i am working on a project with 2 security ASA's 5520 with Microsoft ISA/TMG-2010 Server having 2 DSL's my question is regarding the designing issue where should i connect the 2 DSL's using ISA/TMG-2010..
View 1 RepliesI need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with it's capabilities to act as a DHCP server (it's not an option in the ASDM) or it's ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site to site VPN. As is the 5520, so all of it's interfaces are used as well).
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set it's default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I dont' just connect the two swtiches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why i can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.
We have a 5520 ASA running 8.4(2). We are trying to setup Clientless VPN access to our SharePoint 2010 environment. We have most of it working, however there are a few things that do not function right in SharePoint via the VPN but function fine internally. Are there any special things to configure specific to SharePoint? Some of the things that do not work include the SharePoint ribbon, up level function, opening of documents within SharePoint, etc.
View 3 Replies View RelatedWe have the following setup on our Cisco ASA version 8.6.1 One to one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster but when the cluster failover it cache the IP address and are not updating the new MAC when the cluster failover. So users from the outside are unable to connect to the new node from outside the ASA as the MAC address from the passive node is in the MAC table. The MAC address on all the switches update within 2 seconds on the internal network and users don't notice any outage.
View 4 Replies View RelatedI am trying to port forwarding Exchange 2010 OWA using ASA5505, wherever I used object NAT or Twice NAT it just doesn't work.... here is my config:
access-list outside-access remark "Exchange Server Access Rules"
access-list outside-access extended permit tcp any host <public x.x.x.11> eq smtp
access-list outside-access extended permit tcp any host <public x.x.x.11> eq https
[code]...
note that i use public ip <public x.x.x.9> on the outside interface for PAT, so all hosts in the same private can access internet
I have need to test async communications through a pair of CGR 2010's..This emulates some particular serial-talking-only devices at either end that want to communicate with eachother. I've done stuff like this before but with modems attached to the PC's.
View 1 Replies View RelatedI have a toshiba 2010 windows 7 laptop, and like two days ago it wouldnt connect to my wifi. i keep going to network and sharing but my network wont come up everyone elses does though. ive tried to fix problem but it just keeps saying connect to a network..or plug in ethernet.
View 1 Replies View RelatedI had a design question, Currently we have a active/passive asa 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet, Gig 0/1 connects to a port on the active firewall. We also have a one port fast ethernet card on the router.How can i use the fast ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the fast ethernet port on the router.
View 3 Replies View RelatedI am trying to connect two overlaping IP address sites ( see attached diagram). Site A LAN address will dynamic NAT to 10.1.1.0/24 at ASA5520.All the users from site A need to get services from site B ( DHCP, DNS, Mailbox,Print Servers, AD loggin etc). All the connections will be initiating from site A to B.
1-will all these services will run over NATed address.( dynamic) or I have to change to static NAT?
2- Any sample config for ASA 5520 for this type of network?
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies View RelatedI'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedWe are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
How do I set my network key in Microsoft Word 2010
View 1 Replies View RelatedI try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies View RelatedTwo different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedI have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
We have acquired a cisco sge 2010 to replace our distribution switch. I set up the 802.1X network. Everything works great except I can not find how to enable 802.1x with 'Wake on LAN' on this kind of switch.
On catalyst I saw that it was sufficient to activate this control "authentication control-direction {both | in}" Except that it seems not to exist on this switch. Is there another way to enable 802.1x on WoL without using this command?
Or how to allow the magic packet (WoL) on a tagged port by unauthorized 802.1x?
I am working with a client to implement QoS for their Lync environment. Lync 2010 has this feature to mark dscp values based on packets tagged with logical ports. As an example, packets on port 49000 til 49999 will be marked to dscp 46(ef). On Cisco 2811 router, I am basically honouring the markings by the application and placing bandwidth priority on them and sending it out to the WAN.
The behaviour that I notice is that when port based packets are marked with a certain dscp value on the application, the router policy map doesn't pick up any packet increment for that dscp. But when all packets without port assigning to it are marked with certain dscp value, I can see increment on the router policy map for that dscp match. Why is this so???
The client wants the Lync to mark the packets with dscp value and the router is suppose to honour the marking, schedule the priority and send it out. [code]
We have a pair of ACE 4710 devices in front of a TMG 2010 array (3 members) and are having some issues. We have a nat pool on the ACE and need to be able to use integrated authentication in TMG since we are filtering URLs based on user ID. For example some users might have access to certain websites that other users do not have access to. TMG does all this fine when we send traffic directly to one of the TMG servers and it can successfully authenticate the user using the active directory username that was passed through. The problem occurs when we send traffic through the ACE first, upon which time the user credentials are no longer appearing to TMG and the user is getting prompted for a username/password whenever they try to access a website. Even when they do enter their username and password (which they shouldn't have to do) the request is still denied by TMG since it is coming from "anonymous" instead of their actual username.
Another problem we seem to be having which isn't as important right now is the fact that since we are using a nat pool on the ACE, every web request to the TMG servers comes from one of the NAT addresses, rather than the original client IP. Is there any way to get around this and have the actual client IP show up instead?
Currently i am having a scenario where i have setup RV042 and which is connected to Microsoft Forefront 2010. PPTP works fine only on rv042 subnet but i am not able to access the "internal" network of TMG.
RV042 (172.16.1.1) ---> TMG [external] (172.16.1.2) ---> TMG [internal] (192.168.1.1)
Is there any way through static route to access the TMG internal network through RV042 pptp server ?
Lost pin number for Microsoft 2010?
View 1 Replies View RelatedI downloaded the ISO for SSE 2010, and the damned thing is too big to burn to a DVD5. I doubt seriously MS expects people to have Dual-Layer discs handy.Is this intended not to be burned, but installed from the desktop instead? I can open the ISO just fine with WinZip.
View 5 Replies View RelatedI have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot:
[Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies View RelatedI have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
View 2 Replies View RelatedOur Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)
I'm looking to do a basic QOS configuration which states that VOIP traffic has priority over anything else.
View 3 Replies View RelatedIm testing ASA 9.0, that according to the release notes should support SharePoint 2010.But I still get the same problems I had with previous versions: the ribbon does not show up (just a loading spinner) and javascript popups do not show as well.
View 3 Replies View RelatedI have got a TMG 2010 and i want to use Skype through it. if HTTPS inspection is enabled skype doesn't work, if it is disabled skype is working.What can i do for using Skype behind a TMG with httsp inspection so i want to use 8080 port only.I have excluded the 1 PC from HTTPS inspection or the destination URLs from HTTPS inspection.
View 1 Replies View RelatedI think that our users are at the largest capacity for attachments, twice in the past week one of our users did not received important emails because of the attachment size limit. The problem is that the sender thinks we got it b/c there is no bounce back and we have no record of the email being sent. my question is how do i increase the attatchment size for incoming emails?
View 4 Replies View Related