I need to open a port in a Cisco 2911 router to permit the conexion to an equipment that is inside the LAN, but I my configuration doesn't workt.
I have 3 interfaces configured: two WAN interfaces (one is a backup of the other) and a LAN interface. The configuration is this (public IPs are changed):
track 1 ip sla 1 reachability
!
!
interface GigabitEthernet0/0
description backup
ip address 176.55.25.25 255.255.255.252
ip nat outside(code )
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Example:
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
So if from the internet tries to hit 64.165.123.10 we want to nat that to 64.165.54.10 both of which sit on our public space.
I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- it's subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
i am trying to upgrade the firmware in my C2960 switch to 15(1) SE2, and i get the error: Failed to execute the command archive download -sw /overwrite /http iosFile.
In my client office, We have replaced small business router cisco RV042 with Cisco ISR router 2911, in that router we have configured NAT to allow internal user to access internet and port forwarding for outside user to access web servers and other application that are hosted internally.
we are not able to access [URL] (name changed) from internally and one of the application that are runnning on port no. 8280., and same is working properly from outside the network.other application that running on 8287 is accessible form internally.
We are accessing with ip address http://192.168.1.51:8280. and [URL] not working from inside.
What is the configuration for allow port from Outside to inside( 80,21,https...) and i want to allow traffic from outside to inside only 80,https and 21.
I need to permit the connection from outside to inside in a 2911 Cisco router, only from an Public IP Address (suppose 1.1.1.1) to some local private IPs.
The "global IP" can be the Public IP from where the connection starts (in this case 1.1.1.1)? or it must be the Public IP assigned the the Router interface connected to the Public Network.
I am using Cisco 2911 router , i configured remote client in that . i need to provide the static ip to the remote users instead of providing from the dhcp pool. is it possible? if it is how we can do that.
Recently upgraded to an Asa 5512x from a pix 515e. I have an Ipswitch secure MoveIT server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have setup a static nat from the outside to the dmz1 and it works, I can also connect from the inside interface. Now I need the MoveIT server to access the DNS server and email server on the inside interface so it can send notifications. On the pix I just created a static from the inside to the dmz1 using its own IP address - static (inside,dmz1) 192.168.1.7 192.168.1.7 net mask 255.255.255.255. I would then add the access-list to allow. How would I set this up with the Asa 8.6 commands?
I have a Cisco 2911 router and a Cisco 2960 switch at a remote location.I have a user who will work out of this office a few days out of the week and will need to obtain the same IP address everytime the user visits this office. This office has no file server, no dhcp server. I have the user's MAC address and for now, the user is getting an IP address that is leased for 30 days. I'm trying to find the best way to configure either the router or switch or both so that each time this user connects to this office, that user device will always pull the same IP address and of course no other device will use that IP.
I've did some research in creating a small vlan possibly, and assigning it specifically to the port# that the user's desk is at, but not sure if that's the best way or exactly sure how it'll work. I'm currently studying for my CCNA so this is all new to me and I'm trying to do research and test without obviously causing production issues especially given this is a remote site and I access these devices via putty. I can however drive to the site if needed for testing, but I'd like to have a good grasp on what method I'll be using that will work before I actually make the trip.
I have inherited an ASA 5520. In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP. I am trying to understand the purpose of this route or why a route would be setup this way.
Example Static Route: Inside 10.xx.31.0 255.255.255.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)
We have two sites: 192.168.100.x and 192.168.101.x currently connected via IPsec VPN. On each end we have a Cisco ASA 5505. However, each site also has an MPLS VPN with intentions to move all traffic to this link. Will this work on the ASA? We need to make sure traffic can hit the ASA @ site A on the inside interface and trafiic will forward to the MPLS VPN router which then handles the traffic. Too, will it cause any problems in bi-directional flow between the two sites?
I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
I have 2 questions.Om my cisco 2811 (IOS 12.4(15) T9 IPBASE W/O Crypto) i am using 3 interfaces.And i have a pool of Global addresses: 200.x.z.97-200.x.z.126 255.255.255.0
FastEthernet 0/1 description WAN interfaceip nat outsideip address 200.x.y.253 255.255.255.0
I'm trying to configure hairpinning on my Cisco 887VA VDSL router, so all LAN users can connect to the server using SMTP port 25 which is also in the same LAN subnet, using external router address, which is assigned to dialer1 interface.Traffic comming in from outside works fine.
External IP: 1.1.1.1/29 PC address connecting to the server: 192.168.101.28 Server address: 192.168.101.200 IOS: 15.1.4M1
[code]....
I'm running tcpdump on the server on port 25 and... nothing happens. The traffic is not going through.One thing that I've notices in debug ip packet is this line:
s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt
shouldn't source be internal vlan1 IP - 192.168.101.1?
I am having one router CISCO2911/K9 (Cisco 2911 w/3 GE,4 EHWIC,2 DSP,1 SM,256MB CF,512MB DRAM,IPB). But now my management asking me to upgrade this router as CISCO2911-SEC/K9.
Today I installed the 1.0.2.6 Firmware on a RV180W. I only have now two problems regarding the Static DHCP support in the GUI.
1. Via the Networking > LAN (Local Network) > Static DHCP I have no buttons to Add a new static Lease. 2. Via the Networking > LAN (Local Network) > DHCP Lease Clients I can thick a Lease and click on Make Static IP. The result is an error: Operation failed.
I have a nat statement to nat a subnet to a host address. Only the host address is allowed to traverse the VPN. However when I use a route map to do this, I cannot see NAT being performed and my VPN does not come up. When I use a static NAT for a 1 to 1 host translation I can see nat being performed and the VPN comes up. Using the route map method, the other party said our source IP is 0.0.0.0 0.0.0.0.
I have a situation which requires some non best practice stuff to be done. There is a box behind an ASA that has a lot of code that references public DNS names and therefore needs access to itself and a number of other boxes on the same subnet via the public DNS names (that obviously resolve to public IPs). This traffic is dropped on some pretty fundamental ASA characteristics.I know this isn't really ideal, and it should be handled by DNS nstead, but I'm in somewhat of a bind and need to know if the ASA can allow this traffic.I figure I could match the traffic and exempt it from state-checking and that would probably work, but it's not a very graceful solution.
why the command "source cpu rp" has been removed from IOS15.0(1)SY1. I can succesfully configure the following ERSPAN on 12.2 SXJ3 but not on ios 15.x. Did not understand why cisco has descoped this command.
monitor session 10 type erspan-source shutdown source cpu rp rx (--- 15.0 has no such option on 6500 ) destination
I have configured my Cisco 881 and it is quite stable but now I am working on some minor details.
I have several Public WAN IP addresses which are NATing to internal web server. When I go to the WAN IP at port 80 from the Internet, the NAT works fine and it maps perfectly to the internal Web server. However, when I try the same same WAN IP from the LAN which contains the web server, the Router blocks the traffic and I get nothing back.
I have verified that I can get to the Inernet from the LAN but it seems that I cannot go bfrom the LAN to the Internet and back into the LAN via NAT.
we use the latest LMS version (4.2.2). Under Monitor->Performance Settings->IPSLA->Devices i see all devices. When creating a IPSLA collector not all devices are listed in the source section but in the target section. Why is this happening?
I need to change the source IP of a packet for one of my NAT's.I currently have an Cisco 1812.I have an PPPoE connection as Dialer 0.I have another VLAN that is connected to an Netscreen SSG5 VPN gateway via another Cisco switch.I have a vlan trunk between the switch and the 1812. What I would like to achive is the following :-For any traffic going to the following three ranges make it apear as if it was coming from the VLAN50 address [code]I can ping my netscreen on 10.27.30.255 fine from the Cisco 1812. But any other PC fails, as for some reasion the traffic has a source of my Dialer 0 interface.How can I write a nat to change the source just for the tree destitnations ?
I have been trawling the interenet looking for an answer to the i but to no avail.Can you change the source port that windows uses when it makes a connection to another host. [code]...
Every year I attend a local motorsport event and I am usually responsible for providing a live online video broadcast of the event which I do using a website such as ustream.tv or similar. The event is non-profit so spending as little money as possible or none at all is the best option for us. We use a 3G card/dongle and a laptop with 2 or 3 webcams for the video feed....The results/scoring system in use at the event is controlled by the organisers and they have setup a VNC server where teams can connect with their laptops via a wireless network to view results, what I would like to do, is to include the results screen in my video feed. So somehow, I need to trick my computer into thinking that the VNC viewer software is a video input device.I have looked for something similar last year but didn't have much success, If separate laptops are needed, I have 3 windows laptops at my disposal and a macbook pro which will be on the same network. Whichever one will be most suitable for the task will be used.
I have router which has two physical interfaces Gi0/0 and Gi0/1. G0/0 connects to metro over ethernet and Gi0/1 is configured a s router on a stick, which has many defined. All those interfaces have IP addresses assigned. EIGRP is configured between other metro sites. Here is a sample IP assigment for this site, let's say Site.