Cisco Firewall :: ASA5520 - Cannot Use Public NAT Address From Any Of Other Interfaces

May 31, 2012

I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:
There is a sub net (on a sub interface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source Na Ted through the ASA to the outside interface. This works fine.
There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.
Now the customer wants to access the server on the inside from a client of the "Guest" interface using the public (Na Ted) IP address. Reason for this is, they have an application with hard programmed IP address inside and want to run some life tests. However, this kind of traffic seems not to be passing through the ASA.
What I have tried so far:
- examined, if a hairpin scenario could be applied here, but it seems not, as I have traffic traveling between interfaces not out and in to the same interface.
- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"
- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules
So any reason why I cannot use the public NAT address from any of the other interfaces?

View 3 Replies


Cisco Firewall :: How To Enable Not Used Interfaces On ASA5520

May 12, 2011

I have a pair of brand new 5520s I am in the middle of commission.  After carving out all the DMZs etc I needed I realized that I really neede another physical NIC, not just another VLAN off a configured nic. [code]I am running 8.3(2).  How can I turn these "Not used" interfaces into useable ones?

View 2 Replies View Related

Cisco Firewall :: ASA5520 / 3560 - VLANs And Sub Interfaces

Aug 20, 2012

ASA's G0/2 interface is connected to G0/1 interface of a 3560G switch in DMZ, below is the config and diagram
Switch Config
int g0/1
switchport mode trunk
switchport trunk encapsulation dot1q
int vlan 1
ip add
We are running out of IPs in 192.168.0.X network and planning on creating sub interfaces on the ASA and trunk it to the switch so that we can have multiple V LANs in DMZ. Tried the below config in LAB but that didn't work, can you have a look at it and let me know if I miss anything. No change on the switch config since G0/1 is already a trunk port.
ASA Config
interface GigabitEthernet0/2
description Trunk to DMZ networks
no nameif dmz
If I change the V LAN on the switch from 1 to a different V LAN, say V LAN 50 for example, and configure the ASA accordingly its working fine.

View 5 Replies View Related

Cisco Firewall :: ASA5520 And Public IP Zone

Apr 5, 2011

I'm trying to setup a zone behind my firewall with complete publicly routeable IP addresses for 3 servers. The reason I'm doing this is I am in the network setup stage of an OCS implementation, and OCS connections don't behave well with NAT.
My device is a ASA5520. I have an internal zone, and a dmz zone. These are done via standard NAT configurations.
My question is this:
Is it possible to setup connectivity to the outside with internal servers that have Public IP's directly on their NIC's? Another little detail of interest is that this ip space is seperate than the one that's on current Outside interface facing our ISP. However we own both address space.

View 3 Replies View Related

Cisco Firewall :: 5520 Static NAT And Same IP Address For Two Interfaces

May 28, 2012

We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where would be the same public IP address.
-static (inside,Outside)  access-list inside_nat_static_1
-static (production,Outside)  access-list production_nat_static_1

View 2 Replies View Related

Cisco Firewall :: 80 / 443 - How To NAT Public Address To DMZ

May 13, 2011

1. how do I nat a public address to a dmz address.

2. how do I open port 80/443 in the public to this address?

View 1 Replies View Related

Cisco Firewall :: ASA5520 8.21 - Setup Routing For Non-contiguous Address Range?

Apr 13, 2011

ISP assigned us the following:xxx.yyy.zzz.32/30 as the outside interface network.This means .33 is the next hop, gateway, or default route.This means .34 is the outside interface on the as the ip address pool.This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address is identical in all cases.Addresses .35 through .63 are owned by other parties and are not usable to us.The 33-34 setup works using static routing - IPSEC VPN is setup and functioning properly using these addresses.

[ie. Route outside xxx.yyy.zzz.33] 
After NAT and ACL entries are created to provide altnernate external IP address on the outside interface [ie. static (inside,outside) [external ip] [name] netmask and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
How do I setup routing for this non contiguous address range?

View 4 Replies View Related

Cisco Firewall :: ASA 8.4(3) - Access To Public IP Address From Inside

May 22, 2012

I need to connect from an inside host to a host located in the DMZ zone for DNS queries. The host in the DMZ zone has a static NAT to the outside. The point now is that I would like to connect from inside to the NATed outside address, means to the public Internet address.
Inside host: -> PAT for to (Outside Interface)
DMZ host: -> NAT to outside to
The traffic should be udp>1024 to udp=53. The source IP address on the outside interface now is (according to the PAT), the destination IP address The DNS reply from should go back now to and then to the inside host
I know that on the PIX it was not possible, to have outgoing traffic on the outside interface which immediately enters again the same interface. Can I realize this scenario with the ASA 8.4(3) release now?

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Public Static IP Address And DMZ

Feb 3, 2013

I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,

View 4 Replies View Related

Cisco VPN :: One ASA5520 With Two Peers Interfaces

Feb 17, 2011

I have a location where I have 2 WAN links, but without a dynamic routing protocol in between. I want to implement a kind of hub to 2 spokes VPN. But the spokes will actualy be on one single ASA firewall, each spoke on a different interface. One hub-spoke will be primary, the other one the secondary. When the WAN link for the primary VPN fails the secondary should be started on the hub to the other spoke.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Port Redirection On Same Public Address?

May 26, 2012

We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?

View 6 Replies View Related

Cisco Firewall :: ASA5510 - Change Public IP Address On Outside Interface?

Mar 10, 2011

we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.

From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.

View 1 Replies View Related

Cisco Firewall :: 2nd Public IP Address On 5510 That Points Nowhere Internally

Mar 15, 2011

Will I break anything if I create a second IP address on the physical external interface of our ASA 5510?  I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.

View 9 Replies View Related

Cisco Firewall :: ASA 5550 - Direct Access To Public IP Address From Inside Network?

Jan 23, 2012

We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.

View 5 Replies View Related

Cisco VPN :: ASA 5500 Interfaces Have Not Public IP

Aug 21, 2011

My problem includes little bit design issue.I have site2site vpn between customer and my cisco router.But the customer wants to add L2TP traffic in this site2site tunnel.I have no experince about L2TP tunneling.I have also ASA 5500 series which locates behind the Cisco router.ASA interfaces have not public IP.Question is that Can I use my ASA firewall for just L2TP tunelling?Every document says ASA use IPSEC over L2TP. But IPsec tunneling is already done by Cisco Router.  Or should I have to do both tunnel in same network device? I mean ASA or Router?

View 1 Replies View Related

Cisco WAN :: 2801 - Cannot SSH Into All Public Facing Interfaces

Mar 12, 2013

I have a Cisco 2801 with two DSL cards that are both routing to the internet, with NAT to the private LAN interface. I am using IP SLA and route maps to accomplish this load balancing. I have rsolved most of the issues that come with this setup, but I still have a major issue: I cannot SSH into both of the WAN addresses, only one. I have included whqat I think is the most relevant config info.
#sh run
! ........some info omitted........!


View 12 Replies View Related

Cisco VPN :: ASA5520 Starts To See Internal Rfc 1918 Address Instead Of Configured Address

Mar 6, 2012

I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is:So instead of seeing the external peer address he sees a address. We are not sure what triggers this becuase normally he see's my address.

View 5 Replies View Related

Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.

View 1 Replies View Related

Linksys Wired Router :: RVL200 / RVS4000 Possible To Assign Public IP Address As Local IP Address?

Feb 28, 2011

Is it possible to assign public IP address as Router's local IP address (RVL200, RVS4000)?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

i have an ASA 5520 8.4(1) setup as follows
      public wan
       ASA-- public dmz
      private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?

View 6 Replies View Related

Cisco VPN :: ASA5520 Outside Interface Non Route-able Address

Aug 29, 2012

I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
I work for a state agency and our network connectivity is provided to us by another agency/department.  The firewall I want to use for VPN connectivity has an outside address of which is not routable outside the state's network.  I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication.  My DMZ network is setup as a local network and the ASA is performing NAT translations to the corresponding public IP addresses.
Putting in a NAT rule to translate one of the public IP addresses to the outside interface, but I wasn't sure if that would work.

View 1 Replies View Related

Cisco VPN :: ASA5520 To Narrow Down Debug For Peer Address

May 8, 2013

Any way of narrowing down a degub for a peer address only?  For example, I currently run 'debug crypto isakmp 127' which captures everything, but can I run the same dVPN debug for peer address know you can run 'sh crypto ipsec sa peer'.We're using an ASA5520 (8.4.2).

View 2 Replies View Related

Cisco VPN :: ASA5520 - Redirect Single IP Address Through User

Sep 11, 2012

I am having an issue with the user VPNs. For users connected via the AnyConnect VPN client, all of their Internet traffic goes out their local Internet connection, since I am using split tunneling. However, I need a specific public IP address to go through the VPN tunnel and out the DIA at the main office, rather than the user's local internet connection. I managed to have this IP address go through the tunnel to the ASA at the main office, but it appears that it gets blocked somewhere there, or maybe the return traffic gets blocked. I am using an ASA 5520 at the main office, with software version 8.3.

View 3 Replies View Related

Cisco WAN :: Unique Mac Address On All L2 Switchport Interfaces

Jun 2, 2013

I was wondering why do L2 swicthes have a unique mac address on all switchports ? These addresses are not used for mac rewrite during L2 forwarding since these switches themselves are layer to transit switches. What are these mac addreses used for then ?

View 1 Replies View Related

Cisco VPN :: Public IP Address For ASA5505?

Sep 7, 2011

I have a ASA5505 that I need to allow IPSEC and SSL VPNs through. The ASA is connecting to a BT Business ADSL router, what address should I be using on the ASA outside interface that will allow the ASA to be reachable from the Internet?

View 1 Replies View Related

Cisco :: 5508 WLC Configuration / Can't Access GUI On Management Interfaces Ip Address

Aug 30, 2011

I've got a new 5508 wireless lan controller and can ping the ip address of the management interface, but can't access the GUI at the management interface's ip address.  I can access the GUI on the service-port interface.  No static routes in the controller; trunk appears to be set up correctly.

View 5 Replies View Related

Cisco WAN :: 1841 - Public IP Address Behind Router

Mar 8, 2012

I'm really bad on networking so I have a question about NAT. I got two public IP addresses from my ISP: 92.x.x.252 - 92.x.x.254. 92.x.x.254 is configured as secondary on external interface and clients will use it two connect (vpn) it from outside through cisco 1841 to zywall p1 with wan ip address 92.x.x.253. Is this configuration (look at picture) allowed? How can I route traffic from 92.x.x.254 to zywall p1, if posible?

View 10 Replies View Related

Cisco WAN :: Assigning Public IP Address On ASA 5505

Jul 25, 2012

My company wants to create a VPN Tunnel to allow a remote office to connect to ours. I purchased 2 ASA 5505 and I was expecting to be able to set this up without any issues. Sadly, that is not the case.
What I'm having trouble with is configuring my Public IP Address to the device. I go through the setup wizard and enter the IP Address like normal, but I have no option to input my ISP's subnet, Gateway or DNS. Without those, I get no internet connection. I know there is a way to do this, but I'm stumped.

My Specs:

2 ASA 5505 series
ISP Modem (Which they control) - SMC SMCD3GN with DHCP disabled

View 1 Replies View Related

Broadband :: Configuring DSL With 5 Public Address?

Jun 23, 2011

We will acquire a DSL connection with 5 static public address. How can I use the 5 static public address using a linksys router. Is it depends with linksys router model?

View 2 Replies View Related

How To Configure Public Ip Address On A Router

Oct 8, 2012

i received a public ip from my ISP and need to configure to enable access my server remotely

View 1 Replies View Related

How To Assign Public Ip Address Using Router

Jul 14, 2011

I have a public IP and I want to be able to view my three systems connected to a linksys router from the internet. How can configure the router to see three systems with just one Public IP address whenever I am on the internet?

View 5 Replies View Related

Protocols / Routing :: Cisco 1841 - Cannot Use Public IP Address

Jun 5, 2012

Am having an issue with my cisco 1841. I recently brought some IP Publics. Now that i need them i just can't use them, I don't know much about routers but till now have successfully manage to do some stuffs with the router after googling ,OK we already have some other ip publics and when i look at the config file i can see something like this:

View 3 Replies View Related

Cisco VPN :: 3845 Public IP Address Is Changed / VPN Is Disconnecting

Aug 29, 2012

I've configured a easy VPN between cisco 3845 and cisco 871 router, 3845 is VPN Server.I am facing problem at client router ie.whenever The public IP address is changed the VPN is disconnecting.

View 3 Replies View Related

Copyrights 2005-15, All rights reserved