Cisco Firewall :: 5520 / 4510 - ASA Is Blocking For Returning Traffic

Apr 2, 2012

My internet link is connected on Internet Router & below downwards Cisco ASA 5520 is connected.ASA is connected with core switch cisco 4510 on downwards. our web based mail [URL] is hosted outside.

Lets suppose ISP pool is 4.4.4.0/28.suppose owa server is Static natted on ASA with 4.4.4.4. my machine traffic is going to internet with same ISP with PAT on Cisco ASA & internet is working on my machine. if i want to access {URL} or ip base for mail access, its not working & also it is not pinging. i suppose to ASA is blocking for returning traffic.
 
is there any way to traffic will go via same Firewall & comeback on same firewall port?

View 1 Replies


ADVERTISEMENT

Cisco VPN :: Some Traffic Not Returning - Is NAT Culprit / 1801

Sep 27, 2011

I have two offices - see attached diagram.  They use 192.168.0.0/16 for private IP addreses.They're connected via site-to-site VPN.  Mostly works well, except some traffic doesn't return and I think it's due to NAT?When a workstation in remote office tries to access web servers in the local office which using private IP addresses (e.g. .64.40), traffic never returns.  The web servers in question are also accessible publically - the Cisco 1801 in local office has a static route:

Local1801#   ip nat inside source static tcp 192.168.64.40 80 111.111.111.2 80 extendable
  
The problem seems to be with the local 1801 router.  tcpdump confirms that return traffic exits out of ods1's external interface and tcpdump confirms that traffic does not come into remote workstation's interface (neither with .64.40 as source IP nor 111.111.111.2 as source IP)
  
Remote887# show ip nat translations - none.
 Local1801# show ip nat translations
Pro Inside global             Inside local                Outside local                    Outside global
tcp 111.111.111.2:80       192.168.64.40:80      192.168.10.254:54990     192.168.10.254:54990
  
What I don't understand is why a nat translation entry is created.  My understanding is that it should  only happen when ip packets are sent to 111.111.111.2:80   I don't see that any packets would be sent to this IP address when accessing the site across the VPN - in fact the VPN peer address used is not this one.I cannot figure out why on earth this website cannot be accessed via private IP.  I have tried clear ip nat translation * on both routers with no luck.
 
Relevant Cisco config snippets included below: 
 
Local1801 VPN and NAT config
------------------------------------------ 
crypto map VPN-MAP 1 ipsec-isakmp
description "Local-Remote VPN"
set peer 222.222.222.222
set transform-set VPN-TRAFFIC
match address 101

[code]....

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Blocking In / Out Emails

Feb 26, 2013

I've configured a Cisco ASA5520, i can access to internet and other applications in my office but when i sent an email from inside to outside and vis-versa, i can't receive emails in both side

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - CSC Blocking Using IP / Users

Jan 17, 2012

I am new at ASA 5520 and CSC module (version 6.3). I would like to know what configurations are possible for my network users if i use the CSC trend micro blocking using IP address or AD users, I know that i could select users/groups from the windows  AD or select the IP addresses that i want to use for blocking or permit HTTP traffic (URL, etc).

My question is on the client side, how the CSC knows what AD users is the one that is requesting certain HTTP pages, or if i user a proxy server, i lose the IP/users options on the CSC??..or i could use authentication options on the proxy for example?.

I have been looking information about this but the manuals only explain the configuration options that i could configure on the CSC Trend Micro page, but it doesn't say which network environment i could use or need.

View 2 Replies View Related

Cisco Firewall :: Blocking P2P Traffic On E2500?

Feb 15, 2013

networking but can understand with a bit of explanation.. I own a restaurant and provide free WiFi for my customers with a Cisco E2500, I am gettign bills that are through the roof, I contacted my ISP and was told users were accessing P2P downloads(uTorrent, etc.). How can I block these applications?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 For Blocking LogMeIn And GoToMyPC

Sep 1, 2010

How to block LogMeIn and GoToMyPC?  We are using an ASA 5520.  We mainly want to prevent people coming into our network using those applications.  Also, our helpdesk uses LogMeIn Rescue and would need to allow that for them. 

View 6 Replies View Related

Cisco Firewall :: 5520 - Blocking URL And Instant Messenger

May 11, 2011

Can  we block websites and messenger on Cisco ASA 5520 running code 8.2 ,  we are looking to block facebook.com , yahoo.com , twitter.com , msn messenger, yahoo messenger, google talk and messenger. All Internet traffic from users are passing via the firewall and for 20 users on this site we do not have microsoft ISA or bluecoat.

View 6 Replies View Related

Cisco Firewall :: PIX 515 Blocking Outbound Traffic To Certain Sites

Oct 14, 2012

I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits),  as well a a WInXP box. All of these are connected to the same switch,  which is connected to the inside port of my PIX 515.
 
For a few sites (mozilla.org happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that  matter - will not go through the PIX (from inside to wan). I have  verified this by first, using wireshark to watch the packets being sent  out from the client box, then by using the trace function in the PIX to  see that the packets ARE arriving at the inside interface, but ARE NOT  sent out of the wan interface.
 
This is for the linux boxes ONLY. When I do the same thing with my WinXP  box, all works: in the PIX trace, I see the packets arrive at the  inside interface, and leave the wan interace. And access to these sites  are okay.
 
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
 
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
 
Some background:
 
I have been using this PIX for about 10 years now, with the same  configuration (except IP addresses). Only in the last several months has  this problem started to show up.
 
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something  else. I don't have any support license, and have not been able to get  any software upgrades. Here is its version info:
 
taz(config)# sho ver
 
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
 
Compiled on Fri 07-Jun-02 17:49 by (code)
 
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

PS: Since this PIX is at its end of life, I was wondering if any of the  software upgrades would be now available without a license?

View 2 Replies View Related

Cisco Firewall :: 2921 - ZBFW Not Blocking Traffic From DMZ

Apr 22, 2013

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
 
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
 
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
 
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
 
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?

View 2 Replies View Related

Cisco Firewall :: 5520 - URL Blocking To Be Applied To Specific Users

Feb 10, 2010

I am having ASA firewall 5520. I want to block yahoo mail, gmail using regex for particular users only.

View 5 Replies View Related

Cisco Firewall :: ASA5505 - Blocking Internal Traffic Between 2 Servers

Oct 25, 2012

I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
 
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
 
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
 
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
 
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
 
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

View 15 Replies View Related

Cisco Firewall :: ASA 5540 Blocking Legit Traffic From Inside

Aug 21, 2011

I just made a move from a PIX 506 to an ASA 5540.  I have a user that currently logs into a web portal and runs a job.  It is now erroring out.  When I run the test it gives me the following message:
 
Testing ports...
Port 1433: Failed
Port 1150: Success
Port 80: Success
Port 443: Success
 
One or more tests have failed
 
The computer we access this site from is on the inside network and the ACL says permit ip any any from the inside out so I am not sure why it is failing.  Under the ASA Home screen I see the Top 10 Protected Servers under SYN Attack and it appears that the ASA thinks this is some sort of attack. 

View 1 Replies View Related

Cisco Routers :: RV110W - Firewall Blocking All Inbound Traffic

Apr 5, 2013

I have a RV110W that's been in service since Dec 2012. All Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 NAT Rules Blocking Inside Traffic

Jan 7, 2012

Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]

View 10 Replies View Related

Cisco Switching/Routing :: Firewall On 1921 K9 Blocking UDP Traffic?

Apr 18, 2012

I have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.

Interface 0/1 = 192.168.1.0
EHWIC = 192.168.5.0
 
I have Active Directory setup on the 192.168.1.0 network. When I attempt to join the domain from 192.168.5.0 it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
  
Building configuration... 
 
Current configuration : 18833 bytes
!
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave
!

[Code].....

View 2 Replies View Related

Cisco Firewall :: Blocking Outbound Port 80 Traffic Using ASDM On ASA 5510

Nov 26, 2012

I am attempting to block outbound traffic for a specific PC on my LAN using the ASDM.

View 2 Replies View Related

Cisco Switching/Routing :: Policing Traffic On 4510?

Nov 21, 2012

I have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.The Problem:We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.Class 512K set dscp ef police 1024000 bps 1024000 byte conform-action transmit exceed-action dropClass Map match-any 512K (id 4) Match access-group name DAGExtended IP access list DAG 10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches) 20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)The service policy is applied on the input side of the 2 interfaces on which our devices are connected.As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - VPN Traffic Is Getting Dropped Through Firewall

Apr 8, 2011

Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
 
2011-04-09 16:15:09    Local4.Info    172.16.1.68    %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653

View 1 Replies View Related

Cisco Switching/Routing :: 4510 - Command To See If Port Was Ever Up And Passed Traffic

Apr 24, 2012

I am looking to find a command or counter to tell me if a cisco switch port on a 4510 was ever up and passed traffic.  I want to shutdown all unused switchports on our access switches.  But before I do that I need to make sure device is just not off or the person is away on vacation.  If I do sh int interface, is there a counter I can reference.

View 4 Replies View Related

Cisco Switching/Routing :: Not Capturing Span Traffic On WS-4510 / SupervisorV / 12.2(54)SG1

Mar 22, 2012

I have configured Span port on our 4510. We have an application 5view server to monitor trafic connected to G9/17 Since we have changed the network connection from physical Giga port and add a Port-channel instead, we don't see any more trafic from the new Port-channel to G9/17
 
We have the configuration below on our 4510 :
 
monitor session 1 source interface Gi4/6
monitor session 1 source interface Po20
monitor session 1 filter vlan 311 - 312 , 375
monitor session 1 destination interface Gi9/17
  
From the commands show, we don't see the trafic duplication from the source to the destination port :
 
Port Source
 
4510-5567#sh int po20
Port-channel20 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0016.9de2.a818 (bia 0016.9de2.a818)

[Code].....

View 2 Replies View Related

Cisco Firewall :: ASA 5520 VPN Tunnel Up But Not Traffic

Nov 1, 2012

We just migrated from a single 5510 to a dual (failover)  5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]

View 12 Replies View Related

Cisco Firewall :: 5520 VPN Traffic Between Interfaces

Jun 12, 2011

Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).

View 4 Replies View Related

Cisco Firewall :: Traffic Prioritization On ASA 5520?

Dec 1, 2011

I have a Cisco ASA 5520 (8.0) and I'm trying to figure out how to prioritize traffic to specific websites (by either domain names or IP addresses/ranges).  This document [URL] has some great examples, but I'm not able to create a class-map that will match addresses.  I'm not doing any other traffic manipulation on this ASA. 

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic Between DMZ Servers?

Dec 20, 2011

We can´t reach DMZ servers from other DMZ servers?If I make a ping from DMZ server to another, sometimes only recieve one ping, sometimes 4, sometimes 0.How can I allow the traffic between DMZ servers??
 
(ASA 5520 Version 8.4)

View 2 Replies View Related

Cisco Firewall :: 5520 - Traffic From Inside To Outside

Mar 2, 2011

I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.

asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......

Base on the above configuration, I still cannot ping or HTTP.

View 10 Replies View Related

Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
 
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Cannot Block Incoming Traffic

Dec 12, 2012

I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.

View 2 Replies View Related

Cisco VPN :: 5520 - How Much Traffic Pass Through Into IPSec In ASA Firewall

Mar 20, 2013

How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.

View 3 Replies View Related

Cisco Firewall :: 5520 Can't Get Traffic From Inside To Internet

Nov 27, 2011

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]

View 10 Replies View Related

Cisco Firewall :: Enabling Outbound Traffic Through ASA 5520 8.4(4)1

Apr 4, 2013

We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
 
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
 
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
 
I've also enabled IPSec pass-through Inspection to no avail.
 
how should we configure our ASA to enable this kind of traffic?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - Allow All Traffic From Frame Relay

Jun 14, 2012

I am installing an ASA 5520 and I have a problem on accepring the incoming traffic from an external office connected via Frame Relay.
 
On my OUTSIDE interface I have both the internet traffic and the external office traffic incoming. What comes from the external office is visible as 10.1.0.0/16.
 
I have to allow this traffic to enter the internal network, without any control. I would also keep the original IP address.
 
I have configured the Firewall but I don't know how to setup the NAT.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 8.2(1) - Botnet Traffic Filter?

Jun 28, 2011

When I try to configure the Botnet Traffic filter with the commad "dynamic-filter use database" through the ASDM I get the following error message.
 
[ERROR] dynamic-filter use-database  Dynamic Filter: New data file not terminated with newline

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved