Cisco Firewall :: ASA 5540 SSH Not Working From Outside Port
Mar 13, 2011We are try to connect ssh via outside system (from Internet) its was not getting connected.
When we try to connect from outside pool of ip than its working.
ADVERTISEMENT
Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade
Apr 26, 2011Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the nat won't work. No email sent or received. Nothing but Deny's on the ASA with flags reading either "SYN" or "RST". IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
Cisco Firewall :: ASA 5540 Load-balancing Over EIGRP Not Working
Nov 15, 2011We have an ASA 5540 running 8.4(1) on the inside of dual Internet-facing border routers. The routers run BGP facing out and EIGRP facing in, with the ASA also running EIGRP for the same AS. Both routers redistribute a default route into EIGRP. It was my understanding and expectation that the ASA would learn both of these, as they are equal cost, and load-balance the outbound traffic over the two links. This does not appear to be the case.
The routers both have:
router eigrp 100
network nn.nn.nn.nn 0.0.0.0
redistribute static
[Code].....
Cisco Firewall :: 5540 - NAT / PAT Two Private IP's To One Real On Same Port
Nov 25, 2012I have the following situation. A colleagues installed a spam block (Norton something) and he put two ip's on itsinterfaces. 192.168.2.20 and 192.68.2.21. One will be used to receive and one to send mail but both on port 25. They use a sinlge real IP 175.75.67.32. I am using a 5540 ASA with 8.2 IOS.
I am pretty sure this cannot happen but i got some advice to NAT the outgoing IP/Port and then PAT the incoming port to both IP's and it will work. I tried to do it with no success. I know that ASA 8.4 changes everything in NAT/PAT but is there any way with the newer OS my setup can work or not?
Cisco Firewall :: ASA 5540 - Port Blocking For Voice In Transparent Mode
Dec 20, 2012i am using asa5540 with 7.0(8). firewall was configured in transparent mode.
now i am looking for block ip phone communication from site to site and head office. i am using cucm 7.1.2b.
all site was connected through ofc. no nat was using.
Cisco VPN :: ASA 5540 - Clientless SSL - SSH And WebService Not Working
Jun 25, 2011I am configuring it with our ASA 5540 default 2 SSL License. I have got 10 demo license from Cisco, however I am yet to activate it.
I have problems is accessing SSH and Web Services.
1) SSH: When I try to ssh one of my device, it ask me to give me Username and Password. After that it it shows the full black screen and do not ask me to provide Enable password. But Telnet is working fine.
2) WebService: We have one web service (internal). 2 webserver connected to cisco css 11501. the URL is http://10.10.10.10/web. I try to access it from the WebService page with giving 10.10.10.10/web and 10.10.10.10 using http protocol. but it shows that the server is not reachable.
Cisco Firewall :: Vnc 5950 - Port Forwarding Not Working
May 4, 2011All I want to do is have VNC connect on port 5950. So I want to forward traffic coming in on the external ip address on port 5950 an internal ip address on port 5950. Here is my config:Building configuration...Current configuration.
View 17 Replies View RelatedCisco Firewall :: ASA5505 / Port Forwarding Not Working?
Apr 6, 2012I'm not able to access my Slingbox from the outside. I've set up port forwarding on port 5001 to allow outside connections in, but port forwarding isn't working. Am I missing something?
object network INSIDE-HOSTS
subnet 10.10.10.0 255.255.255.0
object network Slingbox
host 10.10.10.254
object-group protocol TCPUDP
[code].....
Cisco Routers :: RV042 Port Forwarding Stops Working When Firewall Is Enabled
Jun 4, 2013I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows: HTTP[TCP/80~80]->10.0.0.6HTTPS[TCP/443~443]->10.0.0.6IMAP[TCP/143~143]->10.0.0.5IMAP SSL[TCP/993~993]->10.0.0.5SMTP SSL[TCP/587~587]->10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out. Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.
Cisco Firewall :: ASA 5540 - Version Change In Firewall?
Mar 15, 2012How are asa5540 in high availability mode upgraded for their versions.
View 1 Replies View RelatedCisco Firewall :: Polycom HdX8000 Behind ASA 5540 Firewall?
Dec 28, 2012I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
Here is the problem.I get connected to the call but I cannot the remote site cannot see and hear me.But I can see and hear them.
Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4
Jul 16, 2012i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2 --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
[URL]
I need to use this feature for only three or maximum four users in company then would i really need to do memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
ASA-ISB-HQ# sh version
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
[Code].....
Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control
Nov 19, 2011ASA5540# sh run nat-control
no nat-control
this means higher security can talk to lower security without NAT rules
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (inside) 1 interface
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
And do I have to have a global statement for NAT 0 ...like below?
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-
Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS
Jun 10, 2012I Have Cisco 5540 with AIP-SSM-40, recently i config AIP-SSM-40 to capture all traffic from all interface any to any with promiscous mode and if card fail traffic still flow throuh asa, but after that i can't login to cisco ASDM, the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"
View 2 Replies View RelatedCisco Firewall :: High CPU Utilization On ASA 5540
May 11, 2008I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How I can find the root cause of the CPU high utilization?
View 2 Replies View RelatedCisco Firewall :: Reasons To Upgrade ASA 5540
Apr 29, 2012I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?
View 4 Replies View RelatedCisco Firewall :: ASA 5540 Simulation In GNS3
Jan 26, 2013I have to use GNS3 for simulate ASA5540.but it does not work. I've installed latest GNS3(0.8.3.1 all in one) in Win7 32bit environment, and used IOS file is asa842-k8.bin.but i can't unpack it properly. it said "Couldn't find any ZIP header in asa842-k8.bin".
View 2 Replies View RelatedCisco Firewall :: Asa 5540 8.2.3 Arbitrarily Reload
Dec 19, 2011I have two ASA 5540 working in Active/Standby mode. After I've upgraded them to 8.2.3 ver. I have the following issue: once a day presently active device arbitary reloadI have no err in show version and in syslogs:11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 1011:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
View 4 Replies View RelatedCisco Firewall :: ASA 5540 And FTP Over Implicit TLS / SSL Client
Jan 3, 2012I am having the EXACT same problem as this user:URL
Error: GnuTLS error -53: Error in the push function.
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Connection timed out.
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.
Cisco Firewall :: ASA 5540 IPS Module Removal
May 20, 2012I have 2 ASA 5540's that I want to run in HA A/F. The active ASA has an IPS module running. I no longer need this and would rather remove it than purchase another module for the spare. What is the process to do this safely? After removal will the HA wizard recognize that the module was removed or do I have to update the software?
View 3 Replies View RelatedCisco Firewall :: ASA 5540 / Nat Line Removed From 8.4(3) To 8.4(4) 1?
Sep 23, 2012we have noted the automatically removing of the only "nat (inside,any)" line, during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why ?
View 1 Replies View RelatedCisco Firewall :: Unable To Run FTPS (FTP Over SSL) Across ASA 5540?
Mar 19, 2012there was remote FTP - users behind ASA5540 can connect to it.
Now, with this ftp there is SSL/TLS encryption added and users behind this ASA can't connect to this FTPS.
It this possible for users behind ASA to connect to FTPSs?
Cisco Firewall :: How To Load IOS From ROM Monitor In ASA 5540
Jul 20, 2011I was looking in the CISCO webpage how to load an IOS from a tftp server but i got some questions:
I got the information from this webpage: [URL]
rommon #1> ADDRESS=10.132.44.177 <---- Which IP address? the one that I got on my firewall?
Cisco Firewall :: Getting ASA 5540 Default Contexts?
Apr 19, 2011Q1. I would like to confirm like how many total of contexts do I have by default when I purchase the ASA 5540 ? are they two contexts aside from the admin context or two contexts including the admin context?
Q2. can I configure the default box with High Availability using the default contexts?
Cisco Firewall :: ASA 5540 - BGP Dynamic Routing
Jan 10, 2012Does ASA 5540 support BGP routing protocol to be configured on it??
I'm talking about the latest versions.
Cisco Firewall :: ASA 5540 To Block Software
Aug 10, 2012I have an ASA 5540 , how can i block softwares like TeamViewer , VPN Adapters like Hamachi and all. Also , I have tried URL Blocking but i suppose ASA supports only HTTP url block and not HTTPS.
View 2 Replies View RelatedCisco Firewall :: ASA 5540 8.2 - Way To Make A Simple PAT
Sep 3, 2012I have a cisco ASA 5540 and i cant make a simple PAT (many private IP to one public IP). Below you can find my conf.
[code]...
Cisco Firewall :: ASA 5540 - Code Versions / 8.4 Or 9.x
Feb 28, 2013I am in the process of rebuilding our ASA 5540 pair. We are currently on 8.2 code with this set of firewalls and I was going to upgrade it to 8.4 being I have a couple of other firewalls running this code currently and am familiar with it. That said, I saw that the 9.x code is out there now. Are there any major advantages or caveats with the 9.0 code? I plan to use this firewall with SSL VPN and RSA Secure ID integration for the next 2-3 years at least. Any quick pointers on these two code versions and on upgrading to 9 or staying with 8.4 line.
View 2 Replies View RelatedCisco Firewall :: WCCP Redirection On ASA 5540?
Apr 3, 2013I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp
Global WCCP information:
Router information:
Router Identifier: 200.X.X.X
Protocol Version: 2.0
[code]....
Cisco Firewall :: Slow SQLnet Throughput On ASA 5540?
Nov 14, 2011I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file.
View 6 Replies View RelatedCisco Firewall :: 5540 - Multicast Over Lan To Lan Ipsec Tunnel
May 3, 2011I need to configure multicast between 2 Csico 5540's lan to lan ipsec tunnel for a Voip application.
View 2 Replies View RelatedCisco Firewall :: 5540 - Remote VPN Authentication Fail?
Mar 15, 2011 wht would be change on configuration of remote access VPN on asa 5540.
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,
[Code].....
Cisco VPN :: Juniper Firewall To ASA 5540 Drops Every 45 Minutes
Oct 10, 2012We have a VPN established between the above devices (I don't have more info on the Juniper as it's a client site) The Juniper initiates the VPN and all is well, tunnel is up all ok but approx every 45 minutes the VPN drops.
the tunnel parameters are set to keep it alive for 8 hours but that doesn't work.