Cisco Firewall :: 5510 Security Plus To Terminate Client VPN Access For External Support Team
Aug 7, 2012
I have a customer that wants to purchase an ASA 5510 Security Plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy, which leads me to suggest a CSC SSM 20 Plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangeably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC?
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. Does the CSC module provide any web proxy functionality?
We have configured a site-to-site VPN tunnel from offshore to the client location using an ASA5510 and are accessing RDP from the client location. We have also configured remote VPN access at the offshore location. But using the remote VPN client we are able to get RDP from the offshore location but not able to access RDP from the client location. Are there any additional changes required?
On our ASA 5510 we already have one ISP link terminated on the outside interface. There is a corresponding nat and global configured for outbound access to the internet.
Now we need to terminate a second ISP link on one of the DMZ interfaces to have redundancy for the primary ISP.
When the primary ISP link or router is down we need to send all the traffic to the secondary ISP router. How do we configure NAT and global for this condition, so that this NAT-Global pair is used only when the primary is down? Do we have anything like object tracking associated with the NAT-Global?
So that as long as the Primary RTR object is up, the ASA will use the first NAT-Global pair. When the primary ISP is down and the RTR object is not reachable, the ASA will perform the second NAT-Global operation.
Also, can we have the default route pointing to the outside interface (primary ISP router) and in case of primary router failure have it point to the secondary ISP? Do we have "track" in the static route commands on the ASA?
Basically we have different customers using the same 5510 firewall. We have created one sub-interface for every customer on the inside interface. There are different NAT rules for every customer, all using the same block of public IP addresses on the outside interface. They do not have access to each other's network, so I cannot make any exemption rules between two sub-interfaces. The problem for all our customers is that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A workaround is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub-interfaces for security reasons.
I have a 5510 with me. I want to terminate two Internet links on it: the primary Internet leased line to access my DC network using a site-to-site VPN, and the secondary ADSL connection to access my other location's network via VPN and for web browsing. How can I achieve these goals?
I've one appliance, an ASA 5510, v8.X and ASDM 6.X. Here you have my configuration:
interface Ethernet0/0
 description Link To WAN
 nameif outside
 security-level 0
 ip address 212.96.23.186 255.255.255.252
!
interface Ethernet0/1
 description Link to LAN(forefront)
 nameif inside
 security-level 100
 ip address 10.20.80.1 255.255.255.252
!
interface Ethernet0/2
 description Link to CoreSW (DMZ)
 nameif DMZ
 security-level 50
 ip address 10.70.70.254 255.255.255.0
I have one SSH server (10.70.70.10) on my DMZ.
I want to enable my external user, I mean an outside user, to be able to access this server, which is in my DMZ, on this port (SSH).
I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com, and I want my users INSIDE the company to be able to also get to url... Currently they cannot (nothing loads; it looks to me as if the firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine, so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to the internal IP, but something is blocking this from the inside.
I have an ASA 5510. If you can just send me on the right path with theory I'll figure it out on my own; I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.
I have an ASA5505 and I'm having trouble achieving the following setup: block any kind of connection from outside except for IIS on ports 80 and 443, but allow the server to access any outside address, by domain or IP. Right now apps written in C# on the server are throwing socket errors and TeamViewer remote control is not working; I would like it to replace Remote Desktop.
I have an ASA 5510 that uses RADIUS for authentication. What I am trying to do is assign each user that logs into the VPN a specific static IP based on user ID. I have about 30 to 50 users. I don't want to complicate this by having them select a different profile when logging into the ASA. What is a clean and simple way to assign users a static IP and not use the local database for login?
Will the ASA 5505 allow the addition of a 2nd external link to its configuration? I know the device is capable of Redundant or Backup ISP Links, but that's not what I need. I will have two different links for two different purposes. Currently we are using the ASA 5505 just for Internet access, so only the ISP link is connected, a very basic configuration. We are planning a connection to a client's global (MPLS) network and we need to be protected against any traffic coming from that network, ergo we need to use a firewall for the connection to that external link. Now with the final configuration the Internet traffic must keep being routed to the ISP link, and some other traffic must be routed to the new external link. Can the ASA 5505 be configured for this scenario?
I am having an issue: I need to have the outside interface terminate SSL AnyConnect clients. I have several groups that will log in and I need multiple inside interfaces to satisfy my security needs.
I have one group called ombudsman-mhdd and they need to go out interface g0/1.231, and another group called oet-router that goes out g0/1.232. This works on my 8.2 box but I am having trouble routing traffic out these interfaces.
I keep struggling with the Cisco ASA. How can I make a certain NAT (RDP, SSL or whatever) and secure it by allowing just one external client with a fixed internet IP to make use of this NAT?
My company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router on which I plan on doing a route-map to handle which ISP the traffic should go to based on IP. My big concern is the ASA 5510. Can I set up a second outside interface on the new IP range, then migrate my VPN tunnels over one by one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated. If it's not possible, we have it in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to the other.
I have two ASA 5510s in an active/standby cluster; not that I think the fact that they are clustered will be of any importance here, so feel free to think of it as a single 5510. The internet connection is delivered on a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASAs. I have two subnets with public addresses; for simplicity let's call them 1.1.1.0/24 and 2.2.2.0/24. The default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASAs? I'm currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use addresses from the second subnet, won't that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything; I'm just trying to plan ahead and I can't seem to wrap my head around how this could possibly be done.
I need remote access to certain programs on my home PC but I just cannot get it to work.
Program:- webcamXP
When I set the program's port preferences (i.e. port 8087), I can connect with "127.0.0.1:8087" and webcamXP works fine. But when I replace the localhost with my external IP (let's say 79.149.114.227, so that would be "http://79.149.114.227:8087"). I tried port forwarding: I have added the port to the NAT in the router's settings so it should be fine, but it is not (numbers are fictional of course):
external port start 8085, external port end 8089, protocol TCP/UDP, internal port start 8085, internal port end 8089, server IP address 192.168.1.215)
I also tried disabling AVG Internet Security 2011's firewall temporarily just to check if it was blocking it, but got the same result. I checked if Windows' own firewall was on, but it is off. I cannot find any setting in the router's own configuration screen to disable any built-in (router's) firewall (if it has any).
I've set up a remote access group for AnyConnect on a 5510 running 8.4.5. Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like Google or something). How do I get this to work? I'm assuming I need to do a NAT exemption but I'm not sure how this would look, especially under 8.4.5.
How do I tell my firewall to start listening also on another outside IP address assigned by my ISP? I have it in use on another firewall right now. So my steps would be shutting down the IP address assignment on the old firewall interface, assigning that IP address to the ASA5510 outside interface and configuring NAT.
I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up DNS doctoring for DNS lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external IP of another internal server. Where do I look in ASDM 6.4?
I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from the router. I can get info from H1, and neither interface on the router is preventing SNMP traffic from coming or going. Is there something that needs to be configured to allow SNMP traffic (originating from INSIDE) to reply? (Also note that there are no inspect maps blocking it, and the SNMP versions match.)
I am deploying a small wireless LAN (192.168.1.xxx) at a remote site and would like to access a PC at LAN IP address 192.168.1.2 across the Internet via TeamViewer so as to monitor devices on that LAN. The wireless LAN uses about 12 Cisco Aironet 1310 bridges in a ROOT-NONROOT (I guess this is point-to-multipoint?) configuration. Our ISP has given us a single static WAN IP address, subnet mask, gateway, and two DNS server addresses.
My intent was to assign our static WAN IP address from the ISP to our RV082 router, plug the LAN devices (including the PC at 1.2) into the RV082, and then use Network Address Translation (NAT) to forward TeamViewer traffic to the PC at 1.2. But the RV082's user manual says NOT to use the router's WAN IP address in the NAT table. So I'm confused as to how to send remote TeamViewer traffic to the PC inside my LAN. Is NAT not the way to do this? Should I be using port forwarding instead? I guess another way of skinning this cat would be to put a second NIC in the PC and let the second NIC have the WAN IP address so that it would be the first point of contact from outside, but that defeats some of my purposes for having the RV082 in the first place.
I am working on replacing our Checkpoint firewalls with ASAs, and am running into the following NAT problem. On some of our Checkpoints, there are external NATs that are mapped to multiple internal hosts based on ports. Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue is that these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet), so I can't use dynamic PAT with this.
Do the 5510s support active/active HA? There is conflicting info on the datasheet stating otherwise.
[URL]. As business needs grow, customers can install a Security Plus license, upgrading two of the Cisco ASA 5510 Adaptive Security Appliance interfaces to Gigabit Ethernet and enabling integration into switched network environments through VLAN support. This upgrade license maximizes business continuity by enabling Active/Active and Active/Standby high-availability services.
I've found that my clients cannot access my ASA 5510 with their Cisco VPN Client ver. 5.0 through IPsec over UDP. By comparing my new running config with the old one I found the following strange configuration: [code]
We have 3 different IT experts who have access to our router and I think this configuration is the cause of our VPN access problem. Is it really because of that or something else? Anyway, I want to know how I can get rid of this configuration.
I configured a dynamic VPN (Easy VPN) on a Cisco ISR. But the VPN clients cannot access any of the LAN devices. The VPN pool is 10.0.0.1-10.0.0.20 and the internal network address is 172.17.x.x. I tried to disable the zone-based firewall but with no result. [CODE]
We just set up the AnyConnect SSL VPN on our ASA. I am able to establish a connection fine using the Cisco AnyConnect client. I would like to use the native Windows VPN client though, if possible. What configuration changes on either the firewall or the client would I need to make for this to happen?
If I can do the following deployment using a Cisco ASA5510 Security Plus.
At this moment I have two interfaces in use one (outside) with the IP: 172.16.21.254/24 and the other (inside) with the IP: 192.168.4.1/24. Now the customer needs to connect another network that works with the IP segment: 192.168.0.0/22.
The IP segment 192.168.0.0/22 goes from 192.168.0.1 to 192.168.3.254, which means that there is no overlap with the network segment 192.168.4.0/24. My question is: if I configure another interface in the ASA that works in the segment 192.168.0.0/22, will the routing table auto-summarize the network and merge it with the network 192.168.4.0, or will it leave the networks apart?
I don't use dynamic routing protocols, but I cannot make the changes if I have doubts because the network 192.168.0.0/22 is the network for the Factory Automation Systems.
I have an ASA 5520 in my head office and 2811 routers in the branches. I connected two branches with my HO through VPN. Now I have configured a remote VPN client on the HO ASA, and I need to access all the branches using this remote client. How do I create the route in the HO ASA?
I'm configuring ASA 5510 Remote Access VPN. I can connect from the Cisco VPN Client to the ASA VPN, and I obtain from the ASA some routes to inside networks, but I can't ping any of those inside hosts. I have got these errors in the ASDM log file: [code]