Cisco Firewall :: Multiple External IPs On ASA 5505?
Dec 26, 2011
We have a working config with 1 external IP, we need to a second webserver (https) and it should be routed via a second public IP address. I already tried some suggestions from the community but haven't been able to find the solutions.
xxx.xxx.xxx.194 is going to the internal IP of 192.168.60.1 for OWA (https)
xxx.xxx.xxx.195 should go to a new webserver on 192.168.60.3
both server should be connected using SSL This is the current configuration :
ASA Version 8.3(1) !hostname fwdomain-name domain.localnames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.60.250 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address xxx.xxx.xxx.xxx 255.255.255.0 !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone CEST 1clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00dns server-group DefaultDNSdomain-name domain.localobject network obj_any subnet 0.0.0.0 0.0.0.0object network NETWORK_OBJ_192.168.70.0_26 subnet 192.168.70.0 255.255.255.192
[code].....
View 3 Replies
ADVERTISEMENT
May 23, 2011
I have an existing pair of PIX 515E that has two interfaces. One connected to the public internet via my ISP and one internal.
I recently ran out of IP's and had the ISP route an additional block to public IP of my firewall. This isn't working for some reason and I'm trying to figure out why.
The "ip address outside XXX" command defines the outside address and I don't see any way to add a secondary sub net.
I tried just adding a rule to the firewall for one of the IP's in the new subnet, but I can't seem to get traffic to pass though the device.
View 1 Replies
View Related
Oct 6, 2011
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
View 3 Replies
View Related
Feb 20, 2012
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies
View Related
Feb 24, 2013
I have a Cisco ASA5505 and windows DHCP server, how do I add this external server to ASA so my PC clients can get DHCP from this server?
View 3 Replies
View Related
Nov 4, 2011
I've configured a 5505 but internal clients can't ping external ip. To test I've connect a pc with the ip of the default router on the Outside int the ASA can ping the PC and the PC can ping the ASA, but internal clients can't ping the PC
PC config 195.12.23.241/28
Here's the ASA config, so far I've wiped the ASA and started with a blank sonfig and built it up but still not working.
ASA Version 8.2(5)
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
[Code] .....
View 2 Replies
View Related
Oct 3, 2012
Does the ASA 5505 will allow the addition of a 2nd external link to its configuration? I know the device is capable of Redundant or Backup ISP Links, but that’s not what I need. I will have two different links for two different purposes. Currently we are using the ASA 5505 just for Internet access, so only the ISP link is connected, very basic configuration. We are planning a connection to a client’s global (MPLS) network and we need to be protected against any traffic coming from that network, ergo we need to use a firewall for connection to that external link.Now with the final configuration the Internet traffic must keep being routed to the ISP link, and some other traffic must be routed to the new external link. Can the ASA 5505 be configured for this scenario?
View 7 Replies
View Related
Jun 4, 2012
I have a Cisco 5505, 2 sites that are internal, 1 external IP (dhcp from cable modem). While on my laptop, ipad, iphone, I cannot access the server via it's external IP address. I MUST use the internal IP in order to access this site. I have heard of hairpinning, internal dns server(don't really want this).
View 8 Replies
View Related
Mar 13, 2013
We have an ASA 5505 and are changing ISPs so we'll be getting a new static IP address. How do I change the external IP address using ASDM? (I haven't done it in 5 years so I'm rusty and just want ot make sure.) The ASA and ASDM are up to date.Am i correct in that I only need to change the external address in the configuration under Interfaces, then under Routing - Static Routes - Gateway IP I just need to enter the new WAN gateway address?
View 2 Replies
View Related
May 30, 2013
I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.
View 5 Replies
View Related
Mar 22, 2012
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 10.2.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 152.18.75.132 255.255.255.240!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a-152.18.75.133host 152.18.75.133object network a-10.2.1.2host 10.2.1.2object-group network ext-serversnetwork-object host 142.21.53.249network-object host 142.21.53.251network-object host 142.21.53.195object-group network ecomm_serversnetwork-object
[code]....
View 10 Replies
View Related
May 4, 2011
I have a couple of ASA 5505's which work fine for what they are doing VPN and all that - we have 1 DLINK DFR-700 Firewall left and I need to get a new ASA to replace this since it is old.
All this box really does is port forward external clients to 1 address on the internal lan for client software updates. Any example configs?
So lets say we have client a with IP 1.1.1.1 and client b has 2.2.2.2 - at the moment this is what happens client a and b come in through http and get mapped to the internal http server 10.10.1.2
So I need to setup about 100 clients which can come in through http only - get mapped to the internal IP and also keeping the internal server to be able to access anything outside.
View 1 Replies
View Related
May 16, 2013
I have a printer sitting on an outside interface e0/7 that external vendors were able to print to prior to an ISP IP address change and IOS upgrade.
We upgraded our IOS from 8.2.1 to 8.2.5. The printer wasn't changed so the MAC address mapping is still correct on the ISP translation list. The ISP issues DHCP MAC reservations for static IP address assignment. My printer doesn't seem to be getting the DHCP assignment now.
Here is the before and after config. I'm just wondering since this worked prior to changeing the IP and IOS changes if there is another command I need since upgrading from 8.2.1 to 8.2.5. The DHCP IP address is assigned and is working on my e0/0 vlan2 outside interface.
Config that worked prior to the IP and IOS change. hostname hrhdomain-name hrh.comenable password passwd multicast-routingnamesname 10.200.200.0 TestNet!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.8 255.255.255.0ospf cost 10ospf network point-to-point non-broadcastospf
[Code]....
View 3 Replies
View Related
Nov 28, 2011
I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
View 2 Replies
View Related
Nov 10, 2011
I have a cable modem internet connection and my cable modem is connected to an ASA 5505. The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1. The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network. Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1. I would like to see the 192.168.1.x address of the clients in the ASA firewall. I've tried making some changes to the Linksys router but that hasn't resolved it. Is there any changes I can make on the ASA to get this to work?
View 6 Replies
View Related
Jul 25, 2011
I have purchased a subnet of 8 private IP addresses from my ISP. 109.x.x.128/29.The ISP has placed a juniper router within our data centre which is routing purely from 109.x.x.206/30 to 109.x.x.128/29 with the ip of fa0/1 set to .129.
I have linked a cisco 5505 to fa0/1 of the juniper from fa0/0 and configured its IP to .130. I have configured NAT to translate our client pool 192.168.16.x /24 address' to the internet.
Is it possible for the 5505 to route / map my remaing private IP addresses through its external port? I have tried creating a seperate VLAN for a DMZ for our servers to sit within but am returned with a subnetting error as VLAN for my external port is all ready configured within the same subnet.
View 2 Replies
View Related
Sep 10, 2012
I'm configuring a 5505 for a remote office. Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?
View 5 Replies
View Related
May 24, 2011
I have an ASA 5505 that I log into and currently only need a password to log onto the device. How do I set it up so a username is required as well?Another user needs to access the device. How would I set that up so they have to user their own credentials? I tried username apssword priv command and it does not work.
View 1 Replies
View Related
Sep 10, 2011
Attached is my updated ASA 5505 (8.4[2]) config. With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound. No DNS, nothing.
The laptop is windows, the other two are servers with two NICs. The interface cards are Intel Pro/1000s. I've been through everything including Vlan protocol conflicts and actually enabled the servers for 802.1(Q).
View 19 Replies
View Related
May 22, 2011
I have 3 networks coming on DMZ (VPN) interface. Only one network is able to ping the DMZ interface. See below networks coming i on the DMZ.
10.132.24.0/2410.132.25.0/2410.132.26.0/24 Only the 10.132.26.0/24 netork works as it is in the same range as the DMZ interface.
allowing the other two networks to communicate. I've attched the diagram and configs for your perusal.
View 1 Replies
View Related
Dec 23, 2011
I want to configure multiple DHCP pool on ASA. that I create like
int e0/2
no shut
interface Ethernet0/2.10vlan 10nameif inside10security-level 100ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2.20vlan 20 nameif inside20 security-level 100ip address 192.168.20.1 255.255.255.0
dhcpd address 192.168.10.10-192.168.10.254 inside10dhcpd dns x.x.x.x y.y.y.y interface inside10dhcpd enable inside10
dhcpd address 192.168.20.10-192.168.20.254 inside20dhcpd dns h.h.h.h z.z.z.z interface inside20dhcpd enable inside20
I have following query...
1. int e0/2 work as trunk port, is it? any special confiduration require other than dot1Q?
2. How can I configure inside interface? is it like,
access-group inside_access_in_1 in interface inside10
access-group inside_access_in_1 in interface inside10
3. How can I configure static NAT ?
4. How can i configured inside route?
5. How can I configured default NATing?
6. On which interface I access ASA? currently using inside interface.
View 5 Replies
View Related
Nov 8, 2011
I have a problem with a ASA 5505. He is crashing multiple times during the day. I've setup a syslog server en I'd noticed that the last two log notification were:
2011-11-08 12:28:19 Local4.Debug 10.0.0.254 %ASA-7-711002: Task ran for 27016 msec, Process = Dispatch Unit, PC = 84745ce, Traceback =
2011-11-08 12:28:19 Local4.Debug 10.0.0.254 %ASA-7-711002: Task ran for 27016 msec, Process = Dispatch Unit, PC = 84745ce, Traceback = 0x084745CE 0x08474942 0x08475511 0x08475DB7 0x08475EDA 0x08508D9B 0x0850908A 0x083AB5B8 0x083A1D55 0x080655C1 0x08895A19 0x08895AD0 0x08952194 0x08978450
It's a 5505 with a 10 user inside host license, wich incidentally is more.
View 2 Replies
View Related
Sep 13, 2012
We currently have 2 different ASA 5505 connect to our ASA5510. We want to VPN connect the 2 5505's to each other while still mantaining connection to our 5520. I have attached pdf of what we have. What we want is to connect traffic between the two 5505's so that devices in either location can talk to each other while still mantainig connection to the 5510.
View 13 Replies
View Related
Jan 7, 2013
I want to know with an ASA 5505 w/ Security Plus License I get up to 20 VLANS/Named Interfaces.I have a customer that is getting a new subnet of external IP addresses from their service provider and a different default gateway to accomodate re-hosting their datacenter at their main office instead of at a Colo. My question, when building out their new DMZ, can I have multiple route 0.0.0.0 commands?
Example.
Current Default Gateway 1.1.1.X
Internal hosts 192.168.1.0 use and are natted to 1.1.1.X
New Default Gateway for DMZ Servers 2.2.2.x
Internal hosts still use 1.1.1.X, but server hosts in 192.168.1.3 should use 2.2.2.X -- there are also a bunch of pre-existing static NAT rules for these servers such as 2.2.2.30 translates to 192.168.1.30.
I think I would accomplish this by using the following:
route inside 0.0.0.0 0.0.0.0 1.1.1.X
route DMZ 0.0.0.0 0.0.0.0 2.2.2.x
Would this be correct?
View 2 Replies
View Related
Sep 13, 2012
We currently have 2 different ASA 5505 connect to our ASA5510. We want to VPN connect the 2 5505's to each other while still mantaining connection to our 5520. I have attached pdf of what we have. What we want is to connect traffic between the two 5505's so that devices in either location can talk to each other while still mantainig connection to the 5510.
View 1 Replies
View Related
Sep 8, 2011
Is it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2).
View 9 Replies
View Related
Jun 10, 2011
I am setting up a Cisco ASA 5505 first time for My organisation, I usually setup Cisco Router, I have 10 Static IP, & Have 6 Server (S-1, S-2, S-3, S-4, S-5, S-6), Traffic Should be pass through the ASA and is distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions and Want to Configure DMZ for Server (S-4, S-5, S-6) that allows public web traffic.
I have Attached My Network Diagram I have some question,
1:- Can we Configure Multiple Static IP On ASA 5505 ?
2:- If Diagram is wrong what change need to be done ?
View 2 Replies
View Related
May 14, 2012
We've read everything about inspecting SIP packets and allowing them to pass through on port 5060, the default SIP port. However, our setup requires the ASA 5505 to allow SIP on ports 5060, 5160 and 5260.
Is this possible with the ASA 5505? If it's not, it would be a blocking issue for us to move forward with ASA appliances. We are currently investigating in a lab environment and really having difficulties configuring it to facilitate full SIP functionality.
View 1 Replies
View Related
Sep 23, 2011
I have an ASA 5505 running 8.2(1), that is configured with three interfaces as follows:
Inside (security 100) 10.0.0.0 /24
Inside 2 (security 100) 192.168.0.0 /24
Outside (security 0) internet
Inside is connected to my internal network, inside 2 is connected to the network of a sister organization, outside is outside.
I'd like to be able to route between from inside to inside 2, and have NAT translate me to inside2's address.
I have inter-interface traffic configured, and when I use a NAT exemption, I can route fine. But the resources on network 2 must see my request as coming from the inside2 interface IP.
View 2 Replies
View Related
Feb 12, 2013
This is for an ASA 5505 with the base license...I have a situation where I will not have one interface in my outside VLAN, but instead I want to have interfaces 1-7 in my outside VLAN and interface0/0 in my inside VLAN.
Is this supported with the Base license, and if so how would I do this? Do I still just need to assign one IP address to the outside VLAN?
Or will I need to upgrade to the Security Plus license and put each interface in a separate outside VLAN, so in essence I would have 7 outside VLANs each with the same security level (0)?
My situation is that I have several partner networks that i want to "aggregate" thru my one ASA 5505. So each outside interface represents a separate partner (outside) network, each of which I want to get to from my inside network. Hence the many outside to one inside.
View 5 Replies
View Related
Oct 4, 2012
I want to configure multiple DHCP configuration on ASA 5505. I tried to create sub interface for different IP Pool but it was not configure on ASA 5505. is it possible to create subinterface on ASA 5505?
ASA 5505 IOS version: 8.3(1)
License: Security Plus
View 4 Replies
View Related
Aug 13, 2012
Our current cable ISP is having issues providing us with consistant connectivity. I would like to bring in a second ISP to allow my users to choose where they will connect to. There will be two dns names and i just want to to be able to choose between them.
Is this possible on the ASA5505? supporting two ISPs at one time for VPN on both?
View 3 Replies
View Related
May 25, 2011
I have an ASA 5505 with the security plus software and I'm trying to find out how to assign 2 public IPs to the outside interface and have each IP routed to a separate internal VLAN. For example, IP 1 = X.X.X.1 routed to 192.168.1.0 and IP 2 X.X.X.2 routed to 192.168.2.0. I was told this was possible and I've been trying to find configuration examples, but I can't seem to get anywhere and now I'm getting desperate because I'm scheduled to install it this weekend.
View 1 Replies
View Related
