Cisco Infrastructure :: Configure ASA5505 Network With Split DNS
Mar 13, 2011
We have several branch offices that only have a Cisco ASA 5505 connecting clients to the Internet, our main office and other networks. Some of the branch offices uses Site-to-Site VPN to connect to our main Office, other uses a VPN-service delivered by our ISP.
The networking is working fine, but we are having problems with figuring out how to handle dns lookups. I see that the ASA DNS Client can use conditional DNS forwarding, but it cannot act as a DNS server for our clients on the inside network.
We want to do the following:
- Default dns quires should use the DNS servers for the site's local ISP (some sites also uses dual ISP, so we are using DNS1 and DNS2)
- The domain name: company.local should use our main office DNS server (acces by Site-to-Site VPN or our ISP's VPN)
- The domain name: sitea.company.local should use our SiteA DNS server (acces by Site-to-Site VPN or our ISP's VPN)
etc...
We have solved the issue by using Windows DNS server's conditional forwarding for the branch offices that has a local Windows 2008 domain controller.
our branch office's that only have a Cisco ASA 5505 Security Applience?
View 3 Replies
ADVERTISEMENT
Mar 29, 2012
I am currently trying to configure an Easy VPN connection from an ASA 5505 to and ASA 5520. I have enabled split tunnelling and in the group policy defined the network to be tunneled but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505. I get no internet access. Have been trying to troubleshoot this for days.Hee are soe specifics, running version 8.2(5) on the 5505 and the 5520 and below is the local config on the 5505 for the Easy VPN:
vpnclient server **.***.***.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup dbernstein-5505 password *****
vpnclient username dbernstein password *****
vpnclient ipsec-over-tcp port 10000
vpnclient enable
and the downloaded dynamic policy:
Current Server : 12.***.163.**
Primary DNS : ***.160.***.39
Default Domain : cisco.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : ***.160.***.0/255.255.255.0
Backup Servers : None
View 9 Replies
View Related
Sep 25, 2012
My company purchased a PAK for ASA5505-SEC-PL a while back. I found it unopened and need to know if it can be used, without activating it on an ASA. I opened up a case with the Cisco TAC, provided them the PAK serial number and got the following responses from 2 different individuals:
1.Since the product was covered under warranty and then expired this means that the activation key was used before.
2. This PAK number is expired since (Warranty End Date 21-Feb-2009).
I responded that I am not interested in warranty information but I just want to know if the PAK can be used. Just because the warranty expired, does that REALLY mean the PAK can no longer be used? That doesnt make sense to me. Isn't there a tool on Cisco's website to put in the PAK S/N to see if it is available, has been used, and if so, when?
View 2 Replies
View Related
Feb 7, 2011
Is it possible to configure split tunneling for default Windows VPN Client and ASA 8.0? Everything works fine with Cisco VPN Client
View 3 Replies
View Related
Jan 15, 2013
is it possible to configure a Cisco 881 router to split the incoming internet connection between two ASA's? If one ASA fails then the router would switch traffic over to the second ASA. The 2nd ASA would takeover from the primary ASA through the active/standby failover configuration and crossover cable. I'm trying to avoid configuring the switch to control the traffic using VLANS if possible.
View 3 Replies
View Related
Jul 21, 2012
We have ASA 5520 acting as the VPN Server and Cisco 1941 router as EZVPN client. Since last few days client is not able to establish vpn connection. 1941 router is continuously generating the below log messages
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50)
001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=VPNGROUP Client_public_addr=<client public ip> Server_public_addr=<server public ip>
004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
View 3 Replies
View Related
May 9, 2012
I bought a CCNA lab for doing practice.The lab kit is made of some 2600XM routers.These routers have only one "fast ethernet port 0/0".I don't understand how I can configure these routers whith: Static Routing, Defoulte Route etc etc if I have only one "fast ethernet port 0/0" and I don't have the "0/1 port" too.
View 5 Replies
View Related
Jun 21, 2011
Suppose a broadcasted IP packet reaches one of the integrated RJ-45 ports on a 2911 ISR G2, will it be possible to configure the router so that the other integrated RJ-45 ports, ESM/EHWIC modules installed on the router, as well as the MGF also recieve the packet? Technically, the router should act similar to a switch with the SRE behaving similar to a seperate machine connected via the MGF and other external machine connected to the ports of the router to recieve the broadcasted packet.
Also, if SNMP traps were generated from the router,Will it be possible to send the traps from the router via the MGF to the SRE installed on the router?
View 1 Replies
View Related
Mar 16, 2013
I've setup the WDS and Infrastructure AP according to Document ID: 68098
1. The Infrastructure AP is registered and active in WDS AP.However, any client device such as NB or PDA cannot obtain IP address.In WDS AP the client device is shown as authenticating all the time. What I missed? Or there is somethig else need to be set?
2.Can I configure the WDS AP alslo as Infrastructure AP?I mean, to be WDS and Infrastructure at the same time, broadcasting the SSID etc.?
View 3 Replies
View Related
Jun 10, 2013
I currently have my 5505 setup for AnyConnect SSL VPN connections. Is it possible to also configure the 5505 for IPSec VPN connections? So, essentially my ASA will be capable of running SSL and IPSec VPN tunnels, concurrently.
View 2 Replies
View Related
Apr 23, 2013
I did some searching and the answers said it was supposedly possible but no info on how to do it. I am wondering if it is possible to configure a Cisco ASA 5505/10/20 to be a client to an existing (in this case) cisco client vpn. The reasons why are complicated (and imo irrelevant) but basically I need to be able to make a small network that can be on this vpn rather than individual machines.The client vpn is a basic IPSec over UDP Cisco VPN to an ASA5505.So how would I configure another ASA to connect to this like its a client?
View 3 Replies
View Related
Dec 20, 2011
I have a asa 5505 Sec plus with 3vlan, inside, outside and dmz.
On the outside i have 5 ip's for my use, and in the dmz i have a webserver that need to communicate with one sql server on the inside.
The "sql" also needs to be accessible from outside and thus has a static nat with a dynamic nat so it replies from same ip as on nat ie 72.72.72.5 webserver is natted with 72.72.72.6
sql inside ip is 192.168.1.2, gw 192.168.1.1
webserver ip is 192.168.2.100 gw 192.168.2.1
sec lvl on inside is 100 and on dmz 50
with a dynamic policy running inside-net/24 to dmz-network/24 translagt to dmz 192.168.2.2 i can get it to ping 1 way from inside to dmz, but not the other way around...
All i need is to open 1 port ie 6677 both ways for this communication to work.
I'm not very familiar with the CLI and do most stuf in GUI (know i should learn CLI, but time doesnt let me)...
on access rules i have just added everything from any to any using , ip, icmp, tcp and udp just to be sure... :-)
View 47 Replies
View Related
Oct 9, 2012
I need to split a network: 10.0.4.0/24 into 3 subnets with the following hosts per subnet:
Subnet 1: 80 hosts
Subnet 2: 10 hosts
Subnet 3: 120 hosts
split into 3 subnets?
Im thinking something like this:
Subnet 1
Network 10.0.4.0
Subnet Mask 255.255.255.128
[Code].....
View 1 Replies
View Related
May 1, 2012
I need to split a client's current LAN into 2 LANs so that the staff's office computers and devices are not accessible to the residents/guests. They currently have a modem+router device that gets it's public IP via DHCP, a couple of switches and a wireless access point that both staff and residents connect to (same SSID). The catch is they don't have static public IPs and the modem+router device MUST keep the current LAN IP network schema (10.1.10.0/24) or the ISP won't provide technical support.
View 6 Replies
View Related
Aug 31, 2006
I want to configure a MAC address on my asa 5520 interface.I ask you if exist a private MAC address range?
View 5 Replies
View Related
Feb 10, 2013
I need to configure on a cisco catalyst 6509 two VACL. On cisco 6509 there are already two SPAN ports configured, there are problems configuring other two VACL?
These VACLs send traffic to a Traffic Analyzer (SIEM), there are particular configurations to facilitate the operation?
View 1 Replies
View Related
Nov 1, 2012
I have an ASA 5505 with 3 host license.I want to configure 2 outside interfaces and have inside interface. The outside interface going to a separate ISP.Will this work or do I need more licences?
View 3 Replies
View Related
May 14, 2012
how to configure AnyConnect on an ASA5505, but I wanted to check before to make sure I was going the right direction.
Setup: I have a very simple setup and basic goal. I currently just have one laptop on E0/1 of my ASA5505 and then the ASA configured with a static IP plugged to the Internet. I have the ASA correctly configured and can browse the web through the laptop. I also have the AnyConnect and AnyConnect Mobile licenses as well.
Goal: I want to set up AnyConnect on the ASA5505 and just establish a successful connection from an android mobile device running the necessary AnyConnect software from the market.
There are lots of guides for specifc set ups, but as described, I want to keep this as simple as possible.
[URL]
Also, I'm more comfortable with the CLI. Is it simpler to use the ASDM wizard for this?
View 2 Replies
View Related
Sep 12, 2011
I have a network that I want to split into 3 VLANs, One for the main traffic, another one for the kids so I can control the sites they visit via opendns and the 3rd for the playstation and the Wii. The catch is that I only want the kids network to access the printer and the NAS on the main network, and then the 3rd network not to be able to access the other 2 vlans. I am trying to perform this via a Cisco 871 router
View 1 Replies
View Related
May 23, 2012
What is the best way to install a split tunneling on a network, I got Cisco ASA 5510 with Cisco vpn clients.
View 1 Replies
View Related
Nov 4, 2012
My question is can I split my cable to create my own network? For example my direct cable wire into the home then split it to tv then router to my laptop...
View 1 Replies
View Related
Jan 29, 2013
I'm trying to do configuration archiving in Prime Infrastructure 1.2 with a 5508 WLC (7.4).The job always fails (Admin -> Background Jobs) with the following error (see attachement):"SNMP: Failed to establish SNMP connection xxxx - Cause: Device is Unreachable. Check the ReadOnly community string." I double checked the SNMP credentials, they do match. For testing I also added a Public community just for the PI. Same result.Am I missing something?Is this not intended for Wireless Controllers?
View 5 Replies
View Related
Apr 18, 2011
When using the connect to the internet wizard in SBS 2008 (CTIW) the server comes back with an error that it cannot communicate with the router.Are there any settings that need to be configured in the ASA 5505 to allow communications with SBS 2008 using Exchange Server 2007? I am using ASDM 5.2 at this time.
View 3 Replies
View Related
Aug 1, 2011
Is it possible to configure bridge mode in asa 5505 if it is can u provide me a config.
View 1 Replies
View Related
May 16, 2011
I just started at a new company and they want to use iphones in place of blackberry's, what a surprise. We have a exchange server and blackberry enterprise server. My question is how do I configure the cisco ASA to allow for iphone vpn connection and start replacing our blackberry's.
View 1 Replies
View Related
May 12, 2013
I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool. From outside (on VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN. I am available at any time if further information is needed. find attached my ASA config.
View 7 Replies
View Related
Sep 14, 2012
I have an ASA 5505 running 8.4.4.1. I've configured three WAN interfaces and have assigned failover on one of them (we have two ISP's, and a total of 3 static IP's in 3 different subnets). I've noticed that all the traffic is flowing through only one of the three interfaces, but I need to allow incoming https traffic on the second WAN port so I can access our Exchange server (we already use https on the first WAN port to access another server).
[code] WAN1 is the default outgoing route and we've configured several incoming services on it (smtp and https for example) and appears to be working properly as mail is coming and going and users can access the RDS gateway.I need to configure WAN2 to accept https traffic and send it to our Exchange server to enable OWA (webmail) access.I've configured the same Access and NAT rules on all three WAN interfaces for smtp (but I suspect only the first one is currently functioning at this point, I'll test it next chance I get). I thought all I'd have to do is configure an access and NAT entry on WAN2 (same as on WAN1), but direct the traffic to the OWA server instead of the rds gateway server, but it is not working.
In the realtime log I can see that it appears to be receiving the traffic on the WAN2 IP, but seems to be passing this through to the inside via the WAN1 interface.
View 5 Replies
View Related
Apr 18, 2012
How to configure this setup.I have an ASA5505 with dual wan failover, FiOS (eth0) & Cable (eth1). how to configure the port forwarding for all my devices so it doesn't matter what external interface the traffic is coming from. For example, I need web traffic on port 80 forwarded to 192.168.1.150 regardless of whether it is coming through eth0 or eth1.
View 2 Replies
View Related
Jul 5, 2011
I need to configure our ASA5505 firewall for remote access to our network using EasyVPN software installed on a laptop. That laptop will be connected in the different places, using DSL or 3G toggle or Public Wi-Fi. For some people it's very easy, but I don't have any experience with firewalls.
View 9 Replies
View Related
May 20, 2012
I'm trying to configure an 1142N AP + 2960-S + ASA5505 with wireless, vlans and trunking with no success. DHCP is provided from my DHCP-server on the inside.
View 4 Replies
View Related
Jun 21, 2012
ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of 168.87.3.4.I need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address (192.168.1.2) Everything I read tells me how to do this in a 1 to 1 static NAT.
View 1 Replies
View Related
Jan 5, 2012
i am trying to configure a site to site VPN with one of my remote offices.
I have used the ADSM Wizard to go through the steps, and i have added the necessary access rules. However, when i try and do a packet tracei get the following error (ad-drop) Flow is denied by configured rule. (see screen shot below)
View 5 Replies
View Related
Jul 10, 2012
Is there a way to be able to check from one computer on a network to another computer on the same network when both have been set up with NAT?
For example, computer 10.0.0.10 cannot ping 10.0.0.20 because NAT has been set up. Port forwarding does not seem to be an answer. Is it possible for NATted computers to be able to ping each other or not?
View 1 Replies
View Related
