Cisco Switching/Routing :: ASA 5505 Outside Access For Clients With Dynamically Assigned IPs
Feb 7, 2013
We have an ASA configured to access the internet, which works fine for clients who have an IP address assigned by DHCP, but not for clients with manually assigned IPs.
For instance, with the DHCP server configured to give IP addresses between 172.16.101.1 and 172.16.101.10, a device may get the IP address 172.16.101.1. This machine will have connectivity to the internet.
If we then configure the DHCPd server range as 172.16.101.2 to 172.16.101.10 and statically assign the 172.16.101.1 IP to the client, it will not have internet access. It will, however, have inside access and VPN access.
If I try to ping 8.8.8.8, the following is logged:
ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100 (type 0, code 0)
Where 'servers' is the name of the inside interface the request is made from and 'xxx.xxx.xxx.100' is the external IP. It seems as if DNAT is not working when the client IP is statically assigned.
View 5 Replies
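An added configuration example, not part of the post above, of the ASA pieces that decide whether a static host's traffic is translated and whether the echo reply in that log line is let back in. It assumes ASA 8.3+ object NAT syntax (the post gives no version) and takes the interface name "servers" and the subnet 172.16.101.x from the post; the /24 mask, the .254 interface address and the object names are placeholders.

```cisco
! Assumed ASA 8.3+ syntax. "servers" is the inside interface name from the post;
! the /24 mask, the .254 interface address and the object names are placeholders.
interface Vlan1
 nameif servers
 security-level 100
 ip address 172.16.101.254 255.255.255.0
!
! NAT is keyed on the source subnet, not on the dhcpd range: a statically addressed
! host inside this subnet gets the same PAT to the outside address as a DHCP client.
! A rule written only against the dhcpd range (a /28 or a range object) would not
! cover .1 once it is taken out of the range.
object network SERVERS-NET
 subnet 172.16.101.0 255.255.255.0
 nat (servers,outside) dynamic interface
!
! Without "inspect icmp" an echo reply from 8.8.8.8 is evaluated as a new inbound
! flow on outside and denied (the %ASA-3-106014 "Deny inbound icmp" line above).
! With it, the reply is matched to the outbound echo and needs no inbound ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Checks for the static host: which NAT rule it hits, and whether it has an xlate.
! packet-tracer input <ifc> icmp <src> <type> <code> <dst>; type 8 code 0 is echo request.
packet-tracer input servers icmp 172.16.101.1 8 0 8.8.8.8
show nat detail
show xlate | include 172.16.101.1
show logging | include 172.16.101.1
```

If packet-tracer shows the static host missing the NAT phase that a DHCP host passes, the translation rule is narrower than the subnet; if it passes NAT but the reply is still denied, ICMP inspection is the thing to look at.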
Jul 7, 2011
I have connected an ASA 5505 to an ADSL router that is able to assign the IP address and also the ISP's DNS servers for the outside interface. The ASA is loaded up with IOS "asa842-k8.bin".
I am using vpnclient with a hostname as opposed to an IP address to connect to a headend remote server. If I hardcode the DNS server IPs in the "dns server-group DefaultDNS" I am able to resolve the hostname. If I then remove the IPs from the group and rely on DHCP to assign them, when I try to resolve the name I get an error at the console: "ERROR: % Invalid Hostname"
View 2 Replies
Sep 6, 2012
Just installed an ASA 5505, replacing a Cisco 851.
My Exchange server hosts remote Outlook clients and remote web access.
No one on the remote side can access my Exchange server.
Internal mail flows inbound and outbound.
My iPhone cannot access the Exchange server either.
When the Cisco 851 was online all the above worked great. Nothing changed on the remote client side; I just put the ASA 5505 in service.
I am new to the ASA 5505 family. Had a reseller configure the router but am unable to get them at this hour. Called Cisco support but they are closed at this time also.
View 5 Replies
Aug 7, 2011
ASA 5505 and DMZ and Base License,"For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network." Page 6-17.
This is exactly what I need. Mail server in DMZ, full access from internet to DMZ and from inside network to DMZ, no access from DMZ to inside network. If I understand correctly, this is possible with the base license.
I successfully configured internet access for the DMZ and inside network; the mail server can be accessed from the internet, as well as RDP on the inside network. But I have a problem configuring communication from the inside network to the DMZ. [code]
View 13 Replies
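An added configuration example, written for this page and not taken from either poster's config, covering the Base-license DMZ described in the quoted passage above and the published mail server of the Sep 6, 2012 post (an Exchange server unreachable from outside after the ASA replaced the 851). ASA 8.4 object NAT syntax is assumed; every address, VLAN and port number and object name is a placeholder.

```cisco
! Assumed ASA 8.4 syntax; addresses, VLAN/port numbers and object names are placeholders.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Third VLAN on the Base license: "no forward interface" must precede nameif.
! The DMZ may not initiate traffic to inside; inside may still reach the DMZ.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! Publish the mail server: one-to-one static NAT to a spare public address,
! plus an ACL on outside for the ports remote Outlook/OWA/ActiveSync use.
object network MAIL-DMZ
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.3
!
object-group service MAIL-PORTS tcp
 port-object eq smtp
 port-object eq https
!
! Post-8.3 ACLs reference the real (untranslated) address, hence the object.
access-list OUTSIDE-IN extended permit tcp any object MAIL-DMZ object-group MAIL-PORTS
access-group OUTSIDE-IN in interface outside
!
! Everyone else gets PAT on the outside address toward the internet. These
! object rules apply only to the (x,outside) pair, so inside->dmz is untranslated.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 192.168.50.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Inside (100) -> dmz (50) needs no NAT and no ACL on 8.3+ unless an access-group is
! applied to inside, in which case that ACL must permit the DMZ subnet.
packet-tracer input inside tcp 192.168.1.20 1025 192.168.50.10 25
packet-tracer input outside tcp 198.51.100.7 1025 203.0.113.3 443
show nat detail
```

The two packet-tracer lines are the checks for the two symptoms in these posts: the first shows which phase drops inside-to-DMZ traffic, the second whether an outside client reaches the mail server through the static and the ACL.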
Aug 30, 2012
I am administering a Catalyst 2960S switch and I would like to connect several computers to it. Some of those each have a static IP address. For a few of them, I would like the switch to dynamically assign an IP address to them via DHCP. Is the switch capable of doing this? If so, how can I do it? I tried looking through Cisco Network Assistant and I couldn't find it. Some web pages have suggested I telnet into the switch and issue commands like "ip dhcp ?" to see what commands are possible. I can telnet in, but I get an "Unrecognized command" for both "ip ?" and "ip dhcp ?". This makes me think I'm reading the wrong web pages. I did come across the term "DHCP snooping". It seems relevant, but very difficult for me to grasp.
View 9 Replies
Oct 22, 2012
I have an RV110W which I am using as a router (not gateway), because it is connected to the DSL modem (not planning to bridge it) through its WAN port. The DSL modem forwards all PPTP traffic to the RV110W. The only purpose of the RV110W for me is to use it as a VPN router.
Info:
Firmware version: 1.1.0.9
Below are the settings I have:
WAN:
LAN:
N.B. The modem runs a DHCP server, so I am relaying the requests to it.
VPN:
N.B. Also tried with 192.168.0.0 and 12.168.2.0 networks; same thing.
Routing Settings:
Routing Table:
N.B. 192.168.1.11 and .10 are VPN clients (created automatically).
Firewall:
Users are able to connect to the VPN successfully; however, there are a couple of problems:
1. They are not assigned a gateway; hence no internet connectivity (I want them to use the remote gateway).
2. They are not able to access the 192.168.0.0 network; hence they are unable to reach their DNS server and other hosts (I ran a tracert; they couldn't go beyond the RV110W VPN server IP). For this, I tried to turn off the firewall on the RV110W, and also tried to create an Access Rule to allow all outbound and inbound traffic between LAN and WAN, but no success.
View 1 Replies
Jun 24, 2007
Here at HQ we have a 4402 WLC. At our remote sites we have 1231G APs running in autonomous mode. I upgraded one of the APs -- IOS 12.4(3g)JA -- to run LWAPP. Per release notes I've read, upgraded 1231s do not support REAP/HREAP mode; consequently, it's running in LOCAL mode.
The AP is managed by the WLC. I created a WLAN for the remote site and assigned it to the MGMT interface; the remote site subnet doesn't exist in HQ. The DHCP server for the remote site is presently at that site; AP and DHCP server reside at the same place.
Clients authenticate successfully to the remote site AP, however, they are not getting DHCP addresses assigned. Does the DHCP server for the remote site have to reside in HQ since the AP is running in local mode? If so, where is that specified, on the MGMT interface config?
View 4 Replies
Mar 31, 2013
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs set up (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc). All interVLAN routing is done on a 3560 via VLAN SVIs. Connected to the 3560 via a routed port is an ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) to a specific VLAN. I want to extend this concept to remote VPN access. Therefore I set up multiple group policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to log in with different users who get assigned to different group policies and obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logs in remotely and gets an IP in the 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
View 3 Replies
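An added example, not from the post above, of one way to supply the missing return path. A host on 192.168.102.0/23 treats a VPN client addressed out of that same subnet as a local neighbour: it ARPs for the client on the VLAN, nothing answers, and the reply never reaches the 3560 or the ASA. A pool taken from a separate subnet is instead sent to the VLAN's gateway, the 3560, which needs a route for it toward the ASA. The ASA/3560 link addresses are from the post; the pool subnets, policy names and the 8.2-style NAT exemption are assumptions.

```cisco
! ASA 5510, pre-8.3 NAT syntax assumed. One pool per department, none of them
! inside a VLAN subnet that the 3560 owns. Pool ranges and names are placeholders;
! GP-ENG / GP-OPS stand for the existing LDAP-selected group policies.
ip local pool POOL-ENG 192.168.202.1-192.168.202.254 mask 255.255.255.0
ip local pool POOL-OPS 192.168.204.1-192.168.204.254 mask 255.255.255.0
!
group-policy GP-ENG attributes
 address-pools value POOL-ENG
group-policy GP-OPS attributes
 address-pools value POOL-OPS
!
! To keep the internal DHCP server instead of local pools, give each policy a
! dedicated scope rather than the VLAN's own scope:
!  group-policy GP-ENG attributes
!   dhcp-network-scope 192.168.202.0
!
! VPN clients must reach the VLANs untranslated: exempt inside<->pools from NAT.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.248.0
nat (inside) 0 access-list NONAT
!
! The ASA reaches the VLANs through the routed link.
route inside 192.168.102.0 255.255.254.0 192.168.100.1
route inside 192.168.104.0 255.255.255.0 192.168.100.1
route inside 192.168.106.0 255.255.255.0 192.168.100.1
!
! 3560: the return route for every pool, pointing at the ASA side of the routed port.
ip route 192.168.202.0 255.255.255.0 192.168.100.2
ip route 192.168.204.0 255.255.255.0 192.168.100.2
```

With the pools outside the VLAN subnets the per-department separation is still expressed on the 3560 (route-map or ACL per pool subnet) rather than by the client's address alone, which is what the 802.1x VLAN assignment gave on the wired side.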
Dec 31, 2012
ASA Version 9.1(1)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code]....
View 9 Replies
Mar 27, 2012
I'm trying to configure an ASA 5505 to view my Slingbox from my iPhone/iPad from an outside or 3G network. I can't ping my internal networks while connected via AnyConnect. I know that I need to free up port 5001, but I can't seem to get it to work.
View 0 Replies
Jun 9, 2010
I'm looking to setup AnyConnect VPN with no split tunneling. ASA 5505 v8.2. It seems this should be really easy. I must be missing something.
I can get the AnyConnect users to connect fine and they can access sites internal and at other IPSec-tunneled sites. But no access to the internet.
Internal is 10.1.1.x, VPN pool is 10.1.1.251-253 (Temp list for testing). I issued the following tracer: packet-tracer input outside tcp 10.1.1.253 12345 69.147.125.65 80 detailed
The last reported point (where it fails) is:
Phase: 7
Type: WEBVPN-SVC
Subtype: in
[Code].....
View 10 Replies
Apr 15, 2012
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with. I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. They can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
View 1 Replies
Jul 8, 2012
I am trying to set up VLANs and most of the configuration is working OK now except IP address assignment from DHCP. If any computer in VLAN 120 or 130 is configured with a manual IP address, then all works fine. It can reach internal servers and the internet without problem. If the IP address is assigned automatically then any computer in VLAN 120 or 130 obtains an IP address (strangely!) from VLAN 100. Because the switch ports connected to the computer belong to VLAN 120 or 130, the computer cannot reach internal servers and the internet with an IP address from VLAN 100. All SVI interfaces for VLAN 100, 120 and 130 have the ip helper-address option defined pointing to the DHCP server. No DHCP snooping is enabled on any switch at this point. The DHCP server has three scopes for the three different VLANs.
View 2 Replies
Oct 8, 2012
We have a Cisco Aironet 1242AG Series which we are trying to set up. DHCP assigns the IP address, but we cannot connect to it. We had this problem with a previous Aironet unit, and the new one we have now is having the same problem! Everything seems to be correct, but we cannot get to the IP address to set it up.
View 12 Replies
Jun 4, 2013
I have just set up my asa5505 and while in the sh run I have the following lines
-dhcpd address 192.168.2.200-192.168.2.231 inside
-dhcpd enable inside
-dhcpd dns 68.94.156.1 interface outside
When a client connects to the device like: 192.168.2.215 there is no dns assigned. My devices are unable to access the internet unless I manually assign the dns in the local settings for that host.
View 6 Replies
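An added example, not from the post above, of the two forms of the dhcpd DNS option. "dhcpd dns ... interface name" scopes the servers to the DHCP scope on that interface, so with "interface outside" the scope enabled on inside carries no DNS option; naming the inside scope, or leaving the interface keyword off so the servers apply to every scope, fixes that. The addresses are those in the post; the auto_config form assumes the outside interface is itself a DHCP client of the ISP.

```cisco
! Same scope as in the post; the dns line is tied to the inside scope instead of outside.
dhcpd address 192.168.2.200-192.168.2.231 inside
dhcpd dns 68.94.156.1 interface inside
dhcpd enable inside
!
! Alternative when outside is a DHCP client of the ISP (assumption): pass the
! learned DNS servers and domain name through to the inside scope.
dhcpd auto_config outside interface inside
!
! Check what a lease actually carries and whether the scope is up.
show dhcpd binding
show dhcpd state
show running-config dhcpd
```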
Jun 18, 2012
I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
[code].....
What do I need to add to get the VPN client to be able to ping the router and clients?
View 3 Replies
Jul 27, 2011
I'm new to working with the ASA 5505, VPN and reverse NAT.
The basic setup is as follows. I'm trying to set up an IPsec site-to-site tunnel with reverse NAT on the remote side.
I have the tunnel up and it passes traffic. I have set up reverse NAT for 172.x.x.1 to translated IP 216.x.2.101; my ASA also has an IP address of 216.x.2.102.
Any connection from 172.x.x.1 to 216.x.2.1 should appear to be coming from 216.x.2.101.
When I ping or telnet from 216.116.86.1 to an open port on 216.x.2.101 I get the banner from 172.x.x.1, so it seems like it is working.
However in my setup I'm only given a single IP, that of the NAT address 216.x.2.101, so when I remove the IP address assigned to the inside interface, 216.x.2.102, all connectivity is lost.
When I set the inside interface to 216.x.2.101 and set up a static NAT rule for 172.x.x.1 to 216.x.2.101, I get a message that says all traffic will be redirected and I will be unable to connect to the ASA.
Once that's in place, and I make any connection from 216.x.2.1 to 216.x.2.101 on any port, I get a connection but then it's reset; I no longer get the telnet banner I was expecting.
My running config is,
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
Nov 13, 2011
I've configured IPsec VPN with the wizard but the IP addresses assigned from the pool cannot reach the LAN network. LAN network: 192.168.0.0/24, pool network: 193.168.0.0/24.
View 12 Replies
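An added example, written for this page and not taken from any of the posted configs, of the pre-8.3 NAT pieces that the remote-access posts above keep running into: the Jun 9, 2010 post (8.2, AnyConnect full tunnel with no internet), the Apr 15, 2012 and Jun 18, 2012 posts (7.2(4); clients connect but cannot reach anything inside) and the Nov 13, 2011 post (pool cannot reach the LAN). Addresses are those of the 8.2 post, inside 10.1.1.0/24 and pool 10.1.1.251-253; the group-policy, tunnel-group and ACL names and the DNS server are placeholders.

```cisco
! Pre-8.3 NAT syntax (7.2 / 8.2). Names are placeholders.
!
! 1. Clients must reach the inside untranslated: exempt inside<->pool from NAT.
!    Without this the inside PAT rule applies to replies toward the pool and the
!    clients can connect but ping nothing (the 7.2(4) and Apr 2012 symptom).
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.1.240 255.255.255.240
nat (inside) 0 access-list NONAT
!
! 2. Full tunnel (no split tunnelling) also needs the internet through the ASA:
!    the traffic enters and leaves on "outside", which is off by default, and the
!    pool must be PATed to the outside address exactly like an inside host.
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 10.1.1.240 255.255.255.240
!
! 3. Group policy: tunnel everything and hand out an inside DNS server.
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.10
 vpn-tunnel-protocol svc ipsec
!
ip local pool VPN-POOL 10.1.1.251-10.1.1.253 mask 255.255.255.0
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool VPN-POOL
 default-group-policy RA-GP
!
! 4. Checks, sourced from a pool address as the traffic really arrives: one inside
!    destination, one internet destination (the second needs the hairpin in step 2).
packet-tracer input outside tcp 10.1.1.253 12345 10.1.1.10 445 detailed
packet-tracer input outside tcp 10.1.1.253 12345 198.51.100.1 80 detailed
```

Carving the pool out of the inside subnet, as the 8.2 post does, relies on the ASA proxy-ARPing for the pool addresses on inside; a pool in its own subnet, routed to the ASA, is the safer choice. Note that 193.168.0.0/24 in the last post is a public range, not an RFC 1918 one, so traffic to real hosts in that range would be swallowed by the tunnel.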
Jan 19, 2012
I have configured my network infrastructure with the ASA5505 as in the image. I want my users from LAN 10.13.10.0/24 to be able to access my LAN 192.168.0.0/24. Can I use just routing or must I use a site-to-site VPN? How can I do it? How do I configure my ASA 5505? On my LAN1 there's DHCP. On the LAN side of my ASA5505 I must disable DHCP. In my LAN1 I have DNS and a Domain Controller. The users from my LAN3 need to access LAN1 for authentication and access to resources and programs. I attached a picture of my configuration.
View 2 Replies
Dec 22, 2012
I have set up a scenario for a small business and have some questions about how to manage the access between the VLANs. Is there a better / another way to do it? See the attached picture for the topology / info.
My question is:
My switches are set up with x number of VLANs and a routed port (no switchport) to the ASA for internet connectivity. What is the best (or only??) way to manage the access between the VLANs? Is it ACLs on the switch?
And by "managing access" I mean VLAN 50 (public WiFi) only has access to the internet, only management servers have access to the management VLAN, the client VLAN only has RDP access to the server VLAN and so on. Is there any way to do this in the ASA (or add another (gigabit) router to the topology), or is the only way to have lots of ACLs on the switch itself? I have thought about "router on a stick", but then I imagine there will be a bottleneck between the switch and the ASA?
(Equipment is 2 x 3650G, ASA5505, AP1252 - see attached file).
View 3 Replies
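An added example, not from the post above, of the three rules described there as router ACLs on the 3560's SVIs. With the SVIs doing the inter-VLAN routing, VLAN-to-VLAN traffic never crosses the routed port to the ASA, so it can only be filtered on the switch (or the routing has to move to the ASA, which is the router-on-a-stick the poster mentions). Router ACLs on the 3560 are hardware-switched, so there is no bottleneck, but they are stateless: where a VLAN may open connections but nothing may open connections toward it, the return half has to be allowed explicitly. VLAN 50 is from the post; the other VLAN numbers, subnets and the two management-server addresses are placeholders.

```cisco
! 3560 IOS. VLAN 50 (public WiFi) is from the post; VLAN 20 = servers 10.20.0.0/24,
! VLAN 30 = clients 10.30.0.0/24, VLAN 99 = management 10.99.0.0/24 and the
! management servers 10.20.0.5/.6 are placeholders.
!
! VLAN 50: DHCP relay, then the internet only (every private range denied).
! If the WiFi scope hands out an internal DNS server, permit udp to it eq domain.
ip access-list extended WIFI-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.50.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.50.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.50.0.0 0.0.0.255 any
!
! VLAN 30 (clients): RDP and DNS to the server VLAN, nothing else internal, internet otherwise.
ip access-list extended CLIENTS-IN
 permit tcp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 3389
 permit udp 10.30.0.0 0.0.0.255 host 10.20.0.5 eq domain
 deny   ip 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 deny   ip 10.30.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 permit ip 10.30.0.0 0.0.0.255 any
!
! VLAN 99 (management): filtered on the way OUT of the SVI, i.e. toward the
! management hosts, so only the two management servers can open connections.
! "established" lets replies to sessions the management hosts started back in.
ip access-list extended MGMT-OUT
 permit ip host 10.20.0.5 10.99.0.0 0.0.0.255
 permit ip host 10.20.0.6 10.99.0.0 0.0.0.255
 permit tcp any 10.99.0.0 0.0.0.255 established
 deny   ip any 10.99.0.0 0.0.0.255
!
interface Vlan50
 ip address 10.50.0.1 255.255.255.0
 ip helper-address 10.20.0.5
 ip access-group WIFI-IN in
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip access-group CLIENTS-IN in
interface Vlan99
 ip address 10.99.0.1 255.255.255.0
 ip access-group MGMT-OUT out
!
show access-lists
```

The "in" direction on an SVI means traffic arriving from hosts in that VLAN; "out" means traffic routed toward them. That is why the client and WiFi rules sit inbound on their own SVIs while the management rule sits outbound on Vlan99.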
Jun 21, 2012
I have a Cisco 5520 using ASDM 6.4.
Currently my VPN settings use a shared key without a certificate to access the VPN. I would now like to set up a self-signed certificate on the ASA and get users to import the certificate in order to VPN.
View 1 Replies
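An added example, not from the post, of creating a self-signed identity certificate on the ASA from the CLI (ASDM 6.4 pairs with ASA 8.4; the commands are the same on 8.2) and exporting it so users can import it into their trusted store before connecting. The key label, trustpoint name, subject and FQDN are placeholders; the FQDN has to match the name clients connect to, or they will still see a warning.

```cisco
! Assumed ASA 8.2/8.4 syntax. VPN-KEY, VPN-SELF and vpn.example.com are placeholders.
crypto key generate rsa label VPN-KEY modulus 2048
!
crypto ca trustpoint VPN-SELF
 enrollment self
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example
 keypair VPN-KEY
 crl configure
crypto ca enroll VPN-SELF noconfirm
!
! Present the certificate to AnyConnect/WebVPN clients on outside ...
ssl trust-point VPN-SELF outside
! ... and to IPsec remote-access clients (tunnel-group name is a placeholder).
tunnel-group RA-TG ipsec-attributes
 trust-point VPN-SELF
!
! PEM text of the identity certificate for users to import (not the private key).
crypto ca export VPN-SELF identity-certificate
show crypto ca certificates
```

A self-signed certificate removes the "untrusted" prompt only on clients that have imported it; it does not authenticate the users themselves, which still needs a CA that issues client certificates.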
Jul 6, 2012
The IP address of my WRVS4400N changes every so often. When I use the assigned IP to connect remotely, it works until the IP is re-assigned through DHCP. I know there is a way around this by using a name or something. I just don't know how to set that up.
View 1 Replies
Mar 14, 2012
I would like to know how we can refresh our WAN IPs dynamically.
View 3 Replies
Dec 16, 2012
PIX 515e 6.3.4. A web server on our DMZ is exposed for external access. There is an "A" record (webserver.yyy) on a public DNS for this public IP. This works fine for external users. Now I have been asked to allow our LAN users to access the same link and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means that when our internal users access that link, the request goes out of the OUTSIDE interface with a NAT overloaded address (111.111.111.2) that is in the same subnet as the IP the URL resolves to. Once it knows the IP address through DNS resolution it tries to come back in through the same interface (OUTSIDE) to hit the web server in the DMZ and is not able to.
1. Where is the request from an internal user to hit the URL dropped?
2. What can be done to allow this type of connectivity on the PIX 515e?
View 7 Replies
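An added example, not from the post, of DNS rewrite ("DNS doctoring") on PIX 6.3, which is the option that fits the constraints stated above. A PIX 6.3 cannot send a connection back out the interface it came in on (same-security intra-interface traffic arrived in 7.0), so instead the PIX rewrites the A record in the DNS reply as it passes from outside to inside: the client then connects to the DMZ address directly and the request never goes out OUTSIDE. The 111.111.111.2 PAT address is from the post; the server's public and DMZ addresses and the inside subnet are placeholders, and the 6.3 argument order of the static (dns before netmask) is taken from the 6.3 command reference.

```cisco
! PIX 6.3 syntax. 111.111.111.10 (public) and 10.10.10.10 (DMZ) are placeholders
! for the existing static; the inside subnet 192.168.1.0/24 is also assumed.
!
! 1. Add "dns" to the existing static for the web server. Replies carrying
!    111.111.111.10 that traverse the PIX toward inside are rewritten to 10.10.10.10.
static (dmz,outside) 111.111.111.10 10.10.10.10 dns netmask 255.255.255.255
!
! 2. DNS rewrite is done by the DNS fixup, which is on by default.
fixup protocol dns maximum-length 512
!
! 3. Inside -> dmz must have a translation on 6.3 (nat-control is always on).
!    If the inside hosts are not already translated toward dmz, exempt them.
access-list INSIDE-DMZ-NONAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE-DMZ-NONAT
!
! Verify: an inside client now resolves webserver.yyy to 10.10.10.10 and the
! connection is built inside -> dmz, not inside -> outside.
show xlate
show conn
```

Answering the first question: the request is dropped on OUTSIDE because a packet that has just been translated out of the interface cannot be accepted back in by 6.3; the DNS rewrite avoids that path altogether. The older "alias" command achieves the same effect but is superseded by the dns keyword.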
Jun 5, 2009
I have some Catalyst 3560 PoE switches running the latest 12.2(50)SE1 image. I have a working configuration for STP, QoS, Voice & Access VLANs, Port-Security & IGMP snooping - I stress this is working PERFECTLY. Now I have been playing with wired 802.1x port authentication for a while which again I have successfully deployed on ports without IP Phones. I did some more testing with 802.1x clients behind some Cisco IP Phones and after understanding the issues and workarounds I thought I had a working environment. The environment is XP SP3 with the new separate wired 802.1x supplicant, workstations are all in a 2003 AD Domain and the wired 802.1x settings are configured through group policy. I had issues with Windows Server 2003 SP2 not working behind IP Phones but this I put down to the supplicant being different from the new one in XP SP3. MS don't have any plans for Server 2003 SP3 (or XP x64 SP3?) nor can I find any hotfixes to resolve this so it's a 'caveat'. Anyway I have tested this many times and with XP SP3 and the new supplicant it all seems to work well (only the access VLAN is using 802.1x authentication, I am not authenticating the IP Phones via 802.1x).
Now today it stopped working and 802.1x clients behind the 7970 IP Phones no longer authenticate. I have spent an hour or so looking at this and the IOS is the same, as is the configuration on the IAS (RADIUS) server, as are the XP clients. I was scratching my head a bit and then looked at the IP Phone - the software on the phone has been upgraded to 8.5(2) - previously it was 8.4(4). I managed to downgrade the software via CUCM to 8.4(4) and it now works. I have retested it several times so this is obviously an issue (either a new feature or a bug?) with the latest code for the 7970. I have checked and it's the same codebase for all the latest IP Phones - 7906, 7911, 7931, 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971 & 7975 which was released on 1st June. I have looked through the release notes and EAP-FAST has been added but this is an update to the EAP supplicant on the phone and not a feature of the 802.1x pass-through from the attached device. I can find no other 802.1x or EAP references.
View 9 Replies
Oct 3, 2011
I was so fed up with using the out-of-the-box routers from PC World or the one provided by the host that I decided to splash out and buy a decent router. The Cisco 887 came highly recommended and seems to be a great purchase so far. Our downtime and internet hangs vanished overnight. Having had this installed for several weeks now I thought it was time to look at my problems with it. I have 2 Broadcom network cards, 1 for the LAN and 1 for the WAN. All machines connected to the LAN get full internet access but my server will not.
The router plugs directly into the Server (2008) with an IP address of 10.10.10.1 - this is listed under the LAN settings in Cisco CP Express. I have a fixed IP address which appears to be set up correctly, as do all my terminals / client PCs that are plugged in through the switch. These all show IPs that look like 192.168.1.x. I am not an IT whizz kid but I know my way around a computer pretty well. I am guessing I need to move the router IP to within range. At present the Server sorts out the DHCP and we also have a VOIP phone system.
View 15 Replies
Mar 10, 2013
What is the maximum number of VPN clients that can connect to a Cisco 2821 router with this IOS: c2800nm-adventerprisek9-mz.124-20.T.bin?
View 3 Replies
Apr 2, 2013
What I want to do with my EA4500 is assign it a static IP and access it after doing so. But no matter how many times I try, I cannot enter its IP address in the address bar and see its settings. I change its IP to 192.168.1.200, subnet 255..., DG 192.168.1.1, DNS the same. Under router address 192.168.0.1. I CANNOT access this router at 192.168.0.1 at all. The thing is, the settings are not any different from how they were when it was WORKING. I literally took a screenshot of my settings in case a scenario like this would come up, yet more problems arise. The only way I can access the router is by doing a factory reset and accessing it at 192.168.1.1.
View 9 Replies
Nov 18, 2012
We've got 5 remote offices with Cisco 881 routers, Windows clients behind them, and all routers connected via site-to-site VPN to a central software router.
Mostly all clients receive IP addresses from the routers in their subnets 192.168.x.0/24.
We have a Windows DHCP server in subnet 192.168.181.0/24.
The problem is that some of the clients, physically situated in the 192.168.10.0/24 subnet, receive IP addresses from the Windows DHCP server from the 192.168.181.0/24 subnet.
Here's part of cisco cfg:
interface FastEthernet0
no ip address
!
interface FastEthernet1
[Code].....
View 3 Replies
Jan 1, 2013
I have a Cisco 1721 router with an ADSL WIC. I have followed guides on the Cisco website so that I can connect the router to my home ADSL connection. The router connects to my broadband provider and successfully obtains an IP address along with dynamically assigned DNS servers. I am able to ping google.co.uk from the router but not from clients attached via DHCP.
I have noticed that if I ping the IP address of google.co.uk from a client it resolves but it will not resolve the name. This would lead me to believe that the problem lies with DNS resolution/forwarding but I do not know how to investigate further.
View 3 Replies
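An added example, not from either post, of the IOS DHCP server as it applies to the 1721 post above (clients get no working DNS although the router learned the ISP's servers) and to the Aug 30, 2012 Catalyst 2960S post (static hosts mixed with DHCP hosts, and "ip dhcp ?" unrecognised because it is a global configuration command, not an EXEC one). The same pool syntax works on both platforms; all addresses, the dialer interface and the client identifier are placeholders.

```cisco
! IOS DHCP server; enter in global configuration mode ("configure terminal"),
! which is where "ip dhcp ?" is recognised. Addresses are placeholders.
!
! Hosts with fixed addresses stay out of the pool: exclude their ranges rather
! than shrinking the network statement.
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 ! 1721 on ADSL: hand the DNS servers the ISP gave the router to the clients
 ! instead of typing them in; this is what "import all" does.
 import all
 lease 0 8
!
! A fixed address for one host without excluding it: a one-host pool keyed on
! the client identifier (01 + MAC for Ethernet; the MAC here is a placeholder).
ip dhcp pool PRINTER
 host 192.168.1.210 255.255.255.0
 client-identifier 0100.1122.3344.55
!
! 1721 only: the PPP/ADSL side must actually ask for the servers for "import all"
! to have anything to import (interface name is a placeholder).
interface Dialer0
 ppp ipcp dns request
!
! Checks: what the router learned, and what it is handing out.
show ip dhcp import
show ip dhcp binding
show ip dhcp pool LAN
```

If "show ip dhcp import" lists the ISP's DNS servers but clients still cannot resolve names, the next thing to look at is the NAT/ACL path for UDP 53 from the LAN; if it lists nothing, the ISP servers were never negotiated on the WAN side.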
Jun 6, 2012
We have a 3750G 12S that is connected to its clients with 1000 Mb SFPs. On the switch is a simple VLAN all the ports are assigned to. The ports are auto-sensing gig connection speed and full duplex when I run the show interface command. What happens is that if a client workstation is restarted or shut down and powered back up, the client cannot reconnect to the switch unless we cycle the switch itself (power off and back on). I know only the very basics of switch configuring and am finding it difficult to source any troubleshooting info on issues like this.
View 13 Replies
Mar 4, 2012
Cisco 881W WLAN module running in autonomous mode. How do I list connected wireless clients?
View 1 Replies
Apr 2, 2013
I am trying to get web-based authentication working on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: the client (Win7) joins the network, opens the web browser and tries to navigate to any HTTP site. The switch forces the "login" page on him, in which he has to enter credentials. After the client enters credentials, the switch sends an HTTP 500 Internal Server Error page and nothing happens. It doesn't matter if the credentials were correct or not. Also I checked the RADIUS logs for requests; the switch doesn't even ask RADIUS.
The configuration:
sh ip admission configuration
Authentication Proxy Banner not configured
Consent Banner is not configured
[Code].....
View 6 Replies
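An added reference configuration, not the poster's, for web-based authentication on a 2960/3560 port, with the checks that separate "the switch never sent a RADIUS request" from "RADIUS rejected it". The credentials from the login page are posted back to the switch's own HTTP server and passed to AAA through the auth-proxy authorization method, so both of those have to exist for the POST to be handled at all. The RADIUS server address and key, the VLAN and the port are placeholders.

```cisco
! IOS web authentication on an access port; RADIUS address/key, VLAN and port are placeholders.
aaa new-model
aaa authentication login default group radius
! Without an auth-proxy authorization method the switch has no way to finish the
! login POST, and no RADIUS request is generated.
aaa authorization auth-proxy default group radius
radius-server host 10.99.0.5 key EXAMPLEKEY
radius-server vsa send authentication
!
! The login page and its POST are served by the switch itself; device tracking
! supplies the client IP that the web-auth session is keyed on.
ip http server
ip http secure-server
ip device tracking
!
! Pre-authentication ACL: DHCP and DNS only until the user logs in.
ip access-list extended WEBAUTH-PRE
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
ip admission name WEBAUTH proxy http
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 30
 ip access-group WEBAUTH-PRE in
 ip admission WEBAUTH
!
! Checks: does RADIUS answer the switch at all, and is a web-auth session created?
test aaa group radius testuser testpass new-code
show ip admission cache
debug radius authentication
```

"test aaa group radius" proves the switch-to-RADIUS path (shared key, reachability, server policy) independently of the browser; if that succeeds but the login POST still returns 500 with no request in the RADIUS log, the problem is between the HTTP server and AAA on the switch, not at the RADIUS server.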