Have cisco ASA5520 on place and i want to configure it to access my webserver outside of my network throught sftp/ftp with filezila what command to add so as port/service associate to it should be able to run?
View 1 RepliesI try to change password on the ASA 5520 device and its not getting changed.
FW(config)# enable password cisco1234(config)# end
After that I perform a write memory.
But somehow I relogin again the enable password still remain as the old enable password
version : 7.2(5)2.
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.
View 9 Replies View RelatedWe have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
I am trying to enable access to use RealVNC on our Cisco ASA 5505 without using VPN. RealVNC uses port 5900. Users should be able to vnc to 99.23.119.78 and reach our internal server 192.168.1.4. So far they are receiving connection refused.
View 5 Replies View Relatedi'' ve one appliance ASA 5510, v8.X and asdm 6X here u have my configuration :
interface Ethernet0/0 description Link To WAN nameif outside security-level 0 ip address 212.96.23.186 255.255.255.252!interface Ethernet0/1 description Link to LAN(forefront) nameif inside security-level 100 ip address 10.20.80.1 255.255.255.252!interface Ethernet0/2 description Link to CoreSW (DMZ) nameif DMZ security-level 50 ip address 10.70.70.254 255.255.255.0
i have on server ssh (10.70.70.10) on my DMZ .
I wan to enable my external user, i mean outside user to be able to access to this server which is in my DMZ for this port ( ssh)
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
View 2 Replies View RelatedI'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
View 3 Replies View RelatedI have a cisco asa 5520 ios 8.2. This is my configuration [code] But i can not access from DMZ to INSIDE.
View 3 Replies View RelatedI just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
[code]....
I'm trying to set up Windows Server UAG for Direct Access in a Testlab. The UAG Server has two network nics. One in my Testdomain (internal) and the other one in a DMZ of our Cisco ASA (external).Our ASA dmz has subnet 192.168.3.x but UAG Direct Access needs public ip adresses.Is there documentation how to configure an ASA 5520 Firewall so i can use my Windows UAG Server with Direct Access?
View 7 Replies View RelatedWe have an ASA 5520 in HA. (version 8.X upgraded to 9.1 (1))We used Wizzard to configure VPN clientless and portal. Also, configured manually we have the same issue: We can access to the portal using IP address of Lan interface but not with outsides (2 ISP). The clientless VPN is enable on the public interface and no packets rejected in logs.We try to modify the Crypto map created by default to replace "any" to "any" by "any" to "our public IP" (We see that is recommended by Cisco) It works for 10 minutes.(strange..) but after 10 minutes the active member crashs.. only a reboot with previous configuration was good.We try to investigate but each time we modify Crypto maps, the firewall is going bad.
View 7 Replies View RelatedI have been configuring a cisco ASA 5520, everything is working fine but when i create an ACL:
-access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any
-access-group OUT out interface outside
i added ports like www or 443 and it is not working to Internet access a router is before to my firewall connected to my headquater, i can see my private networks but i cannot able to reach Internet access,
We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ 192.168.2.0/24, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
View 14 Replies View RelatedI've got what is probably a very basic question - but i can't figure it out.I have: Internet (ADSL) -> 2851 (ADSL wic) -> 5520 -> internal LAN (192.168.1.x/24)
The asa has just replaced a Checkpoint firewall.I've set up the ASA to the point where all hosts on the internal LAN have internet access (using a dynamic PAT on that network). This all works well.
The problem i have is i am trying to allow access from the internet to an internal host on a specifc TCP port (as i had done on the Checkpoint) but i'm getting:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:111.111.111.11/52135 dst inside:192.168.1.252/5555 denied due to NAT reverse path failure
From what i have read i need to add a NAT exemption for this particular use case - to avoid the dynamic NAT i have setup, but im not sure how to do so.I'm running 9.1 on the ASA, no VPNs yet. Just this basic setup.
I am new in ASA, I have the DMZ (10.1.1.0/24) configured on ASA 5520 and I achieve the reach Internet from DMZ (10.1.1.0/24), but now need reach DMZ from inside (172.16.12.0/24) and inside (172.16.12.0/24) from DMZ (10.1.1.0/24), in other words round trip.
View 6 Replies View RelatedI have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.
View 7 Replies View RelatedOur company has recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform. Needless to say the interface on the Cisco platform is much more complex and I don't have much experience working with firewalls. Our other IT guy is out of town and this is the first time I have worked on this setup.
I need to create the following access rule
I need to open port 4**0 to be allowed through the firewall from external ip address 10.XXX.XX.XXX only. Then forward port 4**0 to 10.XX.XX.XX port 80 tcp
After upgrading to 8.4(2) and ASDM 6.4(5) I seem to have an extra access rule duplicating an existing rule, this is only visable through the ASDM. When using the CLI you can't see this duplicate rule.
I therfore get the following warning everytime I make a config change using the ASDM [code] If I delete this rule it returns everytime I launch the ASDM!
I also have extra config under Firewall>Configuration>Public Servers that I didn't have before. If I delete it, again it returns.
i have cisco ASA5520 and i have a remote access vpn .I want to configure logging for this remote access vpn.
i want the time user connected .how log it is connected .If any error while connecting ?
When trying to access the asa (8.0(3)) with asdm the console send follwing error message:
vPif_isVpifNumValid: pifNum out of range!
vPif_getVpif: bad vPifNum(0xa6) from 87EBC81 from 83833B4
Have a strong suspicion that it is a hardware failure (since asdm has worked and have tried to restart the box) can not see any errors with any show commands, but could it be a RAM error .
This is just a general question... is there a good way to organize the ASA's access rule list to increase its efficiency? Maybe by service or hit count (Top 10). I am using the Cisco ASDM 6.2 to manage our ASA 5520.
Looking at it looks very unappealing and I'm in the process of adding names and descriptions to all the Network Objects.
We have a Cisco ASA 5520 and Web sense. I added a filter but it seems like it is still not allowing us to access a certain website from most of the machines however some machines with the same configuration work on the DMZ. Accessing website tells us:
"Firefox has detected that the server is redirecting the request for this address in a way that will never complete".
Filter I applied on the firewall:
filter url except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
filter https except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.
View 1 Replies View RelatedI have an issue where my vpn clients are unable to access certain vlans in my network.I have configured an ASA 5520 with VPN access using the wizard and using the ASA as a dhcp server for VPN clients. I find that this allows the clients to access server resources such as the Exchange and Domain Controller but I find that these vpn clients are unable to ping each other as well as certain vlans that I have.Is there a way to configure the ASA to use a particular vlan that is already configured on the core switches?If I create a vlan interface and set the IP of it to 10.50.x.x then the vpn clients are suddenly unable to connect to any network resources...
View 1 Replies View RelatedI am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
View 8 Replies View RelatedI'm trying to set-up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA. I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
I have set-up the 3 remote access groups:
Group 1 - subnet 192.168.1.48/28Group 2 - subnet 192.168.2.0/25Group 3 - subnet 192.168.3.0/25
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue. But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set-up. However, I can't see what the difference is between the 3 groups I have configured so can't understand why it works ok for one group and not the others?
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that? How can I find out more? Here's the relevant config on my ASA:
!same-security-traffic permit intra-interface!crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000!crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser!ip local pool pool1clients 192.168.1.49-192.168.50.54ip local pool pool2clients 192.168.2.1-192.168.2.126ip local pool pool3clients 192.168.3.1-192.168.3.126!access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0 access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0 !access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0 !access-list
[code].....
I'm working with ASA 5520s. how to add network objects via CLI. I know I could easily do it using ASDM, but I like to learn the hardway first. How do I add the subnet mask for a network object when creating via CLI? [code] That sets up the hosts with IP addresses, but how do I add the subnet mask?
View 2 Replies View RelatedI am trying to configure a server(192.168.5.50) in DMZ(192.168.5.0/24) to be able to communicate with a domain controller(10.5.44.220) in the inside network(10.5.44.0/24). I made some configuration using ASDM(not familiar with the CLI) but not working and it caused existing NAT not to work, for example RDP(TCP 3389) connection to 38.96.179.220
The things I am trying to achieve are
1. two way commucation between 192.168.5.50 in DMZ and 10.5.44.220 in Inside for SecureAuthPorts and SecureAuthOutbound service groups
2. NAT for 192.168.5.50 mapping 38.96.179.50 for the service groups mentioned above
3. NAT for other hosts already existing
I have created a new sub-interface on our ASA 5520 for guest internet access.
My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.
The order of the rules I plan to setup on the guest interface inbound are:
#1. <rules to allow access to specific services in the dmz>
#2. <block any ip access to the entire private network ip address space>
#3. <permit ip any any>
#1. These rules will give access to the guest user to services located in the dmz
#2. This rule will block all access to any services in the private ip address space (thus blocking access to all internal services)
#3. This rule is to allow access to any other services i.e. the internet.
Is this the best way to achieve my goal in the most secure way or is there a better way? i.e. is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it go elsewhere?
(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)
I am having an issue where I can't get to external network sources via my sub interface which is attached to a 192.168.10.X VLAN I created to for Guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for such as our mobile iron server that we can hit from the outside via https and an external IP can't be hit from the subinterface at all. Would this be a DNS rewrite issue or inspection problem?
View 3 Replies View Related