Cisco Firewall :: ASA 5505 - Create ACE For Range Of IP Addresses
Nov 7, 2011
trying to configure our ASA 5505 (hence my request for the ASDM). However, I can go CLI if push comes to shove.
What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.
I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.
I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)
To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues). One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines. I'm having trouble getting that working properly with the new device.
After a lot of trial and error, I finally got some ports working, but only for some IP addresses. In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189). For historical reasons, the external IP of the device is .178. Only those NAT entries for .177, .178 and .179 are currently working. I've attached the configuration of the ASA, as well as the configuration of the old 1841. As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it. And it was working with the 1841 in place before its untimely demise.
One note - I am also having trouble getting the VPNs working, so they are a work in progress. That will account for some of the differences in the configs.
I have a Cisco 5505 with a security plus license and but I can’t seem to create sub interfaces on it.
ASA1(config)# sh ver Cisco Adaptive Security Appliance Software Version 8.2(2)4Device Manager Version 6.0(3) Compiled on Wed 03-Feb-10 14:17 by buildersSystem image file is “disk0:/asa822-4-k8.bin”Config file at boot was “startup-config” ASA1 up 1 day 18 hours Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHzInternal ATA Compact Flash, 128MBBIOS Flash Firmware Hub @ 0xffe00000, 1024KB
I have a production ASA 5505 that is working perfectly. I wanted to take a spare ASA 5505 and copy the running config to it so that I would have a backup unit that could be swapped out if the production unit went down.
Both units have security plus and running 8.2(1). The only difference is that the production ASA has 512MB of RAM while the backup ASA has 256MB. Also the backup has anyconnect and the production unit does not.
I copied the running-config to my tftp server and then copied the running config from my tftp server to the backup ASA as startup-config. After reload the device booted with an identical configuration to my production ASA, but after swapping out the units to test it, I have no access to the WAN or DMZ from my LAN. Swapping back to the production unit and all works as it should.
I printed out the running config from both devices and compared them line by line. They are identical except for the anyconnect line on the backup ASAs config file.
I have a customer an exisiting 5505 which connects to multiple sites for a site-to-site VPN. This firewall was not installed by myself originally I have just been asked to take a look now.The situation is that we now need to edit one of the existing site-to-site VPNs to include the remote sites expanded network. I have tried doing this through the ASDM and have found that I cannot add new network objects. I have tried creating a new network object group and then added the new networks from there but I am completely unable to add the new objects.I believe a picture tells a thousand words in this case so I have attached some images which show the problem. I have also tried going through the VPN wizard, this also does not allow me to add new network objects.
I have purchased a subnet of 8 private IP addresses from my ISP. 109.x.x.128/29.The ISP has placed a juniper router within our data centre which is routing purely from 109.x.x.206/30 to 109.x.x.128/29 with the ip of fa0/1 set to .129.
I have linked a cisco 5505 to fa0/1 of the juniper from fa0/0 and configured its IP to .130. I have configured NAT to translate our client pool 192.168.16.x /24 address' to the internet.
Is it possible for the 5505 to route / map my remaing private IP addresses through its external port? I have tried creating a seperate VLAN for a DMZ for our servers to sit within but am returned with a subnetting error as VLAN for my external port is all ready configured within the same subnet.
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
I'm trying via the ASDM to port forward http connections to a DVR for the purpose of viewing IP cams.I've tried via ASDM to create a public server but I'm not allowed to use my public IP address for the public Interface.I have only one public IP address available.Is there any way round this ? I would also like to know how I can enable NAT with PAT.I've tried setting the outside Interface for use with PAT but It keeps reverting to the setting for a range of external addresses.I'm not really used to the ASA cli yet , I'm getting there.If there's a workaround via the CLI , I'll take that route.
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?
Im new to the ASA and is trying to setup at test net. The ASA is connected to my router on port zero using DHPC. (Or i guess its not as the router use the same ip range as ASA does inside).
I tried to set a static IP in the same range (eg. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside". So I belive that is why it dont get a IP from my router - it does show up in the router DHPC table as 192.168.1.5 but ASDM home says outside "no IP address".
I tried to change the inside range of the ASA but if I change the inside IP i loose connection. (Had to restore factory-default useing the console).
I guess I could setup another range using the console, but how?
I have an ASA 5505 running 8.4(1), and I'm configuring it with ASDM 6.4(1). The outside interface is configured with a single static address. I have a few services port forwarded sucessfully to three different servers on the inside network.
I need to make a media proxy on a SIP server available to the outside. It requires a large range of forwarded UDP ports for the media channels.
I tried adding a network object NAT rule like the others I'm already using to forward HTTP and RDP. I entered a range of ports for the real port and the mapped port using the syntax 60000-60999. ASDM accepted it, but the NAT rule list displays "Any" in the service column. When I apply the change, I get the following error:
nat (inside,outside) static interface service tcp 60000-60999 60000-60999 ^ ERROR: % Invalid input detected at '^' marker.
How do I forward a large range of UDP ports from the outside interface to a single server on my inside network? I'd like to use ASDM, but I can switch to the CLI if that works better.
: Saved : Written by enable_15 at 03:51:29.049 UTC Mon Feb 4 2013 ASA Version 8.4(4)1 host name cisco asa enable password xxxxx encrypted password xxxxx encrypted names interface Ethernet0/0 switch port access v lan 100 interface Ethernet0/1 interface Ethernet0/2 [code]...
Just started using our ASA 5505 v8.2 (1) Trying to configure the ASA appliance to allow access into an internal resource (i.e want to be able to RDP into a system behind the ASA from the internet).I have used a static NAT:
When I view the logs it is reporting the following:Inbound TCP connection denied from 22.214.171.124 (external IP) to 100.100.100.2 /3389 flags SYN on interface outside.Been pulling my hair out with this one as I believe I have everything configured correctly.
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
How can i configure DHCP to use two different range of IP addresses. One range will be for example 192.168.0.* and the other range will be 192.168.1.* When the first range of ip is full the DHCP automatically assign IP addresses from the second range.
I'm am using Google Analytics for my webpage, and I want to exclude(filter) the IP range of my router's external IP addresses from the Analytics data. How do I determine the IP range of my router's public IP?
I have a 1941 router tt needs to be setup with the range of WAN ip addresses ip nat inside outside don't allow me to use it..How can i configure on the router to ensure from outside i'm able to access to firewall (126.96.36.199) ?
A small network and uses the Linksys Router BEFSR81 as dhcp.the default Number of addresses is 50 and starts 10.0.0.100 to 10.0.0.149.A new Cisco IP Phone just introduced requires ip addresses and have noticed running out of addreses.Can I increase the number to 120 so that the address range would start from 10.0.0.100 to 10.0.0.219, also, I have a VPN device which automatically configures itself for 10.0.0.199 address and this is /24 network configuration.
We have Cisco ASA 5505 box.We have a /29 subnet available.At this moment one of IP addresses in this rage is assigned to VLAN2 used for outside interface all outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1all outgoing traffic from VLAN20 (for visitors) will go out using second IP, xxx.xxx.xxx.2all outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using third IP, xxx.xxx.xxx.3all specified incomming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10 .The main purpose is to have specific public IP address for mail server only not to get to any black list,and to give visitors different outgoing IP address than for our internal users.
If I ping a NAT'ed IP address configured on an ASA 5505, is it handled at the firewall (as far as priority) as if I were pinging the firewall interface itself, or the end device? The reason I ask is I am seeing waves of ping latency that I can relate to data transfers, but the nothing is even close to being maxed out as far as CPU, memory, or bandwidth. My guess is this is being handled by the ASA in software instead of in hardware.
I have a customer thats got a Linksys router now, that has a DMZ port.The DMZ port is configurede to it routes the extra public ip-adress to the DMZ port it has.At the DMZ port they have another router connected, where they routes the public ip-adresses på some other devices.How can i make this setup on a Cisco ASA 5505 (With the Security Plus licens)What i have to do is to replace the Linksys router, and make it so, so it works like it was before with the Linksys.
I have an ASA 5505 with Security Plus License ?I have 5 Static IP Addresses from my ISP?I have the following interfaces. Outside (vlan 2) / Inside (vlan 1) / Guest (vlan 3)For my Vlan3 guest network I have set it up so that DNS must be routed through opendns.org's DNS servers ( for web filtering, etc ) However, its using the static ip that I have plugged into the ASA.
What I would like to accomplish is to put my inside interface (vlan1) on another static ip for outside access if thats possible, so that I can route those clients through opendns.org however however giving them more web privlieges than what the guest network is getting.
I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't suppport multiple vlans or trunking & they are only able to connect to one switchport on the ASA. He doesn't not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addesses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an ip range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to setup an internal network & I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.
I have two cisco ASA 5505 devices and two cisco switches plugged to ASAs in each office. I need to create a VPN tunnel between two offices.
-Network behind the ASA1 in office1 is 192.168.1.0/24 with DHCP server – 192.168.1.10
-Networks behind the ASA2 in office2 are 192.168.5.0/25; 192.168.5.128/26 and 192.168.5.192/26
All computers in office2 need to get IPs from DHCP server 192.168.1.10. I have switch in office2 with 3 VLANS and I can assign computers from different subnets to different VLANs.How can I archive this goal? Should I assign 3 IPs for ASA2 inside interface (192.168.5.1, ...5.129, ...5.193) as a default gateways for each subnet? Should I put dhcp helper address 192.168.1.10 on the switch for each VLAN?