Cisco Firewall :: ASA 8.4 NAT On Outside And Inside For Certain External Hosts?

Nov 21, 2012

ASA is running 8.4.
 
Internal interface: 172.16.1.1
External interface: 172.16.2.1
 
Routing to 192.168.0.0 via internal host.I've got some static NATs, e.g:
 
object network obj-192.168.0.1
nat (inside,outside) static obj-172.16.2.1
 object network obj-192.168.0.3
nat (inside,outside) static obj-172.16.2.2
 
 I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
 
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
 
But it's source remains unchanged.What am I missing?

View 3 Replies


ADVERTISEMENT

Cisco WAN :: ASA 8.4 Can't Ping External Hosts From Inside

Jun 9, 2011

DNS resolution works and I can surf the web without fail.  But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts.  I can ping anything from the ASA without fail.

ASA Version 8.4(1)
!
hostname fw1-nat-ann
domain-name inmd.infoblox.com
enable password anWLNen9CTFp7B/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

View 1 Replies View Related

Cisco Firewall :: Cannot Ping To Inside Hosts From ASA-8.2

Jun 8, 2013

I am struggling to get successfull pings beween asa and inside hosts but couldn't succeed. Done packet tracer result is acl-drop
 
Here is the running config
 
Prem-ASA(config)# sh run
: Saved
:

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA5505 - Inside Hosts Limit

Feb 18, 2012

The ASA5505 I am working with has this from the show version:
 
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs                       : 3, DMZ Restricted Inside Hosts                : 10Failover                    : Disabled VPN -DES                     : EnabledVPN-3DES-AES                : Enabled VPN Peers                   : 10WebVPN Peers                : 2Dual ISPs                   : Disabled VLAN Trunk Ports            : 0
This platform has a Base license.
 
Does the Insides Hosts  :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505? 

View 9 Replies View Related

Cisco Firewall :: Upgrade Inside Hosts From 10 To Unlimited On ASA5505 BUN K9

Aug 17, 2011

I want to  upgrade  "inside hosts" from 10 to unlimited on a ASA5505-BUN-K9, Do I have to buy  Security Plus license ( L-ASA5505-SEC-PL =)  ) before activating ASA5505-SW-10-UL ?

View 3 Replies View Related

Cisco Firewall :: ASA5505 - Outlook Access For Inside Hosts

Apr 25, 2011

I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to  browse all internet sites like gmail and yahoo mail.
 
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
 
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Should SSH Sessions From Inside To DMZ Hosts Survive

May 22, 2011

This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
 
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
 
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
 
The setup is:
 
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
 
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
 
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
 
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database

[code]....
 
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."

View 2 Replies View Related

Cisco Firewall :: Inside Hosts Cannot Connect To Internet Through ASA 5510

Dec 4, 2011

I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
 
[code]...

View 5 Replies View Related

Cisco Firewall :: ASA 5505 8.4(1) - Map Multiple Inside Hosts Ports To One Public IP?

Jun 22, 2011

I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:

host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
 
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.

View 7 Replies View Related

Cisco Firewall :: ASA 5505 - Increase Inside Hosts License Count?

Feb 14, 2012

At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
 
Result of the command: "show activation-key"
  
Serial Number:  xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  
Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        
  
This platform has a Base license. 
 
The flash activation key is the SAME as the running key.

View 2 Replies View Related

Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.

View 1 Replies View Related

Cisco VPN :: ASA 8.4 Cannot Reach VPN Clients From Inside Hosts

Jun 18, 2012

I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]

View 8 Replies View Related

Cisco VPN :: ISR 891 - Unable To Connect To Inside Hosts

Sep 27, 2011

I am able to  connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. [code]

View 2 Replies View Related

Cisco :: Allow Inside Hosts To Access A Specific Network?

Feb 10, 2011

I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.

View 1 Replies View Related

Cisco VPN :: Few PCs Inside Hosts Frequently Loosing Internet ASA 8.2?

Jun 7, 2013

One of our company guys always complaining that few inside PC's are frequently loosing internet and reconnecting after some times.The Connectivity is as mentioned below:
 
Inside: Switch -> Router -> ASA -> Router -> Modem ->Internet ------------VPN-------------------------

View 3 Replies View Related

Cisco WAN :: Allow To NAT'ed Hosts To Talk Via External IP Using ASA 5520

Aug 30, 2011

I have two hosts behind an ASA on a private network.  Both hosts are NAT'ed (each has a unique public IP).  I need Host A to be able to talk to Host B through their respective external IP's.

View 5 Replies View Related

Using External DNS Inside LAN?

Apr 19, 2012

I think the subject gives a good first impression of what I'd like to achieve.Anyway i'll give a little more context.I'm running a Windows Home Server in my LAN and I would like to use it's functionalities (especially the streaming) features from "anywhere" using the same URL.My is a Linksys WRT160Nv3 running on the DD-WRT v24-sp2 firmware.I've already setup the necessary port forwardings, as most of the WHS sites run on ports 80 (http) and/or 443 (https) and my isp is blocking all ports < 1024 (I know it suck, but nothing to do about)Anyway, outside my network (friends home, work, ...) I can access my home server browsing to ://xxx.homeserver.com:10080 or https://xxx.homeserver.com:10443What I want is that this (external) DNS also works when i'm inside my network (so when I'm at home).

Is this possible?I want this because on the home page of the WHS web interface, I have some links (for example to sabnzb, or the webpage of my raid controller, etc etc, but they all point to http://xxx.homeserver.com:These url's (with the external dns) are not working when i'm inside my lan.I'm not an export but i'm quite sure it's a DNS issue.Some more info:When i do an nslookup xxx.homeserver.com I see the (external) static IP that has been assigned to my router.When I do a ping to xxx.homeserver.com I also get a reply from the (external) static ip that has been assigned to my router.

View 3 Replies View Related

Cisco Application :: CSS11503 / Make NAT From Inside Addresses And Translate Into One External IP Address?

Dec 8, 2011

I know the CSS is too old but I have one in production environment and I was asked if it is possible to CSS to make NAT from inside addresses and translate them into one external IP address to diferent kind of communications, for example: 172.16.4.9 and 172.16.4.10 (inside addresses) should start connection to external IP addresses destinations 50.50.50.50 / 60.60.60.60  70.70.70.70 / 80.80.80.80 and so on, the default gateway to those Servers is the CSS and I would like to know if it is possible that all connection to external world to be translate into one IP address 172.16.4.100.
 
My CSS is 11503
Version: sg0810106

View 2 Replies View Related

Cisco Switching/Routing :: 5520 To Redirect An External Address To An Inside Server

Mar 21, 2012

I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
 
This is what we have:  A wireless network with an SSID to serve visitors.  We also have an in-house web server which can be accessed internally and externally.  We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside.  The DHCP server for the wireless network for visitors is configured to give the 8.8.8.8 as dns server.  The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server!  The traffic then is sent to the outside interface of the ASA 5520.  The visitor who wants to access our web server cannot connect!
 
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?

View 2 Replies View Related

Cisco WAN :: Save DHCP Table Inside Of External Flash In 2801 Router

Dec 3, 2012

how to storage the DHCP IP table in a external flash of a router. This is because the router is switched off and switched on everyday but I want that it remembers which MAC is associated with which IP when it starts again and avoid IP duplicate problems. The command "lease" doesn't seem useful here.

View 4 Replies View Related

Cisco Firewall :: Max SNMP Hosts On ASA 8.2?

Nov 13, 2012

Seems like something simple, but can't find on Cisco.com. What are the max SNMP hosts allowed on an ASA 8.2 code? That would be Polls and Traps?                  

View 1 Replies View Related

Cisco Firewall :: ASA 8.3 - Migration Changes Hosts To Objects?

Sep 24, 2012

I'm testing upgrading an ASA from 8.2.5 to 8.4.4.  During the the upgrade, it change all of my ACL host entries to objects.  But I noticed that the keyword "host" is still a valid option when creating an ACL.
 
I'm trying to understand why this change is made during the migration.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Accessing Hosts Over VPN?

Oct 31, 2012

I've been attempting to fix this issue or confirm the issue is not with the firewall and I have kind of run into a road block. This is my problem as I understand it. A client of mine has a VPN tunnel built over a point to point connection of some kind (this client is fairly new to me) and is unable to access some hosts on the remote end of the VPN tunnel from the LAN side of the firewall. The LAN IPs are NAT'd as they leave the network from the HPH-Point-to-Point interface to the remote end. Just as a point of reference, the LAN IP of 129.200.11.19 is said to be working, however the range of 129.200.20.25 - .50 is not. I've tried packet-tracer but with the NAT happening over a VPN tunnel I am not sure if I am doing it correctly.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Static Hosts Cannot Access Outside

Feb 9, 2013

I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere. Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet.

View 2 Replies View Related

Cisco Firewall :: NAT Configuration To Allow Access To Two Hosts In The Same DMZ (RFC 1918)

May 16, 2011

I am using a three interface ASA config (Internet, DMZ, Inside).  The DMZ and Inside networks are both RFC 1918 space however it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IP's which NAT to the DMZ hosts .  In my DMZ network there are two devices - a Web Server and a 802.11 Access Point.
 
The Web Server is hosting our corporate web site.  When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to.  A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
 
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?

View 1 Replies View Related

Cisco Firewall :: 5510 - Hosts Loosing IP Address

Dec 10, 2012

I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
 
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
 
Information:
     Lease length: 172800
     address pool: 134 addresses
     hosts: around 45 + mobile units 45

View 3 Replies View Related

Cisco Firewall :: Get DMZ Hosts To Access Internet Via Outside Interface Of ASA5505

Jun 19, 2011

How can I get DMZ hosts to be able to access the Internet via the Outside interface of my ASA5505.I am using the DMZ to allow temp guest acces to the Internet.
 
Here is my configuration and it can be changed as needed.
  
User Access Verification
Password:Type '?' for a list of available commands.ciscoasa> enaPassword: *******ciscoasa# sho run: Saved:ASA Version 8.0(4)!
interface Vlan1nameif insidesecurity-level 100ip address 192.168.100.39 255.255.255.0!interface Vlan8no forward interface Vlan1nameif dmzsecurity-level 50ip address 172.31.10.1 255.255.255.0!interface Vlan11nameif outsidesecurity-level 0ip address 24.172.82.xxx 255.255.255.252!interface Ethernet0/0!interface Ethernet0/1switchport access vlan 11!interface Ethernet0/2!interface Ethernet0/3switchport access vlan 8!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa804-k8.binftp mode passivedns server-group DefaultDNSdomain-name asaobject-group protocol DM_INLINE_PROTOCOL_1protocol-object udpprotocol-object

[code]...

View 10 Replies View Related

Cisco Firewall :: ASA 8.x Logging To Multiple Hosts At Different Severity Levels?

Jun 19, 2011

Is it possible to configure the ASA to:
 
log syslog informational to one host
and
log syslog critical to a different host
 
It seems that the ASA allows you to only specify 1 logging severity level for all syslog hosts..

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Cannot Ping Local Traffic And Hosts

Jul 24, 2012

I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.

I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.

I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out

ASA Version 7.2(4)
!
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
[Code]...

View 2 Replies View Related

Cisco Firewall :: RV180W / Multiple Hosts In DMZ In Small Business Router?

Aug 26, 2012

I've got an RV180W for my office, and so far it has been great.  I have two users that use a certain application that crashes all the time.  For some reason, they don't crash when put into the DMZ.  Is there any way i can put both of them in the DMZ? I can only figure out how to have one host in the DMZ at a time. 

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Create Network Object For Range Of Hosts?

Oct 25, 2011

I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
 
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
 
Is there a way to do a similar thing on the ASA 5520?
 
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - 106001 Syslog Events For Internal Hosts?

Jul 26, 2011

I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'
 
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?

- What might be causing this?

- How can I turn it off!! (I guess that'd be fixed by point 2)

View 4 Replies View Related

Cisco Firewall :: ASA 5510 / Blocking / Shunning Hosts With Service Policy Rules?

Dec 20, 2012

I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
 
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing? 

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved