Cisco Switching/Routing :: 5520 To Redirect An External Address To An Inside Server
Mar 21, 2012
I am desperate to make some kind of translation which converts an outside IP address of our web server to its inside IP address so that requests can be routed internally to the server.
This is what we have: A wireless network with an SSID to serve visitors. We also have an in-house web server which can be accessed internally and externally. We have an ASA 5520 that protects the internal network, including the web server, and also routes all traffic from all the visitors connected to the public SSID to the outside. The DHCP server for the wireless network for visitors is configured to give 8.8.8.8 as the DNS server. The problem with that is that www.ourwebserver.com is resolved by Google's DNS server to the public IP address of our web server! The traffic then is sent to the outside interface of the ASA 5520. The visitor who wants to access our web server cannot connect!
How can I configure the ASA to route that traffic to our web server with the public IP address to the inside IP address of the web server?
Oct 28, 2012
Our company uses a commercial copier monitoring package called FMAudit to obtain meter readings from our clients' copiers, and it uses a feed to send the readings back to us. We have used port 90 for this purpose. Due to a recent server crash and emergency reconfiguration of our network, we have moved our FMAudit central server from in-house to a hosted service, with of course a different external IP address.
Without interfering with our other systems, is there a way to redirect JUST PORT 90 to another IP address external to our own? I don't care if it has to happen at the router or server level. We are using Server 2003 and a Cisco 887VAW.
May 16, 2012
I would like to know whether LMS 4.1 (local server mode) has the ability to relay syslog messages received from devices to an external syslog server? If so, how do I configure such?
From reading the document and going through the LMS 4.1 GUI, it appears that it could receive and forward messages but only between LMS systems (i.e. multi-server mode) as SSL is required.
Dec 8, 2011
I know the CSS is too old but I have one in a production environment and I was asked if it is possible for the CSS to do NAT from inside addresses and translate them into one external IP address for different kinds of communications. For example: 172.16.4.9 and 172.16.4.10 (inside addresses) should start connections to external IP address destinations 50.50.50.50 / 60.60.60.60 70.70.70.70 / 80.80.80.80 and so on. The default gateway for those servers is the CSS and I would like to know if it is possible for all connections to the external world to be translated into one IP address, 172.16.4.100.
My CSS is 11503
Version: sg0810106
Oct 23, 2011
I guess I'll start with the easy stuff, Cisco ASA 5520 ver 8.2, ASDM ver 6.2, IPSec L2L tunnel with overlapping private IPs.
I have about a dozen L2L connections on our 5520 but never had to do one with overlapping IPs. I have two that I have to build and one definitely overlaps our inside locals, and the other is requesting that we NAT our inside locals to a 10.x.x.x.
I've searched the board and found several good posts including document 112049, but I just don't seem to be able to get my head around how to translate one inside address to another. It would seem like it would be as easy as doing an (inside,inside) static NAT, but most everything has the solution as a policy NAT or doing an (inside, outside) but in the less secure address space place the name of an ACL. I have ordered that brick of a book on ASAs from Cisco Press, but need to get something going and I'm not having much luck getting this thing up and running.
Perhaps my basic understanding of NAT rules is wrong. I thought that when using NAT the command speaks to the interfaces and the direction of travel, (inside,outside). I also thought that the IP addresses used must be valid on the interface referenced, so any reference to "inside" would have to be an address on the "inside" interface of the FW and likewise for the "outside" interface. Finally, to be sure I'm not calling a duck a goose, my understanding is that the following are correct: "inside local" = my private, "inside global" = my peer, "outside local" = their private, "outside global" = their peer.
So if I'm translating say a 192.x.x.x on my inside local and wanted to present them a 10.x.x.x, wouldn't I need an (inside,outside)? And even though I'm translating my private IP into a different private IP, the translated IP must be on the "outside" interface because that is the interface that I want to present the new private IP on?
So for the scenario I suggested at the top where I need to translate my private 192.x.x.x into a 10.x.x.x and present that 10.x.x.x to the other side, I need something like NAT Static (inside,outside) 10.x.x.x 192.x.x.x?
Nov 18, 2012
We have a Router with one External IP and a couple of VLANs. We have got a Teleconferencing Unit that needs almost every port known to man to work, so decided to get the unit its own External IP.
We have the IP now and how to get it in the router and then also to use it only for the Video unit (From outside straight through to Video).
I'm comfortable adding lines to the router but just don't know what the lines should be.
The new IPs purchased are 116.199.222.200/30 (Only need to use one address, let's say 116.199.222.200). No idea what the subnet mask should be...
The router config below stripped of irrelevant stuff:
interface FastEthernet0
no ip address
!
interface FastEthernet1
[Code]......
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3G capabilities. Is there any way I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
Oct 2, 2012
I'm trying to translate my inside network of 192.168.20.0 to my outside ISP address on ASA 5505. The ping from all hosts to 4.2.2.2 works, but it still only lets one address out to translate. My configuration is:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
still doesn't work.
Jul 7, 2012
How to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X
2. VLAN 100 - ( SVI IP address 192.168.100.1 /24)
3. VLAN 200 - ( SVI IP address 192.168.200.1 /24)
4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
IP routing is enabled on the switch and inter-VLAN traffic is flowing OK. I can ping the routed port gi1/0/48 from any computer connected in VLAN 100 or 200. For example, a computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. The switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as a directly connected network.
Any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100. Is it because inter-VLAN routing does not work with a routed port on an L3 switch? I looked up fallback bridging, but it is meant for non-IP traffic. The goal is I am trying to set the ASA port as an internet gateway for the VLANs.
Sep 20, 2012
I need to configure my ASA 5520 version 7.3 firewall to translate our SMTP server residing in local LAN to use different IP address from the outside interface which is used by all other computers to access Internet.
Under the NAT section, I have NATted this internal SMTP server with a different IP address (e.g. x.x.x.1) and also translated the remaining IP addresses in the LAN to the outside interface (e.g. x.x.x.2).
My problem is, whenever I check the header for a message coming from the SMTP server it shows that the SMTP server is also translated by using the same outside interface public IP address (i.e. x.x.x.2) which is used by other client machines to access the Internet instead of the x.x.x.1.
How can I get my SMTP server to use a separate IP and avoid being blacklisted by some domain?
Mar 3, 2013
I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- its subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)
Dec 8, 2012
I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server2 with both public and private, but can't connect from server1 to server1 using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.
Oct 11, 2011
What's the difference between DNS Server and External IP Address? When I dump ipconfig /all into a .txt file I see that it shows three separate values for the DNS Server. My question is, since ipconfig /all does not give an external IP address, are they the same? Why are there three?
Oct 12, 2011
We once had a virtual server with two network adapters, one was internal and the other was external, and people could access it directly from the internet.
That server recently died (someone put the .VHD file on a massive RAID 0 array, and that went boom), and I need to set it back up again. All the DNS entries appear to still be there, but how do I assign the external IP to the network adapter? I tried Google, but my Google-fu must be weak today as I can't find anything useful.
It's a Server 2008 R2 machine running inside Hyper-V. Nothing's changed except for the new Windows install, it's running with the exact same VM settings, which I didn't touch except to add a new VHD.
Mar 27, 2012
Wondering if on the ASA (8.4) it's possible to do something like what DNS rewrite does, but with IP requests. Scenario: a mobile phone accesses a web app inside our network fine over cellular. Once it comes inside on to wifi it still has the public IP address cached so the ASA doesn't allow its request to loop around and the app appears broken. We're considering lowering the TTL on the DNS host entry but I think we are battling phones/mobile OSes that don't have a strict adherence to name resolution standards. A lot just seem to refresh their caches every 10-15 minutes.
Feb 6, 2012
I have a Cisco 2504 running 7.0.220.0. I am trying to configure Web Auth for External Redirect, Passthrough. I have a page created on an external web server that was taken from the Web Auth Bundle and modified. It is a simple "accept" or "reject" on a Terms and Conditions page. I have a Pre-Auth ACL configured to only allow communication to the server the T&C page resides on.
When I connect to the SSID, the page redirects to the external URL and the URL shows up in the browser window with all the variable data as a GET on the URL line, but the page never loads. It just hangs. I can copy the URL data, paste that in once I am on-net, and the page loads just fine.
So, something is happening when the WLC is attempting to proxy-redirect the page back to the client.
Jan 18, 2010
I want to redirect internal web traffic (browsing) to an external web server for Web, Virus and Spyware filtering. Those external proxies are running on port 8080. I have one ASA firewall and a Cisco 2600 router. I was thinking of doing PBR in the router but in the next hop I can only set one IP, not an IP and a port. So how can I redirect web traffic to an external proxy listening on port 8080?
Jan 22, 2012
I have a 1841 deployed as my NAT device towards the internet. NAT is set up so that internal addresses can access WWW. I also have some NAT translations opening specific ports from outside to inside in the form: ip nat inside source static tcp A.B.C.D 443 A.B.C.D 443 extendable.
I now have an outside address/port set up with a public DNS reference and using NAT from outside to get access to the corresponding inside address. It works when being outside the LAN.
Now to the problem: From the LAN side of the router, I cannot access the public name. I can ping it, but my browser doesn't find the webserver behind the name. Someone told me it should be set up as "local firewall domain" and I should set this up as "source NAT".
Mar 17, 2011
I am using 2 VPN routers, RVS4000, to interconnect 2 hybrid telephone IP-PBXs. After configuring the VPN the head offices are not seen in the network. The VPN is active in Windows.
The IP-PBX works correctly in the same LAN. I understand that the problem is that I do not find how to tell the router to send the UDP packets to the correct IP through the VPN.
Oct 16, 2012
Today when we run one application to access a target server with IP address 10.2.2.13, the application cannot run through and an error message related to networking appears. The target server has two network ports, whereby another one with IP 10.2.2.14 is running OK with the same application. Both of these connections are connected to the same Cisco 3750 switch; after the switch they go to a Cisco ASA firewall which has no access control rule for this 10.2.2.13 and its subnet, and then the firewall connects directly to the application server. We can ping, remote desktop access and telnet to the port for the application on the target server by using 10.2.2.13. We swapped the cable connections of the ports with one another and tried the application again; the IP 10.2.2.13 still fails and the IP 10.2.2.14 is OK. We then changed the IP from 10.2.2.13 to 10.2.2.12 or 10.2.2.155; all are OK. We changed back to 10.2.2.13 and it failed again. The switch is running in real-time production and so we cannot power cycle or reload the switch.
Oct 28, 2012
I have the switch ============>>>>>
sw2960g============server linux
As you see above, the interfaces Gi0/6 and Gi0/7 are connected directly to the Linux server by two redundant links.
I mean that Gi0/6 is connected to interface0 in the Linux server
and Gi0/7 is connected to interface1 in the Linux server
Gi0/6===>vlan 1
Gi0/7===>vlan 2
Each interface of the Linux server has a different IP and a different gateway.
Now from the switch, I ping interface 0 of the Linux server and I get a reply; everything is OK, but when I type the command:
#sh mac address-table | i Gi0/6
There are no MAC addresses and there seems to be no MAC address relative to Gi0/6. I mean, isn't it mandatory to learn the MAC address of the Linux server and write it in the MAC table beside interface Gi0/6? How could I ping the server but have no MAC beside Gi0/6?
Jun 11, 2013
I have 2 servers, one active, the other standby; both will be using the same IP. If the active fails then a re-patch for the standby to make this the active. I understand that I will need to clear the ARP and maybe the MAC address table on the 6500 for the new active server to work, as the failed server will have its MAC address on the 6500.
Is there a way around this so I don't have to clear the ARP cache and clear the MAC table? [code]
Dec 11, 2012
A new LAN installation, two VSS pair 6509 core, 15 closets, with 3750 stacks. On floor 15 only, devices/hosts can ping the DHCP server but cannot acquire IP addresses. No such problem on other floors.
Portfast and other parameters are intact.
Jan 30, 2011
I have a 3911 router with a 1242 AP. The problem that I have is that when the user is trying to connect, the user gets the OS IP address 169.254.168.154 and I see that when I do the "show dot11 association" command, but when I do sh ip dhcp binding on the router I see
172.19.9.141 0100.18de.74db.14 Jan 31 2011 11:14 AM Automatic
The router is seeing as if the router gave the IP address to the user, but in reality the user was assigned the OS IP address 169. I did "debug ip dhcp server events" and I got the following:
Jan 31 11:09:06.752 EST: DHCPD: Seeing if there is an internally specified pool class:
Jan 31 11:09:06.756 EST: DHCPD: htype 1 chaddr 0100.18de.74db.14
Jan 31 11:09:06.756 EST: DHCPD: remote id 020a00000a58218400000000
Jan 31
[Code].....
Jun 8, 2013
We have 2 Nexus 7010 switches configured with HSRP in the network. For all the VLANs core1 is Master and core2 is standby. In the current setup we have an external DHCP server and DHCP relay is configured for all the VLANs on the Master and standby switch. The setup is running the IOS 5.2
Activity Done: During the maintenance activity, we isolated the core1 switch in the network by disabling the vPC/keepalive and all the uplinks from the access switch. The core2 switch was master for all the VLANs.
Issue observed: It has been observed that new users were not getting an IP address from the DHCP server. The Ethereal capture showed that the DHCP server was not getting the DHCP requests from the core2 switch. We disabled the DHCP feature in core2 and enabled it again with DHCP relay again configured on the VLAN interfaces. Even after doing this no change was observed in behaviour. Finally we got core1 back in the network by enabling all the links.
Observation: The moment the vPC link came up between the core switches, users started getting IPs from DHCP. Then we started enabling all the uplinks on core1. Core1 again became master for all the VLANs and users continued getting IPs. Network running fine.
Further Testing
1. For one of the VLANs, the core2 switch has been made primary and for new users we checked the DHCP functionality and it was working fine. The aim was to identify if anything was wrong on core2 related to DHCP relay.
2. Again we changed the priority for this VLAN and made core1 master for the same. This time we disabled this VLAN on core1 and tried a new user; core2 became master and DHCP functionality worked fine for the new user. Actually in this case we have simulated the same behaviour as when we observed the issue, with the only difference being that the vPC was not available during the issue time as core1 was isolated from the network.
Inputs needed.
Is there any known behaviour for DHCP functionality when the vPC is unavailable? If we see test scenario 2 (wherein core1 was master for the VLAN and we disabled this VLAN on core1 and core2 was able to relay DHCP requests for new users in this VLAN), it was actually the same as the scenario we observed during the issue time.
May 29, 2012
We have a Catalyst 6509 switch, and we hope to use policy-based routing to redirect HTTP traffic to my proxy server. Where can I find a configuration example?
Dec 26, 2011
You have a Cisco ASA 5520 where clients connect using Cisco Anyconnect SSL VPN, say the URL is connect.whatever.org. You would like for when a user enters either [URL] or just connect.whatever.org into their web browser that it automatically puts the required url...
Mar 18, 2009
Can a layer 2 Cisco 2950 switch be used as a DHCP server with its own address pool?
Nov 15, 2012
Do the 2960 switches with LAN-Lite support DHCP Server Port-Based Address Allocation?
Mar 30, 2011
How can I change my external IP address which is assigned
Apr 19, 2012
I think the subject gives a good first impression of what I'd like to achieve. Anyway I'll give a little more context. I'm running a Windows Home Server in my LAN and I would like to use its functionalities (especially the streaming features) from "anywhere" using the same URL. My is a Linksys WRT160Nv3 running on the DD-WRT v24-sp2 firmware. I've already set up the necessary port forwardings, as most of the WHS sites run on ports 80 (http) and/or 443 (https) and my ISP is blocking all ports < 1024 (I know it sucks, but nothing to do about it). Anyway, outside my network (friend's home, work, ...) I can access my home server browsing to ://xxx.homeserver.com:10080 or https://xxx.homeserver.com:10443. What I want is that this (external) DNS also works when I'm inside my network (so when I'm at home).
Is this possible? I want this because on the home page of the WHS web interface, I have some links (for example to sabnzb, or the webpage of my RAID controller, etc.), but they all point to http://xxx.homeserver.com: These URLs (with the external DNS) are not working when I'm inside my LAN. I'm not an expert but I'm quite sure it's a DNS issue. Some more info: When I do an nslookup xxx.homeserver.com I see the (external) static IP that has been assigned to my router. When I do a ping to xxx.homeserver.com I also get a reply from the (external) static IP that has been assigned to my router.
Dec 6, 2012
I want to ask about redirecting in MLS 7600. Assume the user has an IP x.x.x.x and that user requested url... I want to redirect his request to url... For the users that have to pay the monthly bills, I want to give them IPs and redirect all the HTTP requests from these to a special local webpage. Is it applicable to do it on a Cisco 7600 router? Or is it applicable on a 7206 NPE-G2 router? Also I have a 2960G switch. I don't want to do it by proxy server.