Cisco Firewall :: 5520 Unable To Add Another Line To An Existing NAT ACL
Mar 26, 2013
As part of our PCI compliance, we were required to add a line to all of our ACLs in our ASA 5520 running version 8.2(3). Though there is an implicit deny all, we had to add a line to deny from any source to any destination.We had no problems in adding the additional deny all statements except for our NAT access-list. This NAT access list is used for our internet connection.Currently, the NAT ACL has 4 entries to permit from a specified source to destination any. This ACL is then called on our NAT statement.nat (inside) 1 access-list NAT,Also, note that NAT control is in place and we also have NAT zero statements for our VPN connections.So to fulfill our requirements, we just had to add another line to our ACL entries. But we encountered an issue with our NAT acl.
View 10 Replies
ADVERTISEMENT
Jul 3, 2011
After upgrading to 8.4(2) and ASDM 6.4(5) I seem to have an extra access rule duplicating an existing rule, this is only visable through the ASDM. When using the CLI you can't see this duplicate rule.
I therfore get the following warning everytime I make a config change using the ASDM [code] If I delete this rule it returns everytime I launch the ASDM!
I also have extra config under Firewall>Configuration>Public Servers that I didn't have before. If I delete it, again it returns.
View 8 Replies
View Related
Jan 13, 2012
I have a number of existing 4506 chassis type switches (the older non -E version) that I would like to roll out IP phones to. Instead of replacing the entire chassis, I would like to just replace the line cards in the switches with WS-X4548-GB-RJ45V. What or how much power supplies should I have in each switch to be able to power the 5 poe line cards (each port per line card will power an ip phone)?
View 6 Replies
View Related
Feb 8, 2012
I am unable to ssh to the cisco firewall from outside. Though when i telnet on port 22, [code] When i do a putty session i get a blank screen.
View 9 Replies
View Related
Aug 16, 2011
I was trying to upgrade from 8.3.1 to 8.3.2. but I am unable to copy via tftp to the ASA flash or disk0:
ASA5520# copy tftp: flash:
Address or name of remote host []? 10.88.127.153
Source filename []? asa831-k8.bin
Destination filename [asa831-k8.bin]?
[code]....
Half way thru writing to the disk, it goes for a reboot. There is more than enought space on the disk0. I tried copying via a Compact Flash, but the ASA is not detecting the Compact Flash (which I thinks should be disk1). I tried copying a asdm file, even that also went for a reboot.I am stuck now, unable to upgrade
View 12 Replies
View Related
Jul 1, 2012
I am working on adding a mapping to our external address for our mail server - let's call it mail.example.com
I would like to be able to access mail.example.com internally for our user's smartphones - if they access our company WiFi they are not able to get mail using the mail.example.com as the server name in their phone setups. However, once they leave the office and use any other WiFi it works fine. Also, I am unable to ping that address from any internal device. I believe also this is the reason Exchange accounts do not work on our site to site VPN connections.
I have a ASA 5520 and work primarily in the ASDM 6.4 to do configurations in the main office and have 5510 in our site to site connections.
View 6 Replies
View Related
Jul 26, 2011
I am unable to ping inside interface (Rin) to outside interface (Rout) of my Cisco ASA 5520 runing on ASA Version 8.4(1).
ASA Version 8.4(1)
!
hostname FW5520
[Code].....
View 10 Replies
View Related
May 29, 2012
Is it possible for Time Warner Cable to use a pre-existing cable line which is going into my cable box to hook up a modem so I can have Internet? I've got a modem in another room but I don't want a cable running down my hallway for 30 feet.
View 6 Replies
View Related
Mar 30, 2013
i am not able to add new 3750G switch into existing domain even after the domain name is correct and unable to authenticate with tacacs.
View 5 Replies
View Related
Jan 19, 2013
I want to add new vlan in existing firewall group in 6500. I am confused if it will add new vlan or overwrite.. I am using ASASM module with 6500.
View 3 Replies
View Related
Nov 16, 2012
I cannot eliminate the lines vty in my Cisco 7609 router when I write show users, I obtain the following thing: [code]
View 2 Replies
View Related
Sep 20, 2012
We are using Cisco VPN Client 5.0.07.0290 to connect to our servers. We have Sonicwall NSA2400 FW and we have 2 ISPs. We have configured the Load balancing on Firewall in 'Spill-Over' mode.
So whenever the 1st ISP Line is on full load it will automatically moves the users on 2nd line.The problem we are facing here is users who are getting IP from 1st ISP Line they are smoothly able to connect to Cisco VPN client but the users who are getting IP from 2nd ISP Line they are not able to connect to Cisco VPN Client. This is really annoying as everyone should be able to connect.
View 8 Replies
View Related
Jun 5, 2013
In order to do a flash upgrade on a 5510, is there any way to get the files from the existing flash onto the new flash before you replace existing flash? Is there an online procedure?
View 2 Replies
View Related
Mar 21, 2013
I am having a problem trying to figure out how to add a new ASA 5505 to an existing network. My current network is:Cable Modem > Linksys > 48 port switch With multiple hosts residing on the 192.168.0.x network.Now i know that the ASA comes default with 192.168.1.1 on the inside interface and i want to change that to 192.168.0.1. I have tried to do this thru ASDM using the wizard and manually. Once i hit ok for it to write the config, it gives me an error that it didnt take. I then lose connection to the ASA and have to hard boot it to get it back.I am trying to do this without my external connection connected and i have a laptop connected to the ASA on port 0/2 with an IP address of 192.168.1.75.Do i need to connect my internet connection to it first and then run the wizard? I was hoping to get it configured for my existing network before i plugged in the internet connection to limit my downtime.This ASA came with 6.4.1 ASDM and 8.2 OS installed. i was able to upgrade the ASDM to 7.X but when i go to update the OS to 9.1, i get an error that i am not registered to use cryptographic software. Dont know where i need to register to get it?
View 4 Replies
View Related
Oct 10, 2012
Cisco 2500 series access servers show line usage with the "show line" command:
View 2 Replies
View Related
Mar 7, 2011
I am forced to upgrade my ASA 5520 software from 7.1 - 8.2 or higher, as I am not familiar with ASA I need expert opinions.I have following concerns regarding the upgrade.
1-Do I need to worry about the software licensing when I download 8.2
2-I read about the few difference in commands (ACL and NAT) in 8.2 what exactly I have to do here should I change the configured NAT and ACL with real IP in the existing configuration after the upgrade ?
View 5 Replies
View Related
Nov 2, 2012
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies
View Related
Sep 23, 2012
we have noted the automatically removing of the only "nat (inside,any)" line, during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why ?
View 1 Replies
View Related
Jun 11, 2012
we just bought a 2921 with the following modules: 4 port clear channel T1/E1 HWICSM-ES3G-24-P: EtherSwitch.I read some CISCO documents, and not be able to find what I need. I would prefer all instructions from you are for CLI interface.This is my first time to deal directly with T1, WIC and 2921 etc. The following is what I get from ATT, IP masked IP Address Block IP Address: 20.20.20.136/29 WAN Link Details: WAN Link IP Address:13.13.13.92 AR Serial INT IP Address:13.13.13.93 CR Serial INT IP Address:13.13.13.94 WAN Link Subnet Mask:255.255.255.252
A: how do I configure T1, what does "AR, CR" stands for, and do I need to use both IP addresses? What is the WAN Link IP for?
B: We have two T1 lines, so I should plug them both to the WIC, say port 0 and port 1, how to configure them?
C: how do I access the firewall from the command line?
D: I followed T1/E1 HWIC installation guide, and as soon as I add channel-group to the controller t1, the serial interface went down?
View 2 Replies
View Related
Jul 15, 2011
I am going to design one network. I had queries with this design.Let me explain scenario first( it was attached below).I have two sites, Site-A and Site-B, repectively.
In site-A i have one Cisco 1841 router, one Cisco ASA 5510 firewall and One cisco 3560 layer 3 switch.
in site-B i have one Cisco 1841 router, one Cisco ASA 5505 firewall and One Cisco 3560 layer 3 switch.
From ISP side
I have point-to-point leased line between sites A and B. And both sites have internet connectivity from another ISP.
I planned to terminate leased line in cisco 1841 router in both branches for branch to branch connectivity.
I will configure site to site VPN between two sites, A and B.
Here my query was i want make VPN as failover connectivity if leased line fails. In both the cases, i need internet to the inside users in both sides.
Summary requirement:Leased line is Primary and VPN is Back-up, if leased line fails. In both cases internet is needed to inside users.
View 3 Replies
View Related
Aug 23, 2012
We are configuring a twice-nat to send traffic for scansafe, its on a asa5505 ve 8.4(3) on a remote location for the customes. The nat redirecion is working but we also have a VPN tunnel to the corporate network. Through the tunnel we need to reach a http server. The problem we are having is that when we add the scan-safe nat, all http traffic gets redirected to scansafe, includind the traffic to the http server on the corporate network.
10.2.1.0 ---<ASA5505> ---Internet,scansafe ---- <Corporate> --- 10.1.1.0
the http server is 10.1.1.75
the remote location network is 10.2.1.0/24
[Code].....
View 9 Replies
View Related
Feb 17, 2013
We have an ASA 5520 with two VPN profiles working fine.Since some users are now working with Windows 8, VPN clients for Cisco ASA is not able to connect.I have read there are problems for such VPN Clients in that OS, and I should use now Anyconnect for them to connect. I thought we had anyconnect working also, because some users can connect to a web page they can do some kind of connections to internal servers, (web, telnet, rdp, etc) so I installed cisco anyconnect VPN client in a laptop and try to connect (same IP and port I used for that web page) but after signing I get the message AnyConnect is not enabled on the VPN Server.So I tried to follow a configuration guide for Anyconnect, but there's a step in which I am trapped, these are the steps: Click Configuration, and then click Remote Access VPN.
View 7 Replies
View Related
Dec 14, 2011
i have a site to site vpn stablished, the vpn works fine (while is up), i have a cisco asa 5520 and the other end of the vpn is a jupiter device that for technical reasons needs to send a continuos ping and when it does not receive a reponse back it brings down the vpn tunnel and reestablish it again. while the vpn is up traffic flows perfectly but because i m unable to repond to the ping the vpn is brought down as reestablished by the jupiter device. the jupiter device pings the encryption domain which is an ip that is natted to the real ip in the inside network. this is my configuration of the vpn:
AAA.AAA.AAA.AAA is the ASA public ip in the outside
BBB.BBB.BBB.BBB is the jupiter device ip (part of the object group IP_LIST)
CCC.CCC.CCC.CCC is the nat ip on the ASA
10.21.0.164 is the real address in the inside(code)
View 1 Replies
View Related
Dec 10, 2011
I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
FWSM/xxx03(config)# no access-list ?
configure mode commands/options:
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny
[code]...
How can I remove a line from the access-list without clearing the entire access-list?
View 3 Replies
View Related
May 27, 2012
I have an issue where my vpn clients are unable to access certain vlans in my network.I have configured an ASA 5520 with VPN access using the wizard and using the ASA as a dhcp server for VPN clients. I find that this allows the clients to access server resources such as the Exchange and Domain Controller but I find that these vpn clients are unable to ping each other as well as certain vlans that I have.Is there a way to configure the ASA to use a particular vlan that is already configured on the core switches?If I create a vlan interface and set the IP of it to 10.50.x.x then the vpn clients are suddenly unable to connect to any network resources...
View 1 Replies
View Related
Mar 12, 2013
i've got up and running a webportal on my asa 5520 os 8.2.5 and but i can not make the ssh plugin ver ssh-plugin.111006 work, all of the others work well, no matter what web browser i use always fail, I even upgraded to the version ssh-plugin.120911 but with no luck, is there a debug or something that i could use to make it work properly?
View 2 Replies
View Related
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
View 5 Replies
View Related
May 5, 2013
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies
View Related
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
View 17 Replies
View Related
Jun 11, 2012
We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow SMTP traffic to pass through from this interface.
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).
View 2 Replies
View Related
Apr 15, 2013
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies
View Related
Jan 4, 2012
Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies
View Related
May 22, 2013
I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
View 3 Replies
View Related
