working config with least amount of code for:
IOS post 8.3
Subnet: 192.168.1.0 /24
Static NAT (from any source) to server 192.168.1.100 and allow the same incoming connections on outside interface
Ports:
TCP 20,21
TCP 80
UDP 50000-50020
If i connected the latop to brand new out of the box ASA 5505 through consloe cable and i have a config file on this laptop from other ASA5505, is there anyway i can upload that config file into startup-config of this new ASA5505 through console cable, without using TFTP or FTP?
View 5 Replies View RelatedI have ASA 5505 and I save the configuration in the ASA 5505 using write memory or using copy run start but whe i unplug the power cord and plug it back in the ASA gets its factory default configuration.
View 8 Replies View RelatedWhat is the factory default config on ASA5505 with 8.4.1?
View 3 Replies View RelatedI just replaced a PIX 501 with a new ASA5505. I had a very weird problem and would like to know what caused it incase I run into it again. The setup is a DSL connection, with an old-ish speedstream DSL modem. Static IP, no PPPoE. I had a PIX 501, then two servers with static NAT entries on secondary WAN IPs. Everything was working fine on the PIX, I just duplicated the config over to the ASA. I swapped out the PIX for the ASA, and rebooted the DSL modem to clear out it's cache. After installation, NAT was working fine for the the global pool, but the systems with static NAT could not get online. I tried lots of different things to fix them, and they never worked. Finally I rememberd running into an issue like this a long time ago, in that the static NAT IP's wouldn't work without giving them a bump-start on the network. So I assigned the ASA each of my WAN IPs, one at a time, and tested them all. After that I went back to the original WAN IP, configured the static NATs, and they fired right up. why did my static NAT entries not work until I first assigned them to the ASA, then swapped back? I did reset the DSL modem when I swapped the firewalls, so I don't believe it was an ARP issue (unless it was an ARP issue at the far end?) I would like to know if there is something I can do differently with the devices or with the config to not have this issue again in the future.
View 5 Replies View RelatedCurrently a customer has all theLAN devices using a router as the Default Gateway. The router also do the Dynamic NAT to the internet access and has NAT/PAT rules to publish some services like HTTP and FTP. As I know the router will permit all the incoming traffic in all its interfaces without restrictions at less there is an ACLs that restrict the incoming traffic on an specific interface.Now the customer has bought a brand new ASA and wants to use it as the default gateway for the entiery LAN. This means, the ASA will have the internet connection and will be the responsible for the NAT/PAT process.
I have configured the NAT/PAT rules already following the current router configuration, but I need to know if I have to configure ACLs allowing the incoming traffic on th Outside interface for the services I NATed.
I have a Cisco ASA5505 running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with and IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 . I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .Traffic from the YYY.YYY.YYY.0/24 network can't transverse the site to site VPN as there is a conflict of IP address's on the far side so it is natted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100, Users remote into the inside(YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incomming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy Static nat but it tries to modify the static nat that handels the incomming traffic to the Linux server.
View 2 Replies View Relatedi have 2 internal server sitting in inside interface
inside network vlan 1 ip address 192.168.0.20, and 192.168.0.22
i going to map 192.168.0.20 to public ip routable address 203.117.124.180 and 192.168.0.22 to public ip routable address 203.117.124.181
the purpose is to make those 2 server 192.168.0.20, and .22 to be able to access remotely using public routable ip address,
however, after done the configuration i still not able to ping or access the public IP Address mention above. my both server are turn on and can access internally.both server are also able to access internet. See below partial configuration retrieve from Show Run.
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Antlab) 1 0.0.0.0 0.0.0.0
[Code].....
I have a 5505 for a small business that has one web server. The web server has a static NAT entry to an IP address and not an interface. There is an access rule allowing any HTTP traffic to the outside IP of the web server. From the web server I can't access the Internet.
All other computers on the network can access the Internet using a dynamic nat rule that uses the outside interface. The web server is accessible from a computer behind the firewall.
If I delete the static NAT entry for the web server I can get on the Internet.
I have turned debugging on and see that an outbound connection is built and then 30 seconds later the connection is torn down with the bytes 0 SYN Timeout message.
I am running 8.0(5).
I have an ASA 5505 behind my internet router. i have got only one public ip configured on the router outside interface.192.168.20.0/24 subnet is configured between ASA and router and inside network is 192.168.10.0/24 (Refer the attached diagram).
I have exposed my mail server and ftp server to public through static PAT in router and ASA with the same public on router outside interface. Iam facing issue some of the machines inside my network internet is not working(actually DNS is not resolving) some of the PC's internet is working fine some of the PC's randomly working. i have attached the diagram and ASA config , after this issue is sorted out i need to configure a L2L VPN to my head office.
I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.
Here's my Cisco ASA configuration:
ASA Version 7.2(3)
!
hostname domain
[Code].....
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere. Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet.
View 2 Replies View RelatedI am mapping static ip address to the local ip address.We have a bsnl broadband connection, and bsnl has provided us with one static ip address.We are using broadband modem.Now I would liket to map this static ip address to one of the private ip address which is 192.168.1.2(database server).i want to do nat above ips if i do so then i dont have no ip to assign to my outside interface.I would like to access this device over internet, by typing my public (Static ip ) given by the BSNL.security device i have is cisco ASA 5505.
View 3 Replies View RelatedI am setting up a Cisco ASA 5505 first time for My organisation, I usually setup Cisco Router, I have 10 Static IP, & Have 6 Server (S-1, S-2, S-3, S-4, S-5, S-6), Traffic Should be pass through the ASA and is distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions and Want to Configure DMZ for Server (S-4, S-5, S-6) that allows public web traffic.
I have Attached My Network Diagram I have some question,
1:- Can we Configure Multiple Static IP On ASA 5505 ?
2:- If Diagram is wrong what change need to be done ?
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
I have created a simple static ip address by using this command:
interface Vlan1
nameif inside
security-level 100
[Code].....
But, no matter what, the I can't ping the static address or access the computer 10.2.1.2 from outside of the asa 5505. I have attempted to ping from inside of the asa 5505 or from another computer. I just does not work.
I also have created several rules that allows icmp traffic.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
[code].....
I was checking out the config on my ASA and noticed a bunch of static routes configured when I did a show route. With the exception of two that I expect to be there, the remainder point traffic destined for specific internal hosts to the outside interface, i.e.
S private_ip 255.255.255.255 [1/0] via public_ip, outside
I verified that I cannot ping those hosts from the firewall. I logged in to the ASDM. When I check the Configuration>Device Setup>Routing>Static Routes it only shows two static routes, the ones I expect to see. If I look under Monitoring>Routing>Routes, I see the same output as I did on the CLI. I looked around to see if I was missing a key location for this information, and I was able to see the same static routes output in Monitoring>Routing>Routes. Since this is under monitoring though there's no way to delete these routes, and I still don't know where they were configured originally. Then I happened to check under Monitoring>VPN>VPN Statistics>Sessions, and I see several of the private IPs used in the static routes being used by VPN users, including my own! I know I didn't assign myself a static IP for VPN use or anything like that. So, what are these static IP routes? Why do I see them in the CLI and not under the Configuration tab? I mean, I know I can delete them from the CLI but I'm trying to figure out why the info is not synced. Am I seeing dynamically created content based on the VPN connections?
I have been using static NAT to map between a single server behind an ASA 5505 and a single public IP address. In other words, I've been doing this:
object network NAT_ME
nat (inside,outside) static interface
Now I would like to start using the clientless VPN feature of the ASA, so I of course don't want that particular port forwarded to the server. Is there a way to define such an exclusion? I've tried several things, including setting up a separate NAT rule to direct that port back to the ASA's interface, without luck.
If that is not possible, what configuration would I need to move to in order to get the behavior that I want? It is important that all (non-VPN) traffic is passed exactly as it arrives at the firewall (whether it is coming from internal or external), with the exception of changing the IP address (i.e., I need static port mappings for some of my services).
In the near future I plan on updating all of my firewalls to 8.4, currently we're on a mix of 8.0 and 8.2. I've heard that if your equipment is on 8.2 there's an auto-conversion feature when upgrading to 8.3. However, I do not want to rely on that and am trying my hand at re-writing the NAT and ACLs myself. Attached is my pre 8.3 ASA 5510 config (santized) and a document that shows the particular sections pre 8.3 and what I think they should be after the upgrade.
View 1 Replies View RelatedI have an ASA 5505 on a job. It is a smaller business that would have done better with an RV082, but they have what they have. It is running firmware 8.4. The client needed ports forwarded for their FTP server. The port range in this config is tcp 43333-43339. The FTP server ip is 192.168.1.2. [Code] ......
View 8 Replies View RelatedI have a Cisco 876 router running 12.4.(15)T5, configured as DHCP client. This works nicely.
A Cisco 886 router, running 15.1 software also works with the DHCP client. This also works but has the following strange beheaviour: In the running-config an ip route 0.0.0.0 0.0.0.0 <dhcp assigned address> appears. Also - some other static routes that are in the config using the dhcp keyword are duplicated with the dhcp-assigned address
Now - when a write mem is done, these dhcp-generated route entry's are stored in the startup-config...
This beheaviour is completely different and VERY unwanted. After a change from DHCP server the config will simply stop working, when a write mem was done at the first DHCP situation.
Should we stop using write mem commands when a DHCP client is active in IOS? Is it a bug? Is it a feature?
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
View 12 Replies View RelatedI have a new ASA 5505 we have in production the same model.
So I copy and paste the same config bot ASA have the same IOS version 8.4(3)
But the VPN is not working. is because of this ? ikev1 pre-shared-key *****
When I copy paste the config the pass is still like this ****.
How can I copy my config to the new device withouth introduce the pass again.
I need to backup my ASA 5505 configuration and restore it to default, then I'll configure manually the new config, but if something doesn't work I want to restore the backup made before.
I tried the "copy run tftp" command, and it always answers the same: Result of the command: "copy run tftp" [code] I read everywhere its supossed to prompt asking me tftp server address and file name.
I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.
I am configuring an ASA5540 firewall for a client, only difference to usual being that it is to run in Transparent mode. I have looked through for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used.The clients security bod has now come back and insisted MAC filtering should be used but I can find no reference of this anywhere. Does MAC filtering is required to make a transparent box EAL4 compliant and if so where I can find documentation supporting this?
View 1 Replies View RelatedI've having a problem with our company ASA5505 router.
We recently moved to a new adress, so everything had to be set up again. I have a static IP, submask and gateway from our new ISP. The router have been factory reset before moving. We have betweeen 10-20 employees on our LAN in the office. In an attempt to make things easier I have changed the internal IP (and IP range) to 10.0.200.1 with a range from 10.0.200.5 - 10.0.200.100 as our NAS/printer/plotter have IPs within this range.
I can ping machines on the internal IPs and in ASDM the Outside interface is show as "up" with a green arrow. But there still isn't any internet connection. The only thing I haven't tried (because people need the current network to be online) is changing "route inside 0.0.0.0 0.0.0.0 62.242.X.X 1" to "route outside 0.0.0.0 0.0.0.0 62.242.X.X 1"
I have recieved a primary and secondary DNS adress as well, but I'm in doubt as to were I'm supposed to enter these (Using ASDM Version 6.3). I would like everything "Behind" the router to be run by DHCP.
Here is the running config:
ASA Version 8.2(2)
!
hostname ciscoasa
[Code].....
Trying to connect a 5505 with a dynamic address on 8.3(2) to a static IP'd asa (5510 on 8.2(1) with a DefaultL2LGroup and dynamic maps already created.
Inside networks:
Local (5505) 192.168.100.0 /24
Remote (5510) 10.100.1.0 /24
Configuration on 5505
isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 3600 isakmp enable outside access-list 100 extended permit ip 192.168.100.0 255.255.255.0 10.100.1.0 255.255.255.0nat (inside,any) 0 access-list 100tunnel-group DefaultL2LGroup ipsec-attributes pre-shared-key *****crypto ipsec transform-set myset esp-3des esp-md5-hmac crypto dynamic-map cisco 1 set transform-set myset crypto map dyn-map 20 ipsec-isakmp dynamic cisco crypto map dyn-map interface outside
I have a Cisco 2811 router and when I turn of the router the running config is lost. I have to the following to get the router running of the start-up config settings.
router#copy start-up running-config
We have a customer, who has the following setup:
ISP router with ip range: x.x.202.1/ 28
That is connected to a Cisco 2960 switch, that doesn't do much but:
Vlan5: x.x.202.14 /28
Port 1-12 is switchport mode access to vlan 5 There are 3 firewall's connected to the 2960
1: D-Link DSR-1000N with ip x.x.202.2 /28
gw: x.x.202.1
2: Uknown
3: Cisco ASA 5505 with ip: x.x202.7 /28
static route: x.x.202.1
Each FW have a LAN behind it. The D-Link and the unknown device are both working perfectly and clients on each subnet can connect to the internet?However when I connect the ASA 5505 to the 2960 SW with a configued static route: Route Outside 0.0.0.0 0.0.0.0 x.x.202.1 1 is says it has no route to host?
Sanitized Config for the ASA 5505 is:
hostname ciscoasa
domain-name network.local
names
!
interface Ethernet0/0
switchport access vlan 2
[code]....
If I connect the ASA5505 to the LAN of D-Link DSR-1000N and give it a static address and a static route match the D-Link LAN network, it works perfectly, however not when I connect it the the Cisco 2960 Switch
I have an ASA 5505 with a dynamic IP address from the ISP.What I need to accomplish is the following:
- Either setup that ASA (Dynamic IP)VPN with an IOS router (Static IP)
- Or setup that ASA (Dynamic IP) with another ASA (Static IP)
I am converting one PIX config (in 6.2) format to 8.4 format manually.I am stuck at the following statements.
---------------------------
global (outside) 1 192.168.21.100-192.168.21.150 netmask 255.255.255.0
global (outside) 1 192.168.21.44 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit ip host 10.130.101.2 10.132.102.0 255.255.255.0
-----------------------------
My understanding from the old config file was that any traffic coming from source 10.130.101.2 to destination 10.132.102.0 would NOT be translated and this shall remain the same in 8.4.How can I rewrote the NAT commands?