Cisco Firewall :: ASA 5520 - Inspection Of MSSQL Dynamic Port
Jun 5, 2012
I need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet service-policy global_policy global
[Code] ..........
View 1 Replies
ADVERTISEMENT
Jan 29, 2013
ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
View 5 Replies
View Related
Jul 16, 2009
I have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.
View 2 Replies
View Related
May 25, 2011
I currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
View 1 Replies
View Related
Sep 7, 2011
verify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.
View 5 Replies
View Related
May 10, 2012
i have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
View 1 Replies
View Related
Mar 6, 2013
How config dynamic alp inspection for 300 or 500 series ? I find in admin guide it's no simple to do.
View 8 Replies
View Related
Mar 2, 2011
I have a network of 3750's configured for DAI with DHCP Snooping implanted and working with windows XP for around a year. Now we've changed a couple machines for windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven.Two of these WIN7 are triggering the err-disable for arp inspection (configured by default to block interfaces sending over 15 arp pps) I noticed that when I go on windows -> network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive arp response on the network. I noticed that all hosts on the network updated their arp entry for that computer(win7) at the same time, for some reason I don't know. The windows 7 tries to reply over fifty arp requests for its IP which caused the port to be put on err-disable.There were no applications running on the windows7 computer at the time of the tests, only wireshark and its default services.This computer has configured:DHCP with WINS Its on a windows domain has netbios over TCP.
View 1 Replies
View Related
Jan 13, 2013
To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
The following is a capture of the show version:
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
View 8 Replies
View Related
Apr 22, 2013
I have enabled IP DHCP snooping on a 24 port 3560 switch (v small office) and let the database fill up, now I have added dynamic arp inspection on the single vlan and I amd getting these errors.
Apr 23 16:15:34: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([5835.d9b0.b9d1/172.30.5.2/0000.0000.0000/172.30.5.3/16:15:33 BST Tue Apr 23 2013])
Apr 23 16:15:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:39 BST Tue Apr 23 2013])
Apr 23 16:15:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:40 BST Tue Apr 23 2013])
[Code] .....
View 2 Replies
View Related
May 29, 2013
I've been tracking a conversation on my firewall. I have an inside device that is trying to communicate to a server outside to send data. The conversation is suppose to be all 443. I see that there is a TCP connection made and a dynamic NAT that translates my inside device to the public IP, and appears to change the port to 65415. The problem I'm having is that the conversation ends with reset-O, and I'm wondering if that port has something to do with it, or if it's just that their server is resetting the connection because of an issue they are having? The vendor says no firewall rules are needed for this device to communicate with their server.
View 4 Replies
View Related
Jun 4, 2013
we have a nat exemption rule for 10.0.0.0/8 to w.x.y.z followed by some static nat rules and then dynamic policy nat rule for 10.0.0.0/8 to w.x.y.z natting to IP a.b.c.d.When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the nat exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static nat rules are being successfully bypassed (which is what I want), but why does the dynamic policy nat rule apply if an exempt rule has been hit already? An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z).We are running the following software on an ASA5520.
View 7 Replies
View Related
Jun 11, 2012
We have an ASA 5520 and it's inside interface is currently plugged into a fast ethernet port on a 3750. I have just bought a 1gig SFP module and have copied the fast ethernet port config to the gigabit port, but the port seems to be flapping
The port conf gi is this:
interface GigabitEthernet1/0/4
description Link to Inside ASA
switchport access vlan 2
switchport trunk encapsulation dot1q
View 1 Replies
View Related
Jan 2, 2012
I have got ASA 5520. How to use the management port as a normal port on ASA. What are the basic reqirements for that.
View 3 Replies
View Related
Nov 29, 2011
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies
View Related
Aug 2, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies
View Related
Jun 21, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies
View Related
Jan 13, 2012
In a cisco firewall 5520 how could you take a public wan connection and pass it to another firewall behind the 5520 without using nat. How could you put a single port on the 5520 into transparent or passthrough much like you can on a broadband modem?
View 3 Replies
View Related
Oct 3, 2012
I have an ASA 5520 Cisco Adaptive Security Appliance Software Version 8.4(2)8 Device Manager Version 6.4(5)206. I am trying to add a nat for outside x.x.x.77 port going inside x.x.x.22 port 80 . the wan interface is .74 with subnet of 255.255.255.248 the rule will add but traffic wont pass in.
View 14 Replies
View Related
Oct 3, 2012
I am trying to forward all the traffic of a particular port number to my outside interface forwarded to an internal IP address.
View 1 Replies
View Related
Jun 11, 2013
So everything I've read on Cisco's documentation here: URL says that I can create a port-channel on two physical interfaces that will uplink to a VSS pair. However, the command is not recognized. What am I missing? I've tried executing "channel-group #" on the physical interface and tried creating the port-channel 1st and neither commands exist. I haven't seen it listed anywhere if it is only available after a specific piece of ASA software. If it is the software what version at a minimum I need to upgrade to? Below is an output from a show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-(code)
View 2 Replies
View Related
Sep 26, 2012
I have a cisco asa 5520. i need to forward telnet to a router on the inside interface. Here is what i have done so far but it doesnt seem to be working.
I have created an access-list that looks like this:
access-list 102 extended permit tcp any host 10.10.60.2 eq telnet
But when do this it still doesnt forward my request to the router at 10.10.60.2 . So just to explain what im trying to do. I use Putty, i am putting the outside interface IP into putty, selecting telnet and opening the session. i need the outside interface to see this request and know to forward port 23 to the router on the inside interface with IP 10.10.60.2. The ASA is running version: asa842-k8.bin
View 3 Replies
View Related
Oct 31, 2011
I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ. In the documentation for the Mitel border gateway it wants me to set up 2 external IP's on my ASA one to allow 443 traffice into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MGB in the DMZ. My problem is I don't know how to do this. the MBG only has one IP, and I need to have 2 different URL's mapped to two different external IP's both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.
View 10 Replies
View Related
May 26, 2012
I am having cisco asa 5520 with internet having public ip and cisco 2911 with mpls link in my office. the mpls link is between my HO and my branchmi am putting my webserver in the branch side i want to port forward one of my publicip in my office to be forwarded to branch we, server.is it poosible on the firewall ouside the local network.
View 3 Replies
View Related
May 25, 2011
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)
View 3 Replies
View Related
Jun 13, 2012
I am using the Cisco ASA5510 for my Telepresent infarstructure. I have a problem with Encrypted SIP calling for call in/out.
Is there is a way to disable the TLS inspection for Cisco ASA5510?
View 2 Replies
View Related
Aug 9, 2012
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand, 2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
View 2 Replies
View Related
Sep 21, 2011
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?
View 3 Replies
View Related
May 3, 2011
let me know how to enable HTTP inspection in ASA 5505 through ASDM.
View 1 Replies
View Related
Jul 6, 2012
I have an ASA 5520 and I'm using Solar winds real time interface tool to monitor the through put of the port. It seems I can never get it to use more than 100mb, where should I check?
I have run a sh int giga 0/1 and it shows the port is 1000mb full duplex and the I have also checked the other end where it plugs into the LAN and this also says the port is running at 1000mb full duplex.
View 1 Replies
View Related
May 9, 2012
I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code]......
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?
View 2 Replies
View Related
Jan 10, 2011
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
View 9 Replies
View Related
Jan 18, 2012
I am having issues with PXE boot images for PCs cannot be loaded from remotely.The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets.So I excluded these two inspections for the particular server behind the firewall. It seem to resolve the issue for instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
View 1 Replies
View Related
