Cisco WAN :: ASA5505 / Setting Access Policies Dual Internet Connections
Jun 7, 2011
I'm trying to set up a S2S VPN between two ASA5505 SP units running ASA Version 8.2(1). I've ordered additional ADSL2 lines to handle this traffic and I'm having troubles with the configuration for the additional PPPoE connection. Here is are extracts from my current config; First the interface vlans
The result being that I can ping the OUTSIDE interface, but get no reply from the VPN interface. I've checked ADSL lines, they are up. The two PPPoE sessions are logged in and active. I can even see the ICMP packets hit the VPN interface, but there is no reply.
After updating the firmware of my WRVS4400N from V 18.104.22.168 to 22.214.171.124 all traffic was blocked for all machines, even some not included in the list of PCs. As the log was showing that all traffic was blocked by access policies, I disabled the only rule I had (blocking access to some sites to some MAC address list) and everything worked fine.I tried creating a new, simpler rule but after activation it blocked again all traffic for all the LAN.After many trials, I decided to roll back to the previous V126.96.36.199 which solved this problem.
i have come across this solution to dual internet connections, c2950-i6k2l2q4-mz.121-22.EA14.bin is the IOS and the router is a 2950 Dual Wan model. I don't know alot about this stuff I'll admit, but it is on the default configuration with IP 192.168.27.7 255.255.255.0, gateway at 192.168.27.8. The hostname below is something I don't know exactly what it means but my guess is its the line at the command prompt with the name.
It has VLAN1 with fa0/1-24, gi0/1 - 2.
This is the script but I don't know why its not taking the commands as at ip sla monitor 1 I get invalid command error. What do the ! mean are they comments and not entered?
My previous connections are : (1st) 100Mbps ISP connection, (2nd) 200Mbps ISP connection (fibre to home)
Before upgrade, my RV-042 worked very stable.
After using Migration Tools by exporting RV-042 current config and converted to V3 configuration, the converted configuration was imported to RV-042G.
In beginning, RV-042G woks fine after imported converted configuration file. Unfortunately, after around 1 hour of use, my iPad (through an Apple Airport Extreme Station) and wired PC could not browse internet.
But, port-forward to 3 IP-cam still be able to access by my iPhon4 through Carrier 3G connections.
After a reboot of RV-042G, internet connection comes back. But, after an hour of use, the same issue happened again.
RV-042G makes me fluctuated. I will fallback to RV-042 from now on and wait for any further firmware improvement from Cisco/Linksys.
My previous RV-042 and current RV-042G config:-
* WAN1 : 100Mbps ISP connection * WAN2 : 1Gbips ISP connection ( 200Mbps max throughput) * LAN1 : connected to Apple Airport Extreme * LAN2 : connected to Linksys 16-port FastEthernet switch * LAN3 : idle * LAN4 : connected to an Intel i7 PC * Dual WAN link mode with bandwidth management, all internet connection from PC will stick on WAN2
I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.When I switch the metric on the 0.0.0.0 0.0.0.0 188.8.131.52 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for thier internet browsing.
However, our FTP server, in the DMZ, completley loses outside access. It cannot ping to 184.108.40.206, or resolve DNS queries. The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks.Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]
We have two device groups ASAs for VPN accessWireless ControllersThere are 2 AAA devices in each group.
We have 4 Identity Stores
ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAsExternal Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.We have mapped AD groups - this is used for allowing access for wireless users.LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation. Our requirements
We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied.We needto create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.
I am trying to configure a Unified Wireless solutions with ACS 5.1 and am having trouble with the access policies. We have corporate laptops authenticating via PEAP and 7921 phones authenticating using EAP-FAST.
I have one access service configured to allow PEAP and authenticate against AD and another access service configured to allow EAP-FAST and authenticate the 7921 phones against the "internal user" database.
I have configured 2 service selection rules. Each one points to one of the access services. The only condition I have currently configured is the "protocol" field to be RADIUS. Because both the 7921 phones and the client laptops are generating RADIUS requests I can only have one EAP type working depending which rule is at the top. Because the RADIUS protocol field is always matched, requests never get past the first rule.
how I modify the rule to be able to distinguis between VoIP handsets on one WLAN and client laaptops on another so that correct access policy is used for each device?
Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN? We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.
For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.
We just upgraded to ASA 220.127.116.11 and the latest CSD image, 3.6.6203. We currently have a DAP set up to scan one group policy for a secific AV but wanted to start implementing this for all group policies and including several different flavors of AV (so anyone could connect from anywhere as long as a pre-approved AV is installed). We are going to allow about 20 different versions of different AV's and I've tested a couple already and they're successful.
My issue right now is trying to allow (or deny) AV that is installed on an Android tablet (and potentially Apple devices). The tablet has avast Mobile Security installed, and even if I select Vendor: Alwil as a whole, it still does not recognize it and denies the user. I have tested on a PC and it works fine. Is there something that I am missing or are mobile AV programs not included in the DAP policies? Is this going to be considered for future versions of CSD or ASA or are we going to continue to consider Android and Apple devices "secure" and not in need of an AV?
I'm trying to block internet access to a range of IP addresses using the Access Control function of the DIR-655 router. Unfortunately, the router does not allow me to block a range of IPs. Instead, I can only create policies based upon individual IPs or MAC addresses. I have over 60 machines I want to block Internet access and I'd hate to have to type them in individually. How do I go about blocking all Internet access (HTTP/FTP/email/everything) for a range of IP addresses? They will have to be able to continue to use the internal LAN.
I have an ASA 5505 with the Security License running 8.4 and 6.4.5 software, I have a fully working VPN solution on there using a ISP IP - works fine. My boss wants to split the lines/bandwidth to another ISP we have coming into the office. So what I want to acheieve if possible is this Say my current isp is 18.104.22.168, my internal network is 192.168.2.x and my other ISP is 22.214.171.124 - is it possible to use the ASA to accept VPN clients from both ISP's and use the internal network?
I have problem with dual ISP + IPSEC on my cisco ASA5505 sec plus licence.Routing is working correct (connect to Internet from siteA is working trought 1st also second ISP) but IPSEC is working just trought the first ISP! It seemt that phase 1 and 2 of IPSEC is correct but packets are just encrypting but not decrypting.
I'm trying ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50)
config site A: ########################################################################## ASA5505 Version 8.2(1) interface Vlan1 nameif inside security-level 100 ip address 10.4.1.65 255.255.255.248 ! interface Vlan2
for the purpose of a redundency, incase the primary ISP goes down the backup kicks in.Can this be done with the basic license (max 3 vlans) or you need to have the security plus license. (20 vlans) Currently not using the 3rd vlan (dmz)
I have two ISP's and I want to channel specific traffic out of an interface based on traffic type. Will the ASA 5505 security bundle allow me to route specific traffic out through a specific interface?
I have setup an ASA5505 running 8.2 with dual ISP's
Primary link is the current live static route out and the backup picks up if the primary fails. That all works great However I have an issue with inbound NAT rules
I have configured an inbound static on the primary which works great
static (inside,primary) *.*.*.* 10.1.1.1 netmask 255.255.255.255 access-list outside_access_in line 2 extended permit tcp any host *.*.*.* eq 3389 (hitcnt=4)
Question? With the primary link active and the default route pointing out through the primary, am I able to configure an inbound NAT to the same inside host 10.1.1.1 on the backup link?
If the primary fails users will need to be able to connect inbound to this service
When I try to set it up I got this error ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
So I tried that and got this error WARNING: All traffic destined to the IP address of the backup interface is being redirected. WARNING: Users will not be able to access any service enabled on the backup interface.
So what is the best practice for configuring inbound NAT for a dual ISP configured ASA
We have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?
There is web server at the internet. The firewall ASA5505 is located at the inside edge of the edge router and the internet is at the outside edge router of the edge router. The router has already been configured can route the outside network of firewall to internet. [code]
1. I have a host at the DMZ zone of firewall and if it wants to access this web server by http, the following command lines to be added to ASA5505 good enough and anything wrong with them? [code]
2.I have a doubt here that do I need to add any command line related to the Static Mapped address of 192.168.20.10/24 like below?
access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80.whereby the 192.168.20.10 is the static mapped address of the Host at the DMZ to Outside Nertwork. Or, any other command related with the Static Mapped address have to be added?
I have configured ASA 5505 for remote access VPN to allow remote user to connect to the officce LAN from remote locations. VPN working fine, users can access offce LAN and sahred resource etc but once they connected to VPN, they can not browse the internet ? Internet browsing stop working as soon as their VPN client connnect with ASA 5505 t, once they are disconnected from the VPN , again they can browse the internet.
Does ASA 5505 blocks the internet browsing for VPN users ? Is there anything else I need to congfure to make sure VPN users can browse internet? Do I need to configure Split Tunnleing , NATing or routing for the VPN users?
I've been struggling with gaining access to the inter through our Comcast business gateway. We have had Comcast configure the device fro true static IP subnetting. Turned of local DHCP on the device etc. Here is my config.
I have and office that the cable modem tends to go down on the weekend. Can i setup my asa to support a second provider so that if the one connection is slow for some reason, my users could connect to the second provider instead? they would both be used at the same time most the time.
Context:1- My company has one ASA 5510 configured with Site-to-site VPN, Ip sec Cisco VPN and Any Connect VPN.2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the Na Ting for internal users to go out.3- A second link is coming in and we will be using ISP 2 to load balance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).4- A router will be deployed in front of the ASA to terminate internet links.5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2). Questions:How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?Since I will be having 2 public Ip Addresses from the 2 ISPs, how do I NAT internal users to the 2 public Ip addresses ?. Finally, which device should be doing the Na Ting? The ASA just like now or move Na Ting to the Router?
I have a ASA5505 and I'm having trouble to achieve the following setup, block any kind of connection from outside except for IIS on port 80 and 443 but allow from the server to access any outside address, by domain or ip. Right now apps writen in C# on the server are throughing socket errors and Teamviewer remote control is not working, I would like it to replace remote desktop.
We are connecting to a Cisco DPC3825 cable modem supplied by our ISP. It has been configured to act as a switch only. They have supplied us with 2 static IP addresses.
When each WAN port is connected individually, everything is fine. I see the IP addresses on the respective WAN port, and it is working fine.
When I connect both WAN ports to the modem at the same time, I see a large amount of traffic between the WAN ports, as indicated by the port LEDs, and the RV042G becomes completely non-responsive through its web interface.
How do I get the RV042G working with both WAN ports connected?
I am trying to provide internet access to public and private SSID's on Cisco AP541n using VLAN's connected directly to ASA5505. VLAN1 is inside interface (private) and VLAN12 is wlan interface (public SSID). The AP541n is plugged into switch port 0/7 on an ASA 5505.Port 0/7 is configured as trunk mode. I have internet access when connected to private SSID but no internet access when connected to public SSID. why I can't access internet on public SSID?
logging class ip history emergencies mtu inside 1500 mtu outside 1500
I have a cisco asa 5505 firewall, and I have a normal home ADSL broadband router, the router currently connects via wireless to my pc.What I would like to do is basically connect the asa to my pc, then my router to my firewall.what the best thing to do here, run the aa in transparent mode, OR routed mode and do NAT on the firewall to the private ip address range of my router. OR, would it be possible to get the outside interface of my asa to get DHCP from my broadband router so it will use a 192.168.1.x address on the outside, and then turn NAT off?
I just recently purchased a Cisco ASA 5505 ASA ver 8.2. I run a teamspeak server/ssh/dns and domain on the same server on the network. Before I switched to the asa, I have a regular DGL-4100 that ran with no issues. I have noticed that the connections are very unstable and disconnect frequently and when they do they take 1 to 5 minutes to be able to reconnect. I have done some cisco IOS but am fairly new to this. [code]
6Jun 24 201118:08:44126.96.36.19958623174.141.xx.xx25Deny TCP (no connection) from 188.8.131.52/58623 to 174.141.xx.xx/25 flags RST on interface outside I am getting this error in my asdm logs whenever I try to send an email with an attachment. Regular email go through fine. If I send a 1mb file it seems to go through after several attempts. If I send a 5mb file it might go through anywhere between 4-15 hours. It doesn't matter where I send from. Sometimes it will say ACK or RST ACK on interface instead of RST. The ASA is running 8.3.1 code. I have tried inspect ESMTP and removed it, tried sysopt connection timewait. I am at a loss.