Cisco Firewall :: ASA 5505 - Block Certain URL On Certain Users
May 20, 2013I am using ASA5505 and I would like to block certain websites such as facebook.com on some users only
View 3 Replies
ADVERTISEMENT
Cisco Firewall :: ASA 5520 To Block Https Traffic But Users Are Able To Open Website
Jul 1, 2011We have ASA 5520 with CSC-SSM 20 and we want to block https traffic but when we are blocking https traffic http traffic going to block but user are able to open website.
View 1 Replies View RelatedCisco Firewall :: ASA 5505 Users Restriction?
Jul 2, 2012There are 10, 50 and unlimited users profiles for the ASA 5505, reason for that restriction? Does that mean for example that only 10 users can go through a 10-user 5505?
View 6 Replies View RelatedCisco Firewall :: 5505 - Block Everything Except A Few Ports
Apr 15, 2013We have a client that is running a PC on a internet over satellite. To avoid any unessecery traffic over the satellite link (data traffic is quite expensive), we've suggested to use a 5505, as we had one handy already.
So basically what we wanted was to block everything outgoing and everything ingoing, except for example port 22 (ssh).
But I'm struggling a bit, since this is my first cisco router to be configured.
My interfaces are as follows.
Outside - DHCP
Inside (port 1) - 192.168.1.1
I'm only running ipv4.
in ASDM I made a static NAT rule for port 22, being forwarded to 192.168.1.5 (the computer)
in Access rules I made under outside (incomming rules) source=any destination=outside service=ssh action=permit
But when I try to add further rules to block everything else, it takes the SSH on port 22 with it. How should I do this the easiest way?
the hardware setup is pretty straight forward.
sat-terminal(with IP 192.168.0.1 running DHCP) -> 5505 (outside IP=DHCP - inside IP=192.168.1.1) -> computer (IP=192.168.1.5)
Cisco Firewall :: Restricted Inside Users Of ASA 5505
Jul 6, 2011i have an asa 5505 firewall with asa version 8.2(1). my asa connected on wan port over isp router on internet.inside users connected over dlink switch and the allied telesis 24 ports switch on this asa. the inside users are blocked and they can't communicate. all inside ports of asa 5505 are in one vlan and all ports are switch ports. the configuration of my firewall is
: Saved : Written by xxxxxx at 11:26:22.109 CEDT Thu Jul 7 2011 ! ASA Version 8.2(1) ! hostname asa5505 domain-name dri.local enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 no
[Code].....
Cisco Firewall :: Block Website Or Ip Address From ASA 5505?
Apr 27, 2011if it is possible to block a website or ip address from an ASA 5505? if it is possible, can you give me an example of the commands to get it done?
View 2 Replies View RelatedCisco Firewall :: Block Pings On Outside Interface Of ASA 5505?
May 2, 2013I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Cisco Firewall :: ASA 5505 Intermittently Disconnects Remote Vpn Users
Mar 7, 2011I am using my ASA 5505 to remote VPN. I use both windows and Macs. I use the Cisco VPN client software on the windows machine, on the Mac I have used both the Cisco VPN software and the built in OS X VPN client.
I am able to VPN with all machines, but randomly the VPN will disconnect all users. I know there is a setting that may fix this which I think I tested in the past and it did not work, but I have now forgotten it.
Cisco Firewall :: ASA 5505 Users Are Always Disconnecting 25-30 Minutes From Outside Server
Feb 27, 2012I am facing Tear down problem on cisco asa 5505.Users are always disconnecting 25-30 min from outside server. [code]
View 2 Replies View RelatedCisco Firewall :: ASA 5505-ISP Providing DHCP And Separate IP Block
Mar 12, 2011I have a ASA 5505 that I have been using for a while, but a new ISP is trying to configure my service so that the outside interface has to be configured as DHCP to receive a reserved IP address, and then they will route a separate, non-contiguous block of addresses to that address.
Essentially, they have a DHCP reservation for 1.2.3.4 for my ASA, and then they have 10.2.3.16/28 as a separate block routed to me.
Obviously, I can do my static NAT translations using outside as the address, but I cannot get the separate block of addresses to route through the ASA. Is there a way to do this and get them to work? My ASA is running 7.2(2)
Cisco Firewall :: How To Block ARES With ASA 5505 Base License
Sep 1, 2011Well, I tried using the cisco configuration for ASA 5505 for blocking P2P: url...but this configuration only is usefull with programs like Kazaa, so I try this configuration to block ARES but the problem is that ARES try to make downloads from different ports, ¿How do I block ARES if there are sereveral ports ?
View 1 Replies View RelatedCisco Firewall :: 5505 Block Port 80 On A Specific Host In LAN
Apr 22, 2012I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
-access-list block_port extended deny tcp any host 10.20.10.20 eq 80
-access-list block_port extended permit ip any any
-access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
Cisco Firewall :: 5505 - Users Unable To Access External Email Servers ASA?
Nov 28, 2011I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
Cisco Firewall :: ASA 5505 / Block Internal LAN And Internet Traffic Except LogMeIn Site?
Sep 12, 2011I have configure Cisco 5505 as layer 2 firewall mode. I have vendor machine connected to Cisco ASA 5505 on port 2 as VLAN2 inside then VLAN1 outside connected to my internal network on layer 2 cisco 2960 switch. This machine needs access only to LOGMEIN then block all internal/internet traffic.
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET
Cisco Firewall :: ASA 5505 / Block Website With Regular Expressions Affecting All Internet?
Dec 27, 2011We have an ASA 5505 and I want to block www.facebook.com for all users on the inside network. I followed the instructions laid out in Cisco support document ID 100513 using regular expressions with MPF but am running into some problems.
[URL]
Once the configuration has been changed based on these instruction www.facebook.com is blocked. However I can't access any other websites except my Google News home page comes up just fine for some reason.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 4nJloDG8uYd8w4D3 encrypted
names
!
interface Vlan1
[code]....
Cisco Switching/Routing :: 2800 Block Some URL That Users Have Access Through LAN
Jan 30, 2012I wish to block some url that users have access through my LAN .That's i wish to block icmp,access towards such sites, i wish to block icmp because dns will resolve the domain and they can access through ip address.what i have in place is a cisco 2800 series routers,
View 7 Replies View RelatedServers :: Trace Users Activities And Block Internet Connection?
Aug 26, 2012We've got Workgroup LAN at our office and the Server is configured by the OS “Windows Server 2008 R2”. Most of the users use OS Windows XP-Service Pack-2. Now, I want to see the Internet surfing status/activities done by any particular user/users at any time from the Server. You know that, some people enter into restricted sites which impose severe negative impact on the network. If I could trace from the Server any user of doing this, I shall block his Internet connection from the Server.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: 6509 - Detect And Block Unauthorized Devices / Users In Network
Sep 25, 2012we have Cisco 6509 as a access switch in our network. Each user has an IP phone and a computer. we are going to implement 802.1X for end users by next month. I need to check all the users activity in the network like if someone plug an access point to the network or a router.I just checked Cisco NAC and how to detect those activities on the network.
I need to get more details on Cisco NAC or other products for that purpose. also what is the difference between Cisco NAC and application like Microsoft TMG?
is it agent less or I have to install something on computers? is it working as a default router for users computers?
Linksys Wireless Router :: EA6500 How To Block IP / Internet Addresses For ALL Users Without Adding Sites Manually
Dec 20, 2012how do I block IP/Internet Adresses for ALL users without adding the sites manually per user in the Parental Control panel? I want to block a certain IP/internet adress for all users but can't find this feature within my EA6500 anywhere?Is this a firmware bug? Has linskys forgotten that some sites want to blocked for all users and how do I do it all in one?
View 1 Replies View RelatedCisco :: Block Pings From Outside To ASA 5505
May 1, 2013I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
2wire 2700hg-d Router / Block Or Monitor Porn Viewing Activity Of Users Through The Router?
Jan 19, 2013I have a 2wire 2700hg-d (Qwest/Centurylink) router serving 3 or 4 computers. Is there a way I can either block or monitor porn viewing activity of users through the router?
View 2 Replies View RelatedCisco VPN :: 5505 Allow VPN Users To Access A Different VLAN
Jan 17, 2012I have an ASA 5505. I have configured Remote Access VPN so that users can connect to VPN and access my main VLAN (Inside). I would like to secure it so that when a user VPN's in, they are only allowed access to the HVAC vlan (Vlan 2) as seen in my configuration. Please note there is also a LAN- 2- LAN VPN which has been configured as well.
View 17 Replies View RelatedBlock Internet Access For An IP On ASA 5505?
Mar 15, 2011How do I configure Cisco ASA 5505 (using ASDM 5.2) to block a workstation (IP address) from accessing internet completely? I was trying to set up a new incoming access rule for outside interface to deny any IP traffic to that workstation but it doesn't work from some reason - the workstation can still access the internet. The ASA has no special settings, only a few ports opened for servers?
View 1 Replies View RelatedCisco VPN :: 5505 Local Users Authenticate To AnyConnect
Jul 16, 2012I am trying to configure a Cisco ASA 5505 so that users can authenticate via Radius or via a Local account using the Cisco AnyConnect client. In the AnyConnect Connection profile, the basic tab, it has Authentication Method. We have this going to an AAA server group with Use Local if Server Group fails option is checked.Each time, I see where the user has failed while attemtping to log in to the domain via the radius servers and thus bypasses the local user database all together.
View 3 Replies View RelatedCisco Security :: ASA-5505 - Getting Home Users Internet Access?
Feb 28, 2013I have configured and tested an ASA-5505 that will be deployed at a customer's home. The ISP cable modem will connect to the E0 (outside) interface of the ASA. All other interfaces on the ASA are configured for the inside network 192.168.5.0/24. I have created a VPN site-to-site tunnel between this ASA and the UC540 to allow 192.168.5.0/24 subnet access to the internal networks on the UC540.
The user has requested that all the network devices used by the rest of the family will only need to connect to the Internet. They will not need access to the VPN tunnel and they will not need access to the computers on the 192.168.5.0/24 inside network. I was planning on performing the following tasks to get this to work.
Cisco Switching/Routing :: Implement ASA 5510 / 5505 For Existing IP Block
Jun 5, 2012some recommendations for product selection and overall infrastructure setup for our datacenter: We have an old, legacy setup, and are looking to replace equipment, improve performance, enhance security, and implement hardware redundancy (if cost effective).
1) We now have (2) IP blocks from our provider, and need to support both (because we have mailers on older IPs with a good reputation rating).
2) We have (2) aged Sonicwalls, one for each IP block, each connects to multiple internal subnets (some internal subnets need connectivity to eachother, some don't).
3) We have (mostly) public facing web servers (Linux/Apache), as well as database servers (with no external access).
Questions-
1) Should we implement a Cisco ASA 5520 w/ or w/o SSM modules for the new IP block (for webservers)?
1a) Should we implement a Cisco ASA 5510 or 5505 for the existing IP block (for mailers)?
1b) Or, can we have multiple public IP blocks connected to a single ASA 5520 (or 2 ASA's w/ failover)?
2) Can we connect both firewalls (5520 and 5510/5505) to a single Catalyst 3550 (or similar) using VLANs, and have 6 - 10 VLANs for webserver subnets, with ACLs controlling which subnets/servers can connect to eachother?
2a) Should we implement a second Catalyst 3550 (or similar) for redundancy (webservers have multiple network cards).
3) From our provider, we only have (1) dmark which both IP blocks connect through. Currently we have a switch connected to the dmark in order to 'splice' the connection, and have both existing firewalls connected. Is there a better approach to this?
4) We would like to implement SSL-VPN, and possibly site to site IPSec VPN, but only if there will not be significant performance degredation.
5) Other thoughts/recommendations for new features, enhanced security, or redundancy?
Cisco VPN :: ASA 5505 - AnyConnect 3.1 Captive Portal False Alert Stops Users Connecting?
Dec 29, 2012I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting. This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below."The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail. Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall
Feb 26, 2013I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
Cisco Firewall :: Users Behind ASA5505 Firewall Are Unable To Access Internet
Feb 24, 2011I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
Cisco AAA/Identity/Nac :: Use Radius On ASA 5505 To Block Outgoing User Access By Username In Group
Jan 15, 2012Can I use AAA Radius on a ASA 5505 to block outgoing user access by user name in a group?
View 2 Replies View RelatedCisco Firewall :: ASA 5500 - Get Firewall License To 500 Users?
Jan 25, 2012I purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)
Cisco Firewall :: Block Ip Address From CLI At PIX Firewall Version 6.3(4)?
Oct 11, 2011I would like to know how can I block a ip address from the CLI at the Cisco PIX Firewall Version 6.3(4)
View 4 Replies View RelatedCisco VPN :: ASA 5505 - Users Aren't Able To Reach Remote Network Through Site-to-site Tunnel
May 21, 2011Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24