Cisco Firewall :: ASA 5505 Loss On Configuring Twice NAT
Mar 30, 2012
There seems to be a large number of the subject queries in one form or another. Having acquired an asa 5505 and using 8.43 firmware and the ADSM gui for router configuration it has not been an easy transition from other products. I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice nat or manual nat, not really ever dealing with it before, or in this manner.
What I would like to suggest to the experts, is to include far more ADSM web gui examples and discussion for manual nat. The tools are all there - in the nat rules editing page, the display of the rules pictorially and the packet flow at the bottom of the page (and finally thru packet tracing). What is needed is more on the actual entries on the nat editing pages and the logic and explanation of those entries. In this forum what I would like to see is when there are responses that they include both the CLI recommended entries b AND the associated adsm web gui pics. With good documents for reading and examples in the forum, I think there should be much less confusion allowing more attention to some very complex scenarios. At the very least I and others like me will get better edumecated. I am looking to understand CIsco packet routing through explanations of the web gui entries. In fact, I am learning far more by trying to understand the web gui vice simply copying and entering CLI commands. In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page with "Destination Inteface" in the second Advanced page .I have added the packet tracing jpegs for further context. There is an UNNAT lookup entry (first trace block, out of view on the pic) a concept which is missing in the documentation I've read that needs to be added but it is illuminating in how the router handles traffic. What is also interesting is the fourth jpeg which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table xlate etc)).
View 2 Replies
ADVERTISEMENT
Jun 6, 2011
I am planning on building the configuration on my ASA 5505, and then distribute that same configuration to several places on ASA5505's.
What is the best way to do this? Screen dumps of the ASDM. Copy the running-configuration from a text file into the ASA5505. TFTP the running-config.
View 2 Replies
View Related
Sep 21, 2012
I am configuring a Cisco ASA 5505 firewall.In the office there is 1 x SBS 2008 server and 5 x PCs, all sat behind a Netgear DGN1000 ADSL router.We want to implement a ASA 5505 for added security.I have configured the internal interface of the Cisco ASA 5505 to be 192.168.0.1 - this is connected to local switch. The client PCs use 192.168.0.1 as their default gateway.I have configured the external ASA 5505 interface to be x.x.x.217. [code]Change the current router status from Router/Firewall/Modem to Modem only (Bridge mode). The ASA 5505 has its outside interface connected into one of the LAN ports of the netgear. The lan port has an IP of 192.168.0.254.
View 3 Replies
View Related
Apr 19, 2011
I have 2 ASA 5505 firewalls and 1 cisco 3560 switch.
One ASA 5505 firewall and cisco 3560 switch located at SITE-A. Another ASA 5505 firewall located at SITE-B.
Below is the my connectivity:
Site-A IPSec VPN Site-B
cisco 3560 <----------------------------> ASA 5505<------------------------------------------------------------------------------------> ASA 5505
I planned to create 5 vlans in my cisco 3560 switch. these 5 vlans needs to have internet and needs to access Site-B.
I will write on dafault route to firewall in my cisco 3560 switch. Is ASA 5505 supports this scenario??? If it is then how to configure ASA 5505 firewall.
View 4 Replies
View Related
May 11, 2011
I have ASA 5505 with base licence. I configured NATing and VPN(site to site). All are working fine.My ASA is base license so i created 2 VLANS, one is inside and outside.Inside i am using 10.91.40.0/24 serie IP addresses.Below are the new requirements that i need to configre:
1. First 30 IP addresses only needs internet directly.( Servers and Management)
2. If remaining IPs likes to use web then traffic needs to forward one proxy server( where he gives user authentiation)
View 2 Replies
View Related
Jan 24, 2012
I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4.I was following the instructions in DOC-5704 and ASA 8.0 CLI.I don't have USB security tokens in UC solution, instead I'm using IP phones Cisco 7961 with MIC.I configure all the items as the documentation says but when I restart the phone outside the Firewall, the 7961 don't registrate with the Call Manager.Checking the troubleshooting I found that it's possible certificates problems but I don't know if I need to do something in phones.
I would like to know if there is any consideration when the UC proxy works just with MIC.The outside phone is a Cisco 7961 configured with static IP address and TFTP address of Call Manager (static NAT in ASA).
View 6 Replies
View Related
Jun 10, 2012
I need configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.I have attempted to configure rdp access but it does not seem to be working for me. How to modify my current configuration to allow this? I need to allow the following IP addresses to have RDP access to my server: [code] The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. My configuration file and what are the commands i need in order to put this through. Also, if there are any bad/conflicting entries. Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course.Also the bolded lines are the modifications I made but that arent working. [code]
View 8 Replies
View Related
Sep 23, 2012
I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.
View 2 Replies
View Related
Apr 8, 2012
configuring the Cisco ASA 5505 device to access my both WAN and LAN ip. LAN ip i need to configure it for web servers to face the internet.
View 11 Replies
View Related
Feb 19, 2013
Im trying to configure remote access VPN on ASA5505. I configured it as local CA server, installed digital certificate on remote station and everything looks fine as far as i can see. I'm using cisco VPN client 5.0 on remote station. when i initiate VPN session it fails while trying to connect. Looks like im missing some configuration but i cannot figure out what it is. Currently i have firewall configured to use group authentication and everything works fine. I want to switch it to use certificate authentication, and if possible, confiure firewall to use main mode instead of aggressive mode for better security.
View 4 Replies
View Related
Apr 19, 2013
I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches.My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack) This is how I setup my remote access:
Code:
ssh 0.0.0.0 0.0.0.0 outside
View 8 Replies
View Related
Jan 23, 2013
I'm almost afraid to post since my stuff is so OLD! I have a 350 Series PCI Wireless LAN Adapter in my old WinXP, not wireless-ready Compaq.I live off the grid, no landlines and have been using a Franklin CDU680 USB air card to connect to the Internet. The air card doesn't like my Compaq - occasionally crashes it. I thought to put the air card in a router to solve the problem and communicate with the router using the Cisco 350. Bought a Cradle Point router from my ISP and plugged in the Franklin. Then spent the next 5 days trying to get the Cisco 350 to associate with the router.I now have a profile with the router's SSID in it that according to the ACU's status report is associated with that SSID. Problem is that there is no Internet connection.
View 4 Replies
View Related
May 2, 2011
I’m configuring a L2TP IPSEC VPN on a 5505 asa so that windows 7 clients can natively connect. It connects correctly during Phase 1 and 2, but I can’t ping anything or access resources on the internal network. This is my first time working with an ASA.
Master# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname Master
domain-name service.local
[code]....
View 2 Replies
View Related
Apr 18, 2011
I just recently purchased a Cisco ASA 5505 ASA ver 8.2. I run a teamspeak server/ssh/dns and domain on the same server on the network. Before I switched to the asa, I have a regular DGL-4100 that ran with no issues. I have noticed that the connections are very unstable and disconnect frequently and when they do they take 1 to 5 minutes to be able to reconnect. I have done some cisco IOS but am fairly new to this. [code]
View 4 Replies
View Related
Aug 28, 2012
Recent incountered an issue with our elastix pbx and packet loss. Noticed this morning that when I turn on the firewall on our RV082, packet loss begins around the level 3 servers I see in my traceroute, and then slow spread out to all hops. When I turn the firewall back off, all hops have no packet loss or less than 1%. The weird part is, previously, I had the firewall enabled, and never had this issue.
View 2 Replies
View Related
May 11, 2013
We have Cisco router 2800 router which is directly connected to ASA 5510, till now there was no issue every thing was working fine, but from past 2 day's we are facing a problem, when we try to ping to any outside public IP their is a intermittent packet loss & same issue to the remote office through IPSec tunnel, We are able to reach our ISP router from outside whithout any issue & there is no packet Loss, if we try to reach the ASA their is a intermittent packet loss.
View 5 Replies
View Related
Dec 26, 2012
configuring NAT on intranet firewall. here is the my topology:
DMZ Network - - - - - - - - - External Firewall - - - - - - - - - Internet
|
|
|
Internal Network - - - - - - - - - Internal Firewall
1) I can Ping the intneral host from external firewall, internet firewall and DMZ network
2) Both ASA's are running OS Version 9.0(1)
3) ACL used permit IP any any, on both (i.e inside and outside)
NAT configuration on Internal Firewall (Identity NAT)
object network MGMT-SRV-INSIDE subnet 10.10.10.0 255.255.255.192
object network MGMT-SRV-identity
subnet10.10.10.0 255.255.255.192
object network MGMT-SRV-INSIDE nat (Inside,Outside) static MGMT-SRV-identity
[code]....
View 1 Replies
View Related
Oct 17, 2012
ASA is configured with the VPN site to site using the wizard, created the Public IP of contivity, local and remote LAN . I attached the configuration. In contivity have the following settings: Not able to communicate both subnets.Do I need to configure IP subnets and published in the contivity as was done in the ASA?
View 3 Replies
View Related
Apr 14, 2012
Lately I encountered random Internet connection issues?My router is a Netgear Wireless ADSL Firewall Modem Router DG834 (Firmware V1.05.0) and my ISP, isn't the most reliable regarding bandwidth... All clients (max 3 at the same time) connect wireless.The problem is that the last few weeks my connections is very unstable, all clients lose the internet connection until you restart the router manually.I can't even connect to the webinterface (192.168.0.1), during the downtimes.
View 4 Replies
View Related
Sep 26, 2011
We have a requirement where we need to enable a dynamic NAT from DMZ-1 to Inside, I gave the command below, but for some reason it does not work.nat (DMZ-2,Inside) source dynamic any interface,NOTE: The access-list is permitting all the traffic from DMZ-1 and Inside (for test)
View 1 Replies
View Related
Jun 3, 2013
We have a Cisco ASA 5505 at our CORP location, which I have configured the Site2Site VPN to our COLO with a Juniper SRX220h, the site to site works fine, but when users access the Cisco VPN client from home, they cant ping or SSH through the Site2Site. Contacted JTAC and they said its not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after for the 3 days (including Friday last week) of searching the Internet for over 6hrs a day, and trying different examples of other users. The VPN client show the secured route to 10.1.0.0. [code]
View 19 Replies
View Related
May 15, 2012
I'm having an issue configuring NAT on an ASA running 8.3. 've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.
object network obj_any-18
subnet 0.0.0.0 0.0.0.0
object network obj_any-18
nat (inside,dmz1.005) dynamic interface
The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!
What would be the best way to configure the return traffic from the DMZ to the Inside.
View 12 Replies
View Related
Mar 29, 2013
I am trying to connect 2 VMWARE servers directly to my 5515-X firewall. [code]ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail).
View 4 Replies
View Related
May 14, 2011
I am configuring new ASA 5520 with AIP module for our network with HA (2 boxes), would be the best practice to configure in order to protect web servers and email server.
View 2 Replies
View Related
Jun 20, 2011
I present wish to develop a policy and template for QOS on our ASA 5520 release 8.0(2) we presently have wish to do server hosting in our network for other organization,which the they will be able to access their servers they have both public and private addresses. we do have our one servers also already in production all behind the ASA And therefore we wish to apply qos on the servers to be hosted and we wish to do this on the ASA. how to go about this to apply qos on the ASA?
View 3 Replies
View Related
Dec 5, 2012
want to know the command for configuring NAT on My ASA5505.
Local IP - 192.168.1.0/241
Public IP - 182.73.109.118 255.255.255.252
View 4 Replies
View Related
Nov 20, 2011
We have to set up voip for our network(for 50 phones not he cisco phones).
I need to just the route the voip traffic to gateway address of telephonic company(1.1.5.7) where they provide us the connectivity for the setination call.
What sort of protocols should i have to enable in pix i saw the concepts like sip, h323, ras, skinny.
We are using only voip for asa and no data or other traffic should be allowed.
inside adrees: 10.10.10.0/24 for all voip phones
outside:121.21.22.1
telephoneic gateway: 1.1.5.7
View 1 Replies
View Related
Oct 16, 2012
I have two ASA 5510's that I want to setup in a Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750's stacked together that connect to the ASA's. Should I run the inside interface on ASA1 to a port on switch 1. Then run the inside interface on ASA2 to a port on switch2? And make sure both those ports are in the same VLAN? But, then when failover occured, how to I automatically make it clear the arp cache so the traffic starts flowing out of the right port?
View 1 Replies
View Related
Dec 27, 2011
In my lab setup i configured Cisco 3560 switch.
VLAN 20 and VLAN 30 i configured.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine.
For testing for purpose i configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice-versa.
Here i configured like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
applied ACL in VLAN 30 interface 'in' direction.
ip access-group 111 in
In this scenario, communication is stopping in both directions. If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.
From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement). So, solution needed to communicate from VLAN 20 to VLAN 30.
View 1 Replies
View Related
Aug 19, 2012
I just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and theres a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, nat commands, and other migration stuff. Its been awhile since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit because theres so many lines for so little that I really need.
I have a 5510 assigned an IP address on the outside interface with 3 inside interfaces and below are the only requirements I need.
Network-A (192.168.1.0/24)
- incoming ssh port 2202 goes to node 192.168.1.2
- incoming ssh port 2203 goes to node 192.168.1.3
- handle incoming https (443) requests
- handle incoming www (80) requests
- cannot see Network-B or Network-C
Network-B (10.0.0.0/16)
- ssh to nodes on Network-A
- incoming ssh port 22 goes to node 10.0.0.20
Network-C (192.168.2.0/24)
- ssh to nodes on Network-A
- incoming ssh port 2210 goes to node 192.168.2.2
ASA-5510
- sends logging to syslog node 192.168.1.3 on Network-A
- there are DNS and NTP servers located outside
View 1 Replies
View Related
Jan 13, 2013
To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
The following is a capture of the show version:
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
View 8 Replies
View Related
Aug 19, 2012
I need to configure Site-to-Site VPN (PSK) between two offices. Both offices have ASA 5505 firewall. Office 2 ASA is going to be behind NAT router (ISP) and it's not possible to turn NAT off. There is still a static IP address. Office 1 has a static public IP address and this IP is directly configured to ASA. I'm very unfamiliar with ASA. From my understanding the NAT won't be a problem when the VPN connection is started from the device that sits behind the NAT router?
View 3 Replies
View Related
Aug 21, 2011
I am having some issues configuring two ASA's for Site to Site. When I do a L2Lsite2# show crypto isakmp sa
There are no isakmp sas L2Lsite2# show crypto ipsec sa
There are no ipsec sas
If I am on side L2Lsite1 I cannot ping 192.168.3.1 Will repost configs later.
View 14 Replies
View Related
