Cisco VPN :: 5520 - Use Public IP As Local Encryption Network

Mar 5, 2012

We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA. We have multiple VPNs on this firewall.

The issue with the latest one is they require a Public IP as the Local Encryption Network. I've seen this question a couple of times while searching but never really found a definitive answer.

Would using the "Outside-Network" as the local encryption network, then NATting the appropriate IPs, be sufficient? Or would this not work at all?

Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66. Would using X1.X1.X1.64/28 as the local encryption network make the connection? Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?

Would this work or am I way off the mark? (I'm by no means an ASA expert, and an ASDM explanation would work over command line.)

Edit: Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool, and make that our Local Encrypted Network? I think this might be it, but could it cause IP overlapping? Our webserver is part of this and I'm worried about causing connection issues.




Cisco VPN :: ASA 5510 - Using A Public IP For Local Network

Jul 30, 2012

I am setting up a site to site IPsec connection with a company, something which I have done many times before without trouble. I use ASDM to configure this as it is quick and painless, usually.

We have a number of other site to site connections currently configured and working fine on this ASA. These are configured with the 'Protected network - Local network' set to the private IPs of the hosts within our network we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to 'Exempt ASA side hosts from NAT'.

With this new connection, however, the company has asked us to use a public IP for the host we want them to reach through the tunnel. I am not sure why, but they demand it. So I added a NAT rule for the inside host, and configured the connection with the public IP under 'Local Network'. When testing to try to reach a host on their side, the tunnel does not even attempt to initiate.

I can't see where I am going wrong. I am guessing the 'Exempt ASA side host from NAT' does not need to be set for this, as how else would the ASA know which internal host the public IP relates to?

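The configuration both ASA posts above (the 5520 question and the 5510 question) are asking for, as an added example that is not code from either poster: a static policy NAT that gives the DMZ host a public identity only towards the VPN peer, and a crypto ACL written with that translated address. RFC 5737 documentation addresses stand in for the posters' X1/X2 placeholders; the remote peer 203.0.113.1, its network 10.20.30.0/24, the interface names dmz/outside and the object, ACL and crypto map names are assumptions.

```cisco
! Added example (not from the posts): a public address as the local encryption domain.
! RFC 5737 addresses stand in for the posters' placeholders; everything else is assumed.
!   198.51.100.64/28  our public block            (post: X1.X1.X1.64/28)
!   198.51.100.66     our outside interface       (post: X1.X1.X1.66)
!   192.0.2.71        DMZ host, real address      (post: X2.X2.X2.71)
!   198.51.100.71     the same host as the peer must see it (post: X1.X1.X1.71)
!   203.0.113.1       remote peer (assumed)
!   10.20.30.0/24     remote encryption domain (assumed)
!
! ---------- ASA 8.3 and later (object / twice NAT) ----------
object network DMZ-HOST-REAL
 host 192.0.2.71
object network DMZ-HOST-PUBLIC
 host 198.51.100.71
object network PEER-ENCDOMAIN
 subnet 10.20.30.0 255.255.255.0
!
! Static policy NAT: the host becomes 198.51.100.71 only when it talks to the peer's
! network, so its ordinary internet NAT is untouched. Manual NAT rules are matched
! top-down; this rule must sit BEFORE any NAT-exemption (identity) rule that also
! matches this host and destination, otherwise the packet leaves untranslated and
! never matches the crypto ACL.
nat (dmz,outside) 1 source static DMZ-HOST-REAL DMZ-HOST-PUBLIC destination static PEER-ENCDOMAIN PEER-ENCDOMAIN
!
! The crypto ACL (what is negotiated with the peer) uses the TRANSLATED local address.
! Encrypt only the host(s) you publish, not the whole /28: that block also holds the
! outside interface itself and the upstream gateway.
access-list VPN-TO-PEER extended permit ip object DMZ-HOST-PUBLIC object PEER-ENCDOMAIN
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-PEER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
! (transform set, IKE policy and tunnel-group are the same as for the existing tunnels)
!
! ---------- ASA 8.2 equivalent (static policy NAT) ----------
! Pre-8.3 NAT order is: "nat 0 access-list" (exemption) first, then static. An exemption
! entry that also matches this host and destination wins, and this never translates.
! The crypto ACL is the same idea as above, written with 198.51.100.71 as the source.
access-list DMZ-TO-PEER-NAT extended permit ip host 192.0.2.71 10.20.30.0 255.255.255.0
static (dmz,outside) 198.51.100.71 access-list DMZ-TO-PEER-NAT
!
! ---------- Checks ----------
! packet-tracer input dmz tcp 192.0.2.71 40000 10.20.30.5 443
!   the NAT phase must show 192.0.2.71 -> 198.51.100.71 followed by a VPN (encrypt)
!   phase; no VPN phase means the translated packet did not match the crypto ACL.
! show crypto ipsec sa peer 203.0.113.1
!   "local ident" must be 198.51.100.71/255.255.255.255; if no SA ever appears, nothing
!   matched the crypto ACL and the tunnel is never initiated, which is the symptom in the
!   5510 post.
```

Two points a practitioner checks on top of this. The crypto ACL and the peer's ACL must mirror each other exactly (198.51.100.71/32 on one side, 10.20.30.0/24 on the other), or phase 2 fails. And with the default `sysopt connection permit-vpn`, decrypted traffic bypasses the outside interface ACL, so the peer reaches 192.0.2.71 on every port unless a `vpn-filter` is applied to the tunnel's group-policy or `no sysopt connection permit-vpn` is set.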

Cisco WAN :: ASA 5510 - Allow Local Network To Access Public Internet Address On DMZ

Mar 14, 2013

I have a Cisco ASA 5510 I am using ASDM 6.1
 
I have a LAN and a DMZ and an internet connection. I am using one of the internet connection IPs to host an HTTP service on a server in my DMZ. (It's the same interface as my internet connection but a different IP to the one used for internet connectivity.)

So say my LAN is 192.168.1.x
and my DMZ is 172.168.1.x

I can access DMZ from LAN and vice versa. When I try to access the public IP (or URL) from a PC in my LAN I get nothing.

I have enabled DNS rewrite (doctoring) but it is still not working. The HTTP service is available from other sites.


Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

I have an ASA 5520 8.4(1) set up as follows
 
      public wan
          |
          |
       ASA-- public dmz
          |
          |
      private lan
 
I need to allow HTTPS traffic to a server in the DMZ that will have a routable IP address. Will just an ACL suffice? Which interface do I apply it to, WAN or DMZ? I don't need a NAT since the DMZ is a routable space?


Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site to site VPN with a customer. While collecting the information I gave them our local network subnet, which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They cannot work with the 192.168.5 subnet. Is this possible?

My side of the VPN is an ASA 5505 running 8.2(2). The other side I believe is a Checkpoint.


Cisco Firewall :: ASA 5505 - Can't Login From Public And Local IP Anymore

Dec 15, 2011

We've a Cisco ASA 5505 connected directly to a Verizon FiOS Circuit (ONT) box using an Ethernet cable. As per the existing documentation that I have, the previous person configured this as a dedicated router to establish a separate VPN connection to our software provider. They assigned both a Public Static and a Local Static IP address. When I try to ping the public IP address, it says request timed out, so the public IP address is no longer working.

When I ping the local IP address of 192.168.100.11, it responds. The SolarWinds tool also shows an Always UP signal. How can I log in to this router, either remotely or locally, to check the configuration, back up and do the firmware upgrade?

I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to the Internet without any issues. However I don't know the IP address to use to log in.


Cisco VPN :: ASA 5520 SSL Using Different IP Than Public

Nov 6, 2012

I am trying to configure an SSL VPN on a Cisco ASA5520. Unfortunately port 443 of the OUTSIDE interface of the ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me from using the public IP of the ASA as the Cisco VPN IP address for the webpage. I don't want to use a different port either, to keep life easy for the users. I have some public IPs available that I can use, so I wanted to use one of them instead of the ASA's OUTSIDE interface.


Netgear WGR614v9 - Opening Local Development Web Server To Public

Jan 10, 2012

I have a local web development server that I'd like to open up so my clients can see the sites I build for them. The server is just my old laptop that I now use only as a web server.

I'm having trouble figuring out the port forwarding for this. I have a Netgear WGR614v9. I've configured the server to have a static IP, and have port forwarding sending port 80 over to the server. I've made an exception in Windows Firewall for port 80.

So, from my understanding, I should be able to go to http://[my public ip], and I should at the very least see my server's default site.

I think my problem is that I don't have just one website hosted by Apache. But instead am using Virtual Hosts to have a handful of sites hosted. So what I don't know is how to configure the server to know what site to serve.

I know I'm missing a step with having DNS setup. I haven't gone through that step yet because I thought it wasn't immediately necessary to configure the port forwarding.


Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have an ASA 5520 with Ver 8.2. The outside interface is directly connected to the ISP's router (TelePacific) and is assigned one of the public IPs: 198.24.210.226. There are two servers inside the network with the private IPs 192.168.1.20 for the DB Server and 192.168.1.91 for the Web Server. I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91. When I access the DB Server (198.24.210.226) it's working OK, but when I access the Web Server (198.24.210.227) there is no response at all. I checked the inside traffic; it did not even get into the firewall. Is this a problem with the ISP's router? How can we route all of our public IPs to the outside interface (198.24.210.226)?

interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100
 no shutdown
interface GigabitEthernet0/0
 nameif outside
 ip address 198.24.210.226

[Code].....


Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have an ASA 5520 with Version 8.2(5). The ISP gave me a block of public IPs (201.148.156.193/28). One valid IP (201.148.156.194) has the Global NAT (all LAN users) and an FTP server, but I need the IP 201.148.156.195 to be used for the VCSe, and the IP 201.148.156.196 to be used for another FTP server.


Cisco Firewall :: 5520 - Two Private To One Public Email NAT Going

Nov 8, 2011

How do I set up this NAT on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to NAT two DMZ mail servers to one public MX record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to NAT two private IPs to one public.


Cisco Firewall :: Changing ISP / Updating The Public IPs On ASA 5520

Jun 11, 2013

We have 2 x ASA 5520s in active/standby and we have a block of 30 public IPs that NAT to many servers etc. and we use it for our Corp VPN. We are changing ISPs soon and we will be getting a new block of public IPs. Where do I even start to plan the migration, and how? Can I overlap somehow and do a slow migration, or must I do it in one big swoop?


Cisco Firewall :: ASA 5520 / 8.6 Allow Publishing To Only One Range Of Public IP

Apr 19, 2013

Any confirmation that versions 8.6 and up don't allow publishing to more than one public range of IP addresses?

We have an ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IPs.

With the same configuration on an ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.


Cisco Firewall :: ASA 5520 - Second IP Range On Public Interface For NATing

Jul 9, 2012

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of the Public IPs on the current interface for various services (these need one to one mapping, so I can't port map, mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches, and I need to use an additional non-contiguous IP address range for additional services advertised on the Public interface that are NAT'd to servers in my DMZ.

I have seen an example of adding a static ARP on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have an L2 switch between the ISP router and the firewall, so using VLANs is not an option unless the ISP can be persuaded (highly unlikely) to add the secondary IPs as a sub-interface with tagging. Anyway, if this was actioned then we would have a massive outage on our current IP range during the transition.

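The three posts above about publishing addresses that are not on the outside interface's own subnet (the 8.2 "Multiple Public IPs" post, the 8.4-versus-8.6 post, and the "second IP range" post) all hinge on the same thing, and the following is an added example, not any poster's configuration. All addresses are RFC 5737 documentation ranges and all names (outside/dmz, WEB-DMZ, OUTSIDE-IN, the capture name) are assumptions.

```cisco
! Added example (not from the posts; 8.3+ syntax; every address below is assumed):
!   outside interface 198.51.100.2/30, ISP gateway 198.51.100.1
!   extra public range 203.0.113.0/28, which is NOT on the outside subnet
!   DMZ web server 172.16.1.10, published as 203.0.113.10
!
! The ASA answers ARP (proxy ARP) only for mapped addresses that fall inside the outside
! interface's own subnet. An address from a second, non-connected range reaches the ASA
! only if the ISP ROUTES that range to 198.51.100.2. No ASA-side setting replaces that
! route, and the ASA has no "ip address ... secondary" with which to fake one.
object network WEB-DMZ
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
!
! 8.3+ interface ACLs are written with the REAL (untranslated) address:
access-list OUTSIDE-IN extended permit tcp any object WEB-DMZ eq https
access-group OUTSIDE-IN in interface outside
!
! 8.2 equivalent, where the ACL uses the MAPPED (public) address instead:
!   static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
!   access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq https
!
! Checks, in this order:
! 1. capture ISP interface outside match ip any host 203.0.113.10
!    show capture ISP
!      nothing captured while an external client connects = the ISP is not sending the
!      range to you; that is a routing problem upstream, not an ASA or version problem.
! 2. packet-tracer input outside tcp 192.0.2.99 40000 203.0.113.10 443
!      the UN-NAT phase must show 203.0.113.10 -> 172.16.1.10 and every phase must ALLOW.
! 3. show nat detail
!      translate_hits / untranslate_hits for WEB-DMZ increase as traffic flows.
! 4. show arp
!      lists neighbours the ASA has learned (the gateway); your own mapped addresses
!      are not expected here, so their absence is normal.
```

For a range inside the connected subnet, check 1 is the same but the failure mode is different: a packet for the mapped address that arrives but is never UN-NATed usually means proxy ARP was disabled for the rule (`no-proxy-arp` on 8.3+, `sysopt noproxyarp outside` on 8.2) or the upstream still holds a stale ARP entry for that address.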

Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (HTTPS) websites using a couple of public IPs on an ASA5520 with AIP SSM-20 and with as few certificates as possible?

Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so we have 6 servers with around 40 hosted URLs. The number of websites is due to double very soon and we will need to use more of our public IPs. We can see that we will run out of public IPs very soon, especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites is required to use HTTPS and therefore each must have a certificate, which will be very expensive. PCI DSS (Payment Card Industry Data Security Standard) is causing us issues because we had hoped to put the certificates on the firewall (one for each physical server) and then run the data unencrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs; however it is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers, especially seeing as we also have an IPS card that is already running at around 70-80% utilisation due to the performance overhead.

BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).


Cisco VPN :: Using RSA With Local AAA On Asa 5520?

Aug 23, 2012

Is it possible to use an RSA token on the ASA without setting up any other server, just using the ASA? Our clients use the Cisco VPN client version 5.0.07.0290 and IOS 8.3(1). How would this be done?


Cisco VPN :: 5520 VPN Filtering And Access From Local To Remote Site

Mar 21, 2012

I have configured VPN filtering on all my L2L VPNs. I have restricted access from remote to local resources only to specified ports. It works perfectly. But I want to also have full access from local to remote networks (but still preserve restricted access from remote to local). As I know, VPN Filter works bi-directionally with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)

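An added example for the vpn-filter question above, not the poster's configuration: it shows how the filter's "remote side is always the source" convention turns the asked-for asymmetry into a question about ports, where that falls short, and the alternative that is genuinely directional. Addresses and names are assumed (local 192.168.10.0/24, remote 10.20.0.0/16, local server 192.168.10.50, group-policy PEER-GP, ACL names).

```cisco
! Added example (not the poster's config). Assumed: local 192.168.10.0/24,
! remote 10.20.0.0/16, local server 192.168.10.50, group-policy PEER-GP.
!
! A vpn-filter ACL is written with the REMOTE side as source and the LOCAL side as
! destination no matter who opens the connection. The ASA evaluates it on the packet that
! opens a connection; stateful inspection takes care of the replies.
!
! Remote may open only HTTPS to one local server:
access-list VPN-FILTER-PEER extended permit tcp 10.20.0.0 255.255.0.0 host 192.168.10.50 eq 443
!
! A LOCAL-initiated connection to remote port 22 is seen by the filter as
! remote:22 -> local:<ephemeral>, so the port operator belongs on the SOURCE side:
access-list VPN-FILTER-PEER extended permit tcp 10.20.0.0 255.255.0.0 eq 22 192.168.10.0 255.255.255.0
! Limitation: that same line also lets a REMOTE host open connections to any local host
! as long as it chooses 22 as its source port. "Everything from local, only 443 from
! remote" therefore cannot be expressed exactly with vpn-filter alone.
!
group-policy PEER-GP attributes
 vpn-filter value VPN-FILTER-PEER
!
! ---- Genuinely directional alternative: run tunnel traffic through the outside ACL ----
! By default (sysopt connection permit-vpn) decrypted traffic bypasses interface ACLs.
! Turning that off makes the inbound outside ACL apply to decrypted packets from EVERY
! tunnel on this box (L2L and remote access), so add rules for all peers before doing it.
! Local-initiated traffic is outbound on the outside interface and is not restricted here.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 10.20.0.0 255.255.0.0 host 192.168.10.50 eq 443
access-group OUTSIDE-IN in interface outside
group-policy PEER-GP attributes
 no vpn-filter
!
! Checks:
! show vpn-sessiondb detail l2l      -> "Filter Name" shows which ACL, if any, is applied
! show access-list VPN-FILTER-PEER   -> hitcnt on each line shows what is actually matching
! show asp drop                      -> acl-drop counters climb when traffic is being denied
```

On 8.3 and later the outside ACL is written with real (untranslated) addresses, which is what the block assumes; the vpn-filter ACL is always written with the addresses as seen inside the tunnel.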

Cisco VPN :: 5520 - Limitation On Number Of Certificates That Local CA Supports?

Jul 19, 2011

We have an ASA 5520 used for VPN and would like to make use of the ASA's local CA to manage certificates. Do you know if there's any limitation on the number of certificates that the local CA supports?


Find Own Encryption Key On Secured Network?

Jun 12, 2011

I have moved my router upstairs and want to make the computer downstairs wireless, but it keeps asking for my encryption key or wapp?


Linksys Wired Router :: RVL200 / RVS4000 Possible To Assign Public IP Address As Local IP Address?

Feb 28, 2011

Is it possible to assign a public IP address as the router's local IP address (RVL200, RVS4000)?


Wireless :: Selective Encryption Algorithm In Wired Network?

Sep 22, 2011

If there is a wireless ad hoc network and I want to provide security for the data which I want to transmit over this network, but I don't want to encrypt the whole data, only to apply encryption to the part of the data which contains the important information.


Sharing :: Change Network Settings So Internet Connection Appeared As Public Network

Jan 25, 2011

I use my desktop for streaming media throughout the house. I found it was causing lag for gaming, most likely because it was taking up all the bandwidth for the router. We had a 2nd router lying around as well as a 2nd wireless adapter, so we set up a 2nd network that was not connected to the internet strictly for media streaming. I attempted to change the network settings so the internet connection appeared as a public network, so that streaming of media was hopefully diverted to the non-internet wireless adapter. I want a faster way of transferring large video files from my laptop to my desktop. I recently bought a crossover cable to do this through a direct connection. Both use the same user name and password as well as run the same Win 7 Pro; however the desktop is the 64-bit version. I set up both IPv4 with the same addresses. When it has worked I am only getting a connection speed of just over 10 Mb, and once I connect the crossover cable between the computers it knocks out my internet connection on the wireless card.


Cisco Firewall :: Create Local User In ASA 5520 To Allow User To Use ASDM In Read-Only Mode?

Oct 10, 2011

I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.

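The read-only ASDM user asked for above, as an added example that is not the poster's configuration. The user name, the passphrase placeholder and the existence of a privilege-15 admin account are assumptions; the privilege levels are the ones ASDM maps to its user roles (15 admin, 5 read-only, 3 monitor-only).

```cisco
! Added example (not the poster's config): a local user restricted to the ASDM
! Home/Monitoring panes. Names and the passphrase placeholder are assumed.
!
! Make sure a full-privilege local account exists BEFORE turning on local command
! authorization, or you lock yourself out of the box.
username admin password <admin-passphrase> privilege 15
!
! ASDM roles by privilege level: 15 = Admin, 5 = Read Only, 3 = Monitor Only (Dashboard).
username dashboard-ro password <strong-passphrase> privilege 3
!
! Authenticate ASDM (HTTPS) logins against the local database...
aaa authentication http console LOCAL
! ...and enforce the privilege levels. Without this line the level on the username is
! ignored: every local user who can log in to ASDM gets full admin access.
aaa authorization command LOCAL
!
! Checks:
! show curpriv      (logged in as dashboard-ro)  -> "Current privilege level : 3"
! show run aaa                                   -> both aaa lines present
! log in to ASDM as dashboard-ro                 -> Configuration and Tools are unavailable
```

`aaa authorization command LOCAL` also affects CLI sessions: users below level 15 lose access to `configure terminal` and the `enable` password must be set, so test with a second session open as admin before disconnecting.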

Cisco VPN :: ASA Version 8.2(5) - Public-to-Public L2L / No Return Traffic?

Apr 2, 2013

One of our vendors requires using a public IP address to set up a site-to-site IPSEC VPN. We only have one public IP address and that will be used for the VPN endpoint and for internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases any time I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.

Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
!
hostname ciscoasa

[code]....


Home Network :: Setup A DC++ HUB For Sharing Data Within The University Local Network?

Feb 13, 2011

I want to set up a DC++ HUB for sharing data within the university local network. We have addresses of the form 172.31.*.*. These addresses are accessible within the university but not routable outside on the internet. My plan is to set up a local HUB for DC++ for sharing data within the university intranet. So even if the internet is unavailable, data can be exchanged through the LAN. This HUB must not be accessible outside the university network. How should I do all this, including implementing network sharing other than DC++? My basic idea is that everybody can share their data and the data is searchable from one common interface (a web interface is the better option, if possible). And data fetching should preferably be from many hosts, using multiple connections so that speed can be improved.


Home Network :: Add Printers To Local Wireless Network Without Sharing From Computer

Mar 3, 2012

I have a home network running all Mac computers (though can run Windows VM if necessary) and a pair of USB printers. The wireless router and cable modem are in one room, but the printers are in another. I'd like to find the most practical way to add the printers to the local wireless network without sharing them from a computer. I've tried that for a while, but don't want to leave a laptop connected 24/7 just to enable wireless printing (rather defeats the purpose of a portable computer). I don't have any wired network lines in the home, and am not excited by the idea of running any cables.


Cisco VPN :: ASA5505 VPN Private Network With IP Public

May 19, 2011

My partner requires that I create a VPN connection with a Cisco ASA5505 and send requests by public IP to my private network. Is it possible to create NAT rules for this?


Home Network :: Setup A Local Network Between The 3 Computers But Separated?

Jun 28, 2012

I'm connected to the internet through a shared internet connection through a switch, and also have 3 computers connected to the same switch. What I want is to set up a local network between the 3 computers but separated from the internet network.


Set Up A Public Wifi Network For Village

Aug 19, 2011

I'd like to create a village-wide wifi network. The purpose is to provide a public service, so although we'd have to charge to cover capital and operating costs, the purpose would be to run it on a non-profit basis. If it does by chance make a profit it would be donated to local community projects, so we should be able to get support from local business and residents if the technical solution requires their collaboration.


Using Public Access Network - Slow?

Nov 13, 2011

I brought my desktop PC thinking there would be an ethernet port in the room, but there isn't. I went out and bought a Belkin USB Wireless N150 network adapter and I download things at roughly 25 kbps, which just... sucks. I tried to ask the "tech guy" here what type of router they are using and he said "W-E-P", so I just said "okay" and walked away, knowing that he barely speaks English. What can I do to get any more speed out of this? I don't know if it's a B, G, or N. If it's a G, would buying the N300 (I think it's "N+") or the N600 Dual Band work at all? What settings can I change? What can I buy? I've also got my Xbox 360 hooked into my PC via the ethernet port and shared the network connection with it to play Xbox Live; it's slow, but not unplayable.

MY PC SPECS:

3.2 intel core 2 duo (conroe)
asus p5q mobo
4gigs kingston
Windows Vista 64bit Ultimate


Xbox 360 - Change MTU On Public Network?

Aug 25, 2011

I'm trying to connect an Xbox 360 to my University's wireless network using a bridged connection between the wireless adapter and the LAN adapter. I can connect to the internet on the Xbox, but not Xbox LIVE. I get an error message stating that my MTU setting must be 1364 or higher. I obviously cannot access the router settings because they are the schools routers and I do not have administrative privileges. So, Is there some other way to modify MTU settings without that access?


Home Network :: How To Use A Network Connection As A Local Host

Nov 1, 2012

There is a device which is connected to the PC via LAN. I have an exe file which is supposed to connect to that device and perform some operations. However, the problem is that the exe file tries to connect to the local host IP address 127.0.0.1 and I can't change the IP since it's been coded in. So I'm wondering if I can use the device connection (which already has a different IP like 169....) as a local host connection, so whenever it tries to connect to the loopback 127... it automatically connects to the external device.


Home Network :: Interfacing Local Area Network With LCD?

Mar 17, 2012

I am planning to deploy a "Digital Notice Board system" in my office, which gets a feed from a web server and displays data/streams on an LCD screen. Well, I am done with implementing all the interface on the server side and it's working pretty well with a client-side computer. But instead of using a client-side computer, I just want to use the LCD and make some network interface of the Local Area Network directly with the LCD (to save the cost/installation/maintenance of a dedicated computer with the LCD).


Copyrights 2005-15 www.BigResource.com, All rights reserved