Cisco Firewall :: 5510 Trace-route / Antispoofing On Not Default Route

Jun 24, 2011

I've enabled antispoof on all interfaces on ASA 5510. If you start a traceroute to a network on the default route, everything works, since replies come to an interface with route 0.0.0.0/0 defined. If you start a traceroute to a network that is NOT on the default route (let's assume corporate MPLS), you only get a response from the first carrier router; the others are discarded because of anti-spoof violation.
 
I have ICMP inspection and icmp-error inspection enabled.

View 1 Replies


Cisco Firewall :: Trace Route Between Two ASA 5505 And 5510

Oct 15, 2012

We have an ASA 5505 and a 5510 that we are using site to site. I need to traceroute from the 5505 to the 5510, from the outside interfaces. Don't want to do this through the site-to-site. I have temporarily added a few ACLs on the outside interfaces. When I traceroute it only goes one hop. Maybe that's the way it's supposed to be? I need to know all the hops between the outside interface on the 5505 and the outside interface on the 5510.

View 12 Replies View Related

Cisco Firewall :: ASA 5510 Static To Indirect Subnet / Return Traffic Without Default Route NAT?

Aug 12, 2012

I am having trouble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utilizes a physical interface on the ASA5510, but I need the interface for another project.
 
 What I have is this:  
 
Internet<----->ASA<-->router<-->4507(layer3)
|                           |
|                           |-Vlan1

[Code]......

View 1 Replies View Related

Cisco Firewall :: E4200 Trace Route Doesn't Return DNS Name

Jun 10, 2013

I changed from a Linksys E4200 to a 5505 and when I use trace route, it doesn't return a DNS name for each hop.   I can see the hops shown as asterisks.  Do I have to add something to inspect for this to work?                  

View 1 Replies View Related

Cisco Firewall :: Trace-route Through ASA 8.2 Is Not Working When ICMP Error Inspection

Jun 6, 2011

I have a problem with icmp traceroute configuration. When I enable icmp error inspection in global policy, my traceroute results through ASA 8.2.4 look like this: My traceroute  [v0.75]

icmp inspection and ttl decrement on ASA are enabled. Also I configured an ACL on the outside interface to permit ICMP completely.

View 14 Replies View Related

Cisco WAN :: ASA 5510 - NAT / Default Route To Two ISPs

Nov 14, 2011

I have a strange requirement; actually, I am not sure whether it is strange or not. I have an ASA5510 with 8.4 sw version. Currently one ISP is connected to it. It is working fine. We have some servers that are directly connected to the internet using another ISP connection. These servers have public IP addresses configured in their LAN settings. I need to move these servers into the DMZ zone.

When I connect them to the ASA's DMZ zone, the servers will get internet through the first ISP that is already configured on the ASA. But I need to NAT the DMZ servers with the IP address provided by the other ISP, which is not even configured on the ASA.

So what should I do? In short, my requirement is:

1) Need to NAT the server with the IP address provided by another ISP

2) Also note that the default route is configured for the first ISP only in the ASA

So do I need to configure another default route? Do I need to make it with a larger AD? So I do it will act as the secondary route only.

I need to make the ASA up and running for two ISPs; servers in the LAN should be able to NAT with the IPs of the first ISP, and the servers in the DMZ zone should be able to NAT with the public IP of the new ISP.

View 2 Replies View Related

Reverse Trace Route?

Dec 29, 2011

I want to know the return path between my IP and a server. I know that trace route gets some information about the hops from my IP to a server (for example www.google.com) but this info is about the forward path. But I want to know what is the path from the server to my PC, what is the reverse path (return path)? What are the middle hops? In other words, I want to know where is the forward and reverse path when I ping a server? I can find the forward path using trace route, but what about the return path?

View 7 Replies View Related

Cisco :: TCP Trace-route On A Certain Port?

May 7, 2012

I am trying to track down a device that's blocking a certain port. I know there are programs out there that will do a trace-route that's on TCP, but are there any programs that allow you to specify a port?

View 6 Replies View Related

Cisco Firewall :: ASA5510 / Default Route With Different AD Value?

Nov 14, 2011

Will ASA5510 support a default route failover mechanism by giving two different AD values in the route outside command?

View 1 Replies View Related

Protocols :: How To Identify Timed-out Route In A Trace

Jul 19, 2012

Have win7 system, cisco WIRED 1720 router, ~1.5mb frame relay via C&WPanama, nortons antivirus installed. IP config dump is at the bottom, but in this event, I don't think my problem is local. An important work-related chat quit working today, and I have narrowed down the issue to not being able to connect to the provider website from my current location. (I can connect via US proxy, but cannot run the java applet via the proxy; it seems it is still trying to go from here to there.)

The site I am trying to reach is host7.parachat.com, IP 64.13.158.24

I can load this page (just a landing page comment) as well as their main pages via us proxy, but time out trying to load directly. Fiddler returns a 502 error, socket connection failed.

Have tested on 3 machines (all on same router), then on a laptop which hadn't been booted or updated in over a year (also on same router). Trying to find a free wireless network to test with the laptop, but that hasn't been found yet.

[code]....

View 3 Replies View Related

Cisco Switching/Routing :: ASR 1001 - Trace Route / HSRP / VRF

Mar 24, 2013

When I make a trace route on an ASR 1001 router to 172.23.30.7 I get the following output:
 
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.99.192 0 msec
    192.168.99.191 1 msec
    192.168.99.192 0 msec
  2 172.23.30.243 1 msec 1 msec 1 msec
  3 172.23.30.7 1 msec 1 msec 1 msec
 
Is there a loop between 192.168.99.191 and .192 (these are two routers with hsrp .190) or is this normal behavior when using trace route on an asr 1001?

View 2 Replies View Related

Linksys Wireless Router :: E4200 Won't Update / Ping Or Trace Route

Jan 21, 2013

I have an E4200 and have added it to my network with a new static IP and DHCP and firewalls off. It runs off my cable modem and router (Virgin Media Superhub) that has DHCP. When I tell it to do a firmware update, traceroute or ping it fails, just won't do any of them.

View 9 Replies View Related

Cisco Firewall :: Cat6509 / FWSM - Default Route Per Bridge Group In Transparent Mode

Nov 14, 2011

I want to set up FWSM 4.1 on Cat6509 with multiple bridge groups in one transparent context (as the manual says it can support up to 8 bridge-groups and the intent is to save security contexts). For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to go out to the MSFC, which routes the traffic back through the FWSM. My question is how can I define a default route per bridge-group? I would assume FWSM should take the following two default routes per bridge-group interface, but it won't:

route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
 
Seems like it allows only one default route per context and gives me an error - "ERROR: Cannot add route entry, possible conflict with existing route"
 
How can I achieve outside per individual bridge-group?
 
 FWSM  context config:
 
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside

[code]...

View 2 Replies View Related

Cisco Firewall :: Route To Same Interface On ASA 5510?

Sep 14, 2011

I would like to route traffic that is coming in and going out on the same interface on ASA. I am using the inside interface with security-level 100. In this URL, [URL], ASA is able to do that.

View 5 Replies View Related

Cisco Firewall :: NAT Route For Remote VPN On ASA 5510

Nov 15, 2011

I have configured a remote access VPN on my Firewall ASA5510. Everything worked fine and I can successfully connect through the VPN. The problem is I cannot ping or connect to any of my internal network resources. I tried to add a new NAT route from outside to my internal servers using the defined pool, but due to a new ASA version there are many changes I see in the NAT routes

View 37 Replies View Related

Cisco Firewall :: Slow Intervlan Routing On Asa 5510 Route

Jul 21, 2011

In the restructuring of my company network we installed two ASA 5510s in failover for the management of the internal network and DMZ. We configured the ASA in routed mode, we created the subinterfaces for the server, client and dmz subnets, and we connected the firewall to the network. Everything works very well except the inter-VLAN routing. If I try to send or receive a file in any protocol (ftp, http, smb), or if I try to connect with rdp or vns to a host in a different vlan, the connection goes very, very slowly. In particular, an ftp connection between two hosts goes to 15kb/s. I checked all cables and ports for errors on duplex or speed, and all the uplinks are 1gb and the single client connections 100Mb. I know that the main purpose of the ASA is not doing routing stuff, but this behavior is very strange.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Static Route By Interface Or Destination

Sep 21, 2011

Is it possible to assign a static route to an interface and not globally on an ASA 5510 ver 8.3?
  
I have two links between my offices one for Data via a VPN and one for video traffic which is a secure connection with QOS end to end.
  
All interfaces are on the same security level of 100 except Outside which is 0.
  
Office 1 Interfaces ASA 5510
 
 
VLAN  1               vOffice1Data       10.40.1.0/24
VLAN  3               vOffice1Video     10.40.2.0/24
VLAN 5                vInterOffice       10.40.5.0/24     (QOS  connection Between Offices)

[Code]....

At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Static Route Tracking

May 15, 2013

I am trying to set up my ASA5510 for ISP failover when it can't ping three different IPs. I created three different trackings to three different IPs using sla monitor & track rtr. But when I do

   route isp2  0 0  yy.yy.yy.yy  50
   route isp1  0 0  xx.xx.xx.xx  31  track 1
   route isp1  0 0  xx.xx.xx.xx  32  track 2
   route isp1  0 0  xx.xx.xx.xx  33  track 3

the last route will replace the previous two and only the last route command takes effect. Is there any way I can set up the failover to ISP2 only when it can't ping three different IPs from ISP1?

View 1 Replies View Related

Cisco Firewall :: 2800 Routers / ASA 5510 Cannot Ping Via Route Inside?

Mar 3, 2013

I recently added a business cable modem to relieve some of the congestion I was getting on my T1 for our MPLS network. There was an ASA 5510 collecting dust in a closet here and I thought it would be the perfect device for firewalling the traffic coming in from the cable modem, and handling the routing of our internal MPLS traffic as well. Internet setup was cake. The test laptop I have using the ASA as its gateway has great internet service but it cannot ping across either of our MPLS networks. I have one MPLS with AT&T and one MPLS with EarthLink. My hope was to use the cable modem as the default route for all unspecified internet traffic and route our internal MPLS traffic to the Cisco 2800 routers that are currently in place for the MPLS. I can ping across the MPLS when I telnet to the ASA, but I cannot ping across the MPLS from the client that is connected to the ASA.
 
Here's the topology I'm working with
 
Internet
|
Cable Modem
|
ASA 5510 10.52.120.23

[Code].....

View 8 Replies View Related

Cisco :: Leak Default Route To VRF?

Jul 1, 2012

I want to leak the default internet route to the CE VRF as a common service. Since we have two ASBRs, can I point the next hop to the PE itself instead of either of the ASBRs? I tried to point the NH to the loopback of the PE itself but it failed.

View 6 Replies View Related

Cisco WAN :: BGP 300 - Default Route Maps

Sep 3, 2011

I'm working on a practice lab and am having the following issue. I have a customer router connected to two different ISP routers. Each ISP router must advertise a default through BGP to the customer and one of the default routes must be preferred over the other. Given if the preferred route interface is shut down, the other default route is inserted into the routing table, and when the preferred default route interface is turned back on that path is used again. The catch is I can't alter the customer router, only the two ISP devices. I tried doing some route maps but I'm lost. I have deleted all my route maps and have posted the BGP portion of the ISP routers.

router bgp 300
no synchronization
bgp log-neighbor-changes
[Code].... 

View 13 Replies View Related

Cisco :: OSPF NSSA Default Route?

Jan 19, 2013

Looking through the SPROUTE course material they state on several occasions that an ABR will announce a default route in to a standard NSSA area, same as a stub area, because LSA5 external routes are not allowed.

View 8 Replies View Related

Cisco Routers :: WRVS4400N Default Route

Feb 26, 2013

I bought a WRVS4400N v2 to be used as an access point. Currently it is hooked up on my switch via a trunk port and is able to communicate with my gateway. Whenever I try to access an IP subnet other than the local IP address of the WRVS, I get a network unreachable error. To fix this for my local networks, I added the appropriate static route to cover my local LANs and that seems to work now. I tried to add route 0.0.0.0/0.0.0.0 using the web interface for internet access, but somehow it does not recognize this as a default route (quad zero!?). Does anyone know how I can set the default gateway in this router? Maybe, but hopefully not, I have to use the WAN port to create some kind of uplink and use one of the LAN ports to connect using the trunk port and route traffic for the clients over the WAN port.

View 1 Replies View Related

Cisco WAN :: 877 Default Route Using Track Command?

Jun 5, 2013

I have an 877 router which has a DSL WAN interface. The DSL service at this site is unreliable, so the company has purchased a separate 3G router to be used as a backup. This device maintains 3G connectivity at all times and has a static IP on the internal subnet (for argument's sake let's say 10.0.0.253).
 
What I want to do with the Cisco router is to track the DSL interface and if it is up, install a default route pointing to it. If it is down, I want the default route to be the 3G router.
 
I am thinking the best way to do this is to set up a track and then set 2 default routes; one which is installed if the tracking is up, the other has a higher admin distance and points to the 3G router and thus should only be used if the track is down. For example:
 
track 10 interface Dialer0 ip routing
delay down 30 up 30 
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10 
ip route 0.0.0.0 0.0.0.0 10.0.0.253 100
 
Is this likely to work or is there a better way to do it?

View 7 Replies View Related

Cisco WAN :: 2811 Run Bgp With ISP To Accept Just Default Route

Feb 18, 2012

I have a 2811 router. Can I use the below image on it? I'm thinking of running BGP with the ISP to accept just the default route.

View 1 Replies View Related

Cisco Routers :: SRP521W - Default Route Through VPN?

Mar 18, 2012

Is it possible to send all traffic through a site-to-site VPN using SRP521W (on the other site ASA)? Let's say, traffic to the Internet from the branch through HQ - site-to-site VPN between branch and HQ. I've tried to set up a destination crypto policy entry to 0.0.0.0 0.0.0.0 but it's not accepted. Firmware version is 1.01.26 (003)

View 4 Replies View Related

Cisco :: Default Route And More Specific In Case Of IP Transit

Aug 16, 2012

In case customers buy IP transit(there is a BGP session between ISP and customer), they often ask for default route and for example prefixes from local internet-exchanges. What is the advantage to have default route + certain smaller(for example /17, /18 and /24) prefixes?

View 4 Replies View Related

Cisco :: Select A Default Route Within MPLS/VPN Network

Nov 30, 2012

I have this topology: ( I use OSPF instead of EIGRP for routing between PE and CE. The customer vrf name is cusA; they have 4 sites. The CE from site 3 has 2 links to 2 PEs (one for backup). The CE from site 3 has the exit point to the internet, and how can I choose 1.1.1.2 as next-hop for the default route

View 2 Replies View Related

Cisco WAN :: 2811 EBGP With Static Default Route

May 8, 2011

My 2811 is connected with two ISPs as below and has a VPN with the central branch. I want to set DSL as primary and WiMax as secondary, but the problem is that routes learned via BGP get precedence over the default route as they are more specific. I think I may need to put all static specific routes of the central branch over DSL along with the default, but I want any idea if my default route stays active and when it is down then BGP neighborship can be established (like ip sla tracking).

View 3 Replies View Related

D-Link DIR-615 :: How To Route All Incoming Connections To Default To Web Server

Jan 3, 2013

How to configure my DIR-615 (Hardware Version E1 - Firmware Version 5.00NA) to:

1. Assign/Reserve IP address for 2 machines.

2. Route a web browser to a server on the first machine (port 80) as a default when another computer or smart-phone or device joins my open wireless network.

I am hoping to eliminate any changes to the IP address of the first two computers so that the server's IP address and port are static. I would also like anyone who joins the network to merely open their browser and be presented with the http interface from my server.

View 2 Replies View Related

Cisco Switching/Routing :: 7206 - PBR Not Changing Default Route

Sep 5, 2012

I have a MPLS cloud in our data center.  I want one network coming into our core router to have a different default route than the other networks coming in. I'm getting hits on the acl but the route isn't applied and goes to the default route that is configured in the router.  I have other PBR for setting local-preferences and as-paths and they are working fine. 
 
The router is a 7206 Version 12.4(11)T3
 
!
ip route 0.0.0.0 0.0.0.0 1.2.3.4
!
ip access-list extended 2nd_Default_Route

[Code].....

View 1 Replies View Related

Cisco Switching/Routing :: 2960 Default Gateway Ip Route

Jan 24, 2013

I have a Cisco 2960 (WS-C2960-8TC-S) running the 12.2(46)SE C2960-LANLITEK9-M image. I would like to set an ip route 0.0.0.0 0.0.0.0 87.101.156.97 but the current image does not allow it. Will ip default-gateway 87.101.156.97 work or do I need ip routing? The ISP has provided a /30 address and we are using an additional /29 for our network devices. I don't think this image can be upgraded. I need to forward routes directly out to the ISP. [code]

View 5 Replies View Related

Cisco WAN :: IP SLA And Object Tracking For Default Route On Nexus 7010

Mar 18, 2013

We have a Nexus 7010 running version 6.1(2). 
 
I'd like to use IP SLAs and object tracking to define static routes for specific source/destination traffic across some WAN links we have.  I've done this in IOS and it's worked fantastically, but I've not found where/how to do this on the Nexus 7010 platform (or any Nexus platform) as of yet.  I could have sworn that this was going to be introduced in the 6.x code?  Below is an example of how we do this in the IOS world:
 
track 11 ip sla 1 reachability
delay down 15 up 15
ip sla 1

[Code]....
 
Essentially this gives us the option of using a "failover" default route. I've attached a basic diagram to explain what we are trying to do with IP SLAs and object checking. The tracking should be configured against an SLA that uses icmp and the static routes should be configured against the tracking.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved