Cisco Firewall :: ASA 5520 Versus ISA Server 2006
Mar 28, 2011
Currently my firewall is Microsoft ISA Server 2006 and I'm using it very nicely, but based on some security threats I'm changing my firewall from ISA to ASA 5520. But I'm facing a problem: I had installed a software named SoftPerfect Bandwidth Manager and I was limiting each user based on their MAC address to prevent use of the full bandwidth of my internet, so that's why I had very reliable internet usage in my network.
After much searching I didn't find a good software or hardware that works with Cisco ASA appliances to support bandwidth management for endpoint users, etc., and this is very troublesome. I don't want all users to use the full bandwidth in my company because I have only 2MB internet bandwidth taken via a VSAT connection.
Jan 26, 2013
I created an array, but this array contains no server by default. Could you show me a step-by-step guide to add a new server to this array? I've searched for hours but couldn't find anything about this. Here is a snapshot of my ISA Server 2006 management console. If there is no server included in that array, my ISA server can't work, can it?
May 22, 2013
I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside
Dec 13, 2012
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 from the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
Jun 28, 2012
I have a web server (Linux) that sits in the DMZ (ASA 5520) segment and this server should be accessible from the internet.
1) How to make this server HTTPS-based access over SSL?
2) How to protect this server from a network and security standpoint?
Jul 18, 2012
I have the following setup
|| Socks Server || >> Switch1 >> ||Cisco 5520 ASA || -->> | Switch 2| -->> Clients
I have an SSH SOCKS tunnel set up on the socks server, which is a Linux box. When I connect my machine to switch 2, I am NOT able to receive any mail by setting up a mail client, and it seems SOCKS traffic does not reach the socks server. I can however run a telnet command on port 1080 (socks port) which connects, which shows that the port was going through and open. However there was no SOCKS traffic. When I connected the machine to switch 1, SOCKS traffic worked as expected and I was able to receive mail.
This suggests to me that the ASA has some inherent rule that does not allow SOCKS traffic. Is this true, and if so how can I bypass this?
Aug 23, 2011
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to access a webserver from the outside network. From the laptop (192.168.2.51), if I connect to the URL... it should open the page from 10.10.10.50. I also need to SSH to the webserver from the laptop. If I SSH to 192.168.2.50 from the laptop, it should connect to 10.10.10.50. [code] I can't get to the webserver from the outside network, so now I connected the laptop directly to the ASA 5520 outside port with a crossover cable. The ASA inside port connects to an L3 switch. The webserver also connects to the L3 switch. But it still doesn't work.
Oct 2, 2012
We have a Cisco ASA 5520
We are attempting to setup RRAS on Windows 2008R2 using L2TP. Server is on the inside of the network at 10.10.10.20 our ASA is 10.10.10.1 its outside interface is 68.0.0.0.3/28.
I set a static NAT rule to allow all traffic pointed at 68.0.0.4 to be directed to 10.10.10.20 and have ACLs allowing the following.
esp, ah, udp/500, udp/4500, udp/1701
Mac clients have no issues, but Windows clients seem to hang and never connect. I know the ASA configuration is somehow to blame; if I attempt to connect to the LAN IP (10.10.10.20) from within the same network everything works fine (making sure all the Windows issues are covered). We have 2 other IPSEC tunnels established to the ASA from our COLO and a satellite office, not sure if this makes it any harder.
Dec 8, 2012
I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.
Jul 7, 2012
I have users connected to the office using Cisco VPN client; a Cisco ASA 5520 acts as the VPN gateway. Frequently the users get disconnected from the server while the VPN is still established and not disconnected!
What is the cause of the issue, and where is the fault located? How do I start the troubleshooting to figure out the issue?
Mar 3, 2013
I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- its subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)
Jul 10, 2012
On a Cisco 3750 switch I have ntp server <IP of stratum 1 Time Server>. I want the switch to sync to the time server and provide time to peers on my network. Do I have to configure ntp peer <IP of stratum 1 Time Server> for that to work?
Apr 24, 2012
We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50): on using IOS firewall (ZBF or CBAC) and an ASA 5505/5510. One of the arguments brought up for using IOS firewall on the router is that a router will do an IP SLA failover. I have configured a number of ISRs for this and I know it works well.
Jun 26, 2010
I am using an ASA5520 with WebVPN for file sharing. But recently we just upgraded the OS that hosts the file shared folder from Win2003 R2 32-bit to Windows Server 2008 R2 64-bit. Now I have a problem with accessing the file share by ASA WebVPN; it shows "error contacting host". We have tested the file share of WebVPN on the other OSes Windows 2003 and Windows 2008, and they are working on these OSes except Win2008 R2. Currently the ASA OS version is 8.0(2), and the Windows firewall has been disabled.
Oct 5, 2011
We are running 8.4(2) on the ASA with the below configuration. We basically have a static for .7 on .25 and a NAT for .7 for port redirection with manual NAT that takes precedence over auto NAT within the object group. Am I correct that I don't need the dynamic statement and that it's redundant?
object network obj-10.X.0.25-02
 host 10.X.0.25
object network obj-10.X.0.25
 nat (any,INSIDE) static X.X.X.7 dns
object network obj-10.X.0.25-01
 nat (INSIDE,OUTSIDE) static X.X.X.7 service tcp smtp smtp
object network obj-10.X.0.25-02
 nat (INSIDE,OUTSIDE) dynamic X.X.X.7
May 27, 2013
Best practices for an ASA5520. I'm currently running a pair of these as internal firewall for my organization, and have about 750 rules dictating traffic. A lot of the rules are for individual ports to specific server(s), some of them having 50+ ports opened. For example, Exchange has about 115 ports opened right now, anywhere from port 25 to 55000.
My question is whether it would be better (faster, less strain on the ASA) to open a port range (i.e. 52000-55000) or would the individual ports (i.e. 52112, 52336, 52698, 53441, 53495, etc...) be ok? Obviously the individual ports are much more granular for security, but I don't want to take that into consideration now. Just strictly individual ports vs. ranges.
May 11, 2013
I am using a Cisco E4200 router today but I am moving to an ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200, all I do is put the outside private IP address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network.
Mar 8, 2013
I've been asked to deploy an ASA in Transparent Mode because of concerns of putting another layer 3 hop between PE and CE routers running BGP.
Is there some problem with allowing BGP to flow freely through an ASA that is also terminating site-to-site and remote access VPN tunnels?
I just don't see the need for Transparent Mode here, and you cannot have a standard DMZ setup with Transparent Mode: you have to use bridge groups to provide for multiple interfaces on the ASA and then have an external router route between those bridge groups.
What am I missing here as to why Transparent Mode is needed (or not needed)?
ASA is 5512
Jan 18, 2008
My WLC 2006 lost the IOS and started with a grub> prompt. What can I do to recover the IOS?
Nov 29, 2012
I have a new server that I wish to set up as an ISA Server. I've created a new domain on it and set it as a DHCP server. As ISA 2006 doesn't work on a 64-bit server, what is a good firewall software substitute? My server specs are as follows: HP Proliant G7 DL 360 Xeon, 12GB memory with a 64-bit 2008 R2.
Jun 7, 2011
I have a Wireless LAN Controller Cisco 2006 running. Today my management IP is public with internet access. I am thinking of using a private IP without internet access. I have certain Access Points in another building that connect to the AP Manager interface using the internet. When I see the TCP connections, I see that the access points not only have TCP connections to the AP Manager interfaces, they have TCP connections to the Management interface too!!! What if I shut down the connection between the Management interface and the Access Points (maintaining the connection between the Access Points and the AP Manager interfaces)?
Oct 12, 2012
I'm a newbie in wireless, recently I got a WLC2006 and AP1130 - IOS: 12.4(10b)JDE
- The AP has been changed LAP mode already
- AP-manager port and management port are PORT 4
- I have configured the WLC's "Internal DHCP server"...
When I plug the AP into WLC port 2 and 3, it can get an IP address from DHCP; however, when I plug it into WLC port 1, it gets nothing, and the IP address is 0.0.0.0.
Does it mean the port is damaged already? Or can I do anything to check or enable port 1 again?
Oct 2, 2011
How to open a port in ISA 2006, step by step? So for example, if you wanted to open port 22559 incoming from either anyone or a static IP, NAT'd to an internal IP, what would be the steps? The setup is SBS 2003 Premium edition, two NICs, DSL on the external NIC with a static IP.
Jun 16, 2013
Looking to set up a small office cheaply and quickly and was thinking about ordering a 2006 and some 1130s off eBay. Are the lightweight 1130s compatible with the 2006?
Apr 30, 2013
I have two 1252ag wireless access points running in lightweight mode and connected to a 2006 WLC. They were both running fine until this morning. One of the 1252s won't stop rebooting itself. I consoled in, and this was the output -
*Mar 1 00:00:32.055: %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER
*Mar 1 00:00:32.055: %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER
*Mar 1 00:00:32.055: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
[ code].....
IOS Boot loader - Starting system. X modem file system is available. I'm particularly curious about this line -
*Mar 1 00:00:50.283: %SYS-4-PUPDATECLOCK: Periodic Clock update with ROMMON failed, because size left in ROMMON (4294967295), size needed (29), error code (-1)
The only reference to it I found online was a very vague "It's a hardware failure", but no further explanation.
Mar 6, 2012
I have a Server 2008 R2 DC and one ISA Server 2006 Enterprise. I'm facing a problem with DHCP being unable to give a DHCP IP from the internal LAN. It's taking an IP from the external LAN, i.e. connected to a Linksys external router which has DHCP enabled with a different IP class, i.e. class B. After shutdown the client PC will take 0.0.0.0, no IP will be assigned, and it says limited connectivity.
Dec 13, 2010
I have a Cisco AnyConnect 2.5.2006 failing installation on an upgrade from 2.4.1012, Win7 64-bit. RunOnce exists in the registry and I even added everyone/full perms to it to make sure it wasn't a perms issue (it seems everyone recommends checking this key exists). I've cleaned the system and the registry multiple times for anything AnyConnect related. The installation 'appears' to fail on the installation of the 64-bit virtual adapter.
Installation log is attached to this post.
[code]....
Nov 2, 2012
We were using an ASA-5520-K9 with an ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.
May 30, 2013
I would like to know whether both a Cisco 2901 or 2921 router and a Cisco 5505 ASA can build a site-to-site VPN.
1) What is the difference in building a site-to-site VPN between a router and a firewall?
2) Which is the best choice for use in a site-to-site VPN connection?
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.
May 5, 2013
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the identity-based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is a Citrix Published Desktop environment supported to connect through identity-based firewalls? How do AD Agent, Domain Controllers and firewalls work together? On the firewalls with "show user-identity ad-agent" we see the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why does Cisco use 1645 and 1646 and not 1812 and 1813? What purpose is the Listening Port used for? We tried the AD Agent modes full-download and on-demand with the same effect.
Apr 15, 2013
I try to launch a LAND attack against my firewall ASA 5520. Everything works fine. But why? I think it should not work. I use a little tool where I can use a spoofed address, with a cluster shell, and attack the firewall interface with a source of 127.0.0.1 or the IP address of the interface as both the source and destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this. But I don't find anything for ASA.