Cisco WAN :: Asa 5510 With Private Ip Address On Wan

Feb 8, 2012

i recently get high speed link for my compagny to replace the old frame realy.the internet service provider gave me a non routable range to set on my asa  like this : [code]then the ISP tell my public ip wan range was x4.23.209.166/29.i made this kind of configuration works when i put a cisco routeur in befor the cisco asa like this: [code] it is possible to make this works on cisco asa 5510 without putting a router in front ?if it works problem can happen to establishing vpn from the outside interface having a private ip ?

View 6 Replies


ADVERTISEMENT

Cisco :: Private Address Block 172.16.0.0 - 172.31.0.0?

Apr 11, 2011

how the address stops at 31 in the second octet. I'm not even completely sure how it starts at 16 for the first address (172.16.0.0). are we dealing with subnets?

View 10 Replies View Related

Cisco Firewall :: Map Public IP To Private In DMZ In ASA 5510?

Jul 22, 2012

I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and  another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have 192.168.101.0/27 private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.

View 9 Replies View Related

Cisco Firewall :: 5510 NAT Public Ip To Private

Sep 5, 2012

We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.

View 7 Replies View Related

Cisco WAN :: ASA 5510 / Cannot Access Internet From Private Network?

May 1, 2013

I'm setting up a Cisco ASA 5510.I did the setup for my public and private interface.From the management software I can ping any outside domain using my public interface, but when I try to do that from my private interface I cannot.Also for some reason my ip phone connected to the private interface work (I'm able to make and receive call), but any computer that I connect to the private interface I cannot access the internet.

View 1 Replies View Related

Cisco VPN :: 5510 Unable To Ping Any Off Private IPs At HQ From New Branch

Jun 25, 2012

We have had a successful site to site vpn working for several months now. It is an ASA 5510 at HQ to a ASA 5505 at a branch office in another state. We just added a second site to site vpn in another state this time from HQ to a Sonicwall TZ100. After plugging in the Sonicwall to the Qwest modem in bridge mode the tunnel came right up. I was unable to to ping any off the private IPs at HQ from the new branch, but was able to use remote desktop into the servers and workstations at HQ. Also all the computers show up when browsing the network from the new branch.
 
At the first branch we are able to ping both ways and use remote desktop both ways.When using packet tracer in ASDM on the HQ ASA and pinging from one of the IPs in the HQ protected network to an IP in the new branch network NAT-EXEMPT looks good, but when it hits the first NAT it matches on the "dynamic translation to pool 10 (10.1.255.254) [Interface PAT]" (which is the default route for all the vlans to get to the Internet.)The next NAT (subtype - host-limits) looks better and this one going to the IP address of the outside interface of the HQ ASA 5510, but then the third NAT (Subtype - rpf-check) reverts back to the "10 (10.1.255.254) Interface PAT]" and the packet is DROPPED. Also there is no VPN step in Packet Tracer after NAT.[code]
 
Is the problem possibly due to the fact that my 2 new ACLs for "encrypt_acl-30" fall after "access-list global_mpc extended permit tcp any any" in the config and it is running into the implicit deny all?

View 8 Replies View Related

Cisco VPN :: ASA 5510 / VPN Client With Overlapping Private Networks?

Jun 6, 2012

I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
 
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have cable router with no VPN capability, and they don't want to spend any more money on this project.
 
Can this work if their are no duplication of IP addresses?

View 25 Replies View Related

Cisco WAN :: 1941 Cannot Translate Private To Public IP Address Using NAT

May 4, 2012

I have 5 workstations with 2 servers but the backup server (black) is shut down intentionally.I have 1 cisco gigabit unmanaged 8 port switch and 1 cisco 1941 vpn router.The cisco 1941 vpn router is configured for IPVPN connection to other branches.
 
Challenge:

1. Configure NAT to enable the 5 workstations to be connected to the internet thru the router to the ISP.
2. Configure NAT to enable the server to be accessed from outside using the public IP address provided by the ISP. [code]

Verification:

1. I can ping other pc on 10.71.5.0/24 network.
2. When I typed in the ISP's public ip address on the browser, i got into the modem user interface for configuration.
 
I still can't connect to the internet. When i do tracert, it stops on the 192.168.15.1 hop and didnt continue. This shouldn't be the case since i want to connect using the GE0/1 outside port for the internet.

View 6 Replies View Related

DHCP Server And Automatic Private Address?

Sep 7, 2011

I'm a heavy PC Gamer, I play games such as World of Warcraft, Borderlands, Call of Duty, Steam Games, I also know my way around fixing internet issues, But this one just seems to have gotten me off guard, Recently, 1-2 days ago, I was browsing the internet like a normal day, and It was late, so I decided to go to sleep, Turned my computer off, Woke up the next morning, Turned it on, It then shows that I kept getting kicked off the LAN for some reason, It was like this[CODE]

View 2 Replies View Related

Cisco WAN :: 2960 Physical IP Address Of Server Is Private Range

Aug 3, 2012

I have Internet connection in Ethernet Medium connected to a L2 Switch (Cisco 2960). I have 2 Routers (Cisco 2900). I have a webserver to be accessed from Internet. The physical IP address of the server is Private range.
 
I have configured Stateful NAT as below
 
157.220.100.61 is Static NAT to 10.1.1.3 using redundancy
 
Though HSRP is working good, when RTR-1 is down, I am not able to reach Webserver (10.1.1.3) using RTR-2
 
We found in the that ISP Switch, that even when RTR-1 is down, the MAC address for 157.220.100.61 is still present one pointing to RTR-1 and other pointing to RTR-2. There are 2 MAC address entries for 157.220.100.61

View 5 Replies View Related

Domain Name Registrar Pointed To Home Web Server On Private IP Address Behind

Jun 6, 2011

I have purchased a domain name through a registrar. I currently have a hyper v lab set up at home with a domain controller/dns server and am thinking of starting a web server on either Apache or IIS on a different virtual machine. I want to point my domain name to my home web server.What do I do I have to do at my domain name registrar? I have to point a type of dns record to my home server's public IP and maybe vice versa.I have a static IP at home. Do I have to create some DNS records pointing from my domain name registrar to my server at home using my PUBLIC ip address? If possible please provide specifics on which records I should point to my home server PUBLIC ip address and if any DNS changes need to be made within my domain. Also if any records on my home domain (windows ad domain setup)

I seem to be able to find a lot of info on Apache and IIS but not a whole lot of info on how your web domain name registrar relates to your own web server . I'm not really interested on IIS or Apache specifics but more interested in the fundamentals of how a domain name registrar (GoDaddy, or any other registrar/host) needs to be pointed to your web server and vice versa. I know a lot of people on forums tend to point to links or tell me to go to google but I find it hard to learn that way.

View 3 Replies View Related

Cisco Switching/Routing :: Telnet Can't Login 2911 Router With Private Address

Jan 7, 2013

We have a cisco 2911 router configured with password for telnet login, but I always failed to login use telnet, does any one know any place need to be modify?

View 6 Replies View Related

Cisco VPN :: ASA 5510 - NAT Destination Address Through VPN?

Feb 25, 2012

I am trying to perform destination NAT through a VPN tunnel.my scenario traffic coming from 172.29.11.135 needs to connect to address 192.168.1.1 from the source device traffic will have a source IP address of 172.29.11.135 destination will be 172.30.14.1 traffic will hit the asa 5510 and the traffic source will stay as 172.29.11.135 but the destination needs to change to 192.168.1.1.
 
I have tried the different types of NAT but been unsucessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
 
example config
access-list FROM_INTERNET extended permit esp any any
access-list FROM_INTERNET extended permit ah any any
access-list FROM_INTERNET extended permit gre any any
 access-list FROM_INSIDE extended permit ip host 172.29.11.135 host 172.30.14.1
access-list VPN-TUNNEL extended permit ip host 172.29.11.135 host 192.168.1.1
 
**I have left other config statements off as the NAT config used previous has not worked and the VPN tunnel does build when using NAT exempt.

**All ACL have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static roule for the VPN traffic allowing the default static to perform that function.

View 1 Replies View Related

Cisco VPN :: 5510 External IP Address Not Controlled

Aug 19, 2012

We have a strange issue for one of our customers that recently migrated to our internet service.They are trying to vpn to an external ip address not controlled by ourselves. The issue is only on one subnet and isolated to Mac’s, PCs in the same subnet also work fine. They were able to vpn from the MACs before they migrated to our INET solution. They previously used a checkpoint FW for their outside NAT and firewall and now are using a failover pair of asa 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination ips from the correct subnets. All other subnets with Windows PCs can vpn out to external ip without issue. The users in that subnet with the MACs can also browse internet fine so the routing and nat overloading is also ok
 
When they try to initiate a connection from the macs i can see the connection/xlate coming in from a source port of  udp 4500/500 and also a destination of udp 4500/500 instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other macs using the same source ports at the same time to connect out? They are using the onboard mac vpn client, he can’t get the Cisco one working at the minute. [code]

View 1 Replies View Related

Cisco VPN :: 5510 Summary Address In ACL Rather Than Having Five Lines

Jan 4, 2012

I have setup a site to site VPN with an ASA 5510 (8.4) and a Cisco 2811. The tunnel is working fine, however both sites have 5 different contiguous networks. The crypto ACL between sites states only one subnet.Is it possible to state a summary address in an ACL rather than having five lines for the ACL?The tunnel works when the router uses an ACL of 10.2.200.0 0.0.7.255, however if a summary address of all the subnets on the inside network of the ASA are stated in an ACL - 10.1.200.0 255.255.248.0 - then the tunnel does not come up.Is it possible to state a summary address on a crypto ACL on the ASA?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Single Address NAT From VPN

Jan 17, 2012

We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.
 
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
 
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
 
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
 
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
 
For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.
 
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentialy, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.
 
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.

View 4 Replies View Related

Cisco Firewall :: How To Filter By MAC Address With ASA 5510

Mar 3, 2013

I am using an ASA 5510 firewall in routed mode.How can I filter incoming traffic by mac address on the AS 5510 ? I have already setup a static access rule for rdp users on the outside to access a terminal server on the inside.Now, i would like to further limit access from specific computers only.

View 7 Replies View Related

Cisco Firewall :: ASA 5510 Server's NAT Address Not Changing

Nov 16, 2011

I added a new server and created a new static NAT assignment on the ASA 5510 to the server's IP.  When I browse to the web to check what public IP it's reporting, it shows the wrong IP.  I disabled the network interface on the server, ran "clear xslate", reenabled the network interface, ran "sho xlate" and while the correct translation was in the table, the server still reported the wrong IP address.I even ran a packet trace and it showed the IP address being correctly translated to the proper public IP, but when I browse to the web I get the same erroneous public IP. [code]

View 8 Replies View Related

Cisco VPN :: 5510 - Multiple L2L Ipsec To Same Destination (ip Address)

Jan 23, 2012

im lookin to establish a a multiple L2L ips  tunnels ( one tunnel for each subnet) from my cisco asa 5510 to the same destination. should the cisco asa capable of this ?

View 6 Replies View Related

Cisco VPN :: 5510 Unable To Resolve Server Address

Mar 27, 2011

I am using the Cisco VPN Client 5.0.06.0160 - and am having an issue connecting to my ASA 5510 via VPN.  This issue is happening on 1 of our laptops.  All other laptops connect just fine.  So the problem is not in the ASA.  I have double checked the client setup and config and it too is correct.  The interesting thing is, we are connecting to an IP Address and not a host name.

View 1 Replies View Related

Cisco VPN :: 5510 Remote Vpn Users Having Address From Pool 2

Apr 5, 2011

can i have 2 pools each with diifferent subnet [code] i wanna put restricution on remote vpn users having address from pool-2,and just give them access to 172.16.10.0/24,is it possible on the asa 5510?

View 7 Replies View Related

Cisco Firewall :: Add IP Address For SMTP Services ASA 5510

Nov 28, 2012

We have hosted spam filter service with 3rd party vendor.  My vendor is switching to different spamming services and I need to add ip address lets say 44.33.454.32 to the list of allowed system that can connect to my smtp service.  I am going over my firewall 5510 configs and I think I need add the entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]

View 2 Replies View Related

Cisco VPN :: Remote Access Address Pool ASA 5510

Mar 17, 2013

Is the following sysntax correct in removing a remote access vpn address pool and inserting a new one on an ASA5510?
 
(config)# NO ip local pool BWCVPN 192.168.200.1-192.168.200.128
(config)# ip local pool BWCVPN 192.168.300.1-192.168.300.128
(confif)# tunnel-group BWCVPN ciscovpn general-attributes
(config-general)# address-pool BWCVPN

View 5 Replies View Related

Cisco Firewall :: 5510 - Hosts Loosing IP Address

Dec 10, 2012

I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
 
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
 
Information:
     Lease length: 172800
     address pool: 134 addresses
     hosts: around 45 + mobile units 45

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Address Translation Through Internal Network

Jan 19, 2013

Is it possible to perform static Nat's through an internal network?I have a ASA 5510 with a public outside interface (let’s call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900m with that interface being configured with a 192.168.1.1 (no switching). On the 4900 M I have several VLANs one of them is an internal DMZ of sorts. (192.168.2.0/24). Within this DMZ network are several Web servers which need to be associated a public IP address (68.68.68.x).

Every time I configure a static Nat to associating a public IP address with an internal IP address within the DMZ, packet Tracer on the ASA informs me that the packet gets dropped at the static Nat and I cannot figure out why this is so.Safe it to say my question still stands is it possible to Nat (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring in such the manner above so that I acn apply static nat through the 192.168.1.0 network to reach the 192.168.2.0 network.

View 11 Replies View Related

Cisco VPN :: 5510 - Changed Public IP Address / No Access On Native LAN

Jul 11, 2012

i'm running a 5510 asa and the vpn has been working great for a while.   We recently change our network provider so i had to change the public ip, and dns on the firewall... now i can still connect via the vpn and browse accross my mpls to other sites, but cant really access anything on the native lan that the firewall resides on?

View 9 Replies View Related

Cisco Firewall :: ASA 5510 - Two Separate Address Pools On Same Interface?

Dec 25, 2012

We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP.  The addresses are not contiguous.  Is there a way to configure an interface on the ASA to handle both sets of public address pools?  If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool?  Then just NAT/PAT to my heart's content?   At that point I would want both to route to our inside network.  So it's basically two inbound sets of IP addresses comming into one interface and then comming into the network...  Right now the outside interface is configured with our first set of IP addresses.  We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool.  Hence the question.  I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?

View 4 Replies View Related

Cisco Firewall :: 2nd Public IP Address On 5510 That Points Nowhere Internally

Mar 15, 2011

Will I break anything if I create a second IP address on the physical external interface of our ASA 5510?  I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.

View 9 Replies View Related

Cisco Firewall :: 5510 - Duplicate IP Address With ASA Inside Interface

Apr 5, 2012

We've had issues with our Exchange 2010 server (running on ESXi 4.1) since its default gateway was changed to our new ASA 5510.  They manifested as frequent Outlook client connection dropouts or as IP address conflicts whenever Exchange was rebooted.  The temporary fix was to disable the Exchange server NIC, bounce the ASA and enable the server's NIC again.  We saw poor performance from Exchange after a while again, but after some research and testing I realised that disabling proxyarp on the inside interface fixed the problem permanently.
 
However I've now realised that the client VPN no longer routes properly because proxyarp is disabled on the inside interface, so I still have a problem.

View 10 Replies View Related

Cisco Firewall :: 5510 - Filter Internet IP Address Allow To Initiate VPN Connection

Apr 10, 2011

Using Cisco ASA5510 Security Plus (Post May 2010) with 8.2(1)
 
I was trying to limit the number of internet IP Address that can initiate Remote Access VPN connection to the firewall. I have plan to only allow internet IP Address from few ISPs for control.
 
However, blocking AHP, ESP, ISAKMP, NON500-ISAKMP, and IPSec Over TCP Port Assigned in the firewall outside interface doesn't work. But it works by putting the ACL in the router before the firewall. It seems that the  firewall have a "hidden" process VPN first before user entered ACL (or explicit rule), similar to Checkpoint FW's implied rule. How to get around it?

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Data Center Move / IP Address Change

Nov 4, 2012

We will be moving to a new data center in the very near future and with them our WAN IP addresses will be changing. Any best course of action for changing the IP addresses throughout the firewall configuration? Would it be possible/suggested to export the running-config, make the neccessary changes, then import the config? I am familiar with the ASA 5510 only so far as changes are required. It is not something I work with on a regular basis.

View 5 Replies View Related

Cisco WAN :: ASA 5510 - Allow Local Network To Access Public Internet Address On DMZ

Mar 14, 2013

I have a Cisco ASA 5510 I am using ASDM 6.1
 
I have a LAN and a DMZ and an internet connection. I am using one of the internet connection IPs to host a HTTP service on a server in my DMZ.  (its the same interface as my internet connenction but a different IP to the one used for internet connectivity)
 
so say my LAN is 192.168.1.x
and my DMZ is 172.168.1.x

I can access DMZ from Lan and vice versa. when i try to access the public IP (or URL) from a pc in my LAN i get nothing.
 
I have enabled DNS rewrite (doctoring) but it is still not working. the HTTP service is available from other sites.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Static Map - Outbound Flows Through Global Address

Nov 30, 2011

I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
 
Here are what I believe to be the relevant configs.
 
interface Ethernet0/0
description New 6mb circuit
speed 100

[Code]....

So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved