Cisco Firewall :: ASA 5505 / Use The Ethernet Ports As Pure Physical Layer 3 Ports
Jun 9, 2013
We have an ASA 5505. The 5505 comes with two default VLANs, 1 and 2, marked as inside and outside respectively. My query is: if I do not want to use VLANs on the 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible? I.e., I want to assign a layer 3 IP address on eth0/0 and eth0/1 and make them the inside and outside interfaces rather than VLANs. Is it possible to do away with VLANs on the 5505, and will it work otherwise?
Is there a way to associate spare firewall ports with another port that is being used? For example, int gi 0/2 is being used currently for my web DMZ. Its IP is 192.168.10.1. Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2?
In my web DMZ I use 2 ACE 4710 proxies in FT mode. I used a layer 2 switch to connect the firewall and proxies together.
I would like to eliminate this switch if possible and connect both 4710's (layer 2) directly to the firewall. If I could make gi0/2 - 4 part of the same VLAN, then I would be good to go.
enabling traffic between interfaces on the ASA 5510. Of course I have an outside interface (E0/0) and an inside interface (E0/1) for normal operation. The idea was to enable one of the remaining interfaces on the 5510 to attach an internal network resource to for management in case we lost our switch. I am using E0/0 as the outside interface and the inside interface is E0/1. I want to attach a management device on the same inside network IP address range for simplicity. I have E0/2 configured for the same security level (100) as the other inside interface and I have also enabled same-security-traffic permit inter-interface, but I still cannot access the device on that port. Is there something else I am missing? I guess the best way to explain this is that I want ports E0/2 and E0/3 to act like a "switch", so to say. The ASA 5505 lets you do this pretty easily, but I'm having trouble on the 5510.
We have a client that is running a PC on internet over satellite. To avoid any unnecessary traffic over the satellite link (data traffic is quite expensive), we've suggested using a 5505, as we had one handy already.
So basically what we wanted was to block everything outgoing and everything incoming, except for example port 22 (SSH).
But I'm struggling a bit, since this is my first cisco router to be configured.
My interfaces are as follows:
Outside - DHCP
Inside (port 1) - 192.168.1.1
I'm only running IPv4.
In ASDM I made a static NAT rule for port 22, being forwarded to 192.168.1.5 (the computer).
In Access Rules I made, under outside (incoming rules): source=any destination=outside service=ssh action=permit.
But when I try to add further rules to block everything else, it takes the SSH on port 22 with it. What is the easiest way to do this?
I have an ASA 5505 with ASA version 7.2(2) and ASDM version 5.2(2), and I am attempting to open ports 88 and 5445 and forward them to the IP address of my DVR. This is all new for me. I see several posts for other software versions on how to do this same thing, but my version appears to be older.
I need to forward some ports for Remote Desktop and remote Outlook, which I host on an internal server. I have looked all over the web and got close, but no hints on how to do it on ASA 8.2. There is an 8.3 guide, but it is just different enough not to work. I am new to this device and the CLI.
I am trying to configure a new 5505, but I am having difficulties opening ports that allow traffic in from the outside. My setup is Comcast Business Modem (w/ single static IP) -> ASA (10.0.0.1) -> (dumb) Switch -> NAS (10.0.0.10). I am attempting to open port 5001 to the NAS. I am very new to IOS, so I have mostly been working in ASDM. Not sure if I am overcomplicating this for myself or what, but I am stuck.
My running config is:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
I'm working on setting up a PBX server in our office, and I'm having trouble getting a port opened for SIP on my ASA 5505. I created a static NAT rule for SIP traffic from the internal server to the outside IP address. I created access rules on the outside interface to forward port 5060 to the internal PBX server (192.168.1.8). I also disabled SIP packet inspection on the ASA. I'm still receiving a message from the PBX that the firewall is configured incorrectly.
When I do an Nmap scan against my ASA 5505 on its internal interface's IP address, it appears to be listening on all TCP ports. If I do it from across a VPN tunnel, the ports show as open according to Nmap; if I do the scan from the local subnet they show up as unknown. I'm running 8.0.4 code on this ASA.
We've read everything about inspecting SIP packets and allowing them to pass through on port 5060, the default SIP port. However, our setup requires the ASA 5505 to allow SIP on ports 5060, 5160 and 5260.
Is this possible with the ASA 5505? If it's not, it would be a blocking issue for us to move forward with ASA appliances. We are currently investigating in a lab environment and are really having difficulties configuring it to facilitate full SIP functionality.
I have an ASA 5505 running 8.4(1), and I'm configuring it with ASDM 6.4(1). The outside interface is configured with a single static address. I have a few services port-forwarded successfully to three different servers on the inside network.
I need to make a media proxy on a SIP server available to the outside. It requires a large range of forwarded UDP ports for the media channels.
I tried adding a network object NAT rule like the others I'm already using to forward HTTP and RDP. I entered a range of ports for the real port and the mapped port using the syntax 60000-60999. ASDM accepted it, but the NAT rule list displays "Any" in the service column. When I apply the change, I get the following error:
nat (inside,outside) static interface service tcp 60000-60999 60000-60999
                                                ^
ERROR: % Invalid input detected at '^' marker.
How do I forward a large range of UDP ports from the outside interface to a single server on my inside network? I'd like to use ASDM, but I can switch to the CLI if that works better.
I am in search of a new router. I don't have any special task to do, just the flow of a maximum of 2 Mb/sec of data and sometimes video conferencing. However, I need a VoIP solution as well. I just got excited about the Cisco ASA 5505 product. Can this fulfill my requirements? Can this work as a router like the 1841? Does this support DMVPN, SSL VPN and dynamic routing? Can I upgrade the IOS for dynamic routing purposes? Do you recommend purchasing this product or not, instead of a router? What are the limitations of this product? If I purchase this, can I use it as a router as well as a strong security solution? How many ports are available for traffic flow on the ASA 5505? Are all of them routed mode, or are some of them switch ports?
I am trying to open up 3 TCP ports in Cisco ASDM Launcher:
16000, 16001, 8098
And I have a Cisco ASA 5505 router. I need these ports open in order for software that I have installed on the server to communicate with my local client computers for my business. The software is installed on Windows 2008 Server Standard Edition and was installed with Microsoft SQL 2005. The software and Microsoft SQL 2005 are pretty much installed and just require this last step in order for the server to be connected to the local computers. In order to resolve this, I have gone to.
I am used to setting up access-lists on outside interfaces with IP addresses that are static. I have recently been given a site that is using a dyndns.org client for name-to-IP-address resolution on an outside interface that is DHCP assigned. I created an access-list to open up ports 41794 and 41795 to an engineering application, but every time I try to connect from the outside I get a SYN timeout. The application works when inside the LAN. Basically I want to allow outside connections from anywhere on the outside to go to ports 41794 and 41795. I am running a Cisco ASA 5505 on version 7.2(4). Below is my config. What may I have misconfigured?
: Saved
:
ASA Version 7.2(4)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.31.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface
I'm stuck on ASA 5505 NAT port forwarding configuration. Here is what I need:
host1: 192.168.1.1 service tcp/100 >>>>> public IP 220.127.116.11 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public IP 18.104.22.168 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public IP 22.214.171.124 service tcp/300
So people from remote just need to use the 126.96.36.199 public IP to access all the ports on three different inside servers. I can do this on my old ASA 5505 with 8.0(4). Looks like there are lots of changes from 8.0 to 8.4.
We have a client that has a Cisco 1801W firewall that is set up as a site-to-site VPN terminating on a Cisco ASA 5505. The tunnel is up and established; I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \\192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the "ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable" line: I modified the command to include the public IP instead of interface FastEthernet0.
I believe it has something to do with the way NAT and route-maps are set up currently, but I'm not familiar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine, and it's something security-related on the router.
Here is the configuration (I removed a few lines that are not necessary; y.y.x.x = WAN IP of router, x.x.y.y = WAN IP of ASA).
Current configuration : 23648 bytes
!
version 12.4
no service pad
One of our techs accidentally connected two access ports from different switches together. Since then, LMS is alerting on them as being link ports down. I tried to default the config and set them to access ports without any success. What should I do in LMS to get it to recognize them as access ports?
When I was looking for a wireless card, everyone seemed to be having connectivity issues with all of these cards, and I regularly have interference issues when the microwave is used, which completely knocks off my connection. How do I connect a second router, as I have a telephone port in my room, so that I am able to connect my PC/PS3 via Ethernet? Just some basic info: I'm on the O2 wireless network using their Thomson router, and I also have a BT Home Hub 2 lying about for some reason.
My house has 4 ports in each room: 2 coaxial, 1 for the net and one for a TV, and there's a phone jack and a Cat5e Ethernet port. From what I have learned, all my ports lead up to a "closet", and I have found it. It has all the connections for the LAN and everything else. I am confused about what to do next. I see that there are blue Ethernet cords connected to the ports on one side, and that they are not connected to anything on the other. I thought I had to buy a switch for all these ports, and I haven't done so yet. Where am I supposed to connect the modem to the internet? It is currently connected to the internet coaxial port, which then connects to the VoIP switch, and is then connected to everything else. Where is the coaxial port that I have to plug it in to, and what is it labeled?
I've tried plugging in various devices (computer and solar panel management device) into the Ethernet ports to no avail. I just updated the firmware, reset the router, and still no luck. All of the lights work when I reset and the Wi-Fi works fine. Do I need to do something in the settings to turn on the wired connection?
I have a Cisco 1841 that has an ADSL (ATM) card installed. It was previously used with an ADSL line to provide NAT routing for an office. Now I want to use it with a cable modem, which would mean abandoning the ADSL interface and instead routing between the two Ethernet ports. Between the Cisco and the LAN is a Linux transparent proxy. It provides routing between 192.168.1.0 (LAN) and 192.168.2.111 (Cisco LAN interface). The network looks like this:
Cable Modem (188.8.131.52) (gateway) --- (184.108.40.206) (WAN) Cisco 1841 (LAN) (192.168.2.111) --- (192.168.2.11) Linux Proxy (192.168.1.10) --- (192.168.1.0) LAN
For testing and diagnostics, I've connected a laptop to each FastEthernet port on the router. One laptop is configured with the IP 220.127.116.11 to simulate the cable modem gateway, and the other laptop has the IP 192.168.2.11 to simulate the Linux proxy. From those systems I've performed the following diagnostics with the following results:
From 192.168.2.11:
Ping 192.168.2.111 - OK
Ping 18.104.22.168 - OK
Ping 22.214.171.124 - Timed out
From 126.96.36.199:
Ping 188.8.131.52 - OK
NAT translation to LAN IPs failing
There are some vestiges of the ADSL configuration, but I've cleaned most of it out and shut down the ATM interfaces. Here's my config:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
I would like to "team" two Ethernet ports on a 2921 router into a single redundant link to a switch, similar to how an HP server teams multiple NICs to a single IP address. Is port-channeling the best/only way to do this? I don't necessarily need the two links to be load balanced or bonded, considering the serial side of this router is just a single T1. I just want the links redundant, so in case something goes wrong with one cable or switchport, traffic will go over the other link.
how the ASR1000s are being set up. I am looking at ASR1000s as part of a network refresh and was looking at RJ-45 based Gigabit Ethernet ports compatible with the ASR1000s. SPA-5X1GE-V2 seems to be an option, but they are all SFPs. Are there any options for RJ-45 ones on ASR1000s?
There is an option for the 2-port one where you can mix and match SFPs and RJ-45, but I was looking for something which is RJ-45 only. Are there any options for them available? I know I could get something of the FastEthernet type, but I was looking for the GigabitEthernet type.
How many routed Ethernet ports do they support when using HWIC-1FE and HWIC-2FE modules? On the Cisco site for the two interface modules, and in the corresponding PDF of supported interfaces for 29xx routers, a maximum number of 2 2-port modules (HWIC-2FE) and 2 1-port modules (HWIC-2FE) is written. Does this mean that I can put 4 L3 HWIC modules into one Cisco 2921 router by combining these two HWIC modules, resulting in a total of 7 interfaces for this router?
I need to open ports 25, 993, 995, 443 and 465 to set up MS Exchange. I don't have an in-house IT guy, and this seems pretty straightforward in theory, but I can't figure it out.
I have Sky Fibre Optic Broadband, with a router supplied by Sky (you can't use any other router, as the username/password for the internet is already put into the router, and they will not give you the details when you phone them). The router they supply has only four Ethernet ports. One is used by Sky to give you fibre broadband, thus leaving you with three. I have five devices that must use Ethernet, as they do not have wireless. How do I get more Ethernet ports available to use, without losing the Sky router, as Sky will NOT let you use any other router?