Cisco WAN :: Security Zones With Multiple Inside NAT Interfaces 2901
Jan 14, 2012
I am having big problems trying to get what should be a rather simple configuration to work.I have a Cisco 2901 Router and have setup Zone Based Firewall on this.Traffic from the 192.168.223.x network does not pass through to the 192.168.1.x network.my traffic appears to disappear down the big bucket...Interesting I can ping machine on 192.168.223.0/24 network from the 192.168.1.0/24,So the static routes setup on the router on the 192.168.1.0/24 appear to be routing ok.
View 4 Replies
ADVERTISEMENT
Nov 7, 2012
My corporate internal network is currently fire walled by an FWSM module on a 6513 switch. We have each security zone (we have eight) assigned to a FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN. Is it possible to support fire walling between these zones within a single security context? The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~ $12K for the context license. We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.
View 3 Replies
View Related
Sep 23, 2011
I have an ASA 5505 running 8.2(1), that is configured with three interfaces as follows:
Inside (security 100) 10.0.0.0 /24
Inside 2 (security 100) 192.168.0.0 /24
Outside (security 0) internet
Inside is connected to my internal network, inside 2 is connected to the network of a sister organization, outside is outside.
I'd like to be able to route between from inside to inside 2, and have NAT translate me to inside2's address.
I have inter-interface traffic configured, and when I use a NAT exemption, I can route fine. But the resources on network 2 must see my request as coming from the inside2 interface IP.
View 2 Replies
View Related
Oct 10, 2011
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
Below is a sanitized version of the config.
ASA Version 8.2(1)
!
hostname BOB
[Code].....
View 11 Replies
View Related
May 13, 2013
I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
I have 2 questions:
1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
Port 1: Controller management only=> 192.168.x.x /24
Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?
View 3 Replies
View Related
May 4, 2012
I have two inside interfaces (both security level 100) inside and inside110. Inside is 192.168.105.3/24 and inside110 is 192.168.110.3/24. I have a PC on the 192.168.105.0/24 network. I cannot ping the 192.168.110.3 IP of interface inside110.
View 2 Replies
View Related
Nov 1, 2012
I have an ASA 5505 with 3 host license.I want to configure 2 outside interfaces and have inside interface. The outside interface going to a separate ISP.Will this work or do I need more licences?
View 3 Replies
View Related
Nov 9, 2011
I trying to allow traffic between 2 inside interfaces with the same security level. VLAN1 and VLAN15. The are on different physical ports on the ASA. I tried to configure this through the GUI Web interface and checked ' enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct?
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
View Related
Oct 23, 2011
I have a Cisco ASA 5510 configured to access the internet, with an:
inside interface (ethernet 0/1) 130.130.0.254 and outside interface (ethernet 0/0) x.x.x.x
I have now configured another inside interface (ethernet0/2) on ASA with the IP 172.16.0.254 and I have connected it directly to another switch with a management IP 172.16.0.5.
The problem is that the two inside interfaces (130.130.0.254 &172.16.0.254) cannot communicate with each other thus the e0/2 172.16.0.254 interface cannot access the internet.
View 5 Replies
View Related
Mar 6, 2011
My customer is running an ASA5505 with 8.3 code.
The have a somewhat flaky proxy between their inside LAN and the firewall. I'd like to have a configuration as follows:
LAN > Proxy > VLAN 1 (eth0/2) on ASA
and
LAN > VLAN 1 (eth0/3) on ASA
So that in the event of Proxy failure (let's just say it loses power) the eth0/3 interface will kick in.
This appears to be easily configured according to the documentation:
"The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3"
But these commands don't seem to be available on a 5505.
View 7 Replies
View Related
Dec 30, 2012
I have a Cisco ASA 5510 with 3 inside interfaces each connected to a 3750X switch port in a vlan. Outside interface is connected to external router with 209.155.x.x public IP. Static route exists for outbound traffic on outside interface.
3750X is configured for inter-vlan routing. VLANs 10, 20, and 30 have 172.16.x.1 IP address with static routes pointing to the each of the ASA inside interfaces - 172.16.x.254. Connected hosts are configured with gateways pointing to the appropriate vlan interface IP - 172.16.x.1.
Inter-vlan routing appears to be working - I can ping back and forth between hosts on different vlans, and I can ping each vlan IP.I can also ping each ASA inside interface from a host in the appropriate vlan, but I cannot ping internet sites (4.2.2.2 or 8.8.8.8) from hosts on the inside interfaces.
I can ping 4.2.2.2 from the ASA CLI. I can ping internal hosts on vlans 10,20,30 from the ASA CLI. But, no luck with pinging from inside host to internet hosts
View 12 Replies
View Related
Feb 20, 2013
Today I run into a problem with enabling ICMP traffice between two inside interfaces on ASA5510 (version 8.2). I tried to ping from 192.168.1.2 to 192.168.2.2 Failed. But I can visit outside websites or ping from any of the two addresses above to 8.8.8.8 So I checked the configuration shown as follow
<omitted>
interface ethernet0/1
nameif inside
[Code]....
View 3 Replies
View Related
Jun 29, 2012
I have a Cisco 2901 with the 4port gigabit ethernet switch module that I'm trying to get configured to have a seperate subnet for each port. So far I have it set up so each subnet is a vlan, then on each port I use the switchport access vlan command to tell it which subnet I want that port to be on. However, there is one port that I need to have 2 subnets on. The way I found to do that was to use switchport trunking on that port, but it doesn't seem to be working properly. how they would configure this? Right now I have vlan 101 as x.x.x.17/28 and vlan 103 as x.x.x.53/30. I think where I'm getting hung up is the proper association between the physical port and the vlan subnets.
View 5 Replies
View Related
Mar 7, 2013
I have an ASA connected to 2 ISPs.I am using object tracking for the default route so only 1 path is used at a time. I have a L2L VPN setup going out interface A. I would like to configure a 2nd VPN going out interface B with identical parameters.
(ASA software 8.2)
crypto map PATH_A 1 match address outside_1_cryptomap
crypto map PATH_A 1 set peer 10.1.1.1
crypto map PATH_A 1 set transform-set ESP-AES-128-SHA
crypto map PATH_A 1 set security-association lifetime seconds 28800
crypto map PATH_A 1 set security-association lifetime kilobytes 4608000
crypto map PATH_A 1 set reverse-route
[code]....
View 2 Replies
View Related
Apr 1, 2013
If I have a PI 1.2 system that has multiple interfaces configured I can upgrade to PI 1.3 and both interfaces remain and I can see both under the admin webpage under appliance interfaces. But if I do a fresh install of PI 1.3 I can only configure one interface. The commands fail from the cli to configure anything but gigabitethernet 0. Are multiple interfaces not supported in PI?
View 2 Replies
View Related
Jan 15, 2013
Having upgraded to 8.3 from 8.2 I and read much about the differences , it seems that 8.3 deals with NAT in a much more managed method.However I am confused on how one would NAT a network object to multiple interfaces? i.e I know you can specficy a NAT adddress within the network object howeveer this only allows you to specific a single IP address.What if I want to talk accross multiple interfaces how would I specify this?
View 5 Replies
View Related
Jun 16, 2011
We have an ASA 5510 firewall. There are 4 ports on it configured as 2 outside, one inside, and one DMZ. We have two cable modems attached to the outside ports. Our plan is to have the "inside" port directed to one outside port/cable modem, and the DMZ port directed to the other outside port/cable modem.
We have been able to get the "inside-to-outside" setup to work but not the "DMZ-to-outside" setup (at least at the same time).First off, is this possible? If so, what are we likely missing - some way to have a second default route for the DMZ?(My manager is the "Cisco person" here, not me, so I may not have enough info.
View 1 Replies
View Related
Aug 20, 2012
I am trying to enable a second WAN interface on our ASA.the end goal is to move all internet traffic to the new connection, but first i want to test it working.I have setup my computer as an object in the ASDM and the interface is configured correctly (same settings on a different router and that was working)I setup a route with a lower metric ( 1 lower than the default route which routes everything through current main internet interface) to route traffic from my computer out through the new interface but i am still connected on the old interface.I duplicated some of th NAT rules (but i would have thought if these werent working then i would have no internet connection anyway)
View 5 Replies
View Related
Feb 24, 2011
I am trying not to run before i can walk,.. so first thing I'm trying to do is ping out to a DNS server in the internet: 212.135.1.36 from my internal network.
- If I put a default gateway on my router, and set to 172.16.32.254 (Firewall Vlan100 interface) and ping,.. it works fine from my router.
- If put a default gateway on my switch below the router as 172.16.32.252 (VLAN100 interface of the router) and ping from the switch it doesnt work.
I assume its getting to the switch as I can ping the 172.16.32.252 from the switch so the router is dropping the packets... my question is why!?
Once this bit works,.. the intention is to route any external bound traffic that comes from VLAN100 to 172.16.32.254, external bound traffice from VLAN200 to 172.16.64.254 etc etc
[Code] .....
View 5 Replies
View Related
May 12, 2013
I have c3725 router that have two WAN interfaces, both of which I want to serve VPN clients. However, I have only one default route, say for WAN1, so how can I accept client requests on WAN2.
ps: I use vpdn and pptp, and I'm a newbie to Cisco router and IOS.
View 4 Replies
View Related
Apr 2, 2012
we use LMS 3.2 in our network. We have a couple of 6509-V-E Switches with mutiple interfaces (VLAN interfaces and Layer 3 interfaces) The problem is, campus manager discovers the switch by a interface randomly...one time its a lay3 Interface and another one its a vlan interface which none of them are in DNS hence no name resolution can be made.
Is there a way to "tell" CM to us for instance the VLAN Management IP of the switch?
View 2 Replies
View Related
Jan 24, 2011
I have 2 routers ( Cisco 3845's) both running identical IOS's. Each router has identical 5 networks on it with one network each being different.I have HSRP set up on the identical 5 networks.Your standard Fail over senario.ON one of the routers one network is not seeing the other router in the same network, Will not Ping or traceroute.And HSRP stopped working ( both were thinking they were active. which of course brought the network to a halt. Non of the interfaces has any ACL on them, They are plugged into a Brand new Cisco 3560v2 switch. I have switches out the cables to eliminate that as an issues.
View 1 Replies
View Related
Jan 3, 2012
I have a 5508-WLC appliance and configured multiple ap-manager interfaces to balance the join request from LAPs and the load.I went to console port from some LAPs and saw that there was that balance among multiple ap manager interfaces (Dynamic AP Management Interfaces). Then we torn down one of the ap manager interfaces and confirmed that the LAPs were moved to next ap manager interface automatically.But the question here is, how can I verify which ap-manager interface was used for a LAP from the WLC via GUI or CLI ?? or how can I see the amount of APs joined using that ap manager interface from WLC ?
View 2 Replies
View Related
Apr 10, 2013
I am trying to lab something up and I believe I am doing something incorrectly. My management VLAN works fine, the AP on port 7 finds the controller fine, but my VLAN 80 doesn't seem to be mapped to port 2. I mapped a test WLAN to the VLAN, and setup a DHCP scope, and a client can get on the WLAN, acquire an IP address, etc. I thought I coudl then map that VLAN (80) to port 2 and have it go out a cable modem. Doesn't seem to be working that way, however.
View 3 Replies
View Related
Feb 12, 2013
This is for an ASA 5505 with the base license...I have a situation where I will not have one interface in my outside VLAN, but instead I want to have interfaces 1-7 in my outside VLAN and interface0/0 in my inside VLAN.
Is this supported with the Base license, and if so how would I do this? Do I still just need to assign one IP address to the outside VLAN?
Or will I need to upgrade to the Security Plus license and put each interface in a separate outside VLAN, so in essence I would have 7 outside VLANs each with the same security level (0)?
My situation is that I have several partner networks that i want to "aggregate" thru my one ASA 5505. So each outside interface represents a separate partner (outside) network, each of which I want to get to from my inside network. Hence the many outside to one inside.
View 5 Replies
View Related
Nov 21, 2012
I have a virtualization server with 4 network interfaces and connected it to a SAN. There are few virtual machines which writes data to the SAN.
I want to connect to the SAN with multiple interfaces to speed up the network.
Is it possible to send data on multiple interfaces? How can I configure it?
Computers are connected to san through switch.
SAN: Equallogic PS 4100 E
Switch: Dell Power Connect
Computer: Dell T610
OS: Centos 5
Virtualization: Kvm
NIC: 8
I am not sure about network card brand now.
View 1 Replies
View Related
Apr 4, 2013
The network topology is like this. Router with DHCP_Server on it.
VLAN 10
VLAN 20
VLAN 30
My question is how to configure the router so that all devices on all 3 VLANS can obtain IP from the router. I've tried to enable proxy arp on all interfaces and create sub interfaces and trunk them to their appropriate vlans, but I can't specify the gateway on all trunked sub interfaces because I get a warning that addresses overlap. Then I tried to set access-group on all sub-interfaces and still doesn't work.
View 5 Replies
View Related
Jun 23, 2011
NAT command on 8.4? I am trying to PAT multipule Inside subnets to an IP address. With the example I found I can only PAT one subnet. If I do it the way I have below, it will end up with the last subnet (3.3.3.0) stay in the config. What is the best way of doing it? I have about 20 inside subnets I need to PAT.
object network obj-Inside-sub1
subnet 1.1.1.0 255.255.255.0subnet 2.2.2.0 255.255.0.0subnet 3.3.3.0 255.255.0.0nat (inside,outside) dynamic 199.246.5.2
View 5 Replies
View Related
Mar 9, 2012
I'm trying to get my ASA 5505 (IOS 8.4) to work, but got stuck on NAT because I would like to allow 3389 access for just a couple of WAN IP's. This is what I found so far:
(config)# object network Internal_RDS(config-network-object)# host 192.168.1.10
(config-network-object)# nat (inside,outside) static interface service tcp 3389 3389(config-network-object)# exit
(config)# access-list inbound permit tcp any object Internal_RDS eq 3389
(config)# access-group inbound in interface outside
But this will allow all WAN IPs to access 192.168.1.10 over port 3389 I guess? I would like to allow only some WAN IP's
View 4 Replies
View Related
Mar 20, 2012
I've got a question concerning the configuration of multiple AP manager interfaces on -for example- a cisco WLC 2504. I've read the configuration guide but I'm not sure whether this is the way the protocol works. Say I want to distribute AP's (and traffic) across various AP Manager interfaces on the WLC. I would configure the following:
Create one management interface (which will automatically also be an AP-Manager interface)Configure 1 (or more) Seperate ap-manager interfaces, assign them to a port number, and select "Enable dynamic AP Management". VLAN ID's will be the same.Create a WLAN and configure it's interface to "management" Is it correct if I state that the LWAPP protocol takes care of the discovery from the Access Point and sends information about the available AP-manager interfaces back to the AP and the AP knows which ap-manager interfaces are available, connecting to the least loaded one?
View 3 Replies
View Related
Oct 18, 2012
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP Link, eg below:
LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_Acrypto map outside-map_isp1 20 set peer 1.1.1.1crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_Bcrypto map outside-map_isp2 30 set peer 3.3.3.3crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establising the VPN tunnels in either direction when using ISP_1 works fine establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2
1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3
It would seem to indicate that the problems lies with this multihomed firewall not directing the traffic correctly to either return down and establised VPN tunnel (point1) or to intiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient license etc...
View 4 Replies
View Related
Jun 26, 2012
The PC I'm using right now was built almost six years ago (ASUS A8N-SLI Premium), but it has dual Gbit NICs. My home file server was built four years ago using an entry level server board (Tyan S5211G2NR) and it also has two Gbit NICs.
I never quite understood how to take advantage of the multiple network interfaces. Can it be done through a standard unmanaged Gbit switch?
I'm building a new desktop, probably using the ASUS P8Z77-V mobo, which has just one NIC.
View 9 Replies
View Related
Sep 17, 2011
I am wondering if xconnect L2TPV3 feature could be done on multiple SVI interfaces on 871 router and 2911 router with built in 8 port switch?Like I need to extend two ethernet interfaces and can I use two SVIs on router built-in switch module on each side?
View 2 Replies
View Related
