I have created Different extended access-list which allow/block some specific services like IP,TCP,UDP ,ICMP etc for certain source and destination . But now I have to allow/Block all/any type of services to a certain host from a extended access-list . How can I do it ?
I'm trying to install an ASA 5510 transparent firewall using ASA version 8.4(3)9 but I don't understand how traffic will ever pass through my firewall if both interfaces are on the same sub net(V lan) as the host and it's default gateway? The reason I'm doing this is were installing UAG (or Direct Access) and the UAG appliance need to have public IP's but still be behind a firewall (see attached diagram).
Looking at the documentation (which all seems to be for 5505's running 8.2) it almost seems like i need to have the transparent firewall 'in-line' to the ISP router?, but this router services another IP address range on another v lan for other (routed) firewalls (not shown on diagram) so putting it 'in-line' is not possible. Surely this can't be the case can it? If not how is it supposed to be cabled up and configured so packets go through the firewall?
have a question. I have a ASA5510 with IOS version 8.2 . I have my firewall and behind it also have a mail server eg 192.168.1.x. When i send email from inside network it doesn't show as if it's coming grom the out side nated public IP of my server but IP of firewall. What am i missing my example nat statements are . Nat-control is disabled.
I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1gb ram, but can i just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime.
I'm trying to configure an extended access list on one AS5350XM but I get one way hearing on a voice calls and I can't determine why (please see the attached diagram). There is an OSPF running on both gigabit interfaces and the Loopback address is also advertised (it is actually the voip IP address). The access list is applied on both interfaces in the inbound direction. There is another gateway with IP:22.214.171.124 (no firewalls here) and the routing between gateways is working properly.
Here is part of the access list (applied on AS5350):
. . permit ip host 126.96.36.199 host 188.8.131.52 . .
When I review the log of the AS5350xm I see many errors like this one:
%SEC-6-IPACCESSLOGP: list example denied udp 184.108.40.206(16638) -> 220.127.116.11(18094), 1 packet
So how it is possible to see this error since the access list is in inbound direction and the IP address (18.104.22.168) is open. I don't have problems when I do telnet or ssh from 22.214.171.124 to 126.96.36.199.
I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host. For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
This is how I normally add these rules (the ip addresses are fictive): access-list internet_access extended permit tcp host 192.168.50.5 host 188.8.131.52 eq www log
When I try to add this using the hostname on our asa I get an error: access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com ?ERROR: % Unrecognized command
I've tried it without the 'www', so hostname.com but same error.
I'm currently reconfiguring an ASA5510 installation to a HA setup with a second 5510. The old 5510 has an "AnyConnect for Mobile" license which isn't being used. So we upgrade that one to a SecPlus License to enable failover posibilities and we bought a new 5510 also with a SecPlus license. When I'm trying to enable failover I get the message that my mate hasn't got the "AnyConnect for Mobile" license. I know for failover both devices must be exactly the same (at first i thougth that the AnyConnect license would be lost when upgrading to SecPlus). So now I'm wondering and searching for solutions to remove the AnyConnect license (because we don't use it).
Any way of doing named objects or object groups for ACLs on the ASRs? (1000 series in this case.) I'm setting up an ASR with a zone-based firewall and writing out all the addresses, ports and protocols for the ACLs associated with the various zones is creating huge, unwieldy ACLs in the config.
In my test lab I am playing with the Numbered ACL's and Named ACL's. Both configurations are working BUT , I am sure I do something wrong in the Named ACL's version. When I reboot or reload the CISCO 1841 ROUTER , I do not have INTERNET anymore , I still have access by TELNET or SSH , but no external communication anymore. The only way to start the communication again , is by adding :
PERMIT IP ANY ANY . This will of course work , but the funny thing is that when I do a : NO PERMIT IP ANY ANY It still works !!!
I have learned by this to always shut down and restart my ROUTER or SWITCH to see if everything still work . Here bellow some parts of the working Numbered ACL's version :
ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh port 8096 rotary 1 ip ssh version 2 [ code] ....
I am facing problem while configuring SSL Web VPN on my ASA 5510 which is on version 7.2.I need to configure RDP access to the internal servers for the users using SSL Web VPN for which i dont see an option while configuring it though I have uploaded the plugin to my ASA.
I have an ASA 5505 without any IPS module.While copy/pasting some configurations from another 5510 with IPS I copied my mistake the some of the IPS configurations part. Now I can't remove it.When ASA starts I get this Warning:
...WARNING> IPS policy is configured without an SSM card. *** Output from config line 828, " ips inline fail open"
Those lines are:
policy-map Outside_Policy class IPS_class ips inline fail-open
When I try to do "no ips inline fail-open" I get an "invalid input detected".If I try a no class IPS_class I get that is being in use.What can I do to clean up those lines?
I use a ASA 5510 and a ASA 5505 and want to connect 2 networks via VPN ASA software version is 8.41. Network 1 has address 192.168.90.0 Network 2 has the address 192.168.5.0 I use site to site VPN wizard on both asa and create the VPN connection. do I need to create acl after that?the PCs on network 1 must have access to a resource in the network 2 how do I create static routing to connect the both Network.
I am unable to remove an access list. Currently this this access list contains 4 lines of remarks. I was unsure if I was entering the command correctly and now I have 4 lines of "trash" that needs to be removed.
Symptoms: The "sh run" command shows that I have access-list 100 defined. The "sh access-list" returns nothing.
Process I have tried: config t no access-list 100 no access-list remark Test (just trying anything at this point) clear configure access-list 100 (This returns "Invalid input detected at '^' marker" and the '^' is under the 'e' in clear.)
So the "clear configure" command is not working. The "no access-list" commands does not return an error but does not remove anything. What step am I missing? Let me know if I can provide any more information.
McAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
how to disable XAuth for Remote VPN users on the ASA 5510 running 7.2(1)?
HPMFIRE(config)# tunnel-group vpn3000 general-attributes HPMFIRE(config-tunnel-general)# authen HPMFIRE(config-tunnel-general)# authentication-server-group none ERROR: The authentication-server-group none command has been deprecated. The isakmp command in the ipsec-attributes should be used instead.
I couldn't find anything under isakmp to disable it.
I have a strange problem with my Linksys E1000. When I try to connect wireless, there is a network with an excellent signal, but it has the name "CiscoI1593" and it asks for a password which I don't know. My original network does not appear for some reason when I try to connect wirelessly. I do see my original network name when I use an ethernet cable through the E1000.
It's not possible, where I live, for this "CiscoI1593" network to belong to someone else, it just seemed like it renamed my network to this and also wants some different password.
I think this may be due to something I did. My internet occasionally cuts out and it's usually something wrong with the modem or router, so I typically unplug and press the reset button on both until it begins to work again. This is the first time i've had this problem though, and I have unplugged and pressed the reset button on my router many times.
There is also a button in the middle of the front of the router that looks like a refresh symbol, but I don't really know what it is, pushing it doesn't seem to do anything but make a solidly-on light become blinky.
I have an ASA 5510 running ASDM 6.4(9) and Cisco Adaptive Security Appliance Software Version 8.4(4)1.I am trying to configure for the first time and I am accessing the ASA via its Management Interface.I am successfully able to connect to the device and get to the Cisco ASDM 6.4(9) page.When I try to run the startup wizard, a couple of prompts displays up to the point where the java applet runs and aks me to enter my IP, username and password.As it is a new system, password and username is blank so I enter and I get a message saying "loading software from cache" which later changes to "software Update completed" and then nothing happens.I am running MacOSX 10.7 Lion, Java version 1.6.0_33.I did try and run this on a Windows system and i was able to load the interface.
I am currently migrating a netscreen firewall to a asa 5515 version 8.6 The issue is setting up the management connectivity.
basically the management IP of the cisco asa is not advertised. But, we want to route a management IP through the management interface to interface Gi0/2.
so IP of management interface is say - 184.108.40.206. and the IP of the inside interface is say - 220.127.116.11/24 on our router we have a static route sending 18.104.22.168/24 to next hop of 22.214.171.124 (management interface of cisco asa).
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?
I apply extended ACL on my router cisco 1941, but it didn't work. So I tried to apply standard ACL, it's work. I'm not sure about my cisco 1941 IOS is support extended ACL. My cisco IOS is Cisco CISCO1941/K9
c1900-universalk9-mz.SPA.151-4.M1.bin ----------------------------------------------------------------- Technology Technology-package Technology-package Current Type Next reboot ------------------------------------------------------------------ ipbase ipbasek9 Permanent ipbasek9 security None None None data None None None
I have a sony bravia tv that has wifi and supports dlna. And I have a desktop in another room, running windows xp. Since they both connected to the same network, is it possible to use the tv as another screen for the pc?( duplicate the screen, whatever i do on the pc will be shown on the tv screen) I'm installing a software that might stream content from the pc to the tv, but then i'm not hoping too much on it because the tv seems to be very picky about fCPUile formats... so i figured somehow duplicating the screen would be best if all else fails i'll just hook up the CPU to the TV.
whether MTU sweep is possible in Brocade 7420B. This is used in Data Center and Sys Admins are refusing it . I wish to check path MTU between these two devices (including these devices) separated by transmission media (I own this). OR any other method to check path MTU in Brocade . I have allowed jumbo frames in all my DXCs.