Cisco Firewall :: ASA5510 Static Nat From Outside To 2 Internal Interfaces?

Mar 18, 2012

I have an ASA5510 running 8.2 code and I have over 200 static nats from  the outside to the inside interface and that is how I expose our systems  to the Internet.  If this inside interface fails we also have a bypass  interface that also terminates on the internal network but I am not sure  how the nats will behave given they are statically mapped to the  inside.

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA-5-305013 / Ssh Between 2 Internal Interfaces?

Jun 14, 2012

I have a problem on allowing ssh traffic between 2 different INTERNAL interfaces. Both the interfaces have the same security level (100).What I have to do is to allow a ssh command from 172.16.0.2 to 172.17.1.200. The firewall is configured but I am experiencing issues on the NAT.The error I get is as follows:#%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse  

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Communication Between Two Internal Interfaces

Jun 11, 2013

I've been following most of the comments in regarding how to allow communication between two internal networks on a ASA5510 8.2.5 But I am still a little confused about to how to set my firewall. I made chages to it and still do not have the desired results.
 
I need to allow comunication between Interface 0/1 and Interface 0/2. See configuration file with fake or dummy ip address below.
 
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com

[Code].....

View 1 Replies View Related

Cisco Firewall :: ASA5510 Multiple Outside Interfaces

Jun 16, 2011

We have an ASA 5510 firewall.  There are 4 ports on it configured as 2 outside, one inside, and one DMZ.  We have two cable modems attached to the outside ports.  Our plan is to have the "inside" port directed to one outside port/cable modem, and the DMZ port directed to the other outside port/cable modem.
 
We have been able to get the "inside-to-outside" setup to work but not the "DMZ-to-outside" setup (at least at the same time).First off, is this possible?  If so, what are we likely missing - some way to have a second default route for the DMZ?(My manager is the "Cisco person" here, not me, so I may not have enough info.

View 1 Replies View Related

Cisco Firewall :: DMZ Sub Interfaces Into Sub Interface Of Asa5510

Jul 5, 2012

We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.

View 7 Replies View Related

Cisco Firewall :: Gigabit Interfaces In ASA5510-SEC-BUN-K9?

Jul 14, 2011

I know with a ASA5510-SEC-BUN-K9, you can increase eth0/0 and eth0/1 to gigabit with the right IOS.  Is the same possible with the CSC version of the ASA?

Exact pn is ASA5510-CSC10-K9.  I believe I only have the base license for the ASA, but the security plus for the CSC.

View 4 Replies View Related

Cisco Firewall :: Can ASA5510 Be Configured To Use 2 Outside Interfaces

Feb 12, 2013

I am trying to determine if this is possible or not.  I have tried several configurations and I can only get half of it to work.
 
LAN (10.1.1.0/24) =====>                      <===== OUTSIDE (T-1)
                                            ASA5510
DMZ (10.1.10.0/29) ====>                      <===== BACKUP (DSL LINE)
 
The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.The backup interface routes to the internet via a DSL modem, it normally is not active.The outside interface routes to the internet via a T-1 line.The inside interface is our local LAN and the DMZ has our email server on it.I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line.  No inside traffic (inbound or outbound) should go through the T-1.  No DMZ traffic (inbound or outbound) should go through the DSL line.
 
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.I am not looking for redundancy or failover protection.

View 3 Replies View Related

Cisco Firewall :: ASA5510 Possible To Upgrade Module Of Interfaces From 10mb To 1gb

Jul 29, 2012

I am using Cisco ASA5510 Firewall in my network.  Upgraded the Memory and Flash  to 1GB and 512MB.But the 5 interfaces  ports are  10mbps.Can it possible to upgrade the module  of Interfaceses from 10mb to 1gb?

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Verifying NAT Is Fully Disabled Between Two Interfaces?

Jun 24, 2012

I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to  the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.So far I have the following NAT related running-config command (in regards to these two interfaces):
 
access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface insideaccess-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-testaccess-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface insideaccess-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-testaccess-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list NAT_Exempt_2nat (inside) 1 0.0.0.0 0.0.0.0nat (Inside-test) 0 access-list NAT_Exemptnat (Inside-test) 1 0.0.0.0 0.0.0.0
global (outside) 1 interfaceglobal (Inside-test) 1 interface

View 11 Replies View Related

Cisco Firewall :: ASA5510 - Traffic Between Multiple Inside Interfaces

Oct 10, 2011

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.
 
Below is a sanitized version of the config.

ASA Version 8.2(1)
!
hostname BOB

[Code].....

View 11 Replies View Related

Cisco Firewall :: How To Enable ICMP Between Two Inside Interfaces ASA5510

Feb 20, 2013

Today I run into a problem with enabling ICMP traffice between two inside interfaces on ASA5510 (version 8.2). I tried to ping from 192.168.1.2 to 192.168.2.2  Failed. But I can visit outside websites or ping from any of the two addresses above to 8.8.8.8 So I checked the configuration shown as follow

<omitted>
interface ethernet0/1
nameif inside

[Code]....

View 3 Replies View Related

Cisco Firewall :: 5520 Static NAT And Same IP Address For Two Interfaces

May 28, 2012

We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
 
-static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
-static (production,Outside) 10.10.10.10  access-list production_nat_static_1

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Use Internal DHCP Throughout VPN IPSEC

Oct 19, 2011

I've a question about VPN IPSEC on ASA5510
 
In the LAN network , we use a DHCP on a Windows2003Server. Is it Possible to Configure the remote VPN Clients to use this DCHPserver throughout the VPN IPSEC and Assigned Automatically IP when the connection is done?

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Connect 2 Internal Networks

Apr 26, 2011

We recently got a Cisco ASA 5510 Security Appliance and I have some general question.

We have 1 T1 internet connection, and we have 2 internal networks.  These 2 internal networks currently hav access to the internet.  I am having issues with the 2 internal networks being able to communicate with each other.

View 2 Replies View Related

Cisco Firewall :: ASA5510 Cannot Publish Internal Web Servers To Outside

Mar 26, 2013

Cisco ASA 5510  directly facing the internet on E0/0 (1 Public IP only) with internal  LAN on E0/1. Exchange 2010 OWA working fine with ACL and NAT rules  configured.Problem:

•1. Cannot publish internal web servers to outside, have tried PAT.
•2. Have multiple web servers to publish with all on one protocol (HTTP) to  a single public IP which I don’t know if it’s possible on a ASA.
•3.When SSL VPN is configured with Local user database, connecting from  Anyconnect client gives a certificate error. Upon viewing the  certificate it points to the internal mail server.

View 7 Replies View Related

Cisco Firewall :: ASA5510 Internal Flash Requirement For IOS 8.2(5) Upgrade?

Dec 21, 2012

Currently my ASA5510 has a 64MB internal flash.  Does the ASA require a higher capacity flash for an IOS upgrade from 7.2(x) to 8.2(x)?  The Cisco Release Notes does not state any internal flash requirement, but just wanted to double check.

View 2 Replies View Related

Cisco Firewall :: Managing ASA5510 Using ASDM Via Internal Interface

May 17, 2012

I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
 
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else.  Is this correct?
 
I only configured one internal port and it is the path to my LAN.  I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process.  Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
 
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1.  If I open ASDM and connect thru the management port and select Configuration/Device Management/Management  Access/ASDM/HTTPS/Telnet/SSH
 
select "ADD"
select access type "ASDM/HTTPS"
select interface "internal"
IP Address   "10.1.1.0"
Mask       "255.255.255.0"
 
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA? 

View 6 Replies View Related

Cisco Firewall :: Static Nat On ASA5510

Aug 25, 2012

We have network topology:

Inside Network (172.168.1.0/27) --- ASA5510----- Outside network (192.168.10.0/24)
ASA5510 have: Inside interface: 172.168.1.30/27; outside interface: 192.168.10.254
And we config:
# object network obj_inside
# subnet 172.168.1.0 255.255.255.224
# nat (inside,outside) dynamic interface
 [code]...
 
So, we í in from outside, we can't access web at 192.168.10.10?

View 3 Replies View Related

Cisco Firewall :: ASA5510 - Redirect HTTP Traffic To Internal Proxy?

Feb 13, 2011

I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
 
Http Traffic will be routed like that : PC ->  WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.

View 6 Replies View Related

Cisco Firewall :: ASA5510 - Routing / NATing From Internal Network To Outside Interface IP

Jun 3, 2012

I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing

View 1 Replies View Related

Cisco Firewall :: 2801 / Setting Up Static NAT To Internal Server?

Dec 15, 2012

One of my internal servers requires it to be available to the internet I am having a hard time allowing it to be NATed through my Ciscc 2801 router. It seems as though im missing something small. From what I can gather it seems as though its as issue with ACL, but im not sure. I have ran the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443 
 
Here is a copy of my config.
 
IP    172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Ciscso 2801 Router

[code]....

View 5 Replies View Related

Cisco Firewall :: ASA5510 Static 1to1 NAT Configuration

May 21, 2012

We are replacing our EOL Watchguard X1000 Firewall(s) with Cisco ASA 5510 unit - ASA Version 8.4(3).  Following is the static NAT I have build and the corresponding access list.
 
nat (FW2Inside,FW2Outside) source static BW_XSP1_Private BW_XSP1_Public destinat
ion static BW_XSP1_Private BW_XSP1_Public

access-list FW2Outside_access_in extended permit tcp any object BW_XSP1_Public object-group DM_INLINE_TCP_1
 
Unable to access the server on the inside interface via the public NAT address. Can you point me in the right direction as to what I might be missing to make this work?

View 1 Replies View Related

Cisco Firewall :: ASA5510 Dynamic Routing And Static NAT

Dec 10, 2011

I have a ASA5510 with 2 internal interfaces (inside1 and inside2 same security level) configured with OSPF for dynamic routing with 2 routers to corporate subnets. I have a server in a private subnet that needs to be accessed from Internet. So static pat is used in ASA with the command
 
static (inside1, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
 
As OSPF is in use, the subnet 192.168.1.0/24 may be reachable from interface inside2. When I tried to configure the static command for inside2,
 
static (inside2, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255.the error message came out "WARNING: mapped-address conflict with existing static...". Is this just a warning, or this is not possible in ASA.

View 2 Replies View Related

Cisco Firewall :: ASA5510 With Dual ISPs And Static NAT On Backup

Dec 12, 2012

Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config.

View 4 Replies View Related

Cisco Firewall :: ASA5510 - Applying Static Command / Not Found Error

Apr 3, 2011

I have Cisco ASA5510 OS version 8.4(1), when i try to apply static command, this command is not found, the NAT issues used nat(inside,outside).

So why i can't found this command ?

View 1 Replies View Related

Cisco Firewall :: ASA5510 Static Routes For Management Interface Not Working

Mar 30, 2011

We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
 
e0/0 = outside
e0/1 = inside
m0/0 = management
 
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
 
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
 
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
 
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
 
route management 10.72.211.0 255.255.255.0 10.72.232.94 10   <------------- this works
 
route management 10.72.211.79 255.255.255.255 10.72.232.94 10   <------------- this works too
 
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
 
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
 
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
 
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby

[Code].....

View 3 Replies View Related

Cisco Firewall :: Create Static PAT To Allow Host Address To Access Network Through ASA5510

Aug 23, 2012

The old syntax that I am much more familiar with has been deprecated.  On older IOS it would have been something like static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255  Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA.  I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on  port 1433.

View 11 Replies View Related

Cisco VPN :: ASA5510 Can't Seem To Route Traffic To Both Interfaces

Sep 12, 2012

I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?

View 14 Replies View Related

Cisco VPN :: AnyConnect 3.0 With ASA5510 No Internal Access?

May 9, 2012

We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,

View 5 Replies View Related

Cisco VPN :: ASA5510 SSL Access To Internal Network?

May 18, 2011

We have ASA5510s and I've configured an SSL VPN using AnyConnect.. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20..0/24. After successful login, using LDAP. the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?

View 8 Replies View Related

Cisco :: Internal Server Is Not Accessible From Outside Static?

Mar 23, 2013

I have nated my 172.81.15.0 255.255.255.0 into my internal server 10.1.10.164 , i can ping the out side server but the internal server is not accessible from out side static (Database-Servers,interface-sms) 172.81.15.2 10.1.10.164 netmask 255.255.255.255icmp permit 172.81.15.0 255.255.255.0 interface-smsroute zemen-sms 172.81.15.0 255.255.255.0 10.131.199.201 1access-list Database-Servers-in extended permit tcp host 10.1.10.164 host 10.185.62.144 eq 9090access-list Database-Servers-in extended permit tcp host 10.1.10.164 host 10.185.62.144 eq wwwicmp permit host 10.185.62.144 interface-smsi can ping the out side server 10.185.62.144 with out a problem . from the server 10.185.62.144 i can ping untill 172.81.15.2 and it will not ping the natted server 10.1.10.164. as u seen the accesslist ping is permitted.

View 1 Replies View Related

Cisco VPN :: L2L VPN With Static NAT To Hide Internal IPs On 1841 ISR?

Mar 14, 2011

I have configured a L2L VPN on a Cisco 1841 ISR.  I am statically NATing some of my internal hosts to IP addresses that are included in the encrypted traffic.  Please note that not all of the internal hosts are being NATed.  I am doing this to hid some of the real IP addresses on the inside network.  I have confirmed that the VPN works, as well as the NATing of the VPN traffic.  I have traditionally configured L2L VPNs on Cisco ASA 5500 series appliances, and this is my first attempt with the 1841 ISR.  I just want other to take a look a see if I missed anything, or, could I have done some of the configuration more efficiently.  All comments are welcome.
 
 VPN-RTR-01#show runBuilding configuration...

Current configuration : 9316 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname VPN-RTR-01!boot-start-markerboot-end-marker!! card type command needed for slot/vwic-slot 0/0logging buffered 51200 warningsno logging consoleenable secret 5 xxxxxxxxxxxxxxxenable password 7 xxxxxxxxxxxxxxx!no aaa new-modelip cef!!!!no ip domain lookupip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!!crypto pki trustpoint TP-self-signed-2010810276 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2010810276 revocation-check none rsakeypair TP-self-signed-

[code]....

View 1 Replies View Related

Cisco WAN :: 5510 To Add A Static Nat To Allow Access To Internal Webserver

Mar 20, 2011

ASA 5510I'm trying to add a static NAT for to allow access to an internal webserver on my DMZ.  I've added the config, however i'm still unable to get to it from the outside.  I'm able to ping and browse the server from the LAN and I'm also able to ping the external interafce from the outside, but just unable to browse.I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside"

View 0 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved