Cisco WAN :: Have 2 ISP Connections On ASA 5510?

Sep 18, 2011

1 ISP connection which splits into two. One plugs into 5510 with outside IP and the other plugs into the other 5510 with outside IP address.
 
see diagram below:
 
Router routes are set as:
 
ip route 0.0.0.0 0.0.0.0 10.x.x.1 
##
ip route 10.x.x.0 255.255.255.0 10.x.x.2
   
We will be introducing another ISP into our network. We want to remove our current ISP and switch. But we don't want to do the cut overnight. We will migrate into our new ISP, so for a while we will have both ISP connections.

What I am thinking of doing is taking one of the ports on 10.x.x.1 and configuring it for our replacement ISP network and the same for 10.x.x.2. Will that work?

Can I have ASA 5510 configured for 2 separate ISP connections? What kind of route will I set on my router?


Cisco VPN :: ASA 5510 - Dual WAN Connections

Nov 29, 2011

Context:
1- My company has one ASA 5510 configured with site-to-site VPN, IPsec Cisco VPN and AnyConnect VPN.
2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
3- A second link is coming in and we will be using ISP 2 to load balance traffic to internet (i.e. business traffic will go via ISP1 and "other" traffic will go via ISP2).
4- A router will be deployed in front of the ASA to terminate internet links.
5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).

Questions: How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend? Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses? Finally, which device should be doing the NATing? The ASA just like now or move NATing to the router?


Cisco Firewall :: ASA 5510 With 2 Internet Connections

Apr 5, 2013

Is it possible to have a Cisco ASA5510 with two internet connections performing as follows.

Internet A---------All traffic except LAN to LAN vpn
Internet B---------LAN to LAN vpn

I can't find anything definitive on Google to say it will or won't. I know it can't do policy based routing.


Cisco VPN :: ASA 5510 - Stopped Accepting Connections?

Jun 7, 2012

My ASA 5510 has stopped accepting connections today.  I cannot connect with ASDM either.  ASDM hangs at "Contacting the device.  Please wait" and does not return an error or time out.  I can telnet into the device but my CLI knowledge is elementary at best.  I'm trying to determine how to view or enable the correct logging and view via CLI.  I have looked at the client log from one of the users that cannot get in and have attached it.  It looks like Phase 1 is not completing but I'm not sure how to view what the ASA is logging.  I have run debug cry isa and debug cry ipsec but it just returns to the prompt and I'm not sure what I should expect to see or what command to run to view the results.


Cisco VPN :: ASA 5510 - Client Connections Getting Dropped

Mar 30, 2011

I have some remote locations that connect to my ASA 5510 cluster (Active/Passive) using the Cisco VPN Client, from which the connection gets disconnected at random intervals (could be 5 minutes, but sometimes after 15 minutes). However, some other remote locations do not have this problem. All locations have the same VPN client configuration (distributed by pcf file).

I already disabled isakmp keepalive on the ASA but this did not work. If I read it correctly, the Cisco vpn client logging shows that the ASA initiates the ending of the connection.
 
Code...


Cisco Firewall :: ASA 5510 Two Internet Connections

Aug 1, 2011

We are in the process of getting two new connections pulled in that I would like to utilize in the following configuration.
  
DS3 - 45/45 I would like to use this circuit for all of our servers to NAT out of as well as our VPN tunnel to our remote site.  It will be much more reliable than our cable line.
  
Cable Internet - 50/10 I would like to use this for all internet traffic that users generate.  I would like to be able to fail over to the DS3 if this line goes down.
  
To get all traffic to go out the cable line would take a dynamic NAT rule and a default route. How would I automate a failover to the DS3 with a backup route and dynamic NAT rule?
 
I understand that if the DS3 goes down it will take manual intervention to bring the tunnel back up and servers with static NAT will need reconfiguration.


Cisco Firewall :: Teardown TCP Connections With Kaseya Server (ASA 5510)

Sep 12, 2011

Normally the agents have a persistent connection with the Kaseya server (monitoring server). The connection is re-established after the next check-in of the agent, instead of a persistent connection. Now we need to wait for the next check-in before we can connect to the agent. This is a big performance issue; the check-in time of the agents is 3 minutes. I see a lot of the following messages in the syslog:

6  Sep 12 2011  20:27:48  302013  customer site  52798  5721  Built inbound TCP connection 5418112 for outside:(customer site)/52798 (customer site/52798) to inside:kaseya server/5721 (outsideIP/5721)
6  Sep 12 2011  20:29:09  302014  customer site  52798  5721  Teardown TCP connection 5418112 for outside:(customer site)/52798 to inside:kaseya server/5721 duration 0:01:21 bytes 45 TCP FINs

I created a normal static NAT rule from the Kaseya server to a public IP address, and I defined the protocols in the security policy. ICMP has been allowed. Cisco ASA details: System image file is "disk0:/asa824-k8.bin". This platform has an ASA 5510 Security Plus license. It looks like a connection time-out between the agents and our Cisco ASA.


Cisco Firewall :: ASA 5510 / Dropped Packets In VPN AnyConnect Connections?

Dec 5, 2012

Our Cisco ASA 5510 running 8.4(4)1 just started dropping packets and our AnyConnect clients are seeing horrible performance. The system is extremely slow compared to just a couple days ago. Nothing has changed on the system. I can post the configs if needed.
 
firewall# sho int
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
    Input flow control is unsupported, output flow control is off
    Description: == WAN Interface ==

[code]....
 
I have done a "sho vpn-sessiondb detail svc" and I can see the dropped packets of the individual users, but cannot see why the packets are still dropping. How can I correct this and restore speeds?


Cisco Security :: ASA 5510 - Internet Connections Dedicated VPN Traffic

May 22, 2011

We have an ASA5510 and we're currently using 1 internet connection to handle our site-to-site VPN connection and our internet traffic. We have a second internet connection on hand. What we would like to do is use BOTH internet connections: (1) will be dedicated to our VPN connection, (1) will be handling all our internet traffic. How can we get this set up? We're running Software Version 8.4(1).


Cisco Firewall :: ASA 5510 - Dual Internet Connections / Routing DMZ Traffic

May 29, 2012

I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". It was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection. When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for their internet browsing.

However, our FTP server, in the DMZ, completely loses outside access. It cannot ping to 8.8.8.8, or resolve DNS queries. There is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks. Effectively, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]


Cisco Firewall :: 5510 - Connections Routing Between Two Internal ASAs Fail

May 19, 2012

We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASAs and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as its default gateway, connections will establish.
  
Both ASAs are running 8.4(3), and have the following commands:
 
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside

[Code]....

And from the MPLS nodes, I can see a tcp request is made. 


Cisco :: Site-to-Site From 5510 To 5510 One Dynamic One Static IP?

May 26, 2011

I'm trying to figure out how to get two 5510 ASAs to establish a Site-to-Site VPN. The version with two static IPs is working perfectly and stable but I haven't figured out how to get a VPN running between a static and a dynamic IP.


Cisco :: LMS 4.0 / How To Monitor WAN Connections

Aug 7, 2011

Best way to monitor delay, latency and jitter between sites connected by VPN? I have CiscoWorks LMS 4.0 but that does not seem to be able to do the job (or I just don't know how to do it in LMS). Even a 3rd party application will do. I would prefer not to have to place hardware at each location though.


Two Connections On One PC

Jul 25, 2011

What I Mean By "Two Connections On One PC". I Am A Youtuber So I Like To Play Games, Upload Stuff Etc. But The Problem Is That When I'm Uploading I Can't Play Games Because Of The Lag. So Is There A Way To Setup Two Connections (One For Uploading And One For Gaming Etc.)?


No Connections Are Available?

Jul 3, 2012

I was simply surfing the net and installed a program. I then deleted the program and simultaneously I was unable to connect to the internet using wifi. Connecting to the internet is not a problem with the Ethernet cable plugged in. I have checked everything I can with the router and the wifi is still active. When I try to connect to the wifi, using the symbol on the taskbar, it tells me that there are no connections available. I also tried using my iPhone personal hotspot and that was also undetectable. When I go into the device manager, the only icon that is flagged is the network controller. I have un-installed it and rebooted, I have restarted it. Quite annoying, I might add.


DNS-320 Many IP Connections To NAS

Jan 23, 2013

At any moment I have almost a thousand connections from / to my network attached storage (NAS), it's from D-Link (DNS-320) from unknown outside IPs.

I have a home network, everything sitting behind a Linksys router with a DD-WRT installed on it (here I see these connections). You can see the output here: url...

There probably would be many more connections, but the modem only allows so many. Unfortunately, they all use a different port (otherwise I'd just block that one). Because of all of this, my internet is very slow (connections are saturated)


Cisco :: Backup WAN Connections With OSPF?

Feb 11, 2013

implement backup WAN links to complement the metro Ethernet links we currently use so we have some redundancy. These will most likely be a VPN over an Internet service but might be another Ethernet type service, the medium shouldn't really matter I wouldn't think. What I am looking for input on is what is the best way to implement this? Would I just set costs so that the backup is only used when the primary goes down, or should I create new OSPF area for the backup links?

Currently the core switches that are also our routers are 3750G stacks running ip services. We are getting ready to install new firewalls at each location that will become the gateways for the vlans currently on the core switches to give us much more control over segmentation, and because of this I am thinking that it may make sense to then move the OSPF instance from the core to the firewalls. In the drawing I did not show the access layer switches off of the core, and the MOE circuits actually terminate into a 3550-12T switch before the core. I think I will actually eliminate those 3550-12T switches and go straight into the core. This is a current state drawing, so does not include the backup links I am planning.


Cisco - Connections Had Limited Access

Dec 9, 2012

The past two days have been frustrating with my wifi. When I first got on it, I checked the internet access because I couldn't get onto the internet. The connections had "limited access". I restarted my router and modem, and it did nothing. I unplugged everything and plugged it back in and the wifi would show, but I couldn't get on it. I restarted the router and modem, and it worked. I got on Cisco Connect and the signal wouldn't show. I got off the computer and later, I couldn't get on the internet again. Later on, I could get on the internet again. I got on Cisco Connect, and it still says that there is no connection. I haven't a clue what's going on. My modem is CenturyLink, and obviously, my router is Cisco.


Cisco WAN :: 881 Sec K9 Router To Have Two Internet Connections

Aug 31, 2011

I have 881 router and it has 1 WAN port and 4 Fa ports. I want to know if it's possible to have 2 internet connections on that router? I found an interesting article about the load-balancing for two isp connections: [URL].


Cisco WAN :: 1841 With 2 RFC1483 Connections?

Sep 3, 2011

Hardware: Cisco 1841 with 2 adsl wic's

Software: Advipservices-k9 12.4 25b
Skill: Just started
 
I got 2 RFC1483 bridged connections which I want to combine in the 1841. What I want is 1 subnet (if possible): route normal internet traffic out on ATM0/0/0, route 1 server and VoIP box out on ATM0/1/0. What is the best way to configure this, if it is possible with the hardware? Tried different things already but no luck. Pretty much in all configs when I connect 1 line it works fine but when I connect the second one all goes wrong.


Cisco Firewall :: Allow PPP Connections Through ASA 5505?

Mar 1, 2012

We have a user who needs to access a vpn from his MAC through an ASA 5505. The user is getting an IP via DHCP and the outside interface of the ASA gets its address via DHCP as well. The user states that when he is home or anywhere else but behind the ASA it connects fine, but once the ASA is added it times out. He is able to get to the internet from the machine without any issues. Looking over the config on the firewall it isn't set to deny any traffic and there is a global set on the interface and it is nat the inside interface. There is no global policy in place so I was considering implementing the following:

policy-map global_policy
 class inspection_default
  inspect pptp


Cisco Security :: PIX 535 Maximum Connections

Jul 5, 2011

We have a PIX 535 with unlimited license, it has 1,048,953 in use connections because the timeouts have been changed to 24 hour. I am addressing this issue but was wondering why it's so high when the max concurrent sessions is supposed to be 500,000 as listed in the product spec. Also when it reaches its max and cannot allocate a connection what PIX syslog error message number would it send?


Cisco Firewall :: Not Able To See Connections For 3389

Jun 3, 2012

192.168.1.10 --> ASA 1-----> ASA 2-------> ASA 3---->  server (172.21.16.15)

We have opened 3389, 80 & 445 ports on all firewalls ( ASA 1, ASA 2, ASA ) for server (172.21.16.15) from (192.168.1.10). We are able to see connection in ASA 1 under show connection for 3389, 445, 80.

We are not able to see connections in ASA 2 & ASA 3 under show connection for 3389. But we are able to see hits in ACL.


Cisco WAN :: 861 Router With Two Internet Connections?

Jan 28, 2011

One of our clients has a Cisco 861 router and they have two internet connections from two different ISPs. Can we use them together as load balancing and as redundancy, as the Cisco 861 router has only one WAN port? How can we do that?


Cisco VPN :: ASA 5520 - Monitoring SSL Connections

Sep 12, 2012

On the ASA5520 we would like to create a report that gives us trending over 6 months for the amount of people logged in via the SSL VPN and for how long. Is there a way to do this on the ASA5520? Does it have this ability? Could I do this in SolarWinds? My boss mentioned a software package that Cisco has that will show a history - is this correct?


Cisco VPN :: 881 Client VPN Connections Are Not Being Allowed

Jul 27, 2011

I have just deployed a 881 router at a clients site & configured it to allow remote IPSec VPN connections using the Cisco VPN Client software.
The router works fine except for the remote VPN connections.
 
Client VPN connections are not being allowed and I am sure the problem is the zone based firewall.  I have had very little experience with this, most of my experience is with ACL based security.


Cisco WAN :: 2801 / Managing 6 WAN Connections

Jul 31, 2011

The application here is a wind power project, built in two phases, without any effort to coordinate or integrate the two sites during the design phase. All operations activities for both phases are performed by one staff out of a common location. This is a rural area and Internet connectivity is mission critical due to contractual obligation with Electrical Utilities.
 
The client has a need to reconfigure a network which has grown over time in a layer by layer approach, whereas at every point in time that an additional T-1 or other changes occurred to address a specific need, no thought was ever put into integrating the entire site as a whole. It is at best a dysfunctional solution which somewhat accomplishes their needs, and at worst, a kludgy, grossly security compromised, and difficult to use infrastructure. There is every kind of equipment one can imagine, each installed by some entity providing needed services on the site, but forced to make uninformed decisions because the client really has no IT department to coordinate with. Over time, every vendor just provided their own switch, router, or maybe figured out how to reconfigure another existing device to also provide the routing or access needed. To say the least, it's a mess.
 
The client requests a solution which provides a means to accommodate 6 internet connections (4 T-1 lines, and 2 satellite) in a manner which aggregates available bandwidth and provides redundancy. The T-1 lines will be the main internet access, with the satellite connections only used if available bandwidth falls below some threshold, say 3Mb. There are many internal networks which need to be routed to and between, in total, about 20 subnets. There are 2 SCADA (Control) networks which have a mandatory requirement of 1Mb each, a VoIP system which does not use any internet connectivity as there are 6 POTS lines dedicated to it, an internal office LAN and a turbine manufacturers site LAN.
 
The T-1 lines, at 1.5Mb x 4 = 6Mb.
 
The 2 SCADA networks require a guaranteed 1Mb each, the remaining 4Mb is to be allocated between the office LAN and the turbine manufacturer site LAN. The satellite connections are only to be active in the event bandwidth falls below 3Mb.

There are 2 Cisco 2801 routers on site which could be reutilized if appropriate. Each T-1 has its own Adtran CSU with Ethernet out. All T-1 lines are /29 IP Blocks. 2 of the T-1 lines are adjacent IP Blocks, for what it's worth.
 
Everything here is open to reconfiguration. The client wants this finally integrated correctly with the ability to address emerging Electrical Utility cybersecurity requirements in the immediate future.
 
An ideal solution would be fully redundant to eliminate the single point of failure at the edge router. As to whether there needs to be separate edge and interior routers, I just don't know that. I would guess everything could be done with just a pair of redundant routers at the edge, but perhaps it is better to do the interior routing between subnets on a different router(s).
 
Again, the goal is a well integrated, redundant, and secure solution. My part is mostly complete, with the OSP part of the network finally at 100% after 5 years of stupid and careless misconfigurations and bad fiber splicing (by others).
 
I'm absolutely covered up in business at Layer 1 & 2 on these sites, as the physical plant and associated network elements are typically very poorly designed, specified, and implemented. The complexity of this job leads me to seek outside advice and ultimately a more qualified Cisco professional than me. I'm experienced enough with Cisco to know when I'm in over my head. I know a diagram would be nice, but at this point I've only got a very detailed diagram which reveals too much site identity information to make public. I'll wait to see a few comments and in the meantime work on removing site identity info so I can post a good diagram for everyone to see.


Cisco :: LMS 4.2 Not Releasing SSH Connections Of Devices?

Apr 19, 2012

We have LMS opening SSH sessions to Nexus 5000 devices as part of some jobs. These SSH connections are not being released by LMS as soon as jobs are completed, which leads the N5K devices to hang without any way of managing them remotely. We see these connections as idle on the Nexus devices (which also should kill these sessions, but this is not the issue).
 
We have found a known bug:
 
CSCty90928
LMS Pari jobs are not releasing SSH,telnet connections of the devices
Symptom:
Telnet/SSH connections are not released by LMS
Conditions:
Pari collections jobs are not releasing the connections after the Job completed
Workaround:
None
 
This bug is categorized as "2 – severe" and is in "Open (Postponed)" status. I have a few questions:
 
1.) What is the ETA to fix this bug?

2.) Are there any other known bugs matching what we see (documented public bugs, with bug ID's, internal bugs or even undocumented bugs).

3.) Is there any released or unreleased (even yet to be tested by TAC) patch we can use that should fix the issue?

4.) Is there any way to adjust LMS idle timeout of SSH/Telnet sessions (I couldn't find it in the GUI, but maybe there is a way to change this parameter using a perl script or modifying one of LMS properties files)?


Cisco :: Limiting SSH Connections On Prime LMS 4.2?

May 20, 2012

Is there a way to limit number of concurrent SSH connections that Prime LMS 4.2 makes to devices? Periodically it occupies all of VTY lines. I know I can restrict access to particular VTY lines by 'access-class' command, but I'd rather want to limit number of simultaneous connections on Prime LMS. Is it possible?


Cisco VPN :: Multiple VPN Connections From A Client 4.0.5 (C)

Mar 22, 2011

I am using Cisco VPN client for Windows 4.0.5 (C). I use the VPN client to connect to my office from home and to connect to a customer via their VPN connection. Is there any way that I can have these two VPN clients active at the same time instead of needing to disconnect one to connect the other?


Bridge Together 2 Connections?

May 17, 2012

Telus cell phone usb connection and a Lan ethernet connection, was trying to use windows 7 to bridge the two networks.


No Connections Available - Windows 7

Aug 7, 2011

I have a dual boot computer - Vista Home Premium and Windows 7 Home Premium. When booted into Vista I can map my Network and connect to the Internet, a network printer (ethernet) and a second Windows XP computer. When I boot into Windows 7 I can still access the internet and my networked devices but I cannot map my network. Also, the network system icon (bottom right-hand screen) shows erroneously that no connections are available - but clearly they are! The attachments show the status of my Vista and Windows 7 connections. The only thing that appears to be odd is that my Windows 7 system is set to 'Public' and my Vista system is set to 'Home'. I have tried all manner of things to change Windows 7 to 'Home' but to no avail.


Browser Using Too Many Connections?

Sep 10, 2012

It started when I couldn't connect to a specific website for 2 days. I had to change my IP to get on again, and when I did I got a message from the admin saying that I had been blocked automatically because my browser was using upwards of 200 connections at a time. He made me check all the browser settings for it, and everything was still set at default. I didn't download any program or add-on, I did nothing special. It started out of the blue. I did virus scans, I reinstalled firefox and opera (the browsers I use). At this point I have no clue what the problem is.
