[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
Whenever I access a website running in "server A" (only HTTP traffic) everything works fine. The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".
A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed. I did another test from the LAN and the captured traffic is attached. I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.
We have setup the IP phone proxy on our ASA-5520, we had a couple of issues with the initial setup, but nothing major. It has been up and running for a few weeks and basically everything works perfectly just like we designed it except for 1 strange audio issue on outbound calls. We can make a call to anywhere, no problem, if the call is answered, no problem, perfect call setup and good quality 2 way audio. But if the person we called doesn't answer the call and that call goes to their voicemail we loose all audio from that point forward, we do not hear their outgoing message or get any prompts just dead air. The same situation appears to be true for any "recorded" service on the other end of the call.
I've been tracking a conversation on my firewall. I have an inside device that is trying to communicate to a server outside to send data. The conversation is suppose to be all 443. I see that there is a TCP connection made and a dynamic NAT that translates my inside device to the public IP, and appears to change the port to 65415. The problem I'm having is that the conversation ends with reset-O, and I'm wondering if that port has something to do with it, or if it's just that their server is resetting the connection because of an issue they are having? The vendor says no firewall rules are needed for this device to communicate with their server.
I have an ASA 5520 for my firewall. (ver 8.0(4))I have an external hyperlink that works from dsl at home but not from behind my corperate firewall.When I filter my real-time log viewer for this destination address I see the build up and immediate teardown of the session.The log indicates the teardown was initiated from inside.The informational alerts are
Built outbound TCP connection 726440542 for outside:22.214.171.124/6666 to inside:172.16.x.x/3586 (65.204.x.x/52001) Teardown TCP connection 726440542 for outside:126.96.36.199/6666 to inside:172.16.x.x/3586 duration 0:00:00 bytes 77 TCP Reset-I
Reset-I means that something (the firewall or my pc which is the source) is telling the firewall to end the session.
I just changed my internet provider from DSL to cable. When I hooked up the DIR-615 I had some difficulties. At first my computers would all connect to the router but there was no internet connection. I had to download the latest firmware and install it. After the install succeeded, everything seemed to be okay. However, I now occasionally get the message that the connection to the server was reset while the page was loading. Also, the little world symbol on the router constantly flashes at a rapid rate. Before the switch, neither of these two things happened. When I check the download speed it seems fine. The cable modem is an Arris and also handles my telephone service.
I reset my Cisco 2911 ISR to the factory defaults. I then used the configuration guide to do the initial set-up through the CLI. I was able to assign IPs to the GE0/0 and GE0/1 ports. Now I cannot access the GUI device manager at all. I was able to ping the IP of GE0/0 so I know the adapter took the IP assignment, but still no GUI access.
I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP Nat Enable commands. This is now working for me fine. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems the detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]
I recently inherited a Cisco 2911, that appears to have had Firewall rules imported into Externally Defined Rules. ACL's are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Lavel Inspection (Firewalled) rules. There are two areas in the router, under ACL area, and under Security. What is the difference between these two Firewall areas?Are both areas providing packet level inspection?Can I build Firewall rules (within the Security area) to replace the ACL's?
I'm configuring the nat on a ASA5525 running on 9.1.2 and got 2 questions, 1. Is the below overlap warning message normal and will not cause any issue? 2. Is there a simple way on 8.3 and later to fulfill the same functionality like 8.2 and earlier?
old config on 8.2 and earlier nat (inside) 1 0.0.0.0 0.0.0.0 0 0 nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 global (outside) 1 188.8.131.52
I have an 887VA-w connected at home. I am using ip virtual-reassembly an all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I recieve: [code] I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.
Two Vlans (ID1 and 100)are on a Cat 4500, which connects to an ASA, interface DMZ. On 4500, there is default route point to the ASA DMZ interface Issue, server on vlan 100 cannot ping a server on Vlan 1, vice verse. When I enable the realtime log, it gives me a “Translation creation failed” message, please see the attached files.
i got an error while connecting to my PIX (515e) via ssh connection there is an error message appears (The server has disconnected with error, server message reads: Internal Error) and at the console session at the time time, the following message appears also (process_create: out of memory)
We have some Cisco 2911's that we are configuring 2 VPN's ( second is for redundancy) We are pretty confident on the failover VPN setup using SLA monitoring.
One thing we are stuck on is the redundant VPN will be setup over a 3G connection provided by verizon. Verizon issues a Private IP ( 192.168.100.X) the far end device terminating the VPN has a public ip of 183.172.22.XX , what kind of NAT translation do I need to make this work ? Also does Cisco have any good configuration examples for VPN Failover setups for Cisco 2911's?
This ACE log entry is generated by explicit deny any any statements at the end of all the ACLs, e.g.access-list inside_access_in extended deny ip any any log interval 600 Based on the config, I would expect to see this being logged to the syslog server, but not to the local buffer, but am still seeing them locally in the buffer:
It also still shows these as level "warning", %ASA-4-106100, instead of the default %ASA-6-106100 I've tried removing and re-applying the config at different levels but it still reports in the buffer log as level "warning", %ASA-4-106100 This also doesnt affect every 106100 log that is generated. Most messages are generated at the correct level 6 severity but some seem to randomly log at level 4. There doesn't seem to be any pattern to this. The same access-list line can produce severity level 4 and 6 106100 messages.
I have two ASA in failover with Active/standby configuration. When I switch from standby to active from the standby ASA I get a lot (like 100) of error messages like these below: [code] The failover works fine and nothing seems to be wrong with the firewalls function.
-Hardware is ASA5585-SSP-10. -Software version: ASA 8.2(5),
ASA is in multiple mode with 17 active context. Why these error messages appear and what they mean?
I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
I have cross check both firewall configurations, and I do not see anything suspicious commands relating to sip that might cause this issue. Is there any command to troubleshoot why the sip inspection is dropping the sip packets on site-B?
I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug.
I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Source Address 184.108.40.206 ==> Destination 220.127.116.11 (nat this to 18.104.22.168) inbound.
So if from the internet tries to hit 22.214.171.124 we want to nat that to 126.96.36.199 both of which sit on our public space.
I have a a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic on the opposite direction and a few essential traffic generated externally (such as Outlook web access and E-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.
policy-map type inspect FWPol_Out-In class type inspect CCP_PPTP pass class type inspect FCMAP_In-Email pass class type inspect FCMAP_In-OutlookWebAccess inspect(code)
%FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic wasn't generated internally as all InZone>OutZone is inspected.
I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription. Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page [URL] or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
I know I can use the 'parameter-map type urlf policy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect -url') but how to do more with either the built in page or the redirect- url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
We are using the newest release of AD Agent (188.8.131.52.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following: