Cisco Firewall :: ASA 5510 Stops Forwarding Incoming Traffic To Internal Servers?

Dec 5, 2012

Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.

View 2 Replies


Cisco WAN :: ASA 5505 - Forwarding All Incoming Traffic To Two Internal HTTP Server

Oct 2, 2011

We have Cisco ASA 5505, 90.x.y.2/29 IP is assigned to outside interface. We have one internal HTTP server so that I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add new physical HTTP server 2 so that I would like to forward

HTTP traffic to e.g. 90.x.y.3/29 to
How can I do that? See scenario image (scenario.png) if needed.

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - Find The Receiving End Of Incoming Traffic?

Jul 3, 2012

We run a Cisco ASA 5510 and i need to find out how i can find the receving end on the inside of a vlan for traffic comming from outside.
ie incomming traffic on port 3937 and are NAT to eth 0/1.10
Thers a bunch of traffic on one port 33771 udp going in on how do i trace this to the inside computer ???
lets say incomming traffic is on and this is on eth0/0 this ip is NAT to a Vlan on the side for with a subnet of

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Blocking Internal Traffic Between 2 Servers

Oct 25, 2012

I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it > fileserver > domain controller (exchange) > terminal server > terminal server
Now yesterday i removed and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from to due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

View 15 Replies View Related

Cisco Firewall :: ASA 5510 - How PAT With One Public IP To Two Internal Servers

Sep 18, 2012

I've tried a bunch things but it didn't work, I'm about to gave up! :-/
I have the following scenario:
ASA5510 - v8.3(2)
ETH0/0 = outside  =
ETH0/1 = inside = 10.xx.1.15


What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browse the and get through directly to my internal server 10.xx.xx.61 ?

View 5 Replies View Related

Port Forwarding Working For Incoming Traffic But Not Outgoing?

Feb 6, 2012

I have a licensing server. Other computers need to turn on a program, they send a message to the licensing server, and it responds that they have permission to run.Until today the licensing server was plugged into its own ethernet wall socket and configured with a static IP address. Today I put a router into that wall socket and now the server's plugged into the router.The router (WRT-54G) was set to the static IP - and now the internet on its network works. I set all ports to be forwarded to the server's internal IP address - and now my programs can detect and ping it. But now the server won't send back permissions to use licensed software, or even reply with a list of the software which it can license.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Get Traffic Through Box To 4 Dedicated Servers

Apr 17, 2013

Recently moved into the hardware firewall space and have a ASA 5510. Having some issues trying to get traffic through the box to my 4 dedicated servers. all the servers have static IP's and are connected to a private switch into one of the ethernet ports on the firewall(0/2). Public internet connection into another(0/0). 1 of my servers has a connection to the management port, and the public switch, and this is the one im trying to do the configuration on.
Im unsure what to set the IP address of my "outside" interface as. need to have RDP,FTP, HTTP traffic going to each of the 4 servers independently, pretty sure i can get the rules in place to allow this, but cant seem to get any traffic to go through the firewall to any of the other 3 servers.

View 6 Replies View Related

Cisco VPN :: Stops Forwarding Traffic On Subsequent Connections 861

Mar 23, 2011

I have a very strange problem on 2 (independent) Cisco 861 routers in different places.They are both configured as easyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:

* the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.

* the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However,  no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel.I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client.The same seems to happen to any and all other packets as well.

* If I restart the 861 the very same thing happens: first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset.I append the configuration for sake of completeness. confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing. [code]

View 17 Replies View Related

Cisco Switches :: SG300-52 Stops Forwarding Unicast Traffic

Feb 6, 2013

We have problems with 3 switches in our network.
Users continues receive adresse via DHCP, but no traffic was forwarded. After reboot switch works fine about one week and problem arrives.
I telnet to one problem switch and try to found reason by reaply acl and source guard and saw some strange message:
nov-20(config)#int r gi1-48
nov-20(config-if-range)#no service-acl input
nov-20(config-if-range)#service-acl input 2
Exceeded the maximum ACE allowed in the system.         -repeated 48 times
Configuration and log int attachment (show tech-support)
port 52 - uplink, 1-47 - users, 49-51 - downlink switches (SPS224g4) with aprox 200 pc connected. 48-ups

View 11 Replies View Related

Cisco Firewall :: ASA 5505 - Discarded Incoming Packets On Internal-Data0/1

Apr 4, 2013

How to best troubleshoot some errors I'm seeing on the internal interfaces of my ASA 5505. This is similar to the question at [URL], but the details are different enough that I felt it justified a new discussion.
I have an ASA 5505, running version 8.2(2), 256MB RAM. From time to time (on the order of once a week) our monitoring alerts us that both Internal-Data0/0 and Internal-Data0/1 are experiencing an unusual amount of inbound packets which were discarded with errors, up to 2.3 per second as of this post. Here is what I hope relevant output from my device:
asa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      10.x.x.x     YES CONFIG up                    up
Vlan2                YES CONFIG up                    up


1. My understanding is that Internal-Data0/0 is an internal bus that connects to modules like the 4GE. I don't have any modules installed at all, as you can tell. Therefore, what is this bus doing?
2. For that matter, what is Internal-Data0/1 doing? What does it connect to?
3. I'm guessing that due to the input errors and overruns reported for both of these interfaces, it's a buffering issue. Since these are input errors, does this mean that traffic destined to this bus for forwarding is being dropped because the bus itself is running out of buffer memory? How would I see (and subsequently monitor) the buffer memory for these interfaces? Once I am able to see it, what sort of tools can I use to determine what is causing this?

View 3 Replies View Related

Cisco Firewall :: How To Log Incoming Traffic (SMTP) On PIX 515E

Mar 6, 2013

I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console.Do I need to use a SYSLOG server? I can probably set one up on my laptop.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Not Allowing Incoming Traffic

Mar 15, 2012

I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  What I am doing wrong with the following script?  I've masked public IP info with and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]

View 7 Replies View Related

Cisco Firewall :: ASA 5520 Cannot Block Incoming Traffic

Dec 12, 2012

I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.

View 2 Replies View Related

Cisco WAN :: ASA 5510 - Outside Interface Stops Sending And Receiving Traffic

Aug 8, 2012

Cisco ASA 5510.  Between 5 to 10 minutes of reseting the asa traffic stop accessing outside ip addresses.  Ping from console fails to ISP router IP. Ping to google name server failes.  I have reset to factory default only setting up nic and natting and it still happens. 

View 2 Replies View Related

Cisco Firewall :: ASA 5520 / Monitor Largest Outgoing And Incoming Traffic Per Ip In Real Time?

Mar 4, 2013

We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.

View 1 Replies View Related

Cisco Firewall :: Can't Access Internal Servers From Behind ASA 5505

Apr 3, 2013

I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. [URL]) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuration or the firewall itself is not letting my requests through. The remote servers are located at a remote Disaster Recovery site and use the subnet I am at head office which is connected to the DR site via a VPN using

[Code] .....

View 2 Replies View Related

Cisco Firewall :: ASA5510 Cannot Publish Internal Web Servers To Outside

Mar 26, 2013

Cisco ASA 5510  directly facing the internet on E0/0 (1 Public IP only) with internal  LAN on E0/1. Exchange 2010 OWA working fine with ACL and NAT rules  configured.Problem:

•1. Cannot publish internal web servers to outside, have tried PAT.
•2. Have multiple web servers to publish with all on one protocol (HTTP) to  a single public IP which I don’t know if it’s possible on a ASA.
•3.When SSL VPN is configured with Local user database, connecting from  Anyconnect client gives a certificate error. Upon viewing the  certificate it points to the internal mail server.

View 7 Replies View Related

Cisco Routers :: RV042 Port Forwarding Stops Working When Firewall Is Enabled

Jun 4, 2013

I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows: HTTP[TCP/80~80]->[TCP/443~443]->[TCP/143~143]-> SSL[TCP/993~993]-> SSL[TCP/587~587]->
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out. Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.

View 1 Replies View Related

Cisco Firewall :: ASA5505 Configure Port Forwarding To Multiple Internal IP Addresses

Jun 21, 2012

ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address ( Everything I read tells me how to do this in a 1 to 1 static NAT.

View 1 Replies View Related

Cisco Firewall :: SSH Stops Working To ASA 5510?

Feb 5, 2013

I find are steps to turn on SSH access.  I have quite a few customers with ASA5510's installed.  SSH is set up and working fine on every one.  After a period of time, you are no longer able to SSH into the firewall.  Using Putty, it just sits there on a blank screen without giving a "denied access" message or a login prompt.  Rebooting the firewall will solve the issue and SSH access works again.  Today, I had a customer with and active/standby configuration where I had to reboot both of them to be able to log in.  Most of my customers are on as most don't want to reconfigure for the new NAT, etc. 
I'm sure others have seen this before since it appears to be occuring on almost every ASA that I have access to.  Is there any fix to eliminate this or is there something that can be run from the ASDM that will grant SSH access again without just doing a reboot?

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - SIP Stops When Upgrading

Dec 9, 2011

I have to be missing something small in my config. If I upgrade my ASA 5510 which I am routing and Na Ting off of, from 8.4.1 to, SIP stops. All phones go dead.
If I roll back to 8.4.1, SIP comes up.,... Go back to 8.4(2)8 and SIP goes down..... 
This is without making any config changes. I have looked at it so long, I must be overlooking something simple.

View 9 Replies View Related

Cisco Firewall :: Frequently ASA 5510 Stops

Sep 1, 2010

I am having a cisco ASA and its frequently stops working . Check the logs given below.
Let me know this happens because of the commands given below.
threat-detection basic-threatthreat-detection statistics access-list

View 7 Replies View Related

Cisco Firewall :: ASA Version 8.3(2) - Internal Traffic Not Allowed

Jul 29, 2011

i have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't.   The firewall blocks all communications and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 (9.1.1) & Comcast Business Cable Stops Passing Traffic

Apr 18, 2013

I am trying to determine why Comcast Business Class modem configured with a static IP (IPV4) works with a laptop or Linksys Cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stop passing web traffic. I am able to ping the default gateway even though I can not surf the web. Restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I can not connect via either from the outside.  Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then with another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command: config factory-default. Configured the outside interface with static IP Address followed by the no shutdown command, then removed DHCP features from outside interface.  Added Comcast DNS servers, default route, ntp servers, configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)


View 5 Replies View Related

Cisco Firewall :: ASA 5505 Allowing Traffic Between Two Internal Networks

Aug 30, 2011

I'm usually not working with this product, but this is what I'm trying to do.I have 2 internal networks setup on our Cisco ASA 5505 firewall. (not done by me, I'm a new to this product)I'm trying to access a server on one network from a PC located on the other internal network. (preferable through the web gui)When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase.(Source ip:, Destination ip:
When I check the NAT rule, it says:
Type            Source     Interface    AddressDynamic         any          outside      outside.

View 3 Replies View Related

Cisco Firewall :: No Traffic To Public Servers PIX 515

Jun 8, 2011

Upgrading from a PIX 515 ,V6.2, I can get internet traffic out through the ASA , but no traffic in to the servers. The NATS are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 netwrok to a publilc address. No changes have taken place on the routers. [code]

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic Between DMZ Servers?

Dec 20, 2011

We can´t reach DMZ servers from other DMZ servers?If I make a ping from DMZ server to another, sometimes only recieve one ping, sometimes 4, sometimes 0.How can I allow the traffic between DMZ servers??
(ASA 5520 Version 8.4)

View 2 Replies View Related

Cisco Firewall :: ASA 5510 / PAT Different WAN IP Tp Internal Host?

Dec 14, 2012

We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.

So i just changed this:

object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
object network BMMM
nat (inside,outside) static service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp

View 5 Replies View Related

Cisco Firewall :: 5510 Exchange Active Sync Stops Working

May 8, 2012

I know that I've run into this before but I can't remember the fix.  I have a 5510.  The 3 interfaces involved are INSIDE, OUTSIDE, and GUEST. Corporate users are allowed to put their iPhones on the Guest network, but the problem is that their Exchange ActiveSync stops working.  It is tied to the external DNS name of the OWA server (we'll say  So the users are funneled out one public IP on the OUTSIDE interface and are trying to communicate with the outside of the OWA server, which is NATed to another public IP on the same outside interface.  What do I need to do on the ASA to allow users on the guest network (behind the GUEST interface) to access the mail server using its public IP (behind the INSIDE interface)

View 1 Replies View Related

Cisco Firewall :: ASA5505 Appears To Be Dropping Traffic For Internal Network?

Jan 10, 2013

we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.

View 15 Replies View Related

Cisco Firewall :: ASA 5505 / Allow External Traffic To Access Internal Computers

Mar 22, 2012

We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address!interface Vlan2nameif outsidesecurity-level 0ip address!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a- network a- network ext-serversnetwork-object host host host network ecomm_serversnetwork-object


View 10 Replies View Related

Cisco Firewall :: ASA5505 8.4.2 NAT To Forward SMTP And RDP Traffic To Internal Host

Nov 26, 2011

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?

View 19 Replies View Related

Cisco Firewall :: ASA5510 - Redirect HTTP Traffic To Internal Proxy?

Feb 13, 2011

I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
Http Traffic will be routed like that : PC ->  WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.

View 6 Replies View Related

Copyrights 2005-15, All rights reserved