Cisco Firewall :: 2811 Not Allowing ICMP To PBX Through Same Interface

May 31, 2013

Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
 
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation, but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to 10.20.0.1 and still need the Internet SIP trunks.
 
My two questions are: how do we resolve the issue of pinging the .30 address from the workstation, and then, when the time comes, how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router?


Cisco Firewall :: ASA 5510 Allowing ICMP Unreachable On Outside Interface

Oct 25, 2011

I am having some issues with my ASA 5510 (running ASA 8.2) dropping ICMP unreachable-fragmentation-required-but-df-bit-set type messages coming in on the outside interface. I have the following entry in the ACL for the outside interface:

access-list outside_acl extended permit icmp any interface outside

and there are no other entries in that list that should take precedence and drop the packet. Pings from outside to the ASA work when this ACE is present and do not when it is absent, so it is clearly taking effect. I see the following entries in the debug log when sending a large non-fragmentable packet (that would cause an intermediate router to send back this ICMP response) out to the internet through the ASA. As far as I can tell I am not running ICMP inspection; I don't want it to do any stateful magic here, since the outgoing traffic would have been ordinary data from another protocol and would not have caused an outgoing ICMP connection to be built to match against.


Cisco Firewall :: 6509 ICMP Echo From Firewall Interface

May 1, 2011

Two 6509 chassis with VSS configuration. One of those chassis has one FWSM installed and the configuration is like this:

Switch:
firewall multiple-vlan-interfaces
firewall switch 1 module 3 vlan-group 1
firewall vlan-group 1 3-5,7,8,10,200
interface Vlan200
ip address 10.50.50.1 255.255.255.252
end

I am not receiving ICMP replies from the FWSM interfaces if I try to ping 172.20.80.1 from 10.50.50.2. I do not see any debugging info in the logs. I successfully ping 10.50.50.2 from the inside networks in the Cat6500, but in the network 172.20.80.0 I cannot ping 10.50.50.2.


Cisco Firewall :: ASA5505 Icmp Denied For Inside Interface?

May 6, 2012

I have an ASA5505 configured with internal network 192.168.15.0 and default gateway 192.168.15.1. From the inside network I'm able to access the internet and able to ping all websites (ping enabled), and all internal network devices can ping each other. Except I cannot ping my gateway (ASA5505) 192.168.15.1. I'm continuously seeing this message in the log when I try to ping. How to fix this?

Denied ICMP type=8, code=0 from 192.168.15.xxx on interface inside

Replace xxx with my network devices that try to ping the gateway. I don't want outsiders pinging my gateway; I need ping for the inside internal network only.


Cisco Firewall :: ASA5540 - No ICMP Reply From Inside Sub-interface

Apr 28, 2013

I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replies going out from the box.

I need to ping 192.168.10.250 from 192.168.5.55:
  
ASA Version 8.0(5) 
interface GigabitEthernet0/1
nameif inside

[Code].....


Cisco Switching/Routing :: 2811 Disable Audit-trail For Icmp Packets In CBAC Logging

Mar 23, 2013

I have a Cisco 2811 router set up as a NAT/firewall gateway for my network. I've configured it for CBAC using ip inspect and an access list. What I want is to use audit-trail to record network traffic (which means sending syslog messages to a server) concerning established sessions from my own network to locations on the outside. If I configure this using ip inspect audit-trail and no ip inspect alert-off, the configuration looks like this: [code] which works just fine, but there is the matter of ICMP packets.

Since I use polling software that needs to check some machines in the outside part of the network, it is only natural that several ICMP sessions are established through the inspection rule per minute. The problem is that since these sessions are recorded along with everything else, my syslogs are flooded with these (since I am using logging trap informational) to the point that more messages are generated about ICMP than all other traffic combined, especially in non-working hours. What I am asking is for a way for the audit-trail to be selectively disabled for ICMP, so that the outgoing (echo) & incoming (echo reply) sessions can be established without generating syslog messages.


Cisco WAN :: 1811 ICMP On External Interface

Mar 10, 2012

I've got a Cisco 1811 router with FastEthernet0 plugged into a cable modem with 5 static IPs. I want to disable the ability for those IPs to be pinged externally except from certain addresses that I specify (I have some offsite servers that I use to monitor the ISP link, for example). I also want the ability to ping external addresses from the router as well as from any of my inside subnets. [code]

I've tried various ACLs applied to Fa0, none of which work. [code]


Cisco WAN :: Allow ICMP Traffic On ASA 5510 From LAN Interface To DMZ?

Jul 17, 2012

I want to allow ICMP traffic on the ASA 5510 from the LAN interface to the DMZ. I've permitted any traffic and added ICMP to the inspection list also, but there is still a problem. Below is the configuration. The image is asa822-k8.bin.

:
ASA Version 8.2(2)
!
hostname fw-01
names
!
interface Ethernet0/0

[code]....


Cisco :: 4400 Not Allowing Management Port Interface Designation?

Apr 7, 2011

We recently reset a 4400 controller in a school. Although all access points associated, clients could not get to the Internet. On investigating we suddenly lost connection to the web interface. We tried HyperTerminal connections to reset, but found that the management interface had the ports "unconfigured". We finally reset the configuration, and when we tried to start from scratch it now does not allow a port designation. It asks for 1 or 0 but says both are invalid when entered.


Cisco WAN :: Allowing Dota In Point-point (wan) Using 2811

Jun 22, 2012

Find out the necessary configuration on our Cisco router 2811 on how to pass through the Dota game application?


Cisco Switching/Routing :: ICMP High Response Time To SVI Interface 3750X

Mar 13, 2011

I am in the process of installing a 3750X (IOS 12.2(53r)SE2 IP Base) Cisco Catalyst switch in a new network of just 2 PCs (2 hosts, OS Windows 7 64-bit). I have enabled SVI interfaces with the two hosts installed in 2 different network segments. We then started connectivity tests. The response time for the PING command between both hosts remains below 1 millisecond, whereas the response time between the hosts and their corresponding SVI interface is variable, and at all times is higher than 1 millisecond, sometimes reaching 17 milliseconds. (Note that the switch CPU usage is only 8% at the time of testing.) We have performed this same connectivity test changing the 3750X switches and in two different locations, obtaining the same results.


Cisco VPN :: 2811 - IOS Tunnel Interface Keeps Going Down

Sep 7, 2011

I'm seeing on an IOS VPN Tunnel interface which keeps going down and then back up...
 
We have a Cisco 2811 acting as a VPN hub router on the backbone, which connects to various client sites over VPN. Of the 7 VPNs configured, 6 work well and are generally trouble free. The VPN interface on the other VPN keeps going down, multiple times throughout the day, and just recently the client has been noticing loss of connectivity. The remote router is managed over the VPN so there is always some kind of traffic over it.
 
*Sep  7 06:40:53.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to down
*Sep  7 06:41:23.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to up

[Code]......


Cisco Firewall :: Allowing Netbios 137 / 138 Through ASA?

Sep 10, 2012

I've recently had to move an AS400 system behind an internal ASA firewall and now users are unable to browse to it. The ASA is running Version 8.2(5). I get these messages:

Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137

Is there a way to enable these ports without enabling NAT? No VPNs involved, just inside and outside Ethernet interfaces.


Cisco Firewall :: 5510 8.4 And ICMP

Sep 19, 2011

So I have my shiny new (used, but new to me) 5510 finally working and installed in my dev network. I need to have ICMP (ping and traceroute) available from the inside network. I Googled and found a few articles on how to do it. I tried modifying the class maps, but it looks like there are changes in the commands in 8.4 and the articles I found were evidently for 8.2 and lower. I tried doing it with access lists, again from examples, and traffic stopped in all directions (not good), so I am back to being functional and wondering how to do it in 8.4. Documentation seems sparse on the net for 8.4.


Cisco Firewall :: ASA5520 Not Allowing Traceroute

Oct 31, 2011

I've got an annoying problem with my ASA 5520. I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic, and I can't seem to traceroute through the firewall. The ruleset is simple: basically, allow any IP from inside to outside. The NAT is simple: PAT all traffic, unless exempted, to the IP address of the outside interface. If I do the trace from my internet edge router it works fine, so I know it's not something my uplinks are filtering, but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface, then nothing. Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?


Cisco Firewall :: 7100 Allowing NAT / PAT From Router Through ASA

Mar 17, 2013

I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? for example:


Cisco Firewall :: 881 Router - IOS ZBF Not Allowing IPv6

Oct 4, 2011

I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:

Zone: LAN --> WAN
zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
 
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from the WAN interface, IPv6 works normally (connected to Internet). As soon as zone-security is enabled on the WAN interface, all IPv6 traffic is discarded when connecting to the Internet from the local LAN.
 
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
 
Are there any special settings for ZBF which should be turned on for IPv6 protocol?


Cisco Firewall :: ASA 8.4 ICMP Not Working On Default NAT?

May 23, 2012

I'm having issues with NAT dropping ICMP on default NAT. Do I need to create another NAT for ICMP?
 
Here's the packet-tracer result:
 
firewall01# packet-tracer input inside icmp 172.23.1.74 0 10 8.8.8.8 detailed
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:

[code]....


Cisco Firewall :: ASA 5500 And ICMP Unreachable

Jun 27, 2012

Is it really the case that the ASA will not generate ICMP Host Unreachable messages for subnets connected to any of its interfaces (in breach of RFC1812), as claimed here: [URL]

I'm investigating a situation where an organization uses ASAs to control traffic between different VLANs in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal subnets.


Cisco Firewall :: Allowing FTPS Access In ASA5510

Apr 13, 2012

We have an ASA 5510 as a firewall in our environment, and there is a requirement to access an FTPS server from our location. Currently, from the server location, they configured everything by allowing our public IP to their server and gave the following details to access FTP. Please suggest which traffic needs to be allowed in our ASA to access the FTP server address as mentioned above. From my initial analysis, it's found that port 989 is also enabled for the access, but that was not mentioned by them.


Cisco Firewall :: Allowing Traffic From Inside To Outside ASA5505 7.2(3)

May 15, 2012

Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASAs we are using are for VPN to our corporate office and only allow access to our Citrix environment, so no direct internet is allowed. We have a person who works in the remote office who needs a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservation is proving difficult. For now I wrote an access list to allow its DHCP address out, but it still isn't working. The access list I wrote is:
 
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
 
When I do a show access-list I'm seeing that traffic is hitting the access list, as the hit counter has increased. When I do a show conn I'm seeing one of the IPs that the phone should have access to; however, the flags are saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.


Cisco Firewall :: ASA 5505 - Allowing Multiple Networks On DMZ?

May 22, 2011

I have 3 networks coming in on the DMZ (VPN) interface. Only one network is able to ping the DMZ interface. See below the networks coming in on the DMZ.

10.132.24.0/24
10.132.25.0/24
10.132.26.0/24

Only the 10.132.26.0/24 network works, as it is in the same range as the DMZ interface.

allowing the other two networks to communicate. I've attached the diagram and configs for your perusal.


Cisco Firewall :: ASA 5505 Not Allowing Incoming Traffic

Mar 15, 2012

I am trying to switch out a Cisco PIX 501 firewall with a Cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. What am I doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]


Cisco Firewall :: ASA5520 Allowing / Blocking Skype

Sep 17, 2012

I have the following:

redundant ASA5520s on v8.2(1)
proxy server/web filter for blocking access to websites for staff/students
users who want to use Skype
Cisco Catalyst 4507 core
a dozen VLANs for staff/student/WiFi etc
Cisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN
Windows desktops have direct proxy settings in IE.

Pretty much all outbound ports are closed, with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443, which are sent to the proxy server, but because they're not HTTP/HTTPS they cannot be understood. Skype's attitude is to open 1024-65535, which is just plain stupid!

There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099, which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time. I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things, e.g. torrents). Is it possible to use this module to allow Skype, e.g. on ports 1024-65535, whilst blocking any other application from using those ports?


Cisco Firewall :: ASA 5550 - Acl Allowing Guest Access

Jan 26, 2012

I have an ASA 5550 at our main site with an external Ethernet interface to our ISP for internet access. I would like to allow 10.100.41.x/24 http/https access but block this network's access to all other internal networks, including 172.17.x.x, 10.100.1-40.x, and others. I'm having trouble identifying what IP address to use as the destination for the permit rule for access to the internet. The rule that comes after the permit is to deny 10.100.41.x/24 access to internal network addresses.


Cisco WAN :: 2811 HWIC Switch Cannot Be Configured As A Network Interface

Apr 14, 2012

I currently have a Cisco 2621 powering a network at our co-location facility. It's a simple setup and is working well. The colo provides a redundant HSRP uplink, so I have their two uplinks going into a Dell switch. From that Dell switch I have an uplink into FastEthernet0/0 on the 2621, configured with my routing network, and then FastEthernet0/1 gets an address from my block of routable IPs. FastEthernet0/1 then plugs into another Dell switch where I have all my servers connected. The servers get public routable IP addresses and use the address on FastEthernet0/1 as their default gateway.

It's time to upgrade off the 2621, so I acquired a Cisco 2811 which has two FE interfaces, as well as a modular HWIC-4ESW switch. My question is, can I get rid of the Dell Switch A in the setup above and just use the internal switch on the 2811 to accomplish the same thing? And if I did this, would my two uplinks from the colo plug into ports 1 and 2 of that HWIC, and then port 3 would physically connect into FE 0/0? Or can I logically do that via configuration in the Cisco? I'm not sure how all this works and haven't received the new router yet, so I thought I'd get a head start and reach out to the experts.
 
My second question is unrelated, but each port on the HWIC switch cannot be configured as a network interface right? I'm pretty sure they can't as they aren't considered network interfaces but just thought I'd ask.


Cisco Switching/Routing :: 2811 - Migrate IP Address To Other Interface

Aug 29, 2012

I have a Cisco 2811 with fa 0/0 as my bearer, and a switch module for internal clients.
 
I have an issue with my fa 0/0 flapping, I want to move that ip configuration to fa 0/1
 
As this is a branch office I am reliant on the bearer port to give me comms, so changing the IP addresses is difficult.

Has anyone tried this with a TCL script?


Cisco WAN :: Input Errors On Fastethernet Interface Router 2811

Feb 22, 2012

I have this output from show interfaces command for the fastethernet interface on a 2811 router.
 
Find the causes of the CRC and the ignored input errors on the interface?

The interface configuration is:

interface FastEthernet0/0
description VLANS_CHILE
no ip address

[Code]....


Cisco Firewall :: ASA 5510 / PAT / ICMP Echo Outgoing IP

Apr 16, 2013

I have ASA 5510 with soft version 8.4(5) installed. There are two interfaces:
 
IP 1.1.1.1/24 - inside
IP 2.2.2.1/24 - outside
 
I have configured PAT, so network 1.1.1.0/24 gets NATted to 2.2.2.2 address. Everything works fine, except I can't reach 2.2.2.2 via ICMP from the internet.
  
X.X.X.X 2.2.2.2 Deny inbound icmp src OUTSIDE:X.X.X.X dst OUTSIDE:2.2.2.2 (type 8, code 0)
 
But I have configured an access list allowing ICMP from any to any: access-list outside_access_in extended permit icmp any any
 
Thus address 2.2.2.1, which is bound to the outside interface itself, is perfectly reachable via ICMP.
 
I've got two questions:

1) Is there a way to fix it? It will be handy for diagnostic purposes.

2) Is it possible to configure a secondary IP address on an interface on the ASA? I've read that there are some complications.


Cisco Firewall :: ASA 5510 - Allow ICMP From Three Blocks Of IP Addresses?

Jul 12, 2011

I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall, but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP addresses?


Cisco Firewall :: ASA 8.2(5)26 - ICMP Echo Request Denied On Outside?

Jan 14, 2013

I'm having problem getting ICMP echo monitoring on outside interface to work. I've set: icmp permit host monitoring_station_adress outside but I still get:

%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_adress on interface outside. I'm trying to directly monitor ip on ASAs interface outside.
 
I have access-group tied to "in" direction on interface outside. Do I still have to put "permit icmp" rules despite the fact that icmp permit outside command is set?


Cisco Firewall :: Allowing Multicast Traffic To Pass Through ASA5510

Mar 1, 2011

I'm not able to configure the ASA 5510 to allow the multicast traffic to pass through the ASA. The multicast traffic has to pass from the inside interface to the outside interface. Can I configure the multicast traffic to pass through the ASA with a static NAT?


Cisco Firewall :: PIX-525 Only Allowing 1020 Maximum Size Packets Through

Sep 25, 2012

We've had this firewall in place for years, and there haven't been changes to it in the past few months. Last week, however, we started having problems accessing one of our networks through the PIX, and after working with Microsoft, we determined it was an MTU issue. The maximum sized packet to the PIX and through the PIX is 1020 bytes, and it doesn't matter if the packets are sourced from a server or the PIX itself. From the server, we can ping 1500 byte packets to the core switch with no issues. All interfaces are set for 1500 bytes.
