Cisco VPN :: 5510 Summary Address In ACL Rather Than Having Five Lines

Jan 4, 2012

I have set up a site to site VPN with an ASA 5510 (8.4) and a Cisco 2811. The tunnel is working fine, however both sites have 5 different contiguous networks. The crypto ACL between sites states only one subnet. Is it possible to state a summary address in an ACL rather than having five lines for the ACL? The tunnel works when the router uses an ACL of 10.2.200.0 0.0.7.255, however if a summary address of all the subnets on the inside network of the ASA is stated in an ACL - 10.1.200.0 255.255.248.0 - then the tunnel does not come up. Is it possible to state a summary address on a crypto ACL on the ASA?




Cisco Firewall :: Does ASA 5510 Support No Auto-summary And CIDR

Sep 19, 2011

if I can do the following deployment using a Cisco ASA5510 security plus.
 
At this moment I have two interfaces in use one (outside) with the IP: 172.16.21.254/24 and the other (inside) with the IP: 192.168.4.1/24. Now the customer needs to connect another network that works with the IP segment: 192.168.0.0/22.
 
The IP segment 192.168.0.0/22 goes from 192.168.0.1 to 192.168.3.254, which means that there is no overlap with the network segment 192.168.4.0/24. My question is: If I configure another interface in the ASA that works in the segment 192.168.0.0/22, will the routing table auto-summarize the network and merge it with the network 192.168.4.0, or will it leave the networks apart?
 
I don't use dynamic routing protocols, but I cannot make the changes if I have doubts because the network 192.168.0.0/22 is the network for the Factory Automation Systems.


Cisco :: BGP Aggregate-address Versus Static Summary Route

Sep 16, 2012

I have a layer 3 switch with a bunch of SVIs all in the 192.168.x.0/24 range. I just want to advertise a 192.168.0.0/16 summary to the BGP neighbors. I can do this either by:

1) Redistributing connected into BGP and then using the 'aggregate-address' command to advertise the summary.

2) Specifying a network statement in the BGP config for every single SVI, then using the 'aggregate-address' command.

3) Create a static route to null0 (ip route 192.168.0.0 255.255.0.0 null0) and put 'network 192.168.0.0 mask 255.255.0.0' command in the BGP config.

All three fulfill the same purpose of summarizing all the SVIs, but creating the static route is much cleaner in this case. It seems like the aggregate-address command is mostly intended for routers that are aggregating connections coming from other routers and all of them share a common prefix.


Cisco Firewall :: Dual DSL Lines For 5510?

Jun 13, 2011

My remote office staff are stating it takes "forever" to open simple work/excel files. I think forever really means more than 5 seconds. My main office has a 5510. I have a brand new server in place here that my remote offices vpn into.
Those remote offices have 5505.
 
Each office has a dsl connection. Their download speeds range from 7mb to 10 mb and their upload speeds are 0.5 mb to 0.8 mb. My first thought was to add a second dsl line to my main office. Then have dsl line #1 serve my main office and office 2. Then have dsl line #2 serve offices 3, 4 and 5.
 
Would this speed up the opening speeds of my remote offices? If so, how challenging is adding the second dsl line into my 5510?


Cisco :: Inter-Area OSPF Summary?

Feb 26, 2013

When you configure an ABR to inject a summary route into an area, what are the circumstances under which the ABR will inject the summary? I.e., since it's not a set of specific subnets learned directly from other OSPF routers, does the summary get injected regardless of what's in the routing table of the ABR?

I would imagine this could cause problems in a situation where there is an ABR injecting a large summary into an NSSA that also has a backup path over the Internet (IPsec tunnel or something). For example, if the area 0 routers from which the ABR receives routes went down, the ABR would continue to inject the summary route into the NSSA thus tricking those routers into sending traffic to the ABR rather than over the backup link.

I can't imagine any other way an ABR would decide when it's suitable to inject the summary though.


Cisco :: When See Etherchannel Summary They Do Not Show Up As Layer 3?

Apr 15, 2012

I have two MLS connected by 2 fast ethernet links f0/11 and f0/12 on both sides. I am trying to set up a layer 3 etherchannel using these two links. But when I see etherchannel summary, they don't show up as layer 3. Instead they show as layer 2.


Cisco :: LMS 3.1 Unable To Generate BUG Summary Report In RME

Dec 12, 2011

I am unable to generate bug summary report in RME. Even I can not generate PSIRT report as well. LMS always gives error "incorrect cisco.com credential. enter correct credential". I have checked my credentials are correct. It gives me error no BTKT:0014. I am using LMS 3.1, attaching snapshot of my patch level and application version running on LMS.


Cisco WAN :: 7200 - IP Static Route Summary?

Mar 12, 2013

In my Lab environment in GNS I have connected two 7200 series routers through fastethernet. On router A I have given IP address 192.168.10.54 and on router B I have given IP address 192.168.10.53 and default route as 0.0.0.0 0.0.0.0 192.168.10.53, and when I run the command on router A it shows result as follows: "C  192.168.10.52/24 is directly connected ,Fast ethernet 2/0".
 
So I need to know why it's showing the result of .52 at last, why not .53 or .54 at last. What is the reason it's showing .52, which I have not mentioned in my IP address?


Cisco :: 5508 WLC / Show Net User Summary Output

Dec 2, 2012

I have a 5508 WLC running on 7.0.116, I need to be able to pull all configured users off the WLC and import into excel, I have 900 odd users configured. When I run a show net user summary it only displays a third of users. I'm hitting space to tab through each page, then eventually I just get dumped back to the command prompt.


Cisco WAN :: Nexus 7K Ospf Summary Router Distribute

Feb 28, 2012

I have a Nexus 7K router that has 2 ospf processes, ospf 1 and ospf 2. OSPF1 has several subnets in the 10.1.0.0/16 subnet range, OSPF2 has several subnets in the 10.2.0.0/16 subnet range. I want to summarize OSPF 1 subnets to 10.1.0.0/16 then redistribute to OSPF2, but it doesn't work. [code]


Cisco :: Bug Summary Report / RME 4.3.2 - HTTP Status 500 Error

Dec 14, 2011

I am trying to generate bug summary report from RME but once the job completes I can not see/view the report. Whenever I am trying to click on view under job result to see reports I get an apache/http error. Snapshot is attached for reference.
 
I am running LMS 3.2.1 and RME 4.3.2. I struggled a lot to reach this stage where I can see reports are getting generated for PSIRT and bug summary, but I can not see the report for Bugs though I can see the PSIRT report.


Cisco WAN :: Show Etherchannel Summary Equivalent For 10008?

Dec 19, 2012

Any equivalent command of show etherchannel summary for a 10008 router running 12.2(33)SB9?


Cisco Wireless :: 5508 - OID For Access Point Summary / All APs

Feb 19, 2012

What is the OID for the count of the APs connected (and Status UP) to a WLC 5508?


Cisco :: Out-Of-Sync Summary Exclude Commands Not Applied In LMS 4.0?

Oct 4, 2011

In earlier versions of LMS it was possible to choose i.e. the Routers category (top level) and enter a series of commands to be excluded from the comparison. In LMS 4.0.1 I experience, in several different installations, that this is not possible. It seems I can enter one exclude command beyond the defaults per category, the rest is not applied even though the feedback from the application is positive. Next time I access the Exclude Commands view, the commands I entered are gone. Is this a change of behaviour or a bug?


Cisco WAN :: 3900 Router Is Not Taking No Auto Summary Command

May 9, 2013

My Cisco 3900 router is not taking the no auto summary command?


Cisco Switching/Routing :: Nexus 7000 Redistribute Ospf Summary Subnet?

Mar 11, 2012

I have a Nexus 7K router that has 2 ospf processes, ospf 1 and ospf 2. OSPF1 has several subnets in the 10.1.0.0/16 subnet range, OSPF2 has several subnets in the 10.2.0.0/16 subnet range. I want to summarize OSPF 1 subnets to 10.1.0.0/16 then redistribute to OSPF2, but OSPF 2 didn't receive 10.1.0.0/16. Below is the config
 
ip prefix-list all seq 10 permit 0.0.0.0/0 le 32
route-map all permit 10
  match ip address prefix-list all
router ospf 1
  router-id 10.10.3.9

[code]....


Cisco Switching/Routing :: Equivalent Command To Show Int Summary On The Nexus 7000?

Nov 20, 2011

tell me if there is an equivalent command to Show int Summary on the Nexus 7000?
 
eg
MYCISCOSW01#show int summary
 *: interface is up
 IHQ: pkts in input hold queue     IQD: pkts dropped from input queue
 OHQ: pkts in output hold queue    OQD: pkts dropped from output queue
 RXBS: rx rate (bits/sec)          RXPS: rx rate (pkts/sec)
 TXBS: tx rate (bits/sec)          TXPS: tx rate (pkts/sec)
 TRTL: throttle count

[code]....
 
I find it a useful command on the 6500 to spot high traffic flows.


Cisco WAN :: Asa 5510 With Private Ip Address On Wan

Feb 8, 2012

I recently got a high speed link for my company to replace the old frame relay. The internet service provider gave me a non routable range to set on my asa like this: [code] Then the ISP told me my public ip wan range was x4.23.209.166/29. I made this kind of configuration work when I put a cisco router in before the cisco asa like this: [code] Is it possible to make this work on cisco asa 5510 without putting a router in front? If it works, can problems happen establishing vpn from the outside interface having a private ip?


Cisco VPN :: ASA 5510 - NAT Destination Address Through VPN?

Feb 25, 2012

I am trying to perform destination NAT through a VPN tunnel. My scenario: traffic coming from 172.29.11.135 needs to connect to address 192.168.1.1. From the source device, traffic will have a source IP address of 172.29.11.135; destination will be 172.30.14.1. Traffic will hit the asa 5510 and the traffic source will stay as 172.29.11.135 but the destination needs to change to 192.168.1.1.
 
I have tried the different types of NAT but been unsuccessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
 
example config
access-list FROM_INTERNET extended permit esp any any
access-list FROM_INTERNET extended permit ah any any
access-list FROM_INTERNET extended permit gre any any
access-list FROM_INSIDE extended permit ip host 172.29.11.135 host 172.30.14.1
access-list VPN-TUNNEL extended permit ip host 172.29.11.135 host 192.168.1.1
 
**I have left other config statements off as the NAT config used previous has not worked and the VPN tunnel does build when using NAT exempt.

**All ACLs have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static route for the VPN traffic, allowing the default static to perform that function.


Cisco VPN :: 5510 External IP Address Not Controlled

Aug 19, 2012

We have a strange issue for one of our customers that recently migrated to our internet service. They are trying to vpn to an external ip address not controlled by ourselves. The issue is only on one subnet and isolated to Macs; PCs in the same subnet also work fine. They were able to vpn from the Macs before they migrated to our INET solution. They previously used a checkpoint FW for their outside NAT and firewall and now are using a failover pair of asa 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination ips from the correct subnets. All other subnets with Windows PCs can vpn out to external ip without issue. The users in that subnet with the Macs can also browse internet fine so the routing and nat overloading is also ok.
 
When they try to initiate a connection from the Macs I can see the connection/xlate coming in from a source port of udp 4500/500 and also a destination of udp 4500/500 instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other Macs using the same source ports at the same time to connect out? They are using the onboard Mac vpn client, he can’t get the Cisco one working at the minute. [code]


Cisco Firewall :: ASA 5510 - Single Address NAT From VPN

Jan 17, 2012

We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.
 
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
 
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
 
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network and the packets are flowing just fine, except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
 
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
 
For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.
 
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentially, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.
 
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.


Cisco Firewall :: How To Filter By MAC Address With ASA 5510

Mar 3, 2013

I am using an ASA 5510 firewall in routed mode. How can I filter incoming traffic by mac address on the ASA 5510? I have already set up a static access rule for rdp users on the outside to access a terminal server on the inside. Now, I would like to further limit access from specific computers only.


Ethernet Power Lines For Ps3?

Nov 22, 2011

Today I was playing the ps3 (call of duty MW3)... normally I would connect via wireless but I'm getting a ton of lag and it's becoming frustrating. Later on I moved the ps3 downstairs and connected it via Ethernet and it worked so good. I want to look into buying those Ethernet power lines but not sure how good they are compared to running an Ethernet cable from the ps3 to the router or how good they will be vs wireless? I just don't want to waste money on these. If all else fails we will probs run an Ethernet cable through the ceiling.


Cisco Firewall :: ASA 5510 Server's NAT Address Not Changing

Nov 16, 2011

I added a new server and created a new static NAT assignment on the ASA 5510 to the server's IP. When I browse to the web to check what public IP it's reporting, it shows the wrong IP. I disabled the network interface on the server, ran "clear xslate", reenabled the network interface, ran "sho xlate" and while the correct translation was in the table, the server still reported the wrong IP address. I even ran a packet trace and it showed the IP address being correctly translated to the proper public IP, but when I browse to the web I get the same erroneous public IP. [code]


Cisco VPN :: 5510 - Multiple L2L Ipsec To Same Destination (ip Address)

Jan 23, 2012

I'm looking to establish multiple L2L ipsec tunnels (one tunnel for each subnet) from my cisco asa 5510 to the same destination. Should the cisco asa be capable of this?


Cisco VPN :: 5510 Unable To Resolve Server Address

Mar 27, 2011

I am using the Cisco VPN Client 5.0.06.0160 - and am having an issue connecting to my ASA 5510 via VPN.  This issue is happening on 1 of our laptops.  All other laptops connect just fine.  So the problem is not in the ASA.  I have double checked the client setup and config and it too is correct.  The interesting thing is, we are connecting to an IP Address and not a host name.


Cisco VPN :: 5510 Remote Vpn Users Having Address From Pool 2

Apr 5, 2011

Can I have 2 pools each with a different subnet [code] I want to put a restriction on remote vpn users having an address from pool-2, and just give them access to 172.16.10.0/24. Is it possible on the asa 5510?


Cisco Firewall :: Add IP Address For SMTP Services ASA 5510

Nov 28, 2012

We have a hosted spam filter service with a 3rd party vendor. My vendor is switching to a different spam filtering service and I need to add an ip address, let's say 44.33.454.32, to the list of allowed systems that can connect to my smtp service. I am going over my firewall 5510 configs and I think I need to add the entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]


Cisco VPN :: Remote Access Address Pool ASA 5510

Mar 17, 2013

Is the following syntax correct in removing a remote access vpn address pool and inserting a new one on an ASA5510?
 
(config)# NO ip local pool BWCVPN 192.168.200.1-192.168.200.128
(config)# ip local pool BWCVPN 192.168.300.1-192.168.300.128
(confif)# tunnel-group BWCVPN ciscovpn general-attributes
(config-general)# address-pool BWCVPN


Cisco Firewall :: 5510 - Hosts Losing IP Address

Dec 10, 2012

I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after I made the changeover to the ASA, hosts started losing their IP address. This was not a problem before on my old firewall that also had the role of DHCP.
 
Is it possible that something is wrongly set on the asa? All traffic is flowing normally when this does not happen.
 
Information:
     Lease length: 172800
     address pool: 134 addresses
     hosts: around 45 + mobile units 45


Cisco WAN :: 1841 / Low Throughput Using MLP Bonding Across DSL Lines

Jul 19, 2010

We are bonding two LLU DSL lines using MLP. Our LLU provider supports MLP bonding and we have a few other customers working well on Cisco 1841s, although not such high sync speed lines as this problem site.
 
So the lines work well with no interface errors and sync speeds are very good and evenly matched between the two lines (approx 14Mbps downstream). It's all good - it's great in fact except that it just doesn't work properly! By that I mean we're not seeing the downstream throughput we'd expect. We actually get the downstream throughput of less than a single DSL line, so about 12Mbps. Upstream bonded throughput is fine and in line with the sync speeds.
 
Both circuits are 'active' in the PPP multilink bundle and I see 3 sessions on our core LNS Cisco 7301 (c7301-boot-mz.124-2.T.bin) - i.e. 2x circuits + 1x bundle. We've checked the circuits individually and 'actual' throughput (using NetPerf software) is similar for both lines and in line with the sync speeds.
 
We are seeing quite high CPU (50%) on the Cisco 1841 (c1841-ipbasek9-mz.124-24.T1.bin) at the customer premises, but having tested a Cisco 2951 on the customer premises with two new HWIC-1ADSL-M cards, this is not the cause. The 2951 ran at 5% CPU whilst we experienced the same problem.
 
We've checked the setup of both Cisco CPE and LNS with our LLU provider and they are happy with the MLP config. They themselves have been able to bond two similarly sync'd Annex-M DSL lines and get 25Mbps throughput on a 1841.


Cisco WAN :: 3725 - Bonding 5 ADSL Lines

Aug 14, 2012

I work for an ISP and we are currently bonding 5x 6Mb ADSL connections for use as a wireless backhaul. We are currently using a Cisco 3725 and bonding the links via MLPPP. This setup is working fine except that we are not getting the full 30Mb on the download side. We are seeing more like 18 to 20. I am wondering if we can achieve the full speed with our current setup or will we need something different to get the job done.


Cisco Firewall :: ASA 5510 Address Translation Through Internal Network

Jan 19, 2013

Is it possible to perform static NATs through an internal network? I have an ASA 5510 with a public outside interface (let’s call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900m with that interface being configured with a 192.168.1.1 (no switching). On the 4900 M I have several VLANs; one of them is an internal DMZ of sorts (192.168.2.0/24). Within this DMZ network are several Web servers which need to be associated with a public IP address (68.68.68.x).

Every time I configure a static Nat to associate a public IP address with an internal IP address within the DMZ, packet Tracer on the ASA informs me that the packet gets dropped at the static Nat and I cannot figure out why this is so. Safe to say my question still stands: is it possible to Nat (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring it in the manner above so that I can apply static nat through the 192.168.1.0 network to reach the 192.168.2.0 network?








Copyrights 2005-15 www.BigResource.com, All rights reserved