Cisco Firewall :: ASA 5510 - Get Traffic Through Box To 4 Dedicated Servers

Apr 17, 2013

Recently moved into the hardware firewall space and have a ASA 5510. Having some issues trying to get traffic through the box to my 4 dedicated servers. all the servers have static IP's and are connected to a private switch into one of the ethernet ports on the firewall(0/2). Public internet connection into another(0/0). 1 of my servers has a connection to the management port, and the public switch, and this is the one im trying to do the configuration on.
 
Im unsure what to set the IP address of my "outside" interface as. need to have RDP,FTP, HTTP traffic going to each of the 4 servers independently, pretty sure i can get the rules in place to allow this, but cant seem to get any traffic to go through the firewall to any of the other 3 servers.

View 6 Replies


ADVERTISEMENT

Cisco Security :: ASA 5510 - Internet Connections Dedicated VPN Traffic

May 22, 2011

We have an ASA5510 and we're currently using 1 internet connection to handle our site-to-site VPN connection and our internet traffic. We have a second internet connection on hand. What we would like to do it use BOTH internet connections: (1) will be dedicated to our VPN connection, (1) will be handling all our internet traffic. How can we get this setup? We're running Software Version 8.4(1)

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Stops Forwarding Incoming Traffic To Internal Servers?

Dec 5, 2012

Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.

View 2 Replies View Related

Anti-virus For Virtual Dedicated Servers

Sep 5, 2011

I plan buy a virtual dedicated server, well as for anti-virus for it I am lost where to look for and what exist [what search]? any open source? url..is enough or needed additionally and other tools? Needed and software firewall to install?

View 5 Replies View Related

Cisco Firewall :: No Traffic To Public Servers PIX 515

Jun 8, 2011

Upgrading from a PIX 515 ,V6.2, I can get internet traffic out through the ASA , but no traffic in to the servers. The NATS are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 netwrok to a publilc address. No changes have taken place on the routers. [code]

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic Between DMZ Servers?

Dec 20, 2011

We can´t reach DMZ servers from other DMZ servers?If I make a ping from DMZ server to another, sometimes only recieve one ping, sometimes 4, sometimes 0.How can I allow the traffic between DMZ servers??
 
(ASA 5520 Version 8.4)

View 2 Replies View Related

Cisco VPN :: ASA 5510 Internet Connection Dedicated VPN

Mar 4, 2012

I have an ASA 5510 with a second internet connection on its way.  I would like to have one internet connection dedicated to my Site-to-Site VPN traffic and the other left to handle public internet traffic.   I know I can do this with a static route but I noticed today the "tunneled" option.  How exactly does the tunneled option work and would it work better for my specific situation?

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Blocking Internal Traffic Between 2 Servers

Oct 25, 2012

I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
 
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
 
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
 
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
 
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
 
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

View 15 Replies View Related

Cisco Firewall :: Shared Public IP To Two Servers - ASA 5510 8.3 - NAT / PAT

Feb 5, 2012

I have a situation where we have a single DMZ server currently statically forwarded to a single public IP.  TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
 
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same piblic IP) for this server.  This server only needs traffic on TCP/8800 forwarded to it.
 
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
 
My question lies in the reconfiguration of NAT/ PAT.  Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port.  I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
 
It appears ASDM will not allow me to put multiple ports into a single network object.  I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - How PAT With One Public IP To Two Internal Servers

Sep 18, 2012

I've tried a bunch things but it didn't work, I'm about to gave up! :-/
 
I have the following scenario:
 
ASA5510 - v8.3(2)
 
Interfaces
ETH0/0 = outside  = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15

[Code]....

What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browse the http://189.xxx.xxx.129:8080 and get through directly to my internal server 10.xx.xx.61 ?

View 5 Replies View Related

Cisco Firewall :: 5510 8.3 (1) Static Nat For Web Servers And FTP Server As Well

Sep 13, 2011

I got the charge of a ASA 5510 running with 8.3(1) version.Found that this is simple config with Patting for inside host and couple of Static Nat for web servers and FTP server as well.
 
There is lots of other configuration being done,I assume for the purpose of just R&D by the previous administrator.I need to understand if the following Nat statements holding any relevance?
 
Where we are running Only  NETWORK_OBJ_192.168.0.0/23 subnet at inside and there is no other subnet defined in rest of the statements.i.e 10.0.0.0/27 and 192.168.1.128/27 doesn't exist at all.

View 1 Replies View Related

Cisco Firewall :: Remote VPN On ASA 5510 Failing To Hit Public Servers?

Mar 12, 2012

I have a Cisco ASA 5510 that was set up as a VPN server for working remote.  I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA.  The problem I'm having I believe would be resolved if I enabled split tunneling but I would prefer another solution.  Now..for the problem.When a user is connected via VPN, they can hit all intended devices both public and private accept servers that have static NATs in the FW.  So Server A has a public of 1.1.1.1 which is one to one mapped to private address of 10.1.1.1.  Now if the remote user brings up a browser and goes to 1.1.1.1 it wont work.  The FW gives me a error which is posted below.  However, using the private IP of the server works.  I thought about trying to manipulate DNS to resolve this as the remote users are using URLs and not IPs when trying to reach these servers but again, was hoping I could resolve the NAT problem that the FW seems to be having.
 
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:1.1.1.1/80 denied due to NAT reverse path failure 192.168.202.x/24 is the remote vpn ip given via the ASA. 

Here are some configurations on the ASA:
 
static (INSIDE,Outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
 access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.202.0 255.255.255.0 
object-group network DM_INLINE_NETWORK_2

[code].....
 
Outside with 4.4.4.4 as the public ip traffic gets NAT'd do dynamically Inside with 10.1.1.x network on it.The ASA is running 8.2

View 2 Replies View Related

Cisco WAN :: 1941 - ASA 5510 Via VPN Tunnels For Communication Back To Servers Behind Firewall

Jun 20, 2012

I am setting up a network that will use the 1941 router with a cellular card (HWIC) to connect to the Internet for communication with remote stations in the field. The 1941 has a static IP address (166.142.xxx.yyy) on the Internet provided by the ISP (Verizon). The 1941 is connected via ethernet to the ASA5510. The end goal is to have the field cell routers (Digi Transport WR-44-R, also static IP) connect to the ASA5510 via VPN tunnels for communication back to the servers behind the firewall. I'm not sure exactly how to configure the 1941 so that the remote router can connect to the ASA using the public IP of the 1941 router. I have the 1941 working stand alone and can connect to the Internet and pass traffic, but I tried a static NAT to translate the public IP to the private IP of the ASA and cannot pass traffic. below is part of the 1941 configuration: [code]
 
Do I need to use VLAN bridging to accomplish the task or am I missing something with the NAT?

View 3 Replies View Related

Cisco Firewall :: 5510 / DMZ To Outside Only Traffic?

Nov 28, 2011

I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
 
P.S.: I'm using a 5510 machine running version 8.2

View 4 Replies View Related

Cisco Firewall :: Determining All Traffic In And Out Of ASA 5510?

May 20, 2011

Just wondering if there are any methods or commands, natively, in the asa5510 for determining all traffic in to and from a certain server passing through the asa.  This would be without a syslog server or something similar.

View 3 Replies View Related

Cisco Firewall :: Traffic Delay ASA 5510

Mar 11, 2013

Core Internal Network -> Cisco ASA 5510 -> DMZ Switch.If i send a ping reguest from internal network to servers in DMZ Switch over the ASA 5510, i can see a delay in response, some times this delay can be more than 80ms, this is a problem for the web applications in http traffic.How i can find what's happening on my ASA? I disable the inspect traffic over the IPS, disable the policy maps below, reload the two boxes, but doesn't works, the problem still persists. [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5510 With 8.4.1 - Traffic Is Not Flowing

Mar 27, 2011

I'm currently using ASA 5510 with software 8.4.1 and I have an issue with nat configuration. I used the following config line:nat (inside, dmz) source dynamic LAN Pat1 destination Server1 Server1
 
The traffic is not flowing and when I use Packet Tracer, packets are dropped at the NAT rule with the following error: Drop-reason: (acl-drop) Flow is denied by configured rule.The only ACE I have is permit ip any any.

View 2 Replies View Related

Cisco Firewall :: ASA-5510 - SIP ACL Traffic Not Working

Jun 11, 2013

I have an ASA with an outside ACL that is configured to allow 208.84.248.95 SIP/5060 to 1x.x.x.46.  I show no hits.  I added an ACL to do a packet capture, it sees the packet coming into the ASA but not going to the Serv Prov interface.  I see hits on the vuong ACL but not the production acl_out ACL..  What is up?
 
NOTE:ACL_out is the ACL we use to allow outside traffic to enter our network. 
FW1(config)# sh access-list | i 1.x.x.46
access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387  (*NO HITS)
access-list acl_out line 658 extended permit udp host 208.84.248.95 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179  (NO HITS)
[code]...

It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46.  We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
 
ccess-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0x2759fa92
FW1(config)# q
FW1# capture capture1 access-list vuong interface outside
[code]...
 
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to .  By trying to telnet to the 1x.x.x46 IP from 63.x.x.140 IP.  Looking below, no traffic appeared on the capture2.
 
FW1# capture capture2 access-list vuong interface ServProv
FW1# sh capture capture2
0 packet captured
0 packet shown
[code]...
 
Capture 1 above shows the last 3 incoming messages initiated from 63.x.x.140 to the 1x.x.x.46! Vuong ACL belows shows 3 more hits.....nothing on the acl_out ACL???
 
FW1# sh access-list vuong
access-list vuong; 1 elements; name hash: 0x29df3e90
access-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=6) 0x2759fa92
[code]...

View 1 Replies View Related

Cisco Firewall :: ASA 5510 No Traffic Flowing?

Jul 12, 2011

I have manually configured the Firewall ASA 5510 from existing PIX to match the configuration, however when I connect the firewall to the Network, no traffic is flowing in either direction. I have the Inside network on the 172.29.0.0 subnet and the outside network on 20.2.0.0 subnet. I am attaching the cofiguration file.

View 4 Replies View Related

Cisco Firewall :: 5510 Allow Traffic Inside To Outside

Nov 18, 2011

One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020

How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
 
-Host IP on inside network  - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - Scan Traffic To Public IP?

Feb 19, 2013

Im having problems with google saying we generate to much traffic to [URL]
 
I need to know which machines on the inside are talking so much with google. Can this be done via ASA 5510? do i need a third party program for this?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Email Logging VPN Traffic

Feb 29, 2012

I use ASA 5510 and I would like to log VPN traffic ( for example, as soon as a remote user try to connect to the asa). I would like this log be send to a specific mail address. I already configure Email Logging for severity  ( level 3) and it works well.
 
How I can add the VPN traffic Log ?

View 4 Replies View Related

Cisco Firewall :: Traffic Shaping ASA 5510 Vs 5505?

Oct 19, 2011

Is there any difference with traffic shaping capability on the 5510 as opposed to the 5505? is there anything the 5510 can do that the 5505 cant? with regards to TShaping?

View 4 Replies View Related

Cisco Firewall :: Redirect HTTP / Ftp Traffic (ASA 5510)

Apr 25, 2011

i have the following scenario :
  
ISP1-------ASA 5510----------ISP2
                    |
                    |
                    |
                  LAN
 
i would like to use ISP2 for all http/https/ftp traffic.how could I force my ASA to set a different gateway for http/https/ftp traffic ?i have tried several solutions such as nat/pat rules, nothing seems to work.

View 7 Replies View Related

Cisco Firewall :: ASA 5510 Ftp Traffic Passing On 1 Interface But Not Another?

Dec 20, 2011

FTP traffic routed from outside to the inside interface works fine.  I have another interface with multiple sub-interfaces and vlans configured.  FTP traffic routed from the outside to vlan2_servers is not making it through the firewall.  I must be missing something.  I have attached my config.

View 4 Replies View Related

Cisco Firewall :: ASA 5510 8.4 / VPN Traffic For Specific Client?

Mar 16, 2013

I have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - Always Allow Traffic On A Single Port

Feb 1, 2012

I have a private network behind a configured Cisco ASA 5510. I need to send data back and forth between a server on the inside network and a device on the outside network on port 44818. No amount of configuration is allowing this to happen. The packet tracer always fails on of the implicity "deny" rules, even though my other rule should explicitly permit it. I also realize I need to set up routing from my outside network to the inside network, but I cannot see from the documentation how to do that on this particular port without simultaneously breaking my outside connection.
 
The inside IP for the ASA is 192.168.25.1
The outside IP for the ASA 192.168.11.54
 
Here is my current configuration:
 
: Saved
: Written by enable_15 at 08:49:25.956 UTC Thu Feb 2 2012
!
ASA Version 8.2(5)

[Code]....

View 6 Replies View Related

Cisco Firewall :: ASA 5510 High Traffic On Outside Interface

Jul 31, 2012

I have little experience with firewalls, what I've learned has been by dealing with issues like this that arise from time to time.I know, I need to upgrade the version. It's in the works now. Anyways, my question/problem is: Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today.  On the dashboard of our asa 5510 the "outside interface" traffic usage is running contstantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.

View 2 Replies View Related

Cisco Firewall :: Cannot Get 5510 ASA To Reach Internet Traffic

Nov 30, 2012

I have been at this for the past few hours now. I just cannot get this device to pass through traffic to the internet. Here is the basic topology:
 
 Default Gateway (ISP): 208.118.125.129/29
IP of outside int (e0/0): 208.118.125.130/29
ip of inside int (e0/1): 10.1.1.1/24 
 
igniteCSGfw(config)# sho run
: Saved
:
ASA Version 8.0(4)

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 / QOS For VOIP Traffic To And From Internet

Apr 20, 2011

We are using an ASA 5510 as our gateway to our ISP.  All of our VOIP traffic is sent to an Internet SIP provider for our outbound calls.  Our pipe to the Internet is 100Mbps metro ethernet.  I am trying to find a way to provide QoS for this traffic so that I can reserve 20Mbps of the available 100Mbps pipe for VOIP traffic.From what I've been able to figure out so far I would use a combination of priority queues and traffic policing.  However, it seems that this is nearly impossible to accomplish because I cannot control the remote device that my ASA connects to because it is the ISP device.  I could police traffic on the inside interface of the ASA.  However, lets say that a client on our network starts downloading from an Internet host and the downloaded traffic saturates my Internet connection.  I could police this incoming (from the Internet) traffic on my outside interface of the firewall.  This would drop the packets but the bandwidth would have already been used by the time it reaches my firewall.Would the fact that I'm policing incoming traffic on my outside interface cause the sender to throttle down their transmit rate because packets are being dropped?  Would this achieve my goal of guaranteeing available bandwidth for my VOIP traffic by not allowing other traffic to saturate the link?Most documents I find regarding this topic describe providing QoS for VOIP traffic traversing a VPN connection in which case you could configure both end devices.

View 1 Replies View Related

Cisco Firewall :: 5510 - CSC SSM Slows Down Internet Traffic

May 17, 2011

We have Cisco ASA 5510 256RAM running 8.2.4 with CSC 6.3.1172.4, it slows down internet traffics drastically when we do speed test, we get something like this, It the computer is bypassing the CSC, it gets This was done when there's very low traffic on the LAN and CPU is low usage on the CSC. The CSC has been re-imaged also but still doesn't solve the problem.

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - Can't Move Traffic From DMZ To Outside Interface

Jan 16, 2012

I can't move traffic (isakmp udp_port: 500 & ipsec nat traverse udp_port: 4500) from my dmz to the  outside interface

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - 2 Internet Interfaces Without Traffic

Jan 15, 2013

I need to route to sub nets form 2 different ASA interfaces. The ASA also has an outside interface works like gateway for internet access. Here is my configuration:

ASA Version 8.2(1)
host name ICE3
names
interface Ethernet0/0
name if outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
[Code]....

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved