Cisco Wireless :: ASA 5510 NATing 2 Internal IPs To 1 Public IP
Apr 27, 2013
I have a doubt on how do nat 2 internal ip addresses to 1 public ip for FTP uses.
As I know Cisco ASA cannot use to nat 2 internal ips to 1 public ip as the ASA cannot read the host header. It there anyway to control it by using acl or network object group?
My current configuration for nat 1 internal ip to 1 public ip:
static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 172.16.101.11 21 netmask 255.255.255.255 dns
View 1 Replies
ADVERTISEMENT
Sep 18, 2012
I've tried a bunch things but it didn't work, I'm about to gave up! :-/
I have the following scenario:
ASA5510 - v8.3(2)
Interfaces
ETH0/0 = outside = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15
[Code]....
What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browse the http://189.xxx.xxx.129:8080 and get through directly to my internal server 10.xx.xx.61 ?
View 5 Replies
View Related
Jul 9, 2012
I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.
View 3 Replies
View Related
Jun 3, 2012
I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
View 1 Replies
View Related
Dec 22, 2012
i have asa901-k8.bin" in my asa firewall and downlaod liecnce from cisco,now i dont know how to allow internet to my user.?
View 1 Replies
View Related
Jan 4, 2013
I cannot access Internal network to DMZ with public ip but i can access public servers in DMZ with External network.
View 1 Replies
View Related
Oct 24, 2011
Is it possible to have more public addresses to more internal addressees? I have an internet provider which is in control of my router and he is telling me it is not possible. It's a Cisco router and I have static IP address.
View 1 Replies
View Related
May 1, 2013
I have a requirement to nat two public ip addresses to same interanl ip address. Is this possible on ASA version 9.1?
View 3 Replies
View Related
Dec 19, 2011
I have an ASA 5505 configured with internal network, a DMZ, and a VPN on seperate subnets. The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network. I have a DNS server on my internal network and it does resolve to the public IP correctly. NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly. I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP adddress to the external (NATed) address is allowed.
Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network. If I am outside my cisco then I can go to http://72.22.214.121 easily. [code]
View 1 Replies
View Related
Mar 26, 2012
setup my Foscam IP cam lastnight on the Wireless network using UnPn and was able to access it fine via the public IP , using another PC on the same network with no issues. However when I tried to access it from work it doesnt connect - Is there a firewall setting that im overlooking?
FYI im using a Netgear CVG824G
View 1 Replies
View Related
Oct 11, 2012
Is it possible to create a service which will forward public port 9010 to an internal IP address with port 23 ?
First of all, I do not like to open the public Telnet port to the inside so I would use another public port and second my ISP does not allow some public ports beneath port 80
View 2 Replies
View Related
Apr 7, 2013
My ASA 5510 is configured with a single PUBLICIP1 on the outside interface. All internal hosts 192.168.0.x are behind the ASA firewall and NATed to PUBLICIP1 including a few site-to-site VPN tunnels. This is also true for DMZ. Now, I would like to add a second PUBLICIP2 to the ASA and map it to one internal host ONLY - For eg: 192.168.0.25. How can I do this without effecting the existing setup? Since my entire internal subnet 192.168.0.0/24 is NATed to an existing PUBLICIP1 how can I exclude just one host (192.168.0.25) and bond it to the PUBLICIP2 for all ports.
This is what my current OUTSIDE interface looks like.
interface Ethernet0/0
duplex full
nameif OUTSIDE
security-level 0
ip address PUBLICIP1 255.255.255.224
!
View 7 Replies
View Related
Mar 16, 2011
we have hosted voip and would like have our internet as back for their router. We gave them public static ip so they can configure that in their router. How can i configure the ip address in our firewall let say on asa5510 ethernet port 3 so if their router T1 goes out then our internet will work as backup.
View 4 Replies
View Related
Jul 22, 2012
I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have 192.168.101.0/27 private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.
View 9 Replies
View Related
Jul 30, 2012
I am setting up a site to site IPsec connection with a company, something which I have done many times before without trouble. I use ASDM to configure this as it is quick and painless, usually.
We have a number of other site to site connections currently configured and working fine on this ASA, these are configured with the 'Protected network - Local network' configured with the private IP's of the hosts within our network we want to make available through the seperate tunnels. This includes the configuration setting on our ASA for each connection to 'Exempt ASA side hosts from NAT'.
With this new connection however, the company has asked us to use a public IP for the host we want them to reach through the tunnel. I am not sure why but they demand it. So I added a NAT rule for the inside host, and configured the connection with the public IP under 'Local Network'. When testing to try reach a host on their side, the tunnel does not even attempt to initiate.
I cant see where I am going wrong. I am guessing the 'Exempt ASA side host from NAT' does not require to be set for this, as how else would the ASA know which internal host the public IP relates to.
View 6 Replies
View Related
Nov 20, 2011
I have a peculiar situation where I need to assign a public ip to a computer without going through firewall (for testing purpose).
I have the leased line going through a 3750 switch to the ASA 5510(15.240.1.2/30) belonging to vlan 999. ASA has default route going to 15.240.1.1/30(ISP).
I have different public ip range for LAN and WAN My WAN ip is 15.240.1.0/30, LAN ip range is 15.240.2.24/27 nated by ASA..
I want to connect the PC to the switch port belonging vlan 999 and ip address of 15.240.2.26/27.
If yes, what will be the gateway for the computer?
View 3 Replies
View Related
Aug 31, 2011
i just got an extra public subnet from our ISP (co hosting center) But I can't figure out how to use them on my ASA.
New:
IP-adresses: 87.1.1.194 - 87.1.1.254
Default gateway: 87.1.1.193
Subnetmask: 255.255.255.192
Old:
IP-adresses: 200.1.1.34 - 200.1.1.46
Default gateway: 200.1.1.33
Subnetmask: 255.255.255.240
Config:
route wan 0.0.0.0 0.0.0.0 200.1.1.33 1
And statics like:
static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255
View 22 Replies
View Related
Sep 5, 2012
We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.
View 7 Replies
View Related
Mar 3, 2013
I have DMZ n/w 192.166.0.0/24 on which i have nated on public ip
-private ip : 192.16.0.201 (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2
View 13 Replies
View Related
Oct 17, 2011
We have an issue with some NAT on an ASA 5510. Here is a simplified drawing of the ASA setup:So the issue is when we try to send traffic from 172.16.3.251 to 1.1.1.1 we got this message in the log:
Oct 18 2011 12:32:12: %ASA-3-305006: portmap translation creation failed for udp src inside
172.16.3.251 /37166 dst outside:1.1.1.1/23
It looks like there is an issue with NAT but maybe is cause of the DUAL ISP setup as packets are routed through the outside interface and not IPtelefoni_outisde?
View 13 Replies
View Related
Aug 16, 2011
how to configure public ip on router 1841 and ASA 5510. let me show you my issue that: i have router 1841 ( for F0/0 use pubic ip add 10.10.10.1 /30, and F0/1 use other rang public ip add 20.20.20.1 /24) and on ASA 5510 i use public ip add E0/0 20.20.20.2 /24 ) all this for public ip add and my lan ip is 192.168.0.1/24.
could you let me know how to configure on router 1841 and ASA 5510. for router 1841 if you use private ip we can use nat but for all public ip add how can we do it?
View 9 Replies
View Related
May 7, 2012
I have a new 5510 which I have upgraded to 8.4(3). I have a /29 subnet from the telco on my outside interface. I have 6 subinterfaces on a dot1Q trunk on my inside interface. The customer requirement is to have two servers in a DMZ which have public IP's from the /29 subnet. The customer will not give the servers a new IP address so we are stuck with the two public IPs in the DMZ. I thought I would need a bridge group and bridge the outside, two DMZ interfaces but I read that bridging requires the firewall to be in transparent mode and then it won't support VPNs - this is not an option as I need to terminate VPNs on the box too.
how can I accommodate the two servers in the DMZ with public IPs whilst the ASA is in routed mode ?
View 1 Replies
View Related
Oct 12, 2012
Is it possible to create a service which will forward public port 9010 to an internal IP address with port 23?First of all, I do not like to open the public Telnet port to the inside so I would use another public port and second my ISP does not allow some public ports beneath port 80?
View 1 Replies
View Related
Dec 14, 2012
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
to:
object network BMMM
nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
View 5 Replies
View Related
Feb 19, 2013
Im having problems with google saying we generate to much traffic to [URL]
I need to know which machines on the inside are talking so much with google. Can this be done via ASA 5510? do i need a third party program for this?
View 1 Replies
View Related
May 14, 2013
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
View 1 Replies
View Related
Feb 5, 2012
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same piblic IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
View 6 Replies
View Related
Apr 13, 2013
I have a few devices that the manufacturer told us we have to set with a public IP (No Natting) We have Internet ->ASA5510-> Switch 3550 with 3 vlans. Up to now we have always use Natting to configure internet access to specific devices. I heard setting up a witch with one VLAN connected to the internet and all other internals is a bad idea. that was the only Idea we had.
View 3 Replies
View Related
Jan 30, 2012
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
Did I need to call my ISP?
View 3 Replies
View Related
Sep 27, 2011
we have a ASA 5510 firewall and i have created remote vpn user who connects the internal network via vpn any connect after connecting i want him to only access his internal PC via rdp and not access other internal website or shared folders without connecting to the RDP however now he can access the internal website wihtout connecting to RDP?
View 3 Replies
View Related
Jun 11, 2013
I've been following most of the comments in regarding how to allow communication between two internal networks on a ASA5510 8.2.5 But I am still a little confused about to how to set my firewall. I made chages to it and still do not have the desired results.
I need to allow comunication between Interface 0/1 and Interface 0/2. See configuration file with fake or dummy ip address below.
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com
[Code].....
View 1 Replies
View Related
Mar 20, 2011
ASA 5510I'm trying to add a static NAT for to allow access to an internal webserver on my DMZ. I've added the config, however i'm still unable to get to it from the outside. I'm able to ping and browse the server from the LAN and I'm also able to ping the external interafce from the outside, but just unable to browse.I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside"
View 0 Replies
View Related
Nov 5, 2011
I am trying to setup a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and Sonicwall TZ200. I got tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN but nothing else works.
When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows;
[code]...
View 14 Replies
View Related