Cisco Switching/Routing :: ASA 5510 / Subnets Unable To Reach Outside?
Feb 18, 2012
I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues. From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However, none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues.
Here's my config:
ASA Version 8.4(3)
!
hostname gw
domain-name internal.mycompany.com
enable password asdf encrypted
[code].....
View 6 Replies
Apr 2, 2012
The Cisco 1921 router has two routed adapters. One is GE0/0 which I am using for my WAN interface. It is working properly. The 2nd interface is GE0/1 which is being used as my internal adapter. It is running NAT. When I attempt to reach the internet it fails while checking the exit interface. Here is the report.
Router Model: CISCO1921/K9
Image Name: c1900-universalk9-mz.SPA.151-3.T.bin
IOS Version: 15.1(3)T
Hostname: Bulldog
Interface Details
Interface: GigabitEthernet0/1
IP address: 192.168.1.1
Description: NOC Link
Test Activity Summary
[Code].....
View 1 Replies
May 27, 2013
I have multiple offices in my location. All my external users connect to my site using the Cisco client-to-site VPN and access my 2 sites. All users are able to access my 2nd office servers, which are in the 10.10.0.x pool. I have a different VLAN in that same location with the 10.10.35.x series, and users are not able to access the servers in this pool. I am not very familiar with routing. I am using an ASA 5520 firewall.
View 11 Replies
May 10, 2012
I have 2691 router with following config
line console 0
login local
password xty
When I remove the login local from the line console, connect to the console port and press enter, it shows the router prompt 2691Router> but I am unable to go to enable mode. If I telnet to the router and enter the username and password, it goes straight to enable mode.
vty config is
line vty 0 4
exec-timeout 600 0
logging synchronous
login local
length 500
transport input telnet ssh
escape-character 3
Any reasons why I cannot go to enable mode by console?
View 3 Replies
Sep 18, 2012
I have an ASA 5510 and configured client VPN (AnyConnect VPN). When I connect to the ASA remotely using AnyConnect I am able to get an IP address as configured. From the internal network I can ping and RDP to that AnyConnect VPN desktop, but the problem is that from the remote AnyConnect VPN client I am unable to access the internal network. When I use the ASA packet tracer and check traffic from internal to the AnyConnect pool of addresses it gives the result OK, but when I use packet tracer to check traffic on the outside interface from the AnyConnect address pool to the internal subnet it always says the packet is dropped at WebVPN - SVC, and I can't find any related configuration for that anywhere.
View 5 Replies
May 17, 2012
Having trouble with a couple of items. First of all, should I be able to ping the inside interface of the ASA from all internal subnets, assuming all of these subnets/VLANs are directly connected to the same L3 switch? I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet. I have set up static routing on the ASA [route inside 10.10.96.0 255.255.248.0 10.30.1.1 1] and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5]. The inside interface is on the 10.30.1.x/24 subnet. My host is on the 10.10.96.x/21 subnet. From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212. I can, however, ping 10.30.1.1 from 10.10.96.212.
This leads to my next issue, which is trying to set up the ASA to work concurrently with our current firewall. I'm doing this in order to transition to the ASA. I'd much prefer to cut over inbound NAT a little at a time vs. doing it all at once. Our current firewall is set up at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2). So my question is, if I set up an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing **** since the default route points back to our other firewall?
View 2 Replies
Mar 11, 2012
I'm running into what seems a basic IP routing config problem with a Catalyst 3750 (IP Base) switch. I have several VLANs configured on the switch with IP routing enabled, and the switch is connected to the inside interface of a new ASA 5520 as follows:
ASA5520 IP (default gateway): 192.168.1.1
Switchport Gi1/0/1 is configured as a routed port, IP address 192.168.1.3 255.255.255.0
Example VLAN is VLAN 100, IP address 192.168.100.1 255.255.252.0
From the switch CLI, I can ping all VLAN addresses, as well as the ASA5520, and the client laptop I'm testing with from VLAN 100.
From the client laptop on VLAN 100, I can ping all switch interface and VLAN addresses (inter-VLAN routing is working), including 192.168.1.3, but I CANNOT ping the default gateway at 192.168.1.1.
Here is the relevant configuration information on the 3750:
!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
[Code]....
View 4 Replies
Dec 9, 2012
I have a Cisco 2851 router as the edge router, and a 3750G and a 3560G switch with inter-VLAN routing configured with four VLANs. Also connected to the switches are four servers; one has Active Directory and a DNS server. I am able to ping all the servers fine from different VLANs, and the servers are able to ping the edge router. The problem I am having is with DNS: in the edge router I have configured the ISP's DNS server address in ip name-server and I am able to reach the outside world.
The problem I'm having is that the servers are not able to reach the outside. Do I need to do something in the edge router to forward it to the 3750G, or do I have to add my ISP's DNS servers on the 3750G with ip name-server?
View 5 Replies
Mar 3, 2012
I have this strange problem with my MacBook Pro. When I connect it to my Cisco 2940 8-port switch I can reach my ISP (websites, e.g. google.com) for about 2 minutes, then something happens on my router, because suddenly I can't reach my ISP.
This is what I have found out so far:
1. when I lose connection to my ISP then I can only ping internal ip addresses eg. another computer in my network
2. if I renew my IP address on the MacBook then it works again for 2 minutes, then the same happens again. This is my network setup:
Router -> Switch 1 -> Switch 2
I also know that it is not the MacBook, because it has got a new motherboard and it has been reinstalled.
Also, if I use the MacBook on another network then it works fine.
All my other computers (Windows and Linux) work fine, no problems.
To me it looks like it is a NAT and/or DNS problem, but I can't find out what it is.
View 7 Replies
Feb 21, 2013
I've been trying for a few days now to implement multicast routing on my home network in order to make AirPlay work between subnets, specifically between an iPhone and a hi-fi separated by different VLANs. I failed, as I have no experience in multicast routing. We have a clean configuration and a simple network which consists of two SVIs:
Vlan 10: 192.168.1.0 255.255.255.0
Vlan 20: 192.168.2.0 255.255.255.0
IOS platform: Cisco 887
View 5 Replies
Nov 19, 2012
We have recently started as Internet service provider in an open metropolitan.
We use a Cisco 3560G Layer 3 switch, where we have all our VLANs, which we have configured e.g. Switch(config)# interface vlan 150, an interface for each VLAN capacity, such as int vlan 1 - 10/10, int vlan 2 - 30/10, int vlan 3 - 100/10 and so on.
Our int vlan is configured as follows:
dhcp relay information trusted
ip address <x.x.x.x> <x.x.x.x>
ip helper-address <x.x.x.x>
Ports (ex. int Gigabit Ethernet 0/1) are configured as follows:
description Uplink
switchport access vlan x
[Code].....
Now the problem: we have a customer in e.g. VLAN 3 who needs to access a server provided by another customer in the same VLAN (VLAN 3), and access to each other in the same VLAN is not possible. You can access the server from any other VLAN, but when it comes to accessing another host in the same VLAN, you will not reach it.
We suspect that the energy company has configured it with PVLAN isolated. If we use the command ip local-proxy-arp on each VLAN, it works to reach each other, but it seems that our 3560 becomes overloaded when ip local-proxy-arp is enabled, and when streaming and using IP telephony it doesn't work. The ping response time is longer and the packet loss increases with ip local-proxy-arp enabled. The other operators in the metropolitan also use Cisco 3560G, so the hardware should be sufficient.
We have also tried to add no split-horizon, but it made no difference. How do we get around this without negative consequences? We probably need something that allows sending out the same interface that it came in on, because it works as long as you are in another VLAN.
View 1 Replies
May 20, 2013
PCs --> SG500 (4 VLANs) --> RV042 --> Internet. VLAN 1 is able to reach the internet. VLANs 2-4 cannot reach the internet, but can reach VLAN 1.
View 2 Replies
Oct 1, 2012
I have a pair of Core VSS 6509E SUP 2T. Two different LANs, two different subnets. The larger LAN has been connected to the VSS pair using normal SVI and port-channels (it has lots of closets with 3750 stacks) and no problem. The second LAN has two closets, stacked and connected to each other via port channel and trunk + SVI interfaces. Now, I have SVI interfaces for both LANs on the VSS pair and that is causing traffic from one LAN to jump over to the other VLAN, and rightly so, because the VSS pair sees both subnets as directly connected subnets. I was wondering if I delete the SVI for the second LAN and only keep the L2 VLAN, will this be resolved? The reason for the second LAN to connect to the VSS pair is only that it has to go through the VSS pair to get to the WAN router (both LANs will go out through this same WAN router), but the WAN router is not my concern at this time. I need to isolate these two LANs'/subnets' traffic so that no one VLAN's traffic jumps over to the other. I have also thought about VRF, but at this point I am not sure if the 3750 stacks support VRF and, if they do, how to implement VRF on the second and smaller LAN to just allow it to go through the VSS pair in order to get to the WAN router.
View 13 Replies
Jun 21, 2012
Configuring a working route between two subnets (172.28.0.0/16 and 192.168.0.0/24) on a Cisco Catalyst 2960-S.
Problem: The subnet 172.28.0.0/16 is on VLAN 40 and the clients on this subnet have to access a preconfigured device with an ip in 192.168.0.0/24 subnet. The configuration of this device cannot be changed.
I have an Cisco 2960-S Lan Base (c2960s-universalk9-tar.150-1.SE3) switch [URL] that I would like to use to solve this problem.
View 17 Replies
Mar 21, 2012
I have two separate companies, both with staff at two locations and their own networks, connected with a wireless antenna which provides a high-speed LAN connection between offices. I only have a single path through this antenna bridge. I have an SG200-08 switch at each end. What I am attempting to do is utilise the switches to take the two subnets at one office, combine them into one for transfer through the antenna bridge, and then resolve them into the two separate networks again at the other end.
View 1 Replies
May 27, 2012
I'm setting up VLANs and inter-VLAN routing in my lab. My VLANs work well (routing between them and DHCP relay) on the LAN side of the ASA, but they cannot reach the internet through the ASA.
Here are my ASA settings:
Note: I know that the physical interface mustn't have an IP address, but my present network needs one to work. I'll fix this during my next tests.
: Saved
:
ASA Version 8.2(1)
!
[Code].....
View 8 Replies
Jun 29, 2012
I have a Cisco 2901 with the 4-port gigabit ethernet switch module that I'm trying to get configured to have a separate subnet for each port. So far I have it set up so each subnet is a VLAN, then on each port I use the switchport access vlan command to tell it which subnet I want that port to be on. However, there is one port that I need to have 2 subnets on. The way I found to do that was to use switchport trunking on that port, but it doesn't seem to be working properly. How would they configure this? Right now I have VLAN 101 as x.x.x.17/28 and VLAN 103 as x.x.x.53/30. I think where I'm getting hung up is the proper association between the physical port and the VLAN subnets.
View 5 Replies
Nov 30, 2012
I have been at this for the past few hours now. I just cannot get this device to pass through traffic to the internet. Here is the basic topology:
Default Gateway (ISP): 208.118.125.129/29
IP of outside int (e0/0): 208.118.125.130/29
ip of inside int (e0/1): 10.1.1.1/24
igniteCSGfw(config)# sho run
: Saved
:
ASA Version 8.0(4)
[Code].....
View 3 Replies
Sep 13, 2011
I am working on a Cisco 5510 with multiple interfaces and requirements. I have experience with Cisco IOS, but not too much with the ASAs. I seem to be getting a bit confused on the NATing and ACLs on a firewall that was started by another employee, who is no longer here. With my current config I can get the firewall in place (we are currently using an older PIX) and most basic functions work except for two key things: 1) communication from the finance interface to the inside interface. The finance subnet has some restrictions that you will see in the ACL; we are trying to limit connections to those systems, but they need to be able to access an e-mail server on the inside. 2) communication from the DMZ interface to the inside interface. Maybe related to the first problem?
View 2 Replies
Jul 18, 2012
I have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
int gi0/2
ip wccp 10 redirect in
ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs I've found on cisco.com are for redirecting traffic from directly connected subnets, but I can't find anything that denies the possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
View 1 Replies
Mar 14, 2011
I configured a remote-access vpn on an ASA 5510 version 8.3. This is the configuration [code]The vpn goes up and I get an ip address, but it's impossible to reach the internal network. [code]
View 9 Replies
Jan 4, 2012
I am simulating an AnyConnect VPN connection in the lab. I have an issue while configuring AnyConnect VPN on an ASA5510.
I can have a successful AnyConnect connection, but I can't ping my firewall interface IPs while I am in the connection.
ASA 5510
Outside IP: 192.168.1.1/24
PC connected to Outside Interface: 192.168.1.10/24
Inside IP:10.10.10.1/24
PC connected to Inside Interface: 10.10.10.100/24
Pool : 10.20.20.11 - 10.20.20.50 /24
I have a successful VPN connection and the PC connected to the outside interface gets an IP address from the assigned pool (10.20.20.11 with a default gateway of 10.20.20.1). But I can't reach (ping/telnet) the ASA while I am on the AnyConnect VPN connection.
I believe it is mostly due to a NAT/routing issue.
View 10 Replies
Mar 26, 2013
I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and an iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1) but I can't ping across that interface from the WAN or LAN side.
START CONFIGURATION
ASA Version 9.1(1)
!
hostname ASA5510
[Code].....
View 7 Replies
Aug 31, 2011
I just got an extra public subnet from our ISP (co-hosting center), but I can't figure out how to use them on my ASA.
New:
IP addresses: 87.1.1.194 - 87.1.1.254
Default gateway: 87.1.1.193
Subnetmask: 255.255.255.192
Old:
IP addresses: 200.1.1.34 - 200.1.1.46
Default gateway: 200.1.1.33
Subnetmask: 255.255.255.240
Config:
route wan 0.0.0.0 0.0.0.0 200.1.1.33 1
And statics like:
static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255
View 22 Replies
Mar 25, 2012
The 3750 cannot support multiple subnets in its DHCP server pool config.
Is this an issue that can be fixed with a different IOS, or is there a different Cisco switch that I can replace the 3750 with that will handle multiple subnets within an individual pool?
View 1 Replies
May 9, 2012
I have configured a remote access VPN on a PIX 525 with 7.2(4) code. After getting connected (with an IP address assigned from the pool) I am not able to reach any of the internal networks. [code]
View 3 Replies
Feb 8, 2011
I have a remote access VPN set up and I can get connected with no issues. I assigned the VPN a pool of addresses from the end of my inside interface subnet. When connected I can ping any device on that subnet; I can also connect to my switch on the same subnet via my browser. I cannot, however, access any device located in my DMZ while connected. This is a new setup I'm testing, but I need VPN users to be able to use RDP to connect to machines in the DMZ.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ASA1
domain-name
enable password encrypted
[code].....
View 4 Replies
Mar 12, 2013
I am facing the following problem. A smartphone is connected to a WiFi hotspot. Suppose the smartphone IP is 10.0.2.2 and the hotspot IP is 10.140.13.12. I am able to send data from the smartphone to a server (over the internet) which has a static IP, and the sender details at the server are the hotspot IP. The problem is sending data from the server back to the smartphone. I tried sending to 10.0.2.2 (the smartphone) from the server, but the packets are not received.
View 3 Replies
Jan 2, 2012
So, I've set up AnyConnect client access to an ASA-5510.
I've got a handful of interfaces, which contain hosts that should be accessible to AnyConnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif
Interface Name Security
Ethernet0/0.205 SECURE 90
[Code].....
View 7 Replies
Oct 21, 2012
I have two ASA 5510s in an active-standby cluster; not that I think the fact that they are clustered will be of any importance here, so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASAs. I have two subnets with public addresses; for simplicity let's call them 1.1.1.0/24 and 2.2.2.0/24. The default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASAs? I'm currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use addresses from the second subnet, won't that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything; I'm just trying to plan ahead and I can't seem to wrap my head around how this could possibly be done.
View 5 Replies
Nov 17, 2011
I am in the process of migrating our existing server farm subnets to our new Nexus server farm and I discovered something I wasn't expecting. My intention is to migrate our existing legacy server farm, which is comprised of four paired 3750 switches, off of our core 6509s and onto the Nexus, and connect them to the 2232s via multi-gig port-channel connections, two port channels per switch stack.
NOTE: this is expected to be a temporary move, as next year we intend to install additional N2Ks and move servers over to these directly. But to minimize the outage/downtime it will be better to move the subnets and switches all at once.
These connections would be grouped 1 gig connections as port channels, one from each switch into one of the two 2232s.
The problem I discovered is that Cisco does not intend to have switches connected to the Nexus, and it immediately disables the ports when they see BPDUs.
I found a config that does work, and it does fail over from one port-channel connection to the other, but with the limitation that when the original port channel comes back online it does not fail back over to the original one, an acceptable situation for us. But I am wondering if Cisco would support this design if we did experience issues down the road.
The only issue I really see is that to get it to work the config is different on the two N5Ks; see the pert config below for the connections. Both are running the same OS.
augs1-ba-ar17# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support: [URL]
[Code].....
View 5 Replies
Apr 3, 2011
We are facing a strange issue in our network. We have a remote branch which is connected to the main branch using a leased line. The remote branch has a Cisco 1700 router. Every day in the morning the remote router is unreachable. We are not able to reach (ping/telnet) the remote router, but are able to reach the L3 switch/LAN behind this router. The users from the remote branch are also not able to reach the local router, but they are able to ping the main branch. Users in the remote branch are not able to access any resources in the main branch during the issue.
During the issue, we have checked the remote branch router and found that the CPU utilization of the Cisco 1700 router is very high (99%). If we run the "show process cpu" command (please find the attachment), especially the IP input process is very high (97%).
View 1 Replies
Jul 23, 2011
I have an SG300-10 switch. I updated the firmware with the latest one. Things got complicated when I created 2 VLANs (really 1 VLAN, because the first is native). So I have the first VLAN with the interface 192.168.1.254 and VLAN 2, whose IP is 192.168.2.254.
I'm connected with my workstation (IP: 192.168.1.2/24 with GW 192.168.1.254) and I try to ping a web server on VLAN 2 (IP: 192.168.2.2/24, GW 192.168.2.254).
Ping is OK! But when I try to reach any ports of the web server: nothing.
View 11 Replies