Cisco VPN :: ASA 5510 - Set Up Domain Specific DNS?
Feb 17, 2013
Is it possible to set up a domain specific DNS on an ASA 5510?The problem I am having is that while the site to site VPN is up the DNS servers on the main site are serving ip addresses for the remote site. Main site is on CBeyond and remote is on Time Warner so when doing an nslookup at the remote site it returns one IP address and when the remote site uses google DNS servers it returns another. The main difference being download speed (weird that it relates) as using main site DNS it was 3 hours and google DNS it took 10 minutes. I am looking for a way to serve DNS for the main site domains and for all public domains use google DNS or Time Warner DNS.
View 3 Replies
ADVERTISEMENT
May 21, 2013
I have RV042 router which is connected to the internet by both the wan ports and I want to use it as a load balancer so that both of my internet connections can be utilized evenly. But now I have an issue in this scenario as my remote application gets logout whenever the communicating IP address changes. Is there any way out so that I can specify the wan port used for a particular public IP address/domain name?
View 1 Replies
View Related
Dec 9, 2012
I have configured my ASA 5510 to establish an SSL VPN Tunnel.I am using the AnyConnect client 3.1. The authentication is made by Radius Server with OTP.All works well, I'd like to customize the AnyConnect client to remember the domain name that cames after the username in this way: xxxxxxx@my domain.com..Where xxxxxxx is the variable username inseted by the user, and the @mydomain.com is the constant part the remain still the same.
View 2 Replies
View Related
Apr 18, 2013
I have a client that is trying to use an ISP hosted web filtering and content management gateway, the ISP wants to use and L2L ISPEC VPN from the site to their gateway to control traffic. We got the tunnel up today with a test ACL for test client side devices to go down the tunnel, but they are blocking all traffic that isn't being scanned. The problem is they are on an ASA 5510 with 8.2.2. You cannot add tcp ports into the nonat ACL, it errors out when you try to apply the nat (inside) 0 access-list nonat statement. We can define ports to go down the VPN in the interesting traffic ACL with out issue, but there is no way to send just the web ports down the VPN, and allow other ports out the regular overflow interface NAT. I have been looking into 8.4 and seeing if it allows a policy NAT (twice NAT for the VPNs) to define a port on an IP range (IE: nat (inside,outside) source static WEBINSPECT WEBINSPECT destination static any any ) but define that as web ports only.I don't have a test ASA to use, but i'm guessing that l2l vpn will be by IP only and I can't define a port to tunnel.
View 8 Replies
View Related
May 14, 2013
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
View 1 Replies
View Related
May 13, 2011
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01 password DDD01
So, How can i manag tunel-groups with user?
View 3 Replies
View Related
Mar 16, 2013
I have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?
View 6 Replies
View Related
Jan 24, 2013
I do have one other question first. What's the effect of the crypto key zeroize rsa command, and then crypto key generate rsa modulus 1024 while I'm SSH'd to the ASA? Can I do it? Or do i need to be consoled in or connected a different way?
ASA 5510:
ASA Version 8.4(1)
asdm image disk0:/asdm-641.bin
asdm history enable
http server enable
http 10.1.1.83 255.255.255.255 inside
http 10.1.1.82 255.255.255.255 inside
Shouldn't that right there be enough to access ASDM from either host .82 or .83? Because I cannot. But if I add http 0.0.0.0 0.0.0.0 inside, then I of course can.
View 2 Replies
View Related
Aug 28, 2012
I got a Problem on a customer which is using a Failover ASA 5510 pair with SSM-CSC-10-K9 modules.The clients have to connect to a webserver where they are doing some calculations.If they prepare everything and want to calculate everything what takes a couple of time the session is after about 3 minutes timedout.My first idea was to set session specific timeouts which are a bit longer then the normal but this setting did not work. I created a policy which did not work for me. How to set connection specific timeout's? [code]
View 3 Replies
View Related
Jan 18, 2013
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
View 1 Replies
View Related
Jan 30, 2012
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
Did I need to call my ISP?
View 3 Replies
View Related
Dec 5, 2011
i have a Ipsec tunnel between a ASA 5510 (Uk) & a router (France) that seems to be going down a specific times during the day. I have attached the sys log as well.
I cannot seem to copy & paste the config onto here for some reason so i have attched the configs, Ipsec details & syslog details from the asa.
View 3 Replies
View Related
Mar 6, 2012
How to force traffic back out the same interface from whence it entered. Review the following topology.
Internet ---> ASA 5510 ---> Static IP1 ---> F3.1 ---> 1811 F0
|-------> Static IP2 ---> F3.2 ---> 1811 F5 ---> VLAN Int
ASA F3.1 10.1.254.9/30
ASA F3.2 10.1.254.13/30
1811 F0 10.1.254.10/30
1811 F5 10.254.1.14/30
When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1.
How do I get the replies from the 1811 to go back out the same interface from whence it entered ? I am sure the answer is policy-based routing, but not sure how to write the config.
View 1 Replies
View Related
Apr 23, 2012
My setup has two firewalls to the internet, one is for all internal users who want to access the internet and the other is an ASA5510 acting as VPN terminaton to remote workers accessing using Anyconnect.
Each of the firewalls has a public interface on the same network (ex. 196.160.100.192/26).
We have a server with a public interface, and all traffic (internal and external) has to access via the public ip (again in the same network as above) and there are different profiles and access levels on that server depending if you are accessing from an internal IP or a public IP.
Well, when users are connected thrugh the VPN, although they have an internal IP address, as they are accessing the server on the public IP, the ASA sends the packets through its external interface (direct connected route) instead of sending it to the default internal gateway that is a "trusted" entry point on the server.
Any way to force the ASA to send that traffic to the internal default gateway instead of sending it to the external (direct connected) interface?
I have no access to the server (appliance under warranty) so I can't make any changes to it...
View 1 Replies
View Related
Dec 6, 2012
We have a ASA5510 and I need to open port 22 for a speacific IP in our LAN outbound only.
View 15 Replies
View Related
Aug 12, 2012
I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4. I added the new WAN using an other interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.ie. The default route goes via (newwan). Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incomming Remote Access Anyconnect VPNs are not working. I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside) but this is the point is goes wrong....
I can no longer ping the outside IP address from an external location. It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incomming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the Default Static route use the outside interface. Which puts all the internet traffic back on the original (outside) connection.
View 6 Replies
View Related
Apr 19, 2010
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
View 12 Replies
View Related
Nov 7, 2012
I have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independant, but share the Internet connection, via the T1 line. On LAN2, I have another router that connects to the Internet, via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other Router, on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
View 7 Replies
View Related
Oct 25, 2011
I use a router RV082 with load balancing. My problem is when I try to access a specific site, I get the error message that my IP address changes and I can not use 2 ip address. I want to specify an ip range to always use the same WAN port.
View 2 Replies
View Related
May 24, 2011
ASA 5520 running 8.0.4
ASDM v.6.1
Need assistance understanding how in ASDM/Configuration/Site-to-Site VPN/Connection Profiles/ "Any Entry" I can specify that I only want to offer an IKE Proposal of pre-share-aes-256-sha?
The IKE Proposal field has a number of possible options including: pre-share-aes-256-md5, pre-share-3des-md5, pre-share-aes-256-sha, pre-share-aes-192-sha, pre-share-3des-md5, pre-share-aes-sha and pre-share-3des-sha.
I am able to pick a specific IPSec Proposal w/o issue but when I attempt to do the same for the IKE Proposal, and click OK the choice does not "stick" but rather returns to the entire list as defined above.
View 2 Replies
View Related
Jul 1, 2012
Is it possible to enable an absolute value rate limit using QOS on a HP ProCurve 5406 switch for a particular IP range on a specific port? Is there a way to configure our HP 5406 with an absolute rate limit on "WAN" port for that server's IP range? I would like to limit it to only being capable of sending 1Mbps worth of traffic over the head end at once.Everything in the documentation points towards priority queues, which as far as I can tell, isn't really what I want.Baring accomplishing this goal using rate limiting is there a better way to prevent our services from accidentally saturating this connection?i thimkong about somthing like that:
class ipv4 rate-limit-port-A1
match ip 10.136.0.0/16 any
exit
policy qos port-a1-ratelimit
class servers-to-be-slowed action rate-limit kbps 1000
exit
interface A1 service-policy port-a1-ratelimit inI'm not sure about this.
View 4 Replies
View Related
Dec 18, 2012
I have a Router 2801 with the run conf :
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp excluded-address 192.168.1.192 192.168.1.254
!
[code]....
I want to assign a specific IP to a specifig host by MAC .. for example i want the ip 192.168.1.10 to be assign to the host "client1" by mac.I've been creating a new dhcp pool static:
!
ip dhcp pool static
host 192.168.1.10 255.255.255.0
hardware-address xxxx.xxxx.xxxx
client-name client1
!
but the "client1" is still taking other ip.
View 10 Replies
View Related
Feb 16, 2012
We relocated several servers to our DMZ and, without a domain controller in the DMZ (we plan to put a RODC in the DMZ later when we mvoe to Windows Server 2008), i punch through the standard recommended TCP ports. ports 88,135, 389, 53, etc.) to the internal network located DC. I am double hopping to the DC (I hope thast doesn't matter) as the DMZ located web server communicates to another IP address in the same DMZ network and then I NAT that address to the internal IP address of the DC. Everything seems to be working for the servers we moved to the DMZ but i think i don't have all the necessary TCP/UDP ports punched through because we have found that logging into the DMZ servers is taking an extended amount of time, sitting on the “applying settings” screen. For 2-34 minutes. Also, we noticed that our applciations fols have to now add the fully qualified domain names when making calls to servers that just needed the domain name. When i open the access-list up completely without opening specific TCP/UDP ports, the issue is resolved.
View 4 Replies
View Related
Nov 8, 2012
I have a 891 router setup as the local DNS server and external lookups from connected devices (and the router cli) work fine. I'm having problems getting internal host lookups working though.
this is relevent part of the config, router ip address is 192.168.100.9:
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1
[Code]....
If I put rearswitch. (i.e. add a single full stop at the end of the hostname) it resolves fine. The same behaviour happens with other hosts defined with the ip host command. Is it possible to use local hostnames without a domain name or full stop?
View 1 Replies
View Related
Oct 10, 2012
I just wanted to know that can I install LMS 4.0 on a domain server.
View 1 Replies
View Related
Jan 18, 2012
l have a new ACS v 5.2 appliance and l´m trying to join to my domain, but l haven´t could, the acs shows me the Clock skew error, and l was checking some documents about it doesnt work. the acs have the same timezone and time that my domain, but the problem persist
View 7 Replies
View Related
Mar 22, 2012
I have a Active Directory user that cannot log onto any computer that's on my organizational domain. The error is "You cannot log on because the logon method you are using is not allowed on this computer"
View 5 Replies
View Related
Mar 27, 2012
How to add .scr screen saver from domain ( Group Policy)
View 1 Replies
View Related
Apr 4, 2012
I had to set up security connected directly to laptop but when I connect the WAP4410N to the domain network I can not access it using url...What can I do to access this box before I put in its final location, on top of the office. is there something that needs to be set for it to communicate inside the domain network?
View 3 Replies
View Related
May 28, 2013
I have a WLC 2504(code 7.0.235) installed and two AP 3502 (local mode). RADIUS Server is a IAS runnning on my AD server.
I had a domestic AP before Cisco solution, using the same RADIUS server and everything was ok. After migration Windows 7 domain clients and Apple devices connects without issue. However when I try to connect non-domain windows 7 clients into wireless network (802.1X) and got failure. Apple devices out of domain can connect, certificate pop-up appears and connection flows.
I check certificates and everything looks ok for me. I remove a windows 7 client from domain and test it too, an got the same error. Certificate are install on windows 7 clients.
Could Cisco controller interfering in this authentication process ?
View 1 Replies
View Related
Feb 3, 2013
I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
View 5 Replies
View Related
Dec 12, 2011
this is what happens when I try to join an acs 5.3 to the domain. On two other acs appliances, it works.
View 1 Replies
View Related
May 28, 2012
Currently we are having a 2 ISP for Internet. Need to achieve redundancy for IPSEC VPN using the domain.
Requirement :Will configure a domain and assign two public IP address from 2 service providers. Will set the priority for the public ip address and do the manual change during the ISP failure.We will provide the domain name to the clients to setup the IPSEC VPN.So incase of failure by one ISP, we will change the priority in the domain to point to the availble address.So that we can reduce the downtime and no need of configuring new IPSEC VPN tunnels.
Question :Whether we can achieve this in Cisco ASA 5520.Or do we have an alternate solution to overceome this solution.
View 1 Replies
View Related