To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map.During my tests I recognized, that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop.How can I configure the ASA to show up as a hop in an IPv6 traceroute?The ASA is a 5520 with v8.4(1) installed.
I am encountering an issue with IPv6 trace route both from within LAN as well as on the Cisco router is unable to function beyond the WAN interface of my Cisco 1941 router with IOS v15.x.
Below is the IPv6 Access List:
[code]
sequence 410 remark Allow Specific Inbound ICMP Types
permit icmp any 2001:D98:XXXX::/64 1 3
permit icmp any 2001:D98:XXXX::/64 packet-too-big
[Code].....
Here are two traceroutes both to 82.195.128.132. One results in the name ns1.hosting 365.ie and the other in the name mail.hosting365.ie. Why the difference? [code]
View 2 Replies View RelatedWe have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test
[Code].....
ASA 5520 running 8.2
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?
how many active TCP sessions my ASA has but having a hard time finding this information. When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP. Is there any way to get just the TCP connections?
View 3 Replies View RelatedI have been searching to find out how to allow traceroute from an inside host to an outside IP address. I have found a few articles for IOS versions prior to 8.4 but nothing for 8.4. I can traceroute from the CLI of the 5510 just fine but from a windows host on the inside network all I get is Request timed out
View 1 Replies View RelatedWe have Cisco ASA 5520 firewall. ASA Version - 8.0(4). ASDM Version - 6.1(3). Firewall Mode - Routed.
We want to configure QoS for some subnets and enable policing such that they cannot use more than 1mb of bandwidth. I think we cannot create more than 1 policy for it. In that case i created a policy with QoS enabled and configured the Input and Output policing with Commited Rate of 1024000 bits/second. But it does not seem to work.
how can i create such policy in the ASA to limit certain subnets to 1mb bandwidth ?
i'm trying to configure an ASA with two ISP to be reached from internet for vpn access, the objective is that the user can use any of the Public address attached to ASA to connect to the company. Is this possible? i'm facing some problems because i can not use two different default routes (same AD) pointing to two different interfaces, this is the message that i receive "ERROR: Cannot add route entry, possible conflict with existing routes" and when i change the AD of one of the default routes i just can reach one ISP.
View 1 Replies View RelatedI've got an annoying problem with my ASA 5520.I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic - and I can't seem to traceroute through the firewall.The ruleset is simple - basically, allow any IP from inside to outside. The NAT is simple - PAT all traffic unless exempted to the IP address of the outside interface.If I do the trace from my internet edge router it works fine - so I know it's not soemthing my uplinks are filtering - but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface - then nothing.Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?
View 2 Replies View Relatedthere is an issue with tracroute from ASA 5505 with 9.0(2) - here is the running configuration [code] with this running configuration - from the LAN tracerouet to public IP, it is working fine. but once I traceroute from the LAN 192.168.225.x to the corporate networks via the IPSec l2l tunnel - it does not show any hop at all - even the inside interface of the ASA does not show in the traceroute.
View 4 Replies View RelatedWe have a ASA 5505 and a 5510, that we are using site to site..I need to traceroute from the 5505-5510.. From the outside interfaces.. Don't want to do this through the site-to-site.I have temporarily added a few acl on the outside interfaces..
-access-list outside_in extended permit icmp any any unreachable
-access-list outside_in extended permit icmp any any time-exceeded
-access-list outside_in extended permit icmp any any echo-reply
when i traceroute it only goes one hop.. Maybe thats the way it suppose to be? I need to know all the hops between the outside interfaces on the 5505 to the outside interface on the 5510.
I've read through netpro and found everyone points to this doc.
[url]....
However that still doesnt allow traceroute through for us. We still see syslogs with deny's on high level random UDP ports to different Internet destinations.
[code]....
I have a cisco ASA 5520 that i'm configuring.From the actual Firewall (with is a linux server), we have the outside interface eth0 with has a public IP and other sub-interfaces (eth0.1; eth0.2,...) with others publics IPs.I'd like to know how I can configure it in an ASA
View 7 Replies View Relatedi have an ASA 5520 with ios 8.4 and asdm 6.4.
my configureation is below
my asa interfaces
inside ip
172.16.0.0/22
[Code].....
so now i want to configure my asa to give access to user based. what configurations should i use to do so.
i have attached the Edit Active Directory Server dialuge box so what should i put there in the box's
How to configure ASA 5520 to resolve names in ASA's. We are currently using ASDM to configure network objects with the hostnames in the internet and then specifying the IP address . But this is done manually. Is there a different way of setting it up on ASA. Also when getting reports from ASA, we see the IP's but is there a way that we could add an identity to the IP's (reverse lookup)
View 1 Replies View RelatedI have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
Is IPS should be in Fail-Open or Fail-Close mode ?
Is Mangement ip for both IPS module should be same or diffrent. ?
I am new to cisco ASA. I need to configure ASA 5520 in transparent bridge mode. [code] I need to place the new asa firewall in transparent mode. How to configure the firewall in transparent bridgmode.
View 5 Replies View RelatedWe already have a subnet defined to inside interface and is in produciton. the default gateway is this interface ip. In that setup now I have to add one more subnet and as the first subnet is been defined in ASA indside interface, I have to assign secondary Ip to the inside interface so that new subnet users can easily reach here and go outside.
View 1 Replies View RelatedBelow is my config for IP SLA. I would like a SNMP trap to be sent when my primary fails over to my secondary and so on.
sla monitor 20
type echo protocol ipIcmpEcho 100.X.X.1 interface INET-FIOS150
num-packets 2
[Code].....
Is it possible to import the config of a 5510 to a 5520. Trying to replace two 5510's with 5520's and wondering is there a way import the existing config files for the 5510's into the 5520's?
View 3 Replies View Relatedi have cisco ASA5520 and i have a remote access vpn .I want to configure logging for this remote access vpn.
i want the time user connected .how log it is connected .If any error while connecting ?
I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
object network obj-10.1.1.254
host 10.1.1.254
object network obj-10.1.1.254
nat (inside,outside) static 172.25.10.3
I want to also use nat (inside,backup) static 172.25.10.3
I am using 3550 with c3550-ipservicesk9-mz.122-44.SE6.bin. Have successfully run ipv6 commands on global and interface, however getting below error while configuring "ipv6 router ospf 1" :SW1(config)#ipv6 router ospf 1 % Failed to create routing protocol ospf
Command syntax help says its configurable but its not configuring ipv6 OSPF.
I'm still using 2.00NA.It seems that whenever I connect to a particular www3 webpage, my modem and router end up rebooting shortly thereafter. This has happened a few times. The modem's log shows in this order1. No Ranging Response received ,2. Unicast Ranging Received Abort Respone ,3. MIMO Event.I've tried to figure this out. My search on the MIMO event revealed one post about IPv4 and IPv6. This indicates to me that I should probably be upgrading the firmware and configuring its use for IPv6 compatibility.If I upgrade to FW 2.30NA, how should I configure the IPv6, i.e., which parameters should I use?
View 6 Replies View RelatedWhy my asa5520 brings out:
sh curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
while i am logging in with my username which is XXXX. And in my ACS accounting logs I cannot see which user did what.
Do you know when will be possible to manual configure ipv6 settings? I have all parameters from my ISP but the settings on the router are only automatic and 6rd. Is it possible to enable this in future firmwares?
View 1 Replies View RelatedIn our company we use the ACS 5.and i have a small problem, what we need to do is.create a profile that will allow SHOW RUNNING CONFIG but not configure terminal.i am investigating and im a littel bit lost i have created a new group but i dont see any option to put permissions.
View 1 Replies View RelatedI could access from outside to dmz but after i moved to IPv6 as there is no nat needed, i applied the acl's but dont know where i'm going wrong. I need access from outside to dmz web server.
View 4 Replies View RelatedI need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
I tried to create an ACL for IPv6. But the acl always drops my packetes. Only in case I allow an Permit Icmp6 any any statement. It works.
With detailed IPv6 entries. I have got drops.
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
This is the one with the permit icmp6 any any statement, it works !!
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da(code)
I want to ask that does ASA 5580 support the nat-pt for IPv6?
View 2 Replies View RelatedI am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:
Zone:
LAN --> WAN zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
Are there any special settings for ZBF which should be turned on for IPv6 protocol?