Cisco Firewall :: InterVLan Routing Not Working With ASA 5512 V8.6

Jan 11, 2013

Configuration of inter-vlan routing on ASA 5512 ver 8.6? I have everything configured (un-nat, access-list, etc.) but still not working. When I do a packet capture, it says the traffic is denied by the implicit ACL. Here is my config:
 
interface GigabitEthernet0/0.100
vlan 100
nameif data
security-level 100
[Code]...

View 7 Replies



Cisco Firewall :: ASA 5512 - SSL VPN Not Working

Nov 10, 2012

I have a windows 2003 server and an ASA 5512
 
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
 
On Friday people were connecting, but now I get a message "Login Error" in the browser. In the ASDM home 'latest ASDM Syslog Messages' I get "AAA authentication server not accessible", followed by two messages: AAA Marking LDAP server in group as FAILED, AAA Marking LDAP server in group as ACTIVE
 
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
 
If I stop my IAS server on my Windows box I get the same error but much more quickly.
 
I have a SonicWall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...

View 5 Replies View Related

Cisco Switches :: SG300 28 Intervlan Routing Not Working?

Aug 28, 2011

I set up the switch in layer 3 mode. I have an access port in vlan 10 and an access port in vlan 20. I am able to ping from vlan 10 client to vlan 20 default gateway (192.168.20.1). I am able to ping from vlan 20 client to vlan 10 default gateway (192.168.10.1). However, I am unable to ping from vlan 10 to vlan 20 client. If both the ports are in the same vlan, then clients are able to ping each other. Proxy ARP is enabled.

vlan 10 client ip info
192.168.10.10
255.255.254.

[Code].....

View 12 Replies View Related

Cisco Firewall :: InterVLAN Routing On ASA 5505?

Apr 20, 2011

I have a Cisco ASA 5505 firewall with Security Plus license. I want to configure 3 different subnets for the inside network: 10.1.x.x, 10.2.x.x and 10.3.x.x, so any PC from 10.1.x.x should be able to ping 10.2.x.x. So my question is: is that possible with the ASA? If yes, then how can I configure it on the ASA 5505? As I know, on the 5510 we can configure sub interfaces and do intervlan routing.

View 4 Replies View Related

Cisco Firewall :: ASA 5510 8.3 - InterVLan Routing With NAT

Aug 10, 2012

I have found multiple solutions to this question for < 8.2 but no solutions for the new way the ASA does nat statements. Basically I have multiple VLANs and I need 2 of them to communicate
 
inside - 192.168.1.0/24 ( security-level 100 )
voice - 192.168.100.0/24 ( security-level 100 )
 
Error I am getting is:
192.168.1.100  192.168.100.100
Deny inbound icmp src inside:192.168.1.100 dst Voice:192.168.100.100 (type 8, code 0)
[Code]....

They are not working, I have found multiple examples for the old style nat statements to resolve this issue but none on the new style.

View 2 Replies View Related

Cisco Firewall :: 5512 Policy Routing Alternative?

Apr 7, 2013

From what I can find the ASA does not support policy routing.
 
I have two VLANs that need to go to the same destination but different routes. Any way to accomplish this on the ASA?

View 1 Replies View Related

Cisco Firewall :: 5510 ASA Cannot Create Sub Interfaces For Intervlan Routing

Apr 8, 2013

I am trying to setup intervlan routing with a Cisco ASA 5510 and two 2960-S switches. The 5510 currently is using ASA Version 7.0(2) and has a base license. I tried to create a sub interface today based on some info I found regarding the routing piece and it didn't recognize the command. I'm thinking I may need to update the IOS code or the license on the firewall. I know the syntax was correct because I looked it up and found it in a Cisco document.

View 15 Replies View Related

Cisco Firewall :: Slow Intervlan Routing On Asa 5510 Route

Jul 21, 2011

In the restructuring of my company network we installed two ASA 5510s in failover for the management of the internal network and DMZ. We configured the ASA in routed mode, we created the sub interfaces for the server, client and DMZ subnets and we connected the firewall to the network. Everything works very well except the intervlan routing. If I try to send or receive a file with any protocol (ftp, http, smb) or if I try to connect with RDP or VNC to a host in a different vlan, the connection goes very very slow. In particular an ftp connection between two hosts goes at 15kb/s. I checked all cables and ports for errors on duplex or speed, and all the uplinks are 1gb and the single client connections 100Mb. I know that the main purpose of the ASA is not doing routing stuff but this behavior is very strange.

View 1 Replies View Related

Cisco Routers :: RV220w Firewall Rules And InterVLan Routing?

Aug 27, 2012

I would like to isolate my wlan from the remaining network but with two exceptions. First, it should be possible to print from all devices in the wlan and second... my notebook should not be isolated.

Therefore I did the following steps:
 
1. Create vlan
2. Set access rules

Basically I blocked any inter-vlan-routing from the wireless vlan. I allowed all traffic from the wireless address range to the printer's ip address. I allowed all traffic from the notebook's ip address to the private vlan.
 
3. Set a static DHCP entry for the notebook
4. Set an IP/MAC binding entry for the notebook
 
For some reason I can reach any ip address from any wireless device.

View 3 Replies View Related

Cisco Routers :: SRP527 - InterVLan Not Working?

Mar 21, 2012

I would like my SRP527 router to manage 2 VLAN. 1 for my whole LAN and employees WIFI connections, another one for external clients to access Internet by guest WIFI SSID.
 
- I have this Cisco SRP527W router acting as a gateway between my LAN and Internet.
- I have a second router used for VPN connections between my LAN and 2 external agencies.
- My LAN is using 192.168.0.0 / 255.255.255.0 network
- External Agence 1 is using 192.168.1.0 / 255.255.255.0 network
- External Agence 2 is using 192.168.3.0 / 255.255.255.0 network
 
The Cisco Router is using 2 VLAN :

-VLAN 1 (LAN port 4 and SSID 1) -> 192.168.0.254 / 255.255.255.0
-VLAN 3 (SSID  2) -> 10.33.0.254 / 255.255.255.0
 
The Cisco router is using 2 static routes :

- Agence 1 : 192.168.1.0 / 255.255.255.0 -> Gateway 192.168.0.249
- Agence 2 : 192.168.3.0 / 255.255.255.0 -> Gateway 192.168.0.249
 
The VPN router for external agencies is using 192.168.0.249 / 255.255.255.0. 
 
When the SRP527W router has intervlan routing enabled, everything is working. I can ping my external agencies. However, external clients using guest WIFI can also ping my internal LAN. Disabling intervlan routing separates VLAN 1 and VLAN 3 properly, but I can't ping my external agencies anymore and I don't know why.
 
Behind my Cisco router :

- 1 HP Gigabit switch (servers, VPN router are connected to it)
- 2 Switches (HP and Accton) both linked to the gigabit switch and where all my clients are connected.
 
No trunk link and vlan are defined on my switches.

View 2 Replies View Related

Cisco Firewall :: QOS By Protocol On ASA 5512-X

Apr 18, 2013

I'm looking to make a possible configuration for a customer. They need a device to provide:
- firewalling
- bandwidth limiting based on protocols, IP, users
- web content filtering
- good reporting to see which device/users are consuming most of the bandwidth.

I used to use Cisco ASA as a firewall but it's been a while since I last installed one and I'm not up to date on its current state. So I thought of using an ASA 5512-X but I'd like to know if it complies with all the requirements, the most important being the reporting and bandwidth limiting capability. It would be great to have some configuration example regarding bandwidth management.

View 1 Replies View Related

Cisco Firewall :: ASA 5512-X 8.6(1)2 NAT Overload

Feb 18, 2013

My colleague and I have been trying to figure out why we are unable to get this ASA to NAT Overload correctly. I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't natting. 
 
ASA Version 8.6(1)2
!
hostname ASA5512-X-Remote
enable password ********** encrypted
passwd ********** encrypted
names
(code)

View 5 Replies View Related

Cisco Firewall :: Configuration Of ASA 5512-X?

May 21, 2013

I have a customer who needs a 5512-X set up with two ports on the "Outside" interface and act like a switch on the outside.  This is very easy to do with the way the ASA 5505 works just by creating vlans and treating the ports as members of the vlan.

View 3 Replies View Related

Cisco Firewall :: ASA 5512-X Getting Documentation

May 14, 2013

I am having some difficulty getting documentation and setup procedures for the new ASA 5512-X (or X models in general) firewalls. I know the IPS sensor is a software-based one, but I'm not sure how much different the setup is than with a 5510 and IPS module.
 
Also, is the IOS upgrade procedure different?

View 2 Replies View Related

Cisco Firewall :: ASA 5512-X Can't Connect To Console

Apr 10, 2013

I'm trying to access our ASA 5512-X via the Management port, but the address https://192.168.1.1/admin can't be displayed.

View 35 Replies View Related

Cisco Firewall :: ASA 5512 8.6(1) Failover Via Management

Jun 9, 2013

I am configuring a brand new pair of ASA 5512s running 8.6(1).  Traditionally we have been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
 
ASA (config-if)# no management-only
ERROR: It is not allowed to make changes to this option for management interface on this platform.
  
I have not been able to find anything in the official documentation mentioning this restriction. 

View 1 Replies View Related

Cisco Firewall :: ASA 5512-X DHCP Backup ISP?

Jun 3, 2012

I installed a new ASA 5512-X over the weekend for a client.  Their backup ISP connection is DHCP based.  I need to use the 'dhcp client route track' command on the interface, but it is not available.  However, according to all the documentation I am looking at, and even the ASDM, it should be available. 
 
This is the version of ASA and ASDM they are running:
 
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
 
I did upgrade to the latest ASA software, so has this command been removed?  If I do a '?' in the interface, there isn't a 'dhcp' option. 

View 2 Replies View Related

Cisco Firewall :: ASA 5512 - Best Way To Setup Identity NAT

May 2, 2013

I'm porting our configuration from a Pix 515 firewall to an ASA 5512x.  What's vexing me right now is with the deprecation of the "static" command, I can't quite figure out the best way to Identity NAT my inside sub nets (multiple) to the DMZ sub net.
 
So on the pix I have my identity NATs as an example: 
static (inside,dmz) <IntSubA> <IntSubA> netmask 255.255.255.0
static (inside,dmz) <IntSubB> <IntSubB> netmask 255.255.255.0
static (inside,dmz) <IntSubC> <IntSubC> netmask 255.255.255.0
 
Cisco's migration guide seems to do them one object at a time, which I guess is straightforward enough to do: 
object network SubA
subnet <IntSubA> 255.255.255.0
[code]...
 
I'm thinking that there must be an easier way (aka less lines) to implement this for all the sub nets I want to Identity NAT to the DMZ. 
1)  Can I do this creating objects using a sub net with a net mask of 255.255.0.0 - one object to cover multiple internal sub nets?
2)  Can I do this using object groups and trim this down to:  (assuming I have the commands right)
 
Object-group network Inside_Subs
     network-object <IntSubA> 255.255.255.0
     network-object <intSubB> 255.255.255.0
     network-object <intsubC> 255.255.255.0
 
nat (inside,dmz) source static Inside_Subs Inside_Subs no-proxy-ARP route-enabled

What would be the best way to translate my Identity NATs?

View 10 Replies View Related

Cisco Firewall :: ASA 5505 InterVLan ASDM / SSH Access

Jun 29, 2012

I am running into an issue that I cannot seem to figure out. I have an ASA 5505 with the Security Plus license. I set up a native vlan where all of my network devices sit, i.e. my wireless access point has an IP of 192.168.3.2, my switch .3. I have no issues managing these devices from any vlan I am on (permitting firewall access rules). When I try to access my ASA via ASDM/SSH, I have to use the gateway of the vlan I am on. For instance, if I am on vlan 10 I have to use 192.168.10.1 for access, if I am on vlan 20 I type 20.1, etc. If I type in 192.168.3.1 I get an error in the ASDM logs that states TCP reset by appliance. This is for any gateway I type except for the gateway of the vlan that I am connected to. I am posting a sanitized config. How can I configure the ASA to permit access via any gateway?

View 3 Replies View Related

Cisco Firewall :: Does The ASA 5512-X Require A Separate HA License

Mar 25, 2013

If you look at the data sheet for the 5512-X the High Availability section states "Not Supported; ActiveActive or ActiveStandby" while the ASA 5515-X states "ActiveActive or ActiveStandby".  What does "Not Supported" mean for the ASA 5512-X?  Does this mean HA does not work, or that I need to purchase an additional license to use the HA feature? 
 
[URL]

View 5 Replies View Related

Cisco Firewall :: ASA 5512 X 2 Outside And 2 Inside Interface / How To Configure

Jun 7, 2013

I have a Cisco 5512 x Firewall connected with a Cisco Layer 3 switch 3750. I have two different WAN connections, one for data and one for voice. The Cisco Layer 3 switch is configured with 2 different VLANs, one for data and the other for voice. The switch is providing DHCP to computers and IP phones. Voice pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20. I need to route my data and voice traffic separately. The Cisco ASA is connected with two different ISPs. So, how can I do this configuration so that voice and data traffic will route separately?

View 7 Replies View Related

Cisco Firewall :: ASA 5512 To 5510 Replacement Benefit

Apr 8, 2013

What is the benefit of replacing 5512 for 5510?

View 1 Replies View Related

Cisco Firewall :: ASA 5512 - Cannot Connect To VPN After License Upgrade

May 1, 2013

I am having an issue where I can't connect to VPN after upgrading the license. The license upgraded is related to AnyConnect VPN. I noticed from the newly upgraded license, the Encryption-3DES-AES is disabled whereas previously it was enabled.
 
ASA 5512-K9
Version 8.6(1)2

View 2 Replies View Related

Cisco Firewall :: ASA 5512 WCCP Configuration With Web Filter

Oct 31, 2012

I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barracuda Webfilter 410 Vx appliance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is running firmware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping each other. The ASA has several interfaces: outside, inside, data and dmz. The PCs and Barracuda appliance are behind the data interface.  ASA data IP 172.16.18.1 Barracuda IP 172.16.18.40   All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda. 
 
Below are the respective bits of my ASA config
 
interface GigabitEthernet0/0
description Management
speed 1000

[Code].....
 
I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1, which is my inside network, and the Barracuda cannot communicate with it.  How can I get this working?

View 3 Replies View Related

Cisco Firewall :: Detailed Documentation On ASA 5512-x And 5515-x?

Aug 7, 2012

where I can find detailed documentation on these two products. Particularly, I am looking for high availability capabilities and any license requirements. 

View 1 Replies View Related

Cisco Firewall :: 5512 - NAT Random Source Address

Jul 4, 2012

I have a problem with random hosts getting the wrong source address on an ASA 5512-X  8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org; it should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate table I can't find anything wrong. Same yesterday with two hosts that are using the right NAT address today.
 
nat (any,outside) dynamic interface.     (5.5.5.5)
object network H-192.168.25.10
nat (inside,outside) static H-6.6.6.6X(code)

View 1 Replies View Related

Cisco Switching/Routing :: 800 / Use ASA To Configure All The Vlans And Intervlan Routing And Access Lists?

Jul 4, 2012

Upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?

View 4 Replies View Related

Cisco Switching/Routing :: Configuring Intervlan Routing Between 2801 And HP Switches?

Aug 5, 2012

I'm trying to configure intervlan routing between a cisco 2801 router and HP/Amer switches.  Using int fa0/1 and subinterfaces I was sure I had it configured correctly, but I cannot ping the default gateways when I place a host in a particular vlan.  Below is what I have configured.
 
HP switch - port 9 connects to fa0/1 on 2801
 ip default-gateway 10.1.100.1
trunk 9 Trk1 trunk
trunk 10 Trk2 trunk - to another switch

[code].....

View 4 Replies View Related

Cisco Switching/Routing :: InterVlan Routing With 3750 And 2960 Switches?

Nov 21, 2012

I am using a 3750 as a default gateway for multiple Vlans on a few 2960 switches. The trunk lines are configured and working and I have assigned ip addresses to each of the Vlan interfaces on the 3750. My issue is that I can only ping the ip address on the Vlan interface of the 3750 if I have a working computer plugged directly into the Vlan on the 3750. I only have 3 vlans on the 3750 that have hosts directly connected (vlans 2, 10 and 40) the other vlans ( 20 and 70) don't have any clients plugged into them on the 3750 but the hosts reside on 2 different 2960s that connect via trunk ports. How do I keep the vlan interface on the 3750 switch pingable when I don't have hosts directly connected in that vlan on the 3750? (yes, I have enabled ip routing on the 3750)

View 5 Replies View Related

Cisco Switching/Routing :: About Intervlan Routing On Catalyst 3750 Switch

Apr 16, 2012

I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net. My switch has 12 ports where my devices connect directly; they are all on Vlan 1 and they all work perfectly. On port 12 I have a dlink router that is connected to a cable modem. The dlink router has an IP address of 192.168.0.20. I created a second vlan (vlan2) and enabled dhcp relay on it. Then I assigned port 9 on the switch to (vlan2). My laptop, which is connected to port 9, seems to get an IP address fine and is able to ping only some devices on my network (vlan1) and is not able to go out to the internet.

View 3 Replies View Related

Cisco Switching/Routing :: 3560 - Access List On InterVLan Routing

Dec 11, 2012

I implemented an access list on a Cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from A to B.
Network A. 10.0.12.0/24
Network B 10.0.24.0/24
 
The configuration is
interface Vlan1
description Data VLAN

[Code].....

View 14 Replies View Related

Cisco Switching/Routing :: ME3400 Boot Loader - Intervlan Routing

Sep 5, 2012

On cisco and am having some issues with intervlan routing. I have followed the vids and manuals but just can't seem to get this working. I have the following network lab set up.
 
Vlan 10 = 10.70.1.9/24
Vlan 20 = 192.168.0.1/24
ME2400 firmware
ROM: Bootstrap program is ME340x boot loader
BOOTLDR: ME340x Boot Loader (ME340x-HBOOT-M) Version 12.2(35r)SE3, RELEASE SOFTWARE (fc1)
[Code]...

View 4 Replies View Related

Cisco Switching/Routing :: InterVLAN Routing On Switch 3750X?

May 22, 2013

My company pay a switch 3750 X. WS-C3750X-24T-E. It uses IP services basically but I failed to configure InterVLAN routing. Why doesn't interVLAN routing work on my switch?

View 10 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved