I have an ASA 5510 that uses RADIUS for authentication. What I am trying to do is assign each user that logs into VPN a specific static IP based on userid. I have about 30 to 50 users. I don't want to complicate this by having them select a different profile when logging into the ASA. What is a clean and simple way to assign users a static IP and not use the local database for login?
We have configured a site-to-site VPN tunnel from offshore to the client location using an ASA5510 and are accessing RDP from the client location. We also configured remote VPN access at the offshore location. But using the remote VPN client we are able to get RDP from the offshore location but not able to access RDP from the client location. Are there any additional changes required?
I have a customer that wants to purchase an ASA 5510 Security Plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy, which leads me to suggest a CSC SSM 20 Plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangeably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. Does the CSC module provide any web proxy functionality?
ASA 5510 Security Plus edition: will it support active/active failover? Does it support contexts with the Security Plus edition? And how many default contexts do we get with the ASA 5510 Security Plus edition?
I have my PIX 515E (8.0(4)24) configured for VPN access. In the VPN configuration, I am using an RA tunnel group configured to use Windows 2003 IAS to authenticate users against Active Directory based on group membership and using a local IP pool for address assignment. This all works fine. I got a request from a single user to have a static IP assigned from the pool. I read that one way you can do this is to get into the user properties in Active Directory for the user and in the dial-in tab tick the box for 'Assign a static IP address' to have it give the particular user a static address for VPN, but it does not work. What I would like the PIX to do is assign addresses from the local pool unless there is an address assignment configuration in RADIUS. Basically, does the PIX honor the IP assigned via RADIUS even if the tunnel group is configured for a local IP pool, or do I need to configure the tunnel group to use AAA address assignment for the AD dial-in config to work at all? Does the PIX function this way? I configured the user in AD for this but it does not work. I also have the no vpn-addr-assign aaa command enabled in there, which might be the whole issue. I will try to change this in the next window and see if it flies then. Just wanted to see if the PIX works this way or if I am way off here.
Initial setup with the RV220W completed without difficulty. I need to set up a static IP for one of the machines in the LAN (not a static IP for the WAN). I presume I use the static DHCP option, which allows me to select a particular IP for the machine I select based on its MAC.
1. My confusion stems from the manual stating that "the IP address that you pick should be outside the DHCP address range specified on the Networking > LAN (local network) > IPV4 (local network) page". Does that mean that the range on the IPV4 local network page should be modified to exclude the IP address that I want to use for the static IP, e.g. change the range from 1-255 to 1-200 and then use an IP of XXX.XXX.X.201 for instance? Or does that mean that as soon as I choose an IP on the Static DHCP page, it will be reserved for use only on that machine and not used for another machine on the LAN, without me having to do something else to exclude its use (i.e. does reserving a static IP automatically remove it from the range of IPs available to other machines)? If I simply set a static IP on the local machine by going to "change network adapter" settings, what's the likelihood that the router might use the same IP on another machine?
I have a laptop that travels a lot to different networks. I go to two different networks where I need to enter static network settings (wireless NIC). How the heck do you save these settings so I don't have to enter them all the time? I know you can save the network profiles, but does this save static settings assigned to the wireless NIC?
I have a Cisco 876 router running 12.4(15)T5, configured as a DHCP client. This works nicely.
A Cisco 886 router, running 15.1 software, also works with the DHCP client. This also works but has the following strange behaviour: in the running-config an ip route 0.0.0.0 0.0.0.0 <dhcp assigned address> appears. Also, some other static routes that are in the config using the dhcp keyword are duplicated with the dhcp-assigned address.
Now, when a write mem is done, these dhcp-generated route entries are stored in the startup-config...
This behaviour is completely different and VERY unwanted. After a change from the DHCP server the config will simply stop working, when a write mem was done in the first DHCP situation.
Should we stop using write mem commands when a DHCP client is active in IOS? Is it a bug? Is it a feature?
I have a couple of questions whose answers I can't google for a while. BTW, maybe I simply use the wrong approach to choosing keywords.
1) Is it possible to assign the same IP address to the same client each time it authenticates, preferably without using DHCP? I'm definitely sure that it's possible but can't find corresponding configuration examples (my device is a Cisco 1921 with IOS 15.0.1).
2) Is it possible to assign a dynamic crypto map to a loopback interface (the purpose is to make the EASY VPN server accessible through two interfaces; maybe you recommend another approach instead?)? As I move the working crypto map from the physical interface to the loopback, I can't connect, with reason "Phace1 SA policy proposal not accepted".
I'm trying to figure out how to get two 5510 ASAs to establish a site-to-site VPN. The version with two static IPs is working perfectly and stable, but I haven't figured out how to get a VPN running between a static and a dynamic IP.
I am looking for some resources on what steps would be involved in configuring a Cisco ASA 5500 when obtaining a new ISP. Since our static IP will be changing with the new ISP, I just need to know what configuration changes will need to take place. We currently have a working config with DSL, but are switching to cable. We are using a DMZ configuration, and are going to try using ASDM first since that should be easier.
I am not sure if this is something with my DHCP setup or not, but it certainly seems to be the culprit. I am running a 3560G and using it as DHCP and to do VLAN routing (Geiger protocol). I have 10 pools configured with a few static addresses per pool. Now to get down to the problem. I have a computer (and this problem seems to be a gremlin as it changes what computer is affected quite often) that will connect, get its IP, immediately disconnect, then send out a DHCP request again. The computer has a static assignment in the pool, and for the brief second that it connects, it gets the right address. If I move the computer to another VLAN, all works right. If I delete the static entry it will get an address in the right VLAN no problem. The command I have been using to add static entries is:
That seems to have been working on all my static routes except for a bank of computers in VLAN 3. I have gone as far as to delete the pool and recreate it; heck, I even recreated the VLAN and I am still having issues. Below are some snippets of the running config for review.
The DHCP pool for the affected LAN:
ip dhcp pool Dev3
 network 192.168.3.0 255.255.255.0
 bootfile bootx86wdsnbp.com
 next-server 192.168.1.78
 dns-server 192.168.1.8 192.168.1.78
[Code] .....
My dynamic ASA is trying to use a Cradle point 4G connection to a head-end ASA 5510. The remote end with the Cradle point 4G is not even initiating the tunnel! I need another set of eyes. It was initiating the tunnel last week but not completing the connection. Now it's not doing anything. I am going backwards. Below is my remote ASA config.
ASA5510(config)# sh run
: Saved
ASA Version 8.2(2)
hostname ASA5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]...
I have a laptop directly attached to the inside interface. The PC and ASA can ping each other. The test interface is the one I am trying to use. Does my default route need to point to 192.168.0.1? Or is the remote peer correct? I thought the remote peer was correct? The 4G modem is like a pass-thru device. If I connect my laptop to it I can get out to the internet.
I have an internal application which requires operators to have a static IP address. I'm looking for a way to do this for our VPN users. At the moment they are given a random DHCP address from a pool. Is there an easy way to get a static address assigned to VPN users on a Cisco ASA5510 AnyConnect VPN?
I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones
 host 10.81.220.90
object network LAN-10.81.220.0
 subnet 10.81.220.0 255.255.255.0
"sh run nat" output:
object network DrJones
 nat (inside,outside) static interface service tcp 4343 4343
object network LAN-10.81.220.0
 nat (inside,outside) dynamic interface
"sh run access-list" output:
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq 4343
I got remote offices connected to our DataCenter, some via MPLS and some via VPN terminated on a Cisco ASA 5510. I am running OSPF on the LAN and BGP for MPLS sites. To have reachability to VPN remote offices I added 'redistribute static' in OSPF, and to have reachability to sites connected via metro link I added 'redistribute connected'.
I have a 5510 that I have configured for L2TP over IPsec, not using AnyConnect. The first, and most prevalent, issue being: VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts. The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I've had two different CCNAs look at this numerous times to no avail. A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where I added the extra static NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittently from the internal 10.1.4.x network. [code]
One of our customers has asked us to NAT from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor-managed voice router.
Internet for everything else | | Inside ------------------------> ASA 5510 -----------------> Voice router ------> outside to public phone server only 10.10.1.0/20 10.10.1.7/320 172.16.20.1/24 Voice-------------------------> 172.16.20.0/24 172.16.20.254/24
Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using nonat ACLs. The phone server can only talk to the 172.16.20.0/24 network. So I need to NAT the 10.10.1.0/20 network to the Voice interface on the ASA, 172.16.20.254/24.
So I think I need the following static but I get the error below:
static (Inside,Voice) interface 10.10.0.0 net mask 255.255.240.0 WARNING: All traffic destined to the IP address of the Voice interface is being redirected. WARNING: Users will not be able to access any service enabled on the Voice interface. ERROR: Invalid net mask with interface option
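For the destination-based translation described above, an added example in pre-8.3 NAT syntax (the same family as the `static ... interface` command in the post); it is not the poster's config, and the phone server address 203.0.113.10 and the NAT policy ID 2 are assumptions:

```cisco
! Added example, not the poster's configuration. Assumes pre-8.3 NAT syntax
! and a public phone server at 203.0.113.10 (placeholder address).

! Match only Inside traffic that is headed for the phone server.
access-list INSIDE-TO-PHONE extended permit ip 10.10.0.0 255.255.240.0 host 203.0.113.10

! Policy PAT: sources matching the ACL are translated to the Voice
! interface address (172.16.20.254), the only network the phone server
! can reach. A "static ... interface" with a netmask cannot express this,
! which is what the error in the post is saying.
nat (Inside) 2 access-list INSIDE-TO-PHONE
global (Voice) 2 interface

! All other Inside traffic keeps its normal translation towards the Internet.
nat (Inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Caveat: NAT exemption (nat 0 access-list) is evaluated before policy NAT,
! so the existing nonat ACL for Inside <-> 172.16.20.0/24 must not also
! match traffic to 203.0.113.10, or the translation above is never used.
! Verify which rule a packet hits before trusting it in production:
packet-tracer input Inside tcp 10.10.1.50 40000 203.0.113.10 5060
```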
I have a question. I have an ASA5510 with IOS version 8.2. I have my firewall and behind it I also have a mail server, e.g. 192.168.1.x. When I send email from the inside network it doesn't show as if it's coming from the outside NATed public IP of my server but from the IP of the firewall. What am I missing? My example NAT statements are: Nat-control is disabled.
I have an issue, of two parts. The first part I believe I have figured out, just the second part I am unsure of. I have an ASA 5510; currently, there is a mail server that is static NAT'ed to one of my ISP routed IPs (not the IP of my main dynamic PAT/outside interface). I need to convert this over to PAT for ports 25, 80, 443, etc. (standard ports). I know I need to remove the static NAT statement and add in the PAT statements, but I need traffic from that machine to continue to go out the IP assigned to it by the static NAT. E.g.
184.108.40.206 <- main public IP on outside interface, everything gets internet through this IP
220.127.116.11 <-> 10.10.10.10 static NAT to mail server, secured with ACLs
I need to enable the mail server to continue to appear to the world as living on 18.104.22.168, due to MX records and rDNS settings, etc.
The terminology for this setup escapes me at the moment.
Only trying to have the mail server reachable via the secondary ISP link if the primary ISP link goes out. The public MX records with priority markings should make it so any outside host tries the first ISP address, then the second ISP address if the first is unavailable. I would be using object tracking to control the default gateway in the ASA. I'm just a bit fuzzy on the NAT with a dual ISP config on a single box. It shouldn't happen but... if traffic comes in on ISP2 while ISP1 is still up (and the current default gateway), that traffic should return out the ISP2 interface (using the ISP2 address and avoiding asymmetric routing) since there is already an existing connection present inside the ASA. Any server-initiated traffic would still use the current default gateway defined via object tracking on the ASA.
I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
ASA 5510: I'm trying to add a static NAT to allow access to an internal web server on my DMZ. I've added the config, however I'm still unable to get to it from the outside. I'm able to ping and browse the server from the LAN and I'm also able to ping the external interface from the outside, but just unable to browse. I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside".
I got a project where I have to provide NATed addresses to customers for the internal servers and I found out that the outside address range /27 is already in use. We are using a 5510 with ver 8.1. We can't use PAT here. Any other option to accomplish this task?
I have a problem viewing my security cam on my Android IP cam app. I forwarded a port on my router to my security cam, then fixed the security cam to have a static IP, but my computer, being on DHCP, changed IP after reboot, so I lost connection to the Android IP cam app. I read on a forum that if your camera is using DHCP, set up your router so that it always gives the same static IP address to the camera based on its MAC address, but where do you set this up on a Linksys E1000 router and on a Samsung Y, so I can view my security cam on my Android IP cam app?
This problem applies (in my case) to our ASA5510. The issue here is that the http service on the ASA is running off of the standard port 80. Log in to the firewall and run the following:
no http server enable
http server enable 8080
Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.
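An added example (not from this thread) that combines the port move above with the 8.3+-style static PAT and ACL used in the 8.4 post earlier on the page; the server address 10.0.0.20, the object name, the management subnet and the interface names are assumptions:

```cisco
! Added example, not the thread's configuration. Assumes ASA 8.3+ NAT syntax,
! an internal web server at 10.0.0.20 (placeholder) and interfaces named
! inside/outside.

! 1. Move ASDM/HTTPS management off the default port so that 443 on the
!    outside address is free for the forward, and keep management reachable
!    only from the inside management subnet.
no http server enable
http server enable 8080
http 10.0.0.0 255.255.255.0 inside

! 2. Static PAT: outside-interface:443 -> 10.0.0.20:443
object network WEB-SERVER
 host 10.0.0.20
 nat (inside,outside) static interface service tcp 443 443

! 3. From 8.3 onwards the interface ACL is matched against the REAL
!    (untranslated) address, so it names the object, not "interface outside"
!    as pre-8.3 configs did. Permit only the one forwarded port.
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 443
access-group outside_access_in in interface outside

! 4. Verify that the translation exists and that a packet from the outside
!    hits the static PAT and is allowed by the ACL (198.51.100.1 is a
!    placeholder client, OUTSIDE-IP stands for the outside interface address).
show nat detail
packet-tracer input outside tcp 198.51.100.1 40000 OUTSIDE-IP 443
```

If `show nat detail` reports zero translate hits after a test connection, check the ACL first: an ACL still written against the mapped address is the most common reason an 8.3+ port forward never builds a connection.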
At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.