Cisco WAN :: ASA 5510 - Configuring Router To Access Two Servers With Same Name
Jan 25, 2012
I have an old server that has custom apps developed by a bankrupt company that we can't replace yet. We are being tasked with upgrading the operating system and security patches, while preserving the existing live server. I was able to accomplish this by virtualizing it, then cloning the virtual machine. Where I got stuck was that the custom app requires a specific host name. So, I got the idea to have the two servers live on different sides of the firewall until the test platform is accepted and the old live one can be retired.
My problem is that I have no experience with configuring a real firewall like this ASA 5510.
Servers are:
CM1 live server
CM2 test platform
ADS Active Directory and File and Print
[code]....
I've started to carefully poke around in the Cisco ASDM-IDM, but haven't figured out how to access the DMZ from the outside (so far just testing with HTTP, as I don't have my certificate to set up HTTPS just yet). Am I missing something to get through to the DMZ from the WAN side?
Jun 26, 2012
We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect.
Mar 19, 2012
We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect.
Mar 27, 2011
I have successfully installed and configured VPN Client - Version 5.0.07 to connect to ASA 5510 from a remote workstation. Here is the problem, I cannot ping any of the servers or workstations after I successfully connect. I can ping the ASA 5510 using its internal LAN IP, but no other nodes will respond on the remote LAN.
Mar 13, 2012
I am trying to configure a Cisco 871 router. There are 3 servers on my network that need static public IPs but also still need to communicate on the local network. I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network with that IP, which is working fine. Next I set up static NAT rules for the servers, translating 3 of the remaining public IPs to the internal addresses of the servers. I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP. I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to use static routes? Will that update the next hop's routing table? Do I need to make an ACL to permit any host to the servers? If so, do I use the internal or external address? [code]
Jan 12, 2011
How do I configure a Win2008 server to bring up a password prompt box when accessed via a workgroup PC on the LAN?
May 18, 2012
I have a requirement to create a site-to-site VPN tunnel on an ASA 5510 from a remote site to my HO; I already have other site-to-site tunnels up and running on the ASA. The issue is that my remote site has a network address which falls in one of the subnets used in HO (192.168.10.0/24). My requirement is only that my remote site needs to access a couple of my servers in HO, which are in the 192.168.200.0/24 subnet.
Apr 20, 2011
I am configuring Remote Access IPSEC VPN on an IOS router running 12.4T. I am able to establish the IPSEC VPN from VPN Client 4.0. But I am able to access all the LAN machines from this connected client. I want to restrict access to only one server in my LAN rather than accessing all the servers in the datacenter. For example:
- Group FTP should be able to access only the FTP server with IP address 10.1.1.21 on port 21
- Group WEB should be able to access only the WEB server with IP address 10.1.1.80 on port 80
Nov 1, 2012
I'm having trouble configuring EZVPN on an ASA5510. EZVPN uses the local LAN as the source IP; since the EZVPN is configured on the ASA, it will use its local port 2.2.2.1 as the source local LAN. The actual local network is behind a firewall and I need the tunnel to extend to the 10.10.10.10 network. Is there a way to extend the tunnel to use the 10.10.10.10 as the source LAN? How to do it via the GUI?
Mar 26, 2012
We have a network that uses a Cisco router and use a WAP54G to access the network wirelessly.
We use static IP address so if someone wants to use the wireless an IP address has to be assigned to it and be manually configured for IP Address, Gateway, Sub Net Mask and DNS.
This is becoming unwieldy, but it is safe. Is there any way to configure the WAP54G as a router that would automatically assign an IP address in a range just for wireless devices?
Therefore the wireless devices could be set up as DHCP and we would use WPA/WPA2 encryption with a passkey, instead of just assigning static IP addresses.
Oct 16, 2012
I have two ASA 5510s that I want to set up in an Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750s stacked together that connect to the ASAs. Should I run the inside interface on ASA1 to a port on switch 1, then run the inside interface on ASA2 to a port on switch 2, and make sure both those ports are in the same VLAN? But then, when failover occurred, how do I automatically make it clear the ARP cache so the traffic starts flowing out of the right port?
Aug 19, 2012
I just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and there's a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, nat commands, and other migration stuff. It's been a while since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit, because there are so many lines for so little that I really need.
I have a 5510 assigned an IP address on the outside interface with 3 inside interfaces and below are the only requirements I need.
Network-A (192.168.1.0/24)
- incoming ssh port 2202 goes to node 192.168.1.2
- incoming ssh port 2203 goes to node 192.168.1.3
- handle incoming https (443) requests
- handle incoming www (80) requests
- cannot see Network-B or Network-C
Network-B (10.0.0.0/16)
- ssh to nodes on Network-A
- incoming ssh port 22 goes to node 10.0.0.20
Network-C (192.168.2.0/24)
- ssh to nodes on Network-A
- incoming ssh port 2210 goes to node 192.168.2.2
ASA-5510
- sends logging to syslog node 192.168.1.3 on Network-A
- there are DNS and NTP servers located outside
Mar 26, 2013
I have a Netgear N300 and am using a linksys wrtg54g flashed with dd-wrt as an extender. I would like to setup my wireless network to limit various devices (laptops, iPod touch, etc) to certain times of the day.
How do I configure both devices to limit connectivity? I've got it down pretty much on the NetGear using a MAC address filter and scheduling the services, but I am not sure how to get the extender to do the same.
Jan 15, 2013
Need configuring Client to Site IP Sec VPN with Hairpin on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IP Sec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous access to internal LAN and Outside Internet.
But I have not been able to make traditional Hairpin model work in this scenario.
Following is the Running-Config with Normal Client to Site IP Sec VPN configured with No internal Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel:
ASA Version 8.2(1)
!
hostname ciscoasa
[ code ].......
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface nor sysopt connection permit-vpn works.
What needs to be done here to hairpin all the traffic to the Internet coming from VPN clients? That is, I need clients connected via the VPN tunnel, when connected to the Internet, to have their IPs NATed against the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
May 28, 2011
I just purchased 2 E2000 routers at BB and was assured the second one could be configured as a repeater access point. Some current messages indicate this is not possible. Will a Cisco moderator please confirm and clarify repeater options?
Feb 5, 2012
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
Apr 17, 2013
Recently moved into the hardware firewall space and have an ASA 5510. Having some issues trying to get traffic through the box to my 4 dedicated servers. All the servers have static IPs and are connected to a private switch into one of the Ethernet ports on the firewall (0/2). Public internet connection into another (0/0). One of my servers has a connection to the management port, and the public switch, and this is the one I'm trying to do the configuration on.
I'm unsure what to set the IP address of my "outside" interface as. I need to have RDP, FTP, HTTP traffic going to each of the 4 servers independently. Pretty sure I can get the rules in place to allow this, but can't seem to get any traffic to go through the firewall to any of the other 3 servers.
Sep 18, 2012
I've tried a bunch of things but it didn't work, I'm about to give up! :-/
I have the following scenario:
ASA5510 - v8.3(2)
Interfaces
ETH0/0 = outside = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15
[Code]....
What should I do to get the SIP and 8080 port working on my public IP, likewise just to access http://189.xxx.xxx.129:8080 from my browser and get through directly to my internal server 10.xx.xx.61?
Sep 13, 2011
I got charge of an ASA 5510 running version 8.3(1). Found that this is a simple config with PAT for inside hosts and a couple of static NATs for web servers and an FTP server as well.
There is a lot of other configuration that was done, I assume just for the purpose of R&D, by the previous administrator. I need to understand whether the following NAT statements hold any relevance.
We are running only the NETWORK_OBJ_192.168.0.0/23 subnet on the inside and no other subnet defined in the rest of the statements exists, i.e. 10.0.0.0/27 and 192.168.1.128/27 don't exist at all.
Jan 3, 2013
I have a TP-Link access point TL-wa5110G. I have a WISP (wireless internet service provider). I have configured the access point in WISP client router mode and the WAN type to PPPoE, and gave the username and password. Now I want to share internet wirelessly. My question is: can I connect the access point to the WAN port of the wireless router to share internet wirelessly? I have seen the instruction figure for the TP-Link access router, where they show that you can connect it to an unmanageable switch to share it with a wired LAN. I want to ask whether wireless works to share internet if I connect a wireless router to the access point.
May 14, 2012
So, we've been trying to get our network IPv6 compatible and had to upgrade the IOS on our ASA 5510 to 8.4. Little did we know that the upgrade to 8.4 would need me to change all our NATs and access-lists. We have a 1-1 NAT configuration that I need to keep with a bunch of regular rules to different servers (http, ftp, rdp, etc.).
I've been able to change all of that and was able to test it out successfully in our test environment. But, when I moved this to our prod env, the servers aren't able to connect to the internet. I haven't changed any routes - no changes in IP's - just changing the ASA. [code]
Mar 12, 2012
I have a Cisco ASA 5510 that was set up as a VPN server for working remotely. I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA. The problem I'm having I believe would be resolved if I enabled split tunneling, but I would prefer another solution. Now, for the problem. When a user is connected via VPN, they can hit all intended devices, both public and private, except servers that have static NATs in the FW. So Server A has a public address of 1.1.1.1, which is one-to-one mapped to the private address 10.1.1.1. Now if the remote user brings up a browser and goes to 1.1.1.1, it won't work. The FW gives me an error, which is posted below. However, using the private IP of the server works. I thought about trying to manipulate DNS to resolve this, as the remote users are using URLs and not IPs when trying to reach these servers, but again, was hoping I could resolve the NAT problem that the FW seems to be having.
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:1.1.1.1/80 denied due to NAT reverse path failure
192.168.202.x/24 is the remote VPN IP given via the ASA.
Here are some configurations on the ASA:
static (INSIDE,Outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
[code].....
Outside with 4.4.4.4 as the public IP traffic gets NAT'd to dynamically Inside with 10.1.1.x network on it. The ASA is running 8.2
Feb 17, 2013
I've been having a strange intermittent problem with my E1500 wireless router. When we first bought and installed it everything was working well with no known problems. After several months no one using the router was able to access certain websites as well as a game server that we play on. No one had made any changes to the router settings and I assumed at first that it was an ISP problem. After talking with our ISP tech support they finally suggested plugging my PC directly into the modem rather than the router. I did and found that the websites and servers that previously wouldn't connect while using the router were now reachable. Any changes to the router settings since installation. I decided that just in case someone unauthorized had made changes to simply revert the router to factory settings and reinstall the software. After doing this I found that I could again reach the websites and servers that I previously could not. So time went on with no problems until a few months later when the same websites and servers were again unreachable by anyone on our router. I again reset the router to factory settings and changed passwords as a precaution, but this time the websites and servers were unreachable even though I had just reset the router.
Jun 20, 2012
I am setting up a network that will use the 1941 router with a cellular card (HWIC) to connect to the Internet for communication with remote stations in the field. The 1941 has a static IP address (166.142.xxx.yyy) on the Internet provided by the ISP (Verizon). The 1941 is connected via ethernet to the ASA5510. The end goal is to have the field cell routers (Digi Transport WR-44-R, also static IP) connect to the ASA5510 via VPN tunnels for communication back to the servers behind the firewall. I'm not sure exactly how to configure the 1941 so that the remote router can connect to the ASA using the public IP of the 1941 router. I have the 1941 working stand alone and can connect to the Internet and pass traffic, but I tried a static NAT to translate the public IP to the private IP of the ASA and cannot pass traffic. below is part of the 1941 configuration: [code]
Do I need to use VLAN bridging to accomplish the task or am I missing something with the NAT?
Dec 5, 2012
Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.
Jun 30, 2011
How do I access an MS Access backend with a front end without using SQL or SharePoint?
Feb 5, 2012
We need to deploy a Cisco ASA 5510 behind the Internet facing router for Remote Access VPN (RAVPN). We bought the block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x)and configured the outside interface of ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.
But we can't access the ASA by its public IP.
DSL Modem → RV082 router → Switch → LAN
(69.x.x.x) ↑ (192.168.0.0)
Cisco ASA 5510
(outside: 64.x.x.x, inside: 192.168.0.172)
Dec 10, 2012
I'm configuring remote access on my Cisco 881. The PPTP protocol was chosen. I've configured PPTP VPN access on my router, but there's an issue with accessing my LAN. I can access my Internet connection and open web sites, but I'm not able to access my local resources. I can only ping my router's interfaces (192.168.2.10, 79.104.14.62) and Internet resources. For example, I cannot ping the switch directly attached to the router, with address 192.168.2.2, or other hosts on the LAN.
Dec 22, 2011
I have dozens of Cisco Aironet 1100 access points, each is managing its own wi-fi with DHCP. I had to disable dhcp on them because they are on a wired subnet where I am using the static IPs and don't want my wired clients to get DHCP addresses, nor someone to be able to plug the wire into own laptop and get on the network. It's been working fine with one exception - I need to be able to ping my access points from the central site, and I can't. What IOS command would enable ICMP echo on my access points in this case?
Dec 18, 2011
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
Jun 11, 2013
How do I configure SSH on all access points (Cisco 3500 access points) under a WLC 5508?
May 29, 2012
I have 4 VLANs and I want a MAC address to have access to one VLAN, but not to another.
I used ACLs, but this will block the access to the access point. How do I get the MAC address to have access to a VLAN, e.g. no other VLAN?
Apr 16, 2011
does not accept my password