Cisco Firewall :: ASA 5505 10 Host Limit?
Feb 26, 2013I updated an ASA 5505 to 50 users, but I still can only connect 10 hosts. In Licensing it show 50 insides hosts. I also tried to update to ASA 8.4.5 but that did not work.
View 2 Replies
ADVERTISEMENT
Cisco Firewall :: ASA 5510 How To Limit Icmp To Just Single Host
Nov 1, 2012I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host? What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 4.2.2.2 on the Outside, but thats it no other host would be PINGable.I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp" but then everything is PINGable and the ASA does not block anything.
View 3 Replies View RelatedCisco Firewall :: Two Host With Same Nat On ASA 5505
Mar 22, 2011I have 2 web servers that replicate between them (two different internal ip). My idea is that if one of them will not work, the other to do the relay.I have a Cisco ASA 5505 I can do a nat for each machine. How should I set ?
View 3 Replies View RelatedCisco Firewall :: 5505 - Host In DMZ Cannot Get Outside
May 13, 2012Based on the configuration pasted below, we believe the host (10.0.2.200 / 255.255.255.0 GW: 10.0.2.1 with external DNS servers configured) should have access to the web. However, it cannot resolve any names nor can it connect outside.
[code]....
Cisco Firewall :: ASA 5505 - Allow (outside) Host To (inside)
May 20, 2011I have a ASA 5505 Sec Plus. I would like to allow outside hosts to our mail server and also our FTP server. So i would like to allow only SMTP, HTTP (for Outlook Web Access) and FTP.
View 10 Replies View RelatedCisco Firewall :: ASA 5505 / How To Use A Host Instead Of IP Address For A NTP Server
Jul 8, 2012Instead of using a IP address I would like to use a host address that points to a NTP pool.An example would be:ntp server 0.north-america.pool.ntp.org Can this be done on the ASA series?
View 1 Replies View RelatedCisco Firewall :: Output Bandwidth Limit On ASA 5505
Jun 11, 2013I'm having a bit trouble to limit the bandwidth on outgoing traffic with a Cisco ASA 5505.
In my case I want to limit the bandwidth to 31mbit/s up and down on the outside interface. but with my current configuration, just the download rate gets limited to 31mbit/s when I do a tptest. and the upload is around 40/50mbit.
Here is the policy configuration,
access-list outside_bw extended permit ip any any
class-map outside_bw
match access-list outside_bw
[Code].....
Cisco Firewall :: 5505 Block Port 80 On A Specific Host In LAN
Apr 22, 2012I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
-access-list block_port extended deny tcp any host 10.20.10.20 eq 80
-access-list block_port extended permit ip any any
-access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
Cisco Firewall :: Limit Speed On Port Or VLAN ASA 5505
Aug 7, 2012We need to have one connection with less internet bandwidth assigned to it than all other other connections. Basically it is a separate conection from all others, incoming just from one switch port and separate VLAN.I know this can be done on the switch by limiting the bandwidth allocated to a port,
however, is it possible to have the speed limited down, just before it goes to the internet, ie, on the ASA, rather than doing it on the switch?The firewall is an ASA 5505.
Cisco Firewall :: ASA 5505 Connection Limit And TIME_WAIT Freezing Device
Sep 30, 2011My little ASA 5505 is working great The device appears to be artificially crippled and limited to 10,000 connections. This isn't a "CPU limit" it's just some fake limit in the device as far as I can tell.
The problem we have is that we are only using around 500-600 connections and CPU usage is only like 25%, and yet the connection count is pegged at 10,000 and locks us out of our network.
I am pretty sure this is because there are a lot of "dead" TIME_WAIT connections hanging around not being used. In our application we only have the couple hundred connections but they do move around a bit every now and then.
Is there anyway to get the device to ignore the "dead" connections and not count them towards the artificial limit on the device given that it's pretty clear the CPU / etc., is not utilized sufficiently. These aren't real connections, we only have a couple 100 established, they do just move around a bit however.
We are really only using 500-700 connections according to our servers, the others are just sitting in TIME_WAIT doing nothing.
Cisco Firewall :: ASA 5505 - Limit Access To Remote Desktop To Range Of Outside IPs
Jan 7, 2013After getting hacked I want to limit terminal server/ remote desktop to only my computer. (although I may need to let other net in later)
In other words I want only computers from my home ip range (lets say my ISP gives me at home something in 28.28.XX.0) to be let in to the router at work and then to port 3389.
In the work ASA 5505 softwareVersion 7.2(4) I now have:
access-list outside_in extended permit tcp any interface outside eq 3389
static (inside, outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
acces-group outside_in in interface outside
Cisco Firewall :: ASA 5505 - Local Host Names To DNS Server At Main Site
Mar 3, 2013 I ran into a very interesting problem that occurred today and I'm trying to figure out why it happened. If it was one ASA 5505 that just required the reboot, then I'd have just chalked it up to a glitch, but when we built a new AD/ DNS server on the main network at the main site and changed the 3 Remote site ASAs to point to the new DNS server in the DHCPD options, none of them could ping any local host names to the DNS server at the main site they were now pointing too, but external host names { URL} all translated and pinged fine.
From a laptop on one of the remote sites, we could ping the new AD/DNS server(192.168.0.3) and the old AD/DNS server(192.168.0.2) and everything else at the main site, and telnet to port 53 showed successful across the Easy VPN from the Remote site to the new server at the main site. When wire shark was added to the new DNS server at the main site, the DNS request and replies for {URL}, for example, came and worked fine, but any requests for local resources never made it to the server from the remote sites.
A reboot of one of the Remote Site ASA's corrected the issue. Then I rebooted the other two remote site ASAs, and now DNS was working fine for everybody. I had also tried clearing the ARP cache on the ASAs before resorting to rebooting them. I also tried rebooting the laptop thinking the local DNS cache needed cleared before resorting to rebooting the ASAs. I'm struggling to understand why external, public host names made it through and resolved from the remote sites to the new server at the main site, but anything local failed before even reaching the new server(The new DNS server could resolve requests made by computers at the main site, but the remote sites that traverse the Easy VPN from the ASAs failed). The new AD/DNS server is the only server configured for DNS for all remote site computers.
Is any of this making sense? I'm wondering if clearing the x late or local host tables would have corrected it without having to reboot. I'm just trying to grasp the understanding here and figure out what happened.
Cisco :: Licensed Host Limit Of 10 Exceeded?
Sep 28, 2011I thought that in the past I had problems with my ASA5505 because I had to reboot a number of times, now that I have logging enabled I can see the following: -Deny traffic for protocol 17 src inside, licensed host limit of 10 exceeded.Does this mean that I can not have any more than 10 inside host going out of the outside interface at any time, if not what this means and how I can solve it.
View 16 Replies View RelatedCisco VPN :: DS3 - Limit Number Of Active IPSec Connections Per Host
May 18, 2011I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidently, is initiating 200+ tunnels back to my side which is causing saturation issues on my DS3. (I can post config if requested), and how can I limit the number of active tunnels it's establishing?
View 1 Replies View RelatedCisco :: Bandwidth Limit In ASA 5505?
Aug 18, 2011I am using ASA 5505 cisco firewall as a transparent firewall. I have assigned ethernet 0/0 as outside interface and ethernet0/1-7 as inside interface. There are 3 departments in office. So, i connected ethernet 0/1 to Dept A, ethernet 0/2 to Dept B and ethernet 0/3 to Dept C. Now, I want to limit bandwidth to each department, e.g, 1 Mbps download/upload to Dept A, 512 kbps download/upload to Dept B and 512 kbps download/upload to Dept C. So, how can i do this in ASA 5505.?
View 1 Replies View RelatedCisco VPN :: ASA 5505 IPSec SA Limit?
May 2, 2012I am trying to replace a 1751 IPSec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer. There are a small number of workstations (~50) and low throughput (< 1MBps) across this VPN, the biggest trouble is the number of remote networks needed.
I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my ipsec sa's and can only pass traffic to some of the remote networks. Does the 25 IPSec limit apply to multiple sa's one one peer, I've only ever seen it spoken of as a 25 peer limit?
ASA 5505 - 10 License Limit?
Nov 27, 2011Hit my 10 license limit on my 5505 and am trying out how to clear the cache so my main machines can get online.
I connected some VMs to the internet so i could download updates and now im stuck.
Cisco :: ASA 5505 Licensed Limit For SSH Sessions?
Sep 11, 2011I have the default license for a ASA 5505 and this last Friday I received the attached log for SSH sessions through this firewall; we want to be clear about this issue. This limitation has to be with the 10 Inside Host or the Total VPN Peers limitations in this license? This firewall exists only to agree with a PCI requirement between our router and a communication with a Payment Card Industry Brand, all of this in the same site.
ASA5505 <164>Sep 09 2011 10:42:08: %ASA-4-450001: Deny traffic for protocol 6 src DMZ:X.X.X.X/2479 dst DMZ1:X.X.X.X/22, licensed host limit of 10 exceeded.
I hope that the communications through 22 TCP port, are not countable for license propose.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
[code]....
Cisco VPN :: 5505 / Remote Access VPN Allowing Only Since Host To Connect?
Jun 12, 2011I have created a RA VPN with a 5505 using Anyconnect client. My VPN functions perfectly, but now I am trying to limit access so that only one single host on my network can connect. To do this I tried creating an ACL permiting the host and denying all other traffic, but it does not work it seems every one can connect. how I can limit the outside access to a single host?
View 3 Replies View RelatedCisco VPN :: ASA 5505 DHCP Request Incorrect Host Name Length
Jun 26, 2011I have an ASA 5505 with software version 8.2(1). It is making DHCP requests for IPSec clients that connect to the ASA. The DHCP requests packets the ASA makes have an extra '00' appended to the hostname field, and the length field is the size of the hostname + 1. The DHCP server is Microsoft Server 2003 and this causes the hostname to be registered with an unknown character which appears as []hostname. Then when server 2003 tries to update the DNS record, it fails because of the invalid character in the hostname. Is there anyway to have the ASA have the correct length for the hostname field in the DHCP packet, or a workaround that will solve this problem?
View 5 Replies View RelatedCisco Security :: ASA 5505 / HTTPS From Vpn Client To Internet Host Through Tunnel Ipsec-spoof?
Jan 17, 2013we have a cisco ASA 5505 and are trying to get the following working:
vpn client (ip 192.168.75.5) - connected to Cisco ASA 5505
the client gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100) when i try to access the url from the client i get a syn sent with netstat when i try the packet tracer from the ASA i see the following:
<Phase>
<id>1</id>
<type>FLOW-LOOKUP</type>
<subtype></subtype>
<result>ALLOW</result>
[code].....
Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP
Mar 14, 2013IOS Firewall (ZBF) Limit SMTP connections from same IP
we are running a Postfix MTA behind a IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attemps like
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
Can we inspect the smtp and limit connections in a time period from the the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" .
Cisco VPN :: Pix 515e - Remote Host Cannot Ping Any LAN Host
Jun 27, 2011I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host.The VPN IP pool works finem,The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it.The default route on the PIX points out; no other routes are defined,The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.
View 2 Replies View RelatedCisco VPN :: ASA 5510 Ping / Communication Host To Host
May 7, 2012ASA 5510
Ver 8.2(5)
I have been looking all over the place for the answer of how to allow clients on an IPSEC VPN to ping from host to host.
Cisco Firewall :: Connection Limit On ASA 8.3 Above
Sep 22, 2011What would be the equivalent of the below static translation below which limit the connection to 100 and embroynic to 50 in ASA 8.3 above.
View 1 Replies View RelatedCisco Firewall :: How Many ASA 5520 ACL Limit
Jan 27, 2011i want to understand ASA 5520 ACL limitation as max ACEs . in FWSM case is following link "rule limits" section. [URL] but in ASA case, I cant find this information. where is this limitation in CCO?
View 9 Replies View RelatedCisco Firewall :: ASA 5510 / PAT Different WAN IP Tp Internal Host?
Dec 14, 2012We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
to:
object network BMMM
nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
Cisco Firewall :: ASA 5520 - SSH From Internal To DMZ Host
May 13, 2012I am not very familiar with ASA 5520 yet.I have been able to allow the OUTSIDE world to connect via SSH to the intermal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]
Can Pure IPv6 Host Ping A IPv4 Host?
Feb 10, 2011I'm just wondering if its possible to ping an IPv4 host using the IPv6 host assuming that the NAT64 has already been implemented?
[code]...
Cisco Firewall :: To Put In ACL To Limit Inbound 2621
Apr 20, 2013I have a 2621 router - old. but works well.Need to put in an ACL to limit the inbound SMTP traffic to be FROM a specific set of IP's, and deny all others.
I have tried various combinations with no luck. Something obvious, I am sure.
When I do a show access lists 160 it shows all SMTP traffic being snagged by the SMTP deny statement. All other traffic works correctly.
Here is my config so far...
Current configuration : 3093 bytes!version 12.2no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname xxxxxxxxxx!logging rate-limit console 10 except errorsenable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!ip subnet-
[Code] ....
Cisco Firewall :: ASA 5510 Ver 8.2 Rate Limit
Jan 17, 2012I'm trying to limit one of my inside hosts, since it's been a little of a hog. I have 3Mb available from my ISP via 2x T1. I'm testing this on a computer in a lab:
PC 10.10.10.10------Cisco2960-------- 10.10.10.1 Inside - ASA - Outside 208.66.x.1------------------------208.66.x.2-Cisco 2811-2xT1
Here's what I've tried so far, please see text in red:
***global (outside) 1 208.66.x.115
***nat (inside) 0 access-list No-Nat
***nat (inside) 1 0.0.0.0 0.0.0.0
[Code].....
It didn't work... I was able to max the bandwidth again. I also tried to apply service-policy to inside int, which didn't make a difference.
Cisco Firewall :: Can Configure More Than One Syslog Host On ASA 5500
May 31, 2012I would like to send my ASA 5500 logs to more than one syslog server - is this possible? I can't seem to find it in the documentation.
View 3 Replies View RelatedCisco Firewall :: ASA5505 - Can't Ping Inside Host
Sep 29, 2012I just try to ping a internal Host but it want to go.
Laptop<===>ASA5505
Connected is the Laptop at Ethernet 0/2 Inside
My running-config is a clear config, only VLAN 1 has a IP and Ethernet 0/2 is up.
But If I try to ping to the Laptop I get the followed:
asa5505# ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa5505#
From the Laptop to the ASA5505 I can Ping successfully.