Cisco 2911 and ASA 5512 remove double NAT

Greetings,

I have 2 subnets on a Cisco 2911 router:

192.168.3.0/24 and 192.168.1.0/24

A 3rd network, 192.168.4.0/24, is NATing the internal interface to the modem for internet access, creating 2 NATs (NAT in the router and NAT in the modem).

I just bought a Cisco ASA 5512; is there no chance I could remove the Cisco 2911 router NAT and set the default gateway to the Cisco ASA?

Yes, you are right...

You must ensure that you get the routed LAN traffic to hit the inside interface of the ASA; in the ASA you can do PAT/NAT for access...

Regards

Knockaert

Tags: Cisco Network

Similar Questions

  • Cisco 2911 and web control

    Hello

    I have a 2911 Cisco router with a security license and want to allow or block specific sites (like Facebook) for some users. Is it possible to authenticate users against Active Directory somehow and create firewall rules that will block the traffic for them?

    I know that the best option is to install (or use a cloud) proxy server, but I would like to know if I can do it this way.

    Thank you.

    I'm afraid that you can't do that natively in the router. You can use the cloud connector. You could do this with an ASA though.

  • Router and Modem as Double NAT devices - Solutions?

    I have two questions about DSL/PPPoE

    (1) Looking in these forums, it is said that if you have a DSL modem, then you need to change your IP to 192.168.2.1; could someone tell me why, just for my own knowledge?

    (2) Another question I have: what do I use PPPoE for if I have a DSL modem? Will changing automatic DHCP to PPPoE solve my problem with my Xbox not finding online games?

    (3) What do I need to change on my router for Bridge mode, and is that the same thing as mixed? If not, how can I change it to bridge mode? I've read that my router and modem could act as a double NAT, which could cause problems for the Xbox.

    Any help would be welcome because I don't have any idea how to solve this.

    Problem solved! A combination of Bridge mode and a static IP address assigned to the Xbox. Thank you guys

  • Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

    Hello

    Now, my ACS and ASA are connected via RADIUS (MSCHAPv2). I've set up password lifetime on ACS and password management on the ASA. But the Cisco ASA did not prompt for a change or notify anything when the user tries to log on with Clientless SSL VPN. Could you advise me what to change so that it changes or notifies on the expired password?

    PS.

    I checked "change password on first login" on ACS; this gets the ASA to show the change-password dialog box. But I want a change or warning when the password has expired.

    Thank you

    The default is that the password is marked as disabled after expiry.

    I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (T+ and RADIUS)

    After you install this patch, you get an option in the user authentication settings:

    -Disable the user account

    -Expire the password

    when the expiration period is exceeded.

    If the password is expired then the user will be asked to change the password at the next authentication.

    Note that the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.

  • Site-to-site tunnel between IOS router and ASA

    I've combed through the configs on both sides of this tunnel 4 times now and the policies look as if they match. I applied the http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml note.

    My crypto access lists are good and my NAT on the IOS side is provided with a route-map and looks good. On the ASA side, traffic to the remote tunnel side is exempt from NAT. Each side already has another site-to-site tunnel configured, so I added the appropriate lines to the existing crypto maps, which include peers, transform set and match address access-list. The crypto isakmp policies on both ends are compatible. I have attached some configs and debugs (from the IOS router), but essentially the log on the ASA starts with phase 1 complete, then "routing not received" notification message, "no proposal chosen" readings, and then it goes to "IKE lost connection to remote peer", "connection table correlator has failed, no match", the deletion and finally "session disconnected, reason lost service".

    Their other tunnel stays up, as does the remote access VPN connection configuration.

    I found a note that recommends checking any security access-list, so I removed it, but no luck; and a Cisco note about a concentrator that had a similar logic:

    Normally seen with the Cisco VPN 3000 Concentrator message: "no proposal chosen (14)". This is a result of the connections being host-to-host. The router configuration has the IPSec proposals ordered so that the proposal chosen for the router matches the access list, but not the peer. The access list has a larger network that includes the host that is intersecting traffic. Make the router proposal for this concentrator-to-router connection first in line, so that it matches the specific host first.

    but that didn't work either.

    Thank you

    Bill

    Bill,

    Take a look at this

    000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH

    000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH

    000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

    000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

    000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 74.92.97.166. ID = 920927400

    000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 74.92.97.166 my_port 4500 peer_port 4500 (R) CONF_XAUTH

    ...

    000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

    000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

    It should not go to extended authentication. Since you have the client and the L2L on the same router and clients are configured for Extended Authentication, the router will ask for XAUTH unless you configure the "no-xauth" keyword after the pre-shared key.

    Please implement the command:

    crypto isakmp key <pre-shared-key> address 74.92.97.166 no-xauth

    Thank you

    Gilbert

  • VPN between 878 router and ASA 5505

    Hello world

    I have struggled for a few days now to get a VPN connection working.

    The situation

    Two offices need to be connected to each other with a VPN. Both parties have a WAN connection.

    The tunnel between the locations comes up very well but the communication fails in almost every way.

    The hosts cannot ping each other, and pings from the inside of the router and the ASA also fail.

    The only ping that works is from inside Site2 to the inside interface of the Site 1 router (192.168.1.100 to 192.168.0.250).

    NAT works very well at both sites behind the router / ASA.

    I think I'm doing something wrong with the routes or access lists, but after 7 days, many reloads, restores, driving from one end of the state to the other to reset stupid mistakes, breaking and resoldering my console cable and starting over from defaults 10 times, I'm through; I honestly don't know where to look any more...

    Tech Specs:

    Site1: has a cable modem that gives a WAN IP address by DHCP

    This modem connects to the Cisco 878 router (Fastethernet0)

    The router acts as DHCP server and NAT gateway for the office and offers VPN connectivity to the other office

    Site2: has a cable-modem/router (Cisco 3925), which does the NAT; this modem/router gives out a private class-C IP (192.168.178.x)

    This modem/router connects to a Cisco ASA 5505 (Fastethernet0)

    The ASA also serves as DHCP server and NAT gateway for the office and offers VPN connectivity to the other office.

    On the wire, it looks like this:

    Office 1 --> Cisco878 --> WAN Cloud <--- cablemodemrouter <--- asa5505 <--- Office 2

    IP address ranges:

    Office 1

    Network 192.168.0.0

    Subnet mask 255.255.255.0

    Gateway 192.168.0.250

    IP WAN XXXX

    Office 2

    Network 192.168.1.0

    Subnet mask 255.255.255.0

    Gateway 192.168.1.1

    IP WAN XXXX

    At the office 2 location, there is a NAT between the ASA and the WAN router, on 192.168.178.x 255.255.255.0.

    The modemrouter is a Cisco 3925, on which IPSEC passthrough is enabled.

    Configs:

    Site 1:

    CISCO 878 router

    Site 2

    ASA 5505

    I hope someone has a chance to look through my config and tell me what I did wrong this week.

    Even if you cannot help me but still read this: Thank YOU!

    (As my problem has been resolved, I removed the configs from this post. If for any reason you want the configuration of these devices, please send me a PM)

    Post edited by: taaa lijf - reason: problem solved, removed configs and private stuff for obvious reasons ;)

    Hello

    Ping from a client at site 1 to a client at site 2 and do sh crypto isakmp sa and sh crypto ipsec sa on the router.

    If sh crypto isakmp sa gives QM_IDLE and the ping fails and you have no packets in sh crypto ipsec sa, then do a debug crypto ipsec.

    If sh crypto isakmp sa gives MM_NO_STATE, do a debug crypto isakmp.

    One note however: you should have static IP addresses at least on the side initiating the tunnel; otherwise it will not work when the IP address changes.

    Kind regards.

    Alain.

  • Cisco IPS and SSL Inspection?

    We recently purchased a Cisco ASA 5512-X and I'm just curious to know if there is any way for the ASA, or a 3rd-party tool working with the ASA, to decode/encode SSL traffic for inspection? Otherwise, anyone can simply access a web site over SSL, for example https://www.youtube.com, and bypass the IPS altogether?

    Kind regards

    Craig

    It won't work with the IPS because it cannot decrypt the traffic. The new "native" way to inspect SSL traffic is to use the ASA-CX:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/...

    Sent from Cisco Technical Support iPad App

  • CISCO Anyconnect and using TLS V1.2

    Hello

    I ran an AnyConnect VPN service that used SSLv3; after POODLE we moved to TLSv1, which worked well, but I have recently been informed that TLSv1 is also vulnerable to POODLE.

    I upgraded to the latest version of the firewall software (it is an ASA 5512) and enabled TLSv1.2 - which stopped the VPN working; once it was activated, AnyConnect clients started reporting that they were behind a captive portal, despite the fact that there is certainly no captive portal. I get the same problem with TLSv1.1 - How can I get this to work? I'm really stuck and not a CISCO expert.

    Thank you very much

    Hi James,

    What are the versions of the ASA and AnyConnect here? Only AnyConnect 4.x and ASA 9.3(2) support TLS 1.2.

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

    Kind regards

    Kanwal

    Note: Please rate if this is useful.

  • Configuration of a 'Guest Wi-Fi' VLAN on ASA 5512

    I'm trying to configure a new VLAN on my Cisco ASA 5512 running version 8.6(1)2.  This VLAN will give 'guest' wireless APs access to my network.  I have the guest VLAN configured through my switches; I am able to assign a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network.  Below is an extract of what I think is the relevant config information.  I am trying to carry the guest traffic to my 'outside' interface.

    Obviously I am missing another command here.  Any help would be greatly appreciated. If more of the running-config is required please advise.  Thanks in advance!

    _________________________________________________________

    interface GigabitEthernet0/1.40

    description Guest Wireless Network

    vlan 40

    nameif guestwireless

    security-level 50

    ip address 10.40.10.5 255.255.255.0

    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 (X.X.X.X is the public IP address)

    access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside

    mtu guestwireless 1500

    access-group guestwireless_access_in in interface guestwireless

    dhcpd address 10.40.10.50-10.40.10.250 guestwireless

    dhcpd dns 8.8.8.8 interface guestwireless

    dhcpd enable guestwireless

    ________________________________________________________

    Here is the part that kills it:

    interface GigabitEthernet0/0

    description ISP Interface

    nameif outside

    security-level 100

    Change it to:

    interface GigabitEthernet0/0

    security-level 0

    You do not want the less secure interface to have the higher security level, hehe.

    Looking for Networking Assistance?
    Contact me directly at [email protected]

    I will fix your problem as soon as POSSIBLE.

    See you soon,

    Julio Segura Carvajal
    http://laguiadelnetworking.com
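    As an added example (not the poster's running-config and not Julio's reply), the two interfaces side by side with the security-level corrected, plus the guest-to-Internet NAT the extract is missing and an ACL that keeps guests off the internal ranges. The public address, the object names and the internal ranges (generic RFC 1918 blocks) are placeholders and assumptions; it uses the post-8.3 object NAT syntax that 8.6(1) accepts.

    ```cisco
    ! --- Weak form from the thread: outside at 100, the same trust as "inside".
    ! --- guestwireless (50) -> outside (100) is then a low-to-high flow, and the
    ! --- Internet ends up more trusted than the guest VLAN.
    interface GigabitEthernet0/0
     description ISP Interface
     nameif outside
     security-level 100
    !
    ! --- Corrected form: the untrusted edge is 0. Traffic from 50 to 0 is a
    ! --- high-to-low flow, so NAT plus a route are all that is still missing.
    interface GigabitEthernet0/0
     description ISP Interface
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.248     ! placeholder public address/mask
    !
    interface GigabitEthernet0/1.40
     vlan 40
     description Guest Wireless Network
     nameif guestwireless
     security-level 50
     ip address 10.40.10.5 255.255.255.0
    !
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1  ! placeholder ISP next hop
    !
    ! Guests must be translated to the outside address to reach the Internet
    ! (object NAT, 8.3+ syntax). Object name is an assumption.
    object network GUEST-NET
     subnet 10.40.10.0 255.255.255.0
     nat (guestwireless,outside) dynamic interface
    !
    ! Isolation: a guest VLAN should reach the Internet and nothing internal.
    ! Assumed internal ranges = all of RFC 1918; narrow to your real subnets.
    object-group network INTERNAL-NETS
     network-object 10.0.0.0 255.0.0.0
     network-object 172.16.0.0 255.240.0.0
     network-object 192.168.0.0 255.255.0.0
    !
    access-list guestwireless_access_in extended deny ip 10.40.10.0 255.255.255.0 object-group INTERNAL-NETS
    access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 any
    access-group guestwireless_access_in in interface guestwireless
    !
    dhcpd address 10.40.10.50-10.40.10.250 guestwireless
    dhcpd dns 8.8.8.8 interface guestwireless
    dhcpd enable guestwireless
    ```

    Guest-to-guest traffic on the same subnet never crosses the ASA, so the deny only affects routed flows; `packet-tracer input guestwireless tcp 10.40.10.50 1025 192.168.1.10 445` should end in a drop at the ACL phase and the same test toward 8.8.8.8 port 443 should show the NAT phase and an allow.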

  • Question about authentication SDI on AnyConnct and ASA

    Hi all

    I would like to know about the communication flow for AnyConnect client authentication with ASA 5520 SDI.

    My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client.

    I understand that the ASA provides two modes to allow SDI authentication.

    Native SDI - the ASA communicates directly with the SDI server to manage SDI authentication
    RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.

    I think that, in general (not considering the ASA), the client (remote user) needs access to the web page on the SDI server to get an SDI authentication token when it starts the SSL VPN connection setup. However, I don't clearly understand how SDI authentication works if I use the ASA as secure gateway and configure the ASA to allow SDI authentication.

    So my question is how SDI authentication works on the ASA when I use the ASA as secure gateway and configure the ASA to allow SDI authentication (in both modes).

    The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only, because of their security concerns. I don't know why the customer says so...

    I found the following information on CEC.

    ==========
    When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
    ==========

    This means that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts the SSL VPN connection setup, and the AnyConnect client must communicate only with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?

    Your information would be appreciated.

    Best regards

    Shinichi

    Shinichi,

    I had a quick glance at the data sheet

    http://www.RSA.com/node.aspx?ID=3481

    I couldn't find the "on demand" code authentication other than as SMS, i.e. RSA would communicate somehow with the cellular network provider to deliver an SMS with the user's part of the token. (The phone number should uniquely identify a user.)

    Please note that it is a little suspicious if the device you authenticate to provides you with the authentication credentials :-)

    Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?); anyway, the ASA is usually unaware, because the user gets their authentication from the two parties.

    Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us.

    Marcin

  • VPN Cisco 2911

    Hello

    I am thinking of purchasing a Cisco 2911-SEC/K9 router.

    I'm wondering which VPN types I can use to participate in the network? I think I read that IPsec site-to-site is not a problem, but I'm wondering about PPTP or something like that. What type of VPN client solution can I use? I'm thinking of using AnyConnect Premium if this is possible with the 2911 router. I also wonder how much the cost for this will be per user and connection.

    Best regards Tommy Svensson

    Hi Tommy,

    With a 2911 and the security licensing for IOS, you can use IPsec VPN or SSL VPN (AnyConnect).

    Traditionally IPsec VPNs allow remote clients to connect using client software and also support site-to-site connections to other peers (ASAs, IOS devices, third party, etc.).

    SSL VPN now runs over HTTPS, so you don't need to worry about encryption at the network layer (as in IPsec).

    Hope this is useful.

    Federico.

  • Garage double NAT & DHCP - Possible bridge issue error

    Help...

    So this is my setup on a yacht...

    I have a MacMini (running Boot Camp Windows 7 Pro), so actually it's a PC.

    • I use the internal WiFi adapter of the MacMini to get my internet connection from the various marinas I might stay in
    • I then share the WiFi adapter's connection with the internal LAN adapter
    • This allows me to share the WiFi connection with other devices on the yacht

    Then I have an AirPort Extreme -

    • I then run a CAT6 Ethernet cable from the MacMini port
    • to the WAN port on the AirPort Extreme
    • The AirPort Extreme now has an internet connection (from the marina WiFi)
    • I then activated WiFi on the AirPort Extreme to create a WiFi network on the yacht
    • and it gets its internet connection from the WAN port, which in turn comes from the MacMini, which in turn comes from the marina WiFi

    Connected to the AirPort Extreme are -

    -iPhones, iPads, MacBook, Apple TV, Smart TV, etc etc.

    -Some devices are connected by cable using the AirPort Extreme LAN ports

    -Some devices are connected by WiFi using the AirPort's WiFi

    I want DHCP to be handled by the AirPort Extreme, so I set the mode to "DHCP and NAT".

    What the problem is -

    • The AirPort Extreme shows an error
    • "Double NAT and DHCP"
    • and suggests I turn it to Bridge mode
    • but I don't want to do that

    Any thoughts?

    Regards

    Tim

    It would help if we could get the exact message you see.  You will probably need to change the DHCP range on the AirPort Extreme to a different value, and then use the 'Ignore' option for the Double NAT; then the AirPort will show a green light.

    You will have to live with the Double NAT if you want the AirPort Extreme to act as a remote router that provides a private network.

  • Strange double NAT, although there is only a single router

    My ISP (RCN) changed my modem to a faster one.  Although it has a built-in router, I told them that I didn't use their router, only my Time Capsule, so they disabled it.  However, my Time Capsule keeps giving me a Double NAT error message and flashing amber instead of green, even though everything seemed to work (wireless and wired), and says that I should switch DHCP and NAT to bridge mode.  That corrects the error, but I do not understand what caused the Double NAT if there is only a single router.  The ISP Technical Support people confirmed their control center does not have the router feature on in the new modem, as I asked.  They also said that their network supports DHCP, although they have others who use Bridge Mode, which they do not support.   And they knew nothing about it and said to ask Apple.  They also offered to switch back, but this modem is faster at the same price.  (They called it a 3-in-1 gateway bypass.)  Many people online said not to use its router, which is why I unplugged it and only use the Time Capsule.

    So if someone can give me feedback, I'd appreciate it. Should I:

    1. keep running the new modem and my Time Capsule in Bridge Mode.

    2. run the new modem in DHCP mode, as they set it up, and not worry about the Time Capsule showing the amber / flashing Double NAT error.

    3. swap back to the previous modem, which was 50 Mbps, against this one with (theoretically) 155 Mbit/s (it only works at 50-70).

    I'm not really sure about all that, but I hope one of you may be.  Thank you!!!

    Although it has a built-in router, I told them that I didn't use their router, only my Time Capsule, so they disabled it.

    ISPs often make the mistake of simply turning off the radio on a modem/router... which does not disable the router function of the device. You still have a wired router when ISPs make this mistake.

    However, my Time Capsule keeps giving me a Double NAT error message

    This confirms again that the ISP has not disabled the router function on your modem/router.  On some modems/routers or gateways, it is not possible to get the device to act as a simple modem.

    The ISP Technical Support people confirmed their control center does not have the router feature on in the new modem, as I asked.

    The fact remains that you wouldn't see a Double NAT error unless the ISP device acted as a router... despite what the ISP people say. You may need to get a 2nd- or 3rd-level support person, who knows what they are doing.

    1. keep running the new modem and my Time Capsule in Bridge Mode.

    Yes, if you want to avoid the Double NAT error... that is what you are doing. But the Time Capsule will not be your router.  The ISP device will be.

    2. run the new modem in DHCP mode, as they set it up, and not worry about the Time Capsule showing the amber / flashing Double NAT error.

    Only if you are willing to accept the fact that the ISP did not correctly change your gateway to make it work as a simple modem only.  You might be able to get away with a Double NAT error on a simple network, but there is no reason to complicate things further with a misconfiguration unless there are a few reasons to do so and it can't be avoided.

    3. swap back to the previous modem, which was 50 Mbps, against this one with (theoretically) 155 Mbit/s (it only works at 50-70).

    Your decision: either run a simple modem with the Time Capsule as router, or accept the fact that the Time Capsule won't be your router when it is configured in Bridge Mode, or you see a Double NAT error on the network.

    If it were me, I would go back to what I know will work properly... the simple modem and the Time Capsule as the router.

  • Airport Extreme Double NAT / AT&T NVG510

    My Internet connection had worked very well for several years, until recently, when the simple DSL modem (a Motorola 2210-02-1ATT) provided by AT&T began to experience intermittent outages. Initially, the DSL modem would lose the line for a minute or two at a time. But within 48 hours, the line started to drop for hours in a row (DSL line synchronization failed). Whenever the modem lost the line, my Airport Extreme (the router on my home network) showed a "Double NAT" alert. But whenever the 2210-02 modem's DSL connection was restored, the Airport Extreme's "Double NAT" alert disappeared.

    After a day and a half of problems, the line was down for so many hours that I finally called AT&T to check the status of our line. So AT&T sent a technician who concluded fairly quickly that the 2210-02-1ATT was the problem and replaced it with an NVG510 modem/router combo (manufacturing date 11/2014) (with the router function disabled in the settings).

    The resulting speed and quality of the connection via the NVG510 were good, so the tech packed the 2210-02 in his bag and left. But now I get that "Double NAT" alert once again on my Airport Extreme, even though the home network is apparently working as well as it ever did.

    The only setting I changed was on the NVG510 - as soon as the tech left, I turned off the WiFi function on the NVG510 because I want the Airport Extreme to be my router, same as always.

    So far so good. After 24 hours with the NVG510 in place, the network worked well with no major hiccups, the only exception being the "Double NAT" alert status displayed in Airport Utility. In fact, had I not bothered to look at Airport Utility, I wouldn't know that there was a "Double NAT" alert.

    Everything on the LAN side of the NVG510 is identical to what was in place with the 2210-02...

    The Airport Extreme 802.11ac works as the "router", with the WiFi signal extended to another floor via an Airport Extreme 802.11n (5th generation).

    The WiFi signal provides web access to some desktop Macs, AppleTV, mobile phones, tablets and a laptop (the laptop is the only device that uses a VPN).

    The network mode on the Airport Extreme 802.11ac, which serves as router, is "DHCP and NAT", and the "5th Gen", which extends the wireless network, is set to "bridge" mode.

    After hours of searching online, I understand that this problem is surely the result of the NVG510, and that this problem has existed for at least five years. I've read at least a few dozen different ways to attempt a fix via adjustments to settings, but none reached the level of a real solution.

    Although my network has no problem at the moment, I'm afraid that the "Double NAT" alert is a sword of Damocles that will eventually crash my network, a situation I would like to avoid. I have not yet dared to connect the laptop with a VPN to the router, out of fear that it will bring down the whole network.

    I'd rather solve the "Double NAT" proactively.

    Is there a way to eliminate the "Double NAT" by adjusting the parameters of the NVG510 and/or the Airport Extreme?  Or are my fears of future problems and a VPN disaster unfounded?

    Thank you

    According to your comments, the NVG510 has not been reconfigured as a bridge and is providing routing functions (NAT & DHCP).

    To resolve the Double NAT, either the new Motorola NVG510 or the AirPort Extreme needs to be reconfigured as a bridge. The simplest solution would be to reconfigure the Extreme. In this way, the NVG510 can handle the NAT & DHCP services required by the network clients connected to the Extreme to access the Internet.

    To reconfigure the Extreme, use the AirPort Utility, as follows:

    • Run the AirPort Utility and then select the Extreme.
    • Click on the Extreme and then select Edit.
    • Click the Network tab to select it.
    • Change the Router Mode to: Off (Bridge Mode)
    • Click on Update and allow the Extreme to restart.

  • Question about the issue of the Double NAT...

    Hah, I haven't posted for a little while.  I have a question about Double NAT.  Is it wise to run it?  The reason is that I have a WRT54G v6 router and a Zoom ADSL X4 Modem/Router/gateway, and it seems that Web sites take just a little more time to respond.  I just want to know whether I have to turn it off (i.e., go into Bridge mode with my router) or what.  Or leave it alone.  Now one last thing: the slowness problem could actually be AT&T, but I have the feeling that it isn't.

    What configuration options do you have on the Zyxel to bridge it? What exactly have you tried?

    The basics for the first option are:

    * Bridged Zyxel.

    * Linksys configured for PPPoE with your user name and password for the internet connection.

    Instructions to bridge the Zyxel are here or here depending on the exact model of Zyxel.

    The second option is:

    * Zyxel acting as the router. I assume here that the Zyxel is on 10.0.0.2 with subnet mask 255.255.255.0.

    Unplug the Linksys from the Zyxel. Connect a computer to the Linksys. Open the web interface of the WRT at http://192.168.1.1/

    On the main Setup page:

    1. Change the LAN IP address from 192.168.1.1 to 10.0.0.1.

    2. Disable the DHCP server.

    3. Save the settings. You will lose the connection. Unplug the computer.

    4. Wire one of the numbered LAN ports of the Linksys to the Zyxel. Do not use the internet port of the Linksys!

    Now you should be able to open the Linksys web interface at http://10.0.0.1/, and all devices connected wirelessly to the Linksys or connected to one of the three LAN ports should have a connection to the internet via the Zyxel.
