Cisco WAN :: 1941 No Internet Access Inside Network
May 19, 2011
I'm using a Cisco 1941 router with two WAN interfaces. One is directry connected to our ISP and one is connected to another router wich is then connected to another ISP. Hosts on the LAN cannot access the Internet at all but the router has Internet access, im guessing its something simple but i cant seem to spot the error, i have removed the ZBF configuration from the interfaces. [code]
I am working on pix 525, when connected through console I can access the whole internet but when i connect the pc to the inside interface i have no access to the internet. the pc can ping the pix inside interface and from pix i can ping the pc. My configuration is shown below.
i am not sure if this question has been raised before. My company recently bought a Cisco 1941 router and we have been using a Lynksis router connecting to our ISP using WiMax all along. I have configured the new cisco1941 to the best of my knowledge but something strange is happening on my network. I can open www.gmail.com from any machine but i cant open anything else even www.google.com . What could be causign that ?
My config is as follows :
Current configuration : 4478 bytes ! ! No configuration change since last restart version 15.1
I have setup a few Vpn clients but no ones able to access the inside network.The clients all get a Ip address from the pool and DNS servers Ip's. But cannot ping or connect to there pc's. I'm thining its somewhere in the ACL.
I have an ASA 5510 which works great except I'm unable to connect to the remote access VPN from inside the network (behind the ASA). Is there a special NAT exemption required? [code]
I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.
I have an issue accessing the inside network of my church from VPN. This only happens when I connect from my home network. I have no problem accessing inside network of my church if I'm connected from else where (my Clear Hotspot or someone else's house). Here is the hardware detail:
At the church, we are using Cisco ASA 5510 and we have so many VPN tunnels to different churches. At home, I 'm using Cisco ASA 5505. See that attached configuration for my home ASA5505.
I am new in ASA, I have the DMZ (10.1.1.0/24) configured on ASA 5520 and I achieve the reach Internet from DMZ (10.1.1.0/24), but now need reach DMZ from inside (172.16.12.0/24) and inside (172.16.12.0/24) from DMZ (10.1.1.0/24), in other words round trip.
I have 2 questions.Om my cisco 2811 (IOS 12.4(15) T9 IPBASE W/O Crypto) i am using 3 interfaces.And i have a pool of Global addresses: 200.x.z.97-200.x.z.126 255.255.255.0
FastEthernet 0/1 description WAN interfaceip nat outsideip address 200.x.y.253 255.255.255.0
I'm trying to make a very plain and simple network with the ASA 5505, I've strated from scratch over a dozen times triyng to find where I'm going wrong. My main goal is to simply create an IPSec VPN connection to my ASA 5505 and simply ping and connect to devices with the "inside network", so far I can easily create and establish a IPSec VPN Connection, but up to this point, I cannot successfully ping or access a single device on the ASA 5505 inside network.I've taken, create the IPSec profile with the ASDM wizard, add exemption for the VPN IP Pool, add access-list from this Cisco link, url...All this and I can't make a single connection to the inside network. [code]
I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.I have attached running configuration for your reference.
I have easy vpn on my PIX 515e and working normally everywhere, except when my users go FRANCE, the vpn client connect, but, can't ping or access any inside network resources. when same user try any where here in EGYPT, it works normally.
administrator wants to manage ASA 5500 using inside interface.{telnet or ssh].Allowed telnet and ssh in ASA 5500 but unable to get access from administrator PC..Is there a way to do it without enabling NAT on the ASA? Will a specific rule on ASA allow adminstrator to access ASA 5500 inside interface via ssh or telnet?
I have a customer with an 877ISR with zone base firewall. They want to access two servers on the inside from the internet using RDP but with different ports.
Partial configuration.
interface Dialer0 description $FW_OUTSIDE$ ip address negotiated no ip redirects no ip unreachables(code)
I am trying to access and ping the inside interface of a ASA5505 from a remote network. From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24 Local network : 10.10.1.0/24 Transport network : 10.10.99.0/24
We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.
I don't have access to my config at the moment and I haven't had a chance to get to the console of this router as of yet.A little background info:This is a Cisco 1941 router in which I have multiple NAT inside interfaces for internal VLANs. Before my current problem I was using one NAT outside interface for Internet access with another NAT outside connecting to our corporate network that was in a shutdown state.The router is performing router on a stick and had layer 3 subinterfaces for each VLAN. I have ACLs filtering on each subinterfaces allowing only the traffic I need through.I also currently only have one static NAT port for an FTP server.The time finally came when I had to connect our corporate network to this router via an access port on a 2950 which trunks to the router.The problem comes when I send any traffic to the subinterfaces on the corporate network which is the second NAT outside interface on the router. The main point for this connection is to do a static NAT from this interface to a web server on another VLAN. Any traffic to this interface including just pinging from the outside causes connection to the router to fail for about 3-4 min.Like I said I haven't ha the chance to get to the console yet Sony cant tell everything that happens. Nothing shows up in the logs after I can get connection back and the router didn't reboot as a "show version" says the router has been up for a long time.The CPU is also usually very low as not that much traffic flows through this router at a time.I built a very similar network in packet tracer and it works just fine.
I've got a Cisco 1941 setup working fine for Cisco Anyconnect. Clients can connect to local resources fine. The issue I have is I need the remote clients to access a third party IP address but to do so they must do it through the VPN. At the moment only local resources are accessed across the vpn and if they need internet they use their own internet connection they are connecting with.I've added the below to make sure traffic going to the IP is going across the VPN.
ip name-server 218.248.255.146ip name-server 218.248.255.212multilink bundle-name authenticated!!!license udi pid CISCO1941/K9 sn FHK144773MG!!interface GigabitEthernet0/0 ip address x.x.x.x 255.255.255.248 ip nat outside ip virtual-
[Code]....
when i configured access-list 2 permit any . Internet working on local systems but we are not able to connect telnet.
A Cisco ASA running 8.2.5 with 3 interfaces: Outside (Sec lvl 0)/-nternet IP / DMZ (Sec lvl 2)-192.168.8.0/24 / Inside (Sec level 100)-192.168.1.0/24
An ACL on the DMZ which looks like this:
access list DMZ_IN permit ip 192.168.8.0 255.255.255.0 any access list DMZ_IN deny ip any any access-group DMZ_IN in interface DMZ global (outside) 1 interface nat (DMZ) 1 192.168.8.0 255.255.255.0
Nat Control is not enabled (by default) There is no nat exemption, static identity nat or any nat of any kind set up between the Inside and DMZ.The question is: Will the DMZ network be able to initiate connections to the Inside network or will only outside (internet) access be permitted?
A) No, inside access will not be permitted, only Interenet access will be permitted, because there is no NAT exemption or Static Identity NAT between the lower level security interface (DMZ) and the Higher level security interface (Inside), regardless of the DMZ ACL rule with a destination of ANY.
B) Yes, access to the Internet and the Inside can be initiated because NAT control is disabled and there is an ACL that permits DMZ traffic to 'ANY' destination.
I recently upgraded my asa from 8.2 to 9.1 (reconfigured from scratch - didnot convert old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Here's my config below -
I am having an issue accessing the internet from a PC on the LAN. I have configured the PC with the gateway of the router infront of the ISP to test. I can ping from the router to google or any other internet IP. From the PC I can ping to the GIG0/1 (Inside LAN IP) and the GIG0/0 (Outside WAN IP going to ISP) but I can't ping the Next Hop IP of the ISP or anything past that. If I do a trace route from the PC to the google IP address it hits the GIG0/1 Inside LAN IP Address but fails from there. Here is a cut down snap shot of the router configure
I have a Cisco 1941 router configured using Cisco Configuration Professional... SSH management works from the LAN IP 10.0.1.254 and 10.0.2.254 Also, SSH management works from the LAN using the external domain name which resolves to the public IP address.
The problem i have is if I try SSH from the internet to the public IP.. nothing happens.
cisco1941#show config Using 18498 out of 262136 bytes ! ! Last configuration change at 13:57:49 PCTime Tue Feb 14 2012 by admin
I am working for a company based in Sydney Australia, the company recently open an office in London UK, therefore we are going to get leased lined based on MPLS.We were advised that Customer Edge router will be CISCO1941/K9. We want to our UK client to access our web-based applications via MPLS network instead of internet. The UK office is using BT Business ADSL with 5 Static IP address (please note the modem IP address is actually dynamic), we are going to get a Cisco 857/K9 router which will be used for the entry for the UK client to access the MPLS network. My question will be how do I configure the Cisco 857 router to allow one of the public ip to access the MPLS network. It appears that there are two options, and I am not sure if this is going to work or which one is working better. I have attached two diagrams for clarification of my case.
Option 1 Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) get the assigned 5 Static IP addresses One of the five IPs (217.xx.xx.169) will be assigned to the FE1 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic) One of the five IPs to 217.xx.xx.170 will be assigned to the WAN interface of Sonicwall Firewall Router which also serve as Internet Access Gateway for LAN users, All trafiic destined for Sydney LAN will be using FE0 (Cisco 1941) as gateway Option 2Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) will get 192.168.0.1, Cisco 857 router will be the default gateway for LAN users, using one to many NAT, also one to one NAT, One of the five IPs (217.xx.xx.169) will be forwarded to the FE0 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic)
I am looking to add a new DMZ zone to our network with have a standard 1941 (1x LAN / 1 x WAN port) and so I need a 3rd routable L3 interface to create the DMZ.
Is the HWIC-1FE what I am looking for or is there another way to do this?
I have been recently asked to design a network. What I have for equipment is four 2960G's and one 1941 router. One switch is a root switch and the other three will have end devices on them.I have decided on three V lans to go with: VLAN20 Data, VLAN30 ISCSI, and VLAN99 Management each with seperate trunk links and redundancy (see picture below).
I have a seperate trunks for each V lan using the switch port trunk allowed. With exception to the Data V lan.My design has the Data V lan as the native because it is going to be receiving untagged traffic from the external network. I have set up inter v lan routing on the 1941 via sub-interfaces to allow them to talk to each other (or because of allowed they cannot?). I have one port coming from my router to my switch via Ethernet cable which is my bridge out. I have my external port doing a NAT translation for my inside addresses and a Default route set up ip route 0.0.0.0 0.0.0.0 gig0/0. I am using rapid- PVST to prevent loops and provide my zero downtime convergence when a link goes down. As it stands right now I cannot talk out of my network or inside of my network.
You can see it is highly redundant and I do not want to change it. This network is going to be deployed but there will never be anybody physically there to manage it which is why I made it as redundant as humanly possible.