Cisco WAN :: NAT / Access After Putting 5512 ASA Behind RV180 Router
Feb 12, 2013
Previously we had a 5512 ASA setup and working properly. We had several internal address static nat'd to external address and were able to access our servers externally. Unfortunatley, when it came time to setup our site to site vpn we found out our ISP was blocking the necessary traffic on the IP we were using for the ASA's outside interface. We ended up having to buy a RV180 to act as a dummy router to assign the restricted IP to on its outside interface and put the ASA behind it so we could assign it an unrestricted IP for it's outside interface for the site to site vpn.
The problem is our NAT and access rules are no longer working. Internet access works fine however. We haven't even set the site to site vpn stuff up yet either. What do we need to change in either the ASA or the router to get this working again. I don't even know where to begin with providing any pertinent information for diagnosing the problem.
How to restrict my Router by putting in a Pass word so my neighbours could be stopped using my highspeed internet and thus makinit weaker for my household.
I have a Dell Wireless Router, yes I know terrible lmao but was free a laptop I bought my sister. Anyways, it does not seem to be putting out a wireless signal.However if hook an ethernet cord from the modem, to my parents pc, eliminating the router completely, the internet works, this is how the set up usually is. I have my pc upstairs with a wireless card and have never had problems until now.When I hook up the wireless router, the internet light, lights up etc. But on the main computer that is hardwired, loses internet. It just has "Limited Connectivity".I tried resetting, powering off, restarting. I tried to set up a new wireless network and the computer cannot find any wireless devices. My computer upstairs cannot find a wireless network either.We also have a wireless "Roku" box which is netflix, this works off wi-fi, but this also cannot get a wireless connection.
Ive tried typing in the routers ip just guession that is the 192.168.1.1, I have tried a bunch of others but cannot get into my routers settings. I am trying to get into those router settings thru my browser, Im trying to figure out the ip. However if I hook my router up I lose internet so i am un-able to do that.I build PC's and service them, but networking is where my expertise end.
I have 2 static IP addresses that I'd like to point to 2 corresponding servers in my LAN. I've followed the Access Rule and One-to-One NAT instructions as best I can (screenshots of each for one of the static IP scenarios attached), but no luck. The static IPs bring the outside/WAN user to the RV180's admin login screen.
I have a static IP block and need to route to various servers. I know I can use 1:1 NAT or Access Rules and have success with each. The problem is my mail server. When I use 1:1 NAT, the mail is sent from the correct IP - the address of my mail server - and there is no problem with reverse lookups. However, I cannot block any ports when I use 1:1 NAT. I have tried it every way I can think of and even some suggestions in the forums that did not work. No matter how I set access rules, all port stay open in 1:1 NAT.
If I delete the 1:1 NAT rule and use Access rules to open specific ports, the mail server sends out the mail from the WAN address. The reverse DNS does not match and mail server will bounce the mail.
I purchased a RV180 router, and would like set the Firewall Access Rules as below
- Action: Always Allow - Service: HTTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address) - Action: Always Allow - Service: FTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address)
The firewall access rules no problem within 1 hour after setting. I can access the http / ftp services by the WAN ip address. After several hours, I can't access the services.
I can set the one-to-one NAT rather than use the firewall access rules, but I would like block all other ports, and one-to-one NAT will forward all ports to the private ip address. Administrator > Logging > Firewall Logs , when I enable the settings, where can I get the log of the firewall?
I have recently upgraded from a Cisco Pix 515E to a Cisco ASA 5512-X.
I am obviously having trouble considering the changes implemented in 8.2. I have set up the wan and lans appropriately, as well as the VPN's. Everything is working at my location, and the VPN's are established as well.
I would like to be able to have full access in between all three VPN's and my location considering our web, email, DVR, and database servers are here.
I can't seem to ping or access my off site routers GUI pages the way I can with the PIX.
When I establish the mirrored rules on the firewall, I am able to do these things, but I lose internet at my current location.
I am in the process of adding a lot of servers to sit behind our new ASA 5505 (8.4) firewall. At the moment I have added 2 servers and they are both NAT'ed to 2 different public IPs.
Server 1 192.168.10.1 -> 80.*.*.1 Server 2 192.168.10.111 -> 80.*.*.6
The first server can only be RDP'ed in to using its public IP which is what I want it to do. The second one has most of the service ports open like 443, 80, 110, 25 and etc. However when I try and browse externally to [URL]. I get an " Error 107(net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." in Google Chrome or any other browser. and the ASA reports:11:27:30192.168.10.111262680.*.*.6443Inbound TCP connection denied from 192.168.10.111/2626 to 80.*.*.6/443 flags SYN on interface inside and I also get a Land to Land attack detected from 80.*.*.6 to 80.*.*.6
Is it worth setting up a DMZ or can I get away with the setup I have?
rvl200 is not working with any new os/java. cisco is not fixing and telling us to move on.picked up a vpn server and placed it on the dmz for rvl200 (on 192.168.1.105). for the life of me, can not get traffic from the outside to go to this server. tried port forwarding on rvl200 (for 443) which is what the vpn server recommends. rvl200 is not allowing this. can not go through the ssl vpn on rvl200 since it does not work. looked at rv042 topics and it shows similar problems.
I am an administrator and my co-worker keeps on going on you tube during work. Is there any way to make his computer only use up 20KB per second instead of 150 KB per second?
I am using webauth and need to install a SSL cert to prevent the "There is a problem with this website's security certificate" message. I have a Wildcard cert that was issued by Network Solutions that I use on a couple web servers I run, and want to know if I can use that for the WLC? It's a pks cert and I think the WLC needs to use a pem cert, so I converted the wildcard to pem. Or do I need to purchase a cert that is not a wildcard and is in pem format?
I'm implementing and found out some issues are unresolvable on ACE4710. This network have been running on a server without LB. Now the second server comes up. We choosed to implement with Routed Mode.This network Peak @ 300Mbps. Now on we're doing the first context which is function as content web-farm. In near future, 2nd context which takes care of indexing web-farm when they buy more server.
From following diagrams.I browsed from internet into this service. "show service-policy" shown as '0' (counter was not running). I guessed that there is something wrong in FW configuration. So I isolated out FW. Then I plugged-in my PC into network 30 (192.168.30.X) in front of this LB, then browsed into LB's VIP (192.168.30.1). LB "show service-policy" came up BUT there is nothing return to my PC (client). "show conn" on LB as "SYNSEEN". What's SYNSEEN?! Some meaningful.
Then I tried to figure out with a PC running 'apache' and took the place of real server. "It works!" returned from LB/Server. "show conn" became 'Establish' Programmer guy said if I browse into web-farm (i.e. content web-farm) directly pkt will be redirected to indexing server. But they said it will be L7 redirection. Not LB/Network level.
Today I'm going to be re-organzing my network, kind of and I just wanted to get a second opinon. Right now I have an ASA 5510 and a Cisco 2911 and a Cisco 2960 (and I have two more 2911s and 2960s that handles our phone network).
Router 2911 is on the edge Gi0/0 has the public IP and Gi0/1 is not used and then I have 5 individual VLANs (Gi0/1.100, 1.200, 1.300, 1.400, 1.500) VLAN 100 is our internal network 10.10.18.1/24 (router is 10.10.18.1)And the 2960 is used for swichport access, the ASA is on the side and only used as a VPN.
What I want to do is put the ASA on the edge so I can dump all the access-lists and everything then 2911 will only be used to route the traffic. Now I know I will have to reconfigure the VPN, which isn't a problem. My question is when putting the ASA on the edge do I just put the public IP on the ASA's e0/0 and then plug the 2911 into the e0/1 of the ASA and give the Gi0/0 of the 2911 the ip address of 10.10.18.1 or do I just shut it down? The reason behind this is because I would actually like to use the ASA for more than just the VPN passthrough.
I have a problem putting a Cisco 1141 AP in repeater mode with a AP HP Procurve.Root AP is a the Procurve, but when try to put the Cisco AP with same SSID, Authentication, etc, I receive this error:
%DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: NO Aironet Extension IE
I try disable the Aironet Extensions and always get the same error all time. It's possible connect both APs?
I am trying to configure my network so that VPN traffic is only routed to a single physical port on the RV180 or to a certain subset of devices on a network.
I have a site-to-site vpn setup in a home office and am connecting to the corporate network. The user has a couple of devices running on the home network that need access to the corporate network.
We are hoping to leave his PC accessible to his home network as well as the corporate network, but restrict other devices from accessing the vpn.
I beleive I could do it by playing with the subnet but I can't get my head around it.
I just got a server cabinet from a friend and i am going to put all my networking stuff in there i want to put my router inside it too but im not sure if it will affect the signal the cabinet is made out of metal but not thick.
I would like to know if it is feasible to put those Aironet AP with internet antenna like AP1142 / AP1042 in a enclosure box (Like IP66 grade) box. Will those enclosure box absorb the Radio signal from the AP? or the Radio signal can still survive after passing the box but the Signal Strength be degraded only?
I am contemplating replacing my Juniper Netscreen 5GT with this new RV180.
serial number 161303LB RVC180 V01
However, it will not connect to my ISP (DSLExtreme) using the same settings I have been using for multiple years. DSLExtreme is using AT&T DSLAMS, as you likely know, and I am unaware of anything unique about how they serve DHCP?
The Cisco wizard sits on the WAN configuration check forever, and never connects. I have rebooted it and allowed it to sit for fifteen minutes trying. I think that is enough.
The 5GT WAN interface is configured for "DCHP Client" and that is how the RV180 is configured.
It is a standard 6MB DSL line, I have tried both the existing cable, as well as the provided one to connect to the D-Link 2320B modem/bridge, which, as I indicated, syncs almost instantly with the Netscreen. No difference when the cables are swapped.
I have a Catalyst 2950G when I activate the switchport port-security, but I want to empty the black list of mac address because every time I connect a device, the port is automatically désacative, here is the port configuration:
I want to ask if is possible to configure the RV180 behind my DSL Router to connect using QuickVPN. First I tried to connect to the PPTP server and worked fine, but when I tried to connect using QickVPN, seems to connect but when the client says "verifying network" after a while appears the message "network not responding..."
In my DSL-Router forwared this ports: UDP: 500,4500,443,60443 - TCP: 443,60443 (i don't know if tcp ports are needed but I opened for testing) and allowed protocol ESP (comes with the rule to allow IPSEC-L2TP)
wether the Cisco RV180 router model can be configured with a public IP address on the LAN interface? I'm planning to use it in the following setup:
Internet ------------- WAN port (public IP) RV180 LAN port(public IP)-------------- WAN(public IP) RV016 LAN (private IP)
Disabling gateway operational mode and switching to router should disable NAT and allow this setup but need to confirm if it works? I'm concerned if the web management interface actually allows a public IP to be set on the LAN side.
I have a couple of WS-C3750X-48T-L and a couple of WS-C3750X-12S-S, I want to stack all four of them together into a single stack. WS- C3750X-12S-S are running c3750e-universalk9-mz.122-58.SE2 whereas WS-C3750X-48T-L are running c3750e-universalk9-mz.122-55.SE3.I have got a couple of queries as under:What are the options to achieve putting all these 4 switches into a single stack? Can the LAN Base switches upgraded to IP Base?
I have a number of existing 4506 chassis type switches (the older non -E version) that I would like to roll out IP phones to. Instead of replacing the entire chassis, I would like to just replace the line cards in the switches with WS-X4548-GB-RJ45V. What or how much power supplies should I have in each switch to be able to power the 5 poe line cards (each port per line card will power an ip phone)?
IP 66.x.x.38 is assigned to the outside interface. I can set static nats to all the other ip's and they work fine yet a static NAT using the same address as the outside interface does nothing.
I've used object network centralpark-http host 192.168.1.227 nat (inside,outside) static interface service tcp http http
I'm looking to make a possible configuration for a customer. They need a device to provide :- firewalling- bandwidth limiting based on protocols, IP, users- web content filtering- good reporting to see which device/users are consuming most of the bandwidth.I used to use cisco ASA as firewall but it's a while I last installed on and I'm nt uptodate which current state.So I thought of using an ASA 5512-X but I'd like to know if it comply with all the requirements .Most important being the reporting and bandwidth limiting capability. It would be great to have some configuration example regarding bandwidth management.
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
On Friday people were connecting, but now I get a message "Login Error" in the browser. In the ASDM home 'latest ADSM Syslog Messsages' I get "AAA authentication server not accessible", followed by two messsages AAA Marking LDAP server in group as FAILED AAA Marking LDAP server in group as ACTIVE
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
If I stop my IAS server on my Windows box i get the same error but much more quickly.
I have a sonciwall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...
My collegue and I have been trying to figure out why we are unable to get this ASA to NAT Overload correctly. I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't natting.
I have a customer who needs a 5512-X set up with two ports on the "Outside" interface and act like a switch on the outside. This is very easy to do with the way the ASA 5505 works just by creating vlans and treating the ports as members of the vlan.
I am having soem difficulty getting documentation and setup procedures for the new ASA 5512-X (or X models in general) firewalls.I know the IPS sensor is a software-based one, but I'm not sure how much different the setup in than with a 5510 and IPS module.
I've enabled Cisco "Anyconnect Premium Peers" for client less ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for "Total VPN Peers : 250".
* Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
* Do I have to consider 3rd party vpn clients, outside Anyconnect?
