Cisco Firewall :: ASA 5512-X 8.6(1)2 NAT Overload

Feb 18, 2013

My collegue and I have been trying to figure out why we are unable to get this ASA to NAT Overload correctly. I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't natting. 
 
ASA Version 8.6(1)2
!
hostname ASA5512-X-Remote
enable password ********** encrypted
passwd ********** encrypted
names(code)

View 5 Replies


ADVERTISEMENT

Cisco Firewall :: PAT / NAT Overload On 5510?

May 19, 2011

There is a new office which is going to be on a separate internal subnet (192.168.254.x), and need this to be port address translated to one public address (212.23.51.108). Ive given it a go on the ASA5510, but not sure if Im doing this right.
 
3 of the internal addresses need port redirection:
 
192.168.254.10 - public port 33510  - private port 3389
192.168.254.11 - public port 9940  - private port 443
192.168.254.173 - public port 3390  - private port 3389
port 80 and 443 opened for 192.168.254.10
 
I have a test pc setup and connected to the internal 192.168.254.0 network (gave it static of 192.168.254.10), it is reaching the internet, and its public IP is seen as 212.23.51.108, however how do I test to see if port 80 or 443 is open for this ip?
 
Tried using the cli but gave up and looked at doing int in ASDM, however cant see the option in ASDM for NAT overload, so ive tried configuring this with Dynamic NAT which looks about right.....
 
This is the relevant config so far as far as I can see.
 
global (outside) 2 212.23.51.108 
nat (inside) 2 192.168.254.0 255.255.255.0
nat (inside) 2 access-list inside_nat_outbound

[code]....

View 11 Replies View Related

Cisco Firewall :: Attacks That Simply Overload ASA 5505

May 6, 2013

We have an ASA 5505 and we keep getting short bursts of ICMP packets (5000 in one second) They will do this and it just simply overloads the ASA and it crashes.Is this since it is 1000 past the 4000 connections per second capacity of the ASA 5505 or do we have a setting wrong some place that could prevent this type of overload from happening? We are looking to prevent DoS and other attacks that prevent even a short loss of connection since the servers are getting attacked daily and we have voice streaming on through the ASA. [code]

View 2 Replies View Related

Cisco Firewall :: QOS By Protocol On ASA 5512-X

Apr 18, 2013

I'm looking to make a possible configuration for a customer. They need a device to provide :- firewalling- bandwidth limiting based on protocols, IP, users- web content filtering- good reporting to see which device/users are consuming most of the bandwidth.I used to use cisco ASA as firewall but it's a while I last installed on and I'm nt uptodate which current state.So I thought of using an ASA 5512-X but I'd like to know if it comply with all the requirements .Most important being the reporting and bandwidth limiting capability. It would be great to have some configuration example regarding bandwidth management.

View 1 Replies View Related

Cisco Firewall :: ASA 5512 - SSL VPN Not Working

Nov 10, 2012

I have a windows 2003 server and an ASA 5512
 
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
 
On Friday people were connecting, but now I get a message "Login Error" in the browser. In the ASDM home 'latest ADSM Syslog Messsages' I get "AAA authentication server not accessible", followed by two messsages AAA Marking LDAP server in group as FAILED AAA Marking LDAP server in group as ACTIVE
 
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
 
If I stop my IAS server on my Windows box i get the same error but much more quickly.
 
I have a sonciwall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...

View 5 Replies View Related

Cisco Firewall :: Configuration Of ASA 5512-X?

May 21, 2013

I have a customer who needs a 5512-X set up with two ports on the "Outside" interface and act like a switch on the outside.  This is very easy to do with the way the ASA 5505 works just by creating vlans and treating the ports as members of the vlan.

View 3 Replies View Related

Cisco Firewall :: ASA 5512-X Getting Documentation

May 14, 2013

I am having soem difficulty getting documentation and setup procedures for the new ASA 5512-X (or X models in general) firewalls.I know the IPS sensor is a software-based one, but I'm not sure how much different the setup in than with a 5510 and IPS module.
 
Also, is the IOS upgrade procedure different?

View 2 Replies View Related

Cisco Firewall :: ASA 5512-X Can't Connect To Console

Apr 10, 2013

I'm trying to access our ASA 5512-X via the Management port, but the address https://192.168.1.1/admin can't be displayed.

View 35 Replies View Related

Cisco Firewall :: ASA 5512 8.6(1) Failover Via Management

Jun 9, 2013

I am configuring a brand new pair of ASA 5512s running 8.6(1).  Traditionally we hae been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
 
ASA (config-if)# no management-only ERROR: It is not allowed to make changes to this option for management interface on this platform.
  
I have not been able to find anything in the official documentation mentioning this restriction. 

View 1 Replies View Related

Cisco Firewall :: ASA 5512-X DHCP Backup ISP?

Jun 3, 2012

I installed a new ASA 5512-X over the weekend for a client.  Their backup ISP connection is DHCP based.  I need to use the 'dhcp client route track' command on the interface, but it is not available.  However according the all the documentation I am looking at and even the ASDM says it should be available. 
 
This is the version of ASA and ASDM they are running:
 
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
 
I did upgrade to the latest ASA software, so has this command been removed?  If I do a '?' in the interface, there isn't a 'dchp' option. 

View 2 Replies View Related

Cisco Firewall :: ASA 5512 - Best Way To Setup Identity NAT

May 2, 2013

I'm porting our configuration from a Pix 515 firewall to an ASA 5512x.  What's vexing me right now is with the deprecation of the "static" command, I can't quite figure out the best way to Identity NAT my inside sub nets (multiple) to the DMZ sub net
 
So on the pix I have my identiy NATs as an example: 
static (inside,dmz) <IntSubA> <IntSubA> netmask 255.255.255.0
static (inside,dmz) <IntSubB> <IntSubB> netmask 255.255.255.0
static (inside,dmz) <IntSubC> <IntSubC> netmask 255.255.255.0
 
Cisco's migration guide seems to do them one object at a time, which I guess is straightforward enough to do: 
object network SubA
subnet <IntSubA> 255.255.255.0
[code]...
 
I'm thinking that there must be an easier way (aka less lines) to implement this for all the sub nets I want to Identity NAT to the DMZ. 
1)  Can I do this creating objects using a sub net with a net mask of 255.255.0.0 - one object to cover multiple internal sub nets?
2)  Can I do this using object groups and trim this down to:  (assuming I have to commands right)
 
Object-group network Inside_Subs
     network-object <IntSubA> 255.255.255.0
     network-object <intSubB> 255.255.255.0
     network-object <intsubC> 255.255.255.0
 
nat (inside,dmz) source static Inside_Subs Inside_Subs no-proxy-ARP route-enabled. What would be the best way to translate my Identity NATs?

View 10 Replies View Related

Cisco Firewall :: Does The ASA 5512-X Require A Separate HA License

Mar 25, 2013

If you look at the data sheet for the 5512-X the High Availability section states "Not Supported; ActiveActive or ActiveStandby" while the ASA 5515-X states "ActiveActive or ActiveStandby".  What does "Not Supported" mean for the ASA 5512-X?  Does this mean HA does not work, or that I need to purchase an additional license to use the HA feature? 
 
[URL]

View 5 Replies View Related

Cisco Firewall :: ASA 5512 X 2 Outside And 2 Inside Interface / How To Configure

Jun 7, 2013

I have a Cisco 5512 x Firewall connected with Cisco Layer 3 switch 3750.I have two different WAN connections, one for Data and one for voice. Cisco Layer 3 switch is configured with 2 different VLAN's one for data & other is Voice Vlan. Switch is providing DHCP to computers and IP phones. Voice Pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20.I need to route my data & voice traffic separately. Cisco ASA is connected with two different ISP's. So, how can I do this configuration so that Voice and Data traffic will route separately.

View 7 Replies View Related

Cisco Firewall :: ASA 5512 To 5510 Replacement Benefit

Apr 8, 2013

What is the benefit of replacing 5512 for 5510.

View 1 Replies View Related

Cisco Firewall :: ASA 5512 - Cannot Connect To VPN After License Upgrade

May 1, 2013

I am having an issue where I can't connect to VPN after upgrading the license. The license upgraded is related to AnyConnect VPN. I noticed from the newly upgraded license, the Encryption-3DES-AES is disabled whereas previously it was enabled.
 
ASA 5512-K9
Version 8.6(1)2

View 2 Replies View Related

Cisco Firewall :: ASA 5512 WCCP Configuration With Web Filter

Oct 31, 2012

I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barraccuda Webfilter 410 Vx applicance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is funning firemware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping eachother. The ASA has several interfaces, outside, inside, data and dmz. The PCs and barracuda appliance are behind the data interface.  ASA data IP 172.16.18.1 Barracuda IP 172.16.18.40   All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda. 
 
Below are the respecive bits of my ASA config
 
interface GigabitEthernet0/0
description Management
speed 1000

[Code].....
 
I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1 which is my inside network and the barracuda cannot communicate with it.  how I can get this working ?

View 3 Replies View Related

Cisco Firewall :: 5512 Policy Routing Alternative?

Apr 7, 2013

From what I can find the ASA does not support policy routing.
 
I have two VLANS that need to go to the same destination but different routes. Anyway to accomplish this on the ASA?

View 1 Replies View Related

Cisco Firewall :: InterVLan Routing Not Working With ASA 5512 V8.6

Jan 11, 2013

Configuration of inter-vlan routing on ASA 5512 ver 8.6? I have everything configured (un-nat, access-list, etc.) but still not working. When i do a packet capture, it says the traffic is denied by the implicit acl. Here is my config:
 
interface GigabitEthernet0/0.100
vlan 100
nameif data
security-level 100
[Code]...

View 7 Replies View Related

Cisco Firewall :: Detailed Documentation On ASA 5512-x And 5515-x?

Aug 7, 2012

where I can find detailed documentation on these two products. Particularly, I am looking for high availability capabilities and any license requirements. 

View 1 Replies View Related

Cisco Firewall :: 5512 - NAT Random Source Address

Jul 4, 2012

I have a problem with random host's geting the wrong source address on a ASA 5512-X  8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org, should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate tabel  I cant find anything wrong. Same yesterday with two host, that are using the right NAT address today.
 
nat (any,outside) dynamic interface.     (5.5.5.5)
object network H-192.168.25.10
nat (inside,outside) static H-6.6.6.6X(code)

View 1 Replies View Related

Cisco Firewall :: Unable To Open SMTP Session Through ASA 5512-X?

Sep 20, 2012

Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
 
NAT and access rules are as follows:
  
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1

[code]....
 
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?

View 3 Replies View Related

Cisco Firewall :: ASA 5512-X Version 9.1 Multiple Contexts Supported?

Apr 3, 2013

if on the ASA 5512-X virtual contexts are supported with version 9.1 ?
 
I found different information on the Cisco web,  the ASA datasheet says it is supported but in the configuration guide I found exactly the opposite information.
  
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6 [URL]
  
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated) [URL]

View 7 Replies View Related

Cisco Firewall :: 5512 Able To Be Field Upgraded To 5515 And Through 5555

Jan 10, 2013

Is the 5512 able to be field upgraded to a 5515 and so on through 5555?  I.E. Can I add ram and other hardware to make the boxes more powerful as my requirements increase?  I was hoping this would have been a new feature with the ngen firewalls.

View 3 Replies View Related

Cisco Firewall :: 5512 - BGP Through ASA Versus Transparent Mode Deployment

Mar 8, 2013

I've been asked to deploy an ASA in Transparent Mode because of concerns of putting another layer 3 hop between PE and CE routers running BGP.
 
Is there some problem with allowing BGP to flow freely through an ASA the is also terminating site to site and remote access vpn tunnels?
 
I just don't see the need for Transparent Mode here and you cannot have a standard DMZ setup with Transparent Mode: you have to use bridge groups to provide for multiple interfaces on the ASA and then have an external router route between those bridge groups.
 
what I'm missing here as to why Transparent Mode is needed (not needed)

ASA is 5512

View 4 Replies View Related

Cisco Firewall :: Does ASA 5512-X Have Category-based Web Filter Built-in

Jun 26, 2012

Does ASA 5512-X have a category-based webfilter build-in?

View 1 Replies View Related

Cisco Firewall :: ASA 5512-X / VPN Client Is Connected But Unable To Ping Internal Network

Mar 17, 2013

I have created a VPN connection for ASA 5512-X by using the wizards and nothing seems to be wrong on the wizards's config.I am able to connect to the network by using the VPN but unable to ping internal network.Below is my config for your reference:
 
Result of the command: "sh run"
 : Saved
:
ASA Version 8.6(1)2
!
hostname FAA-ASA-1
enable password crzcsirI44h2BHoz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[code].....

View 6 Replies View Related

Cisco Firewall :: ASA 5512-X - Automatic Power-on After Power Failure?

Dec 5, 2012

how can I enable an automatic power-on after a power failure on an ASA 5512-X?

View 5 Replies View Related

Cisco :: NAT Overload Breaks OSPF Adjacency

Aug 30, 2012

I have 3 routers all running OSPF. each of the three routers have 2 networks they are advertising..NAT Overload breaks OSPF Adjacency

[code]...

View 2 Replies View Related

Cisco WAN :: Catalyst 6509-E / Nat Overload Does Not Work

May 18, 2011

I have the folowing nat configuration on my catalyst 6509-E with a sup720-10G that does not work, and gives a erros messague:
 
ip vrf testes
rd 6900:5
interface Vlan1111
description liga
ip vrf forwarding testes
ip address 192.168.63.91 255.255.255.248
ip nat inside

[code]....
 
This configuration generates the folowing error:

NAT: translation failed (A), dropping packet s=128.2.21.21 d=192.168.63.185
 
If i change the nat overload to a static nat, everything? Is there any wrong with this configuration ?

View 1 Replies View Related

Cisco WAN :: Broken Pat / Overload After Upgrade From 1711 To 891

Apr 26, 2011

Broken Pat/Overload after upgrade from 1711 to 891

View 7 Replies View Related

Cisco WAN :: 2901 - Configure Router Overload NAT (IOS 15)

Jul 5, 2011

I am attempting to configure a Cisco 2901 router using IOS 15 to  properly perform NAT/PAT translation between LAN and the internet  connection. I've configured DHCP pool for the local interface (GigabitEthernet0/1), which  works properly. The WAN interface (GigabitEthernet0/0) is configured to obtain its own IP by  DHCP from the ISP. I can work on the LAN computers and I can access the  internet directly from the router (using, for example, telnet and  router's ping commands). The problem is, NAT does not work properly and connection from the LAN  interface does not reach the WAN interface.

View 1 Replies View Related

Cisco VPN :: Setting Up Split Tunneling 2821 With Nat Overload?

May 1, 2013

I have a cisco 2821 router. I currently have it setup to accept vpn connections from a cisco client which uses the 172.16.4.0 subjet for vpn connections. I also have nat overload setup for my local lan of the router so my internal servers on the 172.16.3.0 subnet can reach the internet. Every thing works great for that setup.However I have tried several methods I found for split tunneling and they have weird problems with the nat overload in place. If I take away nat overload the split tunneling works. If I take away split tunneling the nat overload works. I can't seem to get them to work at the same time.Config is below. This is the vpn/nat overload config with no split tunnel.
  
Current configuration : 2236 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

[code]....

View 1 Replies View Related

Cisco :: C892 / Overload Router With Debug Command

Jan 10, 2012

I use a C892 router with the IOS c890-universalk9-mz.152-1.T.bin. I just ran the command "debug ip packet 151 detail" and then the router stopped to work because it was overloaded. The ACL151 I used is as follow:
 
Extended IP access list 151
10 permit ip host 10.1.1.1 host 91.1.1.1
 In the syslog then I got hundred of messages from IPSec:
Jan 11 09:43:35.677:  IP: s=10.80.10.254, d=10.64.19.99, pak 8A7453CC consumed in output feature , packet consumed, IPSec: to crypto engine(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

[code]....
 
For me it seems just like that this ACL is not applied and that I have a debug then for the whole traffic.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved