Hi Paul, thanks for the reply. I'm half way there, however I hit a snag with these commands:

ip nat destination list 100 pool UniFi-WiFi
ip nat destination list 101 pool Pi-Hole
ip nat destination list 102 pool 3cx-Jenners

It gives me an error:

SteveHome(config)#ip nat destination list 100 pool UniFi-WiFi
                         ^
% Invalid input detected at '^' marker.

SteveHome(config)#ip nat destination list 101 pool Pi-Hole
                         ^
% Invalid input detected at '^' marker.

SteveHome(config)#ip nat destination list 102 pool 3cx-Jenners
                         ^
% Invalid input detected at '^' marker.

SteveHome(config)#ip nat ?
  Stateful           Stateful NAT configuration commands
  create             Create flow entries
  inside             Inside address translation
  log                NAT Logging
  outside            Outside address translation
  piggyback-support  NAT Piggybacking Support
  pool               Define pool of addresses
  portmap            Define portmap of portranges
  service            Special translation for application using non-standard port
  sip-sbc            SIP Session Border Controller commands
  source             Source address translation
  translation        NAT translation entry configuration

Which way shall I proceed?
Hi again Karsten! You've helped me before on an ASA. Thanks for the suggestion, but I can't use it as, for certain reasons, I need ALL DNS traffic to go through the server on 172.16.9.5, so having the server on the Cisco can't be a route I take. Good idea though. Any other suggestions?
Hi, I've been looking around and can't find a suitable solution, or one I can understand and get the commands right and working. The short of it is I'm hosting 3 VMs at my house behind an 887VA-M. Outside the LAN I can access the services fine. Inside the LAN I cannot access them via the public DNS name but can via the internal IP. What I need is to go to http://domain.com and get the page required when inside the LAN. As mentioned, I've searched before asking but I can't seem to get it right! Someone please help?

Config:

Building configuration...

Current configuration : 5567 bytes
!
! Last configuration change at 20:30:23 UTC Wed Aug 14 2019 by cisco
! NVRAM config last updated at 20:30:25 UTC Wed Aug 14 2019 by cisco
! NVRAM config last updated at 20:30:25 UTC Wed Aug 14 2019 by cisco
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SteveHome
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-875695804
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-875695804
 revocation-check none
 rsakeypair TP-self-signed-875695804
!
crypto pki certificate chain TP-self-signed-875695804
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38373536 39353830 34301E17 0D313930 38313432 30303331
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3837 35363935
  38303430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B0570E37 FD347B08 6F3C47BF 7DF5FAF7 B7A6C7D0 3BCD34F0 AF879EAB 0FB1A8D5
  FA5317B2 793A6D1E 7E18CDF5 5EAF6986 0CC06777 D7BEEC38 CC7473AC 496A6953
  7F4E645D 7DE56AA1 5777E9B9 37DDA0E8 007E98D0 7451D6C9 5F16BB21 2542F547
  734F5A02 8F68BFEE A32E60A5 BA763D8F D2081E72 DB3C08A2 8251997E 1D50EB67
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 1680146B B9B8EF57 863D2423 A4A44994 E0158811 B87EE630 1D060355
  1D0E0416 04146BB9 B8EF5786 3D2423A4 A44994E0 158811B8 7EE6300D 06092A86
  4886F70D 01010505 00038181 006AE881 C98C21DC BC5E9F0F 47D2F6B3 AAC4E5AB
  FA62E70B 53481C6F 7DAA77C7 78DDB109 89279362 8E27488A 0AF7C802 AF372C07
  82F58987 09A73DA0 4F22BDD3 69171808 CCDFCBC2 EF810176 C570B7BB 6CFA4100
  C16B79E4 8B8EE297 28B7607E 7201522A 168178DE 4B3956E7 6E393C9D 05B20901
  EB744369 197268B6 F96DCBD3 53
  quit
!
ip dhcp excluded-address 172.16.9.1 172.16.9.20
!
ip dhcp pool Home
 import all
 network 172.16.9.0 255.255.255.0
 default-router 172.16.9.1
 dns-server 172.16.9.5 18.104.22.168 22.214.171.124
 lease 0 8
!
ip dhcp pool UniFi
 host 172.16.9.4 255.255.255.0
 hardware-address 000c.297d.69ff
!
ip dhcp pool pi-hole
 host 172.16.9.5 255.255.255.0
 hardware-address 000c.29d3.1af5
!
ip name-server 172.16.9.5
ip name-server 126.96.36.199
ip name-server 188.8.131.52
ip cef
no ipv6 cef
!
username ****** privilege 15 password 0 ******
!
controller VDSL 0
!
ip ssh version 2
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 172.16.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname *******
 ppp chap password 0 ******
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool Pi-Hole 172.16.9.5 172.16.9.5 netmask 255.255.255.0 type rotary
ip nat pool UniFi-WiFi 172.16.9.4 172.16.9.4 netmask 255.255.255.0 type rotary
ip nat pool 3cx 172.16.9.6 172.16.9.6 netmask 255.255.255.0 type rotary
ip nat inside source list NAT interface Dialer1 overload
ip nat inside destination list 100 pool UniFi-WiFi
ip nat inside destination list 101 pool Pi-Hole
ip nat inside destination list 102 pool 3cx
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended NAT
 permit ip 172.16.9.0 0.0.0.255 any
!
access-list 100 permit tcp any any eq 8080
access-list 100 permit tcp any any eq 8443
access-list 100 permit tcp any any eq 8880
access-list 100 permit tcp any any eq 8843
access-list 100 permit tcp any any eq 8883
access-list 100 permit tcp any any eq 6789
access-list 100 permit udp any any eq 3478
access-list 100 permit udp any any eq 1900
access-list 100 permit udp any any eq 10001
access-list 100 permit udp any any range 5656 5699
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 5060
access-list 102 permit udp any any eq 5060
access-list 102 permit tcp any any eq 5090
access-list 102 permit udp any any eq 5090
access-list 102 permit udp any any range 9000 10999
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 600 0
 password ******
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp source Dialer1
ntp server 0.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
!
end
I'm actually finding it's happening across the board to be fair.
Server A can't access any other server via public IP
Server B can't access any other server via public IP
Server C can't access any other server via public IP
Server D can't access any other server via public IP
ALL can talk internally fine. Something's definitely not correct. It's only since going to the ASA, so it's 100% with that.
I have an ASA 5512 running 9.4(4).18 here's my issue.
Server A on lan range 10.10.1.0/24.
Server B on lan range 10.10.1.0/24.
From the outside world I can access mydnsname.com and reach services on server B fine. Server B has internet access. Server B can talk to server A and server A can talk to server B.
From server A, if I browse to mydnsname.com it fails. They're both Windows Server 2012 R2. I've done netstat and can see I get a SYN_SENT from Server A; Server B shows SYN_RECEIVED from the public IP of server A, so I know traffic is getting there.
However, I can't see any return traffic happening from server B to server A and I'm not sure why. Any hints where to look? Packet tracer shows it should work fine.
I have the following device:
Cisco Adaptive Security Appliance Software Version 9.4(4)18
Device Manager Version 7.9(2)

Compiled on Thu 29-Mar-18 22:10 PDT by builders
System image file is "disk0:/asa944-18-smp-k8.bin"
Config file at boot was "startup-config"

Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
Short and simple: I am NOT a Cisco guy. I'm a level 3 IT technician and I work with Dell SonicWall and Fortinet firewalls. However, due to IP limitations we're migrating to Cisco so we can have 32+ public IPs used on the firewall. Now, I have the device on and in our datacenter and, googling the hell out of everything, I'm trying to put a config together so I can go down and essentially migrate the config from the current FortiGate to the Cisco ASA.
I've been to the datacenter 5 times and cannot get it right by guessing the command line. If someone could go over my config please and see what I'm doing wrong? We basically have a bunch of virtual servers running on multiple VLANs, so what I'm trying to accomplish is the following:
Private IP A out to internet showing Public Address A.
Private IP B out to internet showing Public Address B.
Private IP C out to internet showing Public Address C.
Public IP A Port 80 forwarded to PrivateIP A port 80.
Public IP B Port 80 forwarded to PrivateIP B port 80.
Public IP C Port 80 forwarded to PrivateIP C port 80.
If I can get those parts done, it's only VPNs to do, which I'm sure I'll figure out in the ASDM wizard, but I cannot leave the Cisco in live until all our services are working via it, and they are down while I test it out. This is the latest script I'm going to test. I think this is right, but could do with a yes or no, or a "you need to change to this".
======================== OBJECT CREATION BEGIN ===============================
object network PUBLICIP_CPANEL_SERVER
object network PRIVATEIP_CPANEL_SERVER
======================== PORT FORWARDING BEGIN ==========================
object network PORTFORWARD_CPANEL_TCP20
nat (inside,OUTSIDE) static PUBLICIP_CPANEL_SERVER service tcp 20 20
access-list CPANEL_TCP20 permit tcp any host X.X.X.X eq 20
======================== RANGE FORWARDING BEGIN ============================
object network PORTFORWARD_CPANEL_RANGE_IN
nat (inside,outside) static PUBLICIP_CPANEL_SERVER
access-list CPANEL_IN_RANGE_TCP permit tcp any host X.X.X.X range 30000 50000
access-list CPANEL_IN_RANGE_UDP permit udp any host X.X.X.X range 30000 50000
======================== OUTBOUND IP BEGIN ===============================
object network PUBLICIP_OUT_CPANEL_SERVER
nat (inside,outside) source dynamic PRIVATEIP_CPANEL_SERVER PUBLICIP_CPANEL_SERVER
Thanks in Advance!
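As an added example (not the poster's script, and not a verified correction of it), this is one way to meet the six goals listed above on ASA 8.3+/9.x using per-server static object NAT: each private host is mapped one-to-one to its own public address, which covers both the outbound "show as Public A" requirement and the inbound port-80 forward, and an interface ACL limits what inbound traffic is actually allowed. The private addresses 10.10.1.10-12, the public addresses 203.0.113.10-12 and the interface names inside/outside are placeholders assumed here.

```cisco
! Added example, not the poster's configuration. Placeholder addresses:
!   10.10.1.10 / 203.0.113.10 = private A / public A
!   10.10.1.11 / 203.0.113.11 = private B / public B
!   10.10.1.12 / 203.0.113.12 = private C / public C
!
! One-to-one static object NAT: the same rule translates outbound
! (10.10.1.10 leaves as 203.0.113.10) and inbound (203.0.113.10 -> 10.10.1.10).
object network SERVER_A_PRIVATE
 host 10.10.1.10
 nat (inside,outside) static 203.0.113.10
!
object network SERVER_B_PRIVATE
 host 10.10.1.11
 nat (inside,outside) static 203.0.113.11
!
object network SERVER_C_PRIVATE
 host 10.10.1.12
 nat (inside,outside) static 203.0.113.12
!
! Inbound policy: since 8.3 the interface ACL is written against the REAL
! (private) address, not the public one. Only TCP/80 is opened per server.
access-list OUTSIDE_IN extended permit tcp any object SERVER_A_PRIVATE eq 80
access-list OUTSIDE_IN extended permit tcp any object SERVER_B_PRIVATE eq 80
access-list OUTSIDE_IN extended permit tcp any object SERVER_C_PRIVATE eq 80
access-group OUTSIDE_IN in interface outside
!
! Pre-cutover checks (run from enable mode):
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.1 40000 203.0.113.10 80
!   packet-tracer input inside  tcp 10.10.1.10   40000 198.51.100.1  443
```

A one-to-one static rule translates every port, so the ACL is the only thing keeping inbound traffic to TCP/80; keep it as narrow as the service needs. If only port 80 should be mapped at all, use `nat (inside,outside) static 203.0.113.10 service tcp 80 80` under the object and add a separate outbound rule of the twice-NAT form the poster already has (`nat (inside,outside) source dynamic SERVER_A_PRIVATE SERVER_A_PUBLIC`), since an object carries only one `nat` statement. The two packet-tracer lines show the inbound forward and the outbound source translation, and should both end in ALLOW before the Cisco goes live.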
Hi Karsten, you were exactly spot on! After adding that line into 102, I can now ping from the UK to abroad. Do I need to add another line for:

2 deny ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

to allow communication both ways, or is that enough to work now? The list currently shows:

access-list 102 deny ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
access-list 102 permit ip <LOCAL LAN> 0.0.0.255 any
Hi Karsten, thanks for the pointer.

1) I have removed the permit as stated.
2) I wasn't aware of that, so thank you, makes perfect sense; I shall try and access a PC there.
3) Please could you look at the below and advise? By the looks of it I'm assuming it's not excluded:

!
ip nat pool PORTFWD <LAN MACHINE> <LAN MACHINE> netmask 255.255.255.0 type rotary
ip nat inside source list 102 interface FastEthernet4 overload
ip nat inside source static tcp <LAN MACHINE> 25 <WAN IP> 25 extendable
ip nat inside source static tcp <LAN MACHINE> 110 <WAN IP> 110 extendable
ip nat inside source static tcp <LAN MACHINE> 3000 <WAN IP> 3000 extendable
ip nat inside source static udp <LAN MACHINE> 30000 <WAN IP> 30000 extendable
ip nat inside source static udp <LAN MACHINE> 30030 <WAN IP> 30030 extendable
ip nat inside source static tcp <LAN MACHINE> 5003 <WAN IP> 5003 extendable
ip nat inside source static udp <LAN MACHINE> 5003 <WAN IP> 5003 extendable
ip nat inside source static tcp <LAN MACHINE> 5090 <WAN IP> 5090 extendable
ip nat inside source static udp <LAN MACHINE> 5090 <WAN IP> 5090 extendable
ip nat inside source static tcp <LAN MACHINE> 6001 <WAN IP> 6001 extendable
ip nat inside source static tcp <LAN MACHINE> 6100 <WAN IP> 6100 extendable
ip nat inside source static udp <LAN MACHINE> 6100 <WAN IP> 6100 extendable
ip nat inside destination list 100 pool PORTFWD
ip route 0.0.0.0 0.0.0.0 <GATEWAY IP>
ip route <REMOTE LAN> 255.255.255.0 <REMOTE WAN>
!
access-list 102 permit ip <LOCAL LAN> 0.0.0.255 any

I'm assuming I need to:

1) Remove ip route <REMOTE LAN> 255.255.255.0 <REMOTE WAN>
2) Adjust source list 102 with a deny of some sort?

Thanks again
Hi all, I'm not Cisco trained nor have I ever worked with Cisco; I'm a complete newbie when it comes to Cisco platforms. We are an IT support MSP and we've recently taken on a customer who has an office abroad using a Cisco 881 device, with a DrayTek router in the UK. Site-to-site connectivity is required. I've looked around and watched some YouTube videos on how to set up the VPN and believe I have this in place using the below config on the Cisco:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******** address *******
!
crypto ipsec transform-set sha3des esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer **********
 set transform-set sha3des
 set pfs group2
 match address UK
!
interface FastEthernet4
 ip address <WAN IP> <WAN SUBNET>
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN
!
interface Vlan1
 ip address <WAN IP 2> <WAN SUBNET> secondary
 ip address <LAN IP> 255.255.255.0
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
!
ip access-list extended UK
 permit ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
 permit ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

The VPN shows as up and active but there is no traffic flow between the two and I have no idea why...

Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: <REMOTE WAN> port 500
  IKEv1 SA: local <LOCAL WAN>/500 remote <REMOTE WAN>/500 Active
  IPSEC FLOW: permit ip <REMOTE LAN>/255.255.255.0 <LOCAL LAN>/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip <LOCAL LAN>/255.255.255.0 <REMOTE LAN>/255.255.255.0
        Active SAs: 2, origin: crypto map

So it all looks fine, however if I try and ping the remote site's router over the remote LAN IP I get the following:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <REMOTE IP>, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I also cannot ping from the remote site into the Cisco LAN. I believe this is down to the Cisco end; the DrayTek is a basic router and no routing is able to be configured. It does it automatically. So the VPN is up, no traffic flow... Please can someone point me in the right direction? Thank you
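As an added example (not the poster's config, and independent of the replies above), this is the usual IOS pattern for keeping site-to-site traffic out of the PAT rule. IOS translates an inside-to-outside packet before it evaluates the crypto map on the WAN interface, so a `ip nat inside source list` that matches the VPN subnets rewrites the source to the WAN IP and the packet no longer matches the crypto ACL; a deny entry in front of the permit excludes that traffic from translation. The networks 192.168.10.0/24 (local LAN behind the 881) and 192.168.20.0/24 (remote LAN behind the DrayTek) and the ACL name NAT-EXEMPT are placeholders assumed here.

```cisco
! Added example, not the poster's configuration. Placeholder addresses:
!   192.168.10.0/24 = local LAN behind the 881 (Vlan1)
!   192.168.20.0/24 = remote LAN behind the DrayTek
!
! NAT ACL: evaluated first-match, so the deny for VPN traffic must sit
! above the permit. "deny" here means "do not translate"; nothing is dropped.
ip access-list extended NAT-EXEMPT
 remark VPN traffic is excluded from PAT so it still matches the crypto ACL
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list NAT-EXEMPT interface FastEthernet4 overload
!
! Crypto ACL: local-to-remote only. IOS uses the mirror of this entry for
! inbound traffic, so a reverse line is not needed on this side; it shows
! up as a second IPSEC FLOW that never carries SAs, as in the output above.
ip access-list extended UK
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Checks after a ping from a LAN host to 192.168.20.1:
!   show crypto ipsec sa        -> #pkts encaps and #pkts decaps both increment
!   show ip nat translations    -> no entries with a 192.168.20.x destination
```

The NAT ACL is only consulted for packets going from the `ip nat inside` interface to the `ip nat outside` one, so the single deny line covers both directions of the tunnel: return traffic arriving from the remote LAN is not a candidate for inside-source translation in the first place. If `#pkts encaps` climbs while `#pkts decaps` stays at zero, the local side is working and the problem is on the DrayTek's selectors or its own NAT.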