Cisco Security :: ASA 5510 Client Static IP

Sep 28, 2011

I have a ASA 5510 that uses Radius for Authentication.  What I am trying to do is assign each user that logs into VPN to have a specfic static IP based on userid.  I have about 30 to 50 users.  I don't want to complicate this by having them select a different profile when logging into the ASA.  What is a clean and simply way to assign user static ip and not use local database for login?

View 1 Replies


Cisco Security :: RDP Access For Remote VPN Client On ASA 5510?

Jan 17, 2011

We have configured site to site VPN tunnel from offshore to client location using ASA5510 and accessing RDP from client location. Also configured remote VPN access at offshore location. But using remote VPN client we are able to get RDP from officeshore location but not able to access RDP from client location. Is there any additional changes required ?

View 4 Replies View Related

Cisco Firewall :: 5510 Security Plus To Terminate Client VPN Access For External Support Team

Aug 7, 2012

I have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. does the CSC module provide any web proxy functionality?

View 3 Replies View Related

Cisco Security :: How Many Default Context In ASA 5510 Security Plus Edition

Aug 8, 2006

ASA 5510 security plus edition will it support active/active failover. and does it support context with securiyt plsu edition. and how many default context do we get with asa 5510 security plus edition.

View 3 Replies View Related

Cisco VPN :: PIX 515E VPN Client Static IPs?

May 13, 2013

I have my PIX 515E (8.0(4)24) configured for VPN access. In the VPN configuration, I am using an RA tunnel group configured to use Windows 2003 IAS to authenticate users against active directory based on group membership and using a local IP pool for address assignment. This all works fine. I got a request from a single user to have a static IP assigned from the pool. I read that one way you can do this is to get into the user properties in Active Directory for the user and in the dial-in tab tick the box for 'Assign a static IP address' to have it give the particular user a static address for VPN, but it does not work. What I would like the PIX to do is assign addresses from the local pool unless there is an address assignment configuration in RADIUS. Basically does the PIX honor the IP assigned via RADIUS even if the tunnel group is configured for a local IP pool or do I need to configure the tunnel group to use AAA address assingment for the AD dial-in config to work at all? Does the PIX functions this way? I configured the user in AD for this but it does not work. I also have the no vpn-addr-assign aaa command enabled in there which might be the whole issue. I will try to change this in the next window and see if it flies then. Just wanted to see if the PIX works this way or if I am way off here.

View 5 Replies View Related

Cisco Routers :: Setting Up Static IP For Client Rv220W

Dec 16, 2011

Initial setup with RV220W completed without difficulty,Need to set up static IP for one of the machines in the LAN (not static IP for WAN),I presume I use the static DHCP option, which allows me to select a particular IP for the machine I select based on it's MAC,1. My confusion stems from the manual stating that "the IP address that you pick should be outside the DHCP address range specified on the Networking> LAN(local network)>IPV4(local network)page".,Does that mean that the range on the IPV4 local network page should be modified to exclude the IP address that I want to use for the static IP..e.g. change the range from 1-255 to 1-200 and then use an IP of XXX.XXX.X.201 for instanceor does that mean that as soon as I choose an IP on the Static DHCP page, that if will reserved for use only on that machine and not used for another machine on the LAN, without me having to do something else to exclude it's use (i.e. does reserving a static IP automatically remove it from the range of IPs available to other machines)If I simply set a static IP on the local machine by going to "change network adapter" settings, what's the liklihood that the router might use the same IP on another machine.

View 2 Replies View Related

Saving Client Static Network Settings?

Jan 23, 2011

I have a laptop that travels alot to different networks. I go to two differnent networks where I need to enter static network settings (wireless nic). How the heck do you save these settings so I don't have to enter them all the time. I know you can save the network profiles but does this save static settings assigned to the wireless nic?

View 3 Replies View Related

Cisco WAN :: 876 - DHCP Client Injects Static Routes In Config

Aug 8, 2012

I have a Cisco 876 router running 12.4.(15)T5, configured as DHCP client.  This works nicely.
A Cisco 886 router, running 15.1 software also works with the DHCP client.  This also works but has the following strange beheaviour: In the running-config an ip route <dhcp assigned address> appears. Also - some other static routes that are in the config using the dhcp keyword are duplicated with the dhcp-assigned address
Now - when a write mem is done, these dhcp-generated route entry's are stored in the startup-config...
This beheaviour is completely different and VERY unwanted.  After a change from DHCP server the config will simply stop working, when a write mem was done at the first DHCP situation.
Should we stop using write mem commands when a DHCP client is active in IOS?  Is it a bug? Is it a feature?

View 1 Replies View Related

Cisco VPN :: Configure Static IP Address In Remote Client ASA 5500?

Aug 13, 2011

i am trying to configure static ip on remote client user side , i am using the following doc as an example but i am not getting the ip which i am mentiong in the user .[url]...

View 10 Replies View Related

Cisco VPN :: 1921 Loop Back Interface / Static IP Address For Client

Nov 17, 2012

I have a couple a questions answers on which i cant google for a period. BTW maybe i simly use wrong aproach to choose keywords.

1)  Is it possible to assign same ip address to the same client each time  it authenticated, preferably without using DHCP? Im definely sure that  it possible but cant find corresponded configuration examples (my device  is Cisco 1921 with IOS 15.0.1).
2)  Is it possible to assign dynamic crypto map to loopback interface (the  purpose to make EASY VPN Server accessible through two interfaces -  maybe you recommend other approach instead?) - as i move workingcrypto  map from phy int to loopback - i cant connect with reason "Phace1 SA  policy proposal not accepted"

View 3 Replies View Related

Cisco :: Site-to-Site From 5510 To 5510 One Dynamic One Static IP?

May 26, 2011

I'm trying to figure out how to get two 5510 ASA's to establish a Site-to-Site VPN.The version with two static IP's is working perfectly and stable but I haven't figured out how to get a VPN running between a static and a dynamic IP

View 12 Replies View Related

Security / Firewalls :: Static IP Will Be Changing With The New ISP?

Apr 27, 2011

I am looking for some resources on what steps would be involved in configuring a Cisco ASA 5500 when obtaining a new ISP. Since our static IP will be changing with the new ISP, just need to know what configurations changes will need to take place. We currently have a working config with DSL, but are switching to cable. We are using a DMZ configuration, and are going to try using ASDM first since that should be easier

View 3 Replies View Related

Cisco Switching/Routing :: 3560 G - Static DHCP Client Drops Connection

May 31, 2012

i am not sure if this is something with my DHCP setup or not, but it certainly seems to be the culprit.  I am running a 3560G and using it as DHCP and to do V LAN routing (Geiger protocol).  I have 10 pools configured with a few static addresses per pool.  Now to get down to the problem.  I have a computer (and this problem seems to be a gremlin as it changes what computer is affected quite often) that will connect, get its IP, immediately disconnect, then send out a DHCP req again.  The computer has a static assignment in the pool, and for the brief second that it connects, it gets the right address.  If i move the computer to another v lan, all works right.  If i delete the static entry it will get an address in the right v lan no problem.  The command i have been using to add static entries is:

address client-id 01xx.xxxx.xxxx.xx
That seems to have been working on all my static routes except for a bank of computers in vlan3.  I have went as far as to delete the pool and recreate it, heck i even recreated the v lan and i am still having issues.   Below are some snippets of the running config for review.
The DHCP Pool for the affected LAN:
ip dhcp pool Dev3
boot file
dns- server
 [Code] .....

View 4 Replies View Related

Cisco VPN :: ASA 5510 - Static To Dynamic Via 4G

Mar 17, 2013

My dynamic ASA is trying to use a Cradle point 4G connection to a head end ASA-5510.  The remote end with the Cradle point 4G is not even initiating the tunnel! I need another set of eyes.  it was initiating the tunnel last week but not completing the connection.  Now its not doing anything.  i am going backwards.  Below is my remote ASA config.
ASA5510(config)#  sh run
: Saved
ASA Version 8.2(2)
host name ASA5510
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
I have  a laptop directly attached to the inside interface.  The PC and ASA can ping each other. The test interface is the one I am trying to use. Does my default route need to point to  Or is the remote peer correct?  I thought the remote peer was correct? The 4G modem is like a pass-thru device. If I connect my laptop to it I can get out to the internet.

View 3 Replies View Related

Cisco VPN :: ASA 5510 - Getting Static IP On AnyConnect VPN

Apr 17, 2013

I have an internal application which requires operators to have a static IP address.  I'm looking for a way to do this for our VPN users.  At the moment they are given a random DHCP address from a pool.  Is there an easy way to get a static address assigned to VPN users on a Cisco ASA5510 any connect VPN?

View 3 Replies View Related

Cisco Security :: ASA 5505 8.41 Dynamic NAT / Static Configuration

Apr 17, 2011

I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones host network LAN- subnet
"sh run nat" output:
object network DrJones nat (inside,outside) static interface service tcp 4343 4343object network LAN- nat (inside,outside) dynamic interface
"sh run access-list" output:
access-list inside_access_in extended permit ip anyaccess-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit tcp any interface outside eq 4343

View 6 Replies View Related

Cisco WAN :: Asa 5510 Redistribute Static Options

May 24, 2012

I got remote offices connected to our DataCenter some via MPLS and some via VPN terminated on Cisco ASA 5510. I am running OSPF on LAN and BGP for MPLS sites. To have reachability to VPN remote offices  I added 'redistribute static in OSPF' and to have rechability to sites connected via metro link i added 'redistribute connected' 

View 5 Replies View Related

Cisco VPN :: 5510 - L2TP Over IPSEC Static NAT

May 22, 2013

I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect. The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface.  I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.  The second issue involves DNS.  I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS.  What is the workaround for using split tunneling AND internal DNS servers, if any?
i've had two different CCNA's look at this numerous times to no avail.  A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd.  You can see in the config where i added the extra STATIC NAT to try and fix the issue.  And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network. [code]

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Static VLAN NAT

Mar 9, 2012

One of our customers has asked us to Nat from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor managed voice router..
                                Internet for everything else
Inside ------------------------> ASA 5510 -----------------> Voice router  ------>  outside to public phone server only                    
Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using non at acls. The phone server can only talk to the network. So I need to nat the network to the Voice interface on the ASA
So I think I need the following static but I get the error below:
static (Inside,Voice) interface net mask
WARNING: All traffic destined to the IP address of the Voice interface is being redirected.
WARNING: Users will not be able to access any service enabled on the Voice interface.
ERROR: Invalid net mask with interface option

[Code] .......

View 5 Replies View Related

Cisco VPN :: ASA 5510 - VPN Between Remote Site And Static IP

Nov 11, 2011

I have a Cisco ASA 5510 with static IP and a Remote site with dynamic IP and i want to setup VPN between these 2 sites. i tried it many times but it doesn't come up.
I want to know how to do it?

View 3 Replies View Related

Cisco Firewall :: Static Nat On ASA 5510 IOS Version 8.2

Feb 19, 2012

have a question. I have a ASA5510 with IOS version 8.2 . I have my firewall and behind it also have a mail server eg 192.168.1.x. When i send email from inside network it doesn't show as if it's coming grom the out side nated public IP of my server but IP of firewall. What am i missing my example nat statements are . Nat-control is disabled.
static (inside,outside) 196.68.99.x 192.168.1.x netmask
access-list inbound extended permit tcp any host 196.68.99.x eq 225
accesslist outbound extended permit host 192.168.1.x host 196.68.99.x

View 9 Replies View Related

Cisco Firewall :: 5510 - Convert Static NAT To PAT

May 27, 2013

I have an issue, of two parts. The first part I believe I have figured out, just the second part I am unsure of. I have an ASA 5510, currently, there is a mailserver that is static NAT'ed to one of my ISP routed IPs (not the IP of my main Dynamic PAT/Outside interface).  I need to convert this over to PAT for ports 25,80,443, etc  (standard ports).  I know I need to remove the static NAT statement and add in the PAT statements, but I need traffic from that machine to continue to go out the IP assigned to it by the static NAT.
E.G. <- main public IP on outside interface, everything gets internet through this IP <-> static NAT to mailserver, secured with ACLs
I need to enable the mailserver to continue to appear to the world as living on, due to MX records and rDNS settings, etc...

The terminology for this setup escapes me at the moment. 

View 2 Replies View Related

Cisco :: Dual ISP On A 5510 With Static Nat To A Mail Server?

Sep 2, 2011

Only trying to have the mail server reachable via the secondary ISP link if the primary ISP link goes out. The public MX records with priority markings should make it so any outside hosts tries the first ISP address then the second ISP address if the first is unavailable. I would be using object tracking to control the default gateway in the ASA. I'm just a bit fuzzy on the NAT with a dual ISP config on single box.It shouldn't happen but... if traffic comes in on ISP2 while ISP1 is still up (and the current default gate) that traffic should return out the ISP2 interface (using the ISP2 address and avoiding asymmetric routing) since there already an existing connection present inside the ASA. Any server initiated traffic would still use the current default gateway defined via object tracking on the ASA.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Static NAT For Outside Access Not Working?

Sep 19, 2011

I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
4    Sep 20 2011    16:20:33        fw_outside_ip    62678    outside_host    2001    Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]
When I try to use the packet tracer to simulate the outside traffic, I get the following
5    Sep 20 2011    16:17:41        inside_host    2001            Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure
I've got over my NAT statement and access rule and can't find anything wrong with either.
Here are the pertinent NAT and access rule...
static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask
access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001

View 5 Replies View Related

Cisco WAN :: 5510 To Add A Static Nat To Allow Access To Internal Webserver

Mar 20, 2011

ASA 5510I'm trying to add a static NAT for to allow access to an internal webserver on my DMZ.  I've added the config, however i'm still unable to get to it from the outside.  I'm able to ping and browse the server from the LAN and I'm also able to ping the external interafce from the outside, but just unable to browse.I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside"

View 0 Replies View Related

Cisco :: 5510 - Static NAT Required But Outside Pool Already Exhausted

Mar 10, 2012

I got a project where I have to provide NATTED addresses to customers for the internal servers and I found out that the outside address range /27 already in use. We are using 5510 with ver 8.1. We cant use PAT here. Any other option to accomplish this task.

View 1 Replies View Related

Cisco Firewall :: 5510 8.3 (1) Static Nat For Web Servers And FTP Server As Well

Sep 13, 2011

I got the charge of a ASA 5510 running with 8.3(1) version.Found that this is simple config with Patting for inside host and couple of Static Nat for web servers and FTP server as well.
There is lots of other configuration being done,I assume for the purpose of just R&D by the previous administrator.I need to understand if the following Nat statements holding any relevance?
Where we are running Only  NETWORK_OBJ_192.168.0.0/23 subnet at inside and there is no other subnet defined in rest of the statements.i.e and doesn't exist at all.

View 1 Replies View Related

Cisco Security :: ASA5505 To Allow SMTP Relay And ACL Static Created Is Not Working

Dec 30, 2011

I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working. [code]

View 3 Replies View Related

Linksys Wireless Router :: E1000 Static IP Address For Security Cam App

May 2, 2012

I have a problem viewing my security cam on my android IP cam app.I forwarded port on my router to my security cam then fixed security cam to have a static IP but my computer being on DHCP, after reboot changed IP, so I lost connection to android IP cam app.I read on a forum,that If your camera is using DHCP,setup your router so that it always gives the same static IP address for the camera based on it's MAC address but where do you set this up a Linksys E1000 router & on Samsung Y? so I can view my security cam on my android IP cam app.?

View 9 Replies View Related

Cisco Firewall :: Unable To Reserve Port 443 For Static PAT In Asa 5510

Jul 15, 2011

This problem applies (in my case) to our ASA5510. The issue here is that the http service on the ASA is runnnig off of the standard port 80. Login to the firewall and run the http server enable http server enable 8080,Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.

View 1 Replies View Related

Cisco Firewall :: 5510 - Static NAT Required But Outside NAT Pool Already Exhausted

Mar 10, 2012

I  got a project where I have to provide NATTED addresses to cutomers for  the internal servers and I found out that the outside address range /27  already in use. We are using 5510 with ver 8.1. We cant use PAT here.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Static Route By Interface Or Destination

Sep 21, 2011

Is it possible to assign a static route to an interface and not globally on a ASA 5510 ver 8.3.
I have two links between my offices one for Data via a VPN and one for video traffic which is a secure connection with QOS end to end.
All interfaces are on the same security level of 100 except Outside which is 0.
Office 1 Interfaces ASA 5510
VLAN  1               vOffice1Data
VLAN  3               vOffice1Video
VLAN 5                vInterOffice     (QOS  connection Between Offices)


At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Static Route Tracking

May 15, 2013

I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do

   route isp2  0 0  yy.yy.yy.yy  50
   route isp1  0 0  xx.xx.xx.xx  31  track 1
   route isp1  0 0  xx.xx.xx.xx  32  track 2
   route isp1  0 0  xx.xx.xx.xx  33  track 3

the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?

View 1 Replies View Related

Copyrights 2005-15, All rights reserved