Cisco Firewall :: Dual ISP And Inbound NAT ASA5505 8.2
Oct 30, 2012
I have set up an ASA5505 running 8.2 with dual ISPs.
The primary link is the current live static route out and the backup picks up if the primary fails. That all works great. However, I have an issue with inbound NAT rules.
I have configured an inbound static on the primary which works great:
static (inside,primary) *.*.*.* 10.1.1.1 netmask 255.255.255.255
access-list outside_access_in line 2 extended permit tcp any host *.*.*.* eq 3389 (hitcnt=4)
Question: with the primary link active and the default route pointing out through the primary, am I able to configure an inbound NAT to the same inside host 10.1.1.1 on the backup link?
If the primary fails, users will need to be able to connect inbound to this service.
When I try to set it up I get this error: ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
So I tried that and got this error: WARNING: All traffic destined to the IP address of the backup interface is being redirected. WARNING: Users will not be able to access any service enabled on the backup interface.
So what is the best practice for configuring inbound NAT for a dual-ISP configured ASA?
Dec 29, 2011
I am trying to configure my ASA5505 to allow SMTP relay and the ACL/static I created is not working.
Dec 26, 2011
I’m trying to configure my ASA 5505, in order to allow my inbound and outbound mail communications. Here with this mail I’ve attached a diagram which illustrates my exact network setup along with ip addresses.
In this setup I’ve enabled port forwarding on my ADSL router (port 25 and 110) and configured the ASA accordingly, and my mail server is located inside my network.
My problem is that currently I can send mail from my inside network to the outside but I am not receiving any mail which originates from outside. I've attached my current ASA configuration as well.
Final config on ASA5505
hostname Cisco
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.155.201 255.255.255.0
[Code] ......
Oct 1, 2010
For the purpose of redundancy, in case the primary ISP goes down the backup kicks in. Can this be done with the Base license (max 3 VLANs) or do you need to have the Security Plus license (20 VLANs)? Currently not using the 3rd VLAN (dmz).
Jun 3, 2012
I have a site with an ASA5505 and 2 ISP connections, but the catch is the 2 ISPs are giving me a dynamic IP so I am unable to use this [URL]
Apr 6, 2013
I have a working L2L between two locations. Location A and Location B.
Location A: 172.16.16.0/24
Location B: 192.168.0.0/24
I would like to block anything inbound to Location A from Location B that isn't initiated from Location A. The block should be done on the ASA5505 at Location A. Location B uses an ISR G2 router. I.e. Location A can start an SSH session to a server in Location B; Location B cannot start an SSH session to a server in Location A.
I tried using a VPN filter on the ASA5505 but it isn't stateful; I cannot pass any traffic when using it.
Config on my ASA:
access-list vpn-traffic extended permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0
[Code]....
I also have an AnyConnect VPN setup for the ASA5505 and it is running 8.2(5).
Nov 17, 2011
I have an ASA 5505 with the Security Plus license running 8.4 and 6.4.5 software. I have a fully working VPN solution on there using an ISP IP; it works fine. My boss wants to split the lines/bandwidth to another ISP we have coming into the office. So what I want to achieve, if possible, is this: say my current ISP is 5.5.5.5, my internal network is 192.168.2.x and my other ISP is 6.6.6.6. Is it possible to use the ASA to accept VPN clients from both ISPs and use the internal network?
Sep 18, 2011
I have a problem with dual ISP + IPsec on my Cisco ASA5505 with Security Plus licence. Routing is working correctly (connecting to the Internet from site A works through the 1st and also the second ISP), but IPsec is working only through the first ISP! It seems that phase 1 and 2 of IPsec are correct, but packets are only being encrypted, not decrypted.
I'm trying to ping from site A (PC - 10.4.1.66) to site B (PC - 10.3.128.50).
Config site A:
##########################################################################
ASA5505 Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
[code]....
Jun 18, 2008
I have two ISPs and I want to channel specific traffic out of an interface based on traffic type. Will the ASA 5505 security bundle allow me to route specific traffic out through a specific interface?
Jul 1, 2012
I've been searching the net for days now trying to configure the ASA5505 for dual DHCP ISP use. All available guides assume you have one static.
After realizing that it required a Security Plus license to even configure 3 VLANs, I can choose a backup interface in ASDM. It even says dual ISP enabled. Why can't there be a guide or simple configuration example, or am I the only one looking for this kind of solution?
The customer has two ADSL Internet connections and wants to switch between them if they fail. No load balancing required.
Jun 7, 2011
I'm trying to set up a S2S VPN between two ASA5505 SP units running ASA Version 8.2(1). I've ordered additional ADSL2 lines to handle this traffic and I'm having trouble with the configuration for the additional PPPoE connection. Here are extracts from my current config; first the interface VLANs:
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
[code]....
The result is that I can ping the OUTSIDE interface, but get no reply from the VPN interface. I've checked the ADSL lines; they are up. The two PPPoE sessions are logged in and active. I can even see the ICMP packets hit the VPN interface, but there is no reply.
Apr 25, 2012
Trying a simple Easy VPN connection and getting the following in the error logs:
Built inbound UDP connection 684 for outside:xx.xx.xx.xx/1106 (xx.xx.xx.xx/1106) to identity:xx.xx.xx.xx/500 (xx.xx.xx.xx/500)
Aug 6, 2012
I am trying to set up an inbound NAT on an ASA5510 running 8.4 code.
object network obj-192.168.1.2
host 192.168.1.2 (internal web server)
object network NAT-external IP
host ** external IP **
object network NAT-external IP
nat (outside,inside) static 192.168.1.2 service tcp https https
access-list outside_access_in extended permit tcp any host 10.2.0.10 eq https
This seems to be set up now:
sh nat
2 (outside) to (inside) source static NAT-*.*.*.* 192.168.1.2 service tcp https https
translate_hits = 0, untranslate_hits = 0
sh access-l
access-list outside_access_in line 2 extended permit tcp any host 192.168.1.2 eq https (hitcnt=27) 0x59383a04
When I try to connect to the external IP using https I get hits on the access list; however, the NAT translate hits do not go up. Do I need to allow the 192.168.1.2 server back out again?
Apr 20, 2013
I have a 2621 router - old, but works well. I need to put in an ACL to limit the inbound SMTP traffic to be FROM a specific set of IPs, and deny all others.
I have tried various combinations with no luck. Something obvious, I am sure.
When I do a show access-lists 160 it shows all SMTP traffic being snagged by the SMTP deny statement. All other traffic works correctly.
Here is my config so far...
Current configuration : 3093 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxxxxx
!
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip subnet-
[Code] ....
Jan 30, 2012
I know I can use the RTR statement to determine when the primary ISP circuit goes down via this technote: url... My question: can I assign static NATs on the backup ISP connection to the same inside servers in the DMZ? Example: 10.1.1.11 is mapped to ISP1 external IP 65.217.77.11. Can 10.1.1.11 also be mapped to ISP2's 208.217.77.11? This way I can get my DNS changed and my inbound traffic to servers in my DMZ on the ASA 5510 running 8.0.3 code can continue to receive inbound traffic.
Jun 1, 2011
I have an ASA 5510 and a public FTP server from my local network on an external IP address, with static NAT translation. All works, but I need requests to the FTP server to come from the internal ASA interface (I need to use a gateway different from the ASA). How do I configure the ASA for forwarding the requests?
Feb 26, 2012
I have been asked to create an inbound connection on the ASA from the Internet to a part of the network that is accessible over the wide area network, e.g.:
- Internet address 94.175.x.100 goes to 151.5.3.100,
- The internal network is 10.42.15.0/22, and connects to the 151.5.3.0/24 network over a private MPLS.
Is this possible with the ASA5510 and if so can you give me a clue how to pass the traffic?
Nov 7, 2012
I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?
Oct 6, 2011
I configured an ASA 5505 a couple of weeks ago. Everything is working properly except it sends irritating messages to the syslog server. Here is an example of the message:
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/252 flags PSH ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/2252 flags ACK on interface outside.
Dec 18, 2011
I have successfully been able to allow outbound access from inside hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is configure access to certain inside hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
May 31, 2011
Last night I switched out our old Cisco PIX 515 with an ASA 5505. The config is the same and Internet and outgoing mail are working, but no mail is coming in. Below is a copy of my config. Why is my inbound mail not coming in?
smtp 192.168.51.248 (Barracuda email filter)
pop3 192.168.50.11 (Exchange server)
Tried to telnet into the firewall but the connection timed out. Went to MXToolbox and that also timed out while trying to connect to SMTP. A port scan from MXToolbox timed out too on all ports.
[Code] ........
May 12, 2011
How do I set up port forwarding for inbound SSH?
The outside interface on the ASA is on DHCP. I have a single dynamic public IP from my ISP. The inside interface provides Internet access for the network using NAT.
I have a server on the internal network with an IP of 192.168.0.6 and I would like to access this via SSH (TCP port 22) from outside.
I've been able to do this in the past on a PIX with a static public IP block, but I'm new to ASA and I don't know how to do it with PAT.
Current running config attached for what it's worth, but it's pretty basic at the moment.
Nov 20, 2011
I'm running a Cisco ASA 5510 with version 7.2(3) and I've been tasked with permitting some inbound & outbound TCP & UDP ports to/from a specified address space on the internet.
In looking at my current ASA config I see other access lists already configured so I'm assuming I can just set up a new access list in similar fashion, but I wanted to verify here first.
Jun 24, 2012
I have 2 Cisco routers that reside on the same interface on a Cisco ASA. For security reasons, on both of the routers I have configured the default gateway to be the ASA interface, then static routes between them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface; maybe this is the issue?).
ASA-3-106001: Inbound TCP connection denied from flags SYN
There is an access list allowing traffic between them but the hit count is 0.
Oct 18, 2011
I need to allow ports 18082 and 18086 inbound to one of my internal servers. I know how to create a static NAT rule but I don't know how to only allow those two ports. I don't want to open the server to all ports. This is what I am doing via ASDM v6.1:
Configuration - NAT Rules - Add - Add Static NAT Rule
Original
Interface: inside
Source: my internal IP address
Translated
Interface: outside
Use IP Address: my available external IP address
Now under PAT I assume that's where I put the ports, so I check Enable and select TCP. Then I enter 18082 in both the Original and Translated Port boxes. I tried adding 18086 by entering 18082-18086 or with a comma as a separator but it doesn't allow it and spits out an error saying that the format is incorrect.
Click [OK].
Now is that how I add a single port to forward to my internal server? Do I need to create another Static NAT Rule including the second port of 18086?
Apr 5, 2013
I have an RV110W that's been in service since Dec 2012. Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (power off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly.
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
Feb 5, 2013
I need to configure the following on my PIX:
- TCP port 2195 - outbound
- TCP port 2196 - inbound
How would I configure this via ASDM?
Nov 22, 2012
I have upgraded an ASA 5505 to 9.0(1) as I would like to use the IPv6 version of dhcprelay. That said, I am unable to obtain a global unicast address, but the link-local address is able to communicate with the ISP's gateway/DHCP provider, which I hope will allow v6 dhcprelay to provide internal clients with IPs from the ISP. The trouble is, unsolicited inbound ICMPv6 messages from the ISP's gateway are being dropped on the way into the outside interface.
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
[Code]...
Nov 5, 2012
Trying to allow inbound access from any host outside to my LAN server on port 995. [code]
Feb 28, 2012
I have a weather station at our high school that needs UDP port 9500 open inbound/outbound to specified IP addresses.
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)57
Dec 1, 2012
Set up firewall rules that will block all inbound Internet access to the web server except port 443, and set up firewall rules that will block all communication between the two internal networks, except ports 7000 and 1702.
Feb 24, 2011
I have a normal setup of an ASA5505 (without the Security Plus license) connected behind an Internet router. From the ASA5505 console I can ping the Internet. However, users behind the firewall on the internal LAN cannot ping the Internet even though NAT is configured. The users can ping the inside interface of the firewall, so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not getting any hit counts at all when users are trying to reach the Internet.
When I replace the ASA5505 with a router with a NAT overload configuration on it, the setup works normally and users are able to browse the Internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....