Cisco Firewall :: 5520 VPN Traffic Between Interfaces

Jun 12, 2011

Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).

View 4 Replies


ADVERTISEMENT

Cisco Switching/Routing :: ASA 5520 - Can't Ping / Pass Traffic Through Interfaces

Apr 17, 2012

I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).

Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.

View 1 Replies View Related

Cisco Firewall :: 5520 - ASA Sub-interfaces NAT

Sep 7, 2011

i have an ASA 5520 running ver 8.4(1). have attached my interface config below and need to do the following, NAT traffic coming on GigabitEthernet0/2.101 to GigabitEthernet0/1, i.e. packets with destination 10.21.110.25 will be forwarded to 10.11.21.25, will a  nat (Production,Advocate_MPLS) static ... statement work ?
 
------------------------------------------------------------------------
interface GigabitEthernet0/1
description Production
nameif Production
security-level 100(code)

View 1 Replies View Related

Cisco Firewall :: Routing Between Interfaces On ASA 5520?

Jul 10, 2012

We have an ASA 5520 which is in multiple context mode. We are trying to pass traffic from the outside interface to the dmz interface. We have a /27 public ip range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.So i created the outside interface GigabitEthernet0/0 with 1.2.3.192/28 Inside Interface GigabitEthernet0/2 with 192.168.20.0/24 DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29 So all i want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214 which is the DMZ interface address on the ASA.

View 20 Replies View Related

Cisco Firewall :: Max Sub-interfaces For ASA 5520 Running 8.2.2?

Feb 28, 2011

I have a Cisco ASA 5520 running 8.2.2 with the VPN Plus license.  I am wondering what is the max number of sub-interfaces you can have on a physical interface.  I know on the 5505 it was 20 sub-interfaces if you were running the Security Plus license. What is the magic number for the 5520.  I have hit 20 sub-interfaces on gi0/1 interface and now I am starting to run into problems with sub-interface #21.

View 1 Replies View Related

Cisco Firewall :: Configure Sub-interfaces In ASA 5520?

May 23, 2012

I have a cisco ASA 5520 that i'm configuring.From the actual Firewall (with is a linux server), we have the outside interface eth0 with has a public IP and other sub-interfaces (eth0.1; eth0.2,...) with others publics IPs.I'd like to know how I can configure it in an ASA

View 7 Replies View Related

Cisco Firewall :: Routing Between Two Sub Interfaces On ASA 5520?

Oct 15, 2012

I have two virtual interfaces on my ASA 5520:

GigabitEthernet0/1.338     172.30.0.81/28
GigabitEthernet0/1.345     172.30.0.129/28
 
I have the security levels for both set to 50 and in the ASDM I have checked off "Enable traffic between two or more interfaces which are configured with same security levels"
 
But now the need has arisen that we allow each subnet to be routable to each other for SMTP traffic, how can I accomplish this?

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
 
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
 
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
 
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Sub-interfaces With IPv6 Prefix

May 31, 2011

We have been testing out IPv6 configurations on a 5520 running 8.2(4).  We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly.   I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work.  I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes.  But using the two methods yields two different interface configurations:
 
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test

[Code].....

View 5 Replies View Related

Cisco Firewall :: 5520 Static NAT And Same IP Address For Two Interfaces

May 28, 2012

We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
 
-static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
-static (production,Outside) 10.10.10.10  access-list production_nat_static_1

View 2 Replies View Related

Cisco Firewall :: ASA 5520 8.2 With Same Security Level Interfaces

Mar 27, 2013

I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]

I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Interfaces Bounced Due To WR Mem Executed

Sep 20, 2011

One line of an ACL was changed on an ASA 5520 (primary) and a wr mem was issued to save the change. It appears that when the wr mem was executed, the interfaced on the standby ASA bounced. Configurations have been saved in the past without the result of what's in the log entry.. 
 
ADC-5520-MGMT-FW01/stby# show logSyslog logging: enabled    Facility: 22    Timestamp logging: enabled    Standby logging: enabled    Debug-trace logging: disabled    Console logging: level errors, 1203060 messages logged    Monitor logging: level errors, 1203060 messages logged    Buffer logging: level errors, 17590658 messages logged    Trap logging: level informational, facility 22, 450126258 messages logged        Logging to management 10.5.3.214        Logging to management 10.142.20.214        Logging to management 10.218.3.31    History logging: disabled    Device ID: disabled    Mail logging: disabled    ASDM logging: level informational, 464351755 messages loggedSep 21 2011 17:35:29: %ASA-1-709006: (Primary) End Configuration Replication (STB)Sep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface managementSep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface outsideSep 21

[code]....

View 11 Replies View Related

Cisco Firewall :: ASA 5505 Traffic Flow Between Interfaces

Jun 13, 2012

I am fairly new to configuring ASA's. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to eachother but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviosly this may not be the case.

View 14 Replies View Related

Cisco Firewall :: ASA 5505 - Allow Traffic Between Inside Interfaces

Nov 9, 2011

I trying to allow traffic between 2 inside interfaces with the same security level.  VLAN1 and VLAN15.  The are on different physical ports on the ASA.  I tried to configure this through the GUI Web interface and checked ' enable traffic between two or more interfaces with the same security levels'.  With this ASA version, I do not need NAT to allow this, correct?
  
ASA Version 8.2(1)
!
hostname ciscoasa

[Code].....

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - 2 Internet Interfaces Without Traffic

Jan 15, 2013

I need to route to sub nets form 2 different ASA interfaces. The ASA also has an outside interface works like gateway for internet access. Here is my configuration:

ASA Version 8.2(1)
host name ICE3
names
interface Ethernet0/0
name if outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
[Code]....

View 9 Replies View Related

Cisco Firewall :: ASA5510 - Traffic Between Multiple Inside Interfaces

Oct 10, 2011

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.
 
Below is a sanitized version of the config.

ASA Version 8.2(1)
!
hostname BOB

[Code].....

View 11 Replies View Related

Cisco Firewall :: ASA5505 - With Two Trusted Interfaces / Traffic Not Going Out Of Inside2?

Nov 14, 2011

I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint failes.
 
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24.  I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
 
inside works just fine but no traffic is going out of inside2, not to outside or to inside.

View 8 Replies View Related

Cisco Firewall :: 5520 Recreate Logical Interfaces For Each Physical Interface

Nov 29, 2012

We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections.   We currently have failover on our 5520's. I found a lot of information out there but some seems to conflict one another.What are the things I need to look out for - caveats? Does the clients that connect to the VPN had to use different clients once the FIPS was enabled.Do we need to recreate logical interfaces for each physical interface we have?

View 1 Replies View Related

Cisco Firewall :: Create Etherchannel With Sub-interfaces On Asa 5520 Running 8.4.1 Code?

Jun 22, 2011

I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code.  It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it. 

View 4 Replies View Related

Cisco Firewall :: Configure ASA To Send All Traffic From (3) VLans To Interfaces That Connects To 2960?

Apr 18, 2013

I have a an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. . I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
 
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1 
 
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)The issue that i am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan).How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?

View 21 Replies View Related

Cisco Firewall :: ASA 5520 - VPN Traffic Is Getting Dropped Through Firewall

Apr 8, 2011

Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
 
2011-04-09 16:15:09    Local4.Info    172.16.1.68    %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653

View 1 Replies View Related

Cisco Firewall :: ASA 5520 VPN Tunnel Up But Not Traffic

Nov 1, 2012

We just migrated from a single 5510 to a dual (failover)  5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]

View 12 Replies View Related

Cisco Firewall :: Traffic Prioritization On ASA 5520?

Dec 1, 2011

I have a Cisco ASA 5520 (8.0) and I'm trying to figure out how to prioritize traffic to specific websites (by either domain names or IP addresses/ranges).  This document [URL] has some great examples, but I'm not able to create a class-map that will match addresses.  I'm not doing any other traffic manipulation on this ASA. 

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic Between DMZ Servers?

Dec 20, 2011

We can´t reach DMZ servers from other DMZ servers?If I make a ping from DMZ server to another, sometimes only recieve one ping, sometimes 4, sometimes 0.How can I allow the traffic between DMZ servers??
 
(ASA 5520 Version 8.4)

View 2 Replies View Related

Cisco Firewall :: 5520 - Traffic From Inside To Outside

Mar 2, 2011

I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.

asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......

Base on the above configuration, I still cannot ping or HTTP.

View 10 Replies View Related

Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
 
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Cannot Block Incoming Traffic

Dec 12, 2012

I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.

View 2 Replies View Related

Cisco VPN :: 5520 - How Much Traffic Pass Through Into IPSec In ASA Firewall

Mar 20, 2013

How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.

View 3 Replies View Related

Cisco Firewall :: 5520 Can't Get Traffic From Inside To Internet

Nov 27, 2011

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]

View 10 Replies View Related

Cisco Firewall :: Enabling Outbound Traffic Through ASA 5520 8.4(4)1

Apr 4, 2013

We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
 
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
 
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
 
I've also enabled IPSec pass-through Inspection to no avail.
 
how should we configure our ASA to enable this kind of traffic?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - Allow All Traffic From Frame Relay

Jun 14, 2012

I am installing an ASA 5520 and I have a problem on accepring the incoming traffic from an external office connected via Frame Relay.
 
On my OUTSIDE interface I have both the internet traffic and the external office traffic incoming. What comes from the external office is visible as 10.1.0.0/16.
 
I have to allow this traffic to enter the internal network, without any control. I would also keep the original IP address.
 
I have configured the Firewall but I don't know how to setup the NAT.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 8.2(1) - Botnet Traffic Filter?

Jun 28, 2011

When I try to configure the Botnet Traffic filter with the commad "dynamic-filter use database" through the ASDM I get the following error message.
 
[ERROR] dynamic-filter use-database  Dynamic Filter: New data file not terminated with newline

View 14 Replies View Related

Cisco Firewall :: 5520 To Pass Traffic Through Ssm 20 And To Create Sensors

Jun 20, 2011

I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved