Cisco Firewall :: ASA 5505 Static Hosts Cannot Access Outside

Feb 9, 2013

I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere. Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet.

View 2 Replies


Cisco Switching/Routing :: ASA 5505 - Dynamic And Static Internal Hosts Setup

Nov 21, 2012

I'm working on setting up a template configuration for the Cisco ASA 5505 device that we'll use to configure more routers for various client needs. One of the requirements requested of me is the following: Internal hosts assigned a DHCP address are blocked from the internet Internal hosts with a static IP are permitted access to internet All internal hosts can communicate regardless of state
Now, I'm fairly new to this and I'm certain my terminology isn't correct so googling the problem has been fruitless. I have followed basic configuration guides and have configured the device to hand out DHCP addresses to hosts plugged in ports 1-7. If I'm plugged in and specify my address manually in the OS I am blocked from any access so I can only assume there is an access policy or some rule preventing me from authenticating against the router despite having set up VLAN1 to be the entire class C subnet. What sort of steps would I need to do to configure this? New access lists. For the record, the dhcp addresses are in the range of VPN users are assigned an address from and there seems to be no issues with that configuraiton. I don't wish to constrain what addresses a user can use should they specify a static IP ( should be just as valid as

View 10 Replies View Related

Cisco Firewall :: ASA 5505 - Cannot Ping Local Traffic And Hosts

Jul 24, 2012

I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA ( There is a PC ( plugged into e0/1.

I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping

I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC cannot get out

ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted

View 2 Replies View Related

Cisco Firewall :: ASA 5505 8.4(1) - Map Multiple Inside Hosts Ports To One Public IP?

Jun 22, 2011

I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:

host1: service tcp/100 >>>>> public ip service tcp/100
host2: service tcp/200 >>>>> public ip service tcp/200
host3: service tcp/300 >>>>> public ip service tcp/300
So people from remote just need to use public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.

View 7 Replies View Related

Cisco Firewall :: ASA 5505 - Increase Inside Hosts License Count?

Feb 14, 2012

At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number:  xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        
This platform has a Base license. 
The flash activation key is the SAME as the running key.

View 2 Replies View Related

Cisco Firewall :: 5505 Static Nat With Port Redirection 8.3 Access List Using Un-Nat Port

Aug 15, 2012

I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.

View 12 Replies View Related

Cisco Firewall :: NAT Configuration To Allow Access To Two Hosts In The Same DMZ (RFC 1918)

May 16, 2011

I am using a three interface ASA config (Internet, DMZ, Inside).  The DMZ and Inside networks are both RFC 1918 space however it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IP's which NAT to the DMZ hosts .  In my DMZ network there are two devices - a Web Server and a 802.11 Access Point.
The Web Server is hosting our corporate web site.  When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to.  A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?

View 1 Replies View Related

Cisco Firewall :: Get DMZ Hosts To Access Internet Via Outside Interface Of ASA5505

Jun 19, 2011

How can I get DMZ hosts to be able to access the Internet via the Outside interface of my ASA5505.I am using the DMZ to allow temp guest acces to the Internet.
Here is my configuration and it can be changed as needed.
User Access Verification
Password:Type '?' for a list of available commands.ciscoasa> enaPassword: *******ciscoasa# sho run: Saved:ASA Version 8.0(4)!
interface Vlan1nameif insidesecurity-level 100ip address!interface Vlan8no forward interface Vlan1nameif dmzsecurity-level 50ip address!interface Vlan11nameif outsidesecurity-level 0ip address!interface Ethernet0/0!interface Ethernet0/1switchport access vlan 11!interface Ethernet0/2!interface Ethernet0/3switchport access vlan 8!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa804-k8.binftp mode passivedns server-group DefaultDNSdomain-name asaobject-group protocol DM_INLINE_PROTOCOL_1protocol-object udpprotocol-object


View 10 Replies View Related

Cisco Firewall :: ASA5505 - Outlook Access For Inside Hosts

Apr 25, 2011

I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to  browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Static NAT

May 26, 2011

I just replaced a PIX 501 with a new ASA5505. I had a very weird problem and would like to know what caused it incase I run into it again. The setup is a DSL connection, with an old-ish speedstream DSL modem. Static IP, no PPPoE. I had a PIX 501, then two servers with static NAT entries on secondary WAN IPs. Everything was working fine on the PIX, I just duplicated the config over to the ASA. I swapped out the PIX for the ASA, and rebooted the DSL modem to clear out it's cache. After installation, NAT was working fine for the the global pool, but the systems with static NAT could not get online. I tried lots of different things to fix them, and they never worked. Finally I rememberd running into an issue like this a long time ago, in that the static NAT IP's wouldn't work without giving them a bump-start on the network. So I assigned the ASA each of my WAN IPs, one at a time, and tested them all. After that I went back to the original WAN IP, configured the static NATs, and they fired right up. why did my static NAT entries not work until I first assigned them to the ASA, then swapped back? I did reset the DSL modem when I swapped the firewalls, so I don't believe it was an ARP issue (unless it was an ARP issue at the far end?) I would like to know if there is something I can do differently with the devices or with the config to not have this issue again in the future.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 - Static NAT And ACLs

May 25, 2011

Currently a customer has all theLAN devices using a router as the Default Gateway. The router also do the Dynamic NAT to the internet access and has NAT/PAT rules to publish some services like HTTP and FTP. As I know the router will permit all the incoming traffic in all its interfaces without restrictions at less there is an ACLs that restrict the incoming traffic on an specific interface.Now the customer has bought a brand new ASA and wants to use it as the default gateway for the entiery LAN. This means, the ASA will have the internet connection and will be the responsible for the NAT/PAT process.

I have configured the NAT/PAT rules already following the current router configuration, but I need to know if I have to configure ACLs allowing the incoming traffic on th Outside interface for the services I NATed.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Static Nat And VPN Conflict

Jan 12, 2012

I have a Cisco ASA5505 running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with and IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 . I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .Traffic from the YYY.YYY.YYY.0/24 network can't transverse the site to site VPN as there is a conflict of IP address's on the far side so it is natted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100, Users remote into the inside(YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incomming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy Static nat but it tries to modify the static nat that handels the incomming traffic to the Linux server.

View 2 Replies View Related

Cisco Firewall :: Static 1 To 1 NAT Not Working On ASA 5505

Jan 28, 2013

i have 2 internal server sitting in inside interface
inside network vlan 1 ip address, and
i going to map to public ip routable address and to public ip routable address
the purpose is to make those 2 server, and .22 to be able to access remotely using public routable ip address,
however, after done the configuration i still not able to ping or access the public IP Address mention above. my both server are turn on and can access internally.both server are also able to access internet. See below partial configuration retrieve from Show Run.
global (outside) 1 interface
nat (inside) 1
nat (Antlab) 1


View 2 Replies View Related

Cisco Firewall :: Static NAT SYN Timeout - ASA 5505

Aug 30, 2011

I have a 5505 for a small business that has one web server.  The web server has a static NAT entry to an IP address and not an interface.  There is an access rule allowing any HTTP traffic to the outside IP of the web server.  From the web server I can't access the Internet.
All other computers on the network can access the Internet using a dynamic nat rule that uses the outside interface. The web server is accessible from a computer behind the firewall.
If I delete the static NAT entry for the web server I can get on the Internet.
I have turned debugging on and see that an outbound connection is built and then 30 seconds later the connection is torn down with the bytes 0 SYN Timeout message.
I am running 8.0(5).

View 3 Replies View Related

Cisco Firewall :: Internet In ASA 5505 With Static PAT

Aug 31, 2012

I have an ASA 5505 behind my internet router. i have got only one public ip configured on the router outside interface. subnet is configured between ASA and router and inside network is (Refer the attached diagram).
I have exposed my mail server and ftp server to public through static PAT in router and ASA with the same public on router outside interface. Iam facing issue some of the machines inside my network internet is not working(actually DNS is not resolving) some of the PC's internet is working fine some of the PC's randomly working. i have attached the diagram and ASA config , after this issue is sorted out i need to configure a L2L VPN to my head office.

View 8 Replies View Related

Cisco Firewall :: ASA 5505 - No Internet Using Static NAT Rules?

Feb 5, 2012

I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.
Here's my Cisco ASA configuration:
ASA Version 7.2(3)
hostname domain


View 16 Replies View Related

Cisco Firewall :: 5505 Broadband Connection With One Static IP

Jun 3, 2013

I am mapping static ip address to the local ip address.We have a bsnl broadband connection, and bsnl has provided us with one static ip address.We are using  broadband modem.Now I would liket to map this static ip address to one of the private ip address which is server).i want to do nat above ips if i do so then i dont have no ip to assign to my outside interface.I would like to access this device over internet, by typing my public (Static ip ) given by the device i have is cisco ASA 5505.

View 3 Replies View Related

Cisco Firewall :: How To Configure Multiple Static IPs On ASA 5505

Jun 10, 2011

I am setting up a Cisco ASA 5505 first time for My organisation, I usually setup Cisco Router, I have 10 Static IP, & Have 6 Server (S-1, S-2, S-3, S-4, S-5, S-6), Traffic Should be pass through the ASA and is distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions and Want to Configure DMZ for Server (S-4, S-5, S-6) that allows public web traffic.
I have Attached My Network Diagram I have some question,

1:- Can we Configure Multiple Static IP On ASA 5505 ?

2:- If Diagram is wrong what change need to be done ?

View 2 Replies View Related

Cisco Firewall :: ASA 5505 - Public Static IP Address And DMZ

Feb 3, 2013

I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,

View 4 Replies View Related

Cisco Firewall :: ASA 5505 - Creating Simple Static IP

Mar 22, 2012

I have created a simple static ip address by using this command:
interface Vlan1
nameif inside
security-level 100

But, no matter what, the I can't ping the static address or access the computer from outside of the asa 5505. I have attempted to ping from inside of the asa 5505 or from another computer. I just does not work.
I also have created several rules that allows icmp traffic.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit inside
icmp permit any echo-reply outside
icmp permit any outside

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Create A Static Ip Address Under Version 8.4?

Mar 20, 2012

I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
hostname cisco-asa
domain-name default.domain.invalid
interface Vlan1
nameif inside
security-level 100


View 7 Replies View Related

Cisco Firewall :: ASDM And CLI Show Different Static Routes For ASA 5505?

Feb 23, 2013

I was checking out the config on my ASA and noticed a bunch of static routes configured when I did a show route. With the exception of two that I expect to be there, the remainder point traffic destined for specific  internal hosts to the outside interface, i.e.
S    private_ip [1/0] via public_ip, outside
I verified that I  cannot ping those hosts from the firewall. I logged in to the ASDM. When I check  the Configuration>Device Setup>Routing>Static Routes it only  shows two static routes, the ones I expect to see. If I look under Monitoring>Routing>Routes, I see the same output as I did on the CLI. I looked around to see if I was missing a key location for this information, and I was able to see the same static routes output in Monitoring>Routing>Routes. Since this is under monitoring though there's no way to delete these routes, and I still don't know where they were configured originally. Then I happened to check under Monitoring>VPN>VPN Statistics>Sessions, and I see several of the private IPs used in the static routes being used by VPN users, including my own! I know I didn't assign myself a static IP for VPN use or anything like that. So, what are these static IP routes? Why do I see them in the CLI and not under the Configuration tab? I mean, I know I can delete them from the CLI but I'm trying to figure out why the info is not synced. Am I seeing dynamically created content based on the VPN connections?

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Post 8.3 Static NAT With Least Amount Of Config

Mar 17, 2012

working config with least amount of code for:
IOS post 8.3
Subnet: /24
Static NAT (from any source) to server and allow the same incoming connections on outside interface
TCP 20,21
TCP 80
UDP 50000-50020

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Setup Single Port Exclusion For Static NAT?

Sep 20, 2012

I have been using static NAT to map between a single server behind an ASA 5505 and a single public IP address. In other words, I've been doing this:
object network NAT_ME
nat (inside,outside) static interface
Now I would like to start using the clientless VPN feature of the ASA, so I of course don't want that particular port forwarded to the server. Is there a way to define such an exclusion? I've tried several things, including setting up a separate NAT rule to direct that port back to the ASA's interface, without luck.
If that is not possible, what configuration would I need to move to in order to get the behavior that I want? It is important that all (non-VPN) traffic is passed exactly as it arrives at the firewall (whether it is coming from internal or external), with the exception of changing the IP address (i.e., I need static port mappings for some of my services).

View 5 Replies View Related

Cisco VPN :: ASA 5505 Can't Ping Remote Hosts

Jun 24, 2012

configuring ASA 5505 to be able to ping remote host.Setup - We have a site-to-site ( - VPN setup with client VPN access (IP Pool, on ASA 5505.Issue - Not able to ping host on from VPN client but  able to ping host.

View 8 Replies View Related

Cisco Firewall :: Static NAT And Access From Outside In ASA 8.4

Aug 24, 2011

I have configured Static NAT on ASA 8.4; and opened the telnet access through following configuration but it is not working. What mistake I am making in my configuration
interface Ethernet0/0nameif outsidesecurity-level 0ip address!interface Ethernet0/1nameif insidesecurity-level 100ip address
hostname(config)# object network Router_A
hostname(config-network-object)# host
hostname(config-network-object)# nat (inside,outside) static
hostname(config)# access-list ACCESS-TO-SERVER extended permit tcp any host eq telnet
hostname(confi)# access-group ACCESS-TO-SERVER in interface outside
The host (router) can access internet after this configuration but telnet is not possible from outside.

View 2 Replies View Related

Cisco Firewall :: PIX 501 With 1 Static IP / NAT / PAT With Access List

Aug 24, 2011

I am having a problem getting this to work and I have always done it with 2 Static ip address.  but now this company changed to 1 and I am doing something wrong.

I have comcast with 1 static IP, I have a local LAN with 6 host and 1 server that does Mail and remote access and web traffic.

I need a config that allows me to use 1 static ip on the outside interface of the PIX and allow with an ACL 7 ports open to the server and allow all the local host out to the internet.

View 11 Replies View Related

Cisco Firewall :: ASA 5510 - Static NAT For Outside Access Not Working?

Sep 19, 2011

I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
4    Sep 20 2011    16:20:33        fw_outside_ip    62678    outside_host    2001    Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]
When I try to use the packet tracer to simulate the outside traffic, I get the following
5    Sep 20 2011    16:17:41        inside_host    2001            Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure
I've got over my NAT statement and access rule and can't find anything wrong with either.
Here are the pertinent NAT and access rule...
static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask
access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001

View 5 Replies View Related

Cisco Firewall :: Create Static PAT To Allow Host Address To Access Network Through ASA5510

Aug 23, 2012

The old syntax that I am much more familiar with has been deprecated.  On older IOS it would have been something like static (inside,outside) tcp 14033 1433 netmask  Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA.  I have external address that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on  port 1433.

View 11 Replies View Related

Cisco Firewall :: Max SNMP Hosts On ASA 8.2?

Nov 13, 2012

Seems like something simple, but can't find on What are the max SNMP hosts allowed on an ASA 8.2 code? That would be Polls and Traps?                  

View 1 Replies View Related

Cisco :: Restricting Access To Certain Sites By Certain Hosts

Dec 4, 2012

I am trying to block access to facebook and twitter on my router, to a certain range of ips, - 254. I have been digging around and trying stuff but all I do seems to restrict everyone access to the internet.

View 5 Replies View Related

Cisco VPN :: Access From Local PIX 515 IP To Hosts On Site

Apr 7, 2013

I have a site to site vpn connection between ASA 5510 and PIX 515 which is working fine. There is no problem for hosts on any side of the tunnel to access a cross. However the local ip ( on the client interface of my PIX is not allowed to access hosts on the other side of the tunnel. [code]

View 2 Replies View Related

Cisco Firewall :: Cannot Ping To Inside Hosts From ASA-8.2

Jun 8, 2013

I am struggling to get successfull pings beween asa and inside hosts but couldn't succeed. Done packet tracer result is acl-drop
Here is the running config
Prem-ASA(config)# sh run
: Saved


View 7 Replies View Related

Copyrights 2005-15, All rights reserved