Cisco Firewall :: 5510 - Can’t Access External IP From Within LAN

Oct 20, 2010

Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces. The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.

View 8 Replies


Cisco Firewall :: ASA 5510 - Enable External Access To Server On DMZ

Apr 5, 2011

i'' ve one appliance ASA 5510, v8.X and asdm 6X here u have my configuration :
interface Ethernet0/0 description Link To WAN nameif outside security-level 0 ip address!interface Ethernet0/1 description Link to LAN(forefront) nameif inside security-level 100 ip address!interface Ethernet0/2 description Link to CoreSW (DMZ) nameif DMZ security-level 50 ip address
i have on server ssh ( on my DMZ .
I wan to enable my external user, i mean outside user to be able to access to this server which is in my DMZ for this port ( ssh)

View 4 Replies View Related

Cisco Firewall :: 5510 - How To Allow Access From LAN To Server Using External FQDN

Feb 20, 2012

I may have phrased the topic not too clearly, but I have an external domain name of , I want my users INSIDE the company be able to also get to url..., currently they cannot (nothing loads, looks to me as if firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to internal IP, but something is blocking this from the inside.
I have an ASA 5510. If you can just sent me on the right path with theory I'll figure it out on my own, I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.

View 10 Replies View Related

Cisco Firewall :: 5510 Security Plus To Terminate Client VPN Access For External Support Team

Aug 7, 2012

I have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. does the CSC module provide any web proxy functionality?

View 3 Replies View Related

Cisco Firewall :: Allow One External IP To Use NAT On ASA 5510 Sec Plus

May 2, 2012

I keep struggling with Cisco ASA. How I can make a certain NAT (RDP, SSL or whatever) and securing it by allowing just one external client with fixed internet IP to make use of this NAT?

View 3 Replies View Related

Cisco Firewall :: ISP Migration With ASA 5510 And External Router?

Nov 26, 2012

My company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block.  So I need a scheme to migrate over all of my existing VPN tunnels and other items over to new IP addresses.  We do have an external router which I plan on doing a route-map to handle which traffic the ISP should go to based on IP.  My big concern is for the ASA 5510.  Can I setup a second outside interface on the new IP range?  Then migrate my VPN tunnels over one-by-one?  A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated with.  If it's not possible, we have in our budget to get another 5510 next year as a redundant unit.  I may be able to get that early and just migrate from one firewall to another.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Two External Subnets On The Same Interface

Oct 21, 2012

I have two ASA 5510 in an active-standby cluster, not that I think that the fact that they are clustered will be of any importance here so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASA's. I have two subnets with public addresses, for simplicity lets call them and Default routers are and respectively.
Can I somehow use both these subnets in the ASA's? Im currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use adresses from the second subnet wont that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything, Im just trying to plan ahead and I cant seem to wrap my head around how this could possibly be done.

View 5 Replies View Related

Cisco VPN :: 5510 - Remote Access With / Without Split Tunneling Using External DNS

May 6, 2013

I've set up a remote access group for Anyconnect on a 5510 running 8.4.5.  Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like google or something).   How do I get this to work, I'm assuming I need to do a NAT exemption but I'm not sure how this would look, especially under 8.4.5.

View 1 Replies View Related

Cisco Firewall :: Assign Several IP Addresses To External Interface ASA 5510?

Oct 13, 2011

How do i tell my firewall to start listen also on another outside ipadress assigned by my ISP? I have it used on other firewall right now. So my steps would be shutting down ip address assignment off old firewall interface. Assign that ip address to ASA5510 outside interface and configure NAT.

View 13 Replies View Related

Cisco Firewall :: ASA 5510 - Connecting To External IP Of Internal Server

Sep 25, 2012

I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network.  I have already set up dns doctoring for dns lookups, and everything is working fine there.  We have an application inside the network that tries to connect straight to the external Ip of another internal server.  where to look in the ASDM 6.4?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Preventing External SNMP Response

May 13, 2010

I have the following setup:
R: 3840
F: ASA 5510
H: Hosts 1 and 2
I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from router. I can get info from H1 and neither interface on router is preventing SNMP traffic from coming or going.Is there something that needs to be configured to allow SNMP traffic (orginating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).

View 4 Replies View Related

Dell :: XPS Ultrabook 13 - Can’t Access Internet In Normal Mode

Aug 20, 2012

I recently bought a new Dell XPS Ultrabook 13 with i7 processor. It worked fine for about three weeks, then all of a sudden it refuses to connect to the internet. I am still connected to my wifi network, but the network and sharing centre shows the connection as dropped between the hub and the internet. Troubleshooter offers no answers. I know other Windows7 users have experienced this and so I have ALREADY done the following:

Tried accessing the internet in safe mode with networking. This works, so it is not a hardware issue. I can definitely access this web in this way.Rebooting my wireless router etc. I know this is not the issue though, as other devices such as my iPhone can still access the web through it (and the XPS, in safe mode)

Possible spy/mal ware. I think this is unlikely. A) the laptop is new b) I am extremely careful on what I download c) I have run repeated full system scans with both my preloaded AV software (McAfee) andMalwarebytes anti-malware. Neither has unearthed anything at all. Not a single item, and they both are checking against the latest databases.

I ran msconfig and deselected all startup programs and services except MS ones. I also downloaded and did similar through ccleaner. No joy.I checked devices through device manager. All devices seem to be working normally. No conflicts. I disabled and enabled the network wifi miniport adaptors. Again, nothing.The most frustrating thing is that I haven’t actually made any system or setting changes recently, so I don’t understand how this could suddenly have just happened. My only suggestion is that I downloaded the usual round of MS updates the other day.

View 1 Replies View Related

Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.

View 1 Replies View Related

Cisco VPN :: Configuring L2TP IPSEC VPN On ASA 5505 / Can’t Ping Or Access Resources

May 2, 2011

I’m configuring a L2TP IPSEC VPN on a 5505 asa so that windows 7 clients can natively connect. It connects correctly during Phase 1 and 2, but I can’t ping anything or access resources on the internal network. This is my first time working with an ASA.

Master# sh run
: Saved
ASA Version 8.2(2)
hostname Master
domain-name service.local


View 2 Replies View Related

Cisco Firewall :: 2801 Cannot Access External Websites That Use FTP

Dec 26, 2012

I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via ftp. Could my router be blocking it. I have a Cisco 2801 router acting as a firewall.

View 13 Replies View Related

Cisco Firewall :: 8023 / External Access To Internal Router Via ASA

Dec 31, 2012

I am aware that we can allow external admins to telnet over a custom port to the internal router. Even i was allowed to connect to a remote router via the remote firewall. The way i was accessing the router is by telnet to the remote ASA address on port 8023.I am not sure how exactly we can configure this on a ASA.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Access Current Server Using External SNAT IP

Dec 8, 2012

I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Allow External Traffic To Access Internal Computers

Mar 22, 2012

We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address!interface Vlan2nameif outsidesecurity-level 0ip address!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a- network a- network ext-serversnetwork-object host host host network ecomm_serversnetwork-object


View 10 Replies View Related

Cisco Firewall :: 5505 - Users Unable To Access External Email Servers ASA?

Nov 28, 2011

I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using  ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA.  I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!

View 2 Replies View Related

Cisco Firewall :: 5505 - Construct An Access List For Outside Interface Using External Address?

Sep 10, 2012

I'm configuring a 5505 for a remote office.  Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall

Feb 26, 2013

I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show  running-config
: Saved


View 9 Replies View Related

Cisco Firewall :: How To Configure Firewall Access For ASA 5510

Nov 4, 2012

This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address, with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.

View 9 Replies View Related

Cisco Firewall :: ASA 5510 - Cannot Access To Dmz From Outside

Jun 26, 2012

I have a new ASA 5510 firewall, the objective is to set up a DMZ zone. my problem is I can't access to the web server in the DMZ from outside
DMZ ==========> outside OK 
INSIDE ==========> DMZ OK 
DMZ ============> Inside OK 
OUTSIDE ==========> DMZ  NOK "FAIL"
I put in attachment the running-config file.

View 6 Replies View Related

Cisco VPN :: ASA 5510 / VPN Behind Another External Interface

Dec 23, 2012

i have an ASA 5510 My ISP provides for me 2 separate public networks. One is routable from outside of the world and one is not (and is used as a gateway for the THAT routable network)

Assume that non routable network is a.a.a.a and routable is b.b.b.b so we have 2 interfaces on asa - a.a.a.1 and b.b.b.1 Physically this  network b.b.b.b is behind network a.a.a.a one cable comes to me and plugged to ASA As i said all traffic from/to external(routable) network is going through network a.a.a.a (and a default gateway at ISP) So the problem:For my international partners i need to provide  VPN.So the traffic flow is the following:for exaple a client with public ip using cisco VPN client trying to connect to b.b.b.1 The packet arrives to interface a.a.a.1 and............. Being  discarded.7Dec 24 201211:09:477100051.1.1.162548b.b.b.110000TCP request discarded from to internet:b.b.b.1/10000 I assume that the ASA discards the packet BECAUSE IT COMES FROM a WRONG interface.Am i right?Also i tried to setup a bypas policy, but no effect?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Cannot Access Asdm

Oct 5, 2012

Recently powered down device (transformer overhaul) and when it booted back up, unable to access with ASDM, SSH...can access directly using HyperTerm, but have only limited commands...will not accept known user/password credentials. When I issue 'show flash' I can see that there are upgrade_startup_errors.log files, but cannot access them.

View 5 Replies View Related

Cisco Firewall :: Access Of Asa 5510 In Standby

Feb 28, 2013

Is there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Get Internet Access From DMZ

Nov 14, 2011

I can't seem to get internet access working from the DMZ network through our ASA 5510. PCs on the DMZ can ping the ASA but can't get out to the internet.I will attach a (cleaned) configure.

View 3 Replies View Related

Cisco Firewall :: SSH Access On Outside Interface On ASA 5510?

Oct 5, 2012

I need the ssh access on my ASA outside interface and have added
ssh ipremoved outside access-list acl_outside extended permit tcp host ipremoved any eq 22 but this is the log i get from ASA
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
Cisco Adaptive Security Appliance Software Version 8.2(5) Device Manager Version 6.4(5)

View 7 Replies View Related

Cisco Firewall :: No Internet Access On ASA 5510?

Oct 29, 2012

I can get access to the internet from the ASA 5510 itself and that is confirmed via pings. However, anything behind the ASA does not have internet access, on any VLAN/sub-interface. I've attached my running-config.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Need To Allow Public IP (OWA) Access To DMZ

Mar 3, 2013

I have DMZ n/w on which i have nated on public ip
-private ip : (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2

View 13 Replies View Related

Cisco Firewall :: Getting Internet Access On ASA 5510

Feb 27, 2012

the set-up is: a DSL modem in half bridge (it does all the PPPoE connection) passes our static IP (55.167.x.x) to the ASA's outside interface ... (the modem has an IP of, but not sure this matters)
then I have one inside interface on, which connects to a server and we have a working site-to-site VPN between this server and a client.. so I know most of it's set up right ... nothing else is on the network.
the management interface is on so it's out of the way and incidentally connected to a dedicated PC, which also has console access via the blue serial cable.
the last interface Main_Network is on the network and it's this that I'm trying to get to work... at the moment I just have one Windows PC connected directly (does it need to go through a switch?) into the ASA for testing with a static IP (, but I can't ping anything outside from the PC... only the ASA's interface (at I have the gateway on the PC set as by the way.
The ASA can ping all the inside machines and anything I like outside.
Here's my config ... the static routes are there for when this replaces the current modem/router and the whole network plugs into the ASA.
ciscoasa(config)# show running-config
: Saved
ASA Version 8.2(5)
hostname ciscoasa


View 4 Replies View Related

Cisco Firewall :: ASA 5510 8.4 DMZ Cannot Access Internet

Dec 1, 2011

I lost the ability for my Web server (or any servers in the DMZ) to access the Internet. However, the Web server is still being used fine from the Internet. Here is my config
ASA Version 8.4(2)
hostname xxxx
domain-name xxxxx
enable password xxxx encrypted
passwd xxxx encrypted


View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Cannot Access Web Server

Mar 23, 2013

I bought ASA 5510 about a week ago, very basic configuration and my priority was and still to get access list inbound the outside “Security Level 0 “so I can access my web server from the cloud but unfortunately I could not make it work (((TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80))). ••à>> 92.40.X.X is a pc from the cloud that I used to access my web server and the 81.108.X.X is my public ip address My recent Conf is as follow:

Nat Section:
nat (inside,outside) source dynamic any interface <<<To have the PCs that inside the Network to have access to Internet>>>>


View 4 Replies View Related

Copyrights 2005-15, All rights reserved