Cisco Firewall :: 6552 Static Entries With Same Ip Address But Different Ports
Sep 15, 2011
Our proxy/anti-smap/IPS box called PROXY is behind our Cisco ASA firewall. The PROXY is set in transparent mode.The PROXY internal ip is 1.1.1.1 (internal ip)We have the MX record for mail.domain.com with public ip 9.2.7.5 (public ip as we entered with ISP public DNS)What happens now is that the emails that come through get "caught" by the PROXY and then we setup a thing whereby the emails are then forwarded from PROXY to our mail.domain.com server. Also, we made a static entry in PROXY whereby we can https to our email server for the outlook web access from outside of work therefore allowing for users to see the outlook web access web page.On the Cisco firewall, we put the static entry that 9.2.7.5 is mapped to 1.1.1.1 thus the mail server public ip is mapped to the PROXY.
Now, the box has this thing whereby it sends an email to all staff once a day telling them how many mails are legit, how many rejected and how many are spam - the spam emails are listed within the email and staff can at a click of a release button next to each spam email release a particular email from the PROXY box and make it to into their inbox. This works fine from the inside network, but I have issues from the outside due to the DNS and other things.I also put in the PROXY that any network can release spam and that our staff vlan can release emails. Also, on the inside of the firewall we did an access list that computers from staff vlan can access 1.1.1.1 on port 6552 (Which is the release spam port).Hence, we can release emails from internal network through the Microsoft Outlook.
On the outside network, we cannot release emails when using outlook web access.The host name for the PROXY release spam is proxy.domain.com so what we did also today is ask "ISP" to make an A record entry for another public ip which is 9.2.7.6 for proxy.domain.com.We meanwhile made an entry on the access list that comptuers from outside can access 9.2.7.6 on port 6552 (which is the release port).Now the only question is in regards to the static entries:
1. do we (and can we?) static map 9.2.7.6 to 1.1.1.1 through a port 3840 on the Cisco ASA (although we have already mapped 1.1.1.1 to 9.2.7.5 - I have a doubt here as this might mean we might not get emails? Or would we have to do the static again for this one specifcying the 9.2.7.5 as an smtp entry and the 9.2.7.6 as a release button?
2. have I made a mistake in general and should I have just told the ISP to make a CNAME entry for proxy.domain.com with the public ip 9.2.7.5 (which is the public ip for MX record?)?
View 9 Replies
ADVERTISEMENT
Aug 7, 2012
I have a FWSM cluster that I exceeded the maximum number of static nat entries on. i migrated the connectivity off to a pair of PIX 535's that seem to be handling the adderess translation needs. however the number of NAT entries being required is increasing and being the PIX series wal EOL'd several years back..I need to replace them.. The static 1-1 nat entries cannot be summarized into network as the hosts that are being nat'd are scattered all over various micro subnets in the all 3 rfc1918 ipv4 address ranges and they are being manged directly by snmp and SNMP-trap and other services that prohibit the use of many-to-one nat. Is there a mknown maximum number of static 1-1 nat entries that can be defined on the ASA 5515-x, 5525=x and higher ASA firewalls? Say I wanted to be able to grow to 2500 or more static 1-1 nat entries. I am currently running 2010 1-1 static host nats currently.
View 1 Replies
View Related
Jul 11, 2011
There is a PIX firewall and it has this configured on it.static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0.This line of code works ok for port 3389 but I want all tcp ports to be translated. Not just 3389.
View 2 Replies
View Related
May 28, 2012
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
-static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
-static (production,Outside) 10.10.10.10 access-list production_nat_static_1
View 2 Replies
View Related
Feb 3, 2013
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
View 4 Replies
View Related
Mar 20, 2012
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
[code].....
View 7 Replies
View Related
Aug 22, 2011
I have an 8.3(2) ASA with a single outside IP. Dynamic PAT translates inside addresses to the outside interface address. I would like to use static NAT with port translation to access an inside syslog server. I got an error when I tried using the outside interface address. Can I use both dynamic PAT and Port Translation with the same outside address?This is what I would like to use but I receive an error saying there is an overlap using the outside interface address.(192.168.1.0 is my inside network. 10.10.1.10 is the outside interface IP.)
object network inside-net
subnet 192.168.1.0 255.255.255.0
nat (inside, outside) dynamic interface
object network SYSLOG_SERVER
host 192.168.1.50
nat (inside,outside) static 10.10.1.10 service tcp ssh ssh
View 6 Replies
View Related
May 10, 2012
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 3 Replies
View Related
Jul 13, 2011
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 6 Replies
View Related
Nov 30, 2011
I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
Here are what I believe to be the relevant configs.
interface Ethernet0/0
description New 6mb circuit
speed 100
[Code]....
So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.
View 2 Replies
View Related
Aug 23, 2012
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255 Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
View 11 Replies
View Related
Dec 6, 2012
I am receiving this error after connecting a copper adapter on a GBIC blade in a 6509. Here are the results from the show Interface. I am waiting to confirm the device on the other side settings but as far as I see I get UP and Up for protocol and line respectively.
GigabitEthernet2/11 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 0009.11e4.f3ce (bia 0009.11e4.f3ce)
Description: RCPBSDEV
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
[code]....
View 3 Replies
View Related
Oct 12, 2011
how to read some of these log entries I see on the IOS 15.2 router I'm working with. I'm fairly new to this stuff. My understanding is that the first socket (123.123.123.123:port#) is the originating one, and the 2nd socket is the receiving or destination. This makes sense when I see an entry like:
01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80 due to RST inside current window with ip ident 0
The internal IP is our email server inside the LAN, the first IP is some IP in a foreign country, so someobody visited our web interface for the email server, obviously trying to breach or recon the interface but whatever. Then I see an (unrelated) entry like this elsewhere in the logs:
001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
What this latter entry tells me is that the Internet host sent data FROM port 25 to what I am guessing is the open port our internal email server must have originated some other communication from. However we do not accept incoming port 25 mail from anywhere but a designated IP so this "send" is not supposed ot occur. So first off, am I reading that correctly? Is the first IP the sending system, and the second IP the receiver? there are no other entries in the logs between these two hosts, so either the logs have truncated with oldest entries removed (log buffer is set to 51200), or that outside host is sending, hoping to get our mail server to respond? BTW, the outside host WHOIS's to Microsoft's IP range, Block 1.
View 8 Replies
View Related
Oct 13, 2009
Is it possible using any module in CW to get the MAC address and IP address of all switchports on a 6500?
View 6 Replies
View Related
Apr 6, 2011
I can not seem to view my "permit" entries in the log on my ASA 5520. I set up logging-lists, changed the level to 3 on the logging statement, and simply can't find it anywhere.
Partial config:
logging enabled
logging timestamp
logging JC-L3 level errors
logging monitor JC-L3
logging buffered JC-L3
logging trap notifications
[code]....
View 6 Replies
View Related
Sep 24, 2011
how many route entries can ASA5520 (8.2.1-k8) support?
View 2 Replies
View Related
Mar 13, 2011
Is it possible for a Cisco ASA 5580 to create Syslog entries when someone connects via HTTPS or SSH to it. I need to obtain information from Syslog when someone does this.
View 5 Replies
View Related
Dec 4, 2011
I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason. See output below (ASA 5510 with 8.0(5)23 code):asa5510-8.0# show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]
View 2 Replies
View Related
Mar 7, 2013
I have a SML2008 smart switch. I want to set a static IP to each port
View 4 Replies
View Related
Dec 29, 2012
We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
View 2 Replies
View Related
Jun 9, 2013
We have an ASA 5505. 5505 comes with two default vlans 1&2 with each of them marked as inside & outside respectively.My query is , if i do not want to use vlans on 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible?i.e. i want to assign a layer 3 ip address on eth0/0 and eth0/1 and make them as the inside & outside interfaces rather than vlans. is it possible to do away with vlans in 5505 & will it work otherwise?
View 3 Replies
View Related
May 14, 2013
Is there a way to associate spare firewall ports with another port that is being used..For example...int gi 0/2 is being used currently for my web dmz. Its ip is 192.168.10.1..Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2 ?
In my webdmz I use 2 ACE 4710 proxys in FT mode. I used a layer 2 switch to connect firewall and proxys together.
I would like to eliminate this switch if possible..and connect both 4710's (layer 2) direct to firewall.If I could make gi0/2 - 4 part of the same vlan, then I would be good to go.
View 2 Replies
View Related
May 13, 2013
Right now I have a lab setup with a couple of these AP's.They are both doing DHCP to get their IP address from a 5508.How do I set a static IP address on the AP?
View 5 Replies
View Related
May 26, 2012
I am trying to give an static ip address to a time clock on my network and for some reason when I connect time clock to network it will always get an ip address from a different network. for example my computer IP address is 192.168.2.70 when connected to network, my default gateway is 192.168.2.1, the IP address that the time clock always gets is 192.168.1.120, there is no way to tell the time clock what IP address I wanted to be it has to get it from router (that is what the manufacturer told me), router (16portLiksys) does not have DHCP enabled the guy who set up network left it disabled, on his notes he says server (dell server T110) is acting as router is that true that a server can be acting as router?what do guys think is going on here?all the computers hooked up to network have static IP address.I also notice that when I connect a computer to router it will get an IP address from different network the same as time clock.I tried to reserve ip address on router by entering MAC address from time clock but it won't work. I am not very familiar with the server settings I have not try changing settings on server, I am not even sure the guy who set up network is right about using server as router.
View 1 Replies
View Related
Mar 15, 2013
I have two different locations, two different ISP�s .
Cable �Modem--------Linksys Router WRT54G
DSL-Modem----------Linksys Router WRT54GS
One computer (Windows 7 Laptop) which travels between both locations.Can I or how do I setup a static IP address for both locations on my computer and not have to change settings when I change locations?
View 1 Replies
View Related
Feb 7, 2012
configure my cisco 892 router want a static ip address assigned to the interface because and I have no more internet on the router because am working on my network academy for CCENT?
View 28 Replies
View Related
Apr 10, 2011
I am trying to configure ASA to assign same static ip address to certain user(User1) every time when he connect to network via AnyConnect client. We have Windows AD and use LDAP AAA server for authentication of VPN Remote Access users. I found in document "Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2" in section "Configuring an External Server for Security Appliance User Authorization" explanation and configured ASA and User Properties in AD on exectly same way:First, I assigned static ip address in properties menu(dial in section) of User1 in Active Directory. Then I created ldap attribute map where I mapped msRADIUSFrameIPAddressattribute to IETF-Radius-Framed-IP-Address attribute. At the end I applied this ldap attribute map to AAA server group LDAP.
Although I set this up, whenever I connect using User1 credentials from AD I still get ip address from vpn pool instead static ip address that I configured. In output of debug ldap 255 command I found line "msRADIUSFramedIPAddress: value = -1062718956" but not any line that prove mapping above mentioned attributes.It seems like mapping is not working.All AnyConnect users get parameters from defined internal group policy on ASA,including addresses form pool,dns server etc. I want that User1 get static ip address and inherit all other parameters from group policy.
View 4 Replies
View Related
Apr 22, 2013
My second problem with sg200-08 (firmware: SG200-08x_FW_1.0.6.2.stk) is when I try to add specific MAC address as secure:MAC Address Tables - Static Addresses - Add; insert vlan id, port, mac address and select "Secure":I get error message: "Error: Failed to Add 'Static Address' entry.
View 3 Replies
View Related
Jul 11, 2011
I am connected to a static ip network. This network sets local ips to connected computers but general ip is the same: static ip of network. When i go to "whatismyipaddress", I can see this static ip. I want to change my ip address. I have no chance to use proxy server or router connection. Is there a way to change my ip address? (Because some sites ban ip address, ex:rapidshare etc. and I need to change my ip)
View 1 Replies
View Related
Jan 7, 2013
HP wifi printers (I've had 2 over the last several years)eventually have a disconnect with my wifi router and was told (by an experienced IT guy from my last job) I should assign the printer a static address to eliminate the problem. How can I assign a static address to my printer. Here are the models Router: Belkin model F5D9231-4v1(01); Printer HP Officejet 6600. I know how to access the printer and manually enter an IP address and subnet and such, I just don't know which numbers to use where. I also know how to access my router, via typing in the IP address in Internet Explorer, but i'm unsure of which tab within the router's page (i.e. is it category wirelessunder MAC address control) or which numbers (IP address or MAC Address)and where should I get the correct numbers from (i.e. go run, cmd,IPconfig/all).
View 6 Replies
View Related
Feb 24, 2011
Everytime I start one of my two Windows machines, I need to go to the control panel network adapter and enter the static IP address in the IPV4 properties. It is always blank after a shutdown.I have two machines that are networked for flight simming.One of the machines must have a static IP so I configured both static. Not sure if this has anything to do with my problem.
View 5 Replies
View Related
Feb 7, 2011
A business network has had a Static IP Address for several years. Recently, something caused the settings to be changed to "Obtain an IP Address Automatically". As a result, pcAnywhere will no longer connect, and this is a critical function of the office. This has to get fixed. I've attempted to put the settings back to what they were (The IP Address, Subnet Mask, Default Gateway, etc...) but now the Server will no longer connect to the internet when you setup the Static IP. The settings I am using are exactly the same as the ones from over 2 years ago. Now they no longer work, and networking is confusing to me.
View 4 Replies
View Related
Jun 10, 2012
I've had the same IP address for years and want to change it to a new one - I have a dynamic IP but for some reason it will never change.It looks as if it's always static-what settings I need to change on Windows 7 to get it to roll over onto a new IP address?
View 1 Replies
View Related
