Cisco Firewall :: ASA 5505 / Track How Much Time User Spends Using Service Based On Port Number

Apr 26, 2012

I want to be able to gather some time metrics based on source IP and destination port. Is it possible to track how much time a user spends using a service based on its port number? I have figured out how to capture all the data, and I can then look at timestamps, but I would like a better way if possible. Can this be done at the firewall, or do I need a different appliance?


Cisco :: Translate Called Number Based On Calling Number?

Mar 26, 2011

I have some tunnels which terminate to my home router. I'm allowing the other ends of the tunnels to use my voice setup. I need to prepend *67 to all called numbers which don't originate from my house. I don't want people calling my home number based on the caller-id number they see when someone across one of the tunnels calls.

So if 5008 calls 212-333-4444 I want it sent to my provider as *672123334444. If 5001 calls a number, I don't want it touched. Can I do this? I can use IOS or CUCM here.


Cisco Firewall :: ASA 5505 - Dual ISP SLA Track With Primary PPPoE Secondary DHCP

Aug 25, 2011

Cisco ASA 5505 Security Plus, 1 link with PPPoE dialup for internet access.

Desirable situation: primary link with a PPPoE dialup, secondary link with DHCP address assignment.

Problem: I want to configure Dual ISP failover mode, but a problem exists: when I configure the ip sla syntax it looks good in the running config, but after a reload the secondary line becomes primary.

It looks like the PPPoE client authentication is busy when the ip sla tracking mechanism becomes active. Can I tweak the settings so that the ip sla tracking mechanism starts later?

What is the correct config for a Dual ISP setup with primary PPPoE and secondary DHCP?


Cisco WAN :: WS-C3560G-48TS / The Command Track Number Rtr Is Missing

Feb 21, 2012

I have a switch WS-C3560G-48TS. The version of IOS is:

WS-C3560G-48TS     12.2(58)SE2           C3560-IPSERVICESK9-M
  
The command "track number rtr" is missing. There are just three options there:
  
#track 10 ?
  interface  Select an interface to track
  ip         IP protocol
  list       Group objects in a list
 
Why is that so and where is rtr? I have the same switch with the following IOS version:

WS-C3560G-24TS     12.2(50)SE1           C3560-IPSERVICESK9-M
 
rtr is present in there.


Cisco WAN :: 2621 / Time-Based Access Lists Using Time Ranges?

Jan 4, 2011

I have one 2621 router. I want to create a time-based access list so that the users of one of my subnets (10.128.194.0 255.255.255.128) can use the internet only between 11am and 2pm.


Track The Time Or Date When Modem Was Used?

Dec 3, 2012

Is there any way to track the time or date when my modem was used? I have a TP Link modem/router.


Cisco VPN :: 2821 VPN - How To Track User Login Device

Feb 26, 2012

How to track user logins with this device? I've pointed it to a SYSLOG, but it only creates Virtual Access connections, and I don't know who that connection belongs to.


Cisco Firewall :: DDNS Service For ASA 5505?

Oct 23, 2012

I have found Cisco's config for dynamic DNS on an ASA. However, I have seen many articles saying that the ASA doesn't support the HTTP update method that most dynamic DNS services use.


D-Link DIR-655 :: Way To Obtain A Full Track For User Navigation

Feb 6, 2011

I set up an "access control" rule in my DIR-635 and so I have the full navigation log from a PC on my LAN. But the URLs in the log are often truncated. Is there a way to obtain a full track of a user's navigation?


Cisco WAN :: 5505 - Open Port 4001 On Router For User Access

Apr 21, 2013

I need to open port 4001 on my router for someone to have access. I need to do this through the GUI. Cisco ASA 5505.


Cisco Firewall :: Understanding ASA 5505 Service Contracts?

Feb 18, 2013

I currently have 2 5505 SEC BUN as Primary/FO Firewalls and I am considering purchasing the ASA5510-AIP10-K9 for use as a dedicated IPS device. Looking at [URL] I see that for service updates, CON-SU1-AS1A10K9 is available for this product, providing "IPS Signature and Engine Updates" and "OS Updates." It is my understanding that in the ASA5510-AIP10-K9 there are 2 OS:

1. ASA OS
2. AIP SSM-10 OS
 
My question is: Are both the ASA and AIP SSM-10 able to receive "OS updates" with this service contract?


Cisco Firewall :: Asa 5505 Showing Version Number As Null

Feb 15, 2010

Showing Your firewall has a version number null which is not supported by ASDM 6.2(5).  I received this error when trying to run asdm on my asa 5505.  I upgraded image and asdm trying different versions.  I used many different versions of java all to no avail. 


Cisco Firewall :: 5505 With Security Plus Or 891 Integrated Service Router

Mar 15, 2011

Have a customer who has two ISPs right now and is only using one through a basic SOHO router. Looking to upgrade to something that supports dual WAN and allows connections from outside in on both WAN ports. There are 25-30 inside hosts. Requirements: Allow incoming connections on BOTH WAN ports to a single inside host

-This is a web app that needs as close to 100% uptime as possible
-Round robin DNS is set up
-Failover for internal people should one of the ISPs go down
 
Looking at either an ASA 5505 with Security Plus or an 891 Integrated Service Router.


Cisco Firewall :: ASA 5505 With Verizon Home Fios Service?

Feb 13, 2013

Connecting ASA 5505 with the Action Tech Router?


Cisco Firewall :: Configure ASA 5505 With TimeWarner Business Class Service

Apr 30, 2013

I'm trying to support a friend. They just switched to TWC Business Class from Megapath. They have a Cisco 5505 ASA and are trying to configure it to work with the new TimeWarner cable modem. But we can't get PCs behind the firewall out to the Internet.
 
We think it should be a pretty simple config. They have the ASA connected directly to the modem. The modem is running DHCP, and we've configured the ASA to get its address via DHCP. We have a Windows server behind the firewall; it can't get out to the Internet either. It's set up to be a DHCP server and is giving IP addresses to the PCs on the network.
 
Laptops connected via wifi to a wireless router attached to the modem are able to connect to the internet, thus we know the modem is up and running fine.
 
Here's our running config:
 
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name opanslab.com
enable password yYME2neTGgA0S1./ encrypted
passwd yYME2neTGgA0S1./ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address

[Code].....


Cisco Firewall :: ASA 5505 VPN User Needs To Be Allowed

Aug 23, 2011

A user needs to be allowed through the Cisco ASA 5505 firewall to make a VPN connection to 83.1.**.** address on port 1723.


Cisco Firewall :: 5510 NAT Port Forward Based On Public Source IP?

Dec 27, 2011

I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.


Cisco Firewall :: 1811 / Zone Based FW With Non-standard HTTP Port

Apr 4, 2011

We have been testing a Zone Based FW config for 1 month. Everything runs smoothly, but we're having a problem (very slow access speed) when a user tries to reach a website on a non-standard port (8080 in that case). All the traffic stays in our LAN, using an IPSEC/EZVPN connection between the 2 sites. As soon as I disabled the Zone Based FW, the speed was much better.

I'm sure I'm missing a parameter to fix that problem, but I tried many different options and I haven't found anything yet. All the routers are Cisco 1811 running adv IP Services 15.1.2.T1 IOS. A port-map has been created to map port 8080 to the HTTP protocol for the inspection. The PC will have an IP address in the 10.2.2.x/24 and will access a server on 10.2.3.x/24; both devices are part of the zone private in each site/LAN. All the access between sites is managed by an ASA; the IPSEC/EZVPN peer. Little summary, it's gonna be something like: SiteA with a PC on private zone, then on public zone for the EZVPN to SiteB on public zone, and then private zone to access the server in the LAN.


Cisco Firewall :: ASA 5505 8.4(2) Allow User To Access Internal Www Server?

Aug 2, 2011

I tried the solution posted at [URL]; however, it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address, so the web server is responding to port forwarding through the one public IP already. Looking in ASDM, it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
 
object network Private_IP
host 192.168.1.15
object network Public_IP
host 1.1.1.1
object-group network internal_net

[code]....
 
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.


Cisco Firewall :: 5505 - 50 User Bundle Or ASA Security Plus Information

Sep 27, 2012

I have a question about the Cisco ASA 5505 firewall. We need 3 interfaces on the firewall, "inbound", "outbound" and "DMZ", to control traffic between these zones.

Can we do this with the Cisco ASA 5505 50-user bundle, or do we need to purchase the Cisco ASA 5505 Security Plus bundle to get the DMZ zone working?


Cisco VPN :: ASA 5505 Firewall - IPSEC / L2TP Vpn Hang After Some Time

Jul 17, 2011

I have a Cisco ASA 5505 Firewall. I am using Windows VPN. I have configured IPSEC/L2TP VPN. And now I have some problems.

1) VPN is connected, but I notice that the VPN client connection gets in "HANG" mode after a couple of minutes.

2) I am getting an error when I try to connect to my SQL Server (Windows 2008) [code]


Cisco Firewall :: Reboot ASA 5505 Every Time Modem Reboots?

May 21, 2013

I currently have a problem where I have to constantly reboot my ASA whenever my cable modem reboots. The ISP (Pen Tele Data) is set up so that my ASA has to obtain its static IP using DHCP (ip address dhcp setroute) on the outside interface. Now, I also have another location with a cable connection (Comcast) that does NOT experience the same problem. However, the difference is this ISP allows me to assign my static IP directly on my outside interface. What can I do so that I don't have to reboot my first ASA every time the modem reboots?


Cisco Firewall :: 5505 Static Nat With Port Redirection 8.3 Access List Using Un-Nat Port

Aug 15, 2012

I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3. So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.


Cisco Firewall :: Change Default SSH Port On ASA 5505 (port Forwarding)

Dec 2, 2011

So here is my network.
 
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
 
and here is my dilemma.
 
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I cannot, however, SSH to my Cat 2960. From what I can tell, on the Cat2960 I can't change the default port 22 for SSH to a different port, just like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.

The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and Cisco 1841 on port 2001. It appears that changing the default SSH port on Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.
 
show asp table socket
TCP       001f549f  <<pub IP>>:22              0.0.0.0:*               LISTEN
 
How do I make it listen on a different port?

Here is the relevant config for SSH for Cisco 1841 (port forwarding)
 
ON ASA
object network ROUTER
host 10.10.1.1

[Code].....


Cisco Firewall :: ASA 5505 / Port 5901 - Alternate Port?

Aug 18, 2011

With the Cisco ASA-5505, is there a more secure port that can be configured for VNC other than 5901? I am new to firewalls. We have a user who has requested that 5901 be opened, but I was advised not to do so for security concerns.


Cat6 Calculation Based On Length And Number Of Bends?

Feb 24, 2012

I'm trying to come up with a couple of equations to determine the characteristics of residential networks. Basically, what I've got so far is that the bandwidth is determined by the interval in which PSACR (power sum attenuation to cross talk ratio) has a positive value. I do realize that bends in the cable will modify the impedance and thus modify the twisted pair characteristics. So, what I am looking for are the equations that would give me length and bend (corner) dependencies (for example, if I have a 130m link that has 4 corners, my link will have a bandwidth of X, attenuation of Y and max data rate of Z).


Cisco Firewall :: Max Number Of Clients And Site To Site VPN Tunnels On ASA 5505

Aug 15, 2012

I wanted to know the maximum VPN client sessions (using the Cisco VPN client) and Site-to-Site VPN tunnels that I can connect to my ASA 5505 simultaneously.

In other words, if I have x VPN clients and y Site-to-Site tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)? If yes, can I upgrade to the security plus license to increase the Total VPN Peers to 25?

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
[Code]...


Cisco Firewall :: ASA 5510 - Time Range / Allow Single Port During Business Hours Only

Apr 1, 2012

I'm new to an ASA 5510 running 8.4(3) and am trying to figure out something regarding time ranges in ASDM. I simply want to allow a single port during business hours only (I'm not concerned about open sessions needing to be closed). So as an example I add a rule something like:
 
(RULE1 on the internal interface) SRC=INTERNAL DEST=ANY SERVICE=RDP ACTION=PERMIT with a time range set for weekdays 8:00-16:59. I did a test after 5pm on a weekday and was still allowed to do RDP to a server (from INTERNAL), and after using the packet trace tool saw it was still passing through due to a rule a couple lines down (rule 4) that allowed a port range that happened to include port 3389. So my question is if I specify an "allowed" time range and someone attempts access outside that time range, why doesn't it drop it right there? I guess I'm assuming that anything outside the "allowed" time range would be dropped but that doesn't seem to be the case. I'm also assuming the rule base is processed top to bottom.


Cisco Firewall :: ASA 5510 / Ip Service Object And Service Group

May 16, 2011

When I create a service object or group and add the object to a new rule, it never works. I mean the traffic does not match the rule. I see no hits. I placed the rule on top of my access list to check if I did something wrong, but it is not working. When I place only a service, for example tcp/23, it is working.
 
my ip service object
object-group service g-as400
description access client 2 as400 machine
service-object tcp-udp destination eq 397
service-object tcp destination eq 137
service-object tcp destination eq 2001
service-object tcp destination eq 3000
service-object tcp destination eq 445
service-object tcp destination range 446 447
service-object tcp destination eq 449
service-object tcp destination eq 5010
service-object tcp destination eq 5544
service-object tcp destination eq 5555
service-object tcp destination range 8470 8476
service-object tcp destination eq 8480
service-object tcp destination eq

[code]...


Cisco Firewall :: ASA 5520 - Solar Winds Real Time Interface / Monitor Through Put Of Port?

Jul 6, 2012

I have an ASA 5520 and I'm using Solar winds real time interface tool to monitor the throughput of the port. It seems I can never get it to use more than 100mb; where should I check?

I have run a sh int giga 0/1 and it shows the port is 1000mb full duplex, and I have also checked the other end where it plugs into the LAN and this also says the port is running at 1000mb full duplex.


Cisco AAA/Identity/Nac :: ACS 5.3 Authorization Of User Based On MAC Address

Aug 23, 2012

A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and are unable to do certificate based authentication.
 
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
 
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, to decide if access is granted or not.
 
For this I created the following policy:
 
Service Selection Policy -- (Rule based result selection)

-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access

-- Default | Result: DenyAccess
 
Service PEAP access

Identity: Internal Users -- (Single result selection)

Authorization -- (Rule based result selection)

-- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
 
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
 
Is it not possible to use one identity store as "attribute database" for the other identity store?


Cisco :: ACS 5.3 User-based / Custom Enable Passwords?

Mar 23, 2012

I've installed Cisco ACS 5.3. After that I created several internal users (defined password and enabled password), Identity Groups, Access Policies, Network Devices and AAA Clients (e.g. Cisco 1841) for Radius and configured my router like this:

...
aaa authentication login VTY group radius local-case
aaa authentication enable default group radius enable
....
 
Now I'm able to log in successfully using my internal user. But if I try to use enable to enter the enable level, I receive the message "% Error in authentication." when I use the defined enable password.

In the ACS logging I can see that "$enab15$" is missing. If I set up a user named "$enab15" I can log in to enable level, but what do I have to do to use the custom enable passwords?

Steps 1.2 - 1.5 are required for both (Radius and Tacacs). Then you have to switch to 2.1 - 2.7 for Radius or 3.1 - 3.7 for Tacacs authentication.


Cisco WAN :: 1841 Can't Able To Use Different Service Provider At Same Time

Mar 4, 2012

I have a Cisco 1841 router in my office. On that router we configured MPLS BGP with two different service providers. [code] We aren't able to use the different service providers at the same time. Does the Cisco 1841 support two different AS?








Copyrights 2005-15 www.BigResource.com, All rights reserved