Cisco Firewall :: ASA5520 8.21 - Setup Routing For Non-contiguous Address Range?

Apr 13, 2011

ISP assigned us the following:

xxx.yyy.zzz.32/30 as the outside interface network. This means .33 is the next hop, gateway, or default route. This means .34 is the outside interface on the ASA.

xxx.yyy.zzz.64/26 as the ip address pool. This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool.

xxx.yyy.zzz is identical in all cases. Addresses .35 through .63 are owned by other parties and are not usable to us. The 33-34 setup works using static routing - IPSEC VPN is setup and functioning properly using these addresses.

[ie. Route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.33] 
 
After NAT and ACL entries are created to provide an alternate external IP address on the outside interface [ie. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.
 
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
 
How do I set up routing for this non-contiguous address range?


Cisco Firewall :: ASA5520 - Cannot Use Public NAT Address From Any Of Other Interfaces

May 31, 2012

I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:
 
There is a subnet (on a sub-interface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source NATed through the ASA to the outside interface. This works fine.
 
There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.
 
Now the customer wants to access the server on the inside from a client of the "Guest" interface using the public (NATed) IP address. Reason for this is, they have an application with a hard-programmed IP address inside and want to run some live tests. However, this kind of traffic seems not to be passing through the ASA.
 
What I have tried so far:
 
- examined, if a hairpin scenario could be applied here, but it seems not, as I have traffic traveling between interfaces not out and in to the same interface.
- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"
- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules
 
So any reason why I cannot use the public NAT address from any of the other interfaces?

Cisco Firewall :: 5520 - Multiple Global IP Address Range On ASA Outside I/f

Mar 17, 2011

Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
 
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
 
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
 
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
 
Is this going to horribly break Site-to-Site VPN Tunnels, IPSEC remote access?
 
Will VLANs work at all with IPSEC on the "outside" i/f?

Cisco Firewall :: ASA 5512x Restrict Email Delivery To Ip Address Range

Feb 2, 2013

I was wondering how to tighten the security of my email delivery to a range of IP addresses (I know how on my old firewall but the Cisco is quite a bit different). Right now anyone sending email to a particular IP address on my firewall can do so. I want to restrict that to two IP address ranges it will accept delivery from. I'm thinking I need two network objects for the two ranges, then add them to a network object group, and configure the ACL for delivery using that group, if I'm correct about that?

Cisco VPN :: ASA5520 Starts To See Internal Rfc 1918 Address Instead Of Configured Address

Mar 6, 2012

I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is:

So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this because normally he sees my 63.117.98.222 address.

Cisco Switching/Routing :: 2955 - Can't Use Interface Range To Restrict By Mac Address

May 20, 2012

I need to only allow 5 MAC addresses on a range of ports on a 2955 switch. If I do the following it only changes the first port in the range:
 
interface range fastEthernet 0/5 - 10
 
no spanning-tree portfast
switchport port-security
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security mac-address 00:1D:24:25:F7:AA

[Code].....

Cisco Switching/Routing :: 3560 - Dhcp - Excluded Address Range

Apr 29, 2012

We have a 3560 switch configured with EIGRP and DHCP. We have a user that we cannot ping; however, the interface shows up/up and there are no errors on the interface. The IP address is 10.2.0.199. However, we have DHCP configured to exclude the range with:

ip dhcp excluded-address 10.22.0.1 10.22.0.200

How can this workstation get a DHCP address if we have that IP range excluded from the DHCP pool?
 
The user is off a different switch that is an uplink to this distribution switch. Traceroutes show that the problem is with the distribution switch.

Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
 
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
 
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
 
My 2nd is that I have debug enabled on my rules but am not logging anything.

Cisco Firewall :: ASA5520 - Stub Multicast Routing And Forwarding?

Jun 26, 2011

I can't seem to find where in ASDM (6.4.1) we can configure IGMP forwarding:

ASA5520(config-if)# igmp forward interface outside

The ASDM doc reference does not seem to be correct, pointing to "Configuring Stub Multicast Routing":

Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Multicast > IGMP.
Step 2 In the Multicast pane, check the Enable Multicast routing check box.
Step 3 Choose MForwarding.
 
which generates:
 
ASA5520(config-if)# mfib forwarding

Cisco Firewall :: ASA5520 Routing Packets To Wrong Interface?

Apr 17, 2012

We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside" . All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
 
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz; we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference, and also a nat exempt. With nat-control disabled, do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, and if so how should this look?

Cisco Firewall :: 5520 - Object-group With Network-object Containing IP Address Range

Apr 7, 2013

Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
 
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D  Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
 
I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.

Cisco Security :: ASA 5510 Multiple Non-contiguous Blocks Of IPs?

Apr 30, 2012

Currently I have an ASA 5510 set up with one block of outside IP addresses. Everything is working fine in regards to my initial setup. However, we needed to purchase additional IPs from our provider and ended up with a completely different block. Where I am getting stuck is getting the new IPs to NAT to inside addresses.

Cisco VPN :: ASA5520 Outside Interface Non Route-able Address

Aug 29, 2012

I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
 
I work for a state agency and our network connectivity is provided to us by another agency/department.  The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network.  I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication.  My DMZ network is setup as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.
 
I thought of putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.

Cisco VPN :: ASA5520 To Narrow Down Debug For Peer Address

May 8, 2013

Any way of narrowing down a debug for a peer address only? For example, I currently run 'debug crypto isakmp 127' which captures everything, but can I run the same VPN debug for peer address 1.1.1.1? I know you can run 'sh crypto ipsec sa peer 1.1.1.1'. We're using an ASA5520 (8.4.2).

Cisco VPN :: ASA5520 - Redirect Single IP Address Through User

Sep 11, 2012

I am having an issue with the user VPNs. For users connected via the AnyConnect VPN client, all of their Internet traffic goes out their local Internet connection, since I am using split tunneling. However, I need a specific public IP address to go through the VPN tunnel and out the DIA at the main office, rather than the user's local internet connection. I managed to have this IP address go through the tunnel to the ASA at the main office, but it appears that it gets blocked somewhere there, or maybe the return traffic gets blocked. I am using an ASA 5520 at the main office, with software version 8.3.

Cisco VPN :: 172.16.x.x / 16 / Setup VPN But Both Side Use Same IP Range?

Sep 26, 2011

We need to set up a VPN to another company, but we both use 172.16.x.x/16. Would I need to get both sides to set up a VPN using 2 different subnet ranges and then get us to NAT it to our own range? I was thinking of making our side 10.7.x.x/16 and their side 10.6.x.x/16.

IP Address Range Different To What It Should Be

Jul 9, 2012

We had servers with 10. addresses and they now give out 192. addys when pinged. The addresses haven't been changed manually, but what might cause this?

What Is Range Of Ip Address

Jan 19, 2011

So I set up my Trendnet IP camera. It stopped working so I called their tech support and they gave me another IP number. My question is, what is the range of IP addresses? My address is 192.1.1.xxx; do they just pick a random number?

Increasing Ip Address Range?

Dec 24, 2012

I have an iPad, PC, laptop, mobile, and my daughter comes over with her iPod and mobile. As I understand things my IP address range is not big enough and as a result my iPad keeps dropping and saying not connected.

D-Link DIR-655 :: IP Address Range?

Jan 12, 2011

I have a device (internet radio) that seems to require an address format of 192.168.xxx.xxx. The router does not do this range and I cannot set it to that range (the first three xxx). If I try, the router defaults back to 192.168.x.xxx. Any way to overcome this so I can connect the radio (which works fine wired, as the ISP can supply a 192.168.xxx.xxx IP address)?

Cisco Firewall :: ASA5520 Bypass All Network Through Firewall

Dec 22, 2011

With regard to the firewall ASA5520, I'm using it in my network; all the configuration is properly configured and working, but with the use of a proxy address in Internet Explorer (e.g. 206.53.155.129/3128) all the blocked content is easily accessible; simply put, it bypasses the whole network through the firewall. So will you guide me on how to block the proxy servers?

Cisco :: Use DNS Entry In Extended ACL Instead Of IP Address Range?

Sep 1, 2011

Is it possible to use a DNS entry in an extended ACL instead of an IP address range?

How To Prevent Same Ip Address Range Conflict

Aug 5, 2011

I'm trying to ping another network segment using NAT to those devices, but the IP addresses I assigned are the same as the segment I am trying to monitor. Is there any way to overcome this?

Cisco WAN :: WAP4410n On A Home Network - IP Address Range?

Mar 5, 2011

I am trying to set up a WAP4410n Wireless access point and add it to my home network. One problem I can't seem to get around: the IP address range setup does not accept 1 (example 192.168.1.245) as a range setup for the IP address. How do I get in communication with the unit when I can't view the setup due to the factory default set as 192.168.1.245? If it were 192.168.0.245 I could easily change my router's IP range to include it.

Cisco Routers :: Rv082 - NAT Only For Specific IP Address Or Range

Mar 26, 2013

Any solution for NAT only for a specific IP address or a range of IP addresses from the same subnet?
 
I've read that the router in gateway mode automatically makes the translation and in router mode does not. Starting from this, is there any way to NAT from firewall access rules only?

D-LINK DIR-524 / Setup Second Router To Existing One To Make Range Better

Jan 26, 2012

I just bought a new wireless router and I am currently using my older D-Link DIR-524 wireless router in my home. The reason for buying a new one is that currently the D-Link router is in the family room (which used to be a garage) and my wife's iMac is in our bedroom a couple of rooms down, not next door or anything, and the iMac and even our smartphones, when in our bedroom, get disconnected then reconnected etc. Basically the signal strength is low initially when connected to the router.

Routers / Switches :: 2 Different Ip Address Range On One Network

Jan 1, 2011

I have a Buffalo NAS with IP address 192.168.1.30 linked to my router, which has IP address 192.168.2.1. Both have the same subnet mask: 255.255.255.0. DHCP on the router assigns IPs to my computers on the network (192.168.1.xxx). How do I access my NAS?

Change Existing Server Ip Address To A Different Range?

Jan 22, 2013

How do I change an existing server IP address to a different range? What changes do I have to make?

Auto-configuration IPv4 Address In 169 Range?

Mar 30, 2012

For the last two weeks, I have had a problem connecting to public hotspots. My own WiFi network is fine, but while I am connected to any public hotspot I get the 'no internet access' message on the wifi symbol. While connected to my own network, ipconfig /all shows that I have an Autoconfiguration IPv4 address in the (correct) 192 range, but when connected to a hotspot, the address is in the 169 range, or occasionally (as in the instance below) in the 10 range. Clearly this is the problem, but I cannot figure out what has caused it. Is it hardware? Software? Malware? Or user error? I have run the Wireless Test and the log results are pasted below.

Windows IP Configuration

Host Name . . . . . . . . . . . . : XPS-CLIENT-TIM
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

[code]....

Cisco Firewall :: Keep ASA5520 Firewall In Sync

Aug 22, 2011

I have two ASA 5520 firewalls: one at my primary data center connected to our production Internet feed, and one at my failover data center connected to a backup Internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our ISP that will move our public-facing address block from our primary site to our DR site in the event of a disaster, so the IP addresses will not change if we were to have to fail over to the DR site. Currently I just have to do any changes that I make on the failover firewall as well, but I would like a way to at least semi-automate this, if not fully automate it, so that I can eliminate the possibility of human error of a change happening at primary but never getting done at DR.

Cisco WAN :: 2960 Physical IP Address Of Server Is Private Range

Aug 3, 2012

I have an Internet connection over Ethernet connected to an L2 switch (Cisco 2960). I have 2 routers (Cisco 2900). I have a webserver to be accessed from the Internet. The physical IP address of the server is in a private range.
 
I have configured Stateful NAT as below
 
157.220.100.61 is Static NAT to 10.1.1.3 using redundancy
 
Though HSRP is working well, when RTR-1 is down I am not able to reach the webserver (10.1.1.3) using RTR-2.
 
We found in the ISP switch that even when RTR-1 is down, the MAC address for 157.220.100.61 is still present, one pointing to RTR-1 and the other pointing to RTR-2. There are 2 MAC address entries for 157.220.100.61.

Increasing Number Of Addresses And Dhcp Address Range

Dec 2, 2011

A small network uses the Linksys router BEFSR81 as DHCP server. The default number of addresses is 50 and starts at 10.0.0.100 to 10.0.0.149. A new Cisco IP Phone just introduced requires IP addresses and I have noticed we are running out of addresses. Can I increase the number to 120 so that the address range would go from 10.0.0.100 to 10.0.0.219? Also, I have a VPN device which automatically configures itself for the 10.0.0.199 address, and this is a /24 network configuration.

What Is Correct Subnet Mask And 10th Address Range

Nov 3, 2012

Given an IP address range, select the correct subnet mask for the scenario. IP address: 132.250.0.0/16, You need to create 100 networks with a minimum of 500 hosts per network. What is the correct Subnet mask and the 10th subnet address range?

Copyrights 2005-15 www.BigResource.com, All rights reserved