Cisco VPN :: AES-256 - ASA That Does Not Use RFC-1918 Addresses
May 21, 2012
We've never had a problem setting up ASA to ASA or ASA to PIX VPN site-to-site tunnels using RFC-1918 addresses (10.x.x.x usually). Now we have a customer (a hospital) that requires a public non-RFC1918 address to be presented to them. Since the addresses that we send are routable, they get routed through the internet instead of going through the tunnel. Here's the boilerplate from the customer:
"Important Note: The following information is to be used as a guideline in setting up a VPN connection between XXXX and your organization. Currently, XXXX supports only site-to-site VPNs and all partners MUST present valid registered public IP addresses through the VPN tunnel. XXXX is unable to accept RFC-1918 addresses (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). We do not support PPTP, L2TP, or client VPN connections through a dialer application."
I was able to get a tunnel running between two ASA-5505 units using a public class C address that is currently not routable. How do I get this to work with a routable address? The tunnel will be carrying patient data and is basically a single server to single server link. It needs AES-256 and SHA-5 encryption but that shouldn't be a problem. The hospital is using a PIX, we are using an ASA-5510 with Security Plus license. We also have a couple of ASA-5505 units with base license to test with.
Sep 5, 2011
I have two RFC1918 domains I wish to connect. Can I use double NAT with PAT so that each domain is represented as one single IP address, with each session a port of that address?
The link is a private point-to-point link with a /32 mask, so could I use this as the PAT address?
May 24, 2012
I have R1 (F0/0: 1.1.1.1) and R2 (F0/0: 1.1.1.2) connected together. Once I applied an ACL at R1 on the inbound direction I lost the OSPF session and the ping between these two routers, despite the ACL config below:
access-list 101 permit icmp host 1.1.1.1 host 1.1.1.2
access-list 101 permit ip host 1.1.1.1 host 1.1.1.2
access-list 101 permit ospf host 1.1.1.1 host 1.1.1.2
access-list 101 permit ip 192.168.1.0 0.0.0.15 any
R1
interface FastEthernet0/0
 ip access-group 101 in
R1 is my main router while R2 is my customer. I gave my customer the block 192.168.1.0/25, so I am going to implement some security like RFC 1918 and RFC 2827 filtering along with uRPF.
May 16, 2011
I am using a three-interface ASA config (Internet, DMZ, Inside). The DMZ and Inside networks are both RFC 1918 space; however, it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IPs which NAT to the DMZ hosts. In my DMZ network there are two devices: a web server and an 802.11 access point.
The Web Server is hosting our corporate web site. When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to. A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?
Aug 2, 2011
I've recently set up a LAN-2-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel. In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access. The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2. While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only needs to occur for traffic flowing from inside (100) to outside (0).
The following (redacted) addressing applies:
Address of the server on the 3rd party provider network: 192.168.2.155
Mapped address of server as seen on the network at my end: 10.168.2.155
I've currently implemented DNAT using object NAT as follows:
object network remote-server
host 192.168.2.155
nat (outside,inside) static 10.168.2.155
This works as expected; however, in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:
object network remote-server
host 192.168.2.155
object network remote-server-mapped
host 10.168.2.155
nat (inside,outside) source static any any destination static remote-server-mapped remote-server
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario? Are there any technical reasons why using object NAT in this manner should be avoided?
Oct 8, 2012
In the setup for the old RV042 (V1), when updating/adding MAC addresses, the table is always sorted by IP address. But in the new RV042 (V3) I have, even with the latest firmware 4.2.1.02, the list is random, thereby increasing the chance of a user entering a DUPLICATE IP address with a different MAC address. That will result in a conflict. If the firmware sorted the DHCP entries by IP address, the user would be able to catch duplicate IP errors even if the system does not flag the errors. All Cisco smart engineers, can you all get the DHCP entries SORTED by IP address?
Mar 6, 2012
I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is:
So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this because normally he sees my 63.117.98.222 address.
May 25, 2012
We got a bunch of port-sec violations on port fa1/0/42. After checking logs, we noticed that the MAC address responsible for generating the alert was not one, but many. We asked the user; he said he only restarted his computer. The MAC addresses happen to be existing MACs on the network. How is it possible that a port-sec violation is made by many MAC addresses on the same port, successively?
Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.
[code]....
Apr 21, 2013
When I try connecting via AnyConnect the logs (and AnyConnect messages) state the connection "cannot be established due to no addresses being available for SVC connection". The group etc. has a DHCP scope assigned (and this was working for the past year). I'm not sure what config changes (if any) he made before leaving.
Nov 15, 2011
We sold an ESW 540 switch to a 3COM customer that is replacing old equipment. This replacement will be done in different phases, so we have to interconnect some 3COM switches to the Cisco equipment. We are installing right now and have these two situations:
Virtual machines can't get IP addresses via DHCP (using a different MAC address) when connected to the Cisco switch. Physical machines receive IP addresses from DHCP without problem. This situation never happened with 3COM switches. When we interconnect the Cisco switch to the 3COM switches (not using uplink ports) the connection never goes up. Remembering that the 3COM switches are old, we fixed the speed to 100 Mbps full duplex, but it didn't work.
Mar 15, 2012
On my desktop home computer (XP Home Edition) connected directly to a high-speed Internet modem/router with an ethernet cable: the modem/computer connection worked for many months. Recently, I had to re-install my network driver because of a virus problem. The LAN icon now says "Status: Acquiring Network Address" but it never gets to a connected status. ipconfig /all shows all 0.0.0.0. I have another laptop (Windows 7) using the same network/modem through a Wi-Fi WLAN mini card and it connects fine to the Internet. IP values [CODE]
Oct 8, 2012
Why do we need them? Could we leave the LAN with a subnet broadcast packet (for instance with an address of 192.168.1.255 /24). Are those addresses used for something?
Apr 18, 2013
When you have a device whose IP you don't know, what do you do to find it out? I normally just plug directly into the device and use nmap to scan the ranges I think it might be in, but that takes quite some time.
May 25, 2011
I've just installed a 2106 controller at a remote site. The controller is seen by the WCS at the main site, so connectivity is good and I'm able to log in from the main site. I've configured the DHCP server, which is at the main site, on the AP manager interface and the manager interface and on the WLAN of the new controller, but APs are not getting addresses.
Apr 18, 2011
I purchased a Cisco 520 and am trying to set it up on my home network. It's ADSL PPPoA for WAN. I am trying to set up 2 LANs: one general network, one DMZ for web hosting. Now, since this router has 4 ethernet ports, I assumed I did not need VLANs. Except when I try to configure an interface with an IP address I get this error: % IP addresses may not be configured on L2 links. Now, I've looked around on the internet about this error, and it seems that since these interfaces are not Layer 3 interfaces, they need to be associated with VLANs. This would be OK, except this requires an IP address on an interface on the router! Back to square one.
Apr 16, 2012
I have a solution of three ACS: one primary and two secondaries. My customer reports to me that the port of the switch where the ACS is connected shows two MAC addresses. [code]
Feb 5, 2012
I have a Cisco 2811 with 8 serial interfaces. Three of them are in multilink1, which is our active connection to AT&T MPLS. I have the other 5 in multilink3, which will be an upgrade to a new MPLS. The two multilinks have different IP addresses. AT&T cannot get multilink3 (the new one) to come up. The serial links are clean with no errors. Cisco TAC looked at the config and ran some debugs. Their conclusion was that the far end AT&T router keeps dropping the multilink. Here is a debug of what it does (this shows only one serial interface in the multilink, for testing purposes). [code]
Oct 15, 2012
I have a client that has 6 public IP addresses. He needs to use 3 of them. One for workstations, which is currently working fine; it is using the default gateway IP. One for an email/web server, which has a static NAT and is also working fine. But we need an additional NAT for 3 servers that all need to go out as the same public IP. I am not sure how and have been unsuccessful getting those to go out as the same IP. I either cannot get them to exit the same IP or it breaks the workstation NAT.
Workstations would be 10.0.0.100 - 200 going out the FE1 interface, or I think x.x.94.122
Email would be 10.0.0.5 going out the static NAT of x.x.94.123
I then need 10.0.0.2 - 4 to go out x.x.94.124
I removed some ACLs and IP info for security. Attached is the current config.
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address x.x.4.240 255.255.255.0
[Code]....
Mar 4, 2011
Our company is a small one and steadily growing towards mid size. We currently have about 200 or so users. Naturally we have run out of IP addresses and now we must redesign the entire IP schema. Initially our plan was to just implement a class B subnet for the whole network with certain ranges belonging to certain kinds of devices/machines/servers. Are there any cons to this? If so, could you link me to documentation that explains this?
Nov 20, 2012
I have an exercise with the picture you find below. The question is: will the network shown in the diagram work correctly when you consider that the MAC addresses of PC0 and PC8 are the same, and why?
Jan 20, 2012
I am in charge of a network that has two DNS servers with directories, one main and one for backup. I also have a Cisco firewall. When I run a scan on my network, the scan results return clients that have two different IP addresses for one client or server, etc.
Jun 27, 2011
I have a DIR-615 rev C1 with the latest firmware (v3.13). I am trying to reserve all the IP addresses in my home network, which includes a printer, 3 computers, a network bridge to a PS3, the PS3 itself, an iPhone, and an A/V receiver. On my network setup page, I can see the MAC addresses under DHCP CLIENTS for the wired Win7 computer, a Win7 computer with a USB adapter, the PS3, the network bridge to the PS3, the iPhone.
[code]...
May 21, 2012
I've created a tonne of DHCP scopes on my routers before and never had any issues; however, this one will not hand out any addresses at all. I even gave the router a reload to see if any magic happened, but nothing. I've ended up having to put a temp server in with just DHCP installed until I get the router doing what it should. My config is below; it's something simple I haven't seen, as I've compared it to plenty of my working DHCP configs and seen nothing.
Oct 8, 2011
I have an unusual deployment scenario which may require the use of a SRP-521W. The scenario is as follows:
Temporary Setup:
Cisco 857 as the ADSL router until the Ethernet hand-off is installed
Multiple IP addresses delivered on the ADSL WAN service
Cisco 857 put into bridge mode and connected to the SRP-521W WAN port
Cisco 521W handles the authentication and routing
Check Point firewall system connected to SRP-521W LAN-1
Check Point firewall has WAN IP 203.XXX.XXX.XXX
Cisco UC-540W connected to SRP-521W LAN-2
Cisco UC-540W has WAN IP 203.XX.XX.XX
If you understand the above scenario, I am curious if this can be done and if so how? I need to keep the networks totally separate and the only thing they would have in common is the Cisco SRP-521W. It should also be noted that the SRP-521W is being used because the ADSL service is only temporary whilst the fibre build is completed and the carrier provides an Ethernet hand-off; then the Internet service will change to this type of presentation and the ADSL router will be relegated to the dark world of loneliness. I have gone through the router and have been playing around with the settings; the issue is I have nothing in the lab work-up that can allow me to replicate this environment and test it before deployment. So, how do I reduce the amount of trial and error I have to encounter to get it to work?
Nov 23, 2011
I would like to configure an 877w I just bought. It's connecting to a UK ADSL2+ link. I'm a penetration tester and I want to put the Cisco router in front of my existing firewall, which has an IPS on it, so that it doesn't get in the way of port scans and vulnerability scans. My ISP has issued me with 14 usable addresses, a /240 subnet, and basically I want to be able to use the router with just the public IP addresses. I have configured Cisco routers before, but never with this type of configuration. It's always been a single public IP address NAT'd through to one or two internal LANs.
It would be nice if I could assign the wireless and fast ethernet ports to the same VLAN using the public addresses. I don't want to use DHCP; I'm quite happy statically assigning IP addresses to the computers' wireless and LAN interfaces. I am reasonably certain this is possible but not sure how to do it, and a little busy at the moment carrying out penetration tests.
Sep 15, 2011
I've put in an SRP-527W for a client and got it working fine. However, it's not connecting using the 5 static IP addresses BT gave me. Where do I input the 5 static IPs on the router that it should connect using?
Dec 12, 2011
Is there a way to set static IP addresses for each port on an SF 300-08?
Jan 21, 2013
I work for a company that recently upgraded to a Cisco RVS4000 router in place of a failing D-Link router. I configured the RVS4000 to utilize the same address space as the D-Link previously did (192.168.0.0 Network Address, 255.255.255.0 Subnet Mask, RVS4000 in Gateway Mode with IP Address 192.168.0.1, DHCP Scope from 192.168.0.101 - 200 managed by the RVS4000) before installing it on the network. I powered down the D-Link as well as the cable modem, then all of the workstations in the office. Then, I installed the RVS4000, powered up the cable modem, and once it was ready, powered on the RVS4000.
When devices connect, the RVS4000 is assigning them an IP address in the 192.168.1.0/24 subnet, instead of the 192.168.0.0/24 subnet. I have verified that the RVS4000's GUI is showing the correct settings, but connected devices are not picking up addresses from the correct address pool. In troubleshooting, I went to each workstation, released and renewed their IP addresses, and they picked up addresses in the correct subnet. I thought everything was solved, but the next day, the same problem resurfaced.
I left the DHCP lease time at the default value "0", which according to the unit's documentation should correspond to a 24-hour lease period. I suspect this is why I had to renew the clients' IP addresses the next day (today), but I still don't get why the RVS4000 wants to give out addresses in the 192.168.1.0/24 scope. Could this be a holdover from the factory settings?
Additional Information: I did not set up any VLANs on the network and the office only requires one subnet, as there are not a lot of devices connected, nor do we need the traffic segregated. The VPN functions of the RVS4000 work fine. Using the QuickVPN utility, I can access the network and resources on the network remotely without issue.
May 7, 2013
I am in the process of implementing 750 Cisco access points across the business. I need to make a note of the serial numbers and MAC addresses for our inventory before I get these configured and sent out to their relevant destinations. The APs have arrived in boxes of 10 (75 boxes). The sticker on the box with the barcode is either covered with a postage sticker, ripped, or my scanner will not scan it because it is too small. There is a sticker with the serial bundle which is larger and therefore scannable. Is there a way that I can scan this and get the MAC address and serial number?
I know that this is not a technical question, but I don't want to spend the next 3 weeks opening 75 boxes and removing each AP individually and recording it.
Feb 10, 2011
I currently have an ASA 5500. Is there a way to authenticate based on MAC address through the VPN client? We are having problems with users using their home computers to connect. Yes, they are smart enough to install the client and copy the profile.
Dec 16, 2011
I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues). One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines. I'm having trouble getting that working properly with the new device.
After a lot of trial and error, I finally got some ports working, but only for some IP addresses. In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189). For historical reasons, the external IP of the device is .178. Only those NAT entries for .177, .178 and .179 are currently working. I've attached the configuration of the ASA, as well as the configuration of the old 1841. As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it. And it was working with the 1841 in place before its untimely demise.
One note - I am also having trouble getting the VPNs working, so they are a work in progress. That will account for some of the differences in the configs.
Mar 5, 2011
I have just installed an SRP 527w and its basic operation is working fine. However, the ISP has allocated (and set up routing for) a range of 16 additional static addresses to the link that I now wish to configure and use, but I am having problems. Details are as follows (IP addresses are fictitious): [code] Extra IP range netmask: 255.255.255.240. From what I understand, these are added as subinterfaces which are bridged off the main WAN interface. However, when I try to add a subinterface by specifying (say) I get an error when saving: [code] The error states "IP Address and Gateway cannot be the same as the netmask".
Jan 6, 2011
We have a Cisco ASA 5505 box. We have a /29 subnet available. At this moment one of the IP addresses in this range is assigned to VLAN2, used for the outside interface.
All outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1
All outgoing traffic from VLAN20 (for visitors) will go out using a second IP, xxx.xxx.xxx.2
All outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using a third IP, xxx.xxx.xxx.3
All specified incoming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10.
The main purpose is to have a specific public IP address for the mail server only, so as not to get on any blacklist, and to give visitors a different outgoing IP address than our internal users.