Cisco WAN :: ASA 5505 Access Wan Interface From Lan
Jun 12, 2013
Few week ago we purchase Cisco ASA 5505 as replacement broken Dlink DFL800. I try to configure all setting like it was on DLink, and all work fine with exception of one thing.
We have some resource like terminal server, that placed in internal network with configured static nat on ASA, some users use it from internal network and some from internet, but both of them use one DNS name for it like terminal.%company_name%.ru. all work fine for internet users when they try to reach server from internet with but internal users unable to use external ip, they even unable to ping external ip address from internal network. Yes i know that one way to solve this problem, is just to use internal DNS server so it can resolve terminal.%company_name%.ru in to internal ip address, BUT i want to know does exsist any way to "loop" trafic this way?
In DLink config there was 3 string in config that solve this problem
<IPRule Name="RDP_Terminal" Action="SAT" SourceInterface="any" SourceNetwork="all-nets" DestinationInterface="core" DestinationNetwork="InterfaceAddresses/wan1_ip" Service="rdp"
[Code].....
View 5 Replies
ADVERTISEMENT
May 25, 2011
I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network) Those networks (10.132.0.0/16) come from the DMZ interface.
View 12 Replies
View Related
Jul 26, 2011
I am having a problem configuring my ASA 5505 for NAT.
View 3 Replies
View Related
Jun 8, 2011
I've got an ASA 5505 running 6.3 I've connected the management interface to our management vlan (which contains switch IPs, ilo's etc)Is there a way to allow access to this vlan from another?
View 1 Replies
View Related
Sep 10, 2012
I'm configuring a 5505 for a remote office. Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?
View 5 Replies
View Related
May 1, 2012
I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside. I had this setup and working and I have another set of equirement that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 4.2.2.2 for example I get:
Destination host unreachable
Do I need to add a static route from my inside interface to my outside interfaces?
: Saved
:
ASA Version 8.2(5)
!
hostname pxasa
[Code].....
View 2 Replies
View Related
May 16, 2011
I need to configure one interface in failover because the client has 2 ISP.[CODE]
View 2 Replies
View Related
Feb 21, 2010
I have an ASA 5505 configured to get a DHCP'd IP address from the ISP on it's outside interface. The problem I am seeing is when the ISP renews their IP address, the ASA 5505 is still holding on to the old IP address information. I have to either manually renew the IP or reload the ASA. I have the potential of rolling out hundreds of these devices and I would not like my customers to have to reboot their ASA everytime the ISP's DHCP lease experies. I am using an easy vpn autoconnecting to an ASA 5520. Static IP's are not an option on the outside interface of the ASA 5505's.
View 8 Replies
View Related
Dec 10, 2012
I want to creat sub int on ASA 5505 but when I am trying below command it show error.
------------------------------------
config t
int f0/0.3400
------------------------------------
My ASA software version is 8.2(5).
View 5 Replies
View Related
May 13, 2009
Can we make sub interface on Cisco ASA 5505 model and if its possible then do that interface need to be upgraded into Trunk Port.
View 8 Replies
View Related
Feb 23, 2011
We have many new and very small remote sites that will be connecting via an ASA5505 using easy VPN. Works without an issue and we've got the configuration and process nailed down.
The challenge I was presented with today involve non-standard remote sites where I need to configure a third interface on an ASA 5505 and allow it to pass directly to the Internet and not go through the VPN. Configuration of the third interface, assignment and configuration of the ACLs / NAT(PAT) are straight forward.
The challenge I face and haven't been able to find a direct answer to is if it's possible to have the traffic bypass the easy vpn network extension process. At this time the traffic is going down the tunnel which isn't what I want.
I fear I'll have to build classic site-to-site VPN configurations which isn't a huge issue though it breaks all maintenance/operations methods, processes and I'll have to spend time training the support team how to detect the differences.
View 2 Replies
View Related
Sep 9, 2011
I setup a site-to-site VPN tunnel at the remote ASA5505. I am able to asdm to the outside interface but not ssh. I switch to telnet and still not allow me to access. I added an ACL to allow telnet any to the outside interface but still not working. In ASDM I see the log Here is the second issue. When I want to change the telnet back to ssh using ASDM I got the following error.
View 2 Replies
View Related
Jul 27, 2011
I'm new to working with the ASA 5505 ,VPN and reverse NAT.
The basic setup is as follows. I'm trying to setup a IPsec site to site tunnel with reverse nat on the remote side.
I have as the tunnel up and it passes traffic. I have setup reverse NAT for 172.x.x.1 to translated IP 216.x.2.101 my ASA also has an IP address of 216.x.2.102.
Any connection from 172.x.x.1 to 216.x.2.1 should appear to be comming from 216.x.2.101
When I ping or telnet from 216.116.86.1 to an open port on 216.x.2.101 I get the banner from 172.x.x.1, seems like it is working.
However in my setup I'm only given a singel IP that of the NAT address 216.x.2.101, so when I remove the IP address assigned to the inside interface 216.x.2.102. all conductivity is lost.
When I set the inside interface to 216.x.2.101 and I setup a static NAT rule for 172.x.x.1 to 216.x.2.101, I get a message that says all traffic will be redirected and I will be unable to connect to the ASA.
Once thats in place, and I make any connection from 216.x.2.1 to 216.x.2.101on any port I get a connection but then it's reset, I no longer get the telent banner I was expecting.
My running config is,
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
View Related
Aug 13, 2011
I have a problem where my outside interface stops passing traffic and the only way to resolve the issue is to reload the ASA, the interface never is down it just stops passing traffic. The inside interface never stops allowing traffic to pass as I can get to all my internal servers and shared drives.
The firmware is:
asa821-k8.bin
Running Config
: Saved:ASA Version 8.2(1) !hostname f1domain-name somedomain.co.ukenable password w1Y.GBKFyC5NqO3M encryptedpasswd 2KFQnbNIdI.2KYOU
[Code].....
View 4 Replies
View Related
Jan 6, 2011
We have Cisco ASA 5505 box.We have a /29 subnet available.At this moment one of IP addresses in this rage is assigned to VLAN2 used for outside interface all outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1all outgoing traffic from VLAN20 (for visitors) will go out using second IP, xxx.xxx.xxx.2all outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using third IP, xxx.xxx.xxx.3all specified incomming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10 .The main purpose is to have specific public IP address for mail server only not to get to any black list,and to give visitors different outgoing IP address than for our internal users.
View 3 Replies
View Related
Nov 6, 2011
I'm using asa 5505 with 8.4(2) and have the following problem.I have 2 Networks. each Network has it's own externel Internet-Ip and also Mail-Server.
[code]
Now I want a communication between the two Mailservers with their external Ip-Address.I did a static NAT from ipnt any to int any or also from int routed to int routed, but nothing worked.Packet tracer showed at NAT-Lookup where the externel adress of the second Mailserver is passed: Info Static translate Network1 to Network1
But it should show a translation from network1 to network1-external.Due to Security reasons, I cannot paste the whole config.Under 8.0 I did the same configuration with Policy-Nat and it worked.
View 1 Replies
View Related
Nov 21, 2011
I've been running a cisco asa 5505 for quite some time and it has been running fine, now all of a sudden it starts to renew it's outside dhcp adress like every 2 hours. I dont think it's the ISP since I have another device connected also using dhcp to the same ISP and it doesnt renew itself, it's just the ASA. Rebooting it, makes it pick up an adress straight away. The interface seems to be up, the GUI just reports "no ip adress" and then the ASA get's a new IP after about 10-15 min without one. Pressing the renew IP adress button in the GUI throws an error.
View 10 Replies
View Related
Nov 21, 2011
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now. But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
My configuration is:
ASA Version 8.2(1)
!
hostname cisco
[Code].....
View 4 Replies
View Related
Nov 14, 2011
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network I have looked for ASA documentation through the internet and still got nothing.
the config are:
: Saved
:
ASA Version 8.2(1)
!
[Code].....
View 2 Replies
View Related
Aug 9, 2012
I'm trying to set up a Guest VLAN for wireless at a client site, and I feel like I'm missing something small in the configuration, since I can't ping any of the VLAN interfaces from my laptop when the address is statically set to something in the 172.20.100.x range.
I've pasted the configs for the ASA 5505 and the 6 switches below for convenience. Near as I can tell, all should be well. The ports are in trunking mode, the "show cdp neighbors" command returns the proper information, VLAN 100 exists on all the switches, etc.
Code:
ASA Version 7.2(4)
!
hostname ASA
domain-name xxxx.local
enable password Cj3LF.ehxXN3xVkxWcxd encrypted
passwd Cj3LF.ehxXN3xVkWcxd encrypted
[Code] ......
View 17 Replies
View Related
May 7, 2012
How can I achieve this. I am obviously a novice cisco user and really fight my way around. I just want to grant access to a vendor to connect to his vpn. What ports need opened and what else do I need to do?
View 1 Replies
View Related
May 10, 2011
I have a new ASA 5505 and all is working fine, I can CLI and ASDM into it, but just can't ping the inside interface, do I need to enable a feature to make this work somehow?
View 1 Replies
View Related
Apr 23, 2012
I am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside address as I did below:
#sho int ip brief
Vlan1 123.123.123.123 YES manual up up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface as I can't ping the gateway and/or the in IP of the inside interface.Do I need to add any routes?
View 3 Replies
View Related
Aug 17, 2011
I have an ASA 5505 running 8.2
I used the ASDM wizard (6.3) to set up a remote VPN. After slightly adjusting the wizards configuration the VPN is working well.
Now I need to change the Outside interfaces IP address. When I do that the VPN no longer works. If I change it back to the original value the VPN works again.
What configuration changes do I have to make regaurding the remote VPN after changing the outside interfaces IP address?
View 11 Replies
View Related
May 2, 2013
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
View 8 Replies
View Related
Dec 14, 2011
I am trying to configure two ASA-5505 as a failover pair. Software 8.2.5 and ASDM 6.4.5.206 Using the wizard i get to step3 .. then nothing happens. Trying direct in asdm but the only interface i can choose is "--None Unnamed-"
View 1 Replies
View Related
Dec 12, 2011
I have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the swtich's table.
[code]....
View 4 Replies
View Related
May 30, 2011
I enabled snmp config ASA 5505 with Version 7.2(4), the NMS/reporting system can give graphs for CPU & Memory usages. But I can't see any elements about physical interfaces.
View 1 Replies
View Related
Jul 21, 2012
We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
here is output from our sys log:
SyslogID Source IP Dest IP Description
305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers
172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly.Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved
:
ASA Version 7.2(3)
!
hostname [redacted]
[code].....
View 5 Replies
View Related
Feb 12, 2013
Trying to add inside routes on an ASA 5505 to point traffic to another gateway for other connected networks is resulting in the following error 6Sep 16200 819:13:5810601510.184.236.1265003810.170.54.1823389Deny TCP (no connection) from 10.184.236.126/50038 to 10.170.54.182/3389 flags RST on interface insideI believe the problem is due to the Asymetric tcp connection and the ASA is dropping the connection because it only see one half of the traffic.Is there a way we can stop the firewall dropping the TCP connections on the inside interface? i've tried removing the threat managment which didnt work.Annoying thing is were putting the ASA 5505's in to replace old Watchguard soho firewalls only the watchguards forwarded the traffic no problem at all.
View 1 Replies
View Related
Apr 12, 2011
If I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets.Also, is the ACL applied to the interface because the ACL's name is the name of the interface?
View 2 Replies
View Related
Apr 6, 2011
I have a pair of 5505's in transparent mode and connected them to C2960S. The inside interface (which is VLAN5 on the switchport) keeps dropping, going in to error state. There is no log reference in the switch and the interface shows as UP. The standby ASA has no problem, both interfaces on the switch is up. As soon as I failover the units over, the active node inside interfaces drops.
View 2 Replies
View Related
Oct 26, 2012
I have ASA 5505 with base license. I created 3rd vlan on it.it was created. but i am unable to assign IP to it. i assign ip address it takes it. But when i do sh int ip brief it does not show any ip.
Code...
View 7 Replies
View Related