Cisco VPN :: Single ASA5510 - Two Public IPs For Web VPN

May 5, 2013

We have an asa5510 running as an SSL VPN gateway using one public IP address (e.g. 1.1.1.1) as the target IP address for the users.

Now we need to run a 2nd public IP address on the same asa5510 as target IP address for a different set of users, e.g. 2.2.2.2.

NAT is not working, secondary IP address is not possible, sub-interface is not the right way. Is this really not possible?

View 1 Replies



Cisco WAN :: 1941W-A/K9 / Static PAT / 2 Public IPs To Single Private One?

Apr 16, 2013

I have a customer who wants to do a static mapping in order to prevent any downtime for one of his public web servers. Any good example to follow? FYI, the edge device is:

CISCO1941W-A/K9 (configured as a zone based firewall)
C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(1)T

View 1 Replies View Related

Set Up A Public And Private Password On Single Router?

Jan 9, 2013

Is it possible to set up a public and private password on a single router so that the public connection can be disabled without having to turn off the private one?

I have some unruly housemates that like to try to take advantage, and I only have one Cat5 cable and that is already connected to a computer. I have 4 other devices that I use my wifi on and I want to be able to use them without letting my roomies use my connection, and only allow them to use the web during the day.

View 3 Replies View Related

Set DMZ With Multiple Devices On A Single Public Address?

Apr 9, 2013

I have an i-ball 150M wireless-N ADSL2+ router. In its NAT tab, I have activated DMZ at my static IP with a private address 192.168.1.224, so that that IP-enabled device can be accessed from anywhere in the public network. Using this single static IP, how do I configure two private-address devices in DMZ, so that both IP-enabled devices can be accessed from the public network?

View 3 Replies View Related

Cisco Firewall :: 5510 Single Outside Public / Can PAT Out And NAT SMTP Server Back

Jul 30, 2012

I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network. I would like...

1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server).
 
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
 
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8

View 1 Replies View Related

Cisco Firewall :: ASA5510 Adding New Public IP Block

Nov 1, 2012

My web server is out of public IPs. I requested more from my ISP and I got a different range with a different gateway. How do I handle the configuration on my Cisco ASA? Without any configuration changes to the firewall I saw the traffic hitting it and being blocked. I added an access rule to allow the traffic. I added a virtual interface on the ASA. I added a virtual interface on the web server. Using "Packet Tracer" the traffic flows from the outside interface to the new virtual interface. But I'm unable to access my web server and I don't see any traffic on that IP reaching the web server. Using Cisco ASA 5510.

View 8 Replies View Related

Cisco Firewall :: ASA5510 - Two Distinct Public IP Ranges On DMZ

Mar 6, 2013

I’ve been trying to figure out this for quite a while. I have a range of public IP addresses directly assigned on my dmz servers. The inside interface of ASA 5510 has one of those public IP addresses assigned (the default gateway for all dmz servers). Now I have a new range of public IPs that I also want to directly assign to new dmz servers. My goal is to have two distinct public IP ranges on dmz that should communicate between them. The inside ASA interface should be the default gateway for both networks.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Change Public IP Address On Outside Interface?

Mar 10, 2011

We have two Cisco ASA 5510 in failover configuration. We tried to change the public IP address on the Outside interface of the primary device but it didn't work. The new IP is not reachable from the Internet nor pingable from a device on the same LAN. The new IP address is in the same subnet as the old IP.

From the switch to which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and WebVPN defined. We tried also to shut/no shut the interface and reboot the device.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Additional Public IPs Added To Outside Interface

Jul 31, 2012

I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2.0/24, can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range?

i.e. existing config
route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP)
Interface outside ip address 1.1.1.1 255.255.255.0
 NAT 2.2.2.1 to 10.1.2.3

Or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside.
Or, put another way, I don't need to change my set-up as I just static route to my ISP!
 
My real public IP is a /27. Can I use my broadcast address (it's a legit public IP address)?

i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31
Outside interface = 1.2.3.1/27

Can I use 1.2.3.31 and NAT it to an internal server?

View 3 Replies View Related

Cisco Security :: ASA5510 - Single Timeout Drops Remote-Desktop Session

Oct 19, 2012

Just recently we replaced our HQ Cisco-Pix with a Cisco-ASA 5510, where we have many branches connecting to our HQ through site-to-site VPN. Since putting this new ASA5510 at HQ, while we have a Remote-Desktop session into our branch clients, when even a single TIMEOUT occurs on the VPN link the remote-desktop session gets completely lost, and then we have to re-connect the session. This issue happens, as I said above, when a single timeout occurs on the VPN link. What is the issue with the ASA5510? With the PIX we didn't have this issue; remote desktops were never getting lost / reset with a single timeout.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Single Timeouts Drops Remote-Desktop Session

Oct 17, 2012

Just recently we replaced our HQ Cisco-Pix with a Cisco-ASA 5510, where we have many branches connecting to our HQ through site-to-site VPN.

Since putting this new ASA5510 at HQ, while we have a Remote-Desktop session into our branch clients, when even a single TIMEOUT occurs on the VPN link the remote-desktop session gets completely lost, and then we have to re-connect the session.
 
This issue happens, as I said above, when a single timeout occurs on the VPN link. What is the issue with the ASA5510? With the PIX we didn't have this issue; remote desktops were never getting lost / reset with a single timeout.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Outlook Clients Disconnect From Public Exchange?

Apr 4, 2011

We have a setup where clients on the internal network send/receive their emails through the Microsoft Outlook client, while the Exchange server is hosted on the internet, outside the organization. The clients are connected to a Cisco switch, behind an ASA5510 Firewall. The Firewall is connected to an internet router, with double NAT (on the ASA and router).

The Outlook clients disconnect from the Exchange server, sometimes for hours, and then reconnect again. During these disconnections, the same client PCs are able to browse the internet normally. There are no restrictions for the traffic going from the inside to the outside. During the disconnections, if we try to connect using a public IP bypassing the ASA & router,.

View 1 Replies View Related

Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]

View 11 Replies View Related

Cisco Firewall :: ASA5510 Single Mode / Move To Multi Context Mode

Sep 16, 2012

I have an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. Now the customer would like to add another ISP uplink, without investing in another box for HA. What comes to mind is to make the current box multi-context. There are some areas I am concerned about, and I would also like your perspective on them.
 
Question 1: To make the firewall multi-context, do I need to do it from scratch: issue the mode multiple command, then rebuild the current production config into one of the contexts, then another context meant for the new ISP uplink, and one admin context?
 
Question 2: For the CSC-SSM licensing requirement, the ASA 5510 with Security Plus license is able to support 2 contexts. So if I split my firewall as mentioned in the question above, exactly how many contexts do I own (admin, context A, context B)?
 
Question 3: For the CSC-SSM module in multi-context mode, must the management port of the CSC SSM be attached to the admin context?
 
Question 4: After configuring all the policy and traffic to scan, what exactly should I do in order to apply this policy to the interface? Should I only enable it at the admin context, then firewall service-policy rules, and apply it globally, OR should I also do the same on context A and context B?

View 3 Replies View Related

Cisco VPN :: ASA Version 8.2(5) - Public-to-Public L2L / No Return Traffic?

Apr 2, 2013

One of our vendors requires using a public IP address to set up a site-to-site IPsec VPN. We only have one public IP address and that will be used for the VPN endpoint and for internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.

Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
!
hostname ciscoasa

[code]....

View 4 Replies View Related

Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

I have an ASA 5520 8.4(1) set up as follows:
 
      public wan
          |
          |
       ASA-- public dmz
          |
          |
      private lan
 
I need to allow HTTPS traffic to a server in the DMZ that will have a routable IP address. Will just an ACL suffice? Which interface do I apply it to, WAN or DMZ? I don't need a NAT since the DMZ is a routable space?

View 6 Replies View Related

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found differences related to ports and redundancy. My question is: is there any major difference in security services between the two models?

View 3 Replies View Related

Cisco :: STP With Switches Linked By Single Hub?

Sep 28, 2012

Question: how would STP or RSTP behave in a star topology with a hub in the middle? I.e. you have four switches all linked to the same central hub. Single links, no loops. Each switch would then get BPDUs from everybody.

Going by theory, it should be OK since it still sees the root's BPDU and will see the link to the hub as the root port, despite presence of other BPDUs from other switches? No different from receiving an inferior BPDU from an upstream switch and a superior BPDU from a further upstream root switch. I guess I could lab it by turning off spanning tree on a switch to simulate a hub? I've never previously had to deal with STP issues where there are hubs that aren't strictly point to point bridging so to speak (OK, they're not bridging, but you get the drift).

I've got a scenario I'm examining at the moment where this is the topology, except all switches have bpdufilter running, hence effectively no spanning tree. I'm curious to know what would happen should I remove the bpdufilter. I realise there is zero benefit in spanning tree in this instance as I don't have any redundant loops to fall back on, but I'm reluctant to turn off STP on those VLANs (since obviously there's stuff behind those switches). The BPDUfilter method seems like an elegant solution but I wonder if it's actually necessary. (The hub is actually a VPLS mesh; most sites terminate PE to CE router but I'm playing around with switches as the termination points – run our own Q in Q, split VLANs off before it gets to layer 3 as separation, etc.)

View 1 Replies View Related

Cisco Wireless :: RV110W - What Single POE Is Available

May 7, 2012

I have a client that requires a single router with POE for placement at an economical price. I was considering the Linksys WAPPOE12, but that is discontinued. What would work with that router?

View 2 Replies View Related

Cisco WAN :: How To Upgrade Single RP ASR 1006

Aug 7, 2012

We are trying to upgrade our ASR1006 with a single RP. We got a warning message: "superpackage install over superpackage not allowed on active RP"
 
How do we do the upgrade properly?

View 1 Replies View Related

Cisco WAN :: 1841 - Many NAT In A Single Router

Nov 11, 2012

I have got a Cisco 1841 router. I need to do many NATs. I have got a lot of virtual interfaces on this router. How many NAT inside and outside does it support? Can I do more than one NAT inside and outside on different virtual interfaces on the same single router?

View 2 Replies View Related

Cisco WAN :: 7609 - Redundancy To Single ISP

Dec 12, 2011

First and foremost, what I have are 2 x 7204VXR (Gateways), 1 x 4507R-E (Coreswitch), and our ISP has a 7609. Got some issues with redundancy with our ISP.
 
                                        7609
                                        I     I
                                        I     I
                               7204-A    7204-B
                                    |             |
                                    |    vrrp   |
                                    |             |
                                    -4507R-E-
                                          |
                                          |
                               internal network
 
Both outside interfaces of the 7204 gateways are connecting to the 7609 with different public IP blocks. I used VRRP for my internal network, and failover has been tested and is working.

Even tried to remove link of 7204-A and 7609, the failover works perfect. If I shutdown/ remove the link between my 4507R-E and 7204-A (primary gw_higher vrrp priority), vrrp redundancy/failover still works, but pings from internal network to internet is only 50% success....alternate 4 ping reply and 4 time out.

View 6 Replies View Related

Cisco VPN :: 881 W Limit VPN Traffic From Single IP

Jul 27, 2011

I have just set up a 881W appliance for a satellite office. At this time, we don't need a site to site vpn. However, I have EZVpn configured on it and working great so that I can connect from our main office for admin purposes. How can I setup up a firewall rule/policy in order for only our main office IP to connect to Ezvpn? I don't want to allow access to the VPN from any other IP other than our IP at our main office.

View 2 Replies View Related

Cisco WAN :: Can Use 1 Single IOS In All 3845 Router

Aug 16, 2011

Can I use 1 single IOS in all 3845 routers?
 
I have S384AESK9-124xx (T) version IOS in one of my 3845 routers. Can I copy the IOS and install it in my 4 x 3845 routers, as I require (T) version IOS to support the HWIC-2FE module?
 
Likewise, I have Cisco 1800 IOS - S184AESK9-124xx (T) and Cisco 2800 IOS - S28NAESK9-124xx (T) installed in my routers. Will there be any issues if I copy and use the same IOS in all my respective devices?

View 3 Replies View Related

Cisco LAN :: SA 500 - DMZ Over Single Uplink And Switches

Feb 7, 2013

I have an SA 500 with the optional port configured as the DMZ. The LAN ports are running the 192 range and the DMZ is the 172 range.
 
I have separate offices (a few hundred feet apart) that have been connected with 2 unmanaged switches uplinked with a single wire. The 192 range stuff runs over this. I need to get the DMZ out to the second room and was asking about how to do this over the single uplink and switches. (Trying not to run a second wire.)
 
My lack of understanding had me draw up this diagram, attached as a picture, to ask about. What it shows is me trying to get the DMZ through the uplinked switches to the other room. I thought of using 2 routers, one on each end. I've been told this is incorrect and won't work.
 
Maybe a purchase of a second hardware and eliminate the switches? (up link the SA 500 to another device?) What should that device be?   

View 19 Replies View Related

What All Can Cause A Single IP To Be Blocked

Aug 10, 2011

I can get to anywhere I want on the web except one IP, and I can't ping it either. What can cause this? (Security off)...

View 6 Replies View Related

Multiple IPs On A Single NIC?

Nov 9, 2011

I am trying to understand how we can have multiple IP addresses on a single NIC and what the restrictions on the same are. If I can have two IPs from two different networks present on a single NIC, then why would I ever get a new NIC?

Also, I want to understand the concept of virtual IP and how it fits into this picture.

View 6 Replies View Related

Configuring 2 Isp On A Single LAN?

Oct 30, 2012

I have a school running at the factory network and I was forced to find another ISP just for the school. How can I configure the router/VLAN to have the school in both factory network for exchange server and File server & and the second ISP just for internet.

View 1 Replies View Related

Single NIC For Wan Multiple For LAN?

Nov 2, 2012

I have an older DELL power edge 2800. Currently we have 2 NIC's one for the WAN one for the LAN. I wish to increase my users access speed. Can I team and or bond up to Four NIC's on the LAN side and leave the single NIC for the WAN? I am having trouble finding any info on the net for pulling this off. I have 67 users and throughput is getting a little rough.

View 1 Replies View Related

Cisco :: VPN Can't Ping Single Internal Address?

Feb 22, 2012

I'm running into a strange problem and can't seem to figure it out. I have an ASA running 8.2(1). I have an IPsec VPN set up and working great. I can ping hosts on the inside of the network and everything seems to be fine. However, there is one single IP address that I know for a fact is live, but I cannot ping it through the VPN. If I ping the address from the ASA I get a reply, if I ping the address from inside the network I get a reply, but if I ping when connected through the VPN, no reply.

View 4 Replies View Related

Cisco Switching/Routing :: DL 380 2 WAN Ips On A Single Server

Nov 13, 2012

I have a single DL 380 G5 server with 2 NICs. I have 2 applications which run on 2 separate WAN static IP addresses. My query is: can I install both applications on a single server? Secondly, can I assign 2 different WAN static IPs to the 2 NICs of the same server? If yes, then how will it be done, i.e. will a gateway be given to both NICs or only a single one?

View 11 Replies View Related

Cisco WAN :: Split Data Flows Over A Single T1

Nov 7, 2012

Is it possible to split data flows on a single T1? Say 1 flow on time-slots 5-6 and another data flow on time-slots 10-14. If one was data and the other voice, would this work?

View 6 Replies View Related

Cisco WAN :: 1921 - NAT On A Single Router With 2 WAN Interfaces?

Mar 17, 2013

I have a 1921 with 3 interfaces. One for the LAN and the other 2 are WAN, each with a public address. The 2 WAN interfaces are used for redundancy. I would like to know how I can static NAT the same port and inside address on both WAN interfaces, so if the request comes in on one or the other it works. I know if I do a static NAT to one of the WAN interfaces and then add the same port and inside address to the other WAN interface, it replaces the previous configure.

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved