Cisco Firewall :: Configuring NAT In 8.3 Using DMZ 2
Sep 26, 2011
We have a requirement where we need to enable a dynamic NAT from DMZ-1 to Inside, I gave the command below, but for some reason it does not work.nat (DMZ-2,Inside) source dynamic any interface,NOTE: The access-list is permitting all the traffic from DMZ-1 and Inside (for test)
View 1 Replies
ADVERTISEMENT
Dec 26, 2012
configuring NAT on intranet firewall. here is the my topology:
DMZ Network - - - - - - - - - External Firewall - - - - - - - - - Internet
|
|
|
Internal Network - - - - - - - - - Internal Firewall
1) I can Ping the intneral host from external firewall, internet firewall and DMZ network
2) Both ASA's are running OS Version 9.0(1)
3) ACL used permit IP any any, on both (i.e inside and outside)
NAT configuration on Internal Firewall (Identity NAT)
object network MGMT-SRV-INSIDE subnet 10.10.10.0 255.255.255.192
object network MGMT-SRV-identity
subnet10.10.10.0 255.255.255.192
object network MGMT-SRV-INSIDE nat (Inside,Outside) static MGMT-SRV-identity
[code]....
View 1 Replies
View Related
Sep 21, 2012
I am configuring a Cisco ASA 5505 firewall.In the office there is 1 x SBS 2008 server and 5 x PCs, all sat behind a Netgear DGN1000 ADSL router.We want to implement a ASA 5505 for added security.I have configured the internal interface of the Cisco ASA 5505 to be 192.168.0.1 - this is connected to local switch. The client PCs use 192.168.0.1 as their default gateway.I have configured the external ASA 5505 interface to be x.x.x.217. [code]Change the current router status from Router/Firewall/Modem to Modem only (Bridge mode). The ASA 5505 has its outside interface connected into one of the LAN ports of the netgear. The lan port has an IP of 192.168.0.254.
View 3 Replies
View Related
May 15, 2012
I'm having an issue configuring NAT on an ASA running 8.3. 've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.
object network obj_any-18
subnet 0.0.0.0 0.0.0.0
object network obj_any-18
nat (inside,dmz1.005) dynamic interface
The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!
What would be the best way to configure the return traffic from the DMZ to the Inside.
View 12 Replies
View Related
Mar 29, 2013
I am trying to connect 2 VMWARE servers directly to my 5515-X firewall. [code]ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail).
View 4 Replies
View Related
May 14, 2011
I am configuring new ASA 5520 with AIP module for our network with HA (2 boxes), would be the best practice to configure in order to protect web servers and email server.
View 2 Replies
View Related
Mar 30, 2012
There seems to be a large number of the subject queries in one form or another. Having acquired an asa 5505 and using 8.43 firmware and the ADSM gui for router configuration it has not been an easy transition from other products. I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice nat or manual nat, not really ever dealing with it before, or in this manner.
What I would like to suggest to the experts, is to include far more ADSM web gui examples and discussion for manual nat. The tools are all there - in the nat rules editing page, the display of the rules pictorially and the packet flow at the bottom of the page (and finally thru packet tracing). What is needed is more on the actual entries on the nat editing pages and the logic and explanation of those entries. In this forum what I would like to see is when there are responses that they include both the CLI recommended entries b AND the associated adsm web gui pics. With good documents for reading and examples in the forum, I think there should be much less confusion allowing more attention to some very complex scenarios. At the very least I and others like me will get better edumecated. I am looking to understand CIsco packet routing through explanations of the web gui entries. In fact, I am learning far more by trying to understand the web gui vice simply copying and entering CLI commands. In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page with "Destination Inteface" in the second Advanced page .I have added the packet tracing jpegs for further context. There is an UNNAT lookup entry (first trace block, out of view on the pic) a concept which is missing in the documentation I've read that needs to be added but it is illuminating in how the router handles traffic. What is also interesting is the fourth jpeg which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table xlate etc)).
View 2 Replies
View Related
Jun 20, 2011
I present wish to develop a policy and template for QOS on our ASA 5520 release 8.0(2) we presently have wish to do server hosting in our network for other organization,which the they will be able to access their servers they have both public and private addresses. we do have our one servers also already in production all behind the ASA And therefore we wish to apply qos on the servers to be hosted and we wish to do this on the ASA. how to go about this to apply qos on the ASA?
View 3 Replies
View Related
Dec 5, 2012
want to know the command for configuring NAT on My ASA5505.
Local IP - 192.168.1.0/241
Public IP - 182.73.109.118 255.255.255.252
View 4 Replies
View Related
Nov 20, 2011
We have to set up voip for our network(for 50 phones not he cisco phones).
I need to just the route the voip traffic to gateway address of telephonic company(1.1.5.7) where they provide us the connectivity for the setination call.
What sort of protocols should i have to enable in pix i saw the concepts like sip, h323, ras, skinny.
We are using only voip for asa and no data or other traffic should be allowed.
inside adrees: 10.10.10.0/24 for all voip phones
outside:121.21.22.1
telephoneic gateway: 1.1.5.7
View 1 Replies
View Related
Oct 16, 2012
I have two ASA 5510's that I want to setup in a Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750's stacked together that connect to the ASA's. Should I run the inside interface on ASA1 to a port on switch 1. Then run the inside interface on ASA2 to a port on switch2? And make sure both those ports are in the same VLAN? But, then when failover occured, how to I automatically make it clear the arp cache so the traffic starts flowing out of the right port?
View 1 Replies
View Related
Dec 27, 2011
In my lab setup i configured Cisco 3560 switch.
VLAN 20 and VLAN 30 i configured.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine.
For testing for purpose i configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice-versa.
Here i configured like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
applied ACL in VLAN 30 interface 'in' direction.
ip access-group 111 in
In this scenario, communication is stopping in both directions. If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.
From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement). So, solution needed to communicate from VLAN 20 to VLAN 30.
View 1 Replies
View Related
Aug 19, 2012
I just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and theres a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, nat commands, and other migration stuff. Its been awhile since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit because theres so many lines for so little that I really need.
I have a 5510 assigned an IP address on the outside interface with 3 inside interfaces and below are the only requirements I need.
Network-A (192.168.1.0/24)
- incoming ssh port 2202 goes to node 192.168.1.2
- incoming ssh port 2203 goes to node 192.168.1.3
- handle incoming https (443) requests
- handle incoming www (80) requests
- cannot see Network-B or Network-C
Network-B (10.0.0.0/16)
- ssh to nodes on Network-A
- incoming ssh port 22 goes to node 10.0.0.20
Network-C (192.168.2.0/24)
- ssh to nodes on Network-A
- incoming ssh port 2210 goes to node 192.168.2.2
ASA-5510
- sends logging to syslog node 192.168.1.3 on Network-A
- there are DNS and NTP servers located outside
View 1 Replies
View Related
Jan 13, 2013
To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
The following is a capture of the show version:
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
View 8 Replies
View Related
Jun 6, 2011
I am planning on building the configuration on my ASA 5505, and then distribute that same configuration to several places on ASA5505's.
What is the best way to do this? Screen dumps of the ASDM. Copy the running-configuration from a text file into the ASA5505. TFTP the running-config.
View 2 Replies
View Related
Apr 19, 2011
I have 2 ASA 5505 firewalls and 1 cisco 3560 switch.
One ASA 5505 firewall and cisco 3560 switch located at SITE-A. Another ASA 5505 firewall located at SITE-B.
Below is the my connectivity:
Site-A IPSec VPN Site-B
cisco 3560 <----------------------------> ASA 5505<------------------------------------------------------------------------------------> ASA 5505
I planned to create 5 vlans in my cisco 3560 switch. these 5 vlans needs to have internet and needs to access Site-B.
I will write on dafault route to firewall in my cisco 3560 switch. Is ASA 5505 supports this scenario??? If it is then how to configure ASA 5505 firewall.
View 4 Replies
View Related
Apr 15, 2013
Platform: 881WIOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3License:
I have tried both advsecurity and advipservices
Problem: Configuring an auth-proxy redirect on seccessful authentication,Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated.
The command is:,ip admission proxy http success redirect <url-string>,However, the command does not seem to exist on many of the latter IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command depricated? Is there a more efficient method of redirecting?
View 6 Replies
View Related
May 11, 2011
I have ASA 5505 with base licence. I configured NATing and VPN(site to site). All are working fine.My ASA is base license so i created 2 VLANS, one is inside and outside.Inside i am using 10.91.40.0/24 serie IP addresses.Below are the new requirements that i need to configre:
1. First 30 IP addresses only needs internet directly.( Servers and Management)
2. If remaining IPs likes to use web then traffic needs to forward one proxy server( where he gives user authentiation)
View 2 Replies
View Related
Oct 28, 2012
I am trying to configure RemoteDesktop on a home lab ASA5505 with IOS 8.4.1 and no matter what I tried, I am unable to remote into a local server behind the firewall. I've searched online and found several threads with solutions online including here at Cisco Support Community forum and have tried them all, but have no success. I'm sure it may be something very simple that I've missed.
ASA Version 8.4(1)!interface Vlan1nameif insidesecurity-level 100ip address 192.168.148.5 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 67.x.x.75 255.255.255.128!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2shutdown!interface Ethernet0/3shutdown!interface Ethernet0/4shutdown!interface Ethernet0/5shutdown!interface Ethernet0/6shutdown!interface Ethernet0/7shutdown!ftp mode passivedns domain-lookup outsidedns server-group DefaultDNSname-server 67.x.x.75domain-name demo.localobject network insidesubnet 192.168.148.0 255.255.255.0object network rdp-serverhost 192.168.148.105object service rdpservice tcp source eq 3389access-list outside_in extended permit tcp any object rdp-server eq 3389pager lines 24mtu inside 1500mtu outside 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400nat (inside,outside) source static rdp-server interface service rdp rdpnat (inside,outside) source dynamic inside interfaceaccess-group outside_in in interface outsideroute outside 0.0.0.0 0.0.0.0 67.x.x.75 1
View 7 Replies
View Related
May 25, 2012
I have managed to simulate to Cisco ASA's on GNS3 - ASA1 and ASA2. ASA2 is configured as multiple mode to enable contexts while ASA2 has been configured as single mode.
On ASA2 I can assign an IP address to its gigabitethernet interfaces as normal, however I'm unable to assign an interface to the gigabitethernet interfaces on ASA1.
View 2 Replies
View Related
Jun 11, 2013
I'm configuring the nat on a ASA5525 running on 9.1.2 and got 2 questions, 1. Is the below overlap warning message normal and will not cause any issue? 2. Is there a simple way on 8.3 and later to fulfill the same functionality like 8.2 and earlier?
old config on 8.2 and earlier
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 216.19.84.5
[code]....
View 4 Replies
View Related
Jul 21, 2012
I configure the virtual MAC address for a interface on ASA 5520, will enter the following command on the active unit:
failover mac address Inside 0012.3456.789a 0023.4567.89ab
The active MAC address is of the same as the Inside's burned-in MAC address of the active unit.Similarly, the standby MAC address is of the same as the Inside's burned-in MAC address of the standby unit.Do I get the effect of failover mac address command?
View 1 Replies
View Related
Jan 24, 2012
I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4.I was following the instructions in DOC-5704 and ASA 8.0 CLI.I don't have USB security tokens in UC solution, instead I'm using IP phones Cisco 7961 with MIC.I configure all the items as the documentation says but when I restart the phone outside the Firewall, the 7961 don't registrate with the Call Manager.Checking the troubleshooting I found that it's possible certificates problems but I don't know if I need to do something in phones.
I would like to know if there is any consideration when the UC proxy works just with MIC.The outside phone is a Cisco 7961 configured with static IP address and TFTP address of Call Manager (static NAT in ASA).
View 6 Replies
View Related
Dec 18, 2011
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
View 14 Replies
View Related
Jul 27, 2010
I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
I need to use 4 interfaces four data traffic
1- Inside
2- Outside
3- dmz-1
4- dmz-2
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
1- I used the management0/0 for The stateful failover.
2- I used gig 0 for outside
3- I used gig 1 for inside
4- I used gig 2 for dmz-1
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only
View 6 Replies
View Related
Jun 9, 2011
I can't seem to receive emails although I can send them and my prinet is off line. Had an IT guy come out and got me to the internet but he didn't make sure I was receing emails or able to print.
View 1 Replies
View Related
Mar 26, 2011
I've two Cisco ASA 5550 firewall. I'm don't have much knowlege on configuring this kind of firewall. I need configuring these firewall for simple NAT. I have 3 public IP address. I would like to allow server's inside of the firewall to be able to connect to internet using private address. A basic NAT. Also need to configure some port forwarding. We've bought two firewall for the Active/Active failover support. How can i configure this through ASDM? My ASDM version is 5.2.
View 1 Replies
View Related
Jul 9, 2012
I want to configure ad agent on windows server 2008 R2 SP1 with all need patch installed.When i try to connect to DC with adacfg dc list, status is UP. Log ADOBserver's don't show any errors. But when try to do command "adacfg cache list", result - empty. In what may be the problem? Perhaps it is related to the language of the OS?
View 4 Replies
View Related
Jun 10, 2012
I need configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.I have attempted to configure rdp access but it does not seem to be working for me. How to modify my current configuration to allow this? I need to allow the following IP addresses to have RDP access to my server: [code] The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. My configuration file and what are the commands i need in order to put this through. Also, if there are any bad/conflicting entries. Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course.Also the bolded lines are the modifications I made but that arent working. [code]
View 8 Replies
View Related
Jan 12, 2013
1. We have Two 3900 Router on the core layer which are terminated with one ISP on one Router and Secondary ISP on Second Router.
2. Can we configure my ASA 5520 with Active/Standby termenating two IPS providers one on Active ASA 5520 and Other ISP on Standby ASA 5520, so that when Active ISP fail ASA Secondary can become Active and send the Traffic throough Secandary ISP.
3. The reasion behind giveing Public IP on Firewall is to Terminate VPN on our Firewall i.e. SSL and IPSEC VPN.
Few Clarification If we can achive the above:
1. How will the DMZ Servicec nated with my Primary ISP on my Primary ASA will be routed when the Secondary ASA is acting as Active Firewall.
2. Can Web SSL and Client To Site IPSEC VPN users access service via the Secondary ISP- ASA when my Primary ASA and ISP is down.
View 7 Replies
View Related
Sep 25, 2011
I want to restrict outgoing traffic. Currently the deafault any, any IP allows all traffic from the inside to the outside.
So I created some rules to only allow HTTP and HTTPS. First I configured a rule to allow all DNS (TCP 53) traffic out. Then I added a rules to allow HTTP (TCP 80) and secure HTTP (TCP 443) out.
When I apply and try to surf out to the internet from a box on the inside network I cannot. Remove the rules which returns the default any, any IP and traffic flows.
Packet tracer shows that the traffic should flow. And I have had minor traffic flowing but slow.
how to only allow web surfing from the inside to outside using the ASDM (5.1) to configure? I realize this is probably a very simple thing, but I only configure the ASA about once every year!
View 3 Replies
View Related
Sep 20, 2011
One interace is setup as the management interface on a 1 subnet (which is our main network/domain).
Second interace is setup on a 2 subnet (eventually this will be configured to receive incoming/outgoingmail)
I copied most of the settings from our old firewall for testing purposes. I can ping our old email firewall which on 2 subnet from our main subnet (1) successfully.
The only way I can get a successful ping with the Ironprot is to have the management interface hooked into our main network. We don't want this. We do have Ironport firewall and Webfilter setup similar and working fine.Is there someway I can configure this unit to allow both subnets to talk successfully to each other without having the managment interface connected all the time?
View 1 Replies
View Related
Nov 29, 2011
I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.
View 1 Replies
View Related