Cisco WAN :: ASA5510 LAN To DMZ Communication Not Working
Oct 12, 2011
I have created a new DMZ and a LAN on my ASA5510. My Ethernet DMZ port is connected directly to a server (192.168.220.10). This server is able to get to the internet properly. Gateway ASA router: 192.168.220.222. My Ethernet LAN port is connected to a L3 switch, and this L3 switch is connected to a server (192.168.210.11). This server is able to get to the internet properly. My issue is that I cannot communicate from my 192.168.210.11 server to my DMZ server 192.168.220.10. From my 192.168.210.11 server I can ping my gateway 192.168.210.1 and 192.168.210.222. But I cannot ping 192.168.220.222. [code]
Aug 10, 2012
I have a working environment but wondering if there is just a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub interfaces on my Cisco ASA5510.
Now what I do need is some of the VLANs to communicate with specific devices on the different VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443.
What I am currently doing is setting the security level to 100 on each interface (including the DMZ).
Here is what I have:
interface Ethernet0/1.5
vlan 5
nameif Sub5
[Code].....
May 11, 2012
I've recently segmented my network and part of the process was creating a DMZ VLAN. I'm running ESXi 5 and have created two new VMs to add to this DMZ to begin the process of moving everything public facing to the new VLAN. At this point the new hosts will not communicate with each other, their gateway, and of course not the public internet. To get the first out of the way, they are configured according to VMware's VLAN guide: I have created a new vSwitch port group on the host and assigned them to VLAN ID 11 for the DMZ VLAN, and have the switchport on the switch (3560) set up as a trunk in dot1q mode with all VLANs tagged. The management VLAN is also NOT the default VLAN 1, so that is not causing any issues. My other server segment VLAN is working fine on the same ESXi host/s, so this does not seem to be the issue.
On the network side of things I have my ASA connecting to a 3560 with two interfaces, one for "inside", one for "dmz". Is this below correct? I feel like the static route should be route dmz with a gateway of 10.0.1.1.
_ASA_
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0
route inside 10.0.1.0 255.255.255.0 192.168.201.2 1 <- (192.168.201.2 is my 3560)
[code]....
Jul 20, 2011
When entering Remote group 0.0.0.0/0.0.0.0 to establish a VPN, all communication is not working. Do you know how to set it up so that it works?
May 22, 2012
I have recently upgraded a customer ASA5510 to version 8.3.
After upgrade web access etc is working fine however VPN is down. The config looks very different after the upgrade plus what looks to be duplicate entries.
I suspect it's an access list issue but I'm not sure.
hostname ciscoasa
domain-name default.domain.invalid
enable password NvZgxFP5WhDo0hQl encrypted
[Code].....
Feb 13, 2013
I contacted Cisco support. They told me that VPN between a Blackberry and ASA5000 is not supported. Today, 14 Feb 2013, they don't have any date on when AnyConnect for Blackberry will be available. So we cannot use a Z10 because the Exchange server is behind the ASA, protected with the ASA. Apple and Android work well with AnyConnect and certificate. URL
Apr 6, 2012
I have opened ports 25, 110 and 80 on my server. From local I can telnet to all of those via my private IP, but from the public IP it's not responding.
2nd thing: I can ping both IPs of my server, through the private IP and through the public IP.
Jun 29, 2011
I am trying to get an ASA5510 working in transparent mode, multi-context. I am on revision 8.2.5, so there are no bridge groups (those are enabled in 8.4). I first set it to transparent mode, then set it to multi-context mode. I am doing trunking through the Ethernet0/0 to Ethernet0/1, and have two vlans on subinterfaces of each interface. These interfaces are in the 2nd and 3rd contexts, and all trunking between vlans is working correctly in transparent mode.
But I can't telnet or ssh to the ASA itself.
I have an IP address on the inside vlan interface in each context, and can ping the IP in context 2 and context 3. There is an IP also in the admin context, but I am unable to ping this. I have tried putting it in the same vlan as the 2nd context, and putting it on the management interface, but since there is a global IP only in transparent mode, I don't think the management interface is used (even though it is in the admin context's included interfaces).
Since I can't connect to the ASA, I can't easily get the running config to post it here, even though that would likely
To summarize:
- transparent mode
- multi-context
- trunking (dot1q) through Eth0/0 and Eth0/1, so each interface has four sub-interfaces, each in its own vlan
- these VLANs are in each of the contexts except the admin context
- the IP of each context is able to be pinged, but can't telnet or ssh to it
- telnet and ssh are setup for allowing a /16 subnet range access, in each context
- access-list is setup for permit ip any any and permit icmp any any on the inside and outside interface of each context
- all thru-traffic is passing correctly, but can't manage the ASA other than sitting at the console of it
What I'm going to try now is putting the admin context into one of the vlans in the trunk and see if I can use it that way.
Mar 2, 2011
I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31, but since I upgraded it to version 8.41 the SSH stopped working.
Feb 27, 2012
I'm not familiar with the ASA 5510 product. I have been having trouble for the last 24 hours and still can't find the root cause yet. Here is my scenario; my network should be
WAN --- ASA5510 (FW) --- SERVER (192.168.1.0/24)
Now I face the problem: all the static 1-to-1 NAT is working OK. All my public IPs can be pinged from the outside internet. But the problem happens when I try to telnet to port 80 on each server. I tried telnet from my PC to public IP 124.xxx.179 80 and it works fine, but it failed on 124.xxx.180 80, then on 124.xxx.181 80 it works fine.
Then I tried on my colleague's PC, in the same network as mine, and I face another case where the public IP 124.xxx.179 80 cannot be telnetted, but it's OK for 124.xxx.180, then it failed on 124.xxx.181 80.
FYI, all our PCs can ping the public IPs with no packet loss.
The scenario is very weird; I can't find any other solution as I have reviewed my configuration a few times.
Please check whether my configuration is working properly or not.
ASA Version 8.2(5)
!
hostname fw-asa
enable password xxx encrypted
[Code].....
Jan 15, 2012
An ASA5510 (with 1 webserver behind it, just starting to build the cluster) was functioning OK with version 8.2: I was able to log in using RDP to the server behind it from some trusted IPs.
I updated ASDM to the latest version 6.4.7, and then the ASA-software to 8.3.2. After reloading, I could not access the server anymore. I saw that changes were made to the config. Then I updated to version 8.4.3, same results of course, and this is the config. [code]
Feb 29, 2012
I configured my Cisco client with the info from the VPN wizard and get the following error:
Error in the Cisco VPN client when enabling the log: Invalid SPI size (log) + reason 412: the remote peer is no longer responding (application). Message I see via the ASDM-IDM: Built inbound UDP connection for interface WAN
I'll explain briefly what I'm trying to do here :
* Remote vpn with windows users having cisco clients
* Group authentication and in the asa5510 LOCAL authentication
My WAN interface has a public IP /29. I also defined a LAN interface with security level 100 in the 10.0.60.0 255.255.252.0 range. The VPN DHCP range I want to assign to VPN users is 10.0.69.0/24.
Basically I want users to initiate the VPN tunnel to the public IP and be able to access only the LAN range, 10.0.60.0/22.
ASA Version 8.2(5)
!
hostname xxxx
domain-name xxxx
[Code].....
Oct 11, 2012
I have a problem with an ASA5510 (8.0.4) firewall in South Africa (I'm in the UK). It's a replacement firewall that I am trying to configure remotely through a serial device with an internet facing connection, but the enable password is not working. I can connect to the device OK, type 'en' and when prompted for the password, whatever I use (blank, cisco, Cisco etc.) I get an 'invalid password' message.
Aug 7, 2012
Cannot access Cisco ASA5510 ASDM nor SSH through AnyConnect VPN; attached is the current configuration. The user authenticates via AAA locally and has admin service-type. When the VPN session is established, it lets me go through the certificate warning, and when trying to install the ASDM launcher it is failing. SSH access is enabled but not working. I can access both ASDM and SSH from the inside network, from a PC on that network.
May 5, 2012
I set up AnyConnect on an ASA5510 and enabled Secure Connect in CUCM. I did everything as written in the Jabber for Android administration guide and end user guide. But when Secure Connect is configured on my mobile, the Secure Connect entry is never created even though I entered all the correct parameters such as gateway address, authentication group, username and password. Jabber is working fine internally.
ASA log says:
SVC message: 16/NOTICE: The user has requested to disconnect the connection.
SVC closing connection: User Requested.
WebVPN session terminated: User Requested.
I succeeded in connecting via the AnyConnect app on iPhone. So I believe the AnyConnect VPN connection has no problem. License checked.
Anybody succeeded in implementing secure connect using AAA authentication?
Jun 15, 2011
My mail server is not in my network; it's elsewhere over the internet. After installing the ASA 5510, I cannot get my mail any more.
Mar 20, 2011
I have an ASA5510 that was working in a HA config that is now constantly rebooting itself. Here is a copy of the dump of traceback messages:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82
Low Memory: 631 KB
High Memory: 256 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 2578 Host Bridge
00 01 00 8086 2579 PCI-to-PCI Bridge
00 03 00 8086 257B PCI-to-PCI Bridge
00 1C 00 8086 25AE PCI-to-PCI Bridge
[Code] .........
Mar 30, 2011
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1
route management 10.72.0.0 255.255.0.0 10.72.232.94 10
This doesn't work, and ASDM logging gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages through the management interface of these ASAs, and it would be very burdensome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinent ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby
[Code].....
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found that the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
Jan 3, 2013
I have a customer who has VLANs and SVIs residing on a core 6509. The 6509 is connected to an ASA 5515, then out to the internet/SP edge device. IP routing is not turned on. There is a static route on the 6509 that routes all IPs to the inside interface of the ASA 5515 that the 6509 core is connected to. There is a set of VLANs that are part of a 192.168.128.0/19 subnet, and all those VLANs can "speak" to each other.
Sep 13, 2011
I am working on a Cisco 5510 with multiple interfaces and requirements. I have experience with Cisco IOS, but not too much with the ASAs. I seem to be getting a bit confused on the NATing and ACLs on a firewall that was started by another employee, who is no longer here. With my current config I can get the firewall in place (we are currently using an older PIX) and most basic functions work except for two key things: 1) communication from the finance interface to the inside interface. The finance subnet has some restrictions that you will see in the ACL: we are trying to limit connections to those systems, but they need to be able to access an e-mail server on the inside. 2) communication from the DMZ interface to the inside interface. Maybe related to the first problem?
Nov 30, 2011
I have a stack of SGE2010P switches with 3 VLANs (1, 10 and 255) on it. Connected to it via a trunk port, I have a SF300-24P. On the trunk ports, I have VLAN 1 untagged and VLANs 10 and 255 tagged (on both sides, obviously). On the SGE2010 stack, I can set a port's primary VLAN ID to VLAN 10, and workstations work correctly. On the SF300, if I set a port to type general, and the port's default VLAN to 10 (on the port to VLAN page), I cannot get any communication to work. This is my first time with a non-CLI switch, and I am having real problems figuring out how to troubleshoot this problem.
Feb 5, 2011
I have a SA 520W with the following configuration:
-WAN port: Internet access for web browsing and QuickVPN access for remote users
-Optional port: Configured as WAN, for VPN access to another office (Office 2) in the same building through a public network
-Ethernet ports: Computers on Main Office.
So far I have been able to configure communication between Main Office and Office 2 via VPN. Office 2 has no Internet access, so I need to share the Internet access from Main Office. QuickVPN clients have no access to Office 2, only to Main Office.
Nov 10, 2011
I have an ASA 5510 configured with two L2L VPNs from the headquarters to two different branches. I'm using the ASA "outside" interface, which is connected to the internet, in order to establish and configure the 2 VPN connections. Could branch 1 communicate with branch 2 through the ASA?
Oct 24, 2011
How do I successfully configure a PIX 501 to communicate with an LG Phoenix (I'm assuming Android OS) via an L2TP/IPsec VPN?
Nov 11, 2012
How can I allow passive FTP communication in PIX 6.3(5)106?
Aug 1, 2011
I have set up a hub-and-spoke VPN with communication between the spokes; the hub is also capable of receiving VPN client connections using the Cisco VPN Client.
Is there a way to enable communication to the spokes using just the VPN Client connection to the hub?
Hub Static Ip / 10.0.0.1 DMVPN IP / 192.168.1.0 LAN
Spoke 1 Dynamic Ip / 10.0.0.2 DMVPN IP / 192.168.5.0 LAN
Spoke 2 Dynamic Ip / 10.0.0.3 DMVPN IP / 192.168.4.0 LAN
Spoke 3 Dynamic Ip / 10.0.0.4 DMVPN IP / 192.168.2.0 LAN
Tunnels are up and running with communication between the spokes.
Oct 17, 2012
My company bought another company and moved them into our building. The company moved in but is on an entirely different network altogether: wired separately, different domains. What I would like to do is be able to have them communicate with each other, e.g. have users on company A be able to use printers on company B's side of the network.
Jul 10, 2012
I have a network at home with 3 wired PCs and 2 laptops that I usually connect through WiFi and occasionally hard-wire. The setup is one router, one switch and a wireless access point. I just added one new PC and I am having a specific problem with that PC and one of the laptops. The transfer speeds are really slow between this one PC (seemingly capped at 30 kbits) and the one laptop, whether through WiFi or hard-wired, and the issue is both ways. Both have absolutely no issues with any other computer on the network and transfer files without any issues. Both are Win7 Ultimate.
Jun 11, 2011
My router keeps on disconnecting?
Feb 25, 2013
Say I have a managed switch that supports VLANs. I have two computers and one server connected to the switch (I'll call them PC-1, PC-2, and SRV-1). Without routing, I want both PC-1 and PC-2 to talk to SRV-1 and vice versa; however, I don't want PC-1 or PC-2 to talk to each other. I achieve this by making each port a trunk port. I make PC-1 a member of VLAN 2, PC-2 a member of VLAN 3, and SRV-1 a member of VLAN 4. The port that SRV-1 is on I make a tagged member of PC-1's and PC-2's VLANs (VLAN 2 and 3 respectively), and I make the ports the PCs are on members of the SRV-1 VLAN (VLAN 4). Everything tests OK (that is, the clients can't talk to each other; however, the clients can individually talk to the server).
Mar 12, 2011
I configured an ASA 5510 ...
In total it has 5 ports.
How do I provide communication between two different interfaces that have been configured with the same security level?
How many trunks will an ASA 5510 with the base license support?
How do I configure a trunk to an interface with different VLANs (router on a stick)?
Apr 12, 2012
I have a Cisco 877w (configuration shown below) and I am trying to use a Photo Transfer app on my iPhone 4s and iPad 3 which allows transfer of photos and videos between the devices using WiFi. The only thing is I cannot get my devices to communicate with each other, and I suspect that this is to do with the configuration of my router, as the app works perfectly using Bluetooth but obviously a lot slower. I cannot even ping the devices from my PC, which is also on the same WiFi network. How should I tweak my config?