I am working on a task of redirecting any unmatched http traffic to Symantec public transparent proxy through Cisco ASA. For the definition of uncatched http traffic, we have inbound squid servers for deploying IE proxy pac and redirect the http traffic to Symantec public transpraent proxy, however we can't deploy IE proxy pac to mobile device and non-support web browers.Since we have some application using IE proxy setting for direct http communication with external domains, the current symantec policy addes those domains in the exception list so that they are not redirect to Symantec public transparent proxy server.
-For the platform - Cisco ASA 5510 ASA 8.4(4)1
-For the solution, I have the following two nat rules
I have an 5510 running 8.4(1) I can ssh into the system with no problems until I scan the device with Nessus security scanner. After that I just get timeouts from the client when I try to connect and the only way to fix the problem is to reload the device. I have included 2 syslog dumps one showing ssh into the device before(working) the scan and one after(not working).I do not have any acls on that int and I have turned off basic threat detection. The devices is still running I can login via the serial console and via ASDM it just appears ssh is someone shutdown or hung.
4/21/2011 11:33:43 AM 192.168.11.108 Debug %ASA-7-609002: Teardown local-host testing:192.168.65.106 duration 0:00:104/21/2011 11:33:43 AM 192.168.11.108 Informational %ASA-6-302014: Teardown TCP connection 50 for testing:192.168.65.106/4462 to identity:192.168.11.108/22 duration 0:00:10 bytes 3691 TCP Reset-O4/21/2011 11:33:43 AM 192.168.11.108 Informational %ASA-6-315011: SSH session from 192.168.65.106 on interface testing for user "test" terminated normally4/21/2011 11:33:40 AM 192.168.11.108 Informational %ASA-6-605005: Login permitted from 192.168.65.106/4462 to testing:192.168.11.108/ssh for user "leeh"4/21/2011 11:33:40 AM 192.168.11.108
4/21/2011 12:38:17 PM 192.168.11.108 Informational %ASA-6-302014: Teardown TCP connection 86 for testing:192.168.65.106/1954 to identity:192.168.11.108/22 duration 0:05:01 bytes 0 Connection timeout4/21/2011 12:38:17 PM 192.168.11.108 Debug %ASA-7-609002: Teardown local-host testing:192.168.65.106 duration 0:05:014/21/2011 12:33:15 PM 192.168.11.108 Debug %ASA-7-609001: Built local-host testing:192.168.65.1064/21/2011 12:33:15 PM 192.168.11.108 Informational %ASA-6-302013: Built inbound TCP connection 86 for testing:192.168.65.106/1954 (192.168.65.106/1954) to identity:192.168.11.108/22 (192.168.11.108/22)
Upgrading from a PIX 515 ,V6.2, I can get internet traffic out through the ASA , but no traffic in to the servers. The NATS are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 netwrok to a publilc address. No changes have taken place on the routers. [code]
we have hosted voip and would like have our internet as back for their router. We gave them public static ip so they can configure that in their router. How can i configure the ip address in our firewall let say on asa5510 ethernet port 3 so if their router T1 goes out then our internet will work as backup.
I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have 192.168.101.0/27 private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.
We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.
I have a new 5510 which I have upgraded to 8.4(3). I have a /29 subnet from the telco on my outside interface. I have 6 subinterfaces on a dot1Q trunk on my inside interface. The customer requirement is to have two servers in a DMZ which have public IP's from the /29 subnet. The customer will not give the servers a new IP address so we are stuck with the two public IPs in the DMZ. I thought I would need a bridge group and bridge the outside, two DMZ interfaces but I read that bridging requires the firewall to be in transparent mode and then it won't support VPNs - this is not an option as I need to terminate VPNs on the box too.
how can I accommodate the two servers in the DMZ with public IPs whilst the ASA is in routed mode ?
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same piblic IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
I have a few devices that the manufacturer told us we have to set with a public IP (No Natting) We have Internet ->ASA5510-> Switch 3550 with 3 vlans. Up to now we have always use Natting to configure internet access to specific devices. I heard setting up a witch with one VLAN connected to the internet and all other internals is a bad idea. that was the only Idea we had.
What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browse the http://189.xxx.xxx.129:8080 and get through directly to my internal server 10.xx.xx.61 ?
One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.
Local Network - 10.10.9.0/24 Remote Network - 220.127.116.11/24 Remote Peer - 18.104.22.168 .ASA Version 8.2(5) ! hostname ciscoasa
We need to deploy a Cisco ASA 5510 behind the Internet facing router for Remote Access VPN (RAVPN). We bought the block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x)and configured the outside interface of ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 22.214.171.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 126.96.36.199). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 188.8.131.52 and then create a static nat to translate 192.168.0.3 to 184.108.40.206. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via 220.127.116.11, outbound PAT and the site-to-site VPN.
I have a Cisco ASA 5510 that was set up as a VPN server for working remote. I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA. The problem I'm having I believe would be resolved if I enabled split tunneling but I would prefer another solution. Now..for the problem.When a user is connected via VPN, they can hit all intended devices both public and private accept servers that have static NATs in the FW. So Server A has a public of 18.104.22.168 which is one to one mapped to private address of 10.1.1.1. Now if the remote user brings up a browser and goes to 22.214.171.124 it wont work. The FW gives me a error which is posted below. However, using the private IP of the server works. I thought about trying to manipulate DNS to resolve this as the remote users are using URLs and not IPs when trying to reach these servers but again, was hoping I could resolve the NAT problem that the FW seems to be having.
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:126.96.36.199/80 denied due to NAT reverse path failure 192.168.202.x/24 is the remote vpn ip given via the ASA.
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
I hava ASA5510. INSIDE,DMZ and OUTSIDE interfaces are configured. I hava web server on DMZ ip:10.0.0.1 and it is static natted to 188.8.131.52. From internet i can reach to web server with IP:184.108.40.206 and from INSIDE connect to web server with IP:10.0.0.1. Now i want to connect from INSIDE to WEB server via public IP(220.127.116.11).how can configure it?
Will I break anything if I create a second IP address on the physical external interface of our ASA 5510? I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...
1: Users on my private network to be able to access the internet (PAT them to external outside address) 2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
Email (MX) = 18.104.22.168 Public (outside) address = 22.214.171.124 Email server internal = 10.1.2.3 Internal private subnet for users = 10.0.0.0/8
how to totaly disable Admin/ASDM access on our public interface of our 5510. I don't want to change IPSec or SSL access to the outside interface. Just totaly disable access to Admin/ASDM from the outside without halting all other access.
I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
P.S.: I'm using a 5510 machine running version 8.2
Just wondering if there are any methods or commands, natively, in the asa5510 for determining all traffic in to and from a certain server passing through the asa. This would be without a syslog server or something similar.
Core Internal Network -> Cisco ASA 5510 -> DMZ Switch.If i send a ping reguest from internal network to servers in DMZ Switch over the ASA 5510, i can see a delay in response, some times this delay can be more than 80ms, this is a problem for the web applications in http traffic.How i can find what's happening on my ASA? I disable the inspect traffic over the IPS, disable the policy maps below, reload the two boxes, but doesn't works, the problem still persists. [code]
I'm currently using ASA 5510 with software 8.4.1 and I have an issue with nat configuration. I used the following config line:nat (inside, dmz) source dynamic LAN Pat1 destination Server1 Server1
The traffic is not flowing and when I use Packet Tracer, packets are dropped at the NAT rule with the following error: Drop-reason: (acl-drop) Flow is denied by configured rule.The only ACE I have is permit ip any any.
I have an ASA with an outside ACL that is configured to allow 126.96.36.199 SIP/5060 to 1x.x.x.46. I show no hits. I added an ACL to do a packet capture, it sees the packet coming into the ASA but not going to the Serv Prov interface. I see hits on the vuong ACL but not the production acl_out ACL.. What is up?
NOTE:ACL_out is the ACL we use to allow outside traffic to enter our network. FW1(config)# sh access-list | i 1.x.x.46 access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387 (*NO HITS) access-list acl_out line 658 extended permit udp host 188.8.131.52 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179 (NO HITS) [code]...
It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46. We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to . By trying to telnet to the 1x.x.x46 IP from 63.x.x.140 IP. Looking below, no traffic appeared on the capture2.
I have manually configured the Firewall ASA 5510 from existing PIX to match the configuration, however when I connect the firewall to the Network, no traffic is flowing in either direction. I have the Inside network on the 172.29.0.0 subnet and the outside network on 184.108.40.206 subnet. I am attaching the cofiguration file.
I use ASA 5510 and I would like to log VPN traffic ( for example, as soon as a remote user try to connect to the asa). I would like this log be send to a specific mail address. I already configure Email Logging for severity ( level 3) and it works well.