Cisco Firewall :: ASA 5520 Access Rule Duplicating Existing One
Jul 3, 2011
After upgrading to 8.4(2) and ASDM 6.4(5) I seem to have an extra access rule duplicating an existing rule, this is only visable through the ASDM. When using the CLI you can't see this duplicate rule.
I therfore get the following warning everytime I make a config change using the ASDM [code] If I delete this rule it returns everytime I launch the ASDM!
I also have extra config under Firewall>Configuration>Public Servers that I didn't have before. If I delete it, again it returns.
View 8 Replies
ADVERTISEMENT
Jun 4, 2013
we have a nat exemption rule for 10.0.0.0/8 to w.x.y.z followed by some static nat rules and then dynamic policy nat rule for 10.0.0.0/8 to w.x.y.z natting to IP a.b.c.d.When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the nat exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static nat rules are being successfully bypassed (which is what I want), but why does the dynamic policy nat rule apply if an exempt rule has been hit already? An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z).We are running the following software on an ASA5520.
View 7 Replies
View Related
May 28, 2013
I am attempting to allow traffic from one vlan to another.Vlan 1 is on Interface 0/2.vlan1Vlan 2 is on int 0/3.vlan2Each vlan can communicate inside it's own vlan, and the gateway on each responds to vlan specific clients My problem is that I am unable to communicate between the two vlans. Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup). It appears as if the packet never reaches the other interface. The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces. Testing from either vlan to connect to the other fails. Below are the accee-rules for each vlans. Once I get basic connectivity working.
access-list aVlan1; 3 elements; name hash: 0xadecbc34
access-list aVlan1 line 1 extended permit ip any 192.168.151.64 255.255.255.192 (hitcnt=0) 0xeb0a6bb8
access-list aVlan1 line 2 extended permit ip any 192.168.151.128 255.255.255.128 (hitcnt=0) 0x3a7dfade
access-list aVlan1 line 3 extended permit ip any 192.168.151.0 255.255.255.0 (hitcnt=0) 0x93302455
access-list aVlan2_access_in; 3 elements; name hash: 0x6dc9adc7
access-list aVlan2_access_in line 1 extended permit ip 192.168.151.64 255.255.255.192 192.168.150.0 255.255.255.240 (hitcnt=0) 0x054508b7
access-list aVlan2_access_in line 2 extended permit ip 192.168.151.128 255.255.255.128 192.168.150.0 255.255.255.240 (hitcnt=0) 0xc125c41e
access-list aVlan2_access_in line 3 extended permit ip host 192.168.151.3 192.168.150.0 255.255.255.240 (hitcnt=0) 0x4adc114c
View 19 Replies
View Related
Apr 16, 2013
I have configured the primary firewall every thing seem to be fine, And we have configured fail over device while config is getting replicated to the fail over device we are getting below error.
ERROR: Cannot add policy to rule engine
ERROR: Unable to assign access-list LAN_out to interface inside
IOS and Model are same.But all the config got replicated from primary to secondary but except the one access group command.
access-group LAN_out in interface inside.
View 7 Replies
View Related
Dec 20, 2011
I'm running into this issue on an ASA 5520 running version 8.2(2)9 and ASDM version 6.2(1).
I have an ACL denying traffic to a certain IP range and the logging level set to Debugging. The hit count is rising quite rapidly but when selecting "Show Log" the Real-Time Log Viewer opens with a value of 0x13d0ee2a in the "Filter By" field and no logs are ever shown.
Logging is enabled globally and Logging Filters on ASDM is set to Debugging as well.
how I can get the RTLV working?
View 7 Replies
View Related
Mar 26, 2013
As part of our PCI compliance, we were required to add a line to all of our ACLs in our ASA 5520 running version 8.2(3). Though there is an implicit deny all, we had to add a line to deny from any source to any destination.We had no problems in adding the additional deny all statements except for our NAT access-list. This NAT access list is used for our internet connection.Currently, the NAT ACL has 4 entries to permit from a specified source to destination any. This ACL is then called on our NAT statement.nat (inside) 1 access-list NAT,Also, note that NAT control is in place and we also have NAT zero statements for our VPN connections.So to fulfill our requirements, we just had to add another line to our ACL entries. But we encountered an issue with our NAT acl.
View 10 Replies
View Related
Jan 18, 2011
what is the purpose of the "Permint all traffic to less secure networks".
Well I know the purpose and the technique to handle some sercurity level is nice. when I cannot add add a rule without deleting this implicit rule?
The technique of security level is then obsolete?
View 8 Replies
View Related
Jun 3, 2013
I have a server behind an rv042 that i would like to block access to on one port from outside in. I have configured the rule as follows:
priority = 1. policy name<name>. enable<checked>. action = deny. service <service to block>. source interface = wan1. sources = any. destination = <public ip address of server>. day <nothing>.
This does not block the intended port from outside. I also changed the destination to be the private ip address and i changed the source interface to LAN and to *. What is the correct syntax to do this?. Port forwarding is enabled. I noticed that there is one entry in the forwarding table for the public ip but it is going to a dead private ip address. Would this have an effect?
View 5 Replies
View Related
Apr 17, 2011
I am creating access rule on a ASA5520 running ASA 8.2 (1) and ASDM 6.2(1) and found that the GUI has less option then when creating access rule on a ASA5505 running ASA 7.2 (3) and ASDM 5.2(3) (see attachment). Is there an option that enables me to get the same configuration options on the ASA5520 running ASA 8.2 (1) and ASDM 6.2(1) as I have on the ASA5505 running ASA 7.2 (3) and ASDM 5.2(3).
View 4 Replies
View Related
Oct 13, 2011
I have a PIX with 600 active access rules but many rules arent't in use. A lot of the rules aren't necessary anymore but I don't know what they are. How to know what rules are working?
View 4 Replies
View Related
Apr 24, 2012
I have a computer behind the ASA 5505 firewall. The computer needs to access Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at this heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall.I have included my current asa 5505 configuration. [code]
View 3 Replies
View Related
Mar 6, 2012
Just started using our ASA 5505 v8.2 (1) Trying to configure the ASA appliance to allow access into an internal resource (i.e want to be able to RDP into a system behind the ASA from the internet).I have used a static NAT:
static (inside,outside) 100.100.100.2 192.168.1.28 netmask 255.255.255.255
access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389
When I view the logs it is reporting the following:Inbound TCP connection denied from 206.100.100.1 (external IP) to 100.100.100.2 /3389 flags SYN on interface outside.Been pulling my hair out with this one as I believe I have everything configured correctly.
View 5 Replies
View Related
Dec 10, 2011
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (HTTPS, HTTP, smtp, rpc). I have also created some access rules for these ports, but I don't have any access on my server services, if the firewall is activated.
Here are my Firewall Access Rules from the RV042 Web Interface:
View 16 Replies
View Related
Apr 8, 2012
I am a novice with networks but do have a fair understanding of networks. I have a small business network, utilizing a RVS4000 router (Firmware V2.0.27)I am attempting to set up firewall rules to block certain web sites at certain times.I have successfully set up rules using source and destination ranges, to deny service 24 hours a day everyday.
However and here is the problem when I attempt to edit any of the rules (I want to change the time to certain hours of the day) it allows me to edit the rule but when I attempt to save I get an error message up saying there are invalid characters and it will not save the changes?create the whole thing with the changes I want it works fine, is this a known bug?
View 1 Replies
View Related
Oct 4, 2012
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
View 2 Replies
View Related
Apr 1, 2013
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
View 4 Replies
View Related
Sep 6, 2012
I need to move 1 data stream onto 4 different servers in different subnets, I know I can NAT into a multicast address, but with it coming into an ASA I was wondering if I could make a PAT that sees packets coming in on port 4567 and sends it out to port 4567 on 4 other IPs (I don't think this will work though as I don't think a pat will duplicate packets, only change them)
View 2 Replies
View Related
Feb 16, 2013
We have inherited a 5508 controller running 7.0 code and WCS running 7.0 code. This site did not have a backup controller. So we have installed a wism as a backup controller. The problem is no one can seem to remember the pre shared keys for the wlans on the primary controller. Can I use WCS to duplicate the wlans to the secondary controller and have the psk copied?
View 3 Replies
View Related
Dec 13, 2012
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
View 3 Replies
View Related
Mar 13, 2012
I have a cisco asa 5520 ios 8.2. This is my configuration [code] But i can not access from DMZ to INSIDE.
View 3 Replies
View Related
Mar 13, 2011
I just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
[code]....
View 1 Replies
View Related
Jul 27, 2011
I accidentally setup two schedule rules both with the name of "Log". When I highlight either rule, and try to delete either, I get error "The rule is being used by another rule and cannot be deleted" How do I delete?
View 1 Replies
View Related
Nov 10, 2011
ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and no are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server. Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me.
View 28 Replies
View Related
Mar 7, 2012
Our external security department needs to scan, every three months, a computer behind the firewall. I need to create a simple NAT rule that will allow an ip address or subnet to the computers behind the ASA 5505. At the moment, we have a simple NAT rule which allow all network traffic to exit from inside to outside.
View 19 Replies
View Related
Dec 16, 2010
I'm trying to set up Windows Server UAG for Direct Access in a Testlab. The UAG Server has two network nics. One in my Testdomain (internal) and the other one in a DMZ of our Cisco ASA (external).Our ASA dmz has subnet 192.168.3.x but UAG Direct Access needs public ip adresses.Is there documentation how to configure an ASA 5520 Firewall so i can use my Windows UAG Server with Direct Access?
View 7 Replies
View Related
Mar 11, 2013
We have an ASA 5520 in HA. (version 8.X upgraded to 9.1 (1))We used Wizzard to configure VPN clientless and portal. Also, configured manually we have the same issue: We can access to the portal using IP address of Lan interface but not with outsides (2 ISP). The clientless VPN is enable on the public interface and no packets rejected in logs.We try to modify the Crypto map created by default to replace "any" to "any" by "any" to "our public IP" (We see that is recommended by Cisco) It works for 10 minutes.(strange..) but after 10 minutes the active member crashs.. only a reboot with previous configuration was good.We try to investigate but each time we modify Crypto maps, the firewall is going bad.
View 7 Replies
View Related
Mar 6, 2012
I have been configuring a cisco ASA 5520, everything is working fine but when i create an ACL:
-access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any
-access-group OUT out interface outside
i added ports like www or 443 and it is not working to Internet access a router is before to my firewall connected to my headquater, i can see my private networks but i cannot able to reach Internet access,
View 3 Replies
View Related
Nov 2, 2011
We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ 192.168.2.0/24, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?
View 1 Replies
View Related
Dec 18, 2011
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
View 14 Replies
View Related
Jan 17, 2013
I've got what is probably a very basic question - but i can't figure it out.I have: Internet (ADSL) -> 2851 (ADSL wic) -> 5520 -> internal LAN (192.168.1.x/24)
The asa has just replaced a Checkpoint firewall.I've set up the ASA to the point where all hosts on the internal LAN have internet access (using a dynamic PAT on that network). This all works well.
The problem i have is i am trying to allow access from the internet to an internal host on a specifc TCP port (as i had done on the Checkpoint) but i'm getting:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:111.111.111.11/52135 dst inside:192.168.1.252/5555 denied due to NAT reverse path failure
From what i have read i need to add a NAT exemption for this particular use case - to avoid the dynamic NAT i have setup, but im not sure how to do so.I'm running 9.1 on the ASA, no VPNs yet. Just this basic setup.
View 8 Replies
View Related
Sep 23, 2012
I am new in ASA, I have the DMZ (10.1.1.0/24) configured on ASA 5520 and I achieve the reach Internet from DMZ (10.1.1.0/24), but now need reach DMZ from inside (172.16.12.0/24) and inside (172.16.12.0/24) from DMZ (10.1.1.0/24), in other words round trip.
View 6 Replies
View Related
Oct 17, 2011
I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.
View 7 Replies
View Related
Apr 14, 2011
I just installed a new ACS 5.1 to authenticate wireless PEAP users, so I created an Access policy "WirelessUsers" with identity store being Windows Active directory and all domain users are selected, and create a service rule that dictates that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "WirelessUsers", so this part worked perfectely, all domain users are able to gain wireless access via their DOMAIN/usernames and domain passwords. Now I want ACS local indentity store users (those local usernames can be the same or different from their AD usernames) to be able to manage those controllers, so I created another access policy "DeviceAdminUsers" with identity store being local users, another service rule which says that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "DeviceAdminUsers". The problem is that with the setup, whenenve when I try to SSH to WLC, ACS always put me in "WirelessUsers" access policy, even the login name does not have DOMAIN pre-pended or the login name simly does not exist in AD. if I put the second rule in front of first rule, I am able to authenticate with ACS local username/password and gain access to WLC, but wireless users will fail to authenticate, because ACS is trying to put regular wiress users in "DeviceAdminUsers" access policy. I would expect if username does not exist in AD, ACS should proceed with next rule. Similar requirement was easily achieved in ACS 3.3.
View 5 Replies
View Related
