Cisco Switching/Routing :: ASA 5510 / Routing Mobile Users Via VPN To Different Gateways

Oct 6, 2012

I have mobile users using air cards that connect to the network with a VPN product called Net Motion. Our firewall is an ASA 5510. Once connected to the Net Motion VPN server the user will get a DHCP address from our network. In the past we could not get the VPN tunnel to complete since our layer 3 switch (3750G IP services) has 3 egress points and the egress point that we needed the VPN traffic to go out of is not the default gateway. To solve this we had the air card carrier switch our air cards to static IP addresses, and using route statements for the public IP addresses and access lists we got it to work.
 
The problem with this is that every new air card we provision needs a static IP address. My question is: would policy-based routing work in this scenario? The problem has been that the VPN tunnel was not able to complete the negotiation phase as the traffic came into the switch and was trying to go out the default gateway. The VPN client won't get an internal IP address until the VPN tunnel is created.
 
I would like to get away from using static IP addresses.

Cisco Switching/Routing :: 5505 Inter-vlan Routing With Multiple Gateways

Feb 15, 2013

We have two Cisco 5505 firewalls connecting to two ISPs. The two internal LANs on the firewalls are 192.168.184.0/24 & 192.168.186.0/24. We also have a Cisco C3560x layer 3 switch with VLAN interfaces 184.3 & 186.3. We have two DGS-3100 D-Link layer 2 switches connecting our users to the layer 3. IP routing is enabled for inter-VLAN communication & I can reach the switch interfaces & firewall gateways from machines on both of the VLANs. We have PBR enabled on the 3560 & users only on the .186 network can get to the internet. The switch is running the ipservices license & the SDM template is "desktop routing".

Users on the .184 cannot access the internet but we can ping the layer3 interface & the firewall gateway. [code]

Cisco Switching/Routing :: 2900 - Multiple Default Gateways On One Router?

Apr 4, 2013

I have a small network that I want to set up. I have one 2900 router and I'd like to create subinterfaces for the internal. But more importantly I'd like to have the DSL modems connected to the router with traffic from one subinterface going through one modem and traffic from the other going through the other.

Cisco Switching/Routing :: ASA5505 / Network Design With Multiple Gateways?

Apr 11, 2013

Remote location on MPLS circuit terminated on a Cisco router that has Internet connectivity through Central Site router. We are installing a cable modem at the remote location that is to be used as the Primary Internet Connection but still be able to use Internet through MPLS if the cable Internet goes down. We want the failover/fallback to be handled automatically.
 
We have an ASA5505 for the cable Internet which then feeds into the ISPs modem. 
 
At first I was thinking about getting a module for the remote router so the cable Internet could be terminated on the remote router as well but that introduces a single point of failure.  I would also like to firewall both the MPLS and the cable Internet but if I do so on the ASA there is another single point of failure.

Cisco Switching/Routing :: Web-sense Security Gateways Connected To 2x 6500 SUP720

Dec 8, 2011

I have 2x v10000 Websense Security Gateways that are connected to 2x 6500 SUP720. When I turn on cluster management function between Websense appliance, they speak to each other only if they are connected in the same 6500. When they are connected one in every 6500 cluster management does not work. They are connected on the same physical vlan. Do I need multicast to be configured in the 6500 switches?

Protocols / Routing :: Connect Two Net On Same Lan With Two Gateways

Apr 28, 2012

I have two different networks on same LAN. One net has public 2xx.x.x.x IPs (some on DMZ, they are servers with their own internal firewalling) and goes through a GBeth switch to a Cisco 25xx router for accessing HDSL modem with several HDSL trunks and then Internet. That router is configured to let external IPs access only DMZ IPs, of course. The other net has 192.168.x.x IPs and goes through another GBeth switch to a DLink router to access ADSL. Mainly for download traffic at a low flat cost. I would like to have a way to let the 192.x.x.x machines access the servers on the DMZ of the 2xx.x.x.x net without going outside the physical LAN. The servers host mail services and so sending heavy attached documents needs a hi-speed LAN connection and certainly not the ADSL upload capability. Not to say about servers web contents maintenance.

Cisco WAN :: 7204 - Routing Subnet To 2 Different Gateways

Nov 8, 2011

I need to route a subnet from a 7204 to 2 different gateways which are not Cisco based. I cannot use HSRP, GLBP or VRRP as the other 2 gateways don't support these protocols. Yet they do support OSPF, RIP, and BGP. Take note that this setup is in an ISP scenario. How can I achieve gateway redundancy?

Cisco Switching/Routing :: ASA 5510 Routing Specific Traffic To Inside Router

Nov 7, 2012

I have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independent, but share the Internet connection, via the T1 line. On LAN2, I have another router that connects to the Internet, via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other router, on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:

route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
 
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.

Cisco Switching/Routing :: Nexus 7010 / 5510 - Run OSPF As Layer 3 Routing Protocol Between VPC Peer Links

Mar 25, 2012

I have an environment where I have two Nexus 7010 switches, along with 2 Nexus 5510's. I need to run OSPF as a layer 3 routing protocol between the vPC peer links. I have 1 link being used as a keep alive link, and 3 other links being used as a vPC link.
 
1) Is it best to configure a separate Vpc VLAN i.e 1010

2) Is it best to configure a vrf context keep-alive

3) just have the management address as the peer ip's.

Cisco Switching/Routing :: Unable To Enter New Users In Nexus 5K

May 1, 2013

Interestingly enough I've seen about 3-4 posts with the exact same problem and yet not a single one is ever answered.. The task is simple:
 
"username USER password 5 SOMEPASS role network-admin"
 
It consistently outputs: "String failed to match token pattern at '^' marker." - always the caret is at the first character in whatever password I input. I've ensured passwords I input meet the conditions of "password strength-check" and I have also disabled this feature and repeated with numerous passwords to no effect.

Cisco Switching/Routing :: Internet Access To Users Using 871 Router

Jan 21, 2013

I'm currently undergoing CCNA academy so I got a "job" from my boss to configure a Cisco 871 router. Unfortunately we just finished first semester at academy so there are some things that I'm still having a hard time understanding. I managed to configure the router so it connects to the internet, or to be exact it has internet access through another ADSL modem that is in bridge mode. url... The problem is that users are not able to use the internet when connected to this router. I'm able to access the router through telnet (IP 192.168.13.10) but that's it. 192.168.13.0 255.255.255.128 is the network that we use at work. 192.168.13.5 is the IP address that is assigned to the Zyxel ADSL modem (if I'm correct, we could have used any address here since we are connecting this directly to the router?). The Zyxel ADSL modem is connected to the FA4 port on the Cisco router. The LAN cable is connected to the FA0 port and from there it goes to a switch (it's some Asus switch with 50 ports). [code]

If I ping google dns from router e.g. ping 8.8.8.8 it works.  If I ping url... it doesn't work. Also I'm able to access router via 192.168.13.10 but if I use router as  default gateway then I'm not able to access the internet.

Cisco Switching/Routing :: 2960G Core Switch For 400 Users

Jun 7, 2012

I'm trying to decide what switch to use as a core for 500 users. I'm currently looking at either 2 x 3750X stacks or 2 x 4500s with dual SUPs and PSUs; both options will provide the number of switchports required without the need for additional access layer switches. Which switch option is best to go for here? All of our services will be located in our data centre which will be connected using 2 1000Mbps MPLS circuits. I won't need any advanced L3 features and we are not likely to scale over 450 users. Also is it OK to use the dual switch stacks or chassis to provide the collapsed core/access layer or is it best to have a dedicated core (using one of the above options with fewer switchports) and a dedicated access layer using 2960Gs for example? Our structured cabling terminates in a single comms room so we won't need to distribute switches throughout the office.

Cisco Switching/Routing :: 2 Users To Access 2955 Switch

Apr 15, 2012

I'm trying to allow 2 users to access a 2955 switch.
 
-admin privilege 15
-eousers privilege 2
 
When they both log in they just get to the user exec mode, how can I get them to go to their respective modes? [code]

Cisco Switching/Routing :: 3750 / LAN Users Have No Internet Access

Mar 19, 2013

We have a Cisco 3750 stack connecting to the MPLS router, able to ping 8.8.8.8 - [URL]. The internal users on their own VLAN can ping the default gateway, the 3750 switch, but no further; trace route from the PC/Servers stops at the 3750 stack. We have the switch configured to ip route 0.0.0.0 0.0.0.0 to the public interface in the MPLS router; from the switch I'm able to ping the internet.

Cisco Switching/Routing :: 2800 Block Some URL That Users Have Access Through LAN

Jan 30, 2012

I wish to block some URLs that users have access to through my LAN. That is, I wish to block ICMP access towards such sites; I wish to block ICMP because DNS will resolve the domain and they can access through the IP address. What I have in place is a Cisco 2800 series router,

Cisco Switching/Routing :: 2960 Radius Server Users Different Privileges

Jul 26, 2012

I have Cisco 2960 switches deployed in my environment along with RADIUS server authentication. Now I need to assign some roles to particular users (shutdown port, description), so what do I need to do for this task so that not all users have the same privileges?

Cisco Switching / Routing :: RVS4000 - Internal Users Not Accessing An External Web

Nov 13, 2012

We recently upgraded from an RVS4000 router which didn't have this issue.

The problem: internal users from Site A cannot access the external OWA address. From Site A I can successfully ping both the external/internal IP addresses/names and they resolve correctly, including pinging the address ("mail.company.com"), which resolves correctly to the external IP address.

[code]...

Cisco Switching/Routing :: 4500 How To Prevent Users With Static IP To Connect Network

May 14, 2012

Is it possible to prevent users with static IPs from connecting to the network? We use Cisco 4500 series switches as access and distribution switches. Are there any features on the switches that fit my request?

Cisco Switching/Routing :: Nexus 7010 New Users Were Not Getting Ip Address From Dhcp Server

Jun 8, 2013

We  have 2 nexus 7010 switches configured with HSRP in the network. For all  the vlans core1 is Master and Core2 is standby. In the current setup we  have external dhcp server and dhcp relay is configured for all the  vlans on Master and standby switch. The setup is running the IOS 5.2
 
Activity Done: During the maintenance activity, we isolated the core1 switch in the network by disabling the VPC/keepalive and all the uplinks from the access switch. The core2 switch was master for all the VLANs.
 
Issue observed: It has been observed that new users were not getting an IP address from the DHCP server. The Ethereal capture showed that the DHCP server was not getting the DHCP requests from the core2 switch. We disabled the DHCP feature in core2 and enabled it again with DHCP relay again configured on the VLAN interfaces. Even after doing this no change was observed in behaviour. Finally we got core1 back in the network by enabling all the links.
 
Observation: The moment the VPC link came up between the core switches, users started getting IPs from DHCP. Then we started enabling all the uplinks on core1. Core1 again became master for all the VLANs and users continued getting IPs. Network running fine.
 
Further Testing

1. For one of the VLANs, the core2 switch was made primary and we checked the DHCP functionality for new users, and it was working fine. The aim was to identify if anything was wrong on core2 related to DHCP relay.

2. Again we changed the priority for this VLAN and made core1 master for it. This time we disabled this VLAN on core1 and tried a new user, with core2 becoming master, and DHCP functionality worked fine for the new user. In this case we simulated the same behaviour as when we observed the issue, the only difference being that the VPC was not available at the time of the issue, as core1 was isolated from the network.

Inputs needed.

Is there any known behaviour for DHCP functionality when the VPC is unavailable? Test scenario 2 (wherein core1 was master for the VLAN, we disabled this VLAN on core1, and core2 was able to relay DHCP requests for new users in this VLAN) was actually the same as the scenario we observed at the time of the issue.

Cisco Switching/Routing :: Catalyst 2960 After IP Change Via Web-Surface No Users Work Anymore

Sep 16, 2012

A customer contacted us to say that he can't connect to his devices via web since he changed the IP address. OK, big laugh, "type the correct IP", but no. Even if you use the correct IP, no user can connect to the device anymore. Also via CLI! The only thing that worked was the password recovery procedure. After that everything worked fine. The customer and I tried it again with another 2960; maybe something went wrong when he did it last time and it was an accident. Nice thought but no: another device, same error, no login possible.

Cisco Switching/Routing :: 2560 Create Dynamic VLAN For Specific Group Of Users

Feb 6, 2012

We have a Cisco Cat4503 series L3 switch and Cisco L2 2560 series switches. Some of the users want to have a dynamic VLAN membership, connecting to the network as mobile users. Is it possible to create a dynamic VLAN for a specific group of users?

Cisco Switching/Routing :: To Manage LAN Users And Database Servers Traffic On Single 2960

Sep 6, 2012

For my LAN, I have created two VLANs: VLAN 10 for users and VLAN 20 for database servers. There are 15 LAN computers/laptops and 5 SQL database servers (Dell servers) connected through the same 24-port Cisco 2960 switch. That means 15 + 5 ports are occupied.
 
I have applied an access list on the Cisco switch to restrict communication between VLAN 10 and VLAN 20. But my main purpose in creating two VLANs is not any kind of communication or restriction. My main purpose is that user traffic does not disturb, choke or affect the database servers. What will I need to do for that? Is the VLAN concept sufficient for my concern, or will I need to buy a separate Cisco switch to connect the 5 database servers, or something else?

Cisco Switching/Routing :: Catalyst 2960-48 - Capable Of Being Backbone Switch For 1000+ Users Network

Feb 6, 2013

Wondering if this switch is capable of being a backbone switch for a network of about 1000+ users and if the switch can handle a sustained 30Meg of data going across it?

Cisco Routers :: RV220W - Mobile Users / Bridge Mode

Apr 2, 2012

Is it possible to share the same network segment as my LAN for mobile users, in a so-called bridge mode? I have a VPN tunnel to a customer from my local network and I need to access it from the mobile access. I cannot change the site-to-site VPN tunnel.

Cisco Switching/Routing :: Site-to-Site VPN Routing On 5510

Oct 28, 2012

I'm really struggling to set up the routing through a site-to-site VPN to another site using subnet 212.xxx.xxx.0/24. 10.1.1.2 is a gateway that has access to the site. If I add to any server on the 10.1.1.0/24 subnet route add 212.xxx.xxx.0 mask 255.255.255.0 10.1.1.2 it is able to connect to any system on the 212.xxx.xxx.0/24 subnet. However it doesn't work for computers connected via remote access VPN. I need to have all the servers on the 10.1.1.0/24 subnet have access to the 212.xxx.xxx.0/24 subnet and also any computer connected via remote access VPN to the 5510. [code]

Cisco Switching/Routing :: 5510 DNS And Internet Responding

Mar 30, 2012

I have a problem with an ASA 5510 version 8.2(1). I have a Mac OS X 10.6.8 DNS server. When the ASA is online and I want to use the internet, my internet is very slow; it needs about 1.5 min to open yahoo.com and the ASA log viewer shows too many drops. I have only the rule allow any tcp/udp domain.

Cisco Switching/Routing :: Configure Proxy On ASA 5510?

Jan 11, 2012

Can I configure a proxy on the ASA 5510? I.e. for internet use my user should be authenticated by the ASA 5510 and after successful authentication the user should be allowed to access the internet. Further, is it possible to do bandwidth management with the ASA 5510?

Cisco Switching/Routing :: Discovering ASA 5510 Devices In LMS 4.2.3

Dec 9, 2011

I'm currently deploying the LMS 4.2.3 demo version and I'm unable to discover my ASA 5510. How do I discover my ASA to manage it in my Cisco Works 4.2.3?

Cisco Switching/Routing :: Failover VPN With 2821 And ASA 5510

Jul 2, 2012

Currently I have a network that looks like this:
 
ASA5510 - - - Internet - - - ASA5510
   |                            |
 EIGRP                        EIGRP
   |                            |
 2821 ---------MPLS---------- 1841
               BGP
 
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?

Cisco Switching/Routing :: Wireless Router Off Of ASA 5510?

Mar 12, 2012

I work at a small company and have very limited experience with networking. We have an ASA 5510 that connects out to our ISP. The inside interface is connected to a port on a Trendnet switch (where all of our clients are connected as well) using 192.168.0.0/24. We also have a Linksys wireless router connected to one of the ports on the Trendnet, on which it (the wireless router) receives an IP via DHCP from the ASA. I know this isn't the best setup so I would like to connect the wireless router to one of the interfaces on the back of the ASA and have it able to communicate with the 192.168.0 network without any restrictions. Is this possible to set up? If so can it be done using the ASDM?

Cisco Switching/Routing :: Password Break In ASA 5510

Jul 24, 2012

I have a Cisco ASA 5510 series router which was handled by one of our network admins, who left without giving the admin password. Now it is time to break the password. Since I don't know the admin password of the router, I don't know how to handle a few requests. I am not basically a network admin guy who handles such things, but I need to know how to break the password in order to do further requests. How can I log in to the router admin console without a password, or is there any chance to bring it back to the default factory configuration?

Cisco Switching/Routing :: How To Reset Password Of ASA 5510

Nov 15, 2012

I am trying to reset the password of an ASA 5510. It is entering ROMMON mode, but after the boot command I am getting the following error.

Cisco Switching/Routing :: Initial ASA 5510 Configuration

Mar 27, 2012

I'm trying to set up a new ASA 5510. I have a pretty simple set up with one /24 on the inside NATed to a DHCP address on the outside. Everything on the inside works and I can ping the outside interface from external devices. No matter what I do I can't get anything internal to route across the border to the outside and back. To try and eliminate ACL issues as a possibility I added permit any any rules to the incoming access lists on the inside and outside interfaces. Here's the sh run.
 
: Saved
:
ASA Version 8.4(3)
!
hostname gateway
domain-name xxx.local
[code]....

Copyrights 2005-15 www.BigResource.com, All rights reserved