Cisco Firewall :: ASA 8.4 / Nat Internal IPs With A Logical IP?
Feb 17, 2013
I have a query on natting on 8.4 ASA. We are going to configure IPsec tunnel with our client. Our client has provided a single ip(192.168.32.11) which would be the source at his end. Is it possible to Nat my end network(10.130.20.0/24) with logical ip (192.168.32.11) which is not configured anywhere.
here are details.
my end internal network(inside) : (10.130.20.0/24)
logical ip to be natted my internal ip: (192.168.32.11)
Client end network : (10.100.10.0/24)
View 5 Replies
ADVERTISEMENT
Dec 19, 2011
I am interesting how ASA 5585-X with SSP-60 operates in dual firewall mode, if I install two SSP-60 modules in chassi, do I get one logical firewall with doubled performance of (SSP-60) ?
View 1 Replies
View Related
Jun 14, 2011
I currently terminate my L2L VPN sessions on the "OUTSIDE" interface via the actual IP address assigned to that interface. Can I assign the OUTSIDE interface a second address (VIP, Logical, Virtual etc.) and then terminate my L2L VPN sessions on that second address?
View 3 Replies
View Related
Nov 29, 2012
We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections. We currently have failover on our 5520's. I found a lot of information out there but some seems to conflict one another.What are the things I need to look out for - caveats? Does the clients that connect to the VPN had to use different clients once the FIPS was enabled.Do we need to recreate logical interfaces for each physical interface we have?
View 1 Replies
View Related
May 12, 2011
Does any know why the ASA will monitor physical interfaces by default, but monitoring of logical interfaces is disabled by default? Or better yet, is anybody doing a monitor-interface for a subint without issue? I'd imagine it isn't enabled by default for a reason.
View 2 Replies
View Related
Oct 8, 2012
I have a node with one physical wireless interface and I need it to offer AP service to other nodes, connect to an existed AP, and connect to other nodes in ad hoc mode. If I create 3 logical wireless interfaces of that interface and configure each one respectively to the modes above, would this work? do they use the same MAC address or each needs to be configured a different one?
View 2 Replies
View Related
May 20, 2012
I have purchased two catalyst 3560 switches (with 24 interfaces) on Ebay to prepare for ccnp switch exam. It would be great if I have 4 switches. Is it any possibillity to create two logical switches from one? I mean, not by assigning interfaces to different vlans?
View 1 Replies
View Related
Dec 27, 2011
I recently bought 2 SRP527W for customer and i am trying to install them. I have updated the firmware to the latest version.
Problem: It can detect BTs business ADSL but the Logical Link is not picking up. I have checked and rechecked the setting with BT but no joy. the original BT router works.
View 19 Replies
View Related
Nov 16, 2011
We have two logical connection which are connected via 1 physical Ethernet interface to 2 routers in central sites. Both connections are 2 Mb/s. How can i classify the output traffic in order to shape both direction to 2-2 Mb/s.
There are not suitable "match" command!!! ??The branch routers are 2650xm and 2811.
View 4 Replies
View Related
Jan 11, 2012
I am installing a connection between Brocade MLX and Cisco 4503 using SE and SVI's. Below is the config for each. Am I missing anything like MTU Ignore or something along that nature?
*** Cisco 4503 (v15.01) Config ***
VLAN 35
name EOC_Gi1/2
[Code].....
View 3 Replies
View Related
Feb 16, 2013
I have 2 devices which need to communicate through Logical Link Control. Each device functions like this: they have a built in network switch that allows their internal components to communicate with TCP/IP which is then encapsulated inside LLC frames and sent out a special port. The LLC frames from each device all come from a single source MAC address and are broadcast out the network. The receiving deivce receives the LLC frames, unencapsulates the data and uses it directly.
Using it this way through a single 2960 (such that device 1 is connected to fa0/2 and device 2 is connected to fa0/23) with its own dedicated VLAN and no other traffic on the switch (all other ports shutdown), the two devices are unable to "connect". Using a SPAN session, I can clearly see them exchanging LLC frames, but if I connect my computer to the internal device switch and try to ping the other device through the LLC encapsulated link, I get anywhere from a 25% to 100% loss with response times between 2ms and 15ms.
When I connect the special ports of each device together directly with a straight through cat-5e cable, they can connect and I can successfully ping through the link with sub-millisecond response times. The same goes if I connect them through an old unmanaged Linksys switch. I have toggled everything on the 2960 I can think of, including STP, CDP, LLDP, storm control, keepalives, IGMP snooping, management interface VLAN1, and QoS. In general, the more of those that I turned off, the faster the ping responses became, but nothing seems to stop the data loss.
View 1 Replies
View Related
Oct 31, 2012
I was wondering if I can stack WS-C3750E-48TD with WS-C3750G-12S together to created a single logical switch.
View 3 Replies
View Related
May 6, 2013
I found a link to accomplish this on the old code but how can I get this done on 8.4.
[URL]
View 11 Replies
View Related
Jun 14, 2012
I have a problem on allowing ssh traffic between 2 different INTERNAL interfaces. Both the interfaces have the same security level (100).What I have to do is to allow a ssh command from 172.16.0.2 to 172.17.1.200. The firewall is configured but I am experiencing issues on the NAT.The error I get is as follows:#%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
View 3 Replies
View Related
Mar 28, 2012
I just setup my home network with Pix 515 acting as my router/firewall but I can't seem to ping my internal PC from my ASA. I can access the internet and ping my Pix 515 inside interface from my pc but I can't ping my pc from my Pix 515. I can also renew/release IP's from my PC. I also did a packet tracer and it says that it was dropped due to an access list but I have one in place. Also my switch has the default config. Below is my config
Internet <----> Comcast modem <-----> Pix 515 <-------> Cisco switch <-----> PC
MYFIREWALL# sh run
: Saved
[Code].....
View 4 Replies
View Related
Dec 14, 2012
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
to:
object network BMMM
nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
View 5 Replies
View Related
May 13, 2012
I am not very familiar with ASA 5520 yet.I have been able to allow the OUTSIDE world to connect via SSH to the intermal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]
View 2 Replies
View Related
May 1, 2013
I have a requirement to nat two public ip addresses to same interanl ip address. Is this possible on ASA version 9.1?
View 3 Replies
View Related
Jun 29, 2012
I am trying to protect the computing assets on a perimeter firewalled / protected LAN from visiting laptops while still permitting the laptops wifi internet access and printing priviledges on the LAN's networked HP printer To do that I was thinking of setting up a computer as a dedicated firewall with 3 NICs (external internet, internal LAN and a DMZ for a Guest wifi router for use by the visiting laptops). (Will probably use free Untangle Firewall software software or such on the dedicated firewall computer).What I can't figure out is the firewall's topology, IP ranges and rules / forwarding that would permit such laptop operation.I would think it would be a common need for small offices but can't find much material on the subject.I do understand that such would slightly weaken the firewall but feel that I would gain more security overall.
View 2 Replies
View Related
Feb 21, 2013
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?
View 5 Replies
View Related
Nov 20, 2011
I want to have my port 4 on the asa 5505 only allow access to the internet and not the internal network, what do i need to do?
View 1 Replies
View Related
Mar 18, 2012
I have an ASA5510 running 8.2 code and I have over 200 static nats from the outside to the inside interface and that is how I expose our systems to the Internet. If this inside interface fails we also have a bypass interface that also terminates on the internal network but I am not sure how the nats will behave given they are statically mapped to the inside.
View 1 Replies
View Related
Jul 29, 2011
i have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.
View 1 Replies
View Related
Jan 25, 2012
I now need to configure an ASA 5505 for a small server farm. It's fairly straightforward:isp -> asa5505 -> internal servers,'m using static addresses -- no DHCP involved.VPN works; I can get into the internal network.pinging from the ASA to an external address works,However, I cannot get from a laptop connected to an internal port out to the internet, either using ping or typing an address in the browser.
View 7 Replies
View Related
Jun 11, 2013
I've been following most of the comments in regarding how to allow communication between two internal networks on a ASA5510 8.2.5 But I am still a little confused about to how to set my firewall. I made chages to it and still do not have the desired results.
I need to allow comunication between Interface 0/1 and Interface 0/2. See configuration file with fake or dummy ip address below.
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com
[Code].....
View 1 Replies
View Related
Feb 18, 2013
I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
1. Outside
2. DMZ
3. ServerNet1
4. Inside
ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it. [code]
View 13 Replies
View Related
Apr 3, 2013
I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. [URL]) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuration or the firewall itself is not letting my requests through. The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
[Code] .....
View 2 Replies
View Related
May 28, 2012
We have an internal DNS server that all internal hosts do lookups to .. these requests are forwarded onto open dns for anything the dns server isnt authoritative for.. My question is we have purchased the botnet filter and this requires the asa5505 dns client to be active on at least one interface .. Should i point the asa dns to an external IP such as 8.8.8.8 and apply DNS enabled on interface outside ( am using asdm) I don't want the ASA to control DNS for our internal clients we already have a internal server for this, i DO want the asa5505 to check dns packets against its botnet filter, whilst still using open dns for forwarding.
View 1 Replies
View Related
Jan 12, 2011
I have a client in a workgroup environment. They are a small company with perhaps twenty systems. Their infrastructure consists of a Dell Switch, a Cisco ASA-5505 which hands out the DHCP and a router. And that's that.They have been using an external IP as their DNS Server to get out to the Web. However, they now want to add an internal Linux-based DNS server.In looking through the ASA-5505 today I noticed a field for DNS enteries. Is this where the IP for this new internal DNS Server (in the secondary DNS field) would go?If so, would it be necessary to reboot the ASA-5505 for this change to take effect?
View 12 Replies
View Related
Oct 19, 2011
I've a question about VPN IPSEC on ASA5510
In the LAN network , we use a DHCP on a Windows2003Server. Is it Possible to Configure the remote VPN Clients to use this DCHPserver throughout the VPN IPSEC and Assigned Automatically IP when the connection is done?
View 1 Replies
View Related
Apr 26, 2011
We recently got a Cisco ASA 5510 Security Appliance and I have some general question.
We have 1 T1 internet connection, and we have 2 internal networks. These 2 internal networks currently hav access to the internet. I am having issues with the 2 internal networks being able to communicate with each other.
View 2 Replies
View Related
Nov 7, 2012
We recently changed locations and acquired a new circuit from our provider. They also connected our remote branch office to our main office through MPLS. Now, as I understand it, the branch office basically connects back to the main office through our providers network (MPLS). We have a new router at the branch office which has a gateway of 192.168.1.225. The clients in that office have IP's of 192.168.1.96 - 100, using the gateway of 192.168.1.225.
The main office network is 192.168.0.0 (Gateway of 192.168.0.1)
At this end (Main office), I also have a new Cisco 2900 provided by the ISP, with port 0/0 for the outside connection (connected to the 0 port on my ASA 5505). The ASA's port 1 obviously running into my network hub. The provider tells me that port 0/1 on the 2900 is or should be used to connect the branch office back to here and has an IP of 192.168.0.225, as that's how the provider provisioned it. So, I plug that into the ASA's Ethernet port 0/2. And I'm assuming they have a route setup either on the 2900 or the router in the branch office so that 192.168.1.225 can reach me here at 192.168.0.0.
There is already a static route setup on the ASA: (192.168.1.0 255.255.255.255 192.168.0.225 1). As soon as I plug in the cable, the IP phones at the branch office work, but they can't access the internet or any resources in the main office. My questions are:
1. Shouldn't I be able to just go straight from the 0/1 port on the Cisco 2900 to my hub. At first I was plugging right into the ASA, but I don't think I need to do that, why go from the branch office through my ASA to access resources and then back out the ASA for internet. If they're already coming from 192.168.1.225, through the MPLS network, then they should go right to my network and then back out the ASA.
2. They have to route through the ASA first, in which case, do I need to setup another VLAN for that branch network in conjunction with a static route? I can ping the router and hosts in the branch office through the ASA only!
Below is the running sanitized config:
Result of the command: "show running-config"
: Saved:ASA Version 8.2(2) !hostname ciscoasadomain-name audiology.orgenable password ulzaQiFnKVzDwUmW encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.0.1 255.255.255.0 ospf cost 10!interface Vlan2nameif outsidesecurity-level 0ip address 1.2.3.4 255.255.255.240 ospf cost 10!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa822-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns server-group DefaultDNSdomain-name audiology.orgsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceaccess-list
[code]....
View 16 Replies
View Related
Mar 26, 2013
Cisco ASA 5510 directly facing the internet on E0/0 (1 Public IP only) with internal LAN on E0/1. Exchange 2010 OWA working fine with ACL and NAT rules configured.Problem:
•1. Cannot publish internal web servers to outside, have tried PAT.
•2. Have multiple web servers to publish with all on one protocol (HTTP) to a single public IP which I don’t know if it’s possible on a ASA.
•3.When SSL VPN is configured with Local user database, connecting from Anyconnect client gives a certificate error. Upon viewing the certificate it points to the internal mail server.
View 7 Replies
View Related
