Cisco Firewall :: ASA 5505 - Outside Can't DHPC As Router Use Same Range
Dec 15, 2011
Im new to the ASA and is trying to setup at test net. The ASA is connected to my router on port zero using DHPC. (Or i guess its not as the router use the same ip range as ASA does inside).
I tried to set a static IP in the same range (eg. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside". So I belive that is why it dont get a IP from my router - it does show up in the router DHPC table as 192.168.1.5 but ASDM home says outside "no IP address".
I tried to change the inside range of the ASA but if I change the inside IP i loose connection. (Had to restore factory-default useing the console).
I guess I could setup another range using the console, but how?
View 9 Replies
ADVERTISEMENT
May 31, 2011
I've an ASA 5505 as my gateway for my internet at home. I've one public IP, so I use Port Address translatetion for my internal clients.
Now i wanna setup a FTP server, on a internal client. I will use Filezilla FTP server. I'm running the FTP server in passive mode, since the FTP server would be behind my ASA firewall/nat device.
I need 50 ports for the passive mode to be running.
I will use port range 50000-50050. I can easy make a firewall rule (access-list) that permit that port range.
But how do I PAT(NAT) a port-range on the ASA device? I can only figure out how to NAT one port at the time.
View 2 Replies
View Related
Feb 21, 2013
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?
View 5 Replies
View Related
Mar 11, 2011
I have an ASA 5505 running 8.4(1), and I'm configuring it with ASDM 6.4(1). The outside interface is configured with a single static address. I have a few services port forwarded sucessfully to three different servers on the inside network.
I need to make a media proxy on a SIP server available to the outside. It requires a large range of forwarded UDP ports for the media channels.
I tried adding a network object NAT rule like the others I'm already using to forward HTTP and RDP. I entered a range of ports for the real port and the mapped port using the syntax 60000-60999. ASDM accepted it, but the NAT rule list displays "Any" in the service column. When I apply the change, I get the following error:
nat (inside,outside) static interface service tcp 60000-60999 60000-60999
^
ERROR: % Invalid input detected at '^' marker.
How do I forward a large range of UDP ports from the outside interface to a single server on my inside network? I'd like to use ASDM, but I can switch to the CLI if that works better.
View 3 Replies
View Related
Nov 7, 2011
trying to configure our ASA 5505 (hence my request for the ASDM). However, I can go CLI if push comes to shove.
What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.
I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.
I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)
To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?
View 1 Replies
View Related
Feb 7, 2013
: Saved
: Written by enable_15 at 03:51:29.049 UTC Mon Feb 4 2013
ASA Version 8.4(4)1
host name cisco asa
enable password xxxxx encrypted
password xxxxx encrypted
names
interface Ethernet0/0
switch port access v lan 100
interface Ethernet0/1
interface Ethernet0/2
[code]...
View 2 Replies
View Related
Jan 7, 2013
After getting hacked I want to limit terminal server/ remote desktop to only my computer. (although I may need to let other net in later)
In other words I want only computers from my home ip range (lets say my ISP gives me at home something in 28.28.XX.0) to be let in to the router at work and then to port 3389.
In the work ASA 5505 softwareVersion 7.2(4) I now have:
access-list outside_in extended permit tcp any interface outside eq 3389
static (inside, outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
acces-group outside_in in interface outside
View 3 Replies
View Related
Sep 27, 2012
I recently installed 2 wlc 5508 with the latest software 7.3.101.0. I am not able to activate the Internal DHPC Server. The following message appears: "Error in setting dhcp scop leasetime".
View 5 Replies
View Related
Feb 12, 2013
I have 4 public IPs on Router 3845 interface FastEthernet 0/0/1. IP as below.
50.200.2.2
50.200.2.3 secondary
50.200.2.4 secondary
50.200.2.5 secondary
I wan to allow ports 80 to 90 on 50.200.2.3 for my webserver (192.168.10.50)
View 5 Replies
View Related
May 21, 2011
I wanted to move to the cisco arena, and having a bugger of a time figuring out simple nat/pat rules combined with access lists. I've been reading Richard Deal's Cisco ASA configuration book, googling the heck out of this simple problem and can't see what I'm missing.
I have an ASA 5505 unlimited security plus license running 8.2(3) and a simple network, 192.168.0.x internal, 192.168.3.x dmz (not even touching that yet!) and outside I have a /29 subnet of addresses, 25 is the gateway, and 26-30 are my addresses.
I have simple dynamic nat set up on the .26 address to nat to 192.168.0.x. All I'm trying to do is port forward a simple tcp port I set for my linux server (192.168.0.2) on the inside, for arguement's sake, it's 2222 (it's not really). My outside vlan 50 is X.X.X.226 255.255.255.248 , can I make a static nat (inside,outside) x.x.x.226 192.168.0.2 netmask 255.255.255.255 ?
I tried using (inside,outside) x.x.x.230 192.168.0.2 netmask 255.255.255.255 and that didn't work either. Is it not possible to use two external addresses to hit the entire /24 range AND a single server?
My access rule for this nat is permit tcp any 192.168.0.2 eq 2222 (where I'm using 2222 for my ssh port). then I apply that access list to the access group interface "outside".
I thought the outside interface would do a proxy arp (since I do not have the sysopt noproxyarp command) for my 227,228,229, and 230 addresses where .226 is my internal nat for all my internal machines i.e. 192.168.0.1 -> x.x.x.226 . I had this working like a charm before with my fortinet, so I know I have systems listening.
View 3 Replies
View Related
Mar 19, 2013
I am trying to troubleshoot an ASA5505 connectivity issue. My initial tests are to ping the Internet router from the ASA This is failing and also a sh arp only shows internal addresses.
I have to go to site to check this out to confirm the following.
1: Should I be able to ping the Internet router from the ASA?
2: Do I need to permit any icmp to do this?
3: Should a sh arp show the address of the internet router?
I tried entering the command permit icmp any outside
However I got the error route already exists 0.0.0.0/0.0.0.0
View 2 Replies
View Related
Jul 19, 2011
I have an ASA 5505 with the typical inside/outside interfaces. I also have a DMZ that I've named remote for all of my ISP VLAN'd remote offices to connect. I've set the security levels on both the inside and remote interfaces to 100. From remote 192.168.71.0 network I can ping to the remote interface on my ASA, 12.230.129.66/8, but can't ping anything on the inside network, 192.168.1.0, or the web. From my ASA I can ping the router directly attached to the remote interface, 12.233.136.162/8. From my inside 192.168.1.0 network I can hit the web fine, but cant ping the remote router 12.233.136.162 or the remote network..
I dont' know if I missing something with routing, or with the two interfaces w/ same security...or what?
Here's my config. I've also attached an awesomely bad network map.
Result of the command: "wr t"
: Saved:ASA Version 8.2(5) !hostname ciscoasadomain-name wec.wnetenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2switchport access vlan 3!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip [Code]...
View 6 Replies
View Related
Oct 21, 2012
My client is asking can the Cisco ASA 5505 implement MAC ACL in Cisco ASA 5505 which is now running in Router Mode.I have tried to search the document and also tried the ASDM in the Cisco ASA 5505 but could not see any way to do the ACL by MAC address.At the same time how to find out that by using command line the ASA 5505 able to run MAC ACL in router mode?
View 2 Replies
View Related
Oct 21, 2011
I am in search of a new routers. I don't have any special task to do. Just the flow of maximum 2mb/sec data and some times video conference. However I need the Voip solution as well. I just got excited on the cisco ASA 5505 product. Can this fulfill my requirements. Can this work as the router 1841. Does this support DMVPN, SSL VPN and dynamic routing. Can I upgrade the IOS for dynamic routing purpose. Do you recommend to purchase this produe act or not instead of router ? What are the limitations of this product. If I purchase this I can use this as an router as well as strong security solution. How many ports are available for traffic flow in ASA 5505. Are all routed mode or some of them switch port.
View 1 Replies
View Related
Mar 15, 2011
Have a customer who has two ISPs right now and only using one through a basic SOHO router. Looking to upgrade to something that supports dual WAN and allows connections from outside in on both WAN ports. There are 25-30 inside hosts.Requirements: Allow incoming connections on BOTH WAN ports to a single inside host
-This is a web app that needs as close to 100% uptime as possible
-Round robin DNS is set up
-Failover for internal people should one of the ISPs go down
Looking at either an ASA 5505 with Security Plus or an 891 Integrated Service Router.
View 1 Replies
View Related
Nov 14, 2011
I have a wireless Airport Extreme on Vlan3. My problem is that I can't get internet access from a wireless client which connects to the Airport which is on the DMZ. From my laptop which is connected to the Airport, I can ping the 5505. That's as far as I get.
asa5505(config)# sh running-config
: Saved
:
ASA Version 8.4(2)
!
hostname asa5505
enable password ArKd0aXL.wihdyE3 encrypted
passwd ArKd0aXL.wihdyE3 encrypted
names
[code]....
View 6 Replies
View Related
Oct 30, 2012
I need to open port range 554 - 558 to a DVR on the internal network. Also, I need to NAT one of my public IP's to the DVR. How is this accomplished in 8.4? I was able to do it in an older version ASA software.
View 3 Replies
View Related
Nov 8, 2011
I am having to NAT an IP range on our ASA 5520 as a remote VPN has the same IP range. The NAT is done, but for the source access list on our ASA do I need to use our natted IP range or the non-natted IP range?
View 1 Replies
View Related
Oct 25, 2012
Shopping for a new home router/firewall. Trying to decide between a Cisco ASA 5505 or a juniper equivalent. What are everyone's thoughts?
View 16 Replies
View Related
Dec 23, 2011
Currently I have an ASA setup as a Firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was setup to receive DHCP from the ASA and everything was working. I'm adding router and a server for the guest interface and what I'm trying to accomplish now is the following: ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT > Mac Server as DNS Server.Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong. My DNS Server has a reserved IP address: 192.168.226.2 and it's pointing to itself and forwarding the ISP DNS servers, the Airport Extreme is handling the DNS Server IP and the ISP DNS Server IP but I can't connect to the internet from the server. [code]
View 31 Replies
View Related
Feb 27, 2013
I've done this in the past for specific host entries with no problem, but I can't figure out how to do this for an entire subnet. I need something along the lines of the following:
access-list OKC2DAL extended permit ip 192.168.1.0 255.255.255.0 192.168.107.0 255.255.255.0
static (inside,outside) 192.168.99.0 access-list OKC2DAL netmask 255.255.255.0
I see netmask as an option, but the ASA states "invalid option netmask." The ASA is running 8.2(2). OKC-PIX(config)# static (inside,outside) 192.168.99.0 access-l OKC2DAL ?
configure mode commands/options:
<0-65535> The maximum number of simultaneous tcp connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time
specified by the timeout conn command
[code].....
View 2 Replies
View Related
Dec 5, 2012
I have a network with multiple servers behind a PIX with 6.3 on it. I have one public IP address, and I'm using NAT. I'm currently trying to port my Exchange server to a cloud host, and the vendor is requiring I open up a wide range of ports for MAPI, basically ports 1024 on. What would be the command to forward all of the trafic cominto/from that broad range? if I could simply route all trafic to and from their two IP addresses to my email server, that would accomplish the same end goal.
View 3 Replies
View Related
Jan 4, 2012
I have a ASA 5510 device. I have been asked to block Ip range for India from accessing set of servers. Total Subnets: 34,675,968.I really don't want to create a two mile long access list with all these subnets.
View 2 Replies
View Related
Apr 3, 2011
Just wondering if it’s possible to add a time-range for certain url filter policies on a cisco 1941?
View 1 Replies
View Related
May 22, 2012
i have a cisco asa 5510 and would like to add a NAT rule for a range of ports like 50000-59999
View 15 Replies
View Related
Mar 26, 2013
I just bought a Cisco ASA5505. I'm trying to opening a port range through CLI, but it doesn't seem to be working.
Background:I have an FTP Server running behind the firewall and need to allow port ranges 30000-30100 for data connections. I have been using FTP through the command prompt and its working. However, I cannot use it through the FileZilla client as it fails to query the directories. I have the ASA forwarding to port 1125 from 21 in passive mode.
Access-List:
access-list Outside_Access_In line 3 extended permit tcp any any eq ftp-data (hitcnt=0) 0xfa8ed43d
access-list Outside_Access_In line 4 extended permit tcp any any eq ftp (hitcnt=17)
[Code].....
View 14 Replies
View Related
Apr 19, 2013
Any confirmation that the versions 8.6 and up don't allow publishing to more then one public range if IP addresses?
We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.
With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.
View 2 Replies
View Related
May 8, 2011
I need to open the following ports on a pix:
-tcp 3230 to 3235
-udp 3230 to 3253
How do I open the ports?
View 2 Replies
View Related
May 22, 2012
i have a cisco asa 5510 and would like to add a NAT rule for a range of ports like 50000-59999
View 1 Replies
View Related
Nov 10, 2011
I have a cable modem internet connection and my cable modem is connected to an ASA 5505. The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1. The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network. Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1. I would like to see the 192.168.1.x address of the clients in the ASA firewall. I've tried making some changes to the Linksys router but that hasn't resolved it. Is there any changes I can make on the ASA to get this to work?
View 6 Replies
View Related
Jun 1, 2011
I have an ASA 5505 on a job. It is a smaller business that would have done better with an RV082, but they have what they have. It is running firmware 8.4. The client needed ports forwarded for their FTP server. The port range in this config is tcp 43333-43339. The FTP server ip is 192.168.1.2. [Code] ......
View 8 Replies
View Related
Feb 19, 2013
I need to NAT a port range spanning from TCP and UDP 50,000 to 59,999 from inside global address 58.96.x.x on loopback2 to an inside local address of 192.168.5.5.Currently all the existing NAT translations are 1-to-1 that map inside global addresses on a wide span of Loopbacks and a Dialer Interface to inside local addresses on few subnets which are fine.I'm using an 1811 with an ADVIPSERVICESK9-M image, version 12.4(6)TS
View 1 Replies
View Related
Mar 17, 2011
Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?
Will VLANs work at all with IPSEC on the "oustide" i/f at all ?
View 2 Replies
View Related
