Configuring Cisco ASA for site to site VPN (Issue with setting up local network)
OK, so our primary firewall is a Checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site to site VPN through the Cisco ASA, as the Checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
What would be the best practice for setting up the local network on my side? Create the network on the ASA and then use a L2 VLAN to connect to the core switch?
Set up a L3 interface on the core switch and point it towards the Checkpoint gateway, which would then point to the ASA?
When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
Our network is set up like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
The ASA is connected to a Checkpoint sub-interface.
Any help would be beneficial as I'm new to Cisco ASAs.
Thanks
Mark
Mark
If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 VLAN. But as I think a bit more, my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
HTH
Rick
Similar Messages
-
VPN Server with two router local network
I just got a Mac Mini Server 2011 to set up as a home server. One of the main features I want to use is a VPN so I can access my files on my local network when I'm away from home. I live in Japan and I have a Japanese optical connection to the internet that runs through two boxes before I can use it in any form: some sort of modem, and a "gateway" which I literally just found out is also acting as a router and serving DHCP addresses. In addition, I have a 2TB Time Capsule that, until just recently, I had been using in the "Share a Public IP" mode because I didn't realize the gateway was also issuing DHCP addresses. I cannot simply plug my TC into the modem in place of the gateway - both are required to access the internet.
Until today I had both routers using DHCP on the local networks they each created. Under that environment, I had finally configured Lion Server to file share (easy), manage network accounts (moderate), and serve Profile Manager (difficult). But despite my best efforts at mapping the ports on the Time Capsule, I just couldn't get the ports open using tools like canyouseeme.org, so the VPN was a no-go. That's when I realized the gateway could be a router too, so with some creative Google searches, and extensive use of Google Translate, I was able to figure out how to open ports on the gateway. It does it pretty differently from the Time Capsule and other routers I've seen. It asks you to define the host on the LAN (what I assume to be the target IP), the protocol (TCP vs. UDP), and then a range of ports for it to open. I plugged in the IP of the Time Capsule, opened all the UDP ports (since it was an option to just open all, and I figured 1) the TC would still protect my network and 2) it would just be a test), but I still couldn't see the ports as being open.
So then I got desperate, and I switched the TC back to Bridge Mode, reconfigured the Server and my MBP (my client Mac) to the new IP addresses being served by the Japanese gateway, and tried again. I think I reconfigured the DNS settings in Server Admin properly to account for the change in IP, and then updated the services in Server.app, but now I can't even get to my server homepage (the apple placeholder page) using either its IP or its .private domain, and to make matters worse, I STILL can't seem to get the ports open (yes, I changed the port mapping to send it directly to the server IP as the target after the change).
To add insult to injury, the wired ethernet connection I had been running from my TC to the MM Server is now reporting a cable unplugged (it's not), even when I plug it directly into the gateway, though I am able to connect wirelessly.
Does anyone have any idea what's going on? Why can't I get these ports open? (By the way, I called my ISP and they said they aren't blocking any of the ones I'd want to use for VPN.)
What is the *better* set up - using the TC as a second LAN, serving its own DHCP addresses, or using it in Bridge mode?
Why did these changes sever my wired connection?
I was getting even more problems (like loss of internet connectivity on all devices) using the TC in bridge mode, so I decided to go back to the dual network setup.
Hello Eric,
As I mentioned above.
For external Internet access, I would create a Generation 1 VM and use 2 Legacy Network Adapters for the interfaces. Connect it to the External and Internal network, and then install VM Linux IPFire (How to install) and configure IPFire with RED and GREEN interface.
You don't need a router or any firewall.
I have the same set-up that you are trying to do in your lab and it's working great.
All my VMs / computers on the LAN have the Linux VM as their gateway.
Hope this helps.
Regards,
Charbel Nemnom
MCSA, MCSE, MCS, MCITP
Blog: www.charbelnemnom.com
-
Configuring Cisco Router for use with Syslog Server
Does anyone know of a good doc for this?
-Ashley
Start with that one: http://security-planet.de/wp-content/uploads/2008/12/logging-ios.pdf
And if you need more information, just ask what you want to achieve.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Include multiple sub-interfaces in Cisco ASA for VPN tunnel
I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, in Cisco ASA 5550 (in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub-interfaces to access outside (lower security level)
NAT rules are configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLANs couldn't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site. -
Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007
I have enabled and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have a Cisco ASA 5520 firewall at work, is there something I need to set up on the device? We want to allow users from
home to connect via their Outlook clients from home. OWA is working from the outside... Help please...
Hi,
Make sure that the required ports are allowed over the device. The users can access through port 25/443 etc. and these should be opened. Better, go for a test at www.testconnectivity.microsoft.com
Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected] -
How to configure Cisco ASA 5500 to work with the iPhone
We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
I noticed that many people are having these problems.
Please do not post to this topic if you have ANY OTHER Cisco device.
Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
Thank you!
Oleg R
We found the solution and a bug in Cisco firmware (seems to be a bug).
First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set iphone esp-3des esp-sha-hmac
crypto ipsec transform-set iphone mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
group-policy iphone internal
group-policy iphone attributes
wins-server value <insert ip> <insert ip>
dns-server value <insert ip> <insert ip>
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iphone_splitTunnelAcl
default-domain value <insert domain name>
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool VPN-Pool
authentication-server-group ActiveDirectory2
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key <insert pre-shared key>
For iPhone you have to be using IPSec tab for configuration.
We tried to set up this config using the wizards, but it would not work.
Later it turned out that wizards by default set this setting:
"crypto isakmp nat-traversal 20"
equal to zero and there is no way to change it from the GUI.
Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
Please let me know how it works out for you.
-
Cisco jabber for mac over fortigate vpn problem
Hi all,
We have installed the Cisco Jabber for Mac successfully. The Jabber client is able to register locally successfully.
Calling and other features are working properly. Jabber IM is also working fine.
But when we try over VPN it shows the error "services are missing". All the ports are open on the Fortigate firewall.
If you have detailed diagnostics from the Jabber Mac client, this would provide some more context to why it's displaying those errors. (Help > Detailed Logging enabled) (Help > Report a problem)
Another thing to check for would be DNS resolution of the configured servers when the Mac is VPN'd in. If Jabber cannot resolve the DNS name, it will not know where to connect to.
If the diagnostics are pointing towards a connectivity problem, but the firewall says it's wide open, then taking a packet capture on the Mac where Jabber is trying to register may illustrate what's going on at the network layer. -
Configuring cisco 857 for BM39
I know that I'm doing something wrong. Tried to follow example in appnote
http://www.novell.com/coolsolutions/appnote/7971.html
but once I turn on the "crypto map static-map" - I can no longer ping the
router from a PC connected to the router. I'm preparing a Cisco-857 as my
first attempt to run a site-to-site vpn using BorderManager v3.9.
I'm pasting the relevant portions of the cisco config below. Would greatly
appreciate your advice.
TIA....Gregg
ip dhcp excluded-address 192.168.255.1
ip dhcp pool sdm-pool
import all
network 192.168.255.0 255.255.255.248
default-router 192.168.255.1
lease 0 2
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key xx-my-key-xx address 192.168.19.13 255.255.255.252
crypto ipsec transform-set vpn-wvtwp esp-3des esp-sha-hmac
crypto map static local-address Vlan1
crypto map static 1 ipsec-isakmp
set peer 192.168.19.13
set security-association lifetime seconds 7200
set transform-set vpn-wvtwp
match address vpn-static1
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.19.14 255.255.255.252 secondary
ip address 192.168.255.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
crypto map static-map
ip route 172.16.0.0 255.255.248.0 192.168.19.13
ip route 192.168.0.0 255.255.0.0 192.168.19.13
ip access-list extended vpn-static1
permit ip 192.168.255.0 0.0.0.7 172.16.0.0 0.0.7.255
permit ip 192.168.255.0 0.0.0.7 192.168.0.0 0.0.255.255
Gregg,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
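The second entry of vpn-static1 in Gregg's config above matches any destination in 192.168.0.0/16, and that range contains the router's own Vlan1 address 192.168.255.1 and the LAN's own /29, so once the crypto map is applied the router treats plain LAN-to-router traffic as IPsec-selected in both directions. This added example (not from the thread) evaluates IOS wildcard ACLs with first-match semantics to show which entry claims each flow; HARDENED, its leading deny entry and the sample flows are constructed here.

```python
"""First-match evaluation of an IOS crypto ACL written with wildcard masks.

Added example, not from the original post. VPN_STATIC1 is copied from
Gregg's config; HARDENED and the sample flows are constructed here.
"""
import ipaddress
from typing import List, Optional, Tuple

VPN_STATIC1 = [
    "permit ip 192.168.255.0 0.0.0.7 172.16.0.0 0.0.7.255",
    "permit ip 192.168.255.0 0.0.0.7 192.168.0.0 0.0.255.255",
]

# Constructed variant: a leading deny keeps traffic that stays inside the
# local /29 (including the router's own Vlan1 address) out of the crypto map.
HARDENED = ["deny ip 192.168.255.0 0.0.0.7 192.168.255.0 0.0.0.7"] + VPN_STATIC1

ROUTER_VLAN1 = "192.168.255.1"   # from the config above
PC = "192.168.255.2"             # constructed: a host in the DHCP pool


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(ace: str) -> Tuple[str, str, str, str, str, str]:
    """Split 'permit|deny ip SRC SRC-WILD DST DST-WILD' into its six fields."""
    fields = ace.split()
    if len(fields) != 6 or fields[1] != "ip":
        raise ValueError(f"unsupported ACE: {ace!r}")
    return fields[0], fields[1], fields[2], fields[3], fields[4], fields[5]


def selecting_ace(acl: List[str], src: str, dst: str) -> Optional[int]:
    """1-based index of the permit entry that selects src->dst for encryption.

    Returns None when the first matching entry is a deny or nothing matches,
    which is how IOS decides whether a crypto map claims a packet.
    """
    for idx, ace in enumerate(acl, start=1):
        action, _, s, sw, d, dw = parse_ace(ace)
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return idx if action == "permit" else None
    return None


def is_protected(acl: List[str], src: str, dst: str) -> bool:
    """True if the crypto map claims the flow in either direction.

    Outbound packets get encrypted and inbound cleartext matching the mirrored
    ACL is dropped, so a plain ping between the two hosts cannot succeed.
    """
    return (selecting_ace(acl, src, dst) is not None
            or selecting_ace(acl, dst, src) is not None)


def report(acl: List[str]) -> List[str]:
    """Verdict for the flows relevant to the 'cannot ping the router' symptom."""
    flows = [(PC, ROUTER_VLAN1, "PC -> router Vlan1"),
             (PC, "172.16.3.7", "PC -> remote 172.16.0.0/21"),
             (PC, "8.8.8.8", "PC -> Internet")]
    return [f"{label}: {'crypto' if is_protected(acl, s, d) else 'clear'}"
            for s, d, label in flows]


if __name__ == "__main__":
    for name, acl in (("vpn-static1 as posted", VPN_STATIC1), ("with leading deny", HARDENED)):
        print(name)
        for line in report(acl):
            print("  " + line)
```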
Cisco asa 5505: No traffic lan to wan with IPv6
Hello everybody,
I have a Cisco ASA 5505, public ipv6 in outside interface, private ipv6 in LAN, from router I can ping any ipv6 in Internet and ping my LAN ipv6. Traffic doesn't go through router.
This is my configuration.
interface Vlan1
nameif inside
security-level 100
ip address PRIV-Saturn1 255.255.255.0
ipv6 address fc00::1/7
ipv6 enable
interface Vlan2
nameif outside
security-level 0
ip address PUBLIC26 255.255.255.248
ipv6 address xxxx:yyyy:67:36::2/64
ipv6 enable
ipv6 nd suppress-ra
access-list Dynamic_Filter_ACL extended permit tcp any6 any6
ipv6 route outside ::/0 xxx:yyyy:67:36::1
Am I omitting anything?
Thanks in advance for the help.
Jos P
Since you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT. -
Cisco ASA not returning traffic when wccp peering with Bluecoat.
Experts,
My setup has a Cisco ASA where we are doing WCCP with a Bluecoat SG box. The traffic gets redirected to the Bluecoat due to the WCCP settings so it's just transparent to the end users. They do not have to do any manual proxy settings in their IE.
We however notice that somehow the ASA does not return these connections back to the requesting hosts and somewhere the connection table breaks. The message we see on the ASA is that the state table is somehow not being maintained. Any idea where this connection must be breaking?
Regards,
Nikhil Kulkarni.
Nikhil,
Let me give you a little bit of background in regards to WCCP that can help you. As you stated the ASA will do transparent redirection, so the client doesn't have to configure anything on the PC.
The traffic will get to the ASA (port 80/443 or any configured port) and then the ASA will establish a GRE tunnel with the WCCP server and will redirect the traffic. After the Bluecoat receives the traffic it will "spoof" the IP address of the requested web page (the WCCP server needs to have direct communication with the client PC without passing through the ASA). I have seen some issues where the ASA and the WCCP server are unable to establish the GRE tunnel because the ASA uses the highest IP address as the router ID and uses this IP address to establish the tunnel. The WCCP keepalives (Here I am, I see you) are sent using the IP address of the closest IP address to the WCCP server.
At this point you may turn on the WCCP debugs and run some "show WCCP" commands.
I hope it helps
Luis Silva -
Cisco Jabber for Windows 10.5 search Contact with two lastnames
Hey Guys,
I have a little problem with the contact search feature of the cisco jabber for windows (Version 10.5.37889)
In my environment I have some Users (secretary phones and users too) which have two lastnames.
Exampleuser1: Firstname: Thomas Lastname: Meier Cisco ....
If a user is searching for Exampleuser1 by lastname (Cisco) the correct contact won't be listed
If a user is searching for Exampleuser1 by firstname (Thomas) the correct contact will be listed
If a user is searching for Exampleuser1 by lastname (Meier) the correct contact will be listed
is there a workaround or something else for resolving my problem?
thanks for reading my question :)
Workaround: "Cisco Meier, Thomas"
Have you looked at enabling wild card searches in jabber-config.xml? -
Cisco ASA 8.4.2 acl hitcount issue
Hi,
I have some peculiar issue that my ACL hit count is not getting increased. Not able to ping the public IPs.
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-group inside_access_in in interface inside
icmp permit any inside
icmp permit any outside
I'm able to ping my inside interface but not able to ping the internet. From the ASA I'm able to ping the internet.
my packet tracer output below.
packet-tracer input inside icmp 10.20.90.1 7 7 8.8.8.8 detailed
ASA# packet-tracer input inside icmp 10.20.90.1 7 7 8.8.8.8 $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x6e1ef600, priority=500, domain=permit, deny=true
hits=171641, user_data=0x8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA#
my nat is like below
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic interface
Any suggestion really appreciated.
Hello,
Add the following
fixup protocol ICMP
If this does not make the difference do the following:
1) Check the Ip address on your PC, make sure the ASA is the default gateway?
2) Ping the ISP address ( The default gateway of the ASA)
3) Share the complete output of show run nat
Let me know the result -
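The drop in the packet-tracer output above is an ACCESS-LIST phase whose Config is "Implicit Rule" with deny=true, which is consistent with the configured inside_access_in entries never being the matching rule and their hit counters not moving. As an added example (not from the thread), here is a Python parser for packet-tracer output that extracts each phase and reports which one dropped the flow and why; the sample trace is the thread's own output embedded as a constructed string.

```python
"""Parse Cisco ASA packet-tracer output into phases and locate the drop.

Added example, not from the original thread. SAMPLE_TRACE is the thread's
packet-tracer output, embedded here as a constructed string.
"""
import re
from typing import Any, Dict, List, Optional

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x6e1ef600, priority=500, domain=permit, deny=true
hits=171641, user_data=0x8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text: str) -> List[Dict[str, Any]]:
    """Split packet-tracer output into phase dicts.

    Each dict carries 'phase' (int), 'type', 'subtype', 'result' and the
    free-text 'config' and 'info' sections as lists of lines. Parsing stops at
    the bare "Result:" line that opens the trailing summary block.
    """
    phases: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":          # summary block: no more phases follow
            break
        if current is None:
            continue
        if line.startswith("Type:"):
            current["type"], section = line[5:].strip(), None
        elif line.startswith("Subtype:"):
            current["subtype"], section = line[8:].strip(), None
        elif line.startswith("Result:"):
            current["result"], section = line[7:].strip(), None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return phases


def parse_summary(text: str) -> Dict[str, str]:
    """Key/value pairs of the trailing summary block (Action, Drop-reason, ...)."""
    summary: Dict[str, str] = {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":
            in_summary = True
            continue
        if in_summary and ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return summary


def find_drop(text: str) -> Optional[Dict[str, Any]]:
    """Where and why the flow was dropped, or None if every phase allowed it."""
    for p in parse_phases(text):
        if p["result"] == "DROP":
            return {
                "phase": p["phase"],
                "type": p["type"],
                "rule": " / ".join(p["config"]) or "(none)",
                "implicit": "Implicit Rule" in p["config"],
                "reason": parse_summary(text).get("Drop-reason", ""),
            }
    return None


if __name__ == "__main__":
    print(find_drop(SAMPLE_TRACE))
```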
Mar-2015 firmware for hp 8620 solves my issue with 6x4 paper not being picked up
I had continual problems with my hp 8620 not picking up 6x4 photo paper.
I tried a number of fixes as suggested elsewhere on forums. I had the most success with the "scan and copy 99 blank A4 pages" workaround, but half the time the printer would still fail to feed the 6x4 on the first go.
Good news though, the latest firmware dated Mar 17 2015 has resolved this for me, and maybe it will improve it for others with the same problem.
The firmware says:
"This firmware upgrade is for HP Officejet Pro 8620/8625 e-All-in-One Printers.
File name: OJP8620_R1502A.zip
Release details
Released: Mar 17, 2015
Version FDP1CN1502AR
Fix and enhancements
Improvement to connectivity robustness
Improvement to paper-path reliability"
The link is here: http://support.hp.com/us-en/drivers/selfservice/HP-Officejet-Pro-8620-e-All-in-One-Printer-series/53...
I just spent several hours troubleshooting this printer. My rollers were all clean. I then used a bright flashlight and monitored through the front what it was doing when trying to load paper. There is a grey wheel that is lowered to the paper and rotates pulling the sheet in. It simply just isn't getting lowered enough because it's just spinning on top of the paper. I've tried a dozen different types of paper from heavy/thick to thin. I've tried fanning the paper and I've tried not fanning the paper. I've tried a full stack of paper down to a few sheets and everywhere in between. This is just a flawed printer and based on the hundreds of people I see having the exact same issues with this printer so soon after purchase is an eye opener. {Content Removed: no legal discussion permitted} I'm simply this fed up with my last several HP printer purchases. Anyone else that is as fed up as me please {Personal Information Removed}. I'm going to start tracking down as many people as I can. I'll likely move this discussion to a third party forum, hopefully one with a very high volume of traffic so if this post mysteriously disappears google search for it.
-
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts. So my apology for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick -
How to configure CISCO ASA 5510 for internal remote desktop ?
Hello, I have a client that wants to install a new ASA (5510) in their network.
And then I did some experiments to implement it. The topology is like this:
--------configuration---------
2800 router :
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.11.3 255.255.255.0
duplex auto
speed auto
ip route 192.168.12.0 255.255.255.0 172.16.1.2
1841 router :
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ASA 5510 :
: Saved
: Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
ASA Version 8.2(1)
hostname ciscoasa
enable password **** encrypted
passwd ***** encrypted
names
name 192.168.12.0 Branch
dns-guard
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
tcp-map mssmap
synack-data allow
invalid-ack allow
seq-past-window allow
urgent-flag allow
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location Branch 255.255.255.0 inside
no asdm history enable
arp timeout 14400
static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside Branch 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ***** password ***** encrypted
class-map mymap
match access-list inside_access_in
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map myPolicy
class mymap
set connection advanced-options mssmap
service-policy global_policy global
service-policy myPolicy interface inside
prompt hostname context
Cryptochecksum:a605d94f29924e5267644dd0f4476145
: end
I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
Then I used Wireshark to capture packets on my computer and it says TCP ACKed Lost Segment.
"1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
"1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
I can guarantee that both computers are remote desktop enabled and all firewalls have been disabled.
Please help, any suggestion would be great.
Thanks.
Sincerely yours
-IAN WIJAYA-
Dear Ian_benderaz,
Thank God I am not alone on this,
I too am having the exact same problem, I can ping the host, but no remote desktop.
Somebody please help me on this, how to enable remote desktop on ASA 5505
Thanks