Cisco Firewall :: Creating Access Rules On ASA 5520 Platform
Aug 2, 2011
Our company has recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform. Needless to say the interface on the Cisco platform is much more complex and I don't have much experience working with firewalls. Our other IT guy is out of town and this is the first time I have worked on this setup.
I need to create the following access rule
I need to open port 4**0 to be allowed through the firewall from external ip address 10.XXX.XX.XXX only. Then forward port 4**0 to 10.XX.XX.XX port 80 tcp
I'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I got installed was the 184.108.40.206 on a CISCO 5520 with 512 RAM, the memory usage is on 99% used, 1% free and because of that when I'm trying to create a new rule the firewall brings me the next error..So what I did was a downgrade to the version 8.2 (4) 4 and the memory went down a little (82% used, 18% free) but I still got the error when I'm creating an access rule on the device. One thing and I'm not sure if this could affect on the performance are the number of access list and the object groups that are created.
I already open a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak.Also the doubt that I got is with the memory that I got now available should I can create access rules or 82 is still to hig to create a rule or and object group?
We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ 192.168.2.0/24, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?
This is just a general question... is there a good way to organize the ASA's access rule list to increase its efficiency? Maybe by service or hit count (Top 10). I am using the Cisco ASDM 6.2 to manage our ASA 5520.
Looking at it looks very unappealing and I'm in the process of adding names and descriptions to all the Network Objects.
We have a pair of ASA running 8.0 (old) version. The way we create outbound rules is done through ASDM and when we need to open outbound connections to a server in the internet, we create named object with IP address configured manually.But practically , this doesnt work, since the server is a server name which can resolve to multiple addresses. Everytime the server chagnes its IP the ASA rule needs to be updated.Is there a difference if we add rules through CMD prompt as against ASDM where we need to enter IP addresses?
I am trying to create host objects that I'll then add to network-object groups for use in ACL/ACEs.When I try to create a host I am having trouble adding the IP address.I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from CLI?
I'm encountering what I think is an issue on logging system on FW ASA 5520 - Asa Version 8.4(2), ASDM version 6.4(5). When I disabled the logging inside a rule from ASDM, or from console with the "log disable" option inside ACL, If I check in ASDM logging real time window I continue to see all the entry related to disabled rules. This is a correct behaviour about ASA logging ? How I can "hide" the entry related to disabled rules (this is what I need for troubleshooting purposes) ?
I have a static IP block and need to route to various servers. I know I can use 1:1 NAT or Access Rules and have success with each. The problem is my mail server. When I use 1:1 NAT, the mail is sent from the correct IP - the address of my mail server - and there is no problem with reverse lookups. However, I cannot block any ports when I use 1:1 NAT. I have tried it every way I can think of and even some suggestions in the forums that did not work. No matter how I set access rules, all port stay open in 1:1 NAT.
If I delete the 1:1 NAT rule and use Access rules to open specific ports, the mail server sends out the mail from the WAN address. The reverse DNS does not match and mail server will bounce the mail.
I purchased a RV180 router, and would like set the Firewall Access Rules as below
- Action: Always Allow - Service: HTTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address) - Action: Always Allow - Service: FTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address)
The firewall access rules no problem within 1 hour after setting. I can access the http / ftp services by the WAN ip address. After several hours, I can't access the services.
I can set the one-to-one NAT rather than use the firewall access rules, but I would like block all other ports, and one-to-one NAT will forward all ports to the private ip address. Administrator > Logging > Firewall Logs , when I enable the settings, where can I get the log of the firewall?
I'm having trouble setting up the correct rules on an ASA 5505 I'm using in my home office. I have a couple of IP Cams I need to access remotely.
I've tried setting up simple NAT(PAT) and/or Access Rules, but it hasn't worked. I have a single dynamic IP for the Outside interface. Call it 220.127.116.11 and I am using PAT. The CAM is setup to connect on port 80, but could be configured if necessary. I've tried setting up NAT Rules using ASDM as follows:
Match Criteria: Original Packet Source Intf = outside Dest Intf = inside
I'm afraid to use CLI only because I am not confident I'll know how to remove changes if I make a mistake.
Verifying the operation of the ASA when configured with Global access rules. Does the global rule overide the interface security levels? According to the ASA order of operations, the interface specific rule get's processed first and then the global rules, but It does not say anything about interface security levels. Observing an ASA in production that has global rules configured I see that an interface with a security level of 50 that has no rules applied to it, passing traffic to the outside interface (security level 0) drops the traffic. Syslog shows that it hits the global access rule implicit deny. Does the implicit permit any to any less secure interface not apply?
Setup firewall rules that will block all inbound Internet access to the web server except port 443, Setup firewall rules that will block all communication between the two internal networks, except ports 7000 and 1702
I'm running a IPSec VPN between a 5520 ASA and a 2811 router. The ASA has a static IP and the router has a DHCP interface.The VPN seems to work fine once I get done clearing old SAs, but each new IPSEC SA creates a new ISAKMP SA on the router? There are multiple subnets that need to create multiple IPSEC SAs. Eventually I can clear the older ISAKMP SAs and get all the traffic on one ISAKMP SA, but until I clear older SAs, new associations won't form. Why the router (initiator) would keep creating new ISAKMP SAs and not use an established one? Using PSK, aggressive mode and no PFS. ASA has another dynamic crypto map with lower priority than this one. Using FQDN for identity on the router. ASA version 8.2(5) and IOS is 12.4(20)T1.
Must be something I'm not understanding. The ASA says no established SA and drops the new SA attempt until I clear older ISAKMP SAs out of the router. Interesting, the first few IPSec SAs form when the tunnel initially comes up. I assume the initial requests are getting cached and work immediately after the first ISAKMP SA forms, but subsequent IPSec SA attempts will fail. Once all subnets are talking with 1 ISAKMP SA, rekeys don't cause any problems. Since the router subnets have to instantiate the new IPSec SAs, this is a real pain to go through anytime the WAN/VPN fails.
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
I have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
I just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 18.104.22.168:58141 => 22.214.171.124:23 with ip ident 0 (where 126.96.36.199 is the external laptop and 188.8.131.52 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
I'm trying to set up Windows Server UAG for Direct Access in a Testlab. The UAG Server has two network nics. One in my Testdomain (internal) and the other one in a DMZ of our Cisco ASA (external).Our ASA dmz has subnet 192.168.3.x but UAG Direct Access needs public ip adresses.Is there documentation how to configure an ASA 5520 Firewall so i can use my Windows UAG Server with Direct Access?
We have an ASA 5520 in HA. (version 8.X upgraded to 9.1 (1))We used Wizzard to configure VPN clientless and portal. Also, configured manually we have the same issue: We can access to the portal using IP address of Lan interface but not with outsides (2 ISP). The clientless VPN is enable on the public interface and no packets rejected in logs.We try to modify the Crypto map created by default to replace "any" to "any" by "any" to "our public IP" (We see that is recommended by Cisco) It works for 10 minutes.(strange..) but after 10 minutes the active member crashs.. only a reboot with previous configuration was good.We try to investigate but each time we modify Crypto maps, the firewall is going bad.
I have been configuring a cisco ASA 5520, everything is working fine but when i create an ACL:
-access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any -access-group OUT out interface outside
i added ports like www or 443 and it is not working to Internet access a router is before to my firewall connected to my headquater, i can see my private networks but i cannot able to reach Internet access,
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
I've got what is probably a very basic question - but i can't figure it out.I have: Internet (ADSL) -> 2851 (ADSL wic) -> 5520 -> internal LAN (192.168.1.x/24)
The asa has just replaced a Checkpoint firewall.I've set up the ASA to the point where all hosts on the internal LAN have internet access (using a dynamic PAT on that network). This all works well.
The problem i have is i am trying to allow access from the internet to an internal host on a specifc TCP port (as i had done on the Checkpoint) but i'm getting:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:184.108.40.206/52135 dst inside:192.168.1.252/5555 denied due to NAT reverse path failure
From what i have read i need to add a NAT exemption for this particular use case - to avoid the dynamic NAT i have setup, but im not sure how to do so.I'm running 9.1 on the ASA, no VPNs yet. Just this basic setup.
I am new in ASA, I have the DMZ (10.1.1.0/24) configured on ASA 5520 and I achieve the reach Internet from DMZ (10.1.1.0/24), but now need reach DMZ from inside (172.16.12.0/24) and inside (172.16.12.0/24) from DMZ (10.1.1.0/24), in other words round trip.
I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.