Cisco Firewall :: Two Public IP Blocks On ASA 5505?
Jan 16, 2013
We have 2 IP blocks from my ISP. We have been using just one a /30 block with one IP address used on the outside interface of the device. The new block is a /29 range and I would need to use just two of those IP addresses. Here is the situation I am facing.A company we partnered with wants to set up a VPN, they will send us 2 Cisco 861s to put behind our ASA. Is it possible to assign these 861's with public IPs from the block that we are not currently using? (the /29 range)? I know that it might require an upgrade to the Security Plus.
View 7 Replies
ADVERTISEMENT
May 22, 2012
I am trying to configure my ASA 5505 security plus through ASDM to receive two blocks of outside IPs (each of which is on a different subnet and a different gateway ip) to translate to my internal server giving it public access.I have searched for days (and maybe incorrectly) but I am finally asking for the configuration of the ASA to support this.
View 1 Replies
View Related
May 22, 2012
I am trying to get up to speed on this topic as quickly as possible.
Here is my issue:
1) We are able to access the webiste
2) We are able to upload data packets
3) We allow the website to time out while we are uploading data packets
4) When we attempt to re-access the website the ip is blocked a) this includes pinging and trace
5) After an undertermined period of time the ip is unblocked and we are allowed to access it again.
The ASA 5505 router is the last forward facing stop before entering the VPN tunnel. We have tested by circumventing the ASA and we are unable to duplicate the disconnect. We have reviewed the config file and have not been able to identify what rule/settings could be affecting this.
when tracing port usage, the actions use 2 tcp ports and 1 udp port, the 2 tcp ports open and close by each transaction, when the ip block occures the 2 tcp ports are "dead" the udp port remains open (appearhently sending the remainder of the data packets)
View 1 Replies
View Related
Nov 25, 2012
i cannot send emails to outside, i have an access rule on interface inside permit source: inside destination: any servic: tcp/smtp and when i make paket tracer it shows me that the packet is dropped but i cant see through which rule!!
ASA version: 8.4(3)
ASDM version 6.4(7)
View 2 Replies
View Related
Nov 21, 2012
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
-Single static public IP: 16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]
View 11 Replies
View Related
May 2, 2013
The client I am doing work for as ASA 5505 at a remote location that is using Cox Communications for the ISP. The ISP assigned 5 static IP addresses, but we only need 1 for this location. However, that is the minimum you get no matter what. The issue is that the subnet mask is a /25 and what they are telling me is that the ASA is grabbing all the IP addresses in that range. They asked if there is anyway to keep the ASA from grabbing those IP addresses. Now, I have never run into this issue before with a provider. The gateway is in the /25 subnet, so going to a /30 isn't an option.
View 5 Replies
View Related
Sep 10, 2011
Attached is my updated ASA 5505 (8.4[2]) config. With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound. No DNS, nothing.
The laptop is windows, the other two are servers with two NICs. The interface cards are Intel Pro/1000s. I've been through everything including Vlan protocol conflicts and actually enabled the servers for 802.1(Q).
View 19 Replies
View Related
Feb 18, 2013
How to get DynDNS or some other public dynamic DNS services on the Internet working on ASA 5505?
View 2 Replies
View Related
Sep 8, 2011
Is it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2).
View 9 Replies
View Related
Feb 3, 2013
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
View 4 Replies
View Related
May 26, 2012
We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
View 6 Replies
View Related
May 23, 2013
i can't get it working to expose on internal server to an outside interface.I used the public server function in ASDM.Internet access works if i nat my private adress to one of the available ipadresses provided by our isp.
Internal Server : owncloud 172.10.0.4
External Server : ext181 46.245.171.181
I can't see the error in the configuration,
: Saved
:
ASA Version 9.1(1)
!
hostname rhedetest
domain-name xxxxx.de
enable password 59t92OvRofWL9yf3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 10 Replies
View Related
Dec 15, 2011
We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documention that I have, the previous configured this as a dedicated router to establish a seperate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the fimrware upgrade?
I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.
View 3 Replies
View Related
Apr 19, 2012
I'm trying via the ASDM to port forward http connections to a DVR for the purpose of viewing IP cams.I've tried via ASDM to create a public server but I'm not allowed to use my public IP address for the public Interface.I have only one public IP address available.Is there any way round this ? I would also like to know how I can enable NAT with PAT.I've tried setting the outside Interface for use with PAT but It keeps reverting to the setting for a range of external addresses.I'm not really used to the ASA cli yet , I'm getting there.If there's a workaround via the CLI , I'll take that route.
View 4 Replies
View Related
Jun 22, 2011
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
View 7 Replies
View Related
May 8, 2012
I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.
Specific error is:5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure
Here is my config.
: Saved:ASA Version 8.2(2) !hostname asawooddomain-name wood.localenable password W/KqlBn3sSTvaD0T encryptedpasswd W/KqlBn3sSTvaD0T encryptednamesname 192.168.1.117 kylewooddesk description kyle!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address dhcp setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa822-k8.binftp mode passivedns server-group DefaultDNSdomain-name wood.localobject-group service rdp tcpdescription rdp accessport-object eq 3389access-list outside_access_in extended permit tcp any interface outside eq 3389 access-list outside_access_in extended permit tcp any interface outside eq 8080 access-list outside_access_in extended
[code].....
View 2 Replies
View Related
Jul 28, 2011
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
View 5 Replies
View Related
Jul 10, 2011
i have an ASA 5520 8.4(1) setup as follows
public wan
|
|
ASA-- public dmz
|
|
private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
View 6 Replies
View Related
Oct 3, 2011
I have an ASA that is logging the message %ASA-3-321007: system is low on free memory blocks of size 2048. I ran the "show blocks" command and the "Cnt" value for the 2048 blocks is 0. How do I reclaim these blocks and what are they used for?
View 1 Replies
View Related
Mar 19, 2013
I tried to create an ACL for IPv6. But the acl always drops my packetes. Only in case I allow an Permit Icmp6 any any statement. It works.
With detailed IPv6 entries. I have got drops.
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
This is the one with the permit icmp6 any any statement, it works !!
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da(code)
View 4 Replies
View Related
Jul 12, 2011
I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP Addresses?
View 9 Replies
View Related
Sep 6, 2012
I have two complete networks in my office. I want to access my printer from both the networks. Condition: With the Firewall I can't access computer of one network from another how can I access the printer from both the LANs. I am not allowed to play with Firewall.
View 1 Replies
View Related
Aug 24, 2011
I am having trouble with our ASA5510. After upgrading the internal memory from 256 MB to 1 GB and upgrading the firmware to 8.4.2 we are experiencing that the ASA is running out of 1550 byte blocks. When that happens it is not possible to connect to the ASA by ADSM or SSH and new VPN IPSEC tunnels are not coming up. The only way I know how to fix this is to reload the ASA. This is happening every 2 to 3 days.
In the free blocks graph one can see that there is a loss of about 20 blocks per 10 minutes.
View 4 Replies
View Related
Dec 10, 2011
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (https, http, smtp, rpc).
I can use the IIS, if the firewall is activated, but the exchange Server can not receive any emails. I have also created some firewall access rules for the mentioned services but without success.
View 1 Replies
View Related
Jan 20, 2013
I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. [code]
View 6 Replies
View Related
Apr 6, 2011
I have a problem after upgrading the ASA5505 unlimited to 8.4.1, the message shown after startup is:IO memory blocks requested from bigphys 32bit: 9672 It has 512 Mb of ram and this is the view from sh ver:
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Compiled on Mon 31-Jan-11 02:11 by builders
System image file is "disk0:/asa841-k8.bin"
Config file at boot was "startup-config"
[code]....
View 6 Replies
View Related
Dec 10, 2011
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (HTTPS, HTTP, smtp, rpc). I have also created some access rules for these ports, but I don't have any access on my server services, if the firewall is activated.
Here are my Firewall Access Rules from the RV042 Web Interface:
View 16 Replies
View Related
Jul 19, 2012
We have ciso asa 5505 and we are using one public ip of 155.155.155.9 , so i wanna disable to ping from outside this ip , but not effect our site to site and remote vpn connections ,the only thing i need is to disable the public ip to ping from outside.
View 7 Replies
View Related
Jul 25, 2012
My company wants to create a VPN Tunnel to allow a remote office to connect to ours. I purchased 2 ASA 5505 and I was expecting to be able to set this up without any issues. Sadly, that is not the case.
What I'm having trouble with is configuring my Public IP Address to the device. I go through the setup wizard and enter the IP Address like normal, but I have no option to input my ISP's subnet, Gateway or DNS. Without those, I get no internet connection. I know there is a way to do this, but I'm stumped.
My Specs:
2 ASA 5505 series
ISP Modem (Which they control) - SMC SMCD3GN with DHCP disabled
View 1 Replies
View Related
Sep 25, 2011
I have a customer thats got a Linksys router now, that has a DMZ port.The DMZ port is configurede to it routes the extra public ip-adress to the DMZ port it has.At the DMZ port they have another router connected, where they routes the public ip-adresses på some other devices.How can i make this setup on a Cisco ASA 5505 (With the Security Plus licens)What i have to do is to replace the Linksys router, and make it so, so it works like it was before with the Linksys.
View 5 Replies
View Related
Mar 29, 2012
We are in a planning phase of adding another service to our DMZ. The DMZ has a singe publicly accessible IP. We are running Citrix inside our network externally accessible via w121eb https (443). Another service will be added to the DMZ (Exchange/O365) requiring ADFS & and ADFS proxy also using port 443 as well. Both services (the Citrix secure gateway & ADFS) will have separate subdomains but directed to that same IP, each with its own cert.
Now, I guess the question is: How (if possible) can we forward the public requests to the two services that hit our network on the same port (can't change the port on either), to two separate appliances with their own internal IP's internally?Our current appliance on the DMZ is an ASA 5505. Also could use a PIX
View 5 Replies
View Related
Jun 29, 2011
Currently using WCCP with squid for content filtering. One of our sites we connect to needs to see the connection coming from our public IP address, not the proxy server IP. I've created a acl in squid for direct lookup, but the website gets angry with the X-Forwarder-Header squid attaches to each packet. Is there a way in a cisco ASA 5505 to bypass wccp for a specific public ip address or url?
View 4 Replies
View Related
Dec 19, 2011
I have an ASA 5505 configured with internal network, a DMZ, and a VPN on seperate subnets. The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network. I have a DNS server on my internal network and it does resolve to the public IP correctly. NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly. I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP adddress to the external (NATed) address is allowed.
Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network. If I am outside my cisco then I can go to http://72.22.214.121 easily. [code]
View 1 Replies
View Related
