Cisco Firewall :: ASA 5520 - How To Implement NAT On Multiple Internal VLANs (DMZ)

Apr 4, 2011

I've got a cisco asa 5520 and setting up the NAT for multiple DMZs on it. 

 I want to use PAT on the outside interface.
 
internally ive created subinterfaces for the VLANs and connected to a trunk port on a switch.
 
configure NAT for this scenario. I've got only 1 external public IP address.

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: Multiple WAN IPs Routed To Separate Internal VLANs On ASA 5505

May 25, 2011

I have an ASA 5505 with the security plus software and I'm trying to find out how to assign 2 public IPs to the outside interface and have each IP routed to a separate internal VLAN. For example, IP 1 = X.X.X.1 routed to 192.168.1.0 and IP 2 X.X.X.2 routed to 192.168.2.0. I was told this was possible and I've been trying to find configuration examples, but I can't seem to get anywhere and now I'm getting desperate because I'm scheduled to install it this weekend.

View 1 Replies View Related

Cisco Switches :: SGE2010 / How To Implement Multiple VLANs

Jun 21, 2011

I have SGE2010 switches and I want to implement Multiple VLANs. Im a newbie and starting to study VLANS's.
 
I want to implement 5 VLAN's on my test lab network and here as follows:
 
192.168.1.x default
 192.168.2.x
 192.168.3.x
 192.168.20.x
 192.168.100.x
 
The .1 is exclusively for my test-lab servers.
 
The .2 is general test-lab Win-XP workstations.
 
The .3 is general test-lab Win7 worstations
 
The .20 is general test-lab production worstations
 
The .100 is for test-lab IP PHONES.

View 4 Replies View Related

Cisco VPN :: 5520 Multiple VLANs A Home Office To Different Locations / Same Subnet

Apr 1, 2013

I have a home office with multiple VLANS/subnets  I have many VPNs that connect only a specific subnet to a specific remote offfice.  On a 5520, can I create a S2S VPN to different remote offices that have the same IP scheme, but from different home office subnets?   For example at my home office let's say I have two independant, distinct VLAN/subnets:  192.168.140.0/24 and 192.168.150.0/24.  Can I create an S2S from the 140 subnet to a remote office with a 10.10.10.0 addressing scheme and another S2S from the 150 subnet to a totally different office also with a 10.10.10.0 scheme? 

View 1 Replies View Related

Cisco Firewall :: ASA 5510 / Multiple VLANs Behind Single Firewall Segment?

Feb 5, 2012

I need to create a firewalled segment that not only separates hosts from general population, but also from each other.  The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible.  1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
 
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9 

This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).

View 1 Replies View Related

Cisco Firewall :: Make Communication Between 2 Vlans On Firewall 5520 ASA 8.2

Jan 1, 2012

communication between 2 vlans.i have 2 vlans
 
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add    2.2.2.2 
 
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - SSH From Internal To DMZ Host

May 13, 2012

I am not very familiar with ASA 5520 yet.I have been able to allow the OUTSIDE world to connect via SSH to the intermal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
 
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]

View 2 Replies View Related

Cisco Firewall :: HP Procurve 5412zl Switch / Multiple VLANs And Gateways?

Feb 9, 2013

We have a HP Procurve 5412zl switch as our default  gateway for all our VLANs from there the traffic will be going to a  Cisco ASA 5515 and then to a Cisco 3800 Router then to our ISP.
 
We have yet to purchase the ASA but my question is  about my future configuration.  I will have the router of last resort on  the 5412zl setup to point to the ASA inside interface, how does that  work with multiple VLANs?  For instance the ASA inside interface would  be 10.0.0.1 but traffic could come from another VLAN via the switch with  a 192.168.1.x address.  Would the ASA just pass it on to the router?   Or would it conside this spoofing and drop the packet?
 
Lastely, if we have WCCP set for the ASA's inside  interface, how would it handle the redirect for multiple VLANs ip addresses? Would I  use GRE for the redirect to my web filter?

View 4 Replies View Related

Cisco Firewall :: 5520 Can't Access Internal Web Server From Outside Network

Aug 23, 2011

I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.

View 9 Replies View Related

Cisco Firewall :: 5520 - ASA For Internet Edge And Internal Zones

Nov 8, 2011

Used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
 
I'm thinking of using a routed context for securing the internet edge and then using seperate contexts for the web and application networks. Contexts will route via a L3 switch.

View 3 Replies View Related

Cisco Firewall :: ASA5505 Configure Port Forwarding To Multiple Internal IP Addresses

Jun 21, 2012

ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of 168.87.3.4.I need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address (192.168.1.2) Everything I read tells me how to do this in a 1 to 1 static NAT.

View 1 Replies View Related

Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - 106001 Syslog Events For Internal Hosts?

Jul 26, 2011

I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'
 
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?

- What might be causing this?

- How can I turn it off!! (I guess that'd be fixed by point 2)

View 4 Replies View Related

Cisco Switches :: SG300 - Implement ACL To Permit Or Deny Access Between Vlans And Hosts

Mar 25, 2012

I have a SG300 Switche working in layer 3 mode.I configured 3 VLANs on the switch, assigned all ports, given IP addresses to VLANs interfaces, etc.Now I want to implement ACL to permit or deny access between vlans and hosts.Can I apply an ACL to a  whole VLAN (in or out) like Catalyst models?I mean apply the ACL to the entire vlan or the only way in this model is to implement that ACL port by port?Every time I have a new port configure to work in a Vlan I have to implement the ACL?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - Allowing Guest Wireless Network Access To Internal Subnets

Jan 23, 2012

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520.  There are no routes for it to be allowed access to the internal subnets.  So it can only access the internet.  This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource.  Is that as clear as mud?
 
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require.  And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.

View 8 Replies View Related

Cisco WAN :: ASA 5520 - Implement With A New ISP

Jul 31, 2011

We are attempting to implement an ASA 5520 with a new ISP.  Based on the limited routing needs, I believe we can use it as the router as well. I am familiar enough with routers, but the ASA is obviously a different thing.
 
The setup looks like:
 
ASA Version 8.2(1) !
host name Cisco
 interface GigabitEthernet0/0description Internet name if Outsidesecurity-level 0ip address 69.XX.46.1 255.255.255.252 !interface GigabitEthernet0/1
description DMZnameif DMZsecurity-level 0ip address 69.XX.56.1 255.255.255.240
!interface GigabitEthernet0/2description Localnameif Insidesecurity-level 15ip address 10.0.XX.XXX 255.255.252.0
[Code] .....

1) Outside 0/0 connects to MRV from service provider (Public)
2) DMZ 0/1  connects to outside switch with servers (Public)
3) Inside 0/2 is LAN (Private)
 
A) Based on a completely default config and aside from setting the routes to send traffic from inside to outside, and outside to DMZ, what is the next step?
 
B) What should the interface security levels be, I am unsure what they should be or why...?
 
Based on the initial config with interfaces set as above, I cannot move traffic through.

View 5 Replies View Related

Cisco VPN :: ASA-5520 / How To Implement DAP

Oct 21, 2011

Today we have a simple ASA-5520 SVC setup with just one connection profile and one group policy. Authentication (2 factor – AD + SMS) is performed by RADIUS. We would now like allow access to this VPN service only if you reside in a particular group in the MS AD. From what I understand this can be accomplished through DAP. Either by matching the LDAP attribute “memberOf” or RADIUS id 146. I’m I right? Can I still perform authentication using RADIUS and then DAP using LDAP or must I use DAP using RADIUS?

View 3 Replies View Related

Cisco Wireless :: C1131AG - Multiple SSID With Multiple VLANs Configuration On Aironet AP

Oct 21, 2012

how i can configure a second ssid for guest access in our environment. this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
 
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
 
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time. My AP config is attached below.
 
Do i need to redesign the whole network to have a native vlan other nthan the data vlan? Does the access point need to be aware of the voice vlan? Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?

View 1 Replies View Related

Cisco Wireless :: Configure Multiple SSID With Multiple VLANs And DHCP Pool WAP4410N

Sep 18, 2012

My question is if I can configure 3 ssid, for 3 different VLAN and add the DHCP address from a WAP4410N AP, when you upgrade to the latest version of IOS I can have this functionality?

View 2 Replies View Related

Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have ASA 5520 with Ver 8.2.Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.I did Static NAT 198.24.210.226 to 192.168.1.20  and 198.24.210.227 to 192.168.1.91.When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.I checked the inside traffic, it even did not get into the firewall.Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(198.24.210.226)?

interface GigabitEthernet0/1nameif insideip address 192.168.1.1 255.255.255.0security-level 100no shutdown
interface GigabitEthernet0/0nameif outsideip address 198.24.210.226

[Code].....

View 9 Replies View Related

Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have ASA 5520 with Version 8.2(5), the ISP give me a block of IP pubic (201.148.156.193/28), one IP valid (201.148.156.194) have the Global NAT (all users LAN) and server FTP, but i need that IP 201.148.156.195 is used for VCSe, and the IP 201.148.156.196 is used for other server FTP.

View 5 Replies View Related

Cisco Switching/Routing :: 6509 - Configure Multiple Dhcp Pools On Switch For Multiple VLANs

Mar 9, 2010

Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.

View 5 Replies View Related

Cisco Switches :: How To Implement Multiple VLAN On SGE2010P

Mar 7, 2012

I am new to VLANs and Cisco SMB switches. I have a new SGE 2010P switch and i am trying to configure different VLANs, one for data, one for Voice and the other for server.
 
Is there any tutorial on how to configure VLAN, by the way i tried to used the web interface and admin guide, it totally confused my understanding of Vlans.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Connection To Multiple Switch Stacks

Nov 11, 2012

Currently in our environment we have have two buildings with an ASA 5520 in each and a core stack of 3750's in each building. I am currently working on a network segmentation project and am thinking of adding another stack of 3750's in each building to add more redundancy to our network. This will allow our access layer switches to have a trunk to each stack and prevent an outage if one of the links or stacks were to go down.
 
My question is how I would set this up on the ASA end of things while using a common subnet and HSRP on the 3750's. I understand how to use HSRP and STP on the switches to achieve this on the 3750 end of things. I saw you can do etherchannel on the ASA with 8.4 but how does that work in a failover situation?

View 2 Replies View Related

Cisco Firewall :: 5520 - Multiple Global IP Address Range On ASA Outside I/f

Mar 17, 2011

Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
 
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
 
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
 
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
 
Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?
 
Will VLANs work at all with IPSEC on the "oustide" i/f at all ?

View 2 Replies View Related

Cisco Firewall :: Multiple Context Active / Standby (ASA 5520)

Mar 8, 2013

I need to configure multiple context mode with active/standby failover solution.
 
Even after reading some Cisco documents I still can't understand if active/standby failover configuration has to be done within the admin context only or also within every single context (context-1, context-2 for example). In this case I have to allocate as failover interface a subinterface for each context (admin, context-1, context-2), right ?
 
Therefore a I have an other question: within the admin context, in a failover solution, do I have to allocate all interfaces I want to be moniotred, even though some will be used by context-1 only context and some others will be used by context-2 only context ?
 
An other question is: if active/standby failover configuration has to be done within each context, can I set regular failover within context-1 while stateful failover within context-2 ?
 
The last question is: can I use management interface within all 3 contexts ?

View 8 Replies View Related

Cisco WAN :: ASA 5520 / Implement Failover For Branch Office Connectivity?

Aug 1, 2012

We have AT&T Managed MPLS service are our datacenter and our branch office locations.  AT&T has provided the routers and simply give us an ethernet connection.  We also have ethernet connectivity to the internet through our datacenter...with our network being protected by an ASA 5520.Each branch location has a 29xx series router (voice gateway) and switching gear attached to their AT&T MPLS router.  Some of our branches also have 3rd party cable internet service with an ASA 5505 to protect it from the internet. What I'd like to do is better utilize this cable modem/ASA5505 setup.  Right now, if there were an outage, I would be connecting manually to the remote location to change static routes to point to the cable link and to configure a VPN tunnel between the remote and our DC.

View 2 Replies View Related

Cisco Switching/Routing :: Route Internal VLANs On 3750X?

Apr 28, 2012

How can i route internal VLANs on a 3750X , my current network its small ( about 8 -10 subnets) so i dont wnat to add overhead using maybe dynamic protocol , My scenario is my stack of 3750X ( 2 switches)  will be my CORE SW, i will have 2 stack more (2960S - 4 switches ) and it will connect to the 3750X with a trunk port etherchannel each link connected to a different switch, ( i was planning to use a L3 routing in the 3750X but not sure how it will works )
 
My core SW 3750X it will be connect with a firewall for aVPN , by a Layer 3 interface (using a static or dynamic protocol)

View 2 Replies View Related

Cisco Firewall :: To Deploy ASA5585 In Between User Vlans And Server Vlans

Jun 1, 2012

WE have to deploy ASA5585 in between User vlans & server vlans. we have to find all the ports that needs to be opened on firewall. any tools to do same.

View 2 Replies View Related

Cisco :: DHCP Server With Multiple VLANs?

Jan 26, 2013

How to configure DHCP server if i have 2 vlans. I know how to configure rest of the network, just i don't know server.I use packet tracer and i attached file with my network. PC1 is on VLAN1 and PC2 is on VLAN2.I want ip addresses in vlan1 to be from 192.168.1.2 and in vlan2 from 192.168.2.2. I would like to do it just like in the designed network, without router.

View 5 Replies View Related

Cisco :: Multiple VLANs Inside The Same Subnet?

Apr 4, 2013

The network topology is like this. Router with DHCP_Server on it.

VLAN 10
VLAN 20
VLAN 30

My question is how to configure the router so that all devices on all 3 VLANS can obtain IP from the router. I've tried to enable proxy arp on all interfaces and create sub interfaces and trunk them to their appropriate vlans, but I can't specify the gateway on all trunked sub interfaces because I get a warning that addresses overlap. Then I tried to set access-group on all sub-interfaces and still doesn't work.

View 5 Replies View Related

Cisco Switches :: Multiple VLANs Between 2 SG300-10

Aug 26, 2012

I have 2 SG300-10 switches, and I need two VLANs, one for internal network and one for WiFi APs.I need ports 1->4 on both switches to be part of 1st VLAN  and ports 5->8 on 2nd VLAN; and port 10 uplink to 2nd switch.How I set up the VLANs and interface VLAN mode?
 
[code]...

View 1 Replies View Related

Cisco VPN :: VPN Setup On ASA5505 With Multiple VLANs?

Jun 17, 2012

I'm trying to setup a VPN connection for the two PC's in the graphic below. I have the link between the two locations setup and secured, now I just working with the routing elements.what I need to add to the firewall config in order to get this to work? Here is what I have:
 
SITE A------access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2 access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0crypto map mpls_vpn 1 match address mpls_vpn_siteacrypto map mpls_vpn 1 set peer 172.168.199.2 crypto map mpls_vpn 1 set transform-set ESP-3DES-SHAcrypto map mpls_vpn interface MPLScrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
SITE B------access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1 access-list mpls_vpn_siteb extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0crypto map mpls_vpn 1 match address mpls_vpn_sitebcrypto map mpls_vpn 1 set peer 172.168.199.1 crypto map mpls_vpn 1 set transform-set ESP-3DES-SHAcrypto map mpls_vpn interface MPLScrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

do I need to specify a route between the two networks? What do I need to have for NAT statements?

View 10 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved