Instead of using a IP address I would like to use a host address that points to a NTP pool.An example would be:ntp server 0.north-america.pool.ntp.org Can this be done on the ASA series?
View 1 Replies
I ran into a very interesting problem that occurred today and I'm trying to figure out why it happened. If it was one ASA 5505 that just required the reboot, then I'd have just chalked it up to a glitch, but when we built a new AD/ DNS server on the main network at the main site and changed the 3 Remote site ASAs to point to the new DNS server in the DHCPD options, none of them could ping any local host names to the DNS server at the main site they were now pointing too, but external host names { URL} all translated and pinged fine.
From a laptop on one of the remote sites, we could ping the new AD/DNS server(192.168.0.3) and the old AD/DNS server(192.168.0.2) and everything else at the main site, and telnet to port 53 showed successful across the Easy VPN from the Remote site to the new server at the main site. When wire shark was added to the new DNS server at the main site, the DNS request and replies for {URL}, for example, came and worked fine, but any requests for local resources never made it to the server from the remote sites.
A reboot of one of the Remote Site ASA's corrected the issue. Then I rebooted the other two remote site ASAs, and now DNS was working fine for everybody. I had also tried clearing the ARP cache on the ASAs before resorting to rebooting them. I also tried rebooting the laptop thinking the local DNS cache needed cleared before resorting to rebooting the ASAs. I'm struggling to understand why external, public host names made it through and resolved from the remote sites to the new server at the main site, but anything local failed before even reaching the new server(The new DNS server could resolve requests made by computers at the main site, but the remote sites that traverse the Easy VPN from the ASAs failed). The new AD/DNS server is the only server configured for DNS for all remote site computers.
Is any of this making sense? I'm wondering if clearing the x late or local host tables would have corrected it without having to reboot. I'm just trying to grasp the understanding here and figure out what happened.
I just purchased a domain name, that I have forwarding to my WAN address. I want to be able to access my home websie via this route. I have an ASA 5505, how do I get the ASA to point to the home server when the WAN IP address is entered?
View 16 Replies View RelatedI have 2 web servers that replicate between them (two different internal ip). My idea is that if one of them will not work, the other to do the relay.I have a Cisco ASA 5505 I can do a nat for each machine. How should I set ?
View 3 Replies View RelatedBased on the configuration pasted below, we believe the host (10.0.2.200 / 255.255.255.0 GW: 10.0.2.1 with external DNS servers configured) should have access to the web. However, it cannot resolve any names nor can it connect outside.
[code]....
I have a ASA 5505 Sec Plus. I would like to allow outside hosts to our mail server and also our FTP server. So i would like to allow only SMTP, HTTP (for Outlook Web Access) and FTP.
View 10 Replies View RelatedI updated an ASA 5505 to 50 users, but I still can only connect 10 hosts. In Licensing it show 50 insides hosts. I also tried to update to ASA 8.4.5 but that did not work.
View 2 Replies View RelatedI'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
-access-list block_port extended deny tcp any host 10.20.10.20 eq 80
-access-list block_port extended permit ip any any
-access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255 Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
View 11 Replies View RelatedTrying to allow inbound access from any host outside to my LAN server on port 995. [code]
View 1 Replies View RelatedI have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.
View 7 Replies View RelatedWe are using an ASA with 8.4 in transparent mode. Connection fails when a host on inside tries to connect to a server on outside. This server uses mac-address 0100.5E00.0000 to load balance but replies with real mac-address.Firewall logs "Deny TCP".ARP inspection is disabled.
View 2 Replies View RelatedI have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- it's subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)
we have a cisco asa 5505 and it working great .i want to create web server that only selected public ip address can access.
View 3 Replies View RelatedWe have Cisco ASA 5505 with ASDM 5.2 We have one Proxy server in our Local Lab and pointed to Hosted service(Simple Signal)issue is, When our proxy server send register to hosted server, ASA change private IP and post with outside IP and src port as 1063 every time.
Here is debug log on real time monitoring.
Aug 24 2011 05:21:19 302015 203.xxx.xxx.226 192.168.1.51 Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142)
Aug 24 2011 05:21:19 607001 203.xxx.xxx.226 Pre- allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message
Aug 24 2011 05:21:19 710005 203.xxx.xxx.226 99.xxx.xxx.107 UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063
Here 99.xxx.xxx.107 is Our ASA Outside IP address 203.xxx.xxx.226 is Hosted server IP address. My ASA config is attached.
We have a number of 5505 ASAs at remote sites all of which are configured to connect to one of two head-end servers.We need to change the primary head-end IP addresses. At the moment devices are successfully connected to the secondary.If we issue vpnclient server i.j.k.l e.f.g.h then the device drops off the network and won't reconnect until it is power cycled.If we make the changes in ASDM using the GUI to remove the old primary and add in the new primary the ASDM says "No changes made".Devices are running 8.2 and 8.4 code and behaviour is the same.
how to change head-end server IP addresses without the device disconnecting and not coming back up? According to the configuration guide the ASA should cycle through the addresses every 8 seconds until it can connect - but it doesn't seem to do this as it won't connect to the good secondary head-end either!
Trying to set up a asa 5505 in transparent firewall mode. I cannot set the management ip address:
ciscoasa> enable
Password:
ciscoasa# config term
[Code].....
I have a test ASA 5505 at home. The DHCP IP address in my real home firewall is 192.168.1.x and as you are aware the default ip address in ASA is the same. how to configure the ASA.
In the link below there is an instruction, it seems it is working for everybody except me. I followed the instruction up and the only change was assigning the IP address, which I chose something other than 192.168.1.x But after the step of creating NAT, I do not have access to the internet. [URL] Also I followed the link below, but the revision of the ASDM in the instruction does not match with mine, so I was not lucky to figure the device.[URL]
1- How can I configure the ASA 5505 with an IP address different than 192.168.1.x (at home = no incoming static IP address = DHCP on subnet 192.168.1.x for the incoming internet)I have installed ASDM 6.3 on my laptop (From work) but when I connect to the ASA it wants to install ASDM 5.7.I tried to connect to the device through ASDM 6.3 and input the IP address 192.168.1.1It takes for ever and it does not connect to the device
2- How can I connect to the device by ASDM 6.3 or any ASDM with higher version than the original of the device?
if it is possible to block a website or ip address from an ASA 5505? if it is possible, can you give me an example of the commands to get it done?
View 2 Replies View RelatedI have a cisco asa 5505 and i need a public ip address on the inside of my network without NAT. for example: I can create a static nat translation rule, but this is not what i need.
isp -> x.x.x.1 /29 (outside asa) (inside network) x.x.x.2 /29
Is this possible?
I have Cisco ASA 5505 Firewall with security plus license, Currently I open ports on 25,80,443 on public IP address 1.1.1.1 and perform static nat between the inside and outside IP address Such as i configured via CLI
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 80
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 443
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 25
[Code]......
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
I have a website that is hosted by our company, but when the staff goes to the outside address of th website it gets denied by ACL thus page not found.
3Feb 20 201211:25:23192.168.3.5752928our Extrenal IP80TCP access denied by ACL from 192.168.3.57/52928 to inside: our External IP/80,OUr external ip is also the ip of the 5505.
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
[code].....
my 5505 running on version 8.2.5 doesn't seem to recogize the simple command "ip address dhcp setroute......"
ciscoasa(config-if)# ip address dhcp
^
ERROR: % Invalid Hostname
ciscoasa(config-if)# ip address ?
configure mode commands/options: Hostname or A.B.C.D Firewall's network interface address
We have an ASA 5505 and are changing ISPs so we'll be getting a new static IP address. How do I change the external IP address using ASDM? (I haven't done it in 5 years so I'm rusty and just want ot make sure.) The ASA and ASDM are up to date.Am i correct in that I only need to change the external address in the configuration under Interfaces, then under Routing - Static Routes - Gateway IP I just need to enter the new WAN gateway address?
View 2 Replies View RelatedI have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.
View 5 Replies View RelatedWe have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
View 6 Replies View RelatedI have an ASA 5505 in transparent mode. The device mac address table is always empty.
show mac-address-table and show mac-learn both come with empty response.
I have a Cisco ASA configured for Any Connect clients. I also want to pass 443 traffic back to an internal web server, but not sure if I can do this since the Any Connect clients are already connecting over 443 to the ASA, right?
View 8 Replies View RelatedWe have a Cisco ASA 5505. As of yesterday we could no longer access our web server (the web server is hosted off-site). Pinging the DNS address and direct IP (from the firewall and a PC) both return no response. Pinging the IP from the T1 router responds properly, meaning the router can access the web server, but the firewall cannot. Accessing the web server has never been a problem, and no configuration changes have been made to the network/firewall. Other locations can access the web server just fine.
View 1 Replies View RelatedI have a Cisco ASA5505 and windows DHCP server, how do I add this external server to ASA so my PC clients can get DHCP from this server?
View 3 Replies View RelatedI'm configuring a Cisco ASA 5505 ASA Version 8.3.1 I want to publish my web server is in the DMZ (10.30.30.1) and server address is 10.30.30.30 but it still fails.I have only one public IP, and hope that when they call the Public IP, my web server appears, another problem I have is that when I assign the public IP to my interface OUTSIDE my LAN loses internet connection.I have to do to publish my web server and the LAN computers have internet access?
View 16 Replies View Related
