DNS resolution works and I can surf the web without fail. But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts. I can ping anything from the ASA without fail.
ASA Version 8.4(1)
!
hostname fw1-nat-ann
domain-name inmd.infoblox.com
enable password anWLNen9CTFp7B/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ASA is running 8.4.
Internal interface: 172.16.1.1
External interface: 172.16.2.1
Routing to 192.168.0.0 via internal host.I've got some static NATs, e.g:
object network obj-192.168.0.1
nat (inside,outside) static obj-172.16.2.1
object network obj-192.168.0.3
nat (inside,outside) static obj-172.16.2.2
I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
But it's source remains unchanged.What am I missing?
I am struggling to get successfull pings beween asa and inside hosts but couldn't succeed. Done packet tracer result is acl-drop
Here is the running config
Prem-ASA(config)# sh run
: Saved
:
[Code].....
I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]
View 8 Replies View RelatedI am able to connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. [code]
View 2 Replies View RelatedI have 2 questions.Om my cisco 2811 (IOS 12.4(15) T9 IPBASE W/O Crypto) i am using 3 interfaces.And i have a pool of Global addresses: 200.x.z.97-200.x.z.126 255.255.255.0
FastEthernet 0/1 description WAN interfaceip nat outsideip address 200.x.y.253 255.255.255.0
GigabitInterface 0/2/0description DMZ interfaceip nat insideip address 10.0.0.1 255.255.255.0
GigabitInterface 0/3/0description LAN interfaceip nat insideip address 192.168.0.251 255.255.255.0
[Code]....
I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.
View 1 Replies View RelatedThe ASA5505 I am working with has this from the show version:
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs : 3, DMZ Restricted Inside Hosts : 10Failover : Disabled VPN -DES : EnabledVPN-3DES-AES : Enabled VPN Peers : 10WebVPN Peers : 2Dual ISPs : Disabled VLAN Trunk Ports : 0
This platform has a Base license.
Does the Insides Hosts :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?
One of our company guys always complaining that few inside PC's are frequently loosing internet and reconnecting after some times.The Connectivity is as mentioned below:
Inside: Switch -> Router -> ASA -> Router -> Modem ->Internet ------------VPN-------------------------
I have two hosts behind an ASA on a private network. Both hosts are NAT'ed (each has a unique public IP). I need Host A to be able to talk to Host B through their respective external IP's.
View 5 Replies View RelatedI want to upgrade "inside hosts" from 10 to unlimited on a ASA5505-BUN-K9, Do I have to buy Security Plus license ( L-ASA5505-SEC-PL =) ) before activating ASA5505-SW-10-UL ?
View 3 Replies View RelatedI am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
The setup is:
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
[code]...
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies View Relatedconfiguring ASA 5505 to be able to ping remote host.Setup - We have a site-to-site (192.168.1.0/24 - 192.168.2.0/24) VPN setup with client VPN access (IP Pool, 172.16.50.0/24) on 192.168.1.0 ASA 5505.Issue - Not able to ping host on 192.168.2.0 from VPN client 172.16.50.0 but able to ping 192.168.1.0 host.
View 8 Replies View RelatedI'm having an issue where internal hosts cannot access the internet but I am able to ping external hosts when I console into the router. The router is a 2800 series. [code]
View 3 Replies View RelatedI have recently bought two 1800 cisco routers and have tried to connect them over wan serial link, but I am having problems when trying to access resources on the other side. I am a newbie to cisco and I wonder if the problem is with the configuration or the new routers or the serial link between the sites. Below is the show-running config results I have done on both routers; I can ping the serial interfaces from both sides and remotely, but I can't ping hosts or FE from other side.
View 8 Replies View RelatedI've set up a simple lab network of two cisco routers 2611XM and to each router I've attached a computer (host). I have set up a dhcp ip addresses for each host. I've set up a correct routing as well on each router. There are 3 networks: 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 The first network between the first host and first router, second is between two routers and third is between the second router and second host. If I use first host (192.168.1.20) I can ping to any ip address (192.168.1.1 (router 1), 192.168.2.1 (router 1), 192.168.2.2 (router 2), 192.168.3.1 (router 2)) except the second host ip address which is 192.168.3.20. When I sit on the second host (192.168.3.20) i can ping to 192.168.1.1 (router 1), 192.168.2.1 (router 1), 192.168.2.2 (router 2), 192.168.3.1 (router 2) but i can't ping to the first host which is 192.168.1.20. I've even tried with attaching a switch to a router and assign it an ip address of 192.168.1.3 and the ping was echoing to it.
View 5 Replies View RelatedI have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out
ASA Version 7.2(4)
!
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
[Code]...
I think the subject gives a good first impression of what I'd like to achieve.Anyway i'll give a little more context.I'm running a Windows Home Server in my LAN and I would like to use it's functionalities (especially the streaming) features from "anywhere" using the same URL.My is a Linksys WRT160Nv3 running on the DD-WRT v24-sp2 firmware.I've already setup the necessary port forwardings, as most of the WHS sites run on ports 80 (http) and/or 443 (https) and my isp is blocking all ports < 1024 (I know it suck, but nothing to do about)Anyway, outside my network (friends home, work, ...) I can access my home server browsing to ://xxx.homeserver.com:10080 or https://xxx.homeserver.com:10443What I want is that this (external) DNS also works when i'm inside my network (so when I'm at home).
Is this possible?I want this because on the home page of the WHS web interface, I have some links (for example to sabnzb, or the webpage of my raid controller, etc etc, but they all point to http://xxx.homeserver.com:These url's (with the external dns) are not working when i'm inside my lan.I'm not an export but i'm quite sure it's a DNS issue.Some more info:When i do an nslookup xxx.homeserver.com I see the (external) static IP that has been assigned to my router.When I do a ping to xxx.homeserver.com I also get a reply from the (external) static ip that has been assigned to my router.
I purchased this router a few days after its release, and I was very impressed with its functions. I came from a DD-WRT flashed router with all the bells and whistles, and the E4200 lacked some features but I felt it was a fare trade off for the GHz & dual band.All was well with all my settings (quite a few to name QOS,forwarded, etc)I also updated the firmware when it came available and re entered same settings.
Approx 3 months after use I had 0 WAN connection via eth0 or WIFI, when I logged into router I was pulling a Public IP from my ISP. I could ping from inside the router but no connection on any hosts, very strange. Powercycling Modem/Router yielded same results.. I then backed up my vast amount of settings, and did a 30/30/30 reset.. With no configs I had no issue browsing on any host on my network. So I restored from backup and the issue was back again..So I did another 30/30/30 reset. Then went and reentered the exact same settings as before and the issue was gone.
I've got a new E4200 router, Everything works just fine, but I'm unable to ping any WiFi hosts from my LAN, I can ping LAN from any WiFi Host.If I disable NAT on the E4200 I'm able to ping WiFi hosts but then all WiFi Hosts are unable to talk to the LAN.
LAN - 192.9.209.0
WiFi - 172.16.1.0
Same config runs perfect on my WRTG54GL.
I've got a new E4200 router, Everything works just fine, but I'm unable to ping any WiFi hosts from my LAN, I can ping LAN from any WiFi Host.If I disable NAT on the E4200 I'm able to ping WiFi hosts but then all WiFi Hosts are unable to talk to the LAN.
LAN - 192.9.209.0
WiFi - 172.16.1.0
Same config runs perfect on my WRTG54GL.
I am just setting up a simple scenario with a 1841. Server @ 172.31.1.1 cannot ping 172.31.0.254 or 172.31.0.105. It can ping 172.31.1.250. The router can, on the other hand, ping devices on both networks. This is just for testing routing theory so I don't know why hosts on either side of the network cannot ping each other.
I am only using the FastEthernet interfaces on Router 1841.
I know the CSS is too old but I have one in production environment and I was asked if it is possible to CSS to make NAT from inside addresses and translate them into one external IP address to diferent kind of communications, for example: 172.16.4.9 and 172.16.4.10 (inside addresses) should start connection to external IP addresses destinations 50.50.50.50 / 60.60.60.60 70.70.70.70 / 80.80.80.80 and so on, the default gateway to those Servers is the CSS and I would like to know if it is possible that all connection to external world to be translate into one IP address 172.16.4.100.
My CSS is 11503
Version: sg0810106
I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
This is what we have: A wireless network with an SSID to serve visitors. We also have an in-house web server which can be accessed internally and externally. We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside. The DHCP server for the wireless network for visitors is configured to give the 8.8.8.8 as dns server. The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server! The traffic then is sent to the outside interface of the ASA 5520. The visitor who wants to access our web server cannot connect!
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?
how to storage the DHCP IP table in a external flash of a router. This is because the router is switched off and switched on everyday but I want that it remembers which MAC is associated with which IP when it starts again and avoid IP duplicate problems. The command "lease" doesn't seem useful here.
View 4 Replies View Relatedconfigure my Cisco ASA5510 (asa version 8.3.1) so that one of the host (e.g.192.168.8.20) behind management interface can ping to the other host (e.g. 192.168.2.246) behind OUTSIDEinterface. I tried modifying the ACLs, NATs and ICMP statement, but still failed[CODE]
View 19 Replies View RelatedI have two inside interfaces (both security level 100) inside and inside110. Inside is 192.168.105.3/24 and inside110 is 192.168.110.3/24. I have a PC on the 192.168.105.0/24 network. I cannot ping the 192.168.110.3 IP of interface inside110.
View 2 Replies View RelatedI cannot seem to determine exacly why I am not able to ping from the inside to outside using the standard 100/0 security levels respectively. I am dynamic natting the inside to the outside interface, something I don't usually do but cannot see why ICMP's are not passing through.
The Packet trace tool says there is something in the ACL but there really isn't.
Is there simply an issue of Natting to the WAN interface on a 5510?
