Cisco VPN :: ASA 5510 / VPN Behind Another External Interface

Dec 23, 2012

I have an ASA 5510. My ISP provides me with 2 separate public networks. One is routable from the outside world and one is not (and is used as a gateway for THAT routable network).

Assume that the non-routable network is a.a.a.a and the routable one is b.b.b.b, so we have 2 interfaces on the ASA: a.a.a.1 and b.b.b.1. Physically this network b.b.b.b is behind network a.a.a.a; one cable comes to me and is plugged into the ASA. As I said, all traffic from/to the external (routable) network is going through network a.a.a.a (and a default gateway at the ISP). So the problem: for my international partners I need to provide VPN. So the traffic flow is the following: for example a client with public IP 1.1.1.1 using the Cisco VPN client tries to connect to b.b.b.1. The packet arrives at interface a.a.a.1 and... is discarded.

7  Dec 24 2012  11:09:47  710005  1.1.1.1  62548  b.b.b.1  10000  TCP request discarded from 1.1.1.1/62548 to internet:b.b.b.1/10000

I assume that the ASA discards the packet BECAUSE IT COMES FROM A WRONG interface. Am I right? Also I tried to set up a bypass policy, but no effect?


Cisco Firewall :: ASA 5510 - Two External Subnets On The Same Interface

Oct 21, 2012

I have two ASA 5510s in an active-standby cluster, not that I think that the fact that they are clustered will be of any importance here, so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASAs. I have two subnets with public addresses; for simplicity let's call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.

Can I somehow use both these subnets in the ASAs? I'm currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use addresses from the second subnet, won't that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything; I'm just trying to plan ahead and I can't seem to wrap my head around how this could possibly be done.


Cisco VPN :: ASA 5510 ASDM - Routing Over Different External Interface

Sep 18, 2012

I have an ASA 5510 (ASA 8.0(4), ASDM 6.1(3)). I have 2 internet connections (only 1 is currently active). Currently all internet and VPN traffic go over 1 interface. What I want is to move general internet onto the new internet connection but keep VPN traffic on the old internet connection. I can get the internet working, but as soon as I do the VPNs go down. The VPNs are site-to-site VPNs.


Cisco Firewall :: Assign Several IP Addresses To External Interface ASA 5510?

Oct 13, 2011

How do I tell my firewall to also start listening on another outside IP address assigned by my ISP? I have it in use on another firewall right now. So my steps would be: shut down the IP address assignment on the old firewall interface, assign that IP address to the ASA5510 outside interface and configure NAT.


Cisco WAN :: 1811 ICMP On External Interface

Mar 10, 2012

I've got a Cisco 1811 router with FastEthernet0 plugged into a cable modem with 5 static IPs. I want to disable the ability for those IPs to be pinged externally, except from certain addresses that I specify (I have some offsite servers that I use to monitor the ISP link, for example). I also want the ability to ping external addresses from the router as well as from any of my inside subnets. [code]

I've tried various ACLs applied to Fa0, none of which work. [code]


Cisco VPN :: 892 Can't Ping My Router On External Interface

Mar 19, 2013

I've had some issues with my 892 router. [code] When match address is set to acl-net12, I can't ping my router on the external interface and the tunnel is working very badly (15%-20% packet loss). If I change match address from acl-net12 to acl-net12-new then I can ping my router on the external interface and the VPN is working fine.

I also have an ACL (set on the external interface) which allows ping, but it seems that it is not working when acl-net12 is used in the crypto map. [code]


Cisco :: Connecting Back To Network Through External Interface?

Mar 4, 2013

I have an ASA 5505 configured with three VLANs: Inside, Outside, and DMZ. I am running an Exchange server on the Inside network and have configured NAT to allow connections to it from outside. This works fine. I can also happily connect to it using its internal address from the inside. In the DMZ I have set up a Linksys router to work as a guest wifi network. I configured the ASA to block any traffic from the DMZ to the internal network. This has been working fine for the last few weeks. Wireless users cannot access any internal resources, but can browse the internet etc.

My problem is that I want users to be able to connect to the wireless with smartphones, tablets etc.; if they do so, they can access the internet, but not get their email. From my (limited) understanding, the problem is that the IP address I am trying to connect to is the same IP that I am transmitting from. Is there any way to send the packets to the outside network and then loop them back to the Exchange server?


Cisco Firewall :: Allow One External IP To Use NAT On ASA 5510 Sec Plus

May 2, 2012

I keep struggling with Cisco ASA. How can I make a certain NAT (RDP, SSL or whatever) and secure it by allowing just one external client with a fixed internet IP to make use of this NAT?


Cisco :: 2800 Enable SNMP Discovery Through External Interface

May 28, 2012

I'm trying to add some 2800 series routers to our monitoring environment, but I can't get them discovered.
 
On the Mgmt Server I need to go through a "discovery" process to add the 2800 to the system. For this I target the internal interface (i) but the discovery fails. I'm assuming the packets are getting dropped on the outside interface (e). I know SNMP is set up correctly and works, as I had PRTG installed on a local box (p) for testing purposes.

The intention is to do the data gathering via a proxy agent (p), so enabling SNMP on the outside interface is not going to do me any good. What do I need to do to let those discovery packets pass through? At least temporarily?


Cisco Firewall :: ASA5510 Pairs - Changing External IP And Interface

Mar 27, 2011

We have 2 firewall (ASA5510) pairs. Each pair is configured for Active/Stdby mode.

Pair1: Internet browsing, Remote access VPN, Citrix access & L2L VPN access

For this pair, I need to move the 'outside' interface to Gig 1/3 and change the IP addresses (minimizing the downtime). [code] Remove the IP from the outside interface, add the new IP and enable monitoring of the outside interface?


Cisco VPN :: 5510 External IP Address Not Controlled

Aug 19, 2012

We have a strange issue for one of our customers that recently migrated to our internet service. They are trying to VPN to an external IP address not controlled by ourselves. The issue is only on one subnet and isolated to Macs; PCs in the same subnet also work fine. They were able to VPN from the Macs before they migrated to our INET solution. They previously used a Checkpoint FW for their outside NAT and firewall and now are using a failover pair of ASA 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination IPs from the correct subnets. All other subnets with Windows PCs can VPN out to the external IP without issue. The users in that subnet with the Macs can also browse the internet fine, so the routing and NAT overloading is also OK.

When they try to initiate a connection from the Macs I can see the connection/xlate coming in from a source port of UDP 4500/500 and also a destination of UDP 4500/500, instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other Macs using the same source ports at the same time to connect out? They are using the onboard Mac VPN client; he can't get the Cisco one working at the minute. [code]


Cisco Routers :: SRP547W - Can't Ping External Side Of ADSL Interface

Mar 2, 2013

I have installed a couple of SRP547Ws and can't ping the external side of the ADSL interface.

Is there an option to turn on "respond to ping", and also are you able to forward to an internal IP?


Cisco Firewall :: ISP Migration With ASA 5510 And External Router?

Nov 26, 2012

My company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router on which I plan on doing a route-map to handle which ISP the traffic should go to based on IP. My big concern is for the ASA 5510. Can I set up a second outside interface on the new IP range? Then migrate my VPN tunnels over one by one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.


Cisco Firewall :: 5510 - Can’t Access External IP From Within LAN

Oct 20, 2010

Basically we have different customers using the same 5510 firewall. We have created one sub-interface for every customer on the inside interface. There are different NAT rules for every customer, all using the same block of public IP addresses on the outside interface. They do not have access to each other's network, so I cannot make any exemption rules between two sub-interfaces. The problem for all our customers is that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A workaround is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub-interfaces for security reasons.


Cisco Firewall :: 5505 - Construct An Access List For Outside Interface Using External Address?

Sep 10, 2012

I'm configuring a 5505 for a remote office. Until they are assigned a static IP by the provider I will have to use the provider's DHCP address. How do I construct an access list for the outside interface using the external address if I don't know it yet? Is there a command that will insert the IP address into the access list once one is assigned?


Cisco VPN :: 5510 - Remote Access With / Without Split Tunneling Using External DNS

May 6, 2013

I've set up a remote access group for AnyConnect on a 5510 running 8.4.5. Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like Google or something). How do I get this to work? I'm assuming I need to do a NAT exemption, but I'm not sure how this would look, especially under 8.4.5.


Cisco Firewall :: ASA 5510 - Enable External Access To Server On DMZ

Apr 5, 2011

I've one appliance ASA 5510, v8.X and ASDM 6.X. Here you have my configuration:

interface Ethernet0/0
 description Link To WAN
 nameif outside
 security-level 0
 ip address 212.96.23.186 255.255.255.252
!
interface Ethernet0/1
 description Link to LAN(forefront)
 nameif inside
 security-level 100
 ip address 10.20.80.1 255.255.255.252
!
interface Ethernet0/2
 description Link to CoreSW (DMZ)
 nameif DMZ
 security-level 50
 ip address 10.70.70.254 255.255.255.0

I have one SSH server (10.70.70.10) on my DMZ.

I want to enable my external users, I mean outside users, to be able to access this server which is in my DMZ on this port (SSH).


Cisco Firewall :: ASA 5510 - Connecting To External IP Of Internal Server

Sep 25, 2012

I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up DNS doctoring for DNS lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external IP of another internal server. Where to look in the ASDM 6.4?


Cisco VPN :: Separate L2L VPN Tunnels On Multiple External ISP Interfaces With ASA 5510

Oct 18, 2012

Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP link, e.g. below:

LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer 1.1.1.1
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer 3.3.3.3
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1
crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254

Establishing the VPN tunnels in either direction when using ISP_1 works fine, in either direction, for remote access users and multiple L2L tunnels (only showing one as an example).

On ISP_2:
1. The peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on the 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3.
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly, either to return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).

Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient licenses etc.


Cisco Firewall :: ASA 5510 Preventing External SNMP Response

May 13, 2010

I have the following setup:
 
R--H1
|
F
|
H2
 
R: 3840
F: ASA 5510
H: Hosts 1 and 2
 
I am trying to get SNMP info from the router to H2, but snmpwalk errors with no response from the router. I can get info from H1, and neither interface on the router is preventing SNMP traffic from coming or going. Is there something that needs to be configured to allow SNMP traffic (originating from INSIDE) to reply? (Also note that there are no inspect maps blocking any SNMP versions.)


Cisco Firewall :: 5510 - How To Allow Access From LAN To Server Using External FQDN

Feb 20, 2012

I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com. I want my users INSIDE the company to be able to also get to url...; currently they cannot (nothing loads, looks to me as if the firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine, so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to the internal IP, but something is blocking this from the inside.

I have an ASA 5510. If you can just send me on the right path with theory I'll figure it out on my own; I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.


Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint firewalls with ASAs, and am running into the following NAT problem. On some of our Checkpoints, there are external NATs that are mapped to multiple internal hosts based on ports. Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue is that these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet), so I can't use dynamic PAT for this.


Cisco Firewall :: 5510 Security Plus To Terminate Client VPN Access For External Support Team

Aug 7, 2012

I have a customer that wants to purchase an ASA 5510 Security Plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy, which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangeably.
 
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
 
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
 
3. Does the CSC module provide any web proxy functionality?


Cisco VPN :: ASA 5510 L2L VPN On Backup Interface

Dec 9, 2012

I have an ASA 5510 running 8.4 with dual ISPs set up on 2 different interfaces: outside (primary), backup (backup). I also have a site-to-site VPN to another ASA in another city. The VPN is now set up on the outside interface and works fine. What I wanted to do is to make the VPN run over the backup interface only.

So, I modified the crypto map on the remote side to use the backup interface IP and created a tunnel-group for it. I then created a crypto map for the backup interface and enabled ikev1 on it. The default route is set to use the outside interface, so I created a static route that routes traffic bound for the outside interface on the remote side to the backup interface default gateway. I can get the tunnels to establish but no traffic is passing through them. I thought then that I needed a NAT for the tunnel traffic, so I created a NAT as well, but still no traffic passed. I tried the packet-tracer and it said the traffic was allowed, and from the show crypto ipsec sa command I can see the tunnel set up, but no traffic will go across it.


Cisco Firewall :: ASA 5510 - VPN From DMZ To Outside Interface

Mar 20, 2011

I have an ASA 5510. I am setting up a new DMZ zone for wireless and it will only have Internet access. What are the steps so that users on this new DMZ subnet can VPN into the Outside interface on the same ASA?


Cisco Firewall :: ASA 5510 - Web Interface And SSL VPN Pass Through?

Mar 1, 2011

I have trouble with a Cisco ASA 5510. I configured an SSL VPN with bookmarks to some applications. When the users access the Web Portal they have to log in twice: once to enter the SSL VPN and once to enter the application.

How can I bypass the double authentication?


Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I attached the complete config. In the earlier discussion, I cannot select reply. It looks like an ACL is denying it, but I am not sure which one or how to permit it.
 
sh run
: Saved
:
ASA Version 8.0(4)

[Code].....


Cisco Firewall :: Route To Same Interface On ASA 5510?

Sep 14, 2011

I would like to route traffic that is coming in and going out on the same interface on the ASA. I am using the inside interface with security-level 100. In this URL, [URL], the ASA is able to do that.


Cisco VPN :: Can't Ping Inside Interface Of 5510

Sep 19, 2012

I have recently installed an ASA5510 at a site in South Africa to connect via VPN to a site in the UK (ASA5520). The VPN comes up fine with the 5520 in the UK; however, I cannot connect to the inside interface over the VPN, but can access it from the internal LAN. All other hosts on the LAN are accessible over the VPN.
 
The 5510 also has another VPN to another site in SA and the 2nd site cannot ping the interface either.


Cisco Firewall :: SSH Access On Outside Interface On ASA 5510?

Oct 5, 2012

I need SSH access on my ASA outside interface and have added

ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22

but this is the log I get from the ASA:
 
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
 
Cisco Adaptive Security Appliance Software Version 8.2(5) Device Manager Version 6.4(5)


Cisco VPN :: IPSec VPN Connection From DMZ Interface ASA 5510?

Oct 11, 2011

I currently have an ASA 5510 set up with dual-homed ISPs and a remote access IPsec VPN set up to terminate at either interface. The first interface is named Outside and the second is simply called Outside-2. When outside the company (such as at home), the VPN client will connect on the Outside-2 interface and work normally. The problem is that while testing on our DMZ, the VPN client will not connect on the Outside-2 interface. It will try that interface, fail to connect and then connect to the backup Outside interface. This isn't a huge concern because it still connects, but if we were ever to get rid of one of those connections, it would be nice to reliably test from our DMZ.


Cisco Infrastructure :: Reconfigure ASA 5510 Outside Interface?

Aug 5, 2012

We recently upgraded our bandwidth and I have to change the IP address on our ASA 5510. I just want to make sure that I am doing it right. All I will need to do is open up the ASDM and under configuration go to interfaces and make the needed changes to the outside interface. Then under routing I will make the gateway IP change on the outside interface.


Cisco WAN :: Allow ICMP Traffic On ASA 5510 From LAN Interface To DMZ?

Jul 17, 2012

I want to allow ICMP traffic on the ASA 5510 from the LAN interface to the DMZ. I've permitted any traffic and added ICMP to the inspection list also, but there is still a problem. Below is the configuration. The image is asa822-k8.bin.

:
ASA Version 8.2(2)
!
hostname fw-01
names
!
interface Ethernet0/0

[code]....

Copyrights 2005-15 www.BigResource.com, All rights reserved