Cisco Firewall :: ASA 5510 - Setting Up ACL To Permit Access Only To The Nat Subnet?
Apr 9, 2012
setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
permit ip any "Nat_subnet"
After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
[code].....
View 3 Replies
ADVERTISEMENT
Sep 7, 2011
First off, let me preface this by saying that I'm a novice when it comes to firewalls and more specifically, the ASA. I do however, have an above average understanding of switches/routers.
We have an ASA 5510 running 8.3 and recently I've decided to clean up the last admin's mess. All hosts and servers are on the same subnet, multiple subnets on the same VLAN... and a slew of other problems. Anyway, I recently placed the IT department on another subnet to test some things out before I migrated other departments to different networks. Everything seems to be working as it should be with the exception of one of our servers. The IT subnet is 192.168.150.0/24 and the problem server is on the 192.168.10.xxx network. I'm guessing the issue lies somewhere in the fact this server does have a static NAT and is accessible from the public. Let me give you an overview of what our network looks like:
ISP ---->ASA----->3750----->2960
My workstation is directly plugged into the 3750 switch, and the server is plugged into the 2960. I'm able to ping this server by both IP and hostname. However, I cannot access port 80 by IP or hostname. The users that are on the 192.168.10 and 192.168.11 (sadly both of those are on the same VLAN) network are able to access this server without a problem. Thinking logically, I thought I would send a packet from my workstation, it would head to the layer 3 switch's VLAN interface corresponding to my subnet, realize the .10 network is directly connected and then forward the packet straight to the server. However, it doesn't seem to be working that way. It look like it's being routed to the ASA then being dropped. I guess there's an access rule or firewall rule preventing me from getting to the server. Is there a specific part of my config you will need to see...
View 15 Replies
View Related
Oct 25, 2012
We have a 5510 (8.2) with the following 4 interfaces (security-levels) inside (95), outside(0), dmz(25), and test (95). The dmz network is 10.10.10.0/24 and the outside interface is 40.133.84.69.We have run into a situation where a dmz hosted iRedMail server running postfix (10.10.10.51) is relaying mail which in some cases points back to us at 40.133.84.69 and into our Exchange server. In these cases in the dmz server's mail logs we see postfix timeout trying to connect to smtp at 40.133.84.69. When I try to telnet from 10.10.10.51 to the outside interface on port 25 it times out.We've tried different ways to allow the outside adapter to permit smtp (or any service!) from 10.10.10.51 but we're left scratching out heads.
View 1 Replies
View Related
Feb 9, 2012
I have a rule which permits traffic to a web server and logging is enabled. But when I go to syslog I am only seeing traffic which has been denied. What needs to change to be able to see the logged traffic on permit rules?
View 1 Replies
View Related
Jun 3, 2012
In Cisco ASA 5510 , outlook port only permit ( pop3 995/smtp :587) with TLS encryption. How we can do it thru ASDM .
View 1 Replies
View Related
Dec 9, 2012
Background: I have a couple of ASA 5510's I'm going to put in our lab environment. I have restored them to default config and set up the m0/0 interface with an ip/mask and started the http server. My lab environment is on the 10.45 subnet and my .com corporate environment is on the 10.40 subnet. I've also setup DNS and, from the ASA, can ping anything in the 10.45 subnet.
The problem, is that from the ASA, I can not ping the internet or my 10.40 subnet. And vice versa, I cannot ping the ASA from my 10.40 subnet. When I bring up a regular server, there is no special configuration I need to do as those subnets talk to each other and nothing is restricted.
Is there something special I need to do go get it to work? I tried adding a access list to allow icmp, but that didn't seem to work.Oh, and I'm getting to the ASA by RDPing into a lab server (on 10.45) then putty to the ASA.
View 7 Replies
View Related
Jun 5, 2012
I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.The setup is as follows:
-ASA inside interface on 192.168.10.240
-VPN clients on 192.168.254.x
I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet,[code]
View 3 Replies
View Related
Jun 9, 2013
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.
View 1 Replies
View Related
Mar 8, 2011
I have setup two different subnet 192.168.1.0 and 192.168.2.0 on the same 'inside' interface. They are unable talking to each other. I can ping from firewall to both subnet. Both side unable talking to each other unless I add route on the both side systems.I have added the followings in ASA5510. [code]
View 8 Replies
View Related
Aug 12, 2012
I am having touble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utiluizes a physical interface on the ASA5510, but I need the interface for another project.
What I have is this:
Internet<----->ASA<-->router<-->4507(layer3)
| |
| |-Vlan1
[Code]......
View 1 Replies
View Related
Jan 23, 2012
I have a Cisco ASA 5510 firewall, my problem is that when the first VPN connections is established everything is good. But when that connections is cancel or terminated due to non connectivity. No one can connect to that firewall through that VPN unless that firewall is restarted.
View 1 Replies
View Related
Mar 21, 2013
I have a ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut n paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output and it keeps failing on the NAT with a rpf-check. Once i get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
Here it is:
RVGW# sh run object
object network WiFi
subnet 172.17.100.0 255.255.255.0
[Code]......
View 1 Replies
View Related
Feb 14, 2011
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
View 6 Replies
View Related
Mar 5, 2012
how to go about setting up the ASA to block any SMTP traffic outbound except for our Exchange Server. This is in relationship to a SpamBot issue that blacklisted us. I have an ASA 5510 running version 6.2(5) / 8.2(2) with three ports. DMZ, Inside and the Outside interface. Up till today, I only needed to block outside traffic to our internal network which I used the ASDM to configure a rule on the outside interface for an incoming rule. I am assuming I need to create an outgoing rule on the outside interface; however, just to make sure I understand the terminology/traffic flow, I created the rule with my computer as the source (192.168.0.131) with ALL destination and the service as HTTP. My logic, which seems to fail here, is that any traffic from my computer going outbound would be blocked; however I am still able to browse... That said, if I were to change the source as the Exchange server and the Service Type to SMTP, it would not actually block traffic and therefore not solve our problem. I even gone as far as permitting traffic from my computer, expanding the hit counter and I see no hits. So I am no doubt doing this wrong. What I do know, is when I first created the rule, a second rule was automatically created (Implicit rule) that deny all sources and blocked all HTTP traffic until I changed it to Permit?
View 2 Replies
View Related
Oct 14, 2011
I have a 5510 ASA and have been given another an told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside? Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.
View 4 Replies
View Related
Mar 23, 2011
I want to give access to remote subnet on firewall 5505.
Remote subnet is 16x.15X.56.0
Here is my access list
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.254.0 16x.15X.56.0 255.255.254.0
View 7 Replies
View Related
Nov 11, 2008
I have allways configured and run LDAP Server Groups authenticating to Active Directory Domain Controllers using LDAP, never an issue, until I hit a Domain Controller running on a Windows Server 2008. I have been unable to authenticate with the common setting with an ASA5510 running 8.0.1.
View 4 Replies
View Related
Jan 22, 2013
I Have this Topology: R1 is as server and i want to public that server in INTERNET using public IP 7.7.7.7, but i can not do that. I tried to do a NAT but it just translate from DMZ to Outside, however i can not to ping to 7.7.7.7 from Outside (R2).
I have a route in R2
7.7.7.7 [1/0] via 200.200.200.1
On R2 i can´t ping to 7.7.7.7
On R2 i can´t ping to 172.16.0.2
On R1 i can ping to 200.200.200.2
On Inside i can ping to 172.16.0.2
when i try to ping from DMZ to Outside (200.200.200.2) the debug, and show nat details, show me:
ciscoasa(config)# nat: translation - dmz:172.16.0.2/26 to outside:7.7.7.7/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
ciscoasa(config)#
ciscoasa(config)# sh nat detail
[code]...
View 6 Replies
View Related
Jul 11, 2012
I have a network with 3 sites that are on different subnets. Each site has an ASA Right now, I am only able to connect to the ASA that is connected to the subnet I am connected to.I want to be able to connect to the ASA that are on the remote subnets on the address of the inside interface.The sites are connected all together by site-to-site VPN.Is there any way I can achieve that without opening the outside interface directly on the Internet?
View 2 Replies
View Related
Feb 16, 2011
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
View 10 Replies
View Related
May 12, 2013
I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool. From outside (on VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN. I am available at any time if further information is needed. find attached my ASA config.
View 7 Replies
View Related
Apr 6, 2011
I can not seem to view my "permit" entries in the log on my ASA 5520. I set up logging-lists, changed the level to 3 on the logging statement, and simply can't find it anywhere.
Partial config:
logging enabled
logging timestamp
logging JC-L3 level errors
logging monitor JC-L3
logging buffered JC-L3
logging trap notifications
[code]....
View 6 Replies
View Related
Jul 20, 2011
We have SSL VPN using the AnyConnect client going to an ASA5540.
Is there a way to permit users to access their own LAN, but still force them to use the VPN tunnel for Internet access?
If I'm reading the documentation correctly, it seems that when you activate split tunnelling, it allow LAN access, but will also allow the user to access the Internet over the LAN instead of over the VPN.
View 1 Replies
View Related
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies
View Related
Sep 4, 2011
Actually all service from site to site is permitted, without restriction.I want to insert an ASA to block some internet traffic on main site.I try to configure my ASA5510.No problem for outgoing connection or to permit a single service on main site.But impossible to give access to all service/connection from all remote site to main site. [code]
View 7 Replies
View Related
Jul 5, 2012
We have a firewall service environment where logging is handled with UDP at the moment. Recently we have noticed that some messages get lost on the way to the server (Since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP. You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and find out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message: "%ASA-3-201008: Disallowing new connections."
Here start my questions:
- New connections are supposed to be blocked when the the TCP Syslog server are not reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
- I configured the "logging permit-host down" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem. Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the command "logging permit-host down" command didn't wor or changing back to UDP.
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on. Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-host down" which is supposed to avoid this situation altogether).
View 4 Replies
View Related
Mar 25, 2012
I have a SG300 Switche working in layer 3 mode.I configured 3 VLANs on the switch, assigned all ports, given IP addresses to VLANs interfaces, etc.Now I want to implement ACL to permit or deny access between vlans and hosts.Can I apply an ACL to a whole VLAN (in or out) like Catalyst models?I mean apply the ACL to the entire vlan or the only way in this model is to implement that ACL port by port?Every time I have a new port configure to work in a Vlan I have to implement the ACL?
View 4 Replies
View Related
Oct 29, 2011
Due to the way I have my DSL and VOIP TA configured I need to be able to set the subnet mask in the Internet connection. I am currently using the Static IP, putting in an IP of 192.168.1.x with the subnet of 255.255.0.0 when I try to do this it gives me an error saying that 192.168.33.1/255 is reserved for the guest network. I am not using the 33 at all ANYWHERE. If I change the subnet to 255.255.255.0 it will save but I can't connect to the internet with it. My router I just bought today is the E2500 I have an old Linksys WRT model that worked fine with this exact setup for several years before it crashed on me.
View 3 Replies
View Related
Feb 26, 2013
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
View 9 Replies
View Related
Nov 4, 2012
This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
View 9 Replies
View Related
Jun 26, 2012
I have a new ASA 5510 firewall, the objective is to set up a DMZ zone. my problem is I can't access to the web server in the DMZ from outside
DMZ ==========> outside OK
INSIDE ==========> DMZ OK
DMZ ============> Inside OK
OUTSIDE ==========> DMZ NOK "FAIL"
I put in attachment the running-config file.
View 6 Replies
View Related
Oct 5, 2012
Recently powered down device (transformer overhaul) and when it booted back up, unable to access with ASDM, SSH...can access directly using HyperTerm, but have only limited commands...will not accept known user/password credentials. When I issue 'show flash' I can see that there are upgrade_startup_errors.log files, but cannot access them.
View 5 Replies
View Related
Feb 28, 2013
Is there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.
View 1 Replies
View Related
