Cisco Firewall :: ASA 5505 Vlans Routing & Access-list?

Jan 4, 2012

ASA 5505 vlans routing & access-list?

View 4 Replies


ADVERTISEMENT

Cisco Firewall :: 5505 - Construct An Access List For Outside Interface Using External Address?

Sep 10, 2012

I'm configuring a 5505 for a remote office.  Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?

View 5 Replies View Related

Cisco Firewall :: Routing Between VLans On ASA 5505?

Dec 5, 2012

I have an ASA 5505 and I have the three regular vlans, outside, inside and dmz. The best would be only have outside and inside and skip dmz, but without explenation there is not possible to have more then two clients in whats now dmz because of a mac filter on third party device.
 
So as security is concerned dmz and inside is equal, one to one and there should be full access between them. I ran the wizard and said that the only way traffic not should be possible to flow is from dmz to outside.
 
In the NAT rules the onle rule is
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
 
But traffic from one way or the other dmz to inside, og inside to dmz it says in log
 
3Dec 06 201215:38:39305006172.17.6.1053portmap translation creation failed for udp src inside:192.168.6.102/49358 dst dmz:172.17.6.10/53  From documentation I have an image with network drawing from documentation. What do I have to do allow traffic btween inside and dmz, both ways.

View 3 Replies View Related

Cisco Switching/Routing :: 3650 / 5505 / 1252 - Access Between VLANs

Dec 22, 2012

I have set up a scenario for a small business and have some questions about how to manage the access between the VLANs. Is there is a better / another way to do it. See the attached picture for the topology / info.
 
My question is:  
My switches is set up with x numbers of VLANs and a routed port (no switch port) to the ASA for internet connectivity. How is the best (or only??) way to manage the access between the VLANs?  Is it ACL's on the switch?
 
And by "managing access" I mean VLAN 50 (public WiFi) only have access to the internet, only management servers have access to management VLAN, Client VLAN only have RDP access to server VLAN and so on. Is there any way to do this in the ASA (or add another (gigabit) router to the topology)) or it the only way to have lots of ACL's on the switch itself? I have thought about "router on a stick", but then I imagine there will be a bottleneck between the switch and the ASA?  

(Equipment is 2 x 3650G, ASA5505, AP1252 - see attached file).         

View 3 Replies View Related

Cisco Firewall :: 5505 Static Nat With Port Redirection 8.3 Access List Using Un-Nat Port

Aug 15, 2012

I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.

View 12 Replies View Related

Cisco Switching/Routing :: 3560 - No Access List On Switches And No Firewall Between Sites

Jul 15, 2012

I have 3 3560 switches which are configured with trunks between them. They run vlan 10, 11 & 12. I have a 'core' switch (switch 1) of these 3 to which an MPLS router is connected on vlan12. I in addition have another switch hanging off the 'core' switch via a routed link (switch 4). I have EIGRP configured as a stub and as such the IP address on the routed link at the core switch end is of a /24 from v lan 1 on the other switch. This makes the route directly connected and therefore distributed via EIGRP stubs. Switch 1 is then exchanging routes with the MPLS router (via EIGRP).
 
The problem I have is that from any sub net on any switch (switch 1, 2 or 3) I can ping 192.168.13.1 (switch 4). When I try and ping switch 4 from over the MPLS I am unable to. If I trace to the switch I see it reaches the outside of the MPLS router, but is then unresponsive. The same applies if I try to ping switch 1 on 192.168.13.2. Any of the other IP addresses of switch 1 respond.
 
The MPLS network is a managed solution to which I have no access. I'm told that the MPLS provider is able to ping switch 1 & switch 4 on the 192.168.13.x addresses from a remote router (192.168.32.2). I have tried from a switch on the same L2 sub net (192.168.32.1) and I don't get a response.
 
From switch 4 I am able to ping the switch on 1 of it's interfaces (192.168.19.1), but not the interface I mentioned above 192.168.32.1. There are no access lists in place on the switches and no firewalls between the sites.

View 22 Replies View Related

Cisco VPN :: 5505 Allowing VPN Network Access To Specific List

Feb 1, 2012

I've setup my VPN on the cisco ASA 5505 which works perfectly, users from outside can access my internal LAN. Now what i want, Is to create another VPN Tunnel group with another set of IP in which i want to allow them access to one server inside our LAN. See below details of network. [code]

View 1 Replies View Related

Cisco Firewall :: List Ports Open On ASA 5505 Appliance?

Oct 12, 2011

How to list ports open on Cisco ASA 5505 appliance? I have tried to see using Cisco ASDM launcher, but no luck.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Ping Between Two VLANs?

May 24, 2012

i am trying to get my ASA 5505 with 2 internal VLANs (voice and data) and external internet VLAN to run in router as a stick, and route between VLANS.
 
I cant get it working though:

[code]...

View 4 Replies View Related

Cisco Firewall :: NAT With Inside / DMZ VLANs On ASA 5505 V8.4(2)?

Sep 16, 2012

I have a 5505 with Base license running ASA software v8.4(2) that has been working happily for a while with an inside and an outside VLAN.
 
The outside has a single statically configured public IP, and I have a number of static NAT rules to expose a few internal servers as well as Dynamic-NAT for all devices on inside to gain access to the Internet... the main bits of the config are below:
 
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2

[code]....

I now have a requirement to add a "dmz" VLAN for guests to have access to the Internet using a dedicated wireless AP, but not to any of the inside resources. As the ASA has a base license I have configured "no forward interface" to the inside vlan, which suits the purpose fine
 
interface Vlan12
description Used only for guests access to the Internet - no access to the corporate resources
no forward interface Vlan1
nameif guests
security-level 20
ip address 192.168.2.1 255.255.255.0
 
My problem is that when I try to add NATing from the dmz to the outside I get a:
 
     ERROR: Address a.b.c.d overlaps with outside interface address.
     ERROR: NAT Policy is not downloaded
 
with either:
 
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic interface

[code]....
 
Having had a look at the ASA Configuration guides, all the examples I can see with several "internal" VLAN's being NAT'ed use one external IP per VLAN - is this a feature/restriction of the ASA software? Are there any workarounds? Or is the overlap in the error message really about the current NATing to the inside VLAN which is done on the "any" 0.0.0.0 subnet - would the following then work:
 
object network obj_any
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic a.b.c.d
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic a.b.c.d

View 5 Replies View Related

Cisco Firewall :: 5505 Licensing And VLANs

Oct 2, 2012

so I look up ASA5505 licensing and for VLAN support see: 3 (no trunking support)/20 (with trunking support)*
 
I need 3 VLANs...inside, outside, and DMZ..but when it is creating the third (DMZ) it says I am only allowed to have 2 VLANs and can only create the third if its set to not forward traffic. ?

View 1 Replies View Related

Cisco Firewall :: Configuring VLANs In ASA 5505 Switch

Apr 19, 2011

I have 2 ASA 5505 firewalls and 1 cisco 3560 switch.
 
One ASA 5505 firewall and cisco 3560 switch located at SITE-A. Another ASA 5505 firewall located at SITE-B. 
 
Below is the my connectivity:
 
Site-A                                       IPSec VPN                                       Site-B
cisco 3560 <----------------------------> ASA 5505<------------------------------------------------------------------------------------> ASA 5505
 
I planned to create 5 vlans in my cisco 3560 switch. these 5 vlans needs to have internet and needs to access Site-B.
 
I will write on dafault route to firewall in my cisco 3560 switch. Is ASA 5505 supports this scenario??? If it is then how to configure ASA 5505 firewall.

View 4 Replies View Related

Cisco Firewall :: Can't Get Traffic Flowing Between VLANs On ASA 5505

Aug 20, 2012

I've got an ASA 5505 with the Security Plus license that I'm trying to configure.

So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).

From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.

I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.

When I try to ping there is no reply and the only log message is: 6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0

View 11 Replies View Related

Cisco Firewall :: 5505 - Route Traffic Between Two VLANs Through ASA

May 30, 2011

I have ASA 5505 Firewall with security plus license, I configured two V LAN 1 and V LAN 5 as my inside V LAN for different sub net, i need to route the traffic between this two V LAN's through ASA. I configured
 
int vlan 1
nameif inside
Security level 100
Ip address 172.16.100.1 255.255.255.0
[Code] .........

The problem is i am not able to ping other sub net, for ex my PC is in V LAN 1 not able to ping 192.168.22.1 ... For troubleshoot i type debug icmp trace while pinging other subnet
 
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4608 len=32ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4864 len=32ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5120 len=32ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5376 len=32

I turn off the firewall on my local machine.

View 10 Replies View Related

Cisco Firewall :: ASA 5505 Security License And Vlans Supported?

May 18, 2013

I am buying ASA 5505 with security  license. It says it can support 20 vlans does it support 20 vlans by allowing to create subinterfaces? As it has 8 physical ports only?

View 3 Replies View Related

Cisco Firewall :: ASA 5505 - All Traffic From Guest VLans To Always Go To Outside Interface

Mar 15, 2013

I have a ASA 5505 with the security plus license. I have 7 vlans, 2 are guest vlans for wireless and wired connections.  I am allowing traffic from the guest vlans to any with the http & https protocols I have ACL's in place before the allow all rule that do not allowed traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans to always go to the outside interface for the http & https traffic in stead of trying to go to the other vlans first, I know I have the ACL's in place to prevent the traffic but if I would feel better if I had this in place as well.

View 5 Replies View Related

Cisco Firewall :: Multiple WAN IPs Routed To Separate Internal VLANs On ASA 5505

May 25, 2011

I have an ASA 5505 with the security plus software and I'm trying to find out how to assign 2 public IPs to the outside interface and have each IP routed to a separate internal VLAN. For example, IP 1 = X.X.X.1 routed to 192.168.1.0 and IP 2 X.X.X.2 routed to 192.168.2.0. I was told this was possible and I've been trying to find configuration examples, but I can't seem to get anywhere and now I'm getting desperate because I'm scheduled to install it this weekend.

View 1 Replies View Related

Cisco Switching/Routing :: ASA 5505 - Port 80 Route Between Vlans

Apr 14, 2013

I have 2 Vlans with seperate networks and want to create a route between one server in vlan 465 to another server in vlan 436 via port 80.Vlan 465 has a ASA 5505 inside that IP address 89.254.12.35 will be initiating the connection to address 10.200.1.213.
 
-Vlan 465: server address 10.200.1.213
-Vlan 436: server address 89.254.12.35
 
However for extended security I would like to restrict the firewall opening to an IP to IP opening.

View 7 Replies View Related

Cisco Firewall :: Access-list On ASA5520

Feb 23, 2011

I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I  first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.

View 1 Replies View Related

Cisco Firewall :: PIX 501 With 1 Static IP / NAT / PAT With Access List

Aug 24, 2011

I am having a problem getting this to work and I have always done it with 2 Static ip address.  but now this company changed to 1 and I am doing something wrong.

I have comcast with 1 static IP, I have a local LAN with 6 host and 1 server that does Mail and remote access and web traffic.

I need a config that allows me to use 1 static ip on the outside interface of the PIX and allow with an ACL 7 ports open to the server and allow all the local host out to the internet.

View 11 Replies View Related

Cisco :: Router Outside Firewall / Access List On Interface?

Apr 2, 2013

I have a router in front of a few firewalls on an internet link. All traffic from the inside network must go through one of the firewalls to get out through the router and similarly there is a dmz on one of the firewalls.I am trying to make sure the router is fully hardened.Should I apply an access list on the outside interface of the router along with the access list for management access?

View 11 Replies View Related

Cisco Firewall :: ASA 8.6 Nat And Access List For Mail Server?

Oct 30, 2012

Trying to figure this all out. I'm getting untranslated hits. I posted the config I have so far.
 
Code...

View 7 Replies View Related

Cisco Firewall :: ASA 8.4 Access List Dynamic Interface?

Mar 11, 2013

This is a working example using static. But it doesn't work with the dynamic interface or I'm doing something wrong. Need to get rdp access to my laptop.
 
ASA Version 8.4(5)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

[code]...

View 1 Replies View Related

Cisco WAN :: 2921 - CBAC Firewall Access List

Jul 1, 2011

I need to configure the access list on the outbound internet port to accept the following:
 
ip access list 10
access-list 10 permit PPTP vpn any xxx.xxx.xxx.xxx
access-list 10 permit RDP any xxx.xxx.xxx.xxx
access-list 10 permit FTP any xxx.xxx.xxx.xxx
access-list 10 permit Postgresql any xxx.xxx.xxx.xxx
access-list 10 permit MacARD any xxx.xxx.xxx.xxx
 
This method does not work on the Cisco 2921 router with FW

View 1 Replies View Related

Cisco Firewall :: ASA 9.1 Access-list / Real IP Addresses?

Feb 26, 2013

So in the past from 8.2 down I had one to one NATs like so
 
static (inside,outside) A.A.A.A B.B.B.B netmask 255.255.255.255
 
but for 9.1 im running now I need to do this
 
object network obj-B.B.B.B
host B.B.B.B
nat (inside,outside) static A.A.A.A
 
So if I make an ACL to permit outside public access to the public IP (A.A.A.A) in 9.1 do I use real B.B.B.B ip address or the object itself obj-B.B.B.B?

View 4 Replies View Related

Cisco Firewall :: 2950 Switch Access-list On Dmz

Mar 4, 2012

On firewall we have zone created for dmz and ip is 192.x.x.x and it is connected to 2950 switch(DMZ switch)  with vlan 25..We have L3 switch on this we have created vlan 25 and connected cable from L3 with 2950 switch with vlan 25
 
As we have the servers on L3 and wanted to bring on dmz zone  we have connected a cable.Now the problem is when i connect a pc on 2950 switch (directly on dmz switch) with access-list below we are not geeting any hist on it.

View 6 Replies View Related

Cisco Firewall :: 5510 Access List For Remote Vpn Users

Apr 5, 2011

How to designate access-list for the remote access vpn users in order to let them access specific subnet or host,asa 5510 and acs is in the picture

View 9 Replies View Related

Cisco Firewall :: Configure Extended Access List On AS5350XM?

Sep 14, 2011

I'm trying to configure an extended access list on one AS5350XM but I get one way hearing on a voice calls and I can't determine why (please see the attached diagram). There is an OSPF running on both gigabit interfaces and the Loopback address is also advertised (it is actually the voip IP address). The access list is applied on both interfaces in the inbound direction. There is another gateway with IP:4.4.4.4 (no firewalls here) and the routing between gateways is working properly.
 
Here is part of the access list (applied on AS5350):

.
.
permit ip host 4.4.4.4 host 3.3.3.3
.
.
 
When I review the log of the AS5350xm I see many errors like this one:

%SEC-6-IPACCESSLOGP: list example denied udp 3.3.3.3(16638) -> 4.4.4.4(18094), 1 packet
 
So how it is possible to see this error since the access list is in inbound direction and the IP address (4.4.4.4) is open. I don't have problems when I do telnet or ssh from 3.3.3.3 to 4.4.4.4.

View 3 Replies View Related

Cisco Firewall :: 6513 - Unable To Remove Access List

Mar 22, 2012

I am unable to remove an access list. Currently this this access list contains 4 lines of remarks. I was unsure if I was entering the command correctly and now I have 4 lines of "trash" that needs to be removed.
 
Symptoms:
     The "sh run" command shows that I have access-list 100 defined.
     The "sh access-list" returns nothing.
  
Process I have tried:      config t
     no access-list 100
     no access-list remark Test (just trying anything at this point)
    clear configure access-list 100 (This returns "Invalid input detected at '^' marker" and the '^' is under the 'e' in clear.) 
 
So the "clear configure" command is not working.  The "no access-list" commands does not return an error but does not remove anything.
What step am I missing? Let me know if I can provide any more information.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 / ASA 8.3 Migration - Expanded Access List

Apr 24, 2011

I have just upgraded a ASA5510 from 8.2 to 8.3 using migration tool.All seemed to go well, still double checking the config as this is a bench test of upgrade prior to filed upgrades.
 
Anyway one thing that is slightly frustrating is that the migration has expanded all of my access-lists, so we maybe had 10 lines of config relating to access-lists based on access-groups, now we have hundreds of lines.On ASDM this is bad enough but on CLI with show run its a bit of a bind.
 
Is there any way to un-expand the access list or do I simply delete and start again using my access groups.

View 2 Replies View Related

Cisco Switching/Routing :: 3560 - Access List On InterVLan Routing

Dec 11, 2012

I implemented access list on cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from Ato B
Network A. 10.0.12.0/24
Network B 10.0.24.0/24
 
The configuration is
interface Vlan1
description Data VLAN

[Code].....

View 14 Replies View Related

Cisco WAN :: Command To Check List Of Incoming Vlans On Catalyst 4640?

Oct 4, 2011

is there a cisco command to check the list of incoming vlans on a catalyst 4640 or at least that will give you the same output?we're having an issue with an ethernet circuit, links are up but ping won't go through(no ACLs) and I want to see if the vlan tag from the the other side(side B) is properly reaching side A.

View 1 Replies View Related

Cisco Firewall :: 5540 - Extended Access-list Error Using FQDN

Nov 7, 2011

I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host. For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
 
This is how I normally add these rules (the ip addresses are fictive): access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
 
When I try to add this using the hostname on our asa I get an error: access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com  ?ERROR: % Unrecognized command
 
I've tried it without the 'www', so hostname.com but same error.

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved