I found a tricky task for our ASA 5505 firewall. I am not able to go internet when using DHCP but I can access by using fixed IP address in client PC.Same IP, Same Mask, Same DNS, Same Gateway. All the same but no hope. Any configuration i missed in firewall?
View 5 Replies
First time attempting to set up a 5505. Trying to replace a snapgear firewall and replicate the settings to the 5505.
View 12 Replies View RelatedI am using ASA 5505.Below are my sh run.I am not able to ping my gatway i.e 182.73.131.89
interface Ethernet0/0
description Internet Interface
switchport access vlan 61
!
interface Ethernet0/1
description office Internet
switchport access vlan 50
[code]....
I have config ASA 5505 and it is conencted to layer 3 switch that connects to cable Modem.
ASA is config with DHCP option and PC is able to get the IP from ASA. But from PC i am unable to access the internet. From ASA itself i am able to ping the Websites fine.
ASA has config with DHCP for inside and also it is doing NAT.
When i connect the ASA directly to Cable modem then pc is able to access the internet.
I have setup 5505 ASA for Testing purposes. It has static route to layer 3 switch on outside interface that goes to the internet.
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
[Code].....
I'm unable to have any internet connection for my new setup.
here's the overview.
Current setup is
Internet -> Router -> PIX 501 -> Switch -> clients
Internet -> static ip given is 210.193.34.1 - 210.193.34.6
Router -> Static ip assigned for NAT/External is 210.193.34.1, Local ip is 192.168.1.246
PIX 501 setting ->
IP to Router, According to router screen is 210.193.34.2, but not sure what settings are done in the PIX itself as I'm unable to access it.
local ip is 192.168.1.1
Clients - > 192.168.1.0
Old setup is working fine and connected to internet. for the new setup, as i do not want any downtime for the old setup.
As you can see, there are two firewalls connected concurrently to the router. I've configured it this way.
Internet -> Router -> ASA 5505 -> Switch -> clients
ASA 5505 setting ->
IP to Router NAT/External/ Outside Interface, 210.193.34.6 (Or do i set as 192.168.1.0?),
local ip/ Inside Interface is 192.168.2.1
Clients - > 192.168.2.0
some setup details.
security policy, NAT, set to default. routing is route outside 0.0.0.0 0.0.0.0 210193.34.6
I'm unable to access after a week of troubleshooting.
I'm using an ASA5505 with dhcpd.but i want to assign a specific IP address from the configured dhcp range to a specific PC.Is it possible to bind a specific ip to this particular PC's MAC address.
View 1 Replies View RelatedWell its in this line but do i have to type in a ip even if comcast is giving me a dhcp address?
route outside 0.0.0.0 0.0.0.0 any 1
=============================
hostname asa1
domain-name mydomain.com
enable password rwt5UQJihEq2/Qae encrypted
names
!
interface Vlan1
[code].....
I am opening a small branch office in another state and the equipment we purchased is as follows:
ASA5505
3560G.
We'll use a site to site vpn but just in case there's connectivity issues I'd like to use the ASA as DHCP. So far I have a scope defined in the ASA and if I plug a laptop directly in I get an applicable IP address. I trunked the port on the switch that goes to the ASA but not the one on the ASA itself (license restriction) The VLAN that I'm using for my PC's has an ip helper address that is assigned to the inside IP of the ASA.
I want to configure multiple DHCP pool on ASA. that I create like
int e0/2
no shut
interface Ethernet0/2.10vlan 10nameif inside10security-level 100ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2.20vlan 20 nameif inside20 security-level 100ip address 192.168.20.1 255.255.255.0
dhcpd address 192.168.10.10-192.168.10.254 inside10dhcpd dns x.x.x.x y.y.y.y interface inside10dhcpd enable inside10
dhcpd address 192.168.20.10-192.168.20.254 inside20dhcpd dns h.h.h.h z.z.z.z interface inside20dhcpd enable inside20
I have following query...
1. int e0/2 work as trunk port, is it? any special confiduration require other than dot1Q?
2. How can I configure inside interface? is it like,
access-group inside_access_in_1 in interface inside10
access-group inside_access_in_1 in interface inside10
3. How can I configure static NAT ?
4. How can i configured inside route?
5. How can I configured default NATing?
6. On which interface I access ASA? currently using inside interface.
Our company is planning to buy one of cisco ASA 55xx series.But there is still one question left about DHCP pool limitations.Here I found some information about licensing for DHCP on ASA 5505: [URL]In other words, we don't have any information about ASA 5510, which contains DCHP pool licensing.
View 9 Replies View RelatedI get the following message when appling "DHCPD ENABLE INSIDE"
DHCP: Interface 'INSIDE' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature
This is an ASA 5505 Running 8.2.
my 5505 running on version 8.2.5 doesn't seem to recogize the simple command "ip address dhcp setroute......"
ciscoasa(config-if)# ip address dhcp
^
ERROR: % Invalid Hostname
ciscoasa(config-if)# ip address ?
configure mode commands/options: Hostname or A.B.C.D Firewall's network interface address
I have a ASA 5505 that I have been using for a while, but a new ISP is trying to configure my service so that the outside interface has to be configured as DHCP to receive a reserved IP address, and then they will route a separate, non-contiguous block of addresses to that address.
Essentially, they have a DHCP reservation for 1.2.3.4 for my ASA, and then they have 10.2.3.16/28 as a separate block routed to me.
Obviously, I can do my static NAT translations using outside as the address, but I cannot get the separate block of addresses to route through the ASA. Is there a way to do this and get them to work? My ASA is running 7.2(2)
I want to configure multiple DHCP configuration on ASA 5505. I tried to create sub interface for different IP Pool but it was not configure on ASA 5505. is it possible to create subinterface on ASA 5505?
ASA 5505 IOS version: 8.3(1)
License: Security Plus
So here's what I think I should do to give email access only to a segment of addresses of my inside network.
1) Create a network object for 62 machines that will represent my dhcp clients.I plan to use 192.168.0.65-192.168.0.126. So I will use address 192.168.0.64 with netmask 255.255.255.192. Then set DHCP server to service this address range.
2) Create an ACL which will Permit Any to use tcp port 110 (pop3) to get to the outside. Which leads me to question #1:
How do I permit the source "Any" to communicate with "Any Less Secure Networks" like the implicit rule that gets zapped once I create new ACL? Is "Any Less Secure Network" implied by the "Any" destination?
3) Create an ACL which will Deny my DHCP range to talk to the outside.
4) Create an ACL which will Permit Any to talk to Any Less Secure Network(essentially recreating the implicit Permit ACL that got zapped).
I am used to setting up access-lists on outside interfaces with ip addresses that are static. I have recently been given a site that is using a dyndns.org client for name to ip address resolution on an outside interface that is dhcp assigned. I created an access-list to open up ports 41794 and 41795 to an engineering application but everytime I try to connect from the outside I get a syn timeout. The application works when inside the lan. Basically I want to allow outside connections from anywhere on the outside to go to ports 41794 and 41795. I am running a Cisco ASA 5505 on version 7.2(4) Below is my conifg. what I may have misconfigured?
: Saved:ASA Version 7.2(4)!names!interface Vlan1 nameif inside security-level 100 ip address 172.31.2.1 255.255.255.0!interface Vlan2 nameif outside security-level 0 ip address dhcp setroute!interface Ethernet0/0 switchport access vlan 2!interface
[Code].....
Is there any way of showing the currently assigned ip address for an interface configured to use DHCP on an ASA 5505?
View 2 Replies View RelatedWe've just started with the ASA 5505. We do run a DHCP server on the inside interface, so it is in the same VLAN 1 as all of the clients. However, we cannot get it to work.We can't use DHCP Relay, as the ASA 5505 only allows to relay to DHCP servers in a different subnet.Or do we have to move the DHCP server to a different subnet. If so, how would we configure that scenario?
View 13 Replies View RelatedI am having a very strange issue with connecting new machines to reach the internet.We have a ASA 5505 which the previous tech configured the DHCP pool to 192.168.1.60 - 192.168.1.110
We ended up reaching our limit which I changed it to: 192.168.1.60 - 192.168.187
Then next day when I arrived to work, our DC was hung from windows updates. Once we got everything back up, every computer currently on the network can reach the internet/VPN tunnels etc. So (continuing with my day) I created a new server in a VM (Hyper-V)I can ping everything internally (even the router) 192.168.1.1, but I cannot resolve DNS. I have configured a static IP, tried Dynamic IP.I have looked for any ACL indicating to block outside the range of the old DHCP pool but no luck.On my local maching I can ping the DNS addresses, but just not on the new server.
My ASA 5505 has stopped giving out DHCP address to my machines.Everything was working fine and nothing has changed in the network. I've reloaded the firewall and clear all DHCP on the firewall I've even re-entered the cmd on the ASA.
I'm able to staticlly assigned address to the clients and all is way. When I do a DHCP debug on the ASA I don't see any events relating to the DHCP service apart from checking for lease expiry.
I've also tried to plug a machine straight into the ASA and no result. I finally did a packet capture and I am seeing the client machine sending out a DHCP discover packet and nothing else is responding.
My ASA config is:
dhcpd address 192.168.3.10-192.168.3.33 inside
dhcpd dns 8.8.4.4 interface inside
dhcpd option 3 ip 192.168.3.1 interface inside
dhcpd enable inside
Cisco ASA 5505 Security Plus 1 link with PPOE dialup for internet access
desirable situation: Primary link with a PPOE dialup Secondary Link with DHCP address Asignment
Problem: i want to configure Dual ISP Failover modus, but the problem exist when i configure the ip sla syntax it looks good in the running config. but after a reload the secondary line becomes primary
It looks like the ppoe client authentication is busy when the ip sla tracking mechanism becomes active. can i tweak the settings that the ip sla tracking mechanism starts later?
What i the correct config for Dual ISP setup with primary PPOE and secondary DHCP
I just tried to configure my ASA but unable to ping. My setup is as follows:
Cable Modem (DHCP from IPS)---> ASA (192.168.1.1)--->Belking Router (192.168.5.1)--->Switch (192.168.5.14)--->
ASA Version 8.2(3)
!
hostname WoodHomeASA-1
[Code].....
I have a command line from ASA 5505 like below :
nat (inside) 0 access-list NO_NAT
The problem is I cannot see any matching ID of 0 at the (outside) like :
nat (outside) 0 xxxxxxxxxxxxx
Another problem is there is also no any access list with the name of NO_NAT.
I need another set of eyes on my config. I am trying to set up my router for a basic connection for the time being. I set my gig 0/0 port to dhcp I see traffic being sent and recieved but I can not ping 8.8.8.8. I am connected to a basic comcast modem from 0/0 I have also tried setting gig 0/0 to 100 full. I do have IP routing enabled. I believe I have my acl's configured correctly. I am wondering at this point if I need a static block of IP's from comcast.
hostname vpn-router-2901
username ****** password *****
enable secret *****
[Code].....
I have ASA 5505 and I save the configuration in the ASA 5505 using write memory or using copy run start but whe i unplug the power cord and plug it back in the ASA gets its factory default configuration.
View 8 Replies View RelatedWe have a cisco asa 5505 on which we have setup a group VPN. The VPN connections from all cisco vpn clients works fine except one. The keep getting the below error
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding. Connection Terminated".
Not sure why only one client won't be able to connect. The version we are using is 5.0.02 for VPN client.
I am unable to Telnet/SSH/RDP from my inside network to my DMZ. I am not sure where the problem lies, I am able to use VNC from the inside to the DMZ (ports 5800, 5900), and also establish connection on Ports (26700-26899). I have a computer connected directly to the DMZ and those services work to all networks on the DMZ.I have attached Logs of successful VNC connections, unsuccessful RDP and Telnet sessions, and the running config.
View 23 Replies View RelatedI configured a new Asa 5505 with Ios 8.44-1-k8.bin and when I installed the Asa the client's after about 1 hour were unable to ping or map drives to the Asa. I got the following error,%ASA-2-106007: Deny inbound UDP from XXXX to XXXX due to DNS Query. I added the command same-security-traffic permit intra-interface they were then able to ping the server and connect to the Internet, but still unable to map drives i could see the connections from the Pc's to the server in a show conn with was tcp port 445 with Saa? I reverted back to Ios 8.25 and everything works.
View 2 Replies View RelatedWhen I have a computer directly connected to the Cable Modem I get 9.84MB Down and 1MB Up. When I put it behind the ASA 5505 with policing on the interface, I only get 4MB Down and 660Kb Down.What I'm wanting to do is setup this up to enable my VoIP to have a higher priority and shave 128kon both the Up/Down for the VoIP traffic. I also want to make sure I don't exceed the inbound and outbound thresholds.I''m using a 5505 Security Plus?
View 3 Replies View RelatedI have 2 subnets bought from my provider 194.102.98.128/27 and 194.102.98.160/27.
From my provider a have the following setup:
IP Address: 86.120.151.66
Netmask: 255.255.255.128
Gateway: 86.120.151.1
DNS (1): 213.154.124.1
DNS (2): 193.231.252.1
My IPs are static routed by my provider thought 86.120.151.66 .
On the firewall I have the following set-up:
Outside Interface: 86.120.151.66/25 security level 0
DMZ interface: 194.102.98.129/27 security level 50
Inside Interface: 194.102.98.161/27 security level 100
0.0.0.0 0.0.0.0 [1/0] via 86.120.151.1, outside
Everything works perfectly except when I try to sent an email. The email gets sent (eventually), but afert a long waiting time, 45-60 sec. The connection is opened instally to the server but then just hangs there for 40-50 sec. The problem is that a have an aplication on a server that has to send confirmation emails, and that aplication is limited to a 30 sec timeout for conecting to the mail server, much less then the 45-60 sec that I have now. The mail server is hosted by a data center, it is not in my networks (location).
I have tried deleting the ESMTP inspection, that doesn't work. Pinging my mail server rezults in a average time of 20 ms. And when a do a tracert the hight value in a hop doesn't usually pass 80 ms, the average is 20-25 ms.
The problem is ONLY when sending emails. Everything else works perfect, including receiving emails from the same server.
My running config is:
hostname ASA-Adisys
domain-name Intern.ro
enable password 0./39zRW9yhKK/bO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
Remote LAN pool is configured as inside. Route is proper. I am able to open 443 port from the remote LAN pool on the ASA. That means, the port is open from the remote pool. No response if I try https on the browser.
View 11 Replies View RelatedI can connect to the network but doesn't connect to the internet. I have tried a lot of ipconfig cmd's /renew said "unable to connect to dhcp server" and others didnt work all out of ideas.
View 14 Replies View Related
