Cisco Firewall :: Double NAT With PAT RFC 1918
Sep 5, 2011
I have two RFC 1918 domains I wish to connect. Can I use double NAT with PAT so that each domain is represented as one single IP address, with each session a port of that address?
The link is a private point-to-point link with a /32 mask, so could I use this as the PAT address?
View 3 Replies
May 16, 2011
I am using a three interface ASA config (Internet, DMZ, Inside). The DMZ and Inside networks are both RFC 1918 space; however, it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IPs which NAT to the DMZ hosts. In my DMZ network there are two devices - a Web Server and an 802.11 Access Point.
The Web Server is hosting our corporate web site. When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to. A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?
View 1 Replies
Aug 2, 2011
I've recently set up a LAN-2-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel. In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access. The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2. While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only needs to occur for traffic flowing from inside (100) to outside (0).
The following (redacted) addressing applies:
Address of the server on the 3rd party provider network: 192.168.2.155
Mapped address of server as seen on the network at my end: 10.168.2.155
I've currently implemented DNAT using object NAT as follows:
object network remote-server
host 192.168.2.155
nat (outside,inside) static 10.168.2.155
This works as expected. However, in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:
object network remote-server
host 192.168.2.155
object network remote-server-mapped
host 10.168.2.155
nat (inside,outside) source static any any destination static remote-server-mapped remote-server
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario? Are there any technical reasons why using object NAT in this manner should be avoided?
View 1 Replies
May 18, 2011
I am setting up a new ASA running 8.3 and I am having problems with configuring double NATs.
Here is the thing I am trying to solve:
Original Packet
SRC: 1.1.1.1
DST: 1.1.1.10
After it hits the firewall and it comes out on the outside interface I want this:
SRC: 2.2.2.1
DST: 2.2.2.10
Now when I set this up the way I did in 8.0(4) it just ain't working.
All the NAT examples I can find are simple NATs; I have not been able to find an example of a SRC and DST NAT.
View 3 Replies
May 21, 2012
We've never had a problem setting up ASA to ASA or ASA to PIX VPN site-to-site tunnels using RFC 1918 addresses (10.x.x.x usually). Now we have a customer (a hospital) that requires a public non-RFC 1918 address to be presented to them. Since the addresses that we send are routable, they get routed through the internet instead of going through the tunnel. Here's the boilerplate from the customer:
"Important Note: The following information is to be used as a guideline in setting up a VPN connection between XXXX and your organization. Currently, XXXX supports only site-to-site VPNs and all partners MUST present valid registered public IP addresses through the VPN tunnel. XXXX is unable to accept RFC-1918 addresses (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). We do not support PPTP, L2TP, or client VPN connections through a dialer application."
I was able to get a tunnel running between two ASA-5505 units using a public class C address that is currently not routable. How do I get this to work with a routable address? The tunnel will be carrying patient data and is basically a single server to single server link. It needs AES-256 and SHA-5 encryption but that shouldn't be a problem. The hospital is using a PIX, we are using an ASA-5510 with Security Plus license. We also have a couple of ASA-5505 units with base license to test with.
View 1 Replies
May 24, 2012
I have R1 (F0/0: 1.1.1.1) and R2 (F0/0: 1.1.1.2) connected together. Once I applied an ACL at R1 in the inbound direction I lost the OSPF session and the ping between these 2 routers, despite the below ACL config:
acl 101 permit icmp host 1.1.1.1 host 1.1.1.2
acl 101 permit host 1.1.1.1 host 1.1.1.2
acl 101 permit ospf 1.1.1.1 host 1.1.1.2
acl 101 permit ip 192.168.1.0 0.0.0.15 any
R1
int f0/0
ip access-group 101 in
R1 is my main router while R2 is my customer. I gave my customer the block 192.168.1.0/25, so I'm going to implement some security like RFC 1918 and RFC 2827 filtering along with uRPF.
View 2 Replies
Mar 6, 2012
I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is: So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this because normally he sees my 63.117.98.222 address.
View 5 Replies
Oct 27, 2011
I have inherited a Cisco VPN 3005 and need to configure an interesting scenario:
2 LAN-2-LAN tunnels: 1 required an outside IP and has an existing static NAT of 192.168.1.1 -> 12.2.1.1 for 0.0.0.0 as the destination. I now have a need to create a new NAT for 192.168.1.1 to translate to 10.99.1.1 for destinations of 13.3.1.1, 14.3.1.1 and 15.3.1.1.
Is it possible to have the above scenario, or even NAT 12.2.1.1 from the first NAT back to 10.99.1.1?
View 1 Replies
Jun 23, 2011
Facing a problem of double multicast on one of our Cisco 3750 switches. On checking with a sniffer it was found that of the double packets, one packet has the source MAC address of the VLAN and the other packet has the source MAC address of the switch base MAC address.
View 3 Replies
Feb 12, 2011
I bought a router so that me and a few other friends could play StarCraft 2, but I would like to know if I could play a LAN game with NO internet on it?
View 2 Replies
Feb 3, 2013
I want to know how to have a double SSID, but it's forbidden to have a wireless interruption with the WEP which is on my Cisco Aironet 1242AG. I need to have WPA2 in addition to the WEP.
View 2 Replies
Jan 31, 2011
I have 2 LANs in my own PC & 2 Routers (TP-Link WR941N each) with 2 internet accounts (512Kbps each) connected to the same ISP signal & company using NanoStation 5 from ubnt. As you know the connections work separately by default!! (I use Windows 7 64bit) Can I merge them to get double speed (download/upload simultaneously) using reg edit or special software or method?
View 2 Replies
Jan 4, 2012
We just upgraded our SG300 series switches to the new IOS so we can get CLI access. The upgrade went fine but it seems we have two login prompts, the first being completely unnecessary as you can just hit return to get by it. i.e. here is the progression:
1. Connect SSH
2. Receive a "login:" prompt. Anything can be entered here, including just return
3. Login banner is displayed
4. Username Prompt is then displayed. Valid username required
5. Password Prompt displayed - Valid password required
6. Now at CLI
I am trying to get rid of that first login prompt (i.e. step 2) as it is causing issues with our configuration software. I have tried every line and authentication command I can think of; the only thing that gets rid of it is using none authentication, which obviously we can't stay with. How did you get around it?
View 2 Replies
Jan 12, 2011
Is it possible to increase the broadband bandwidth by using a double USB-modem dial-up? I know that we can use a double connection, but not in real time...
View 8 Replies
Apr 26, 2013
This is my Cisco LAB environment used for study but also in production for daily use. I am trying to set up a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working but only as simple PAT and I cannot initiate FTP from the outside. removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and need parts of the config.
View 14 Replies
Sep 30, 2011
I'm currently switching from a certain internet provider to another and I'm forced to get another router. What I wanted to do, since the initial router has to be on the first floor, is have the second one on the top floor closer to my computer, where they would share a dedicated wireless connection between each other, so it would make my connection faster rather than just having my PC connect directly wirelessly to the initial router on the first floor. Is that possible?
View 4 Replies
Jul 11, 2012
I only have access to rather slow connections (256 Kbps). But since I have two lines and two modems, I was wondering if I could bond them together and make a faster one. My main modem is a Linksys WAG120N Wireless-N ADSL2+ Modem Router, which as you can see is also in charge of both wired and wireless networks at my place. The second one is an older D-Link ADSL modem (JUST a modem). Since I have an extra LAN port on my Linksys modem, I want to know if and how I can connect the second modem and combine the two rates.
View 2 Replies
Aug 30, 2011
I'm new to networking (at least at this level) and need some guidance. First, I have an Actiontec MI424WR (Rev. F) Coax Verizon FiOS modem that I use as my home networking wireless router. From a LAN port on that I've connected a cable to the WAN port on my DIR-655 which acts as my gigabit office hard wire/wireless router. I need to keep the home network and the office network separate. All of my computers are Windows, either 7, Vista or XP. Connected to my DIR-655 on the office network are 2 wireless computers, a printer, an IOMEGA 1TB Home Personal Cloud NAS HDD, plus 2 desktop computers. The DIR-655 is set with a static IP address matching the range of the Actiontec. The DIR-655 is set for DHCP for the devices on the network (although 2 of the computers have static IP addresses).
When the DIR-655 had a dynamic IP address set by the Actiontec, the IOMEGA NAS HDD kept losing connection with all the devices on the network. Only after I set the DIR-655 to a static IP did that stop and everybody started to play nice. I'm not sure why that would make a difference, but it did. But regardless of whether it is set to dynamic or static, no computer on the network or program, even third party programs, can connect to ANY of the time servers out there... and I mean any of them. I've tried at least 20 or more of the standard and not so standard ones. The DIR-655's time is off, and it is set to get time automatically. None of my computers, or my IOMEGA NAS, can access time. The Actiontec, though, seems to be set correctly. Everything connects to the internet just fine. Web, email, auto product upgrades. Fine. So far it's just the time server thing which troubles. I've done everything I know how to do to enable port forwarding through both routers for NTP > UDP 123 since that is the standard port for the Network Time Protocol, but I could have easily screwed that up.
View 5 Replies
Nov 1, 2011
On our 6504 - 12.2(33)SXH, we currently have a single connection to our ISP (GI1/1) and want to add another connection (GI1/2). Is there a way to bond the two connections to form a single connection (a single pipe) to double the throughput?
View 3 Replies
Jan 9, 2013
I would just like to double-check a point with the forum on licensing on the 4710 Appliance. If with version 4.2 and above a 2Gbps bandwidth licence is required, what should the output of the sho license status be?
View 1 Replies
Sep 21, 2011
I've a network with 28 computers and 2 servers. Each server has a double Gbit port configured in Load Balancing & Fail Over. Now, I want to buy two Cisco SG 200-26 switches and I would like to know the best way to connect them and if it's possible to interconnect them with more than one cable to share the traffic.
1. Is the following solution a good one (will the link between switches work when computers access the servers)?
2. Is this next solution possible?
View 3 Replies
Oct 12, 2011
I have an HP C5280 printer running wirelessly via a TP-Link wireless print server and D-Link DI-624 wireless router. I can print successfully from either my desktop (which is connected directly to the D-Link router) or either of my laptops (wireless). However, when I select the double-sided print option I get a print error message after re-inserting the odd numbered pages to print the other side of the paper and then clicking 'continue'. Could I resolve this by connecting the printer both directly to the desktop using USB AND leaving it connected via the wireless TP-Link print server? This would enable me to print double-sided from my desktop (as I did before when the printer was only connected via the USB desktop port).
View 1 Replies
Nov 19, 2011
I'm suffering from an annoying problem with my E4200 router. I have a DSL connection. I have my DSL modem in bridge mode and I have my router set up to sign into my ISP's PPPoE to avoid double-routing. This setup worked marvelously with my previous WRT54G and WRT610N routers. Now the E4200 signs me out of PPPoE every ten minutes or so. I have the connection setting on "Keep Alive" but it seems to be dropping the connection regularly. I took the router back and was given a replacement. The new router is doing the same exact thing and now I am beyond the 30 day return limit so I'm stuck with the E4200. I'm running the latest firmware 1.0.03.
I reinstalled the WRT610N and the connection is steady but the WRT610N has its own problems (devices connected via wireless cannot see wired devices and vice-versa). I'd like my new router to actually work properly. I've ruled out errors on my end and given that two brand new units of the E4200 generated the same problem I tend to believe it is a design error.
View 9 Replies
Nov 21, 2011
I have a problem with my home network/internet. I have a working wireless network that I have used for some time now and it works just fine. The problem is that internet restrictions where I live require me to register each unit to the building network before I can gain access to the internet. My caretaker told me today that normally I only should register my primary computer and the wireless router to be able to use the internet freely. However, when a new laptop appears (I have a guest), I can easily connect it to my own wireless, but it can't use the internet, as if it needed to be registered again. I ran out of registration codes and I really would like to have freedom in connection opportunities. The caretaker said that the system gives every registered unit a "fake" IP, so after giving it to my router, all other units connected through that router should have unlimited access. Is my network configured in a wrong way? I don't know how to ask this in a more simple way... I just want to be able to connect a friend's laptop to the net with just my local password, which isn't happening.
View 3 Replies
Apr 22, 2013
I will be implementing a new firewall (Cisco ASA 5515-X) on my existing 3750X (server switches) and my 2960S (user switches). What do I need to apply on my firewall and switches to make the implementation successful? I will put my 3750X as my DMZ and my 2960S as my inside. The 3750X has multiple subnets and so does the 2960S. Which features and technologies do I need to know on those 3 products? My 3750X and 2960S don't have any ACL defined and the most common features are VLAN, switchport, trunking, spanning-tree, stacking, VTP. How does my ASA know that my 3750X/2960S have multiple VLANs? My current connection right now on the 3750X and 2960S is just through 6 ports I assigned as one trunk; below is my config [code]
My 2960S VLANs are almost the same as my 3750X except VLAN 160, 170, 192. But of course when I put this in the ASA, I have to segregate VLANs for the 3750X (192, 100, 110, 160, 170) and 2960S (130, 150). For my 2960S connection to the ASA, and since this will have big bandwidth, I will use 3 ports on my ASA (and trunk them) connecting to my 2960S and I will use 2 ports on my ASA (and trunk them) connecting to my 3750X. The one internet port and my one management port on my ASA will stay like that.
View 2 Replies
Jun 11, 2012
I am able to ping from the switch to the firewall inside IP and the user desktop IP but unable to ping from the user desktop to the FW inside IP. Config is below for both the switch and the FW (Cisco ASA5510).
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
Aug 2, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies
Jun 21, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). Incoming mails are going through a Spam and Virus Blocker, so bypassing SMTP inspection is not a security issue in this case.
View 1 Replies
Dec 28, 2011
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain Windows network. Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains. Here is the setup: I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computers on both domains. I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller, configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search LDAP on domain 2 to no avail.
The Cisco documentation states the following:
"Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains: All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships."
Reading that, it sounds like it should just work.
I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get it to communicate with the lower level domains.
View 1 Replies
Apr 26, 2011
I do have the below setup:
1. I have 6509 switch
2. I have 2 WLC configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) connected with 6509 switch
3. On switch side i have configured the port as Trunk
4. L3 SVI for wireless users are created in 6509 switch (attached the diagram).
I would like to introduce a Cisco ASA 5520 firewall with an AIP-SSM module so that all wireless traffic can be inspected.
The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall?
View 2 Replies
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
Jul 27, 2011
I've been trying to configure Websense URL filtering using the ZFW feature on my Cisco 881G router. The router is running IOS 15.0(1)M with Advanced IP Services, and I have confirmed it supports the urlfilter feature.
This is what I tried to accomplish, but IOS version 15.0x seems to have a different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
View 2 Replies