Cisco Firewall :: 5510 - Can’t Access External IP From Within LAN
Oct 20, 2010
Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces. The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.
View 8 Replies
ADVERTISEMENT
Apr 5, 2011
i'' ve one appliance ASA 5510, v8.X and asdm 6X here u have my configuration :
interface Ethernet0/0 description Link To WAN nameif outside security-level 0 ip address 212.96.23.186 255.255.255.252!interface Ethernet0/1 description Link to LAN(forefront) nameif inside security-level 100 ip address 10.20.80.1 255.255.255.252!interface Ethernet0/2 description Link to CoreSW (DMZ) nameif DMZ security-level 50 ip address 10.70.70.254 255.255.255.0
i have on server ssh (10.70.70.10) on my DMZ .
I wan to enable my external user, i mean outside user to be able to access to this server which is in my DMZ for this port ( ssh)
View 4 Replies
View Related
Feb 20, 2012
I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com , I want my users INSIDE the company be able to also get to url..., currently they cannot (nothing loads, looks to me as if firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to internal IP, but something is blocking this from the inside.
I have an ASA 5510. If you can just sent me on the right path with theory I'll figure it out on my own, I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.
View 10 Replies
View Related
Aug 7, 2012
I have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. does the CSC module provide any web proxy functionality?
View 3 Replies
View Related
May 2, 2012
I keep struggling with Cisco ASA. How I can make a certain NAT (RDP, SSL or whatever) and securing it by allowing just one external client with fixed internet IP to make use of this NAT?
View 3 Replies
View Related
Nov 26, 2012
My company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate over all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router which I plan on doing a route-map to handle which traffic the ISP should go to based on IP. My big concern is for the ASA 5510. Can I setup a second outside interface on the new IP range? Then migrate my VPN tunnels over one-by-one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated with. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.
View 3 Replies
View Related
Oct 21, 2012
I have two ASA 5510 in an active-standby cluster, not that I think that the fact that they are clustered will be of any importance here so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASA's. I have two subnets with public addresses, for simplicity lets call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASA's? Im currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use adresses from the second subnet wont that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything, Im just trying to plan ahead and I cant seem to wrap my head around how this could possibly be done.
View 5 Replies
View Related
May 6, 2013
I've set up a remote access group for Anyconnect on a 5510 running 8.4.5. Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like google or something). How do I get this to work, I'm assuming I need to do a NAT exemption but I'm not sure how this would look, especially under 8.4.5.
View 1 Replies
View Related
Oct 13, 2011
How do i tell my firewall to start listen also on another outside ipadress assigned by my ISP? I have it used on other firewall right now. So my steps would be shutting down ip address assignment off old firewall interface. Assign that ip address to ASA5510 outside interface and configure NAT.
View 13 Replies
View Related
Sep 25, 2012
I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up dns doctoring for dns lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external Ip of another internal server. where to look in the ASDM 6.4?
View 2 Replies
View Related
May 13, 2010
I have the following setup:
R--H1
|
F
|
H2
R: 3840
F: ASA 5510
H: Hosts 1 and 2
I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from router. I can get info from H1 and neither interface on router is preventing SNMP traffic from coming or going.Is there something that needs to be configured to allow SNMP traffic (orginating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).
View 4 Replies
View Related
Aug 20, 2012
I recently bought a new Dell XPS Ultrabook 13 with i7 processor. It worked fine for about three weeks, then all of a sudden it refuses to connect to the internet. I am still connected to my wifi network, but the network and sharing centre shows the connection as dropped between the hub and the internet. Troubleshooter offers no answers. I know other Windows7 users have experienced this and so I have ALREADY done the following:
Tried accessing the internet in safe mode with networking. This works, so it is not a hardware issue. I can definitely access this web in this way.Rebooting my wireless router etc. I know this is not the issue though, as other devices such as my iPhone can still access the web through it (and the XPS, in safe mode)
Possible spy/mal ware. I think this is unlikely. A) the laptop is new b) I am extremely careful on what I download c) I have run repeated full system scans with both my preloaded AV software (McAfee) andMalwarebytes anti-malware. Neither has unearthed anything at all. Not a single item, and they both are checking against the latest databases.
I ran msconfig and deselected all startup programs and services except MS ones. I also downloaded and did similar through ccleaner. No joy.I checked devices through device manager. All devices seem to be working normally. No conflicts. I disabled and enabled the network wifi miniport adaptors. Again, nothing.The most frustrating thing is that I haven’t actually made any system or setting changes recently, so I don’t understand how this could suddenly have just happened. My only suggestion is that I downloaded the usual round of MS updates the other day.
View 1 Replies
View Related
Feb 20, 2012
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies
View Related
May 2, 2011
I’m configuring a L2TP IPSEC VPN on a 5505 asa so that windows 7 clients can natively connect. It connects correctly during Phase 1 and 2, but I can’t ping anything or access resources on the internal network. This is my first time working with an ASA.
Master# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname Master
domain-name service.local
[code]....
View 2 Replies
View Related
Dec 26, 2012
I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via ftp. Could my router be blocking it. I have a Cisco 2801 router acting as a firewall.
View 13 Replies
View Related
Dec 31, 2012
I am aware that we can allow external admins to telnet over a custom port to the internal router. Even i was allowed to connect to a remote router via the remote firewall. The way i was accessing the router is by telnet to the remote ASA address on port 8023.I am not sure how exactly we can configure this on a ASA.
View 2 Replies
View Related
Dec 8, 2012
I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.
View 1 Replies
View Related
Mar 22, 2012
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 10.2.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 152.18.75.132 255.255.255.240!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a-152.18.75.133host 152.18.75.133object network a-10.2.1.2host 10.2.1.2object-group network ext-serversnetwork-object host 142.21.53.249network-object host 142.21.53.251network-object host 142.21.53.195object-group network ecomm_serversnetwork-object
[code]....
View 10 Replies
View Related
Nov 28, 2011
I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
View 2 Replies
View Related
Sep 10, 2012
I'm configuring a 5505 for a remote office. Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?
View 5 Replies
View Related
Feb 26, 2013
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
View 9 Replies
View Related
Nov 4, 2012
This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
View 9 Replies
View Related
Jun 26, 2012
I have a new ASA 5510 firewall, the objective is to set up a DMZ zone. my problem is I can't access to the web server in the DMZ from outside
DMZ ==========> outside OK
INSIDE ==========> DMZ OK
DMZ ============> Inside OK
OUTSIDE ==========> DMZ NOK "FAIL"
I put in attachment the running-config file.
View 6 Replies
View Related
Dec 23, 2012
i have an ASA 5510 My ISP provides for me 2 separate public networks. One is routable from outside of the world and one is not (and is used as a gateway for the THAT routable network)
Assume that non routable network is a.a.a.a and routable is b.b.b.b so we have 2 interfaces on asa - a.a.a.1 and b.b.b.1 Physically this network b.b.b.b is behind network a.a.a.a one cable comes to me and plugged to ASA As i said all traffic from/to external(routable) network is going through network a.a.a.a (and a default gateway at ISP) So the problem:For my international partners i need to provide VPN.So the traffic flow is the following:for exaple a client with public ip 1.1.1.1 using cisco VPN client trying to connect to b.b.b.1 The packet arrives to interface a.a.a.1 and............. Being discarded.7Dec 24 201211:09:477100051.1.1.162548b.b.b.110000TCP request discarded from 1.1.1.1/62548 to internet:b.b.b.1/10000 I assume that the ASA discards the packet BECAUSE IT COMES FROM a WRONG interface.Am i right?Also i tried to setup a bypas policy, but no effect?
View 2 Replies
View Related
Oct 5, 2012
Recently powered down device (transformer overhaul) and when it booted back up, unable to access with ASDM, SSH...can access directly using HyperTerm, but have only limited commands...will not accept known user/password credentials. When I issue 'show flash' I can see that there are upgrade_startup_errors.log files, but cannot access them.
View 5 Replies
View Related
Feb 28, 2013
Is there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.
View 1 Replies
View Related
Nov 14, 2011
I can't seem to get internet access working from the DMZ network through our ASA 5510. PCs on the DMZ can ping the ASA but can't get out to the internet.I will attach a (cleaned) configure.
View 3 Replies
View Related
Oct 5, 2012
I need the ssh access on my ASA outside interface and have added
ssh ipremoved 255.255.255.255 outside access-list acl_outside extended permit tcp host ipremoved any eq 22 but this is the log i get from ASA
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
Cisco Adaptive Security Appliance Software Version 8.2(5) Device Manager Version 6.4(5)
View 7 Replies
View Related
Oct 29, 2012
I can get access to the internet from the ASA 5510 itself and that is confirmed via pings. However, anything behind the ASA does not have internet access, on any VLAN/sub-interface. I've attached my running-config.
View 2 Replies
View Related
Mar 3, 2013
I have DMZ n/w 192.166.0.0/24 on which i have nated on public ip
-private ip : 192.16.0.201 (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2
View 13 Replies
View Related
Feb 27, 2012
the set-up is: a DSL modem in half bridge (it does all the PPPoE connection) passes our static IP (55.167.x.x) to the ASA's outside interface ... (the modem has an IP of 192.168.1.1, but not sure this matters)
then I have one inside interface on 192.168.43.1, which connects to a server and we have a working site-to-site VPN between this server and a client.. so I know most of it's set up right ... nothing else is on the 192.168.43.0/24 network.
the management interface is on 200.200.1.0/24 so it's out of the way and incidentally connected to a dedicated PC, which also has console access via the blue serial cable.
the last interface Main_Network is on the 192.168.0.0/24 network and it's this that I'm trying to get to work... at the moment I just have one Windows PC connected directly (does it need to go through a switch?) into the ASA for testing with a static IP (192.168.0.72), but I can't ping anything outside from the PC... only the ASA's interface (at 192.168.0.30).. I have the gateway on the PC set as 192.168.0.30 by the way.
The ASA can ping all the inside machines and anything I like outside.
Here's my config ... the static routes are there for when this replaces the current modem/router and the whole network plugs into the ASA.
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
[Code]......
View 4 Replies
View Related
Dec 1, 2011
I lost the ability for my Web server (or any servers in the DMZ) to access the Internet. However, the Web server is still being used fine from the Internet. Here is my config
ASA Version 8.4(2)
!
hostname xxxx
domain-name xxxxx
enable password xxxx encrypted
passwd xxxx encrypted
names
[code].....
View 3 Replies
View Related
Mar 23, 2013
I bought ASA 5510 about a week ago, very basic configuration and my priority was and still to get access list inbound the outside “Security Level 0 “so I can access my web server from the cloud but unfortunately I could not make it work (((TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80))). ••à>> 92.40.X.X is a pc from the cloud that I used to access my web server and the 81.108.X.X is my public ip address My recent Conf is as follow:
Nat Section:
==================================================================================
Dynamic:
nat (inside,outside) source dynamic any interface <<<To have the PCs that inside the Network to have access to Internet>>>>
[Code].....
View 4 Replies
View Related