My web server sits behind an ASA 5500.When I access the web site from outside, it works fine. When I try and access it from the server itself, I get"Internet Explorer cannot display the webpage" error. I can access other web sites, such as Yahoo.com, Google.com, etc. I have rules setup to restrict/enable incoming traffic, but I don't have any rules setup to "loop back".
View 18 RepliesWe use multiple ASA 5500/5580 cluster systems running 8.3 software versions.Actually we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-asa). Recently we suffered a strange incident while implementing a new SIEM collection station now situated in a dmz that is located on one of the ASA contexts. We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ..since we did this and redirected the syslog we see double traffic and spoofing errors on that context
a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server ip (there is however no trace of its ip in the config)
b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error on the traffic
c/ strangely the data gets also correctly forwarded to the new SIEM collection stations.
We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system.I finally got out of the issue by reconfiguring al the other contexts to forward their syslog towards the same new server , since that moment we no longer have the double logging and spoofing error , all syslog traffic goes correctly to the new SIEM agent. It looked like some remenants of the old syslog config remainded on the asa event after deleting and introducing a new config line (we used the asdm to execute the action) as said either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog can find the behaviour in any buglists either way.
I'm looking fot a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.
So, i was wondering if i can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
administrator wants to manage ASA 5500 using inside interface.{telnet or ssh].Allowed telnet and ssh in ASA 5500 but unable to get access from administrator PC..Is there a way to do it without enabling NAT on the ASA? Will a specific rule on ASA allow adminstrator to access ASA 5500 inside interface via ssh or telnet?
View 2 Replies View RelatedWe currently have one Cisco ASA 5510 firewall at our mailn office. Our firewall does not let users access the internet. We currently have a web proxy that lets users access this. I need to let users access one website through the firewall without going through the firewall. I believe this is possible if I use dynamic NAT.
View 1 Replies View RelatedOne of my Clients just aquired a CISCO ASA firewall, and they would like to restrict internet access, that is they want to block internet for Junior employees while managemnet remains connected, Looking at the situation, The ASA serves as the gateway,I tried an Access list like below for one pc to test if it works but instead everyone just went off, may be i misfired somehwere.
Access-list 110 deny tcp any host 192.168.20.100 eq wwwAccess-list 110 deny tcp any host 192.168.20.100 eq 443Access-list 110 permit tcp any any eq wwwAccess-list 110 permit tcp any any eq 443access-group 110 in interface inside
Recently i have upgraded the IOS of ASA5550 (in HA mode) to 8.4.2 from 8.0.5, after OS upgrade we found that the syslog from thses firewalls are not getting captured/transfered to centralised syslog server. The server is reachable from the firewalls.
View 3 Replies View RelatedWe are retiring our current radius server. It is windows 2003 IAS server (also a DC) that we use for 802.1X authentication. We are moving to server 2008r2. I have already installed NPS and Network Authentication services on the server.
On the existing IAS server I exported the settings (using iasmig reader.exe) and was able to import the profiles (I see the 5500 as a radius client etc) Our 5500 is still pointing to the old server.
Is it as simple as changing the ip of the RADIUS server to point to the new server? It looks like I actually have to add the new server and create a new pres hared key on the NPS server but only find documents on adding a new 5500 (vs flipping it to a new NPS server).
I need to do one Catalyst 5500 as a TFTP server.Can I do it?Is the catalyst available to be a tftp server?
View 4 Replies View RelatedI have two 5500-controllers and one WCS-server. Now I will have to move the WCS-server to another subnet and change the IP, but it will keep the name.Will that effect the connection between the controllers and the WCS?Do I have the change anything in the configuration on the controllers or the WCS-server?
View 3 Replies View RelatedI have a 5500 controller that we use to manage our lightweight access-points. We have had complaints that the 'guest' vlan in the boardroom is not usable. Our guest vlan is in fact overloaded.
I went back to the original site survey and noticed that coverage for the room is not ideal so I would like to have a new lightweight access-point installed in the boardroom and somehow limit the access to it to only a few people.
I upload files to the FTP server and some of the folders I didn't have access to, so I had to call the company server tech to allow me permission. He said he never created any restrictions on the account when he made it (Which he probably did, just forgot,because I use another unrelated FTP server with no problems.) So he made a new account for me to log into, at the very moment I typed in the login info (FileZilla) it said could not connect. So I went to input my old login into, still didn't connect. At that point on the whole website for me just results in a "Could Not Load Page blah blah".Doesn't work on any browser. Doesn't work on any computer on my wireless network, or a laptop hardwired to the modem.
Works on my friends connection at his house, works on my iPhone's 3G connection, but not on my wireless network. So basically it works everywhere in the world but my house. Which is great because I work for them and I need to have files uploaded by the end of each day. I have told the server techs and they said they didn't do anything but make a new account. I did all the DNS and IP crap, I refreshed the caches, ran a disk cleaner/ defragger. I get some interesting results when running tracerts and pings. I CAN view the site through a proxy.ALSO, they told me their servers crashed overnight because of some solar flare just a few days ago. So the site WAS down for a few hours, but when it came back online, it wouldn't load for me.
I think its unrelated because I lost access before their servers crashed the following night, just letting you know that happened.My connection is fine, chatted with AT&T they said everything looks fine on my end in the router settings. Which should be correct because I've been years on this router with no problems at all. Everything works flawlessly. (Steam downloads, YouTube, I've been gaming on Portal 2 Co-Op and Battlefield 3, 64 players!) So it's nothing to do with me. I did notice that uploads took a little longer than usual to initiate, but a SpeedTest confirmed the connection was solid and at my level. Just took a few seconds to "start" uploading.
Can any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.
We assign in our IPSec VPN the tunnel-address from our centralized dhcp server pools.In the profile we have two server's ip configured.In test (whireshark) we noticed that the discover always go to the first configured ip.
I do not understand and could not finf hints how the function is.
- backup server with a timeout when no answer comes from primary ?
- should ASA do simultaneous discover to all configured ip's ?
=>Problem is, that although the first server not answered in a timely manner, we noticed no discover to the second.
Here the partial CLI - Config:
++
tunnel-group AZInt07 type remote-access
tunnel-group AZInt07 general-attributes
authentication-server-group ActivPack
default-group-policy AZInt
dhcp-server 10.x.x.y
dhcp-server 10.x.y.y
[code].....
getting process to upload my website on WWW Server?
View 1 Replies View RelatedAll of a sudden -it worked before for ages- I cannot connect with just one particular Web site via either of my two Win XP and one Win 7 machines hard wired to a common Linksys Router/hub/switch. The message is much the same either via IE or Firefox, e.g. "server not found" I tried a Ping cmd with the same result-not found.
View 4 Replies View RelatedI've been trying to connect to a particular website for a couple of days now, but always get "Server not found" error messages in Firefox. I have tried connecting on IE and Chrome as well, along with the 2nd computer on my wireless network. No luck there either though. I have been able to connect to any other website just fine. Between the two PCs on my network, I'm running Windows 7 and Windows XP.The website in question is currently up and they have said that no issues have been detected on their end and that it might be a DNS problem on my end.
View 4 Replies View RelatedI purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)
How to connect window server data to website. when i change in server than update website data.
View 1 Replies View RelatedI am looking for ways to access (1) my (own) web server (with IIS 6/Apache) (HTTP)(2) my IP/Network cam (RTSP)from my smartphone (3) from "Internet". I am a .NET-system developer but my networking skills are very poor.My problem is that there are obstacles, i e an evil firewall (4). Since my web server (1) and IP/Network (2) cam are behind it (4), I have absolutely no idea how to access them from my smart phone (3) from Internet.My ISP doesn't allow port forwarding, but I know that there is a Socks5 server which I can reach @port 1080. I believe that I can use it somehow?Is it possible to reach my web server at all from outside the firewall? How? Are there any other solutions for me except for changing my ISP?
View 3 Replies View Relatedcan I add a server 2003 on my home wireless network (4 computers) to run a website. I am trying to redirect a AU domain to 2003 server
View 2 Replies View RelatedHow can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
View 3 Replies View RelatedWe have a Cisco ASA 5505. As of yesterday we could no longer access our web server (the web server is hosted off-site). Pinging the DNS address and direct IP (from the firewall and a PC) both return no response. Pinging the IP from the T1 router responds properly, meaning the router can access the web server, but the firewall cannot. Accessing the web server has never been a problem, and no configuration changes have been made to the network/firewall. Other locations can access the web server just fine.
View 1 Replies View RelatedI bought ASA 5510 about a week ago, very basic configuration and my priority was and still to get access list inbound the outside “Security Level 0 “so I can access my web server from the cloud but unfortunately I could not make it work (((TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80))). ••à>> 92.40.X.X is a pc from the cloud that I used to access my web server and the 81.108.X.X is my public ip address My recent Conf is as follow:
Nat Section:
==================================================================================
Dynamic:
nat (inside,outside) source dynamic any interface <<<To have the PCs that inside the Network to have access to Internet>>>>
[Code].....
There is web server at the internet. The firewall ASA5505 is located at the inside edge of the edge router and the internet is at the outside edge router of the edge router. The router has already been configured can route the outside network of firewall to internet. [code]
1. I have a host at the DMZ zone of firewall and if it wants to access this web server by http, the following command lines to be added to ASA5505 good enough and anything wrong with them? [code]
2.I have a doubt here that do I need to add any command line related to the Static Mapped address of 192.168.20.10/24 like below?
access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80.whereby the 192.168.20.10 is the static mapped address of the Host at the DMZ to Outside Nertwork. Or, any other command related with the Static Mapped address have to be added?
I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. after rebooter the cluster, I try to access it with ASDM installed on my computer but it blocked at 17%.I tried to access [URL] but I just an error (with IE & FF) [code] What did I miss in the ocnfiguration ? I precise that I never used the http page, I already had the ASDM installed from another ASA.
View 4 Replies View RelatedTrying to figure this all out. I'm getting untranslated hits. I posted the config I have so far.
Code...
What I have is 3 interfaces on my PIX.- Outside: 216.116.87.0/24 (security level 0)
- 469: 172.16.6.0 /24 (security level 10)
- 571: 192.168.255.0 /24 (security level 1)
My users on 571 need to access a web server on the 469 interface. However, the requirements are that the 571 users can only access the Website using the public FQDN which there is a static NAT from outside to 469. [code] Here is also the Packet-Tracer and it shows what I expect that the traffic is source from 571 and exits 469. However, the users are not able to access the website.[code]
First off, let me preface this by saying that I'm a novice when it comes to firewalls and more specifically, the ASA. I do however, have an above average understanding of switches/routers.
We have an ASA 5510 running 8.3 and recently I've decided to clean up the last admin's mess. All hosts and servers are on the same subnet, multiple subnets on the same VLAN... and a slew of other problems. Anyway, I recently placed the IT department on another subnet to test some things out before I migrated other departments to different networks. Everything seems to be working as it should be with the exception of one of our servers. The IT subnet is 192.168.150.0/24 and the problem server is on the 192.168.10.xxx network. I'm guessing the issue lies somewhere in the fact this server does have a static NAT and is accessible from the public. Let me give you an overview of what our network looks like:
ISP ---->ASA----->3750----->2960
My workstation is directly plugged into the 3750 switch, and the server is plugged into the 2960. I'm able to ping this server by both IP and hostname. However, I cannot access port 80 by IP or hostname. The users that are on the 192.168.10 and 192.168.11 (sadly both of those are on the same VLAN) network are able to access this server without a problem. Thinking logically, I thought I would send a packet from my workstation, it would head to the layer 3 switch's VLAN interface corresponding to my subnet, realize the .10 network is directly connected and then forward the packet straight to the server. However, it doesn't seem to be working that way. It look like it's being routed to the ASA then being dropped. I guess there's an access rule or firewall rule preventing me from getting to the server. Is there a specific part of my config you will need to see...
I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network) Those networks (10.132.0.0/16) come from the DMZ interface.
View 12 Replies View RelatedI have verizon wireless router to connect to the internet via FIOS. The public IP on the wireless router is DHCP assigned. I have my home lab with cisco 2511 and octal cables. I would like to be able to access the terminal server remotely via the internet when I'm not in. I'm concerned cause the wireless router is DHCP assigned IP. Even if I have a static IP on the ethernet port of the 2511 connected to the wireless router, I'm not sure if the NAT will work so it can be accessible from the internet.
View 2 Replies View RelatedI tried the solution posted at [URL] however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address so the web server is responding to port forwarding through the one public IP already. looking in ASDM it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
object network Private_IP
host 192.168.1.15
object network Public_IP
host 1.1.1.1
object-group network internal_net
[code]....
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.
Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I havent tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
[OK] object network SBS-HTTPS
object network SBS-HTTPS
[ERROR] nat (inside,outside) static interface service tcp https https
NAT unable to reserve ports.