...kRiLLin...
Hi Guys,
I need some assistance. We have a Cisco ASA as a perimeter firewall, and our ISP has put down their CE router. We have been given an IP block and the gateway.
The way I understand it, and have configured previously, is that we have a static route on the firewall, 0.0.0.0/0.0.0.0 to the gateway IP which sits on the CE. This is done on all our sites.
At a new site, we have a different ISP and I have configured this. Traffic out gets NATed on the FW, so that's OK. The problem that I have is with remote access to connect via SSH or ASDM, which I have allowed for testing remotely on the outside interface of the ASA. The problem is that all outside traffic shows the source IP as the CE's public IP, and not the actual source IP. Meaning, if my public IP at home is 1.1.1.1, the ASA outside interface IP is 5.5.5.5, and the default route configured on the ASA is 8.8.8.8, then if I SSH to 5.5.5.5 and look at the log of the ASA, it gets denied because it sees traffic sourcing from 8.8.8.8 and not from 1.1.1.1. So now I have to allow 8.8.8.8 ASDM and SSH access, which essentially allows the whole internet access to my FW as long as they have the password.
I don't know if that makes sense. On all the other ASAs it shows the actual source IP and not the ISP's public interface as the source.
I have an issue establishing IPsec, and I have a feeling that this could be the culprit as well.
Any assistance would be appreciated.
K
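An added check, not part of the post above, that a defender can run over ASA syslog to confirm the symptom described: if every management-ACL deny on the outside interface carries the next-hop address as its source, the CE is source-NATing inbound traffic and a per-source SSH/ASDM ACL can no longer tell the administrator apart from anyone else on the Internet. It assumes the log contains Cisco's 710003 "access denied by ACL" messages; the sample lines are constructed and reuse the post's placeholder addresses.

```python
import re
from collections import Counter

# Constructed ASA syslog sample (not taken from the post). Message 710003 is what the ASA
# logs when the ssh/http management ACL rejects a connection. Addresses follow the post's
# placeholders: 5.5.5.5 is the outside interface, 8.8.8.8 the CE-side default gateway.
SAMPLE_LOG = """\
Jan 10 2014 09:00:01 asa-site2 %ASA-3-710003: TCP access denied by ACL from 8.8.8.8/51011 to outside:5.5.5.5/22
Jan 10 2014 09:00:04 asa-site2 %ASA-3-710003: TCP access denied by ACL from 8.8.8.8/51012 to outside:5.5.5.5/22
Jan 10 2014 09:01:30 asa-site2 %ASA-3-710003: TCP access denied by ACL from 8.8.8.8/51340 to outside:5.5.5.5/443
Jan 10 2014 09:02:11 asa-site2 %ASA-3-710003: TCP access denied by ACL from 8.8.8.8/52001 to outside:5.5.5.5/22
Jan 10 2014 09:05:00 asa-site2 %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/4433 to inside:192.168.1.1/443
"""

DENY_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_mgmt_denies(log_text):
    """Yield (interface, source, destination, dest_port) for every 710003 line."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["ifc"], m["src"], m["dst"], int(m["dport"])


def source_profile(log_text, interface="outside"):
    """Count the source addresses seen hitting management ports on one interface."""
    return Counter(src for ifc, src, _dst, _port in parse_mgmt_denies(log_text)
                   if ifc == interface)


def upstream_nat_suspected(log_text, gateway, interface="outside", min_events=3):
    """True when every management attempt on the interface appears to come from the
    next hop. A healthy site shows a spread of real client addresses; a single
    source equal to the gateway means the CE is rewriting inbound source IPs."""
    profile = source_profile(log_text, interface)
    return sum(profile.values()) >= min_events and set(profile) == {gateway}
```

A result of True is the cue to take the NAT question to the ISP rather than to widen the `ssh`/`http` ACL to the gateway address.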