Cisco Firewall :: ASA 5510 Vlan Cannot Reach Wan

May 27, 2012

i'm setting up vlan and inter-vlan routing in my lab. My vlan work well (routing between them and dhcp relay) on the LAN side of the ASA but they cannot reach internet trough the ASA.
  
Here my ASA settings :
 
Note : I know that the physical interface musn't have an @IP but my present network needs one to work. I'll fix this during my next tests.

: Saved
:
ASA Version 8.2(1)
!

[Code].....

View 8 Replies


ADVERTISEMENT

Cisco Firewall :: Cannot Get 5510 ASA To Reach Internet Traffic

Nov 30, 2012

I have been at this for the past few hours now. I just cannot get this device to pass through traffic to the internet. Here is the basic topology:
 
 Default Gateway (ISP): 208.118.125.129/29
IP of outside int (e0/0): 208.118.125.130/29
ip of inside int (e0/1): 10.1.1.1/24 
 
igniteCSGfw(config)# sho run
: Saved
:
ASA Version 8.0(4)

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Anyconnect Client Can't Reach Inside Network

Jan 2, 2012

So, I've set up Anyconnect client access to an ASA-5510.
 
I've got a handful of interfaces, which contain hosts that should be accesible to anyconnect clients.  I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
 
fw1# show nameif
Interface                Name                     Security
Ethernet0/0.205          SECURE                  90

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA 5510 - Static VLAN NAT

Mar 9, 2012

One of our customers has asked us to Nat from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor managed voice router..
  
                                Internet for everything else
                                                   |
                                                   |
Inside ------------------------> ASA 5510 -----------------> Voice router  ------>  outside to public phone server only
10.10.1.0/20                         10.10.1.7/320               172.16.20.1/24
Voice------------------------->
172.16.20.0/24               172.16.20.254/24
 
Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using non at acls. The phone server can only talk to the 172.16.20.0/24 network. So I need to nat the 10.10.1.0/20 network to the Voice interface on the ASA 172.16.20.254/24.
 
So I think I need the following static but I get the error below:
 
static (Inside,Voice) interface 10.10.0.0 net mask 255.255.240.0
WARNING: All traffic destined to the IP address of the Voice interface is being redirected.
WARNING: Users will not be able to access any service enabled on the Voice interface.
ERROR: Invalid net mask with interface option

[Code] .......

View 5 Replies View Related

Cisco Firewall :: Create VLan On ASA 5510 (8.2)?

Feb 25, 2013

User want to create on 5 network , 100.x , 200.x , 210.x , 250.x , 220.x .at the ASA5510, no enough port for 5 network.So I want to create 4 vlans on eth 0/3. I can create vlan but i cannot run this command " switchport mode trunk"   " "switchport trunk allowed vlan list" how can be done for that?

Actually i want to use like thisASA5510-----4 vlans on eth 0/3------switch----vlan200,vlan210,vlan250,vlan220.

View 1 Replies View Related

Cisco Switches :: 3560X - Cannot Reach Management Vlan

Mar 12, 2013

In one of my client location I have deployed one Cisco 3560X (core switch) and one SG-200-18 (access switch). I’ve configured three vlans (vlan 2, vlan 3 and management vlan 1), relevant trunking and I’ve connected two pc to the access switch to vlan 2 and 3 respectively. So far everything (including inter-vlan communication) works fine, except that I couldn’t reach the vlan 1 (management vlan) devices (access switch and core switch) from any pc which is connected to either vlan 2 or 3.
 
I’ve configured the “port VLAN membership” settings in SG-300 as follows,
 
Interface                             mode                    Administrative vlans                      Operational vlans
 GE 2                                       Access                                  2UP    

[Code].....

View 4 Replies View Related

Cisco Firewall :: ASA 5510 Cannot Create A Interface VLAN

Mar 23, 2013

May I know the reason why we cannot create interface vlan on Cisco ASA 5510?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Same Vlan On Multiple Interface

Jan 13, 2013

Whether it is possible to have same vlan on multiple interface on ASA 5510 and higher models ?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 And 3750 VLAN Routing?

Dec 14, 2011

I am working on the exact same configuration as noted here [URL] that uses subinterfaces on the asa. I have two interfaces on my stacked 3750's configured as trunk ports (primary ASA on primary 3750 stack member, secondary ASA on secondary 3750 stack member).
 
My questions is what should the DG be configured on the 3750. Can I keep the 3750 in L2 or will I have to enable L3 routing? Should the VLAN interfaces be configured.
 
The port that the ASA is configured with has 3 subinterfaces on VLAN 100, 200, and 300.
  
The subinterfaces are G0/2.100, G0/2.200, and G0/2.300.I am in the middle of converting from 3 separate DMZ switches, each attached to their own port on the asa which is their default gateway to one physical port on the ASA broken into 3 subinterfaces which then connect to stacked 3750's. The stack will then have the 3 separate DMZs in actual separate VLANs.
 
My goal is to leave the default gateway for each dmz on the ASA so I don't have to modify other areas of the ASA config.

View 1 Replies View Related

Cisco Switching/Routing :: Hosts Can't Reach Each Other In Same VLAN In 3560G

Nov 19, 2012

We have recently started as Internet service provider in an open metropolitan.
 
We use a Cisco 3560G Layer 3 switch, where we have all our vlan where we have konfiguerat ex. Switch (config) # interface vlan 150, an interface for each VLAN capabilities such as int vlan 1 - 10/10 int vlan 2 to 30/10, int vlan 3 100/10 and so on.
Our int vlan is configured as follows:

dhcp relay information trusted
ip address <x.x.x.x> <x.x.x.x>
ip helper-address <x.x.x.x> 
Ports (ex. int Gigabit Ethernet 0/1) are configured as follows:
description Uplink
switchport access vlan x

[Code].....
 
Now the problem; we have a customer in ex. vlan 3 who needs to access a server provided by another customer in the same vlan (vlan 3), and access to each other in the same vlan is not possible. You can access the server from any other vlan, but when it comes to access to another host in the same vlan, you will not reach it.

We suspect that the energy company has configured with pvlan isolated. If we use the command ip local-proxy-arp on each vlan, it works to reach each other, but it seems that our 3560 becomes overloaded when ip local-proxy-arp is enabled and it streaming and use IP telephony it doesn't work. The response time at ping is longer and the loss of packets increase with ip local-proxy-arp enabled. The other operators in the metropolitan also uses Cisco 3560G so the hardware should be sufficient.

We have also tried to add no split-horizon, but it made no difference. How do we get around this without negative consequences? Probably need something that makes you allow to send out the same interface that it came from, because it works as long as you are in another vlan.

View 1 Replies View Related

Cisco Switches :: SGE2010p / Configure Vlan To Reach Few Subnet?

Jun 9, 2010

Just got a new SGE2010P layer 3 switch. I'm trying to configure Vlan to reach a few subnet. I have the original 192.168.1.0/24 as vlan1. I want to reach our WiFi subnet 192.168.10.0/24. The WIFI router is directly connected.  It's new for me as the previous Job i was sorking with a ws-3750-48.
 
i did from console  change my switch to layer 3 mode... ( i want it as the DGW for each Vlan)from the web interface, i create a vlan4 for our WIFI Next i go to ipv4 to add an IP address to vlan 4 like 192.168.10.254 /24 As soon as I apply the IP the switch stop responding, Ping request time out..  i need to reboot the switch..

View 2 Replies View Related

Cisco Firewall :: VLAN Tagging To ISP Through ASA 5510 To Remote Site

Oct 25, 2012

we have a base license ASA 5510, and been trying to get ICMP working to check that we're routing and not hitting any NAT translation. We have a VLAN280 setup to ISP for VPN link to remote site and another VLAN281 for internet access for internal users.
 
Users can browse internet from (name _inside interface e0/1 access port) which is fine. When I do a ping to remote office through the VPN I get a response pinging from VLAN280 name VPN_Link. When I do a ping from name inside interface I don't get a response both are security level 100 with same-security-traffic permit inter-interface configured.
 
Config:
 
!
interface Ethernet0/0
speed 100
no nameif

[Code]....

View 11 Replies View Related

Cisco Firewall :: Unable To Create VLAN Interfaces In ASA 5510

Nov 13, 2011

Unable to create VLAN interfaces in ASA 5510

View 1 Replies View Related

Cisco Switching/Routing :: ASA 5520 - Unable To Reach VLan System While Connecting From VPN

May 27, 2013

I have a multiple Offices in my location , all my external users are connecting my site using Cisco Client to site VPN and accessing my 2 sites , All users are able to access my 2nd office servers which are in 10.10.0.x pool , I have a different vlan in that same location with 10.10.35.x series and users are not able to access this pool servers , I am not much familiar with Routing . i am using ASA 5520 firewall .

View 11 Replies View Related

Cisco Firewall :: Pass Management VLAN Traffic Through ASA 5510 In Transparent

Mar 10, 2013

We have a small cisco 1800 series workgroup router that seperates our network from the outside world.  The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0.  fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3).  These sub-interfaces correspond to a desktop and server vlan on our network.  The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network.  The firewall was set up between the router and switch 1 in transparent, multi-context mode.  There are 2 security contexts, 1 for the desktop vlan and 1 for the server.  Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.

View 2 Replies View Related

Cisco VPN :: 5510 Anyconnect Unable To Reach Internal Networks

Sep 18, 2012

I have ASA 5510 and configured client VPN or Annyconnect VPN, when I connect to the ASA remotely using anyconnect I am able to get IP address as configued, from Internal network I can ping and RDP that anyconnect VPN desktop, but the problem is from the remote anyconnect VPN client I am unable to access internal network, when I use ASA packet tracer and check traffic from internal to anyconnect pool of addresses it gives result ok, but when i use packet tracer to check traffic on outside interface from  anyconnect address pool to internal subnet it always gives the packet is dropped at WebVPN - SVC, and I can find any where related configuration for that.

View 5 Replies View Related

Cisco Switching/Routing :: ASA 5510 / Subnets Unable To Reach Outside?

Feb 18, 2012

I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues.From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues.

Here's my config:
 
ASA Version 8.4(3)
!
hostname gw
domain-name internal.mycompany.com
enable password asdf encrypted

[code].....

View 6 Replies View Related

Cisco VPN :: Configured Remote-access VPN On ASA 5510 - Cannot Reach Network

Mar 14, 2011

I configured a remote-access vpn on an ASA 5510 version 8.3. This is the configuration [code]The vpn goes up and I get an ip address, but it's impossible to reach the internal network. [code]

View 9 Replies View Related

Cisco :: 5510 - Can't Reach (ping / Telent) To ASA While On AnyConnect VPN Connection

Jan 4, 2012

I am simulating Anyconnect VPN connection in the lab.I have an issue while configuring Anyconnect VPN on ASA5510.
 
I can have a successfull anyconnect connection but i can't ping my firewall Interface IPs while i am in the connection.
 
ASA 5510
 
Outside IP: 192.168.1.1/24
PC connected to Outside Interface: 192.168.1.10/24
 
Inside IP:10.10.10.1/24
PC connected to Inside Interface: 10.10.10.100/24
 
Pool : 10.20.20.11 - 10.20.20.50 /24
 
I have a successful VPN connection & the PC connected to the outside Interface gets an IP address  from the assigned pool (10.20.20.11 with default gateway of 10.20.20.1).But i can't reach (ping/telent) to the ASA while I am on the anyconnect VPN connection.
 
I beleive it is mostly due to NAT/Routing issue..

View 10 Replies View Related

Cisco Firewall :: ASA 5505 - Can't Reach FTP Site While Inside Firewall?

Feb 26, 2011

I am trying to configure our ASA 5505 so that our users can access our ftp site using [URL] while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://99.23.119.78 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.
 
Here is our current confguration:
 
Result of the command: "show running-config"
: Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif ATTsecurity-level 0pppoe client vpdn group ATTip address pppoe setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveobject-group service DM_INLINE_TCP_1 tcpport-object eq ftpport-object eq ftp-dataport-object eq wwwaccess-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1 access-list ATT_access_in extended permit tcp any interface ATT eq ftp access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data access-list ATT_access_in extended permit tcp any interface ATT eq www access-list 100 extended permit tcp any interface ATT eq ftp

[code]....

View 6 Replies View Related

Cisco Firewall :: 5520 Cannot Able To Reach Internet Access

Mar 6, 2012

I have been configuring a cisco ASA 5520, everything is working fine but when i create an ACL:
 
-access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any
-access-group OUT out interface outside
 
i added ports like www or 443 and it is not working to Internet access a router is before to my firewall connected to my headquater, i can see my private networks but i cannot able to reach Internet access,

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Reach Local LAN And Internet From VPN Clients

Apr 11, 2011

I'm having trouble setting up local LAN (reach inside network when VPN connected) and Internet access (reach internet when VPN connected) for my VPN CLients when they are connected to my VPN, They can connect, no problem there, but I can't reach any resources when connected. My pings time out, both to my inside network and to public ip adresses, the only thing I'm able to ping is my ASA (172.16.30.1), and I don't se any routes under "Status/Statistics/Route Details" in my cisco VPN Client (when connected).
 
Here's my config
 
ASA Version 8.0(3) !hostname KardesASAdomain-name default.domain.invalidenable password XXXX encryptednames!interface Vlan1 nameif inside security-level 100 ip address 172.16.30.1 255.255.255.0 !interface Vlan10

[Code]....

View 14 Replies View Related

Cisco Routers :: VLAN To VLAN Firewall Rules Support Missing On RV180?

Jan 12, 2013

How do I submit an RFE (Request For Enhancement) to the Cisco SBR team to encourage them to  implement the missing support for VLAN to VLAN firewall rules that was available in the RVS4000 (See [URL]) and that was supposedly added to a beta release of the RV220W firmware (See  [URL])?

View 1 Replies View Related

Cisco Firewall :: 6509 / FWSM VLAN Configuration Mismatch And Some VLAN Deleted

Aug 12, 2012

We  have 6509 VSS with FWSM Module and we have created two context on it, one is INTERNALL CONTEXT othe is EXTERNALL Context? We have spanned various VLANS in switches and FWSM context level.  All VLAN Gateways are configured in context level.
 
Activity description : We had planned migration of these devices into a new Datacenter, it was a planned activity. During  migration of devices from one Dc to a new DC  we broke the VSS and kept the primary running and removed the secondary switch and migrated this secondary to new DC  and powered this device ON in the new DC and checked all the config was very much fine but this device was OFF network as secondary was brought to new DC just to limit the downtime during the primary switch movement.
 
During the activity ( Primary switch movement )We powered off the Primary switch  and mean time before shifting into new Data center  We had brought up secondary switch which was already existing in the DC was put live in the network and it was working fine without any issues.
 
Later  we had moved  Primary into new data center and tried to put into VSS with the secondary , during this period the secondary device into went into RECOVERY MODE  and  primary device was not responding and devices  went off network and immediatly we  removed the VSL link and brought up  primary into production network without secondary online in the network ( Without VSS just stand alone switch ) network started working, but bringing up the primary we found that some of the VLANS in the FWSM was deleted and some VLAN had misconfiguration ( example : say original  VLAN  ip 10.200.112.1 has become  10.300.13.1 ) also some of the access list as well as SVI was deleted making configuration mismatch.
 
Wanted to know while syncronization b/n primary and secondary switch in VSS if we pull out VSL link would create this type of issues.

View 1 Replies View Related

Cisco VPN :: ASA 5510 - New VLan Not Accessible?

Apr 7, 2011

Cisco ASA 5510 with static routes.  I created a new internal vlan and added the correct route to the ASA.  Internally the vlan is fully accessible but when I connect to the VPN I cannot communicate with systems on it.
 
The dynamic access policy and associated ACL are fine. A system associated with this policy but not on the new vlan is accessible thru this policy.

View 4 Replies View Related

Cisco Wireless :: Setup VLAN On ASA 5510?

Apr 18, 2013

I am looking to set-up an isolated WLAN for the users in my organization and how to proceed What I have is the following
 
Cisco 5508 Wireless LAN controller
Cisco Catalyst 3750 24 port (not sure what exact model)
Cisco AIR-AP1131AG-A-K9 POE Access Point
Cisco ASA 5510
 
Currently what I would like to do is to setup a VLAN on the Cisco ASA 5510, connect the Catalyst to the VLAN and connect the 5508 Wireless LAN to the Catalyst via Fibre. From there on in - I would connect each AP to the Catalyst? The proposed scenario is that the VLAN would be in a DMZ and have direct access to the Internet without any filtering and users would connect their devices to the AP and get a DHCP address and be able to surf with freedom?The problem is - I am unsure as of where to start. I have been certified Cisco in 2001, however I havent started to use my skills until now.The Vlan would be the following: 192.168.20.X

View 4 Replies View Related

Cisco Switching/Routing :: 3560 - SW VLAN Reachability ASA 5510

Jan 16, 2013

Topology: 3560 <-access-mode-link-> ASA5510 - Internet,3560 has 3 VLANs and 3 corresponding SVIs (default-gateways for VLANs),Just configured RAS VPN on ASA5510 and successfully made connection,Now, from RAS VPN (IPSEC) client workstation CLI, can ping all 3560 SVIs,CANNOT PING host devices plugged into switchports.

View 1 Replies View Related

Cisco Switching/Routing :: ASA 5510 VLAN Route Between Sub Int And Physical Port

Nov 13, 2012

Firewall: ASA 5510
Switch: Linksys SRW2048
Physical topology: PC - > VLAN99 - > SRW2048 - trunk - > ASA5510
Switch Setup:

I've been tasked with breaking up a network that has run out of IP's, and have decided to use VLANs to accomplish this. I have to use an ASA5510 to accomplish all the routing between hosts in different VLANs.Port 48 is trunked to the ASA eth0/0 interface, with VLAN 99 and VLAN 20 tagging packets, VLAN 1 Untagged. Hosts hooked up to appropriate ports on Switch.

View 2 Replies View Related

Cisco Switching/Routing :: Using ASA-5510 To Route VLAN WLAN Connection

May 28, 2012

I am a complete newbie to Cisco equipment. So far I've been able to figure out how to do most of what I needed by using the ASDM but I have run into something that is a little more complicated that just opening a port. We currently have a connection to our remote site. This site has a T1 internet connection. Our connection is a site to site VPN with an ASA-5510 on this end and a ASA-5505 on the other.
 
We are upgrading this connection to a 75mbit hybrid microwave/fiber link. The provider is going to hand it off to us as an untagged VLAN. We made the decision to route all of the remote site's internet access through this location as to avoid having to split off part of the bandwidth of this link to dedicate to internet access.........

View 23 Replies View Related

Cisco Switching/Routing :: 2960S / 2911 / ASA 5510 - VLAN Can't Get To Internet

Sep 24, 2012

Have multiple Catalyst 2960S switches, Cisco 2911 router and ASA 5510 firewall.
 
On the router have subinterfaces created for the VLAN's Int FA0.0/41 for wirless VLAN setup with IP 10.10.41.100 Int FA0.0/60 for new Voice VLAN setup with IP 10.10.60.100 Internal network is 10.10.10.0/24 and LAN IP of router is 10.10.10.100 Have default route setup to push traffic from the router to the firewall ip route 0.0.0.0 0.0.0.0 10.10.10.251
 
On the firewall have added the new VLAN 10 (10.10.60.0) to the network object-group Have configured route inside command route 10.10.60.0 255.255.255.0 10.10.10.100 1 Have also added the NAT command nat (inside) 1 10.10.60.0 255.255.255.0
 
On the 2960 I have my laptop connected to port 45 and I have it configured as follows switchport mode access switchport access vlan 10
 
I assign my computer a static IP address of 10.10.60.84/255.255.255.0/10.10.60.100 with 10.10.10.11 as DNS server.  When I do this, I can ping anything on the 10.10.60.0 network, I can ping anythign on the LAN 10.10.10.0 network.  I am able to connect MSN messenger, I am able to do NSLOOKUP and get outside IP addresses to resolve. I am unable to browse the Internet though.  I am not sure where the problem is at though.  It doesn't make sense to me, as it is setup the same way as VLAN 41 which is the wireless network, and when users connect to that, they get out to the Internet with no issues. 

View 15 Replies View Related

Cisco Firewall :: Add New Vlan In Existing Firewall Group In 6500?

Jan 19, 2013

I want to add new vlan in existing firewall group in 6500. I am confused if it will add new vlan or overwrite.. I am using ASASM module with 6500.

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Creating Interface Vlan In Firewall

May 3, 2011

I have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall

Feb 26, 2013

I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
 
HQ-ASA-01# show  running-config
: Saved
:

[Code]......

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved