Cisco Firewall :: ASA5520 - Cannot Use Public NAT Address From Any Of Other Interfaces
May 31, 2012
I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:
There is a sub net (on a sub interface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source Na Ted through the ASA to the outside interface. This works fine.
There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.
Now the customer wants to access the server on the inside from a client of the "Guest" interface using the public (Na Ted) IP address. Reason for this is, they have an application with hard programmed IP address inside and want to run some life tests. However, this kind of traffic seems not to be passing through the ASA.
What I have tried so far:
- examined, if a hairpin scenario could be applied here, but it seems not, as I have traffic traveling between interfaces not out and in to the same interface.
- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"
- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules
So any reason why I cannot use the public NAT address from any of the other interfaces?
I have a pair of brand new 5520s I am in the middle of commission. After carving out all the DMZs etc I needed I realized that I really neede another physical NIC, not just another VLAN off a configured nic. [code]I am running 8.3(2). How can I turn these "Not used" interfaces into useable ones?
ASA's G0/2 interface is connected to G0/1 interface of a 3560G switch in DMZ, below is the config and diagram
Switch Config int g0/1 switchport mode trunk switchport trunk encapsulation dot1q int vlan 1 ip add 192.168.0.100 255.255.255.0
We are running out of IPs in 192.168.0.X network and planning on creating sub interfaces on the ASA and trunk it to the switch so that we can have multiple V LANs in DMZ. Tried the below config in LAB but that didn't work, can you have a look at it and let me know if I miss anything. No change on the switch config since G0/1 is already a trunk port.
ASA Config interface GigabitEthernet0/2 description Trunk to DMZ networks no nameif dmz [code]...
If I change the V LAN on the switch from 1 to a different V LAN, say V LAN 50 for example, and configure the ASA accordingly its working fine.
I'm trying to setup a zone behind my firewall with complete publicly routeable IP addresses for 3 servers. The reason I'm doing this is I am in the network setup stage of an OCS implementation, and OCS connections don't behave well with NAT.
My device is a ASA5520. I have an internal zone, and a dmz zone. These are done via standard NAT configurations.
My question is this:
Is it possible to setup connectivity to the outside with internal servers that have Public IP's directly on their NIC's? Another little detail of interest is that this ip space is seperate than the one that's on current Outside interface facing our ISP. However we own both address space.
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
ISP assigned us the following:xxx.yyy.zzz.32/30 as the outside interface network.This means .33 is the next hop, gateway, or default route.This means .34 is the outside interface on the ASA.xxx.yyy.zzz.64/26 as the ip address pool.This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool.xxx.yyy.zzz is identical in all cases.Addresses .35 through .63 are owned by other parties and are not usable to us.The 33-34 setup works using static routing - IPSEC VPN is setup and functioning properly using these addresses.
After NAT and ACL entries are created to provide altnernate external IP address on the outside interface [ie. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
How do I setup routing for this non contiguous address range?
I need to connect from an inside host to a host located in the DMZ zone for DNS queries. The host in the DMZ zone has a static NAT to the outside. The point now is that I would like to connect from inside to the NATed outside address, means to the public Internet address.
Inside host: 10.0.0.1 -> PAT for 10.0.0.0/8 to 126.96.36.199 (Outside Interface) DMZ host: 192.168.1.1 -> NAT to outside to 188.8.131.52
The traffic should be 10.0.0.1 udp>1024 to 184.108.40.206 udp=53. The source IP address on the outside interface now is 220.127.116.11 (according to the PAT), the destination IP address 18.104.22.168. The DNS reply from 22.214.171.124 should go back now to 126.96.36.199 and then to the inside host 10.0.0.1.
I know that on the PIX it was not possible, to have outgoing traffic on the outside interface which immediately enters again the same interface. Can I realize this scenario with the ASA 8.4(3) release now?
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
I have a location where I have 2 WAN links, but without a dynamic routing protocol in between. I want to implement a kind of hub to 2 spokes VPN. But the spokes will actualy be on one single ASA firewall, each spoke on a different interface. One hub-spoke will be primary, the other one the secondary. When the WAN link for the primary VPN fails the secondary should be started on the hub to the other spoke.
We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 188.8.131.52) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
Will I break anything if I create a second IP address on the physical external interface of our ASA 5510? I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.
We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.
My problem includes little bit design issue.I have site2site vpn between customer and my cisco router.But the customer wants to add L2TP traffic in this site2site tunnel.I have no experince about L2TP tunneling.I have also ASA 5500 series which locates behind the Cisco router.ASA interfaces have not public IP.Question is that Can I use my ASA firewall for just L2TP tunelling?Every document says ASA use IPSEC over L2TP. But IPsec tunneling is already done by Cisco Router. Or should I have to do both tunnel in same network device? I mean ASA or Router?
I have a Cisco 2801 with two DSL cards that are both routing to the internet, with NAT to the private LAN interface. I am using IP SLA and route maps to accomplish this load balancing. I have rsolved most of the issues that come with this setup, but I still have a major issue: I cannot SSH into both of the WAN addresses, only one. I have included whqat I think is the most relevant config info.
I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is:So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this becuase normally he see's my 184.108.40.206 address.
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
I work for a state agency and our network connectivity is provided to us by another agency/department. The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network. I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication. My DMZ network is setup as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.
Putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.
Any way of narrowing down a degub for a peer address only? For example, I currently run 'debug crypto isakmp 127' which captures everything, but can I run the same dVPN debug for peer address 220.127.116.11?I know you can run 'sh crypto ipsec sa peer 18.104.22.168'.We're using an ASA5520 (8.4.2).
I am having an issue with the user VPNs. For users connected via the AnyConnect VPN client, all of their Internet traffic goes out their local Internet connection, since I am using split tunneling. However, I need a specific public IP address to go through the VPN tunnel and out the DIA at the main office, rather than the user's local internet connection. I managed to have this IP address go through the tunnel to the ASA at the main office, but it appears that it gets blocked somewhere there, or maybe the return traffic gets blocked. I am using an ASA 5520 at the main office, with software version 8.3.
I was wondering why do L2 swicthes have a unique mac address on all switchports ? These addresses are not used for mac rewrite during L2 forwarding since these switches themselves are layer to transit switches. What are these mac addreses used for then ?
I have a ASA5505 that I need to allow IPSEC and SSL VPNs through. The ASA is connecting to a BT Business ADSL router, what address should I be using on the ASA outside interface that will allow the ASA to be reachable from the Internet?
I've got a new 5508 wireless lan controller and can ping the ip address of the management interface, but can't access the GUI at the management interface's ip address. I can access the GUI on the service-port interface. No static routes in the controller; trunk appears to be set up correctly.
I'm really bad on networking so I have a question about NAT. I got two public IP addresses from my ISP: 92.x.x.252 - 92.x.x.254. 92.x.x.254 is configured as secondary on external interface and clients will use it two connect (vpn) it from outside through cisco 1841 to zywall p1 with wan ip address 92.x.x.253. Is this configuration (look at picture) allowed? How can I route traffic from 92.x.x.254 to zywall p1, if posible?
My company wants to create a VPN Tunnel to allow a remote office to connect to ours. I purchased 2 ASA 5505 and I was expecting to be able to set this up without any issues. Sadly, that is not the case.
What I'm having trouble with is configuring my Public IP Address to the device. I go through the setup wizard and enter the IP Address like normal, but I have no option to input my ISP's subnet, Gateway or DNS. Without those, I get no internet connection. I know there is a way to do this, but I'm stumped.
2 ASA 5505 series ISP Modem (Which they control) - SMC SMCD3GN with DHCP disabled
I have a public IP and I want to be able to view my three systems connected to a linksys router from the internet. How can configure the router to see three systems with just one Public IP address whenever I am on the internet?
Am having an issue with my cisco 1841. I recently brought some IP Publics. Now that i need them i just can't use them, I don't know much about routers but till now have successfully manage to do some stuffs with the router after googling ,OK we already have some other ip publics and when i look at the config file i can see something like this: