RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming UDP 500, UDP 4500, and ESP traffic to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2, and PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA would make the VPN much simpler and easier, but I'd like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and the ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think that you want to control all outbound traffic from the LAN to the outside with the ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and respond.
Best regards,
MB
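An added illustration (not part of the thread, not Cisco's code) that replays the C871's forwarding decision for PC2's reply to the VPN client, using only the routes and the nat-pat ACL posted in the question. PC2's address 192.168.2.50 is a constructed sample; the client address 192.168.100.10 comes from the posted vpn-pool. The model shows why, while the C871 owns 192.168.2.1 (PC2's DHCP default router), PC2's reply matches the C871's default route toward the ISP and never reaches the ASA's VLAN 10 side, and how the first hop changes once the ASA holds 192.168.2.1 as MB's reply suggests. Which box owns 192.168.2.1 is passed in as a parameter rather than read from a device.

```python
"""Replay the C871's route lookup and NAT decision for PC2 -> VPN client.

Routes and ACL below are transcribed from the C871 config in the thread;
host addresses used for the walk-through are constructed samples.
"""
import ipaddress

# C871 routing table as posted: connected networks (AD 0) and static routes (AD 1).
# (prefix, next hop or None when directly connected, admin distance, egress interface)
C871_ROUTES = [
    ("1.1.1.0/30",     None,         0, "FastEthernet4"),
    ("192.168.2.0/24", None,         0, "Vlan2"),
    ("10.10.10.0/30",  None,         0, "Vlan10"),
    ("0.0.0.0/0",      "1.1.1.1",    1, "FastEthernet4"),
    ("10.10.10.0/30",  "10.10.10.2", 1, "Vlan10"),   # static, shadowed by the connected /30
    ("192.168.2.0/24", "10.10.10.2", 1, "Vlan10"),   # static, shadowed by the connected /24
]

# "ip access-list extended nat-pat" as posted: (action, src, src-wildcard, dst, dst-wildcard).
NAT_PAT_ACL = [
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),  # 'any'
]


def lookup_route(dst):
    """Longest-prefix match; an equal-length tie goes to the lower administrative distance."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ad, egress in C871_ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, prefix, next_hop, egress)
    return None if best is None else best[1:]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def c871_forwards(src, dst):
    """Egress chosen by the C871 and whether the PAT rule on FastEthernet4 translates the packet."""
    prefix, next_hop, egress = lookup_route(dst)
    translated = egress == "FastEthernet4" and acl_action(NAT_PAT_ACL, src, dst) == "permit"
    return {"route": prefix, "next_hop": next_hop, "egress": egress, "pat": translated}


def reply_path(pc2, client, owner_of_dot1):
    """PC2 sends its reply to 192.168.2.1 (the DHCP pool's default-router).

    owner_of_dot1 is "C871" (config as posted) or "ASA" (after MB's swap)."""
    if owner_of_dot1 == "ASA":
        # The ASA inside interface is now the first hop, so the reply lands on the VPN gateway.
        return {"first_hop": "ASA inside", "reaches_asa": True}
    fwd = c871_forwards(pc2, client)
    # Only a Vlan10 egress would hand the packet to the ASA's outside interface.
    return {"first_hop": "C871 Vlan2", "reaches_asa": fwd["egress"] == "Vlan10", **fwd}


if __name__ == "__main__":
    pc2, client = "192.168.2.50", "192.168.100.10"   # constructed sample hosts
    print("as posted   :", reply_path(pc2, client, "C871"))
    print("after swap  :", reply_path(pc2, client, "ASA"))
```

Run as is, the "as posted" case reports egress FastEthernet4 via 1.1.1.1 with `pat` False: the deny entry in nat-pat keeps the reply untranslated, and it leaves toward the ISP instead of the ASA, which matches the symptom that the ASA never encrypts anything toward PC1. Two things the model makes visible in the posted config are worth checking on the real box: the two static routes toward 10.10.10.2 are shadowed by connected routes and never take effect, and FastEthernet4 applies an access-group named `wna-in` while the ACL is defined as `wan-in` (the model does not evaluate that ACL).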