Cisco WAN :: ASA5505 Doesn't Route Any Traffic
Apr 23, 2012
I am trying to configure dual ISP on my ASA5505.I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic.The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router. [code]
View 7 Replies
ADVERTISEMENT
Jan 2, 2012
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
route-map proxy-redirect permit 101
match ip address 101
set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
View 2 Replies
View Related
Nov 14, 2012
customer's WAN solution, instead of buying routers, purchasing department bought ASA's (don't even get me started!). So I have 5 ASA 5505's for the branch offices and one 5510 for the Head Office. I am trying to get them to behave like routers and pass the traffic across. I set up a lab with a 5505 and the 5510 using an ethernet cable for both Outside interfaces since the WAN links are going to be MetroEthernet Layer 2 anyway.
I tried static routes, dynamic routing, I followed examples from other persons who did it and it doesn't work. I attached the configs here to show I have the default routes, specific static routes pointing the traffic out, any any rules configured as well. I cannot ping from the internal lan of the 5505 to the internal lan of the 5510.
View 1 Replies
View Related
Nov 29, 2011
i have cisco asa 5505 Security adaptive firewall. my inside network is 192.168.1.0 255.255.255.0 . i want to add static route another network i have that network id is 192.168.2.0 . 255.255.255.0.how i can add the route.
View 9 Replies
View Related
May 25, 2011
My network consists of a router and a ASA5505. The router has a serial connection back ot HQ. The ASA has a VPN connection back to HQ. I want the network traffic destined for HQ to travel over the VPN connection until that connection is no longer valid (down). I've been told that RRI is the way to go but cannot get it to work. I get one of my routes to show up in the router but that's it (and not as a static route). Also I don't want the routes to be injected if the VPN connection is down. But I do want the VPN connection to be the preferred connection.
View 2 Replies
View Related
Feb 14, 2011
Got a problem routing trafic to my L2L tunnel...
Got an ASA5505 Sec+ with ip 10.45.10.1 on inside interface. Firmware 8.3(1). Got another Cisco router (From my ISP) with ip 10.45.10.254 - This one creates an L2L tunnel - To the 10.45.20.0/24 net.
On the 5505 ive got "route inside 10.45.20.0 255.255.255.0 10.45.10.254 1", and trafic is being directed to 10.45.10.254 as it should.
I know cause I can ping everything one the 10.45.20.0/24 net - But thats it... Cant RDP, connect to fileshare... Nothing.
When i test a PC and set it to gateway 10.45.10.254 I can access everything on the remote network. Do I need some NAT command or an access-list? I've setup AnyConnect VPN on the ASA and I can connect to both networks without any problems.
View 2 Replies
View Related
Feb 6, 2013
I would hereby like to inform if it is possible to configure the Cisco ASA5505 firewall to route internet via an external VPN, while a laptop and smartphone connect to the firewall via Cisco AnyConnect VPN.
The configuration would result into: Laptop on public internet -> Cisco ASA5505 VPN -> External VPN (Unix server) -> internet.
View 4 Replies
View Related
Mar 20, 2013
I have an internal DVR system that I am trying to share to the outside world. We recently put in an ASA5505 and I am having trouble getting the settings correct.I want to use an external IP to access the DVR system from anywhere and have my ASA5505 redirect the traffic to the internal IP address. I assume I need to use a NAT and a route policy however can not figure out how it would be.
View 11 Replies
View Related
Mar 4, 2013
I am advertising the 172.16.10.0 network from R5 to R1 via EBGP. The problem is that on the Router R1 I see the route 172.16.10.0 whith show ip bgp command but in the show ip route don't appear.I thinked that the problem was SYNCHRONIZATION,so that will activated synchronization on the routers R1 and R4 but don't work. Furthermore the routers R2 and R3 neither receive the route via OSPF.
View 11 Replies
View Related
Feb 6, 2013
I'm trying to sort out someone else's 800 series router config IOS 12.2 that was just added onto for years and never cleaned up. There are about 10 route map statements near the end. As far as I can tell, only two are being used. Doesn't a route map statment have to be called(referenced) in another statement in order to actually be used such as either under an interface or in a nat statement?
View 2 Replies
View Related
Mar 23, 2013
I have setup a remote access VPN to an ASA5505
I have a directly connected server behind the ASA and I can ping the server without a problem.
The VPN client reports packets being encrypted and decrypted
However when I try to RDP to the server the encyrpted packets keep incrementing but the decrypted packets do not.
I am also not seeing any RDP traffic hit the server (verified by ethereal)
I have done a packet tracer and it suceeds but ends with an IP spoof which I believe is correct as it is vpn traffic and not actually being encrypted.
This is the debug from the RDP session, I am confused by a Denied ICMP on line 2 as I am able to ping the server?
%ASA-6-302013: Built inbound TCP connection 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) to internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.146: no matching session
[Code].....
The only logical bit to this is flow closed by inspection? Does this mean the server has not responded?
And the decrypt packets not increasing when trying to RDP Does this mean that I have reached the end of my ASA knowledge on this one!
View 6 Replies
View Related
Nov 15, 2012
Configured cisco 881, WAN has static IP address and LAN is nothing fancy. I can ping out to url... or anywhere from the router but cannot from LAN client computers. [code]
View 4 Replies
View Related
Jan 24, 2011
I have a Cisco router 877. I am trying to configure a backup with ISDN.The primary line is an ADSL over pppoe. The problem is that despite the primary line fails, doesn't change the path and continue going by the main route.I have a very similar setup, also with a cisco 877, but with a normal DSL and it works perfectly.I solved the problem by activating a tracking but is slower than the other method.
View 2 Replies
View Related
Jun 10, 2013
I changed from a Linksys E4200 to a 5505 and when I use trace route, it doesn't return a DNS name for each hop. I can see the hops shown as asterisks. Do I have to add something to inspect for this to work?
View 1 Replies
View Related
Dec 11, 2011
My network has two connections to a third party via links on two seperate ASA , one in location A and one in location B. The link in location A is the primary connection and the other in location B should be used by only two terminals (term1, term2) in location B. ASA are running OSPF and are redistributing static routes as metric-type 1 in OSPF. In order to achive the aforementioned goal, I have configured a route-map on ASA location B, that sets the metric for the route towards the third party to a high value (100). This way, all routers, even those in site B prefer the exit through location A (metric about 24).
I have checked that my routers correctly have the route to the 3rd party through location A, and the OSPF database has records for the network from both locations.In location B, I have configured the following route-map (on 6509)
route-map PREFER-LOCAL-ROUTER permit 10
match ip address XXX
set ip next hop locationB-ASA
int vlanYYYY
ip policy route-map PREFER-LOCAL-ROUTER
[code]....
From the terminals (term1 and term2) I have tried a traceroute towards the 3rd party's subnet, but I don't get any match neither on the access-list nor on the route-map. Unfortunately I have no other way to test that my configuration is correct, since the application on the terminals, that should access the 3rd party network, is not currently running.
I also addedd the statements below to the access-list, because of the test with tracert:
permit icmp host term1 route_to_3rd_party 0.0.255.255
permit icmp host term2 route_to_3rd_party 0.0.255.255
Nothing changed...Is there something wrong with the above config? Is there a chance that there is a problem with the IOS, that simply doesn't show any hits?
View 9 Replies
View Related
Apr 19, 2010
I have a 2821 router with two T1 WICs and have the need to route FTP down one T1 and all other TCP traffic down another T1. All traffic is going to the same remote IP address. The remote sites are in different states, and I assume that the remote subnet is being bridged between the states. It's kind of a weird set up, but it's not my design.
Anyway, can I use a route map to split off FTP traffic to host A and send it down one T1 and have the rest of the IP traffic to host A go down the other T1? I also need to be able to have all traffic use one T1 in case the other T1 goes down.
My first thought was to static all IP down T1-1, then route map FTP traffic down T1-2, then have a floating static for all IP traffic down T1-2 with a higher metric. But something would have to track the T1 interfaces and I'm not sure if route maps or static routes can do that. Any thoughts on this?
View 2 Replies
View Related
Feb 23, 2011
I have a router that supports wireless network. I have 2 desktop computers that connect through LAN, 3 Laptops that connect using WiFi. Lot of them use utorrent. I want to block it. They use it to download movies. I have warned them of consequences but they simply dont listen. I dont know how to implement QoS in my router. Mine is UTStarCom.
View 1 Replies
View Related
Sep 12, 2012
I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?
View 14 Replies
View Related
Feb 18, 2012
The router passes the Interface test for the WAN port in CCP but it still we cannot access the internet. Here is my configuration:
Building configuration...
Current configuration : 3663 bytes
!
! Last configuration change at 09:29:52 Chicago Mon Feb 20 2012 by fbcpekin
version 15.1
[Code].......
View 5 Replies
View Related
Jun 27, 2012
I want to route gre traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with gre enabled, but the ACE20 seems to drop the gre packtes. The gre traffic is entering via the vlan 561 interface and should be send out via the vlan 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. In the service-policies is nothing configured for the gre traffic.
Code...
View 1 Replies
View Related
Jun 6, 2011
I have a two RV042 VPN Router, I successfully connected the IPSEC tunnel. I cannot route Traffic in the tunnel. See the diagram.
MAIN Network
10.252.x.x
-------------->
FIREWALL
a.a.a.1
INTERNET
RV042a WANa <<------------------------------->> WANb RV042b
a.a.a.2 b.b.b.b
In this manner the network of b.b.b.b wil connect to the Main Network 10.252.x.x, unfortunately I can't pass traffic to RV042b going to RV042a. Everytime I trace the route, the traffic goes outside the Internet not to RV042a.
View 1 Replies
View Related
Jun 29, 2011
I need to route traffic to DMZ (and internal) from the branch office thru the IPSec tunnel. How do I manage that with my Cisco 881?
View 1 Replies
View Related
Jun 15, 2012
I'm station overseas and it's really hard to access certain websites and servie like Netflix or ESPN. What I had created was GRE tunnel from my Home "A" to my current location "B" and route my traffic from point A to B using 2 cisco 1700 routers ( and It was working great) but now I can't use GRE nomore. I still have PIX and ASA on both sides and I was trying to do that over VPN tunnel but I can't ping VPN tunnel gateway( basicly what was next hoop in GRE) on the other end ( which is the main problem why I can't route traffic to remote site). I was wondering if I can still do the same thing over VPN tunnel that I did with GRE tunnel.
View 1 Replies
View Related
Jan 30, 2012
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to acomplish this? I have tried utilizing the crypto map policy to do this, but was unable to acomplish this.
Each of our office locationss utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.
View 21 Replies
View Related
Dec 12, 2010
i tried to configured L2TP connection on ASA5505.Phase 1 and Phase 2 are completed but Windows Client doesn't work. [code]
View 4 Replies
View Related
Jan 5, 2012
I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
These are configuration lines:
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000
[Code]......
View 1 Replies
View Related
Aug 21, 2011
I am using OPEN VPN in order to connect to a Canadian VPN server.I want ALL internet traffic to ONLY use the VPN connection and no traffic shall pass through my local ISP under any circumstance.In the event the VPN disconnects, I DO NOT want any internet traffic automatically sent via my LOCAL ISP connection. Can I simply disable my LAN network adapter in windows AFTER the vpn is connected? (since vpn uses its own TAP adapter?)
View 2 Replies
View Related
Apr 5, 2012
I have a media player wired to my dir-655. I have a wrt300 on the same network to use for vpn. I live in Canada, and to use Netflix etc, from the US, I need to use the vpn.Is it possible to have the media player routed through the wrt300, rather than discovering all the IP addresses for Netflix etc and routing each one?
View 3 Replies
View Related
Jan 25, 2013
I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]
View 6 Replies
View Related
Nov 27, 2011
I have set up an ipsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind ASA to inside behind FG, however I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup' To troubleshoot I have configured a test ('fake') vpn connection through the vpn wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
View 1 Replies
View Related
Nov 15, 2011
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248ASA5505(config-if)# no shut
[Code]....
Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
View 5 Replies
View Related
Jan 29, 2012
We are going to be setting up a remote access VPN to a Cisco ASA 5505, once connected to the VPN the internet traffic from the client will then go back out to the internet from the ASA (for web browsing), but Is there anyway to force the traffic through an AV server at the head office site before the traffic goes back out to the internet?
View 5 Replies
View Related
May 20, 2012
I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.
We have a single site in China witha dedicated 1:1 leased line that has good conectivity both inside and outside of China.
All the sites in China have ASA5505 firewalls
One of our Citrix farms is hosted in the UK and although the main site with the leased line is fine accessing the farm the other sites are not. I would like to try and tunnel just the citrix connectivity via a VPN to the China head office then use their connection to get out to the farm.
how to tunnel all traffic but not just specific traffic over the VPN.
View 3 Replies
View Related
