Cisco Firewall :: ASA 5520 - Access Current Server Using External SNAT IP

Dec 8, 2012

I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 - Enable External Access To Server On DMZ

Apr 5, 2011

i'' ve one appliance ASA 5510, v8.X and asdm 6X here u have my configuration :
 
interface Ethernet0/0 description Link To WAN nameif outside security-level 0 ip address 212.96.23.186 255.255.255.252!interface Ethernet0/1 description Link to LAN(forefront) nameif inside security-level 100 ip address 10.20.80.1 255.255.255.252!interface Ethernet0/2 description Link to CoreSW (DMZ) nameif DMZ security-level 50 ip address 10.70.70.254 255.255.255.0
  
i have on server ssh (10.70.70.10) on my DMZ .
 
I wan to enable my external user, i mean outside user to be able to access to this server which is in my DMZ for this port ( ssh)

View 4 Replies View Related

Cisco Firewall :: 5510 - How To Allow Access From LAN To Server Using External FQDN

Feb 20, 2012

I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com , I want my users INSIDE the company be able to also get to url..., currently they cannot (nothing loads, looks to me as if firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to internal IP, but something is blocking this from the inside.
 
I have an ASA 5510. If you can just sent me on the right path with theory I'll figure it out on my own, I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.

View 10 Replies View Related

Cisco Firewall :: Can't Access Web-server Behind ASA 5520 8.4(2)

Dec 13, 2012

How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.

View 3 Replies View Related

Cisco Firewall :: 5520 Can't Access Internal Web Server From Outside Network

Aug 23, 2011

I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.

View 9 Replies View Related

Cisco Switching/Routing :: 5520 To Redirect An External Address To An Inside Server

Mar 21, 2012

I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
 
This is what we have:  A wireless network with an SSID to serve visitors.  We also have an in-house web server which can be accessed internally and externally.  We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside.  The DHCP server for the wireless network for visitors is configured to give the 8.8.8.8 as dns server.  The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server!  The traffic then is sent to the outside interface of the ASA 5520.  The visitor who wants to access our web server cannot connect!
 
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Unable To Resolve External Hostname Internally

Jul 1, 2012

I am working on adding a mapping to our external address for our mail server - let's call it mail.example.com
 
I would like to be able to access mail.example.com internally for our user's smartphones - if they access our company WiFi they are not able to get mail using the mail.example.com as the server name in their phone setups.  However, once they leave the office and use any other WiFi it works fine. Also, I am unable to ping that address from any internal device.  I believe also this is the reason Exchange accounts do not work on our site to site VPN connections.
 
I have a ASA 5520 and work primarily in the ASDM 6.4 to do configurations in the main office and have 5510 in our site to site connections.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 / Cannot Ping External Servers Like Yahoo Or Sony

Jun 14, 2011

I have installed quite recently a cisco ASA 5520 replacing a linux based firewall I have only 2 zones ..one is internal netowrk and other external the internal network has web servers, dns and mail server all having public IPs Every thing is OK but i have seen that if I try to ping an external server for example [URL] i cannot ping says
 
[sylvan@kmdns1 ~]$ ping www.yahoo.com
PING eu-fp.wa1.b.yahoo.com (87.248.112.181) 56(84) bytes of data. 
--- eu-fp.wa1.b.yahoo.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5010ms
 
but I can ping  from systems which are outside my firewall perfectly with the linux firewall i had before i could ping perfectly to yahoo from any of my internal servers?

View 5 Replies View Related

Cisco Firewall :: How To Add External Server To ASA 5505

Feb 24, 2013

I have a Cisco ASA5505 and windows DHCP server, how do I add this external server to ASA so my PC clients can get DHCP from this server?

View 3 Replies View Related

Cisco Firewall :: 3.2 (18) - URL Filtering In FWSM Without External Server

May 18, 2011

I have an FWSM running in multiple context mode running 3.2(18) code.  I have 3 urls that I would like to block so I can't justify the cost of an external URL filtering server.  I have found a way to filter individual URLs on the ASA but the same configuration does not seem to be available on the FWSM.  At least not on my code. Any way to do this other than resolving the hostnames and blocking the current IP addresses?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Connecting To External IP Of Internal Server

Sep 25, 2012

I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network.  I have already set up dns doctoring for dns lookups, and everything is working fine there.  We have an application inside the network that tries to connect straight to the external Ip of another internal server.  where to look in the ASDM 6.4?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - NTP Server For Firewall Clock Setting

May 22, 2013

I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
 
[URL] 209.151.225.100
  
Can I use the following command to set ntp server?
 
ntp server 209.151.225.100 source outside.

View 3 Replies View Related

Cisco Firewall :: 6500 Separate Internal Server / HQ Network From 3 / 4 Different External Connections

May 21, 2012

I am using a 6500 with FWSM. I need to separate an internal server/HQ network from 3 or 4 different external connections. The external networks do not necessarily need to be isolated from each other.I have the option of using a 3 layer model: L2 Access layer to SVIs on the Distribution layer and then L3 to the 6500.L2 Access, connecting directly to the 6500s, with the SVIs on the FWSM.Is it better to have the FWSM outside the MSFC or Inside? Am i correct in thinking that "inside" vs "outside" is determined by whether the SVI's are configured on the FWSM or the MSFC? is there any performance impact from having the FWSM doing the routing instead of the MSFC.If the vlans are all configured on the FWSM, what is the 6500 doing, other than providing switch ports?

View 1 Replies View Related

Cabling / Cards :: Network Of Wifi Access Points With External Server Authentication

Apr 6, 2013

I'm planning to create a network of wifi access points all in different locations. Those locations all have different wifi routers and networks. I'm looking for a easy solution that let easily setup those networks to ask authentication credentials (in a browser page, once a user is inside the wifi and wants access the internet) by an external server possibly without overloading too much that server.

View 1 Replies View Related

TP-Link Dual-Band Wireless :: WDR3600 Restrict External Access To A Ftp Server

Feb 25, 2013

Region : UnitedKingdom
Model : TL-WDR3600
Hardware Version : V1

I am trying to restrict external access to a ftp server I have running, to a single external IP address. Is this possible? It can be done for the Remote Management IP Address page, where you can enter a single address or 255.255.255.255 to allow all external hosts. But the set up of a virtual server does not appear to have that option.

View 1 Replies View Related

Linksys Wireless Router :: Access Media Server And External USB Drive On E4200 From An IPad?

Aug 21, 2011

How to access the media server and/or external USB drive on an E4200 from an iPad?

View 1 Replies View Related

Cisco Firewall :: 2801 Cannot Access External Websites That Use FTP

Dec 26, 2012

I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via ftp. Could my router be blocking it. I have a Cisco 2801 router acting as a firewall.

View 13 Replies View Related

Cisco Firewall :: 5510 - Can’t Access External IP From Within LAN

Oct 20, 2010

Basically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces. The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.

View 8 Replies View Related

Cisco :: DNAT / SNAT After IPSec Tunnel

Aug 24, 2012

I'm going to implement a S-2-S VPN IPSec connection between 2 locations and I've to NAT incomming and outgoing traffic.

View 4 Replies View Related

Cisco Firewall :: Web Server (linux) Sits In The DMZ (asa 5520)

Jun 28, 2012

I Have web server (linux) sits in the DMZ (asa 5520) segment and this server should be accessible form the internet,
 
1)how to make this server  https based access over SSL
 
2)how to protect this server form network and security standpoint?

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Versus ISA Server 2006

Mar 28, 2011

currently my firewall is Microsoft ISA Server 2006 and im using it very nicely but based on some security treats im changing my firewall from isa to ASA 5520 but im facing a problem that my i had installed on software name Soft Perfect Bandwdith Manager and i was limiting each users based on their MAC address to prevent using of full bandwidth in my internet so thats why i had a very relialble internet useage in my network.
 
after many search and searching i didnt find a good software or hardware that should support with Cisco ASA Apliances to support bandwidth management for endpoint users and etc and this is very troubel i dont want all users to use full badnwidth in my company becouse i have only 2MB internet badnwith taken via VSAT connection

View 3 Replies View Related

Cisco Firewall :: 5520 - SSH Socks Tunnel Set Up On Server

Jul 18, 2012

I have the following setup 
|| Socks Server || >> Switch1 >> ||Cisco 5520 ASA || -->> | Switch 2| -->> Clients
 
I have a SSH SOCKS tunnel set up on the socks server which is a Linux box. When I connect my machine to the switch 2, I am NOT able to receive and mail by setting up a mail client and it seems SOCKS traffic does not reach the socks server. I can however run a telnet command on port 1080 (socks port) which connects  which shows that the port was going through and open. However there was no SOCKS traffic. When I connected the machine to Switch 1, SOCKS traffic worked as expected and I was able to receive mail.

This suggests to me that the ASA has some inherent rule that does not allow SOCKS traffic. IS this true and if so how can I bypass this?

View 4 Replies View Related

Cisco Firewall :: 8023 / External Access To Internal Router Via ASA

Dec 31, 2012

I am aware that we can allow external admins to telnet over a custom port to the internal router. Even i was allowed to connect to a remote router via the remote firewall. The way i was accessing the router is by telnet to the remote ASA address on port 8023.I am not sure how exactly we can configure this on a ASA.

View 2 Replies View Related

Cisco Firewall :: 5520 L2TP Pass Through To Windows Server

Oct 2, 2012

We have a Cisco ASA 5520
 
We are attempting to setup RRAS on Windows 2008R2 using L2TP. Server is on the inside of the network at 10.10.10.20 our ASA is 10.10.10.1 its outside interface is 68.0.0.0.3/28.
 
I set a static NAT rule to allow all traffic pointed at 68.0.0.4 to be directed to 10.10.10.20 and have ACLs allowing the following.
esp, ah, udp/500, udp/4500, udp/1701
 
Mac Clients have no issues with but windows clients seem to hang and never connect. I know the ASA configuration is somehow to blame, if I attempt to connect to LAN IP (10.10.10.20) from withn the same network every thing works fine (making sure all the Windows Issues are covered).We have 2 other IPSEC tunnels established to teh ASA from our COLO and a Satalite office, not sure if this makes it any harder.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 / Allow External Traffic To Access Internal Computers

Mar 22, 2012

We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
 
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 10.2.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 152.18.75.132 255.255.255.240!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a-152.18.75.133host 152.18.75.133object network a-10.2.1.2host 10.2.1.2object-group network ext-serversnetwork-object host 142.21.53.249network-object host 142.21.53.251network-object host 142.21.53.195object-group network ecomm_serversnetwork-object

[code]....

View 10 Replies View Related

Cisco Firewall :: ASA 5520 - User Lose Session With Server While VPN Still Established

Jul 7, 2012

i have user connected to office using Cisco vpn client , Cisco asa 5520 acts as vpn gateway, frequently the users got disconnected from the server while the VPN still established and not disconnected!
 
what is the cause of the issue , where the fault is located ? how to start the troubleshooting to figure out the issue?

View 1 Replies View Related

Cisco Firewall :: 5505 - Users Unable To Access External Email Servers ASA?

Nov 28, 2011

I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
 
I have narrowed it down to the fact that these uses are using  ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA.  I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
 
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
 
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
 
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!

View 2 Replies View Related

Cisco Firewall :: 5505 - Construct An Access List For Outside Interface Using External Address?

Sep 10, 2012

I'm configuring a 5505 for a remote office.  Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - NAT And Firewall Access Control

Oct 4, 2012

I have an ASA 5520 in my company which does all our NAT and Firewall access control.  Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created.  This is a test before the web app is released live.  Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through.  Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?

View 2 Replies View Related

Cisco Firewall :: 5520 - Inside Server To See Actual Outside Host Source IP In Udp Packet

Mar 3, 2013

I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server.   The server can get to outside hosts OK, and the traffic is being NATed  properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send  'announcement' UDP packets to the inside server.  I thought this might be an  outside-NAT-required issue to get the traffic routed, but I need the inside server to see the  actual outside host source IP in the UDP packet, so I basically set the  outside host up similar to the inside host, just without the NAT table on the firewall -- it's subnet is outside the  destination (inside server) subnet, and its gateway is the outside  interface of the ASA, the same way the inside server is able to get to  hosts outside.  The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
 
I have the appropriate ACL's set up, and when I do 'show access-list' I  see policy hits for the 'permit' statements where the outside host is  generating the announcement and it's hitting the ACL.  I even duplicated  the ACL into list 101 and 102, and applied 101 for inbound traffic on  the outside int, and applied 102 for outbound traffic on the inside int,  and I'm seeing policy hits on both permit statements outside and  inside, so it looks like the traffic is being passed on to the inside  interface and permitted, but the server isn't seeing the packets.
 
I can ping the outside interface from the outside, but cannot ping the  inside interface or any inside hosts from the outside, even though I  have 'permit icmp any any' enabled on the ACL on both ints. When I  remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
 
I set up the same scenario in my lab with an ASA 5505, with the same results.  Below is the running config from the 5505 in the lab.  The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
 
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)

View 6 Replies View Related

Cisco Firewall :: 5510 Security Plus To Terminate Client VPN Access For External Support Team

Aug 7, 2012

I have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangably.
 
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
 
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
 
3. does the CSC module provide any web proxy functionality?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 CIFS Doesn't Work For Share Folder On Windows Server 2008 R2

Jun 26, 2010

I am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.

View 3 Replies View Related

Cisco Firewall :: 5520 Can't Access From DMZ To INSIDE

Mar 13, 2012

I have a cisco asa 5520 ios 8.2. This is my configuration [code] But i can not access from DMZ to INSIDE.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved