I am new to networking and configuring a ASA 5505. I have one public IP and would like to know if I can Nat this ip to 2 private IP addresses. Both addresses will be passing similar traffic.
View 1 RepliesI have purchased a subnet of 8 private IP addresses from my ISP. 109.x.x.128/29.The ISP has placed a juniper router within our data centre which is routing purely from 109.x.x.206/30 to 109.x.x.128/29 with the ip of fa0/1 set to .129.
I have linked a cisco 5505 to fa0/1 of the juniper from fa0/0 and configured its IP to .130. I have configured NAT to translate our client pool 192.168.16.x /24 address' to the internet.
Is it possible for the 5505 to route / map my remaing private IP addresses through its external port? I have tried creating a seperate VLAN for a DMZ for our servers to sit within but am returned with a subnetting error as VLAN for my external port is all ready configured within the same subnet.
I have set up a private domain network at home. I have a domain controller, a DNS server, and a DHCP server all running on one Windows 2003 Server machine. I have about 10 other machines around the house, getting their IP addresses from this DHCP server.
I have a Netgear WNDR3700 router.
I am about to get 5 public IP addresses from my ISP, and I would like to make some of these machines publicly accessible (while still accessible from the other machines in the network).
I found this link that says on my web server (one of the public machines), that I should use a second NIC and set that up to connect to my router (and get a private IP address from my DHCP server).
On an 887VA running 15.x IOS, is there a way to support both public and private addresses on inside vlans? The outside interface is public static ip, so the requirement would be to not nat anything if coming from inside vlan10 but nat if coming from inside vlan20.I didn't think this was possible since the outside interface would have to use an outside nat command that would not be ignored for traffic coming from vlan10.
View 4 Replies View Relatedi have Cisco 5505 and i configured a remote VPN clients. here is my scenario
Cisco switch 2950 === holds two private network 192.168.8.x and 192.168.4.x
vlan 2 outside interface - Eth 0/0 155.155.155.x
Vlan 1 inside interface -- Eth 0/1 192.168.8.180
VPN pool ip address = 192.168.8.100 --110
I drag i cable from my Cisco switch and put in to Eth0/1. and i want to access this two private networks 192.168.4.x and 192.168.8.x . Now i can access to 192.168.8.x . But i can't access 192.168.4.x ..
We have a private network, multiple vlans etc. for our domain users/employees across several amenities. We also have a Public network, that we have managed by a 3rd party for guests/conference rooms/attendees.Private network is all static ips, mac restricted port security, as strict as possible from a security and PCI Compliance standpoint. The public network is all DHCP with hundreds of users. Having them physically separate has always been the best option. Separate switches, server, and I even have the uplinks separated on a 3825 router. However, unfortunately it seems as though that luxury is coming to an end.One of the meetings that is taking place is going to be at one of our outer amenities so I've got to push that "public" network through my network, over my backhaul to the other side.
My suggestion was to create a new vlan on the switches with the shortest path possible to get where it needs to go. This way the traffic never goes through our ASA, and it has a small footprint on our network, it plugs into the switch access port with the dedicated vlan at the entry point into our network, and leaves from an access port on the other end. To me that seems to be the best/most secure way to handle it. We're also in the process of rolling out Public Wifi through the entire property and since we'll want to push both Public and Private vlans over it....merging the two networks to a point is only inevitable. Especially since it will be going through a controller and the property covers a good 7000 acres.
A good IDS/IPS...other than already having port security on every port, I'd definitely like to know if somebody inadvertently cross connects the two networks and it starts flooding whatever vlan access port it's plugged in to with dhcp...especially since a lot of the laptop users on the domain are set to DHCP first with a static in the alternate for working at the office and remote.
i want to know if the new Catalyst 3750 Support Private Vlan ?
or any other small Switches
We have configured a Cisco ASA 5505 with AnyConnect access. This works great. However, these users cannot seem to ping devices on the private network. We have configured all devices on the network with a 10.10.10.0/24 address space. The inside interface of the ASA i 10.10.10.1/24 and the VPN return addresses are 10.10.10.50 - 10.10.10.65/24.They users can utilize SSH and Oracle or MySQL calls but cannot seem to ping. Obviously, I am over looking something.
View 2 Replies View RelatedI have created a PPTP VPN on a cisco 3745 router, and a pool of addresses for the VPN clients. Now i want to find a way to reserve the addresses in the pool for specific machines, for example, if machine A connects to the VPN it should always be given the IP address a.a.a.a and that address should never be assigned to any other machine even if machine A is not connected to the VPN.
View 1 Replies View RelatedI'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues). One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines. I'm having trouble getting that working properly with the new device.
After a lot of trial and error, I finally got some ports working, but only for some IP addresses. In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189). For historical reasons, the external IP of the device is .178. Only those NAT entries for .177, .178 and .179 are currently working. I've attached the configuration of the ASA, as well as the configuration of the old 1841. As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it. And it was working with the 1841 in place before its untimely demise.
One note - I am also having trouble getting the VPNs working, so they are a work in progress. That will account for some of the differences in the configs.
We have Cisco ASA 5505 box.We have a /29 subnet available.At this moment one of IP addresses in this rage is assigned to VLAN2 used for outside interface all outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1all outgoing traffic from VLAN20 (for visitors) will go out using second IP, xxx.xxx.xxx.2all outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using third IP, xxx.xxx.xxx.3all specified incomming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10 .The main purpose is to have specific public IP address for mail server only not to get to any black list,and to give visitors different outgoing IP address than for our internal users.
View 3 Replies View RelatedIf I ping a NAT'ed IP address configured on an ASA 5505, is it handled at the firewall (as far as priority) as if I were pinging the firewall interface itself, or the end device? The reason I ask is I am seeing waves of ping latency that I can relate to data transfers, but the nothing is even close to being maxed out as far as CPU, memory, or bandwidth. My guess is this is being handled by the ASA in software instead of in hardware.
View 0 Replies View RelatedI need to know the maximum number of MAC addresses that can be entered in to the MAC security filter list on the AP541N.I know it has a maximum number of 200 concurrent users, however the documentation does not specifiy whether this also applies to the MAC filter.
I have used wireless acces points in the past that allow hundreds of users but only allow 64 MAC addresses, so this is very important.
I have a customer thats got a Linksys router now, that has a DMZ port.The DMZ port is configurede to it routes the extra public ip-adress to the DMZ port it has.At the DMZ port they have another router connected, where they routes the public ip-adresses på some other devices.How can i make this setup on a Cisco ASA 5505 (With the Security Plus licens)What i have to do is to replace the Linksys router, and make it so, so it works like it was before with the Linksys.
View 5 Replies View RelatedIs it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2).
View 9 Replies View Relatedtrying to configure our ASA 5505 (hence my request for the ASDM). However, I can go CLI if push comes to shove.
What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.
I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.
I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)
To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?
I have an ASA 5505 with Security Plus License ?I have 5 Static IP Addresses from my ISP?I have the following interfaces. Outside (vlan 2) / Inside (vlan 1) / Guest (vlan 3)For my Vlan3 guest network I have set it up so that DNS must be routed through opendns.org's DNS servers ( for web filtering, etc ) However, its using the static ip that I have plugged into the ASA.
What I would like to accomplish is to put my inside interface (vlan1) on another static ip for outside access if thats possible, so that I can route those clients through opendns.org however however giving them more web privlieges than what the guest network is getting.
I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't suppport multiple vlans or trunking & they are only able to connect to one switchport on the ASA. He doesn't not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addesses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an ip range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to setup an internal network & I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.
View 3 Replies View RelatedI have a ASA 5505 that I test with which originally came with the Security Plus license. I recently erased flash and loaded the latest asa841-k8.bin version of IOS along with asdm-642.bin. Everything booted fine and came up as it does when freshly wiped however I noticed that i was now only running a base license. If I issue the sh activiation-key command, I noticed the following messages (full output is at the bottom):
The Running Activation Key is not valid, using default setting
......
This platform has a Base license.
......
Failed to retrieve flash permanent activation key
Did I somehow kill my Security Plus licensing when I did the erase flash? If so how do I recover it?
ciscoasa# sh activation-key
Serial Number: JMXXXXXXHU
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
[code]...
This platform has a Base license.Failed to retrieve flash permanent activation key.The flash permanent activation key is the SAME as the running permanent key.
I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network. Here is the basic layout:
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
I'm able to get onto the Internet without any problems. Devices from the 192.168.10x Network can not ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the Outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACL's but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small Network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted
[Code].....
We have Cisco ASA 5505 with ASDM 5.2 We have one Proxy server in our Local Lab and pointed to Hosted service(Simple Signal)issue is, When our proxy server send register to hosted server, ASA change private IP and post with outside IP and src port as 1063 every time.
Here is debug log on real time monitoring.
Aug 24 2011 05:21:19 302015 203.xxx.xxx.226 192.168.1.51 Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142)
Aug 24 2011 05:21:19 607001 203.xxx.xxx.226 Pre- allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message
Aug 24 2011 05:21:19 710005 203.xxx.xxx.226 99.xxx.xxx.107 UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063
Here 99.xxx.xxx.107 is Our ASA Outside IP address 203.xxx.xxx.226 is Hosted server IP address. My ASA config is attached.
I'm currently trying to configure a Site to Site tunnel between an IOS Router and an ASA 5505 running 9.1
When the private subnet of the IOS Router was 10.0.0.0/24 and the private subnet of the ASA was 172.16.1.0/24, it connected fine.
I'm now trying to set it up where both private networks are 10.0.0.0/24, and created network objects, edited the ACL for interesting traffic, and created the twice NAT translation rule, but the tunnels aren't coming up.
There is the IOS Router(R1) and the ASA(F2). In between them is one Internet posing router that is just set up to allow both sides to reach their WAN addresses.
R1 and F2 have private network (10.0.0.0/24) and need to communicate. Twice NAT can be done all on the ASA to allow this, but I must be doing something wrong. The way I understand it, is that the R1 should see the traffic coming from 10.51.0.0/24 and sending to that traffic. The ASA will take that traffic, and the inside network should see it come inbound as 10.50.0.0/24. So the F2 private network communicates with 10.50.0.0/24 and R1 private network sends traffic to 10.51.0.0/24.
I turned on "Debug crypto ipsec" and "debug crypto isakmp" but no output is showing up or giving any hint that it is trying to establish anything.
R1#show run
version 12.4
hostname R1
crypto isakmp policy 50encr 3desauthentication pre-sharegroup 2crypto isakmp key cisco address 10.2.0.254
[Code]......
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
In setup for old RV042 (V1), when updating / adding Mac addresses, the table is always sorted by IP addresses. But in the new oneRV042 (V3) I have, even with latest firmware 4.2.1.02 the list is random, thereby increasing the chance of user entering DUPLICATE IP addr with diff Mac addr. That will result in conflict.If the firmware sorts the DHCP entries by ip addresses, user would be able to catch duplicate ip errors even if the system does not flag the errors. All Cisco smart engineers can you all get the dhcp entries SORT by ip addresses.
View 2 Replies View RelatedI have ASA 5505 that has two inside security level 100 interfaces and an outside interface.On the inside interface we have corporate domain subnet with DC and 30 hosts. On the inside2 interface I have few servers that runs specific application important for our business needs, and dumb terminals that are connected to them.I have a laptop user that periodically needs access from our corporate vlan1 to one of the servers on inside 2 vlan via remote desktop or some other remote viewer client,so he can view reports etc.I have enabled same-security-traffic intra-interface command and added nat exempt command pointing specific laptop host machine to that specific server.
Now my main concern is regarding security. This user carries his laptop home, browses the web, puts USB memory, and you can imagine how this machine is susceptible to all kind of malicious software. Inside2 vlan is very important and until now it has been a very secure environment.This is no longer the case since all traffic between this inside sec level 100 vlan host and corresponding inside2 sec level 100 server is now allowed because of the enabled same level interface traffic and nat exemption rule. Do I have another solution that would allow communication based on just a tcp port number for this host? Something like port forwarding from outside to inside Vlan interface?
I save the configuration in the ASA 5505 using write memory or using copy run start but whe i unplug the power cord and plug it back in the ASA gets its factory default configuration.. then what i do is a copy start run to get the configuration active..
View 2 Replies View Relatedi have asa 5505 adaptive security plus. and i have only 3 vlans . outside , inside , DMZ restricted.so it's working fine but i want to connect to my inside another private network, or do i need to buy License.and how i can activate the license key.
View 4 Replies View RelatedI have got a working 5505 running 8.3.1 firmware and 6.3.1 ASDM.I have now purchased a second unit and ensured that both units are running the same firmware levels etc.
I have via the ASDM created a backup of the working units configuration, and now i want to load this configuration onto the second unit.I have connected the consiole cable up to the second unit and tried pasting in the contents of the configuration file but no joy.I want to ensure that my configuration will work on this unit before i configure the two units in Active/Passiove configuration.
I have an ASA5505 with Security Plus license so I can have many interfaces (not 2 + 1 limited DMZ like in base license)
I have 2 VLANs.Is it possible to use one ISP for VLAN 1 and other for VLAN 2 ? Is it limited to 2 ISP's or can have more ?
I try to configure my CISCO ASA 5505 for remote access vpn, and I encounter the following issue : Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding. [code]
View 2 Replies View RelatedI used my Pix config to setup the ASA 5505.Everything seems to be right. I used ASDM to view settings and it seems right. I am missing something minor, but I am going blind looking at it.
I can remote into the network from outside, but internatlly I cannot get out of network. No internet or email is passing through.
: Saved
:
ASA Version 8.2(5)
!
hostname textasa
domain-name testcorp.com
enable password 579oWRzSY5syo9yt encrypted
passwd 579oWRzSY5syo9yt encrypted
[code]....
I have a ASA 5505 which stops pretty early in the boot sequence.
This is all that shows up,
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
[Code].....
I have had the ASA 5505 set up for over 5 years, no problems. For some reason there is one website that my users cannot access. [url].... (173.161.122.9). Why it is being blocked.
[code]....