Cisco Firewall :: ASA 5505 Not Able To Access Internet And Outside To DMZ Servers
Jul 20, 2011
I have configured the ASA 5505 for internet access and outside users to use two servers in the DMZ. Every thing is working fine. When I was configure VPN, I did some mistake I guess, now inside users are not able to access internet. They get an error 405. Thats an error. The request method XXX is inappropriate for the URL /. Thats all we know. Even I am not able to access the server in the DMZ from outside and I get an error : Bad Request - Invalid HeaderThese things just happend after I did some thing on the ASA. I copy and pasted the my old configuration but still insider users are not able to connect to internet and from outside I am not ableto connect to server. The weired thing is that I can user VPN with out any issues. I can connect to vpn but I cant access any internal resources. Even inside users are able to ping internet addresses with out any issue.
I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. [URL]) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuration or the firewall itself is not letting my requests through. The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
I have a customer with an 877ISR with zone base firewall. They want to access two servers on the inside from the internet using RDP but with different ports.
Partial configuration.
interface Dialer0 description $FW_OUTSIDE$ ip address negotiated no ip redirects no ip unreachables(code)
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
-Single static public IP: 16.2.3.4 -Need to PAT several ports to three separate servers behind firewall -One server houses email, pptp server, ftp server and web services: 10.1.20.91 -One server houses drac management (port 445): 10.1.20.92 -One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]
Users are connecting to Site A (PIX 515e) via Cisco VPN client and can access servers/resources within that site no problem. They cannot access anything within Site B (ASA 5505) however. Devices communicating between Site A and Site B have no issues (have site to site VPN configured). I'm assuming that I'm missing something in configuration - or is it not possible for VPN clients connected to the PIX firewall and access data on the other network?
We have a new installation of a ASA 5505 and are trying to get some NAT issues straightened out. On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the orginal port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily choosen unused port, can be used to access the second server: [code]
I have config ASA 5505 and it is conencted to layer 3 switch that connects to cable Modem.
ASA is config with DHCP option and PC is able to get the IP from ASA. But from PC i am unable to access the internet. From ASA itself i am able to ping the Websites fine.
ASA has config with DHCP for inside and also it is doing NAT.
When i connect the ASA directly to Cable modem then pc is able to access the internet.
I would like to restrict Internet traffic (HTTP & HTTPS) for Inside Users with an ASA 5505. I would like to setup a proxy-like system where a User/Password must be entered before the User can actually browse the web.
I know that this can be done with an additional RADIUS/TACACS+ Server. Is this also possible without any external AAA Server, so with User/PW stored on the ASA locally only?
i am looking for the best practices when using a Cisco ASA 5505 to provide NAT and protect my inside network from the outside.
I have the inside security level set to 100 and the outside set to 0, want other features can be used to protect the network from the Internet, am assuming that the security levels will ensure no traffic comes from the outside to the inside unless there is a rule that allows it.
Would any firewall policies be required to increase the level of security?
What should i do on my Cisco ASA 5505 firewall to grant access to my network systems to access internet via gateway. I use ASDM to configure the firewall.
I have a wireless Airport Extreme on Vlan3. My problem is that I can't get internet access from a wireless client which connects to the Airport which is on the DMZ. From my laptop which is connected to the Airport, I can ping the 5505. That's as far as I get.
asa5505(config)# sh running-config : Saved : ASA Version 8.4(2) ! hostname asa5505 enable password ArKd0aXL.wihdyE3 encrypted passwd ArKd0aXL.wihdyE3 encrypted names
ASA 5505 and DMZ and Base License,"For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network." Page 6-17.
This is exactly what I need. Mail server in DMZ, full access from internet to DMZ, and from inside network to DMZ, no access from DZM to inside network. If I good understand, this is possible with base license.
I successfully configure, internet Access for DZM and inside network, Mail server can be accessed from internet, as well as RDP on inside network. But I have problem to configure communication from inside network to DMZ. [code]
I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. What ports I need to open up? My AD servers are Windows 2003.
I am trying to set up an ASA5550 so that I can access the servers behind it. Simple.
As of now, I am unable to even create an access-list to allow traffic from my remote IP into the firewall. As far as my level of experience with Cisco firewalls, it's basically zero but I have taken the Cisco CCNAX class and feel that I have a good understanding of the fundamentals. That said, we only dealt with routers and switches, and it's not impossible that I'm missing something that would be totally obvious to most folks on this board. I've used CLI and ASDM with no success.
Lost internet access through server after change router LAN ip.I did every thing still dont have access to internet .and also read this post:
http:[url]....
I have a router and a server that are connected through two unmanage switches. The router has DSL service in it, and i can ping the router from server3 client through cable and 2 client through WLAN.
We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured) DMZ Segment: 192.168.3.0/24 (This is a future deployment) LAN Segment: 172.17.0.0/16
Both, Private Servers and DMZ Servers are in a collocation as well as the ASA5520. There are multiple Branch offices that uses subnets within the 172.17.0.0/16 Network and they are connected to the ASA5520 via Metro-E.
I do not know if this is possible but what I want to do is this:
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
The FTP server in the DMZ has the IP address: 192.168.3.100. But when a PC from the LAN wants to reach the FTP server it should points to its old IP: 192.168.4.100. This way the PC sends a packet to the ftp.corporate.net (192.168.4.100) the ASA recieves the packet and translate it to the (192.168.3.100) and send it out through the DMZ Interface.
Also if the Private Servers wants to reach the same FTP the ASA will act like a proxy-ARP and send the paquet to the DMZ by means of the translation of the IP.
Need to Have both ISP to access internet/servers configure a Cisco 2911 router, It has two ISP one as primary 216.140.140.0, and secondary for backup as 216.150.150.0. I need to be able to access both the ISP's using the same interface Gi0/1. Since we have servers that have to have specific IP both when accessed and when accessing the internet so I used static Nat for the servers and Dynamic for all others. I did the following configuration but it does not work as i want it, if i unplug the Primary ISP from the unmanaged switch the secondary cant access the Internet or network.The secondary only works when the primary and secondary are both connected and have an equal cost Administrative distance, hence it is not available when the primary is down . Even though I can use a sub-interface instead of a secondary Ip address (which worked when I used it) I need to use the same interface using a unmanaged switch to which the outside interface of the router is connected and the two ISP's. Below is my configuration.
interface GigabitEthernet0/0 ip address 10.0.0.254 255.255.255.0 ip nat inside
I set-up my law firm network with a server 2008 database. Now I am renting out one of my offices to a separate lawyer and I want him to be able to use my network to access the internet, but not my server 2008. Is that possible or is it already secure being I haven't installed any of my software on his computer?
I have setup a site-to-site VPN tunnel between 2 sites using CISCO rv120w.Everything works fine; any PC on one site can access all systems on the other site and vice-versa.The issue I have is when I start a VPN connection another site on Internet using IPSecuritas.I can initiate a VPN to site 1 and site 2; but when connected, I can only access servers that are located into the same site I'm connected to; I cannot ping the remote site.The Range of IP addresses on the internet during my tests is 192.168.11.0 (I 'm using a Mac)
-Systems with IP 192.168.1.1 and 192.168.10.1 are bridges -Systems with IP 192.168.1.2 and 192.168.10.2 are CISCO rv120w
setting up an ASA 5505 to be used as a firewall between a BT internet router(BTNet service) and a Cisco 3560 Lan switch. BT have presented me with a cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 Gigethernet ports on the back of the router port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA but i am unable to get any connection.
I can't access our ASA 5505 via SSH from the outside. I've configured this through the ASDM to allow SSH (Device Management > Management Access > ASDM/HTTPS/Telnet/SSH). I added a rule that allows SSH on the outside interface from 0.0.0.0 0.0.0.0. When I try to ssh in with putty, it says "server unexpectedly closed network connection" When I watch the logs on the ASA, it shows a Built inbound TCP connection on port 22, but then immediately a Teardown TCP connection. It doesn't show it's being blocked by any rule. Is there something I'm missing on enabling SSH?
I have a web server behind my 5505 that I'd like to access from the outside of the 5505 (still within my home network though). Its running on port 3000. I made the changes but I have been unable to access my server from the outside.
I do have an Airport Extreme in from of the 5505 and the 5505 is getting its address via dhcp from the airport. So I'm trying to hit 192.168.2.57:3000 from my wireless airport network.
if log on to the firewall with the enable_15 account remotely via a Cisco IPSec VPN client? Similarly, how do you restrict access to the ADSM to the local LAN for the enable_15 account? Is there a way to tell when a user last logged on via an IPSec VPN?
I have question about license for ASA 5505. I have to put public access point behind ASA into DMZ. Do I need to hava the unlimited license? Does Securipty Plus license include unlimited users option and 50 VLAN or I will need different type of license.
We have a Cisco ASA 5505. As of yesterday we could no longer access our web server (the web server is hosted off-site). Pinging the DNS address and direct IP (from the firewall and a PC) both return no response. Pinging the IP from the T1 router responds properly, meaning the router can access the web server, but the firewall cannot. Accessing the web server has never been a problem, and no configuration changes have been made to the network/firewall. Other locations can access the web server just fine.
