I have a Cisco ASA 5510. I have detected an infected workstation on my internal LAN which has caused my IP to be blacklisted by Barracuda Networks and other RBL. I have scanned and cleaned the workstation removing the spambot. I want to prevent all my internal workstations from sending SMTP traffic on Port 25 through my ASA 5510 device. I only need to allow my Exchange Server access to send out traffic on port 25. configure this setup using ASDM 5.0? I know it may be easier using CLI, but using the ASDM would really be preferred.
I have cisco ASA 5510 with ios version 7.07 & all users are browsing the internet via PAT through ASA. i want to block some sites/URLs like facebook, yahoo etc.
We have a Cisco ASA 5510 with a CSC SSM 20 module installed. As of this morning a valid site (Public School System) is being blocked at my site. It says the site is of High risk. I have tried entering the site in the block list exceptions but it still comes up as a high risk site.
I'm trying to configure a simple ACL to block smtp traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that smtp server. i want my Exchange server only to send smtp traffic. here's what i have:
-access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange
-access-list 102 extended deny tcp any eq smtp any eq smtp
-access-list 102 extended permit ip any any
-access-group 102 in interface inside
after i apply this ACL to the ASA, i am still able to send from my internet email address setup in Outlook using my "foreign" smtp server.
We have a Cisco ASA 5510 with a CSC SSM 20 module installed. As of this morning a valid site (Public School System) is being blocked at my site. It says the site is of High risk. I have tried entering the site in the block list exceptions but it still comes up as a high risk site...
I am working on an ASA5505 and am trying to open the ftp port. I have a server (192.168.10.202) on the local LAN which is attempting to download antivirus updates from the net via ftp.
Saved : ASA Version 8.3(2) ! hostname SITE enable password XXXXXX passwd XXXXXX names
I have an ASA 5505 running 8.4.I am only letting ICMP traffic in from the outside.As a test, I opened a couple of ports I need on the ASA.I cannot access these ports and I do not get a denied error in the log.
I contacted the ISP and they are not blocking these ports.I ran an online port scanner to check ports 1-100 as a test. They all came up as blocked on the port scanner. The only deny error I got on the ASA was for port 80.Is this normal behavior? If so, how do I get it to show all of the deny errors so I know the traffic is at least hitting the firewall?
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
I thought I had the configuration to allow bi-directional traffic for my Blackberry server. I have a second fw with the same config and it worked on that one. But right now, my blackberry server is down, and all the users are upset.
I would just like to to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.
I've got an unconnected ASA 5510 running IOS 6.1 that I need to upgrade to 8.X (I believe 8.4 is available). The unit is a blank/default configuration and is not on any network so it can't be easily accessed via Ethernet. Is there a method that I can use its onboard USB port (0 or 1) to plugin a USB memory stick with the 8.X...bin file and process the upgrade that way?
i have a asa with a outside IP address of 140.32.121.5. behind this firewall i have a cisco MWR 2941 that i would like to connect to via telnet. its inside ip address is 10.10.10.2. my reasoning for this is because i cannot SSH or telnet from a ASA so i need to have the ASA push my telnet request to the router on its inside interface.i have tried some NAT examples but i am very green with NAT. i have also built access lists that look like the follow " access-list 101 permit tcp any 10.10.50.2 eq 23. and then tied the access-group 101 with the outside interface. this also with no success.
I have a Cisco ASA 5510 appliance running ASDM 6.3 We have a number of public IP addresses associated with our company. In order to utilise the IP addresses effectively I want to use one puplic IP address for two servers running on different ports.e.g.
Public IP address 78.109.174.100
for both
Server 1 HTTPS and HTTP Server 2 FTP
Both Servers live in the same subnet (DMZ) I believe this maybe port forwarding but could be completely wrong. I've tried creating a NAT rule that goes from Server 2 Network object to Server 1 external but this didn't work.
We have an ASA5510 that we need to open port 25 to allow mail traffic to our internal Exchange server.We have 2 interfaces defined... one named Internal on eth0/3 ip 10.1.x.x and one named Internet on eth 0/0 ip 96.56.x.x.We followed the instructions in ASDM for allowing access to a public server but confusion over definitions have stopped us.ASDM asks for the internal interface and the internal server IP... no problem there because the internal interface and server have two different IP addresses. The Internal interface is eth 0/3 (10.1.1.1) and the server is 10.1.1.2.
However, when we get to the External interface (eth 0/1) there is only a single IP address 96.56.x.x but the ASDM asks for an Interface IP and the IP people would use to get to the mail server from the outside. Inasmuch as we have only 1 external IP address (which connects to our upstream Cisco router which in turn connects to the ISP modem) we used the same IP for both but the ASDM returns an error indicating they must be different.
Apparently we do not have a clear understanding of what the ASDM is actually asking for. When the ASDM asks for the external interface we assumed it was asking for the named value we gave the interface (which is Internet). The named value "Internet" has an ip associated with it 96.56.x.x. But when the ASDM asks for the ip people on the outside would use to get to the mail server (we created a named value called "mail server" and gave it the same ip address as the external named value. This duplication of ip address causes the ASDM to return the error stating that external Interface to be used and the external ip to be used cannot be the same.Have we made an error when we assumed that when the ASDM asked for the external interface it meant the ip of the external interface or was it asking for the eth number (as in eth 0/0) for the interface?
I'm trying to forward an internal service on a internal server to the external interface on the same port on the outside interface of our ASA.I been searching for a solution for days and found nothing.Here are the relevant parts of my config:
: Saved : ASA Version 8.4(2) ! object service TCP-WebServer-8080 service tcp source eq 8080 object network WebServer_Object_10.1.10.7 host 10.1.10.7
[code]....
So it looks like it's being dropped by an ACL, but it looks right to me.
I have a ASA 5510. I want to access the internal server IP through the ASA via http://60.54.x.x:8080/sms/DnNotify ( via port 8080).How do i configure it? NAT? ACL? configure port?
i´m trying to make a traditional port forward (http to http) on our new asa5510. Previous releases off 5505 and software prior 8.3 was no problem. Could someone tell me how do it in new 8.4 version? I ám a rookie on the new ASA series!
If nothing makes sense in this configuration please give example on how to do it correct. The object on the inside is SRV02 wich is running a webserver on port 80. So i want to open upp for http on outside interface and forward that traffic to srv02 (inside webserver)
I can not access the switch at 10.199.199.2:2301 . What am I doing wrong? Or should cleaning toilets be something I really should look at! Now if i run this NAT statment:
how do i enable port forwarding on the CLI for ASA 5510. outside subnet is 192.168.1.0/27. when i try to ping another IP with that range i can't access.
Successfully creating a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?I have spend hours now trying, but I'm still unsuccessful.What I want is a simple: "if this particular ip-adress hits the wan interface on this tcp-port redirect to this inside ip-address on this tcp-port.I have never had any trouble on any other firewall creating something like this, but the ASA is killing me.
I have a private network behind a configured Cisco ASA 5510. I need to send data back and forth between a server on the inside network and a device on the outside network on port 44818. No amount of configuration is allowing this to happen. The packet tracer always fails on of the implicity "deny" rules, even though my other rule should explicitly permit it. I also realize I need to set up routing from my outside network to the inside network, but I cannot see from the documentation how to do that on this particular port without simultaneously breaking my outside connection.
The inside IP for the ASA is 192.168.25.1 The outside IP for the ASA 192.168.11.54
Here is my current configuration:
: Saved : Written by enable_15 at 08:49:25.956 UTC Thu Feb 2 2012 ! ASA Version 8.2(5)
I'm trying to setup port mirroring on a Cisco ASA 5510, but when I try to use the switchport monitor command, that command is not recognized.I've selected what interface I want to configure (conf-if), but the switchport command seems to not be part of the IOS.I'm running ASA version 8.2(1)
I need to forward port 55443 to an internal address ( lets call it 15.15.15.15) from two outside ip's ( 5.5.5.5 and 6.6.6.6)These addresses need to see the server IP address (15.15.15.15) only and nothing else. It is an ASA 5510?
This problem applies (in my case) to our ASA5510. The issue here is that the http service on the ASA is runnnig off of the standard port 80. Login to the firewall and run the following.no http server enable http server enable 8080,Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.
Any one experience with this issue that cannot access to console port. USB serial cable and terminal server working fine with all other ASA 5510 except one of them. I rarely see the console and aux port failed to response.
how to go about setting up the ASA to block any SMTP traffic outbound except for our Exchange Server. This is in relationship to a SpamBot issue that blacklisted us. I have an ASA 5510 running version 6.2(5) / 8.2(2) with three ports. DMZ, Inside and the Outside interface. Up till today, I only needed to block outside traffic to our internal network which I used the ASDM to configure a rule on the outside interface for an incoming rule. I am assuming I need to create an outgoing rule on the outside interface; however, just to make sure I understand the terminology/traffic flow, I created the rule with my computer as the source (192.168.0.131) with ALL destination and the service as HTTP. My logic, which seems to fail here, is that any traffic from my computer going outbound would be blocked; however I am still able to browse... That said, if I were to change the source as the Exchange server and the Service Type to SMTP, it would not actually block traffic and therefore not solve our problem. I even gone as far as permitting traffic from my computer, expanding the hit counter and I see no hits. So I am no doubt doing this wrong. What I do know, is when I first created the rule, a second rule was automatically created (Implicit rule) that deny all sources and blocked all HTTP traffic until I changed it to Permit?
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
