Cisco Firewall :: ASA 5510 Ftp Traffic Passing On 1 Interface But Not Another?
Dec 20, 2011
FTP traffic routed from outside to the inside interface works fine. I have another interface with multiple sub-interfaces and vlans configured. FTP traffic routed from the outside to vlan2_servers is not making it through the firewall. I must be missing something. I have attached my config.
I have an issue where our ASA 5520 is impacting upload (from LAN to internet) speed. We have a 100Mbps SDSL internet link and only see around 45-50 Mbps on the upload when going via the firewall, download is around 90+ Mbps so that is acceptable. I have tested a laptop connected directly to the internet router and that give near on the 100Mbps up and down speeds, but if I put that laptop on the LAN or directly onto the firewall interface I only see 90Mbps down and 45Mbps up. I have check that the interface speeds/duplex on the firewall, switch and laptop are correct and also checked there are no errors on the ports. I also turned off the IPS and that made no difference. In addition I have checked the CPU during download/upload (max): CPU utilization for 5 seconds = 9%; 1 minute: 3%; 5 minutes: 1%
In theory the 5520 should be able to cope with this throughput:
Cisco ASA 5500 Series Model/License: 5520 Maximum firewall throughput (Mbps): 450 Mbps Maximum firewall connections: 280,000
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfacesG0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.G0/0.23 is a separate LAN for various equipmentG0/0.192 is another LAN for equipmentG 0/1 is connected to the internet, and has a public address.S 0/0/0 is a T1 PPP, connected to our core data centerS 0/1/0 is a backup T1 PPP, again, connected to our core data center.There are three static routes entered:ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 This is the first PPPip route 0.0.0.0 0.0.0.0 10.13.1.1 200 This is the secondary PPPip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 It currently has a cost of 255 while i figure this one out. xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop ip with the same results. The public interface is properly connected, and can ping it's next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 220.127.116.11 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet)
This confuses me. If our server, on the same LAN as the router can ping the public interface (it's definitley not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public ip addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links. MAS_2911#sho run
Current configuration : 5666 bytes ! ! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
I have configured multicast (ip pim dense-mode) on two 2911 routers that are connected by a Multilink (3Mbps) Wan connection.The configuration work fine for awhile and sometimes all day but at some point one of the Multilink interfaces stop passing multicast traffic.I perform a sh multilink 1 on the interfaces and one interfaces show the multicast packets incrementing and the other does not, it just stops.The only fix for this is to hard reboot both routers and the multicast traffic begins to flow once again.
I have little experience with firewalls, what I've learned has been by dealing with issues like this that arise from time to time.I know, I need to upgrade the version. It's in the works now. Anyways, my question/problem is: Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our asa 5510 the "outside interface" traffic usage is running contstantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.
We have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).
Ive got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
when i try and connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
When I search Google, it look like there is a lot issues with Cisco and Polycom, but I have not found any concret solution. Other then I should use a ADSL line with a public IP address. As we probably is going to do.
So I was doing some testing with my BB Playbook where I wanted to see what outside connections it tried to make during startup and whatnot. I have a pix 506e running 6.3(5). I created an simple 'deny ip any any' access list on the inside interface so that the Playbook doesn't actually make any connections, but I set up a 'capture' on the inside interface accepting 'ip any any' to see what kind of traffic I could see heading outbound from the Playbook. Well, it started off showing attempts to query DNS (and failed, naturally), but then after a couple of minutes, it tried to connect to a couple of IPs over port 443 and actually got a response!!! For the life of me, I can't figure out how this can happen. NO traffic should be allowed outbound due to my explicit 'deny' rule, but for some reason some traffic on port 443 made it past the firewall and got a response back. There are no other rules in the access list except the 'deny' rule. My PIX configuration is quite simple and I cannot see anything that would allow the Playbook traffic to circumvent the access list.
I've come to think that either RIM has found away around Cisco access-lists, or there is a bug in the Pix OS. I know it's an old appliance/OS, but still. I wouldn't think it could be THAT easy to bypass the firewall.
after upgrading an ASA 5520 to 8.4.2-8 VPN clients traffic is not passing destinations other then destinations behind the inside interface. the log shows routing failure for the vpn client on the inside interface.it was working fine with 8.4.1 but the traffic is originated from the outside interface. confirm the the interface for VPN clients changed from outside to the inside interface.
Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our asa 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.
I am trying to determine why Comcast Business Class modem configured with a static IP (IPV4) works with a laptop or Linksys Cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stop passing web traffic. I am able to ping the default gateway even though I can not surf the web. Restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I can not connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then with another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command: config factory-default. Configured the outside interface with static IP Address followed by the no shutdown command, then removed DHCP features from outside interface. Added Comcast DNS servers, default route, ntp servers, configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version Cisco Adaptive Security Appliance Software Version 9.1(1) Device Manager Version 7.1(2)
I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permit any traffic and added ICMP to the inspestion list also but still there is problem. Belos is the configuration. The image is asa822-k8.bin
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (18.104.22.168) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 22.214.171.124 255.255.0.0 any eq 80 Pix(config)#access-list outbound permit udp 126.96.36.199 255.255.0.0 any eq 53 Pix(config)#access-group outbound in interface inside
Cisco ASA 5510. Between 5 to 10 minutes of reseting the asa traffic stop accessing outside ip addresses. Ping from console fails to ISP router IP. Ping to google name server failes. I have reset to factory default only setting up nic and natting and it still happens.
I've looked at many others having this same problem, but can't seem to figure out what my problem is. Same issue as most, I can connect fine, I get an IP, but it won't pass any traffic, I can't ping anything or access anything.
I have a vendor that currently uses a Cisco 871 as a VPN router in our company network, they use it connect to provide services to one of the servers in our LAN for our customers. Recently, we are going to be setting up a 24/7 call center with this vendor, they will be accessing a server in our network through the VPN to provide customer service during after hour periods.We have a problem however, with an application that is hosted by another vendor that is critical for our regular company call center. Access is reached with this application through this vendor by way of IPSec VPN tunnel that is built in our company's Cisco ASA 5510. This application is accessed via Internet Explorer that goes across to access the application at the endpoint
I need to figure a way by which the vendor that will be running the 24/7 call center coming through their tunnel in our network to connect over to the tunnel on the vendor on my ASA. Im likely going to have to set some routing of traffic in my internal default gateway router for this to work.
I've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (which I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor will the internal server (or the ASA for that matter) can't talk to my VPN'd computer.
On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users).
I am about to pull my hair out. I have a 1841 router at one end with 3 ASA's for teleworkers working great. I'm connecting a 4th one that I can not get to work for the life of me. The tunnel is comming up, but its not passing any traffic. I don't see any glaring errors in the VPN debug. The router comes up, reverse route injection does its thing... all looks great. Am I totally overlooking somthing? I must have rebuilt this a dozen times.
I have an Cisco ME3400-24TS-A Switch with is not behaving normal.
I have already erased its flash, uploaded new IOS but could not fix the issue. However it boots normally and pass all tests show in boot process. Issue is this the i cant access or ping the computers attached to its ports from one to other.
However i can ping the switch vlan 1 IP from all computers attached to it.
When i tried Debug All Command, its shows the following:
debug all This may severely impact network performance. Continue? (yes/[no]): yes All possible debugging has been turned on Switch# *Mar 1 00:03:41.467: special_oce_change_vectors: select debug vectors
I have a site to site tunnel between two 5520 ASAs. Tunnel is up but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic. When I ping, the tunnel comes up but in the logs it says it is blocking icmp from inside to outside. I have tried the sys opt connection permit-vpn but it is not working. The traffic is from 5 specific machines within the local sub net that I put in a network object group called Celerra_Replication.
I want to them to be able to talk to 5 machines on the far end of the tunnel in a seperate sub net. They are in a net wrok object group called GP_Celerra_Replication The ACLs I created for this appear to be created correctly allowing IP from Celerra_replication to GP_Celerra_Replication and the opposite on the other side.
I have a server with SQL Server 2008 on it. It listens on the default ports 1433 & 1434. But traffic is not making it through my DIR-655 to the LAN so that SQL Server can respond to the request. I am using DynDNS and have confirmed that the traffic is getting thru DNS and finding the router, but after watching the syslog I can see that I'm getting multiple of the following error messages when a request is initiated from a client (Microsoft Access app) outside my network:
01-24-2012 22:28:24 System3.Info 192.168.1.1 Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 188.8.131.52:53284 to 184.108.40.206:139 01-24-2012 22:28:24 System3.Info 192.168.1.1 Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 220.127.116.11:53282 to 18.104.22.168:445
In Port Forwarding I have specified a rule to allow/pass port 1433 & 1434 TCP traffic to my internal server IP.
Also I'm confused by the ports shown above since I was expecting to see 1433/1434 in there...seems this is a factor in the traffic never getting to the SQL Server to process the request?
We have a managed service provider voip network that requires us to use our own router for the data network. We wanted to use the RV042 for it's easy vpn setup. After installing it worked great for about 10 min. then the WAN port stopped passing traffic. 3 min. later it started working again. We tested the RV042 on a different network and it works fine. We tested an older Pix on the managed network and that works fine. But the RV042 will not work on the managed service provider voip network. The service provider says that on their end it shows our WAN port going up and down.
I run a network that uses MPLS circuits to connect all of the companies different stores. Internet access is through a Cisco ASA5500 here at the corp headquarters.
To make all of this work, we use a little 1721 gateway router to move traffic as needed. All the clients in our corporate office use 10.10.99.1 (Cisco 1721) as a gateway. The 1721 routes the traffic either to the internet (10.10.99.106 Cisco ASA5500) or the MPLS router (22.214.171.124).
For some reason, anything that runs on Linux (Ubuntu server, ReadyNAS boxes, Thecus NAS) will not pass traffic beyond the 1721 gateway router.
I've poured over the config for that router, and I can't find anything that could be causing this not to work. Thinking that the 1721 was bad, I put an 1841 online in it's place, and it did the same thing. I'm a noob when it comes to Cisco configs, but am learning as I go along.
Web server log showing the issue: 2013-03-08 05:39:21 192.168.1.102 POST /somewebpage/somefile.htm - 80 - 192.168.1.1 - 404 0 0 6098 410 457
ISSUE: 100% of the traffic forwarded through the router is taking on the IP address of the router when it arrives at the web server. In this case, 192.168.1.1
My email server and FTP servers are having fits due to the anti-hammering issue that this creates.
I simply got the run around and they told me to call level 2 support and did not provide me with a contact number. For some reason, he refused to escalate the call. They simply told me to contact someone from a previous issue in which they gave me the beta firmware to download and I spent a lot of time on the phone to get that far. I do NOT want to speak with the same person who addressed my last issue.
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output. ciscoasa# sh int ip br Interface IP-Address OK? Method Status Protocol Ethernet0/0 x.x.x.x YES CONFIG up up Ethernet0/1 x.x.x.x YES CONFIG up up Ethernet0/2 unassigned YES unset administratively down down Internal-Control0/0 127.0.1.1 YES unset up up Internal-Data0/0 unassigned YES unset up up Management0/0 192.168.1.1 YES CONFIG up up
I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network. I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network. The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need? How do I setup the rules to allow this traffic?