Cisco Firewall :: NAT Only Working For Some IP Addresses On 5505

Dec 16, 2011

I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues).  One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines.  I'm having trouble getting that working properly with the new device.
 
After a lot of trial and error, I finally got some ports working, but only for some IP addresses.  In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189).  For historical reasons, the external IP of the device is .178.  Only those NAT entries for .177, .178 and .179 are currently working. I've attached the configuration of the ASA, as well as the configuration of the old 1841.  As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it.  And it was working with the 1841 in place before its untimely demise.
 
One note - I am also having trouble getting the VPNs working, so they are a work in progress.  That will account for some of the differences in the configs.


Cisco Firewall :: Multiple Public IP Addresses On ASA 5505?

Sep 8, 2011

Is it possible to have two or more public IP addresses bound to a Cisco ASA 5505 running 8.4(2)?


Cisco Firewall :: ASA 5505 - Create ACE For Range Of IP Addresses

Nov 7, 2011

Trying to configure our ASA 5505 (hence my request for the ASDM). However, I can go CLI if push comes to shove.
 
What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.
 
I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.
 
I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks  2) Deny any traffic to anywhere (which is superseded by rule 1, yes?)

To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supersede both implicit rules?


Cisco Firewall :: Possible For 5505 To Route / Map Renaming Private IP Addresses Through Its External Port

Jul 25, 2011

I have purchased a subnet of 8 private IP addresses from my ISP, 109.x.x.128/29. The ISP has placed a Juniper router within our data centre which is routing purely from 109.x.x.206/30 to 109.x.x.128/29 with the IP of fa0/1 set to .129.

I have linked a Cisco 5505 to fa0/1 of the Juniper from fa0/0 and configured its IP to .130. I have configured NAT to translate our client pool 192.168.16.x /24 addresses to the internet.

Is it possible for the 5505 to route / map my remaining private IP addresses through its external port? I have tried creating a separate VLAN for a DMZ for our servers to sit within but am returned a subnetting error as the VLAN for my external port is already configured within the same subnet.


Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
 
My side of the VPN is an ASA 5505 running 8.2(2). The other side, I believe, is a Checkpoint.


Cisco Firewall :: PoE On ASA 5505 Not Working (8.4)

Jun 2, 2012

I recently acquired a used ASA 5505 and have encountered issues with getting the PoE output on Ports 6 & 7 working. These two PoE ports are behaving like all the other ports (100mbit, Vlan 1). Per the best I could Google, I made sure all the relevant ports are set to "auto" for duplex and link speed. Again, the ports do work for data - just not PoE. The LEDs light up ok.
 
I've tested four different working devices that can be powered off PoE with it, and all failed to power up using a straight-thru Ethernet cable connected to ports 6 & 7.

Ubiquiti PicoStation M2
MikroTik OmniTik
MikroTik RB450G
MikroTik RB433
 
What should I do to get PoE working? Is it a defective unit?
 
: Saved
: Written by enable_15 at 18:56:43.926 CDT Sun Jun 3 2012
!
ASA Version 8.4(4)

[Code].....


Cisco Firewall :: SSH Not Working In 5505?

May 20, 2013

I'm trying to set up my 5505 for SSH but it doesn't seem to work. Console and HTTPS/ASDM are working.

My Tera Term is just stuck at the user/password screen. I also tried using PuTTY but it still failed.
 
ciscoasa# exit 
Logoff 
Username: admin

[Code].....


Cisco Firewall :: ASA 5505 Not Working?

Jul 2, 2012

When I install my ASA5505 I get the following message? "This platform has a Base license.
 
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode   :  CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode:  CNlite-MC-IPSEC-Admin-3.03
IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte
count = 1. Reason: I2C_UNPOPULATED_ERROR"


Cisco Firewall :: Static 1 To 1 NAT Not Working On ASA 5505

Jan 28, 2013

I have 2 internal servers sitting on the inside interface.

Inside network vlan 1, IP addresses 192.168.0.20 and 192.168.0.22.

I am going to map 192.168.0.20 to public routable IP address 203.117.124.180 and 192.168.0.22 to public routable IP address 203.117.124.181.

The purpose is to make those 2 servers, 192.168.0.20 and .22, accessible remotely using public routable IP addresses.

However, after doing the configuration I am still not able to ping or access the public IP addresses mentioned above. Both my servers are turned on and can be accessed internally. Both servers are also able to access the internet. See below the partial configuration retrieved from Show Run.
 
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Antlab) 1 0.0.0.0 0.0.0.0

[Code].....


Cisco Firewall :: ASA 5505 9.0(2) Traceroute Not Working

Apr 16, 2013

There is an issue with traceroute from an ASA 5505 with 9.0(2). Here is the running configuration [code]. With this running configuration, traceroute from the LAN to a public IP works fine, but once I traceroute from the LAN 192.168.225.x to the corporate networks via the IPSec l2l tunnel, it does not show any hop at all; even the inside interface of the ASA does not show in the traceroute.


Cisco Firewall :: ASA 5505 SLA Commands Not Working

Jan 28, 2013

I am trying to set up a SLA statement on an ASA 5505 version 8.2(5). When I enter the command "sla monitor schedule 1 life forever start-time now" I get a message stating "%Entry not configured."


Cisco Firewall :: ASA 5505 - 8.4(3) - PCTV Not Working?

Apr 1, 2012

I have an ASA 5505 running 8.4(3) at home and I'm banging my head against the wall trying to get the PCTV working from my local ISP. Basically I open a web page for the service and I can stream all the basic TV channels to my PC screen.

I just simply can't get this working through the ASA. I know absolutely nothing about voice/video in networking.
  
My setup regarding ASA configurations are as follows
  
interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.0.1 255.255.255.0
igmp forward interface WAN

[code....
 
I can get the PCTV working if I bypass the ASA. I can for example get the PCTV working on PC2 if I simply change the port Ethernet0/2 to access vlan 10. So there's just simply something that I haven't configured on the ASA, or the ASA doesn't support something? I took a capture from my PC2 just as I opened the browser and connected to the PCTV URL (opens our local channel 1 right away). The only thing I can see in the capture at that point is:
 
- V2 Membership report / Join group 232.1.3.1

- Right after a remote host from the ISP networks starts sending the stream with the destination port udp/2000 with the destination address of 232.1.3.1
 
What could I check in my configuration? Or is there something that I have simply configured wrong already in the partial configuration shown above?


Cisco Firewall :: ASA 5505 Base License - How To Get AnyConnect Working

Mar 29, 2012

I have a base 5505 and would like to get AnyConnect working.  To do that, would I have to first purchase either an essentials or premium license and then purchase the AnyConnect Mobile license?


Cisco WAN :: 5505 Multiple IP Addresses On WAN Interface

Jan 6, 2011

We have a Cisco ASA 5505 box. We have a /29 subnet available. At this moment one of the IP addresses in this range is assigned to VLAN2, used for the outside interface.

- All outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1
- All outgoing traffic from VLAN20 (for visitors) will go out using a second IP, xxx.xxx.xxx.2
- All outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using a third IP, xxx.xxx.xxx.3
- All specified incoming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10

The main purpose is to have a specific public IP address for the mail server only, so as not to get onto any blacklist, and to give visitors a different outgoing IP address than our internal users.


Cisco :: ASA 5505 - Ping Times To NAT Addresses?

Nov 28, 2011

If I ping a NAT'ed IP address configured on an ASA 5505, is it handled at the firewall (as far as priority) as if I were pinging the firewall interface itself, or the end device?  The reason I ask is I am seeing waves of ping latency that I can relate to data transfers, but nothing is even close to being maxed out as far as CPU, memory, or bandwidth.  My guess is this is being handled by the ASA in software instead of in hardware.


Cisco Security :: ASA 5505 - NAT To 2 Private IP Addresses

Apr 22, 2012

I am new to networking and configuring an ASA 5505.  I have one public IP and would like to know if I can NAT this IP to 2 private IP addresses.  Both addresses will be passing similar traffic.


Cisco WAN :: 5505 Route Public Ip Addresses To DMZ Port

Sep 25, 2011

I have a customer that's got a Linksys router now, that has a DMZ port. The DMZ port is configured so that it routes the extra public IP address to the DMZ port it has. At the DMZ port they have another router connected, where they route the public IP addresses to some other devices. How can I make this setup on a Cisco ASA 5505 (with the Security Plus license)? What I have to do is to replace the Linksys router, and make it so that it works like it did before with the Linksys.


Cisco Switching/Routing :: ASA 5505 - Multiple Outside Statics IP Addresses?

Dec 14, 2012

I have an ASA 5505 with Security Plus License. I have 5 static IP addresses from my ISP. I have the following interfaces: Outside (vlan 2) / Inside (vlan 1) / Guest (vlan 3). For my Vlan3 guest network I have set it up so that DNS must be routed through opendns.org's DNS servers (for web filtering, etc.). However, it's using the static IP that I have plugged into the ASA.

What I would like to accomplish is to put my inside interface (vlan1) on another static IP for outside access if that's possible, so that I can route those clients through opendns.org, however giving them more web privileges than what the guest network is getting.


Cisco Switching/Routing :: 5505 Running Out Of Available IP Addresses On Subnet

Oct 7, 2012

I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't support multiple VLANs or trunking, and they are only able to connect to one switchport on the ASA. He does not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addresses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an IP range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to set up an internal network, and I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.


Cisco Switching/Routing :: ASA 5505 - Blocking Traffic To Specific IP Addresses

Sep 24, 2012

I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network.  Here is the basic layout:
 
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
 
I'm able to get onto the Internet without any problems.  Devices from the 192.168.10.x Network can not ping the inside VLAN1 (192.168.40.x).  However, I would like traffic going from the inside VLAN to the Outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9.  I've tried using ACLs but end up killing my Internet connection.  192.168.10.1 is the default route and is how I get out to the Internet.  Is this possible?  Essentially, I'm trying to set up a small Network that guests can connect to.  The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network.
 
Here is the config:
 
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted

[Code].....


Cisco Routers :: RV042 When Updating / Adding Mac Addresses / Table Is Always Sorted By IP Addresses

Oct 8, 2012

In setup for the old RV042 (V1), when updating / adding MAC addresses, the table is always sorted by IP addresses. But in the new one, the RV042 (V3) I have, even with the latest firmware 4.2.1.02 the list is random, thereby increasing the chance of the user entering a DUPLICATE IP addr with a diff MAC addr. That will result in a conflict. If the firmware sorts the DHCP entries by IP addresses, the user would be able to catch duplicate IP errors even if the system does not flag the errors. All Cisco smart engineers, can you all get the DHCP entries SORTED by IP addresses.


Cisco WAN :: 3 NAT Addresses On 1800 Firewall

Oct 15, 2012

I have a client that has 6 public IP addresses. He needs to use 3 of them. One for workstations, which is currently working fine. It is using the default gateway IP. One for an email/web server, which has a static NAT and is also working fine. But we need an additional NAT, and it is for 3 servers that all need to go out as the same public IP. I am not sure how, and have been unsuccessful getting those to go out as the same IP. I either cannot get them to exit the same IP or it breaks the workstation NAT.

Workstations would be 10.0.0.100 - 200 going out the FE1 interface or I think x.x.94.122
Email would be 10.0.0.5 going out the static NAT of x.x.94.123
I then need 10.0.0.2 - 4 to go out x.x.94.124

I removed some ACLs and IP info for security. Attached is the current config.
 
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address x.x.4.240 255.255.255.0

[Code]....


Cisco Firewall :: Public IP Addresses On DMZ (SA520)

Feb 29, 2012

I just bought an SA520 to replace my existing FW.
 
The thing is that I have private IP addresses on my LAN, and I have been issued a public IP network for my DMZ by my ISP.

Meaning I want to NAT my LAN but not my DMZ, but I can't seem to find a way in the 520 to do that. I can only find the option to turn off NAT altogether.


Cisco Firewall :: 1841 To Hold Public IP Addresses Behind ASA

Apr 21, 2013

I am trying to figure out how this works. I have an ISP device that connects to my 1841. ISP and fa0/0 hold the /30 WAN addresses. Fa0/1 holds one of the public IPs, let's say 1.1.1.1/29. Then the outside interface of the ASA holds 1.1.1.2/29. Now I have two routes in the 1841, one for the default route going back to the ISP device, and a route for the 1.1.1.0/29 network going to the ASA. Now I have 4 more publics I can use, 1.1.1.3 - 6. I do not want to assign these IPs to the servers, but rather just NAT them. I know this is possible, but can't figure it out. I took an internal host and did a one to one static NAT from private to public. Packet tracer says my NAT rules are ok. Allowed all IP traffic for testing and still can't ping the server.


Cisco Firewall :: 5580 Need To NAT Addresses To Inside Servers

Jul 7, 2012

We are going to set up a L2L VPN with a vendor and they asked us to NAT a couple of IP addresses for remote access to a couple of servers on our inside network. Our device is an ASA 5580 with version 8.1 and we have a handful of public IP addresses for use if needed. The vendor's remote network is a public IP address but for this posting I will use 192.168.10.0. Our inside servers are 10.100.10.20 and 10.100.10.30. Because 10.100.10 is in use with another customer they asked us to NAT 10.77.97.20 and 10.77.97.30 to the two inside servers.


Cisco Firewall :: Configuring Virtual MAC Addresses On ASA 5520?

Jul 21, 2012

I configure the virtual MAC address for an interface on ASA 5520, and will enter the following command on the active unit:

failover mac address Inside 0012.3456.789a 0023.4567.89ab

The active MAC address is the same as the Inside's burned-in MAC address of the active unit. Similarly, the standby MAC address is the same as the Inside's burned-in MAC address of the standby unit. Do I get the effect of the failover mac address command?


Cisco Firewall :: ASA 5510 - Allow ICMP From Three Blocks Of IP Addresses?

Jul 12, 2011

I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP Addresses?


Cisco Firewall :: ASA 9.1 Access-list / Real IP Addresses?

Feb 26, 2013

So in the past from 8.2 down I had one to one NATs like so
 
static (inside,outside) A.A.A.A B.B.B.B netmask 255.255.255.255
 
but for 9.1, which I'm running now, I need to do this
 
object network obj-B.B.B.B
host B.B.B.B
nat (inside,outside) static A.A.A.A
 
So if I make an ACL to permit outside public access to the public IP (A.A.A.A) in 9.1 do I use real B.B.B.B ip address or the object itself obj-B.B.B.B?


Cisco Firewall :: NAT Source And Destination Addresses On ASA5520 Running 7.2(5)?

Apr 22, 2013

Is it possible to NAT source & destination addresses (twice nat) on an ASA5520 running 7.2(5)?


Cisco Firewall :: ASA 5525X - Multiple Outside Addresses PAT To One Inside Address

Apr 30, 2013

I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
 
Object NAT is configured as follows:
 
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
 
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
 
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.1.20-2 on port 2000.
 
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.


Cisco Firewall :: 7609 / FWSM - Duplicated MAC Addresses Across Contexts

Feb 27, 2012

I have two 7609S routers each with a FWSM running 4.0(8). I am licensed for 20 contexts.

Recently, I added a context for a new application and required access to a VLAN that already had an interface in another context.

The MAC address assigned to the interface in the new context was assigned the same MAC address as the interface in the previous context. This caused an application running through the first context to fail.

I know that on the FWSM I cannot hard code a MAC address to an interface in a context so how do I get around this problem caused by the duplicate MAC addresses?


Cisco Firewall :: ASA5505 / Pcs To Get Their IP Addresses Directly From DHCP Server?

Feb 7, 2012

We have a Cisco 5505 ASA firewall at a remote site. I can get the firewall to issue the IP addresses to the PCs. Is there a way for the PCs to get their IP addresses directly from our DHCP server?


Cisco Firewall :: ASA 5510 - How To Assign Multiple Public IP Addresses

Dec 2, 2010

I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510, traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  I'm doing the config via ASDM.

Everything else seems to be OK, i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.








Copyrights 2005-15 www.BigResource.com, All rights reserved