Cisco Firewall :: ASA 5510 DMZ Creation
Nov 13, 2011
I need to implement a DMZ in my office. Before talking about the configuration , i would like to know best practises of implementing DMZ.My questions are,is traffic from inside to DMZ is permit by default?,What about DMZ to Inside traffic ?,Is it necessary to do a NAT from inside to DMZ with the same IP as of inside,What is the use of " static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ? is it a no nat statement?,Is it necessary to permit traffic from DMZ to inside?,Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?
View 17 Replies
ADVERTISEMENT
Dec 4, 2012
I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49 10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)
The problem server is on sub net 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 sub net can hit the server, but devices on other sub nets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.
View 1 Replies
View Related
Feb 10, 2013
I am trying to use the built in feature of Cisco ASA 5510 smart call home feature with the purpose of automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewall.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup
INFO: Sending test message to fcaccam@example.com...
ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33)
ERROR: Failed: CONNECT_FAILED(33)
View 1 Replies
View Related
Jul 26, 2011
I need to create a DMZ zone in my network. One server need to be put in DMZ. I have a PIX 515E 6.3.3. It has free port to create DMZ.
1) Put a new switch for DMZ zone
2) Connect it to the DMZ port
3) Create a NAT for inside to DMZ with same IP as inside
4) Create ACL for permiting traffic to DMZ and apply it to outside interface
5) Create ACl for permitting traffic from DMZ to inside
6) Routing for DMZ in PIX
View 3 Replies
View Related
Jul 30, 2012
On the ASA running the 8.4.4.1 code in transparent mode. Can I create sub interfaces in different vlans and attach them to different BVI groups?
switch---trunk---ASA---Trunk---switch
Gig0/1.1 vlan 100 bridge-gr1 Gig0/2.1 vlan 101 bridge-gr1
Gig0/1.2 vlan 200 bridge-gr2 Gig0/2.2 vlan 201 bridge-gr2
View 6 Replies
View Related
Jan 27, 2013
After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. [code] I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that invovles a range instead of a specific address or network. [code]
View 4 Replies
View Related
Aug 1, 2012
Two Vlans (ID1 and 100)are on a Cat 4500, which connects to an ASA, interface DMZ. On 4500, there is default route point to the ASA DMZ interface Issue, server on vlan 100 cannot ping a server on Vlan 1, vice verse. When I enable the realtime log, it gives me a “Translation creation failed” message, please see the attached files.
View 1 Replies
View Related
May 22, 2012
See the error below on my ASA5510.
305006 200.200.0.34 53 portmap translation creation failed for udp src inside:192.168.1.4/1047 dst outside:200.200.0.34/53
The first two computers work normally( IP 2 and 3) , but the third computer gets ip does not work on the Internet.
View 2 Replies
View Related
Oct 10, 2011
We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to there office via MSPPTP. I setup the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
policy-map global-policy
inspection_default
inspect pptp
Now when the dmz client tries to connect back to there PPTP server I get the following error.
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30
172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK on interface dmz
172.31.10.204 173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...
View 7 Replies
View Related
Mar 24, 2013
We have an ASA 5540 with 8.2(5)
Last three days in early afternoon we start getting these errors in the log and webpages either won't load or pages only half load.
3|Mar 22 2013|13:22:24|305006|184.73.105.115|443|||portmap translation creation failed for tcp src inside:10.10.176.114/58217 dst outside:184.73.105.115/443
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1517 dst outside:54.243.129.71/80
[Code].....
View 6 Replies
View Related
Feb 8, 2011
i have a query regarding the no. of isakmp policy priority creating..when i create a new policy in ASA 5500 firewall, i get the below error...i assume it will support only 20 nos, where as we can use between 1-65535.. can anyone from cisco confirm it...running version is 8.x & VPN Plus license.Policy limit reached. No more than 20 isakmp policies can be configured.”
View 2 Replies
View Related
Oct 11, 2011
How do you create a vlan? In enable mode, there is no "vlan" command.
View 4 Replies
View Related
Apr 23, 2012
I'm connected to my remote access vpn and am getting the below error, wierd thing i only get this error for ICMP, i can browse data on our network retrieve files etc, but pings fail for some reason
NAT-T is enabled
NAT rules are in place
ICMP is not blocked as can ping elsewhere
Where to being looking as to why only ICMP fails?
View 2 Replies
View Related
Feb 7, 2011
I have cisco switch model WS-C3750G-12S-D. It is in transparent mode. I am getting below error message when tried to create new vlan.
Proposed configuration exceeds the limit of 1005 VLANs that can be supported on this platform. Reduce the number of VLANs proposed to be within this limit.
After deleting few unnecessary vlans, it allowed me to create.
3750#sh vtp statusVTP Version : running VTP1 (VTP2 capable)Configuration Revision : 0Maximum VLANs supported locally : 1005Number of existing VLANs : 959VTP Operating Mode : TransparentVTP Domain Name : VTP Pruning Mode : DisabledVTP V2 Mode : DisabledVTP Traps Generation : DisabledMD5 digest : 0xBC 0xA7 0xEC 0xDE 0x36 0x6C 0x61 0xB4 Configuration last modified by 97.193.17.172 at 0-0-00 00:00:00
I confused with terms 'maximum supported vlans' and 'maximum locally supported vlans'. If switch is supporting vlans 1-4094 means it should also allow to create locally. Otherwise how they will pass through the switch trunks without local creation.
View 1 Replies
View Related
Apr 11, 2012
I could not find any report in ACS 5.3 which gives details on user creation and deletion in ACS. This feature was there in ACS 4.x but it seems not provided in 5.3 version.
View 3 Replies
View Related
Mar 15, 2011
I have site-to-site VPN and IPsec VPN installed on ASA 5505. VPNs work OK except few stranges:I can't ping 192.168.17.104 from remote ip 192.168.17.138 - 305006 192.168.17.138 regular translation creation failed for icmp src OLD-Private:192.168.17.104 dst OLD-Private:192.168.17.138 (type 0, code 0) in the same time I able to ping 192.168.17.104 from my network 192.168.10.0 and can ping from ASA No firewall at 192.168.17.104?How to fix it?
There is my config:
ASA Version 8.2(2)
!hostname ASA5505domain-name domainenable password password encryptedpasswd password encryptednames!interface Vlan1 description INTERNET mac-address 0000.0000.0001 nameif WAN security-level 0 ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1 ospf cost 10!interface Vlan2 description OLD-PRIVATE mac-address 0000.0000.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10!interface Vlan6 description MANAGEMENT mac-address 0000.0000.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10!interface Vlan100 description LAN Failover Interface!interface Ethernet0/0!interface Ethernet0/1 shutdown!interface Ethernet0/2 shutdown!interface Ethernet0/3 shutdown!interface Ethernet0/4 shutdown!interface
[code]....
View 10 Replies
View Related
Sep 11, 2011
My backup userid, password, privi 15 on all our company routers Say around 300 routers, it is difficult to log in each router and create a backup account, i heard from one of my friend that i can create a backup account and can upload thru the kiwicat tool and it will automatically creates my backup account on all the routers. Procedure to create this.
View 6 Replies
View Related
May 28, 2012
i have acs 5.2 i need to create a network admin policy to our nx-os devices such as nexus switches, how this will be done on acs 5.2?
View 0 Replies
View Related
Apr 22, 2013
I have a query regarding the deletion and creation of one of my SVI interface on 6513 ,The reason behind it as follows.My traffic get to Internet in this manner
proxy(external int.)[IP:192.168.1.30] --> Gi0/9[6513 in VLAN 170] --> SVI VLAN 170[IP:192.168.1.10] --> Gi0/10[In VLAN 170] -->ASR[IP:192.168.1.20],I need to assign this VLAN ie 170 to my inside interface of firewall but it was mentioned in books like this "Assign the VLAN for the FWSM before it is applied to the MultilayerSwitch Feature Card (MSFC)." so I am thinking the following steps to assign VLAN 170 to firewall group first before creating SVI Interface for it
1.Remove all currently assign ie Gi 0/9 & Gi0/10 interfaces from this VLAN and then delete this VLAN.
2.Create the same SVI ie VLAN 170[IP:192.168.1.10] by this way the issue can be resolved.
As in part of my configuration PBR is define like this .
interface Vlan170
description "PUBLIC IP VLAN"
ip address 192.168.1.20. 255.255.255.0
ip policy route-map NAT
route-map NAT permit 10
match ip address 101
set ip next-hop 192.168.1.10
I need to clearify what impact it may have on PBR part if I delete and create the VLAN 170.Will the traffic move to the inside interface of FWSM.
View 0 Replies
View Related
May 22, 2012
we managed to integrate our newly setup ACS 5.2 to our regional domain. now im creating a Device Admin access Policy for Regional Network Admin group and Regional Network Operators group. each having full and read access respectively.
i already have the default identity policy and authorization policy with with command sets fullaccess and showonly for each group, now i dont know how can i match the AD group regionaladm and regionalops so that each user falls under one of these groups will have a correct read/write access.
View 4 Replies
View Related
Dec 30, 2008
I just got the WRT610N and I really like it so far, I'm playing with the NAS option and I can't get it to create any new users or groups. I click on the link, fill out the form and click on 'modify user' (The set-up guide has a button there for 'save settings') and nothing gets created. I tried this several times and there are no new groups or users. I checked the storage.info file and there is no additional users or groups there either. I think I can edit that file but I'm not too sure what these last 2 lines mean
nas_login@admin:admin:admin: off guest:guest:guest: onusers_content@admin:admin:admin:admin: off guest:guest:guest:guest: on
View 8 Replies
View Related
Feb 26, 2013
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
View 9 Replies
View Related
Feb 5, 2012
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
View 1 Replies
View Related
Jun 22, 2011
I have a ASA 5510 firewall with CSC module and Security Plus license for CSC module.Will you tell me how to configure my firewall to send emails to particular mail ID when someone login into the firewall or any virus attacks from outside.
View 6 Replies
View Related
Apr 24, 2012
We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.
View 1 Replies
View Related
Feb 20, 2012
How much is the limit for the creation of PortChanel in a Core Switch 6509 and 6513?Is there a limitation byu hardware?
View 7 Replies
View Related
Oct 20, 2012
I would just like to to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.
View 23 Replies
View Related
Nov 15, 2012
I am quite new to firewall, in my company one asa 5510 firewall is there.I configured inside, outside, dns, dhcp and nating.I need to config bandwidth limit (1Mbps) for inside port and I restruct like facebook, youtube and pornsites..And I heard that some subscription is required, really is it required?
View 1 Replies
View Related
May 21, 2013
I have an ASA 5510 in a live environment. Up til a short while ago I could access this via the ASDM and ssh. However I can no longer connect to it via eithier. When I access It via SSH I get a disclaimer saying the following
*** You have entered a restricted zone! Authorized access only!!! Disconnect immediately if you are not authorized user! ***
It then cuts me off.
When I try to access the ASDM I get the following
The firewall is running all its services without a problem and I can ping the device without any issues. Also none of the config (to my knpowledge has been changed). I set up a console session and http server enable is still there with
http 192.168.200.0 255.255.255.0 inside
View 4 Replies
View Related
Nov 21, 2011
I have just configured identity firewall on our ASA 5510.I have 3 nodes that authenticates against Active Directory, using the Windows Server 2008 R2 builtin Network Policy Server: A laptop, a stationary PC, and a Android Phone. All 3 nodes are authenticated using the same user/password.
Now, in ASDM -> Monitoring -> Properties -> Identity -> Users, I can see two of the nodes with my user name attached to it, namely the laptop and the stationary PC.But not the Android phone.
Then it dawned on me. To set up the ADAgent properly, you have to apply 2 group policy entries. Unfortunately, those 2 entries are applied to the Computer Configuraton part of the Group Policy.This means that your COMPUTER has to be a member of your domain for USER IDENTITY to work.So my Android phone and other nodes not a member of the AD Machine Store will never be detected by identity rules, and can roam the network free.
View 2 Replies
View Related
May 14, 2012
I'm trying to install an ASA 5510 transparent firewall using ASA version 8.4(3)9 but I don't understand how traffic will ever pass through my firewall if both interfaces are on the same sub net(V lan) as the host and it's default gateway? The reason I'm doing this is were installing UAG (or Direct Access) and the UAG appliance need to have public IP's but still be behind a firewall (see attached diagram).
Looking at the documentation (which all seems to be for 5505's running 8.2) it almost seems like i need to have the transparent firewall 'in-line' to the ISP router?, but this router services another IP address range on another v lan for other (routed) firewalls (not shown on diagram) so putting it 'in-line' is not possible. Surely this can't be the case can it? If not how is it supposed to be cabled up and configured so packets go through the firewall?
View 3 Replies
View Related
Mar 20, 2013
I currenty have 2 cisco 5510 firewalls one of the firewals is completly dead but contains a Cisco ASA SSM-10 can i remove this card and just place it into a working unit, will i have any problems doing so.
View 1 Replies
View Related
Jul 29, 2012
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br Interface IP-Address OK? Method Status Protocol Ethernet0/0 x.x.x.x YES CONFIG up up Ethernet0/1 x.x.x.x YES CONFIG up up Ethernet0/2 unassigned YES unset administratively down down Internal-Control0/0 127.0.1.1 YES unset up up Internal-Data0/0 unassigned YES unset up up Management0/0 192.168.1.1 YES CONFIG up up
View 8 Replies
View Related
