Cisco VPN :: ASA5505 - Multiple Distinct Inside Subnets And VLANs?
Nov 17, 2011
The ASA device is going to be the gateway for multiple distinct inside IP subnets. We can have have a unique outside IP address to correspond to each inside IP subnet if needed, but we need some means for a VPN client or a site-to-site VPN to have acess to a pre-definied IP subnet (i.e. if customer A establishes a VPN connection, they have connectivity to IP subnet X; customer B establishes a VPN connection, they have connectivity to IP subnet Y, etc.).Currently, the two inside IP subnets are 10.10.0.0/16 and 10.20.0.0/16. We will be adding more.The problem we are facing is that we cannot reach the VLAN 201 from the ASA we believe this is because. I have setup two addresses on port 0/1 Vlan1, 10.10.20.2 and 10.20.20.1 as an alias. How can we make traffic for the 10.10.0.0/16 subnet untagged and traffic for the 10.20.0.0/16 subnet tagged for VLAN 201.
View 1 Replies
ADVERTISEMENT
Jun 23, 2011
NAT command on 8.4? I am trying to PAT multipule Inside subnets to an IP address. With the example I found I can only PAT one subnet. If I do it the way I have below, it will end up with the last subnet (3.3.3.0) stay in the config. What is the best way of doing it? I have about 20 inside subnets I need to PAT.
object network obj-Inside-sub1
subnet 1.1.1.0 255.255.255.0subnet 2.2.2.0 255.255.0.0subnet 3.3.3.0 255.255.0.0nat (inside,outside) dynamic 199.246.5.2
View 5 Replies
View Related
Apr 4, 2013
The network topology is like this. Router with DHCP_Server on it.
VLAN 10
VLAN 20
VLAN 30
My question is how to configure the router so that all devices on all 3 VLANS can obtain IP from the router. I've tried to enable proxy arp on all interfaces and create sub interfaces and trunk them to their appropriate vlans, but I can't specify the gateway on all trunked sub interfaces because I get a warning that addresses overlap. Then I tried to set access-group on all sub-interfaces and still doesn't work.
View 5 Replies
View Related
Jun 17, 2012
I'm trying to setup a VPN connection for the two PC's in the graphic below. I have the link between the two locations setup and secured, now I just working with the routing elements.what I need to add to the firewall config in order to get this to work? Here is what I have:
SITE A------access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2 access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0crypto map mpls_vpn 1 match address mpls_vpn_siteacrypto map mpls_vpn 1 set peer 172.168.199.2 crypto map mpls_vpn 1 set transform-set ESP-3DES-SHAcrypto map mpls_vpn interface MPLScrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
SITE B------access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1 access-list mpls_vpn_siteb extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0crypto map mpls_vpn 1 match address mpls_vpn_sitebcrypto map mpls_vpn 1 set peer 172.168.199.1 crypto map mpls_vpn 1 set transform-set ESP-3DES-SHAcrypto map mpls_vpn interface MPLScrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
do I need to specify a route between the two networks? What do I need to have for NAT statements?
View 10 Replies
View Related
Oct 28, 2011
I have been working on a configuration for single IP address (on outside ) of ASA5505.I am trying to utilize the outside address 192.168.0.249 to PAT/NAPT to 10 inside machines [code]
What I am not sure of (actually that could be considered all encompassing) is the mapped services/real services.Any constructive comments assistance?
View 5 Replies
View Related
Dec 4, 2012
You have to make 4 subnets for 4 VLANs, the router interface assigned to each VLAN is the LAST usable host on the subnet.so unless I'm really bad at networking the graph should be:
NET ID // HOSTS // BROADCAST ADDRESS // VLAN
192.168.0.0 // 192.168.0.1 - 192.168.0.62 // 192.168.0.63 // VLAN1
192.168.0.64 // 192.168.0.65 - 192.168.0.126 // 192.168.0.127 // VLAN2
192.168.0.128 // 192.168.0.129 - 192.168.0.190 // 192.168.0.191 // VLAN3
192.168.0.192 // 192.168.0.193 - 192.168.0.254 // 192.168.0.255 // VLAN4
So if I'd have to write down a single host configuration for VLAN2..I think it should be:
IP: 192.168.0.65
subnet mask: 255.255.255.192
default gateway: 192.168.0.126
Is this correct? I'm not sure whether the default gateway should be 192.168.0.255 (as would with normal subnets) or as I wrote down 192.168.0.126, this is the first time i've ever gotten assignments including VLANs and I havn't really gotten a solid explanation.
View 1 Replies
View Related
Oct 21, 2012
how i can configure a second ssid for guest access in our environment. this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time. My AP config is attached below.
Do i need to redesign the whole network to have a native vlan other nthan the data vlan? Does the access point need to be aware of the voice vlan? Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
View 1 Replies
View Related
Sep 18, 2012
My question is if I can configure 3 ssid, for 3 different VLAN and add the DHCP address from a WAP4410N AP, when you upgrade to the latest version of IOS I can have this functionality?
View 2 Replies
View Related
Mar 9, 2010
Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
View 5 Replies
View Related
Oct 1, 2012
I have a pair of Core VSS 6509E SUP 2T. Two different LANs, two diff. Subnets. larger LAN has been connected to the VSS pair usng normal SVI and Post-Channles (has lots of closets 3750 stacks) and no problem. Second LAN, two closets, stacked and connected to each other via Port channel and trunk + SVI interfaces. Now, I have SVI interfaces for both LANs on teh VSS pair and that is causing traffic from one LAN to jump over to the other VLAN and rightly so because the VSS pair see both subnets as directly connected subnets. I was wondring if I delete the SVI for the second LAN and only keep the L2 VLAN this will be resolved> The reason for the second LAN to connect to the VSs pair is only that It has to go through the VSS pair to get to the WAN router (both LANs will go out through this Same WAN router) but WAN router is not my concern at this time. I need to isolate these two LANs/subnets traffic so no one VLAM traffic jumps over the other.I have also thought about VRF but at this point I am not sure if teh 3750 stacks supports VRF and if it does how to implement VRF on the second and samller LAN to just allow it go through the VSS pair in order to get to the WAn router.
View 13 Replies
View Related
Jun 12, 2013
I have 2 sub nets within my office: 172.16.1.0/24 and 172.16.2.0/24. All devices on each subnet are wired independently from each other into the server closet. Previously each sub net had it's own switch in the closet to connect to that sub nets servers. We are replacing the 2 switches with a single Dell 2816 managed switch.
Is there a benefit to setting up the switch with 2 VLANs over just letting everything pass through the switch in un managed mode?
My only security concern is this: 1 sub net has access to the internet while the other does not. Does setting up 2 VLANs provide additional security by preventing 1 subnet from accessing the other? In other words, if a computer with internet access gets hacked will it being on one side of a VLAN prevent the hacker from accessing the other subnet?
View 1 Replies
View Related
Mar 2, 2012
I've currently got my ASA (5505) serving a /28 public subnet. I've ran out of IPs, so my DC has issued me an additional /24 subnet that they have routed to my ASA. What needs to be done on my ASA so be able to use these new addresses? I've been trying to search and not been able to find a good answer (some say I shouldn't have to do anything, everything else references NATing, which I currently don't do and would rather not do).The servers I assign these to, I'd like them to have the public ip assigned directly to them.
View 5 Replies
View Related
Aug 26, 2011
I am setting up my home lab to practice and play around.I have VMWARE ESXi environment with two workstations as my servers.I would like to setup two domains with two domain controllers but i want each domain to have its own subnet.So this is my setup. I have Cable modem from cablevision , thay connects to my router which is Apple Airport which acts as the DHCP server. DNS server and default gateway. The network on the router is 10.0.1.xThen i have two switches . One is a 5 port unmanaged switch that connects to the three physical desktops .Then i have a Cisco small business switch SG200-08 that connects to my ESX servers and NAS. Now currently all is good and working but like i said all my machines physical or virtual get an IP that is 10.0.1.x and they get all this from the router. And i think i can setup two domains with two domain controllers without an issue and they will all get an IP address of 10.0.1.x. This is all good but i want to have one domain on one subnet and other on another so for example one domain will have 10.0.1.x and other 10.0.2.x. I am just not sure what i need to to get this setup like this. I know my SG200-08 supports vlans and i am pretty sure on the apple router you can only have one subnet i think. So can i do this with my current setup by setting up a DHCP server with two scopes ?
View 3 Replies
View Related
Mar 26, 2013
I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and a iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1) but I can't ping across that interface from WAN or LAN side.
START CONFIGURATION
ASA Version 9.1(1)
!
hostname ASA5510
[Code].....
View 7 Replies
View Related
Jan 22, 2013
Here's what I want to do with my RV042: I have a bunch of devices, including a server, inside my network at 192.168.1.100
I've set up VPN using PPTP. It works, but if my clients have their own remote DHCP set up to 192.168.1.x, they can't get to the server. If their home DHCP is 10.x.x.x., everything works
I am considering changing my internal network to something obscure.
My server has two NICs. So I thought, I why not set one address up to 10.x.x.x But the two nets can't ping each other. I tried using "multiple subnet" on the RV042, setting up 10.1.1.1, but no luck.
View 1 Replies
View Related
Jan 24, 2013
I have a Windows 7 Pro Desktop with an on-board Ethernet and an Axis USB To Ethernet adapter. The on board Ethernet is configured as dhcp and obtain the address 10.162.146.123 with 255.255.255.0 subnet. The Axis USB to Ethernet adapter is static ip configuration with 10.38.25.37 and 255.0.0.0 as subnet. Under the adv settings I have also another ip 11.38.25.37 with 255.0.0.0 subnet. When the Axis is communicating 10.38.0.1 network I can not access the internet using the on board Ethernet 10.162.146.123. I have to disable either one of the cards to access one network at a time.
View 3 Replies
View Related
Aug 5, 2011
We have 4 RV 042 routers and cisco router at HQ, we have Site to Site VPN tunnels in between, All branch offices are connected to HQ via S2S VPN tunnels
10.10.1.0/ 24 HQ
10.10.2.0/24 Branch 1
10.10.3.0/24 Branch 2
10.10.4.0/24 Branch 3
10.10.5.0/24 Branch 4
now lets say i am branch 1, i can access 10.10.1.0/24 network but cant access 10.10.5.0/24 network, means i dont have branch to branch connection, it should be through HQ, means my RV042 at brnach should fwd all traffic to HQ for another branches also. Under VPN tunnel if i try to configure remote destination 10.10.0.0/21 its not allowing me it says network overlaping with local network, how i can sole it, I know how to do in cisco, we can permit those networks in access lists.
View 1 Replies
View Related
May 23, 2011
I have an existing pair of PIX 515E that has two interfaces. One connected to the public internet via my ISP and one internal.
I recently ran out of IP's and had the ISP route an additional block to public IP of my firewall. This isn't working for some reason and I'm trying to figure out why.
The "ip address outside XXX" command defines the outside address and I don't see any way to add a secondary sub net.
I tried just adding a rule to the firewall for one of the IP's in the new subnet, but I can't seem to get traffic to pass though the device.
View 1 Replies
View Related
Feb 20, 2012
Is it possible to have multiple public IP addresses that are from different subnets going through one router? I have been told that this is not possible with most routers and that I would have to spend a lot of money on a router to be able to do it. I am still not totally clear on what defines a subnet even after reading up on them. What I am trying to achieve:
-My office has 10 computers.
-All would be connected to one router.
-My internet service provider has provided me with 10 public IP addresses, that are all very varied (which I asked for)
View 3 Replies
View Related
Sep 16, 2012
I have a 5505 with Base license running ASA software v8.4(2) that has been working happily for a while with an inside and an outside VLAN.
The outside has a single statically configured public IP, and I have a number of static NAT rules to expose a few internal servers as well as Dynamic-NAT for all devices on inside to gain access to the Internet... the main bits of the config are below:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
[code]....
I now have a requirement to add a "dmz" VLAN for guests to have access to the Internet using a dedicated wireless AP, but not to any of the inside resources. As the ASA has a base license I have configured "no forward interface" to the inside vlan, which suits the purpose fine
interface Vlan12
description Used only for guests access to the Internet - no access to the corporate resources
no forward interface Vlan1
nameif guests
security-level 20
ip address 192.168.2.1 255.255.255.0
My problem is that when I try to add NATing from the dmz to the outside I get a:
ERROR: Address a.b.c.d overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
with either:
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic interface
[code]....
Having had a look at the ASA Configuration guides, all the examples I can see with several "internal" VLAN's being NAT'ed use one external IP per VLAN - is this a feature/restriction of the ASA software? Are there any workarounds? Or is the overlap in the error message really about the current NATing to the inside VLAN which is done on the "any" 0.0.0.0 subnet - would the following then work:
object network obj_any
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic a.b.c.d
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic a.b.c.d
View 5 Replies
View Related
Aug 16, 2011
We have Point to point T1 environment where 3 additional WAN sites get internet access through our RV042. When we setup load balancing we have problems with https traffic, so we setup protocol binding for https and everything worked great from the local LAN. When trying to access https content from the remote LAN across the WAN the sites failed and I see no option to add additional subnets to the protocol binding. Is there a command line feature that supports adding additional subnets for protocol binding or is the local LAN the only option?
View 7 Replies
View Related
Jan 4, 2013
I have setup 15 x RV180W's so far for a particular client.They have requested that we add a Corporate Wireless VLAN for their laptop users (not guests) and add a Special Use WiFi VLAN for a particular mobile platform that is being deployed (in this case we need 2 separate WiFi VLANs to ensure compliance).Also, none of the VLANs can talk to eachother and they have their own subnets.I have the Wireless and VLANs setup, no problem... but I am having an issue wiht the VPN settings.I have the wired network's subnet working fine. But I do not know how to add the subnets for both Wireless VLANs to the traffic selection.The IP schemes will not allow me to just select a large subnet... here are some examples:
Wired VLAN: 10.10.x.y
Corporate WiFi VLAN: 10.15.x.y
Special WiFi VLAN: 10.18.x.y
x is the octet that defines the physical unit location (unit 1 = .23, unit 2 = .24, etc...) y is the octet the host.Since they are not in a contiguous block, I cannot just use a larger subnet mask.I can add multiple traffic selection rules to the ASA5515 at HQ, so that side of the tunnel is perfect... I just don't know how to add the three VLANs to the RV180. Is it as simple as using commas or semicolons?
View 1 Replies
View Related
Jan 5, 2012
I am new to Cisco products. We have currently got a Netgear FVX538 running in front of a few servers. We currently have 2 ranges of IP addresses provided to us on 2 separate subnets. We configured the netgear box with the first IP addresses of each subnet as the IP address of each of the primary and secondary LANs. This then allowed us to set the gateway addresses of servers on the network to either of those 2 addresses, depending on it's range.
This all worked fine - except for the fact that the Netgear box is incredibly flakey, so we decided to get a Cisco box.
We have gone for the SA520, which I have been trying to configure this afternoon. Unfortunately I am now having concerns as to whether it is possible to configure 2 separate subnets internally on this box in the same way we have done with the netgear box. ie - classical routing, one incoming WAN interface with multiple subnets?
View 5 Replies
View Related
Jul 3, 2012
We have 2xASA5510. I have 2 Inside interfaces as INS_STAFF and INS_QUEST and two Outside interface OUT_STAFF and OUT_QUEST which is in sapareta ISP's. All interfaces is assinged to different vlans. now i want to nat INS_STAFF to OUT_STAFF and INS_QUEST to OUT_QUEST,because I'm having two default routes it gets impossible to do. Plus I want to make failover with my ASA's. I know that i can solve this problem with PBR on router.but I haven't it . make context's and separate each Inside and Outside alone?
View 1 Replies
View Related
Jun 29, 2012
I have a Cisco 2901 with the 4port gigabit ethernet switch module that I'm trying to get configured to have a seperate subnet for each port. So far I have it set up so each subnet is a vlan, then on each port I use the switchport access vlan command to tell it which subnet I want that port to be on. However, there is one port that I need to have 2 subnets on. The way I found to do that was to use switchport trunking on that port, but it doesn't seem to be working properly. how they would configure this? Right now I have vlan 101 as x.x.x.17/28 and vlan 103 as x.x.x.53/30. I think where I'm getting hung up is the proper association between the physical port and the vlan subnets.
View 5 Replies
View Related
Dec 20, 2010
We have a 6509 that was connected to 2 other locations(location A and B) and our local lan (location MAIN). We wanted to move the location A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall. The only problem I ran into is that before location A and B were on different interfaces so in the 6509 firewall the routes for traffic to our MAIN location was done by static routes.
I.E.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
[Code]....
because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work? Do I have to reconfigure my network and access-list? Do I need to add more ports between the 6509 and 3750? I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
I put 10.10.10.72 instead I should have put 10.94.10.72. the routed port is on a different subnet than the computer I'm trying to access.
View 4 Replies
View Related
Sep 16, 2012
I have an ASA which is managing internet access from mutiple VLANs configured on a 3560 switch. I want to be able to limit the 100MB internet connection on the ASA on a per subnet (VLAN) basis for the multiple subnets configured on the switch..
so for example
VLAN10 - 10.0.10.0 - limit to 5MB
VLAN20 - 10.0.20.0 - limit to 10MB
VLAN30 - 10.0.30.0 - limit to 3MB
View 7 Replies
View Related
Nov 27, 2011
We have RV 042 deployed for internet access/firewall purposes. Due to growing number for Wireless devices and also to separate WLAN traffic from wired devices, we have created a separate VLAN/IP Subnet for the wifi devices. We are having trouble accessing the internet from the WiFi VLAN/IP Subnet. Cisco 3750 is layer 2 and layer 3 device. We have VLAN 1 (10.10.10.0/255.255.255.0), all wired devices and RV 042 are part of VLAN 1. Connectivity to internet from VLAN 1 is good. VLAN 2 (192.168.1.0 / 255.255.255.0) was created for wifi devices, 3750 does the inter-vlan routing, I have enabled the multiple subnet feature on the RV 042 and added 192.168.1.2 / 24 to the subnet list, we still have issues accessing internet from vlan 2 devices.
As a workaround, I shutdown vlan 2 and added 192.168.1.0/24 as secondary address to the VLAN 1 interface on 3750 and i was able to access internet from 192.168.1.0/24 network with wifi devices also on vlan 1, we want wifi devices to be on separate vlan / ip subnet. Looking at the documentation for RV series routers, it talks about supporting multiple subnets access to internet by enabling multiple subnet feature but it doesn't seem to work.Are there restrictions on having multiple vlans?
View 4 Replies
View Related
Jul 8, 2011
I currently have an out of the box ASA5505 and need to change the internal interfact from 192.168.1.1 to 10.20.3.1 so it fits in with the rest of the network.Tried using the ASDM Startup wizard (via 192.168.1.1) and it just seems to hang on "delivering the commands to the device".
View 16 Replies
View Related
Nov 29, 2011
i have cisco asa 5505 Security adaptive firewall. my inside network is 192.168.1.0 255.255.255.0 . i want to add static route another network i have that network id is 192.168.2.0 . 255.255.255.0.how i can add the route.
View 9 Replies
View Related
May 8, 2013
I am very new to Cisco ASA and I am trying many days to implement the design below but still cannot get it done. The situation I am facing is
- a host (e.g. 192.168.5.10) under Inside interface can contact to outside without any problem.
- however a host outside (e.g. in VLAN1 or outside this network) cannot contact host under Inside interface. I am using PING test and always get Request Time Out. [code]
View 12 Replies
View Related
Nov 1, 2012
I have an ASA 5505 with 3 host license.I want to configure 2 outside interfaces and have inside interface. The outside interface going to a separate ISP.Will this work or do I need more licences?
View 3 Replies
View Related
May 8, 2011
Have a problem in config of my ASA5505 --> I can't access Internet from my new created vlan number 4 (Vlan4):
here my config:
ASA Version 8.4(1)
!
hostname FWWIB1
enable password OEIOH8Zv/vNvif8C encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
View 4 Replies
View Related
