Cisco Firewall :: ASA 5510 Version 8.2(4)2 Can't Remove ACL Named Extended
Feb 13, 2012
I have an access-list that was named "extended" (without quotation marks) and the ASA will not let me remove it.
I have tried everything I know to try and get it out, but I cannot remove a single line.
ASA(config)# no access-list extended line 1 extended permit ip host 10.1.1.1 host 192.168.1.1
ERROR:<1> not a valid permission
ASA(config)# no access-list extended line 1 permit ip host 10.1.1.1 host 192.168.1.1
ERROR:<1> not a valid permission
Oct 10, 2012
I've got a 7200 VXR that I'm trying to create a named extended access-list in.
I get to configure it if I go into ip; after that the only commands available for access-list are log-update, logging, and resequence.
So if I go back to the main config menu, access-list is an available command,
but then from the main config menu, if I type: access-list extended eth0_in it says invalid input detected at the caret marker, which is under the first character of the word extended.
Also, at the main config menu, if I type: ip access-list extended eth0_in it again gives me the invalid input detected at the word extended.
I don't understand what I am missing to get this to work.
Jul 25, 2012
I have created different extended access-lists which allow/block some specific services like IP, TCP, UDP, ICMP etc. for certain sources and destinations. But now I have to allow/block all/any type of service to a certain host from an extended access-list. How can I do it?
May 10, 2011
I am using a Cisco ASA 5510 with ASA Version 8.0(4) and 256MB of memory. I need to upgrade it to 8.3.
May 14, 2012
I'm trying to install an ASA 5510 transparent firewall using ASA version 8.4(3)9, but I don't understand how traffic will ever pass through my firewall if both interfaces are on the same subnet (VLAN) as the host and its default gateway. The reason I'm doing this is we're installing UAG (or Direct Access) and the UAG appliance needs to have public IPs but still be behind a firewall (see attached diagram).
Looking at the documentation (which all seems to be for 5505s running 8.2) it almost seems like I need to have the transparent firewall 'in-line' to the ISP router, but this router services another IP address range on another VLAN for other (routed) firewalls (not shown on diagram), so putting it 'in-line' is not possible. Surely this can't be the case, can it? If not, how is it supposed to be cabled up and configured so packets go through the firewall?
Mar 8, 2011
Please give the configuration of NAT for my internal users on 192.168.1.0/24 with a single public IP.
I am new to configuring IOS version 8.3.
Dec 22, 2012
I have asa901-k8.bin in my ASA firewall and downloaded the licence from Cisco; now I don't know how to allow internet access to my users.
Feb 19, 2012
I have a question. I have an ASA5510 with IOS version 8.2. I have my firewall and behind it I also have a mail server, e.g. 192.168.1.x. When I send email from the inside network it doesn't show as if it's coming from the outside NATed public IP of my server but from the IP of the firewall. What am I missing? My example NAT statements are below. Nat-control is disabled.
static (inside,outside) 196.68.99.x 192.168.1.x netmask 255.255.255.255
access-list inbound extended permit tcp any host 196.68.99.x eq 225
access-list outbound extended permit host 192.168.1.x host 196.68.99.x
Feb 3, 2013
I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1GB RAM, but can I just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime.
Sep 14, 2011
I'm trying to configure an extended access list on one AS5350XM, but I get one-way hearing on voice calls and I can't determine why (please see the attached diagram). OSPF is running on both gigabit interfaces and the Loopback address is also advertised (it is actually the VoIP IP address). The access list is applied on both interfaces in the inbound direction. There is another gateway with IP 4.4.4.4 (no firewalls here) and the routing between gateways is working properly.
Here is part of the access list (applied on the AS5350):
.
.
permit ip host 4.4.4.4 host 3.3.3.3
.
.
When I review the log of the AS5350xm I see many errors like this one:
%SEC-6-IPACCESSLOGP: list example denied udp 3.3.3.3(16638) -> 4.4.4.4(18094), 1 packet
So how is it possible to see this error, since the access list is in the inbound direction and the IP address (4.4.4.4) is open? I don't have problems when I do telnet or ssh from 3.3.3.3 to 4.4.4.4.
Nov 7, 2011
I'm trying to add an access-list rule to allow internal servers to connect to an outside host on an ASA 5540. The hostname translates to multiple IPs. Normally I just look up the IP address, or one of the IPs the hostname translates to, and use that in the access-list as the host. For some reason the actual IPs, which are a few, are not always available, so using a specific IP sometimes does not work, thus the reason I have to use the hostname instead of the IP. I have 2 hostnames: www.hostname.com and subdomain.hostname.com.
This is how I normally add these rules (the IP addresses are fictitious):
access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
When I try to add this using the hostname on our ASA I get an error:
access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com ?
ERROR: % Unrecognized command
I've tried it without the 'www', so hostname.com, but same error.
Nov 15, 2010
I'm currently reconfiguring an ASA5510 installation to a HA setup with a second 5510. The old 5510 has an "AnyConnect for Mobile" license which isn't being used. So we upgraded that one to a SecPlus license to enable failover possibilities, and we bought a new 5510 also with a SecPlus license. When I'm trying to enable failover I get the message that my mate hasn't got the "AnyConnect for Mobile" license. I know for failover both devices must be exactly the same (at first I thought that the AnyConnect license would be lost when upgrading to SecPlus). So now I'm wondering and searching for solutions to remove the AnyConnect license (because we don't use it).
Apr 3, 2012
Please provide me with the important links which can show me how to do the software upgrade for my ASA 5520 from ver 7.0(1) to ver 8.4, as well as the ASDM.
Sep 3, 2012
I just need to start building the configuration of an ASR 1001, but I do not know how GigabitEthernet interfaces are named on these routers. Are they Gi0/0/X or Gi0/X?
Mar 5, 2012
Any way of doing named objects or object groups for ACLs on the ASRs? (1000 series in this case.) I'm setting up an ASR with a zone-based firewall and writing out all the addresses, ports and protocols for the ACLs associated with the various zones is creating huge, unwieldy ACLs in the config.
Dec 27, 2010
In my test lab I am playing with numbered ACLs and named ACLs. Both configurations are working, BUT I am sure I do something wrong in the named ACL version. When I reboot or reload the Cisco 1841 router, I do not have internet anymore; I still have access by telnet or SSH, but no external communication anymore. The only way to start the communication again is by adding:
PERMIT IP ANY ANY. This will of course work, but the funny thing is that when I do a NO PERMIT IP ANY ANY it still works!!!
I have learned by this to always shut down and restart my router or switch to see if everything still works. Here below are some parts of the working numbered ACL version:
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 8096 rotary 1
ip ssh version 2
[code]....
Aug 10, 2008
I am facing a problem while configuring SSL Web VPN on my ASA 5510, which is on version 7.2. I need to configure RDP access to the internal servers for the users using SSL Web VPN, for which I don't see an option while configuring it, though I have uploaded the plugin to my ASA.
Oct 12, 2012
I get 2 troubleshooting messages: printer cannot be contacted over network, and windows can't find a computer or device named....
Dec 5, 2012
I have an ASA 5505 without any IPS module. While copy/pasting some configuration from another 5510 with IPS, I copied by mistake some of the IPS configuration part. Now I can't remove it. When the ASA starts I get this warning:
...WARNING> IPS policy is configured without an SSM card.
*** Output from config line 828, " ips inline fail open"
Those lines are:
policy-map Outside_Policy
class IPS_class
ips inline fail-open
When I try to do "no ips inline fail-open" I get an "invalid input detected". If I try a "no class IPS_class" I get that it is in use. What can I do to clean up those lines?
Feb 22, 2011
I use an ASA 5510 and an ASA 5505 and want to connect 2 networks via VPN. The ASA software version is 8.41. Network 1 has the address 192.168.90.0; Network 2 has the address 192.168.5.0. I used the site-to-site VPN wizard on both ASAs and created the VPN connection. Do I need to create an ACL after that? The PCs on network 1 must have access to a resource in network 2. How do I create static routing to connect both networks?
Mar 22, 2012
I am unable to remove an access list. Currently this access list contains 4 lines of remarks. I was unsure if I was entering the command correctly, and now I have 4 lines of "trash" that need to be removed.
Symptoms:
The "sh run" command shows that I have access-list 100 defined.
The "sh access-list" returns nothing.
Process I have tried:
config t
no access-list 100
no access-list remark Test (just trying anything at this point)
clear configure access-list 100 (This returns "Invalid input detected at '^' marker" and the '^' is under the 'e' in clear.)
So the "clear configure" command is not working. The "no access-list" commands do not return an error but do not remove anything.
What step am I missing? Let me know if I can provide any more information.
Sep 14, 2009
A McAfee scan of an ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Is there any way to specify only version 2 or turn off SSH?
Jul 1, 2006
How do I disable XAuth for Remote VPN users on the ASA 5510 running 7.2(1)?
HPMFIRE(config)# tunnel-group vpn3000 general-attributes
HPMFIRE(config-tunnel-general)# authen
HPMFIRE(config-tunnel-general)# authentication-server-group none
ERROR: The authentication-server-group none command has been deprecated.
The isakmp command in the ipsec-attributes should be used instead.
--[code]....
I couldn't find anything under isakmp to disable it.
Jun 29, 2012
I have a strange problem with my Linksys E1000. When I try to connect wireless, there is a network with an excellent signal, but it has the name "CiscoI1593" and it asks for a password which I don't know. My original network does not appear for some reason when I try to connect wirelessly. I do see my original network name when I use an ethernet cable through the E1000.
It's not possible, where I live, for this "CiscoI1593" network to belong to someone else, it just seemed like it renamed my network to this and also wants some different password.
I think this may be due to something I did. My internet occasionally cuts out and it's usually something wrong with the modem or router, so I typically unplug and press the reset button on both until it begins to work again. This is the first time I've had this problem though, and I have unplugged and pressed the reset button on my router many times.
There is also a button in the middle of the front of the router that looks like a refresh symbol, but I don't really know what it is, pushing it doesn't seem to do anything but make a solidly-on light become blinky.
Jun 24, 2012
I have an ASA 5510 running ASDM 6.4(9) and Cisco Adaptive Security Appliance Software Version 8.4(4)1. I am trying to configure it for the first time and I am accessing the ASA via its Management Interface. I am successfully able to connect to the device and get to the Cisco ASDM 6.4(9) page. When I try to run the startup wizard, a couple of prompts display up to the point where the Java applet runs and asks me to enter my IP, username and password. As it is a new system, password and username are blank, so I press enter and I get a message saying "loading software from cache" which later changes to "software Update completed" and then nothing happens. I am running MacOSX 10.7 Lion, Java version 1.6.0_33. I did try and run this on a Windows system and I was able to load the interface.
Mar 5, 2013
I am currently migrating a NetScreen firewall to an ASA 5515 version 8.6. The issue is setting up the management connectivity.
Basically the management IP of the Cisco ASA is not advertised. But we want to route a management IP through the management interface to interface Gi0/2.
So the IP of the management interface is, say, 216.10.100.10, and the IP of the inside interface is, say, 198.1.1.10/24. On our router we have a static route sending 198.1.1.0/24 to a next hop of 216.10.100.10 (management interface of the Cisco ASA).
On the Cisco ASA, can I send the traffic to the inside interface and manage the firewall via SSH that way?
Mar 15, 2012
How are ASA5540s in high availability mode upgraded to new versions?
Dec 26, 2012
Configuring NAT on an intranet firewall. Here is my topology:
DMZ Network - - - - - - - - - External Firewall - - - - - - - - - Internet
|
|
|
Internal Network - - - - - - - - - Internal Firewall
1) I can ping the internal host from the external firewall, internet firewall and DMZ network
2) Both ASA's are running OS Version 9.0(1)
3) ACL used permit IP any any, on both (i.e inside and outside)
NAT configuration on Internal Firewall (Identity NAT)
object network MGMT-SRV-INSIDE
 subnet 10.10.10.0 255.255.255.192
object network MGMT-SRV-identity
 subnet 10.10.10.0 255.255.255.192
object network MGMT-SRV-INSIDE
 nat (Inside,Outside) static MGMT-SRV-identity
[code]....
Oct 11, 2011
I would like to know how I can block an IP address from the CLI on the Cisco PIX Firewall Version 6.3(4).
Jun 2, 2012
I applied an extended ACL on my Cisco 1941 router, but it didn't work. So I tried to apply a standard ACL, and it works. I'm not sure whether my Cisco 1941 IOS supports extended ACLs. My Cisco IOS is
Cisco CISCO1941/K9
c1900-universalk9-mz.SPA.151-4.M1.bin
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None
[code].....
Is it an IOS bug or a feature limit on the hardware?
Aug 11, 2012
I have a Sony Bravia TV that has wifi and supports DLNA. And I have a desktop in another room, running Windows XP. Since they're both connected to the same network, is it possible to use the TV as another screen for the PC? (Duplicate the screen, so whatever I do on the PC will be shown on the TV screen.) I'm installing software that might stream content from the PC to the TV, but I'm not hoping too much on it because the TV seems to be very picky about file formats... so I figured somehow duplicating the screen would be best; if all else fails I'll just hook up the CPU to the TV.
Sep 1, 2011
Is it possible to use a DNS entry in an extended ACL instead of an IP address range?
Jan 23, 2013
I want to know whether an MTU sweep is possible on a Brocade 7420B. This is used in a data center and the sys admins are refusing it. I wish to check the path MTU between these two devices (including these devices) separated by transmission media (I own this), OR any other method to check path MTU on Brocade. I have allowed jumbo frames on all my DXCs.