Cisco Firewall :: Static Nat On ASA 5510 IOS Version 8.2
Feb 19, 2012
I have a question. I have an ASA5510 with IOS version 8.2. I have my firewall, and behind it I also have a mail server, e.g. 192.168.1.x. When I send email from the inside network, it doesn't show as if it's coming from the outside NATed public IP of my server but from the IP of the firewall. What am I missing? My example nat statements are . Nat-control is disabled.
I just upgraded my firewall to ASA 5505. Now, my original static IP address configuration is gone. Apparently, Cisco went away from static IP address to something like nat (inside,outside) dynamic interface. How do I create a static IP address under version 8.4? By the way, I am sharing what my configuration used to look like before upgrading.
I'm trying to install an ASA 5510 transparent firewall using ASA version 8.4(3)9, but I don't understand how traffic will ever pass through my firewall if both interfaces are on the same subnet (VLAN) as the host and its default gateway. The reason I'm doing this is we're installing UAG (or Direct Access) and the UAG appliance needs to have public IPs but still be behind a firewall (see attached diagram).
Looking at the documentation (which all seems to be for 5505s running 8.2), it almost seems like I need to have the transparent firewall 'in-line' to the ISP router, but this router services another IP address range on another VLAN for other (routed) firewalls (not shown on diagram), so putting it 'in-line' is not possible. Surely this can't be the case, can it? If not, how is it supposed to be cabled up and configured so packets go through the firewall?
I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1 GB RAM, but can I just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device, so I am planning on downtime.
One of our customers has asked us to NAT from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor-managed voice router.
Internet for everything else | | Inside ------------------------> ASA 5510 -----------------> Voice router ------> outside to public phone server only 10.10.1.0/20 10.10.1.7/320 172.16.20.1/24 Voice-------------------------> 172.16.20.0/24 172.16.20.254/24
Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using nonat ACLs. The phone server can only talk to the 172.16.20.0/24 network. So I need to NAT the 10.10.1.0/20 network to the Voice interface on the ASA 172.16.20.254/24.
So I think I need the following static but I get the error below:
static (Inside,Voice) interface 10.10.0.0 netmask 255.255.240.0
WARNING: All traffic destined to the IP address of the Voice interface is being redirected.
WARNING: Users will not be able to access any service enabled on the Voice interface.
ERROR: Invalid netmask with interface option
I have an issue, of two parts. The first part I believe I have figured out, just the second part I am unsure of. I have an ASA 5510, currently, there is a mailserver that is static NAT'ed to one of my ISP routed IPs (not the IP of my main Dynamic PAT/Outside interface). I need to convert this over to PAT for ports 25,80,443, etc (standard ports). I know I need to remove the static NAT statement and add in the PAT statements, but I need traffic from that machine to continue to go out the IP assigned to it by the static NAT. E.G.
1.1.1.1 <- main public IP on outside interface, everything gets internet through this IP
1.1.1.2 <-> 10.10.10.10 static NAT to mailserver, secured with ACLs
I need to enable the mailserver to continue to appear to the world as living on 1.1.1.2, due to MX records and rDNS settings, etc...
The terminology for this setup escapes me at the moment.
I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
I got the charge of an ASA 5510 running version 8.3(1). I found that this is a simple config with PAT for inside hosts and a couple of static NATs for web servers and an FTP server as well.
There is lots of other configuration being done, I assume for the purpose of just R&D by the previous administrator. I need to understand if the following NAT statements hold any relevance.
We are running only the NETWORK_OBJ_192.168.0.0/23 subnet on the inside and there is no other subnet defined in the rest of the statements, i.e. 10.0.0.0/27 and 192.168.1.128/27 don't exist at all.
This problem applies (in my case) to our ASA5510. The issue here is that the http service on the ASA is running off of the standard port 80. Log in to the firewall and run the following:
no http server enable
http server enable 8080
Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.
At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.
I am trying to set up my ASA5510 to fail over the ISP when it can't ping three different IPs. I created three different trackings to three different IPs using sla monitor & track rtr. But when I do
the last route will replace the previous two and only the last route command takes effect. Is there any way I can set up the failover to ISP2 only when it can't ping three different IPs from ISP1?
I have an ASA 5510 running version 7.0. I have a problem with an Exchange server using a static map and its outbound connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent change is the changing of the zero route to a different interface (there are two circuits connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
Here are what I believe to be the relevant configs.
interface Ethernet0/0
 description New 6mb circuit
 speed 100
[Code]....
So the exchange2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb, as do all the workstations due to the global address statement.
I am having trouble with a NAT concept. What I have is a 3rd-party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utilizes a physical interface on the ASA5510, but I need the interface for another project.
I am facing a problem while configuring SSL Web VPN on my ASA 5510, which is on version 7.2. I need to configure RDP access to the internal servers for the users using SSL Web VPN, for which I don't see an option while configuring it, though I have uploaded the plugin to my ASA.
I'm trying to figure out how to get two 5510 ASAs to establish a Site-to-Site VPN. The version with two static IPs is working perfectly and stable, but I haven't figured out how to get a VPN running between a static and a dynamic IP.
My dynamic ASA is trying to use a Cradlepoint 4G connection to a head-end ASA 5510. The remote end with the Cradlepoint 4G is not even initiating the tunnel! I need another set of eyes. It was initiating the tunnel last week but not completing the connection. Now it's not doing anything. I am going backwards. Below is my remote ASA config.
ASA5510(config)# sh run
: Saved
ASA Version 8.2(2)
hostname ASA5510
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]...
I have a laptop directly attached to the inside interface. The PC and ASA can ping each other. The test interface is the one I am trying to use. Does my default route need to point to 192.168.0.1? Or is the remote peer correct? I thought the remote peer was correct? The 4G modem is like a pass-thru device. If I connect my laptop to it I can get out to the internet.
I have an internal application which requires operators to have a static IP address. I'm looking for a way to do this for our VPN users. At the moment they are given a random DHCP address from a pool. Is there an easy way to get a static address assigned to VPN users on a Cisco ASA5510 AnyConnect VPN?
I use an ASA 5510 and an ASA 5505 and want to connect 2 networks via VPN. ASA software version is 8.41. Network 1 has address 192.168.90.0. Network 2 has the address 192.168.5.0. I use the site-to-site VPN wizard on both ASAs and create the VPN connection. Do I need to create an ACL after that? The PCs on network 1 must have access to a resource in network 2. How do I create static routing to connect both networks?
I got remote offices connected to our DataCenter, some via MPLS and some via VPN terminated on a Cisco ASA 5510. I am running OSPF on LAN and BGP for MPLS sites. To have reachability to VPN remote offices I added 'redistribute static in OSPF' and to have reachability to sites connected via metro link I added 'redistribute connected'.
I have an ASA 5510 that uses Radius for authentication. What I am trying to do is assign each user that logs into VPN a specific static IP based on userid. I have about 30 to 50 users. I don't want to complicate this by having them select a different profile when logging into the ASA. What is a clean and simple way to assign a user a static IP and not use the local database for login?
I have a 5510 that I have configured for L2TP over IPSEC, not using AnyConnect. The first, and most prevalent, issue is that VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts. The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I've had two different CCNAs look at this numerous times to no avail. A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where I added the extra static NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittently from the internal 10.1.4.x network. [code]
I have a Cisco ASA 5510 with a static IP and a remote site with a dynamic IP and I want to set up a VPN between these 2 sites. I tried it many times but it doesn't come up.
A McAfee scan of an ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Is there any way to specify only version 2 or turn off SSH?
How do I disable XAuth for Remote VPN users on the ASA 5510 running 7.2(1)?
HPMFIRE(config)# tunnel-group vpn3000 general-attributes
HPMFIRE(config-tunnel-general)# authen
HPMFIRE(config-tunnel-general)# authentication-server-group none
ERROR: The authentication-server-group none command has been deprecated.
The isakmp command in the ipsec-attributes should be used instead.
--[code]....
I couldn't find anything under isakmp to disable it.
Only trying to have the mail server reachable via the secondary ISP link if the primary ISP link goes out. The public MX records with priority markings should make it so any outside host tries the first ISP address, then the second ISP address if the first is unavailable. I would be using object tracking to control the default gateway in the ASA. I'm just a bit fuzzy on the NAT with a dual-ISP config on a single box. It shouldn't happen but... if traffic comes in on ISP2 while ISP1 is still up (and the current default gateway), that traffic should return out the ISP2 interface (using the ISP2 address and avoiding asymmetric routing) since there is already an existing connection present inside the ASA. Any server-initiated traffic would still use the current default gateway defined via object tracking on the ASA.
ASA 5510. I'm trying to add a static NAT to allow access to an internal webserver on my DMZ. I've added the config, however I'm still unable to get to it from the outside. I'm able to ping and browse the server from the LAN and I'm also able to ping the external interface from the outside, but just unable to browse. I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside"
I got a project where I have to provide NATed addresses to customers for the internal servers, and I found out that the outside address range /27 is already in use. We are using a 5510 with ver 8.1. We can't use PAT here. Any other option to accomplish this task?