Cisco Firewall :: ASA 5510 Two Public IP Subnets?
Aug 31, 2011
i just got an extra public subnet from our ISP (co hosting center) But I can't figure out how to use them on my ASA.
New:
IP-adresses: 87.1.1.194 - 87.1.1.254
Default gateway: 87.1.1.193
Subnetmask: 255.255.255.192
Old:
IP-adresses: 200.1.1.34 - 200.1.1.46
Default gateway: 200.1.1.33
Subnetmask: 255.255.255.240
Config:
route wan 0.0.0.0 0.0.0.0 200.1.1.33 1
And statics like:
static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255
View 22 Replies
ADVERTISEMENT
May 27, 2013
ASA 5585-x10, ver 9.1. I have about 10 public sub nets that will be used for NAT translation on the outside interface. These sub nets are different from the sub net the outside interface. Is there a way to advertise these routes using OSPF from the ASA?
I tried to redistribute a static route, but can't make the destination router an interface that is on the ASA. I don't own or control the upstream router.
View 1 Replies
View Related
Mar 26, 2013
I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and a iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1) but I can't ping across that interface from WAN or LAN side.
START CONFIGURATION
ASA Version 9.1(1)
!
hostname ASA5510
[Code].....
View 7 Replies
View Related
Oct 21, 2012
I have two ASA 5510 in an active-standby cluster, not that I think that the fact that they are clustered will be of any importance here so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASA's. I have two subnets with public addresses, for simplicity lets call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASA's? Im currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use adresses from the second subnet wont that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything, Im just trying to plan ahead and I cant seem to wrap my head around how this could possibly be done.
View 5 Replies
View Related
May 17, 2012
Having trouble with a couple items. First of all, should I be able to ping the inside interface of the ASA from all internal subnets assuming all of these subnets/vlans are directly connected to the same L3 switch? I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet. I have setup static routing on the ASA [
route inside 10.10.96.0 255.255.248.0 10.30.1.1 1]and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5]. The inside interface is on the 10.30.1.x/24 subnet. My host is on the 10.10.96.x/21 subnet. From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212. I can however ping 10.30.1.1 from 10.10.96.212.
This leads to my next issue, which is trying to setup the ASA to work concurrently with our current firewall. I'm doing this in order to transition to the ASA. I'd much prefer to cutover inbound NAT a little at a time vs. doing it all at once. Our current firewall is setup at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2). So my question is, if I setup an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing **** since the default route points back to our other firewall?
View 2 Replies
View Related
Mar 16, 2011
we have hosted voip and would like have our internet as back for their router. We gave them public static ip so they can configure that in their router. How can i configure the ip address in our firewall let say on asa5510 ethernet port 3 so if their router T1 goes out then our internet will work as backup.
View 4 Replies
View Related
Jul 22, 2012
I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have 192.168.101.0/27 private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.
View 9 Replies
View Related
Sep 5, 2012
We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.
View 7 Replies
View Related
Mar 3, 2013
I have DMZ n/w 192.166.0.0/24 on which i have nated on public ip
-private ip : 192.16.0.201 (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2
View 13 Replies
View Related
Oct 17, 2011
We have an issue with some NAT on an ASA 5510. Here is a simplified drawing of the ASA setup:So the issue is when we try to send traffic from 172.16.3.251 to 1.1.1.1 we got this message in the log:
Oct 18 2011 12:32:12: %ASA-3-305006: portmap translation creation failed for udp src inside
172.16.3.251 /37166 dst outside:1.1.1.1/23
It looks like there is an issue with NAT but maybe is cause of the DUAL ISP setup as packets are routed through the outside interface and not IPtelefoni_outisde?
View 13 Replies
View Related
May 7, 2012
I have a new 5510 which I have upgraded to 8.4(3). I have a /29 subnet from the telco on my outside interface. I have 6 subinterfaces on a dot1Q trunk on my inside interface. The customer requirement is to have two servers in a DMZ which have public IP's from the /29 subnet. The customer will not give the servers a new IP address so we are stuck with the two public IPs in the DMZ. I thought I would need a bridge group and bridge the outside, two DMZ interfaces but I read that bridging requires the firewall to be in transparent mode and then it won't support VPNs - this is not an option as I need to terminate VPNs on the box too.
how can I accommodate the two servers in the DMZ with public IPs whilst the ASA is in routed mode ?
View 1 Replies
View Related
Mar 2, 2012
I've currently got my ASA (5505) serving a /28 public subnet. I've ran out of IPs, so my DC has issued me an additional /24 subnet that they have routed to my ASA. What needs to be done on my ASA so be able to use these new addresses? I've been trying to search and not been able to find a good answer (some say I shouldn't have to do anything, everything else references NATing, which I currently don't do and would rather not do).The servers I assign these to, I'd like them to have the public ip assigned directly to them.
View 5 Replies
View Related
Feb 19, 2013
Im having problems with google saying we generate to much traffic to [URL]
I need to know which machines on the inside are talking so much with google. Can this be done via ASA 5510? do i need a third party program for this?
View 1 Replies
View Related
Feb 5, 2012
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same piblic IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
View 6 Replies
View Related
Apr 13, 2013
I have a few devices that the manufacturer told us we have to set with a public IP (No Natting) We have Internet ->ASA5510-> Switch 3550 with 3 vlans. Up to now we have always use Natting to configure internet access to specific devices. I heard setting up a witch with one VLAN connected to the internet and all other internals is a bad idea. that was the only Idea we had.
View 3 Replies
View Related
Sep 18, 2012
I've tried a bunch things but it didn't work, I'm about to gave up! :-/
I have the following scenario:
ASA5510 - v8.3(2)
Interfaces
ETH0/0 = outside = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15
[Code]....
What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browse the http://189.xxx.xxx.129:8080 and get through directly to my internal server 10.xx.xx.61 ?
View 5 Replies
View Related
Feb 5, 2012
We need to deploy a Cisco ASA 5510 behind the Internet facing router for Remote Access VPN (RAVPN). We bought the block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x)and configured the outside interface of ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.
But, we can't access the ASA by it's public IP.
DSL Modem → RV082 router → Switch → LAN
(69.x.x.x) ↑ (192.168.0.0)
Cisco ASA 5510
(outside: 64.x.x.x, inside: 192.168.0.172)
View 16 Replies
View Related
Dec 2, 2010
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
View 15 Replies
View Related
Mar 12, 2012
I have a Cisco ASA 5510 that was set up as a VPN server for working remote. I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA. The problem I'm having I believe would be resolved if I enabled split tunneling but I would prefer another solution. Now..for the problem.When a user is connected via VPN, they can hit all intended devices both public and private accept servers that have static NATs in the FW. So Server A has a public of 1.1.1.1 which is one to one mapped to private address of 10.1.1.1. Now if the remote user brings up a browser and goes to 1.1.1.1 it wont work. The FW gives me a error which is posted below. However, using the private IP of the server works. I thought about trying to manipulate DNS to resolve this as the remote users are using URLs and not IPs when trying to reach these servers but again, was hoping I could resolve the NAT problem that the FW seems to be having.
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:1.1.1.1/80 denied due to NAT reverse path failure 192.168.202.x/24 is the remote vpn ip given via the ASA.
Here are some configurations on the ASA:
static (INSIDE,Outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
[code].....
Outside with 4.4.4.4 as the public ip traffic gets NAT'd do dynamically Inside with 10.1.1.x network on it.The ASA is running 8.2
View 2 Replies
View Related
May 10, 2012
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
View 10 Replies
View Related
Sep 11, 2012
I hava ASA5510. INSIDE,DMZ and OUTSIDE interfaces are configured. I hava web server on DMZ ip:10.0.0.1 and it is static natted to 1.1.1.1. From internet i can reach to web server with IP:1.1.1.1 and from INSIDE connect to web server with IP:10.0.0.1. Now i want to connect from INSIDE to WEB server via public IP(1.1.1.1).how can configure it?
View 2 Replies
View Related
Mar 15, 2011
Will I break anything if I create a second IP address on the physical external interface of our ASA 5510? I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.
View 9 Replies
View Related
Feb 20, 2012
Is it possible to have multiple public IP addresses that are from different subnets going through one router? I have been told that this is not possible with most routers and that I would have to spend a lot of money on a router to be able to do it. I am still not totally clear on what defines a subnet even after reading up on them. What I am trying to achieve:
-My office has 10 computers.
-All would be connected to one router.
-My internet service provider has provided me with 10 public IP addresses, that are all very varied (which I asked for)
View 3 Replies
View Related
Dec 27, 2011
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
View 3 Replies
View Related
Jul 30, 2012
I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...
1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8
View 1 Replies
View Related
Oct 12, 2011
how to totaly disable Admin/ASDM access on our public interface of our 5510. I don't want to change IPSec or SSL access to the outside interface. Just totaly disable access to Admin/ASDM from the outside without halting all other access.
View 3 Replies
View Related
Sep 4, 2012
I am working on a task of redirecting any unmatched http traffic to Symantec public transparent proxy through Cisco ASA. For the definition of uncatched http traffic, we have inbound squid servers for deploying IE proxy pac and redirect the http traffic to Symantec public transpraent proxy, however we can't deploy IE proxy pac to mobile device and non-support web browers.Since we have some application using IE proxy setting for direct http communication with external domains, the current symantec policy addes those domains in the exception list so that they are not redirect to Symantec public transparent proxy server.
-For the platform - Cisco ASA 5510 ASA 8.4(4)1
-For the solution, I have the following two nat rules
View 10 Replies
View Related
Aug 15, 2012
I need to NAT some subnets to one IP and other subnets to another IP. The range command want work because some of the subnets are out of order.For example subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 nat'd to 1.1.1.1. subnet 192.168.26.0-192.168.27.0 nat'd to 1.1.1.2
View 2 Replies
View Related
Sep 13, 2011
I am working on a Cisco 5510 with multiple interfaces and requirements. I have experience with Cisco IOS, but not too much with the ASAs. I seem to be getting a bit confused on the NATing and ACLs on a firewall that was started by another employee, who is no longer here. With my current config I can get the firewall in place (we are currently using an older PIX) and most basic functions work except for two key things: 1) communication from the finance interface to the inside interface. The finance subnet has some restrictions that you will see in the ACL- we are trying to limit connections to the those systems, but they need to be able access an e-mail server on the inside. 2) communication from the DMZ interface to the inside interface. Maybe related to the first problem?
View 2 Replies
View Related
Jul 10, 2011
i have an ASA 5520 8.4(1) setup as follows
public wan
|
|
ASA-- public dmz
|
|
private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
View 6 Replies
View Related
Feb 18, 2012
I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues.From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues.
Here's my config:
ASA Version 8.4(3)
!
hostname gw
domain-name internal.mycompany.com
enable password asdf encrypted
[code].....
View 6 Replies
View Related
Apr 7, 2013
My ASA 5510 is configured with a single PUBLICIP1 on the outside interface. All internal hosts 192.168.0.x are behind the ASA firewall and NATed to PUBLICIP1 including a few site-to-site VPN tunnels. This is also true for DMZ. Now, I would like to add a second PUBLICIP2 to the ASA and map it to one internal host ONLY - For eg: 192.168.0.25. How can I do this without effecting the existing setup? Since my entire internal subnet 192.168.0.0/24 is NATed to an existing PUBLICIP1 how can I exclude just one host (192.168.0.25) and bond it to the PUBLICIP2 for all ports.
This is what my current OUTSIDE interface looks like.
interface Ethernet0/0
duplex full
nameif OUTSIDE
security-level 0
ip address PUBLICIP1 255.255.255.224
!
View 7 Replies
View Related
Jul 30, 2012
I am setting up a site to site IPsec connection with a company, something which I have done many times before without trouble. I use ASDM to configure this as it is quick and painless, usually.
We have a number of other site to site connections currently configured and working fine on this ASA, these are configured with the 'Protected network - Local network' configured with the private IP's of the hosts within our network we want to make available through the seperate tunnels. This includes the configuration setting on our ASA for each connection to 'Exempt ASA side hosts from NAT'.
With this new connection however, the company has asked us to use a public IP for the host we want them to reach through the tunnel. I am not sure why but they demand it. So I added a NAT rule for the inside host, and configured the connection with the public IP under 'Local Network'. When testing to try reach a host on their side, the tunnel does not even attempt to initiate.
I cant see where I am going wrong. I am guessing the 'Exempt ASA side host from NAT' does not require to be set for this, as how else would the ASA know which internal host the public IP relates to.
View 6 Replies
View Related
