Cisco Security :: ASA 8.4.1 Destination Address NAT?

Jul 15, 2012

I have a situation where I have a deployed ASA 5505 running 8.4.1. The client has an existing mail server that is located on their LAN and has port NATs configured for the normal mail ports: 25, 110, 993, 587, etc.

This works fine for mail inbound and for any user popping mail off the server externally or visiting the webmail interface from outside the network. However, when users inside the LAN try to connect through the ASA back inbound to the IP on the external interface of the ASA, they are unable to do so.

One solution I came up with is split DNS, and while this works, it relies on the users not changing their DNS servers. I was wondering if it's possible to do some sort of NAT that rewrites traffic destined for the above ports on the external IP to the internal LAN IP instead.

View 1 Replies



Cisco WAN :: Why Is Destination An RFC1918 Address

Mar 13, 2012

Here is a snippet from "show ip cache flow", from a border router of our network; [code] To clarify, Gi0/3 faces our customers, Fa1/0 faces a transit provider. These results have come from configuring "ip flow egress" on Fa1/0, facing the transit provider. 1.2.3.4 is a static IP we have assigned a customer. I know this customer has a firewall terminating this connection so I want to understand the cache flow results on this route. Why is the destination address an RFC1918 address? Is it possible that the customer's firewall is trying to connect to these addresses, the flow gets as far as this border router, and drops? I assume that to be false, and only successfully initiated flows are recorded?

Also, looking at those figures it's IP protocol 0x11 which is UDP (17) and source port 62023 to destination port 161. 161 is SNMP? Without asking the customer what they are doing I suppose I can never know at that level, but I'm really more interested in why these flows are showing at all, when 192.168.1.0/24 isn't in this router's FIB?

View 2 Replies View Related

Cisco VPN :: ASA 5510 - NAT Destination Address Through VPN?

Feb 25, 2012

I am trying to perform destination NAT through a VPN tunnel. My scenario: traffic coming from 172.29.11.135 needs to connect to address 192.168.1.1. From the source device, traffic will have a source IP address of 172.29.11.135; the destination will be 172.30.14.1. Traffic will hit the ASA 5510, and the traffic source will stay as 172.29.11.135, but the destination needs to change to 192.168.1.1.

I have tried the different types of NAT but been unsuccessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
 
example config
access-list FROM_INTERNET extended permit esp any any
access-list FROM_INTERNET extended permit ah any any
access-list FROM_INTERNET extended permit gre any any
access-list FROM_INSIDE extended permit ip host 172.29.11.135 host 172.30.14.1
access-list VPN-TUNNEL extended permit ip host 172.29.11.135 host 192.168.1.1
 
**I have left other config statements off as the NAT config used previously has not worked and the VPN tunnel does build when using NAT exempt.

**All ACLs have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static route for the VPN traffic, allowing the default static to perform that function.

View 1 Replies View Related

Cisco VPN :: 5510 - Multiple L2L Ipsec To Same Destination (ip Address)

Jan 23, 2012

I'm looking to establish multiple L2L IPsec tunnels (one tunnel for each subnet) from my Cisco ASA 5510 to the same destination. Should the Cisco ASA be capable of this?

View 6 Replies View Related

Cisco Switching/Routing :: 2600 / Destination IP Address Redirection

Jul 9, 2012

I have a Cisco 2600. I would like to know how to redirect traffic going to a certain IP address three hops away to an IP address on a locally connected segment.

Ex. Packet leaves a device with source IP of 10.10.10.10 and destination of 20.20.20.20. When the packet hits the router (10.10.10.1) I want the router to redirect the destination of 20.20.20.20 to 30.30.30.30 (locally connected segment).

The router has two physical interfaces. I am thinking along the lines of creating a VLAN with an IP of 30.30.30.1 and then doing a NAT translation from 20.20.20.20 to 30.30.30.30.

View 3 Replies View Related

Cisco WAN :: RS485 / BSTUN Multi-point (ASYNC) / Set The Destination Address?

Sep 26, 2012

Transport the serial0 and serial1 from a remote router to a local router at its local serial0 interface. The routing mechanism is very easy, it is like an RS485: incoming data at the local router is transmitted to the remote serial0 and serial1. If some data comes in at the serial0 or serial1 at the remote, this data travels to the local and is printed into the local serial0. Remote Serial0 and Serial1 end at the local Serial0. The local Serial0 starts and ends at the remote Serial0 and Serial1. Both serials are RS-232 (is an async-protocol group). The RS-232 protocol is UNADDRESSED. The application is a back-up serial link.
 
My Config is:

LOCAL R236: 
bstun peer-name 192.168.33.236
bstun protocol-group 10 async-generic
 interface serial0
physical-layer async

[code]....
 
If I debug the BSTUN PACKET:

*Mar  7 02:31:18.182: %BSTUN-3-NOPEER: No peer configured to route frame with destination address 0 (bstun group 10)
 
At the Cisco IOS Software System Error Messages ARAP Error Messages Manual notes:
 
BSTUN-3-NOPEER: No peer configured to route frame with destination address [chars] (bstun group [dec])

Explanation: A BSTUN route has not been configured for the frame with a destination address.

Recommended Action: If this message appears while you are debugging BSTUN, it indicates that no specific BSTUN route has been configured for the frames being received with the device address listed in the packet debug trace. You may choose to configure a BSTUN route, or ignore this message.

I know that the address must be contained in the frames that come in at the serial port interface; I mean the router forwards the frames if they have some BYTE at the start that indicates the address of a remote device, so I guess that this routing mechanism uses that byte to select the remote router. But if I set the address at the local and remote router, is the router not the one who must include its own address in the frame? If I set a point-to-point link, the only way if I want to transport more than 1 link? For now the only way is to set TWO groups and set one for the first link and the other for the second (Serial0--Group1--Serial0 and Serial1--Group2--Serial1). The router does not let me set the same group and the same route. Where at the serial interface do I set the LOCAL ADDRESS for a BSTUN protocol?

View 3 Replies View Related

Security / Firewalls :: Some Of IP Address Is Shunned?

Aug 26, 2012

I'm working with Cisco ASDM 6.1 for PIX. I want some IP addresses not to be shunned, so I provided a list of addresses which should not be shunned in threat detection, but some of the IP addresses are still shunned.

View 1 Replies View Related

Cisco Security :: Mac Address Bypass Not Working On 3560G

Jul 18, 2012

I'm trying to configure MAB on a Cisco 3560G to work with FreeRADIUS.
  
I have been assured that my RADIUS configuration is fine and the server is functioning properly.
 
This is my current switch config:
 
Header 1 
!
version 12.2
no service pad

[Code].....

View 2 Replies View Related

Cisco Routers :: RVS4000 - Security Log Could Be Set To Display Web / DNS Address

Dec 27, 2012

I read somewhere that the security log could be set to display web address vs DNS address. How do I adjust this?

View 1 Replies View Related

Cisco Security :: C3800 / Filter Traffic By Mac Address?

Jan 23, 2011

Is it possible to configure a Cisco router like the C3800 or Catalyst switches like the C4500 or C2960 to filter traffic based on allowable MAC addresses only? I would like to allow only those devices that belong to the domain, meaning if a user connects a computer or any network device whose MAC address I have not allowed, it will be denied access to the network. However, any of the allowable devices should be able to use any port of the switch, meaning I don't want to associate an allowable MAC address with a physical port on the switch.

View 2 Replies View Related

Security / Firewalls :: Cisco ASA 5520 - Mac Address On Servers And Switches

Dec 16, 2011

I am having some challenges on my DMZ network. My servers and Cisco switches in the DMZ are picking up the MAC address of the firewall (Cisco ASA). I have put some static ARP entries on the firewall and switches, but the servers and users on the DMZ are still receiving the MAC address of the firewall. How can I stop the firewall from changing the MAC addresses of the devices on the network? My ASA is a 5520 and I have 2960 switches.

View 4 Replies View Related

Cisco Security :: 5505 Outside Traffic Not Destined For Outside Address Showing Up

Apr 11, 2011

why I would be getting traffic on my outside interface that has a destination address which is not my assigned outside address? I recently set up my ASA 5505 on the network and gave it an available outside address of say 192.x.x.250 on interface vlan 100. When I assign vlan 100 to e0/0 and bring the port up, I start seeing lots of traffic pour into the ASDM Syslog with various destinations belonging to my subnet but that are not actually destined for my specific outside address of 192.x.x.250. They are showing a destination of say 192.x.x.85 or 192.x.x.29.

View 3 Replies View Related

Cisco Security :: V6.3.1172.4 - Change Email Address Of Administrator?

Oct 24, 2012

I am running v6.3.1172.4 of InterScan for Cisco CSC SSM.  The previous administrator has left and I need to change the email address that email notifications go to.  I click "Administration", then I click "Notification Settings" and type over the previous admin's email address. 

When I click the "Save" button, I get:
 
The email address entered was not recognized.  Verify the syntax and try again.

View 2 Replies View Related

Security / Firewalls :: Linksys WRT54G - Set Up Mac Address Filter?

Jul 31, 2011

I have a Linksys WRT54G router. I am trying to set up my internet connection so only my approved MAC addresses can connect. I set everything up. I purposely excluded my laptop from the list to see if I did it right, and I guess I didn't because my laptop is still able to connect to my network.

View 7 Replies View Related

Cisco Security :: 3355 Unable To Login Through GUI (Virtual IP Address) For NAC HA Pair

Feb 22, 2011

I have configured 3355 NAC appliances in an HA pair; everything is running fine. But I am not able to log in through the GUI (Virtual IP) which is used during the configuration of the HA pair.

View 1 Replies View Related

Linksys Wireless Router :: E1000 Static IP Address For Security Cam App

May 2, 2012

I have a problem viewing my security cam on my Android IP cam app. I forwarded a port on my router to my security cam, then fixed the security cam to have a static IP, but my computer being on DHCP, after reboot it changed IP, so I lost connection to the Android IP cam app. I read on a forum that if your camera is using DHCP, set up your router so that it always gives the same static IP address for the camera based on its MAC address, but where do you set this up on a Linksys E1000 router and on a Samsung Y, so I can view my security cam on my Android IP cam app?

View 9 Replies View Related

Cisco Switching/Routing :: ME3600X Is Switchport Port-security Mac-address Sticky Available

May 5, 2012

Our customer has a Cisco ME3600X with the IOS me 360x-universalK9-mz.122-52.EY3. They are saying that it is not possible to configure "switchport port-security mac-address sticky" on the interfaces and want to know whether any additional license is needed. As far as I know there isn't any extra license to activate this feature, and I also believe the ME3600 switch should have this feature with the universal IOS, isn't that right?

View 1 Replies View Related

Wireless Home Network With Verizon Internet Security - Changing IP Address?

Dec 24, 2011

I have Verizon FiOS internet and a wireless home network with Verizon Internet Security, and I want to change my IP address on my laptop.

View 6 Replies View Related

Cisco Switching/Routing :: 3560 Port Security Triggers With Valid Mac Address During Power On

Feb 28, 2013

I have 2 3560 switches that are running 12.2(25)SEE2. Port security is enabled on some of the ports. Whenever there is a power failure, when power is restored, 1 port on each switch goes to err-disabled. The mac address that causes this is a valid address for that port. Below is the configuration on one of the ports.

View 1 Replies View Related

Cisco Security :: ASA-5540 / UI - Send Command ASDM Location (network Object IP Address) To Device

Dec 17, 2007

Whenever I create a network object in ASDM 6.0(3), the UI also wants to send the command 'asdm location (network object IP address)' to the device. What is the purpose of 'asdm location ....'? Is it telling the ASA-5540 that the IP address is allowed to connect to the device using ASDM? If that is the case, why does 'asdm location xxx.xxx.xxx.xxx' get generated for every network object I create?

View 3 Replies View Related

Linksys Wireless Router :: E4200 - Acquiring Network Address In WAP / WAP2 Security Settings

Sep 11, 2011

I have an E4200 with fixed IP 192.168.1.2, DHCP off, connected through LAN ports to a FiOS ActionTec as 192.168.1.1. When connecting through the wireless network off the E4200, I can obtain an address and connect fine under the Guest network and WEP security, but for any other security setting (WPA, WPA2, Mixed mode, etc.) I get the message "Acquiring network address" forever, and I never get a connection.

View 1 Replies View Related

Cisco :: ASA Same Source And Destination

Jul 24, 2011

I have a situation which requires some non-best-practice stuff to be done. There is a box behind an ASA that has a lot of code that references public DNS names and therefore needs access to itself and a number of other boxes on the same subnet via the public DNS names (that obviously resolve to public IPs). This traffic is dropped on some pretty fundamental ASA characteristics. I know this isn't really ideal, and it should be handled by DNS instead, but I'm in somewhat of a bind and need to know if the ASA can allow this traffic. I figure I could match the traffic and exempt it from state-checking and that would probably work, but it's not a very graceful solution.

View 2 Replies View Related

Cisco :: No Valid Route For Destination?

Feb 27, 2013

I configured DNS on the router with this command: ip name-server 4.2.2.2
When I tried to ping www.google.com, it is showing no valid route:

Translating "www.google.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2800:3F0:4001:807::1013, timeout is 2 seconds:

View 9 Replies View Related

Cisco :: How To Use Route-map To Change Destination IP

Aug 2, 2012

a) One router with two Ethernet interfaces (LANs) and a serial interface. The serial interface is connected to the internet; dynamic NAT is used for hosts in the two LANs. A web server has a private address of 172.168.50.10 and it is being translated to the internet with the serial interface's 68.32.x.x (public IP) with static NAT. Clients on the internet type the public address to access the web server.

b) Problem: clients inside the LANs cannot access the web server by typing the public address; they use the server's private address instead. This creates a problem with DNS static entries in the HOSTS file in the OS. It is a test server and is only available to authenticated users (lock and key ACLs), so there is no need to make a real DNS record. The entry in the HOSTS file points to the public address.

c) Question: how can I create a route map to change the public address in the HOSTS file to the private address of the test web server every time a user in the LANs types the domain name?

View 6 Replies View Related

How Hosts Find Their Destination

Mar 4, 2011

I have several Cisco switches connecting our network. Switch N connects to the gateway, Switches Y & Z connect to some hosts. Switch N connects to Y and Y connects to Z. Assume our gateway IP is a Class B address with a netmask of 255.255.254.0 and all the hosts attached on switches Y & Z have static IP addresses assigned to them. This gateway connects to the internet. In addition to this IP address, some of the hosts also have a second IP address assigned to the same NIC. This IP is Class A (10.0.###.###) and has a netmask of 255.255.0.0. A second gateway address is not defined.

The hosts that have 2 IPs bound to their NIC use the 10. address to communicate with each other. (Programs running on the hosts are specifically configured to use the 10. address.) I have several questions regarding this setup:

1) Assume Host has only 1 IP (Class B) - if the destination is on the same network, does the host system send the packet to the gateway first to find the destination on the network or does the host send a "where are u" packet to the broadcast address to find the destination?

2) Assume Host has 2 IPs (Class A & B) - if the destination is a 10. address, how does the host go about finding it?

Since there is no gateway defined for the Class A address, does the host simply send out a packet to the broadcast address for the Class A network? Or does it go to the gateway defined in the Class B network as it was defined first (I'm assuming primary connection)?

3) Assume Switch N's connection to Switch Y is disabled - how will this affect communication between hosts on Switches Y & Z that have a 10. IP trying to share data with each other, using the 10. address? If the answer is this should not affect it, what additional circumstances are required that may cause the systems with a 10. address to be unable to communicate when the connection from Switch Y to N is terminated?

View 3 Replies View Related

Cisco WAN :: 7206 - Cannot See Packets Being Accounted If Destination IP Down

Jun 17, 2013

One of the end customers is trying to configure IP Accounting on a 7206 running version 12.4(4)XD8. The issue we are having is that while the physical interface is up (the sub-interface is part of a metro line which is directly connected), we don't see packets being accounted if the destination IP is down.

View 2 Replies View Related

Cisco Firewall :: How To Translate Both Source And Destination In ASA 8.2

Apr 16, 2012

I have an internal subnet 192.168.3.0/24 sitting behind an ASA firewall 8.2, and it would be accessing the web server 192.168.11.54, which sits behind the outside interface of the ASA firewall. The access would be like this:

1) 192.168.3.0/24 will be accessing the web server http://192.168.11.54
2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address
3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well

How to perform this simultaneous source and destination address translation in ASA firewall 8.2? Could this be done in ASA firewall 8.2?

View 1 Replies View Related

Cisco Firewall :: ASA 8.2 - Destination NAT With Specific Origin

Jun 11, 2013

I need to configure destination NAT in my ASA version 8.2 only for a specific origin.

Today, the network 10.84.25.0/24 accesses the web server with IP 172.17.3.150. I need to NAT the IP 172.17.3.150 to 10.96.202.10 only for the 10.84.25.0/24 network.

How can I configure this in version 8.2?

View 2 Replies View Related

Broadband :: Reply 192.168.1.1 Destination Net Unreachable?

May 12, 2012

I have my 9 computers, 1 Prolink modem/router H5200 and a TP-Link switch. For 3 months my connection is quite good, but in the 4th month it started to show "Reply 192.168.1.1 Destination net Unreachable". I called up a technician from the network. He changed my modem/router with the same model and it runs for an hour... 5-6 hrs, then the problem starts again: it begins to ping "Reply 192.168.1.1 Destination net Unreachable". Before, my TCP/IP was configured automatically, but now I try to set it manually. My modem/router starts with 192.168.1.1, my first unit starts at 192.168.1.2, and so on.

View 1 Replies View Related

Test A Destination Port If It Blocked Or Not By My ISP

Aug 3, 2011

Test a destination port if it is blocked or not by my ISP

View 8 Replies View Related

Cisco Routers :: RV180 Cannot Set Static Route With Destination To All IPs

Apr 2, 2013

I have Cisco RV180. I can not set static route with destination to all IPs (0.0.0.0/0.0.0.0). It always shows errors. It asked me to input non zero number. I can do this on Cisco RV042 without any problem.

View 3 Replies View Related

Cisco VPN :: AES256 / 3 DMVPN Tunnel With Different Encryption To The Same Destination?

Apr 25, 2013

I have a general question regarding building SAs between two peers. Can I establish more than one SA between two peers with the same IP address? Currently I have 3 DMVPNs running in parallel in different VRFs using the same SA. They all have the same IPsec encryption, AES256. Now I need to reduce the encryption to 3DES in one of the three DMVPNs. Is that possible, or do I need a different IP address so that the SA pair is unique? That's how I started, with a Phase 2 failure saying that it is not acceptable.

crypto keyring preshared
  pre-shared-key address x.x.x.x key ....ncvnbxcnbLsaYiKtxc4ex4U99Tn...
  pre-shared-key address x.x.x.x key ....qerqwerJLsaYiKtxc4ex4U99Tn...
  pre-shared-key address 0.0.0.0 0.0.0.0 key ....JLsaYiKtxewrc4ex4U99Tn...

[code]....

View 4 Replies View Related

Cisco WAN :: 1941 / NAT Translation Based On Destination Network?

Feb 12, 2013

1. The LAN network (multiple subnets) needs to access server 1 (outside) - NAT translation works fine, no issues.

2. A subnet from the LAN, e.g. SUB-TEST, currently accesses server1, but I need to change it to access TESTserver 2 (outside) instead (temporarily).

I don't want to change the original setup. I am trying to implement NAT on the local router such that:

- any traffic from SUB-TEST that enters the inside interface and is going to Server1 has its destination changed and NATed to TESTServer 2

- all other LAN traffic is allowed to go to server 1.

I am using a 1941 router for this.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved