Cisco WAN :: 1841 / Move All Traffic From Internet IP To One Of Internal IPs?
Aug 1, 2012
I am in trouble with my Cisco 1841 configuration. The "what I want" schema: very external IP ( AAA.AAA.AAA.AAA ) in the internet cloud => | Cisco 1841 external IP BBB.BBB.BBB.BBB | => internal computer IP CCC.CCC.CCC.CCC
Steps (this is what I think should be done):
1. Find all packets from A by ACL
2. Route the found packets through the Cisco 1841 directly to the internal IP address
It should be easy, but it doesn't work.
Jan 16, 2012
I used a GRE tunnel site-to-site VPN with 2 Cisco 1841 routers. Behind one of the routers, R1, I used a Cisco ASA 5510. Now my VPN is connected between the two routers, but from R2 the other site cannot access the LAN behind the firewall. From R1, I also cannot route to the local network; from the local network I can access R1. I think it is because of NAT. So how do I configure routing of the internal network from R1 & R2 over the VPN?
Jan 16, 2012
I can't move traffic (ISAKMP UDP port 500 & IPsec NAT traversal UDP port 4500) from my DMZ to the outside interface.
Apr 4, 2013
I am planning to deploy the FWSM with all this complexity; will this type of scenario work or not, meaning will traffic move from the MSFC to the core? Is it right to create another SVI (int2) on the MSFC to move traffic from the MSFC to the core switch?
G0/1(cisco7613) Vlan10----Vlan10(inside)FWSM-(outside)vlan20---Vlan20(inside)(svi-int1)MSFC(outside)(svi-int2)Vlan30---Vlan 30G0/2(Core-Switch)-----internet--->
Sep 12, 2011
I have configured a Cisco 5505 in layer 2 firewall mode. I have a vendor machine connected to the Cisco ASA 5505 on port 2 as VLAN2 inside, then VLAN1 outside connected to my internal network on a layer 2 Cisco 2960 switch. This machine needs access only to LogMeIn; then block all internal/internet traffic.
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET
Apr 18, 2013
As I am planning to deploy an FWSM module in a 6513 chassis, I need your valuable comments regarding the strategy that I created for this deployment. Initially (without FWSM deployment) all internal traffic moves in this manner:
7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) -->
6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) -->
(G9/44){This is L2 port in VLAN 164}--> ASR 1002 -->Router -->Internet.
As you can see from the image, I am planning to deploy the FWSM in transparent mode in between VLAN 164(SVI Int,IP:192.168.40.20) -[FWSM here]-> (G9/44){This is L2 port in VLAN 120}, by putting the inside interface of the FWSM in VLAN 164 and creating a new VLAN on the 6513, i.e. VLAN 120, and putting G9/44 in it. Now, will this configuration work regarding the passing of traffic through the FWSM? What improvements do I have to make in this design? You can check the attached diagram.
Mar 14, 2011
I have configured a L2L VPN on a Cisco 1841 ISR. I am statically NATing some of my internal hosts to IP addresses that are included in the encrypted traffic. Please note that not all of the internal hosts are being NATed. I am doing this to hide some of the real IP addresses on the inside network. I have confirmed that the VPN works, as well as the NATing of the VPN traffic. I have traditionally configured L2L VPNs on Cisco ASA 5500 series appliances, and this is my first attempt with the 1841 ISR. I just want others to take a look and see if I missed anything, or whether I could have done some of the configuration more efficiently. All comments are welcome.
VPN-RTR-01#show run
Building configuration...

Current configuration : 9316 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN-RTR-01
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
no logging console
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto pki trustpoint TP-self-signed-2010810276
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2010810276
 revocation-check none
 rsakeypair TP-self-signed-
[code]....
Jul 10, 2011
I have two SSIDs on my 1130AG, each with different security. When I use WEP I can get my email on my Droid. When I connect to the second SSID and use wpk I can get to the Internet, but my email will not move in Exchange.
Jan 17, 2013
My internet connection is definitely OK; I can surf the web etc., and I can download other things EXCEPT the online lectures from my uni's site. The download is stuck at a few KB/s and won't move, no progress or anything, but later on it automatically states that the download is completed. And the file doesn't amount to its rightful size, which is a few MB. I used to be able to download without any problem; this occurred quite suddenly. It happened a few months ago; I thought maybe to give it some time and it would be OK, but I've tried many times, and I don't think it is anything with my uni's site because I've tried to download the same file with another computer, which was successful. I tried switching browsers, reinstalling my browsers and turning off my firewall, but they don't help.
May 9, 2012
We have an MPLS network that connects our main office with our 7 branch offices. We have 3Mb coming into the main office and 1.5Mb into all of the branch offices. I would like to give RDP traffic the highest priority. We have a Cisco 1841 at all branches and a Cisco 2811 at the main office. Do I have to configure QoS on all routers or just the one at the main location?
Jun 7, 2011
I'm attempting to set up a L2L VPN between an 1841 and an NSA 2400, via the SDM. The tunnel comes up, and when I test connectivity it shows as being successful, but I do get an error stating:
"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."
From my reading this shouldn't cause all traffic to drop though, right?
Currently I cannot ping or telnet to services from one end of the tunnel to the other. I was able to ping momentarily from the SonicWall end at one point, but this disappeared shortly afterwards (without my changing anything in the config).
All of the ACLs created were populated through the SDM.
Jul 29, 2011
I have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs, with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications, and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.
Jul 31, 2012
I have an RV042 router and I'm looking to monitor the total upstream and downstream traffic from within the router.
I know there is tons of software that I can put on a network computer to monitor traffic, but is there any software that I can put on the router itself that will monitor the traffic from within the router?
May 2, 2012
I am about to pull my hair out. I have a 1841 router at one end with 3 ASAs for teleworkers working great. I'm connecting a 4th one that I cannot get to work for the life of me. The tunnel is coming up, but it's not passing any traffic. I don't see any glaring errors in the VPN debug. The router comes up, reverse route injection does its thing... all looks great. Am I totally overlooking something? I must have rebuilt this a dozen times.
: ASA Version 8.2(1)
!
hostname ciscoasa104
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.104.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.104.0 255.255.255.0
[code]....
Oct 23, 2012
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the PIX, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings, most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the PIX to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network, as we cannot get a Wireshark capture on a PC on the 172.16.99.0 network other than the ICMP traces. Usually this is an access list problem, but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the PIX and the 1841.
The tunnel is fully up at all times and, as we said, we can ping in both directions.
Feb 28, 2013
I have created a new sub-interface on our ASA 5520 for guest internet access.
My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.
The order of the rules I plan to set up inbound on the guest interface is:
#1. <rules to allow access to specific services in the dmz>
#2. <block any ip access to the entire private network ip address space>
#3. <permit ip any any>
#1. These rules will give the guest user access to services located in the DMZ.
#2. This rule will block all access to any services in the private IP address space (thus blocking access to all internal services).
#3. This rule is to allow access to any other services, i.e. the internet.
Is this the best way to achieve my goal in the most secure way, or is there a better way? I.e., is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it to go elsewhere?
(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)
Oct 25, 2012
I have a Cisco ASA5505; it runs a wide site-to-site VPN network and has 4 servers connected to it:
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday I removed 10.50.15.6 and replaced it with a new terminal server with the same IP address; ever since, the ASA is blocking traffic between it and the domain controller (example):
2 | Oct 27 2012 | 14:51:05 | 106007 | 10.50.15.6 | 55978 | DNS | Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
What has me baffled is the only thing different between today and yesterday is that the new server is Windows Server 2008 and the old one was Windows Server 2003. The new server has the same LAN IP address as the old one to make the changeover seamless for the users.
Why has my ASA all of a sudden decided to block the traffic between those machines? All the other machines can talk to it fine, just not the domain controller, and seeing that this is a terminal server naturally you can see the problem I face!
This router has worked flawlessly for 2 years now without any config changes, and I can't work out why it's blocking traffic between those 2 machines.
Aug 30, 2011
I'm usually not working with this product, but this is what I'm trying to do. I have 2 internal networks set up on our Cisco ASA 5505 firewall (not done by me; I'm new to this product). I'm trying to access a server on one network from a PC located on the other internal network (preferably through the web GUI). When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase. (Source IP: 10.0.4.99, Destination IP: 10.0.6.99)
When I check the NAT rule, it says:
Type: Dynamic | Source: any | Interface: outside | Address: outside
May 17, 2013
I have an ASA 5505 which has two IPsec RA tunnels built; for each one the user is able to authenticate and gets an IP address in the designated IP pool, but they are not able to ping the firewall or RDP to any internal servers. Here is a copy of the running config:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
[code]....
Jan 6, 2011
I run a network that uses MPLS circuits to connect all of the company's different stores. Internet access is through a Cisco ASA5500 here at the corporate headquarters.
To make all of this work, we use a little 1721 gateway router to move traffic as needed. All the clients in our corporate office use 10.10.99.1 (Cisco 1721) as a gateway. The 1721 routes the traffic either to the internet (10.10.99.106 Cisco ASA5500) or to the MPLS router (159.61.54.30).
For some reason, anything that runs on Linux (Ubuntu server, ReadyNAS boxes, Thecus NAS) will not pass traffic beyond the 1721 gateway router.
I've pored over the config for that router, and I can't find anything that could be causing this not to work. Thinking that the 1721 was bad, I put an 1841 online in its place, and it did the same thing. I'm a noob when it comes to Cisco configs, but am learning as I go along.
I've attached a txt file of the 1721 config.
Apr 10, 2011
I have 2 locations with a Cisco 1841 and a 2821 at either end, connected via a P2P link. Now when I trace location A from location B, the traffic is getting dropped at location A's VLAN HSRP IP address. There is no ACL in that VLAN, but still it is getting dropped.
Jan 10, 2013
We have a Cisco 2901 as a router on a stick for several VLANs. Everything on the segment routes fine and accesses the internet just as it should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but cannot ping into any of the VLANs off of the 2901. The strange thing is that on either segment of the network I can ping all of the gateways. What is even more strange is that when I run Wireshark from behind the firewall going into the 2901, I cannot see the packet on another Wireshark instance behind the 2901. However, if I start a ping to a host behind the ASA, I can see the packet in Wireshark on the host which I am trying to ping hit the gateway.
Mar 22, 2012
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 152.18.75.132 255.255.255.240
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object network a-152.18.75.133
 host 152.18.75.133
object network a-10.2.1.2
 host 10.2.1.2
object-group network ext-servers
 network-object host 142.21.53.249
 network-object host 142.21.53.251
 network-object host 142.21.53.195
object-group network ecomm_servers
 network-object
[code]....
Nov 26, 2011
I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP, but it still fails to connect from outside. This is my config file; what do I need to change in order to make it work?
Oct 2, 2011
We have a Cisco ASA 5505; the 90.x.y.2/29 IP is assigned to the outside interface. We have one internal HTTP server, so I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add a new physical HTTP server 2, so I would like to forward HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
Feb 13, 2011
I am using an ASA5510 and I want to know if it is possible to redirect HTTP traffic to an internal proxy software. I explain: PCs from the LAN use an internal proxy in their IE browser, but some other PCs don't use it. They are directly connected to the Internet using the public IP from the WAN interface (via NAT). Can we redirect this HTTP traffic from the WAN interface to the proxy in the LAN?
HTTP traffic will be routed like this: PC -> WAN interface -> Proxy -> WAN interface -> Internet. In fact, can we create a rule saying: all HTTP traffic which doesn't come from the proxy IP must be redirected toward the proxy?
Apr 23, 2012
I have an ASA 5505 with the base license. When I set up the DMZ interface I had to add the deny access to the inside VLAN. The DMZ works fine with WiFi on it, but users' iPhones can't get email unless they turn WiFi off. Is there a simple way to allow HTTPS traffic through the DMZ interface to our internal Exchange server, which is NAT'd on the 5505's external IP?
Dec 5, 2012
Since the power failure two days ago, my ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK; the packet capture buffer stays empty when I try to HTTP into the mail server. The only way to get it working is to change the outside IP to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.
Jun 3, 2013
I have two 1841s, setting up a lab WAN in Packet Tracer. I have one of the 1841s run to a DSL modem, then out to the cloud, and the same setup on the other end... from the cloud to the DSL modem and to the 1841 on that end... I have all green lights, so that tells me layer 2 is up, but I'm trying to figure out what IP to assign the routers to test pinging and getting traffic flowing. But the DSL modems have the public IPs and dynamically assign an IP to the routers? I've also tried setting up a static IP on the routers' fa0/0 interfaces and the pings fail. Wondering what I am missing to get these two talking.
Nov 27, 2012
I am testing bandwidth limiting using my ASA 8.2. I am trying to limit internet access for certain users, in order to save bandwidth for the important things, but I can't get any limitation.
My configuration is the following; the access list is just for my PC in order to test, and the service policy is applied to the outside interface (called Internet in my case) for incoming traffic:
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any
class-map Internet-class-TEST
 match access-list Internet_mpc_1
policy-map Internet-policy-web
 class Internet-class-TEST
  police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service-policy I can't see any activity on the policy, but if I do a similar configuration for the inside interface, outgoing traffic, I can see packets allowed and dropped.
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have an SMTP relay deployed on the DMZ for mailing. I also have mail servers installed in the internal LAN.
I want to allow traffic from the DMZ to reach the internal LAN, and I also want to allow the SMTP relay in the DMZ to reach the Internet.
How can I block traffic from the DMZ to the internal LAN (apart from SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?
For allowing traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?
Jul 28, 2012
Using the Cisco Configuration Professional software I have created a site-to-site VPN connection (between a Cisco 1841 and 1811). The tunnel appears to be up as far as the routers are concerned, but I am unable to ping anything on the remote networks. I thought route maps may have had something to do with this, but I can't see what is wrong with them. Just so you know, the 1841 device already has a functioning VPN tunnel to another site. The peers I am concerned about are 141.0.59.x and 109.238.78.x.