Cisco Firewall :: ASA 5510 - Static Route By Interface Or Destination

Sep 21, 2011

Is it possible to assign a static route to an interface and not globally on a ASA 5510 ver 8.3.
  
I have two links between my offices one for Data via a VPN and one for video traffic which is a secure connection with QOS end to end.
  
All interfaces are on the same security level of 100 except Outside which is 0.
  
Office 1 Interfaces ASA 5510
 
 
VLAN  1               vOffice1Data       10.40.1.0/24
VLAN  3               vOffice1Video     10.40.2.0/24
VLAN 5                vInterOffice       10.40.5.0/24     (QOS  connection Between Offices)

[Code]....

At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.

View 2 Replies


ADVERTISEMENT

Cisco Routers :: RV180 Cannot Set Static Route With Destination To All IPs

Apr 2, 2013

I have Cisco RV180. I can not set static route with destination to all IPs (0.0.0.0/0.0.0.0). It always shows errors. It asked me to input non zero number. I can do this on Cisco RV042 without any problem.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Static Route To Inside Interface

Mar 29, 2011

I have inherited an ASA 5520.  In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP.  I am trying to understand the purpose of this route or why a route would be setup this way.

Example Static Route:
Inside 10.xx.31.0 255.255.255.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Static Route Tracking

May 15, 2013

I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do

   route isp2  0 0  yy.yy.yy.yy  50
   route isp1  0 0  xx.xx.xx.xx  31  track 1
   route isp1  0 0  xx.xx.xx.xx  32  track 2
   route isp1  0 0  xx.xx.xx.xx  33  track 3

the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?

View 1 Replies View Related

Cisco Firewall :: Route To Same Interface On ASA 5510?

Sep 14, 2011

I would like to route traffic that are coming in and going out to the same interface on ASA. I am using inside interface with security-level 100.  In this URL, [URL], ASA is able to do that.

View 5 Replies View Related

Cisco Firewall :: ASA 5510 Static To Indirect Subnet / Return Traffic Without Default Route NAT?

Aug 12, 2012

I am having touble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utiluizes a physical interface on the ASA5510, but I need the interface for another project.
 
 What I have is this:  
 
Internet<----->ASA<-->router<-->4507(layer3)
|                           |
|                           |-Vlan1

[Code]......

View 1 Replies View Related

Cisco Firewall :: 5510 Trace-route / Antispoofing On Not Default Route

Jun 24, 2011

I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
 
I have ICMP inspection and icmp-error inspection enabled.

View 1 Replies View Related

Cisco Firewall :: ASA5505 / 5510 - Prioritize Traffic Based On Destination IP?

Sep 25, 2012

we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?

View 3 Replies View Related

Cisco Firewall :: ASA5520 - Static Route Shows A-172.24.0.0 Or A-192.168.176.0

Jul 14, 2012

We use ASDM 6.2 to manage our Cisco ASA 5520 running ASA Software Version 8.2 (1). I just noticed that some static routes have "A-" when you view the static routes with ASDM e.g. A-172.24.0.0 or A-192.168.176.0 (pls see attached print screen). I haven't seen this before and dont know what it means.

View 4 Replies View Related

Cisco :: No Valid Route For Destination?

Feb 27, 2013

I configured dns on the router on this command ip name-server 4.2.2.2when i tried to ping www.google.com showing no valid routeTranslating "www.google.com"...domain server (4.2.2.2) [OK]Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 2800:3F0:4001:807::1013, timeout is 2 seconds:

View 9 Replies View Related

Cisco :: How To Use Route-map To Change Destination IP

Aug 2, 2012

a) one router with two ethernet interfaces (LANs) and a serial interface. The serial interface is connected to the internet, dynamic nat is used for hosts in the two lans. A web server has a private address of 172.168.50.10 and it is being translated to the internet with serial's interface 68.32.x.x (public ip) with static nat. Clients in the internet type the public address to access the web server.

b)Problem: clients inside the LANs cannot access the web server by typing the public address, they use the server's private address instead, this create a problem with DNS static entries in the HOSTS file in the OS. It is a test server and is only available to authenticated users (lock and key ACLs), so no need to make a real DNS record. The entry in the HOSTS file points to the public address.

c)Question: how can a create a route map to change the public address in the HOST file to the private address of the test web server everytime a user in the LANs type the domain name.

View 6 Replies View Related

Cisco WAN :: Routing / Ping Between Two Nexus 5000 - No Route To Destination

Jan 23, 2013

I have 2 nexus 5000 switches configured with a trunk linking the two how can i do the follwoing
 
BOX 2
 
vrf context management
  ip route 0.0.0.0/0 192.162.88.9
 
BOX 2
 
vrf context management
  ip route 0.0.0.0/0 192.168.88.10
 
1. ping between the two boxes, i set up static route's but when i ping i get the error "NO ROUTE TO DESTINATION"
 2. routing between the two

View 1 Replies View Related

Cisco Firewall :: NAT Route For Remote VPN On ASA 5510

Nov 15, 2011

I have configured a remote access VPN on my Firewall ASA5510. Everything worked fine and I can successfully connect through the VPN. The problem is I cannot ping or connect to any of my internal network resources. I tried to add a new NAT route from outside to my internal servers using the defined pool but due to a new ASA version there are many changed I see in the NAT routes

View 37 Replies View Related

Cisco Firewall :: Trace Route Between Two ASA 5505 And 5510

Oct 15, 2012

We have a ASA 5505 and a 5510, that we are using site to site.I need to traceroute from the 5505-5510.. From the outside interfaces.. Don't want to do this through the site-to-site.I have temporarily added a few acl on the outside interfaces.when i traceroute it only goes one hop.. Maybe thats the way it suppose to be? I need to know all the hops between the outside interfaces on the 5505 to the outside interface on the 5510.

View 12 Replies View Related

Cisco Firewall :: Slow Intervlan Routing On Asa 5510 Route

Jul 21, 2011

In the restructuration of my company network we install due ASA 5510 in failover for the management of internal network and DMZ. We configure the ASA in routed mode, we create the sub interface for server, client and dmz subnet and we connect the firewall ti the network. Everything works very good except the intervlan routin. If i try to send or receive a file in every protocol, ftp, http, smb o if i try to conne with rdp or vns to an host in a different vlan the connection goes very very slow. I particular a ftp connection between two host goes ti 15kb/s. I check all cable and port for some error on duplex ro speed, end all the uplink are 1gb and the single client connection 100Mb. I know that the main purpose of the ASA is not doing routing stuff but this behavior is very strange.

View 1 Replies View Related

Cisco Firewall :: ASA 6.1 Deny IP Spoof From (global) To (Static NAT) On Outside Interface

Jun 2, 2013

I'm receiving an error when trying to access a web server behind from one subinterface to another subinterface on an ASA access the public IP.  I'm getting the following:
 
Global Static NAT Deny IP spoof from (61.X.X.X) to 201.X.X.X on interface Outside     
 
Traffic dies at the firewall stating that the traffic is spoofed from the Global address (61.) to the static (201.) address.  Both bound to the outside interface. When I create a static NAT on the firewall there is no problem; however when I'm patting against the firewall to the public IP I get the denies. 

View 3 Replies View Related

Cisco Firewall :: ASA 8.3(2) / PAT Interface Address With Static NAT Port Translation?

Aug 22, 2011

I have an 8.3(2) ASA with a single outside IP.  Dynamic PAT translates inside addresses to the outside interface address.  I would like to use static NAT with port translation to access an inside syslog server.  I got an error when I tried using the outside interface address.  Can I use both dynamic PAT and Port Translation with the same outside address?This is what I would like to use but I receive an error saying there is an overlap using the outside interface address.(192.168.1.0 is my inside network.  10.10.1.10 is the outside interface IP.)
 
object network inside-net
  subnet 192.168.1.0 255.255.255.0
  nat (inside, outside) dynamic interface
 object network SYSLOG_SERVER
  host 192.168.1.50
  nat (inside,outside) static 10.10.1.10 service tcp ssh ssh

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - Static VLAN NAT

Mar 9, 2012

One of our customers has asked us to Nat from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor managed voice router..
  
                                Internet for everything else
                                                   |
                                                   |
Inside ------------------------> ASA 5510 -----------------> Voice router  ------>  outside to public phone server only
10.10.1.0/20                         10.10.1.7/320               172.16.20.1/24
Voice------------------------->
172.16.20.0/24               172.16.20.254/24
 
Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using non at acls. The phone server can only talk to the 172.16.20.0/24 network. So I need to nat the 10.10.1.0/20 network to the Voice interface on the ASA 172.16.20.254/24.
 
So I think I need the following static but I get the error below:
 
static (Inside,Voice) interface 10.10.0.0 net mask 255.255.240.0
WARNING: All traffic destined to the IP address of the Voice interface is being redirected.
WARNING: Users will not be able to access any service enabled on the Voice interface.
ERROR: Invalid net mask with interface option

[Code] .......

View 5 Replies View Related

Cisco Firewall :: Static Nat On ASA 5510 IOS Version 8.2

Feb 19, 2012

have a question. I have a ASA5510 with IOS version 8.2 . I have my firewall and behind it also have a mail server eg 192.168.1.x. When i send email from inside network it doesn't show as if it's coming grom the out side nated public IP of my server but IP of firewall. What am i missing my example nat statements are . Nat-control is disabled.
 
static (inside,outside) 196.68.99.x 192.168.1.x netmask 255.255.255.255
access-list inbound extended permit tcp any host 196.68.99.x eq 225
accesslist outbound extended permit host 192.168.1.x host 196.68.99.x

View 9 Replies View Related

Cisco Firewall :: 5510 - Convert Static NAT To PAT

May 27, 2013

I have an issue, of two parts. The first part I believe I have figured out, just the second part I am unsure of. I have an ASA 5510, currently, there is a mailserver that is static NAT'ed to one of my ISP routed IPs (not the IP of my main Dynamic PAT/Outside interface).  I need to convert this over to PAT for ports 25,80,443, etc  (standard ports).  I know I need to remove the static NAT statement and add in the PAT statements, but I need traffic from that machine to continue to go out the IP assigned to it by the static NAT.
E.G.
 
1.1.1.1 <- main public IP on outside interface, everything gets internet through this IP
1.1.1.2 <-> 10.10.10.10 static NAT to mailserver, secured with ACLs
 
I need to enable the mailserver to continue to appear to the world as living on 1.1.1.2, due to MX records and rDNS settings, etc...

The terminology for this setup escapes me at the moment. 

View 2 Replies View Related

Cisco Firewall :: 2800 Routers / ASA 5510 Cannot Ping Via Route Inside?

Mar 3, 2013

I recently added a business cable modem to relieve some of the congestion I was getting on my T1 for our MPLS network.  There was an ASA 5510 collecting dust in a closet here and I thought it would be the perfect device for firewalling the traffic coming in from the Cable modem, and handling the routing of our internal MPLS traffic as well.  Internet setup was cake.  The test laptop I have using the ASA as it's gateway has great internet service but it cannot ping across either of our MPLS networks.  I have one MPLS with AT&T and one MPLS with EarthLink.  My hope was to use the cable modem as the Default route for all unspecified internet traffic and route our internal MPLS traffic to the cisco 2800 routers that are currently in place for the MPLS.  I can ping across the MPLS when I telnet to the ASA, but I cannot ping across the MPLS from the client that is connected to the ASA.
 
Here's the topology I'm working with
 
Internet
|
Cable Modem
|
ASA 5510 10.52.120.23

[Code].....

View 8 Replies View Related

Cisco Firewall :: ASA5580 One Inside Source Address Static Nat To Two Outside Interface

May 10, 2012

customer has a server which located in inside interace.    and an outside interface connected to ISPA.    cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.

View 3 Replies View Related

Cisco Firewall :: ASA5580 / One Inside Source Address Static Nat To Two Outside Interface?

Jul 13, 2011

i have a problem  customer has a server which located in inside interace.  and an outside interface connected to ISPA.  cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address.    the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580.  i want use route-map on static nat, but it will not satisfy customer's request.

View 6 Replies View Related

Cisco Firewall :: ASA5510 Static Routes For Management Interface Not Working

Mar 30, 2011

We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
 
e0/0 = outside
e0/1 = inside
m0/0 = management
 
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
 
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
 
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
 
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
 
route management 10.72.211.0 255.255.255.0 10.72.232.94 10   <------------- this works
 
route management 10.72.211.79 255.255.255.255 10.72.232.94 10   <------------- this works too
 
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
 
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
 
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
 
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Static NAT For Outside Access Not Working?

Sep 19, 2011

I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
 
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
 
4    Sep 20 2011    16:20:33        fw_outside_ip    62678    outside_host    2001    Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]
 
When I try to use the packet tracer to simulate the outside traffic, I get the following
 
5    Sep 20 2011    16:17:41        inside_host    2001            Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure
 
I've got over my NAT statement and access rule and can't find anything wrong with either.
 
Here are the pertinent NAT and access rule...
 
static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask 255.255.255.255
 
access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001

View 5 Replies View Related

Cisco Firewall :: 5510 8.3 (1) Static Nat For Web Servers And FTP Server As Well

Sep 13, 2011

I got the charge of a ASA 5510 running with 8.3(1) version.Found that this is simple config with Patting for inside host and couple of Static Nat for web servers and FTP server as well.
 
There is lots of other configuration being done,I assume for the purpose of just R&D by the previous administrator.I need to understand if the following Nat statements holding any relevance?
 
Where we are running Only  NETWORK_OBJ_192.168.0.0/23 subnet at inside and there is no other subnet defined in rest of the statements.i.e 10.0.0.0/27 and 192.168.1.128/27 doesn't exist at all.

View 1 Replies View Related

Cisco Switching/Routing :: 877W - Multiple Static Routes / Same Destination Dialer0 And Vlan1?

Jun 10, 2013

Is there any way to have my Cisco 877W Router alter from using one static route to another static route when another router on the network is reporting destination host unreachable?
 
Router 1 (192.168.2.253)
Dialer0 -> ppoe to internet
Vlan1 -> local 192.168.2.0/24
 Router 2 (192.168.2.254)
Dialer0 -> ppoe to managed VPN (172.16.28.1)
Vlan1 -> local 192.168.2.0/24
 
Router 2 is connected to another network through a managed VPN and that network also has internet access. I want to be able to have two routes to the internet on Router 2. And when Router 1 internet goes down packets get routed through the VPN instead.
 
I currently have on Router 2
 
ip route 0.0.0.0 0.0.0.0 192.168.2.253
ip route 10.0.0.0 255.255.255.0 Dialer0
ip route 0.0.0.0 0.0.0.0 172.16.28.5 250
 
Which does nothing when Router 1 has its Dialer0 interface shutdown, or goes offline completely.I suspect I could reverse the setup and have everything routed through the VPN by default and then if / when Dialer0 interface goes down it would switch to using Router 2, but if the problem is in the remote network and interface Dialer0 stays up, it would probably do the same thing... nothing.All devices mentioned are Cisco 877W routers with ADSL and a bunch of fast ethernet interfaces.

View 2 Replies View Related

Cisco Firewall :: Asa 5520 / Configure Two Static Nat Statements From Inside To Outside And Backup Interface?

Oct 16, 2011

I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.

object network obj-10.1.1.254
host 10.1.1.254
object network obj-10.1.1.254
nat (inside,outside) static 172.25.10.3
 
I want to also use nat (inside,backup) static 172.25.10.3

View 3 Replies View Related

Cisco Firewall :: Unable To Reserve Port 443 For Static PAT In Asa 5510

Jul 15, 2011

This problem applies (in my case) to our ASA5510. The issue here is that the http service on the ASA is runnnig off of the standard port 80. Login to the firewall and run the following.no http server enable http server enable 8080,Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.

View 1 Replies View Related

Cisco Firewall :: 5510 - Static NAT Required But Outside NAT Pool Already Exhausted

Mar 10, 2012

I  got a project where I have to provide NATTED addresses to cutomers for  the internal servers and I found out that the outside address range /27  already in use. We are using 5510 with ver 8.1. We cant use PAT here.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Static Map - Outbound Flows Through Global Address

Nov 30, 2011

I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
 
Here are what I believe to be the relevant configs.
 
interface Ethernet0/0
description New 6mb circuit
speed 100

[Code]....

So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.

View 2 Replies View Related

Cisco VPN :: ASA 5510 - NAT Destination Address Through VPN?

Feb 25, 2012

I am trying to perform destination NAT through a VPN tunnel.my scenario traffic coming from 172.29.11.135 needs to connect to address 192.168.1.1 from the source device traffic will have a source IP address of 172.29.11.135 destination will be 172.30.14.1 traffic will hit the asa 5510 and the traffic source will stay as 172.29.11.135 but the destination needs to change to 192.168.1.1.
 
I have tried the different types of NAT but been unsucessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
 
example config
access-list FROM_INTERNET extended permit esp any any
access-list FROM_INTERNET extended permit ah any any
access-list FROM_INTERNET extended permit gre any any
 access-list FROM_INSIDE extended permit ip host 172.29.11.135 host 172.30.14.1
access-list VPN-TUNNEL extended permit ip host 172.29.11.135 host 192.168.1.1
 
**I have left other config statements off as the NAT config used previous has not worked and the VPN tunnel does build when using NAT exempt.

**All ACL have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static roule for the VPN traffic allowing the default static to perform that function.

View 1 Replies View Related

Cisco Firewall :: Unable To See Interface On ASA 5510 Firewall?

Jul 29, 2012

I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
 
Below is the output.
ciscoasa# sh int ip br Interface                  IP-Address      OK? Method Status                Protocol Ethernet0/0                x.x.x.x           YES CONFIG up                    up Ethernet0/1                x.x.x.x           YES CONFIG up                    up Ethernet0/2                unassigned      YES unset  administratively down down Internal-Control0/0        127.0.1.1       YES unset  up                    up Internal-Data0/0           unassigned      YES unset  up                    up Management0/0              192.168.1.1     YES CONFIG up                    up

View 8 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved