Two days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.
Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.
Two days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.Does the static statement which actually does the translation for this application carry any arp problems or so.how can i check this problem.
View 3 Replies View RelatedRight now, in my network there is no proxy server and all users go straight through the ASA to access internet. I would like to put a squid with dansguardian (for web filtering). Steps in getting all http and https traffic from ASA go via my squid?
View 18 Replies View RelatedI am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
[Code].....
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedWe are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies View RelatedTwo different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedI have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
I have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot:
[Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies View RelatedI have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
View 2 Replies View RelatedOur Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)
Need to know if ASA 5520 does Layer 7 firewall or not?
View 2 Replies View Relatedlet me know how to enable HTTP inspection in ASA 5505 through ASDM.
View 1 Replies View Relatedwhen I connect to VPN with ASA 5510, can not connect to web applications in HTTP instead https in other applications are working properly. how can I fix this?
View 2 Replies View RelatedI have problem i want to access to my http server in my local network from outside
192.168.2.42 : it my server http
195.X.X.X its my internet IP but it was connected in eth 0/4
static (DMZ,Orange) 195.X.X.X 192.168.2.42 netmask 255.255.255.255
access-list outside-acl permit tcp any host 195.X.X.X eq 80
access-group outside-acl in int orange
but its not good why
We're getting this error message randomly when surfing the Internet. We have websense running on our network to perform web content filtering and are using the ASA for the http/https redirects. We've contacted websense and they said this error message is coming from the ASA, not their product.
ASA-5550
version 7.2.4
i have the following scenario :
ISP1-------ASA 5510----------ISP2
|
|
|
LAN
i would like to use ISP2 for all http/https/ftp traffic.how could I force my ASA to set a different gateway for http/https/ftp traffic ?i have tried several solutions such as nat/pat rules, nothing seems to work.
I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. after rebooter the cluster, I try to access it with ASDM installed on my computer but it blocked at 17%.I tried to access [URL] but I just an error (with IE & FF) [code] What did I miss in the ocnfiguration ? I precise that I never used the http page, I already had the ASDM installed from another ASA.
View 4 Replies View RelatedI am replacing an old Fw with a New ASA 5510 and I have a problem with a TCP Connection on My LAN InterfaceI joined a picture of what I want to do. [code] From the PC,I can Ping the Video Camera But I can't connect to it with HTTP.I don't understand, Packet Tracert allow the Http packet too. [code]
View 7 Replies View Relatedhow to enable inspect http on ASA 5510, so that URL information populate in the syslogs?
View 2 Replies View Relatedconfigure my ASA 5505. It is setup using PPPoE. What I want to do is this:
I have one of my IP addresses (99.23.119.78) setup for ftp using the ftp protocol to our internal IP address 192.168.1.3. What I need is to also allow for HTTP access but not just that, I need it to forward the http port to port 9000 because the web interface requires port 9000 for customer access. Previously on our old firewall customers were able to access the web interface by browsing to [URL]. I would like to not have to not require the port in the URL.
In addition, I would like to be able to setup a different IP address in our range (99.23.119.73) to be setup for http access using the standard port 80 for the same internal IP address (192.168.1.3). This URL will allow us to access the administration web interface for the FTP server.
Here is my current config:
Result of the command: "show running-config"
: Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU
[Code].....
I am configuring a new ASA 5510 to replace a SonicWall and I have a problem with an HTTP Connection inside my LAN.PC from the LAN ( using ASA LAN interface as gateway) can't Connect to a Camera video Web Server (192.168.4.20) on Port 80 whereas I can Ping it.
ADSM logs show :
106015# Deny TCP (no connection) from ip1 to ip2 Flags RST on Interface LAN.The adaptive security appliance discarded a TCP Packet that has no Associated connection in the adaptive security appliance Connection table.
- I Enabled command "same-security-traffic permit intra-interface"
- HTTP inspection is disabled.
I used Capture feature on the Ingress Interface, I joined the Logs and a part of my ASA Running Config.
My config:
Windows 7 host
MS Loopback Adapter with ICS
GNS3
ASA 8.42 with ASDM 6.4
Vmware Workstation 7 with Windows XP SP3 vm
All are working like a charm, from my virtual XP machine I can ping every site, e.g. www.google.com which replies nice with it's ip-address.
However, I cannot reach ANY website
When I connect through a Cisco 3700 router the webbrowser works perfect, so it must be something in the ASA configuration (I presume )
I've tried about all possible Access Rules, but still nothing.
I have an ASA5510 with CSC Module which is inspecting HTTP traffic. We need to be able to use http radio stations. Some radio stations work but some don't work. I excluded my computer ip address from the CSC filtering but i am still unable use certain radio stations. I thought since my computer is excluded from the CSC filtering and some radio stations don't work that it must be the firewall that is blocking the traffic. I removed the rtsp inspection and it won't work.
View 1 Replies View RelatedI need to redirect all http and https traffic from one source in a dmz network, to port tcp/8080 on a proxy server on the inside network.
The source device doesn't handle proxying very well, so i've been advised to redirect the tcp/80 and tcp/443 ports to tcp/8080 as it passes through the firewall.
Scenario is thus:
PIX 515E 6.3 (5)
DMZ server: 172.31.255.250 (Real IP), 10.44.181.236 (NAT IP)
Inside Proxy server: 10.44.132.28 (Real IP), 172.31.255.110 (NAT IP)
I've configured a static NAT redirect using the following command: static (inside,dmz) tcp 172.31.255.110 www 10.44.132.28 8080 netmask 255.255.255.255 0 0
When I try to add the next command of: static (inside,dmz) tcp 172.31.255.110 443 10.44.132.28 8080 netmask 255.255.255.255 0 0
I get the following error: ERROR: duplicate of existing static
Is there a work around for this at all or am I stuck with the limitations of the software?
I have a strange problem in my ASA 5510 firewall. I turned on HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use simple web-browser to access svn server - it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the Webbed request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet # 4 is an actual differentiators.
I found one mentioning of that error with that assessment: "Older firewall/proxies do not understand the Webbed related HTTP requests for accessing Subversion using HTTP{ URL} in that post But not any useful tips.
I am using ASA 5510 and I have a specific problem with Http Connection to receive a video Flow ( RSTP protocol ) in the LAN. Some Pc users (192.168.1.133,in the log) with ASA Lan Interface as gateway can ping the Camera but don't receveive the video flow.Some Pc users (192.168.1.116,in the log) using another gateway can ping and receive the video flow. I used Whireshark to capture traffic between camera and Pc using the 2 gateway. I joined Logs with this message.It seems to be a problem of TCP segments on the ASA, I try to changed some TCP options but it's still the same:- Disable Force Maximum Segment Size- Enable Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Second.
View 7 Replies View RelatedI have a PIX 515E V7.0.4 and I'm having trouble with http access between the inside interface and a DMZ zone I have. I have a web server setup in the DMZ with an web interface to upload/download files. I can connect to this interface from a workstation in the inside network but when I try to download a file it is incredibly slow. If I upload a file there are no speed issues. If I connect using an https connection then both upload and downloads are at speeds I would expect.
I have disabled http inspect but this didn't improve the speed connection.
Other http communications from inside to outside do not have any speed issues in either direction.