What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?We want to pull more information from the edge router like netflow. We can use SNMPv3 and ACLs to keep the router secure.
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.I am running an ASA and a 2821.
Used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
I'm thinking of using a routed context for securing the internet edge and then using seperate contexts for the web and application networks. Contexts will route via a L3 switch.
After connecting via anyconnect client 2.5, I cannot access my internal network or internet. My Host is getting ip address of 10.2.2.1/24 & gw:10.2.2.2
Following is the config
ASA Version 8.2(5)
!
names
name 172.16.1.200 EOCVLAN198 description EOC VLAN 198
dns-guard
!
interface Ethernet0/0
description to EOCATT7200-G0/2
switchport access vlan 2
[code]....
I have an ASA 5510 configured 3 interface Internet_AAPT, Internal_Network and Server_Network. The server network works fine as is able to connect to the internet and services like port 80 work from the internet in. But from the Internal_Network can only get to the server network but not internet (6May 13 201214:17:4030201310.153.111.21253663199.47.216.14880Built outbound TCP connection 42508 for Internet_AAPT:199.47.216.148/80 (199.47.216.148/80) to Server_Network:10.153.111.212/53663 (10.153.111.212/53663). The weird thing in logs i see a connection being made but for some reason its referring to the Server_Network interface? below is my current config...
ASA Version 8.2(5)
!
hostname ASA01
domain-name names
name 10.153.11.184 QNAP
name 10.153.11.192 exc2010
name 10.153.11.133 zeacom
[code]....
I have configured an ASA 5505 to connect a single internal network to internet, it is not working. I have attached the config
View 9 Replies View RelatedHow to configure an Asa that will have a default gateway to an edge router that will be doing PBR? We would like Internet surfing to go out one ISP while internally hosted services in the Asa DMZ would go through the other ISP. configuration examples for both the edge router and the Asa?
View 3 Replies View RelatedCurrently I have an ASA setup as a Firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was setup to receive DHCP from the ASA and everything was working. I'm adding router and a server for the guest interface and what I'm trying to accomplish now is the following: ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT > Mac Server as DNS Server.Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong. My DNS Server has a reserved IP address: 192.168.226.2 and it's pointing to itself and forwarding the ISP DNS servers, the Airport Extreme is handling the DNS Server IP and the ISP DNS Server IP but I can't connect to the internet from the server. [code]
View 31 Replies View RelatedFor a config on a 2821 router with IOS 15.1?I've setup an internal web server and am able to acccess it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0). When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.
What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?
Related Config Lines to Allow Access to Web Server
NAT
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ACL
ip access-list extended WAN
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www
[code]....
We have ASA 5520 firewall.For broadband Internet access, we have T1 Router(edge router provided by ISP) which provides public IP's 198.24.210.224 / 29. We have usable public IP's 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225. We assigned 198.24.210.230 255.255.255.0 to the outside interface.
If we connect the ASA 5520 outside interface directly to T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using other device like another router or switches?I just assume that only packets with destination address 198.24.210.230(outside interface ip) can reach the outside interface from the edge router.Is it wrong assumption? If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?
Apart from the ability to participate in BGP, is there any reason you should use a router on an internet edge rather than the SG-300 switch?
View 4 Replies View RelatedMy SIP provider is not convinced that my ASA and Edge Router is not altering the SIP packets. On the ASA I've removed the inspect SIP, and H323, what else needs to be done to make the firewall not mess with the SIP Traffic.
Packets are flowing in/out.
access-list hbg-outside-198_access_in extended permit udp host <SIP HOST> object sfipoffice_o eq sip
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o gt 49152
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o lt 53246
Here are my Policy Maps.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
[code]...
On the 3825 Its jsut a pretty simple config that jsut routes packets form one interface to another, all Public Addresses, so no NAT on it.
Any router (I'm considering ASR 1002 with 10GE SPAs) that can support the following:
-10GE interfaces
-can handle 1.5Gbps but scales up to 5-6Gbps different seasons
-take on full internet routes from 2-3 providers
-will live on the internet edge
Region : Poland
Model : TL-MR3220
Hardware Version : V1
Firmware Version :
ISP : Bite
Router TL-MR3220 works well on 3G network, but is not works 2G (edge) network. 3G network is not suported in my location, only 2G. My modem is Huawei E 173. In location 2G network Router show: 3G/4G USB Modem: Unplugged.
On a 2821 Router with 15.1(3)T1
I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internat NAT host? Note: As a test, removing the deny entry on the WAN ACL allows return traffic.
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?
View 5 Replies View RelatedI now need to configure an ASA 5505 for a small server farm. It's fairly straightforward:isp -> asa5505 -> internal servers,'m using static addresses -- no DHCP involved.VPN works; I can get into the internal network.pinging from the ASA to an external address works,However, I cannot get from a laptop connected to an internal port out to the internet, either using ping or typing an address in the browser.
View 7 Replies View Related I am having a problem getting my ASA to work properly. I attached a diagram for reference and most of the config is below. When I finally got it to route properly between 2 sub nets on the internal network, the NO NAT statement broke routing for the VPN Clients who rely on a NAT statement for the same sub net that is listed in NO NAT access list. I can get one of the 2 to work by replacing NAT statements but can't figure out a combination to allow routing for both the internal sub nets and the VPN clients to work.
It's been about 5 days of tweaking this thing just to get the internal routing to work correctly and when I finally did I broke VPN client access. To note, the VPN clients can still log in and get a session going, they just can't get anywhere once they are in. I also think there's a lot of stuff in this config that is not needed like a lot of the object groups, etc. but I am being very careful about removing anything. I took over support of this ASA after someone else put it in place and over this past weekend we moved it to a new building and new ISP and that is when I had to get it to route between sub nets. The main point of this move was to remove building 1's reliance on building 2 for Internet and outside email access in the event that building 2 is not available (it is close to water and this has happened more than once over the past year).
So that is why I can't go with the smartest option of just keeping the routes on the router in the other building. I also know the 1600s are ancient but they're all we have for now. I can provide those router configs also but they are VERY basic, all static routing. The IP for the Cisco router on the same sub net as the ASA is 192.168.42.254.
This is the statement that allows the routing to work between the 2 internal sub nets but breaks VPN clients: nat (INSIDE) 0 access-list NO NAT
This is the statement that allows the VPN clients to work but breaks the internal routing: nat (INSIDE) 0 access-list INSIDE_nat0_outbound
The rest of the config is below the diagram.
ASA Version 8.2(2)
host name Cisco asa
domain-name default.domain.invalid
enable password - encrypted
password - encrypted
names
dns-guard
[code]...
Is it possible to perform static Nat's through an internal network?I have a ASA 5510 with a public outside interface (let’s call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900m with that interface being configured with a 192.168.1.1 (no switching). On the 4900 M I have several VLANs one of them is an internal DMZ of sorts. (192.168.2.0/24). Within this DMZ network are several Web servers which need to be associated a public IP address (68.68.68.x).
Every time I configure a static Nat to associating a public IP address with an internal IP address within the DMZ, packet Tracer on the ASA informs me that the packet gets dropped at the static Nat and I cannot figure out why this is so.Safe it to say my question still stands is it possible to Nat (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring in such the manner above so that I acn apply static nat through the 192.168.1.0 network to reach the 192.168.2.0 network.
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.
View 9 Replies View RelatedCisco ASA 5505 Cannot Ping Secondary Internal Network.
View 9 Replies View RelatedFor a customer I have configured a new ASA 5505 firewall with 8.42 software. I had to build 3 ipsec tunnels to different locations and firewalls. All tunnels are working except one. I have to translate the inside network 1 to 1 to a different private range before it is sent over the tunnel. Each host from network 192.168.133.0 /24 has to be translated to a 192.168.112.0 /24 host and then sent over the tunnel. (e.g. 192.168.133.22 translated to 192.168.112.22)
View 3 Replies View RelatedFrom My Router that connects to Cable modem i am unable to ping website 4.2.2.2I am able to ping all other websites fines.Same website i can ping from my pc and all other switches fine.Router has only 1 ACL thats for NAT.
View 25 Replies View RelatedI have Zone Based Firewall running on a 2821 router and would like to configure Url Filtering with Websence . IOS running on that device is c2800nm-adverterprisek9-mz.150-1.M7.bin . Once you have ZBF config you cant configure url-filtering using classic way ( ip inspect ) and this has to be done using class , policy maps .For this to to happen it is required to have match protocol http command under the class map , it wont work using the match access-group command.[code]
Once I put match protocol http command browsing becomes dead slow , also without using match protocol command I cant continue to configure Url Filtering . Is this a problem related to IOS where match protocol command isnt working fine . I have checked CPU utlization of Router and it was roughly near 7 percent .
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
View 15 Replies View RelatedI have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver. (DMZ discussion aside)
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
Internally clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (lets just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1. However it seems traffic goes out and back in our outside interface and this connection never occurs.
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website. Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ? Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?
I have a 5505 between a vendor router & my company network, vendor is not able to access devices on internal network. I am also not able to access the firewall via asdm
View 10 Replies View RelatedI have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
View 1 Replies View RelatedMy router just dropped the internet. I checked with ISP and confirmed that their modem is fine - I can connect direct into that - but the DIR-655 won't connect externally. I've tried wireless and wired and can connect fine to the router, but it is like the firewall has reset itself or something. at the moment I'm surviving because of a 30m long ethernet cable to the modem going out the window and round the house!
View 5 Replies View Relatedi just installed a pix515e ( ios ver 6.2) in my network. and the vpn users can connect to it from the internet successfully but they aren't able to connect to any of the internal resources. some other informaion: i configured nating between the internal network (10.0.0.0/24) and the internet and another static nat policy between an internal resource through another public ip address on outside interface. but right now i need to let the vpn clients to connect to my internal resources.
View 5 Replies View RelatedI am using a 6500 with FWSM. I need to separate an internal server/HQ network from 3 or 4 different external connections. The external networks do not necessarily need to be isolated from each other.I have the option of using a 3 layer model: L2 Access layer to SVIs on the Distribution layer and then L3 to the 6500.L2 Access, connecting directly to the 6500s, with the SVIs on the FWSM.Is it better to have the FWSM outside the MSFC or Inside? Am i correct in thinking that "inside" vs "outside" is determined by whether the SVI's are configured on the FWSM or the MSFC? is there any performance impact from having the FWSM doing the routing instead of the MSFC.If the vlans are all configured on the FWSM, what is the 6500 doing, other than providing switch ports?
View 1 Replies View RelatedI have created a VPN connection for ASA 5512-X by using the wizards and nothing seems to be wrong on the wizards's config.I am able to connect to the network by using the VPN but unable to ping internal network.Below is my config for your reference:
Result of the command: "sh run"
: Saved
:
ASA Version 8.6(1)2
!
hostname FAA-ASA-1
enable password crzcsirI44h2BHoz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code].....
ok i have setup a subnet on my uncles network on which i am running a domain with server 2008. i am using a dlink di 624 router and wanted to know if i upgraded to a 300mbps router would this increase the bandwidth within my network?i know i am limited to what i am receiving from my uncle who is also limited to what he is receiving from the ISP. im not worried about internet speed. i want to increase client to server speed for both lan and wireless.
View 1 Replies View RelatedI have configure Cisco 5505 as layer 2 firewall mode. I have vendor machine connected to Cisco ASA 5505 on port 2 as VLAN2 inside then VLAN1 outside connected to my internal network on layer 2 cisco 2960 switch. This machine needs access only to LOGMEIN then block all internal/internet traffic.
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET