Cisco Firewall :: Migrate Multiple Static NAT From ASA 7.x To IOS Router?
Feb 24, 2012
I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.
On the PIX515T(804), the packet-tracer output has no Phase 1 route lookup, and both static NATs work fine. May I disable the route-lookup phase on the ASA so that it does not send packets out the wrong interface?
I have a failover pair of ASA5550s running ASDM 6.2(5) and ASA 8.2(2). Originally they were set up with 2 contexts and an admin context, but one of the contexts has now been removed. I would like to migrate to single mode before I patch them to the latest software.
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Will either of these scenarios work (or fail)? I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1:
1. Log into the active/primary ASA
2. Configure multiple context mode
3. Reboot both devices
4. Log into the active/primary ASA
I am setting up a Cisco ASA 5505 for the first time for my organisation; I usually set up Cisco routers. I have 10 static IPs and 6 servers (S-1, S-2, S-3, S-4, S-5, S-6). Traffic should pass through the ASA and be distributed to the destination server specified in the packet. LAN servers can be separated into discrete networks for security, for example a private LAN for internal traffic accessed only via remote dial-in VPN sessions. I want to configure a DMZ for servers S-4, S-5 and S-6 that allows public web traffic.
I have attached my network diagram. I have some questions:
1. Can we configure multiple static IPs on the ASA 5505?
2. If the diagram is wrong, what changes need to be made?
We have a need for an inside address to have more than one static NAT outside address. I know this wasn't possible before 8.3.x code. I still can't quite get it to work with 8.4.x code yet.
Our inside network is 10.17.197.x/24. The current NAT we have in place is 10.21.197.x/24.
We need to add an additional NAT of 10.22.197.x/24, and I also have networks that will need to hit the address with no NAT.
I do know the source networks for each of the three cases:
- From 172.20.x.x I need to hit the inside 10.17.197.x natively, no NAT.
- From 192.168.x.x I need to hit the inside 10.17.197.x with 10.21.197.x NAT.
- From 10.10.x.x I need to hit the inside 10.17.197.x with 10.22.197.x NAT.
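An added example, not taken from the post, of how the three cases above are expressed in ASA 8.3+ manual ("twice") NAT. It assumes the interfaces are named inside and outside and that the three source ranges are /16s; the object names are made up. Static NAT is bidirectional, so a host in 192.168.0.0/16 connecting to 10.21.197.5 is untranslated to 10.17.197.5 on the way in, and 10.17.197.5 appears as 10.21.197.5 on the way out to that range.

```text
object network INSIDE_NET
 subnet 10.17.197.0 255.255.255.0
object network INSIDE_NET_AS_10_21
 subnet 10.21.197.0 255.255.255.0
object network INSIDE_NET_AS_10_22
 subnet 10.22.197.0 255.255.255.0
object network PEERS_172_20
 subnet 172.20.0.0 255.255.0.0
object network PEERS_192_168
 subnet 192.168.0.0 255.255.0.0
object network PEERS_10_10
 subnet 10.10.0.0 255.255.0.0
!
! Manual NAT (section 1) is evaluated top-down. These three rules have
! disjoint destinations, so their relative order does not matter here.
!
! Case 1: identity NAT, 172.20.x.x sees the real 10.17.197.x addresses
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static PEERS_172_20 PEERS_172_20
!
! Case 2: 192.168.x.x sees 10.17.197.x as 10.21.197.x (host octet preserved,
! because both objects are /24s of the same size)
nat (inside,outside) source static INSIDE_NET INSIDE_NET_AS_10_21 destination static PEERS_192_168 PEERS_192_168
!
! Case 3: 10.10.x.x sees 10.17.197.x as 10.22.197.x
nat (inside,outside) source static INSIDE_NET INSIDE_NET_AS_10_22 destination static PEERS_10_10 PEERS_10_10
```

Verify with `show nat detail` (hit counters per rule) and with packet-tracer from the outside, e.g. `packet-tracer input outside tcp 192.168.1.10 40000 10.21.197.5 22`, which should show the NAT phase resolving the destination to 10.17.197.5. Remember that on 8.3+ any access rule on the outside interface has to permit traffic to the real 10.17.197.x addresses, not to the 10.21.197.x or 10.22.197.x mapped ones.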
I am at a loss on configuring a new ASA5505 for multiple static port translations. I would have expected to simply add several service commands to a network object to complete the task; however, the service command overrides the previous one and replaces rather than adds to the translations. [code] However, if entered in that order, the 8443 overwrites the 8080 static translation. What is the correct procedure to establish multiple translations? If someone could also provide the "old" style for the pre-8.2 release, I'd like to compare, because I thought I used to do this with an access-list somewhere.
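An added example (not the poster's configuration) of port forwarding two TCP ports on the outside interface address to one inside host under ASA 8.3+ object NAT, followed by the pre-8.3 equivalent for comparison. On 8.3+ a network object carries exactly one nat statement, so a second nat line on the same object replaces the first; the working pattern is one object per port pair, each pointing at the same host. The host address 192.168.1.20, the interface names and the ACL name are assumptions.

```text
! ASA 8.3 and later: one object, one nat statement, so one object per port
object network SRV_TCP_8080
 host 192.168.1.20
 nat (inside,outside) static interface service tcp 8080 8080
object network SRV_TCP_8443
 host 192.168.1.20
 nat (inside,outside) static interface service tcp 8443 8443
!
! 8.3+ access rules match the REAL address and port, not the interface address
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.20 eq 8080
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.20 eq 8443
access-group OUTSIDE_IN in interface outside
!
! Pre-8.3 equivalent: one static per port; the ACL matches the
! TRANSLATED (interface) address and port
! static (inside,outside) tcp interface 8080 192.168.1.20 8080 netmask 255.255.255.255
! static (inside,outside) tcp interface 8443 192.168.1.20 8443 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any interface outside eq 8080
! access-list OUTSIDE_IN extended permit tcp any interface outside eq 8443
! access-group OUTSIDE_IN in interface outside
```

`show nat` should list both object NAT rules in section 2; `show xlate` shows a port translation for each once traffic has hit it. The `service tcp real_port mapped_port` form also lets the public port differ from the inside one (for example `service tcp 8080 80`) when the same public address must front several hosts.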
I am trying to set up my ASA5510 to fail over to a second ISP when it can't ping three different IPs. I created three different tracks to three different IPs using sla monitor and track rtr. But when I do
the last route replaces the previous two, and only the last route command takes effect. Is there any way I can set up the failover to ISP2 only when it can't ping all three IPs from ISP1?
I want to remove the VPN configuration from the router and put the VPN configuration on a Cisco ASA 5505. The scheme would be ASA5505 (site-to-site VPN) -> 887 -> Internet, for both sites. My problem is that I do not know what IP to put on the outside interface of the firewall. For example, on Site A delete all VPN configuration from the 887 and leave only ATM0.1 point-to-point, put the IP of the loopback (of router 887) on the outside interface of the ASA, and use 85.34.2.XXX as the default route. Right?
We are trying to migrate two stateful Active/Passive ASAs from version 8.0 to 8.4, but many of the ACL rules and NATs no longer work. Must we go through version 8.2? Release 8.4 changes everything and seems to me not too stable; it's best to stay on 8.2 or 8.3!!!
I need to upgrade the compact flash of my ASA 5510 from 256MB to 512MB. A friend's recommendation was to buy a card reader, copy all of the data from the existing card and paste it onto the new compact flash. I have a hard time believing that it's that straightforward.
Any safer, more foolproof way of migrating between flash cards?
I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The Checkpoint firewall has 8 physical interfaces and the ASA 5510 also supports 8 physical interfaces, so this will be a one-to-one swap. At the moment I don't have an ASA 5510 to test my theory, so I am going to throw it out here. The Checkpoint firewall is SPLAT running on a powerful IBM server with 8 dual-core CPUs and 32GB of RAM, and it has 1200 rules with over 120,000 objects and some crazy NATs, but it works, so we will just leave it at that. There is not that much traffic going across the firewall, so there is no need to put in an ASA 5585.
When I use the Cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while the ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer's goal is that at the time of cutover from Checkpoint to Cisco ASA, everything is perfect, meaning that it works like magic.
My question is: can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with the FWSM, but I don't have a 5510 to test.
I am trying to migrate Checkpoint configs to an ASA 5585 using the SCT tool. This tool is asking me to feed it a *.W file from Checkpoint, which is supposed to be a rule definition file on CP, but I can't find it.
We have a backup data center where I am now planning to provide backup internet service (in case there is an internet outage or power outage at the main server room). I have a pair of Cisco ASA 5540s, one of which I need to move to the backup data center (BDC). Presently I have an ADSL router at the disaster server room with a static public IP from the ISP.
Currently I am publishing all my internal resources through the ASA. Now my question: if I move the standby ASA to the disaster server room, how can I publish the same internal resources through the standby ASA and make the standby active during the downtime of the main server room?
I am trying to configure a Cisco 871 router. There are 3 servers on my network that need static public IPs but also still need to communicate on the local network. I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network with that IP, which is working fine. Next I set up static NAT rules for the servers, translating 3 of the remaining public IPs to the internal addresses of the servers. I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP. I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to use static routes? Will that update the next hop's routing table? Do I need to make an ACL to permit any host to the servers? If so, do I use the internal or external address? [code]
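An added example, not the poster's configuration, of the IOS shape this setup takes on an 871: PAT behind the WAN interface address for the LAN, one-to-one statics for three servers, an inbound ACL on the outside interface and CBAC inspection so that LAN-initiated return traffic still gets in. All addresses are assumptions (ISP block 203.0.113.0/28 with the ISP gateway at .1, LAN 192.168.10.0/24). Two points the questions above turn on: on IOS an inbound ACL on the outside interface is evaluated before the inside-destination translation, so it names the public addresses (the opposite of ASA 8.3+, where access rules name the real address); and nothing in the router's own static routes changes what the ISP does with the block, which has to be routed toward, or be on-link with, the WAN interface. IOS answers ARP on the WAN segment for static-NAT addresses inside the connected subnet by default.

```text
! Stateful inspection: return traffic for sessions opened from the LAN
! is allowed back in past the explicit deny at the end of OUTSIDE_IN
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Who gets PAT'd behind the WAN interface address
ip access-list extended NAT_INSIDE
 permit ip 192.168.10.0 0.0.0.255 any
!
! Inbound from the Internet: checked BEFORE the translation, so the
! destinations here are the PUBLIC addresses; only published ports are open
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.3 eq 443
 permit tcp any host 203.0.113.4 eq 443
 permit tcp any host 203.0.113.5 eq 25
 deny   ip any any log
!
interface FastEthernet4
 description WAN, first usable address of the ISP block
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect FW out
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT for the general LAN
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
!
! One-to-one statics for the servers. They keep their private addresses
! for LAN traffic; the router proxies ARP for .3/.4/.5 on the WAN side.
! Static entries take precedence over the overload rule for these hosts.
ip nat inside source static 192.168.10.11 203.0.113.3
ip nat inside source static 192.168.10.12 203.0.113.4
ip nat inside source static 192.168.10.13 203.0.113.5
```

`show ip nat translations` should list the three statics permanently (no port fields) and the overload entries as they are created; `show ip nat statistics` confirms which interfaces are inside and outside. If a traceroute from the Internet to 203.0.113.3 dies at the ISP's hop while one to 203.0.113.2 completes, the block is not being routed to you, which only the ISP can fix.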
Is it possible to have 2 IP addresses on the WAN and set up specific routing rules for each IP? Or do I need to use another router for that, and if so, which one?
I am fairly new to the Cisco world and aim to take my CCNA in the coming months. I am now working with a customer who has several Cisco 857s (UK PPPoA ADSL over POTS). They have SonicWall firewall VPN devices that need one block of 8 static IP addresses from the ISP at each site. The current configurations use the network address on the VLAN interface and use static NAT to a private IP address to connect to port 23 on the VLAN interface. Why would you set up the router this way? I thought that from a block of 8 IPs the first would be the network address and the last the broadcast address, with one for the router (on the VLAN interface), leaving 5 usable for the hosts attached to the Ethernet ports on the VLAN.
I have 8 RVS4000s to build a test system with. On each side of the network are 2 servers, both with 2 NICs. Both are on different /24 networks.
The idea is to simulate a WAN link, with the RVS4000s G1 and G2 running in "Gateway" mode to simulate the WAN. All other RVS4000s will be in Router mode (R1, R2, etc.). All networks are in the /24 range. As I understand it, the RVS4000 CANNOT take 2 diverse networks on the LAN side, i.e. 192.168.168.1 and 10.1.1.1 on the LAN side. The NICs on the server only need to communicate with the similar type of addresses on the other side: 192.168.168.1 on server 1 to 192.168.170.2 on server 2, but NOT 192.168.168.1 to 10.1.2.1 on server 2. The G1 and G2 link is so that all communications are routed over this link, as a testing point.
So, my questions are these: 1) Will this work? Is there any easier way of doing this? (Bear in mind this is the only equipment I have to do this.) 2) Will the static routing I have thought of work? (see below)
I know using the RVS4000's built-in RIP may be easier, but I've never configured RIP routing. As this is a test environment, static routing would be enough to get it going. No security lockdown is required; all I'm trying to enable is for the servers to communicate with each other (NIC 1 on both servers, e.g. 10.1.1.1 on server 1 to 10.1.2.1 on NIC 1 of server 2, and NIC 2 on server 1, 192.168.168.1, to NIC 2 on server 2, 192.168.170.1). The 10.1.x.x networks do NOT need to talk to the 192.168.x.x networks. The G1 and G2 link is just for testing, but all communications must pass through it and be routed to their relevant networks on the other side.
I've got a server that is connected to the network through one physical Ethernet adapter. From my ISP I got 4 static public IP addresses, one of which is in use on the host server itself and the remaining three each on a virtualized server. All 4 servers are running on the same machine. Everything is running smoothly; however, I need to do some bandwidth management and port mapping, which is why I bought a ZyWall USG20, thinking it would be perfectly capable of doing what I need. Is it possible, with a ZyWall USG20, to have all four of my IP addresses forwarded to the one physical machine, and apply some bandwidth shaping and port mapping to it?
If I configure multiple static RPs and one of the ACLs denies a source, will it move on to the next entry that covers it in another ACL? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239. Will that work correctly, i.e. if a source is trying to register with the router for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
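An added example, not the poster's configuration, of two static RPs with non-overlapping group ranges in IOS. Each `ip pim rp-address` only claims the groups its own ACL permits; a group a given ACL denies or does not match simply makes that RP a non-candidate for the group, and the router goes on to the other rp-address entries. Writing the ranges so they are disjoint, as below, means no entry has to rely on a deny in another entry's list. The RP addresses are the ones from the post; the ACL names are made up.

```text
ip multicast-routing
!
! 224.0.0.0 - 238.255.255.255 expressed as four prefix ranges
! (224/5, 232/6, 236/7, 238/8) so that nothing in 239/8 is matched here
ip access-list standard RP1_GROUPS
 permit 224.0.0.0 7.255.255.255
 permit 232.0.0.0 3.255.255.255
 permit 236.0.0.0 1.255.255.255
 permit 238.0.0.0 0.255.255.255
!
! 239.0.0.0/8 only
ip access-list standard RP2_GROUPS
 permit 239.0.0.0 0.255.255.255
!
ip pim rp-address 1.1.1.1 RP1_GROUPS
ip pim rp-address 2.2.2.2 RP2_GROUPS
```

`show ip pim rp mapping` lists each static RP with the ACL it is bound to, and `show ip pim rp 239.1.1.1` should return 2.2.2.2 while `show ip pim rp 224.1.1.1` returns 1.1.1.1. If a dynamic mechanism (Auto-RP or BSR) is also running, the `override` keyword on `ip pim rp-address` makes the static entry win for its groups.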
I am trying to configure a BT Business ADSL router (BT2700HGV) to work in bridge mode in front of a Cisco RV120W router and cannot get this to work. I have followed numerous posts I have come across on configuring the BT router for bridged mode, and it has been configured as follows:
ATM Encapsulation - Bridge LLC
DSL and ATM - VPI=0, VCI=38 (also tried VCI=35)
ATM PVC Search - Disabled
Connection Type - Direct IP (DHCP or Static)
Disable Routing - Yes
There are also some other options on the same configuration page for 'Broadband IP Network' (which I have left on DHCP) and a 'Public IP' which has been left blank. Setting the above options removes the LAN DHCP configuration and the PPPoA logon details and sets the internal IP address of the BT router to 192.168.1.254.
My understanding of 'Bridge' mode is that this router will now act simply as a modem, and configuration details such as logon details and WAN IP address information are configured on the Cisco RV120W router? The configuration of the Cisco router is as follows:
Internet Connection Type - PPPoE
Username and Password set
Authentication Type - Auto-Negotiate (options here are PAP, CHAP, MS-CHAP and MS-CHAPv2)
Routing Mode - Router (the other option is 'Gateway (NAT)'; I have tried both options)
The WAN interface on the Cisco router is connected to one of the LAN ports on the BT router. The 'Broadband' light is on on the BT router but the 'Internet' light isn't. The WAN status on the Cisco router is 'Connecting'. I am sure I am missing something simple. We have been assigned a range of static IP addresses from BT, so I am trying to get these working too (x.x.x.24/29, 5 usable statics). Another option available (other than PPPoE) for configuring the WAN interface on the Cisco router is 'Static IP'; I'm not sure if this is the correct option, but I have tried messing with it. I have tried assigning a static IP from the range given to us (.30, the router address specified by BT) along with the subnet mask, but I don't know what to put as the default gateway. Would this be the peer address (which I assume would change anyway)? In any case, the 'Static IP' option does not give an option to supply the BT logon details, which I assume are required?
In bridged mode, what is the peer address assigned to, the BT router or the Cisco router? Does the BT router need to be configured with a public IP address?
Is there any way to have my Cisco 877W router switch from using one static route to another static route when another router on the network is reporting destination host unreachable?
Router 1 (192.168.2.253)
  Dialer0 -> PPPoE to internet
  Vlan1 -> local 192.168.2.0/24
Router 2 (192.168.2.254)
  Dialer0 -> PPPoE to managed VPN (172.16.28.1)
  Vlan1 -> local 192.168.2.0/24
Router 2 is connected to another network through a managed VPN and that network also has internet access. I want to be able to have two routes to the internet on Router 2. And when Router 1 internet goes down packets get routed through the VPN instead.
I currently have on Router 2
ip route 0.0.0.0 0.0.0.0 192.168.2.253
ip route 10.0.0.0 255.255.255.0 Dialer0
ip route 0.0.0.0 0.0.0.0 172.16.28.5 250
which does nothing when Router 1 has its Dialer0 interface shut down or goes offline completely. I suspect I could reverse the setup and have everything routed through the VPN by default and then, if/when the Dialer0 interface goes down, it would switch to using Router 1; but if the problem is in the remote network and interface Dialer0 stays up, it would probably do the same thing... nothing. All devices mentioned are Cisco 877W routers with ADSL and a bunch of Fast Ethernet interfaces.
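An added example, not from the post, of the IOS mechanism that makes a static route depend on reachability rather than on interface state: an IP SLA ICMP probe, a `track` object bound to it, and a default route that is only installed while the track is up, with the poster's floating static via the VPN as the fallback. A floating static alone never takes over here because the route to 192.168.2.253 is a connected next hop that stays valid as long as Vlan1 is up, whatever happens beyond Router 1. The probe target 192.0.2.1 is a placeholder (use an address you are allowed to ping); the timers are assumptions. The `ip sla` / `track ... ip sla` syntax shown is the one in 12.4(20)T and later; older 12.4 images spell it `ip sla monitor` / `type echo protocol ipIcmpEcho` and `track 1 rtr 1 reachability`.

```text
! Ping a public address every 10 s, sourced from the LAN side of Router 2
ip sla 1
 icmp-echo 192.0.2.1 source-interface Vlan1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object goes down after 15 s of failed probes and needs 30 s of
! success before it comes back, to stop flapping on a single lost reply
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target through Router 1. Without this, once the default
! route has moved to the VPN the probe would succeed over the VPN and the
! track would come back up, pulling the default route straight back
ip route 192.0.2.1 255.255.255.255 192.168.2.253
!
! Default via Router 1 only while the probe succeeds; VPN path as backup
ip route 0.0.0.0 0.0.0.0 192.168.2.253 track 1
ip route 0.0.0.0 0.0.0.0 172.16.28.5 250
ip route 10.0.0.0 255.255.255.0 Dialer0
```

`show track 1` shows the current state and the time of the last change, `show ip sla statistics 1` the probe results, and `show ip route 0.0.0.0` which of the two defaults is installed. This covers the case the post describes where Router 1 stays up on the LAN but its Internet is gone: the probe fails, the tracked route is withdrawn, and the AD 250 route via the VPN is installed until the probe succeeds again.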
Doing a migration. During a comparison of "show bgp nei x.x.x.x advertised-routes" between the existing C7600 and the new ASR9K, I found that some r>i (RIB-Failure) routes on the C7600 aren't flagged with r>i on the ASR9K. Is this normal behaviour on the ASR9K? How can I preserve r>i on the ASR9K? Is this due to my IGP (e.g. AD etc.) or an ASR9K IOS-XR hidden/default config issue?
I've got an RV180W for my office, and so far it has been great. I have two users that use a certain application that crashes all the time. For some reason, they don't crash when put into the DMZ. Is there any way i can put both of them in the DMZ? I can only figure out how to have one host in the DMZ at a time.
There is a PIX firewall and it has this configured on it:
static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0
This line works OK for port 3389, but I want all TCP ports to be translated, not just 3389.
I need to create a firewalled segment that not only separates hosts from the general population but also from each other: the solitary confinement of firewalled segments. I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible: 1) it could become a management nightmare between ACLs and sub-interfaces, and 2) it's a waste of IP addresses. Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
Any "best practices" or recommendations on how to migrate from a fixed router (3745) to vlan routing on Catalyst 4507 switches in order to minimize the disruption to the network.
Based on the network object below, I am looking for confirmation that it is good practice to use this NATted object in my ACL applied incoming to the inside interface, rather than having another object specifically for the object My_PC. I have tested it and it does work; however, this is my preferred option rather than having to create 2 objects, one for the host and one for the NATted host.
ASA(config)# object network My_PC
ASA(config-network-object)# host 192.168.33.2
ASA(config-network-object)# nat (inside,outside) static 209.165.201.2
The order in the older IOS was nat 0 then static. With the new IOS, how is the static NAT treated if I have a nat (inside,outside) source static? Now I need to do some static one-to-one NATs for some servers in the same subnet as the no-NAT.
It's a basic configuration where I have my server on the inside network (172.16.0.7), which I want to be NATted to the public IP 195.44.148.53.
I tried to add an access-list in the ingress direction on the outside interface to permit traffic from any to the public IP 195.44.148.53, but it's still not working.
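An added example (not taken from any of the posts) that ties together the last three posts and the earlier PIX one about `static (inside,outside) tcp interface 3389 ...`: a full one-to-one static on ASA 8.3+ with object NAT, the access rule that goes with it, and the pre-8.3/PIX equivalent. Two facts drive it. On 8.3+ the access rule on the outside interface matches the real (untranslated) address, so a rule permitting traffic to 195.44.148.53 never matches; the network object describes the real host, which is why reusing the same object in the nat statement and in the ACL is the normal pattern rather than a shortcut. And on any version, a static for all ports needs a public address other than the interface address; the interface address itself can only be port-forwarded. Addresses are those in the posts; interface and ACL names and the port are assumptions.

```text
! ASA 8.3+ : object NAT. The object IS the real host, so it is reused in
! the ACL, and the ACL is written against the real address
object network SRV_INSIDE
 host 172.16.0.7
 nat (inside,outside) static 195.44.148.53
!
access-list OUTSIDE_IN extended permit tcp any object SRV_INSIDE eq 443
access-group OUTSIDE_IN in interface outside
!
! Check from the CLI: the UN-NAT phase should resolve the destination to
! 172.16.0.7 and the ACCESS-LIST phase should report ALLOW
! packet-tracer input outside tcp 203.0.113.9 40000 195.44.148.53 443
!
! Pre-8.3 / PIX equivalent: all ports, dedicated public address, ACL on the
! translated address. For the RDP post, substitute 192.168.1.250 and a spare
! public address; "interface" cannot be used in this all-ports form
! static (inside,outside) 195.44.148.53 172.16.0.7 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any host 195.44.148.53 eq 443
! access-group OUTSIDE_IN in interface outside
```

On 8.3+, `show nat` places this object NAT rule in section 2, after any manual `nat (inside,outside) source static ...` rules in section 1, which is the answer to the ordering question above: the section 1 identity (no-NAT) rules are matched first, and a host that matches none of them falls through to its object NAT static. `show xlate` then shows the static as a permanent translation with no port fields.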