Cisco VPN :: ASA5510 - Same Subnet On All VPN Endpoints?

Jul 6, 2011

Is it possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel? I have to create 18 ASA5505 tunnels back to one ASA5510. Instead of having 18 subnets out there it sounds more efficient for my application just to have one. Sort of a CLOUD (there's that word) arrangement.


Cisco VPN :: Need Two Vpn Tunnels From One ASA5510 To Two Customer Endpoints

Jan 15, 2013

I need two vpn tunnels from one ASA5510 to two customer endpoints but with the same host on the remote side, the two tunnels are for redundancy reasons. Can I just configure two tunnels with the same host on the remote side and assume the ASA will understand to just use one of the tunnels when both active or the one left when one is down? Or do I need extra configuration for that.


Cisco WAN :: ASA5510 VRF-Lite Two Customers Same Subnet

Apr 6, 2012

We want to deploy a NMS (Network Monitoring System), in this case SolarWinds, to monitor devices we have deployed at the customer site. We will make an IP VPN connection (ASA5510 with Cisco 800's) to the customer site. We have one primary NMS installation running in our datacenter. This NMS has to have a connection to all customer sites. We run into a problem when two customers use the same subnet. We want to use VRF-Lite to solve this problem but I am stuck in my design.
 
I have attached "VRF.jpg" to show the (basic) design I have made. The connection from customer to the router in the datacenter is not a problem. We can put the fa0.1 and vpn interface in the same VRF group. Via one physical cable we will go from router to NMS in which the NMS has multiple virtual interfaces. The datacenter router will route between the 192.168.x.x (NMS) and 10.1.1.x (Customer). What I can't seem to comprehend is how the NMS can decide how to get to Customer 1 or Customer 2. The customer can reach the NMS one-way but the NMS has no way to reply back because if it replies to 10.1.1.1 it can either use interface fa0.1 or interface fa0.2.


Cisco Firewall :: ASA5510 Statically Routed Subnet Confusion

Feb 14, 2013

This question is in the context of servers sitting in a colocation environment behind an ASA5510 with security plus license. Our colo provider is going to be statically routing a /28 public subnet to our ASA5510 (say 1.1.1.0/28). We will also be getting a single IP (say 2.2.2.2/30) on a small router-to-router subnet (2.2.2.0/30) to which the 1.1.1.0/28 subnet will be statically routed to our ASA5510 from our colo provider. I will obviously set the outside interface of the ASA to be 2.2.2.2/30 so that the colo provider can route the 1.1.1.0/28 subnet to it. I will also set a default route to 2.2.2.1 which is the IP of our colo provider's gateway (and the router that will be statically routing the 1.1.1.0/28 subnet to us).
 
We have various servers in the same rack as the ASA (connected via a 3750G switch). Some of these servers need to be exposed to the internet (web, email, etc servers) and some do not (database servers). I'm considering 2 different ways of designing the network but I have questions about both and not sure which way to go:
 
1) Scenario #1: Using NAT and private IP's for all servers. In this scenario where/how do I assign the internal network (say 10.1.1.0/24) and the public routed subnet (1.1.1.0/28)? I assume the internal 10.1.1.0/24 is an inside network assigned to the interface connected to the 3750G (to which all the servers connect). However, where do I assign the public routed subnet (1.1.1.0/28) since it is somewhat "nebulous" in that it has to reside somewhere on the ASA so that it can then NAT to the internal (10.1.1.0/24) IP's. Also, is it considered an outside or inside network - and on which interface? My confusion is that if it's added to the outside interface then won't that conflict with the 2.2.2.2 IP to which the colo provider is routing our 1.1.1.0/28 subnet to? And if it's on the inside interface connected to the 3750G then won't that conflict with the 10.1.1.0/24 private IP range of the servers?
 
2) Scenario #2: Using public IP's for all servers: This scenario seems more straightforward to me: I would want to assign IP's from the statically routed subnet (1.1.1.0/28) to my servers so that range would be configured as an inside network on the interface connected to the 3750G (to which all the servers connect). This would be configured on a specific VLAN (say vlan 50). I would then have another VLAN (say VLAN 100) on the 3750G that has a private IP range (say 10.1.1.0/24) so that non-public servers (database, etc) would reside on there. All public servers that need access to private servers would have a NIC on both VLANS (50 + 100). My question is: is this the correct way of approaching this? I also like this because I don't have to worry about NAT and the ASA can act as a router/firewall and things are clear in terms of what's happening.
 
Ultimately I'm not sure which is the best way to go in terms of having all servers on a private IP range and just NAT to them (as per scenario 1), or implement scenario 2 where servers have two interfaces. The main thing that's bugging me from scenario 1 is I'm not sure where/how to assign the statically routed subnet (1.1.1.0/28) on the ASA? (inside? outside? which interface?).


Cisco - ASA5510 Port - Allowing RDP From One Subnet To Those Protected By Firewall

Aug 7, 2011

I am using an ASA5510 for internal firewalling in my QA environment. How do I allow RDP from one subnet to those protected by the firewall? Preferably using the ASDM.


Cisco VPN :: ASA 5520 - Configure VPN To Dual Remote Endpoints

Dec 13, 2011

Not sure if my subject is a good description of the problem or not.
 
I have an ASA 5520 at my home office and a SonicWALL NSA2400 at my remote office. The remote office has dual internet connections and I wanted to create two separate VPNs between the devices using each internet connection on the SonicWALL.
 
I know how to configure this on the SonicWALL, the problem is on the ASA 5520
 
OK Basic network config
 
Main Office

ASA Public IP 1.1.1.1

ASA Internal network 192.168.1.0 (VPN source)
 
Remote office

Public IP 1     2.2.2.2

Public IP 2     3.3.3.3

Internal network 192.168.2.0 (VPN destination on ASA)
 
If I have a VPN from the main ASA to either one of the SonicWALL's public IPs everything works fine.

If I create 2 VPN tunnels from the main ASA, 1 to each public IP on the SonicWALL, the VPN shows as up but no traffic flows.


How To Give Endpoints On A SOHO Router Network Public IPs

Mar 7, 2011

how I can give endpoints on a SOHO router network Public IPs so I can access an Electronic Whiteboard over the Internet. Do I need to purchase more than one Public IP or is there something I can do with subnet masking?


Adding A Subnet To A Switch On Different Subnet?

Aug 3, 2012

What I am trying to do is I have one switch with say a 10.1.9.1 sub-net I need to have one of the ports to be trunked with two vlans one for DSL and the other for a local connection with the sub-net of 10.1.5.1 both of the sub-nets are configured in the core as 9 and 5 so I have port 0 set up as a trunk and it is set up as ge-0/0/0.0 vlan_5, vlan_192 on the 10.1.9.1 subnet switch. The DSL is working but the local is not pulling a 10.1.5.1 IP and has no connectivity. Everything looks as if it is configured correctly but still the DSL is working but not the Local connection.


Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found the differences are port related and redundancy. My question is: are there any major differences in security services between the two models?


How To Subnet Within A Subnet

May 11, 2011

I'm doing a project for my networking class and I need to know how to do subnetting within a subnet. It's a network with three routers, each of them being on their own subnet, but there are multiple departments for a store that each will have their own subnet (sales, management, warehouse, etc.) within the network subnet.


Cisco VPN :: ASA 5505 - SSL VPN To Lan Subnet

Oct 21, 2012

I'm not sure if this is a possible config, but I have an ASA that I need to be able to SSL VPN to, and get an IP Address that is on the same subnet as my internal interface. The reason is, the person connecting in has a utility that does a broadcast on the internal network to discover the devices he is trying to connect to. Therefore, connecting over VPN and getting put on a different subnet won't work. In this case, I am going to start the ASA configuration from scratch. If it's possible to do the above, what are the correct commands to configure it? I was planning to use 10.50.0.1/24 for the internal interface, and then hand out IP Addresses on that subnet to both the LAN and the VPN. This is an ASA 5505. It's on IOS 8.4.


Cisco :: Subnet Broadcast Addresses?

Oct 8, 2012

Why do we need them? Could we leave the LAN with a subnet broadcast packet (for instance with an address of 192.168.1.255 /24). Are those addresses used for something?


Cisco :: Routing Between Wireless And LAN Subnet

Oct 27, 2012

I have a Cisco 877w and I've set up two SSIDs on it, each with different VLANs (I intend to use the zone based firewall to lock down the guest zone later).

I've made a quick diagram of my network. It's a single server with 2 NICs, one for the internal LAN and another for the external network (direct connection to the router). The server hosts 3 virtualized servers with the external NIC only shared with the TMG 2010 server.

So my problem is that when I connect to the 10.0.1.1 network as 10.0.1.2 I can only ping the internal network; however, the internal network is incapable of responding (pinging back), giving destination host unreachable. I know I need some kind of routing but I'm not sure where to apply it: on the TMG server with the next hop as 10.0.0.10, or on the router.

The guest wifi is intended to bypass the network firewall and not allow access to the internal network. I've enabled ip routing on the cisco router and attached the config below.


Cisco :: Assigning A Subnet To A Network LAN

Nov 7, 2012

I am doing Activity 6-1: Basic VLSM Calculation and Addressing Design (6.4.1) in the CCNA book. The lab can be seen here: (mellowd - link removed) I've done the topology and assigned the addresses appropriately as shown in the first table. My question is on Task 2 Step 2. "Assign the first available subnet to HQ LAN1."


Cisco EPC-3825 / WAN Conflicts With LAN Subnet?

Nov 11, 2011

LAN subnet conflicts with WAN subnet. My router is d-link 825 and my cable modem is Cisco EPC-3825. Op system is W7. Everything worked great with an older cable modem (Cisco 3000).


Cisco Routers :: Set Up 2 Subnet With Two RV042?

Apr 30, 2012

I'm trying to set up 2 subnets with two RV042 routers. One router will act as a gateway and both WAN ports will be used by two different ISP connections. The first router (gateway) LAN IP will be 192.168.0.1/24. I would also like to set up another router behind the gateway with a separate subnet 192.168.1.X/24. And I would like clients on the 192.168.1.x subnet to use the internet through the gateway router and clients on the 192.168.0.x subnet to access resources on the 192.168.1.x subnet. Am I able to do this with two RV042?


Best Subnet For Wireless Lan?

Jun 30, 2011

Best subnet for wireless lan


Cisco :: ASA 5505 SSL VPN Can't Reach Inside From VPN Subnet

Jul 7, 2012

I've set up an SSL VPN to an ASA 5505 and can connect.

VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.

I am trying to RDP to a win server on the inside network but I can't get to it. Cannot even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...

I added an ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...

New at VPN and have survived so far on Cisco docs but this problem is evading me.

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa

[Code]....


Cisco :: Multiple VLANs Inside The Same Subnet?

Apr 4, 2013

The network topology is like this. Router with DHCP_Server on it.

VLAN 10
VLAN 20
VLAN 30

My question is how to configure the router so that all devices on all 3 VLANS can obtain IP from the router. I've tried to enable proxy arp on all interfaces and create sub interfaces and trunk them to their appropriate vlans, but I can't specify the gateway on all trunked sub interfaces because I get a warning that addresses overlap. Then I tried to set access-group on all sub-interfaces and still doesn't work.


Cisco :: Calculate Subnet Mask For Router?

Jul 13, 2012

I want to calculate the subnet masks for 3 routers, each one in a separate building. The first building needs 60 hosts, the second building 25 hosts, and the last one 25 hosts.

Knowing that the company currently reserved public class C network address 210.2.1.0/24 for internal address and subnet 210.15.10.0/30 for the connection to the Internet router.


Cisco Routers :: RV082 LAN Subnet Mask

Nov 12, 2012

I would like to set the subnet mask of the LAN to 255.255.240.0 but the selection menu does not allow me to do it.


Cisco Switches :: SG300 Not Reachable Beyond Subnet?

Feb 6, 2013

I'm trying to configure a SG300 to be reachable beyond its own subnet. Its IP address is configured by DHCP to 192.168.2.2/255.255.255.0. It is possible to ping the switch from the same subnet but not from outside. The switch is set to layer 2 mode. All routing should be done by the gateway.
 
Here's what I have checked so far:

- The default gateway and netmask are set correctly
- The gateway can ping the switch
- Hosts in the 192.168.2.0/24 subnet have connectivity to other networks through the gateway (i.e. gateway configured correctly)
- Administrative interface > IPv4 interface shows the correct ip address, netmask, and gateway (greyed out because it is assigned by DHCP)
- The switch can ping other hosts within the same network
 
Is there some kind of firewall setting that prohibits the switch to respond to ip packets from outside the subnet?


Cisco VPN :: RV042 - Cannot Access Resources With Same Subnet

Aug 19, 2011

I have an RV042 with the PPTP server configured, which is working because I can connect with my iPad and droid phones, however, I'm unable to access resources on the RV042 side (192.168.1.X) when my local network is the same ip scheme (192.168.1.x). It works fine when I'm on a different network like 3G or someone else's Wifi network (192.168.11.X).


Cisco Routers :: RV220W Can't Create 255.255.254.0 Subnet

Nov 8, 2012

I'm trying to setup this router with my IP range 192.168.100.1 to 192.168.101.254 but if I try to enter a subnet mask other than 255.255.255.0 I get the error - Invalid subnet mask. It should be 255 for given class of IP address at 255.255.xxx.0.
 
Every other device on my network allows that subnet mask, why not this router, it's stopping access from my 192.168.101.x devices.


Cisco VPN :: Change Subnet Of A PPTP VPN On RV220W?

Feb 2, 2012

How do I change the subnet of a PPTP VPN network on an RV220w?


Cisco Firewall :: ASA 5505 - Cannot Ping Any Of Subnet IPs

Sep 7, 2011

We want to use an ASA as a pure routing device. Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
 
We have defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port and made the Ethernet that acts as outside as a trunk, and defined it as the global routing.
 
We cannot ping any of the subnet IPs defined in the ASA from outside nor can we ping it from the internal IP addresses.
 
Configuration:
: Saved
:
ASA Version 8.2(1)

[Code].....


Cisco Routers :: How To Make Subnet With RV042

Jul 10, 2012

I have an RV042 router. I'm using only one Internet connection. I'm using an IP group like this 192.168.95.x, my DHCP setting uses 192.168.95.120 to 192.168.95.240, but at this time I have 245 workstations (maybe I will have 25 additional workstations) and sometimes I see an IP conflict message on my current workstations.
 
I had read about SUBNET like response about my problem, but I'm not sure about that and how to make subnet with my RV042.


Cisco VPN :: ASA 5505 SSL VPN Can't Reach Inside From Subnet?

Jul 6, 2012

I've set up an SSL VPN to an ASA 5505 and can connect.
 
VPN network 192.168.2.0 /24
Inside Network 192.168.1.0 /24
Outside is connected to Router.
 
I am trying to RDP to a win server on the inside network but I can't get to it. Cannot even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1... I can ping from the 192.168.1.0 net to 10.0.0.0 and 192.168.2.0 without issue but not the other way around... I added an ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...
 
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[code]....


Cisco WAN :: 1811 - NAT A Whole Subnet To Secondary Address?

Mar 23, 2012

I've got an 1811 router running 15.4 IOS and a cable modem with 5 static IP's attached to Fa0. I would like to dedicate one of those IP's to a dedicated internal subnet (10.0.30.0/24) but I am not sure how to accomplish this?
 
What would be the best method to accomplish this? Unsure of where to begin..


Cisco VPN :: ASA 5520 / Accessing A Subnet Via VPN Session?

Jul 23, 2012

I've got a remote site which is connected to the headquarters via VPN site to site IPsec tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via VPN client, I can't reach it. In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-DVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked access-list and network objects and it seems everything is ok.

local network: 10.30.0.0 0.0.0.0
remote network 10.31.0.0 0.0.0.0
 ASA
object-group network remote-network
network-object 172.16.27.0 255.255.255.0

[code]....


Cisco Routers :: SRP527W - Can Use For Routing Subnet Other Than NAT

Feb 12, 2012

I'm wanting to use the SRP527W (from Telstra) to route a block of assigned internet addresses (/29) over the WAN internet IP address. Is this possible on the 527W, or does it only do NAT routing?


Cisco Firewall :: ASA 5505 Cannot Ping From One Subnet To Another?

Aug 4, 2012

I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license.   I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching youtube videos, and endless google searching, and despite my best efforts I am still having an issue I can’t figure out.
 
I have a couple of subnets, that when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I’m not sure if it’s an access rule issue, NAT issue, or DNS issue.
 
Here is the network layout:
 
ASA: 192.168.0.2 (Primary Gateway)
192.168.0.0 (Primary facility, ASA is the gateway)
192.168.2.0 (Second facility, connected via Verizon point-to-point)
192.168.3.0 (Third facility, connected via Verizon point-to-point)

[Code].....


Cisco Routers :: RV042 Traffic From One VPN Subnet To Another

Dec 2, 2012

We connected two locations to the RV042 by setting up 2 Gateway-to-Gateway VPNs. Both locations can communicate with the RV042 and devices within the local LAN of the RV042; however, at the moment it is not possible to send traffic from the 1st VPN location to the 2nd VPN location.







