Cisco Firewall :: ASA 5510 / Multiple VLANs Behind Single Firewall Segment?

Feb 5, 2012

I need to create a firewalled segment that not only separates hosts from general population, but also from each other.  The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible.  1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts and 2 - hosts
Firewall DMZ Interface - 3 - hosts and 

This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).

View 1 Replies


Cisco Firewall :: SSM-4GE Firewall Has 5 DMZ Segments And Specific Segment For Internet Traffic

May 23, 2013

I was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)Usually firewall CPU flows between 30% to 40%. Rarely to 50%.
1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc
2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?
3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?I there any recommendation regarding configuration, best practices?

View 6 Replies View Related

Cisco Wireless :: 1142n - Multiple Vlans With Single SSID

Oct 12, 2011

I have two 1142n LWP ap converted into standalone, as client doesn't have any controller there. They just want to extend their network via wireless.
L3 switch (trunk port gig 1/48) -----> connected to AP1
L3 switch (trunk port 2/48) -----------> connected to AP2
client is looking for 3 vlans on the floor ( users might multiple vlans might associated same AP ). They have a dedicated DHCP/DNS server and he will be configuring 3 vlans on L3 switch with correct ip helper address on SVI interfaces.
I'm i allowed to created 3 SSID's on 1142n standalone AP ?
What would the various optiosn to achieve this requirement ? Is there any simplest way to achieve this ? Do i need to go for 802.1x ? I remember client told their users are authenticating by using AD for wired network. This is their first request for wireless environment

View 2 Replies View Related

Cisco Wireless :: 4500 - Single WLAN To Multiple VLANs

Feb 27, 2013

I read from this forum some discussion about the WLC VLAN Select feature. [URL]. I see that you can use this feature to have multiple VLANS (interfaces) to map to the same WLAN (SSID).
What I try to learn is under what scenarios would people need to have mutliple vlan mapped to single SSID?
In my environment, I have 50+ AP int he campus on 20+ Cisco 4500 switches.  I have single WLAN and it is mapped to one subnet.  All wireless users would be on that subnets, whereas wired users are on 20+ subnets of their own.

View 6 Replies View Related

Cisco Firewall :: 5550 Migrate From Multiple Context To Single

Aug 12, 2012

I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2).  Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed.  I would like to now migrate to single mode before I go about patching them to the latest software.

View 4 Replies View Related

Cisco Firewall :: 2121 / How To Nat Multiple FTP Local Servers From One Single IP

Apr 24, 2013

I have a FTP server at my local network and i have natted the private IP with my Public IP using default FTP Port ( 21) , now i have created Diffrent FTP Account in my server using port 2121 and i am able to login using the private IP with port 2121 , now i want to nat with my public IP with port 2121 and i failed,

1) 125.x.x.x --------- 10.10.1.x : 21 ( Able to access from external network)
2) 125.x.x.x ---------- 10.10.1.x : 2121 ( not able to login from external network and able to login internally )

View 7 Replies View Related

Cisco Firewall :: NAT - Multiple Ports Translated To Single Port - ASA 8.4

May 21, 2013

We are migrating from a nother brand to an ASA Cluster running 8.4.5
We have a web-server on an inside interface listening on a non standard port - 20111. We have created a static NAT translating the public ip to the private, so If I do http://public-ip:20111 it works. (we are using a seperate public IP for this service only).
Now I need to create a NAT rule that will forward requests on BOTH port 80 and 443 to the same private ip and the same port number (20111)
The Private address is and the "public" (I've replaced it in this example) is I have managed to create a NAT that will translate 443 to 20111:
object network nat (Private-DMZ,Outside) static service tcp 20111 https

But if I try to add another rule like:  nat (Private-DMZ,Outside) static service tcp 20111 http It will simply replace the first one.
Is it possible to redirect both 80 and 443 from outside to the same port number and same IP on the inside?

View 1 Replies View Related

Cisco Firewall :: ASA 5550 - Migrate From Multiple Context To Single

Jun 13, 2012

I have a Fail over pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2).  Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed.  I would like to now migrate to single mode before I go about patching them to the latest software. 

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - How To Implement NAT On Multiple Internal VLANs (DMZ)

Apr 4, 2011

I've got a cisco asa 5520 and setting up the NAT for multiple DMZs on it. 

 I want to use PAT on the outside interface.
internally ive created subinterfaces for the VLANs and connected to a trunk port on a switch.
configure NAT for this scenario. I've got only 1 external public IP address.

View 1 Replies View Related

Cisco Switching/Routing :: 3750 - Configuring Multiple VLANs For Single Port

Apr 11, 2012

I would like to configure a 3750 switch port to be able to use two vlans. I know you can do this with a voice and data vlan, but what about two data vlans ? Say I have two devices, one on a 10 subnet and the other on a 172 subnet, but i only have one wall jack for both devices to plug into. So I use a mini switch to connect both devices and connect the switch to the wall jack; and of course this all leads back to one switch port. When I go to enter the switchport access vlan 172 cmd, how would I also make it so the device on the 10 subnet could route out ?

View 9 Replies View Related

Cisco Switching/Routing :: ASA-5525 - Connecting Multiple Switches To Single Firewall?

May 28, 2012

Could I configure and connect 3 Dell switches to an ASA-5525 Firewall which has got 8 interfaces.

View 7 Replies View Related

Cisco Firewall :: 6513 - FWSM Multiple Security Zones On Single Context

Nov 7, 2012

My corporate internal network is currently fire walled by an FWSM module on a 6513 switch.  We have each security zone (we have eight) assigned to a FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN.  Is it possible to support fire walling between these zones within a single security context?  The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~ $12K for the context license.  We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Single Address NAT From VPN

Jan 17, 2012

We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
For example: If someone in our satellite office with an IP address of attempts to request a resource from then the request would go via the VPN to our firewall and then get NATed to before being passed on to our parent company network.
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentialy, all traffic from destined for should get NATed at our firewall to before being passed on.
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.

View 4 Replies View Related

Cisco Firewall :: Multiple WAN IPs Routed To Separate Internal VLANs On ASA 5505

May 25, 2011

I have an ASA 5505 with the security plus software and I'm trying to find out how to assign 2 public IPs to the outside interface and have each IP routed to a separate internal VLAN. For example, IP 1 = X.X.X.1 routed to and IP 2 X.X.X.2 routed to I was told this was possible and I've been trying to find configuration examples, but I can't seem to get anywhere and now I'm getting desperate because I'm scheduled to install it this weekend.

View 1 Replies View Related

Cisco Firewall :: HP Procurve 5412zl Switch / Multiple VLANs And Gateways?

Feb 9, 2013

We have a HP Procurve 5412zl switch as our default  gateway for all our VLANs from there the traffic will be going to a  Cisco ASA 5515 and then to a Cisco 3800 Router then to our ISP.
We have yet to purchase the ASA but my question is  about my future configuration.  I will have the router of last resort on  the 5412zl setup to point to the ASA inside interface, how does that  work with multiple VLANs?  For instance the ASA inside interface would  be but traffic could come from another VLAN via the switch with  a 192.168.1.x address.  Would the ASA just pass it on to the router?   Or would it conside this spoofing and drop the packet?
Lastely, if we have WCCP set for the ASA's inside  interface, how would it handle the redirect for multiple VLANs ip addresses? Would I  use GRE for the redirect to my web filter?

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Always Allow Traffic On A Single Port

Feb 1, 2012

I have a private network behind a configured Cisco ASA 5510. I need to send data back and forth between a server on the inside network and a device on the outside network on port 44818. No amount of configuration is allowing this to happen. The packet tracer always fails on of the implicity "deny" rules, even though my other rule should explicitly permit it. I also realize I need to set up routing from my outside network to the inside network, but I cannot see from the documentation how to do that on this particular port without simultaneously breaking my outside connection.
The inside IP for the ASA is
The outside IP for the ASA
Here is my current configuration:
: Saved
: Written by enable_15 at 08:49:25.956 UTC Thu Feb 2 2012
ASA Version 8.2(5)


View 6 Replies View Related

Cisco Firewall :: ASA 5510 To Migrate Single Checkpoint

Dec 18, 2012

I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall.  The checkpoint firewall has 8 physical interface so the ASA 5510 also support physical 8 interfaces so thiw will be a one-to-one swap.  At the moment, I don't have an ASA 5510 to test my theory so I am going to throw it out here.  The checkpoint firewall is a SPLAT running on an powerfull IBM Server with 8 CPU dual cores with 32GB of RAM and it has 1200 rules with over 120,000 objects with some of the crazy NATs but it works so we will just leave it at that.  There are not that much traffics going across the firewall so there are no need to put in an ASA 5585
I use the cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration.  A lot of it has to do with Checkpoint having no concept of interface security level while ASA does.  I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment.  The customer goal is that at the time when cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic. 
My question is that can the ASA 5510 handle 1.5 million lines of configuration?  Are there any limitations on this?  I know there are limitations with FWSM but since I don't have an 5510 to test.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Traffic Shaping For Single IP?

Sep 8, 2011

I would like to know if there is a way to apply in the Cisco asa 5510 traffic shaping not for a interface but a single IP address.For example i would like to limit the bandwith for the IP address of my FTP server.

View 4 Replies View Related

Cisco Firewall :: Create Vlans In ASA 5510?

Oct 25, 2011

I need to be able to create vlans in my ASA 5510.
I can'T find anywhere to do this.
I've tried the "routers command" I know, like vlan databse and it does'nt work
Is there a way to "enable" vlan on a ASA 5510 ?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 How To Limit Icmp To Just Single Host

Nov 1, 2012

I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host? What I would like to do is be able to PING from the Inside interface 10.X.X.X to host on the Outside, but thats it no other host would be PINGable.I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp" but then everything is PINGable and the ASA does not block anything.

View 3 Replies View Related

Cisco Firewall :: 5510 Single Outside Public / Can PAT Out And NAT SMTP Server Back

Jul 30, 2012

I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...

1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
Email (MX) =
Public (outside) address =
Email server internal =
Internal private subnet for users =

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Time Range / Allow Single Port During Business Hours Only

Apr 1, 2012

I'm new to an ASA 5510 running 8.4(3) and am trying to figure out something regarding time ranges in ASDM. I simply want to allow a single port during business hours only (I'm not concerned about open sessions needing to be closed). So as an example I add a rule something like:
(RULE1 on the internal interface) SRC=INTERNAL DEST=ANY SERVICE=RDP ACTION=PERMIT with a time range set for weekdays 8:00-16:59. I did a test after 5pm on a weekday and was still allowed to do RDP to a server (from INTERNAL), and after using the packet trace tool saw it was still passing through due to a rule a couple lines down (rule 4) that allowed a port range that happened to include port 3389. So my question is if I specify an "allowed" time range and someone attempts access outside that time range, why doesn't it drop it right there? I guess I'm assuming that anything outside the "allowed" time range would be dropped but that doesn't seem to be the case. I'm also assuming the rule base is processed top to bottom.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 To Allow 2nd Network Segment Through Mpls

May 31, 2013

I have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet. Office 1 has a fiber internet connection, and all traffic flows fine. Office 2 had gotten it's internet from AT&T, via a network based firewall injecting a default route into the mpls cloud. both offices connunicate to each other through the mpls.
When we added the fiber to office 1, we had the mpls people change the default internet route to the inside address of the 5505 and things worked fine. when AT&T attempted to remove the NBF defaut route, and inject the 5505's address as default, things didn't go so well.
AT&T claims that it is within my nat cmmands on the 5505, but won't tell me anything else.  I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.
Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx - the 5505 inside interface is the internal interfaces of the mpls are and

View 21 Replies View Related

Cisco Firewall :: Multiple Subnets On ASA 5510?

Mar 26, 2013

I have an ASA5510 that is connected to outside for WAN, inside for LAN (, and a iSCSI switch plugged into Ethernet 0/3 ( I can ping the Eth0/3 interface ( but I can't ping across that interface from WAN or LAN side.
ASA Version 9.1(1)
hostname ASA5510


View 7 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple V LAN's And ACLs

Feb 27, 2013

I'm having a bit of trouble determining the best way to do this... I have 12 V LAN's set up (sub interfaces on a redundant group of two NICs) on my ASA 5510.  On several of these, I want them to be able to access the internet but not access other V LAN's. 

By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great.  But if I create an ACL on the interface, this rule disappears.  I can restore internet access by adding an "any to any" or "(this interface's sub net) to any" rule, but this seems to imply that it allows access to any v LAN.  Do I have to create a set of "deny" rules for each V LAN, on each V LAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?

View 2 Replies View Related

Cisco Firewall :: Use Multiple ISP Connection To 5510?

Feb 7, 2013

i've two cisco asa5510 with 4 FastEthernet interfaces each.They are connected as below:


to three different ISP each of them! The 4rth interface of each of them, is connected to internal LAN network. Both Firewalls, offers VPN Services to ISP connections on Fa0/0
How can i achieve high availability for this scneario?is this possible to implement some HighAvailability and to offer the actual services to each of them, in case that the other firewall fail?What about using subintefaces? can i connect bothe ISP and Customers links on one or each of them, in case that firewall01 fails, all the services to be online on firewall02?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Same Vlan On Multiple Interface

Jan 13, 2013

Whether it is possible to have same vlan on multiple interface on ASA 5510 and higher models ?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - How To Assign Multiple Public IP Addresses

Dec 2, 2010

I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. ) and another I would like to NAT to an internal server (e.g > On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to and then create a static nat to translate to Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via, outbound PAT and the site-to-site VPN.

View 15 Replies View Related

Cisco Firewall :: 5510 - Multiple ASA Configs For Cold Spare

Oct 2, 2012

I have a few sites all running Cisco ASA 5510s. They all share the same asa (8.4(4)1) and asdm (6.4.9) version, but their configs differ significantly. I have a cold spare sitting in my office in the event we have a physical failure. Is there a quick and simple way I can load up multiple configs and then boot up the cold spare to then run the config from Site_A or Site_B?  Just looking for a quick solution rather than doing a full restore should something fail spectacularly.  Nice to say upon bootup, using confreg perhaps, to boot Site_A config rather than Site_C.

View 1 Replies View Related

Cisco Firewall :: Backup ASA 5510 Multiple Context Mode

Oct 19, 2011

I am running a ASA 5510 in multiple context mode. IOS 6.4(2), ASDM 6.4(5)106.
In older ios/asdm versions it was possible to backup the configuration using ASDM.

In 6.4(5)106 i am missing this feature (see attachment)
Is it possible to backup a multiple context firewall using ASDM and above mentioned software versions?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Pools / Group Authentication?

Apr 8, 2011

can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Static Route Tracking

May 15, 2013

I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do

   route isp2  0 0  yy.yy.yy.yy  50
   route isp1  0 0  xx.xx.xx.xx  31  track 1
   route isp1  0 0  xx.xx.xx.xx  32  track 2
   route isp1  0 0  xx.xx.xx.xx  33  track 3

the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?

View 1 Replies View Related

Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved