Cisco Security :: Changing ASA5505 Configuration To Use Different ISP
Mar 22, 2012
We have had an ASA5505 for close to two years. About a year ago, we added a second ISP ("BOB") which became our primary and our old one (SBC) became our backup. I successfully modified the config for this and it's been working well.
Now we're changing our primary ISP to Comcast and getting rid of BOB, so right now we actually have 3 ISPs coming into our building.
I removed the BOB interface and routes, then added an interface for Comcast using an IP address from the range they provided as well as a static route to the gateway they provided - everything is analagous to the previous interfaces and routes, but it doesn't work. If I physically disconnect the Ethernet cable going to the Comcast cable modem, then the ASA does fail back to the SBC interface as expected. If I put the BOB interface & route back in there, it works again through BOB.
If I connect a PC to the Comcast cable modem and use an IP/Gateway they provided, the Internet connection *does* work. Using this same exact IP info in the ASA doesn't work.
Is there some other configuration item besides interfaces and static routes that I should be modifying? Is there some way I can dig deeper into the ASA to see exactly what is failing?
View 2 Replies
ADVERTISEMENT
Mar 5, 2012
Does changing the device certificate for AnyConnect Connection Profiles break any established AnyConnect connections, or is it transparent to the users?
View 1 Replies
View Related
Nov 4, 2011
How do I change my security key on my laptop?
View 1 Replies
View Related
Jan 29, 2011
How to change the security key. How does one go bout that? Did not see that within the manual for some strange reason.
View 1 Replies
View Related
Apr 27, 2011
I am looking for some resources on what steps would be involved in configuring a Cisco ASA 5500 when obtaining a new ISP. Since our static IP will be changing with the new ISP, just need to know what configurations changes will need to take place. We currently have a working config with DSL, but are switching to cable. We are using a DMZ configuration, and are going to try using ASDM first since that should be easier
View 3 Replies
View Related
Mar 30, 2011
I'm having troubles with a cisco 877 router, it keeps changing itself to either 0x2101 which is good, or to 0x3100 which is bad because it messes up my bautrate to 1200 instead of 9600.it doesn't seem to matter if I change it, it will still tell me that it will change at next reload. [code]
I have never seen this before.the command in conf t : configuration-register 0x2101 is not working, played with wr mem or copy start run neither of one useful.
View 5 Replies
View Related
Jun 1, 2013
I am having two 6509E working in VSS and both are working fine. But the configuration register of command "remote command switch show boot" is 0x8000 which is different from that of RP (0x2102) .Now i want to change the value of configuration regsiter of SP to 0x2102.
View 1 Replies
View Related
Mar 30, 2012
I ve been trying to acess some websites at work, but they are blocked via proxy, wich means, the only way you can access the internet is if you type a certain proxy (172.16.0.1, port 8080), at the control panel of your browser. I can only use the internet browser. If I try to change the proxy, to enter the blocked websites.Is there a possibility to unblock the websites without changing the proxy configuration?
View 2 Replies
View Related
Feb 10, 2011
They keep changing SSID and Security. No one is reseting them. I have changed the password already.
[url]....
View 4 Replies
View Related
Aug 27, 2012
I am going to change a running 6500 switch. I am missing a best pratice doc for changing a cisco switch configuration. My question is if a startup-config has an error (due to typo mistake, or due to comands not supported on latest IOS) and I do copy tftp startup-config then what will happen ? I want to make sure when I do "reload" the switch then it should boot normally with the latest startup config !
View 3 Replies
View Related
Dec 24, 2011
I have verizon fios internet and a wireless home network with verizon internet security and I want to ghange my IP adress on my laptop
View 6 Replies
View Related
Oct 24, 2012
I am installing a several new Cisco VM servers. The VM hosts are losing connectivity when we apply the etherchannel config in the core stack. VMware has stated that the etherchannel load balance needs to be src-dst-ip in order for the etherchannel to work.However, my current stack has 2 etherchannels configured to other switches through out the bldg in network closets. The current load balance configuration is src-mac.My question....when I make the change to src-dst-ip, will my network connectivity go down? I saw there was an older article on this that doesnt provide an answer just a work around. Here is the article. [URL].
View 1 Replies
View Related
Jan 31, 2013
We have cisco asa 5505 series ulbunk8 and if it is possible to upgrade it to k9?
View 5 Replies
View Related
Jul 20, 2012
i have the asa5505 with asa8.4.5 and asdm 6.4.2. my asa work like site to site vpn with the other asa5505. i would be love that monitoring status of VPN. i enabled on asa logging, i puted address of smtp server, receipent email, source email, the problem is because my smtp server require authentication, TLS. how set configuration on asa5505?
configuration of logging for send notification on email.
View 3 Replies
View Related
Aug 22, 2012
Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.
VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA Inside Interface - 172.20.58.13/30
3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13
3750 Switch Interface connected to VPN router - 172.20.58.21
VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router. Our responsibility is to just to make sure the tunnel comes up.
1) Create a static NAT on the ASA for Public to Private IP of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address or do i have to configure another interface on the ASA with this public IP?
2) What would the access list look like on the ASA?
3) The client gave us some config to copy the stuff on the ASA so that they can create the tunnel but i couldn't put those commands in the ASA. How would this be applied and on what interface?
Firewall Access: The following information pertains to access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be
allowed:
permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp(code )
View 2 Replies
View Related
Jul 2, 2012
I have Cisco ASA5505 8.2(5) connected with Cisco 5520 8.2(1) via IPSEC tunnel, I was able to SSH from the inside 5520 to inside IP of the asa5505. but I after I upgrade the license to security plus at 5505 I lost the SSH and ASDM to inside IP of 5505 from the inside network of the 5520. however I still can use SSH and ASDM on outside IP of 5505.
I did a lot of testing to make it work but I couldn't I added SSH 0.0.0.0/0 inside and outside also I added acl on both interfaces. when I did a trace on the outside interface from the private network of 5520 to 5505 inside IP I got IPSEC spoofed by the way that trace only works with security plus because I try to test on all my other firewalls 8.2(5) it shows nothing and all my firewalls can accessed from the private network 5520 except the one with the security plus!
View 11 Replies
View Related
Jun 18, 2008
I have two ISP's and I want to channel specific traffic out of an interface based on traffic type. Will the ASA 5505 security bundle allow me to route specific traffic out through a specific interface?
View 2 Replies
View Related
Mar 8, 2011
I would like to configure a cisco ASA5505 IPSEC VPN. I used the wizard and tried to connect to the outside .. does not work .. The network is configured in this manner: - ADSL router with public address and internal address 192.168.2.1 -> firewall interface inside and outside 192.168.2.2 192.168.3.1 (my network is 192.168.3.0). I used a VPN to the pools ranging from 192.168.4.1 to 192.168.4.100.
INTERNET ----- ROUTER ------ ASA5505 -------LAN
What should I change? there could be problems between the router and firewall?
View 6 Replies
View Related
Mar 17, 2012
i have the asa5505. the configuration of asa 5505 is:
: Saved
Code...
i analyzed this traffic i see problem with the nat- Asymmetric NAT rules matched for forward and reverse flows. where i made error?
View 0 Replies
View Related
Dec 18, 2011
We have an ASA5505 that we need to enable hairpinning on.... In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using
static (inside,outside) outside_ip inside_ip netmask 255.255.255.255
static (inside,inside) outside_ip inside_ip netmask 255.255.255.255
In 8.4, if I use object nat, the hairpin functionality works perfectly,
object network obj-insideip
nat (inside,inside) static publicip
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
nat (inside,inside) source static private_object public_object destination static public_object private_object
allows hairpinning to successully work from the same machine. Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip. Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.
View 1 Replies
View Related
Apr 8, 2012
I teach in a High School and we've got about a 300 node MS Windows Network. Two MS2003 File Servers act as my DNS/WINS/DHCP servers. We have been using a WATCHGUARD FIREBOX III to act as the router/gateway between the outside external address and my internal (10.0.0.1) gateway address. All p.c's inside the network are routed to one of the Servers (10.0.0.2 or 10.0.0.4) for DNS/WINS/DHCP addressing. The servers point to 10.0.0.1 for gateway.
We are trying to replace the Watchguard Firebox with a CISCO ASA 5505 (eventually we'd like to implement VPN). When I connect the CISCO ASA, I get no internet passthrough at all.
View 1 Replies
View Related
Feb 20, 2011
I like to take log backup in ASA.. and i like to check whether any attack pattern is there?? how could i do this...?Also how could i do a best practise for this?
View 12 Replies
View Related
Dec 30, 2011
I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working. [code]
View 3 Replies
View Related
Jan 9, 2012
There are two issues which are testing my resolve.
1) Bad Cryptochecksum Ignored error
2) Unable to boot to a save startup-config file.
I want to take the configuration from one ASA 5505 and move it to another ASA 5505. I copied the startup-config file from an ASA 5505 running asa821-k8.bin to an ASA running 8.222-k8 to flash using tftp. I set the boot config parameter on the new asa to flash:/startup-config which is the location of the startup file. If I use copy run start command, I over write the startup file. When I copy the startup configuration to the running configuration I get a Bad Cryptochecksum Ignored error and the startup file does not copy over to the running file. How can I resolve this issue?
View 1 Replies
View Related
May 11, 2013
I am using a Cisco E4200 router today but I am moving to a ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200 all I do is put the outside private ip address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network.
View 15 Replies
View Related
Sep 28, 2011
I am trying to configure a trunk between the above two devices. I like to have vlan11 on ASA. Then I like to connect a host to my switch, and have it communicate with other devices in VLAN 11 or other vlans that reside on the ASA. Below is the config that I currently have.
ASA:
ciscoasa# show run interface Ethernet0/1
!
interface Ethernet0/1
[Code].....
View 5 Replies
View Related
Oct 17, 2011
Client has an ASA5505 anchoring an MPLS network. One of their branch offices is experiencing frequent circuit outages due to theft of copper lines. I am looking at an 881G with wireless aircard as a backup solution and creating a VPN tunnel to the ASA but am unsure about how to handle routing on the ASA. There will already be a route for the branch subnet for the MPLS network.
View 2 Replies
View Related
May 27, 2013
so we have been using our current ASA5505 for a long time. Since it only support up to 10 VPN licenses, so we buy a new ASA5505-SEC-BUN-K9(support up to 25 users).
the old ASA are running: 8.0.3 and ASDM 6.0.3
the new ASA are running: 8.2.5 and ASDM 6.4.5
I thought it would be simple as export and import the config file, but when i tried to restore, the new one is looking for a zip file but the old one doesn;t backup file in ZIP. It looks like i need to update the ASA version or/and ASDM?
I am pretty new to this and never upgrade any of these versions since I am aware of the upgrade may mess things up. So do I need to upgrade both the ASA version and the ASDM in order to restore my config? any effect if i do the upgrade? I also read some articles, we need to upgrade on the version one by one, like 8.0 to 8.1 then 8.2?
View 4 Replies
View Related
Jan 9, 2012
I am wondering if it's possible to convert a Pix 501 configuration running version 6.3(5) to a new ASA5505 which we just purchased? We have site to site VPN on this device and i am just trying to save some time. I believe Cisco TAC might have a tool to do this but i am not sure.
View 4 Replies
View Related
Dec 26, 2011
I’m trying to configure my ASA 5505, in order to allow my inbound and outbound mail communications. Here with this mail I’ve attached a diagram which illustrates my exact network setup along with ip addresses.
In this setup I’ve enabled port forwarding on my ADSL router (port 25 and 110) and configured the ASA accordingly, and my mail server is located inside my network.
My problem is currently I can send mails from my inside network to outside but my not receiving any mails which originate from outside. I’ve attached my current ASA configuration as well,
C:UsersSuthakarDocumentsOffice_DocsThakralABC Computers
Final config on ASA5505
host name Cisco
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
!interface Vlan1
nameif inside
security-level 100
ip address 192.168.155.201 255.255.255.0
[Code] ......
View 3 Replies
View Related
May 13, 2012
I have a couple of ASAs 5505 (HQ & Branch) running version 8.2(4). They are configured with a Site-to-Site VPN over a single WAN link: [code]
I want to enable sla monitor on one of the devices in order to know the real status of my unique link because the interfaces sometimes don't go down, so I don't have any real statistic of failures.
All the information is related to dual ISP links failover. Is there any extra-consideration for my single link scenario?I already have a static route route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 so I think I have to overwrite it with something like this route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 track 1. Is this correct?If so, when I overwrite it, will the S2S VPN go down and will it go up automatically?
View 1 Replies
View Related
Aug 29, 2011
I try to configure PGM in my 2911 plattform but it was impossible. I tried with many 15.1 version that support this protocol.
Someone configured PGM over 2911 Routers? What does correct IOS for work?
View 4 Replies
View Related
Aug 18, 2011
Our client ( a webhost, they have a lot of servers ) has a an older Cisco Pix, everything works fine with the PIX. They have a Cisco ASA 5500 with ASA version 8.3 , to replace the PIX. Upon migrating the PIX config to the ASA we are running into issues with Dynamic NAT. The static NAT entries are working flawlessly (there is a lot of them), however when Dynamic is enabled for the remainging hosts, outside communication works then drops off. The remaining hosts need outside access for updates. We have access lists set up but I dont se ehow that could cause a problem when the original ACL's were working fine with the PIX, they have not been altered.
The NAT config may be wrong or cluttered, have a look at the full NAT config.
The static NAT addressing is the same, example 207.11.129.65 will equal 10.10.10.65
View 1 Replies
View Related
