Cisco Firewall :: ASA 5520 ACL Established Connections Configurations

Jan 16, 2012

I have one ASA5520 with version 8.4(3) and a few ACL rules defined. One ACL permits traffic from one interface (EXT_SERVICE) to another interface (DMZ_SERVICE). If I change that rule to deny traffic, all new connections that match the rule are denied, but not the established connections. Why can the established connections pass the deny rule? How can I change that? I need to create an ACL of deny type and stop all communications that are running and match the deny rule.

Running-config of my ASA5520:

ciscoasa# show run
: Saved
ASA Version 8.4(3)
hostname ciscoasa
enable password 8ay2wjIyt7RRXU24 encrypted
passwd 2wFQnbNIdI.2KYtU encrypted
names
!
interface GigabitEthernet0/0
[Code] ........



Cisco Firewall :: ASA 5520 - User Lose Session With Server While VPN Still Established

Jul 7, 2012

I have users connected to the office using the Cisco VPN client; a Cisco ASA 5520 acts as the VPN gateway. Frequently the users get disconnected from the server while the VPN is still established and not disconnected!
What is the cause of the issue, and where is the fault located? How do I start troubleshooting to figure out the issue?


Cisco Firewall :: LMS 4.0 Cannot See ASA 5520 / 5510 Configurations

Sep 30, 2012

I have an issue with LMS 4.0: I manually added the ASA firewalls 5520 and 5510, and I see them there, but I cannot see the configuration, inventory and technology details. Telnet is deactivated on the ASAs; SSH and SNMP v3 are enabled. Routers and switches were added without issues.


Cisco Firewall :: Using Object-Groups For Easy Maintain ASA 5520 Configurations

Sep 19, 2011

After reading the post titled "ASA 5520 nat access-list query for internet access" I realized the object-group command could and should be used to make a more efficient and cleaner configuration. My current environment is very small and straightforward, consisting of one FTP server in the DMZ. Though the guide: [URL] is straightforward, my inexperience hinders me from seeing how to use the commands effectively. A summary of the configuration is at the bottom of this post.
Question: How can I clean up my current configuration? I have two references to the same server, dmz-rdp and dmz-ftp, created for port forwarding ports 3389 and ftp through the outside interface. I can combine them into one object statement, right? For each port I want to forward through the outside interface?
object network dmz-rdp
nat (DMZ,outside) static interface service tcp 3389 3389



Cisco :: IOS 12.x+ Port Forward Only Established Connections?

Apr 3, 2013

Using Cisco IOS 12.x+ on a router. How would I create an ACL that will only allow access to a port from the inside only after it has been established, i.e. similar to port triggering? The inside host needs to use port 61200 for BitTorrent. I don't want the port to be visible as open to the global net except when the host establishes the connection first. That way a port doesn't have to be left open 24-7.


Cisco Application :: ACE 4710 Failed Probe And Established Connections

Jan 23, 2013

I have four ACE 4710s. Each pair of ACEs is in one geographical location. Probes are configured so that they check a regular regex (HTTP GET). When an rserver needs an update, we change the text in our testpage.html (e.g. from "OK" to "SUSPEND") so that the probe detects a failure. In fact the rservers are still operational, but should not accept new connections. This works fine. BUT I observed that established connections/sessions did not end after the probe fails. The ACE probably waits for opened/established connections to end, and that is what I am asking about. What happens if the probe fails but the rserver is in fact operational? I thought that if the probe fails it also cuts all established connections to the rserver. But it seems that is not true.


Cisco Firewall :: Show Active TCP Connections In ASA 5520?

Jun 5, 2013

how many active TCP sessions my ASA has but having a hard time finding this information.  When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP.  Is there any way to get just the TCP connections?


Cisco Firewall :: ASA-5520 - Auto-Save The Connections Detail And Xlate

Oct 10, 2012

I have an ASA5520, and every day I have a lot of connections through my ASA5520. But the buffer in the ASA5520 for saving connections is limited. Now I want my ASA to auto-save the conn detail and xlate to my syslog server. How can I do that?


Cisco Firewall :: ASA 5520 Default Inspection Engine Dropping Connections

May 25, 2011

I currently have the default inspection engine configured in my firewall to inspect HTTP traffic. I noticed that the ASA will drop packets when visiting legitimate websites. I've tried googling for a workaround but have been unsuccessful. How can I exclude some websites or IPs from being affected by the inspection engine?


Cisco VPN :: 876 - Connection Established From Firewall But No Ping Answer

Mar 18, 2013

We are trying to establish a site-to-site IPsec connection between a Cisco 876 (local site) and a Check Point firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL router with port forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".

From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.

The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] [inside ip local]" (see also appended running config for naming of ip- addresses). Establishing a Cisco VPN- Client connection to the same Cisco 876 router works fine.


Cisco Firewall :: ASA 8.4 - Failover Not Replicating Configurations

Jun 5, 2011

I have this firewall working as active/standby. Everything seemed to be OK, but we noticed that configurations are not being replicated when saving the configuration with either copy run start or write. The workaround here is the write standby command. Below are the configs and stats, plus the show version, which is the same on both units:

failover lan unit primary



Cisco Firewall :: ASA 5505 Without IPS Can't Remove Some IPS Configurations

Dec 5, 2012

I have an ASA 5505 without any IPS module. While copy/pasting some configurations from another 5510 with IPS, I copied by mistake some of the IPS configuration part. Now I can't remove it. When the ASA starts I get this warning:
...WARNING> IPS policy is configured without an SSM card.
*** Output from config line 828, "  ips inline fail open"
Those lines are:
policy-map Outside_Policy
class IPS_class
ips inline fail-open
When I try to do "no ips inline fail-open" I get an "invalid input detected". If I try a "no class IPS_class" I get that it is in use. What can I do to clean up those lines?


Cisco Firewall :: Move Some Configurations Over To ASA5510?

Apr 18, 2013

I'm trying to move some configurations over to an ASA5510 and some of the commands are a bit different than I'm used to (I worked on old PIX before).
I've configured the following on the device:
Outside interface:
DMZ                  :
Inside                :

The current firewall has the below configured on it (old Juniper)                       gateway               ** is the IP for 3750 switch on the inside LAN**                       gateway                 ** internal vpn- will remove later but thats a different discussion**
0 0                                    gateway            **to internet                            gateway                 ** represents mpls traffic

The current setup for this network has an MPLS router and a VPN concentrator as part of the network. My aim currently is to replace the Juniper with an ASA5510; the changing of the VPN tunnels will be for a different time:

work station ===>  switch (3750) DG to =====> MPLS (vendor owned and managed) ====> non mpls traffic ====> vpn concentrator ===>firewall ===> router
The above will need ACLs to go with the routes, which I should manage OK; I just want to make sure the routing is configured properly.


Cisco Firewall :: Migrate Checkpoint Configurations To ASA 5585 Using SCT Tool

Oct 28, 2011

I am trying to migrate Checkpoint configs to an ASA 5585 using the SCT tool. This tool asks me to feed it a *.W file from Checkpoint, which is supposed to be a rule definition file on CP, but I can't find it.


Cisco VPN :: ASA 5520 - Monitoring SSL Connections

Sep 12, 2012

On the ASA5520 we would like to create a report that gives us trending over 6 months for the number of people logged in via the SSL VPN and for how long. Is there a way to do this on the ASA5520? Does it have this ability? Could I do this in SolarWinds? My boss mentioned a software package that Cisco has that will show a history - is this correct?


Cisco VPN :: VPN Connections Fail When ASA 5520 Running IOS 8.41?

Sep 20, 2011

I have an ASA 5520 running user web traffic, incoming VPN and systems NAT for DMZ services. Nothing new for a standard firewall. I have upgraded the memory in it to 2GB, per Cisco, so that I could install and run IOS 8.41. I have uploaded both the IOS bin image and the ASDM 645 image and set it as the primary boot file. When I reload the ASA, everything boots fine, with no errors, and all traffic appears to be working fine. But here is my problem: ALL the previously configured VPN sessions will connect to the ASA and show that they are passing traffic (TX and RX increment in the monitor), but if I try to access a device on the other side of the VPN, or they try to access services in the corporate network, the connection fails. Ping works, so I know I can reach the devices and the tunnel has been correctly created, but nothing else. I did not change anything in the configurations for the VPN connectors. But if I reload the ASA with the 8.21 version image, everything works just as before and all connections are good.


Cisco WAN :: 5520 - Active / Passive ASA With Redundant ISP Connections

Apr 25, 2012

Currently we are using a single connection to our ISP and in the coming months will be moving to two separate connections (to the same ISP). In our current setup we utilize active/passive ASAs (5520, single context) and would like to utilize that going forward as well, the reason being that our DMZs all hang off of these ASAs and we have fiber connectivity between our datacenters. Our main datacenter and DR datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently, with both terminating in our ASAs. That way if the ASA at our current site fails, the DMZs are still accessible via the secondary firewall at our DR facility.


Cisco VPN :: 5520 Remote Site To Internet Connections

Jan 13, 2012

I have a remote office that currently connects back to a Central data center via Site to Site VPN.  I am bringing up a 2nd internet connection as a fall back in the Remote Office.  How do I configure the Site to Site VPN to work correctly so that if the primary internet connection goes down, the site fails over to the secondary? On Remote the internet connections are from different providers so they have completely different blocks of public IPs.

ASA 5520 8.0(4)
Gig 0/0 Public IP

ASA 5520 8.4(1)
Gig 0/0 Public IP
Gig 0/3 Public IP (2nd internet)


Cisco VPN :: 5520 Active Monitoring Of Remote Access Vpn Connections

Apr 14, 2012

I am using an ASA 5520 and an ASA 5540 for remote access VPN connections. Is it possible to do active monitoring of my VPN connections so that there would be alerts for VPN tunnels that fail to establish due to reasons other than user authentication?


Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now Cisco wants to replace it with ASA-5520-K8.


Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP

Mar 14, 2013

IOS Firewall (ZBF) Limit SMTP connections from same IP
We are running a Postfix MTA behind an IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 SMTP login attempts like
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
in one second. Maybe brute force or DoS ... nevertheless, we would like to protect the Postfix MTA from this stuff.
Can we inspect the SMTP and limit connections in a time period from the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip".


Cisco VPN :: 5510 - Get A Tunnel Established?

May 2, 2012

I have two 5510s between which I am trying to get a tunnel established. One has an existing tunnel to a 5505 that works, but I can't get the next one to get past the first phase. I have sanitized the attached configs.


Cisco :: After Tunnel Is Established Can't Ping Anything On Other Side

Jan 20, 2013

I successfully established site to site with two ASA 5010. The problem is that traffic is not passing. This is the current setup: 1) Left side: only 1 private network 3) Right side: 1 private network, management network, 2 DMZ networks with public IP. On the right ASA some netting is set up so servers in the DMZ can be reached from the private network. The goal would be that a VPN client on the left side can reach all resources on the right side (except the management network). Just to get things going, the tunnel is built with only the left and right private networks, but after the tunnel is established I can't ping anything on the other side.


Cisco Routers :: IPSec SA Not Established 2 RV110W

Apr 7, 2013

I make a vpn site-to-site IPSEC tunnel between 2 RV110W the above ,you will find the configuration
Site 2
always the same message


Cisco VPN :: 5510 - ASA 8.4.(1) VPN L2L Can Only Be Established Through Default Gateway

Jun 19, 2011

We have an ASA 5510 with two internet connections, one intended for VPN L2L and the other for general users' internet access.

On ASA 8.04, I configured the crypto map on interface "VPNAccess" and a static route to the L2L remote peer through the VPN internet access; the default route was pointing to the general internet router.
We bought a new firewall with 8.4.1, and now the ASA only tries to initiate traffic if the remote peer is on the default gateway.
It ignores more specific routes (I mean longer masks) and always tries to use the default gateway, but only for VPN; if I run a traceroute to those peers it uses the routing table correctly.


Broadband :: Internet Connection Could Not Be Established?

Sep 12, 2011

internet connection could not be established. the port used was closed.


Active Established TCPs When Offline?

Mar 26, 2013

How is it possible that even when I turn off Wi-Fi on the laptop and even disconnect the modem, when I type netstat into CMD there are still one or two TCP ESTABLISHED connections? I have waited as long as an hour and there are still established connections even though I am not connected to my internet. If I shut down the computer and reload it again with the router unplugged, there will be either no connections or maybe one TIME WAIT connection for one or two IPs. But as soon as I reconnect to the internet and then disconnect, the same thing happens, where there are established connections to the laptop even though I am not connected to the internet. I use CCleaner to remove all cookies between sessions.


Wi-Fi Connection Is Lost And Needs To Be Re-established Wndr4500

May 27, 2012

I have the Netgear WNDR4500 set up on my home theater shelves, which are located in the corner of the room. When using my Asus G74sx with the Atheros 9002 Wi-Fi I consistently get disconnected. The Wi-Fi connection is lost and needs to be re-established.

Interestingly, when I am using the laptop downstairs the disconnects never happen. I have pored over my router's settings, updated to the latest firmware, as well as installed the latest drivers on the laptop. I also tried setting the router to short preamble and changing the channels to 11 and automatic.


Cisco WAN :: 1811 As PPPoE-client / Connection Isn't Established

Jul 4, 2012

PPPoE connection isn't established...Config Cisco 1811 (c181x-advipservicesk9-mz.124-15.T15.bin):
vpdn enable
vpdn-group 1
  protocol pppoe



Cisco Routers :: VPN - SRP527W / 857 Established But No Tx Traffic On SRP Side

Aug 2, 2011

I now have the SAs established between the SRP527W and the Cisco 857, but if I ping from a host on the Cisco side to a host on the SRP side I get only rx traffic on the tunnel; the stats keep tx at 0 and the ping is not answered. My tunnel is to send some voice calls into the IPsec tunnel keeping the DSCP bits. It connects the SRP voice VLAN with the Cisco LAN.

I have 2 VLANs on the SRP:
1 VLAN for data on ports 1, 2 and 4
1 voice VLAN on ports 1, 2, 3, 4.
I connect a netbook to port 3 and I can connect to the internet, but I can't reach the other side of the tunnel by ping. Maybe traffic from the voice VLAN is being NATted with the data VLAN IP address? I need all traffic to go into the tunnel without being NATted. On the Cisco side I have a policy to avoid NAT, but I don't know if the SRP has any problem with it too. All gateways are OK?


Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.


Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?


Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (, built 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the identity-based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is the Citrix Published Desktop environment supported for connecting through identity-based firewalls? How do the AD Agent, domain controllers and firewalls work together? On the firewalls with "show user-identity ad-agent" we see the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why does Cisco use 1645 and 1646 and not 1812 and 1813? What is the listening port used for? We tried the AD Agent modes full-download and on-demand with the same effect.

