Cisco VPN :: Reverse Route Injection With ASA5505?
May 25, 2011
My network consists of a router and a ASA5505. The router has a serial connection back ot HQ. The ASA has a VPN connection back to HQ. I want the network traffic destined for HQ to travel over the VPN connection until that connection is no longer valid (down). I've been told that RRI is the way to go but cannot get it to work. I get one of my routes to show up in the router but that's it (and not as a static route). Also I don't want the routes to be injected if the VPN connection is down. But I do want the VPN connection to be the preferred connection.
We have two ASA5510's connected to two different ISP's and both able to initiate a site-site IPsec connection to a remote site. Depending on the state of the ISP's either ASA may initiate this VPN.We use Reverse Route Injection into OSPF for VPN clients and it works fine with the route being distributed when a client connects and disappearing when there are no clients.So we thought we'd try it for our site-site VPN's. Unfortunately when we enable Reverse Route Injection the routes are distributed regardless of whether the VPN is up or not, so if one ASA has initiated a VPN it's reverse route is distributed (which is what we want) but the other ASA also distributes a route for it's non-existent VPN. The result is that our gateway routers see two OSPF routes and can't ascertain which route is actually up.
Is there any way to distribute the route using Reverse Route Injection (or any other method) only when a site-site VPN is actually up? For various reasons we can't use BGP or other gateway routing protocols.Our ASA5510 are currently running IOS 8.2(1)
Have a solution with PFR with two master controller in hsrp mode and two active border controller, betwen the MC and the BR i'm running EIGRP. The two BR have BGP to the ISP but i have default router for the parent route. Same weeks ago i notice some problems in reaching to specific public ip addr. During the trobleshooting i found that the two border controller have dynamic-pbr applyed to the inside interfaces and one of the satement on the dynamic route-map is setting the next-hop for the destination public ip addr yhe inside interface on the two border routers. This way the traffic is looping betewn the two BR. It's possibel do disable the PIRO (PBR) and only to use static route injection betwen the MC and BR.
I want to know the return path between my IP and a server. I know that trace route gets some information about the hops from my IP to a server (for example www.google.com) but this info is about the forward path. But I want to know what is the path from the server to my PC, what is the reverse path (return path)? What are the middle hops? In other word, I want to know where is the forward and reverse path when I ping a server? I can find the forward path using trace route, but what about the return path?
customer's WAN solution, instead of buying routers, purchasing department bought ASA's (don't even get me started!). So I have 5 ASA 5505's for the branch offices and one 5510 for the Head Office. I am trying to get them to behave like routers and pass the traffic across. I set up a lab with a 5505 and the 5510 using an ethernet cable for both Outside interfaces since the WAN links are going to be MetroEthernet Layer 2 anyway.
I tried static routes, dynamic routing, I followed examples from other persons who did it and it doesn't work. I attached the configs here to show I have the default routes, specific static routes pointing the traffic out, any any rules configured as well. I cannot ping from the internal lan of the 5505 to the internal lan of the 5510.
i have cisco asa 5505 Security adaptive firewall. my inside network is 192.168.1.0 255.255.255.0 . i want to add static route another network i have that network id is 192.168.2.0 . 255.255.255.0.how i can add the route.
Got an ASA5505 Sec+ with ip 10.45.10.1 on inside interface. Firmware 8.3(1). Got another Cisco router (From my ISP) with ip 10.45.10.254 - This one creates an L2L tunnel - To the 10.45.20.0/24 net.
On the 5505 ive got "route inside 10.45.20.0 255.255.255.0 10.45.10.254 1", and trafic is being directed to 10.45.10.254 as it should.
I know cause I can ping everything one the 10.45.20.0/24 net - But thats it... Cant RDP, connect to fileshare... Nothing.
When i test a PC and set it to gateway 10.45.10.254 I can access everything on the remote network. Do I need some NAT command or an access-list? I've setup AnyConnect VPN on the ASA and I can connect to both networks without any problems.
I am trying to configure dual ISP on my ASA5505.I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic.The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router. [code]
I would hereby like to inform if it is possible to configure the Cisco ASA5505 firewall to route internet via an external VPN, while a laptop and smartphone connect to the firewall via Cisco AnyConnect VPN.
The configuration would result into: Laptop on public internet -> Cisco ASA5505 VPN -> External VPN (Unix server) -> internet.
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www access-list 101 deny tcp host 10.0.2.2 any access-list 101 permit tcp any any
route-map proxy-redirect permit 101 match ip address 101 set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
I have an internal DVR system that I am trying to share to the outside world. We recently put in an ASA5505 and I am having trouble getting the settings correct.I want to use an external IP to access the DVR system from anywhere and have my ASA5505 redirect the traffic to the internal IP address. I assume I need to use a NAT and a route policy however can not figure out how it would be.
I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.
I have 2 data centers conencted via WAN and each has their own Internet conenction. One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections. The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail.
So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet. That way it is routed back to the proper firewall. I am able to do this with the following code, but this code only works with a static one to one NAT. I am limited in public IP addresses, so I want to NAT on a per port basis. Each time I try to change the any any to a specific port, it fails.
I am currently trying to apply a reverse NAT on asa 8.2 and not sure how to do this. I have done this on asdm 6.2 for asa 8.3 but the options are not simiar on 8.2. Is there a CLI equivelant?
I am trying to Achieve the object below for any traffic coming from outside interface to the inside interface with any source address to destination 10.X.X.58 then translate it so that it become 192.X.X.X to address 192.X.X.58. This is so that communications can traverse internal network as the server is not ona DMZ.
I have done this on 8.3 (shown below) but do not know if it is possible for 8.2, I have tried replicating the same command on 8.2 but commands are not recognised.
nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
Should I just upgrade to 8.3? never done it before so not sure of the consequences.
After upgrade to 9.0.1 from 8.4 I have problems with reverse dns resolving, like this:
named[2679]: DNS format error from 193.0.9.1#53 resolving 82.64/27.195.26.72.in-addr.arpa/PTR for client 127.0.0.1#37124: question section mismatch: got 90.64.195.26.in-addr.arpa/IN/PTR
Only solution I found is to disable inspect dns, which is not very good.
i am on pc i want same outlook on mac no delete on main xp pro home office pc. would like to received and send email from new mac book pro: fully synced between both?
I'm new to working with the ASA 5505 ,VPN and reverse NAT.
The basic setup is as follows. I'm trying to setup a IPsec site to site tunnel with reverse nat on the remote side.
I have as the tunnel up and it passes traffic. I have setup reverse NAT for 172.x.x.1 to translated IP 216.x.2.101 my ASA also has an IP address of 216.x.2.102.
Any connection from 172.x.x.1 to 216.x.2.1 should appear to be comming from 216.x.2.101
When I ping or telnet from 216.116.86.1 to an open port on 216.x.2.101 I get the banner from 172.x.x.1, seems like it is working.
However in my setup I'm only given a singel IP that of the NAT address 216.x.2.101, so when I remove the IP address assigned to the inside interface 216.x.2.102. all conductivity is lost.
When I set the inside interface to 216.x.2.101 and I setup a static NAT rule for 172.x.x.1 to 216.x.2.101, I get a message that says all traffic will be redirected and I will be unable to connect to the ASA.
Once thats in place, and I make any connection from 216.x.2.1 to 216.x.2.101on any port I get a connection but then it's reset, I no longer get the telent banner I was expecting.
ASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.
1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?
2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s): DATA-BACKUP Name of interface Redundant1.10 DMZ Name of interface Redundant1.900 GUEST Name of interface Redundant1.990 HOSTING Name of interface Redundant1.100 Infrastruktur Name of interface Redundant1.20
I've got a 5520 running 8.4(1).I've setup a simple NAT: [code] Running wireshark on the outside of the ASA, I can see the packets going out fine (the source address has been translated). I can see the replies coming in from the 'net. But the replies don't get through the ASA to the internal host.What do I need to do to allow the reverse packets to get through the ASA back to the host ?
We have a router that was installed a few months ago which has the following version: 15.1(3)T
I am unable to reverse telnet to a new ASA firewall, however when I move the console to a second older router with an older version of code I am able to reverse telnet
Are there any known bugs, issues with version 15.1. I use the following command as normal: telnet x.x.x.x 2001
We have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example.
212.23.23.23 Port 25 -> 192.168.1.100 Port 25 212.23.23.23 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?
I have the need to do an outbound NAT redirection. So what I mean is this. I have a custom program that uses SSH to port 22 from a server inside the ASA firewall. This goes out to a server on the Internet over port 22. The ISP of the SSH server told me that they changed their SSH port from 22 to 2102. So instead of changing the custom code on the developed application on the server... I thought it would be easier to do a OUTBOUND NAT redirection for the ASA to see port 22 from the server and redirect it OUTBOUND to port 2102.
so for example:
The server is at 192.168.0.2 and it uses a program to initiate SSH traffic to 205.246.1.1. The server sends to port 22 but I need it automatically changed on the firewall to port 2201 at 205.246.1.1.
It is a Cisco ASA 5510. The server at 192.168.0.2 does have a fixed IP address on the outside with INBOUND NAT for things like port 25 (mail) traffic etc. Lets pretend that was at 64.18.23.60.
I have some legacy (read: old) audio equipment that used leased lines to run, no way to convert them to IP internally. They have x.21 and v.35 interfaces on them.
Is there a way i could use something like an old 2600 series router and run it in reverse, like just using them as a media converter to shove the v.35 over into IP land?
I'm not interested in buying newest latest greatest (these audio codecs are upwards of $5k a pop to replace, x2 for a complete link), i'm just curious if i can turn a WIC-1T into the interface for these boxes and do a direct route to another 2600 on the other end with the same configuration.
This would essentially turn the WIC portion into the local side and the ethernet into the WAN side.
I have Cisco VPN 3000 in main office which provides VPN tunnel to the remote site (PIX 506). In main office we have Domain Controller as well as DNS/DHCP servers.I ran into the issue where DNS reverse lookups are not working from main office to the remote computers:
ping remotecomputer.mydomain.org - works fine from main office and resolves to appropriate IP address ping -a IP address - from main office returns nothing.attdns.com
From the remote computers, both forward and reverse lookups are working fine.
i got my samsung galaxy s duos...i wanna connect my mobile to laptop for internet using wi fi and also i have mts data card so how to connect frm lap to my mobile for internet using mts data card.??
This may sound ignorant but I cannot get either of the antennas off my 615. They are listed as removable reverse SMA but they are so tight I am afraid of damaging it. This is my second 615 after not being able to get one of the antennas off the first. D-link said they should just unscrew but I cannot get either of them to budge. D-link support said the one I had first must have been manufactured wrong so I returned it to new egg and got a new one. Same issue. I need to have an external antenna on the unit.
Any work around to enable reverse NAT or similar functionality on the EA6500? I recently upgraded from a Dlink that did support reverse NAT to my internal devices through a dynamic dns service. Now I have to know the IP address for all the devices.
I have a new 877 that I am using for internet traffic for 3-4 internet only devices.I also have a clean network that i want to insure no cross contamination. However I plan on rolling this out to many sites, but for management I was hoping to set up a reverse telnet to the console port from our one of my clean switches. which should allow me to keep the units seperated and allow me to manage changes etc remotely. Unfortunatly there is no Aux port on the clean switch (3560). Is there still a way to acheive this? can i configure one of the ethernet ports to connect to the console of the 877?
Can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time.
I have a problem with a Site-to Site VPN connection between two ASA 5505 (ASA 8.2, ASDM 6.2). I have build the configuration on both devices [URL] . Under "Specifying Hosts and Networks / Remote Network" i use not the external ip of remote Site, i use the internal networks ( 10.0.1.0 and 10.0.2.0 ). I need connetion to two remote internal networks ( from 10.0.0.0 to 10.0.1.0 and 10.0.2.0 ). The Tunnel (Phase1 and Phase 2) comes up when i ping a host of the second (10.0.2.x) remote network, but a ping is not possible. Syslog says "Asymmetric NAT rules matched for forward and reverseflows; Connection for icmp src outside: 10.0.0.x dst dmz:10.0.1.x (type8, code 0) denied due to NAT reverse path failure ". On both Sites VPN connections with Cisco VPN Clients are possible.
I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5 Jul 05 2012 09:45:15 305013 monitoringsystem Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?
