Cisco VPN :: ASA 5520 SSL Using Different IP Than Public

Nov 6, 2012

I am trying to configure an SSL VPN on a Cisco ASA5520. Unfortunately, port 443 of the OUTSIDE interface of the ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me from using the public IP of the ASA as the Cisco VPN IP address for the webpage. I also don't want to use a different port, so as to keep life easy for the users. I have some public IPs available that I can use, so I wanted to use one of them instead of the ASA's OUTSIDE interface.


Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

I have an ASA 5520 8.4(1) set up as follows:
 
      public wan
          |
          |
       ASA-- public dmz
          |
          |
      private lan
 
I need to allow HTTPS traffic to a server in the DMZ that will have a routable IP address. Will just an ACL suffice? Which interface do I apply it to, WAN or DMZ? I don't need a NAT since the DMZ is a routable space?


Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have an ASA 5520 with Ver 8.2. The outside interface is directly connected to the ISP's router (TelePacific) and is assigned one of the public IPs: 198.24.210.226. There are two servers inside the network with the private IPs 192.168.1.20 for the DB Server and 192.168.1.91 for the Web Server. I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91. When I access the DB Server (198.24.210.226) it's working OK, but when I access the Web Server (198.24.210.227) there is no response at all. I checked the inside traffic; it did not even get into the firewall. Is this a problem with the ISP's router? How can we route all of our public IPs to the outside interface (198.24.210.226)?

interface GigabitEthernet0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
interface GigabitEthernet0/0
nameif outside
ip address 198.24.210.226

[Code].....


Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have an ASA 5520 with Version 8.2(5). The ISP gave me a block of public IPs (201.148.156.193/28). One valid IP (201.148.156.194) has the global NAT (all LAN users) and an FTP server, but I need IP 201.148.156.195 to be used for VCSe and IP 201.148.156.196 to be used for another FTP server.


Cisco VPN :: 5520 - Use Public IP As Local Encryption Network

Mar 5, 2012

We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA.  We have multiple VPNs on this firewall. 
 
The issue with the latest one is they require a Public IP as the Local Encryption Network.  I've seen this question a couple times while searching but never really a definitive answer.
 
Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient?  Or would this not work at all?
 
Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66.  Would using X1.X1.X1.64/28 as the local encryption network make the connection?  Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?
 
Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would work over command line).
 
Edit:  Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool.  And make that our Local Encrypted Network?  I think this might be it, but could it cause IP overlapping?  Our webserver is part of this and I'm worried about causing connection issues.


Cisco Firewall :: 5520 - Two Private To One Public Email NAT Going

Nov 8, 2011

How do I set up this NAT on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to NAT two DMZ mail servers to one public MX record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to NAT two private IPs to one public.


Cisco Firewall :: Changing ISP / Updating The Public IPs On ASA 5520

Jun 11, 2013

We have 2 x ASA 5520s in active/standby and we have a block of 30 public IPs that NAT to many servers etc., and we use it for our Corp VPN. We are changing ISPs soon and we will be getting a new block of public IPs. Where do I even start to plan the migration, and how? Can I overlap somehow and do a slow migration, or must I do it in one big swoop?


Cisco Firewall :: ASA 5520 / 8.6 Allow Publishing To Only One Range Of Public IP

Apr 19, 2013

Any confirmation that versions 8.6 and up don't allow publishing to more than one public range of IP addresses?
 
We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.
 
With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.


Cisco Firewall :: ASA 5520 - Second IP Range On Public Interface For NATing

Jul 9, 2012

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
 
I have seen an example of adding a static ARP on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have an L2 switch between the ISP router and the firewall, so using VLANs is not an option unless the ISP can be persuaded (highly unlikely) to add the secondary IPs as a sub interface with tagging. Anyway, if this was actioned then we would have a massive outage on our current IP range during the transition.


Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
 
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URLs. The number of websites is due to double very soon and we will need to use more of our public IPs. We can see that we will run out of public IPs very soon, especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites is required to use https and therefore each must have a certificate, which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data unencrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs. However, it is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers, especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
 
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).


Cisco VPN :: ASA Version 8.2(5) - Public-to-Public L2L / No Return Traffic?

Apr 2, 2013

One of our vendors requires using a public IP address to set up a site-to-site IPsec VPN. We only have one public IP address and that will be used for the VPN endpoint and for internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.

Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
!
hostname ciscoasa

[code]....


Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now Cisco wants to replace it with ASA-5520-K8.


Cisco :: Setup DMZ With All Public IPs

Apr 30, 2011

I'm trying to set up my DMZ so all my servers will have public IPs assigned to them. I'm currently trying to use two interfaces on each server, one with a private IP and one with a public IP. All my internal traffic will go over the private interfaces... this is working. However, I'm having a problem trying to get the public interfaces to work. Ultimately, these will be VM hosts and have VM guests on them; each guest will have its own public IP.


Cisco WAN :: Second Public IP On ASA 5510

Apr 7, 2013

My ASA 5510 is configured with a single PUBLICIP1 on the outside interface. All internal hosts 192.168.0.x are behind the ASA firewall and NATed to PUBLICIP1, including a few site-to-site VPN tunnels. This is also true for the DMZ. Now, I would like to add a second PUBLICIP2 to the ASA and map it to one internal host ONLY, e.g. 192.168.0.25. How can I do this without affecting the existing setup? Since my entire internal subnet 192.168.0.0/24 is NATed to the existing PUBLICIP1, how can I exclude just one host (192.168.0.25) and bind it to PUBLICIP2 for all ports?
 
This is what my current OUTSIDE interface looks like.
 
interface Ethernet0/0
duplex full
nameif OUTSIDE
security-level 0
ip address PUBLICIP1 255.255.255.224
!


How To Use More Than One Public IPs

Apr 23, 2012

We have a T1 connection at our office with a block of 5 IPs. The external interface is simply one RJ45 jack. Currently we have a home spec router connected to the external interface, and then a switch connected to the router. Certain ports are forwarded to our server in the home spec router for things like OWA, etc. I would like to start putting our other IPs to use. Is this usually done by having a switch connected to the external device and then having multiple routers connected to the switch? Or is it one router capable of VLANs, or is it something entirely different? Really, what I want to know is what the rest of the industry typically does to use their multiple IPs.


Cisco :: Cannot Access Internal To Dmz With Public Ip

Jan 4, 2013

I cannot access Internal network to DMZ with public IP, but I can access public servers in the DMZ from the External network.


Cisco :: Presenting Public IP To ASA Over OSPF?

Oct 29, 2012

I will be provided with a /29 public IP address range from my ISP. The idea is to run OSPF between the ISP and my ASAs over private IPs so the /29 is presented to the ASA. This is because I will be using 5 out of 6 available IPs on my ASA, so I cannot use them on the routers. I need to run HA in Active/Standby mode on the ASA, terminate site-to-site and remote access VPNs on the ASA, and use static NAT for kit in the DMZ network. I am trying to figure out how to present this public IP range on the ASA. Should I create two subinterfaces on the physical interface towards the OSPF area, assign a private IP address on one of them for OSPF and a public IP on the other, and then set up a failover on each subinterface?


Cisco :: Port Forwarding (NAT) With One Public IP?

Feb 11, 2012

command for port forwarding to a few applications (inside hosts) when you only have one Static IP (Public) which is used for many to one NAT (Overloading)? This is the config for the many to one NAT.

access-list 1 permit 172.16.0.0 0.0.255.255
ip nat inside source list 1 interface Dialer1 overload

What command is necessary to forward ports to certain applications?


Cisco :: Possible To Use 1 Private IP Through VPN And Same Mapped With Public IP?

Aug 25, 2011

Is it possible to use 1 private IP through VPN and the same private IP mapped with a public IP? For example, 192.168.0.1 is configured in the VPN tunnel. I'm able to SSH on both ends (VPN phase 1 and phase 2 get completed). But when I map 192.168.0.1 with some public IP, the problem starts. When I try SSH I see the public IP in my destination firewall logs. IPSEC: Received an ESP packet xx.xx.xx.xx "mapped public IP". The decapsulated inner packet doesn't match the negotiated policy in the SA, The packet specifies its destination as


Cisco :: Multiple Public Subnets On Asa

Mar 2, 2012

I've currently got my ASA (5505) serving a /28 public subnet. I've run out of IPs, so my DC has issued me an additional /24 subnet that they have routed to my ASA. What needs to be done on my ASA to be able to use these new addresses? I've been trying to search and have not been able to find a good answer (some say I shouldn't have to do anything, everything else references NATing, which I currently don't do and would rather not do). The servers I assign these to, I'd like them to have the public IP assigned directly to them.


Cisco :: Possible Public IP Can Be Automatically Routed To Another

Mar 20, 2013

Is it possible that a public IP can be automatically routed to another public IP? For example, I have two routers A and B. Router B has a LanB in the 10.0.0.0 network and the public IPs are in x.x.x.0 for internet access. Router A is located at a remote location and has a public IP in the y.y.y.0 network.


Cisco :: Cannot Ping Static Nat Public Ip In ASA 8.4(2)

Jun 27, 2012

I have set up a Cisco ASA 8.4 lab in GNS3 to understand the new NAT changes in ASA 8.4 because I'm new to ASA.

I have configured one of my internal web servers with static NAT to one public IP. I'm able to access the hosted webpage from static public IP 192.168.1.4, which means NAT is working fine. The problem I'm facing is that I'm not able to ping the mapped public IP 192.168.1.4 from a PC (IP 192.168.1.100) sitting on the outside interface, which is also connected to the same outside network, nor from the ASA console, but I'm able to ping the outside interface IP address, which is 192.168.1.3, from the PC (192.168.1.100) and from the ASA console.

This is my network topology:

Inside Network 192.168.72.0/24 outside Network 192.168.1.0
inside ip 192.168.72.2/24---------------ASA8.4-----------------------outside ip 192.168.1.3/24 (connected to ADSL router 192.168.1.1)

[Code]......


Cisco WAN :: Configuring 861 NAT With Multiple Public IPs

Jan 20, 2012

I've replaced my dead ASA5505 with an 861-K9. Our ISP provides a subnet of public addresses /29 (WAN side), for example 200.200.200.xxx /29, and we have 3 servers (LAN side), in the example 10.1.1.xxx /24. It is the same case as Johnatan's; the only difference is the public addresses. [URL] Everything is OK when NATing via the FE4 public address, but doing the same with other public IPs doesn't work.


Cisco WAN :: 877 - Find Out What Public IP Was Yesterday?

May 3, 2011

I have a Cisco 877 at home and need to find out what its public IP was yesterday. I turn it off at night and usually I get the same public IP based on my ISP's lease, but can't be sure. Is there any way I can check this?


Cisco Firewall :: 80 / 443 - How To NAT Public Address To DMZ

May 13, 2011

1. How do I NAT a public address to a DMZ address?

2. How do I open port 80/443 in the public to this address?


Cisco WAN :: ASA5505 - Getting Multiple Public IPs?

Sep 20, 2011

For a branch office we have an ASA5505 connected to the ISP with a DHCP-provided public IP "locked" to the local MAC. This works OK! Now the ISP may provide up to 5 public IPs (all DHCP assigned). Is it possible to configure 2-5 public interfaces in the ASA? As the IPs are DHCP assigned, there must be something (an interface) to request the address. Would this be possible, and if so, what license would be required? NAT routing on the inside should be possible as well.


Cisco VPN :: Public IP Address For ASA5505?

Sep 7, 2011

I have an ASA5505 that I need to allow IPsec and SSL VPNs through. The ASA is connecting to a BT Business ADSL router. What address should I be using on the ASA outside interface that will allow the ASA to be reachable from the Internet?


Cisco WAN :: Assigning A Public IP To A L3 Switch

Sep 17, 2012

Is it possible to assign an L3 switch port a public IP? How do you allow data from the Internet to the above port, if possible?


Cisco WAN :: How To Configure 857 As Public Gateway

May 25, 2012

I have a set of public IPs (/29) using ADSL2+. Is it possible to configure a Cisco 857 as a public gateway so I can assign public IPs to my computers? Before I upgraded to ADSL2+ I was using a Cisco 678; it can be configured as a public gateway without problem, but now I have to use ADSL2+ and can't use the Cisco 678 anymore.


Cisco Routers :: RV042G And Public IPs

Feb 6, 2013

I have an issue with routing public IPs on the RV042G.  I have been able to route the IP's in a couple of different ways, but there is always a nagging problem. 

I have a PPPoE Business Class account with 5 routable public IP's.  I would like to route the IPs and manage the private network using the RV042G. 
 
Here is what I have tried and the problem that arose:

1) I used 1:1 NAT and the servers responded with no issue. This would be a workable config however I use Kerberos for single sign-on for my clients. To use this security protocol and bind the clients to the server, I must use a public IP on the server machines. In this scenario however, everything else worked fine.

2) I then tried using the DMZ and putting the servers on the DMZ port with a public IP entered in the network config of the machine. That even worked fine and I was excited until I noticed that the servers were reporting the public IP assigned to the DMZ port as their IP when they sent mail. I then ran a test and that is the case. The servers - each with a public IP - are reporting the IP of the DMZ port. I can't have that because the mail servers need to announce a correct IP so the reverse lookup will match. Once again, a little gnat gets in the soup.


Cisco VPN :: Single ASA5510 - Two Public IPs For Web VPN

May 5, 2013

We have an asa5510 running as an SSL VPN gateway using one public IP address (e.g. 1.1.1.1) as the target IP address for the users.

Now we need to run a 2nd public IP address on the same asa5510 as target IP address for a different set of users, e.g. 2.2.2.2.

NAT is not working, secondary IP address is not possible, sub-interface is not the right way. Is this really not possible?


Cisco WAN :: 1921 - Cannot Ping Public IP

Aug 8, 2011

We have a Cisco 1921 router with two ADSL connections on it. Both ADSL public IP addresses are working fine; they both send and receive packets. We can ping both ADSL public IPs from inside, but we cannot ping both ADSL IPs from outside; it is sometimes with one IP and sometimes with another IP.


Cisco WAN :: 1841 / Use 1 NAT Public IP For Server?

Nov 9, 2012

I got 1 public IP for the router and 16 public IPs for NAT from the ISP. The router IP is in one range and the NAT IPs are in a different range. I want to use 1 NAT public IP for one of my Windows servers. I am using a Cisco 1841 router, on which I've configured the public IP provided by the ISP for the router.








Copyrights 2005-15 www.BigResource.com, All rights reserved