
 
Whats strange is I can RDP between the two vlans but I cant ping or anything else.
	View 20 Replies
    View Related
  
    
	
    	
    	
        May 4, 2011
        I'm new to Cisco equipment much more familiar w/ Sonicwall w/ that said......I have a 5505 w/ Security Plus licensing
 
I have set up multiple VLANs as follows
 
VLAN 1 inside - still setup as 192.168.1.1 (will not be using this for our lan)
VLAN2 - outside 
VLAN100 - LAN 10.1.1.1/24 
[Code]....
If I do add all the VLANs above I understand I will probably have to make a trunk port since I only have 5 usable interfaces
	View 12 Replies
    View Related
  
    
	
    	
    	
        Jan 4, 2012
        ASA 5505 vlans routing & access-list?
	View 4 Replies
    View Related
  
    
	
    	
    	
        Dec 4, 2012
        We are setting up a new phone system using the UC540 with a VPN connection between 2 buildings using 2 Cisco ASA 5505's at either end.The problem I am having is getting the phones at the remote site to connect to the UC540 at the main site. 
 
Phones/Computers (10.0.1.0/24) -- ASA -------------VPN Tunnel------------- ASA -- UC540 -----------Data Vlan1 (10.0.0.0/24)
|------Voice Vlan100 (10.1.1.0/24)
 
What i am told by UC500 support is that the phones at the remote site will connect if they have connectivity to the TFTP subnet on the UC540, which is 10.1.10.0/30 I added the static route on the ASA and I can ping the 10.1.10.1 TFTP server on the UC540 from the ASA, but not for any other device on the 10.0.0.0/24 network, such as the DC.  I added the static route there and was able to ping, so something in the ASA seems to be preventing it.  
 
I also can't seem to get the ASA at the remote site to ping 10.1.10.1.  I've tried adding the static route there in hopes it would forward it through the VPN tunnel.
	View 1 Replies
    View Related
  
    
	
    	
    	
        Sep 7, 2011
        How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
 
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
	View 1 Replies
    View Related
  
    
	
    	
    	
        Apr 24, 2012
        We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510.  One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover.  I have configured a number of isr's for this and i know it works good.  
	View 1 Replies
    View Related
  
    
	
    	
    	
        Feb 19, 2012
        I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
	View 1 Replies
    View Related
  
    
	
    	
    	
        Aug 23, 2011
        setting up an ASA 5505 to be used as a firewall between a BT internet router(BTNet service) and a Cisco 3560 Lan switch. BT have presented me with a cisco 3800 series router with the following details:
Network Address   Network Mask  BTnet NTE Router LAN Address
       
There are 2 Gigethernet ports on the back of the router port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA but i am unable to get any connection.
	View 21 Replies
    View Related
  
    
	
    	
    	
        Feb 27, 2013
        I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
	View 5 Replies
    View Related
  
    
	
    	
    	
        Dec 22, 2011
        Trying to set up a asa 5505 in transparent firewall mode. I cannot set the management ip address:
 
ciscoasa> enable
Password: 
ciscoasa# config term
[Code].....
	View 7 Replies
    View Related
  
    
	
    	
    	
        May 3, 2011
        I have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???
	View 4 Replies
    View Related
  
    
	
    	
    	
        May 28, 2012
        I have a cisco asa 5505 firewall. Is it possible to block secure websites in it like [URL]? I have already tried regular expression filtering but it filters only http traffic.
	View 4 Replies
    View Related
  
    
	
    	
    	
        Feb 26, 2011
        I am trying to configure our ASA 5505 so that our users can access our ftp site using [URL] while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://99.23.119.78 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.
 
Here is our current confguration:
 
Result of the command: "show running-config"
: Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif ATTsecurity-level 0pppoe client vpdn group ATTip address pppoe setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveobject-group service DM_INLINE_TCP_1 tcpport-object eq ftpport-object eq ftp-dataport-object eq wwwaccess-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1 access-list ATT_access_in extended permit tcp any interface ATT eq ftp access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data access-list ATT_access_in extended permit tcp any interface ATT eq www access-list 100 extended permit tcp any interface ATT eq ftp 
[code]....
	View 6 Replies
    View Related
  
    
	
    	
    	
        Nov 21, 2012
        New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.   Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?  [code]
	View 11 Replies
    View Related
  
    
	
    	
    	
        Apr 27, 2011
        I'm integrating a Cisco ASA5505 with a Websense proxy. I have a configuration setup where we have four routers which are used for Internet access. There are two VLAN's - Guest and Private. What I would like to achieve is making the use of available bandwidth by load distribution via GLBP, and filtering users web traffic. Two routers will be used for a GLBP group in one VLAN, and the other two routers will be used for GLBP in another VLAN.The users are connected to a Cisco 2960 switch and are in their respective VLAN's. I'm planning a 802.1q trunk to a Cisco ASA from the 2960 switch, carrying both VLAN's.What I would like to know is if there is a CSC module (or similar) which has Websense installed on it, and if it is possible to setup the ASA5505 in transparent mode to filter the traffic in this way? Hopefully this would allow multiple users to take advantage of the additional bandwidth, and not be restricted by using a traditional proxy setup which where all web traffic would be originating from a single MAC address.
	View 1 Replies
    View Related
  
    
	
    	
    	
        Apr 30, 2012
        I have an issue with my firewall,each time i configured a trunk port in the firewall and connect a sw 2960S with a trunk port also, all the interfaces in the Firewall go down ( virutal intertaces, inside, outside , dmz) , also another switch 3750 that is connected to another port in the firewall( access port only) it start to a new negotiation of spanning tree.What could be causing this problem? the firewall didnt sedn bdpdu i think the IOS of the firewall its a 8.2
	View 3 Replies
    View Related
  
    
	
    	
    	
        Jun 12, 2012
        we are planning on connecting a new aquired company to ours soon?We will connect the remote site to the HQ via a D3. I've been told we will need to have a firewall between them and us for a time. I was thinking of terminating the D3 connection at the remote site of 80 users. Can I use the asr as a firewall as well, to protect the HQ from the Remote site - or should I use a seperate appliance?I was thinking of a asa5505 but, am concerned with bandwidth limitations of the box? 
	View 1 Replies
    View Related
  
    
	
    	
    	
        Sep 11, 2007
        I want to configure an ASA 5505 in transparent mode (7.x). Somehow, I got it to work.. but i need some kind of step by step description. I just want to connect it with outside on a route .. inside in my LAN. Its working now with one ASA. But in the Web Interface the Interfaces inside and outside are down.. but its working.
	View 5 Replies
    View Related
  
    
	
    	
    	
        Nov 11, 2011
        When I upgrade the ios on switches, I just create int vlan1 assign it an ip and subnet, then tftp to my pc that is plugged into the switchport using the download-sw command.
 
I am not sure how to do this on the asa.  Do I just plug my pc into port 0 which the documentation says is mapped to vlan 1 with and ip of 192.168.1.1? I tried this by making my pc's ip 192.168.1.2 but am unable to ping the asa.  Do I have to change the security level or anything?
	View 1 Replies
    View Related
  
    
	
    	
    	
        Mar 18, 2011
        I’ve been using a Cisco ASA 5505 Security Plus bundle for two years now without any problems. My previous Internet Service Provider was routing the external IP I was leasing directly through to my internal network without NAT which my ASA 5505 was working well with. Thus, I had configured my 5505 to provide NAT to my inside network which includes two subnets one for my workstations and internal "private" resources and a DMZ to provide access to my webserver, email server and two domain name servers; but restrict access to my internal; resources. i recently changed my ISP to Verizon FiOS (which is providing me with 25 Mb bandwidth at a fraction of the cost of my old T1) which is set up to provide 5 Static externally facing IP numbers for my email, webserver and name servers;. The problem is the Verizon router doesn’t support my use of the ASA Appliance (at least not the way it is currently configured. Verizon recommend I purchase a business class router and use it in place of the one they provided with my installation. With this in mind, I bought a Cisco RVS4000. I have configured it to use the primary external IP number and have internet access; however, the new router is providing NAT addressing which the ASA is in conflict with (they are both using the same NAT IP range). I'm assuming the ASA 5505 is expecting to have access to the external IP addressed (since that is what it was getting before) and NOT NAT address. How to configure the new router to either provide access to the five static external “real world” IP to my Cisco ASA Firewall. However, I just need to get my ASA 5505 back in the loop and would prefer to do this rather than go back to the Verizon router combined with a low end firewall. So, my questions are: Does the ASA 5505 expect real world External IP numbers? Or can it work with NAT addresses being fed to it from the router?  And, if so, how do I configure the access rules and other items which are currently mapping to external numbers? 
	View 27 Replies
    View Related
  
    
	
    	
    	
        Sep 21, 2012
        I am configuring a Cisco ASA 5505 firewall.In the office there is 1 x SBS 2008 server and 5 x PCs, all sat behind a Netgear DGN1000 ADSL router.We want to implement a ASA 5505 for added security.I have configured the internal interface of the Cisco ASA 5505 to be 192.168.0.1 - this is connected to local switch. The client PCs use 192.168.0.1 as their default gateway.I have configured the external ASA 5505 interface to be x.x.x.217. [code]Change the current router status from Router/Firewall/Modem to Modem only (Bridge mode). The ASA 5505 has its outside interface connected into one of the LAN ports of the netgear. The lan port has an IP of 192.168.0.254.
	View 3 Replies
    View Related
  
    
	
    	
    	
        Jan 6, 2013
        when i am booting ASA firewall i am getting the following error.
<0>Kernel panic - not syncing: Attempted to kill init! and it stops and will not work. check below the whole log file
 
how can i solve this issue?
 
Log file:
Evaluating BIOS Options ...Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.Use SPACE to begin boot immediately.
Launching BootLoader...Boot configuration file contains 1 entry.
[Code]...
	View 1 Replies
    View Related
  
    
	
    	
    	
        Dec 19, 2012
        Over the course of the past three days, our ASA 5505 firewall has shut down twice.  I looked through the Field Notices and it looks like this was a problem identified several years ago that was resolved for units built after June 1, 2007.  The serial number on our unit is not in the "effected" range. 
	View 1 Replies
    View Related
  
    
	
    	
    	
        Feb 15, 2013
        We have two Cisco 5505 firewalls connecting to two ISP's . The two internal LAN's on the firewalls are 192.168.184.0/24 & 192.168.186.0/24. We also have a Cisco C3560x layer3 switch with vlan interfaces 184.3 & 186.3. We have two DGS-3100 Dlink layer 2 switches connecting our users to the Layer 3. Ip routing is enabled for intervlan communication & I can reach the Switch interfaces & firewall gateways from machines on both on the vlans.We have pbr enabled on the 3560 & users only on the .186 network can get to the internet. The switch is running the ipservices license & the sdm template is "desktop routing" . 
Users on the .184 cannot access the internet but we can ping the layer3 interface & the firewall gateway. [code]
	View 20 Replies
    View Related
  
    
	
    	
    	
        Feb 18, 2013
        I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505. Our ASA has a public IP of 2.1. 2.14/30 assigned to it's outside interface.The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29. 
 
1. How can I assign this seperate public IP block to the ASA? Is it even possible?
2. If not possible, what would other options be?
3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
	View 4 Replies
    View Related
  
    
	
    	
    	
        Apr 24, 2011
        My company purchased a Cisco ASA 5505 firewall from our phone company, who installed and configured it but will no longer support it.
 
The first thing you should probably know is that I make no claims to know anything about Cisco equipment.  My primary job is a Web developer, so I can work with Linux boxes, and usually fix them, but this thing is a Mystery to me.
 
The Quick Start guide url... says I can use ASDM if I go to url... When I try this with either Firefox or MSIE 8, the connection times out and I can't get to ASDM (which I was able to find instructions for)I am able to telnet in to the firewall, but have no clue how to use the Cisco CLI.
 
I was able to locate a 3800 page manual online, but since my primary function is actually production, and I need to produce products for our customers, I don't have much time to read and work through the manual to find what I need to know.All I have is the firewall itself.  No printed manual, or software CD as mentioned on most of the online stores I can buy the device from.
 
Howto get ASDM working, or instructions on how to open up Port 23 so I can NAT it to 192.0.0.112 ?Just in case it is important, when the phone company installed our firewall config, we had them NAT port 80 to one server and 443 to another, so if these will affect what needs to be done, I can provide more information.
	View 1 Replies
    View Related