I think the subject gives a good first impression of what I'd like to achieve.Anyway i'll give a little more context.I'm running a Windows Home Server in my LAN and I would like to use it's functionalities (especially the streaming) features from "anywhere" using the same URL.My is a Linksys WRT160Nv3 running on the DD-WRT v24-sp2 firmware.I've already setup the necessary port forwardings, as most of the WHS sites run on ports 80 (http) and/or 443 (https) and my isp is blocking all ports < 1024 (I know it suck, but nothing to do about)Anyway, outside my network (friends home, work, ...) I can access my home server browsing to ://xxx.homeserver.com:10080 or https://xxx.homeserver.com:10443What I want is that this (external) DNS also works when i'm inside my network (so when I'm at home).
Is this possible?I want this because on the home page of the WHS web interface, I have some links (for example to sabnzb, or the webpage of my raid controller, etc etc, but they all point to http://xxx.homeserver.com:These url's (with the external dns) are not working when i'm inside my lan.I'm not an export but i'm quite sure it's a DNS issue.Some more info:When i do an nslookup xxx.homeserver.com I see the (external) static IP that has been assigned to my router.When I do a ping to xxx.homeserver.com I also get a reply from the (external) static ip that has been assigned to my router.
DNS resolution works and I can surf the web without fail. But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts. I can ping anything from the ASA without fail.
I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
I know the CSS is too old but I have one in production environment and I was asked if it is possible to CSS to make NAT from inside addresses and translate them into one external IP address to diferent kind of communications, for example: 172.16.4.9 and 172.16.4.10 (inside addresses) should start connection to external IP addresses destinations 184.108.40.206 / 220.127.116.11 18.104.22.168 / 22.214.171.124 and so on, the default gateway to those Servers is the CSS and I would like to know if it is possible that all connection to external world to be translate into one IP address 172.16.4.100.
I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
This is what we have: A wireless network with an SSID to serve visitors. We also have an in-house web server which can be accessed internally and externally. We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside. The DHCP server for the wireless network for visitors is configured to give the 126.96.36.199 as dns server. The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server! The traffic then is sent to the outside interface of the ASA 5520. The visitor who wants to access our web server cannot connect!
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?
how to storage the DHCP IP table in a external flash of a router. This is because the router is switched off and switched on everyday but I want that it remembers which MAC is associated with which IP when it starts again and avoid IP duplicate problems. The command "lease" doesn't seem useful here.
I'm trying to configure hairpinning on my Cisco 887VA VDSL router, so all LAN users can connect to the server using SMTP port 25 which is also in the same LAN subnet, using external router address, which is assigned to dialer1 interface.Traffic comming in from outside works fine.
External IP: 188.8.131.52/29 PC address connecting to the server: 192.168.101.28 Server address: 192.168.101.200 IOS: 15.1.4M1
I'm running tcpdump on the server on port 25 and... nothing happens. The traffic is not going through.One thing that I've notices in debug ip packet is this line:
s=184.108.40.206 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt
shouldn't source be internal vlan1 IP - 192.168.101.1?
Been reading up on IPSs some and some sources say the IPS goes inside the FW some say it goes outside. I know the inside is easier to tune and more secure, what are ya'll's oppenions on where it should go and why? (I will say most of them say IPSs on the inside and outside, but I figure that's something of a marketing ploy)I kinda like inside the FW to keep it a bit more safe and to avoid the stuff the FW will kill by default that's out gunking up the internet.
I'm seeing a TON of traffic in my ASA logs (via ASDM) indicating the following:"Duplicate TCP SYN from inside: (valid internal address of one of our laptops)/50164 to inside: (address on our other subnet, still trying to trace it)/9100 with different initial sequence number"This looks like an attack to me, likely someone's downloaded something they shouldn't have and got an infected laptop. Why it's trying to "call home" to something inside our network is what puzzles me, though.Is there any VALID reason I would see these sort of messages in my log?
I have a 891 router I have been testing some things on. I have been able to successfully telnet to it in the past with no problems. Just yesterday I was trying to set an interface to have an IP of 10.10.10.2 which I realized was an IP I had forgot to exlcude from DHCP and it was handed out to the computer I was using to telnet in. So I wrote in the exlcude commands and did an ipconfig -release ipconfig -renew on my PC that had the 10.10.10.2 IP. After the renew I was given 10.10.10.7 (put in a few more excludes).However the release dropped my telnet connection and afterwards I was completely unable to telnet in, getting the error that says I cannot open the connection on port 23. I had made some changes to my entire config beforehand which had it switch to use a new public IP. I never saved the changes and did a hard reset by unplugging the router to get my old config back and see if I could telnet after that. Still could not get in, same error. Well I went through and remade my entire config to use the new public IP. My 10.10.10.7 PC can access the internet, DNS, ping the router, all just fine. Still can't telnet. I remade my line/vty config and made sure it matched up with a config I had on another router. Still can't telnet. Last thing I did was go in and manually clear all open line connections. All that is left is an idle 0 con 0 line that it wont let me close. Still can't telnet.What the **** is going on with this thing? I am completely at a loss to explain why I cant telnet. It must be something in my ACLs that I am missing?
I have inherited a PIX 525 environment and I need to document a lot of stuff to catch-up on what is going on. I was gathering IP address information and ran "show interface outside" and "show interface inside" and noticed the same IP assigned to both. I checked the MAC address and they are different. This IP is also listed as the Management IP. So I am sort of confused. What condition would warrant both the inside interface and outside interface along with the Management IP having the same IP?
The PIX and the hosts it comms it monitors do live in a VLAN controlled by a Brocade switch which also is our gateway out.
I have an internal server 172.16.1.202 that is PAT to 220.127.116.11 to allow RDP connections. - This works fine from the internet.I have now been asked to allow our guest wireless (192.168.100.0/24 - DMZ) to access this same external connection.We have 2 cisco controllers, with the guest controller "anchored" in the DMZ.I cannot get this to work.Both the DMZ and inside NAT their internet connections to 18.104.22.168.
I want to transfer big fiiles from PC to another PC, and it has happened frequently, I was wondering is there any way that I can send them directly with high speed if they are connected to the same router (my Router),I got an Desktop with Windows 8 64bit.The target PC (to transfer files) Laptop Windows 7
configure my Cisco ASA5510 (asa version 8.3.1) so that one of the host (e.g.192.168.8.20) behind management interface can ping to the other host (e.g. 192.168.2.246) behind OUTSIDEinterface. I tried modifying the ACLs, NATs and ICMP statement, but still failed[CODE]
I have a ASA 5510 with asa8.4(2) and asdm6.4(5)205. Have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection. [code]
i have cisco router 1811 , i make port forwarding for my mail server , so from outside i can access to the mail server via my mobile but inside lan i cannot because i use my global ip address at my mobile config .
I have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
I have a Netgear wnr3500 for my home network. I have certain sites blocked from inside it, for instance.I even blocked it by exact url. Still gets through then blocked yahoo.com and it was immediately Netgear blocked.It seems this site is fooling my router.
I'm setting up a VPN in order to share files between two locations. I'm not sure it's the best solution, but he insists on using his Cisco ASA 5505 Firewall via a clientless VPN. His set-up is a simple residential cable modem (Motorola SurfBoard/TimeWarner) set in DMZ mode, the Cisco ASA, and an Ubuntu server.
The Clientless VPN is set up, as are the user groups, and bookmarks. I'm able to browse to the firewall's internal interface IP (https://192.168.1.1) and log in to the Clientless VPN portal, and from there, I can access all of the plug-ins I've configured (CIFS, VNC, etc). The problem is that I cannot connect from outside the local area network.
I think it's something very basic that I'm missing, like a NAT rule. I've tried adding some, but they always seem to interfer with the NAT rule allowing users to connect, via the internet, to the Apache web server (port 80) running on the Ubuntu machine behind the ASA Firewall.
Like I said, I'm not sure this is the best solution for him. Using an ASA seems like overkill for something that can be accomplished with some software, but he and I are both fans of Cisco, and, as I said, he is adament about using this set-up. If it comes down to it, I'd like to be able to honestly tell him that I exhausted every resource in trying to find a way to make this work for him before giving up and going to "Plan B".
We have a remote office that needs to be connected to the central office through a site to site ipsec VPN.At the central site there is a 2811, and at the remote site there is 1841.Most of the traffic will be VoIP traffic and small amounts of data.
I need to setup some QoS that would firstly prefer the VPN traffic over internet access and then inside the VPN I need some QoS that will preffer VoIP over data.
I have deployed a read only domain controller in our DMZ as part of a domain-related project. That machine needs to be able to reach domain controllers on our internal network. To do so, it should traverse our ASA 5510, going from the DMZ Interface (security level set to 60) to the Inside Interface (security level set to 99).
I've created an ACL as following (alerting hostnames in the example):
access-list dmz_access_in extended permit ip host dmz.rodc.domain.local object-group int-domain-controllers
I've read in various spots that you have to create a NAT when traversing security levels, going from a less trusted interface (DMZ) to a more trusted one (internal.) Since this link will carry domain traffic, we do not want to create a real translation. Thus, I created a stand-in NAT that points to its own IP as follows:
Long story short, the connection fails. I'm able to access other hosts in the DMZ and on another interface configured with the same security level (which I've explicitly allowed), but trying to go from the less-trusted DMZ to the more-trusted internal fails.
A Cisco ASA running 8.2.5 with 3 interfaces: Outside (Sec lvl 0)/-nternet IP / DMZ (Sec lvl 2)-192.168.8.0/24 / Inside (Sec level 100)-192.168.1.0/24
An ACL on the DMZ which looks like this:
access list DMZ_IN permit ip 192.168.8.0 255.255.255.0 any access list DMZ_IN deny ip any any access-group DMZ_IN in interface DMZ global (outside) 1 interface nat (DMZ) 1 192.168.8.0 255.255.255.0
Nat Control is not enabled (by default) There is no nat exemption, static identity nat or any nat of any kind set up between the Inside and DMZ.The question is: Will the DMZ network be able to initiate connections to the Inside network or will only outside (internet) access be permitted?
A) No, inside access will not be permitted, only Interenet access will be permitted, because there is no NAT exemption or Static Identity NAT between the lower level security interface (DMZ) and the Higher level security interface (Inside), regardless of the DMZ ACL rule with a destination of ANY.
B) Yes, access to the Internet and the Inside can be initiated because NAT control is disabled and there is an ACL that permits DMZ traffic to 'ANY' destination.
I have a PIX-525 with an UR license. I was trying to get my VPN to work from my iphone over the weekend but to no avail. I then changed the interface to the inside to see if my iMac could connect and bingo! It worked. I then tried to connect via inside interface with my iphone and it worked.
I connected a PIX-515e and, using the same settings, can connect to the outside interface via my iPhone.
Now, to answer the pressing questions, yes I changed the server IP address in my IPSEC client settings to reflect the outside and inside interfaces as I was testing each one. I was using a preshared secret. Yes, the secret was entered correctly and they all matched...yes, the tunnel name was entered correctly. I was using local user database for authentication with username/password (i.e. no certificate authorization to make things simpler for debugging). I changed the syslog to debugging and I see absolutely no errors when trying to connect my iphone to the outside interface (i.e. turning wifi off so I'm on my 3G data network). The only thing I see is where my iphone hits the outside interface and it does a teardown (or whatever its called) but that's it.
Why would this work like a charm with my PIX-515e and not my PIX-525? Could the VPN accelerator card in the 525 be at fault? The 515e does not have the aecellerator card. why I can esablish a VPN connection on the inside interface but not the outside?
I recently upgraded my asa from 8.2 to 9.1 (reconfigured from scratch - didnot convert old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Here's my config below -
I have a simple isp topology built in GNS3, for testing (pppoe) dialers:cisco router(R1) connected to my pc network card, doing NAT translations for all the devices in the topology.I know how to configure NAT for spesific ip range, but i can't find out how to configure NAT for networks which are learned through ospf (or any other dynamic way).
I currently have an out of the box ASA5505 and need to change the internal interfact from 192.168.1.1 to 10.20.3.1 so it fits in with the rest of the network.Tried using the ASDM Startup wizard (via 192.168.1.1) and it just seems to hang on "delivering the commands to the device".
I have a 5505 with the security plus license. I have a web server in the DMZ that needs to talk with a server on the inside network but it doesn't seem to be able to. Im guessing there is something I need to do to enable the DMZ to talk to the inside network.
The network topology is like this. Router with DHCP_Server on it.
VLAN 10 VLAN 20 VLAN 30
My question is how to configure the router so that all devices on all 3 VLANS can obtain IP from the router. I've tried to enable proxy arp on all interfaces and create sub interfaces and trunk them to their appropriate vlans, but I can't specify the gateway on all trunked sub interfaces because I get a warning that addresses overlap. Then I tried to set access-group on all sub-interfaces and still doesn't work.
I have setup a few Vpn clients but no ones able to access the inside network.The clients all get a Ip address from the pool and DNS servers Ip's. But cannot ping or connect to there pc's. I'm thining its somewhere in the ACL.