Cisco VPN :: ASA 5510 - New VLan Not Accessible?
Apr 7, 2011
Cisco ASA 5510 with static routes. I created a new internal vlan and added the correct route to the ASA. Internally the vlan is fully accessible but when I connect to the VPN I cannot communicate with systems on it.
The dynamic access policy and associated ACL are fine. A system associated with this policy but not on the new vlan is accessible thru this policy.
Mar 18, 2012
I set up a site-to-site VPN between location A and location B. The setup is working and both locations can see each other. Now the problem is that last weekend the VPN was not up although the Internet was accessible. The solution was that I powered the ASA 5510 off and on, and the VPN connection was up again. This has already occurred 2 times. The 1st time was 4 months back. The 1st time I thought it was nothing, but the 2nd time, I really need to know what is wrong. I attach the configuration of the ASA 5510 at location A that I rebooted.
Sep 24, 2012
I have a similar problem, I'm able to connect via VPN client and ping only one host on the remote lan and nothing else. I'm using both split-tunnel and non-split-tunnel, but none has worked. My main objective is to make the remote user connect to office lan (remote lan for him) and office Internet connection.
May 27, 2012
I'm setting up VLANs and inter-VLAN routing in my lab. My VLANs work well (routing between them and DHCP relay) on the LAN side of the ASA but they cannot reach the Internet through the ASA.
Here are my ASA settings:
Note: I know that the physical interface mustn't have an IP address but my present network needs one to work. I'll fix this during my next tests.
: Saved
:
ASA Version 8.2(1)
!
[Code].....
Apr 18, 2013
I am looking to set up an isolated WLAN for the users in my organization and for how to proceed. What I have is the following:
Cisco 5508 Wireless LAN controller
Cisco Catalyst 3750 24 port (not sure what exact model)
Cisco AIR-AP1131AG-A-K9 POE Access Point
Cisco ASA 5510
Currently what I would like to do is to set up a VLAN on the Cisco ASA 5510, connect the Catalyst to the VLAN and connect the 5508 Wireless LAN to the Catalyst via fibre. From there on in, I would connect each AP to the Catalyst? The proposed scenario is that the VLAN would be in a DMZ and have direct access to the Internet without any filtering, and users would connect their devices to the AP and get a DHCP address and be able to surf with freedom? The problem is, I am unsure as to where to start. I have been Cisco certified since 2001, however I haven't started to use my skills until now. The VLAN would be the following: 192.168.20.X
Mar 9, 2012
One of our customers has asked us to NAT from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor-managed voice router.
Internet for everything else
|
|
Inside ------------------------> ASA 5510 -----------------> Voice router ------> outside to public phone server only
10.10.1.0/20 10.10.1.7/320 172.16.20.1/24
Voice------------------------->
172.16.20.0/24 172.16.20.254/24
Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using nonat ACLs. The phone server can only talk to the 172.16.20.0/24 network. So I need to NAT the 10.10.1.0/20 network to the Voice interface on the ASA 172.16.20.254/24.
So I think I need the following static but I get the error below:
static (Inside,Voice) interface 10.10.0.0 netmask 255.255.240.0
WARNING: All traffic destined to the IP address of the Voice interface is being redirected.
WARNING: Users will not be able to access any service enabled on the Voice interface.
ERROR: Invalid net mask with interface option
[Code] .......
Feb 25, 2013
The user wants to create 5 networks: 100.x, 200.x, 210.x, 250.x, 220.x. On the ASA5510 there are not enough ports for 5 networks. So I want to create 4 VLANs on eth 0/3. I can create the VLANs but I cannot run the commands "switchport mode trunk" and "switchport trunk allowed vlan list". How can that be done?
Actually I want to use it like this: ASA5510-----4 vlans on eth 0/3------switch----vlan200,vlan210,vlan250,vlan220.
Mar 23, 2013
May I know the reason why we cannot create interface vlan on Cisco ASA 5510?
Jan 13, 2013
Is it possible to have the same VLAN on multiple interfaces on the ASA 5510 and higher models?
Dec 14, 2011
I am working on the exact same configuration as noted here [URL] that uses subinterfaces on the asa. I have two interfaces on my stacked 3750's configured as trunk ports (primary ASA on primary 3750 stack member, secondary ASA on secondary 3750 stack member).
My question is what should the DG be configured as on the 3750. Can I keep the 3750 in L2 or will I have to enable L3 routing? Should the VLAN interfaces be configured?
The port that the ASA is configured with has 3 subinterfaces on VLAN 100, 200, and 300.
The subinterfaces are G0/2.100, G0/2.200, and G0/2.300.
I am in the middle of converting from 3 separate DMZ switches, each attached to their own port on the ASA which is their default gateway, to one physical port on the ASA broken into 3 subinterfaces which then connect to stacked 3750's. The stack will then have the 3 separate DMZs in actual separate VLANs.
My goal is to leave the default gateway for each dmz on the ASA so I don't have to modify other areas of the ASA config.
Jan 16, 2013
Topology: 3560 <-access-mode-link-> ASA5510 - Internet
3560 has 3 VLANs and 3 corresponding SVIs (default-gateways for VLANs)
Just configured RAS VPN on ASA5510 and successfully made connection
Now, from RAS VPN (IPSEC) client workstation CLI, can ping all 3560 SVIs
CANNOT PING host devices plugged into switchports.
Oct 25, 2012
We have a base license ASA 5510, and have been trying to get ICMP working to check that we're routing and not hitting any NAT translation. We have a VLAN280 set up to the ISP for a VPN link to a remote site and another VLAN281 for Internet access for internal users.
Users can browse internet from (name _inside interface e0/1 access port) which is fine. When I do a ping to remote office through the VPN I get a response pinging from VLAN280 name VPN_Link. When I do a ping from name inside interface I don't get a response both are security level 100 with same-security-traffic permit inter-interface configured.
Config:
!
interface Ethernet0/0
speed 100
no nameif
[Code]....
Nov 13, 2011
Unable to create VLAN interfaces in ASA 5510
Nov 13, 2012
Firewall: ASA 5510
Switch: Linksys SRW2048
Physical topology: PC - > VLAN99 - > SRW2048 - trunk - > ASA5510
Switch Setup:
I've been tasked with breaking up a network that has run out of IPs, and have decided to use VLANs to accomplish this. I have to use an ASA5510 to accomplish all the routing between hosts in different VLANs. Port 48 is trunked to the ASA eth0/0 interface, with VLAN 99 and VLAN 20 tagging packets, VLAN 1 untagged. Hosts are hooked up to the appropriate ports on the switch.
May 28, 2012
I am a complete newbie to Cisco equipment. So far I've been able to figure out how to do most of what I needed by using the ASDM but I have run into something that is a little more complicated than just opening a port. We currently have a connection to our remote site. This site has a T1 Internet connection. Our connection is a site-to-site VPN with an ASA-5510 on this end and an ASA-5505 on the other.
We are upgrading this connection to a 75mbit hybrid microwave/fiber link. The provider is going to hand it off to us as an untagged VLAN. We made the decision to route all of the remote site's internet access through this location as to avoid having to split off part of the bandwidth of this link to dedicate to internet access.........
Mar 10, 2013
We have a small Cisco 1800 series workgroup router that separates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and server VLAN on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop VLAN and 1 for the server. Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.
Sep 24, 2012
Have multiple Catalyst 2960S switches, Cisco 2911 router and ASA 5510 firewall.
On the router have subinterfaces created for the VLANs:
Int FA0.0/41 for wireless VLAN setup with IP 10.10.41.100
Int FA0.0/60 for new Voice VLAN setup with IP 10.10.60.100
Internal network is 10.10.10.0/24 and LAN IP of router is 10.10.10.100
Have default route setup to push traffic from the router to the firewall:
ip route 0.0.0.0 0.0.0.0 10.10.10.251
On the firewall have added the new VLAN 10 (10.10.60.0) to the network object-group
Have configured route inside command:
route 10.10.60.0 255.255.255.0 10.10.10.100 1
Have also added the NAT command:
nat (inside) 1 10.10.60.0 255.255.255.0
On the 2960 I have my laptop connected to port 45 and I have it configured as follows:
switchport mode access
switchport access vlan 10
I assign my computer a static IP address of 10.10.60.84/255.255.255.0/10.10.60.100 with 10.10.10.11 as DNS server. When I do this, I can ping anything on the 10.10.60.0 network, and I can ping anything on the LAN 10.10.10.0 network. I am able to connect MSN Messenger, and I am able to do NSLOOKUP and get outside IP addresses to resolve. I am unable to browse the Internet though. I am not sure where the problem is though. It doesn't make sense to me, as it is set up the same way as VLAN 41, which is the wireless network, and when users connect to that, they get out to the Internet with no issues.
Mar 9, 2012
OK, so one site I used to use regularly has for the last few months been either incredibly slow or totally inaccessible. It's a perfectly sedate site, just a social forum; it's this one: www.pandemoniumcarnival.com/ which is accessible to all my friends but seemingly not to me... So far I have changed DNS (to OpenDNS and Google, thinking my ISP had blocked it for some reason). Tried Firefox (my usual browser), Chrome, IE... flushed all the settings etc. in each, no cookies etc. Tried "In Private Browsing" etc. Oddly I can get to the site if I use a site called "Hide my ***", a proxy server thing. But even then it's not fully functioning due, I think, to the proxy setting (?)
Jul 28, 2010
I recently (three days ago) purchased an SRP 527w and have been using it in a mixed Mac/Windows network. The setup is currently primarily using defaults apart from enabling logging. While I was still able to access the Internet with some applications, accessing web content appears to have blocked after approximately 48 hours uptime.
No web pages using port 80 were available and that included the router web interface. The router would respond to ping only.
On a different note. I have to say that I find it very strange that the supplied documentation doesn't advise setting up the router using the admin login. It was only after reading one of the comments on this site that I was alerted to this security problem. I also find it rather annoying that I appear to have to purchase additional support merely to be able to download firmware updates which are designed to give the device improved functionality.
Feb 22, 2011
I found WAN Miniport (IP) in my Windows XP and at the same time my LAN systems are not accessible.
Mar 19, 2011
I'm working on a small network (1 server, 6 workstations, stand-alone, not connected to the main Company Network) "reinstalling" a Workstation. Re-imaging from semi-generic Norton Ghost image (4 of the 6 Workstations run the same programs with different addresses). I then had to reset the IP, the Computer Name, and then the Domain (I did it in that order).
I'm using Windows Server 2003 as the domain controller, and the Workstation is XP Pro SP2.
The Workstation is using the same IP, Name, User as before, and they were working with the server previously (a program had corrupted prompting the reinstall).
The problem is that if I open Windows Explorer and type in the Workstation's IP (\\000.00.0.1) I get access to the computer. But if I go there and type in the Workstation's Name (\\Computer01) I get a "you may not have permission to use this network resource" error.
If I go to the Workstation, and try the same thing except with the Server's IP (\\000.00.0.100) and Name (\\Server01) I get access.
This Workstation controls an I/O device that is used by a program running on the server (most of the time, not while I'm doing the install of course) and the program uses the Workstation's Computer Name to access it.
As far as I can tell all the settings on this Workstation match the 3 that are running the same programs, but I could have missed something.
I'm a bit stumped by this; I don't normally deal with the Server side of the computers. I usually just set up the workstations to whatever Name/IP the Net-admins give me. But my bosses put me in charge of this little network, mainly because the Net-admins didn't want to deal with it.
Jul 8, 2012
I was trying to connect my computers on a home network so that I can access either one via the other. When I try, however, I get the message:
"***-PC is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced."
That is the message from computer 1 to computer 2.
Computer 2 gives me the message:
Windows cannot access \\***-PC
Check the spelling of the name. Otherwise, there might be a problem with your network. To try to identify and resolve network problems, click Diagnose.
Aug 31, 2012
I cannot access the shared Windows 7 C drive in Windows XP. How can I view these systems?
Jan 31, 2013
I have a Linksys router and I'm having quite a big issue. It's been since 2010 that I bought it and I had no problems up until recently. I was playing with/going through all the security settings just to see what all there was to secure my router. I noticed an IP setting and I'm 95% sure I did something which changed it; and now I am unable to access my router settings. Whenever I type the old IP address (192.168.1.1 or any of the few other IP addresses) it gives an error page and says this page is non-existent, or it gives me a link to click on with the failed IP address to do a Google search. My question is, is there any way that I can reset the router (like a system restore on a computer)?
Mar 23, 2013
I have NATed my 172.81.15.0 255.255.255.0 into my internal server 10.1.10.164. I can ping the outside server but the internal server is not accessible from outside.
static (Database-Servers,interface-sms) 172.81.15.2 10.1.10.164 netmask 255.255.255.255
icmp permit 172.81.15.0 255.255.255.0 interface-sms
route zemen-sms 172.81.15.0 255.255.255.0 10.131.199.201 1
access-list Database-Servers-in extended permit tcp host 10.1.10.164 host 10.185.62.144 eq 9090
access-list Database-Servers-in extended permit tcp host 10.1.10.164 host 10.185.62.144 eq www
icmp permit host 10.185.62.144 interface-sms
I can ping the outside server 10.185.62.144 without a problem. From the server 10.185.62.144 I can ping as far as 172.81.15.2 and it will not ping the NATed server 10.1.10.164. As you have seen, in the access list ping is permitted.
Jul 14, 2009
I am having some problems with WRVS4400N v2. We use it just for wired network (wireless is not in use, but it is configured). As a WAN we use PPPoE. Most machines do not use DHCP. After a while (few hours to few days after power up) the router freezes and it is not accessible. I cannot ping it or access the admin page. I have the latest firmware version (V1.00.09-ETSI). I also called service and they suggested to reset it to factory settings and reconfigure it.
Mar 17, 2012
Cisco ASA5505. Made a VPN connection (SSL or AnyConnect) with a domain notebook. After that, via RDP (connect with domain user) to one of the PCs in the domain. Until now everything is OK. The mapped drives are there but I do not have access to them. Normally when I am logged in to the network there is no problem, but only with the VPN connection. I have to log in to get access, but when I do that I get the message unknown user.
Oct 7, 2012
In my client office, We have replaced small business router cisco RV042 with Cisco ISR router 2911, in that router we have configured NAT to allow internal user to access internet and port forwarding for outside user to access web servers and other application that are hosted internally.
We are not able to access [URL] (name changed) from internally and one of the applications that are running on port no. 8280, and the same is working properly from outside the network. The other application that is running on 8287 is accessible from internally.
We are accessing with ip address http://192.168.1.51:8280. and [URL] not working from inside.
But all works fine with old cisco RV042.
Dec 25, 2011
I have an ASA 5510 with firmware version 8.4.2 and ASDM firmware 6.4.5. It is a new system and there is no configuration other than the inside network and HTTP server enable, allowing my IP address to access the HTTP server. I am able to ping the firewall but have no access through ASDM.
[code]....
Apr 28, 2011
I have made a Nat Rule to access local IP in outer world with external IP on asa 5505 . Before creating nat rule external IP was directly given to server but after that I put server behind ASA. But now external IP is not accessible externally.
Mar 26, 2011
I have a fairly simple wireless home network. My main desktop machine is running XP Pro, and our family laptop is running XP Home. The laptop shares the My Documents folder for 2 of the 3 profiles. One of them works as it should. It is visible and accessible on the main desktop machine, but the other share is visible but NOT accessible. I get the following error message when I try to explore it from the main desktop machine:
<the share name> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Access is denied.
I'm not sure when this started, but remember that the other folder being shared is working just fine. I've double and triple checked the settings, share names, and basically anything I could possibly mistype. I've restarted both PCs, and refreshed the network explorer via both the file explorer and My Computer dialog. The My Computer dialog refreshed the shares for some reason that the explorer wouldn't, but I'm still denied access to that one share on the laptop.
Aug 15, 2012
I have a Windows 7 machine that is wired to the router. I have a Windows XP computer that is wireless in another room. Signal is showing 80% and the Internet is accessible and fast from both systems; but I cannot access either computer from the other computer. I got the IP addresses of each machine and I cannot ping from either direction. Firewalls are turned off on both systems. When I type in \\server, I get an error that says I should check my spelling or use the Windows Search; but that doesn't work.
Jun 28, 2011
I have a Motorola Affix and am using the app printershare to print from my phone to a network printer at home.. it works great.. but I want to know if there is a way to make the printer accessible from the internet so I can print from my phone when I'm not home and connected to the network...