Cisco Firewall :: ASA 5505 Traffic Flow Between Interfaces
Jun 13, 2012
I am fairly new to configuring ASA's. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to eachother but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviosly this may not be the case.
View 14 Replies
ADVERTISEMENT
Oct 21, 2011
I am in search of a new routers. I don't have any special task to do. Just the flow of maximum 2mb/sec data and some times video conference. However I need the Voip solution as well. I just got excited on the cisco ASA 5505 product. Can this fulfill my requirements. Can this work as the router 1841. Does this support DMVPN, SSL VPN and dynamic routing. Can I upgrade the IOS for dynamic routing purpose. Do you recommend to purchase this produe act or not instead of router ? What are the limitations of this product. If I purchase this I can use this as an router as well as strong security solution. How many ports are available for traffic flow in ASA 5505. Are all routed mode or some of them switch port.
View 1 Replies
View Related
Nov 9, 2011
I trying to allow traffic between 2 inside interfaces with the same security level. VLAN1 and VLAN15. The are on different physical ports on the ASA. I tried to configure this through the GUI Web interface and checked ' enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct?
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
View Related
Aug 30, 2012
I've been thinking about this for a while and I can't seem to find a comforting answer: Assume you have three datacenters connected over a WAN. Each datacenter has its own Internet and firewall, and each firewall has a trusted network, untrusted network (Internet), and DMZ: [code]
-DMZhostA has inbound access from the Internet over port X.
-DMZhostB has outbound access to DMZhostC over port Y.
-DMZhostC has outbound access to the trusted network over port Z.
If DMZhostA gets compromised from the Internet, the attacker can indirectly access the trusted network through DMZhostC, assuming the services running on the given ports are vulnerable/poorly secured.How do you track this web of access? This is a simple scenario with just three firewalls and datacenters, but it gets proportionally more complex and harder to track as the network gets larger. Manually tracking the traffic flow seems tedious, slow, and inefficient.
View 5 Replies
View Related
Feb 16, 2012
I am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco security manager. For ex I needed to define a specific idle timeout for connections beetween specific devices (Devices in vlan1, Device2 in vlan2).To test it I did following changes by CLI and it works fine. access-list L1 extended permit ip <@IP1> <mask1> host <@IP2> class-map CM1 match access-list L1 policy-map PM1 class CM1 set connection timeout idle 02:00:00
I try do do the same configuration with CSM in order to be able to manage each changes only by using CSM.So I defined Access control list, Traffic flow and then I define timeout in CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out. The problem is that each time I deploy the configuration with CSM I loose the timeout config line which is the most important for my application..
View 2 Replies
View Related
Jun 21, 2012
I use 3 interfaces on an ASA 5510. First interface is Lan, Second interface is Outside, Third interface is ADSL The Outside interface is used for VPN L2L and smtp traffic. (Leased line on router managed by ISP)The Adsl interface is used for Http traffic. (Adsl Cisco router) I use this configuration found on another forum subjet for routing.route outside 0.0.0.0 0.0.0.0 x.x.x.x 1route adsl 0.0.0.0 0.0.0.0 y.y.y.y 2 nat (inside) 1 0 0global (outside) 1 interfaceglobal (Adsl) 1 interface static (Adsl,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0 The problem is now I have an www intranet server on the VPN remote site. How i can exempt the http traffic to the intranet server routed through Adsl interface?
View 7 Replies
View Related
Jun 12, 2011
Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).
View 4 Replies
View Related
Jan 15, 2013
I need to route to sub nets form 2 different ASA interfaces. The ASA also has an outside interface works like gateway for internet access. Here is my configuration:
ASA Version 8.2(1)
host name ICE3
names
interface Ethernet0/0
name if outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
[Code]....
View 9 Replies
View Related
Aug 17, 2011
Cisco 2951 w/ HWIC-4ESW
IOS 15.0(1)M5
#sh ip flow int
Vlan533
ip flow ingress
ip flow egress
#
The SVI sends the flow data just fine, however I also continue to receive flow data from most other interfaces.
I have attached a screenshot of one of our netflow collectors indicating that many of the interfaces are sending flow data even though not configured to do so. We have two different netflow collectors, from different vendors and both confirm the same interfaces sending flow data.
Normally I wouldn't care and ignore it, however one of them uses a license limit by interface and is a bit problematic.
View 2 Replies
View Related
Oct 10, 2011
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
Below is a sanitized version of the config.
ASA Version 8.2(1)
!
hostname BOB
[Code].....
View 11 Replies
View Related
Nov 14, 2011
I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint failes.
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24. I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
inside works just fine but no traffic is going out of inside2, not to outside or to inside.
View 8 Replies
View Related
Mar 20, 2012
Got new ASA5550, code 8.2.2 in flash, can't configure "nameif" or "ip address" on the interfaces: [code] These are all the options that I get! Another weird thing I noticed is "<system>" string in "show ver" top line: [code]
View 2 Replies
View Related
Aug 18, 2011
It is my understanding that ACLs can only be bound to logical interfaces using the access-group command. However, is it possible to somehow apply ACLs simply based on the ASA's local Ethernet interface? For instance, consider the following:
Device A with IP 192.168.1.1/24 is connected to Ethernet0/0 on the ASA. Device B with IP 192.168.1.2/24 is connected to Ethernet0/1 on the ASA.
Since both devices are in the same subnet and presumably the same VLAN, is it possible to manipulate the traffic to and from physical Ethernet interfaces using ACLs in this manner?
My predicament is fairly simple:
Internet --- ASA --- ROUTER
|
DMZ
In addition to NAT, VPN, and various other tricks, my ASA is also routing traffic from my internal LAN and the Internet to servers in the DMZ configured on the ASA. Due to a combination of Internet and DMZ traffic, my relatively slow ASA is struggling to route and thus becoming a bottleneck. My router is comparatively modest in terms of functionality when compared to the ASA but it is fast. My ideal solution would be to somehow harness the ASA's filtering capabilities for my DMZ but use the router to get traffic to and from my internal LAN into the DMZ without using the ASA to route it.
Additionally, it is worth noting that my DMZ is fairly restrictive so using protected or isolated ports would not quite work for me.
View 1 Replies
View Related
Sep 23, 2011
I have an ASA 5505 running 8.2(1), that is configured with three interfaces as follows:
Inside (security 100) 10.0.0.0 /24
Inside 2 (security 100) 192.168.0.0 /24
Outside (security 0) internet
Inside is connected to my internal network, inside 2 is connected to the network of a sister organization, outside is outside.
I'd like to be able to route between from inside to inside 2, and have NAT translate me to inside2's address.
I have inter-interface traffic configured, and when I use a NAT exemption, I can route fine. But the resources on network 2 must see my request as coming from the inside2 interface IP.
View 2 Replies
View Related
Feb 12, 2013
This is for an ASA 5505 with the base license...I have a situation where I will not have one interface in my outside VLAN, but instead I want to have interfaces 1-7 in my outside VLAN and interface0/0 in my inside VLAN.
Is this supported with the Base license, and if so how would I do this? Do I still just need to assign one IP address to the outside VLAN?
Or will I need to upgrade to the Security Plus license and put each interface in a separate outside VLAN, so in essence I would have 7 outside VLANs each with the same security level (0)?
My situation is that I have several partner networks that i want to "aggregate" thru my one ASA 5505. So each outside interface represents a separate partner (outside) network, each of which I want to get to from my inside network. Hence the many outside to one inside.
View 5 Replies
View Related
Mar 6, 2011
My customer is running an ASA5505 with 8.3 code.
The have a somewhat flaky proxy between their inside LAN and the firewall. I'd like to have a configuration as follows:
LAN > Proxy > VLAN 1 (eth0/2) on ASA
and
LAN > VLAN 1 (eth0/3) on ASA
So that in the event of Proxy failure (let's just say it loses power) the eth0/3 interface will kick in.
This appears to be easily configured according to the documentation:
"The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3"
But these commands don't seem to be available on a 5505.
View 7 Replies
View Related
Apr 18, 2013
I have a an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. . I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)The issue that i am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan).How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?
View 21 Replies
View Related
May 17, 2013
How can i enable Netflow for each Vlan Or interface indvidually in Cisco ASA? currently i have setup Netflow and only 2 interfaces are shwoing traffic for Netflow which are not even as my physical or Vlan interfaces . (see screen shot )
EscapeASA# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
[Code].....
View 9 Replies
View Related
Jan 18, 2012
I am trying to pass Traffic thru the IPSEC tunnel but it does not work ([Cisco Router 892] <---> [Cisco ASA 5510] <---> [Cisco Router 892]) The Cisco ASA 5510 doesn't pass traffic UDP=500 & UDP=4500 ports...
View 1 Replies
View Related
Oct 14, 2011
My question is pretty straight forward but here is some background information. I would like my browsing traffic to funnel through my phone's 3G or WiFi connection. Is there any information out there on how to direct the browser to use the second internet connection? I was thinking about setting up a VPN using the second nic and somehow instruct the browser to use the specific proxy. I have no idea if that is even possible though.
The need for this is pretty simple. I do not want my browsing habits being logged by my company's network. Also while maintaining the current corporate connection so Outlook and RDP programs continue to function correctly.
View 1 Replies
View Related
Dec 6, 2011
I have a 7204VXR Router, with Neflow. The collection for all interfaces is ok, but one interface (Gigabitethernet 1/0), is not showing the egress traffic in the pictures. The configuration has "ip route-cache flow", ip flow egress, and ip flow ingress set. But, is not showing the egress traffic.
View 4 Replies
View Related
Feb 24, 2011
I have 2 ASA 5505, with a site-2-site vpn, I need to reach a server on network A on port 7887 from Network B.The 2 boxes are both on a public net and has a private net inside.When initiating a telnet session from a Host on network B, to a ip 172.210.210.56 /24 (which is defined as my remote network in the connection profile)I can see the trafic arriving on the ASA on network A, but the trafic gets rejected with the following.
Built local-host outside:VPN-TEST_172.210.210.5602: VPN-TEST_172.210.210.56 7887 Teardown TCP connection 398765 for outside:VPN-TEST_x.x.x.x/16698 to outside:VPN-TEST_172.210.210.56/7887 duration 0:00:00 bytes 0 Flow is a loopback03: Teardown local-host outside:VPN-TEST_172.210.210.56 duration 0:00:00.I'm a newbee with the ASA 5505, and connot figure out why this is a loopback ?
View 2 Replies
View Related
Aug 8, 2012
We are facing one issue at the Customer site as Cisco 7600 series Router's having issue for reflection of traffic flow through netfluke as using by Customer to get bandwidth utilization report for our WAN links.Recently we have brought this 7606S router into production and moved some of our WAN links to this router and We are not getting proper bandwidth utilization report in netfluke after configuring netflow in this device.
HTAINCHN21XXXCR001#sh ver
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-IPSERVICES-M), Version 12.2(33)SRB5, RELEASE SOFTWARE (fc2)
HTAINCHN21XXXCR001#sh run int gi1/12
[code]....
View 1 Replies
View Related
Nov 21, 2011
I'm receiving multicast traffic (400Mbps) on port 9/38 and sending it out on port gi9/48. I'm trying to achieve that traffic will stay within the card without using the switchfabric,
View 2 Replies
View Related
Mar 18, 2013
We have been deploying Cisco SF200-24P switches for our systems for over a year now. They connect to a Cisco 881 router. In many cases we are also deploying Cisco AP541s.Over the last few months, on an intermittent basis, the switches will simply freeze, blocking all traffic flow. The power LED also goes dark. It appears the switch has frozen. The only thing that seems to revive the switch is a hard reboot by pulling the power cord. In the last couple of weeks, one site in particular has gone down a handful of times. That client of our is fed up. Our patience is running thin too.
I cannot see any indications in the logs to any event that might give a clue as to the problem. We definitely see this problem with the 1.2.7.76 firmware and the 1.2.9.44 (latest as of typing this). Not sure if with earlier 1.1.2 firmware.Without a fix, we likely will have to change switches and possibly vendors as we need a reliable switch.I see some vague references to a similar problem. And one reference to a SG300 series having what sounds like the same issue.
View 8 Replies
View Related
Nov 27, 2011
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecing any netflow from it.Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isnt traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)? I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have mimimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow biderectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10. [code]
View 9 Replies
View Related
Jan 20, 2013
I've been digging into some performance issues on a LAN that has a couple of 2960s. The monitoring software I'm using has indicated a high amount of discarded outbound packets (up to 5%). The suggested resolutions were to enable flow control.
My question is does enabling flow control on all ports interrupt network traffic at all? this is a production network so I had already planned on doing it during off hours but also wanted to know if I should be prepared for any significant drop in traffic.
View 14 Replies
View Related
Dec 5, 2012
I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work. Error message from the Syslog deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in".I try a couple of ways to fix it but no luck.A partial config of my ASA 5505. [code]
View 4 Replies
View Related
Jul 24, 2011
We have a BT Infinity broadband circuit which terminates at a vdsl modem, I've plugged an ASA 5505 into the back of this modem and gone through the ADSM quick setup wizard (yes I'm that much of a beginner!) The config that's been generated is pasted below, the symptomns I'm seeing are;
The ASA is setup with PPPOE on the internet connection, I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).
If I ping from the ASA to an internet connection I'm getting "no route" error messages, if I try a "ping outside x.x.x.x" then I get no repsonses.
The ASA can ping it's external IP, the client machines can ping it's internal, however nothing appears to be able to get out.
ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
[Code].....
View 15 Replies
View Related
Apr 11, 2012
We have 110mbps internet service. When we have the 5505 behind the cable modem, our speed drops to 55mbps or so. If we remove the 5505, we see the full 100mbps. I assume the 5505 can handle the speed; if so, what other things should I be looking at?As an aside, we used to have 50mbps wich worked fine, then the ISP upgraded to 60mbps and the through put dropped to 30mbps (It always seems to be half)
View 2 Replies
View Related
Jun 25, 2012
My understanding is for insight to outside we need global and NAT, and for outside to inside we need static and ACL? Traffic goes to high to low, I'm just start working with 5505 recently.
View 2 Replies
View Related
Oct 27, 2011
I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.
View 8 Replies
View Related
Aug 15, 2011
I have a Cisco ASA 5505 that I have configured. The outside interface is vlan 2 and the inside interface is vlan 1. Port 0 of the ASA is configured to be in vlan 2 and is connected to the ISP provided subnet. Port 1 is connected to my private LAN subnet. I have an additional router connected to Port 2 for guest connectivity. Port 2 is configured to be a member of VLAN 2 so that it can access the ISP provided subnet. From the device connected to port 2 I can ping the vlan 2 interface address of the ASA and from the ASA I can ping the Default gateway of the ISP provided subnet. For some reason the router on port 2 cannot ping the default gateway of the ISP provided subnet. If the vlan were working the same as a vlan in a switch, I would expect to be able to do this. why it is not working or what I can do to get it working?
View 4 Replies
View Related
