how to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc). Using this as a guide [URL] I was able to get it to work using an ASA and a router (initial configuration below). I'm able to ping from host1 to 40.40.40.2 (host 2) and it works, as does pinging from host 2 to 50.50.50.2 (host 1). The issue I'm having now is that I've replaced that router with another ASA (second configuration below). Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well. I'm only seeing issues when using two ASAs. I've verified that ICMP and telnet are permited inbound on the ASAs as well. I even tried seperating the final host with another router (third configuration).
I'm trying to connect two operlapping networks via IPsec.
Details:Site_A use ASA 5510 with software version 8.0(4)32. Site_A use 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to ASA (as vlan10), 10.100.1.0/24 and 10.100.2.0/24 are routed.Site_B use Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA, we took over this infrastructure without any documentation whatsoever.
According to link posted above I should use dual NAT. Site_B will see networks in Site_A as 10.26.0.0/22, and Site_A will see networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from host in Site_B to host in Site_A using 10.26.1.222 as destination ip address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only network part of the address an leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:
I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if their are no duplication of IP addresses?
I am trying to connect two overlaping IP address sites ( see attached diagram). Site A LAN address will dynamic NAT to 10.1.1.0/24 at ASA5520.All the users from site A need to get services from site B ( DHCP, DNS, Mailbox,Print Servers, AD loggin etc). All the connections will be initiating from site A to B.
1-will all these services will run over NATed address.( dynamic) or I have to change to static NAT?
2- Any sample config for ASA 5520 for this type of network?
I have 10.10.10.10 in 2 VRFs (lite) on 2 different VLANs What i would like to achieve:- if i connect to 172.16.7.125 in the global VRF then translate it to VRF1 10.10.10.10 destination address.- if i connect to 172.16.3.162 in the global VRF then translate it to VRF2 10.10.10.10 destination address IMHO the solution is quite simple:ip nat outside source static 10.10.10.10 172.16.7.125 vrf VRF1 ip nat outside source static 10.10.10.10 176.16.3.162 vrf VRF2 However the router thinks something else:
IMHO this configuration should be valid. The global VRF has two IPs (172.16.7.125 and 172.16.3.162) while the 2 other VRFs work happily with the two identical 10.10.10.10 destinations as they should. The two translations should be easily distinguished as these are from two different VRFs.Either i am missing something or it is a problem in IOS.
Our IPS has given us a second range of IPs as we were running out. Unfortunately, they can only give us two non overlapping range. I am running two ASA 5520 in fail over to handle our traffic but I don't know the best way to use both external ranges. This is not a failover scenario -- and I need outward facing servers on both ranges. It is adventageous to us to keep the two external subnets separating two of our operations so we don't want to bring everything into one subnet (long story).I have one NIC designated outside that will need to cater for both wans. As there are two subnet there are two gateways. How do I keep the traffic on track?
In my LAN, I have always been used an Aironet 1250 for internal use and always work fine. Now, I added a 3com AP but both AP are not correct. When I turned off the AIRONET 1250, the 3COM AP settings works fine. When both are turn on, the 3COM AP loses connectivity all the time.I have heard about the overlapping channels in 802.11b/g networks.
I have an ASA5510, and site-to-site VPN with several remote clients. I have to add another client but their network range overlaps an existing tunnel. Both are using 172.16.0.0/16. I would like to 1-to-1 NAT them as 172.17.0.0/16.
Is it possible to perform the NAT on my device, post-decryption, or is it necessary that I have them perform the NAT at their end?
I wanted to move to the cisco arena, and having a bugger of a time figuring out simple nat/pat rules combined with access lists. I've been reading Richard Deal's Cisco ASA configuration book, googling the heck out of this simple problem and can't see what I'm missing.
I have an ASA 5505 unlimited security plus license running 8.2(3) and a simple network, 192.168.0.x internal, 192.168.3.x dmz (not even touching that yet!) and outside I have a /29 subnet of addresses, 25 is the gateway, and 26-30 are my addresses.
I have simple dynamic nat set up on the .26 address to nat to 192.168.0.x. All I'm trying to do is port forward a simple tcp port I set for my linux server (192.168.0.2) on the inside, for arguement's sake, it's 2222 (it's not really). My outside vlan 50 is X.X.X.226 255.255.255.248 , can I make a static nat (inside,outside) x.x.x.226 192.168.0.2 netmask 255.255.255.255 ?
I tried using (inside,outside) x.x.x.230 192.168.0.2 netmask 255.255.255.255 and that didn't work either. Is it not possible to use two external addresses to hit the entire /24 range AND a single server?
My access rule for this nat is permit tcp any 192.168.0.2 eq 2222 (where I'm using 2222 for my ssh port). then I apply that access list to the access group interface "outside".
I thought the outside interface would do a proxy arp (since I do not have the sysopt noproxyarp command) for my 227,228,229, and 230 addresses where .226 is my internal nat for all my internal machines i.e. 192.168.0.1 -> x.x.x.226 . I had this working like a charm before with my fortinet, so I know I have systems listening.
I have run into a very strange problem while doing pre-deployment vPC/STP testing in the lab with a pair of Nexus 7000s.
The basic configuration is as follows:
2x Nexus 7000 VDCs (ver 6.0(4)) are configured as vPC peers and connected with a vPC peer-link (redundant on different 10G blades) and a vPC peer-keepalive link. The switches also act as HSRP and EIGRP routers. The N7K-A switch is nominally configured as STP root and HSRP prime for all VLANs, N7K-B switch is STP backup root and HSRP secondary. STP version is PV-RSTP+. As it stands now STP root and vPC prime are on different switches, STP root is on N7K-A and vPC prime is on N7K-B.
3x Layer-2 access switches (3750-1, 3750-2, 3560-1) are configured as access switches and connected to the Nexus 7Ks with a 1G uplinks in V-pattern.
3750-1 and 3560-1 are configured for vPC as Port-Channel10 and Port-Channel12 respectively. 3750-2 is configured for STP. Vlan 35 is shared between all three switches and is enabled on the vPC peer-link (overlapping vPC and STP domains). The downlink port to the STP-only 3750-2 on N7Ks is configured as "vpc orphan suspend".
Everything seems to work fine and pings on VLAN 35 between access switches (that have mgmt interfaces in VLAN35) recover rapidly after failures. However, if I break the vpc peer-link the ping between the two vPC switches 3750-1 and 3560-1 stops. Moreover, this appears to be sporadic in nature with some vpc peer-link failure attempts recreating the problem and some not. Sometimes the problem manifests itself when the peer-link is brought back up rather than taken down.
After doing a bit of troubleshooting, I have isolated the problem to MAC address blackholing. Basically when the peer link is taken down, MAC Address table on the vPC primary switch, N7K-B, (I believe during vPC convergence) forces the traffic destined from 3750-1 to 3560-1 through the STP only switch 3750-2, which apparently goes through the RSTP convergence and enables its alternate link to N7K-B before vPC has finished its convergence. After vPC convergence is finished the path through the STP-only access layer switch 3750-2 no longer exists, as vPC will take down all vPC ports and suspend orphan ports on the vPC secondary switch (N7K-A). However the MAC Address table on N7K-B still points through the 3750-2 access layer switch instead of directly through Port-Channel 12 on N7K-B and thus creates a traffic blackhole. Issuing a ping or bouncing SVI interfaces on N7K-B fixes the problem.
I would like to configure a Cisco ASA 5505 with Dual ISP (ISP 1 and ISP2) and two networks (network 1 and network 2). My customer need that clients in the network 1 connect to Internet with ISP1 and clients in the network 2 connect with ISP2. If a failure occurs in ISP1 (just an example) the network 1 clients connect with ISP2.
1. I currently have a Comcast Business Class Gateway, Cisco 2100 Series WLAN Controller and a Cisco ASA 5505 all connected together to supply LAN and WLAN internet connections on my network.
2. I also have a Card Access Security System on it owns network. It currently does not have internet access.
I would like to put my security system on the internet so that I can support it remotely. To do this, it has to be on a firewalled internet connection.Can I put the two networks on my ASA 5505 and keep them seperate? I don't want to provide a path into the Security System through my current LAN & WLAN. But I do need a frewalled internet connection on my Security System. I am trying to avoid purchasing a seperate firewall.
I'm using asa 5505 with 8.4(2) and have the following problem.I have 2 Networks. each Network has it's own externel Internet-Ip and also Mail-Server. [code]
Now I want a communication between the two Mailservers with their external Ip-Address.I did a static NAT from ipnt any to int any or also from int routed to int routed, but nothing worked.Packet tracer showed at NAT-Lookup where the externel adress of the second Mailserver is passed: Info Static translate Network1 to Network1
But it should show a translation from network1 to network1-external.Due to Security reasons, I cannot paste the whole config.Under 8.0 I did the same configuration with Policy-Nat and it worked.
I've got an ASA5510 with an IPS/IDS module. Because of a merger, I've got two 10.10.10.x networks (West and Central). I'd like all West traffic to be IPS checked before going into Central. Once it goes into Central, it's out of my hands. Can I set up NAT to accomplish this?
Again, the traffic flow would be from West (10.10.10.1) through the ASA/IPS, and then to Central (10.10.10.1).
Is this possible? If not, do I need another router?
I am able to create 2 LAN networks (192.168.9.0 and 172.16.9.0) Vlan1 and Vlan12 respectively. I also setup 2 outside interfaces (outside1 and outside2).
Network 1 (192.168.9.0 - VLAN1) has no issues going out via Outside1, however I can't get Network 2 (172.16.9.0 - VLAN 12) to go thru outside2.
I put in a static route (route outside 172.16.9.0 255.255.255.0 x.x.x.x), the x.x.x.x is the default gateway of my ISP.
I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
1. Outside 2. DMZ 3. ServerNet1 4. Inside
ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it. [code]
We recently got a Cisco ASA 5510 Security Appliance and I have some general question.
We have 1 T1 internet connection, and we have 2 internal networks. These 2 internal networks currently hav access to the internet. I am having issues with the 2 internal networks being able to communicate with each other.
We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our providers network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IP's of 192.168.1.96 - 100, using the gateway of 192.168.1.225.
The main office network is 192.168.0.0 (Gateway of 192.168.0.1)
At this end (Main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to the 0 port on my ASA 5505). The ASA's port 1 obviously running into my network hub. The provider tells me that port 0/1 on the 2900 is or should be used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So, I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route setup either on the 2900 or the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.
There is already a static route setup on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:
1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub. At first I was plugging right into the ASA, but I don't think I need to do that, why go from the branch office through my ASA to access resources and then back out the ASA for internet. If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.
2. They have to route through the ASA first, in which case, do I need to setup another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!
There arer 3 stacks of 3750 at each building. The core switch/router in our network is at location B. The way it was originally setupis every L3 device has an ip address for each lan. So let's say we have VLAN 200 withnetwork 192.168.200.0/24. The DataCenter would be assigned (192.168.200.3), Building B would be assigned (192.168.200.1), and Building A would be assigned (192.168.200.2). I'm configuring the DC and BA to be L2 only and Building B to be the only real router in the network besides a few ASAs. When I ran a 'no ip address' on the vlan interface on Building A, the internet connectivity for 192.168.200.0 dies, but local connectivity is fine. After doing some research and troubleshooting, I found out that if I set the next hop on the ASA for the local networks for an IP address on building B everything works perfectly.
The way the routes on the ASA are setup for local networks are as follows.
All local networks have ip route localnetwork mask x.110.215.17. This address is the IP address of the inside interface on the ASA. Now, when I kill the IP address on the vlan interface on Building A internet connectivity goes down, while the next hop is still pointed to this address, BUT if I give it a next hop of the vlan interface ip address on B everything works fine. Now, I can easily fix this, I was just wondering why this is happening?
I have 3 ASA 5505 Firewall, I am creating Site 2 Site Full mesh tunnel with each firewall, the problem i am facing is two of the firewalls internal schema are same, Like Site 1 has an Internal Schema: 192.168.0.0, Site 2 has an Internal Schema 192.168.0.0, Site has an Internal Schema 10.10.10.0
For that i have to create a policy static nat and access list??
I configurred a access-list like below,
access-list vpn_ih_site3_site1 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0access-list vpn_ih_site3_site2 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
A pix 515E with software 8.0(4)28 connects the inside and outside networks. There are some servers in "outside" that have addresses overlapping with the internal subnets (192.168.10.25 and 192.168.10.26), and those servers have a reverse route only to a specific subnet (172.16.5.0/24). [code) Now to the problem. 192.168.10.26 is an HTTP server. On the pages it has hyperlinks pointing to http://192.168.10.25, the browser tries to access that server and, surely, fails, as the target server is only available by sending requests to 172.19.100.1, with the packets being DNAT'ed.Is it possible to rewrite the packet's body, replacing all occurances of url... I know it's a kludge, but other options are even worse.ASA eith 8.4 software? IOS router?
Currently a network consists of two subnets, one subnet is behind a ASA and the other behind a PIX, both connecting to the ISP's routers. If the PIX is retired, is it possible to create/consolidate the two networks protected by the ASA5510 with the default gateway being the ISP?
How can two private networks be protected by the ASA5510? One conceptual way is to create the VLANS on a layer 3 switch, on the "inside" interface of the ASA. In this senario what would the "inside" network's IP address? If the above is possible, how would natting occur?
Is there an efficient configuration to protect two networks protected by the 5510, other than creating a DMZ?
Is it possible to create two private networks with same level of security, 100 on a three network interface connections?
We have an inside interface, 192.168.10.0/23We have an outside interface, public ip...We have the ASA connected to 5 site to sites, this is working fine and through the internal interface can access all remote sites and vice vera. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24,When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read [URL] and I am confused even more.
I have an ASA 5510 working in Routed mode for a company with the following networks. everything works fine as desired. Below are the interfaces, security and ip addresses .
I'm usually not working with this product, but this is what I'm trying to do.I have 2 internal networks setup on our Cisco ASA 5505 firewall. (not done by me, I'm a new to this product)I'm trying to access a server on one network from a PC located on the other internal network. (preferable through the web gui)When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase.(Source ip: 10.0.4.99, Destination ip: 10.0.6.99) When I check the NAT rule, it says: Type Source Interface AddressDynamic any outside outside.
I have been assigned to find out the nature of the network's bandwidth utilazation. Is there a way to analyze traffic and breakdown the traffic on the ASA5510?
I am tasked with transferring all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:
192.168.0.0/24 192.168.43.0/24 (the intended migration network)
I am beating my head against the desk here as I dont seem to be getting anywhere after the changes I have made. The current configuration is as such:
I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping eachother, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?
how do i create 2 networks using 1 cable modem and 1 router and i would like to add a firewall thinking of using xywall usg20 for the firewall..... the issue is i have a small business with 1 point of sale and1 back office computer.(network1) and i would also like to use an air port wifi to offer wifi to my cleints on a seperate network(network2) not allowing access to network1 and i want a firewall on network 1 to protect the back office and pos system
