Cisco VPN :: 5510 External IP Address Not Controlled
Aug 19, 2012
We have a strange issue for one of our customers that recently migrated to our internet service. They are trying to VPN to an external IP address not controlled by ourselves. The issue is only on one subnet and isolated to Macs; PCs in the same subnet work fine. They were able to VPN from the Macs before they migrated to our INET solution. They previously used a Checkpoint FW for their outside NAT and firewall and are now using a failover pair of ASA 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination IPs from the correct subnets. All other subnets with Windows PCs can VPN out to the external IP without issue. The users in that subnet with the Macs can also browse the internet fine, so the routing and NAT overloading is also OK.
When they try to initiate a connection from the Macs I can see the connection/xlate coming in from a source port of UDP 4500/500 and also a destination of UDP 4500/500 instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other Macs using the same source ports at the same time to connect out? They are using the onboard Mac VPN client; he can't get the Cisco one working at the minute.
View 1 Replies
Jul 8, 2012
I have an old ASA 5505, and I'm having some trouble with NAT hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address, so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (all numbers are arbitrary here, only for illustration). I have an Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well, so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why. When I started here, there was an address configured to work this way, and it still works; I just cannot find what is different between what I am doing and what the person who configured it did.
View 7 Replies
Aug 4, 2012
We have 2 DHCP controlled networks at our work:
Network 1: Transparent EOC connection to Internet. Directly behind the EOC box is a router using a static (WAN) address provided from our ISP. Internally, the router uses DHCP (LAN) to manage a 192.168.1.x network. All computers on this network are using 192.168.1.x addresses via DHCP from that router (rather, they should be). We use this for Internet access, office computers, a POS server and our POS systems. Mostly Windows XP and some Win 7 systems. Server is Windows 2008 Server, but is not controlling DHCP nor a domain. It's just a Win 2008 computer on the network running as a "virtual box" on a VMware-based server.
Network 2: Comes in on a separate DSL line. This DSL modem is set up as a bridge. The router behind the bridge is using a static IP block (8 static IP addresses, 5 usable) from our ISP. Internally, this router uses DHCP (LAN) to manage a 175.69.10.x network (or some address similar to that). All machines on this network are using 175.69.10.x addresses via DHCP from the 2nd router. There is external VPN access to this network via one of the static IP addresses. This is routed correctly. This is primarily a Linux network controlling several Linux-based machines. So, someone decided to "bridge" these two networks by simply plugging each network into the same central switch via Cat 5 cable.
The first problem we had (of course) was that the DHCP servers conflicted immediately, so we had to set half of this "mongrel" network to static IPs like 192.168.1.x, and the other computers are getting their addresses via DHCP from the 176.68.1.x network router. The second router keeps "resetting" the network, causing IP address problems on the first network, screwing up our POS system in the process. But we still need to access the Linux machines on network 2 (via HTTP) from the machines on network 1. The goal is to be able to be sitting at machine 192.168.1.x on one network, open a web browser, type in a 175.69.10.x address on the other network and have the Linux web-based application come up from the machine on the second network. (We may need more services bridged besides just HTTP.) Putting both networks on the EOC connection controlled by a single router is NOT an option.
View 3 Replies
Jan 30, 2012
In the Power Schedule section, when I input my desired date and time to turn a socket on and off, the settings do not stay. It reverts back to the preset date from the manufacturer after I submit.
View 1 Replies
Dec 23, 2012
I have an ASA 5510. My ISP provides me with 2 separate public networks. One is routable from the outside world and one is not (and is used as a gateway for THAT routable network).
Assume that the non-routable network is a.a.a.a and the routable one is b.b.b.b, so we have 2 interfaces on the ASA: a.a.a.1 and b.b.b.1. Physically, network b.b.b.b is behind network a.a.a.a; one cable comes to me and is plugged into the ASA. As I said, all traffic from/to the external (routable) network is going through network a.a.a.a (and a default gateway at the ISP). So the problem: for my international partners I need to provide VPN. The traffic flow is the following: for example, a client with public IP 1.1.1.1 using the Cisco VPN client tries to connect to b.b.b.1. The packet arrives at interface a.a.a.1 and... is discarded:
7 Dec 24 2012 11:09:47 710005 1.1.1.1 62548 b.b.b.1 10000 TCP request discarded from 1.1.1.1/62548 to internet:b.b.b.1/10000
I assume that the ASA discards the packet BECAUSE IT COMES FROM THE WRONG interface. Am I right? I also tried to set up a bypass policy, but with no effect.
View 2 Replies
May 2, 2012
I keep struggling with Cisco ASA. How can I make a certain NAT (RDP, SSL or whatever) and secure it by allowing just one external client with a fixed internet IP to make use of this NAT?
View 3 Replies
Aug 4, 2012
We have 2 DHCP controlled networks at our work:
Network 1: EOC connection. We use this for Internet access, office computers, a POS server and our POS systems. Mostly Windows XP and some Win 7 systems. Server is Windows 2008 Server, but is not controlling DHCP nor a domain. It's just a computer on the network. Directly behind the EOC box is a router using DHCP to manage a 192.168.1.x network. All computers on this network are using 192.168.1.x addresses via DHCP.
Network 2: Comes in on a separate DSL line. Primarily a Linux network controlling several Linux-based machines. This network has its own router behind the DSL modem managing DHCP using 175.69.1.x (or something close to that) addresses.
Someone decided to "bridge" these networks by simply plugging each network into the same switch via Cat 5 cable. Bad idea.
The first problem we had (of course) was that the DHCP servers conflicted immediately, so we had to set half of this "mongrel" network to static IPs like 192.168.1.x, and the other computers are getting their addresses via DHCP from the 176.68.1.x network router.
This works, badly. The second router keeps "resetting" the server address on network 1, screwing up our POS systems. But we still need to access the Linux machines on network 2 (via HTTP) from the office machines on network 1.
I am thinking the solution to this issue is to place a 3rd router as a bridge between the two networks. Is this correct?
The goal is to be able to be sitting at machine 192.168.1.x on one network, open a web browser, type in a 176.67.1.x address and have the Linux web-based application come up from the other network.
View 1 Replies
May 23, 2012
My IP address has always been external. About 2 years ago, after reinstalling my Windows (I am using Windows 7 and used it before reinstalling), my IP address started to work as if it weren't external. I couldn't host servers and stuff like that anymore. I tried turning off the firewall and a few other tricks, but nothing changed. When I look up information about my IP address, most of the sites see it as external. Also, when I call my internet providers, they tell me that they see my address as external.
Some details:
- Internet is provided by a cable (not using telephone, TV or something else from those internet dealers)
- I am alone using this internet, no one else is connected to it.
View 4 Replies
Jul 26, 2011
I use an online software host. They put print jobs into a queue and send them directly to my printer. I just got a new printer. The software host needs its "External IP address"; I have my internal IP address. I pinged the printer and got my internal IP address instead of the printer's. I am on a home wired network running through a modem and router.
View 2 Replies
Dec 20, 2010
Our head office has two 4402 wireless controllers and 16 AIR-LAP 1142 access points in the office. We've just bought an AP541 for one of the regional offices. What I want to know is: can I integrate the AP541 into the wireless network with the 4402 so I can administer it from a central site and so the wireless users will be active at the regional site connected to the WAN?
View 1 Replies
May 15, 2012
Although I am quite used to using the WLC 4402 and the attached APs, I have no knowledge about licensing and I'm wondering if it has a limited number of APs that can be controlled by the WLC? I'm not planning on adding 1000s, but at the moment we have 21 and will probably be adding an additional 30 in the near future.
View 1 Replies
Nov 26, 2012
My company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router on which I plan on doing a route-map to handle which ISP traffic should go to based on IP. My big concern is the ASA 5510. Can I set up a second outside interface on the new IP range? Then migrate my VPN tunnels over one by one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.
View 3 Replies
Oct 21, 2012
I have two ASA 5510s in an active-standby cluster, not that I think the fact that they are clustered will be of any importance here, so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASAs. I have two subnets with public addresses; for simplicity let's call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASAs? I'm currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use addresses from the second subnet, won't that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything; I'm just trying to plan ahead and I can't seem to wrap my head around how this could possibly be done.
View 5 Replies
Sep 18, 2012
I have an ASA 5510 (ASA 8.0(4), ASDM 6.1(3)). I have 2 internet connections (only 1 is currently active). Currently all internet and VPN traffic goes over 1 interface. What I want is to move general internet onto the new internet connection but keep VPN traffic on the old internet connection. I can get the internet working, but as soon as I do the VPNs go down. VPNs are site-to-site VPNs.
View 4 Replies
Oct 20, 2010
Basically we have different customers using the same 5510 firewall. We have created one sub-interface for every customer on the inside interface. There are different NAT rules for every customer, all using the same block of public IP addresses on the outside interface. They do not have access to each other's network, so I cannot make any exemption rules between two sub-interfaces. The problem for all our customers is that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A workaround is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub-interfaces for security reasons.
View 8 Replies
Nov 18, 2012
We have a Router with one External IP and a couple of VLANs. We have got a Teleconferencing Unit that needs almost every port known to man to work, so we decided to get the unit its own External IP.
We have the IP now; how do I get it into the router and then also use it only for the Video unit (from outside straight through to Video)?
I'm comfortable adding lines to the router but just don't know what the lines should be.
The new IPs purchased are 116.199.222.200/30 (only need to use one address, let's say 116.199.222.200). No idea what the subnet mask should be...
The router config below, stripped of irrelevant stuff:
interface FastEthernet0
no ip address
!
interface FastEthernet1
[Code]......
View 11 Replies
Oct 11, 2011
What's the difference between DNS Server and External IP Address? When I dump ipconfig /all into a .txt file I see that it shows three separate values for the DNS Server. My question is, since ipconfig /all does not give an external IP address, are they the same? Why are there three?
View 2 Replies
Oct 12, 2011
We once had a virtual server with two network adapters, one was internal and the other was external, and people could access it directly from the internet.
That server recently died (someone put the .VHD file on a massive RAID 0 array, and that went boom), and I need to set it back up again. All the DNS entries appear to still be there, but how do I assign the external IP to the network adapter? I tried Google, but my Google-fu must be weak today as I can't find anything useful.
It's a Server 2008 R2 machine running inside Hyper-V. Nothing's changed except for the new Windows install, it's running with the exact same VM settings, which I didn't touch except to add a new VHD.
View 5 Replies
May 22, 2012
I have a client that has 2 servers behind the same router. They have an IP block from Time Warner (x.x.x.18-.30). The router has the IP address x.x.x.18. Server A (192.168.1.6) is set up with forwarding of ports 22, 23, and 115 and can be seen with the IP address x.x.x.18. An external company needs to access the other server and is requesting an external IP for Server B (192.168.1.5), which needs the same ports open along with 6200. What is the best way to set this up with what they have? The router is a Linksys WRT54G. Is there a way to set them up with an x.x.x.19 address from Time Warner? Is this something Time Warner will need to do?
View 4 Replies
Mar 3, 2011
I have a home desktop, home laptop, and work laptop that I use. I have UltraVNC set up on my work laptop that allows me to remote into that machine when I am traveling for work. I have always been able to use the external IP address (not private) to log into the machine with no problem. This week, for some reason, I can no longer do that. When I started doing some discovery, I noticed that when I have all 3 machines booted up at home, the exact same external IP address is assigned to all 3 machines. The internal IP addresses are all different as they should be. Shouldn't each machine have a separate external IP address assigned as well? Or is this working the way it should? I didn't change any setting on my router or DSL modem. But I think the conflict that VNC is having on my work laptop is that it has the exact same IP as the destination computer and it fails. I can remote in if I use the private IP address (192.168.x.x) just fine.
View 1 Replies
May 6, 2013
I've set up a remote access group for AnyConnect on a 5510 running 8.4.5. Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like Google or something). How do I get this to work? I'm assuming I need to do a NAT exemption, but I'm not sure how this would look, especially under 8.4.5.
View 1 Replies
Apr 5, 2011
I've one ASA 5510 appliance, v8.x and ASDM 6.x. Here you have my configuration:
interface Ethernet0/0
 description Link To WAN
 nameif outside
 security-level 0
 ip address 212.96.23.186 255.255.255.252
!
interface Ethernet0/1
 description Link to LAN(forefront)
 nameif inside
 security-level 100
 ip address 10.20.80.1 255.255.255.252
!
interface Ethernet0/2
 description Link to CoreSW (DMZ)
 nameif DMZ
 security-level 50
 ip address 10.70.70.254 255.255.255.0
I have an SSH server (10.70.70.10) in my DMZ.
I want to enable my external users, I mean outside users, to be able to access this server in my DMZ on this port (SSH).
View 4 Replies
Oct 13, 2011
How do I tell my firewall to also start listening on another outside IP address assigned by my ISP? I have it in use on another firewall right now. So my steps would be: shut down the IP address assignment on the old firewall interface, assign that IP address to the ASA 5510 outside interface and configure NAT.
View 13 Replies
Sep 25, 2012
I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up DNS doctoring for DNS lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external IP of another internal server. Where do I look in ASDM 6.4?
View 2 Replies
Oct 18, 2012
Due to special circumstances we have 2 ISP links on an ASA 5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP link, e.g. below:
LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer 1.1.1.1
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer 3.3.3.3
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1
crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establishing the VPN tunnels in either direction when using ISP_1 works fine, establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2:
1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on the 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3.
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly to either return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient licenses etc...
View 4 Replies
May 13, 2010
I have the following setup:
R--H1
|
F
|
H2
R: 3840
F: ASA 5510
H: Hosts 1 and 2
I am trying to get SNMP info from the router to H2, but snmpwalk errors with no response from the router. I can get info from H1, and neither interface on the router is preventing SNMP traffic from coming or going. Is there something that needs to be configured to allow SNMP traffic (originating from INSIDE) to reply? (Also note that there are no Inspect Maps blocking, and SNMP versions are the same.)
View 4 Replies
Feb 20, 2012
I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com. I want my users INSIDE the company to be able to also get to url...; currently they cannot (nothing loads; looks to me as if the firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine, so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to the internal IP, but something is blocking this from the inside.
I have an ASA 5510. If you can just send me on the right path with theory I'll figure it out on my own; I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.
View 10 Replies
Oct 28, 2012
Our company uses a commercial copier monitoring package called FMAudit to obtain meter readings from our clients' copiers, and it uses a feed to send the readings back to us. We have used port 90 for this purpose. Due to a recent server crash and emergency reconfiguration of our network, we have moved our FMAudit central server from in-house to a hosted service, with of course a different external IP address.
Without interfering with our other systems, is there a way to redirect JUST PORT 90 to another IP address external to our own? I don't care if it has to happen at the router or server level. We are using Server 2003 and a Cisco 887VAW.
View 2 Replies
Sep 15, 2011
The problem is that the PABX is sending out an internal address in its INVITE messages and the ASA 5505 isn't changing the internal address to the external address. We need: From: Calling Number <SIP: SIP Username@Public IP Address>. However our PABX sends out: From: Calling Number <SIP: SIP Username@Private IP Address>. How do I translate the internal IP address to the external IP address on an ASA 5505?
View 1 Replies
Sep 17, 2012
Accessing an external address internally.
I have a mail server with external access, which works fine for external access through our router (a 1941). I have a laptop which connects to a wireless network that is inside our router. When attempting to navigate to the webmail or use Outlook, it cannot connect.
The laptop is configured to access the mail through the external path as it would be offsite occasionally.
I think the problem seems to be that the traffic is not leaving the router to come back internally. The laptop can ping the external address OK.
I read about something called hairpinning; is this what I need to be looking at?
View 3 Replies
Mar 13, 2013
We have an ASA 5505 and are changing ISPs, so we'll be getting a new static IP address. How do I change the external IP address using ASDM? (I haven't done it in 5 years so I'm rusty and just want to make sure.) The ASA and ASDM are up to date. Am I correct in that I only need to change the external address in the configuration under Interfaces, then under Routing - Static Routes - Gateway IP I just need to enter the new WAN gateway address?
View 2 Replies
Aug 24, 2011
We have a new Cisco ASA 5550 that I am trying to configure. We are currently using a Borderware firewall.
We have multiple external IP addresses and I can NAT traffic from all except for our external interface IP address.
When watching the packets in the ASDM monitor, if the IP address is our external IP then I see nothing unless it is ICMP. I can ping the IP address, I just cannot do anything else with it.
All the rest of our provided IP addresses can be NATed and work correctly.
Traffic for our external interface IP does show up when we use the Borderware firewall, so we know the traffic is getting here.
View 6 Replies