Netopia 4686XL USA Public IP address to Linksys WRTU54G-TM for Netflix USA IP

I have a stack of public IPs on my Ethernet router Netopia 4686XL which is on a T1 connection in USA. I have multiple Linksys routers model WRTU54G-TM (T-Mobile @Home Router) which I use as routers at various locations other than my office. I would like to get a Public IP from my office Ethernet router (Primary router on a Static IP with T1 Speed) to get one of the public IP addresses on my Netflix device through a Linksys router which is at a remote location with various ISPs (Cablevision, Optimum Online, Verizon FIOS, Videotron.ca CANADA, Airtel INDIA, BSNL INDIA, and more) where I have Basic internet service. I want to get the USA IP address from my office location so I can overcome the issue of Netflix. There is the Advanced Routing page in the Linksys router (192.168.1.1/Advanced-Routing-Router.htm) where I should be able to point to the public IP using static IP routing, but I do not know how to configure it. I have set up a static address on the Linksys client so the device will always be on the private address 192.168.1.100. Step-by-step directions will be helpful due to many hours of research without any success.

Hi there. Static Routing is actually possible but only through a local network. May I ask, what is the issue you are having by the way with Netflix?

Similar Messages

  • Using a second Public IP Address:

    Guys, 
    My client has been allocated 2 Public IP Addresses from the ISP, but we always just used one of them because there was never a need to use the second. Well, we now have a situation, where we need to port forward port 5060 to two different local IP addresses. The obvious solution would be to use the second public IP Address and port forward it to 5060 and then call it a day. I just don't understand how that works on a cisco router. Does the router know about all of the Public IP's because when I added the main public IP Address on the WAN port, I put the subnet mask in that accounts for the 2 IP's? How do I make the Router aware of my second Public IP Address? 
    Thanks in advance for all of your help,  

    You won't be able to port forward the same port on the same public IP to different local IPs  because the router will have no way of knowing which local IP it is meant for.
    But what you could do is use your existing IP for one of the translations and the second IP for the other eg.
    ip nat inside source static tcp 192.168.5.10 5060 interface gi0/1 5060
    where gi0/1 is the outside interface and then
    ip nat inside source static tcp 192.168.5.11 5060 <unused public IP> 5060
    In terms of how it works with the second public IP the ISP has a router with an IP from the same public IP range. So when traffic gets to ISP router inbound from the internet the ISP router requests the mac address of the public IP.
    Your router performs proxy arp for that public IP so it responds with the mac address of its outside interface.
    This means that traffic for that IP is sent to your router.
    Jon

  • Extremely Slow Internet From Linksys WRTU54G-TM

    Hi all,
    I'm hoping someone can help me with this issue. I got the Linksys WRTU54G-TM for T-Mobile's @home service. According to the store employees, I should be able to just plug it in and it should work. I got it home, disconnected my old router (a Linksys WRT54G) and plugged it in. After a few minutes, the phone was up and working and sounds good; however, the internet coming off of the router is extremely slow (both wired and wirelessly). So slow that pages won't load. The title bar will tell you where you're trying to go; however the page will not load.
    Before calling for help, I contacted my internet provider (Cox Cable in Phoenix) and verified that the network was working and that my modem (Terayon brand) was good. When I hook the modem directly to the computer I get my full connection (around 20 megs down). Then I called T-Mobile and was connected to Linksys since the router was connecting and providing phone service.
    I spent an hour on the phone with Linksys. We flashed the firmware to the latest build, reset the modem to factory settings, reset the modem via the button on the back all the while power cycling the whole setup numerous times. The rep had me check some settings on my computer and I was able to ping from the cmd prompt. In the end, she felt that I received a bad router and said I should return it. She never mentioned cloning the MAC address; however, I saw that on the T-Mobile forums and tried it - no luck.
    I took the router back to the T-Mobile store and the rep happily exchanged my router for a new one. I got it home, plugged it in and have the same problem. Phone works, internet doesn't pass through the router properly.
    I went ahead and flashed the new router and reset it to factory settings and that did not help (all the things I did with the Linksys rep with the first router). I'm going to be calling T-Mobile/Linksys again tomorrow but I wanted to see if there was anything anyone in these forums may know what I could try.
    With the second router, I did try plugging it into my old router (modem - old router - new router), the phone worked and the internet worked (both wired and wireless); however, the internet is not as quick as going through one router and I do not want to have two routers set up.
    Secondly, I looked at the configuration of my old one and set the new one to the same exact settings; however, one setting could not be matched. My old router is set to an operating mode of GATEWAY, the new one is set as ROUTER. The only options on the new one are router and bridge. Could this be the issue?
    It was recommended on the T-Mobile forums to run a speed test and post the results, which I can do tonight after I get home from work.
    I've searched these forums, Google, the T-Mobile forums, the Cox forums at dslreports.com, and tons of other places and cannot find an answer. Based on the size of Cox, it's hard to believe I'm the only one with this issue. Any help would be appreciated. I have until Sunday to return the router and cancel the service without any termination fees.

    Try the following settings on the router...
    Change the Wireless Channel to 11-2.462GHz under Wireless tab... Under Advanced Wireless Settings, change the Beacon Interval to 75, change the Fragmentation Threshold to 2304, change the RTS Threshold to 2304. Under Security tab, uncheck the option "Block Anonymous Internet Requests"... Power cycle the router and check.

  • Can't access webacc on server public ip address

    This is new server with a fresh SLES11sp2 OES11sp1 install with GW2012 sp2.
    All is working well except even a local workstation cannot access webacc using the server public ip. Server is behind a router. Makes no difference if firewalls are on or off. Same issue from a remote workstation on another network, i.e., cannot connect to webacc using the test server's public ip from a browser. Just one nic in the server and one private ip.
    FYI, same issue exists for imanager, i.e., no public ip address access even from a local workstation, so I am thinking it may be a SLES network card configuration issue, but that's just because I seem to remember under Netware 6.5 I had to make some inetcfg configurations to relay through the router. Router is an older Linksys WRT610N as this is just a test system for the time being.
    I started an SR and they couldn't suggest any fixes other than to tinker with the router. I have both the to default values and open in the router's port forwarding section.
    Ideas? Including switching to a newer router (I'm trying to keep it under $300.00) if you have any suggestions. This server will be for no more than 10 workstations local (mixed wireless and wired) and/or remote workstations for very trusted users.
    Help Mr. Wizard!!!
    thanks.
    johnb

    On 10/04/2013 16:26, jbeuhler wrote:
    > The sp2 is not a typo. I had a SR with a GW2012 sp1 problem during
    > install, encountering a "line173 error" involving a python subdirectory,
    > even using the --text switch. The engineer (the SR went up) gave me the
    > link to try sp2. It installed okay, still a little glitch but I figured
    > out how to get around the line 173 error by installing all of the GW
    > products one after another without configuring in between product
    > installs and then going back to do the product configurations, instead
    > of install, configure, etc for each product. The SR said the line 173
    > install error is a known error but not currently under review for a
    > fix.
    >
    > If you would pass this post on the beta reporting or send me that
    > direction I would appreciate it.
    >
    >
    > I am assuming from your response that my problem is not a recognized
    > problem?
    I wouldn't assume that but since you're running software that's not
    publicly released I'd go back to your SR/contact with this issue.
    HTH.
    Simon
    Novell Knowledge Partner

  • Public IP address requirement for a Public facing SharePoint 2013 website.

    I am planning to implement a public facing website on SharePoint 2013 platform. Following are the proposed server setup.
    2 x Web Front End (WFE) hosting SharePoint 2013 (Load Balanced)
    2 x  Search and Application server hosting SharePoint 2013 (Load Balanced)
    2 x Application Server (non-SharePoint with separate .NET web applications linked through SharePoint site)
    2 x SQL 2012 Servers (Clustered with two instances for SharePoint and .NET applications)
    I understand that SQL servers will not require a public IP.  What about other servers?  Also, there is no tight integration between the Application (# 3) and SharePoint servers.  It is just a hyperlink provided on the WFE website.  In this scenario, do we need public IPs for # 2 and 3?
    Thanks in advance!
    LM

    Hi,
    In your scenario, if your Application servers run apps that need to be accessed from the Internet, these need to be published as well. Your Search And Application hosting SharePoint 2013 (SharePoint app servers) don't need to be connected to the internet.
    So all in all, make sure you publish your WFE's (using your load-balancer IP) and your Application (Non-SharePoint, through load-balancer).
    The best way to do this is using a reverse proxy to publish your SharePoint and application servers. This means you only need 1 public IP address in this scenario.
    If you need more guidance, let us know.
    Nico Martens
    SharePoint/Office365/Azure Consultant

  • Create public facing web site of SharePoint intranet portal with Public IP Address

    Hi,
    I did below steps to create public facing URL and to access outside domain network (Internet).
    1. Got a public IP Address.
    2. Created an extending web application to existing Web Application (default zone - intranet) and Zone selected to Internet and host header given test.contoso.com.
    3. Went to IIS and edit binding of Internet site. Provided public IP Address in 'IP Address' textbox and given host name as test.contoso.com. 
    Above are the 3 steps used to get access to http://test.contoso.com on the internet. But I am unable to access it and have not seen any relevant message.
    Please help me and provide me steps to achieve.

    Did you actually register the contoso.com address on the Internet?  And is it associated with the public IP Address?  To access SharePoint from the Internet you are going to use http://test.contoso.com.  The Internet DNS servers need to be able to resolve that to your Public IP in order to find the SharePoint server.
    Second, did you bind your external IP address to one of the network cards on your SharePoint server?  Or is your Firewall or other gateway device forwarding traffic to the SharePoint server at that address?
    Another problem you may have is whether that Internet IP address is even reachable on your internal network from the Internet.  Most companies have Firewalls in place to keep external users from accessing addresses inside your network.
    It sounds like you've done all the SharePoint configuration correctly, but you also need to make sure that TCP/IP is correctly configured.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog

  • How Can I Use two Different Public IP Addresses on my DMZ with ASA Firewall.

    How To Using Two Different Public IP Address on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation that I'm looking for a solution to?
    My old range of public IP addresses is finished, I mean (the 41.x.x.0 range).
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range of 197.216.1.24/29.
    So my question is, in the real world (on the equipment) how can I use two different public IP addresses on the same DMZ on Cisco ASA 5520 v8??
    How should my configuration look?
    I was told about implementing static NAT with sub-interfaces on both the Router and ASA interface.
    Can someone please give me some help with a practical config sample? I can as well be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So looking at your picture you have the original public IP address range configured on the OUTSIDE and its used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the chosen method on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would require you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses of course.
    Of the above ways
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configurations/changes on the ASA. In this case though you might run into a problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to a public IP address towards LAN also).
    Hopefully the above was helpful. Naturally ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni

  • How to assign a private IP address to a public IP address

    Hello.
    At the beginning, sorry for my poor English. My company uses a Cisco 881 router and I have the following problem to resolve. I need to assign a local IP address from my private network to a public IP address (this is the public IP address of the SMTP server). As a result, I want to do the following thing: I would like to use a local IP address in the SMTP server settings of the email client instead of an IP address of the service provider. The device which I have to configure with the SMTP server is connected via a VPN and I can't use the public IP address of the email provider. Thank you for any response.


  • MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

    Hi All,
    We are configuring an ASA 5510 for remote VPN users using Any Connect.
    Our question is:
    We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
    Any suggestions on how to best achieve this requirement.
    Regards,

    What are the different groups used for? Are those different companies or just different departments of one company?
    There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.
    One "typical" way to configure different VPN-settings for different users is the following:
    You configure one tunnel-group with the needed authentication-settings. The assigned group-policy only has the needed tunnel-protocol configured like ssl-client.
    For each department you configure one group-policy with all needed parameters like split tunnel, VPN-filter, banner, DNS/WINS-servers, domain and so on.
    Your users get one of these group-policies assigned. That can be done with local authentication in the user-account, or more scalable through a central RADIUS-server which can be the Windows NPS to authenticate the domain-users.

  • Multiple public IP addresses

    ASA newb here.  This question has been asked before but the configurations seem to be different so they don't really answer my question.  I think mine is pretty simple but I can't find a clear "this is what you do" answer.  I've been reading the Cisco docs trying to figure it out but they have so many different scenarios and examples that it's a little overwhelming.  Plus none of them seem to match mine 100%.
    ASA 8.4
    I have 6 public IP addresses and want to use 2 of them.  I have two servers running an application that needs port 1234 accessible externally for updates.   Can't change port numbers and obviously can't route 1234 two different places.
    Say my range is 4.4.4.4 to 4.4.4.10.  I want to use 4.4.4.4 and 4.4.4.5.  My network currently looks like so:
    4.4.4.4 <--> ASA <--> 192.168.0.0/24
    I want:
    4.4.4.4,4.4.4.5 <--> ASA <--> 192.168.0.0/24
    Any ideas?

    none taken.
    Let me make sure i've got this right.  I'll describe what i see in ASDM.
    Line 1:  Source Intf - inside, Dest Intf - outside, Source - server2, Destination - any, Service - tcp/1234, Source - server2-outside, Destination - --Original--, Service --Original--
    Line 2:  Source Intf - outside, Dest Intf - inside, Source - any, Destination - server2-outside, Service - tcp/1234, Source --Original--(S), Destination - server2, Service --Original--
    I'm not entering your server1 info because I already have that setup and working.
    ACL:  Source - any, Destination - 192.168.1.5, Service - tcp/1234, Action - permit
    Server2 = 192.168.1.5
    Server2-Outside = 4.4.4.6 (my other external address)

  • Multiple public IP Addresses on ASA 5505?

    Hi
    Is it possible to have two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2)? If so, how?
    Thanks in advance for your help with my request.
    d

    Hello Douglas,
    you don't need to assign multiple IP-addresses - the trick is the MASK besides that you tell ASA where to find the default gateway.
    The rest is icing on the cake, and you achieve this with the help of NAT.
    Let's say you're provided a network with a mask of 255.255.255.248, then nets, or subnets, jump on the number 8.
    1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
    2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
    3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 addresses
    and so forth
    Let's take the 3rd example here, and configure the outside interface with a mask of 255.255.255.248 and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.
    If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create an object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
    If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create an object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).
    That all works through 1 cable, 1 interface assigned with the right MASK.
    Hope that clears the skies?
    Pls, rate right answers!
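
The /29 arithmetic in the answer above, as an added example that is not part of the original post: it derives the block from the outside interface address and mask, lists the addresses left for static NAT, and rejects mappings that could never work. The function names and the 203.0.113.16/29 documentation block standing in for X.X.X.16 are assumptions.

```python
import ipaddress

def plan_outside_block(interface_cidr, gateway):
    """Derive the roles of every address in the ISP block from the
    outside interface address/mask and the default gateway."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    if iface.ip not in hosts:
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in hosts or gw == iface.ip:
        raise ValueError(f"gateway {gw} must be a different usable host in {net}")
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "gateway": gw,
        "interface": iface.ip,
        # What is left over can be used as mapped addresses in static NAT rules.
        "nat_pool": [h for h in hosts if h not in (gw, iface.ip)],
    }

def check_static_nat(plan, mappings):
    """mappings: iterable of (real_ip, mapped_ip). Returns a list of problems."""
    problems = []
    used = {}
    for real, mapped in mappings:
        addr = ipaddress.ip_address(mapped)
        if addr in (plan["network"], plan["broadcast"]):
            problems.append(f"{mapped}: network/broadcast address of the block")
        elif addr == plan["gateway"]:
            problems.append(f"{mapped}: belongs to the ISP gateway")
        elif addr == plan["interface"]:
            problems.append(f"{mapped}: is the firewall's own outside address")
        elif addr not in plan["nat_pool"]:
            problems.append(f"{mapped}: outside the block, the ISP router will not deliver it here")
        elif addr in used:
            problems.append(f"{mapped}: already mapped to {used[addr]}")
        else:
            used[addr] = real
    return problems

# Constructed sample: the third subnet from the answer, with .17 as the
# gateway and .18 on the outside interface (mask 255.255.255.248).
PLAN = plan_outside_block("203.0.113.18/255.255.255.248", "203.0.113.17")

GOOD = [("192.168.0.10", "203.0.113.19"),   # mail
        ("192.168.0.11", "203.0.113.20")]   # web
BAD = [("192.168.0.10", "203.0.113.19"),
       ("192.168.0.11", "203.0.113.19"),    # duplicate mapped address
       ("192.168.0.12", "203.0.113.23"),    # broadcast
       ("192.168.0.13", "203.0.113.18"),    # interface address
       ("192.168.0.14", "203.0.113.25")]    # next /29

if __name__ == "__main__":
    print("NAT pool:", ", ".join(str(a) for a in PLAN["nat_pool"]))
    for line in check_static_nat(PLAN, BAD):
        print("problem:", line)
```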

  • (ASA 5510) How do assign multiple public IP addresses to outside interface?

    Hi,
    I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  Please bear in mind I'm doing the config via ASDM.
    PS. everything else seems to be OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
    Any help much appreciated as I really need to get this sorted by Sunday night!
    Jan

    ASA 5505 is slightly different to ASA 5510. ASA 5505 has switchports, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub interfaces.
    In regards to static NAT, which version of ASA are you running?
    For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
    static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
    For ASA version 8.3 and above:
    object network obj-192.168.0.3
         host 192.168.0.3
         nat (inside,outside) static 123.123.123.125
    Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
    For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
    For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
    Hope that helps.
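
The ACL difference described in the answer above is easy to miss when a configuration moves between ASA releases, so here is a small audit for it, as an added example that is not part of the original post. It reads the NAT lines in the two forms quoted above plus inbound ACL entries and reports entries that name the wrong side of the translation for the given version; the ACL name `outside_in`, the function names and the sample configs are assumptions, and only `permit ... any host <ip>` entries are handled.

```python
import re

# NAT in the pre-8.3 form: static (real_if,mapped_if) <mapped> <real> netmask ...
STATIC_82 = re.compile(r"^static \([^,]+,[^)]+\) (\S+) (\S+) netmask \S+$")
# NAT in the 8.3+ object form: "host <real>" then "nat (...) static <mapped>"
OBJ_HOST = re.compile(r"^host (\S+)$")
OBJ_NAT = re.compile(r"^nat \([^,]+,[^)]+\) static (\S+)")
ACE = re.compile(r"^access-list (\S+) extended permit (\w+) any host (\S+)(?: eq (\S+))?$")

def parse_nat(lines):
    """Return {mapped_ip: real_ip} for every one-to-one static NAT found."""
    mapped_to_real = {}
    host = None
    for line in lines:
        if line.startswith("object network "):
            host = None  # a new object starts, forget the previous host
            continue
        m = STATIC_82.match(line)
        if m:
            mapped_to_real[m.group(1)] = m.group(2)
            continue
        m = OBJ_HOST.match(line)
        if m:
            host = m.group(1)
            continue
        m = OBJ_NAT.match(line)
        if m and host:
            mapped_to_real[m.group(1)] = host
    return mapped_to_real

def audit_inbound_acl(config, version):
    """Return (acl_name, address_in_entry, address_expected) for each permit
    entry that names the wrong side of a static NAT for this ASA version."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    major, minor = map(int, re.match(r"(\d+)\.(\d+)", version).groups())
    wants_real_ip = (major, minor) >= (8, 3)
    mapped_to_real = parse_nat(lines)
    real_to_mapped = {real: mapped for mapped, real in mapped_to_real.items()}
    findings = []
    for line in lines:
        m = ACE.match(line)
        if not m:
            continue
        acl, _proto, dest, _port = m.groups()
        if wants_real_ip and dest in mapped_to_real:
            findings.append((acl, dest, mapped_to_real[dest]))
        elif not wants_real_ip and dest in real_to_mapped:
            findings.append((acl, dest, real_to_mapped[dest]))
    return findings

# Constructed configs using the addresses from the thread.
CONFIG_82 = """
static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 123.123.123.125 eq smtp
access-group outside_in in interface outside
"""

# 8.3+ NAT, but the ACL entry was carried over unchanged from 8.2.
CONFIG_84_CARRIED_OVER = """
object network obj-192.168.0.3
     host 192.168.0.3
     nat (inside,outside) static 123.123.123.125
access-list outside_in extended permit tcp any host 123.123.123.125 eq smtp
access-group outside_in in interface outside
"""

CONFIG_84_FIXED = CONFIG_84_CARRIED_OVER.replace(
    "any host 123.123.123.125", "any host 192.168.0.3")

if __name__ == "__main__":
    for acl, found, expected in audit_inbound_acl(CONFIG_84_CARRIED_OVER, "8.4(2)"):
        print(f"{acl}: entry names {found}, this version matches on {expected}")
```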

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN).  I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)?  Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP address are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something.
    - Jouni

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and esp to the outside interface of the ASA that has a private IP address. The PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing C871 and just use ASA makes VPN much simpler and easier, but I like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
    C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think that you want to control all outbound traffic from the LAN to the outside by the ASA.
    I suggest some modifications as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and respond.
    Best regards,
    MB
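
The C871 configuration posted above applies `ip access-group wna-in in` to FastEthernet4, but the ACL is defined as `wan-in`; on IOS an interface that references an undefined ACL permits all packets. The following Python check is an added example, not part of either post: it lists every ACL reference in a configuration that has no matching definition. The names `SAMPLE_CONFIG` and `dangling_acl_references` are made up for this example.

```python
import re

# Excerpt of the C871 configuration from the post above; indentation is restored
# by hand and the selection of lines is constructed for this example.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip access-group wna-in in
ip nat inside source list nat-pat interface FastEthernet4 overload
ip access-list standard ssh
 permit any log
ip access-list extended nat-pat
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
 deny   ip any any log
line vty 0 4
 access-class ssh in
"""

# ACL definitions (named and numbered) and the commands that reference an ACL.
DEFINE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
NUMBERED = re.compile(r"^access-list (\d+) ")
REFERENCES = [
    re.compile(r"^ip access-group (\S+) (?:in|out)$"),
    re.compile(r"^access-class (\S+) (?:in|out)"),
    re.compile(r"^ip nat inside source list (\S+) "),
]

def dangling_acl_references(config_text):
    """Return (line_number, command, acl_name) for each reference to an undefined ACL."""
    defined, refs = set(), []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = DEFINE.match(line) or NUMBERED.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pattern in REFERENCES:
            m = pattern.match(line)
            if m:
                refs.append((number, line, m.group(1)))
    # A running-config lists definitions after the interfaces that use them,
    # so the comparison happens only once the whole file has been read.
    return [ref for ref in refs if ref[2] not in defined]

if __name__ == "__main__":
    for number, command, name in dangling_acl_references(SAMPLE_CONFIG):
        print(f"line {number}: '{command}' references undefined ACL '{name}'")
```

ACL names on IOS are case-sensitive, so the comparison is exact.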

  • How to configure ASA5512X DMZ with a Public IP address?

    Hi;
    I have an ASA5512X firewall with 6 interfaces. Interface 0 has been assigned to WAN connectivity over ADSL, for which my ISP gave me two static IPs (not a block range of IPs). My ISP mapped the MAC address of an interface to an IP address; this is what they call "Dynamic-Static", which is like reserving a MAC address of a device on a DHCP server so that it always gives you the same IP address.
    Here is the scenario: in order to have the 2nd static IP, I need to give them the MAC address of another interface on the ASA5512X. I am thinking of giving them the MAC address of interface #3; however, the public IP address assigned to interface 0 is the WAN, and the public IP address assigned to interface 3 will be on the same subnet from the ISP. In this scenario, are there any problems or limitations? Also, can I create a NAT to translate the public IP on the DMZ to one of the hosts on the inside LAN?

    What are you trying to do? What is the purpose of the second public IP? You can use that guy for any number of things. One-to-one NAT for one thing or another is most common [mail server, web server, RDP terminal, etc.]. All of those would go over the same interface to get out to the internet.
    Dynamic-Static is PAT. One IP address, multiple clients using different ports. Similar to NAT, but different in how the translation is handled.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html#wp1078939
    SOOOO To answer what you are asking, just give them the MAC of the Interface 0. You can't have overlapping IPs on the interfaces. Won't work. Also if nothing is plugged into that interface, that IP won't do you any good. You could have a DMZ switch that your ASA and ISP link into, and have that second IP assigned to a device you plug into that DMZ switch. I've had to do that with some VCS servers to get Jabber working on it.
