Cisco Firewall :: ASA 5520 - Access Current Server Using External SNAT IP
Dec 8, 2012
I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.
i'' ve one appliance ASA 5510, v8.X and asdm 6X here u have my configuration :
interface Ethernet0/0 description Link To WAN nameif outside security-level 0 ip address 126.96.36.199 255.255.255.252!interface Ethernet0/1 description Link to LAN(forefront) nameif inside security-level 100 ip address 10.20.80.1 255.255.255.252!interface Ethernet0/2 description Link to CoreSW (DMZ) nameif DMZ security-level 50 ip address 10.70.70.254 255.255.255.0
i have on server ssh (10.70.70.10) on my DMZ .
I wan to enable my external user, i mean outside user to be able to access to this server which is in my DMZ for this port ( ssh)
I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com , I want my users INSIDE the company be able to also get to url..., currently they cannot (nothing loads, looks to me as if firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to internal IP, but something is blocking this from the inside.
I have an ASA 5510. If you can just sent me on the right path with theory I'll figure it out on my own, I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.
I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
This is what we have: A wireless network with an SSID to serve visitors. We also have an in-house web server which can be accessed internally and externally. We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside. The DHCP server for the wireless network for visitors is configured to give the 188.8.131.52 as dns server. The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server! The traffic then is sent to the outside interface of the ASA 5520. The visitor who wants to access our web server cannot connect!
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?
I am working on adding a mapping to our external address for our mail server - let's call it mail.example.com
I would like to be able to access mail.example.com internally for our user's smartphones - if they access our company WiFi they are not able to get mail using the mail.example.com as the server name in their phone setups. However, once they leave the office and use any other WiFi it works fine. Also, I am unable to ping that address from any internal device. I believe also this is the reason Exchange accounts do not work on our site to site VPN connections.
I have a ASA 5520 and work primarily in the ASDM 6.4 to do configurations in the main office and have 5510 in our site to site connections.
I have installed quite recently a cisco ASA 5520 replacing a linux based firewall I have only 2 zones ..one is internal netowrk and other external the internal network has web servers, dns and mail server all having public IPs Every thing is OK but i have seen that if I try to ping an external server for example [URL] i cannot ping says
I have an FWSM running in multiple context mode running 3.2(18) code. I have 3 urls that I would like to block so I can't justify the cost of an external URL filtering server. I have found a way to filter individual URLs on the ASA but the same configuration does not seem to be available on the FWSM. At least not on my code. Any way to do this other than resolving the hostnames and blocking the current IP addresses?
I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up dns doctoring for dns lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external Ip of another internal server. where to look in the ASDM 6.4?
I am using a 6500 with FWSM. I need to separate an internal server/HQ network from 3 or 4 different external connections. The external networks do not necessarily need to be isolated from each other.I have the option of using a 3 layer model: L2 Access layer to SVIs on the Distribution layer and then L3 to the 6500.L2 Access, connecting directly to the 6500s, with the SVIs on the FWSM.Is it better to have the FWSM outside the MSFC or Inside? Am i correct in thinking that "inside" vs "outside" is determined by whether the SVI's are configured on the FWSM or the MSFC? is there any performance impact from having the FWSM doing the routing instead of the MSFC.If the vlans are all configured on the FWSM, what is the 6500 doing, other than providing switch ports?
I'm planning to create a network of wifi access points all in different locations. Those locations all have different wifi routers and networks. I'm looking for a easy solution that let easily setup those networks to ask authentication credentials (in a browser page, once a user is inside the wifi and wants access the internet) by an external server possibly without overloading too much that server.
Region : UnitedKingdom Model : TL-WDR3600 Hardware Version : V1
I am trying to restrict external access to a ftp server I have running, to a single external IP address. Is this possible? It can be done for the Remote Management IP Address page, where you can enter a single address or 255.255.255.255 to allow all external hosts. But the set up of a virtual server does not appear to have that option.
I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via ftp. Could my router be blocking it. I have a Cisco 2801 router acting as a firewall.
Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces. The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.
currently my firewall is Microsoft ISA Server 2006 and im using it very nicely but based on some security treats im changing my firewall from isa to ASA 5520 but im facing a problem that my i had installed on software name Soft Perfect Bandwdith Manager and i was limiting each users based on their MAC address to prevent using of full bandwidth in my internet so thats why i had a very relialble internet useage in my network.
after many search and searching i didnt find a good software or hardware that should support with Cisco ASA Apliances to support bandwidth management for endpoint users and etc and this is very troubel i dont want all users to use full badnwidth in my company becouse i have only 2MB internet badnwith taken via VSAT connection
I have the following setup || Socks Server || >> Switch1 >> ||Cisco 5520 ASA || -->> | Switch 2| -->> Clients
I have a SSH SOCKS tunnel set up on the socks server which is a Linux box. When I connect my machine to the switch 2, I am NOT able to receive and mail by setting up a mail client and it seems SOCKS traffic does not reach the socks server. I can however run a telnet command on port 1080 (socks port) which connects which shows that the port was going through and open. However there was no SOCKS traffic. When I connected the machine to Switch 1, SOCKS traffic worked as expected and I was able to receive mail.
This suggests to me that the ASA has some inherent rule that does not allow SOCKS traffic. IS this true and if so how can I bypass this?
I am aware that we can allow external admins to telnet over a custom port to the internal router. Even i was allowed to connect to a remote router via the remote firewall. The way i was accessing the router is by telnet to the remote ASA address on port 8023.I am not sure how exactly we can configure this on a ASA.
We are attempting to setup RRAS on Windows 2008R2 using L2TP. Server is on the inside of the network at 10.10.10.20 our ASA is 10.10.10.1 its outside interface is 184.108.40.206.3/28.
I set a static NAT rule to allow all traffic pointed at 220.127.116.11 to be directed to 10.10.10.20 and have ACLs allowing the following. esp, ah, udp/500, udp/4500, udp/1701
Mac Clients have no issues with but windows clients seem to hang and never connect. I know the ASA configuration is somehow to blame, if I attempt to connect to LAN IP (10.10.10.20) from withn the same network every thing works fine (making sure all the Windows Issues are covered).We have 2 other IPSEC tunnels established to teh ASA from our COLO and a Satalite office, not sure if this makes it any harder.
I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
I'm configuring a 5505 for a remote office. Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- it's subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
I have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. does the CSC module provide any web proxy functionality?
I am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.