After upgrading an ASA5520 from 8.4(1) to 8.4(4.1) I ran into the following trouble:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.149.21/53 dst inside:192.168.37.123/53 [code].....
All the subnets mentioned above are connected via VPN.
I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5 Jul 05 2012 09:45:15 305013 monitoringsystem Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?
ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.13.50 dst DMZ2:192.168.13.15 (type 8, code 0) denied due to NAT reverse path failure
Cant seem to get around this one yet. I have a remote ASA that I can VPN into. It has 2 dmz's, outside and inside interface configured.
Inside subnet is 192.168.11.0 / 24
DMZ2 is 192.168.13.0 / 24
VPN client pool is 192.168.15.0 /24
I login in fine. But have no access to the DMZ2 subnet. I get the failure listed above.
Connection denied due to NAT reverse path failure
View 2 Replies View RelatedASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.
1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?
2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s):
DATA-BACKUP Name of interface Redundant1.10
DMZ Name of interface Redundant1.900
GUEST Name of interface Redundant1.990
HOSTING Name of interface Redundant1.100
Infrastruktur Name of interface Redundant1.20
[code]....
We have 2 ASA 5520's working in active/standby mode and both have the IPS module installed then 2 firewalls have also been upgraded to have 2GB of memory.
I have been asked if it is worth upgrading to 8.4 from 8.2. There is nothing wrong with our current firmware and if it isn't broken then why change strings to mind, but I also dont wnat to be left behind.
I've upgraded the firmware on the ASA's before, but they have been pretty simple. I do the standby ASA first and wait for it to come up, then do the other. However I think 8.3 and 8.4 are big jumps and have issues with NAT (we have a lot of NAT's and NAT exempts). I have had a quick read of 8.4's document, but has actually upgraded from 8.2 to 8.4?
I'm in the process of upgrading our ASA 5520's from 8.2 to 8.4. I have sufficient memory installed and have read many posts in this forum on different upgrade strategies. I have an active/standy configuration and have settled on upgrading the standy unit from 8.2 to 8.3 then to 8.4, fixing any errors, testing traffic and then upgrading the primary unit to the latest rev. I've read where active/standy mismatching is supported but for a short period. My question is how long will I be able to run two boxes with different software? Unfortunately I don't have the option of doing this off line in a lab.
View 1 Replies View Relatedofficial or unofficial (official more preferable) guide about upgrading IOS from 8.2 to 8.4 on ASA 5520 model?
View 1 Replies View RelatedIve got a virtualised firewall running 3 security contexts in routed mode. What am experiencing is that i cannot connect to an OUTSIDE host through the security contexts. From the firewall itself i cannot ping the directly attached host on the OUTSIDE interface but i can ping the directly attached host on the INSIDE interface. When i reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but still the same.
after upgrading an ASA 5520 to 8.4.2-8 VPN clients traffic is not passing destinations other then destinations behind the inside interface. the log shows routing failure for the vpn client on the inside interface.it was working fine with 8.4.1 but the traffic is originated from the outside interface. confirm the the interface for VPN clients changed from outside to the inside interface.
View 5 Replies View RelatedI have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
have just set up a WLC 4402 as a Guest WLAN controller on the DMZ of our network. I have successfully managed to get our internal controllers to connect to it, with the exception of 1. it says the control path is up but the data path is down. the other 14 controllers worked fine, and in testing the last one was OK but it is now not working properly. the 2 controllers can ping each other but just won't create the data tunnel. there is a firewall in the middle but that has been set up to allow traffic between the 2 groups of controllers to be unrestricted.
the internal controllers are 4404's and all controllers are running the same version of code. 5.1.151.0.
I have 2 data centers conencted via WAN and each has their own Internet conenction. One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections. The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail.
So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet. That way it is routed back to the proper firewall. I am able to do this with the following code, but this code only works with a static one to one NAT. I am limited in public IP addresses, so I want to NAT on a per port basis. Each time I try to change the any any to a specific port, it fails.
object network host-inside-int
host 10.1.52.172
object network host-outside-nat1
[Code].....
I am currently trying to apply a reverse NAT on asa 8.2 and not sure how to do this. I have done this on asdm 6.2 for asa 8.3 but the options are not simiar on 8.2. Is there a CLI equivelant?
I am trying to Achieve the object below for any traffic coming from outside interface to the inside interface with any source address to destination 10.X.X.58 then translate it so that it become 192.X.X.X to address 192.X.X.58. This is so that communications can traverse internal network as the server is not ona DMZ.
I have done this on 8.3 (shown below) but do not know if it is possible for 8.2, I have tried replicating the same command on 8.2 but commands are not recognised.
nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
Should I just upgrade to 8.3? never done it before so not sure of the consequences.
After upgrade to 9.0.1 from 8.4 I have problems with reverse dns resolving, like this:
named[2679]: DNS format error from 193.0.9.1#53 resolving 82.64/27.195.26.72.in-addr.arpa/PTR for client 127.0.0.1#37124: question section mismatch: got 90.64.195.26.in-addr.arpa/IN/PTR
Only solution I found is to disable inspect dns, which is not very good.
I've got a 5520 running 8.4(1).I've setup a simple NAT: [code] Running wireshark on the outside of the ASA, I can see the packets going out fine (the source address has been translated). I can see the replies coming in from the 'net. But the replies don't get through the ASA to the internal host.What do I need to do to allow the reverse packets to get through the ASA back to the host ?
View 3 Replies View RelatedI have 2 sites connected with ASA 5520 Site-to-Site vpn. now I'm adding a 3rd location that will connect both original sites the config should be the easy part (I assume it is the same concept going to each of them) the question is more of a designconcept one: what are the hidden failure points, things i didn't think of etc - I must ensure this triangle function and avoid loops and other problems
View 2 Replies View RelatedWe have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example.
212.23.23.23 Port 25 -> 192.168.1.100 Port 25
212.23.23.23 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?
I have the need to do an outbound NAT redirection. So what I mean is this. I have a custom program that uses SSH to port 22 from a server inside the ASA firewall. This goes out to a server on the Internet over port 22. The ISP of the SSH server told me that they changed their SSH port from 22 to 2102. So instead of changing the custom code on the developed application on the server... I thought it would be easier to do a OUTBOUND NAT redirection for the ASA to see port 22 from the server and redirect it OUTBOUND to port 2102.
so for example:
The server is at 192.168.0.2 and it uses a program to initiate SSH traffic to 205.246.1.1. The server sends to port 22 but I need it automatically changed on the firewall to port 2201 at 205.246.1.1.
It is a Cisco ASA 5510. The server at 192.168.0.2 does have a fixed IP address on the outside with INBOUND NAT for things like port 25 (mail) traffic etc. Lets pretend that was at 64.18.23.60.
I am new to ASA's and have just configured my 5505 out the box with an outside (10.10.1.7) + inside (192.168.1.1) IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and **** around with the ASA. My problem is when I try and ping a host on the ASA inside network (192.168.1.0/24) from the outside (10.10.1.0/24) I'm getting the following error: 5May 07 201316:38:36305013192.168.1.6Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.1.22 dst inside:192.168.1.6 (type 8, code 0) denied due to NAT reverse path failure The recommendation from the syslog details is:"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address". Beliw is my config:
interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 10.10.1.7 255.255.255.0!boot system disk0:/asa842-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server 10.10.1.1object network obj_anysubnet 0.0.0.0 0.0.0.0object network obj_net_Insidesubnet 192.168.1.0 255.255.255.0object network Outside_globalhost 10.10.1.6access-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit icmp any any source-quenchaccess-list outside_access_in extended permit icmp any any unreachableaccess-list outside_access_in extended permit icmp any any time-exceededaccess-list
[code]....
I am seeing the following error on my Cisco ASA 5510 running 8.4(4):Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure .Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface.All our servers are connected via a Cisco 3750G switch with a very basic config. Why is the firewall interjecting itself and causing these issues?
View 8 Replies View RelatedHaving a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside) [code]
View 2 Replies View Relatedwhat the upgrade path is for 5505 ASA . I have one which is version 7.2 and need to upgrade it to 8.4(5). I have read that it needs to upgraded btwn major release versions.Not sure if I need to upgrade from 7.2 - 8.0 , then form 8.0 - 8.2, then from 8.2 - 8.3 and finally 8.3 to 8.4 or can I just upgrade from 7.2 - 8.2 and then from 8.2 - 8.4 .Also what is the minimum memory requirements for vers 8.4 .my ASA running on vers 7.2 currently has 256Mb Memory and I will be upgrading this to 512MB before I do the upgrade the image above?
View 4 Replies View RelatedWe are in the middle of upgrading from two PIX's to some new ASA5512X's. To give you some background on the situation we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs orginally was learning how to do so as he went so there is alot of needless config in the PIX, atleast from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the lines. The way our network is laid out is that we have two school campus with a site-to-site VPN one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASA's. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASA's and each ASA could ping the others outside interface, but that was it. I have posted the configs below.
ASA1:
: Saved
: Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
!
ASA Version 8.6(1)2
[Code].....
I are currently implementing a new patching schedule (when I say new i mean a company first!!!) and I have identified that the firewalls are all running 8.2(2). I would like to bring these up to the latest version but am a little worried about impact!!! I have setup a test firewall with the config from our live asa's and run the upgrade but have received multiple lines.
View 9 Replies View RelatedWe are working for a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and very critical migration. What are the gotchas which we should be aware off?
View 1 Replies View RelatedI need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?
View 1 Replies View RelatedI wanna upgrade FWSM Version 3.1(11) to latest 4.x version is this possible or i have to upgrade first to 3.2 and then to 4.x?
Is there any changes in configuration commands that i need to know? The version that 6500 running is s72033-advipservicesk9_wan-mz.122-18.SXF14.bin,an upgrade to 6500 is needed also?And if so what ios version will i put?Also which is the asdm supported version?
I have recently come upon a ticket that requires functionality from a later version of the ASA 5510 IOS Firmware, upon researching how to do this upgrade I got caught in a catch 22 where I am unable to download ASDM or the ASA software.
Apparently I need a service account? I'm looking at Cisco software download page and searching ASDM which then brings up links to two pages which are ASA and ASDM.
I was trying to upgrade an ASA to from 8.2.4 to 8.4.4, and I began receiving the following migration errors (the IP addresses have been changed to protect the innocent):
ERROR: MIGRATION: The following ACE is partially/not migrated to Real IP, as it could result in more permissive policy. Please manually migrate this ACE. permit esp host 1.1.1.1 host 2.2.2.2
I got a TON of these, in fact the migration, and these errors ran for over 24 hours before I gave up, powercycled the unit and forced 8.2.4 to boot through ROMMON. This was a secondary unit, that's why I let it go this long.
What I don't understand is that we do not have anything in the configuration for ESP.
I have a ASA5505 with the Sec Plus license on it. This allows 25 VPN peers at any time according to the show version output:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license.
1.)As far as I understand this means RA users and peer2peer combined?
2.)I need additional RA clients to be able to connect in at any time, as far as I know there is no way to allow more IPSEC clients then this due to hardware limitations?
3.)If I go for the Anyconnect option (10 users license), does this then mean that I can use the 25 IPSEC VPNs and at the same time have users using the 10 SSL Anyconnect VPNs at the same time?
4.)Which Anyconnect license am I supposed to buy if this is the route I go, the clients will all be connecting from their desktops most of the time?
5.)Is it difficult to set up?
we are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :download asa8.2 Image to primary + secondary Firewallreboot primary ( message come up " mate version ...)reboot secondary.Does it works any experience? Does it work if both firewall can see each other during the boot process ?
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?
I've got a used WS-SVC-FWM-1-K9 on the way and I'd like to standardize it to the Firewall Module Software Version 4.0. I'm not positive if the current software on it is newer or older than Version 4.0. Is this possible to perform or is the Software as is on these modules?
View 2 Replies View Related