Cisco Firewall :: ASA 5505 Blocks New Connections To IP
May 22, 2012
I am trying to get up to speed on this topic as quickly as possible.
Here is my issue:
1) We are able to access the webiste
2) We are able to upload data packets
3) We allow the website to time out while we are uploading data packets
4) When we attempt to re-access the website the ip is blocked a) this includes pinging and trace
5) After an undertermined period of time the ip is unblocked and we are allowed to access it again.
The ASA 5505 router is the last forward facing stop before entering the VPN tunnel. We have tested by circumventing the ASA and we are unable to duplicate the disconnect. We have reviewed the config file and have not been able to identify what rule/settings could be affecting this.
when tracing port usage, the actions use 2 tcp ports and 1 udp port, the 2 tcp ports open and close by each transaction, when the ip block occures the 2 tcp ports are "dead" the udp port remains open (appearhently sending the remainder of the data packets)
View 1 Replies
ADVERTISEMENT
May 22, 2012
I am trying to configure my ASA 5505 security plus through ASDM to receive two blocks of outside IPs (each of which is on a different subnet and a different gateway ip) to translate to my internal server giving it public access.I have searched for days (and maybe incorrectly) but I am finally asking for the configuration of the ASA to support this.
View 1 Replies
View Related
Jan 16, 2013
We have 2 IP blocks from my ISP. We have been using just one a /30 block with one IP address used on the outside interface of the device. The new block is a /29 range and I would need to use just two of those IP addresses. Here is the situation I am facing.A company we partnered with wants to set up a VPN, they will send us 2 Cisco 861s to put behind our ASA. Is it possible to assign these 861's with public IPs from the block that we are not currently using? (the /29 range)? I know that it might require an upgrade to the Security Plus.
View 7 Replies
View Related
Nov 25, 2012
i cannot send emails to outside, i have an access rule on interface inside permit source: inside destination: any servic: tcp/smtp and when i make paket tracer it shows me that the packet is dropped but i cant see through which rule!!
ASA version: 8.4(3)
ASDM version 6.4(7)
View 2 Replies
View Related
Nov 5, 2011
i have with my Edimax router. I could not make any progress with Edimax personnel in Taipei.
If i connect my vista box directly w/o the router, i can see that port 21 (Filezilla) is open, using WhatsMyIP.org | Port Scanners/Sniffers
When I insert the Edimax br6215srg router, the port is in timeout as reported by aforementioned site (guess the port scanner gets no synack nor reset back to the syn it sends)
The router is set to "disable firewall" or to "enable firewall and DMZ enabled" with as client's ip the one that is configured in the router's dhcp table for the vista box. The NAT module is set to forward port 21 to the same ip. ipconfig confirms that i do get the ip programmed in the router's dhcp table.
I do not want to believe that this edimax box is unable to forward connections!
View 19 Replies
View Related
Jan 10, 2012
Since the change from TeamViewer 6.x to TeamViewer 7.x my router's (WRVS4400N V1.1, latest firmware V1.1.13-ETSI from 2009-02-24 and latest IPS definitions 1.50 from 2011-08-09) IPS blocks its connections to my remotely supported computers claiming a "P2P Vagaa connection attempt - 2". This is not happening with TV 6.x.Who does the error, TeamViewer or Cisco?
View 4 Replies
View Related
Mar 1, 2012
We have a user who needs to access a vpn from his MAC through an ASA 5505. The user is getting an IP via DHCP and the outside interface of the ASA gets it's address via DHCP as well. The user states that when he is home or anywhere else but behind the ASA it connects fine, but once the ASA is added it times out. He is able to get to the internet from the machine without any issues. Looking over the config on the firewall it isn't set to deny any traffic and there is a global set on the interface and it is nat the inside interface. There is no global policy in place so I was considering implementing the following:
policy-map global_policyclass inspection_default inspect pptp
View 2 Replies
View Related
Oct 21, 2012
When we say that ASA 5505 supports 10k connections does it mean that we can have 10k connections to the different websites?
View 5 Replies
View Related
Mar 22, 2012
How do I monitor connections to the DMZ port on our ASA 5505 (via ASDM 5.2)? We have a WAP connected to it and it's intermittently dropping connections.
View 2 Replies
View Related
May 16, 2013
I have an ASA 5505 with Security Bundle license.
I am able to create 2 LAN networks (192.168.9.0 and 172.16.9.0) Vlan1 and Vlan12 respectively. I also setup 2 outside interfaces (outside1 and outside2).
Network 1 (192.168.9.0 - VLAN1) has no issues going out via Outside1, however I can't get Network 2 (172.16.9.0 - VLAN 12) to go thru outside2.
I put in a static route (route outside 172.16.9.0 255.255.255.0 x.x.x.x), the x.x.x.x is the default gateway of my ISP.
View 7 Replies
View Related
Nov 21, 2012
A client has an ASA 5505 with a base license. The version information and configuration is attached. In 8 hours, sometimes less and infrequently more, it becomes inaccessible. All connections are dropped and the only way to access the device is through a console connection. The WAN interface (VLAN 3) is connected to Verizon FIOS. The interface was set to 100 MBps and full duplex, but I just changed it to auto on both the speed and duplex to see what would happen. The LAN interface (VLAN 1) is also set to 100 MBps and full duplex It has not been changed.
The last time it happened logging was running, but nothing in the log indicated a problem. In fact, the last log entry was a couple of hours before the lockup (there's little or no traffic on the ASA while the problem is being diagnosed).
View 3 Replies
View Related
Feb 12, 2013
Trying to add inside routes on an ASA 5505 to point traffic to another gateway for other connected networks is resulting in the following error 6Sep 16200 819:13:5810601510.184.236.1265003810.170.54.1823389Deny TCP (no connection) from 10.184.236.126/50038 to 10.170.54.182/3389 flags RST on interface insideI believe the problem is due to the Asymetric tcp connection and the ASA is dropping the connection because it only see one half of the traffic.Is there a way we can stop the firewall dropping the TCP connections on the inside interface? i've tried removing the threat managment which didnt work.Annoying thing is were putting the ASA 5505's in to replace old Watchguard soho firewalls only the watchguards forwarded the traffic no problem at all.
View 1 Replies
View Related
Mar 20, 2011
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
These seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all.) Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
View 3 Replies
View Related
May 8, 2012
I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.
Specific error is:5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure
Here is my config.
: Saved:ASA Version 8.2(2) !hostname asawooddomain-name wood.localenable password W/KqlBn3sSTvaD0T encryptedpasswd W/KqlBn3sSTvaD0T encryptednamesname 192.168.1.117 kylewooddesk description kyle!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address dhcp setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa822-k8.binftp mode passivedns server-group DefaultDNSdomain-name wood.localobject-group service rdp tcpdescription rdp accessport-object eq 3389access-list outside_access_in extended permit tcp any interface outside eq 3389 access-list outside_access_in extended permit tcp any interface outside eq 8080 access-list outside_access_in extended
[code].....
View 2 Replies
View Related
Oct 3, 2011
I have an ASA that is logging the message %ASA-3-321007: system is low on free memory blocks of size 2048. I ran the "show blocks" command and the "Cnt" value for the 2048 blocks is 0. How do I reclaim these blocks and what are they used for?
View 1 Replies
View Related
Mar 19, 2013
I tried to create an ACL for IPv6. But the acl always drops my packetes. Only in case I allow an Permit Icmp6 any any statement. It works.
With detailed IPv6 entries. I have got drops.
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
This is the one with the permit icmp6 any any statement, it works !!
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da(code)
View 4 Replies
View Related
Jul 12, 2011
I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP Addresses?
View 9 Replies
View Related
Sep 6, 2012
I have two complete networks in my office. I want to access my printer from both the networks. Condition: With the Firewall I can't access computer of one network from another how can I access the printer from both the LANs. I am not allowed to play with Firewall.
View 1 Replies
View Related
Aug 24, 2011
I am having trouble with our ASA5510. After upgrading the internal memory from 256 MB to 1 GB and upgrading the firmware to 8.4.2 we are experiencing that the ASA is running out of 1550 byte blocks. When that happens it is not possible to connect to the ASA by ADSM or SSH and new VPN IPSEC tunnels are not coming up. The only way I know how to fix this is to reload the ASA. This is happening every 2 to 3 days.
In the free blocks graph one can see that there is a loss of about 20 blocks per 10 minutes.
View 4 Replies
View Related
Dec 10, 2011
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (https, http, smtp, rpc).
I can use the IIS, if the firewall is activated, but the exchange Server can not receive any emails. I have also created some firewall access rules for the mentioned services but without success.
View 1 Replies
View Related
Jan 20, 2013
I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. [code]
View 6 Replies
View Related
Apr 6, 2011
I have a problem after upgrading the ASA5505 unlimited to 8.4.1, the message shown after startup is:IO memory blocks requested from bigphys 32bit: 9672 It has 512 Mb of ram and this is the view from sh ver:
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Compiled on Mon 31-Jan-11 02:11 by builders
System image file is "disk0:/asa841-k8.bin"
Config file at boot was "startup-config"
[code]....
View 6 Replies
View Related
Dec 10, 2011
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (HTTPS, HTTP, smtp, rpc). I have also created some access rules for these ports, but I don't have any access on my server services, if the firewall is activated.
Here are my Firewall Access Rules from the RV042 Web Interface:
View 16 Replies
View Related
May 14, 2012
We are planing on offering low end ASA 5505s as a customer offer to connect their network to our cloud as this is a business requirment. However, one of my colleagues is convinced that the license for the 5505 is *not* based ont he number of IPSEC endpoints, but the number of distince connections via *any* tunnel. So, according to him, if you have a license for 10 IPSEC endpoints, if you have 11 people connecting via *one* tunnel from a customer's network to our cloud, you go beyond your license.
View 1 Replies
View Related
May 17, 2011
is it possible to configure an ASA 5505 with two internet connections? One dedicated for VPN and the other one for Internet access only.
View 9 Replies
View Related
Mar 14, 2013
IOS Firewall (ZBF) Limit SMTP connections from same IP
we are running a Postfix MTA behind a IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attemps like
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
Can we inspect the smtp and limit connections in a time period from the the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" .
View 8 Replies
View Related
Jun 3, 2012
192.168.1.10 --> ASA 1-----> ASA 2-------> ASA 3----> server (172.21.16.15)
We have opened 3389 , 80 & 445 ports on all firewalls ( ASA 1, ASA 2, ASA ) for server (172.21.16.15) from (192.168.1.10).We are able to see connection in ASA 1 under show connection for 3389, 445 ,80.
We are not able to see connections in ASA 2 & ASA 3 under show connection for 3389. But we are able to see hits in ACl.
View 3 Replies
View Related
Apr 5, 2013
Is it possible to have a Cisco ASA5510 with two internet connections performing as follows.
Internet A---------All traffic except LAN to LAN vpn
Internet B---------LAN to LAN vpn
I cant find anything definitive on google to say it will or wont, i know it cant do policy based routing.
View 3 Replies
View Related
Aug 15, 2012
We are implementing an ASA 5510 firewall with DMZ. Our UDP packets are able to get outside the firewall, but our TCP packets are being denied because of no connection. I've attached the config file and log file.
View 2 Replies
View Related
Aug 1, 2011
We are in the process of getting two new connections pulled in that I would like to utilize in the following configuration.
DS3 - 45/45 I would like to use this circuit for all of our servers to NAT out of as well as our VPN tunnel to our remote site. It will be much more reliable than our cable line.
Cable Internet - 50/10 I would like to use this for all internet traffic that users generate. I would like to be able to fail over to the DS3 if this line goes down.
To get all traffic go out the cable line would take a dynamic NAT rule and a default route. How would I automate a failover to the DS3 with a backup route and dynamic NAT rule?
I understand that if the DS3 goes down it will take manual intervention to bring the tunnel back up and servers with static NAT will need reconfiguration.
View 1 Replies
View Related
Sep 18, 2012
We have a second ASA 5510 that is suppose to be a hot standby. I need to find out that, as a hot standby, does it have to have the same licenses as the ASA that it backs up. We purchased 50 SSL VPN licenses for that unit. If it fails over, we need to make sure the failover asa can allow SSL VPN connections.
View 3 Replies
View Related
Jan 9, 2013
i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.
so, here is my questions:
1. does ASA5540 support multi vlan?
2. does it support spanning tree protocol?
3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?
4. achive network redundancy
View 3 Replies
View Related
Jan 15, 2008
I have a strange problem which looks to me like a DOS attack from the inside..but I cant be sure.
Symptoms:
All xlate connections used within hours.
Xlate connections start with all our servers across our WAN before moving onto all workstations.
No viruses have been found.
Looked in syslog and I cant find one single outside IP that seems to be a possible source.
View 7 Replies
View Related