Cisco VPN :: Forcing ASA 5510 To Follow Specific Route?
Apr 23, 2012
My setup has two firewalls to the internet, one is for all internal users who want to access the internet and the other is an ASA5510 acting as VPN terminaton to remote workers accessing using Anyconnect.
Each of the firewalls has a public interface on the same network (ex. 196.160.100.192/26).
We have a server with a public interface, and all traffic (internal and external) has to access via the public ip (again in the same network as above) and there are different profiles and access levels on that server depending if you are accessing from an internal IP or a public IP.
Well, when users are connected thrugh the VPN, although they have an internal IP address, as they are accessing the server on the public IP, the ASA sends the packets through its external interface (direct connected route) instead of sending it to the default internal gateway that is a "trusted" entry point on the server.
Any way to force the ASA to send that traffic to the internal default gateway instead of sending it to the external (direct connected) interface?
I have no access to the server (appliance under warranty) so I can't make any changes to it...
My setup has two firewalls to the internet, one is for all internal users who want to access the internet and the other is an ASA5510 acting as VPN terminaton to remote workers accessing using Anyconnect.Each of the firewalls has a public interface on the same network (ex. 196.160.100.192/26).We have a server with a public interface, and all traffic (internal and external) has to access via the public ip (again in the same network as above) and there are different profiles and access levels on that server depending if you are accessing from an internal IP or a public IP.Well, when users are connected thrugh the VPN, although they have an internal IP address, as they are accessing the server on the public IP, the ASA sends the packets through its external interface (direct connected route) instead of sending it to the default internal gateway that is a "trusted" entry point on the server.Any way to force the ASA to send that traffic to the internal default gateway instead of sending it to the external (direct connected) interface?
PS: I have no access to the server (appliance under warranty) so I can't make any changes to it...
When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1.
How do I get the replies from the 1811 to go back out the same interface from whence it entered ? I am sure the answer is policy-based routing, but not sure how to write the config.
I use a router RV082 with load balancing. My problem is when I try to access a specific site, I get the error message that my IP address changes and I can not use 2 ip address. I want to specify an ip range to always use the same WAN port.
We have a 5510 and I have a second ISP setup for a backup link. We have 4 ports connected to 4 different internal subnets. I want to force one of the ports to use the backup ISP link at all times. I'm having a little problem with where I need to make the changes in my ASA.
Interface "outside" is my main ISP Interface "building3" is my backup ISP.
I want to force the "Guest" network to use the "building3" link for all traffic. Here's a snippet of my config
I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.
In case customers buy IP transit(there is a BGP session between ISP and customer), they often ask for default route and for example prefixes from local internet-exchanges. What is the advantage to have default route + certain smaller(for example /17, /18 and /24) prefixes?
Is it possible to set up a domain specific DNS on an ASA 5510?The problem I am having is that while the site to site VPN is up the DNS servers on the main site are serving ip addresses for the remote site. Main site is on CBeyond and remote is on Time Warner so when doing an nslookup at the remote site it returns one IP address and when the remote site uses google DNS servers it returns another. The main difference being download speed (weird that it relates) as using main site DNS it was 3 hours and google DNS it took 10 minutes. I am looking for a way to serve DNS for the main site domains and for all public domains use google DNS or Time Warner DNS.
I have a client that is trying to use an ISP hosted web filtering and content management gateway, the ISP wants to use and L2L ISPEC VPN from the site to their gateway to control traffic. We got the tunnel up today with a test ACL for test client side devices to go down the tunnel, but they are blocking all traffic that isn't being scanned. The problem is they are on an ASA 5510 with 8.2.2. You cannot add tcp ports into the nonat ACL, it errors out when you try to apply the nat (inside) 0 access-list nonat statement. We can define ports to go down the VPN in the interesting traffic ACL with out issue, but there is no way to send just the web ports down the VPN, and allow other ports out the regular overflow interface NAT. I have been looking into 8.4 and seeing if it allows a policy NAT (twice NAT for the VPNs) to define a port on an IP range (IE: nat (inside,outside) source static WEBINSPECT WEBINSPECT destination static any any ) but define that as web ports only.I don't have a test ASA to use, but i'm guessing that l2l vpn will be by IP only and I can't define a port to tunnel.
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
I have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?
I do have one other question first. What's the effect of the crypto key zeroize rsa command, and then crypto key generate rsa modulus 1024 while I'm SSH'd to the ASA? Can I do it? Or do i need to be consoled in or connected a different way?
ASA 5510: ASA Version 8.4(1) asdm image disk0:/asdm-641.bin asdm history enable http server enable http 10.1.1.83 255.255.255.255 inside http 10.1.1.82 255.255.255.255 inside
Shouldn't that right there be enough to access ASDM from either host .82 or .83? Because I cannot. But if I add http 0.0.0.0 0.0.0.0 inside, then I of course can.
I got a Problem on a customer which is using a Failover ASA 5510 pair with SSM-CSC-10-K9 modules.The clients have to connect to a webserver where they are doing some calculations.If they prepare everything and want to calculate everything what takes a couple of time the session is after about 3 minutes timedout.My first idea was to set session specific timeouts which are a bit longer then the normal but this setting did not work. I created a policy which did not work for me. How to set connection specific timeout's? [code]
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
i have a Ipsec tunnel between a ASA 5510 (Uk) & a router (France) that seems to be going down a specific times during the day. I have attached the sys log as well.
I cannot seem to copy & paste the config onto here for some reason so i have attched the configs, Ipsec details & syslog details from the asa.
I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4. I added the new WAN using an other interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.ie. The default route goes via (newwan). Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incomming Remote Access Anyconnect VPNs are not working. I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside) but this is the point is goes wrong....
I can no longer ping the outside IP address from an external location. It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incomming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the Default Static route use the outside interface. Which puts all the internet traffic back on the original (outside) connection.
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
I have been endlessly searching around online, and trying things on the firewall, and cant seem to find an answer to this problem. Its probably something really simple right under my nose! I am using an ASA 5510, which currently has a few seperate site-to-site VPN connections configured, which connect to other Cisco devices on clients networks.
I work from home, so also connect to our network using Remote Access VPN (any connect) to connect to the network at the data centre.
Just to be clear, here is my amazingly drawn network diagram:
[[my house]]-------------- <any connect VPN>------------[[ASA 5510 / Data centre]]-----------<site-to-site>-----------------[[Client network]]
The problem I am having, is that I cannot connect directly from my house to the client network, I need to RDP into some server in the data center, then from there I can see the Clients network. Is there routing to be setup somewhere? between VPN's? Ive looked into the routing options on the firewall and cant seem to find anything that works. I've searched for this and cant find answers, even some sources saying its impossible.
I would like to route traffic that are coming in and going out to the same interface on ASA. I am using inside interface with security-level 100. In this URL, [URL], ASA is able to do that.
I have configured a remote access VPN on my Firewall ASA5510. Everything worked fine and I can successfully connect through the VPN. The problem is I cannot ping or connect to any of my internal network resources. I tried to add a new NAT route from outside to my internal servers using the defined pool but due to a new ASA version there are many changed I see in the NAT routes
I am having a strange requirement. actually I am not sure it is strange or not. I am having ASA5510 with 8.4 sw version. Currently one ISP is connected to it. It is working fine. We have some servers that are directly connected to internet using another ISP connection. These servers having public IP addresses configured on their LAN settings. I need to move these servers in to the DMZ zone.
When i connect it to the ASA's DMZ zone,servers will get internet through the first ISP that is already configured on ASA. But i need to NAT the DMZ servers with the IP address provided by the other ISP, which even not configured on ASA.
So what should i do? In short my requirement is
1) need to NAT the server with the IP address provided by another ISP
2) Also note that the default route is configured for the first ISP only in ASA
so Do i need to configure another default route? Do i need to make it with larger AD? So i do it will act as the secondary route only.
I need to make the ASA up and running for two ISP, and servers in the LAN should be able to NAT with the IPs of first ISP and ,the servers in the DMZ zone should be able to NAT with the public IP of the new ISP.
We have a ASA 5505 and a 5510, that we are using site to site.I need to traceroute from the 5505-5510.. From the outside interfaces.. Don't want to do this through the site-to-site.I have temporarily added a few acl on the outside interfaces.when i traceroute it only goes one hop.. Maybe thats the way it suppose to be? I need to know all the hops between the outside interfaces on the 5505 to the outside interface on the 5510.
I have an ASa 5510 and setup remote dial in users.
I wanted to use the windows 7 built in client and also the draytek site to site VPN options however when they connect VPN traffic will not work however when i use the cisco VPN client then everything works fine.
All the VPN's connect pretty quickly.In the syslog I a getting errors when i try and ping something: [code]
In the restructuration of my company network we install due ASA 5510 in failover for the management of internal network and DMZ. We configure the ASA in routed mode, we create the sub interface for server, client and dmz subnet and we connect the firewall ti the network. Everything works very good except the intervlan routin. If i try to send or receive a file in every protocol, ftp, http, smb o if i try to conne with rdp or vns to an host in a different vlan the connection goes very very slow. I particular a ftp connection between two host goes ti 15kb/s. I check all cable and port for some error on duplex ro speed, end all the uplink are 1gb and the single client connection 100Mb. I know that the main purpose of the ASA is not doing routing stuff but this behavior is very strange.
At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.
I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do
the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?
I've been tasked with breaking up a network that has run out of IP's, and have decided to use VLANs to accomplish this. I have to use an ASA5510 to accomplish all the routing between hosts in different VLANs.Port 48 is trunked to the ASA eth0/0 interface, with VLAN 99 and VLAN 20 tagging packets, VLAN 1 Untagged. Hosts hooked up to appropriate ports on Switch.
I am a complete newbie to Cisco equipment. So far I've been able to figure out how to do most of what I needed by using the ASDM but I have run into something that is a little more complicated that just opening a port. We currently have a connection to our remote site. This site has a T1 internet connection. Our connection is a site to site VPN with an ASA-5510 on this end and a ASA-5505 on the other.
We are upgrading this connection to a 75mbit hybrid microwave/fiber link. The provider is going to hand it off to us as an untagged VLAN. We made the decision to route all of the remote site's internet access through this location as to avoid having to split off part of the bandwidth of this link to dedicate to internet access.........
