Cisco Switching/Routing :: ASA5510 - Router Consolidation
Apr 24, 2012
I've attached a simple network diagram of my WAN network. We have branch offices that come into our Headquarters using VPN tunnels over the public Internet, and then we have a handful of offices that are connected to our headquarters via a private MPLS network. All of this traffic is routed into our Cisco ASA 5510s, which we currently use for firewall, core network routing and VPN termination. All branch offices have VPN tunnels to our Cisco ASA. The Cisco ASA isn't necessarily designed for core routing, even though it has worked decently for us. We'd like to move the core routing off of the Cisco ASA and just use it as an Internet security/DMZ device like it is designed for. We were hoping to purchase one pair (for failover) of Cisco ISR routers to perform our core routing and VPN termination. Can we eliminate the Cisco 2621 Internet router and use a single, beefy router to handle the Cox MPLS traffic and the Internet traffic on the same router? If we had one ISR doing these duties, where would the router sit in our topology? Is it safe to bring our Internet circuit and MPLS circuit into the same router? How about with VRF? Do the Cisco ISR 2900/3900 support VRF, and can I do VPN tunnels if I do the VRF?
View 2 Replies
May 11, 2012
I've recently segmented my network and part of the process was creating a DMZ VLAN. I'm running ESXi 5 and have created two new VMs to add to this DMZ to begin the process of moving everything public facing to the new VLAN. At this point the new hosts will not communicate with each other, their gateway, and of course not the public internet. To get the first out of the way, they are configured according to VMware's VLAN guide: I have created a new vSwitch port group on the host and assigned them to VLAN id 11 for the DMZ VLAN, and have the switchport on the switch (3560) set up as a trunk in dot1q mode with all VLANs tagged. The management VLAN is also NOT the default VLAN 1, so that is not causing any issues. My other server segment VLAN is working fine on the same ESXi host/s, so this does not seem to be the issue.
On the network side of things I have my ASA connecting to a 3560 with two interfaces, one for "inside", one for "dmz." Is this below correct? I feel like the static route should be route dmz with a gateway to 10.0.1.1.
_ASA_
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0
route inside 10.0.1.0 255.255.255.0 192.168.201.2 1 <- (192.168.201.2 is my 3560)
[code]....
View 9 Replies
Feb 29, 2012
I have an ASA5510 on which I am using 3 interfaces.
-One interface has the main internet connection router
-One interface is attached to a switch 3750 and has multiple virtual interfaces configured on it
-One interface has another internet connection router.
What I am trying to do is to have only one of the VLANs use the second internet connection and not the first one.
My idea was to just have a static route that says that on interface VLAN_B (for the special VLAN), all traffic goes to the 2nd internet router interface. But it does not route. All I have is a default route configured: on interface Internet1 0.0.0.0/0 goes to the 1st internet router interface.
View 10 Replies
Sep 26, 2012
On our ISA server we have some publishing rules with the option "Requests appear to come from the ISA Server computer". This allows us to forward incoming external traffic to a network that is not directly connected to the ISA Server internal interface. We need this because our internal server does not know the route to the internet client but does know the route to our ISA Server, so the internal server sends its response to the ISA server and it sends it on to the internet client.
View 1 Replies
Jan 29, 2012
Here is what I have. Windows Domain Controller running DHCP with configured scopes. I have one ASA5510 and 4 HP ProCurve switches with VLANs preconfigured from the vendor.
Here are my DHCP scopes/VLANS:
VLAN1 -Default 10.2.x.x/17
VLAN201 -DHCP 10.2.201.x/24
VLAN202 - WLAN EMP 10.2.202.x/24
VLAN203 - WLAN Guest 10.2.203.x/24
VLAN 252 - MGMT 10.2.254.x/24
Here is how I configured the DHCP Scopes:
Changes needed on the DHCP Server (AUSPDC) in order to get things working with the new switches:
1) Configure 3 new DHCP scopes on your DHCP server.
a) scope for 10.2.201.x/24 to serve LAN employees and give them a gateway address of 10.2.201.254.
b) a scope for 10.2.202.x/24 to serve WLAN employees and give them a gateway address of 10.2.202.254.
c) a scope for 10.2.203.x/24 to serve WLAN Guests and give them a gateway address of 10.2.203.254.
I just upgraded and decided to go with the VLAN configuration. None of my VLANs can get out to the internet or to each other, due to, I think, my ignorance in configuring the firewall. The PCs are getting proper IP addresses but they cannot get out or to the other VLANs. I tried to duplicate what is working for VLAN1 but it is not working.
Here is my config.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(3)
!
hostname CiscoASA
domain-name hand.local
enable password 1FVULuGal5s1/ADt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code].....
View 6 Replies
Mar 17, 2013
I have 2 ASA5510s acting as routers/firewalls, set up on a LAN, each one pointing to a different gateway (different ISPs), and the exact same VLANs set up as sub-interfaces on each of these. Both act as DHCP relays to a Windows Server 2008 DHCP server. All the trunking has been set up and works. When I untag a switch port, and point it to whichever gateway?
View 2 Replies
Oct 13, 2012
Recently I changed our default gateway from a pair of PIX515s to an ASA5510. Since I changed the gateway, anyone connecting to our wireless VLAN/network who tries to access the Internet may or may not get a page load. If the page loads it is extremely slow, and sometimes the browser page indicator will just spin like it is loading. It's not our access points: if I attach an ethernet cable to my laptop and put my switchport in the wireless VLAN I experience the same problem. DNS resolves OK, ping responses are consistent with no drops, and access to any internal resources is good. All other LAN VLANs/networks work just fine; it's just Internet access on the wireless VLAN. I see the correct traffic flow in the ASA packet capture. Is there anything in the ASA packet inspection related to wireless networking that could be blocked? Is there a way to check for a routing loop possibly?
View 2 Replies
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9; from the datasheet I found the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
View 3 Replies
May 20, 2013
I have an ASA5510 configuration that I'd like to add to. In this configuration there is a site to site IPSEC VPN tunnel to a remote location. It is tunneling a particular subnet for me and everything is working. In the remote subnet, there is an ASA 5525-X connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1. On the inside interface, I've configured the 10.240.32.0/24 network. The only static route I have configured on the 5510 is the default gateway that goes to the ISP. I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1. I did this, but I'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-X, and the only thing I see on the 5510 is the building of the outbound ICMP and the teardown for the ICMP.
View 6 Replies
Mar 17, 2013
There is a PIX 506E and an ASA5510, with different connections to the service provider. The problem is Apple remote users can't access resources protected by the PIX 506E. Apple users can access resources protected by the ASA5510. Physically the PIX and ASA are in close proximity with no physical connections. Is it possible for Apple users to authenticate with the ASA and have the traffic get routed to and authenticated by the PIX, in order to access resources? Due to bandwidth restrictions, a DMZ on the ASA will not be created at this time in order to consolidate firewalls. Currently 2 x T1 is the connection between the ASA and ISP; 1 T1 connects the PIX to the ISP.
View 1 Replies
Jun 3, 2009
I wanted an ASA to do hairpin routing. Here is the situation. A client was running their internet through a partner's WAN. They do not have a layer 3 switch/router, and the default gateway on their network was actually the partner's equipment. They recently purchased their own internet circuit and an ASA5510. I initially tried putting in the NAT exception, permit same security interface and a static route on the ASA so that traffic bound for the extranet segment would be routed back out the inside interface toward the gateway to the partner's WAN. Pings worked right away, however no applications would work: no web traffic, application traffic, anything. My only guess is that the ASA does not like this in relation to stateful traffic flow, and the fact that since the partner's gateway is on the same subnet, you end up with asymmetric routing.
View 10 Replies
Jun 14, 2012
I have two interfaces connected to two different subnets - interface 0/1 = 10.100.1.0/24, interface 0/2 = 10.100.113.0/24. As they are directly connected to the ASA I assume I don't need to add a static route, but when I try to ping from one interface to the other (ping inside 10.100.113.1) I get "Routing failed to locate next hop". [code]
View 1 Replies
Sep 2, 2012
I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to WAN 2 (WAN 1 is not connected yet, but traffic should also be able to go there).
View 2 Replies
Dec 10, 2011
I have an ASA5510 with 2 internal interfaces (inside1 and inside2, same security level) configured with OSPF for dynamic routing with 2 routers to corporate subnets. I have a server in a private subnet that needs to be accessed from the Internet. So static PAT is used in the ASA with the command
static (inside1, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
As OSPF is in use, the subnet 192.168.1.0/24 may be reachable from interface inside2. When I tried to configure the static command for inside2,
static (inside2, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
the error message came out "WARNING: mapped-address conflict with existing static...". Is this just a warning, or is this not possible in ASA?
View 2 Replies
Jun 25, 2011
I'm facing a problem with two vlans. Each vlan has internet access by NAT.
In each VLAN there is at least one server, which should be accessible from the other VLAN and vice versa.
The function "same-security-traffic permit inter-interface" doesn't work, because NAT control is in place - so says an expert.
Some experts told me it's not possible to route back out the same interface, and also not to route back out the separate subinterfaces as well.
View 12 Replies
Feb 24, 2013
I got a problem with routing on an ASA5510.
I have ezVPN clients connected to the ASA5510. Those clients are assigned an IP from the 192.168.236.0/24 pool.
I have a router of a contractor connected to a dedicated ASA interface called IBIZA with IP net 10.100.10.0/24, and the router itself has the IP 10.100.10.1. Behind that router is another private network which I need to reach from the ezVPN clients.
The connection from the ezVPN clients to the "LAN" interface/network on the ASA works fine, but I can reach neither the contractor router (10.100.10.1) nor the network behind that.
From the LAN network (on the LAN interface) I can reach both the contractor router and the network behind it.
When I use the Packet Tracer tool from the ASDM it tells me that the traffic goes through but ends on the LAN interface. But it should end on the IBIZA interface, or am I wrong here?
What do I need to tell the ASA to route the traffic from the ezVPN client to the contractor router and back? I have set up the ezVPN connection as full-tunnel so all traffic goes through the VPN tunnel. That shouldn't be the problem.
View 10 Replies
Aug 15, 2011
I am trying to set up an ASA5510, but without success. Actually, I have a Cisco 1800 (192.168.96.1/21) from my ISP connected to a Cisco 3825 (via a port with IP 192.168.96.2), and all is working well. Now I want to insert an ASA firewall between the ISP router and the 3825.
For that, I tried a simpler config:
ISP router (192.168.96.1/21) ---- ASA outside port (192.168.96.2/255.255.255.248) ASA INSIDE port (192.168.100.1/255.255.255.0) --- a PC with IP 192.168.100.2, netmask 255.255.255.0, gateway 192.168.100.1
From my ASA, I can ping 192.168.96.1, but a "ping INSIDE 192.168.96.1" fails.
From my PC, I can ping 192.168.100.1, but not 192.168.96.1.
Here is my ASA config:
ASA Version 7.0(8)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
[code]....
View 1 Replies
Jun 3, 2012
I have an ASA5510 running version 8.2(5). I am having an issue with routing/NATting from an internal network to the outside interface IP on port 443, which has a NAT back in to another internal address. It works externally in from a public address. I also see log messages to do with IP spoofing.
View 1 Replies
Oct 7, 2012
I configured HSRP on a Router 2951 as the primary router, and a Router 2811 as the backup router. But when I switch off my primary router, the backup router is taking 2 mins to take over from the primary router.
[code]....
View 4 Replies
Feb 16, 2012
Any "best practices" or recommendations on how to migrate from a fixed router (3745) to VLAN routing on Catalyst 4507 switches in order to minimize the disruption to the network?
View 4 Replies
Nov 7, 2012
I have an ASA 5510, with Ethernet0 connected to the Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independent, but share the Internet connection via the T1 line. On LAN2, I have another router that connects to the Internet via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other router on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
View 7 Replies
Mar 6, 2012
When multiple policy based routing rules are configured on 7600 routers, does the router performance degrade with the number of policy based routing rules? Also, does a 7600 running 12.x use per-flow based routing or per-packet based routing?
View 1 Replies
Mar 19, 2012
I have a 5510 running 8.42 code with multiple site to site tunnels coming into it. Sites vary from ASA 5505s, 1841 and 1921 routers, which all work perfectly. That being said, I think the ASA side is good. I have an 837 running 12.4 code, Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(5b), and I'm trying to configure it for a site to site VPN back to the ASA. When I ping from the E0 interface I get the following debug output and nothing else. I've made a lot of changes to no avail in getting closer to a successful configuration. [code]
View 1 Replies
May 8, 2012
I have an environment of 3 x 3560G, of which the 1st switch, CORE (f0/10), connects to the VPN router (CE) interface f0/0. The remaining 2 Cisco 3560s (Access) are connected to Gi0/1 and Gi0/2 on the 1st switch, CORE, via gi0/1. On all three switches I have created multiple VLANs and assigned ports to these VLANs. The switch to switch connection is a trunk allowing all VLANs created on all these 3 switches. Now the issue is how I am going to have all these VLANs routed through the single interface on the router, i.e. f0/0, as all these subnets will be communicating to the remote site over VPN. What should the default gateway be on the 2 Access switches and the CORE switch, and also what static route should be on the router to reach all subnets (VLANs) created on these 3 switches?
I have read about inter-VLAN routing, i.e. creating sub-interfaces on the router, but don't want to proceed with that and am looking for any other way to have my VLANs talk on all three switches and then be accessible to the remote site over VPN.
View 9 Replies
Dec 9, 2012
I have an 1811 with several subnets connected to it. I recently installed a 3750X plant and want to bring my interior routing back to it.
All the routing is handled by the 1811 via secondary interfaces on vlan1?
I have 192 ports, and subnets show up on almost all of them. None of the ports are assigned to any specific vlans. Most ports have several subnets on them.
What is the best approach to getting the 3750x to handle the routing?
View 18 Replies
Nov 14, 2012
We have small which I'm looking to implement and have built this on GNS3.
We have:
Router A in site 1
Router B in site 2
Router C in site 3
Router A and B are connected via a point to point 100M link, and from Router C we have 2 point to point links, one of which is 5Mbps, going to Router A and Router B.
For Router C to reach the Router A network it will go via Router B, and these are 100M connections. When the link between Router A and B goes down, Router C should update and start using the 5M route.
For some reason, the routes are not updating. I have to do 'clea ip eigrp ne' for the routes to update, and if I reload the routers all works well; it seems the problem is intermittent.
View 13 Replies
Feb 21, 2013
I've been trying for a few days now to implement multicast routing on my home network in order to make AirPlay work between subnets, specifically between an iPhone and a hi-fi separated by different VLANs. I failed, as I have no experience in multicast routing. We have a clean configuration and a simple network which consists of two SVIs:
Vlan 10: 192.168.1.0 255.255.255.0
Vlan 20: 192.168.2.0 255.255.255.0
IOS platform: Cisco 887
View 5 Replies
Oct 1, 2011
We've created an IPsec VPN tunnel between our ASA5510 (8.3) and a PIX firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.
I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel crypto map to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.
View 5 Replies
Jun 4, 2012
For some days we have had an ASA5510; we connected it to a Windows Vista laptop via ethernet cable (using the mgmt slot at the back of the router) and connected it to the network slot on the laptop. The laptop is getting IP addresses automatically.
Now we tried to reach the router in Internet Explorer using http://192.168.1.1, but we could not reach this site. When I try to ping the router via cmd by typing ping 192.168.1.1, I get answers.
For us it is very important to change the IP address of the router, as it will be used in a network with 10.xxx.xxx.xx addresses.
View 2 Replies
Jul 27, 2009
I'm having a 2500 series router. When I boot, the router automatically gets into router(boot)>. How to solve this?
View 6 Replies
Jun 26, 2012
I have an 891 router set up to support 4 VLANs with 4 DHCP pools. The router is in place at a charity HQ and I have been asked to set up remote access for around 8 users who will need to be able to connect to a NAS drive via IP on one of the VLANs. I have had some experience with SonicWall devices that use SSL VPNs and would like to do similar here. Can someone start me on the right track to get this working?
- Presumably I need an SSL-VPN license for the router.
- What sort of client will my Windows and Mac based clients need? (with SonicWall it was a proprietary client called NetExtender)
- Any other pointers or comments?
I'm not a Cisco engineer, but did manage to set the network up thus far. Everything about this charity is non-profit / cost including the support staff like myself
View 0 Replies
Oct 25, 2011
I have an 881 router here in house and am attempting to enable the GUI interface on the router.
I have tried the steps to enable HTTP but have not had any success. Below is the IOS version and the portion of the show config that reflects the HTTP allow:
ROM: System Bootstrap, Version 12.4(15r)XZ2, RELEASE SOFTWARE (fc1)
Cisco 881 (MPC8300) processor (revision 0x100) with 249856K/12288K bytes of memory.
Processor board ID FTX1249Y16Q
[Code].....
View 4 Replies
Jun 19, 2012
I am a service provider, with the task of installing a Systech device at a site, and was told all I needed was DHCP enabled and a dynamic IP for the internet. The site just put in broadband and their router has a single port. I picked up a Linksys DSL router to use as a router/switch to enable more ports for the internet. If I hook the broadband router into the internet port of the Linksys, I cannot get internet access on my laptop through it. If I hook the broadband to port 1 and my laptop to port 2, I have internet access. If I hook the Systech device to port 3, the support team says they cannot see the device. But, if I hook the broadband directly to the Systech box, they can find the MAC address and download to it. I have set the Linksys to default settings, but it will not work.
View 2 Replies