I am using Cisco ASA 5505 between my two network.
1) I want 192.168.1.0/24 LAN user can go to access 172.16.1.0/24 network but 172.16.1.0/24 cant access 192.168.1.0/24 network
2) what interface nameif will be or security Laval
3)what access list should be configure
4)what IP route should be used
I was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)Usually firewall CPU flows between 30% to 40%. Rarely to 50%.
1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc
2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?
3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?I there any recommendation regarding configuration, best practices?
I have a new Cisco 3925 router. I have 2 network segments 10.0.1.X with net mask 255.255.255.0 and 10.0.2.x woith netmask 255.255.255.0. I have an internet gateway router at 10.0.1.21. I have set GBethernet 0/0 to 10.0.1.1 / 255.255.255.0 and GBethernet 0/1 to 10.0.2.1 / 255.255.255.0. I have set a static route 0.0.0.0 / 0.0.0.0 to 10.0.1.21 for gateway of last resort.
When I setup a workstation on the 10.0.2.X segment at 10.0.2.100 wirh a gateway of 10.0.2.1, I can ping 10.0.2.1 and 10.0.1.1 but can not ping anything else on the 10.0.1.X network or on the internet. When I am connected to the console port on the router I can ping 10.0.1.1 and 10.0.2.1 and 10.0.1.21 and any address in the internet but I can not ping 10.0.2.100.
When I am on a network connected to the 10.0.1.x network af 10.0.1.100 I can ping 10.0.1.1 and 10.0.2.1 and 10.0.1.21 and anywhere on the internet but can not ping 10.0.2.100 or any other address on the 10.0.2.x network other than 10.0.2.1. What Do I need to do on the 3925 to get to all address on each segment and to get to the 10.0.1.21 gateway from the 10.0.2.x addresses?
I have a WAN router that's on 172.x.x.x segment, and another WAN router that's on a 147.x.x.x segments.How can I make them communicate, I would like to interconnect both segments to talk to each other.We are using a Cisco 2800 on both segments.
View 8 Replies View Relatedhave a 2921 with 3 segments, let's say 172.16.0.1/24, 172.16.2.1/23 and 172.16.5.1/24
How can I browse for computers (in Network... Windows xp/7) from other segment?
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
Client has a Cisco ASA 5510 with 4 L2L VPN's all using 5505's
The L2L connect to the "outside" interface as do the VPN Users (I'm leary of this
The VPN Users need access to the "inside" networks and all L2L subnets.
The VPN User has its own subnet (192.168.168.0/24( seperate from the Local LANs (172.16.0.0/16)
When the Users VPN in they can get to all the subnets connected to the inside interface but none of the L2L subnets
I have verified that the UserVPN Subnet is in the crypto acls and in the route statements of all L2L 5505s
With an ASA 5505, i would l like to guide a sub network to an ISP and another sub network to the other ISP.i have 2 differents ISP.My major problem is the metric. I tried with access-list command to force the way out, but it seems that "metric" is stronger than "access-list".I don't know how to manage such LAB. is that possible with ASA 5505 appliance?
View 9 Replies View RelatedCisco ASA 5505
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
I have and vpn tunnel between a pix network (192.168.200.0/24) and an asa network (192.168.100.0/24); it's been running fine for awhile now but this morning i've come in an i can not access anything on the pix network, (mail, file & web servers). Each attempt to access results in a SYN timeout.
6 Nov 30 2012 14:24:01 302014 192.168.200.9 192.168.100.115 Teardown TCP connection 6014 for outside:192.168.200.9/135 to inside:192.168.100.115/51240 duration 0:00:30 bytes 0 SYN Timeout
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?
View 5 Replies View RelatedI now need to configure an ASA 5505 for a small server farm. It's fairly straightforward:isp -> asa5505 -> internal servers,'m using static addresses -- no DHCP involved.VPN works; I can get into the internal network.pinging from the ASA to an external address works,However, I cannot get from a laptop connected to an internal port out to the internet, either using ping or typing an address in the browser.
View 7 Replies View RelatedI've been trying to configure a cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides, tutorials and followed the ASA setup wizard in ASDM. The Cisco 1841 is running sub-interfaces for my VLAN's.
View 4 Replies View RelatedI am having a problem trying to figure out how to add a new ASA 5505 to an existing network. My current network is:Cable Modem > Linksys > 48 port switch With multiple hosts residing on the 192.168.0.x network.Now i know that the ASA comes default with 192.168.1.1 on the inside interface and i want to change that to 192.168.0.1. I have tried to do this thru ASDM using the wizard and manually. Once i hit ok for it to write the config, it gives me an error that it didnt take. I then lose connection to the ASA and have to hard boot it to get it back.I am trying to do this without my external connection connected and i have a laptop connected to the ASA on port 0/2 with an IP address of 192.168.1.75.Do i need to connect my internet connection to it first and then run the wizard? I was hoping to get it configured for my existing network before i plugged in the internet connection to limit my downtime.This ASA came with 6.4.1 ASDM and 8.2 OS installed. i was able to upgrade the ASDM to 7.X but when i go to update the OS to 9.1, i get an error that i am not registered to use cryptographic software. Dont know where i need to register to get it?
View 4 Replies View RelatedI have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet. Office 1 has a fiber internet connection, and all traffic flows fine. Office 2 had gotten it's internet from AT&T, via a network based firewall injecting a default route into the mpls cloud. both offices connunicate to each other through the mpls.
When we added the fiber to office 1, we had the mpls people change the default internet route to the inside address of the 5505 and things worked fine. when AT&T attempted to remove the NBF defaut route, and inject the 5505's address as default, things didn't go so well.
AT&T claims that it is within my nat cmmands on the 5505, but won't tell me anything else. I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.
Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx - the 5505 inside interface is 10.10.30.2 the internal interfaces of the mpls are 10.10.30.1 and 10.10.10.1
I have an asa 5505 and I would like to adding a new rule for a network, however it was added, it seems it would be inactive. I have two inside network,192.168.12.0/24 (name: lanA) and 192.168.99.0/24. (name: lanB) I have the following in the running-config:
access-list lanB_acl line 1 extended permit ip 192.168.99.0 255.255.255.0 any
access-group lanB_acl in interface lanB_interface
But when I tried to reach a host in the lanA, the packets are dropped. I configure the asdm, which shows this on the LanB interface:
1 lanB_network | any | ip | permit (hits 344)
2 any | any | ip | deny
and I checked the packet tracer with: tcp, source: 192.168.99.57:10460 dest: 192.168.12.2:443 and it shows that the packet has been dropped by the last 2. 'implicit any any ip deny' rule, in spite of my access-list rule (access-list lanB_acl line 1 extended permit ip 192.168.99.0 255.255.255.0 any) preceded it, and active.
The lanB and lanA interfaces are the same security level 100, and I can reach the outside/internet from 192.168.99.57 Is it possible that I have to reload the rules or something like in order to apply? Or I missconfigured something?
I have a customer an exisiting 5505 which connects to multiple sites for a site-to-site VPN. This firewall was not installed by myself originally I have just been asked to take a look now.The situation is that we now need to edit one of the existing site-to-site VPNs to include the remote sites expanded network. I have tried doing this through the ASDM and have found that I cannot add new network objects. I have tried creating a new network object group and then added the new networks from there but I am completely unable to add the new objects.I believe a picture tells a thousand words in this case so I have attached some images which show the problem. I have also tried going through the VPN wizard, this also does not allow me to add new network objects.
View 2 Replies View RelatedWhat should i do on my Cisco ASA 5505 firewall to grant access to my network systems to access internet via gateway. I use ASDM to configure the firewall.
View 5 Replies View RelatedCisco ASA 5505 Cannot Ping Secondary Internal Network.
View 9 Replies View RelatedASA 5505 and DMZ, I have a Base License.
What do I need to do for access inside network to DMZ?
I successfully configure, internet Access for DZM and inside network, web server can be accessed from internet, but I have problem to configure communication from inside network to DMZ.
For a customer I have configured a new ASA 5505 firewall with 8.42 software. I had to build 3 ipsec tunnels to different locations and firewalls. All tunnels are working except one. I have to translate the inside network 1 to 1 to a different private range before it is sent over the tunnel. Each host from network 192.168.133.0 /24 has to be translated to a 192.168.112.0 /24 host and then sent over the tunnel. (e.g. 192.168.133.22 translated to 192.168.112.22)
View 3 Replies View RelatedWhen I start a VPN-session my server looses internet access. The server is host for a few virtual machines and they have internet access.using 5505 and asa is version 8.4(2). [code]
View 6 Replies View RelatedI am having a very strange issue with connecting new machines to reach the internet.We have a ASA 5505 which the previous tech configured the DHCP pool to 192.168.1.60 - 192.168.1.110
We ended up reaching our limit which I changed it to: 192.168.1.60 - 192.168.187
Then next day when I arrived to work, our DC was hung from windows updates. Once we got everything back up, every computer currently on the network can reach the internet/VPN tunnels etc. So (continuing with my day) I created a new server in a VM (Hyper-V)I can ping everything internally (even the router) 192.168.1.1, but I cannot resolve DNS. I have configured a static IP, tried Dynamic IP.I have looked for any ACL indicating to block outside the range of the old DHCP pool but no luck.On my local maching I can ping the DNS addresses, but just not on the new server.
I have configured an ASA 5505 to connect a single internal network to internet, it is not working. I have attached the config
View 9 Replies View RelatedI have a 5505 between a vendor router & my company network, vendor is not able to access devices on internal network. I am also not able to access the firewall via asdm
View 10 Replies View RelatedWe want to use a Cisco 861 Ethernet router to link our LAN's data and voice segments together (each on separate switches). Our switches are not Layer3 so routing over them is not an option. We only use the default VLAN1 on both switches.There is a data segment 192.168.1.0/24 and a voice segment 192.168.150.0/24, each with it's own internet/WAN access (internet for the data lan and SIP provider for the voice lan).
Diagram:
internet-~--router_192.168.1.1------192.168.1.0/24_data_lan--------192.168.1.254_cisco861_192.168.150.254-----192.168.150.0/24_voice------192.168.150.1_router--~-sip_provider
This is want i want to achieve:
- Link the data and voice switches using the 861
- I want to make the Cisco 861 the default gw on both segments, but they should only route traffic destined for the other segment to each other and route all other traffic to their segment's designated internet connection. I don't want the Cisco to do any NATting and there's no need for firewalling either.
I am using two firewalls to connect two different offices. Firewall 5510 is running ASDM 6.3 and 5505 is running ASDM 6.2, Problem is that even after connecting two sites, i am unable to ping remote network from either side. I am mentioned static route as tunneled.
View 1 Replies View RelatedWe have an ASA5510 and a few days ago we were unable to access some segments from remote access VPN, the problem was not the config. A few hours later the problem was resolved on its own and I suspect we have an IOS bug. This has happened a few times in the past and its becoming an issue. How can this be confirmed and which IOS should we upgrade to? Prefer not 8.3 given the syntax difference
View 1 Replies View RelatedI have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.
View 1 Replies View RelatedI have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies View Relatedsetting up an ASA 5505 to be used as a firewall between a BT internet router(BTNet service) and a Cisco 3560 Lan switch. BT have presented me with a cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 Gigethernet ports on the back of the router port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA but i am unable to get any connection.
Trying to set up a asa 5505 in transparent firewall mode. I cannot set the management ip address:
ciscoasa> enable
Password:
ciscoasa# config term
[Code].....
