Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
 
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's. The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data UN-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
 
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

i have an ASA 5520 8.4(1) setup as follows
 
      public wan
          |
          |
       ASA-- public dmz
          |
          |
      private lan
 
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?

View 6 Replies View Related

Cisco Firewall :: 1841 / Can't Access Public IP Of LAN2 From Host On LAN1

Dec 11, 2012

i am using a Cisco 1841 with subinterfaces instead (NAT on a stick).From the internet i can access services on public IP being hosted in LAN2. But when i try to access the same services on the same public IPs but sitting on LAN1, it does not work.

View 1 Replies View Related

Cisco Firewall :: 1841 - Can't Access Public IP Of LAN2 From Host On LAN1

Dec 11, 2012

i am using a Cisco 1841 with subinterfaces instead (NAT on a stick).From the internet i can access services on public IP being hosted in LAN2. But when i try to access the same services on the same public IPs but sitting on LAN1, it does not work.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - SSH From Internal To DMZ Host

May 13, 2012

I am not very familiar with ASA 5520 yet.I have been able to allow the OUTSIDE world to connect via SSH to the intermal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
 
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Filter Is Not Allowing To Access Certain Websites

Aug 20, 2012

We have a Cisco ASA 5520 and Web sense.  I added a filter but it seems like it is still not allowing us to access a certain website from most of the machines however some machines with the same configuration work on the DMZ. Accessing website tells us:

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete". 

Filter I applied on the firewall:

filter url except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
filter https except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow

View 9 Replies View Related

Cisco Firewall :: ASA 5520 - How To Block Proxy Over Secure Browser

Mar 24, 2011

Having some problems blocking users installing/using secure browsers proxy. Currently runing ASA 5520 ver. 8.3 & IPS SSM-20 7.0 (2) E4 & Websense web filtering. Able to block most proxy sites with Websense that use port 80 but recently found that some users using some products like Njutrino that use their own secure browser that use it's own proxy over SSL connection.

View 3 Replies View Related

Cisco Firewall :: Host Cannot Browse And Allowed With Asa 5520

Apr 20, 2013

Port forwarding done to a DMZ located server on the cisco ASA 5520. Now this host cannot browse but allowed outside to inside access is possible Is there anyway i can give this system to browse internet? may be through the natted IP ( 94.20.*.*)

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Creating Host Objects Via CLI

Nov 3, 2011

I am trying to create host objects that I'll then add to network-object groups for use in ACL/ACEs.When I try to create a host I am having trouble adding the IP address.I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from CLI?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - PING From Outside Into Inside Host

May 13, 2013

I have ASA 5520. I cannot ping the host(192.168.1.20) which is inside firewall from outside hosts. Inside host (192.168.1.20) is translated into (198.24.210.226) using static NAT.From outside host, I used "PING 198.24.210.226".  Is it because I used dynamic PAT for inside hosts?

interface GigabitEthernet0/0nameif outsidesecurity-level 0ip address 198.24.210.230 255.255.255.248!interface GigabitEthernet0/1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0

[Code].....

View 3 Replies View Related

Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have ASA 5520 with Ver 8.2.Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.I did Static NAT 198.24.210.226 to 192.168.1.20  and 198.24.210.227 to 192.168.1.91.When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.I checked the inside traffic, it even did not get into the firewall.Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(198.24.210.226)?

interface GigabitEthernet0/1nameif insideip address 192.168.1.1 255.255.255.0security-level 100no shutdown
interface GigabitEthernet0/0nameif outsideip address 198.24.210.226

[Code].....

View 9 Replies View Related

Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have ASA 5520 with Version 8.2(5), the ISP give me a block of IP pubic (201.148.156.193/28), one IP valid (201.148.156.194) have the Global NAT (all users LAN) and server FTP, but i need that IP 201.148.156.195 is used for VCSe, and the IP 201.148.156.196 is used for other server FTP.

View 5 Replies View Related

Cisco Firewall :: 5520 - Two Private To One Public Email NAT Going

Nov 8, 2011

How to setup this Nat on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to Nat two dmz mail servers to one public mx record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to Nat two private IP’s to one public.

View 1 Replies View Related

Cisco Firewall :: Changing ISP / Updating The Public IPs On ASA 5520

Jun 11, 2013

We have 2 x ASA 5520s in active/standby and we have a block of 30 public IP's that NAT to many servers etc and we use it for our Corp VPN.  We are changing ISPs soon and we will be getting a new block of public IPs   where do I even start to plan the migration and how?  Can I overlap somehow and do a slow migration or must I do it in one big swoop?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 / 8.6 Allow Publishing To Only One Range Of Public IP

Apr 19, 2013

Any confirmation that the versions 8.6 and up don't allow publishing to more then one public range if IP addresses?
 
We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.
 
With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.

View 2 Replies View Related

Cisco Firewall :: 5520 - Inside Server To See Actual Outside Host Source IP In Udp Packet

Mar 3, 2013

I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server.   The server can get to outside hosts OK, and the traffic is being NATed  properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send  'announcement' UDP packets to the inside server.  I thought this might be an  outside-NAT-required issue to get the traffic routed, but I need the inside server to see the  actual outside host source IP in the UDP packet, so I basically set the  outside host up similar to the inside host, just without the NAT table on the firewall -- it's subnet is outside the  destination (inside server) subnet, and its gateway is the outside  interface of the ASA, the same way the inside server is able to get to  hosts outside.  The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
 
I have the appropriate ACL's set up, and when I do 'show access-list' I  see policy hits for the 'permit' statements where the outside host is  generating the announcement and it's hitting the ACL.  I even duplicated  the ACL into list 101 and 102, and applied 101 for inbound traffic on  the outside int, and applied 102 for outbound traffic on the inside int,  and I'm seeing policy hits on both permit statements outside and  inside, so it looks like the traffic is being passed on to the inside  interface and permitted, but the server isn't seeing the packets.
 
I can ping the outside interface from the outside, but cannot ping the  inside interface or any inside hosts from the outside, even though I  have 'permit icmp any any' enabled on the ACL on both ints. When I  remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
 
I set up the same scenario in my lab with an ASA 5505, with the same results.  Below is the running config from the 5505 in the lab.  The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
 
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)

View 6 Replies View Related

Cisco Firewall :: ASA 5520 - Second IP Range On Public Interface For NATing

Jul 9, 2012

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
 
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.

View 3 Replies View Related

Client Could Not Access Secure Websites?

Jul 17, 2012

I had an odd occurrence today on my network. One particular desktop running Vista could not access secure websites (httpsremoved the DHCP lease on my server (Windows 2008), let the desktop pick up a new address and all is good nowThis is a production network (domain) environment

View 3 Replies View Related

Can't Access Secure Websites Nothing Changed?

May 25, 2012

I work for a small company where we have a simple network that runs from one router and I believe has a switch. We all have access to the network wirelessly or with cable.The internet was running ok up until yesterday when I came in to do some online banking and thought the site was down. However, turned out it was just me that was having trouble. I coudn't access secure sites like online banking or facebook for example. Now I was using the cable at the time and this wasn't working. When I tried wirelessly it would work... this confused me but not as much as when I found out that others in the office could use the cable and even more, there are 2 others who cannot connect to secure sites with cable or wireless.I was wondering what could have changed over night as this is what seemed to happen. Is it our ISP? (prob not as others are ok) so I'm thinking there must be some kind of setup issue in our configuration. I believe we are all using dynamic IP addresses but I'm not sure if thats even relevant

View 3 Replies View Related

D-Link DIR-655 :: Extremely Slow Connection To Secure Websites

May 7, 2011

I am using Comcast as an ISP and have a standalone Arris modem. I, obviously, have a DIR-655 router REV B with a firmware revision on 2.00NA. I have already turned off packet shaping and QOS. Also, I have set the firewall settings to Endpoint Independent for both TCP and UDP, and assigned static IP addresses to my computers. The problem I am having is that whenever I go to any secure websites, i.e. anything that starts with https, it takes an extraordinary long time to log in and to navigate to any webpages therein. I also cannot upload photos to a website and when I try the Speed-test.net website the download speed is OK but the upload test errors out, it doesn't connect.

View 2 Replies View Related

Cisco :: Allow One Host To Access One Public IP With Port 500

Mar 4, 2012

I got one request from one of the user to allow his ip to access one public using port www, this needs to be allowed in Cisco PIX, if the below command is correct for this.

Source host : 10.84.11.1
Destination IP : 203.126.112.131
Port : www

access-list acl_outbound permit tcp host 10.84.11.1 host 203.126.112.131 eq www

View 1 Replies View Related

Protocols / Routing :: Secure Wifi / Public Shared Drive One Computer

Jan 6, 2012

I am trying come up with a setup that allows for a computer to simultaneously be connected to the web via a secure wireless network and to provide a shared drive via an unsecured (possibly ad hoc) wireless network.Which is to say, the computer needs to be able to use the web wirelessly via the secure network, and people need to be able to share files with it wirelessly whether or not THEY can use the secure wifi.One last requirement is that I need a this to be something that I can set up in a given location with no more configuration than required to connect to the secured wifi - if the setup requires me to mess around with the configuration of the router for the secure network itself, it won't work.

View 5 Replies View Related

Cisco VPN :: ASA5505 Tunnel Some Traffic (public Host) From Remote Site

Feb 6, 2012

On remote site I have Cisco ASA5505, on cental site I have Cisco 2811 router, working site-to-site VPN tunnel. [code]

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Lose Internet Connectivity A Couple Of Times Per Hour

Oct 18, 2012

I have a problem with an internet connection with a customer.They have a Zyxel 660 in bridge mode and the public ip is delivered to the eth0/0 outside interface of a 5505 ASA.They lose internet connectivity a couple of times per hour. What solves the problem immediately is disconnecting the ethernet cable from the eth0/0 and then directly plugging it back. Then it runs for 20-30 minutes or so.The isp doesnt't notice any errors on the dsl connection, only that they cannot ping the outside interface from time to time (duhhh)However, yesterday, when problem appeared for first time , I noticed that this Zyxel was very hot since it was placed on top of the ASA. Now it is set apart.In the meantime I already replaced all cables, but I think it's the Zyxel so I urged that the ISP send a new Zyxel.Though it sounds strange. [code]

View 4 Replies View Related

Cisco VPN :: 5520 AnyConnect Authentication With RADIUS Secure Method

Nov 6, 2012

I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code.  I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server).  I have noticed one thing, on the server under "Constraints and Authentication Method".  I picked MS-CHAP-v2, but it is considered Less secure authentication methods.  I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2.  I picked PEAP but then the VPN does not work.
 
So first of all does it really matter if I just leave it to MS-CHAP-v2?  Because from my understanding is that AnyConnect will authenticate to ASA and then ASA in the backend talks to the RADIUS server so from a security stand point this scenario shouldn't it be sufficient as no un encrypted or less secure information is available to the outside world? Secondly is there any documentation on using PEAP with Cisco AnyConnect?

View 4 Replies View Related

Cisco VPN :: 5520 - AnyConnect Secure Mobility Client License?

Mar 1, 2011

I need to activate AnyConnect SecureMobility client on an IPAD. I have an ASA with the below feature licenses:
 
[code]...
 
This platform has an ASA 5520 VPN Plus license
 
As I've understood that I need the ASA-AC-M-5520 license for each IPAD used but they mentioned that we need also the Essential or premium license to be activated on the ASA as well. As shown above, I have the "VPN Plus license" activated on the firewall.

View 1 Replies View Related

Cisco VPN :: ASA 5520 SSL Using Different IP Than Public

Nov 6, 2012

I am trying to configure a SSL VPN on a Cisco ASA5520. Unfortunately the port 443 of the OUTSIDE interface of ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me to use the public IP of the ASA as Cisco VPN ip address for the webpage. I don't either want to use a different port so to keep life easy for the users.I have some public IPs available that I can use so I wanted to use one of them instead of the ASA's OUTSIDE interface.

View 7 Replies View Related

Cisco VPN :: Password Change Using AnyConnect Secure Mobility Client ASA 5520

Jun 3, 2013

We are using an ASA 5520, running 8.4(3).  We have users running the AnyConnect Secure Mobility Client 3.1.02026.  I have the AnyConnect connection profile configured to authenticate users using LDAP over SSL.  I enabled the password management and am able to get password change prompts to appear in the AnyConnect client.  However, new passwords are rejected and changing passwords through that prompt does not work.  I'm not sure what the cause of the problem is, since LDAP over SSL is enabled and working, which is required for the password management feature

View 9 Replies View Related

Cisco VPN :: Licensing Required To Perform Host Scan On ASA 5520

Apr 6, 2011

I want to mark company owned laptops with a registry setting and have our ASA 5520 identify these systems when connecting via SSL and IPSEC remotely, and allow broader access to the internal network than the telecommuter that use their personal PCs.  For the users that connect with their personal PCs, I want to only allow RDP access to their company PCs on the internal network.
 
Can I accomplish this with the current VPN Plus license and Anyconnect Essentials feature enabled?  If not, what license/features do I need installed/ enabled to accomplish these objectives?

View 1 Replies View Related

Cisco VPN :: 5520 - Use Public IP As Local Encryption Network

Mar 5, 2012

We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA.  We have multiple VPNs on this firewall. 
 
The issue with the latest one is they require a Public IP as the Local Encryption Network.  I've seen this question a couple times while searching but never really a definitive answer.
 
Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient?  Or would this not work at all?
 
Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66.  Would using X1.X1.X1.64/28 as the local encryption network make the connection?  Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?
 
Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would work over command line).
 
Edit:  Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool.  And make that our Local Encrypted Network?  I think this might be it, but could it cause IP overlapping?  Our webserver is part of this and I'm worried about causing connection issues.

View 8 Replies View Related

Cisco Firewall :: ASA 5505 Firewall To Filter HTTPS Websites?

May 28, 2012

I have a cisco asa 5505 firewall. Is it possible to block secure websites in it like [URL]? I have already tried regular expression filtering but it filters only http traffic.

View 4 Replies View Related

Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]

View 11 Replies View Related

Linksys Wireless Router :: E1000 Secure And Non-secure Hotspots

Jul 12, 2011

When setting up my e1000 router for a secure domain it automatically opened a non secure one that my neighbors are using. How can I cancel it?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved