Cisco Firewall :: Multiple Static NATs With ASA 8.4.X Code
Mar 12, 2012
We have a need for an inside address to have more than one static NAT outside addresses. I know this wasn't possible before 8.3.X code. I still can't quite get it to work with 8.4.X code yet.
Here is what I had with 8.2 code.
static (inside,outside) 10.21.197.0 10.17.197.0 netmask 255.255.255.0
our inside network is 10.17.197.X/24. the current NAT we have in place is 10.21.197.X/24.
we need to add an additional NAT of 10.22.197.X/24 and I also have networks that will need to hit the address with no NAT.
I do know the source networks where I need each of the three cases:
from 172.20.X.X I need to hit the inside of 10.17.197.X natively, no NAT.
from 192.168.X.X i need to hit the inside of 10.17.197.X with 10.21.197.X NAT
from 10.10.X.X I need to hit the inside of 10.17.197.X with 10.22.197.X NAT
View 2 Replies
ADVERTISEMENT
Jun 28, 2011
I am just designing a solution where a FWSM consists of 2 contexts initially and has a shared outside interface pointing to the 6500 switch. There are 3 subnets connected to each of the FWSM contexts. So if anyone wants to access these 6 subnets then a route would be needed pointing to the interface vlan of the shared interface on the switch. But that would not be enough to access the subnets.. I am sure we have to define static NATS to point them to the right context where these subnets reside.
The FWSM is running version 3.x code So say 1.1.1.0(shared), 10.10.0.0(inside1), 10.20.0.0(inside2) and 10.30.0.0(inside3) reside in Context 1 and 1.1.1.0(shared), 20.10.0.0(dmz1), 20.20.0.0(dmz2) and 20.30.0.0(dmz3) reside in Context 2 in each of the context we would have to make three static NATS
static(inside1,shared) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static(inside2,shared) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static(inside3,shared) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
The same would go for context 2 as well
static(dmz1,shared) 20.10.0.0 20.10.0.0 netmask 255.255.255.0
static(dmz2,shared) 20.20.0.0 20.20.0.0 netmask 255.255.255.0
static(dmz3,shared) 20.30.0.0 20.30.0.0 netmask 255.255.255.0
By creating these NAT statements, would the outside users be able to access the subnets residing in the context?
View 1 Replies
View Related
Jun 10, 2011
I am setting up a Cisco ASA 5505 first time for My organisation, I usually setup Cisco Router, I have 10 Static IP, & Have 6 Server (S-1, S-2, S-3, S-4, S-5, S-6), Traffic Should be pass through the ASA and is distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions and Want to Configure DMZ for Server (S-4, S-5, S-6) that allows public web traffic.
I have Attached My Network Diagram I have some question,
1:- Can we Configure Multiple Static IP On ASA 5505 ?
2:- If Diagram is wrong what change need to be done ?
View 2 Replies
View Related
Feb 24, 2012
I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.
[code]...
View 2 Replies
View Related
Aug 15, 2011
I am at a loss on configuring a new ASA5505 for multiple static port translations.I would have expected to simply add several service command to a network object to complete the task, however, the service command overrides the previous and replaces rather than adds to the translations. [code] However, if entered in that order the 8443 overwrites the 8080 static translation.What is the correct procedure to establish multiple translations? If someone could also provide the "old" style for pre 8.2 release, I'd like to compare because I thought I used to do this with an access-list somewhere.
View 4 Replies
View Related
May 15, 2013
I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do
route isp2 0 0 yy.yy.yy.yy 50
route isp1 0 0 xx.xx.xx.xx 31 track 1
route isp1 0 0 xx.xx.xx.xx 32 track 2
route isp1 0 0 xx.xx.xx.xx 33 track 3
the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?
View 1 Replies
View Related
Nov 1, 2011
I have 2 xboxs, 1 is wired and one has the microsoft adapter for wireless.. I have been searching tons of forums to try to solve this issue, and I'm at my end if it! I really need both my nats open, so far I can get 1 nat open while the other one is strict. I have a Cisco DPC3825.
View 1 Replies
View Related
Mar 13, 2012
I am trying to configure a Cisco 871 router.There are 3 servers on my network that need static public IPs but also still need to communicate on the local network.I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network with that IP which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP.I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to use static routes? Will that update the next hop's routing table? Do I need to make an ACL to permit any host to the servers? If so, do I use the internal or external address? [code]
View 2 Replies
View Related
Oct 16, 2012
Is it possible to have 2 IP addresses on wan and setup specific routing rules for each IP ? Or do I need to use another router for that and if which one ?
View 4 Replies
View Related
May 7, 2011
I am fairly new to the Cisco world and aim to take my CCNA in the coming months.I am now working with a customer who has several Cisco 857 (UK PPPOA ADSL over POTS)The have sonicwall firewall VPN devices that needs to have one block of 8 static ip addreses from the ISP at each site.The current configurations use the network address on the VLAN interface use Static NAT to a private IP address to connect to port 23 on the VLAN interface. Why would you set up the router this way?,I thought that from a block of 8 IPs the first would be the network address the last the broadcas address, one for the router (on the VLAN interface) leaves 5 usable for the hosts attached to the ethernet ports on the VLAN.
View 2 Replies
View Related
Mar 11, 2012
I am trying to configure a Cisco 871 router.I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A tracroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
View 2 Replies
View Related
Mar 20, 2013
Looking for a recommended code on the ASA 5585x firewall. We ran into a bug (CSCtr24705) on version 8.4.2 where it rebooted the primary firewall. The bug has to do with modifying an existing ACL that's part of a custom policy-map inside a service-policy. If we upgrade to 8.4.5 (which has the previous bug fix in it), there is another major bug (CSCud70273) where if you use the packet-tracer input command on an inside interface it causes problems too.
I don't understand why packet-tracer input would have a bug associated with it when it's been around for a long time and we use it on a daily basis for troubleshooting. Is there stable code for the 5585x to upgrade to without running into possibly a major bug? This is our core firewall so there are no VPN tunnels on it. It's setup in active/standby failover in routed mode.
View 1 Replies
View Related
Oct 8, 2011
I have 8 RVs4000's to built a test system with. On each side of the network is 2 servers, both with 2 NIC's. Both are on different /24 networks.
The idea is to simulate a WAN link, with the RVS4000's G1 & G2 running in "Gateway" mode to simulate the WAN. All other RVS4000's will be in Router mode ('R1,R2...etc..') All networks in /24 range. As I understand it, the RVS4000 CANNOT take 2 diverse networks on the LAN side: - ie 192.168.168.1 & 10.1.1.1 on the LAN side. The NIC's on the server only need to communicate to the similar type of addresses on the other side - 192.168.168.1 on server 1 to 192.168.170.2 on server 2, but NOT 192.168.168.1 to 10.1.2.1 on server 2. The G1 & G2 link is so that all communications are routed between this link - as a testing point.
So, my questions are this:
1) Will this work? Is there any easier way of doing this? (Bear in mind this is the only equipment i have to do this).
2) Is the static routing I have thought of work? (see below)
R1
0.0.0.0 0.0.0.0 10.1.1.10
R2
5.5.5.0 255.255.255.0 10.1.1.100
4.4.4.0 255.255.255.0 1.1.1.200
[code]....
I know using the RVS4000's inbuilt RIP may be easier, but I've never configured RIP routing. As this is a test environment, using static routing would be enough to get it going. No security lock down is required, all I'm trying to enable is for the servers to communicate with each other (NIC1 on both servers e.g 10.1.1.1 on server 1 to 10.1.2.1 on NIC 1server 2, and NI 2 on server 1 192.168.168.1 to NI 2 on server 2 192.168.170.1) The 10.1.x.x networks DO not need to talk to the 192.168.x.x networks. THe G1 & G2 link is just for testing - but all communications must pass through here and be routed to their relevant networks on the other side.
View 4 Replies
View Related
Jan 15, 2013
I've got a server that is connected to the network through one physical ethernet adapter. From my ISP, I got 4 static, public IP adresses, one of which is in use on the Host-Server itself, the remaining three each on a virtualized server. All 4 Servers are running on the same machine.Everything is running smoothly, however, I need to do some Bandwidth Management and Port Mapping, this is why I bought a ZyWall USG20, thinking it would be perfectly capable of doing what I need. is it possible, with a ZyWall USG20, to have all my four IP adresses being forwarded to the one physical machine, and apply some bandwith shaping and port mapping to it?
View 9 Replies
View Related
Aug 14, 2012
I configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
View 2 Replies
View Related
Sep 11, 2011
I am trying to configure a BT Business ADSL Router (BT2700HGV) to work in bridge mode in front of a Cisco RV120W router and cannot get this to work.I have followed numerous posts I have come across in configuring the BT router for bridged mode and this has been configured as follows:
ATM Encapsulation - Bridge LLC
DSL and ATM - VPI=0, VCI=38 (also tried VCI=35)
ATM PVC Search - Disabled
Connection Type - Direct IP (DHCP or Static)
Disable Routing - Yes
There are also some other options on the same configuration page for 'Broadband IP Network' (which I have left on DHCP) and also a 'Public IP' which has been left blank. After setting the above options this removes the LAN DHCP configuration, the PPPoA logon details and sets the internal IP address of the BT router to 192.168.1.254.
My understanding of 'Bridge' mode is that this router will now act simply as a modem and configuration details such as logon details and WAN IP address information are configured using the Cisco RV120W router?The configuration of the Cisco router is as follows:
Internet Connection Type - PPPoE
Username and Password set
Authentication Type - Auto-Negotiate (options here are PAP, CHAP, MS-CHAP and MS-CHAPv2)
Routing Mode - Router (Other option is 'Gateway (NAT))' - I have tried both options
The WAN interface on the Cisco router is connected to one of the LAN ports on the BT router. The 'Broadband' light is on the BT router but the 'Internet' light isn't. The WAN status on the Cisco router is 'Connecting'. I am sure I am missing something simple.We have been assigned a range of static IP addresses from BT so am trying to get these working too (x.x.x.24/29 - 5 usable statics), another option available (other than PPPoE) for configuring the WAN interface on the Cisco router is a 'Static IP', not sure if this is the correct option but have tried messing with it, I have tried assigning a static IP from the range given to us (.30 - the router address specified by BT) along with the subnet mask, however don't know what to put as the default gateway, would this be the peer address (but assume that would change anyway), in any case, using the 'Static IP' option does not give an option to supply the BT logon details which I assume is required?
In bridged mode, what is the peer address assigned to, the BT router or the Cisco router?Does the BT router need to be configured with a public IP address?
View 2 Replies
View Related
Feb 19, 2013
I have been searching through the cisco docs for a while and i just cant seem to find this info. Can I run aironet 1600's with my wism running 7.0.116? Also, could I run my 1130 series ap's with a wism2? Basically, what is the minimum code level for a lightweight 1600, and what is the maximum code level for a lightweight 1130?
View 3 Replies
View Related
Jun 10, 2013
Is there any way to have my Cisco 877W Router alter from using one static route to another static route when another router on the network is reporting destination host unreachable?
Router 1 (192.168.2.253)
Dialer0 -> ppoe to internet
Vlan1 -> local 192.168.2.0/24
Router 2 (192.168.2.254)
Dialer0 -> ppoe to managed VPN (172.16.28.1)
Vlan1 -> local 192.168.2.0/24
Router 2 is connected to another network through a managed VPN and that network also has internet access. I want to be able to have two routes to the internet on Router 2. And when Router 1 internet goes down packets get routed through the VPN instead.
I currently have on Router 2
ip route 0.0.0.0 0.0.0.0 192.168.2.253
ip route 10.0.0.0 255.255.255.0 Dialer0
ip route 0.0.0.0 0.0.0.0 172.16.28.5 250
Which does nothing when Router 1 has its Dialer0 interface shutdown, or goes offline completely.I suspect I could reverse the setup and have everything routed through the VPN by default and then if / when Dialer0 interface goes down it would switch to using Router 2, but if the problem is in the remote network and interface Dialer0 stays up, it would probably do the same thing... nothing.All devices mentioned are Cisco 877W routers with ADSL and a bunch of fast ethernet interfaces.
View 2 Replies
View Related
Jul 22, 2012
What is the difference /how to show part number,part code and serial number on cisco ASA 5520 series.succeed to get serial number by command show activation-key detail..how to get part code /part number?
View 2 Replies
View Related
Feb 28, 2013
I am in the process of rebuilding our ASA 5540 pair. We are currently on 8.2 code with this set of firewalls and I was going to upgrade it to 8.4 being I have a couple of other firewalls running this code currently and am familiar with it. That said, I saw that the 9.x code is out there now. Are there any major advantages or caveats with the 9.0 code? I plan to use this firewall with SSL VPN and RSA Secure ID integration for the next 2-3 years at least. Any quick pointers on these two code versions and on upgrading to 9 or staying with 8.4 line.
View 2 Replies
View Related
Mar 21, 2012
I Have an asa 5510 running code 7.2 configured with ssl vpn,ssl vpn users able to connect to to portal which i have configured with the required resources,but the thing is that these ssl users unable to upload files to cifs shared directory , although they have full access to the shared folder
View 0 Replies
View Related
Oct 17, 2011
I have a ASA# here that refuses to load 8.x# code. I do not have an issue loading 7.x# code at all. When I power on the ASA# it does not pass the fsck#.
Loading /asa842-k8.bin#... Booting...Platform ASA5520# Loading...IO memory blocks requested from bigphys# 32bit#: 20848dosfsck# 2.11, 12 Mar 2005, FAT32#, LFN#
I have tried 8.0, 8.2, 8.3, 8.4 codes. I have also swapped RAM and flash.
View 5 Replies
View Related
Mar 24, 2011
We are in the process of building a new DC and would like to know which is the recommended version of code to run on the following:
Firewall Services Module
Cisco ASA5580, 5550, 5520
ACE module
View 4 Replies
View Related
May 29, 2013
Does ASA 9.x code supports Change of Authorization (CoA). I have looked through the release notes and can't find anything.
View 1 Replies
View Related
Feb 3, 2013
I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1gb ram, but can i just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime.
View 8 Replies
View Related
Feb 11, 2012
For some reason whenever I try to turn on my firewall I get the following error message:
Windows firewall can't change some of your settings Error Code 0x80070424
View 13 Replies
View Related
Jun 22, 2011
I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code. It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it.
View 4 Replies
View Related
Jul 11, 2011
There is a PIX firewall and it has this configured on it.static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0.This line of code works ok for port 3389 but I want all tcp ports to be translated. Not just 3389.
View 2 Replies
View Related
Feb 5, 2012
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
View 1 Replies
View Related
May 6, 2011
Based on the network object below, I am looking for confirmation that It is good practice to use this natted object in my ACL applied incoming to the inside interface rather than have another object specifically for the object My_PC. I have tested and it does work, however this is my preffered option rather than having to create 2 objects, for the host and also the natted host.ASA(config)# object network My_PCASA(config-network-object)# host 192.168.33.2ASA(config-network-object)# nat (inside,outside) static 209.165.201.2
View 5 Replies
View Related
Sep 1, 2011
The order in the older ios was nat 0 then static. With the new ios how is the static nat treated if i have a nat (inside,outside) source static Now I need to do some static one to one nats for some servers in the same subnet as the no nat
View 2 Replies
View Related
Oct 26, 2011
I am trying to configure static nat on ASA 8.3 but its not working.
here is the configuration:
object network Unix-Server
host 172.16.0.7
description Unix server
object network Unix-Server
nat (Inside,Outside) static 195.44.148.53
its basic configuration where i have my server on the inside network (172.16.0.7) which i want it to be natted to public ip to (195.44.148.53) .
i tried to add an access-list ingress direction on the outside interface to permit traffic from any to the public ip 195.44.148.53 but still its not working.
View 4 Replies
View Related
Jul 6, 2011
i am doind a policy NAT on the folowing scenarion.
acess-list policy_nat extended permit ip host 10.0.0.1 host 192.168.1.1
static (inside,outempresa) 170.66.53.1 access-list policy_nat
I understand that when host A 10.0.0.1 wants to connect to host B192.168.1.1 its going to be translated to 170.66.53.1 when host 192.168.1.1 wants to connect to10.0.0.1 the same entry will change the destination when the packet hits the asa from 170.66.53.1 to 10.0.0.1, is that correct ?
View 2 Replies
View Related
