Cisco Firewall :: NAT On ASA 8.2 For Second ISP Connection
Mar 21, 2012
I'm working on a problem at the moment where I have 2 Internet connections each with their own Interface on an ASA running 8.2(5). What I want to be able to do is host different web sites on each ISP's ranges but I'm banging my head against a wall at the moment trying to either get the routing or NATing to work in a satisfactory way.
The default route is via one of these Internet connections and obviously the website hosted on this Interface is working fine.
To get another website hosted on the other ISP or interface - traffic is getting blackholed as it is being routed in the 2nd ISP interface and then trying to be routed back out the 1st ISP interface.
I thoguht I could overcome this using Policy Based Routing but ASA does not support this. I'm also aware that I can overcome this problem by upgrading the ASA code to 8.3 or 8.4 where the NAT will overide the Routing table
I'm vaguely thinking that there might be a way to overcome this using clever NAT but not been able to figure it out yet. A lot of other Forum posts have sugested that you can use Policy NAT (either Static or Dynamic) or a Dynamic NAT to get the second NAT working and overcome this routing problem but all of these options seem to define a specific source where I need to allow ANY Source on either connection. (Connections inbound to the webservers originating from anywhere on the Internet).
I toyed with the idea of Source NAT'ing traffic coming in on the 2nd ISP connection so that it would appear to originate from an IP in the same network. This would overcome the routing problem but not ideal as WebServer logs would see all connections originating from this IP as opposed to the real IP on the Internet.
My current (relevant) congfiguration looks something like this:
static (DMZ, EXTERNAL_ISP1) 192.168.1.1 10.0.0.1 netmask 255.255.255.255
static (DMZ, EXTERNAL_ISP2) 172.16.100.2 10.0.0.2 netmask 255.255.255.255
!
route EXTERNAL_ISP1 0.0.0.0 0.0.0.0 192.168.1.254 1
I would have thought that this is a fairly simple task to achieve but it seems not (at least not on ASA 8.2). I have attached a rough VSD to illustrate what I mean.
View 3 Replies
ADVERTISEMENT
Dec 18, 2011
We're getting "Connaction Timeout / Connection Failure" error messages several time per day. Here is our setup:
Verizon FiOS Internet (ONT Box) --> Cisco ASA 5505 --> EdgeMarc 4500 Router --> Cisco 300-24G Switch --> Dell PE1950 Servers
From past few months, we keep getting Connection Timeout and Connection Failure error messages in our vendor application which connects to SQL Server 2005. Also Terminal Server 2003 keep disconnecting for every few hours.After several days of troubleshooting, we come to know that this Cisco ASA 5500 is not working properly. When I access the ASDM, it shows several warning messages.I know there is a setting option to configure TimeOut, but is there anyway to test and track the ASA 5500 regarding this Timeout issues?
View 3 Replies
View Related
Jul 4, 2011
how simultaneous connections is supported on the ISR G2? I need a router with the 60,000 concurrent connections.
View 1 Replies
View Related
Apr 25, 2012
Trying a simple Easy VPN connection and getting the following in the error logs:
Built inbound UDP connection 684 for outside:xx.xx.xx.xx/1106 (xx.xx.xx.xx/1106) to identity:xx.xx.xx.xx/500 (xx.xx.xx.xx/500)
View 1 Replies
View Related
Dec 20, 2011
I have just put an ASA5510 in place and have the following setup:
Interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
[Code]....
I have connected my stations to an ESW540 inside of the Int Eth0/1 and am able to get ip addresses to the stations as well as DNS addresses. I cannot however connect to the outside connection in any way. From a computer connected to the ESW540 with a DHCP assigned IP address, I can ping the computer's IP, the ESW540's IP, and even 192.168.15.1. But I cannot ping the ip address from the Int Eth0/0, nor anything beyond 192.168.15.1.
From inside of the console of the ASA, I can ping all addresses of all ports as well as devices outside of the building and inside of ESW540.
View 6 Replies
View Related
Sep 22, 2011
What would be the equivalent of the below static translation below which limit the connection to 100 and embroynic to 50 in ASA 8.3 above.
View 1 Replies
View Related
Apr 2, 2012
I have a Cisco 1841 serving as a connection between my ISP and my Firewall (non Cisco).
I seem to be having performance issues with my traffic going through the Router.HTTP (web browsing) is fine andI get my download rate as I would expect for a 10mbps connection.But anything to do with my VPNs I find a delay when sending via the 1841.(all my VPNs are managed by my Firewall and I have never had problems with those).
I also have a legacy ADSL connection to my firewall, which bypasses the 1841 and I am having no issues on that at all.If anything it is quicker! Which is madness as my Fibre should out-perform it easily.This leads me to believe the issue is not with the Firewall.
My 1841 is very simply setup, 2 fa interfaces with simply a default gateway setup within it.Which leads me to ask if I need more static routes in or a dynamic route protocol setup?
View 4 Replies
View Related
Jun 13, 2012
I've been having a major problem with our Internet service. Our ISP insists it's the firewall.
I'm not a Pix expert by any means, but here's what's happening:
- Our Internet service drops.
- When this happens I try to ping the PIX on the inside interface and it times out.
- Our Internet service comes back up and I am able to ping the Pix.
- I connect to the Pix and issue a SHOW INTERFACE command to look for errors. I FIND NONE.
View 4 Replies
View Related
Feb 13, 2012
I have the asa 5505 with asdm 6.4(5). my inside LAN is 192.168.0.0/24. the outside of asa is connected on lan 10.13.74.0/24 and i need over LAN 10.13.74.0/24 connect on LAN 10.15.100.0/24. i put nat rule on asa 5505 and acl rule and users from lan 10.15.100.0/24 can connect on my server, but i can't connect on from inside of asa connect on lan 10.15.100.0/24 and 10.13.74.0/24. my configuration asa is Result of the command:
"show running-config"
: Saved
:
ASA Version 8.4(2)
!
host name Cisco asa
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[ code]....
what i do that connect on LAN 10.15.100.0/24. i cant ping my outside interface, put rules on acl, i enabled service policy rule for icmp ,but nothing.
View 3 Replies
View Related
Jun 12, 2012
I have a firewall behind 2 routers and 1 modem. I set the vpn up in the firewall and not getting a connection. Do I need to set something up in the 2 routers and modem for it to work?
View 5 Replies
View Related
Jan 31, 2012
I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.
View 7 Replies
View Related
Feb 24, 2013
ASA-5510, inside, outside, and some DMZ.Some services published with Static NAT - no problem.Now we need to add a second outside connection, with a second provider.Internet navigation only through the first provider (default gateway to the provider router "A").I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses.I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway).By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.
View 6 Replies
View Related
Dec 12, 2012
I have a problem with the connections to the remote webservice passing through ASA 5520 firewall. Connections are usually interrupted in perod of half an hour in every few days.
This ASA 5520 firewall is only one firewall in a path to the remote webservice.
During the interruption I find the logs:
UTC: %ASA--4-419002: Duplicate TCP SYN from dmz1:x.x.x.x/.... to outside:y.y.y.y/p with different initial sequence number
Teardown TCP connection 28309406 for outside:y.y.y.y/p to dmz1:x.x.x.x/.... duration 0:00:30 bytes 0 SYN Timeout
How I could find root cause? Could it be solution implemetation of TCP State Bypass?
View 1 Replies
View Related
May 17, 2012
My firewalls are running in multiple context mode.According to my troubleshooting, the problem happens because of the following things:
1- The host 10.15.5.100 do a telnet to 10.0.6.100 using the default gateway that is the context firewall C2;
2- The packet go to the C2 and is forward through the interface e0/0 (direct connected);
3- The packet is delivered direct to the host,without passthrough the context firewall C1;
4- The host receive the packet and return the answer to the source host 10.15.5.10 using the default gateway 10.0.1.10;
5- The packet is received by the context firewall C1 and is dropped with the reason Deny TCP (no connection) syn ack;
I think the the problem is on step 4, the context C1 receive a packet that didn't pass by it before. Am I right?
View 2 Replies
View Related
Oct 7, 2012
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
View 23 Replies
View Related
Sep 19, 2011
i have a 5510 with SDM 8.2.5 from clients connected to LAN i cant open a VPN connection! (using windows client L2TP or PPTP) there is not rules tho block this ports, why i cant connect?
my configuration:
FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password 28kg/dOQX80WtMHA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 1 Replies
View Related
Jun 13, 2011
I have a monitoring rule that checks the number of connections on the firewall using the following command: show conn count
My results are always between 3,000 and 9,000.A while back, I had an issue where all 130,000 connections were being used up. I configured a service policy to limit the number of connections between any two end points.
I'm monitoring the error logs and I'm noticing that my connection limit rule is being triggered on a regular basis. I receive the following message.Per-client connection limit exceeded 20000/20000 for output packet from x.x.x.x to x.x.x.x on interface outside
I'm confused as to the difference between the connections limited by my rule and the connections shown by "show conn count". why I never see any connections higher than 9,000 using "show conn count" yet I am seeing alerts stating that the firewall has reached 20000 connections?My firewall is an ASA5510 running.
View 1 Replies
View Related
Feb 15, 2011
We recently got a 10 meg dedicated internet fiber connection installed. I connected it to a PIX 501 firewall and everything worked fine (I tested it for a couple of weeks). A couple of days ago I got a new ASA 5505 and replaced the PIX with this device. It works, but every so often there seems to be a timeout when surfing the web whereby I click on a link and there is up to a 45 second wait and then the page loads quickly. I was not getting this before on the PIX so I'm assuming it's not a latency issue with the connection. I am the only one using this connection on the network so it's not to say that it's being bogged down. I want to roll this out to the other users on the network but not when this is happening. The configuration is below:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 8 Replies
View Related
May 2, 2012
I have an issue were thousands of connections on the ASA are marked with flags E, below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp what the meaing of an outside back connection (ie flags E).
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828, flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0
View 0 Replies
View Related
Apr 9, 2013
Device Cisco ASA
Model:5520
OS 8.4(2)
I am not able to access the device via SSH .After connecting to teh console I have found that allowed SSh session are fully utilized with show resource usage command and the output is [code]
So I used show ssh session command to see who is using the sessions but in the output it has showed only one session and the output was [code]
I was wondering why it shows only one session above instead of showing all the 5 sessions which are utilized as confirmed by show resource usge command.We are usning some internal tool for ssh monitoring on device which is poling the device after a fixed interval for port 22 reachabilty .I dont think these tools are making any issue as this is secondary firewall and we are not facing any reachabilty issue for primary firewall.also we are using 10 min for idle ssh timeout.
View 13 Replies
View Related
Apr 14, 2013
I am facing problem in implementing NAT on Cisco 8.4 . the scenario is
Inside interface network 10.10.10.0/24 and 10.118.0.0/16 is also routed towards inside network
Other network 192.168.10.0/24 is routed via outside interface.
My requirement is to NAT the 192.168.10.2(real IP) to 10.10.10.2(mapped ip) so that when users from inside network (10.118.0.0/16) will come they will access the 10.10.10.2 instead of the real Ip(192.168.10.2)
So I used nat (inside,Extra net) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2 but the connection is not working but with show nat I am getting hits on the NAT statement.
cap test Ethernet-type arp interface inside real-time
1: 23:29:05.684199 arp who-has 10.10.10.2 tell 10.10.10.1
2: 23:29:09.687998 arp who-has 10.10.10.2 tell 10.10.10.1
I have also enabled the proxy arp on the inside interface but still the connection was not working.
Packet tracer output
[Code] .........
View 11 Replies
View Related
Oct 25, 2011
I configured multiple vlan on my Cisco ASA5520. Everything work perfectly except RDP (3389) connections. The connections are established but but after a period of inactivity, the user is disconnected from server (black screen). The same problem happens with other type of connections (client/server), exemple : Oracle, file sharing. Before installing the ASA, computers and servers were in the same vlan and it worked well.
There's a notion of inter vlan timeout connection ?
View 5 Replies
View Related
Feb 7, 2013
i've two cisco asa5510 with 4 FastEthernet interfaces each.They are connected as below:
[code]...
to three different ISP each of them! The 4rth interface of each of them, is connected to internal LAN network. Both Firewalls, offers VPN Services to ISP connections on Fa0/0
How can i achieve high availability for this scneario?is this possible to implement some HighAvailability and to offer the actual services to each of them, in case that the other firewall fail?What about using subintefaces? can i connect bothe ISP and Customers links on one or each of them, in case that firewall01 fails, all the services to be online on firewall02?
View 1 Replies
View Related
Aug 22, 2012
i have router 3845 and then it's connected with pix and then its connected with vpn tunnel to the customer router. i am here trying to make vpn connectivity for devices. so on router i did static nat statements 10.124.90.124 10.200.200.1. this type of six statements i wrote for six devices. on the pix i did
isakmp key ******** address 208.39.107.230 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 208.39.107.230
crypto map outside_map 60 set transform-set ESP-3DES-SHA-1
i have one question that i need to use physical subnet or nat subnet for crypto map acl? and also on the customer router which subnet they can use as well nat sunet or my router physical subnet?
View 7 Replies
View Related
Oct 29, 2012
I have this box. I have few questions about it.
1) Will I be able to update firmware (from 8.2 to 8.3 or higher for example) without smarnet for ASA 5510? And what can not I do without smartnet?
2) I have only AIP-SSM-10 module to this asa 5510. is there a smartnet for it, too? And when I buy only module is there build in a 1 year subscription for IPS signatures?
3) If I have Cisco ASA 5510 base license, will my IPS on AIP-SSM-10 work?
4) Also I'm planning in a year buy one more 5510 with same module and put ther in failover. Will I really need Security Plus license for failover (Active/Standby)? For Active/Active I know that I need one, yes?
View 5 Replies
View Related
Jan 22, 2012
A Cisco engineer told me hat CSM 4.3 has a Interface to Tufin . How to confirm that ?
View 3 Replies
View Related
Apr 15, 2013
I have a SIP trunk in my Florida office connected to a Cisco 2851 ISR. I'm using Unified Communications Manager 8.0 and life is great.
We just opened a new office in Spain and now the fun begins. We created a site-to-site VPN tunnel using ASA 5510 in Florida and ASA 5505 in Spain. We can register IP Commuicator phones in Spain but when they make calls it shows up as a Florida call. We need it to show up as a Spain call.
We are thinking to get a SIP trunk into the Spain office but I only have a ASA 5505 over there. Can I terminate a SIP connection to it? Is this the best option? If not, what is the recommened setup?
View 1 Replies
View Related
Nov 13, 2012
I am having a problem with a ASA 5505. The users on the inside cannot access internet for the most of the time. When i looked over the configuration and tried a few changes i got out to internet about 5 seconds every 30 minute or so. Very strange. When i try to access internet i just get the windows post that DNS is not working properly. As you can see in my config i get all addresses dynamic from ISP.
I am not sure what to do next, i tried to set static routes, make Nat changes, static dns addresses, searching this forum but nothing works. It seems like there is a ISP problem but i have talked to the support twice today and they say that all is fine from their side. Does ASA behave like this?
ASA Version 8.2(2)
hostname ciscoasa
domain-name
enable password encrypted
passwd encrypted
names
[code]...
View 7 Replies
View Related
Jun 23, 2012
I have a Cisco ASA 5505 - 50 VPN edition. I have baffling network issues that I have not been able to pinpoint and I recently started to think it may have something to do with my ASA. I'm a network administrator and I have a Cisco ASA 5505 in my home network so I can learn how to manage Cisco ASA's and utilize the Easy VPN feature so I have a always on VPN connection into work to log into servers, etc. I've been using the ASA for almost 6 months with the EasyVPN feature with no issues. My ISP is Comcast.
Within the last week my connections have been randomly dropping for about 20 seconds and then reconnecting. I have two computers on the network that have a direct ethernet run to the switch ports on the back of the ASA. When the connection drops, I see my LAN icons completely lose connectively (yellow exclamation warning) then after 20 seconds, reconnect. This is very random. I was able to get it to happen every time I connected to XBOX live and play a online game. It would almost on cue drop after 30 minutes of online gamming. Here are the steps I have taken:
1. Replaced 10/100 switch to a brand new 10/100/1000 switch from computer run in my office to the ASA.
no joy
2. I upgraded the ASA to the most recent firmware: ASA Version 8.4, ASDM Version 6.4
no joy
3. I had an ethernet run under my carpet to the office, I started to think that maybe one of the cables had an issue after walking on it and vacumming causing a short. I removed all the ethernet under the carpet and installed power line over ethernet adapter from the ASA to my office.
no joy
4. I checked both computers on the network for viruses. All computers came back clean after scanning wth Malwarebytes and SuperAntispyware.
5. I've watched the logs on the ASA as the LAN connection drops and I don't see error messages to troubleshoot this issue.
The only thing left to replace is the Comcast modem or the Cisco ASA. The Comcast modem is newer and only about 1 year old (rented from Comcast). Since my actual LAN connection drops and I lose connectively I believe there may be some issue with the ASA or the ASA switch ports or some sort of internal hardware issue on the ASA.
View 4 Replies
View Related
Jun 24, 2012
I'm trying to get an asa5505 set up so that our web server can send an LDAPS login to a client's server and receive the request back. The default IP our traffic goes out on is different than where I want the connection to come back in on. So, I set a NAT rule to send all traffic from a specific inside IP out a default outside IP. I also allowed LDAPS traffic from the client's server IP address in and have nat'd it back to the appropriate inside IP address. It seems to build the outbound connection fine, but then seems to drop it right away, which then seems to not allow the response back in. I've attached a picture of the log, with (what I think are) the lines in question highlighted. I'm far from a routing expert, but this seemed like a fairly easy setup.
View 1 Replies
View Related
Jun 7, 2011
We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
Jun 7 07:36:26 10.99.96.32 last message repeated 4 times
Jun 7 07:36:26 10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection failed
[Code]....
View 4 Replies
View Related
Feb 21, 2013
ASA5545 : Software Version 8.6(1)2Connection table (cfwConnectionStatValue) gradually increases and never goes down. Upon 750000 connections, user activity is hampered and the box claims that it can not support more connections.
View 4 Replies
View Related
Mar 10, 2011
Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.
View 3 Replies
View Related
