Cisco Firewall :: 2821 Way To Allow Return Traffic From Internet For NAT Host

Jan 5, 2012

On a 2821 Router with 15.1(3)T1
 
I have an IPSec VPN and NAT configured.  Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internat NAT host?  Note: As a test, removing the deny entry on the WAN ACL allows return traffic.

ADVERTISEMENT

Cisco Firewall :: ASA5505 Return Traffic Is Blocked By System

Jul 23, 2012

I've just bought a ASA 5505 to project my LAN. I've already use Cisco router in the past but it's the first time with ASA line.Everythings work except one major point, the return traffic is blocked by the system… I don't really understand how the zone based firewall is supposed to work but it seems OK by default, my LAN side is allowed to talk with the Internet but Internet is not allowed to directly call my LAN. The NAT is setup to use the IP of my outside interface.When I try to ping a public server, the ASA debug log show me that the communication can go out the network, with the good translation, then go back to the ASA from the public server and here, the ASA block it because the communication is not allowed.I've only found two workaround:

-allow inside trafic with static rules, and I say NO ;

-disable the zone based feature by settings all zone to the 0 level…
 
How I'm supposed to make my state-full firewall work with zone based feature?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Static To Indirect Subnet / Return Traffic Without Default Route NAT?

Aug 12, 2012

I am having touble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utiluizes a physical interface on the ASA5510, but I need the interface for another project.
 
 What I have is this:  
 
Internet<----->ASA<-->router<-->4507(layer3)
|                           |
|                           |-Vlan1

[Code]......

View 1 Replies View Related

Cisco WAN :: Return Path For NAT'd Traffic - 857 And 877

Nov 14, 2011

I have a problem with the return path of NAT'd traffic on a Cisco 877W router. Here's the network setup:
 
gatekeeper1 (192.168.0.1) is a Cisco 857gatekeeper2 (192.168.0.253) is a Cisco 857gatekeeper3 (192.168.0.251) is a Cisco 877W 
The default route is 192.168.0.1 on all devices, however there are some static route defined so that traffic to certain IP addresses bounce off to 192.168.0.253 and use that Internet connection instead. This new connection is designed so that traffic aimed for a certain internal IP address (192.168.0.190) comes via this third internet connection in order to take the load off of the main line. NAT is all configured and appears to be working when .251 is the default route but as soon as I set it back to .1, the traffic appears to come in but doesn't go out again.

View 1 Replies View Related

Cisco VPN :: ASA 5505 - No Return Traffic Is Being Encrypted

May 26, 2012

I've configured an ASA5505 to be  Lan to Lan VPN tunnel endpoint, peering with a linux box.  The ASA is full licensed so that side isn't an issue.PROBLEM:When the tunnel is initialised from the linux box everything comes up okay except the ASA isn't encapsulation any packets.  It is decrypted the packets received from the Linux box okay but no return traffic is being encrypted.When the tunnel is initialised from the ASA, nothing happens.After some troubleshooting I've found that the ACL defining interesting traffic nor the ACL defining NO_NAT aren't being hit at all.
 
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)

[code]....
 
I've checked with the administrator of the linux box and the definition for interesting traffic is exactly the same (except in reverse as should be the case).The firewall is doing other things like NATs and such like too but those NATs have nothing to do with this VPN.  The setup is a LAN to LAN connection with no natting in between.The main parts of the config are attached, i've deleted things that should have a bearing on this however if you think it necessary i can sanitise the config and re-post.  I think it will be working fine as long as the traffic hits those ACLs, however they're not and I'm unsure why.At this time i'm not seeing anything at all when doing an debug cry ipsec or debug cry isa.  The ACL's aren't being hit so i'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.

View 4 Replies View Related

Cisco Switching/Routing :: Catalyst 6500 - Cannot See Return Traffic On SPAN Session?

Jan 31, 2012

On a Catalyst 6500, we configured a SPAN session with VLAN 300 as a source. We configured the session bi-directional ("both" keyword). We connect a sniffer on the SPAN destination port.
 
Strangely enough, we only see the traffic from the VRF to the firewall, but not the reverse traffic ! What can be the problem ?

View 2 Replies View Related

Cisco Firewall :: ASA5505 8.4.2 NAT To Forward SMTP And RDP Traffic To Internal Host

Nov 26, 2011

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
 
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?

View 19 Replies View Related

Cisco WAN :: 2821 When Traffic Is Less Error Rate Is Low But With High Traffic It Is Increasing Drastically

Dec 11, 2010

We have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]

View 8 Replies View Related

Cisco VPN :: ASA Version 8.2(5) - Public-to-Public L2L / No Return Traffic?

Apr 2, 2013

One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.

Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
.ASA Version 8.2(5)
!
hostname ciscoasa

[code]....

View 4 Replies View Related

Cisco Firewall :: E4200 Trace Route Doesn't Return DNS Name

Jun 10, 2013

I changed from a Linksys E4200 to a 5505 and when I use trace route, it doesn't return a DNS name for each hop.   I can see the hops shown as asterisks.  Do I have to add something to inspect for this to work?                  

View 1 Replies View Related

Cisco Firewall :: Traffic Limit For Internet Traffic Usig ASA 8.2

Nov 27, 2012

I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation  
 
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is  applied to outside interface (called internet in my case)  for incoming traffic
  
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
  
service-policy Internet-policy-web interface Internet
 
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
 
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
 
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
 
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?

View 2 Replies View Related

Cisco Firewall :: 2821 Internet Edge Router From Internal Network

May 8, 2013

What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?We want to pull more information from the edge router like netflow.  We can use SNMPv3 and ACLs to keep the router secure.
 
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.I am running an ASA and a 2821.

View 2 Replies View Related

Internet Browsers / All Return With Cannot Locate Remote Server?

May 3, 2011

Recently, I have had issues with several Internet browsers. All, return with cannot locate remote server issue. I've flushed the DNS through command, and have turned on/off the firewall, reset the network connections, reset the router, uninstalled mozilla, IE, chrome, and opera, and still haven't been able to get any resolutions. I have a bare minimum connection at the moment.

View 10 Replies View Related

Cisco VPN :: 2821 - Nat Web Traffic From Tunnel

Jan 23, 2012

i have 2 routers, 2821 and 2811. they are connected via GRE over IPsec, and all of the traffic from 2821 is being routed to 2811 with a default route to its tunnel interface. 2821 needs to access internet through 2811 valid ip address, my question is that how should i nat the traffic on 2811 so that 2821 can access the internet?

View 1 Replies View Related

Cisco WAN :: 2821 / Route FTP Down One T1 And All Other TCP Traffic Down Another T1

Apr 19, 2010

I have a 2821 router with two T1 WICs and have the need to route FTP down one T1 and all other TCP traffic down another T1. All traffic is going to the same remote IP address. The remote sites are in different states, and I assume that the remote subnet is being bridged between the states. It's kind of a weird set up, but it's not my design.
 
Anyway, can I use a route map to split off FTP traffic to host A and send it down one T1 and have the rest of the IP traffic to host A go down the other T1?  I also need to be able to have all traffic use one T1 in case the other T1 goes down.
 
My first thought was to static all IP down T1-1, then route map FTP traffic down T1-2, then have a floating static for all IP traffic down T1-2 with a higher metric. But something would have to track the T1 interfaces and I'm not sure if route maps or static routes can do that.  Any thoughts on this?

View 2 Replies View Related

Cisco Firewall :: 5550 ASA To Host On Sl100 For Internet Access

Apr 24, 2011

I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside.  I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
 
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
 
My DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well.  Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any.  This worked great for giving my DMZ hosts access to the internet, but it also permit traffic from the DMZ to hosts on my Inside interface as well.

View 2 Replies View Related

Cisco :: 2821 / EEM - Monitor Interface Traffic In / Out?

Nov 2, 2011

i want to monitor interface traffic in/out by eem and the if the values is overer than some value i will change the policy. for example my router is 2821 is have 2 fastEthernet port , i want to monitor the traffic on fasE1/0 if traffic over than 80Mbps i will change some configuration ( example: change next-hop on static route) for via traffic to interface fasE1/1 for reduce the traffic on interface fasE1/0?

View 6 Replies View Related

Cisco WAN :: Shape Output Traffic 2821

Mar 8, 2012

I have a Cisco 2821 with ios Version 12.4(21). On that router I have a WAN link that is 550mbit dual. The interface is 1000FD so i need to shape my output traffic to max 550mbit - otherwise my ISP policing is dropping the traffic.
 
I've looked at this document url... and i'm trying to use this interface command:traffic-shape rate
 
But the router wont accept rate value 550000000 that should be 550mbit in bits/s
 
Is it not possible to shape the traffic to 550mbit on the 2821 router?

View 10 Replies View Related

Cisco WAN :: Http Traffic Hanging Through 2821 Router

Mar 28, 2011

I'm using a Cisco 2821 router to provide temporary Internet access for a private network of about 300 users for a conference at a hotel.  The hotel has provided me a public IP address for the WAN side.  On the LAN side I have a 10.x.x.x /8 subnet with the router providing DHCP and NATing (overload) across the WAN interface.
 
Users can pick up an IP address and access the web.  Light web pages such as Google tend to load without issue, however if a user does something that takes more time, such as streaming a Youtube trailer or opening an RDP session, the connection will freeze.
 
It doesn't appear to be related to bandwidth availability.  Pings return on average 10-15 ms.  However, I will get a request time out about every 10th continual ping.  Steaming video will load about 4-6 seconds worth of data, then will appear to freeze without dropping.  Doing something like speedtest.net will send a large amount of data then will hang, without ever ending the conversation.
 
This doesn't happen when I plug a laptop directly into the hotel public Internet line.  They also don't have issues with their network similar to this.
 
I do not have any ACLs, etc. loaded.  The router is basically wide open as far as I can tell.  I don't see the router resources getting used much at all.

View 1 Replies View Related

Cisco WAN :: 2821 - Split Outbound Data Traffic

Feb 29, 2012

I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1.  I am having an issue where the users on the network are not able to use the internet when using the following config:
 
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50

[Code].....

View 11 Replies View Related

Cisco WAN :: 2821 - Lost Traffic When Multilink Drops T1

Feb 14, 2012

MPLS customer with 4 T1s in a multilink. If one of the T1s drops there is a brief delay in traffic picking back up and I actually lose packets from premise back to CO. You can see this loss both with pinging across the circuit and with techs on either end running JPerf. It can take as long as 6 seconds for the reconvergence to actually happen on the multilink and traffic picks back up. In my experience this is normal behavior for Mulitlinks

I'd also like to note that it is indeed much quicker reconvergence when you physically pull the T1, any of the T1s, rather than administratively shutting down one of them and I understand that the hardware is quicker than software and that's a good thing, obviously. I've tried this with and without ppp mulitlink fragment disabled on either end and every other combo between the two. Each of the 4 serial interfaces are on line timing and I tried free-running just on the off chance that it could imrpove the loss, but it gets worse.....back to line timing. I've even tried this on other CPE platforms like two different versions of Adtran CPEs and I get the same thing. Currently I have a new 2821 CPE in place and still get the same thing. Still see a brief amount of traffic loss up to 6-7 seconds or so at times.
 
7600 side:
 
interface Multilink592
ip vrf forwarding ******************
ip address *************************
load-interval 30
no peer neighbor-route
ppp multilink
ppp multilink group 592
ppp multilink fragment disable
no cdp enable
service-policy output VPN-TEMPLATE-2(code)

View 6 Replies View Related

Cisco Firewall :: SSM-4GE Firewall Has 5 DMZ Segments And Specific Segment For Internet Traffic

May 23, 2013

I was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)Usually firewall CPU flows between 30% to 40%. Rarely to 50%.
 
1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc
 
2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?
 
3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?I there any recommendation regarding configuration, best practices?

View 6 Replies View Related

Cisco WAN :: Layer 2 Traffic From Host To Router - 887va

May 6, 2013

i have set up a layer 2 tunnel on my 887va router and the traffic transmits accross this to my second 887va. unfortunately, I do not seem able to get the layer 2 traffic from my host PC and down the tunnel.
 
I believe the problem to be the router settings for the fastethernet aqnd forwarding this data out of the dialer port.
 
Here is my config:
 
Building configuration... 
 
Current configuration : 3973 bytes
!
! Last configuration change at 13:03:15 UTC Thu May 2 2013

[Code].....

View 6 Replies View Related

Proxy Server / Host File - Redirect Traffic

Feb 16, 2012

So I have a proxy server in my home that all the computers use to access the internet (XP Pro). I edited the host file on the proxy to redirect traffic for various reasons (ad blocking, etc.) But I have noticed that it doesn't seem to affect the computers that use the proxy. For example one entry in the host file could be 127.0.0.1 abc123.com so that abc123.com would loopback to the localhost. For some reason this isn't working. Is there anyway to get this to work without changing the host file on each individual computer?

View 3 Replies View Related

Cisco VPN :: ASA5505 Tunnel Some Traffic (public Host) From Remote Site

Feb 6, 2012

On remote site I have Cisco ASA5505, on cental site I have Cisco 2811 router, working site-to-site VPN tunnel. [code]

View 1 Replies View Related

Cisco WAN :: C3750 - Mirror Switch Port Traffic To Remote Host IP Address?

May 31, 2013

Is there any way to Mirror a CISCO C3750 Switch Port Taffic to a remote Host IP Address?I know Port Mirror (SPAN/RSPAN) can copy one Interface Packet to another Interface. But I am looking for a way to miror Switch Port Packets to a remote Host (having Public IP Address and running Wirehark). Is it possible?

View 9 Replies View Related

Cisco Firewall :: 5505 Allow SSH Traffic From Internet To DMZ

May 24, 2011

I'm trying to allow SSH traffic from the Internet to my DMZ. I gave my remote guy my ip and he can see the ASA 5505 but not get into the DMZ. The outside is 70.165.19.137. The DMZ server is 192.168.60.2. I have the inside talking to the DMZ fine. [code]

View 9 Replies View Related

Cisco Switching/Routing :: 2821 Periodically Stops Routing All Traffic

Oct 3, 2010

We've got a cisco 2821 router which periodically stops routing all traffic. It seems to happen about once every 2 weeks, and I can't find anything that could be causing it. There are no entries in the log and the router stays up and running but requires a restart to begin processing traffic again. We're running 12.4(13r)T11.Any thoughts, or troubleshooting steps to track this down?

View 7 Replies View Related

Cisco :: Block Internet Traffic On The PC Using ASA5501 Firewall?

Jul 7, 2011

Is it possible to block internet traffic on the PC using ASA5501 firewall which is used in transperent mode.The DHCP pc is working fine we just need to pass through ASA to block the internet on the pc however intranet should be available.

View 3 Replies View Related

Cisco Firewall :: ASA5510 Not Routing Traffic To Internet

Sep 2, 2012

I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).

View 2 Replies View Related

Cisco Firewall :: Cannot Get 5510 ASA To Reach Internet Traffic

Nov 30, 2012

I have been at this for the past few hours now. I just cannot get this device to pass through traffic to the internet. Here is the basic topology:
 
 Default Gateway (ISP): 208.118.125.129/29
IP of outside int (e0/0): 208.118.125.130/29
ip of inside int (e0/1): 10.1.1.1/24 
 
igniteCSGfw(config)# sho run
: Saved
:
ASA Version 8.0(4)

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 / QOS For VOIP Traffic To And From Internet

Apr 20, 2011

We are using an ASA 5510 as our gateway to our ISP.  All of our VOIP traffic is sent to an Internet SIP provider for our outbound calls.  Our pipe to the Internet is 100Mbps metro ethernet.  I am trying to find a way to provide QoS for this traffic so that I can reserve 20Mbps of the available 100Mbps pipe for VOIP traffic.From what I've been able to figure out so far I would use a combination of priority queues and traffic policing.  However, it seems that this is nearly impossible to accomplish because I cannot control the remote device that my ASA connects to because it is the ISP device.  I could police traffic on the inside interface of the ASA.  However, lets say that a client on our network starts downloading from an Internet host and the downloaded traffic saturates my Internet connection.  I could police this incoming (from the Internet) traffic on my outside interface of the firewall.  This would drop the packets but the bandwidth would have already been used by the time it reaches my firewall.Would the fact that I'm policing incoming traffic on my outside interface cause the sender to throttle down their transmit rate because packets are being dropped?  Would this achieve my goal of guaranteeing available bandwidth for my VOIP traffic by not allowing other traffic to saturate the link?Most documents I find regarding this topic describe providing QoS for VOIP traffic traversing a VPN connection in which case you could configure both end devices.

View 1 Replies View Related

Cisco Firewall :: 5510 - CSC SSM Slows Down Internet Traffic

May 17, 2011

We have Cisco ASA 5510 256RAM running 8.2.4 with CSC 6.3.1172.4, it slows down internet traffics drastically when we do speed test, we get something like this, It the computer is bypassing the CSC, it gets This was done when there's very low traffic on the LAN and CPU is low usage on the CSC. The CSC has been re-imaged also but still doesn't solve the problem.

View 6 Replies View Related

Cisco Firewall :: 5520 Can't Get Traffic From Inside To Internet

Nov 27, 2011

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]

View 10 Replies View Related

Cisco Firewall :: ASA 5510 - 2 Internet Interfaces Without Traffic

Jan 15, 2013

I need to route to sub nets form 2 different ASA interfaces. The ASA also has an outside interface works like gateway for internet access. Here is my configuration:

ASA Version 8.2(1)
host name ICE3
names
interface Ethernet0/0
name if outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
[Code]....

View 9 Replies View Related

Cisco Firewall :: 5510 Split Traffic Between VPN And Internet Using Different ISPs

Aug 25, 2011

What we are trying to accomplish here use two ISP's (one cable and one T1), use the Cable line for site-to-site VPN and use T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco AS 5510 port 0 -> port 1 to LAN switch (Nortel 5510)We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc) through a cable connection, perhaps on port 2 of the ASA, then all non VPN traffic goes to the T1.

View 1 Replies View Related

Cisco Firewall :: 5510 Load Balance For Internet VPN Traffic

Jun 28, 2011

We are now using a ASA 5510 firewall and we would like to configure a internet load balance traffic in our environment.For example, some IP addresses go through local gateway for internet routing but some address go through VPN tunnel gateway.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Dual Internet Connections / Routing DMZ Traffic

May 29, 2012

I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside".  I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection.  Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected.  Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed.  Our end users begin using the new connection for thier internet browsing.
 
However, our FTP server, in the DMZ, completley loses outside access.  It cannot ping to 8.8.8.8, or resolve DNS queries.  The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses.  I need it to continue to do so for the next few weeks.Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being.  The only problem I am having is the DMZ connection.  I am currently "rolled back", so no one is using the new connection until I figure this out.  I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5505 / Block Internal LAN And Internet Traffic Except LogMeIn Site?

Sep 12, 2011

I have configure Cisco 5505 as layer 2 firewall mode. I have vendor machine connected  to Cisco ASA 5505 on port 2 as VLAN2 inside then VLAN1 outside connected to my internal network on layer 2 cisco 2960 switch. This machine needs access only to LOGMEIN then block all internal/internet traffic. 
 
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside  >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET

View 1 Replies View Related

Cisco Firewall :: ASA5550 - Implement Traffic Shaping / Policing Primarily For P2P Traffic?

Mar 10, 2011

We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.

View 1 Replies View Related

Cisco Firewall :: 2821 - High Latency With IOS Url Filtering Enabled

Aug 20, 2011

Im notice after configure the trend micro url filtering on a Cisco 2821 high latency on Http navigation, the latency on the ping for the requests shows a 245ms latency, but if i disable this feature on the router, returns to normal navigation and decrease the latency up to 70ms.

View 5 Replies View Related

Cisco Firewall :: 2821 Router - Can't Configure URL Filtering Using Classic Way

Aug 16, 2012

I have Zone Based Firewall running on a 2821 router and would like to configure Url Filtering with Websence . IOS running on that device is c2800nm-adverterprisek9-mz.150-1.M7.bin . Once you have ZBF config you cant configure url-filtering using classic way ( ip inspect ) and this has to be done using class , policy maps .For this to to happen it is required to have match protocol http command under the class map , it wont work using the match access-group command.[code]
 
Once I put match protocol http command browsing becomes dead slow , also without using match protocol command I cant continue to configure Url Filtering . Is this a problem related to IOS where match protocol command isnt working fine . I have checked CPU utlization of Router and it was roughly near 7 percent .

View 2 Replies View Related

Cisco Firewall :: 2821 - ZBF - Inspection Slows Down HTTP Downloads

Mar 8, 2011

I Have a 2821 Router with a IOS Version 12.4(13r)T. When i enabled the firewall, my download speed slows down to 10-20kbps (the normal is 5-6 Mbps).

View 11 Replies View Related

ADVERTISEMENT