Cisco Firewall :: ASA 5515X 8.6 IOS For NAT Control

Feb 21, 2013

I am in a process of replacing the Cisco ASA 5510 with 7.3 OS with a new Cisco ASA 5515X with 8.6OS. In the existing Cisco ASA 5510, we have configured 'no nat-control' for which the traffic from all sub-interfaces were flowing to the lower security interfaces without any NAT command. Just access-lists were configured. Now how do i acheive the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.

View 3 Replies


ADVERTISEMENT

Cisco Firewall :: 5515x Apply On Firewall / Switches To Make Implementation Successful

Apr 22, 2013

I will be implementing a new firewall (cisco asa 5515x) on my existing  3750x (server switches) and my 2960s (user switches). What should I need to apply on my firewall and swtiches to make the  implementation successfull.  I will put my 3750x as my DMZ and my 2960s  as my inside.  The 3750x have multiple subnet and also the 2960s.which  features and technologies i need to know on those 3 products.  my 3750x  and 2960s don't have any ACL defined and most common features are vlan,  switchport, trunking, spanning-tree, stacking, vtp.how  my asa knows that my 3750x/2960s have multiple vlans.  my current  connection right now on 3750x and 2960s is just through 6 ports i  assigned as one trunk, below is my config [code]

my  2960s vlans are almost the same with my 3750x except vlan 160, 170,  192.  but of course when i put this in asa, i have to segragate vlan for  3750x (192, 100, 110,160, 170) and 2960s (130, 150).  for my 2960s  connection to the asa and since this will have big bandwidth, i will use  3 ports on my asa (and trunk it) connecting to my 2960s and i will use 2  ports on my asa (and trunk it) connecting to my 3750x.  the one  internet ports and my one management ports on my asa will stay like  that.

View 2 Replies View Related

Cisco Firewall :: ASA 5515X - Config Loss After Primary Firewall Reloaded

Sep 23, 2012

I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
 
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
 
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.

View 2 Replies View Related

Cisco Firewall :: Upgrade From 8.2 To 8.6 For New ASA 5515X

Sep 19, 2012

My customer has a rather complex configuration on an ASA 5510 running version 8.2.

They are migrating to new ASA 5515X models which of course only version support 8.6
 
How can i convert the configuration from 8.2 to 8.6 since the new ASA's do not support the earlier versions?
 
The X series seems to be a great option for new deployments but what about replacements of existing older models?

View 3 Replies View Related

Cisco Firewall :: ASA 5515X Max Contexts In HA Mode

Jun 4, 2013

What is the maximum number of contexts a pair of 5515Xs in HA mode can support?
 
I know each 5515X can have a max of 5 contexts, but does that mean in HA mode a pair can support 10 with license pooling? 

View 8 Replies View Related

Cisco Firewall :: ASA 5515X - How To Block Traffic Of P2P

Jan 28, 2013

I'm using ASA 5515X my concern is I was not able to block the traffic of P2P such as BitTorrent etc. I was also view some technotes on how to use webfilter without using Websense or Smartfilter tools and lucky I'm able to block certain websites. how to block the traffic of P2P?

View 2 Replies View Related

Cisco Firewall :: Upgrade From ASA-5510 SSM20 To ASA-5515X?

Dec 25, 2012

I need to upgrade to firewall which supports Active/Standby configuration.I am currently using a ASA-5510,SSM-20 8.2(5).Will the configuration file from the ASA-5510 work on the 5515X?

View 1 Replies View Related

Cisco Firewall :: Remote Desktop Connection To ASA 5515x

Feb 5, 2013

I have ASA 5515x and it has already Internet Connection since my firewall is not "production". So right now I'm trying to configure a Remote Session just for a test and eventually I was not able to connect from it. I followed the instructions from technotes but still Remote Connection dropped. Here's my sample configuration on my firewall, btw I also configured a service policy rule and ACL just to make sure if I can able to access the Server inside my network but Session also dropped. 
 
nat (inside,outside) source static 1.1.1.1 2.2.2.1
access-list 110 extended permit tcp host 3.3.3.1 host 2.2.2.1 eq 3389
CiscoASA(config)#class-map rdpmss

[Code].....

View 5 Replies View Related

Cisco Firewall :: Management Interface In Cluster ASA 5515x?

Jan 6, 2013

I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.
 
my config
 
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif

[Code].....

View 9 Replies View Related

Cisco Firewall :: Testing 5515x At Home - No Internet Route

Apr 15, 2013

im new to cisco asa and the model is 5515x with license plus.  below is my config at home,
 
ciscoasa#
ciscoasa# sh run
: Saved

[Code]......

View 1 Replies View Related

Cisco Firewall :: Ports To Be Opened Up For Hosted Voice Access On ASA 5515X

Sep 23, 2012

I have a customer who is going to host a VOICE services like providing SIP services to its customers. What specific ports required to be opened up for this on ASA  5515X. I would rate it ASAP.

View 3 Replies View Related

Cisco Firewall :: New ASA 5515X Generation Support PBR Or Not / ISPs Links Redundancy

Jun 9, 2013

I need to know if the cisco ASA next generation specially ASA 5515X support PBR or no ?how to implement it? Also if i have many internet connections and i need to dedicate 2 ISP’s ADSL internet lines to certain service (such as mail) if the 1st fail, so the 2nd line come up to make redundancy with it ----------- Is this available on cisco ASA next generation.

View 1 Replies View Related

Cisco Firewall :: Maximum Number Of 1-1 Static Nat Entries On ASA 5515X Or 5525X?

Aug 7, 2012

I have a FWSM cluster that I exceeded the maximum number of static nat entries on.  i migrated the connectivity off to a pair of PIX 535's that seem to be handling the adderess translation needs.  however the number of NAT entries being required is increasing and being the PIX series wal EOL'd several years back..I need to replace them..  The static 1-1 nat entries cannot be summarized into network as the hosts that are being nat'd are scattered all over various micro subnets in the all 3 rfc1918 ipv4 address ranges and they are being manged directly by snmp and SNMP-trap and other services that prohibit the use of many-to-one nat.   Is there a mknown maximum number of static 1-1 nat entries that can be defined on the ASA 5515-x, 5525=x and higher ASA firewalls?  Say I wanted to be able to grow to 2500 or more static 1-1 nat entries.  I am currently running 2010 1-1 static host nats currently.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - NAT And Firewall Access Control

Oct 4, 2012

I have an ASA 5520 in my company which does all our NAT and Firewall access control.  Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created.  This is a test before the web app is released live.  Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through.  Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?

View 2 Replies View Related

Cisco Firewall :: NAT-Control Feature In ASA 8.4 (2)?

Aug 26, 2011

I'm a bit confused about new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but still not clear about the various things.One of these is NAT-CONTROL. I understand that this has now been removed. Does this means that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words by default traffic is allowed through the firewall without any NAT'ing.
 
My Second Query
 
I've ASA5520 running ver 8.4(2). For inside interface, I've created 13 x sub-interfaces under Gi0/1. All have same security level i.e. 100. What I want to achieve is that:Traffic from these sub-interfaces should be NATTed to outside interface when going to internetBut, intra sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides i.e. source / destination The first point is not a problem it's working, however. I'm struggling with the second point. On ver 8.2, it wasn't a problem, I used NAT 0 with access-list permitting RFC1918 addresses as source and destination.

View 3 Replies View Related

Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
this means higher security can talk to lower security without NAT rules
 
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
 
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for NAT 0 ...like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-

View 2 Replies View Related

Cisco Firewall :: 5520 NAT Control Is Disabled

Jun 28, 2012

ASA 5520
version 8.2
 
My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200.  The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP.  The access list is in place ont the guest interface to allow traffic to the server.  The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check. NAT control is disabled. [code]

View 2 Replies View Related

Cisco Firewall :: Don't Want ASA5505 To Control DNS For Internal Client

May 28, 2012

We have an internal DNS server that all internal hosts do lookups to .. these requests are forwarded onto open dns for anything the dns server isnt authoritative for.. My question is we have purchased the botnet filter and this requires the asa5505 dns client to be active on at least one interface .. Should i point the asa dns to an external IP such as 8.8.8.8 and apply DNS enabled on interface outside ( am using asdm) I don't want the ASA to control DNS for our internal clients we already have a internal server for this, i  DO want the asa5505 to check dns packets against its botnet filter, whilst still using open dns for forwarding.

View 1 Replies View Related

Cisco Firewall :: ASA 5585X - Possible To Have Content And Control Security?

Aug 10, 2011

Is it possible have Content Security and Control Security in a ASA 5585-X? I´m asking because the CSC-SSM is only supported in ASA 5540, 5520 and 5510 and I dont know how it feature ca be supported on a new ASA 5585-X.

View 2 Replies View Related

Cisco Infrastructure :: ASA 3750 Firewall To Control Traffic Between VLANs

Jan 20, 2013

We have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them.The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover.The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be concidered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.

View 1 Replies View Related

Cisco Firewall :: ASA Version 8.3 And Higher / Nat Control From Lower Security?

Oct 1, 2012

I have read that nat control is no longer exist in this version,However, I am trying to permit traffic from lower security interface to higher interface security,Is it need to be Natted ?

When I try to route, i have never succeeded, but when I put a nat, I can access and the traffic go through Do I miss anything on the nat control statement ?

View 5 Replies View Related

Cisco Firewall :: ASA5500-x Bandwidth Control Based On Different Users And Applications

Sep 20, 2012

I would like to know about asa 5500-x. Does it supports application visibility and granular control for different applications. Moreover bandwidth control based on different users and different applications

View 1 Replies View Related

Cisco Firewall :: How To Design ASA 5510 Failover For Process Control Network

Mar 19, 2013

I'm currently working on setting up 2 ASA 5510's with redundancy/failover. I'm not an expert when it comes to the ASA's so I'm not 100% sure if I can do what I need to.I have 2 inside networks that need to remain separate, a DMZ network,and an outside network. Since each network connects via ethernet to one of the 4 ethernet ports on the ASA 5510's, all 4 ethernet ports on the ASA 5510 will be in use. If I wanted to setup one firewall as Active and the other as standby, how would I go about doing that? Do I need a direct ethernet connection between the 2 firewalls to use something such as HSRP? Or would the Standby firewall be able to tell if the Active firewall is OK since they would both be connected on each of their interfaces to the same networks?        

View 1 Replies View Related

Cisco Firewall :: Update License Content Security And Control Info ASA 5510

Mar 20, 2013

I have to upgrade to an ASA 5510 CSC, and the new license is generated, the file you sent me licensing, only seen this:Activation Code not required for this renewal. Please go to "Administration> Product License" in the CSC SSM console and click "Check Status Online" to get the latest expiration date (BASE: 09/04/2014, PLUS: 09/04/2014).This means that what I have not make any upgrades or license charge in the ASA? Does the automatic update is made?

View 1 Replies View Related

Cisco Firewall :: Access-List Traffic Control Attempting To Block RDP 3389

Nov 7, 2012

I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels.  Tunnels appear to work.  I am lab'ing some additional controls that I would like to implement.  On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass).  I was hoping to lock things down a little without having to reconfigure all of the Tunnels.  My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN.  One port that I was attempting to block is RDP 3389.  When this ACL is applied to the inside interface it does not block Port 3389 at all.  What am I missing?  Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels? 
 
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
 
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any
 
ip access-group 145 out interface Internal
 
This work great on a 2821 Router, but not so much on the ASA.

View 11 Replies View Related

Belkin Routers :: N759 / Custom Firewall Rules (parental Control)

Oct 28, 2012

can i set what websites I want to kid to have access to on a belkin N759 N+ router

View 2 Replies View Related

Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
 
This is a single point of failure and what I need is a way to mitigate that. Under:

redundancy
application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
 
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

View 1 Replies View Related

Cisco VPN :: Connect VPN Site-to-site Between FW ASA 5515X / 5510

Jul 11, 2012

I have a problem trying to connect a VPN site to site between a FWASA 5515X - ASA5510. [code] The configuration in the 5510 its the old one that i been using with a firewall 5505.

View 1 Replies View Related

Can't Get To My Control Panel

Aug 12, 2012

I can not get to my control panel. I have tried 192.168.1.1 and 192.168.0.1,. I do have it flashed with DD-wrt. I can access the internet with it, the lights look correct, I don,t believe it is bricked. I have tried hard reset and soft reset.

View 5 Replies View Related

Cisco :: Access Control For Static NAT

Jun 15, 2012

(1) forward range of ports to a specific IPs using static NAT? for ex, i would like to forward port 5060 and 10000-20000 to a server 192.168.1.22..

(2) how to apply access control to this static NAT ? for ex. i would like to deny specfic IPs from accessing it from public..

====================================================
interface ethernet 0
ip address 192.168.1.1 255.255.255.0
ip nat inside

[code]....

View 3 Replies View Related

Cisco VPN :: ASA 8.4 / How To Allow SSLVPN Client To Control SBL

Apr 25, 2011

I enabled SBL on ASA 8.4, anyconnect client is Win-XP, everything worked as expected, but some users do not want to see SBL logon screen before windows logon because often times they will need to login before they can get network connection. So I modified profile.xml's following line from
 
UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon
 
to
 
UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon
 
the new profile is downloaded to client machine's anyconnect vpn profile fine, yet still users see VPN logon screen before Windows log on, "Connect on startup" is un-checked on Anyconnect VPN client, client machines rebooted multiple times, Anyconnect VPN client was removed and re-downloaded from scratch, no change ... What else do I have to do? I certainly can create a new group-policy/tunnel-group for those users without SBL, but that is far from an elegant solution.

View 7 Replies View Related

Cisco :: 5508 - MAC Access Control

Nov 29, 2012

We are forced to rush a installation of a WLC 5508 various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straight forward MAC filtering. The problem I am having is the controller allows either any W LAN or only one W LAN, and a interface setting. I need to have each MAC be able to access several W LAN's but not all of them. Can anyone point me to a article or give me a quick idea of what I can do.I have basic W LAN's configured and have MAC filtering generally working. I cannot just use a user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all W LAN's and I do not want to rely on the user.

View 8 Replies View Related

How To Get Mouse To Control Arrow

Jan 8, 2011

How can i get the mouse to control the arrow when i connect my tv to my laptop computer;i can control the arrow with the control on the laptop but not with mouse.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved