Cisco Switching/Routing :: Configure Proxy On ASA 5510?
Jan 11, 2012
Can I configure proxy on ASA 5510? i.e. for internet use my user should be authenticated by ASA5510 and after successful authentication user should be allowed to access internet and further is it possible to do bandwidth management with ASA5510?
View 1 Replies
May 20, 2012
I have a Cisco Catalyst 2950 and would like its basic setup. It is connected to a Cisco ASA5510 on GigabitEthernet0/1. The ASA has two VLANs configured, 101 and 102. I would like to configure my switch to be managed on the following IP which is on the 102 subnet:
172.16.102.253/24
Also, I would like to configure GigabitEthernet0/1 as a trunk port to allow both VLANs.
View 14 Replies
Jul 24, 2012
how to configure a backup route to the internet. My client has 2 ISP and basically they want to use 1 ISP and in case the ISP fails, use the other one as backup route to the internet.
The problem I’m facing is that each ISP is plugged to a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other. Both ASA are plugged to an internal network in a dedicated VLAN with a L3 switch and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and in case the ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2? It would be great if I can send traffic to the internet thru both connections at the same time. Also, I know the ASA has High Availability configuration, but that applies only if both licenses in the devices are the same and I have a mismatch with the SVPN license, and also I don't know if with my current topology I can use the High Availability model, so I think I can’t use that option and the solution must be applied in the L3 switch, but I don’t know how to tell it to use ASA1 and if failure of the device or the outside interface plugged to ISP 1, then use ASA2. Besides, I would like to know how to optimize this config to do the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls).
View 5 Replies
May 19, 2012
I have been tasked to set up a transparent Squid proxy and do redirection on a Cisco 6513 switch. I don't have access to the Squid but think that my config below should be OK. We have set up a TEST user VLAN 13. Any traffic from this destined for the web on 80 or 443 should be redirected. VLAN 10 is where the Squid proxy is sitting. [code]
View 3 Replies
Jun 3, 2012
I had a problem with an IP address conflict from a Cisco 2911 router: all the time the router responds with an ARP reply (duplicate use of IP: x.y.z.t with the same MAC address) and the IP subject to the conflict doesn't appear in any of the router's interface configurations (basic configuration without DHCP). The problem was solved when I deactivated proxy ARP, but I can't understand this behavior: why does proxy ARP respond to all IP addresses with the same MAC even when the IP doesn't exist in the router?
View 4 Replies
Mar 15, 2012
Can Cisco 1721 act as DNS proxy? If yes, how can I configure it?
View 5 Replies
Oct 25, 2012
We have a custom web application which is heavily relying on javascript. We're trying to access it via the webportal but this application does not load correctly (it barely shows a white page).
The link is [URL] and SUBIF-ISP2 is the public interface facing the internet. This is the rule as displayed by the CLI:
proxy-bypass interface SUBIF-ISP2 path-mask oursubdirectory target [URL]
Despite having this command in place, nothing changes. I tried multiple combinations adding the xml and hostname rewrite or changing the interface but nothing, the page is the same like if this rule was not applied.
View 4 Replies
Nov 12, 2012
My ISP provides me an internet connection through a password-protected access point bearing IP address 192.168.20.1, built with IP filtering which allows only a particular IP, 192.168.20.88. I am not able to access the internet on more than one computer simultaneously because the router allows only a single IP, and I am not sure what WAN IPs the access point provided by the ISP uses, e.g. IP, gateway and DNS. My ISP provides me a static IP address for my home computer as mentioned below:
IP : 192.168.20.88
Gateway : 192.19.20.1
DNS: 192.168.20.1
Alt DNS : 192.168.20.1
My public IP address is 180.87.210.26.
Is there any option to add a router to bridge or configure a router as a proxy server so that I can access the internet on more than one PC simultaneously?
View 5 Replies
Nov 29, 2011
Currently we are using a proxy (192.168.45.90) for internet. The internal network IP scheme is 192.168.30.0-254. My problem is how I should configure the new ISA2004 installation on a separate PC with a new IP range like 192.168.31.0-254 using that proxy 192.168.45.90.
View 1 Replies
Jan 11, 2009
I would like to configure limited internet access to only a select group of Windows AD users.
I believe cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510.
View 7 Replies
Mar 27, 2013
I configure Safari with auto proxy configuration, insert the proxy server name, and click apply. However, if I go to network-tools.com and do a traceroute, the trace does not show the proxy server in the series of IP addresses. I have tried with several different server names but it makes no
View 1 Replies
May 21, 2013
In my office environment, my machine is configured with an IP address, Subnet Mask and a Default Gateway. The Default Gateway does not allow internet connectivity but is configured to provide us with connectivity to some server based tool.
Now in order to provide us with the internet access, a proxy server is configured via the LAN settings in the IE. The problem here is the Proxy is restricted for some sites that I need like certain technical blogs and all, which it filters out in the blogs category and does not load.
I do have another Gateway server address that I can use in Local Area Connection IPv4 Properties as Default Gateway address which removes this restriction. I thought that this should be configurable to the LAN Settings as a proxy as well. But when I do so, I lose the connection to the internet.
I am not sure if all gateways can act as proxy servers. Or is there anything that I am doing wrong? I am using the default port 8080 in LAN Settings. I can ask this from the technician but I am not sure if he would be able to answer that as he is just a first level guy. I thought of figuring it out myself.
View 1 Replies
Jan 27, 2013
I am wondering if this is possible. We have multiple internet connections with fixed IPs coming into the office. We'd like to use one for FTP backup and another to service our websites. From what I have read a 5510 doesn't do policy based routing, but we'd like to configure our FTP server to use one of the internet pipes and our web server to use another internet pipe. Is that possible?
We'd have two outside fixed IP interfaces and two internal interfaces. I could then use one of the internal interfaces for the web server and the other for the FTP server. Consequently, if the internal web server and FTP server use the fixed IP's corresponding DNS server, wouldn't that effectively route all FTP traffic out one interface and all web traffic out the other?
Then the FTP traffic would be NAT'ed to an internal interface and the HTTP & HTTPS traffic would be NAT'ed to a separate internal interface.
Then if each of the internal servers used the corresponding internal NIC on the ASA as its gateway and the fixed IPs that correspond to the external DNS server, then it would effectively only use that gateway out for traffic? Would that work? Does it should route traffic out those pipes correct? Will the ASA support two different next hop routers for the two different interfaces?
View 2 Replies
Feb 20, 2012
I want to set up a proxy server and also to create a group policy on the proxy that will take effect on two OUs of staff and executives (150 plus PCs). On the executives OU I want the GPO to be effective only when they're in the office and not effective when they are outside the office and wish to use their own personal internet modem.
View 1 Replies
Sep 4, 2012
I am working on a task of redirecting any unmatched http traffic to Symantec public transparent proxy through Cisco ASA. For the definition of uncatched http traffic, we have inbound Squid servers for deploying IE proxy pac and redirect the http traffic to Symantec public transparent proxy, however we can't deploy IE proxy pac to mobile devices and non-supported web browsers. Since we have some applications using IE proxy settings for direct http communication with external domains, the current Symantec policy adds those domains to the exception list so that they are not redirected to the Symantec public transparent proxy server.
-For the platform - Cisco ASA 5510 ASA 8.4(4)1
-For the solution, I have the following two nat rules
View 10 Replies
May 28, 2012
I would like to connect devices to my network so that their traffic passes through a proxy running on my computer. I figured the best way to do this is by setting the proxy on my router to the one I am running, but then I would need to have another connection to the computer running the proxy or else there would be an infinite loop ?? something like that. so:
Internet -> router (1) -> my proxy on comp A -> router (2) -> computer B
View 1 Replies
Jul 4, 2012
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
View 4 Replies
Jan 28, 2013
In our datacenter we have a 3750 stack with IP base image. I have enabled PBR and reloaded the switch. Show sdm prefer says I am using the default template. The reason I want to use PBR is that we have 2 firewalls on the same network and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resources across the WAN and locally.
Created access list to identify traffic:
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
Created policy:
route-map TestASA permit 10
match ip address 10
set ip next-hop 10.2.0.3
Assigned policy to the user vlan3:
ip policy route-map TestASA
Results: It changed the default gateway to the above gateway but I could not access any resources on any other VLAN, and could not access resources across the WAN.
View 16 Replies
Sep 18, 2012
The layer 2 switches are connected to the layer 3 switch via trunks, and routing between layer 2 switch ports with configured SVIs on the 3550. All working fine. Now I'm trying to configure routing between the 2800 and 3550. I tried connecting both straight-through and crossover cables to the 2800 Fa0/0 and Fa0/1 ports as well as the switchports on the 3550.
No switchport commands are configured however, the lights do not go on for both straight through or crossover cables. I tried connecting 1750 routers but same result. My goal is to have all the VLANS routed to the internet with configuring NAT translation the router.
View 2 Replies
Nov 7, 2012
I have an ASA 5510, with Ethernet0 connected to the Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independent, but share the Internet connection via the T1 line. On LAN2, I have another router that connects to the Internet via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other router on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
View 7 Replies
Oct 6, 2012
I have mobile users using air cards that connect to the network with a VPN product called Net Motion. Our firewall is a ASA 5510. Once connected to the Net Motion VPN server the user will get a DHCP address from our network. In the past we could not get the VPN tunnel to complete since our layer 3 switch (3750G IP services) has 3 egress points and the egress point that we needed the VPN traffic to go out of is not the default gateway. To solve this we had the air card carrier set switch our air cards to static IP addresses and using route statements for the public IP addresses and access lists we got it to work.
The problem with this is that every new air card we provision needs a static IP address. My question is would policy based routing work in this scenario? The problem has been that the VPN tunnel was not able to complete the negotiation phase as the traffic came into the switch and was trying to go out the default gateway. The VPN client won't get an internal IP address until the VPN tunnel is created.
I would like to get away from using static IP addresses.
View 1 Replies
Dec 5, 2011
How do I configure the new ASA 5505 to be a router as shown in the diagram? Note: the ISPs' routers are placed in the head office, but I cannot change the configurations of the ISPs' routers.
View 9 Replies
Mar 25, 2012
I have an environment where i have two nexus 7010 switches, along with 2 nexus 5510's. I need to run OSPF as a layer 3 routing protocol between the vpc peer links. I have 1 link being used as a keep alive link, and 3 other links being used as a VpC link.
1) Is it best to configure a separate Vpc VLAN i.e 1010
2) Is it best to configure a vrf context keep-alive
3) just have the management address as the peer ip's.
View 2 Replies
Mar 31, 2012
I access the internet from my company's LAN, which has a restrictive firewall, so I cannot request the admin to open any ports manually for me. Hence I use a software called your-freedom. This proxy software supports both http as well as socks 4 and 5 proxy (by entering the proxy IP 127.0.0.1 (localhost) and Port 8080 for http proxy OR 1080 for Socks Proxy), and I have successfully been using web browsers and some other softwares that support proxy/ allow proxy info to be entered to login/ connect to the internet. Your-Freedom also supports port forwarding. However, the softwares I intend to use do not have any options to enter proxy methods or proxy ports (as far as I have noticed). I have tried to proxify these 2 softwares using softwares such as SocksCap and Free Cap, but either they don't work, or my settings in proxifying are not correct. I believe I will have to do port forwarding or proxify the softwares, but have been unable to do so in the correct manner.
Following is the info on the 2 softwares:
1. NOW Trading terminal: Normally when I start the NOW or Zerodha software, the software starts and I get a login screen, but under firewall conditions, I get the initial Splash screen but then the software stops with the error: NOW Initialisation failed for Interactive Engine << os error>>.
2. PowerIndia Bulls: The software is written in Java and starts with a batch file (PowerIndiabulls.bat) located in C:UsersDEFAULT_USERNAMEAppD..... I converted this batch file to .exe (with battoexe software) and then ran it through a proxifying software. The .exe starts properly without proxifying software but not under proxifying environment. Basically the software needs to connect to the internet using Port 443. I am also expected to keep ports 443, 41599 and 59598 open. Software's requirement is available at Indiabulls Securities: Indiabulls Securities is a leading capital market company offering securities broking and advisory services, depository services, equity research services to its clients in India. (item no. 5). To confirm, while the software is unable to connect through port 443, you will get an error message: "Connection to Login Server could not be established" when you try to login with any random Username and Password. To know that the software is able to connect properly, you will get an error: "This User ID is not enabled to be used with this product".
View 1 Replies
Jan 9, 2013
I tried to configure DNS on a Cisco 800. It worked, but after 24 hours the command ip domain-lookup changed to disabled, and it stopped working.
I don't understand why it happens.
That's the configuration:
ip domain name XXXXXX.CC.CC
ip host XXX-RR-FF.com 2.2.2.2
ip name-server 1.1.1.1
[Code]....
View 1 Replies
Jun 21, 2012
If I have an ASA 5520 with an INSIDE interface, a DMZ interface and a WAN interface, what would be the best way to configure NAT? If I configure nat-control and a nat (inside) 1 0.0.0.0 0.0.0.0 this will configure everything to be NAT'd when passing from the INSIDE interface out. My question is what about the devices I want to access in the DMZ from the inside for management etc? I'm guessing the ASA isn't smart enough to realise you're accessing hosts in its DMZ interface, so do you have to configure a nat 0 rule for every subnet within the DMZ you want to access or is there an easier way to do it? It's worth noting that the same devices will be accessing the OUTSIDE network and the DMZ network from the INSIDE network.
View 6 Replies
Dec 2, 2012
I have a customer who is on the 192.168.254.x subnet and is using a Cisco 881 as their gateway.
They wish to create a second VLAN for the 192.168.253.x subnet.
The Cisco has Dialer0 configured for an ADSL connection.
I have partly configured the router but need some info regarding routing a device on the 192.168.253.x subnet to the internet.
configure routing to the internet on the new VLAN and assist in setting up a DHCP server on that vlan. I have attached a copy of the current config.
View 6 Replies
Nov 23, 2011
I configured following command to implement QoS on Cisco 3560.
class-map match-any IND
match access-group name Lync
policy-map LyncAV
class IND
set ip precedence 4
[code]....
how to apply this QoS on interface?
View 3 Replies
Dec 22, 2012
I notice that NAT is not possible Cisco Catalyst 4500e series. Is there any other ways to configure NAT? Currently we have 2x Catalyst 6509 and we're migrating to the 4510e and there's NAT in the 6509s. I was thinking of re-using the 6509s and connect to the 2 new 4510e in a meshed trunking layout with MST (Layer 2) and OSPF/EIGRP (Layer 3) protocols turned on.
View 1 Replies
Mar 10, 2012
I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between LAN and the internet connection.
My Configuration:
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled(code)
View 28 Replies
Aug 2, 2012
I've been trying to configure a connection which requires NAT translation but my devices are too old and it seems that the configurations I tried don't work or I don't know how to implement them properly. Firstly, I will introduce my router to you: it is a Cisco C3640-JS-M Version 12.2(1), so I found many ways to solve my problem, but none of them are supported by it.
To continue, the connection I am trying to configure is the following one:
10.1.1.0/24(My LAN) --- (My ROUTER) --- 192.168.9.1/25 <-----> 192.168.9.126/25 --- (OTHER ROUTER) --- 172.22.1.0/24 (Their LAN)
So one host from 172.22.1.0/24 needs to connect to a server in my LAN (10.1.1.20) but they can't use the real IP and we need to configure a NAT rule to translate traffic from them to 192.168.6.10 to 10.1.1.20, but only for this connection (there are other "WAN" interfaces).
These are my failed attempts:
interface FastEthernet0/0.302
ip nat outside
ip nat inside source static 10.1.1.20 192.168.9.10
PROBLEM: Works for this connection, but other connections are affected and no one can reach 10.1.1.20 apart from LAN and incoming traffic to F0/0.302
[code]....
But as I said before, some configurations are not supported by my device.
View 11 Replies
Oct 26, 2011
How to configure a nexus 5K?
View 3 Replies
Mar 22, 2012
I believe I have the steps done at the IOS to config the WAN port for SSH, but I still can't connect to it. I have "logging console 7" on so I am able to see that the router is dropping my TCP session requests. I figure this is just the built-in zone-based firewall at work.
Is there a very straightforward process, via the IOS, to allow SSH inbound on the WAN port? I'm not very familiar with the IOS other than basics so while I know how to do things like "transport input ssh" and "login local" and such on the vty 0 4 line, I have no idea whatsoever on what I should do with the firewall stuff. I believe the WAN interface is already a member of the outside zone though so I imagine one just has to somehow include ssh (preferably on a non-standard port) in the exceptions on the firewall somehow.
I have been poking around for a step-by-step IOS guide for this but only find info on configuring SSH itself but not how to open the firewall to allow the connection for it through.
View 11 Replies