Cisco Firewall :: 5520 - How To Check Hits On Particular Allowed IP
Aug 10, 2011
i allowed one of internal ip using static nat and public ip is 22.214.171.124 and i want to check which IP are hit this public ip ?Is there is any command to check which ip is hitting 126.96.36.199? I have the cisco 5520 asa firewall.
I'm running into this issue on an ASA 5520 running version 8.2(2)9 and ASDM version 6.2(1).
I have an ACL denying traffic to a certain IP range and the logging level set to Debugging. The hit count is rising quite rapidly but when selecting "Show Log" the Real-Time Log Viewer opens with a value of 0x13d0ee2a in the "Filter By" field and no logs are ever shown.
Logging is enabled globally and Logging Filters on ASDM is set to Debugging as well.
Port forwarding done to a DMZ located server on the cisco ASA 5520. Now this host cannot browse but allowed outside to inside access is possible Is there anyway i can give this system to browse internet? may be through the natted IP ( 94.20.*.*)
Can threat detection provoke frequent disconnections on allowed traffic?We are using asa 5520 with 8.3.1 IOS For instance in ASDM we see SYN attack messages .The source ip address correspond to external an external host (in the outside interface) wich is allowed to connect to internal servers(in the internal interfaces).
We have set of PC's who will be connecting either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA doesn't have Access Lists applied, so from what I understand, there is a default policy applied globally (class-default). Now my question is: If we set up vpn clients on our pc, are the ports used by the clients to the VPN server allowed by default or do we need to tweak the class-default?
While user's connecting through AnyConnect, AnyConnect doesn`t check endpoint attributes. I've configured checking process of "notepad.exe", but it doesn`t work. There is no checking process of "notepad.exe" in output debug dab trace (see attach).
ASA 5520 ver 8.4(1) AnyConnect 3.1.02040 HostScan 3.1.02043 CSD 3.6.6234
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
i have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.
We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
If I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets.Also, is the ACL applied to the interface because the ACL's name is the name of the interface?
We have ASA 5520 acting as the VPN Server and Cisco 1941 router as EZVPN client. Since last few days client is not able to establish vpn connection. 1941 router is continuously generating the below log messages
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50) 001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=VPNGROUP Client_public_addr=<client public ip> Server_public_addr=<server public ip> 004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
I have recently setup Splunk to receive my syslog messages from my ASA 5510. In the past I used kiwi without observing this issue, but I needed more features than kiwi had available. Anyway, anytime I stop the splunk service my asa does not allow any outbound connections to be established.
I'm aware ACL's are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
i know in Cisco PIX til 8.2 OS, if i have Nat control disabled and ACL permitting connection from Low Secirity ( DMZ ) to High Secuurity (INSIDE) then connectino should be successful, and i dont need any STATIC identity nat of inside IP to be created.
But i have Cisco PIX 525 with Version 7.2(2) Which is not allowing connection from DMZ to INSIDE , although nat control is disabled. and giving RFP check failure, any thought?
PIT525PIXINET# sh running-config nat-control no nat-cont
ASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.
1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?
2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s): DATA-BACKUP Name of interface Redundant1.10 DMZ Name of interface Redundant1.900 GUEST Name of interface Redundant1.990 HOSTING Name of interface Redundant1.100 Infrastruktur Name of interface Redundant1.20
After running for about one month, my SG200-08 hit 100% CPU and pings increase from under 1ms to 300ms. I purchsed the SG200-08 for home due to its support for IGMP snooping. I have a TELUS Optik TV service at home which uses the Microsoft Mediaroom platform and multicast on the local LAN. When the SG200-08 hits 100% CPU, my Cisco STBs start to exhibit multicast issues due to delayed or dropped IGMP messages. I recently upgraded the SG200-08 to firmware 188.8.131.52 hoping that it would fix the issue, but it hasn't worked. [code] Smoking latency graph of the SG200-08 ICMP response time. On May 1st the CPU spiked to 100% and the laency increased to 300ms. The problem has been occuring since I installed the SG200-08 with the CPU spiking to 100% about once a month. Rebooting the SG200 will clear the issue.
My network has two connections to a third party via links on two seperate ASA , one in location A and one in location B. The link in location A is the primary connection and the other in location B should be used by only two terminals (term1, term2) in location B. ASA are running OSPF and are redistributing static routes as metric-type 1 in OSPF. In order to achive the aforementioned goal, I have configured a route-map on ASA location B, that sets the metric for the route towards the third party to a high value (100). This way, all routers, even those in site B prefer the exit through location A (metric about 24).
I have checked that my routers correctly have the route to the 3rd party through location A, and the OSPF database has records for the network from both locations.In location B, I have configured the following route-map (on 6509)
route-map PREFER-LOCAL-ROUTER permit 10 match ip address XXX set ip next hop locationB-ASA int vlanYYYY ip policy route-map PREFER-LOCAL-ROUTER
From the terminals (term1 and term2) I have tried a traceroute towards the 3rd party's subnet, but I don't get any match neither on the access-list nor on the route-map. Unfortunately I have no other way to test that my configuration is correct, since the application on the terminals, that should access the 3rd party network, is not currently running.
I also addedd the statements below to the access-list, because of the test with tracert: permit icmp host term1 route_to_3rd_party 0.0.255.255 permit icmp host term2 route_to_3rd_party 0.0.255.255
Nothing changed...Is there something wrong with the above config? Is there a chance that there is a problem with the IOS, that simply doesn't show any hits?
When we setup a connection between two hosts we receive the message "TCP checksum incorrect" , This is between a settop box on the outside and a server inside the firewall. This STB used to communicate with the server on port 443 which is NAT-en to port 12697.With a new settop box image which uses on the inside and outside port 12697 we receive this TCP checksum incorrect on the Firewall with wireshark.
Strange is that on the outside of the firewall we see an MSS of 1460 and on the inside it is 1380 (don't know if there is a relation with this and the issue we have)