Cisco Firewall :: ASA5510 - Additional Public IPs Added To Outside Interface
Jul 31, 2012
I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range.
i.e.existing config
route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP)
Interface outside ip address 1.1.1.1 255.255.255.0
NAT 2.2.2.1 to 10.1.2.3
or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside.
or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?
i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31
Outside interface = 1.2.3.1/27
Can I use 1.2.3.31 and NAT it to an internal server?
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
My web server is out of public IPs. I requested more from my ISP and I got a different range with a different gateway. How do I handle the configuration on my Cisco ASA? Without any configuration changes to the firewall I saw the traffic hitting it and being blocked. I added an access rule to allow the traffic. I added a virtual interface on the ASA. I added a virtual interface on the web server. Using "Packet Tracer" the traffic flows from the outside interface to the new virtual interface. But I'm unable to access my web server and I don't see any traffic on that IP reaching the web server.Using Cisco ASA 5510.
I’ve been trying to figure out this for quite a while. I have a range of public IP addresses directly assigned on my dmz servers. The inside interface of ASA 5510 has one of those public IP addresses assigned (the default gateway for all dmz servers). Now I have a new range of public IPs that I also want to directly assign to new dmz servers. My goal is to have two distinct public IP ranges on dmz that should communicate between them. The inside ASA interface should be the default gateway for both networks.
We have a setup where clients on the internal network send/receive their emails through Microsoft Outlook client, while the Exchange server is hosted on the internet, outside the organization.The clients are connected to a Cisco switch, behind an ASA5510 Firewall. The Firewall is connected to an internet router, with double NAT (On the ASA and Router).
the outlook clients disconnect from the Exchange server, sometimes for hours, and then reconnect again. During these disconnections, the same client PCs are able to browse the internet normally. There are no restrictions for the traffic going from the inside to the outside. During the disconnections, if we try to connect using a public IP bypassing the ASA & router,.
I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.
We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.
We use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well. However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc. We could deploy a proxy server in the wireless DMZ to make all the wireless devices appear to web filter as a single IP, and apply a single policy, but that brings it's own problems. My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?
Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.
Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.
Recently, I've been having significant problems with denial of service on our ASA-5510. Two IP addresses in particular attack my ASA regularly. What kind of rule do I need to create to deny these IP's access to my firewall?
I'm currently configuring an ASA5510.I connected a laptop (IP 192.168.96.18/255.255.255.0) to port 0/2 and tried to ping 192.168.100.2 ... impossible to ping outside interface.I resetted the config of the ASA to retest more simple. [code]
We have a Cisco ASA 5510 with: -version: asa845-k8.bin -ASDM: asdm-711-52.bin
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.
how to totaly disable Admin/ASDM access on our public interface of our 5510. I don't want to change IPSec or SSL access to the outside interface. Just totaly disable access to Admin/ASDM from the outside without halting all other access.
I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else. Is this correct?
I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM and connect thru the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH
select "ADD" select access type "ASDM/HTTPS" select interface "internal" IP Address "10.1.1.0" Mask "255.255.255.0"
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA?
I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack. [code]
Is this the expected behavior of scanning-threat shun? If so this feature is of very little use to me as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.
For this pair , I need to move the 'outside' interface to Gig 1/3 and change the IP addresses. (minimize the downtime)[code] Remove the ip from outside interface and add the new IP and enable to monitor interface outside?
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
Do I correctly understand that when two ASA 5510 are in fail over pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the fail over link is down and one interface on primary got down also, interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.
In this case why to make tests on data interfaces ? What is the reason to make them? If the knowledge of that some interfaces of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run no monitor-interface if name command to dis load devices and network by foolish tests?
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside e0/1 = inside m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
at the moment we are using as default the manager interface as ap-manager interface.
Now I have to change the IP. I would like to change that very smooth with all our locations. My question, is it possible to add a ap-manager interface with a new vlan and IP Range, so that I can move the AP's to the second interface as as soon as it is planed with the location. Sometimes in special cases we have hard coded the WLC IP oder we just need to change the DHCP option but this needs to be planed and I see problem to do that in a hard cut.
Note If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
I've got a 1U server that has Citrix XenServer 5.6 installed on it. It has 2 physical ethernet interfaces, both connected to the same network switch, one interface has a public IP address on it and the 2nd interface has a private rfc1918 address on it (this can be changed if necessary). I use the private1918 interface to do administrative tasks, transfer data amongst the servers and guest VMs, etc. I'm given a /29 IP address allocation by a friend to use for my servers (using his FTTP internet connection). I want to set up a few guest VMs, but really most of them do not need to be using public IP addresses.
Is there a way to NAT the public interface on XenServer so that guest VMs can use rfc1918 addresses & get online, instead of using the few IP addresses I am given? Also how would I enable portforwards so that I can get applications to work like asterisk, SMTP, etc.?
I have two Windows Boxes connected to RV042 ; each has its own static IP assigned to it and each runs bunch of virtual machines , for which I had configured port forwarding .My hosting company claims that my server(s) are listening on IP 192.168.0.1 on a public interface (i.e., one that uplinks to their network). They see this same IP on two different MACs my uplink interface. I am not really sure how it is possible since 192.168.0.1 was assigned to router itself.
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfacesG0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.G0/0.23 is a separate LAN for various equipmentG0/0.192 is another LAN for equipmentG 0/1 is connected to the internet, and has a public address.S 0/0/0 is a T1 PPP, connected to our core data centerS 0/1/0 is a backup T1 PPP, again, connected to our core data center.There are three static routes entered:ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 This is the first PPPip route 0.0.0.0 0.0.0.0 10.13.1.1 200 This is the secondary PPPip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 It currently has a cost of 255 while i figure this one out. xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop ip with the same results. The public interface is properly connected, and can ping it's next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 8.8.8.8 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet)
This confuses me. If our server, on the same LAN as the router can ping the public interface (it's definitley not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public ip addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links. MAS_2911#sho run
Building configuration...
Current configuration : 5666 bytes ! ! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
I have a 2621 that I am configuring on the internet. My ISP gives me a static DHCP assigned address and then two more static addresses that are not part of the same block. (e.g. 1.2.3.4 is static via dhcp and then they give me 5.6.7.8/30).
I have fa0/0 getting 1.2.3.4 ia dhcp. I have 5.6.7.8 on a loopback interface for PAT/NAT as I have the main one on fa0/0 doing vpn to a remote ASA. The problem is that I have yet another device that needs a public IP, mainly 5.6.7.9... I want to hook that device up to fa0/2 (this box has three fa interfaces). How do I setup fa0/2 if I want to give the device on it a real live public IP address? I have done this before, but it must have been 10 years back on an even older CISCO and I can not remember how I did it.
