Cisco Firewall :: ASA 8.3 Configuration Of Double NAT (SRC And DST)
May 18, 2011
I am setting up a new ASA running 8.3 and I am having problems with configuring double NATs.
Here is the thing I am trying to solve:
Original Packet
SRC: 1.1.1.1
DST: 1.1.1.10
After it hits the firewall and it comes out on the outside interface I want this:
SRC: 2.2.2.1
DST: 2.2.2.10
Now when I set this up the way I did in 8.0(4) it just ain't working.
All the NAT examples I can find are simple NATs, I have not been able to find an example of a SRC and DST NAT.
View 3 Replies
ADVERTISEMENT
Sep 5, 2011
I have two RFC1918 domains I wish to connect, can I use double NAT with PAT so that each domain is represented as one single ip address with each session a port of that address-
The link is a private point to point link with a /32 mask so could I use this as the PAT address ?
View 3 Replies
View Related
Nov 21, 2011
I have a problem with my home network/internet - I have a working wireless network that I have used for some time now and it works just fine. the problem is that internet restrictions where I live require me to register each unit to the building network before I can gain access to the internet. My caretaker told me today that normally, I only should register my primary computer and the wireless router to be able to use the internet freely. However when a new laptop appears( I have a guest), I can easily connect it to my own wireless, but it can't use the internet, as if it needed to be registered again. I ran out of registration codes and I really would like to have freedom i connection opportunities. The caretaker said that the system gives every registered unit a "fake" IP, so after giving it to mu router, all other units connected through that router should have unlimited access. Is my network configured in a wrong way? I don't know how to ask this in a more simple way... I just want to be able to connect a friends laptop to the net with just my local password, which isn't happening.
View 3 Replies
View Related
Oct 27, 2011
I have inherited a Cisco VPN 3005 and need to configure an interesting scenario:
2 LAN-2-LAN tunnels: 1 required an outside IP and has an existing static NAT of 192.168.1.1 -> 12.2.1.1 for 0.0.0.0 as the destination.I now have a need to created a new NAT for 192.168.1.1 to translate to 10.99.1.1 for destination of 13.3.1.1, 14.3.1.1 and 15.3.1.1.
Is it possible to have the above scenario, or even NAT 12.2.1.1 from the first NAT back to 10.99.1.1??
View 1 Replies
View Related
Jun 23, 2011
Facing a problem of double multicast on one of our cisco 3750 switch. On checking with sniffer it was found that out of double packet’s one packet is having source mac-address of vlan and another packet is having a source mac-address of switch base mac-address.
View 3 Replies
View Related
Feb 12, 2011
i bought me a router so that me and a few other friends could play to star craft 2, but i would like to know that if i could play an LAN with NO internet on it?
View 2 Replies
View Related
Feb 3, 2013
I want to know how to have a double SSID but it's forbidden to have a wireless interruption with the wep which is on my cisco aironet 1242AG. I need to have wpa2 in addition of the wep.
View 2 Replies
View Related
Jan 31, 2011
I have 2 LANs in my own PC & 2 Routers (TP-Link WR941N each) with 2 internet accounts (512Kbps each) connected to the same ISP signal & company using NanoStation 5 from ubnt.As u know the connections work separately by default!! (I use Windows 7 64bit)Can I merge them to get double speed (download/upload simultaneously) using reg edit or special software or method?
View 2 Replies
View Related
Jan 4, 2012
We just upgraded our Sg300 series switches to the new IOS so we can get CLI access. The upgrade went fine but it seems we have two login prompts, the first being completely unnecessary as you can just hit return to get by it. IE here is the progression:
1. Connect SSH
2. Receive a "login:" prompt. Anything can be entered here, including just return
3. Login banner is displayed
4. Username Prompt is then displayed. Valid username required
5. Password Prompt displayed - Valid password required
6. Now at CLI 1. Connect SSH
I am trying to get rid of that first login prompt (IE Step 2) as it is causing issues with our configuration software. I have tried every line and authentication command I can think of, the only thing that gets rid of it is using none authentication which obviously we can't stay with. how did you get around it?
View 2 Replies
View Related
Jan 12, 2011
is it to increaze the broadbandwith by using a double usb-modem dial-up ...i know tha we can use double connection, but not in real time...
View 8 Replies
View Related
Jan 31, 2011
I have 2 LANs in my own PC & 2 Routers (TP-Link WR941N each) with 2 internet accounts (512Kbps each) connected to the same ISP signal & company using NanoStation 5 from ubnt. As u know the connections work separately by default!! (I use Windows 7 64bit) Can I merge them to get double speed (download/upload simultaneously) using reg edit or special software or method?
View 3 Replies
View Related
Apr 26, 2013
This is my Cisco LAB environment used for study but also in production for daily use. I am trying to setup a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working but only as simple PAT and I cannot initiate FTP from the outside. removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and need parts of the config.
View 14 Replies
View Related
Sep 30, 2011
I'm currently switching from a certain internet provider to another and I'm forced to get another router. What I wanted to do is since the initial router has to be on the first floor, I'd like to have the second one on the top floor closer to my computer whereas they would share a dedicated connection between each other wirelessly so it would make my connection faster rather than just having my pc connect directly wirelessly to the initial router on the first floor. Is that possible?
View 4 Replies
View Related
Jul 11, 2012
I only have access to rather slow connections (256 Kbps). But since I have two lines and two modems, I was wondering if I could bond them together and make a faster one. My main modem is a Lynksys WAG120N Wireless-N ADSL2+ Modem Router, which as you can see is also in charge of both wired and wireless networks at my place. The second one is an older D-Link ADSL modem (JUST modem).Since I have an extra LAN port on my Lynksys modem, I want to know if and how I can connect the second modem, and combine the two rates.
View 2 Replies
View Related
Aug 30, 2011
I'm new to networking (at least at this level) and need some guidance. First, I have an Actiontec MI424WR (Rev. F) Coax Verizon Fios modem that I use as my home networking wireless router. From a LAN port on that I've connected a cable to the WAN port on my DIR-655 which acts as my gigabit office hard wire/wireless router. I need to keep the home network and the office network separate.All of my computers are Windows, either 7, Vista or XP.Connected to my Dir-655 on the office network are 2 wireless computers, a printer, an IOMEGA 1TB Home Personal Cloud NAS HDD, plus 2 desktop computers.The DIR-655 is set with a static IP address matching the range of the Actiontec. The DIR-655 is set for DHCP for the devices on the network (although 2 of the computers have static IP address).
When the DIR-655 had a Dynamic IP address set by the Actiontec, the IOMEGA NAS HDD kept losing connection with all the devices on the network. Only after I set the DIR-655 to static IP did that stop and everybody started to play nice. I'm not sure why that would make a difference, but it did.But regardless of whether it is set to dynamic or static, no computer on the network or program, even third party programs, can connect to ANY of the time servers out there... and I mean any of them. I've tried at least 20 or more of the standard and not so standard ones. The DIR-655's time is off, and it is set to get time automatically. None of my computers, or my IOMEGA NAS, can access time. The Actiontec, though, seems to be set correctly.Everything connects to the internet just fine. Web, email, auto product upgrades. Fine. So far it's just the time server thing which troubles.I done everything I know how to do to enable Port Forwarding through both routers for NTP > UDP 123 since that is the standard port for the Network Time Protocol, but I could have easily screwed that up.
View 5 Replies
View Related
Nov 1, 2011
On our 6504 - 12.2(33)SXH, we currently have a single connection to our ISP (GI1/1) and want to add another connection (GI1/2) Is there a way to bond the two connections to form a single connection (a single pipe) to double the throughput?
View 3 Replies
View Related
Jan 9, 2013
I would just like to double-check a point with the forum on licensing on 4710 Appliance.If with version 4.2 and above 2Gbps Bandwidth licence is required, the output of the sho license status should be?
View 1 Replies
View Related
Sep 21, 2011
I've a network with 28 computers and 2 servers. Each server have a double Gbit port configured in Load Balancing & Fail Over.Now, I want to buy two Cisco's Switch SG 200-26 and I would know the best way to connect them and if it's possible to interconnect them with more than one cable to share the trafic.
1. Is this following solution a good one (does the link between swhitches will work when computers will access to servers) ?
2. Is this next solution possible ?
View 3 Replies
View Related
Oct 12, 2011
I have an HP C5280 printer running wirelessly via a TP Link wireless print server and D Link Di 624 wireless router. I can print successfully from either my desktop (which is connected direct to the D Link router) or either of my laptops (wireless). However, when I select the double-sided print option I get a print error message after re-inserting the odd number pages to print the other side of the paper and then click 'continue'.Could I resolve this by connecting the printer both direct to the desktop using USB AND leaving it connected via the wireless TP Link print server? This would enable me to print double-sided from my desktop (as I did before when the printer was only connected via the USB desktop port).
View 1 Replies
View Related
Nov 19, 2011
I'm suffering from an annoying problem with my E4200 router. I have a DSL connection. I have my DSL modem in bridge mode and I have my router set up to sign into my ISP's PPPoE to avoid double-routing. This set up worked marvelously with my previous WRT54G and WRT610N routers.Now the E4200 signs me out of PPPoE every ten minutes or so. I have the connection setting on "Keep Alive" but it seems to be dropping the connection regularly. I took the router back and was given a replacement. The new router is doing the same exact thing and now I am beyond the 30 day return limit so I'm stuck with the E4200. I'm running the latest firmware 1.0.03
I reinstalled the WRT610N and the connection is steady but the WRT610N has its own problems (devices connected via wireless cannot see wired devices and vice-versa). I'd like my new router to actually work properly. I've ruled out errors on my end and given that two brand new units of the E4200 generated the same problem I tend to believe it is a design error.
View 9 Replies
View Related
May 16, 2011
I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's an quick drawing:
Here are the configurations:
Local router:
hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
[code]....
View 11 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Apr 7, 2013
We have an ASA with 8.4(5) version. we had detected that few ip's were getting shunned ,to overcome the problem no shun was used and the traffic normalised.But, the same problem re-occured a few days after that with logs showing traffic being shunned.
is there any fixed way to get rid of this. what commands can i use to verify related configuration on the firewall.
View 3 Replies
View Related
Mar 31, 2013
I have one firewall need to be configured in transparent mode. I have inside and outside router. What is the configuration of transparent firewall ASA8.2. I didn't find the configuration on Cisco site.
View 17 Replies
View Related
Nov 25, 2012
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
[Code]....
View 1 Replies
View Related
Sep 11, 2007
I want to configure an ASA 5505 in transparent mode (7.x). Somehow, I got it to work.. but i need some kind of step by step description. I just want to connect it with outside on a route .. inside in my LAN. Its working now with one ASA. But in the Web Interface the Interfaces inside and outside are down.. but its working.
View 5 Replies
View Related
May 5, 2012
Setup new Cisco 861 and working well for a new BTNet line for the customer. Changed the firewall using CCP from Zone to Classic Firewall. Worked great all day and configured what I needed to do.Now, with CCP (version 2.6) have the following message.Cisco CP has detected that the router is configured with either legacy and Zone Policy Firewall (ZPF) or Legacy firewall. If you want to use Cisco CP to configure an zone-based firewall, you must first delete the Legacy configuration.
View 4 Replies
View Related
Mar 28, 2011
I would like to replace my firewall by using ACL on my Cisco 881 for testing. Could it be possible?
Configuration:
access-list n° permit ip host distant_site_public_IP host my_public_IP
access-list n° permit tcp any host my_public_IP eq port
This configuration works fine for SSH in exemple.
I can't allow "web pages" flow!!!
When i put: access-list n° permit tcp any host my_public_IP eq www
It does'nt work.
With Wireshark, I've seen that random ports are used to set the "http connexion". How could I resolve it keeping the best security configuration? I place my ACL on WAN port, Maybe I have to place it on LAN or create others ACL list to complete the configuration?
View 2 Replies
View Related
Jan 21, 2013
I recently installed an ASA firewall for one of our customer. I am trying to map the web server’s private address to the public address:
The private address is 192.168.207.15
The public address is 71.x.x.51
Here is the NAT configuration. For some reason this configuration is not working. I am not sure what is wrong with this configuration.
object network inside-out
nat (any,outside) static interface
object network new-www
nat (inside,outside) static 71.x.x.51
access-group inside_access_in in interface inside
access-group global_access global
NOTE: Inside network users can access Internet just fine. But I just cannot get natting to work.
View 14 Replies
View Related
Sep 26, 2012
I'm having trouble configuring an ASA into a network solution. We have a 501 with the outside interface on 10.24.10.1, the inside interface as 172.18.10.1, and a DMZ on 192.168.1.1. in the DMZ there is a HTTP/FTP/TFTP server connected to 192.168.1.2 on a virtual machine. When on a machine configured to 172.18.10.10 I can ping to the outside interface but not the DMZ. When I am in the DMZ the PIX does block traffic to the inside, but I can't reach the outside interface. When on the outside I am blocked from the inside, but also blocked from the DMZ.
Group10(config)# sh run
: Saved
:
PIX Version 8.0(4)
[Code]......
View 22 Replies
View Related
Dec 26, 2011
I have a Cisco ASA 5510 connected to 2 private lans (1 for my HQ pc's{inside} and 1 for the worldwide mpls{outside}) It is also connected to the public internet at interface "public" and my dmz at "dmz" interface. I suspect I have a routing issue because packet-trace yields allow, the nat looks ok and the objects look ok at least to me but I'm the one with the non working config so...Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (this is ok right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the dmz via the pat which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in [URL] and this is directed to the public interface ip which forwards to the webserver object on the dmz. (I cannot get this working any which way)
3. I need the dmz to be able to communicate with another server on the mpls via the "outside" interface when it recieves the request from the public it then checks with this other server on the outside via nat(translating the dmz range into the ip of the outside interface on the firewall)I have a default route that points to the mpls or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 - (and although I'm not sure I suspect this could be conflicting with traffic that needs to be sent to the "public" interface .... meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface - 184.x.x.194 but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic).However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all lan and mpls traffic to the mpls gateway) route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)I think this is accurate but then I would bypassing my corporate internet proxy which is behind the mpls gateway at 10.x.x.1? Is there a way to get http traffic originating from the lan (10.x.x.x) to use the mpls gateway and http traffic for the dmz to use the public internet gateway at 184.x.x.193. I don't want to start causing a flow problem for the internet nor do I want to bypass my corp internet proxy.Either way I cannot get this to work, eventhough the logic checks out, I cannot get even a ping response when I allow icmp any any for testing. Note: I can ping resources on each network from the firewall, not only it's own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
[code].....
View 16 Replies
View Related
Feb 12, 2013
I have old ASA with 8.0 configuration that includes huge number of ACL, NAT , VPNs , we got a new ASA with 8.6 , and we are planning to move the configuration to the new box , I'm wondering what is the best approach to do this , I'm thinking of one of the following scenarios1- downgrade the new ASA to 8.3 , the apply the config , remove the identity nat commands and names then upgrade to 8.6 and after that reconfigure the NAT rules and object groups .2- convert the old config manually to 8.6 code including NAT , object-group ,ACL and apply it to the new ASA ( this is going to be huge task). What are the commands that I have to look at when I convert to 8.6 and will the VPN configuration be affected ?
View 5 Replies
View Related
Nov 29, 2011
I want to configure Qos for 2 diffrent Vlan 2 , each vlan for 2 mbps bandwidth .(VLAN details VLAN 10 (10.10.x.x /24) and vlan 20(20.20.x.x/24) Is any difference regarding initials configuration B/w ASA 5520 and 5585
View 9 Replies
View Related
