Thank you so much! This helped with the first part. I had tried this before and it never worked, but now it did... kind of weird.
Another question I had was that I wanted to allow only HTTP traffic into the Blackboard server. Would I set this up in the access rules? I think I know that, but wanted to verify. Thank you!
I will try and give as much information as I possibly can so that you can understand what I am trying to do. This is pretty tricky and I want to make sure that I am doing it the best way that I can.
I have set up a separate DMZ leg on my firewall on port GiEth0/1. I am connecting that to my Cisco 3750g with L2 only, VLAN 210 (to match the DMZ IP address of 192.168.210.1/24), and have 2 ports connected to my 2 hosts that are part of my virtual environment. I have created a separate virtual switch that just has DMZ traffic on it. I wanted to separate this out completely. I then have 1 more port of my 3750g going directly to my firewall in port GiEth0/1. That VLAN does not reside anywhere else.
On the firewall I have set up PAT for all of my inside network to get out, and that is all working well. My firewall company gave us a /29, which means we have 5 IP addresses. I am creating a Blackboard-type server to put on the DMZ network (192.168.210.1/24) and I want to give it access to one of the 5 IP addresses that is NOT the normal outside address. I cannot figure out how to do this at all. I know you need a (static) NAT statement that points to one of the external IPs, but I cannot seem to figure out how to do this from the DMZ. I want to do something like:

host 192.168.210.15 name blackboard
nat (dmz,outside) static 184.108.40.206

It won't allow me to do this. What am I missing here?
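The post above asks for a one-to-one static NAT of a DMZ host to a spare /29 address, and the follow-up post asks how to allow only HTTP to it. As an added illustration (not configuration from the thread, and not tested on this ASA), here is how both are expressed with ASA 9.x object NAT; the addresses are the post's own, while the object name "blackboard" and the ACL name "Outside_access_in" are my assumptions, and the interface names follow the posted nameif values "DMZ" and "Outside".

```cisco
! Added example: ASA 9.x object NAT for the DMZ host (names are assumed, not from the thread)
object network blackboard
 host 192.168.210.15
 description Blackboard server on the DMZ leg
 nat (DMZ,Outside) static 184.108.40.206
!
! Inbound policy: only HTTP from the internet to the server.
! On 9.x the ACL matches the real (untranslated) inside address, not the public one.
access-list Outside_access_in extended permit tcp any4 object blackboard eq www
access-group Outside_access_in in interface Outside
!
! Checks after applying:
! show nat detail                       <- translation present with hit counts
! show xlate | include 192.168.210.15   <- xlate for the DMZ host
! packet-tracer input Outside tcp 203.0.113.9 40000 184.108.40.206 80
!   (203.0.113.9 is a constructed test source; expect ALLOW on the NAT and ACL phases)
```

Because the public address belongs to the ASA's own /29, proxy ARP on the Outside interface answers for it, so no extra route is required on the upstream router.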
On the Cisco ASA 5550: Software Version: 917-9-k8.bin
interface GigabitEthernet 0/0
 description Inside Network
 nameif inside
 security-level 100
 ip address 10.20.13.2 255.255.255.0
!
interface GigabitEthernet 0/1
 description DMZ
 nameif DMZ
 security-level 50
 ip address 192.168.210.1 255.255.255.0
!
interface GigabitEthernet 1/0
 description Fiber Connection
 nameif Outside
 security-level 0
 ip address (fictitious) 220.127.116.11 255.255.255.248
I guess my biggest question is: why do I need it? Can I set a route on my L3 switch so that the traffic knows where to go? It is just a different IP address space as far as anything is concerned. It is tunneled into my whole network. I guess I just don't understand why I need a NAT statement.
I have a Cisco ASA 5550 that I have all my static routes set up on, and everything seems to work just fine. The issue I am having is with NAT and my AnyConnect VPN clients needing a NAT statement in order to go from an internal pool address into my network. The minute I take the NAT statement out, even though I have given them access to the network, communication stops.
Here is what I have:
Client IP Pool: 192.168.209.0/24
Inside Network: 10.0.0.0/18
I have set up an access list saying:

access-list VPN_Access extended permit ip 192.168.209.0/24 10.0.0.0/18

I have also set up a split tunnel to have access to the network (10.0.0.0/18).
Am I doing something incorrectly? Is it because it has nowhere to route? I didn't add a static route for these addresses unless it was from the inside going out.
Hopefully this wasn't too confusing.
I figured out what the problem was. I got a hold of NEC and they said I had to add a command to the switches, because...
"The Cisco Switch (or any Cisco Device) is performing an ARP probe which we know to cause many issues but one of which is causing the system to think it has a Duplicate IP Address, hence the Duplicate IP Alarm in the system.
Please see http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html on what can be done to resolve this, assuming their IT person won't already know how to disable this. Cisco refers to this, I believe, as 'IP ARP Probe', and that link should have information on disabling it or at least making sure the Cisco devices do not apply this feature to the NEC System IP addresses."
Thanks for the help! I hope that this helps someone else!
First off, thank you for your quick reply!
I have checked the ports and none are showing drops.
There are only 2 in the stack, and it is running in whatever configuration it is between Port 1 -> 2, Port 2 -> 1. I have the same configuration for 2 of my C2960s's that are next to each other.

3750g's -> 15.0.2-SE9
2960s -> 12.2.55-SE5
I am encountering an issue with my NEC SV9100 Univerge Blade phone system connected to a PRI, with calls being dropped or losing connection intermittently. My Layer 3 switch is a Cisco 3750g-12S-E and my access switches are C2960s's. I have a server farm stack of 3750g-24PS-E. The phone LAN is connected to the server farm switches.
The connection is as follows: Blade Server/VoIP connected on VLAN 16 to the Server Farm Stack -> Router (Cisco 3750g-12S-E) -> Access Switches (C2960s).
How do I properly set up QoS over the switches and router? Thank you!
Edit: I have the access ports set up as:

interface GigabitEthernet 1/0/1
 switchport mode access
 switchport access vlan 4    (Data VLAN)
 switchport voice vlan 16
 spanning-tree portfast
So then, for the last piece, would I just do a "no nat" statement for the dynamic one and then re-enter it again, and it should put it at the bottom? Sorry for all the questions. I just want to be thorough.
Thank you so much for all your help! I figured it had to do with the NAT statements... it generally is where most of the problems lie. In my config, can you tell me exactly where to fix this stuff? I don't want to mess this up any further... do you want the "object network obj_any / nat (inside,outside) dynamic interface" moved down? And if so, where does it need to be? Like I said, I am a novice and I am sure that is why it is messed up the way it is. Thanks again for all your help!

nat (inside,outside) source static Inside-all Inside-all destination static MYDOMAIN-Employee MYDOMAIN-Employee no-proxy-arp route-lookup
nat (Guest_Wireless,outside) source dynamic obj_any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network CamServer_HTTPS
 nat (inside,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside MYDOMAIN-Old 255.255.254.0 MYDOMAIN-Inside 1
route inside MYDOMAIN_New_IP 255.255.192.0 MYDOMAIN-Inside 1
Marius Gunnerud wrote:

1) I currently have a guest network set up from the ASA 5505 giving DHCP from fa0/3 (on the ASA), and it is just going straight into one of my Cisco 3550's and providing layer 2 only. I can't get it to go to vpn.mydomain.com (I have set up this address to go to the outside IP address of the firewall and it works from everywhere else) to connect to AnyConnect, and when I ping it, it gives me the outside address that my firewall is, but it won't connect. I have tried access lists and cannot figure it out.

I am not entirely sure I understand how you are trying to connect to the AnyConnect VPN. Are you connecting to the VPN from the internet and not able to access the DMZ network? Or are you trying to connect to the AnyConnect VPN from the DMZ by using the outside interface IP?

So basically I have it set up so that my domain network can't talk to my guest network and vice versa, as I have my internal network set up with DHCP helper on the switches and a Server 2008 DHCP server on the inside. My outside addresses only get DHCP from the ASA 5505. The security level on the Guest Network is 10. With anyone else on the outside of my network, they can access the VPN just fine and connect, but from within my network on the guest network, they cannot reach it even though I have checked the box that allows for the VPN on that interface. I am trying to get them to connect to the outside IP address from the guest network and it doesn't reply. I don't know if this is what you were looking for, but like I said, I am kind of a novice at this stuff.

2) I have been wanting to access my camera's web page from outside of my domain, and I didn't know the best way to do this besides just poking a hole in the firewall and allowing certain ports open for this one IP address (the camera server). I thought I had everything correct, but when I try to check to see if the ports are open from the outside it says they aren't, and when I try to do the packet trace, it says there is an access list error. Something about implicit....something or other.

The best and most secure way to access your server would be to connect to the VPN and then from there connect to the server. If you insist on opening up a port from the internet and it is not working, we would need to see your ASA's configuration to troubleshoot further.

Here is my config, as I don't really want them to have to connect to the VPN before they connect to the cameras from the outside. A lot of my users are not exactly savvy when it comes to all of this.

ASA Version 9.1(3)
!
hostname MYDOMAIN-firewall-1
domain-name MYDOMAINNET.local
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 10.0.13.1 MYDOMAIN-Inside description MYDOMAIN Inside
name 10.0.0.0 MYDOMAIN_New_IP description MYDOMAIN_New
name 10.0.0.0 MYDOMAIN-Old description Inside_Old
name xxx.xxx.xxx.xx Hunter description Hunter_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MYDOMAIN-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MYDOMAIN-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Cisco_ASA_5505 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif Guest_Wireless
 security-level 10
 ip address 192.168.204.1 255.255.255.0
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.3.21
 domain-name MYDOMAINNET.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MYDOMIN-Employee
 subnet 192.168.208.0 255.255.255.0
 description MYDOMAIN-Employee
object network Guest_Network
 subnet 192.168.204.0 255.255.255.0
 description Guest Wireless
object network CamServer_HTTPS
 host 10.0.10.5
 description Uiquiti Cam Server
object-group network Inside-all
 description All Networks
 network-object MYDOMAIN-Old 255.255.254.0
 network-object MYDOMAIN_New_IP 255.255.192.0
 network-object host MYDOMAIN-Inside
object-group service Cam_Server_TCP tcp
 description All Open Ports Need for Camera Server
 port-object eq 1935
 port-object eq 7080
 port-object eq 7443
object-group service Cam_Server_UDP udp
 description Cam Server UDP Port
 port-object eq ntp
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel remark New Address Space
access-list split-tunnel standard permit 10.0.0.0 255.255.192.0
access-list split-tunnel remark Old Address Space
access-list split-tunnel standard permit 10.0.0.0 255.255.254.0
access-list outside_access_in extended permit tcp any4 object CamServer_HTTPS object-group Cam_Server_TCP
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest_Wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static MYDOMAIN-Employee MYDOMAIN-Employee no-proxy-arp route-lookup
nat (Guest_Wireless,outside) source dynamic obj_any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network CamServer_HTTPS
 nat (inside,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside MYDOMAIN-Old 255.255.254.0 MYDOMAIN-Inside 1
route inside MYDOMAIN_New_IP 255.255.192.0 MYDOMAIN-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
 description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
 ldap-base-dn ou=MYDOMAIN,dc=MYDOMAINnet,dc=local
 ldap-group-base-dn ou=MYDOMAIN,dc=MYDOMAINnet,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MYDOMAIN,dc=MYDOMAINNET,dc=local
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MYDOMAIN_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Guest_Wireless_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Guest_Wireless_map interface Guest_Wireless
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 no validation-usage
 no accept-subordinates
 no id-cert-issuer
 crl configure
crypto ca trustpoint VPN
 enrollment terminal
 fqdn vpn.MYDOMAIN.com
 subject-name CN=vpn.MYDOMAIN.com,OU=IT,O=My place,C=US,St=OR
 keypair vpn.MYDOMAIN.com
 crl configure
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable Guest_Wireless client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MYDOMAIN_New_IP 255.255.192.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.204.10-192.168.204.254 Guest_Wireless
dhcpd dns 18.104.22.168 22.214.171.124 interface Guest_Wireless
dhcpd lease 86400 interface Guest_Wireless
dhcpd domain MYDOMAIN interface Guest_Wireless
dhcpd enable Guest_Wireless
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
ssl trust-point VPN Guest_Wireless
webvpn
 enable outside
 enable Guest_Wireless
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 5
 anyconnect profiles MYDOMAIN-employee disk0:/MYDOMAIN-employee.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.3.21
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value MYDOMAINNET.local
group-policy MYDOMAIN-Employee internal
group-policy MYDOMAIN-Employee attributes
 wins-server none
 dns-server value 10.0.3.21
 vpn-tunnel-protocol ssl-client
 default-domain value MYDOMAINNET.local
 webvpn
  anyconnect profiles value MYDOMAIN-employee type user
username MYDOMAINadmin password njLcVW6cA/2R64RV encrypted privilege 15
tunnel-group MYDOMAIN-Employee type remote-access
tunnel-group MYDOMAIN-Employee general-attributes
 address-pool MYDOMAIN-Employee-Pool
 authentication-server-group LDAP_Group LOCAL
 default-group-policy MYDOMAIN-Employee
tunnel-group MYDOMAIN-Employee webvpn-attributes
 group-alias MYDOMAIN-Employee enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:53142f41235815a80f44b50e1205aaa2
: end

3) Another very important piece of this is that I only have one static IP address to work with. The firewall takes up 80 and 443; the cameras will need TCP 7443, 7080, and 1935. It will also need UDP 123.

Are the cameras located on a separate subnet than the camera server? Does traffic flow between the cameras and camera server? Will need more information on how your network looks and exactly what the problem is with regards to point 3. What license are you running on the ASA? You will need to have a security plus license to get this to work.

The cameras are located on the same subnet as the camera server. Traffic flows easily between the cameras and the server. Everything internal is great; it is the outside to inside that I don't quite understand. I am running the security plus license with 25 SSL VPN users.
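Point 3 above (one public address shared by the ASA's own 80/443 and the camera server's TCP 7443, 7080, 1935 and UDP 123) is an added illustration candidate, so here is how it is normally written on ASA 9.x: per-port static PAT on the outside interface address, one object per port, instead of the posted "static interface" translation that claims the whole interface address. This is an added example, not configuration from the thread or from Marius; the host 10.0.10.5, the object CamServer_HTTPS and the two service groups are taken from the posted config, while the per-port object names are my own.

```cisco
! Added example (not from the thread): per-port static PAT to the outside interface IP.
! First remove the whole-address translation from the posted config.
object network CamServer_HTTPS
 host 10.0.10.5
 no nat (inside,outside) static interface
!
! One object per published port; object names are the editor's assumptions.
object network CamServer_tcp7443
 host 10.0.10.5
 nat (inside,outside) static interface service tcp 7443 7443
object network CamServer_tcp7080
 host 10.0.10.5
 nat (inside,outside) static interface service tcp 7080 7080
object network CamServer_tcp1935
 host 10.0.10.5
 nat (inside,outside) static interface service tcp 1935 1935
object network CamServer_udp123
 host 10.0.10.5
 nat (inside,outside) static interface service udp 123 123
!
! Inbound ACL keyed on the real (untranslated) address, as 9.x requires.
! The posted TCP line already exists; the UDP line is added for port 123.
access-list outside_access_in extended permit tcp any4 object CamServer_HTTPS object-group Cam_Server_TCP
access-list outside_access_in extended permit udp any4 object CamServer_HTTPS object-group Cam_Server_UDP
access-group outside_access_in in interface outside
!
! Verification (198.51.100.7 is a constructed test source, not a real client):
! show nat detail
! packet-tracer input outside tcp 198.51.100.7 40000 <outside-interface-ip> 7443
!   expect the NAT phase to pick the per-port object and the ACL phase to ALLOW
```

Ports 80 and 443 stay with the ASA itself because no per-port object claims them; keep the published set to the ports the camera server actually needs.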
Hello All, I am trying to make something work and can't seem to do it, and I don't know if it is because of the way I set up this firewall originally or what, but here are my issues:

1) I currently have a guest network set up from the ASA 5505 giving DHCP from fa0/3 (on the ASA), and it is just going straight into one of my Cisco 3550's and providing layer 2 only. I can't get it to go to vpn.mydomain.com (I have set up this address to go to the outside IP address of the firewall and it works from everywhere else) to connect to AnyConnect, and when I ping it, it gives me the outside address that my firewall is, but it won't connect. I have tried access lists and cannot figure it out.

2) I have been wanting to access my camera's web page from outside of my domain, and I didn't know the best way to do this besides just poking a hole in the firewall and allowing certain ports open for this one IP address (the camera server). I thought I had everything correct, but when I try to check to see if the ports are open from the outside it says they aren't, and when I try to do the packet trace, it says there is an access list error. Something about implicit....something or other.

3) Another very important piece of this is that I only have one static IP address to work with. The firewall takes up 80 and 443; the cameras will need TCP 7443, 7080, and 1935. It will also need UDP 123.

I know I haven't given you a ton of detail, but I am a novice at these kinds of things, so any help would be much appreciated, as I am trying to learn how to take full advantage of these amazing Cisco firewalls. For the basic things I have done with it, it works, but I would like to add some functionality.