i have cisco asa 5505 Security adaptive firewall. my inside network is 192.168.1.0 255.255.255.0 . i want to add static route another network i have that network id is 192.168.2.0 . 255.255.255.0.how i can add the route.
View 9 Replies
i have asa 5505 , so i wanna my inside network to access to the internet. my internet gateway is 155.155.155.1
: Saved
:
ASA Version 8.2(1)
!
interface Vlan1
[Code]....
I have an issue accessing the inside network of my church from VPN. This only happens when I connect from my home network. I have no problem accessing inside network of my church if I'm connected from else where (my Clear Hotspot or someone else's house). Here is the hardware detail:
At the church, we are using Cisco ASA 5510 and we have so many VPN tunnels to different churches. At home, I 'm using Cisco ASA 5505. See that attached configuration for my home ASA5505.
I'm trying to make a very plain and simple network with the ASA 5505, I've strated from scratch over a dozen times triyng to find where I'm going wrong. My main goal is to simply create an IPSec VPN connection to my ASA 5505 and simply ping and connect to devices with the "inside network", so far I can easily create and establish a IPSec VPN Connection, but up to this point, I cannot successfully ping or access a single device on the ASA 5505 inside network.I've taken, create the IPSec profile with the ASDM wizard, add exemption for the VPN IP Pool, add access-list from this Cisco link, url...All this and I can't make a single connection to the inside network. [code]
View 7 Replies View RelatedI am trying to access and ping the inside interface of a ASA5505 from a remote network. From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24
[code]....
I currently have an out of the box ASA5505 and need to change the internal interfact from 192.168.1.1 to 10.20.3.1 so it fits in with the rest of the network.Tried using the ASDM Startup wizard (via 192.168.1.1) and it just seems to hang on "delivering the commands to the device".
View 16 Replies View RelatedI am very new to Cisco ASA and I am trying many days to implement the design below but still cannot get it done. The situation I am facing is
- a host (e.g. 192.168.5.10) under Inside interface can contact to outside without any problem.
- however a host outside (e.g. in VLAN1 or outside this network) cannot contact host under Inside interface. I am using PING test and always get Request Time Out. [code]
I have an ASA 5505 with 3 host license.I want to configure 2 outside interfaces and have inside interface. The outside interface going to a separate ISP.Will this work or do I need more licences?
View 3 Replies View RelatedHave a problem in config of my ASA5505 --> I can't access Internet from my new created vlan number 4 (Vlan4):
here my config:
ASA Version 8.4(1)
!
hostname FWWIB1
enable password OEIOH8Zv/vNvif8C encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
I have the following config below on my ASA5505, where I want to be able to access remote computers who are VPN'd into the inside network, for support purposes.I want to be able to ping the VPN ip from the LAN, and be able to connect to these computers via the VPN ip. [code]
View 4 Replies View RelatedLet me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
The ASA5505 I am working with has this from the show version:
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs : 3, DMZ Restricted Inside Hosts : 10Failover : Disabled VPN -DES : EnabledVPN-3DES-AES : Enabled VPN Peers : 10WebVPN Peers : 2Dual ISPs : Disabled VLAN Trunk Ports : 0
This platform has a Base license.
Does the Insides Hosts :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?
I just try to ping a internal Host but it want to go.
Laptop<===>ASA5505
Connected is the Laptop at Ethernet 0/2 Inside
My running-config is a clear config, only VLAN 1 has a IP and Ethernet 0/2 is up.
But If I try to ping to the Laptop I get the followed:
asa5505# ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa5505#
From the Laptop to the ASA5505 I can Ping successfully.
I have Cisco ASA 5505 installed and use as default gateway. I go to Internet through the ASA5505 Here is my Problem.I can not ping from ASA prompt(ASA#) to my Laptop connected to the ASA, but i can ping the ASA inside interface from laptop i can not use ASDM and the VPN Tunnel is not working between the sie
ASA# ping 10.10.10.12
???????????
100% lost
Laptop c
C:/ping 10.10.10.1
!!!!!!!!!!!!!!!!
Here is the Topology
INTERNET .<=========================>ASA<===============================> LAPTOP
I disabled window firewall on the Laptop , but no goof result.
I have inherited an ASA 5520. In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP. I am trying to understand the purpose of this route or why a route would be setup this way.
Example Static Route:
Inside 10.xx.31.0 255.255.255.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)
We have two sites: 192.168.100.x and 192.168.101.x currently connected via IPsec VPN. On each end we have a Cisco ASA 5505. However, each site also has an MPLS VPN with intentions to move all traffic to this link. Will this work on the ASA? We need to make sure traffic can hit the ASA @ site A on the inside interface and trafiic will forward to the MPLS VPN router which then handles the traffic. Too, will it cause any problems in bi-directional flow between the two sites?
View 3 Replies View Relatedcustomer's WAN solution, instead of buying routers, purchasing department bought ASA's (don't even get me started!). So I have 5 ASA 5505's for the branch offices and one 5510 for the Head Office. I am trying to get them to behave like routers and pass the traffic across. I set up a lab with a 5505 and the 5510 using an ethernet cable for both Outside interfaces since the WAN links are going to be MetroEthernet Layer 2 anyway.
I tried static routes, dynamic routing, I followed examples from other persons who did it and it doesn't work. I attached the configs here to show I have the default routes, specific static routes pointing the traffic out, any any rules configured as well. I cannot ping from the internal lan of the 5505 to the internal lan of the 5510.
I have ASA5505 configured with internal network as 192.168.15.0 and default gateway 192.168.15.1 From the inside network, i'm able to access internet and able to ping all website (enabled ping). and all internel network devices can ping each other. Except i cannot ping my gateway (ASA5505) 192.168.15.1. I'm continously seeing this message on the log, when i tried to ping.. How to fix this?
Denied ICMP type=8, code=0 from 192.168.15.xxx on interface inside
replace xxx with my network devices that try to ping the gateway..I dont want outsiders ping my gateway, i need ping for inside internal network only.
I want to upgrade "inside hosts" from 10 to unlimited on a ASA5505-BUN-K9, Do I have to buy Security Plus license ( L-ASA5505-SEC-PL =) ) before activating ASA5505-SW-10-UL ?
View 3 Replies View RelatedThe ASA device is going to be the gateway for multiple distinct inside IP subnets. We can have have a unique outside IP address to correspond to each inside IP subnet if needed, but we need some means for a VPN client or a site-to-site VPN to have acess to a pre-definied IP subnet (i.e. if customer A establishes a VPN connection, they have connectivity to IP subnet X; customer B establishes a VPN connection, they have connectivity to IP subnet Y, etc.).Currently, the two inside IP subnets are 10.10.0.0/16 and 10.20.0.0/16. We will be adding more.The problem we are facing is that we cannot reach the VLAN 201 from the ASA we believe this is because. I have setup two addresses on port 0/1 Vlan1, 10.10.20.2 and 10.20.20.1 as an alias. How can we make traffic for the 10.10.0.0/16 subnet untagged and traffic for the 10.20.0.0/16 subnet tagged for VLAN 201.
View 1 Replies View RelatedUsing an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I havent tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
[OK] object network SBS-HTTPS
object network SBS-HTTPS
[ERROR] nat (inside,outside) static interface service tcp https https
NAT unable to reserve ports.
I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.
I have installed ASA5505 in the network. Port forwarding has been done for one of the server in our LAN. Public users are able to access the server successfully. I am trying to access from inside using the same Public server IP, but unable to access it. Can I have this feature in ASA5505(I think it is loopback configuration). If so, may I know the configuration detail?
View 4 Replies View RelatedI recently added a business cable modem to relieve some of the congestion I was getting on my T1 for our MPLS network. There was an ASA 5510 collecting dust in a closet here and I thought it would be the perfect device for firewalling the traffic coming in from the Cable modem, and handling the routing of our internal MPLS traffic as well. Internet setup was cake. The test laptop I have using the ASA as it's gateway has great internet service but it cannot ping across either of our MPLS networks. I have one MPLS with AT&T and one MPLS with EarthLink. My hope was to use the cable modem as the Default route for all unspecified internet traffic and route our internal MPLS traffic to the cisco 2800 routers that are currently in place for the MPLS. I can ping across the MPLS when I telnet to the ASA, but I cannot ping across the MPLS from the client that is connected to the ASA.
Here's the topology I'm working with
Internet
|
Cable Modem
|
ASA 5510 10.52.120.23
[Code].....
My network consists of a router and a ASA5505. The router has a serial connection back ot HQ. The ASA has a VPN connection back to HQ. I want the network traffic destined for HQ to travel over the VPN connection until that connection is no longer valid (down). I've been told that RRI is the way to go but cannot get it to work. I get one of my routes to show up in the router but that's it (and not as a static route). Also I don't want the routes to be injected if the VPN connection is down. But I do want the VPN connection to be the preferred connection.
View 2 Replies View RelatedGot a problem routing trafic to my L2L tunnel...
Got an ASA5505 Sec+ with ip 10.45.10.1 on inside interface. Firmware 8.3(1). Got another Cisco router (From my ISP) with ip 10.45.10.254 - This one creates an L2L tunnel - To the 10.45.20.0/24 net.
On the 5505 ive got "route inside 10.45.20.0 255.255.255.0 10.45.10.254 1", and trafic is being directed to 10.45.10.254 as it should.
I know cause I can ping everything one the 10.45.20.0/24 net - But thats it... Cant RDP, connect to fileshare... Nothing.
When i test a PC and set it to gateway 10.45.10.254 I can access everything on the remote network. Do I need some NAT command or an access-list? I've setup AnyConnect VPN on the ASA and I can connect to both networks without any problems.
I am trying to configure dual ISP on my ASA5505.I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic.The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router. [code]
View 7 Replies View RelatedI have 2 questions.Om my cisco 2811 (IOS 12.4(15) T9 IPBASE W/O Crypto) i am using 3 interfaces.And i have a pool of Global addresses: 200.x.z.97-200.x.z.126 255.255.255.0
FastEthernet 0/1 description WAN interfaceip nat outsideip address 200.x.y.253 255.255.255.0
GigabitInterface 0/2/0description DMZ interfaceip nat insideip address 10.0.0.1 255.255.255.0
GigabitInterface 0/3/0description LAN interfaceip nat insideip address 192.168.0.251 255.255.255.0
[Code]....
I have been working on a configuration for single IP address (on outside ) of ASA5505.I am trying to utilize the outside address 192.168.0.249 to PAT/NAPT to 10 inside machines [code]
What I am not sure of (actually that could be considered all encompassing) is the mapped services/real services.Any constructive comments assistance?
I would hereby like to inform if it is possible to configure the Cisco ASA5505 firewall to route internet via an external VPN, while a laptop and smartphone connect to the firewall via Cisco AnyConnect VPN.
The configuration would result into: Laptop on public internet -> Cisco ASA5505 VPN -> External VPN (Unix server) -> internet.
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
route-map proxy-redirect permit 101
match ip address 101
set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
I have an internal DVR system that I am trying to share to the outside world. We recently put in an ASA5505 and I am having trouble getting the settings correct.I want to use an external IP to access the DVR system from anywhere and have my ASA5505 redirect the traffic to the internal IP address. I assume I need to use a NAT and a route policy however can not figure out how it would be.
View 11 Replies View RelatedI've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies View Related
