we are observing the no. of conn thru asa 5580 is getting increased and one a fine day it will stop sending/receiving traffics.firewall# show conn count 1900000 in use, 2000008 most used As per the datasheet of this asa, the max conns permissible is 2 million (20 lacs). and the output shows that currently 1900000 connections are there and 2million+8 connections are most used.when i run " show local-host | include host|count/limit ", below are the outputs showing for max connections..
local host: <172.x.x.x>, TCP flow count/limit = 35857/unlimited TCP embryonic count to host = 25 UDP flow count/limit = 0/unlimited local host: <DC01>, TCP flow count/limit = 306/unlimited TCP embryonic count to host = 8 UDP flow count/limit = 736807/unlimited local host: <DC02>, TCP flow count/limit = 246/unlimited TCP embryonic count to host = 2 UDP flow count/limit = 582010/unlimited local host: <172.y.y.y>, TCP flow count/limit = 1/unlimited TCP embryonic count to host = 0 UDP flow count/limit = 308412/unlimited
These are the top 4 connections, i wonder should we consider only the tcp flow count or udp as well ?
I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.
Our client tried to a download a real time generated file from a website, the generation process around 5 mins, after 5 mins, the file will be started to download
When my client direct connect to internet, the file can be download successfully, but when pass through the ASA 5510 and using the internal IP address, a message something like "Are you sure want to logout from this web page?" appears in Safari after 5 mins, i think the time of the error message appear when a "you can start to download" message send from the server to client, the page session timeout so that make the user cannot download the file from internet as the session is not vaild.
I couldn't find any timeout setting in "show runn", is it possible the setting in ASDM? how can I find it and configure it?
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
I ran into a very interesting problem that occurred today and I'm trying to figure out why it happened. If it was one ASA 5505 that just required the reboot, then I'd have just chalked it up to a glitch, but when we built a new AD/ DNS server on the main network at the main site and changed the 3 Remote site ASAs to point to the new DNS server in the DHCPD options, none of them could ping any local host names to the DNS server at the main site they were now pointing too, but external host names { URL} all translated and pinged fine.
From a laptop on one of the remote sites, we could ping the new AD/DNS server(192.168.0.3) and the old AD/DNS server(192.168.0.2) and everything else at the main site, and telnet to port 53 showed successful across the Easy VPN from the Remote site to the new server at the main site. When wire shark was added to the new DNS server at the main site, the DNS request and replies for {URL}, for example, came and worked fine, but any requests for local resources never made it to the server from the remote sites.
A reboot of one of the Remote Site ASA's corrected the issue. Then I rebooted the other two remote site ASAs, and now DNS was working fine for everybody. I had also tried clearing the ARP cache on the ASAs before resorting to rebooting them. I also tried rebooting the laptop thinking the local DNS cache needed cleared before resorting to rebooting the ASAs. I'm struggling to understand why external, public host names made it through and resolved from the remote sites to the new server at the main site, but anything local failed before even reaching the new server(The new DNS server could resolve requests made by computers at the main site, but the remote sites that traverse the Easy VPN from the ASAs failed). The new AD/DNS server is the only server configured for DNS for all remote site computers.
Is any of this making sense? I'm wondering if clearing the x late or local host tables would have corrected it without having to reboot. I'm just trying to grasp the understanding here and figure out what happened.
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM nat (inside,outside) static interface service tcp smtp smtp to: object network BMMM nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host? What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 4.2.2.2 on the Outside, but thats it no other host would be PINGable.I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp" but then everything is PINGable and the ASA does not block anything.
I configured multiple vlan on my Cisco ASA5520. Everything work perfectly except RDP (3389) connections. The connections are established but but after a period of inactivity, the user is disconnected from server (black screen). The same problem happens with other type of connections (client/server), exemple : Oracle, file sharing. Before installing the ASA, computers and servers were in the same vlan and it worked well.
There's a notion of inter vlan timeout connection ?
I have setup this firewall with a NAT, everything seem fine. I try pinging from my external translate IP to the internal IP address, on the ASDM Log i can see the traffic built and teardown but on the PC i used to execute the ping it will show timeout. My configuration as belows:
I created some acess-lists, and you can assign a logging level to this access-list. Now this ACL has a lot of hits, so i want to see whats happening. Only the log I then see is completely empty. I cannot figure out how to get some info in that log.
I think there is some global logging setting i probably need to enable in order to get anything logged at all, but i cannot figure out which.
In my Cisco ASA 5510 in release 8.2, I have an extrage behavior in the output of "show service-police" command. The issue is that I create a class-map to limit trafic in one of ASA interfaces and I applied in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any access-list ACL-Limitada extended permit ip any host srv-proxy access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
There is a device which is connected to the PC via Lan. I have an exe file which is supposed to get connected to that device and perform some operations. However, the problem is, the exe file tries to connect to the local host ip address 127.0.0.1 and i cant change the ip since it's been coded.So, I'm wondering if i can use the device connection (which already has a different ip like 169....) as a local host connection. So whenever it tries to connect to the loopback 127... it automatically connects to the external device.
I have ASA 5510 with 8.2.4 and 8.0.x OS and all seem to have common problem of idle TCP connections not timing out. The host to host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts and as well as host specific timeouts using MPF but doesn't work at all ! The problem is when TCP connections are sitting idle in conn table for days and when connection limit of 50,000 conns reach the firewall starts behaving unpredictably dropping packets or unresponsive! I need the unused idle connections to timeout which is NOT happening either by changing global values or MPF.
I have the ASA5520, everyday I have a lot of connections through my ASA5520. But buffer in ASA5520 to save connections is limited. Now, I want my ASA can auto save the conn detail and Xlate to my Syslog server, how can i do that?
I just bought pc anywhere software, after instalation in my host pc and laptop(remote) it work very well when I used it in the same network in my Rv camping ground where I have a mobil router with a Verizon broad band card.Later when I come back home where I have a cable internet with a router, I tried to access the host pc but after several minutes trying it said cant find host pc.
I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow SMTP traffic to pass through from this interface.
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).
We are using an ASA with 8.4 in transparent mode. Connection fails when a host on inside tries to connect to a server on outside. This server uses mac-address 0100.5E00.0000 to load balance but replies with real mac-address.Firewall logs "Deny TCP".ARP inspection is disabled.
I'm using 3 AP's 1140 with local authentication using local radius (flex connect mode).the radius server im using is MS 2008 R2.authentication is working great on all devices pc's&mobile.authentication method is PEAP wpa2 aes enterprise.after 3 or 4 hours devices loose connectivity to the web.the device seems to be still connected to the ap but there is no ping to host from local lan or any arp learnd on local router.only manual disconnect on device and reconnecting brings connectivity up again.in one case only reseting the AP's worked.
I just purchased an E2500. I have a small home network dominated by Mac and Linux boxes, with an occassional Windows machine. On my previous router I had been running OpenWRT.
One of the nice features of DNSMASQ is that it will do local name resolution from the /etc/hosts file on the router. Is there anyway to turn on similar features in the E2500? I have a NAS box and a networked printer that require local name resolution. I had hoped that I could just create a DHCP reservation for them, and that the router would resolve their names for other hosts on the network. This does not appear to work.
Should I just be boxing this thing up and returning it in favor of a unit I can flash better firmware on to?
Im working for a client at the moment and I've had to setup a network printer for them, I've got 4 Windows 7 machines easily printing over the network to this printer that is connected wirelessly but they want one of there machines to use the scanning functionality of the printer.The scanner doesn't show up at all in the local network devices like the printer does and to be honest i don't really have any experience with scanning over a network to a windows 7 machine, but this printer does support scan to ftp so my idea is to setup a small ftp server on the windows 7 machine with a folder to stored scans on the desktop or something, then put the details of the server in to the printer making it as easy as possible for the customer to scan stuff and just get it from the folder on the desktop, i could also share this folder over the network for anyone to open and get a scan if needs be.
This is the configuration I am running:Internet > Cable Modem > Netgear WNDR3700 Router ~~ DAP-1522 > Wired Windows 7 PC + Linux PC + Printer.The Windows 7 and Linus PC's do communicate well to the internet as do any laptops accessing the router wirelessly and any devices wired to the router. That is the good news.
The bad news is that any devices located after the DAP-1522, including the DAP-1522 do not show up on the network map of either the router or any of the wireless laptops. Neither does the Win 7 PC connected through the DAP-1522 show any networked devices, whether through the DAP-1522 or not, even though network discovery is turned on.
Right now the DAP-1522 is set up to function as a bridge and is in "Static IP" mode. I tried changing it to DHCP, but the DAP-1522 will not allow saving that setting, even though it will allow changing it. It just reverts back to "Static IP". The firmware version is 1.31, and the firmware update went well after a workable logon to the admin page was discovered. Also the one-button (WPS) set-up to the router worked as far as allowing an internet connection.
What needs to change to allow all the devices to show up on the network maps and maintain internet access? Ultimately, I would like to stabilize the IP's of the major components of the network to make troubleshooting easier. But to do that the devices need to show up on the network maps, particularly of the router, so they can be added to the IP reservation table by selection.
We have an ASA 5510 that handles our vpn client traffic, and occasionally, we run into a client that, while using Cisco AnyConnect in conjunction with Phonefactor, the connection attempt will timeout before the connection actually establishes.The odd thing is - The logs show the client finished connecting, and the Phonefactor server shows completed authentication. We even added a custom timeout script to increase the default 12 second timeout to 30 seconds.This behavior has proven difficult to find a common factor for, as it has affected different versions of the client, 2.3 and 2.5, as well as Windows XP, Vista and 7 installs. This problem does not affect our Anyconnect/RSA clients, and if the same person on the same client with the issue is migrated over to the Cisco IPSec vpn, the problem disappears.